
Ethical Hacking Reference Guide.

Preface

In today's world, cyber crime is increasing rapidly, and we see the limelight of such situations in the
media, newspapers and television as well. The most common cyber crimes are email hacking,
fake profiles, data theft, banking frauds, and numerous websites getting hacked. To prevent such
attacks and provide strong security, we came up with the solution through this book. This book will
give you a complete scenario of all ethical concepts of hacking.
This is specially written for people who have no understanding of cyber crime and internet
related frauds. It will help them to understand all offensive techniques in order to prevent all cyber
attacks. After going through this book, people will come to acquire special skills like vulnerability
assessment, penetration testing, email security, system and network security, mobile security etc.

Disclaimer
All the contents in this book are for education purposes only. We don't take any responsibility for
any illegal activity in the future. We give credits to the FLS team, and reference material is taken from the
Internet.

Course Content in Detail

1. Introduction To Cyber Security
2. Careers In Cyber Security
3. IT ACT 2000/2008
4. Kali Linux Terminology
5. Information Gathering
6. Scanning and Enumeration
7. Hiding Identity
8. Social Engineering Toolkit
9. Advanced Metasploit Exploitation
10. Armitage and Fast Track Exploitation
11. Sniffing
12. System Hacking
13. Virus, Trojans and Keyloggers
14. Website Hacking
15. Data Hiding
16. Wireless Hacking
17. Mobile Hacking
18. Honeypots
19. Buffer Overflow, DOS and DDOS
20. Reverse Engineering
21. Pentest Methodology
22. Vulnerability Assessment and Penetration Testing

Module 1
Introduction To Cyber Security

Introduction
Cyber-security is headline news and a growing challenge for national and global security, while
computer technology now pervades every aspect of the personal and professional lives of our
graduates. This technology underpins enormous performance improvements but also brings serious
vulnerabilities. The many forms of cyber-threats-such as data theft, surveillance, and system
compromise-have become tools of activism, corporate and state espionage, warfare,
counter-proliferation, and intelligence gathering.
Hacker
Someone who seeks and exploits weaknesses in a computer system or computer network, or who
makes innovative customizations or combinations of retail electronic and computer equipment, or
who combines excellence, playfulness, cleverness and exploration in performed activities.
Ethical Hacker
An ethical hacker is a computer and network expert who attacks a security system on behalf of its
owners, seeking vulnerabilities that a malicious hacker could exploit. To test a security system,
ethical hackers use the same methods as their less principled counterparts, but report problems
instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion
testing and red teaming. An ethical hacker is sometimes called a white hat.

Different Types Of Hacker
White Hat Hackers: These are the good guys, computer security experts who specialize in
penetration testing and other methodologies to ensure that a company’s information systems are
secure. These IT security professionals rely on a constantly evolving arsenal of technology to battle
hackers.
Black Hat Hackers: These are the bad guys, who are typically referred to as just plain hackers.
The term is often used specifically for hackers who break into networks or computers, or create
computer viruses. Black hat hackers continue to technologically outpace white hats. They often
manage to find the path of least resistance, whether due to human error or laziness, or with a new
type of attack. Hacking purists often use the term “crackers” to refer to black hat hackers. Black
hats’ motivation is generally to get paid.
Script Kiddies: This is a derogatory term for black hat hackers who use borrowed programs to
attack networks and deface websites in an attempt to make names for themselves.
Hacktivists: Some hacker activists are motivated by politics or religion, while others may wish to
expose wrongdoing, or exact revenge, or simply harass their target for their own entertainment.
State Sponsored Hackers: Governments around the globe realize that it serves their military
objectives to be well positioned online. The saying used to be, “He who controls the seas controls
the world,” and then it was, “He who controls the air controls the world.” Now it’s all about
controlling cyberspace. State sponsored hackers have limitless time and funding to target civilians,
corporations, and governments.
Spy Hackers: Corporations hire hackers to infiltrate the competition and steal trade secrets. They
may hack in from the outside or gain employment in order to act as a mole. Spy hackers may use
similar tactics as hacktivists, but their only agenda is to serve their client’s goals and get paid.
Cyber Terrorists: These hackers, generally motivated by religious or political beliefs, attempt to
create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most
dangerous, with a wide range of skills and goals. Cyber terrorists' ultimate motivation is to spread
fear, terror and commit murder.
Elite Hacker: As with any society, better than average people are rewarded for their talent and
treated as special. This social status among the hacker underground, the elite (or, according to the
hacker language that eventually devolved into leetspeak, 31337) are the hackers among hackers in
this subculture of sorts. They're the masters of deception that have a solid reputation among their
peers as the cream of the hacker crop.

Skill Profile of a Hacker
Hackers are considered the most intelligent people in the cyber world. They are dynamic and highly
skilled persons. Some of their skills are as under:-
1. Good computer knowledge, including different operating system platforms like UNIX, Linux,
Windows, Mac OS etc.
2. Internet and Internet related terms and protocols like OSI, TCP/IP, servers, websites, WAN, LAN etc.
3. Knowledge of various programming languages like C, C++, PHP, Perl, Python, Ruby etc.
4. Networking and network device knowledge like switches, routers, gateways, firewalls etc.
5. Internet savvy with an R&D interest, so that he/she can keep upgrading for the future.

Hacking Methodology
1. Reconnaissance
Reconnaissance is the first, preparatory phase, where an attacker makes a systematic attempt to
locate, gather, identify, and record information about the target of evaluation prior to launching an
attack. It involves network scanning, either external or internal, without authorization. Here, hackers
try to find out as much information as possible about the victim. There are two categories of
reconnaissance techniques: active and passive reconnaissance.

Passive reconnaissance involves gathering information regarding a potential target without the
targeted individual’s or company’s knowledge. Passive reconnaissance can be as simple as watching
a building to identify what time employees enter the building and when they leave. However, it’s
usually done using Internet searches or by Googling an individual or company to gain information.
This process is generally called information gathering methods. Sniffing the network is another
means of passive reconnaissance and can yield useful information such as IP address ranges,
naming conventions, hidden servers or networks, and other available services on the system or
network. Sniffing network traffic is similar to building monitoring: A hacker watches the flow of
data to see what time certain transactions take place and where the traffic is going.

Active reconnaissance involves probing the network to discover individual hosts, IP addresses,
and services on the network. This usually involves more risk of detection than passive
reconnaissance and is sometimes called rattling the doorknobs. Active reconnaissance can give a
hacker an indication of security measures in place, but the process also increases the chance of
being caught or at least raising suspicion. Both passive and active reconnaissance can lead to the
discovery of useful information to use in an attack. For example, it's usually easy to find the type of
web server and the operating system (OS) version number that a company is using. This
information may enable a hacker to find a vulnerability in that OS version and exploit the
vulnerability to gain more access.

2. Scanning
Scanning involves taking the information discovered during reconnaissance and using it to examine the network. Tools that a hacker may employ during the scanning phase can include dialers, port scanners, network mappers, sweepers, and vulnerability scanners. Hackers are seeking any information that can help them perpetrate an attack, such as computer names, IP addresses and user accounts.

3. Gaining Access
This is the phase where the real hacking takes place. Vulnerabilities discovered during the reconnaissance and scanning phase are now exploited to gain access. The method of connection the hacker uses for an exploit can be a local area network (LAN, either wired or wireless), local access to a PC, the Internet, or offline. Examples include stack-based buffer overflows, denial of service (DOS), and session hijacking. These topics will be discussed in later modules. Gaining access is known in the hacker world as owning the system.

4. Maintaining Access
Once a hacker has gained access, they want to keep that access for future exploitation and attacks. Sometimes, hackers harden the system from other hackers or security personnel by securing their exclusive access with backdoors, rootkits, and Trojans. Once the hacker owns the system, they can use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to as a zombie system.

5. Covering Tracks
Once hackers have been able to gain and maintain access, they cover their tracks to avoid detection by security personnel, to continue to use the owned system, to remove evidence of hacking, or to avoid legal action. Hackers try to remove all traces of the attack, such as log files or intrusion detection system (IDS) alarms. Examples of activities during this phase of the attack include steganography, the use of tunneling protocols, and altering log files. Steganography and the use of tunneling for purposes of hacking will be discussed in later modules.
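The reconnaissance and scanning phases above note that active probing raises the attacker's chance of being caught. As an added example (not code from this guide), the following Python script shows what that detection looks like on the defender's side: it parses constructed firewall log lines in an assumed format and flags a source that touches many distinct ports on one host within a short window. The third sample source illustrates the caveat that a slow scan slips past a short window; the format, thresholds and sample addresses are all assumptions for this example.

```python
"""Spotting the scanning phase in firewall logs (added defender-side example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (one connection attempt per line), not a real vendor format:
#   <ISO-8601 timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "action": m.group("action"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def detect_port_scans(lines, port_threshold=10, window_seconds=60):
    """Return one alert per (src, dst) pair that touched at least
    `port_threshold` distinct destination ports inside any `window_seconds`
    span. The alert lists the ports seen when the threshold was crossed."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[(ev["src"], ev["dst"])].append(ev)

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()      # events inside the current sliding window
        port_counts = {}      # dport -> number of events for it in the window
        for ev in evs:
            recent.append(ev)
            port_counts[ev["dport"]] = port_counts.get(ev["dport"], 0) + 1
            # Slide the window: drop events older than window_seconds.
            while ev["ts"] - recent[0]["ts"] > window:
                old = recent.popleft()
                port_counts[old["dport"]] -= 1
                if port_counts[old["dport"]] == 0:
                    del port_counts[old["dport"]]
            if len(port_counts) >= port_threshold:
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "first_seen": recent[0]["ts"],
                    "last_seen": ev["ts"],
                    "distinct_ports": sorted(port_counts),
                })
                break  # one alert per pair is enough for a report
    return alerts


def _lines(src, dst, ports, start, step):
    """Build constructed log lines: one attempt per port, `step` apart."""
    return [
        f"{(start + i * step).isoformat()} DENY src={src} dst={dst} dport={p}"
        for i, p in enumerate(ports)
    ]


_T0 = datetime(2024, 3, 1, 10, 0, 0)
_COMMON_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]

# Constructed sample log (not real traffic; documentation addresses only):
SAMPLE_LOG = (
    # fast scanner: 12 ports on one host in 11 seconds -> should be flagged
    _lines("203.0.113.5", "192.0.2.10", _COMMON_PORTS, _T0, timedelta(seconds=1))
    # ordinary client: only 80/443, repeatedly -> must not be flagged
    + _lines("198.51.100.7", "192.0.2.10", [80, 443] * 8, _T0, timedelta(seconds=3))
    # slow scanner: same 12 ports, one every 2 minutes -> evades a 60 s window
    + _lines("203.0.113.9", "192.0.2.10", _COMMON_PORTS, _T0, timedelta(minutes=2))
    + ["2024-03-01 malformed line that the parser must skip"]
)

if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG):
        print(f"possible port scan: {a['src']} -> {a['dst']} "
              f"({len(a['distinct_ports'])} ports between "
              f"{a['first_seen'].time()} and {a['last_seen'].time()})")
    # The slow scanner only shows up once the window is widened to 30 minutes:
    print([a["src"] for a in detect_port_scans(SAMPLE_LOG, window_seconds=1800)])
```

Widening the window catches the slow scanner at the cost of more false positives from legitimate hosts that use many services, which is the usual tuning trade-off for this kind of rule.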

Top 10 Hackers in the World
1. Gary McKinnon: The USA declared him the biggest military computer hacker ever. He whacked the security systems of NASA and the Pentagon. He illegally accessed 97 computers and caused around $700,000 damage to the economy. This made him one of the great black hat hacker celebrities and got his name into the hacker community. The nerd is now facing 70 years of imprisonment and is deprived of accessing the internet.
2. Robert Tappan Morris: He is the creator of the first internet worm, the "Morris worm". He was a student at Cornell, and that is where he started writing code to create worms, as he wanted to know how large the internet world is. But the worm led to slow internet speeds and made systems no longer usable. There was no way to know how many computers were affected, but experts alleged around 6000 machines. He was the first person prosecuted under the 1986 Computer Fraud and Abuse Act. He was sent to 3 years imprisonment and 400 hours of community service and was fined $10,500. At present he is a professor at the Massachusetts Institute of Technology Computer Science and Artificial Intelligence Laboratory.

3. Kevin David Mitnick: The computer security consultant, author and hacker was accused in many cases. He hacked the Los Angeles bus transfer system to get free rides; the biggest hacking was breaking into the DEC system to view the VMS (Open Virtual Memory System) source code, which led to a clean-up cost of around $160,000. He also gained full administration privileges to IBM minicomputers at the Computer Learning Institute in Los Angeles for a bet. He broke into the computers of top technology and telecommunications companies like Nokia, Motorola, Fujitsu Siemens and Sun Microsystems. He termed his activity "social engineering" to legalize his acts.
4. Kevin Poulsen: He is best known for his takeover of the phone lines of KIIS-FM, a Los Angeles based radio station. He was also known as Dark Dante. The former black hat hacker is currently a senior editor at Wired News.

5. Jonathan James: He is the maestro of all hackers who broke into the server of the Department of Defense in the year 1999, which gave him the nickname c0mrade at the age of 16. He also got into the hacking of NASA. Stealing software of NASA and DoD later put him into big trouble. As he was a minor, the punishment was 6 months imprisonment, and he had to pledge that he won't be using computers forever.
6. Adrian Lamo: The threat analyst and grey hat hacker broke into various high profile computers like those of the New York Times, Yahoo and Microsoft, which led to his arrest in the year 2003. He used his internet connections at libraries and coffee shops. The black hat hacker was sentenced to six months home confinement and two years of probation, which expired on January 16, 2007. Now he is a great public speaker and an award winning journalist.

7. Vladimir Levin: The Russian born Jew became famous for being involved in an attempt to fraudulently transfer $10.7 million through Citibank's computers. He stole the customers' codes and passwords. He made a transaction of $3.7 million via wires to accounts his group controlled in the United States, Finland, the Netherlands, Germany and Israel. He and 4 other members with him were involved in this activity. He used a laptop computer in London, England for the access. He was arrested at London airport in March 1995, was convicted to up to 3 years in jail, and had to pay Citibank an amount of $240,015.
8. Raphael Gray: He hacked computer systems around the world in over six weeks. He was 19 years old when he performed the hacking. His mission was to make a multi-million pound credit card. He published about 6,500 credit cards as an example of weak security in consumer websites.

9. Michael Calce: Famously known as Mafia Boy in the hackers' world; as he was a minor, his name was not disclosed. A high school student from West Island, Quebec, he launched service attacks in the year 2000 against the top commercial websites, including Yahoo!, Amazon.com, Dell Inc., E*Trade, eBay and CNN. On September 12, 2001, the Montreal Youth Court sentenced him to 8 months of open custody, one year probation and a small fine. He was restricted from accessing the internet.
10. The Deceptive Duo: In the year 2002 two young boys, namely Benjamin Stark, 20, and Robert Lyttle, 18, broke into government networks, including the U.S. Navy, NASA, FAA and Department of Defense (DoD). They argued that they were merely trying to expose security failures and protect Americans because of the 9/11 incident. Stark was sentenced to 2 years imprisonment and Lyttle served 4 months in prison with 3 years' probation, and they were fined an amount of ten thousand dollars each.

Module 2
Careers In Cyber Security

Why Cyber Security is essential?
The security of computer systems is important to the world for two reasons. Cybersecurity is vital to the operation of safety critical systems, such as emergency response, and to the protection of infrastructure systems, such as the national power grid. The increased role of Information Technology (IT) and the growth of the e-commerce sector have made cybersecurity essential to the economy.

Different Fields in Cyber Security
• Information Security Analyst
• Security Management Specialist
• Computer Systems Analyst
• Software Developer, Applications
• Software Developer, Systems Software
• Network and Computer Systems Administrator
• Computer Systems Engineer/Architect
• Auditor
• Security Manager
• Intelligence Analyst

List of Security Certifications
Knowledge Based – Certifying an individual's knowledge and skills
Organisational Based – Certifying that an organisation has reached certain standards
Product Based – Certifying that a product or system has been accredited at a certain standard

Knowledge Based
Computer Associates
• Computer Associates Certified eTrust Specialist (CACES)
CERT/CC
• Computer Security Incident Handler (CSIH)
Cisco
• Cisco Certified Security Professional (CCSP)
• Cisco Advanced Security Field Specialist
• Cisco Firewall Specialist
• Cisco IPS Specialist
• Cisco Security Sales Specialist
• Cisco Security Solutions and Design Specialist
• Cisco VPN Specialist
• Cisco VPN/Security Sales Specialist
Certified Internet Web (CIW)
• CIW Security Analyst
• CIW Security Professional
CompTIA
• CompTIA Security+
Global Information Assurance Certification (SANS)
• GIAC, various
• GIAC Security Essentials Certification (GSEC)
• GIAC Certified Firewall Analyst (GCFW)
• GIAC Certified Intrusion Analyst (GCIA)
• GIAC Certified Incident Handler (GCIH)
• GIAC Certified Windows Security Administrator (GCWN)
• GIAC Certified UNIX Security Administrator (GCUX)
• GIAC Information Security Officer (GISO)
• GIAC Systems and Network Auditor (GSNA)
• GIAC Security Leadership Certificate (GSLC)
• GIAC IT Security Audit Essentials (GSAE)
• GIAC Gold Standard Certificate (GGSC-0100)
Information Systems Audit and Control Association (ISACA)
• Certified Information System Auditor (CISA)
• Certified Information Security Manager (CISM)
International Information Systems Security Certification Consortium (ISC2)
• Certified Information Systems Security Professional (CISSP)
• Systems Security Certified Practitioner (SSCP)
• Certification and Accreditation Professional
• CISSP Concentrations: ISSEP®: Information Systems Security Engineering Professional; ISSAP®: Information Systems Security Architecture Professional; ISSMP®: Information Systems Security Management Professional
International Organisation for Standardisation
• ISO 27001:2005 Lead Auditor Course
Microsoft
• Microsoft Certified Systems Engineer: Security (MCSE: Security)
EC-Council
• Ethical Hacker
• Computer Hacking Forensic Investigator
• Licensed Penetration Tester
• Certified Network Defence Architect
• Network Security Administrator
• Certified Security Analyst
• Certified Secure Programmer and Certified Secure Application Developer
• Security 5
Disaster Recovery Institute International
• Associate Business Continuity Professional
• Certified Functional Continuity Professional
• Certified Business Continuity Professional
• Master Business Continuity Professional
The International Society of Forensic Computer Examiners
• Certified Computer Examiner
Critical Infrastructure Institute
• PCIP (Professional in Critical Infrastructure Protection)
Security University
• Software Security Engineer Certification
The Association of Certified Fraud Examiners
• Certified Fraud Examiner
Ecfirst.com
• Certified Security Compliance Specialist
Learning Tree
• Network Security Certified Professional
• Enterprise and Web Security Certified Professional
High Tech Crime Network
• Certified Computer Crime Investigator [Basic]
• Certified Computer Crime Investigator [Advanced]
• Certified Computer Forensic Technician [Basic]
• Certified Computer Forensic Technician [Advanced]
Espionage Research Institute
• Certified Counterespionage & Information Security Manager
IACIS
• Certified Electronic Evidence Collection Specialist Certification
• Certified Forensic Computer Examiner Certification
eBusiness Process Solutions
• Certified Cyber-Crime Expert (C3E)
Cyber Enforcement Resources Inc.
• Basic Internet Investigation
• Intermediate Internet Investigation
• Advanced Internet Investigation
Cyber Security Institute
• CyberSecurity Forensic Analyst (CSFA)
• CyberSecurity Institute Certified Instructor (CSICI)
FCPA
• Field Certified™ Security Specialist (FCSS™)
Security Certified Program
• Security Certified Network Professional (SCNP)
• Security Certified Network Architect (SCNA)
• Security for Business (S4B)
CWNP
• The CWSP® (Certified Wireless Security Professional) certification
Symantec
• SPS – Symantec Product Specialist
• STA – Symantec Technology Architect
• SCSE – Symantec Certified Security Engineer
• SCSP – Symantec Certified Security Practitioner
RSA
• RSA Certified Security Professional
• RSA SecurID Certified Administrator (RSA SecurID CA)
• RSA Certified Instructor (RSA/CI)
• RSA Certified Systems Engineer (RSA/CSE)
CyberTrust
• TICSA Professional Certification
Checkpoint
• Various
Microsoft
• MCSE: Security on Microsoft Windows Server 2003
• MCSA: Security on Microsoft Windows Server 2003
ITIL Certifications for Individuals
• ITIL Foundation Level Certification
• ITIL Practitioner Level Certification
• ITIL Management Level Certification

Technology/Product Certification
VISA
• Verified By Visa
• Payment Card Industry (PCI) Data Security Standard
WestCoastLabs
• Checkmark
American Institute of Certified Public Accountants (AICPA)
• SysTrust, WebTrust
BBBOnline
• BBBOnline
BITS Financial Services Roundtable
• BITS Products Certification (based on CC)
ITSEC
• JIL (joint interpretation library)
• CC (ISO 15408), CCEVS (US)
NSS Labs
• NSS Approved, NSS Gold, NSS Tested
McAfee
• SiteAdvisor (automatic website rating)
TUV
• various
TRUSTe
• TRUSTe
Eco
• Certified Senders Alliance
GeoTrust
• Trust Site Seal, Verified Domain, GeoCode
ICSA Labs
• ICSA Labs Product Certification
Institute of Electrical and Electronic Engineers (IEEE)
• Wireless security standards 802.1x
Internet Engineering Task Force (IETF)
• Public-Key Infrastructure Exchange (PKIX), Public Key Cryptography Standards (PKCS)
VeriSign
• VeriSign Secured Seal
Virus Bulletin
• VB100% award
International Telecommunication Union (ITU)
• X.509
Center for Internet Security
• CIS Certified Security Software Products
CyberTrust
• Enterprise Certification
• Business partner Certification
• Application Certification
• Perimeter Certification

Organisational Certifications
American Society for Industrial Security (ASIS)
• CPP — Certified Protection Professional
Bundesamt für Sicherheit in der Informationstechnik (BSI)
• Grundschutz
Prosoft Learning Corporation
• CIW Security Analyst
International Organisation for Standardisation (ISO)
• ISO27001, ISO17799, ISO 13335
• ISO 20000 IT Service Management Standard (has controls for security and business continuity)
• ISO/TR 13569:2005 – Financial services — Information security guidelines
Information Systems Security Association (ISSA)
• Generally Accepted Information Security Principles (GAISP)
International Systems Security Engineering Association (ISSEA)
• Systems Security Engineering Capability Maturity Model (SSE-CMM) = ISO 21827
ITIL
• Security Management. Note that organisations cannot be certified against ITIL, as ITIL is not a standard but a framework.
National Institute of Standards and Technology (NIST)
• NIST 800-53, NIST 800-40, 800-14
• NIST Special Publication 800-37 – Guide for the Security Certification and Accreditation of Federal Information Systems
Security Certified Program
• Security Certified Program
Information Security Forum (ISF)
• Standard of Good Practice for Information Security
Chartered Accountants of Canada (CICA)
• ITCG: Information Technology: Control Guidelines 1998
CESG
• ITSEC or Common Criteria formal evaluation and certification
• CLAS and the ITPC Qualification
AICPA
• Webtrust, Systrust

Short & Long Term Courses In India
Following are the courses helpful in building a career in Cyber Security.

Short Term Courses
1. http://www.asianlaws.org
2. http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/
3. http://www.ili.ac.in/e-learn10.html
4. http://www.sans.org
5. http://www.eccouncil.org

Long Term Courses Including PG Programmes and Diploma
1. M.Sc in Cyber Forensics and Information Security Link:- http://www.ifs.unom.ac.in/index.php?route=academic/coursehighlights
2. M.S In Cyber Law and Information Security Link:- http://ms.iiita.ac.in
3. M.Tech In Cyber Security and Computer Networks Link:- http://www.amrita.edu/cyber/mtech.htm
4. M.Tech in Information Security & Cyber Forensics Link:- http://www.drmgrdu.ac.in/Engineering/CSECourses/mtechftISCF.htm
5. M.S In Cyber Law and Security Link:- http://www.imtcdl.ac.in/mscs_about.htm
6. Post Graduate Certificate in Cyber Law (PGCCL) Link:- http://www.ignou.ac.in/ignou/aboutignou/school/sol/programmes/detail/37/2
7. Some Other Colleges Link:- http://study.taaza.com/study/list-colleges-in-india-providing-m-tech-cyber-security

Need of Cyber Security Experts:
The numbers are startling: The U.S. Cyber Command seeks 5,000 cybersecurity pros. The federal government will need 10,000 cybersecurity experts in the near future. Even the Department of Homeland Security's comparatively small yet urgent demand for 600 new cybersecurity employees is dizzying once the logistics are considered. ITWAC identified specific domains requiring more extensive training to better equip IT security professionals to deal with increasingly pervasive cyberthreats. According to Burning Glass International, Inc., a firm specializing in using technology to match people and jobs, demand is growing at 12 times that of the overall job market. Between 2007 and 2012 demand for cyber security experts grew 73 percent, while demand for all computer jobs grew 20 percent. Burning Glass also noted that it's not just defense contractors seeking cybersecurity experts; financial services companies and telecoms are driving demand as they face new threats and challenges. Salaries for such experts as engineers, analysts, managers and architects averaged $101,000.

Module 3
IT Act 2000/2008

Introduction
"Cyber" is a prefix used to describe a person, thing, or idea as part of the computer and information age. Taken from kybernetes, the Greek word for "steersman" or "governor," it was first used in cybernetics, a word coined by Norbert Wiener and his colleagues. The virtual world of the internet is known as cyberspace, and the laws governing this area are known as Cyber laws; all the netizens of this space come under the ambit of these laws, as it carries a kind of universal jurisdiction. Cyber law can also be described as that branch of law that deals with legal issues related to the use of inter-networked information technology. In short, cyber law is the law governing computers and the internet.

Cyber law is important because it touches almost all aspects of transactions and activities on and involving the internet, the World Wide Web and cyberspace. Every action and reaction in cyberspace has some legal and cyber legal perspectives. Cyber law encompasses laws relating to –
• Cyber crimes
• Electronic and digital signatures
• Intellectual property
• Data protection and privacy

CYBER LAW IN INDIA
In India, cyber laws are contained in the Information Technology Act, 2000 ("IT Act"), which came into force on October 17, 2000. The main purpose of the Act is to provide legal recognition to electronic commerce and to facilitate the filing of electronic records with the Government. The growth of Electronic Commerce has propelled the need for vibrant and effective regulatory mechanisms which would further strengthen the legal infrastructure, so crucial to the success of Electronic Commerce. All these regulatory mechanisms and legal infrastructures come within the domain of Cyber law.

The Information Technology Act is an outcome of the resolution dated 30th January 1997 of the General Assembly of the United Nations, which adopted the Model Law on Electronic Commerce of the United Nations Commission on International Trade Law. This resolution recommended, inter alia, that all states give favourable consideration to the said Model Law while revising or enacting new law, so that uniformity may be observed in the laws of the various cyber-nations applicable to alternatives to paper based methods of communication and storage of information.

The Department of Electronics (DoE) in July 1998 drafted the bill. However, it could only be introduced in the House on December 16, 1999 (after a gap of almost one and a half years), when the new IT Ministry was formed. It underwent substantial alteration, with the Commerce Ministry making suggestions related to e-commerce and matters pertaining to World Trade Organization (WTO) obligations. The Ministry of Law and Company Affairs then vetted this joint draft.

After its introduction in the House, the bill was referred to the 42-member Parliamentary Standing Committee following demands from the Members. The Standing Committee made several suggestions to be incorporated into the bill. However, only those suggestions that were approved by the Ministry of Information Technology were incorporated. One of the suggestions that was highly debated upon was that a cyber café owner must maintain a register to record the names and addresses of all people visiting his café and also a list of the websites that they surfed. This suggestion was made as an attempt to curb cyber crime and to facilitate speedy locating of a cyber criminal. However, at the same time it was ridiculed, as it would invade upon a net surfer's privacy and would not be economically viable. Finally, this suggestion was dropped by the IT Ministry in its final draft.

The Union Cabinet approved the bill on May 13, 2000, and on May 17, 2000, both houses of the Indian Parliament passed the Information Technology Bill. The Bill received the assent of the President on 9th June 2000 and came to be known as the Information Technology Act, 2000. The Act came into force on 17th October 2000.

With the passage of time, as technology developed further and new methods of committing crime using the Internet & computers surfaced, the need was felt to amend the IT Act, 2000 to insert new kinds of cyber offences and plug other loopholes that posed hurdles in the effective enforcement of the IT Act, 2000. This led to the passage of the Information Technology (Amendment) Act, 2008, which was made effective from 27 October 2009. The IT (Amendment) Act, 2008 has brought marked changes in the IT Act, 2000 on several counts.

NATIONAL POLICY ON INFORMATION TECHNOLOGY 2012
The Union Cabinet recently, in September 2012, approved the National Policy on Information Technology 2012. The Policy aims to leverage Information & Communication Technology (ICT) to address the country's economic and developmental challenges. The vision of the Policy is "To strengthen and enhance India's position as the Global IT hub and to use IT and cyber space as an engine for rapid, inclusive and substantial growth in the national economy". The Policy envisages, among other objectives, increasing revenues of the IT and ITES Industry from 100 Billion USD at present to 300 Billion USD by 2020 and expanding exports from 69 Billion USD at present to 200 Billion USD by 2020. It also aims to create a pool of 10 million additional skilled manpower in ICT.

The thrust areas of the policy include:
1. To increase revenues of the IT and ITES (Information Technology Enabled Services) Industry from 100 Billion USD currently to 300 Billion USD by 2020 and expand exports from 69 Billion USD currently to 200 Billion USD by 2020.
2. To gain significant global market-share in emerging technologies and Services.
3. To promote innovation and R&D in cutting edge technologies and development of applications and solutions in areas like localization, location based services, mobile value added services, Cloud Computing, Social Media and Utility models.
4. To create a pool of 10 million additional skilled manpower in ICT.
5. To make at least one individual in every household e-literate.
6. To provide fiscal benefits to SMEs and Startups for adoption of IT in value creation.
7. To enable access of content and ICT applications by differently-abled people to foster inclusive development.
8. To leverage ICT for key Social Sector initiatives like Education, Health, Rural Development and Financial Services to promote equity and quality.
9. To make India the global hub for development of language technologies, to encourage and facilitate development of content accessible in all Indian languages and thereby help bridge the digital divide.
10. To enhance transparency, accountability, efficiency, reliability and decentralization in Government and in particular, in delivery of public services.
11. To leverage ICT for expanding the workforce and enabling life-long learning.
12. To strengthen the Regulatory and Security Framework for ensuring a Secure and legally compliant Cyberspace ecosystem.
13. To adopt Open standards and promote open source and open technologies.
14. To encourage adoption of ICTs in key economic and strategic sectors to improve their competitiveness and productivity.
15. To provide for mandatory delivery of and affordable access to all public services in electronic mode.
The Policy has however not yet been notified in the Official Gazette.

INFORMATION TECHNOLOGY ACT, 2000
The Information Technology Act, 2000 is India's nodal legislation regulating the use of computers, computer systems and computer networks, as also data and information in the electronic format. This legislation has touched varied aspects pertaining to electronic authentication, digital (electronic) signatures, cyber crimes and liability of network service providers. The Preamble to the Act states that it aims at providing legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, and aims at facilitating electronic filing of documents with the Government agencies.

The IT Act, 2000 consists of 90 sections spread over 13 chapters [Sections 91, 92, 93 and 94 of the principal Act were omitted by the Information Technology (Amendment) Act 2008] and has 2 schedules [Schedules III and IV were omitted by the Information Technology (Amendment) Act 2008].

The IT Act of 2000 was developed to promote the IT industry, regulate ecommerce, facilitate e-governance and prevent cybercrime. The Act also sought to foster security practices within India that would serve the country in a global context. This Act was amended by the Information Technology Amendment Bill, 2008, which was passed in Lok Sabha on 22nd December, 2008 and in Rajya Sabha on 23rd December, 2008. It received the assent of the President on 5th February 2009 and was notified with effect from 27/10/2009. The Amendment was created to address issues that the original bill failed to cover and to accommodate further development of IT and related security concerns since the original law was passed.

Rules notified under the Information Technology Act, 2000
a) The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
b) The Information Technology (Electronic Service Delivery) Rules, 2011
c) The Information Technology (Intermediaries guidelines) Rules, 2011
d) The Information Technology (Guidelines for Cyber Cafe) Rules, 2011
e) The Cyber Appellate Tribunal (Salary, Allowances and other terms and conditions of service of Chairperson and Members) Rules, 2009

Chapter – IV – Attribution. 2009 g) The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public).13 of the Negotiable Instruments Act. • A trust as defined in Section 3 of the Indian Trusts Act. • Any contract for the sale or conveyance of immovable property or any interest in such property. It applies also to any offence or contravention there under committed outside India by any person.Chapter – II – Digital Signature and Electronic Signature (Sections 3 & 3A) . 2001 n) Information Technology (Certifying Authorities) Rules. 1925 including any other testamentary disposition by whatever name called. The Act shall not apply to the following documents or transactions •A negotiable instrument as defined in Sec. 2009 j) The Information Technology (Use of electronic records and digital signatures) Rules.Chapter – V – Secure electronic records and secure electronic signatures (Sections 14 to 16) . 1882. 1881. Acknowledgement and Dispatch of Electronic Records (Sections 11 to 13) . • A power of attorney as defined in Sec. monitoring and decryption of information) Rules. 2000 Brief Overview of the Information Technology Act. to prevent computer based crimes and ensure security practices and procedures in the context of widest possible use of information technology worldwide. 2000 The Information Technology Act was enacted with a view to give a fillip to the growth of electronic based transactions. 2009 h) The Information Technology (Procedure and Safeguards for interception. 2009 i) The Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules. 2003 m) The Information Technology (Certifying Authority) Regulations. to provide legal recognition for e-commerce and e-transactions.Chapter – VI – Regulation of Certifying Authorities (Sections 17 to 34) . Applicability of the Act The Act will apply to the whole of India unless otherwise mentioned. 
Scheme of the Act .f) The Cyber Appellate Tribunal (Procedure for investigation of Misbehaviour or Incapacity of Chairperson and Members) Rules.Chapter – III – Electronic Governance (Sections 4 to 10A) .2(h) of the Indian Succession Act. 2004 k) The Information Technology (Security Procedure) Rules. 1882. 2004 l) The Information Technology (Other Standards) Rules.1A of the Powers of Attorney Act. • A Will as defined in Sec. to facilitate e-governance.Chapter – I – Preliminary .

- Chapter VII – Electronic Signature Certificates (Sections 35 to 39)
- Chapter VIII – Duties of Subscribers (Sections 40 to 42)
- Chapter IX – Penalties, Compensation and Adjudication (Sections 43 to 47)
- Chapter X – The Cyber Appellate Tribunal (Sections 48 to 64)
- Chapter XI – Offences (Sections 65 to 78)
- Chapter XII – Intermediaries not to be liable in certain cases (Section 79)
- Chapter XIIA – Examiner of Electronic Evidence (Section 79A)
- Chapter XIII – Miscellaneous (Sections 80 to 90)
First Schedule – Documents or Transactions to which the Act shall not apply
Second Schedule – Electronic signature or Electronic authentication technique or procedure

Offences and Penalties under IT ACT 2000

1. Section 65
Offence: Tampering with Data
Penalty: Three Years Punishment or Two Lakh rupees charge or both

2. Section 66E
Offence: Privacy Violation of any person
Penalty: Three Years Punishment or Two Lakh rupees charge or both

3. Section 66F
Offence: Cyber Terrorism, System Hacking using Virus, Trojans, Malwares etc., damaging property of a person or death etc.
Penalty: Punishment is Life Imprisonment

4. Section 67B
Offence: Child pornography
Penalty: Five Years Punishment or Ten Lakh rupee charge. If it is creating more violation then years may exceed to seven and fine will be same.

5. Section 67C
Intermediary like ISP, Telecommunication companies, cyber cafe etc. has to maintain record of such Data.
Offence: If they are not maintaining it at least for 1 year.
Penalty: Three Years Punishment or fine.

6. Section 69A
Central Govt. or any of its officers has Power to issue directions for blocking any information to intermediary like ISP, Telecommunication companies, cyber cafe etc.
Offence: If intermediary fails to block such content. They will be considered as victim for distributing such sexual content.
Penalty: Seven years imprisonment and fine.

7. Section 69B
Central Govt. has power to monitor and collect traffic data or information through any computer resource for cyber security.
Offence: If authorized agencies fail to do such.
Penalty: Three years imprisonment and fine.

8. Section 70B
ICERT (Indian Computer Emergency Response Team) to serve as national agency for incident response.
Offence: Any service provider, intermediaries, data centres, body corporate or person who fails to provide information called by ICERT.
Penalty: 1 year imprisonment or 1 Lakh rupees or both.

9. Section 71
Offence: False statement regarding any material to controller and Certifying Authority.
Penalty: 2 years imprisonment or 1 Lakh rupees or both.

10. Section 72
Offence: Breach of confidentiality or Privacy.
Penalty: 2 years imprisonment or 1 Lakh rupees or both.

11. Section 73
Offence: Publishing Electronic Signature Certificates false in certain particulars.
Penalty: 2 years imprisonment or 1 Lakh rupees or both.

12. Section 74
Offence: Publication for fraudulent purpose.
Penalty: 2 years imprisonment or 1 Lakh rupees or both.

13. Section 75
Offence: Contraventions committed outside India.

14. Section 76
Confiscation: Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made there under has been or is being contravened, shall be liable to confiscation.

15. Section 77A
Compounding of offences: The person accused of an offence under this Act may file an application for compounding in the court in which the offence is pending for trial, and the provisions of section 265B and 265C of the Code of Criminal Procedure, 1973 shall apply.

16. Section 77B
Offences with three years imprisonment to be cognizable: Notwithstanding anything contained in the Criminal Procedure Code 1973, the offence punishable with imprisonment of three years and above shall be cognizable and the offence punishable with imprisonment of three years shall be bailable.

IT ACT 2008

Known as ITAA, 2008, it was passed by the parliament on December 23, 2008 in 26 minutes. It focuses mainly on Section 67, Section 69, Section 69A and Section 69B. Section 66 has been amended for increasing the punishment up to three or five years. A new amendment brought in changes in section 43 of the IT Act 2000 and the penalty may increase to 1 Crore. Section 69, Section 69A and Section 69B are added. Following are the changes in IT ACT 2008 with updated penalties and offences.

1. Section 66
Offence: Computer related offences like fraud, dishonesty etc.
Penalty: Imprisonment may extend to 2-3 years or with fine which may extend to five Lakh rupees or with both.

2. Section 66A
Offence: Sending Offensive mails, messages and IP Spoofing
Penalty: Punishment for three years or fine also.

3. Section 66B
Offence: Data theft from Computers
Penalty: Three Years Punishment or One Lakh rupees charge or both

4. Section 66C
Offence: Password Stealing, Electronic signature stealing etc.
Penalty: Three Years Punishment or One Lakh rupees charge or both

5. Section 66D
Offence: Cheating a person using computer or communication resources
Penalty: Three Years Punishment or One Lakh rupees charge or both

6. Section 67
Offence: Punishment for publishing or transmitting obscene material in electronic form
Penalty: 2-5 Years Punishment or 5-10 Lakh rupees charge.

7. Section 67A
Offence: Publishing Sexual content.
Penalty: 5-7 Years Punishment with fine which may exceed to Ten Lakh rupees

8. Section 68
Power of controllers to give directions.
Offence: Any person who intentionally or knowingly fails to comply with any orders of Controllers.
Penalty: Imprisonment of Two Years or fine not exceeding One Lakh rupees or both

9. Section 69
Govt. has Power to issue directions for interception or monitoring or decryption of any information through any computer resource.
Offence: Any Authorized body who intentionally or knowingly fails to do it.
Penalty: Imprisonment may exceed seven Years or fine.

10. Section 70
Offence: Violating privacy of protected system
Penalty: Imprisonment may exceed Ten Years or fine.

11. Section 70A
National Nodal Agency: Designate any organisation of govt. as National Nodal Agency which shall be responsible for all including Research and Development related to protection of critical information Infrastructure.

12. Section 72A
Offence: Disclosure of information in breach of lawful contract
Penalty: Imprisonment may exceed Three Years or fine which may extend to five Lakh rupees, or both.

13. Section 77
Compensation, penalties or confiscation not to interfere with other punishment: No compensation awarded, penalty imposed or confiscation made under this Act shall prevent the award of compensation or imposition of any other penalty or punishment under any other law for the time being in force.

14. Section 78
Power to investigate offences: A police officer not below the rank of Inspector shall investigate any offence under this Act.

Module 4 Kali Linux Terminology .

Introduction
Kali Linux is an advanced Penetration Testing and Security Auditing Linux based OS. It is a complete re-build of BackTrack, completely to Debian development standards. All the new infrastructure has been developed, all tools were reviewed and packaged, and only the top 10 tools were taken to develop it as an advanced penetration Testing OS.
Download Kali Linux from the below link => http://kali.org/downloads

Installation of Kali Linux
** Before starting the process of Kali Linux installation, download VMware Workstation and install it in your system.

Default root Password
During installation, Kali Linux allows users to configure a password for the root user. However, should you decide to boot the live image instead, the i386, amd64, VMware and ARM images are configured with the default root password – "toor", without the quotes.

Follow the steps to install Kali Linux in VMware Workstation:
1. Start VMware Workstation and click on "Create New Virtual Machine".
2. Select "Typical" and click on "Next".
3. Select Installation Media type and click on "Next".
4. Give your machine a name and choose the location where you want to save it.
5. Specify Disk Size.
6. Click on Finish, or click on Customize if you want to make any changes to the Virtual Machine.
7. Choose Install option.
8. Choose Language.
9. Choose Keyboard Type, or else keep the default.
10. Select Country and hit Enter for installation. **Now it is installing all the needed packages.
11. Set Host Name (give any name).
12. Set "Root" user Password.
13. Create any User and give a Password.
14. Set Time Zone.
15. Choose partition for installing Kali Linux. **Now everything is done. Wait for some time to finish Installation.
16. Once finished with installation it asks to restart. Now it welcomes with a login page. Log in with Root.
17. VMware tool: By default there will be no support for hardware, due to lack of VMware tools. Once we install VMware tools, we will get all hardware support along with full screen and mouse integration.

Following are the steps to install VMware tools for Kali Linux:
1. Go to VM -->> Install VMware tools
2. Open Terminal and copy the VMware tools compressed file to the desktop
3. Move to the desktop
4. Extract the files.
5. Move to the extracted files directory. Install VMware tool and keep pressing Enter if asked for anything until you get the command prompt back.
6. After it is successfully done, restart the system.

Module 5 Information Gathering .

Introduction
Information gathering is the first step of Penetration Testing. It is the act of collecting the required information about the target by using various resources.

Active Information Gathering
Information gathering done by directly interacting with the targets to grab more information about them. Ex: port scanning using NMAP

Passive Information Gathering
Information gathering done indirectly, without interacting with the targets and their belongings. Ex: Searching target resources from publicly available data

Tools for Information Gathering

Dnsdict6: It is used to gather and enumerate information which is publicly restricted. It is available in Kali Linux and BackTrack.
Features:
• Detects information about sub domains
• Enumeration of IPv4 and IPv6
• Enumeration of SRV records
• Enumeration of Name Server and Mail Server records
Procedure:
• To open Dnsdict6 in shell just type "dnsdict6". It will show the help guide.
• To find sub domains: dnsdict6 -4 domainname, ex: dnsdict6 -4 yahoo.com
• To enumerate the DNS records: dnsdict6 -d domainname, ex: dnsdict6 -d yahoo.com. It will give the DNS, Name Server and Mail Server information.
• To enumerate SRV Service Records: dnsdict6 -S domainname, ex: dnsdict6 -S yahoo.com. SRV record is the specification for data in DNS; it gives the host names and port numbers.
Conclusion:
• dnsdict6 is used for enumerating DNS records; it reveals vast information related to DNS and subdomains.

Dnsenum: It is used to gather information regarding the domain. It is available in Kali Linux and BackTrack.
Features:
• Gives the host address
• Name server information
• MX record information
• Zone transfer information
• Sub domains information via Google scraping
• Brute force the sub domains from the files
• Reverse lookups
Procedure:
• To open dnsenum, type "dnsenum" in shell prompt, ex: dnsenum
• To find the host information, type "dnsenum domain name" (no need of www before the domain name), ex: dnsenum yahoo.com. It gives the host, name servers, MX, zone and additional information.
• To get sub domains using Google scraping, type "dnsenum -p 5 -s 20 domain name" (-p -> pages, -s -> scrap)
• To brute force the sub domains, type "dnsenum -f dnslist.txt domain name" (-f -> file name)

Dnsmap: It is the passive network mapper usually used to brute force the subdomains. It is helpful to find remote access servers, misconfigured servers and new domain names; we can find the sub domains associated to a domain.
Features:
• It supports IPv6
• Gives complete IP addresses of successfully bruteforced subdomains
• Discovers connected embedded devices configured with DNS services
• Bruteforcing by using wordlist
• Delay option added to save bandwidth
• Results can be saved in CSV format
Procedure:
• To open dnsmap, type "dnsmap" in shell prompt, ex: dnsmap
• To save results in a text file, type "dnsmap domain name -r path", ex: dnsmap google.com -r /root/
• To bruteforce subdomains by own wordlist, type "dnsmap domainname -w wordlistname.txt", ex: dnsmap google.com -w mywordlist

Fierce: Fierce is a perl script written by Rsnake for information gathering.
Features:
• It is used to discover non-contiguous IP address space and for reconnaissance
• It is used for DNS zone transfer, DNS brute force and reverse lookups
• It is used for enumeration and gathering much information regarding the target system
• It is available in Kali Linux and BackTrack
Procedure:
• To open fierce, type "fierce -h" in shell prompt, ex: fierce -h. It will show the complete options.
• To find the Name Server, Zone Transfer etc. information about the target, type "fierce -dns domain", ex: fierce -dns google.com

Maltego: Maltego is an open source tool for gathering maximum information regarding networks, people and many more. It is available in both Kali Linux and BackTrack.
Features:
• It gives the collection of information posted all over the internet.
• It provides unprecedented information.
• It allows us to enumerate network and domain information.
• It allows us to search email, blogs, incoming links, meta data, etc.
• It allows us to enumerate persons' email addresses, phone numbers, domains and social groups.
Procedure:
• To open Maltego: Applications -> Kali Linux -> Information Gathering -> DNS analysis -> Maltego
• At first we need to register, if there is no account in Maltego, and we need to activate our account.
• While Maltego is running, at first we need to login. Give the login credentials.
• It will show the welcome page along with the login results.
• After successful login, it opens like this way. Click on -> 1. Manage icon -> 2. Expand Infrastructure and drag Domain.
• We can change the domain by double clicking on the domain and entering the new domain name.
• Right click on the domain icon and click -> Run Transform -> All Transforms -> To website (Quick lookup)
• To find the IP address of our target website: Right click on the icon which appeared -> Run Transform -> Resolve to IP -> To IP Address (DNS)
• To find IP Address related to domain -> Run Transform -> All Transforms -> Mirror: Email address found
• To remove items completely, press "Ctrl + A" and press the "Delete" key.

Google and its working
Google is a world famous search engine. It is famous for simplicity, relevant results, searching methodologies, identifying ads, sponsored links, identifying cyber attacks and filtering spam.

How it works?
Google bot for web crawling: It uses the web crawling bot to find and retrieve pages relative to the search results from the web and gives them to the Google indexer. All these pages are stored in Google's index database.
Google bot finds pages in two ways:
• Through an add url form www.google.com/addurl.htm
• Finding the links by crawling the web.
Google indexer:
• It indexes the full text of the pages it finds.
• The index stores alphabetically by search item, with each index entry storing a list of documents.
Google query processor:
• It evaluates the search queries and matches them to relevant items.
• Google uses Google page ranks; the page having the highest page rank appears first in the result.
• Google considers nearly 200 factors for page ranking like popularity, content, size and search terms etc.

Dorks for Google Hacking:
Google dorks are used to filter the results as per our search requirement. Web Resource: www.exploit-db.com/google-dorks
• cache: Google will search within the cached document
• link: list webpages that have links to the specified website
• related: show webpages that are similar to the website
• info: gives the information by Google
• define: definition of the words
• stocks: shows the stock information
• site: pages in the specified web site
• allintitle: Filter the results with respect to word in the url
• intitle:
• allinurl:
• inurl:

Google Hacking Tools:
• Search Diggity v3
• Bing Hacking Database
• Sharepoint – Google and Bing Hacking Dictionary Files
• GHDB Reborn Dictionaries – Exploit-DB
• SHODAN Hacking Database-SHDB

Web Crawling Tools:
• Bingbot
• FAST crawler
• Googlebot
• Polybot
• RBSE
• WebCrawler
• WebFountain
• WebRACE
• World Wide Web Worm
• Yahoo Slurp
• GNU Wget
• Heritrix
• HTTRACK

Google as a vulnerability scanner:

Web Based Footprinting:
• BlogPulse
• Pipl: https://pipl.com
• Spy
• Serph
• Monitter: Real time twitter monitoring

Addons and Tool Based Footprinting:
• Hackbar
• Tamper Data
• DOM Inspector
• HTTP Live Header
• Fire Bug

Sites for Footprinting:
• Netcraft
• Yougetsignal
• Spiderfoot
• Dnsstuff
• MxToolbox

Module 6 Scanning and Enumerations .

Scanning
• Foot printing is the first stage of hacking
• We need additional information regarding the target system, so we are doing scanning
• Scanning refers to identifying the hosts, ports, services and network

Types of Scanning
• Port Scanning: To find open ports and services
• Network Scanning: To find IP addresses and their ranges
• Vulnerability Scanning: To find the weaknesses

TCP/IP 3-way Hand Shake
The TCP three-way handshake in Transmission Control Protocol (also called the TCP-handshake): here we send three handshake messages (SYN, SYN+ACK, ACK).

NMAP
Network Mapped (Nmap) is a network scanning and host detection tool that is very useful during several steps of penetration testing. It scans the network by sending different types of packet requests. It is also a powerful utility that can be used as a vulnerability detector or a security scanner.
• Host discovery
• Discovery or enumeration
• Service discovery
• Operating system, hardware address, and the software version
• Nmap scripts
Resource: http://nmap.org

NMAP scanning techniques:
• To start a scan using nmap, just type nmap along with the IP address: nmap target/cidr, ex: nmap 192.168.1.1/24
• To scan only particular ports, use option 'p'
• Nmap SYN Scan: It is also called half-open scanning because this technique allows Nmap to get information from the remote host without the complete TCP handshake process. Nmap sends SYN packets to the destination, but it does not create any sessions. The target computer can't create any log of the interaction because no session was initiated.
• Connect scan: It completes the normal TCP three-way handshake process and requires the system to call connect.
• UDP scan: To find an open UDP port of the target machine. It does not require any SYN packet to be sent because it is targeting the UDP ports.
• FIN scan: A FIN scan sends the packet only set with a FIN flag, so it is not required to complete the TCP handshaking. nmap -sF 192.168.1.8
• To find version: nmap -sV 192.168.1.1
• To idle scan: nmap -sI zombie_host target_host
• To detect OS: nmap -O ipaddress

Evading firewall/IDS
• Firewalls and IDS (intrusion detection systems) normally play an important role to defend the remote target very well from a security point of view.
• There are two types of firewall that might be installed on the target computer:
• Host based firewall (a firewall is running on a single target computer, for example you are running a firewall on your computer)
• Network based firewall (a firewall has been installed and is running to protect the entire network and has been deployed at the node of the network, it might be a LAN)
• TCP Window Scan (-sW): the TCP window scan has been designed to differentiate between open and closed ports instead of showing unfiltered. nmap -sW 192.168.1.9
• Fragment Packets (-f): The parameter of this technique is -f; it just splits the request into small segments of IP packets called fragmented IP packets. nmap -f 192.168.1.9
• Spoof MAC Address: nmap --spoof-mac Cisco 192.168.1.3. MAC address spoofing creates a very difficult situation for the victim to identify the computer which originated the incoming request.
• TCP ACK Scan (-sA): Sends ACK packets rather than SYN packets. nmap -sA 192.168.1.1. Four types of responses:
  Open port (few ports in the case of the firewall)
  Closed port (most ports are closed because of the firewall)
  Filtered (Nmap is not sure whether the port is open or not)
  Unfiltered (Nmap can access the port but is still confused about the open status of the port)

Nmap scripting
Nmap scripts can perform so many different functions, from vulnerability scanning to exploitation and from malware detection to brute forcing. In this section I will discuss some of the best Nmap scripts and their usage:
nmap --script smb-check-vulns -p445 ipaddress
nmap -sV --script=http-enum 127.0.0.1
nmap --script=samba-vuln-cve-2012-1182 -p 139 target
nmap -sV --script=smtp-strangeport target
nmap -sV --script=http-php-version target

Scanning using hping
Hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) Unix command. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covert channel, and many other features. All header fields can be modified and controlled using the command line.
• Firewall testing
• Advanced port scanning
• Network testing, using different protocols, TOS, fragmentation
• Manual path MTU discovery
• Advanced traceroute, under all the supported protocols
• Remote OS fingerprinting
• Remote uptime guessing
• TCP/IP stacks auditing
• hping can also be useful to students that are learning TCP/IP.

Crafting TCP packets is the default behavior of Hping. By specifying the TCP flags, a destination port and a target IP address, one can easily construct TCP packets.
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)

Enumeration
Enumeration is the first attack on the target network; enumeration is the process to gather the information about a target machine by actively connecting to it. It means to identify the user account, system account and admin account. Enumerating Windows Active Directory to find out these things.

SNMP – (Simple Network Management Protocol) – an application-layer protocol for managing TCP/IP based networks. SNMP runs over UDP (which runs over IP).
SNMP Agent – a device running some software that understands the language of SNMP. Almost any network device could potentially run SNMP, but typically you will find SNMP agents running on internetworking devices (e.g. routers, switches, hubs, bridges). Some operating systems (UNIX, Windows NT) can also run SNMP agents.
NMS – (Network Management Station) – A device designed to poll SNMP agents for information.
MIB – (Management Information Base) – provides a standard representation of the SNMP agent's available information and where it is stored.

Snmpcheck
Snmpcheck allows you to enumerate the SNMP devices. It could be useful for penetration testing or systems monitoring. Distributed under GPL license and based on "Athena-2k" script by jshaw. Ex: snmpcheck -t ipaddress

Snmpenum
Ex: perl snmpenum.pl ipaddress public windows.txt
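To show how the scan types and crafted flags above look from the defender's side, here is an added example (not from this guide): it decodes the TCP flag byte with the same bit values as the hping option table (0x40 and 0x80 for the X/Y reserved bits) and flags sources whose traffic looks like a half-open SYN scan or like session-less FIN/ACK/Xmas probes. The packet records are constructed sample data, not captured traffic.

```python
"""Decode TCP flag bytes and spot scan-like behaviour in a packet log.

Added example (not from the original guide): the flag bits follow the
hping option table (X and Y are the two reserved bits 0x40/0x80), and
the log records below are constructed sample data.
"""
from collections import defaultdict

TCP_FLAGS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "X", 0x80: "Y",
}


def decode_flags(byte):
    """Return the set of flag names whose bits are set in a TCP flags byte."""
    return {name for bit, name in TCP_FLAGS.items() if byte & bit}


def classify_probe(byte):
    """Label what a single packet with these flags looks like in isolation."""
    flags = decode_flags(byte)
    if flags & {"X", "Y"}:
        return "reserved-bits"   # a normal stack never sets these; hping -X/-Y does
    if not flags:
        return "null"            # no flags at all: NULL scan
    if {"FIN", "PSH", "URG"} <= flags:
        return "xmas"            # FIN+PSH+URG lit up: Xmas scan
    if flags == {"SYN"}:
        return "syn"             # handshake step 1, or a SYN (half-open) scan
    if flags == {"FIN"}:
        return "fin-only"        # FIN with no session: FIN scan
    if flags == {"ACK"}:
        return "ack-only"        # bare ACK: handshake step 3, or an ACK scan
    return "normal"


def detect_scans(records, min_ports=10):
    """Return {src: [finding, ...]} for sources whose traffic looks like scanning.

    records: (src, dst, dport, flags_byte) for packets sent by src to dst:dport.
    A half-open scan is a source that sends SYN to many ports but completes
    (ACKs) fewer than half of those handshakes; session-less or crafted-flag
    packets are counted separately.
    """
    syn_targets = defaultdict(set)   # src -> {(dst, dport)} that received a SYN
    completed = defaultdict(set)     # src -> {(dst, dport)} where src later ACKed
    odd_probes = defaultdict(int)    # src -> count of crafted/session-less packets
    for src, dst, dport, flags in records:
        kind = classify_probe(flags)
        target = (dst, dport)
        if kind == "syn":
            syn_targets[src].add(target)
        elif kind == "ack-only" and target in syn_targets[src]:
            completed[src].add(target)          # third step of a real handshake
        elif kind in ("ack-only", "fin-only", "null", "xmas", "reserved-bits"):
            odd_probes[src] += 1                # no SYN ever preceded this packet
    findings = defaultdict(list)
    for src, targets in syn_targets.items():
        if len(targets) >= min_ports and 2 * len(completed[src]) < len(targets):
            findings[src].append(
                "half-open SYN scan: %d ports probed, %d handshakes completed"
                % (len(targets), len(completed[src])))
    for src, count in odd_probes.items():
        findings[src].append("%d session-less or crafted-flag probes" % count)
    return dict(findings)


# Constructed sample log (src, dst, dport, flags): a SYN scanner, a legitimate
# HTTPS client, and a host sending hping-style crafted packets.
SAMPLE_LOG = (
    [("10.0.0.5", "192.0.2.10", port, 0x02) for port in range(20, 32)]   # 12 SYNs
    + [("10.0.0.5", "192.0.2.10", 22, 0x04)]                             # RST, not ACK
    + [("10.0.0.7", "192.0.2.10", 443, 0x02),                            # SYN
       ("10.0.0.7", "192.0.2.10", 443, 0x10),                            # ACK (step 3)
       ("10.0.0.7", "192.0.2.10", 443, 0x18)]                            # PSH+ACK data
    + [("10.0.0.9", "192.0.2.10", 80, 0x01),                             # FIN only
       ("10.0.0.9", "192.0.2.10", 80, 0x10),                             # ACK, no session
       ("10.0.0.9", "192.0.2.10", 80, 0xC0)]                             # X|Y reserved
)

if __name__ == "__main__":
    for src, notes in sorted(detect_scans(SAMPLE_LOG).items()):
        print(src, "->", "; ".join(notes))
```

The same rule set can be fed from a real flow log by mapping each record to (src, dst, dport, flags); the threshold of ten distinct ports is a constructed value to tune per network.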

Module 7 Hiding Identity .

Hiding Identity

Why Hackers Use Proxies and VPNs?
Hackers use proxies and VPNs to hide their identity while performing attacks, so that instead of the original IP the proxy IP will be stored in the logs.

UltraSurf
UltraSurf is a product of Ultrareach Internet Corporation. Originally created to help internet users in China find security and freedom online, UltraSurf has now become one of the world's most popular anti-censorship, pro-privacy software, with millions of people using it to bypass internet censorship and protect their online privacy.

Working with UltraSurf
You can download this application from this source: http://ultrasurf.us

Tor Proxy (Anonymous Proxy)

Working with Tor browser Proxy (windows platform)
Download Tor browser bundle from here http://www.torproject.org.in

Hotspot Shield VPN

A VPN creates a secure tunnel between our machine and the VPN Gateway, allowing you to surf the internet
securely. This VPN is available for both free and paid users.

Working with Hotspot Shield VPN

Download Hotspot shield VPN from its official website http://www.hotspotshield.com/en

Now to check what IP address is assigned to you by Hotspot Shield VPN
Open site http://whatismyipaddress.com and check IP address.

Module 8
Social Engineering Toolkit

What is Social engineering tool kit (SET) ?
SET is the process of making people give away access or confidential information. The Internet
defines it as "the act of manipulating people into performing actions or divulging confidential
information. It is to do a confidence trick or simple fraud, applies to trickery for the purpose of
information gathering, fraud, or computer system access. In many cases the attacker never comes
face-to-face with the victim." Attackers always use a type of trick called SET, like offering a "free pizza" or "free
coffee". Aspects of social engineering actually touch on many parts of daily life. From a security
standpoint, it is more a collection of tools and techniques that range from negotiation, sales,
psychology and ethical hacking.

Why We Use Set ?
Most attackers never come directly toward the victim and grab the information. They use some
social engineering techniques to collect information from the victim. An attacker sends a fake post letter
to the victim to confirm whether he is at home or not. In daily life we see many types of social
engineering tricks which we only recognise after the effect.

All the social engineering tricks combined together make a tool kit for hackers called SET
(Social Engineering Toolkit) in BackTrack and Kali Linux.

Go to application – Backtrack – Exploitation tools – Social Engineering Tools – Social
Engineering Toolkit – set.

Types of Social Engineering Attack
The spear-phishing attack vectors
The web attack vectors
Infectious Media Generator
Mass Mailer Attack
Arduino-Based Attack Vector
SMS Spoofing Attack Vector
Wireless Access point Attack Vector
QRcode Generator Attack Vector
Powershell Attack Vectors

The Spear – Phishing Attack Vectors

Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking
unauthorized access to confidential data. These attempts are not typically initiated by "random hackers" but
are more likely to be conducted by perpetrators out for financial gain, trade secrets or military
information. As with the e-mail messages used in regular phishing, the messages appear to come from a
trusted source. Phishing messages usually appear to come from a large and well-known company or
Web site.

The Web Attack Vector

An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network
server in order to deliver a payload or something malicious which harms the PC or server. Attack vectors
enable hackers to exploit system vulnerabilities, including the human element. They include viruses,
e-mail attachments, web pages, pop-up windows, instant messages, chat rooms, and ads. All of these
methods involve programming, and in a few cases use hardware too. To some extent, firewalls and
anti-virus software can block attack vectors, but no protection method is totally attack-proof. A defence
method that is effective today may not remain so for long, because hackers are constantly updating attack
vectors and seeking new ones in their quest to gain unauthorized access to computers and servers.
The most common malicious payloads are viruses, trojans, worms, and spyware.

Infectious Media Generator

The majority of people have at least one USB drive to transfer files, and a common characteristic of all
humans is curiosity. These two things together can create a huge threat which can affect any company. This
type of attack allows a hacker to create a USB, DVD or CD with malicious content; when a user opens the
file inside his company, the payload is executed and returns a shell from the user's PC. This type of
attack doesn't require any knowledge and is very fast and easy for anyone to implement. This means that
anyone who can plant a malicious USB stick inside a company is a potential threat. It also points out how a
simple USB or DVD can bypass the network perimeter and become a threat for any company if the employees are
not following the security policies. For example, companies should have a policy that protects them
against such removable-media threats, and the employees should follow that policy.

Mass Mailer Attack

Sending emails in bulk to a large number of recipients, i.e. sending malicious or harmful mails to a number of people at a time. For mass mailing we can create a file with one email address per line. Finally, for sending the emails you have two options: Gmail, or your own server and open relay.

Arduino-Based Attack Vector

This attack vector utilizes an Arduino-based device and programs it. You can leverage the Teensy, which has onboard storage and can allow for remote code execution on the physical system. Since the devices are registered as USB keyboards, it will bypass any disabled autorun or endpoint protection on the system. You will need to purchase the Teensy USB device; it's roughly $22. This attack vector will create the .pde files necessary to import into Arduino, and will auto-generate the code needed to run the payload on the system for you.

SMS Spoofing Attack Vector

The SMS Spoofing Attack allows you to send crafted SMS messages to a person. You can spoof the SMS source. You can send an SMS to a single number or import a file that will send the SMS to all of them. You can use a predefined template or create your own template, so you can create a template and use it when you need it.

Wireless Access Point Attack Vector

This will create a fake access point on your wireless card and redirect all DNS queries to you. SET will create a wireless access point and a DHCP server, and spoof DNS to redirect traffic to the attacker machine. When a victim who has joined the attacker's access point tries going to a website, the DNS spoof will redirect the victim to the attacker's machine. The main method for this would be to convince a user to click the link in their browser and steal credentials or perform other attack vectors. You can run any attack vector you want.

QRcode Generator Attack Vector

It is a type of attack based on a QR code. In this attack vector a QR code is generated with a malicious link. Now send it to the victim by mail using SET. When the victim scans the QR code, the attack payload is deployed on the victim machine, and we get access to the victim machine.

Powershell Attack Vectors

The Powershell Attack Vector allows you to create PowerShell-specific attacks. These attacks let you use PowerShell, which is available by default on all Windows operating systems from Windows Vista/Windows 7 and above. PowerShell provides a fruitful landscape for deploying payloads and performing functions that do not get triggered by preventative technologies. The attack vectors range from PowerShell-based downloaders to wscript attacks and other methods.

How to Perform a Social Engineering Attack

How to start SET in BackTrack: go to Applications – Backtrack – Exploitation Tools – Social Engineering Tools – Social Engineering Toolkit – set. We have 7 different options. Use the 1st option, Social-Engineering Attacks.

Now we can find 11 options in Social-Engineering Attacks. Choose the 2nd option for Website Attack Vectors. Under Website Attack Vectors we can find 9 options. Select the 6th option, Web Jacking Attack Method.

Select the 2nd option, Site Cloner. When asked to enter the IP address for the reverse connection, mention the BT IP, then enter a site you want to clone, for example www.gmail.com, and press Enter. Now make the victim enter your IP in the URL bar to open Gmail as shown below. After clicking the URL which appears in the above window, a fake gmail.com will appear. Commonly the victim enters his username and password. Once he has entered the username and password, those credentials are automatically displayed in the attacker machine as shown in the image below.

Prevention Against Social Engineering

Social engineering describes primarily non-technical threats to company security. The broad nature of these potential threats necessitates providing information about threats and potential defenses to a range of management and technical staff within a company, including:
• Need to keep up-to-date
• Best antivirus
• Should not download any software or any stuff from untrusted sites
• Download only from official pages
• Always scan for viruses, worms and trojans
• Scan and download updates for the OS

Module 9 Advance Metasploit Exploitation

Metasploit

Metasploit was created by HD Moore in 2003 as a portable network tool using Perl. In 2007 the Metasploit Framework was completely rewritten in Ruby. Metasploit is available in BackTrack and Kali Linux.

Metasploit Terms
Exploit – a security flaw within a system, network, or application; exploit code can be added to the Metasploit Framework to execute an attack.
Payload – code executed in the victim system by a Metasploit module.
Shellcode – code used as a payload.

Metasploit Framework steps for exploiting a system using the Framework:
• Choosing and configuring an exploit
• Checking whether the target system is exploitable or not
• Choosing and configuring a payload
• Choosing the encoding technique to bypass IDS/IPS
• Executing the exploit

Metasploit Interfaces
• Metasploit Framework Edition
• Metasploit Community Edition
• Metasploit Express
• Metasploit Pro
• Armitage
• Cobalt Strike

Payloads
Metasploit contains many different types of payloads, each with a unique identity:
• Inline (Non staged)
• Staged
• Meterpreter
• PassiveX
• NoNX (No execute)
• Ordinal Payloads
• IPv6
• Reflective DLL injection

Opcode Database
The Opcode Database is an important resource for writers of new exploits. Buffer overflow exploits on Windows often require knowledge of the position of certain machine language opcodes in a program. Positions differ in the various versions and patch-levels of a given operating system. They are all documented and conveniently searchable in the Opcode Database. This is useful for writing buffer overflow exploits that work across different versions of the target.

Shellcode Database
The Shellcode Database contains the payloads used by the Metasploit Framework for exploitation.

To start Metasploit, type "msfconsole". It will load all the modules, and we can find exploit information. To start exploiting the target, we need to use the exploit.
[1] At first, we are exploiting the Windows XP system by using the netapi exploit.
[2] We need to set the victim IP address as RHOST.
[3] We need to set the payload for a reverse connection.
[4] We need to configure LHOST; it's the attacker IP.
[5] We exploit the system by typing "exploit".
[6] Finally we are attempting to trigger the exploit.
A Meterpreter shell is invoked, showing the victim's Windows prompt.

Module 10 Armitage and Fast Track Exploitation

Armitage

It is the GUI version of Metasploit, which visualizes the targets, exploits and post exploitation. Source: http://www.fastandeasyhacking.net/
Features: we can perform the following steps without using any additional tools.
• Foot printing
• Scanning
• Enumeration
Installation and usage
• It is pre-installed in BackTrack.
• In Kali Linux we need to install it: use "apt-get install armitage".
• To start Armitage, first we need to start the PostgreSQL database. Type "service postgresql start" [1] in the shell.
• Type "armitage" in the shell prompt [3].
• A window will appear [3]; click on Connect [4].
• It is going to start Metasploit [5]; click on Yes [6] to continue.
• The Armitage window will open.
• To scan any particular host move to Hosts -> Nmap Scan -> Quick Scan (OS detect). Give the individual IP address or the complete network range.
• It will display the connected devices in the network.
• To find possible attacks, click on Attacks -> Find Attacks.
• It checks the vulnerabilities.
• After successful exploitation, it will show that particular system in red colour, meaning it is attacked.

Fast-Track

Fast-Track is a tool for exploitation; it uses other pentest tools to make exploitation easy. It is available in three different forms:
• CLI
• Web interface
• Interactive
To start Fast-Track: Menu -> Backtrack -> Exploitation Tools -> Network Exploitation Tools -> Fast track -> Fasttrack-interactive
• This is the main menu of Fast-Track.
• Select option '8' to create a payload.
• To create a Reverse_Tcp Meterpreter, select option '2'.
• To encode our payload, use option '2'.
• Select the option to create an executable or shellcode. The created payload will be saved in /pentest/exploits/fasttrack.

Module 11 Sniffing

Introduction

A packet analyzer (also known as a network analyzer, protocol analyzer or packet sniffer, or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network. It is a data interception technology. Packet capture is the process of intercepting and logging traffic. As data streams flow across the network, the sniffer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications. In short, it is a program or a device that captures vital information from the network traffic of a particular network.

The objective of sniffing is to steal:
• Passwords of e-mail, web, FTP, SMB, and SQL
• E-mail text
• Files in transfer (e-mail files, FTP files or SMB)

Types of sniffing attacks
• MAC attack
• DHCP attack
• DNS poisoning
• ARP poisoning attack

Wireshark

It is a network packet sniffer and analyzer. Wireshark is perhaps one of the best open source packet analyzers available today. A network packet analyzer tries to capture network packets and display that packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed.

How to install Wireshark
Download from http://www.wireshark.org/ and run the Wireshark installer. Click Next.

Click I Agree. Click Next with the check boxes.

Click Next. Browse where to install Wireshark, select and click Next.

Check the "Install WinPcap" box to install WinPcap, which is used to capture the packets, and click Install. This is how WinPcap installs.

Installation of Wireshark is completed; click Next.

You can run the application by just checking the box; click Finish.

This is how the interface of Wireshark looks.
1 – Interface list: where we select the particular interface whose packets to sniff
2 – Start: after selecting the interface just click it, to start sniffing
3 – Capture options: selection for the types of packets
4 – Open: we can open a dump file of saved packets

This is the filter bar where we enter Wireshark filter expressions.
Examples
ip.src==192.168.0.0/20 and ip.dst==192.168.0.0/20
Show only traffic within the LAN (192.168.0.0/20). Display filter field names are case-sensitive, so write ip.src, not Ip.src.

host 192.168.x.x
Capture only traffic to or from IP address 192.168.x.x (this is a capture filter, entered under Capture options, not a display filter).

ip.addr == (google ip)

Shows only the packets to or from the google.com address given.

NetworkMiner

It is a Network Forensic Analysis Tool (NFAT) for Windows but also works on Linux and Mac OS.
It can be used as a passive network sniffer or packet capturing tool in order to detect operating
systems, sessions, hostnames, open ports etc. without putting any traffic on the network. It collects
data like forensic evidence about hosts on the network rather than collecting data regarding the
traffic on the network. It has, since the first release in 2007, become a popular tool among incident
response teams as well as law enforcement.

How to install

Download a free edition from http://www.netresec.com/

Extract NetworkMiner

Run the NetworkMiner application

**Note: Always run as administrator

Now select the interface (adapter)

Select the interface you need to sniff, click Start to start sniffing.

After starting sniffing we can see the list of hosts, and we can also extract details for each host.

We can see complete details of a host just by expanding the host. A few more options we can check out are Frames, Images, Files, Messages, Credentials, Sessions, DNS and Parameters.

Cain and Abel

It is a tool for the recovery of passwords. This tool is available for different platforms like Windows, Linux etc. Its main objective is to recover passwords from various sources: cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, and recovering wireless network keys. It cracks passwords very easily by sniffing the network traffic.

How to install Cain and Abel
1. Download it from here: http://www.oxid.it/cain.html
2. Just install it in your system. Once installed you can see its GUI interface like below.
3. The following steps will guide you to sniff complete traffic:
• Open Cain & Abel
• Click on the Sniffer tab and turn it on from the button present in the toolbar above.
4. Now it's time to add the hosts present in your network. Click on the "+" sign and click OK to add hosts.
5. Next is ARP poisoning, where we route all network traffic to go through our PC and then to the outside world so that we can sniff all traffic. To do ARP poisoning follow these steps:
• Click on the ARP tab at the bottom of Cain & Abel and then select the host whose traffic we want to sniff by clicking on the "+" sign. Before clicking on the "+" button, click on any white space area to activate the "+" sign.
• Now finally click on Start/Stop ARP to poison traffic.
6. Analyse the traffic and get sensitive information like passwords, URLs visited etc.
• Click on the Password tab located just above the status bar. At the left hand side you can choose which traffic you want to analyse.
• It will show the username and password if anyone entered them.
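The ARP poisoning described above leaves a visible trace on the wire: the gateway's and the victim's IP addresses both start resolving to the attacker's MAC. The following is an added example (not from the guide or from Cain & Abel) that parses constructed Wireshark-style ARP "Info" lines and flags that pattern the way a simple IDS rule would.

```python
"""Detect ARP poisoning from ARP reply lines (added example, not from the guide).
Input is the text Wireshark shows in its Info column for ARP frames; the
sample below is constructed, not a real capture."""
import re
from collections import defaultdict

# Constructed sample: a request, then replies. The last two replies show the
# poisoning pattern: the gateway (192.168.1.1) and the victim (192.168.1.10)
# both become "is at" the same new MAC.
SAMPLE_ARP_INFO = [
    "Who has 192.168.1.1? Tell 192.168.1.10",
    "192.168.1.1 is at 00:11:22:33:44:55",
    "192.168.1.10 is at aa:bb:cc:dd:ee:01",
    "192.168.1.1 is at 00:11:22:33:44:55",
    "192.168.1.1 is at de:ad:be:ef:00:01",
    "192.168.1.10 is at de:ad:be:ef:00:01",
]

# Wireshark's reply format: "<ip> is at <mac>"; requests ("Who has ...") are skipped.
_REPLY = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3}) is at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.I
)


def parse_arp_replies(lines):
    """Return (ip, mac) pairs for every ARP reply line, in capture order."""
    pairs = []
    for line in lines:
        m = _REPLY.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def detect_arp_poisoning(replies):
    """Return alert strings for suspicious replies, using two heuristics:
      1. an IP whose MAC differs from the first binding seen for it;
      2. one MAC claiming more than one IP, which is what a poisoner does
         to sit between the victim and the gateway."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append(f"MAC change for {ip}: {known} -> {mac}")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(parse_arp_replies(SAMPLE_ARP_INFO)):
        print(alert)
```

On a real LAN the first binding should come from a trusted source (a static ARP entry or a DHCP lease table) rather than from whichever reply arrives first.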

Module 12 System Hacking

How to bypass Windows Security

For this we need the "Kon-Boot" tool, which is freely available. Just prepare a bootable pen drive with the Kon-Boot image file.

Preparing a bootable USB with Kon-Boot in it
Just follow the steps below.
1. Open the "UNetbootin" tool and follow the steps
2. Choose "Disk image"
3. Choose the disk image format as "Floppy"
4. Browse the "Konboot-v1.1.img" file
5. Choose your bootable medium as "USB Drive"
6. Choose the location of your USB (it differs on different computers, like H:\, E:\ etc.)
7. Click "OK". Now your bootable disk, which has Kon-Boot in it, is ready.
Now we have a USB drive which has been prepared for booting up.

Using Kon-Boot to bypass Windows Security
1. Restart the computer in which you have forgotten your password, or the system which is password protected.
2. Get into the "Boot menu" when the computer restarts by pressing the "F12" key (this may differ in some computers).
3. Choose the first boot disk as your USB disk.
4. Once you have booted from your USB pen drive, you will see a page of Kon-Boot.
5. Then just press "Enter". You will be taken to a screen like this.
6. After this screen your computer will resume its normal booting and you will be logged in to the admin account without the login screen. It temporarily removes the passwords of the computer.
This is how a hacker gets into a system by bypassing the Windows logon security. This method works in all Windows versions from Windows XP to the latest Windows 8. Upgraded versions of Kon-Boot can be used to bypass Windows security on Windows Vista, 7 & 8.

Windows Password in Plain Text

Cracking passwords is difficult if we have only limited time on a machine. But a newer technique which extracts the password in plain text is possible by exploiting a Windows flaw. The tool can be found online or in the tool kit. The tool and its other uses can be found online at http://blog.gentilkiwi.com/mimikatz
1. Once we have the tool, place it in a folder. Then right click on the tool "mimikatz" and run as Administrator.
2. Once we run the tool, we get a command prompt like interface.
3. Now enter the command "privilege::debug" in the command window.
4. Now enter the command "sekurlsa::logonPasswords full" and press Enter.
5. Now we get the password of the current user in plain text format as shown below.

How to prevent System Hacking
To protect your computer from these attacks, the following steps are to be followed.
1. Create a Hard-Disk BOOT Password in the Boot menu which comes during the startup.
2. Use the SAM Lock Tool to encrypt your passwords (type "syskey" in the Run command box to get it).
3. Create a complex password which has numbers, symbols and both cases of alphabets. Like this one "P@.s5w%0Rdfl$" and not like this "password123"!
4. Use Drive Encryption Tools to protect your data from being modified or damaged.
5. Do not keep your password written on the table of your computer or anywhere nearby!

Setting up a Secure System
A system can be secured if the following methods are followed while setting up a system.
1. Use original operating systems and not pirated ones.
2. Update your OS, Antivirus and Firewall programs regularly.
3. Set up a Boot Password for BIOS and Hard-disk to prevent intruders.
4. Don't use pirated or cracked versions of Antivirus.
5. Install add-ons which help you to be secure on the web (e.g. WOT, Antiphishing, NoScript etc.).
6. Use updated browsers and use password protected browsers.
7. Be careful when installing software downloaded from free forums or websites.
8. Secure your important documents and files using encryption methods.
9. Use Drive Encryption tools to protect your data.

Module 13 Virus, Trojans and Keyloggers

What is a Trojan

A Trojan or a Trojan Horse is a malicious application that acts like a legitimate file or helpful program but whose real purpose is, for example, to grant a hacker unauthorized access to a computer. Trojan horses may steal information, or harm their host computer systems. Trojans do not attempt to inject themselves into other files like a computer virus. Most Trojans contain two important parts:
1. Server Part (installed on the victim – the infectious file)
2. Client Part (used to control the victim using a control panel)

Different ways a Trojan can get into a system
A Trojan is mostly designed in such a way that it appears to be legitimate software, and it can infect your system silently. There are several methods that a Trojan can use to infect your PC. They are as follows:
Instant Messenger applications
IRC (Internet Relay Chat)
Attachments
Physical access
Browser and email software bugs
File sharing
Fake programs
Untrusted sites and freeware software
Cracks & keygens used for software piracy
Cracked versions of paid software
Images and files like mp3, mp4, 3gp etc. via untrusted sources

DarkComet

DarkComet is a Remote Access Trojan which can perform several functions in the victim's PC once infected. It has the following functionalities:
1. Keylogger
2. Webcam Control
3. File Manager
4. Initiate FTP Connection
5. Monitor all processes
6. Open any web page remotely

Creating the Trojan
Use a virtual machine to try and create a Trojan, because the Trojan creator can itself be a Trojan.
1. Open the DarkComet creator.
2. Click on Edit Server to create a server. All settings are provided to customize your Trojan.
3. Connection settings – used to define how the Trojan is connected.
4. Server startup – to define how it will start during boot of the PC.
5. Server Shield – to protect your server from being deleted.
6. Fake Messagebox – to display a fake error message.
7. Offline Keylogger – to send all the keylogs to your FTP server.
8. Anti Virtualbox – to disable the use of VirtualBox to run the app.
9. Icon Settings – to select an icon file to disguise the application.
10. Generate Server – to create the server part, with options for selecting the file format.
Once we have created the server part, the server is distributed by some means, and when the victim executes the Trojan we get a reverse connection at the IP address specified in the settings, i.e. your IP address. Now click on the Listen button to start listening on a particular port number. Once the connection is established, options are displayed to control the infected system from our computer. This is how a simple Trojan is created. Since this is already available on the internet, almost all anti-virus products detect it as a Trojan. We will see how hackers bypass anti-virus protection and run their malicious code in the next part.

How Attackers Bypass Your Antivirus By Trojans
Anti-virus software is bypassed by hackers by the use of programs called "Crypters". Crypters are nothing but programs/tools which can change the signature of your Trojan file and/or add some random bits and encrypt your code in such a way that the antivirus program cannot detect it as a virus. Most antiviruses are signature based, and if the antivirus doesn't have the signature in its database, it cannot detect it. Some of the common crypters are:
1. Ritalin
2. Xenocode
3. PE Crypter
4. Hyperion Crypter etc.
We will see the functioning of Ritalin Crypter. It is a very simple crypter which can modify your code and produce a new file which is undetectable by most antivirus products.

Security Against Trojans
1. Install a good antivirus. Free or paid is good, but don't use cracked or pirated versions.
2. Update your anti-virus programs daily.
3. Install real-time anti-spyware protection.
4. Perform scans on your computer daily.
5. Disable autorun to prevent infection from pen drives.
6. Disable image previews if using Outlook.
7. Don't click on any mail links or attachments from unknown sources or malicious users.
8. Never download software from third-party sites. Download from the original website.
9. Don't use cracks or keygens, which may be a virus/Trojan themselves.
10. Use a hardware based firewall.
11. Use a good anti-virus which has browser plug-ins and scans all URLs for malicious content.

Module 14 Website Hacking

Authentication/Authorization Bypass

An authentication bypass flaw can be found in websites which have an unsecured authorization script.

Example:
<?php
$sql = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND password='" . $_POST['password'] . "'";
$response = mysql_query($sql);
?>

User input is not filtered here properly. How does it work? Instead of giving a proper user name and password, simply give this string: 1'or'1'='1. The query then becomes:
SELECT * FROM users WHERE username='1'or'1'='1' AND password='1'or'1'='1'
Here '1'='1' is always true, so the query matches a row without a valid user name and password.

Method to secure: use the PHP function mysql_real_escape_string. It escapes each of the characters \x00, \n, \r, \ and ' by prefixing it with a backslash (\).

Example:
<?php
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
$sql = "SELECT * FROM users WHERE username='" . $username . "' AND password='" . $password . "'";
$response = mysql_query($sql);
?>
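The same bypass and its fix, as an added example in Python with SQLite (not the guide's PHP code): the concatenated query accepts the 1'or'1'='1 string, while a parameterised query rejects it. The users table and the account in it are constructed for the demo.

```python
"""Authentication bypass via string-built SQL, and the parameterised fix
(added example, not from the guide). Uses an in-memory SQLite database."""
import sqlite3

# The exact input the guide describes giving as both user name and password.
BYPASS_INPUT = "1'or'1'='1"


def make_db():
    """Constructed users table with one account. Passwords are stored in the
    clear only to keep the demo short; real systems store salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def vulnerable_login(conn, username, password):
    """Builds the statement by concatenation, exactly like the guide's first
    PHP snippet. The user's quote characters become part of the SQL grammar,
    so the WHERE clause turns into ... OR '1'='1' and every row matches."""
    sql = ("SELECT * FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterised query: the values travel separately from the statement,
    so a quote inside them can never terminate the string literal. This is
    stronger than escaping (mysql_real_escape_string) because it does not
    depend on the developer quoting every value correctly."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_login(db, BYPASS_INPUT, BYPASS_INPUT))  # True
    print("safe:      ", safe_login(db, BYPASS_INPUT, BYPASS_INPUT))        # False
```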

SQL Injection

SQL injection is one of the most popular vulnerabilities. We can inject a SQL query via input data from the client into the application. It may lead to gaining sensitive data from the database, modifying database data, or executing administration operations on the database.

Categorized SQL injection:
• Poorly Filtered Strings
• Incorrect Type Handling
• Signature Evasion
• Filter Bypassing
• Blind SQL Injection

Manual SQL injection:
• At first we need to find a vulnerable link. We find php?id=48 at the end of the URL.
• Put a quote ('), so it's like php?id=48'. You will find some content is missing, so the website is vulnerable to SQL injection.
• We need to order the columns using the ORDER BY statement. We need to change the number until a blank page appears. When we put order by 17--, it shows a blank page. So we guess this is the page to perform our further attack.
• Use UNION SELECT to find the vulnerable column numbers.
• So, we can get the table name by using the following query, but we get only one table name. To get the complete table names, use group_concat(table_name). It will display the complete table information.
• From the above information we can predict that admin credentials may be available in the admin_user table. So, we need to grab column information from that table. Instead of giving the table name directly we need to give it in hex format.
• We got the columns of the admin table.
• To get the column information, change the string as follows. The obtained output is merged, so we put the separator : in hexadecimal, 0x3a.

SQLmap

sqlmap is an open source penetration testing tool. The process of detecting and exploiting SQL injection flaws is automated. It has a rich detection engine, database fingerprinting, fetching data from the database, and accessing and executing commands.
Features:
• It supports MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
• It supports injection techniques like boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
• It supports enumerating users, password hashes, privileges, roles, databases, tables and columns.
• It executes arbitrary commands and retrieves their standard output on the database server.
• To open sqlmap, type: sqlmap -u url --dbs (-u: the URL; --dbs: option to find the database name)
• We got the database name and additional details. To find the tables in the database: sqlmap -u url -D database_name --tables
• We get the tables information. Here admin is the required table. So, we need to grab column information from the admin table: sqlmap -u url -D database_name -T table_name --columns
• The obtained column information. We need to dump the information in the columns.

Cross Site Scripting

XSS (cross site scripting) is the most common web attack. It is used to execute HTML and JavaScript on the web page. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. The attack can be done by submitting queries into text boxes or URLs.

Types of XSS
Non-persistent (or) Reflective: When the data provided by the user, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request. A reflected attack is typically delivered via email or a neutral web site. The bait is an innocent-looking URL, pointing to a trusted site but containing the XSS vector. If the trusted site is vulnerable to the vector, clicking the link can cause the victim's browser to execute the injected script.

Persistent (or) Stored: When the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. This is most common with online message boards where users are allowed to post HTML formatted messages for other users to read.
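The stored case above turns on one thing: whether a post is escaped when it is written back into the page. The following added example (not from the guide) renders constructed message-board posts three ways: verbatim, fully escaped, and escaped with a small allow-list of formatting tags, which is how a board can still permit the "HTML formatted messages" the text mentions.

```python
"""Stored XSS on a small message board: verbatim output versus HTML-escaped
output (added example, not from the guide). Posts are constructed; the
script in them only opens an alert box."""
import html

# Constructed posts, including one a board would store and later show to
# every reader.
SAMPLE_POSTS = [
    "Hello everyone!",
    "<b>Sale!</b> <script>alert('xss')</script>",
]

# Formatting tags the board chooses to allow. No attributes are allowed,
# so nothing like an event handler can ride along on an allowed tag.
ALLOWED_TAGS = ("b", "i", "em", "strong")


def render_unsafe(posts):
    """Returns stored posts unchanged: the <script> reaches every reader's
    browser, which is the persistent XSS the text describes."""
    return "\n".join(f"<li>{p}</li>" for p in posts)


def render_escaped(posts):
    """Escapes <, >, &, \" and ' before output, so the browser displays the
    script as text instead of running it. Correct for text in the HTML body
    or inside a quoted attribute; URLs and inline JavaScript contexts need
    their own encoding."""
    return "\n".join(f"<li>{html.escape(p, quote=True)}</li>" for p in posts)


def render_limited_html(posts):
    """Escape everything first, then re-enable only the exact allowed tag
    forms. Because the allow-list is applied after escaping, a tag carrying
    attributes never matches and stays escaped."""
    out = []
    for p in posts:
        safe = html.escape(p, quote=True)
        for tag in ALLOWED_TAGS:
            safe = safe.replace(f"&lt;{tag}&gt;", f"<{tag}>")
            safe = safe.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
        out.append(f"<li>{safe}</li>")
    return "\n".join(out)


def has_live_script(markup):
    """True if an unescaped <script tag survives in the rendered output."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_POSTS))
    print(render_escaped(SAMPLE_POSTS))
    print(render_limited_html(SAMPLE_POSTS))
```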

Module 15 Data Hiding

Steganography

"Steganography is the art and science of writing hidden messages in such a way that no one apart from the sender and intended recipient suspects the existence of the message." It uses various methods to hide a secret message in any other data; it may be a picture, an mp3, a pdf, a video etc. In the olden days, secret messages were sent in normal papers or pictures using some invisible ink, or writing in wax and such methods. But now, sophisticated tools can hide your messages in any files you want. It works on the principle that all files have some insignificant bits in them. So replacing them with our secret data produces only minor changes to the picture, and hence our data can be embedded. Similar techniques are used to conceal data in various other formats. We will see some of the methods used in steganography, and some tools which are used for that.

Following are the steps to hide data behind an image.
Tools used: S-Tools
**Note: for this lab we require 1 BMP image and a text file to hide
1. Open S-Tools
2. First drag and drop the image and after that the text file, and supply a password to protect it from others
3. Right click and save the image with .bmp extension. Now the data is hidden behind the image.
4. Now if you want to reveal the data, drag and drop the image onto S-Tools, right click on it, and choose Reveal.
5. Supply the password and save the hidden file.
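The "insignificant bits" principle behind S-Tools, worked through in code: an added example (not S-Tools' own code, and unlike S-Tools it does not encrypt the payload with a password) that hides a message in the least significant bit of each sample of a constructed cover and recovers it.

```python
"""Least-significant-bit (LSB) steganography on raw pixel samples (added
example, not S-Tools' code). The cover is a constructed byte string standing
in for the pixel data of a BMP; a real BMP's header (typically 54 bytes)
would be left untouched and only the bytes after it used."""

# Constructed cover: 1024 "pixel samples" with every byte value present.
COVER = bytes(range(256)) * 4


def _bits(data):
    """Most-significant-bit-first bit stream of a byte string."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, message):
    """Return a copy of cover whose LSBs carry a 4-byte length prefix and then
    the message. Each sample changes by at most 1 out of 255, which is why the
    picture looks the same afterwards."""
    payload = len(message).to_bytes(4, "big") + message
    bits = list(_bits(payload))
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: need {len(bits)} samples, have {len(cover)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then set it
    return bytes(stego)


def _read_bytes(stego, offset, count):
    """Reassemble count bytes from the LSBs starting at sample offset."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[offset + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    """Recover the message written by embed(): length first, then payload."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def max_sample_change(cover, stego):
    """Largest per-sample difference; never more than 1 for an LSB embedding."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    hidden = embed(COVER, b"meet at noon")
    print(extract(hidden), max_sample_change(COVER, hidden))
```

Note that this is hiding, not secrecy: anyone who knows the scheme can read the LSBs, which is why S-Tools also encrypts the payload under the supplied password.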

Module 16 Wireless Hacking

the WLAN client need not provide its credentials to the Access Point during authentication. between a WLAN client and an Access Point). . This is how happen in wireless hacking WEP Cracking Wired Equivalent Privacy (WEP) it is an easily cracked security algorithm for 802. It is recognizabke by the key of 10 ot 26 hexadecimal digits and it was at one time widely used the first security choice presented to users by router configuration tools.11 wireless networks. the client must have the correct keys. At this point. In effect. Wireless local-area networks(WLANs) – also called Wi-Fi networks are vulnerable to security failure that wired networks. Any client can authenticate with the Access Point and then attempt to associate. no authentication occurs. we discuss WEP authentication in the Infrastructure mode (that is. In Open System authentication. Subsequently WEP keys can be used for encrypting data frames. WAP introduced as part of the original 802. WAP main intention was to provide data confidentiality comparable to that of a traditional wired network. Two methods of authentication is used with WEP Open System authentication and Shared Key authentication. There are two basic types of vulnerabilities associated with WLANs those caused by poor configuration and those caused by weak encryption of password.Introduction Cracking of wireless networks is the defeating of security devices in Wireless local-area networks. For the sake of clarity. Cracking is a kind of information network attack that is similar to a direct intrusion.11 standard ratified.

In Shared Key authentication. .  The Access Point replies with aclear textchallenge. and sends it back in another authentication request.Cracker) We Are Going To Crack A WPA Key : How to start gerix-wifi-cracker tool in Bt 5r3 Applications – backtrack – Exploitation tools – wireless exploitation tools – Wlan exploitation – gerix-wifi-cracker-ng. the WEP key is used for authentication in a four step challenge-response handshake:  The client sends an authentication request to the Access Point.  The client encrypts the challenge-text using the configured WEP key. If this matches the challenge-text the Access Point sends back a positive reply.  The Access Point decrypts the response. By Using A Tool (Gerix-Wifi.

Select the gerix-wifi-cracker-ng tool. This is how gerix-wifi-cracker looks.

First we need to configure the interface. If you don't find any interface, click Enable/Disable Monitor Mode before you select. Now select the monitor interface from the interface list.

After selecting our interface, a log is created and shown to us at the bottom of the tool, as seen in the above image.

After rescanning networks we get a list of available Wi-Fi networks. From the list of Wi-Fi networks, select any one as the target.

Select a target with WPA enabled, start sniffing and login, and test for injection success.

This pops up when we start sniffing a target. The injection test works like this and shows 100% completed.

Now click on WEP attacks to start attacking.

Click Autoload Victim Clients to load the victim's MAC address into the fields, and also click Client Deauthentication to capture the handshake packets.

Now the 3-way handshake is going on. Once it's done, close the window.

Click the Cracking tab and select the type of attack you wish to do. Basically, select brute-force cracking.

Now select the path of your word list from your disk, which contains many words that can break the key.

Note: before cracking the password, the packet count should cross 5000. Now click Aircrack-ng to crack the password. The key is found in encrypted form; just decrypt it, or you can use it as the password too.

WPA2 Password Cracking:
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computers and networks. WPA/WPA2 were defined in response to serious weaknesses that researchers had found in the previous system, WEP (Wired Equivalent Privacy). WPA (sometimes referred to as the draft IEEE 802.11i standard) became available in 2003. The Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more secure and complex WPA2. WPA2 became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard.

The Pre-Shared Key (PSK) mode for WPA uses a single password for all devices that connect to the wireless network. It is intended for home use, where the set of users and devices does not change often. It is not intended for business use, yet many companies use WPA-PSK because it is easier to get up and running than WPA Enterprise, which requires a RADIUS server. Every step is the same as in the previous one; just try with WPA instead of WEP.

Wireless Security Measures
Your home computer and office wireless network might be at risk, and if you don't take the necessary precautions with your wireless network, there is a possibility of encountering a bigger problem in future. Once you are attacked, all the personal information and important data will be stolen by hackers, and many more improper activities will be done from your network. Hackers do not discriminate, and they can attack any Wi-Fi where the security level is low. Below are some of the precautions to take to protect your wireless network access points.

o Secure your network by turning on WPA/WEP encryption. This ensures that any data transferred online is secured and protected. Encryption transforms information shared over the internet into codes that cannot be easily decoded or understood by humans.
o Keep your MAC address filtering option enabled. This will prevent hackers from getting access to your internet connection, as it only allows known users or devices to gain internet access.
o Change the default name and password. Routers come with a default username, which is normally the brand name. It is very important to change such information once you have set up your wireless network. Having a password or a security key also keeps unauthorized computers from accessing your wireless connection.
o Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally "linksys." True, knowing the SSID does not by itself allow your neighbors to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. Change the default SSID immediately when configuring wireless security on your network.

Module 17 Mobile Hacking

Installation of VoIP Server
Requirement:
1. Virtual machine with the following specification:
   1. RAM: 256 MB
   2. Hard disk: 10 GB
2. Trixbox
3. Any softphone.

Steps:
1. Download trixbox CE 2.6.2.2 (Stable) from the following link:
   http://master.dl.sourceforge.net/sourceforge/asteriskathome/trixbox-2.6.2.2.iso
   Burn the image to a CD. Otherwise you can use the .iso directly.
2. Start the virtual machine. You will see the cool green screen of the trixbox installation.
3. Now press ENTER to install trixbox.
4. It will ask you to select the language, so select the language you want to use. Press OK.
5. It will now ask for the timezone. Please select the correct timezone.
6. Now it will ask for the root password. Enter whatever password you want and confirm it. Installation will start within 1 minute; it will reformat your hard disk and install trixbox.
7. After installation the machine will be restarted and you will see the following screen.
8. If you want to change the IP address, enter the following command: system-config-network
9. After assigning the IP you can login to the GUI. Open your browser and enter the IP.
10. At this point it is asking for a username and password. Username: root. Password: the one you supplied during installation.
11. Click on the Switch tab. Username: maint. Password: password.
12. After clicking the Switch button the following screen will come.
13. Click on PBX > PBX Settings > Extensions.
14. Select Generic SIP Device. You need to enter the following details:
   1. User extension: (202, 302, 402 and so on)
   2. Display name: (enter any name you want)
   3. Secret: (enter any name you want)
   Click Submit.
15. The main task is to configure the softphone. Download the Zoiper softphone from the link below: http://www.zoiper.com/
16. Enter the password that you entered in the Secret field at the time of adding the user on the server. Enjoy free calling.

VoIP Hacking
Caller ID Spoofing
This is one of the easiest attacks on VoIP networks. Caller ID spoofing creates a scenario where an unknown user may impersonate a legitimate user to call other legitimate users on the VoIP network. For demonstration, let's use Metasploit's auxiliary module named sip_invite_spoof.

Scenario:
Step 1: Start your Metasploit and load the voip/sip_invite_spoof auxiliary module.
Step 2: Configure the options. In my case:
   set MSG 201                 (Caller ID)
   set RHOSTS 192.168.0.104    (Victim IP address)
   set SRCADDR 192.168.0.122   (Caller IP address)
Step 3: The auxiliary module will send a spoofed INVITE request to the victim.
Step 4: The victim considers it a legitimate call from another legitimate user.

Module 18 Honeypot

KFSensor
KFSensor is a Windows-based honeypot which is designed to attract and trap hackers by opening weak and exploitable services. It doesn't open actual services; it just simulates them.

Download link: http://www.keyfocus.net/kfsensor

Configuration
1. Download the application from the above link.
2. Before downloading, just check your system IP address.
3. Now scan your system from any remote PC which has proper connectivity with your system, using software called Zenmap. ** Now no ports and services are open here.
4. Now double-click on KFSensor to install.
5. The welcome screen will come. Just click Next to proceed.
6. Accept the license agreement and click Next to continue.
7. Choose the destination folder, or else keep the default, and then click Next to continue.
8. Click Next to continue.
9. The program is ready to install. Click Next.
10. Click on Reboot Now and click Next to finish setup.
11. After reboot go to Start --> All Programs --> KFSensor. Right-click on KFSensor and Run as administrator.
12. The KFSensor home screen will come, and the setup wizard will guide you to configure KFSensor for your machine.
13. Click on Next.
14. Select only Windows port classes, because we installed it on the Windows platform.
15. Specify the domain name; if you have none, keep it default.
16. Give an E-mail address if you want to get updates on your E-mail account. Click on Next.
17. Here keep everything default and click on Next to continue.
18. Select Install as system service.
19. Click on Finish to complete the configuration.
20. Here you will see that a number of ports and services are opened, which can alert a hacker that someone has installed a honeypot. To confuse him we will open only selected ports and services. To do so, follow the steps below.
21. Click on Edit Scenario.
22. Click on Edit.
23. Select the services and click on Delete to delete a particular service.
24. Here you can see we have opened only one service, i.e. FTP, which is running on port .
25. Now if any hacker tries to scan your system, he will find some open ports which we opened in KFSensor. But these ports are only virtual ports, not actual ports.
26. At KFSensor you will get all the details of who scanned your system. In this way we trap hackers using KFSensor.

HoneyPot Tools
Following are common honeypots in demand in the market:
1. KFSensor Site: http://www.keyfocus.net/kfsensor/
2. Honeyd Site: http://www.honeyd.org/
3. HoneyMonkey Site: http://research.microsoft.com/en-us/um/redmond/projects/strider/honeymonkey/
4. Snort Site: http://www.snort.org

Module 19 Buffer Overflow, DOS and DDOS

Buffer Overflow
Buffer overflows have become one of the biggest security problems on the internet and in modern computing. A buffer overflow is the anomaly where a program, writing data to a buffer, overruns the buffer boundary and overwrites adjacent memory. It results in erratic program behaviour, including memory access errors, crashes, or a breach of system security. Buffer overflows are invoked by inputs that are designed to execute code and change the program's execution. The common programming languages associated with buffer overflows are C and C++, which provide no built-in protection against accessing or overwriting data.

Example:
• We used a C program to accept data up to some size.
• It normally displays the content which you entered during execution.
• If we give data beyond the buffer size, it leads to a buffer overflow.
• This problem is due to the lack of proper checking of the bound values.

    #include <stdio.h>

    int main() {
        char buffer[30];
        printf("Enter Data: ");
        gets(buffer);                          /* no bound: keeps writing past 30 bytes */
        printf("Data entered by you %s\n", buffer);
        return 0;
    }

This problem can also be found in C library functions that do no bounds checking.
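The bounded counterpart of the gets() program above, added here as an example and not code from the book: the 30-byte buffer is kept, but the read is limited to the buffer size, so over-long input (such as a long run of X characters) is truncated and reported instead of spilling into the adjacent stack memory. copy_bounded() and read_line_bounded() are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 30   /* same buffer size as the gets() program in the text */

/* Copy input into dst without ever writing more than cap bytes (NUL included).
 * Returns 1 if the input had to be truncated, 0 if it fitted. */
int copy_bounded(char *dst, size_t cap, const char *input) {
    size_t n = strlen(input);
    int truncated = (n >= cap);
    size_t to_copy = truncated ? cap - 1 : n;
    memcpy(dst, input, to_copy);
    dst[to_copy] = '\0';
    return truncated;
}

/* Read one line from stream into dst using fgets(), which stops after cap-1
 * bytes. The newline is stripped and any excess bytes on the line are
 * discarded so the next read starts on a fresh line.
 * Returns 1 if the line was longer than the buffer, 0 if it fitted,
 * -1 on EOF or read error. */
int read_line_bounded(char *dst, size_t cap, FILE *stream) {
    if (cap == 0 || fgets(dst, (int)cap, stream) == NULL) return -1;
    size_t n = strcspn(dst, "\n");
    if (dst[n] == '\n') {
        dst[n] = '\0';
        return 0;
    }
    /* No newline was stored: drain the rest of the line and report
     * truncation if anything had to be thrown away. */
    int c, dropped = 0;
    while ((c = fgetc(stream)) != EOF && c != '\n') dropped++;
    return dropped > 0;
}

int main(void) {
    char buffer[BUF_SIZE];
    printf("Enter Data: ");
    int rc = read_line_bounded(buffer, sizeof buffer, stdin);
    if (rc < 0) return 1;
    if (rc == 1)
        fprintf(stderr, "warning: input longer than %d bytes, truncated\n", BUF_SIZE - 1);
    printf("Data entered by you %s\n", buffer);
    return 0;
}
```

The point of the two helpers is that the destination size travels with the pointer: every write is checked against cap, which is exactly what gets(), strcpy() and the other functions named in this section never do.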

Such unchecked functions in C include strcpy(), strcat(), sprintf(), vsprintf(), scanf(), getchar(), etc.

Memory structure:

    Higher Memory [0xFFFFFFFF]
    --------------------------------
    STACK
    ++++++++++++++++++++++++++++++++
    ++++++++++++++++++++++++++++++++
    HEAP
    --------------------------------
    DATA
    --------------------------------
    TEXT
    --------------------------------
    Lower Memory [0x00000000]

TEXT: The area where the executable code or program code is stored. It includes 'read-only data'. An attempt to write data in the text region will cause a 'segmentation violation'. In an executable file we usually have a text section.
DATA: The region of memory where static variables are stored. Executable files have 'data-bss sections'.
HEAP: This region of memory holds dynamic-length data. This area of memory is allocated dynamically at run time for the process.
STACK: This region is used to dynamically allocate the local variables used in functions, to pass parameters to the functions, and to hold control information. The stack works with the LIFO [last in, first out] concept: the last object placed on the stack will be the first object removed.
RET (Saved Return Address): when a function or procedure is called, the system saves where it was called from. When the function ends, it reads the 'return address' and the program returns to where it left off. This address is also known as the "saved return address".

    ======================================
    BUFFER[ ]  <---- 30 bytes
    ======================================
    RETURN ADDRESS
    ======================================

But if the user inputs more than 30 bytes of data, e.g. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [user input], this is how it would look in memory:

    ======================================
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    ======================================
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    ======================================

The input has overflowed the space allocated for the buffer and even overwritten the return address; program control cannot find the return address and shows us a 'segmentation violation' error.

Hping
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) Unix command. hping supports ICMP echo requests and the TCP, UDP, ICMP and RAW-IP protocols. hping can also be useful to analyse TCP/IP.
Features:
• Advanced port scanning
• Network testing, using different protocols, TOS, fragmentation
• Manual path MTU discovery
• Advanced traceroute, under all the supported protocols
• Remote OS fingerprinting
• Remote uptime guessing
• TCP/IP stacks auditing
• To open hping3 in the GUI: Applications -> Information Gathering -> Live Host Gathering -> hping3.

• The available options in hping3: it provides so many options to craft the packets.
• Flooding with SYN packets: hping3 --rand-source ip address --flood -S -L 0 -p 80
• Flooding with UDP packets: hping3 --rand-source --udp -p ipaddress --flood

Some more options:
• hping3 --rand-source -SA -p <open port> <target IP>: sending SYN+ACK packets from a random source.
• hping3 --rand-source -SAFRU -L 0 -M 0 -p <port> <target> --flood: sending SYN+ACK+FIN+RST+URG packets with TCP ack (-L) and TCP seq (-M).
• hping3 --icmp --spoof <target address> <broadcast address> --flood: flooding with ICMP packets from a spoofed IP (--spoof).

Slowloris
It is a DoS attacking tool; the entire script is written in Perl, written by RSnake. It supports IPv4 and IPv6.
Functionality: Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way web servers can be quickly tied up.
Install Slowloris
• Get a copy: http://ha.ckers.org/slowloris/slowloris.pl
• sudo apt-get install libio-socket-ssl-perl
• cd /pathto/slowloris
• Now you should be ready to run slowloris.pl

Examples:
• perl slowloris.pl -dns www.example.com
• perl slowloris.pl -dns www.example.com -port 80
• perl slowloris.pl -dns www.example.com -port 80 -num 500 (-num: number of sockets you want to open)
• perl slowloris.pl -dns www.target.com -port 80 -timeout 30 -num 500 -tcpto 1 -shost www.virtualhost.com
• perl slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 500 -https

LOIC
Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application, written in C#. LOIC was initially developed by Praetox Technologies. It performs DoS on a target site by flooding the server with TCP or UDP packets with the intention of disrupting the service.
Features:
• JavaScript-based JS LOIC
• Enable DoS from the web browser by using http://loworbitwebcannon.blogspot.in
• To run LOIC -> install LOIC -> install dotnetfx 4.0 (no need if already installed) -> click on the LOIC icon

Steps to run:
Step 1: Give the URL address and click on Lock On.
Step 2: Give the IP address instead of the URL.
Step 3: It displays the IP address of the target.
Step 4: Choose which method you are going to use for the request, like HTTP, TCP, UDP.
Step 5: You can move the cursor to change the request speed.
Step 6: To start the attack, click on the button.
Step 7: To stop the attack, click on the button "Stop flooding".
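From the defender's side, the tools in this module leave two recognisable traces: a SYN flood produces many connection attempts per source, and Slowloris leaves many HTTP requests whose headers never complete. The following is an added detection example, not code from the book or from any of these tools: it folds constructed connection-log lines of the form "<epoch> <src_ip> <SYN|PARTIAL|OK>" (a format invented for this example) into per-source counters and flags sources that cross a threshold. The thresholds and the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 addresses are example values.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SRC 64
#define SYN_THRESHOLD 100        /* SYNs from one source within the window (example value) */
#define PARTIAL_THRESHOLD 50     /* HTTP requests left incomplete by one source (example value) */

struct src_stats {
    char ip[16];
    unsigned syn;      /* TCP SYNs seen from this source */
    unsigned partial;  /* HTTP requests whose headers never completed */
};

struct table {
    struct src_stats s[MAX_SRC];
    size_t n;
    unsigned total_syn; /* SYNs from all sources: --rand-source floods only show up here */
};

/* Find or create the counter slot for ip; NULL when the table is full. */
static struct src_stats *slot_for(struct table *t, const char *ip) {
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->s[i].ip, ip) == 0) return &t->s[i];
    if (t->n == MAX_SRC) return NULL;
    struct src_stats *s = &t->s[t->n++];
    memset(s, 0, sizeof *s);
    strncpy(s->ip, ip, sizeof s->ip - 1);
    return s;
}

/* Parse one constructed log line "<epoch> <src_ip> <SYN|PARTIAL|OK>" and
 * update the counters. Returns 0 on success, -1 if the line is malformed
 * or the source table is full. */
int ingest_line(struct table *t, const char *line) {
    long ts;
    char ip[16], ev[16];
    if (sscanf(line, "%ld %15s %15s", &ts, ip, ev) != 3) return -1;
    (void)ts;  /* the window is the whole sample here; a real detector would bucket by time */
    struct src_stats *s = slot_for(t, ip);
    if (s == NULL) return -1;
    if (strcmp(ev, "SYN") == 0) { s->syn++; t->total_syn++; }
    else if (strcmp(ev, "PARTIAL") == 0) s->partial++;
    return 0;
}

/* 1 if this source's counters cross either per-source threshold. */
int is_flagged(const struct src_stats *s) {
    return s->syn >= SYN_THRESHOLD || s->partial >= PARTIAL_THRESHOLD;
}

/* Number of sources that cross a per-source threshold. */
size_t flagged_sources(const struct table *t) {
    size_t count = 0;
    for (size_t i = 0; i < t->n; i++)
        if (is_flagged(&t->s[i])) count++;
    return count;
}

/* Build a constructed sample (one SYN flooder, one slow-header client, a few
 * ordinary clients), run the detector over it and return the flagged count. */
size_t run_demo(void) {
    struct table t = {0};
    char line[64];
    for (int i = 0; i < 120; i++) {     /* SYN flood from a single address */
        snprintf(line, sizeof line, "%ld 198.51.100.7 SYN", 1700000000L + i);
        ingest_line(&t, line);
    }
    for (int i = 0; i < 60; i++) {      /* Slowloris-style partial requests */
        snprintf(line, sizeof line, "%ld 203.0.113.9 PARTIAL", 1700000000L + i);
        ingest_line(&t, line);
    }
    for (int i = 0; i < 5; i++) {       /* ordinary completed requests */
        snprintf(line, sizeof line, "%ld 192.0.2.%d OK", 1700000000L + i, 10 + i);
        ingest_line(&t, line);
    }
    return flagged_sources(&t);
}

int main(void) {
    printf("flagged sources: %zu\n", run_demo());
    return 0;
}
```

Note the caveat built into the table: per-source counting is defeated by hping3's --rand-source option shown above, because every packet then carries a different address, so a real deployment also alerts on total_syn (the aggregate rate) and not only on the per-source counters.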

Module 20 Reverse Engineering

Introduction
Reverse engineering is done to retrieve the source code of a program because the source code was lost, to study how the program performs certain operations, to improve the performance of a program, to fix a bug (correct an error in the program when the source code is not available), to identify malicious content in a program such as a virus, or to adapt a program written for use with one microprocessor for use with another. Reverse engineering for the purpose of copying or duplicating programs may constitute a copyright violation. In some cases, the licensed use of software specifically prohibits reverse engineering. "Engineering has constructed a building; we break that structure to use it in our own way."

Assembly Language Basics
Introduction
Assembly is the most basic programming language available for any processor. With assembly language, a programmer works only with operations implemented directly on the physical CPU. Assembly language lacks high-level conveniences such as variables and functions, and it is not portable between various families of processors. Nevertheless, assembly language is the most powerful computer programming language available, and it gives programmers the insight required to write effective code in high-level languages. Learning assembly language is well worth the time and effort of every serious programmer.

Basics of Assembly Language
Assembly language statements are entered one statement per line. Each statement follows the following format:

    [label] mnemonic [operands] [;comment]

The fields in the square brackets are optional. A basic instruction has two parts: the first one is the name of the instruction (the mnemonic), which is to be executed, and the second are the operands or the parameters of the command.

Example program (NASM syntax, 32-bit Linux):

    section .text
    global _start            ; must be declared for linker (ld)
    _start:                  ; tells linker entry point
        mov edx, len         ; message length
        mov ecx, msg         ; message to write
        mov ebx, 1           ; file descriptor (stdout)
        mov eax, 4           ; system call number (sys_write)
        int 0x80             ; call kernel
        mov eax, 1           ; system call number (sys_exit)
        int 0x80             ; call kernel

    section .data
    msg db 'Hello, world!', 0xa   ; our dear string
    len equ $ - msg               ; length of our dear string

Identifying Flaws
After installing an application on the computer, normally every application asks you to register with it. We need a key or serial number to register with that application to activate the full version and to use more benefits in real time. So we need to give a serial key in the field to get it activated. Now if we try to enter some user name and some registration code, we get an error like this saying "The username and serial number is not valid". This is the error message we got from the application. Now we search for that error inside the application.

Debuggers
A debugger or debugging tool is a computer program that is used to test and debug other programs. The code to be examined might alternatively be running on an instruction set simulator (ISS), a technique that allows great power in its ability to halt when specific conditions are encountered, but which will typically be somewhat slower than executing the code directly on the appropriate processor.

List of debuggers:
• GNU Debugger (GDB)
• Intel Debugger (IDB)
• LLDB
• Microsoft Visual Studio Debugger
• Valgrind
• WinDbg
• Eclipse debugger API used in a range of IDEs: Eclipse IDE (Java), Nodeclipse (JavaScript)

Tool used: Applications – BackTrack – Reverse Engineering – ollydbg.

Now go to File and open the .exe file from where it got installed, to load its hex values into OllyDbg. This is how the values are seen in OllyDbg. Now search here for the flaw that popped up when we tried to register with a user name and serial key.

Now right-click and go to Search for and then All referenced text strings. A new window appears.

Right-click and select Search for text. Search in the field for the error which we got while trying to register the application. Check the Entire scope box and click OK. After clicking OK you will find the error in the field.

After finding the messages, double-click on the flaw; another window appears showing you the error message.

Bypassing & Cracking
Move upward until you get JNZ SHORT powerISO.00456236. Now double-click on JNZ SHORT powerISO.00456236, change the JNZ SHORT 00456236 value into JNP SHORT 00456236, and click Assemble. Right-click, go to the Copy to executable option, click All modifications, and click Copy all. Right-click, choose Save file, and copy the cracked .exe file and paste it into the installed folder.

After copying and replacing the .exe file in Program Files, run the application and enter some junk into the user name field and the serial number field, as shown in the above image, and press Enter. The application says "Thank you for your registration". Cracking of an exe file is done and the reverse engineering task is completed.

Counter Measures
Anti-analysis protections originally have their roots in copy-protection mechanisms used against software piracy, but nowadays they are also heavily used for malware and for software that is concerned about security or theft of intellectual property. Since all protections can be broken, the aim is not to render the analysis impossible, but at least to make it as hard as possible and to hide essential data within the irrelevant. Especially for malware, winning time is crucial to reach maximum infection before an AntiVirus (AV) signature is available. The different methods to protect a binary can be divided into passive and active measures. The passive ones try to disturb or complicate the static analysis approach, while the active measures aim at the dynamic analysis process.
• Passive Protection Measures
• Active Protection Measures
• Anti Debugging
• Anti Dumping
• Anti Emulation
• Anti Virtualization

Module 21 Pentest Methodology

Penetration Testing Methodology
1. Open Source Security Testing Methodology Manual (OSSTMM)
2. Information Systems Security Assessment Framework (ISSAF)
3. Open Web Application Security Project (OWASP) Top Ten
4. Web Application Security Consortium Threat Classification (WASC-TC)
5. BackTrack Based Penetration Testing

1. Open Source Security Testing Methodology Manual (OSSTMM)
Scope: The scope defines a process of collecting information on all assets operating in the target environment.
Channel: A channel determines the type of communication and interaction with these assets, which can be physical, spectrum, and communication. All of these channels depict a unique set of security components that has to be tested and verified during the assessment period. These components comprise physical security, human psychology, data networks, wireless communication medium, and telecommunication.
Index: The index is a method which is considerably useful while classifying these target assets corresponding to their particular identifications, such as MAC address and IP address.
Vector: The vector concludes the direction by which an auditor can assess and analyze each functional asset. This whole process initiates a technical road map towards evaluating the target environment thoroughly and is known as the Audit Scope.

There are different forms of security testing which have been classified under the OSSTMM methodology, and their organization is presented within six standard security test types:
Blind: Blind testing does not require any prior knowledge about the target system, but the target is informed before the execution of an audit scope. Ethical hacking and war gaming are examples of blind type testing. This kind of testing is also widely accepted because of its ethical vision of informing a target in advance.
Double blind: In double blind testing, an auditor does not require any knowledge about the target system, nor is the target informed before the test execution. Black-box auditing and penetration testing are examples of double blind testing. Most of the security assessments today are carried out using this strategy, thus putting a real challenge for auditors to select the best-of-breed tools and techniques in order to achieve their required goal.
Gray box: In gray box testing, an auditor holds limited knowledge about the target system and the target is also informed before the test is executed. Vulnerability assessment is one of the basic examples of gray box testing.
Double gray box: Double gray box testing works in a similar way to gray box testing, except that the time frame for an audit is defined and there are no channels and vectors being tested. White-box audit is an example of double gray box testing.
Tandem: In tandem testing, the auditor holds minimum knowledge to assess the target system and the target is also notified in advance before the test is executed. It is fairly noted that tandem testing is conducted thoroughly. Crystal box and in-house audit are examples of tandem testing.
Reversal: In reversal testing, an auditor holds full knowledge about the target system and the target will never be informed of how and when the test will be conducted. Red-teaming is an example of reversal type testing.

2. Information Systems Security Assessment Framework (ISSAF)
The ISSAF was developed to focus on two areas of security testing, technical and managerial. The assessment process chooses the shortest path to reach the test deadline by analyzing its target against critical vulnerabilities that can be exploited with minimum effort. Since auditing requires a more established body to proclaim the necessary standards, its assessment framework does include the Planning, Assessment, Treatment, Accreditation, and Maintenance phases. Each of these phases holds generic guidelines that are effective and flexible to any organizational structure. The output is a combination of operational activities, security initiatives, and a complete list of vulnerabilities that may exist in the target environment.

3. Open Web Application Security Project (OWASP) Top Ten
In order to justify the top ten application security risks presented by OWASP, we have explained them below with their short definitions, exemplary types, and preventive measures:

A1 - Injection: A malicious data input given by an attacker to execute arbitrary commands in the context of a web server is known as an injection attack. SQL, XML, and LDAP injections are some of its well-known types. Escaping the special characters from user input can prevent the application from malicious data injection.

A2 - Broken Authentication and Session Management: Use of insecure authentication and session management routines may result in the hijacking of other user accounts and predictable session tokens. Developing a strong authentication and session management scheme can prevent such attacks. The use of encryption, hashing, and a secure data connection over SSL or TLS is highly recommended.

A3 - Cross-Site Scripting (XSS): An application that does not properly validate the user input and forwards those malicious strings to the web browser, which once executed may result in session hijacking, cookie stealing, or website defacement, is known as vulnerable to cross-site scripting (XSS). By escaping all the untrusted meta characters based on the HTML, JavaScript, or CSS output context, one can prevent the application from cross-site scripting attacks.

A4 - Insecure Direct Object References: Providing a direct reference to the internal application
object can allow an attacker to manipulate such references and access the unauthorized data, unless
authenticated properly. This internal object can refer to a user account parameter value, filename, or
directory. Restricting each user-accessible object before validating its access control check should
ensure an authorized access to the requested object.

A5 - Cross-Site Request Forgery (CSRF): Forcing an authorized user to execute forged HTTP
requests against a vulnerable web application is called a cross-site request forgery attack. These
malicious requests are executed in terms of a legitimate user session so that they can not be
detected. Binding a unique unpredictable token to every HTTP request per user session can provide
mitigation against CSRF.

A6 - Security Misconfiguration: Sometimes using a default security configuration can leave the
application open to multiple attacks. Keeping the entire best known configuration for the deployed
application, web server, database server, operating system, code libraries, and all other application
related components is vital. This transparent application security configuration can be achieved by
introducing a repeatable process for software updates, patches, and hardened environment rules.

A7 - Insecure Cryptographic Storage: Applications that do not employ the cryptographic
protection scheme for sensitive data, such as health care information, credit card transaction,
personal information, and authentication details fall under this category. By implementing the
strong standard encryption or hashing algorithm one can assure the security of data at rest.

A8 - Failure to Restrict URL Access: Those web applications that do not check for the access
permissions based on the URL being accessed can allow an attacker to access unauthorized pages.
In order to resolve this issue, restrict the access to private URLs by implementing the proper
authentication and authorization controls, and develop a policy for specific users and roles that are
only allowed to access the highly sensitive area.

A9 - Insufficient Transport Layer Protection: Use of weak encryption algorithms, invalid
security certificates, and improper authentication controls can compromise the confidentiality and
integrity of data. This kind of application data is always vulnerable to traffic interception and
modification attacks. Security of such applications can be enhanced by implementing SSL for all
sensitive pages and configuring a valid digital certificate issued by an authorized certification
authority.

A10 - Unvalidated Redirects and Forwards: There are many web applications which use dynamic
parameter to redirect or forward a user to a specific URL. An attacker can use the same strategy to
craft a malicious URL for users to be redirected to phishing or malware websites. The same attack
can also be extended by forwarding a request to access local unauthorized web pages. By simply
validating a supplied parameter value and checking the access control rights for the users making a
request can avoid illegitimate redirects and forwards.
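The parameter validation that A10 calls for is an allow-list decision, not a pattern search. The following added example (not code from the book) accepts a redirect target only if it is a local path or an http(s) URL whose host exactly matches a short allow-list; is_safe_redirect() and the ALLOWED_HOSTS entries are names and values chosen for this example. It rejects the usual bypass shapes: a scheme-relative "//host" that browsers treat as absolute, a userinfo trick such as "http://allowed@evil", an unexpected port, a look-alike host with the allowed name as a prefix, and non-http schemes like javascript:.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Hosts this application is willing to send users to (example values). */
static const char *const ALLOWED_HOSTS[] = { "www.example.com", "login.example.com" };

/* Case-insensitive comparison of exactly n bytes. */
static int eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Return 1 if target is a local path (a single leading '/') or an absolute
 * http(s) URL whose host is exactly one of ALLOWED_HOSTS; 0 otherwise. */
int is_safe_redirect(const char *target) {
    if (target == NULL || target[0] == '\0') return 0;
    if (target[0] == '/')
        /* "//evil.example" and "/\evil.example" are scheme-relative, not local */
        return target[1] != '/' && target[1] != '\\';
    const char *rest;
    if (strlen(target) >= 8 && eq_nocase(target, "https://", 8)) rest = target + 8;
    else if (strlen(target) >= 7 && eq_nocase(target, "http://", 7)) rest = target + 7;
    else return 0;   /* javascript:, data:, ftp:, or a bare host name */
    /* the host ends at the first '/', '?', '#', ':' (port) or '@' (userinfo) */
    size_t hlen = strcspn(rest, "/?#:@");
    if (hlen == 0 || rest[hlen] == '@' || rest[hlen] == ':') return 0;
    for (size_t i = 0; i < sizeof ALLOWED_HOSTS / sizeof ALLOWED_HOSTS[0]; i++) {
        const char *h = ALLOWED_HOSTS[i];
        if (strlen(h) == hlen && eq_nocase(rest, h, hlen)) return 1;
    }
    return 0;
}
```

When the check fails, the handler should redirect to a fixed safe page rather than echo the rejected value back into the response.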

4. Web Application Security Consortium Threat Classification
(WASC-TC)
Identifying the application security risks requires a thorough and rigorous testing procedure which
can be followed throughout the development lifecycle. WASC Threat Classification is another such
open standard for assessing the security of web applications. Similar to the OWASP standard, it is
also classified into a number of attacks and weaknesses, but addresses them in a much deeper
fashion. Practicing this black art for identification and verification of threats hanging over the Web
application requires standard terminology to be followed which can quickly adapt to the technology
environment. This is where the WASC-TC comes in very handy. The overall standard is presented
in three different views to help developers and security auditors to understand the vision of web
application security threats.

1. Enumeration View: This view is dedicated to providing the basis for web application attacks and
weaknesses. Each of these attacks and weaknesses is discussed individually with a concise
definition, types, and examples for multiple programming platforms. Additionally, each is listed
with a unique identifier which can be used for referencing. There are a total of 49 attacks and
weaknesses, collated with a static WASC-ID number (1 to 49). It is important to note that this
numeric representation does not reflect risk severity but instead serves the purpose of referencing.

2. Development View: The development view takes the developer's panorama forward by
combining the set of attacks and weaknesses into vulnerabilities which are likely to occur in any
of three consecutive development phases: design, implementation, or deployment. Design
vulnerabilities are introduced when the application requirements do not address security at the
initial stage of requirements gathering. Implementation vulnerabilities occur due to insecure coding
principles and practices. And deployment vulnerabilities are the result of misconfiguration of the
application, web server, and other external systems. Thus, the view broadens the scope for its
integration into a regular development lifecycle as a part of best practices.

3. Taxonomy Cross Reference View: This is a cross reference view of multiple web application
security standards which can help auditors and developers map the terminology presented in one
standard to another. With a little more effort, the same facility can also assist in achieving
compliance with multiple standards at the same time. However, in general, each application
security standard defines its own criteria to assess applications from different angles and measure
their associated risks. Thus, each standard requires different efforts to be made to scale up the
calculation of risks and their severity levels. The WASC-TC attacks and weaknesses presented in
this category are mapped to the OWASP Top Ten, Mitre's Common Weakness Enumeration (CWE),
Mitre's Common Attack Pattern Enumeration and Classification (CAPEC) and the SANS-CWE Top 25
list.

5. Backtrack Based Penetration Testing

The BackTrack testing process is outlined below.

1. Target scoping

2. Information gathering

3. Target discovery

4. Enumerating target

5. Vulnerability mapping

6. Social engineering

7. Target exploitation

8. Privilege escalation

9. Maintaining access

10. Documentation and reporting

6. Scope of Pen-testing
Scope defines what we can test:

1. A single system
2. Multiple systems
3. Whole network
4. Networking Devices
5. Web Application
6. System Application

The scope of VA & PT is very wide; we can perform VA & PT on almost every device and every
type of network.

7. Why Penetration Testing
Nowadays penetration testing has become a need for every company, for the following reasons.
1. To minimize the risk of zero-day vulnerabilities.
2. To expose vulnerabilities and release patches for them.
3. To identify loopholes before hackers do.
4. If a problem is there, report it to the security team.
5. Implementation of a security team.
6. Exposure of the security level to be maintained.

Module 22
Live VA-PT

1. Manual VA-PT
Manual vulnerability assessment and penetration testing is the best practice, but it takes time
compared to tool based testing. So if you are performing testing without a tool you need to know
the common vulnerabilities that exist in the real world.

To test SQL injection manually

--> Find a URL revealing the ID of an object.

Example:- http://www.abc.com/index.php?id=1

Just put a single quote ' after the ID number.

Example:- http://www.abc.com/index.php?id=1'

**Here we are getting an SQL syntax error. It means the page is vulnerable to SQL Injection.
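Added example (not from the book) showing why the stray quote produces the syntax error the test looks for, and the parameterised query that does not have the problem. The in-memory SQLite table is constructed for the demo and stands in for the site's database.

```python
import sqlite3


def _demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, id_param: str):
    """Builds the statement by string concatenation, as a page like
    index.php?id=... often does. id=1' yields ... WHERE id = 1' which the
    database rejects with a syntax error: the signal the manual test relies on."""
    sql = "SELECT id, name FROM items WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, id_param: str):
    """Parameterised statement: the driver passes id_param as a value, never
    as SQL text, so a quote in it cannot change the statement."""
    return conn.execute("SELECT id, name FROM items WHERE id = ?", (id_param,)).fetchall()


def probe(lookup, id_param: str) -> str:
    """Run one lookup on a fresh demo database and summarise what a tester
    would observe: a row count, or the database error behind the error page."""
    conn = _demo_db()
    try:
        return f"rows:{len(lookup(conn, id_param))}"
    except sqlite3.OperationalError:
        return "sql-error"
    finally:
        conn.close()
```

With the concatenated query, `id=1'` is a database error while the parameterised query simply finds no row with that ID.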

To test XSS manually, visit any site and find input boxes like a search box, a comment box, a URL accepting arguments, etc. Put this simple JavaScript "><script>alert("Test")</script> in the input boxes of the website; if you get a pop-up, it means the site is vulnerable to XSS. Here we have a sample site where we input the simple JavaScript in the Find box, and when we click on Find, a pop-up appears, which means this site is vulnerable to XSS.
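Added example (not from the book) of what the pop-up test string does to a page that reflects the Find box value into an HTML attribute, beside the same page with attribute escaping. The page template is constructed for the demo.

```python
import html

# The test string from the text: the leading "> closes the value attribute and
# the <input> tag, so everything after it is parsed as markup.
PAYLOAD = '"><script>alert("Test")</script>'


def vulnerable_find_page(term: str) -> str:
    """Reflects the search term straight into the Find box's value attribute."""
    return f'<p>Results for: {term}</p><input name="q" value="{term}">'


def hardened_find_page(term: str) -> str:
    """Same page with the term HTML-escaped. html.escape(quote=True) turns
    '"' into '&quot;' and '<' into '&lt;', so the browser renders the payload
    as text inside the attribute and the paragraph instead of as a script."""
    safe = html.escape(term, quote=True)
    return f'<p>Results for: {safe}</p><input name="q" value="{safe}">'


def contains_script_tag(page: str) -> bool:
    """Crude check used only to contrast the two pages: does a real <script>
    element appear in the served HTML?"""
    return "<script>" in page.lower()
```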

Testing each and every vulnerability manually will take a lot of time. So the solution is testing with
tools. In the market we have lots of tools; some of them are listed below.

Acunetix WVS (web vulnerability scanner)

Acunetix WVS (web vulnerability scanner) automatically checks web applications for
vulnerabilities such as SQL injection, cross site scripting, arbitrary file creation/deletion, and weak
password strength on authentication pages. It boasts a comfortable GUI, the ability to create
professional security audit and compliance reports, and tools for advanced manual webapp testing.

AppScan

AppScan provides security testing throughout the application development lifecycle, easing unit
testing and security assurance early in the development phase. AppScan scans for many common
vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden
field manipulation, backdoors/debug options, buffer overflows and more.

Nessus

Nessus is a remote security scanning tool which scans a computer and raises an alert if it discovers
any vulnerabilities that malicious hackers could use to gain access to any computer you have
connected to a network. It does this by running over 1200 checks on a given computer, testing to
see if any of these attacks could be used to break into the computer or otherwise harm it.

2. Tool Based VA-PT
Performing a VA-PT with a tool is very easy, but we should know how to work with our tool. So this
tutorial will guide you through how to do a pentest.

Requirement
1. A Computer
2. Nessus
3. Human effort.
4. Internet

Nessus is a good tool for VA-PT and is widely used in many scenarios. It is a multi-platform tool that
can be used for testing different flavours of operating system like Windows, Linux, Solaris, FreeBSD
etc., and for network pentests such as router and switch testing.

Download link:- http://www.tenable.com/products/nessus

Working With Nessus

1. Download Nessus from here
http://www.tenable.com/products/nessus/nessus-download-agreement.

2. Accept the license by clicking on the "Agree" tab.

3. Select the operating system. I am downloading for the Windows platform.

4. Once the download is complete, click on the setup file to start installation.

5. Click Next to continue.

6. Accept the license and click on Next.

7. Keep the destination folder as the default location.

8. Select "Complete" as the setup type.

9. Click on Install to start installing.

10. It will take time to install.

11. Once installed, click on Finish.

12. After that the web interface will come up and ask to connect via SSL.

13. Click on "I Understand the Risks" and then click on "Add Exception" to start a secure connection.

14. Click on "Confirm Security Exception".

15. The Welcome screen will come up. Click on "Get started".

16. Create a user here.

17. Next it will ask for activation. You can purchase it and get a key, but you can also get an
activation key for 15 days free. Go to this link:
http://www.tenable.com/products/nessus-professionalfeed/nessus-evaluation and click on Evaluate.

18. Accept the Nessus evaluation agreement.

19. Fill in your details here. It will ask for an email ID so that it can send you an activation key for
15 days. **Open your email ID; you will find the activation key either in the INBOX or the SPAM
folder. Put that key in the Nessus activation window.

20. Once activation is done, it will prompt you to download plugins. Click on it to start downloading
updated plugins.

21. It will start downloading plugins.

22. After that it will start installing them in your system.

23. Once done, the home screen of Nessus will come up and ask you to login with username and
password.

24. Login with the username and password created above.

25. Click on Scan --> New Scan.

26. Specify what to test in the scan policy. With Nessus you can test web applications as well as
networks. After that, mention the target IP address or URL. Click on "Create Scan" to start scanning.

27. The scan will start.

28. When completed, double click on your scan to explore it. It will list all your target's
vulnerabilities and loopholes. Click on a vulnerability to explore it.

3. Reporting a VA-PT
Reporting is nothing but a detailed report about the scan, written in a proper way so that it can be
easily understood by everyone. Reporting in Nessus is very easy:

1. Click on Export.

2. Choose the export format.

3. Choose the chapters and then click on Export.

4. Select "Save File" and click on OK.

5. Right click on the saved file and choose "Open" to open it with the Firefox browser. Now here is
the detailed report of the target. Scroll down to see more.