SIDDAGANGA POLYTECHNIC
Department of Computer Science & Engineering
2013-2014
SIDDAGANGA POLYTECHNIC, Tumkur-3 Department of Computer Science & Engg. 2
1. Learn to install Wine/Virtual Box/Cygwin or any other equivalent Software
on the host Operating System.
INSTALLING CYGWIN
PREREQUISITES:
1. Make sure that you are using a version of Windows supported by Cygwin, and that you have
sufficient disk space and time available for the installation, as indicated above.
2. If your Windows login name contains a space character, consider changing it or creating a
separate login for use with Cygwin. The Cygwin installer names your home directory
according to your Windows login name. It is usually possible to work around problems caused
by directory or file names that contain spaces.
3. Some virus scanners may interfere with Cygwin installation. If you encounter problems,
consider disabling your virus scanner during Cygwin installation and re-enabling it afterwards.
15. Once all selected package files have been downloaded and checked, they are unpacked
into the Cygwin root install directory.
Create Icons: Unless these icons already exist from a previous Cygwin installation,
make sure the boxes are checked and click Finish.
USING CYGWIN
As noted, Cygwin provides a Unix-like environment under Windows. The installation
directory (by default, c:\cygwin) is the root of the Unix-like file system, which contains bin, etc,
home, tmp, and usr directories as would be found on a GNU/Linux or other Unix system.
Within home will be one or more subdirectories, each allocated to a Windows user.
To begin, click on the Cygwin desktop icon, or choose the Cygwin entry from your start
menu, to open a Cygwin terminal window. Within this window, the GNU bash shell is
running, with POSIX syntax (directory separators are '/', not '\'). Initially, the current
(working) directory is /home/user, where user is your Windows login name. Don't use this
directory if your Windows login name contains a space; make another and use that one
instead, e.g., by typing these commands at the bash prompt:
mkdir /home/bob
echo "export HOME=/home/bob" >>.bashrc
echo "export HOME=/home/bob" >>.bash_profile
cp .bashrc .bash_profile /home/bob
echo "cd" >>.bashrc
Close your Cygwin terminal window and open another one; your current directory should
now be /home/bob (or whatever you chose to call it).
------*------
C:> telnet 192.168.1.88 80
BANNER GRABBING
In the context of Computer Networking, Banner Grabbing is a technique to determine which
application or service is running on the specified port by attempting to make a connection to
this host.
Banner Grabbing is an enumeration technique used to get information about computer
systems on a network and the services running its open ports. Administrators can use this to
take inventory of the systems and services on their network. An intruder however can use
banner grabbing in order to find network hosts that are running versions of applications and
operating systems with known exploits.
Introduction to telnet
For banner grabbing, we will be using the Telnet client. The telnet client is more of a legacy
piece of command line software that is still installed on most Operating Systems by default.
The basic telnet syntax is: telnet [target ip] [port]
1. First enable the TELNET service on your computer:
Type SERVICES.MSC in the Run menu, click on the Telnet service, enable it,
set its startup type to Automatic and click Start.
2. Open a command prompt and type the following:
telnet www.rediff.com 80 (the HTTP port) and press the Enter key twice.
3. After a successful connection, type the following HTTP request line and press Enter twice:
HEAD / HTTP/1.0
4. Now you can see the rediff website web server’s information.
5. You can also try it on your local machine by connecting to your guest OS, e.g.
telnet <guest IP address> 80 (example: telnet 192.168.56.101 80), and press Enter twice.
HTTP/1.1 200 OK
Date: Mon, 11 May 2009 22:10:40 EST
Server: Apache/2.0.46 (Unix) (Red Hat/Linux)
Last-Modified: Thu, 16 Apr 2009 11:20:14 PST
ETag: "1986-69b-123a4bc6"
Accept-Ranges: bytes
Content-Length: 1110
Connection: close
Content-Type: text/html
C:\ns> nc -vv -n 192.168.56.101 80 and press enter twice to see the result.
-vv=verbose mode , -n=numerical IP address only.
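As an added illustration (not part of this lab manual), the Python script below does what steps 2 to 4 describe with a plain socket instead of the telnet or nc client: it sends HEAD / HTTP/1.0 and parses the status line and headers that come back. It runs against a constructed local HTTP server whose Server string is only a stand-in for the Apache version shown in the sample output above, so it needs no network; the server, its port and its banner are assumptions, not values from any real host.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _LabHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the remote web server (assumption, not a real host)."""
    server_version = "Apache/2.0.46"   # hypothetical version string, mirrors the manual's sample
    sys_version = "(Unix)"

    def do_HEAD(self):
        self.send_response(200)        # also emits Server: and Date: headers
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", "1110")
        self.end_headers()

    def log_message(self, *args):
        pass                           # keep the demonstration quiet


def start_local_server():
    """Start the constructed server on an ephemeral loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _LabHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def grab_banner(host, port, timeout=3.0):
    """Send the same HEAD / HTTP/1.0 request the lab types into telnet; return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        chunks = []
        while True:                    # HTTP/1.0: the server closes after its reply
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def parse_headers(raw):
    """Split 'HTTP/1.x 200 OK' plus header lines into (status_line, {lowercase name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def run_demo():
    """Spin up the constructed server, grab its banner and return (status_line, headers)."""
    srv, port = start_local_server()
    try:
        return parse_headers(grab_banner("127.0.0.1", port))
    finally:
        srv.shutdown()


if __name__ == "__main__":
    status, headers = run_demo()
    print(status)
    print("Server header:", headers.get("server"))
```

The value worth looking at is the Server header: a product and version string in it is exactly what a banner grab harvests, and reducing it (for Apache, the ServerTokens directive) is the usual mitigation on the server side.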
Opening a raw connection to port 25 (like telnet)
nc mail.server.net 25
Checking if UDP ports (-u) 80-90 are open on 192.168.0.1 using zero mode I/O (-z)
nc -vzu 192.168.0.1 80-90
Note that UDP tests will always show as “open”. The -uz argument is useless.
Features of Netcat:
Some of netcat's major features are:
Outbound or inbound connections, TCP or UDP, to or from any ports
Full DNS forward/reverse checking, with appropriate warnings
Ability to use any local source port
Ability to use any locally-configured network source address
Built-in port-scanning capabilities, with randomization
Built-in loose source-routing capability
Can read command line arguments from standard input
~~~~***~~~~
Port scanning: Port scanning or scanning is when intruders collect information on the
network services on a target network. Here, the intruder attempts to find open ports on the
target system.
1. Vanilla scan/SYN scan: TCP SYN packets are sent to every port of an address in an attempt
to connect to all ports. Port numbers 0 – 65,535 are utilized.
2. Strobe scan: Here, the attacker attempts to connect to a specific range of ports that are
typically open on Windows based hosts or UNIX/Linux based hosts.
3. Sweep: A large set of IP addresses are scanned in an attempt to detect a system that has
one open port.
4. Passive scan: Here, all network traffic entering or leaving the network is captured and
traffic is then analyzed to determine what the open ports are on the hosts within the
network.
5. User Datagram Protocol (UDP) scan: Empty UDP packets are sent to the different
ports of a set of addresses to determine how the operating system responds. Closed UDP ports
respond with the Port Unreachable message when an empty UDP packet is
received. Other operating systems respond with an Internet Control Message Protocol
(ICMP) error packet.
6. FTP bounce: To hide the attacker’s location, the scan is initiated from an intermediary
File Transfer Protocol (FTP) server.
7. FIN scan: TCP FIN packets that specify that the sender wants to close a TCP session
are sent to each port for a range of IP addresses.
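Added example, not from the manual: the same scan patterns seen from the defender's side. The script below parses constructed firewall-style log lines (the line format, the addresses and the thresholds are assumptions, not real traffic) and flags a source that hits many ports on one host, which is what the vanilla/SYN and strobe scans above look like, or one port across many hosts, which is the sweep.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a Linux netfilter LOG entry (not real traffic).
SAMPLE_LOG = """\
SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=21 SYN
SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=22 SYN
SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=23 SYN
SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=25 SYN
SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=80 SYN
SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=443 SYN
SRC=10.0.0.9 DST=192.168.1.1 PROTO=TCP DPT=445 SYN
SRC=10.0.0.9 DST=192.168.1.2 PROTO=TCP DPT=445 SYN
SRC=10.0.0.9 DST=192.168.1.3 PROTO=TCP DPT=445 SYN
SRC=10.0.0.9 DST=192.168.1.4 PROTO=TCP DPT=445 SYN
SRC=10.0.0.9 DST=192.168.1.5 PROTO=TCP DPT=445 SYN
SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP DPT=80 SYN
SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP DPT=80 SYN
SRC=10.0.0.7 DST=192.168.1.10 PROTO=UDP DPT=53
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def parse_events(text):
    """Return a list of (src, dst, proto, dport) tuples for every line that matches the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def detect_scans(events, port_threshold=5, host_threshold=5):
    """Map each suspicious source to ('vertical', target, ports) or ('sweep', port, targets).

    vertical: one source touches >= port_threshold distinct ports on a single host
    sweep:    one source touches the same port on >= host_threshold distinct hosts
    Thresholds are assumptions chosen for the sample; tune them to the real network.
    """
    ports_per_host = defaultdict(set)   # (src, dst) -> {dport}
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst}
    for src, dst, _proto, dport in events:
        ports_per_host[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
    findings = {}
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            findings[src] = ("vertical", dst, sorted(ports))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings[src] = ("sweep", dport, sorted(hosts))
    return findings


if __name__ == "__main__":
    for src, finding in detect_scans(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

Repeated connections to one port on one host (10.0.0.7 here) stay below both thresholds and are not reported, which is the distinction a detector needs so that ordinary clients do not look like scanners.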
Zenmap/Nmap:
Nmap ("Network Mapper") is a free and open source (license) utility for network
exploration or security auditing. Many systems and network administrators also find it useful
for tasks such as network inventory, managing service upgrade schedules, and monitoring
host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are
available on the network, what services (application name and version) those hosts are
offering, what operating systems (and OS versions) they are running, what type of packet
filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly
scan large networks, but works fine against single hosts.
Nmap runs on all major computer operating systems, and official binary packages are
available for Linux, Windows, and Mac OS X. Nmap is available as a classic command-line
tool and with an advanced GUI results viewer. Nmap can recognise five port states, such as: Closed,
Filtered, Unfiltered, Open-filtered and Closed-Filtered.
3. Accept the license agreement, select the components, and choose the location
where the Nmap software is to be installed.
7. In the Zenmap window, enter the targeted website URL in the Target field.
9. After scanning, it will list the number of ports, types of ports, protocol used, service
offered by each port, status of the port, version of the software used by the port, etc.
10. Go to the File menu and select Save to save this information to a file.
nmap -v 192.168.1.82
Nmap Features:
Flexible: Supports dozens of advanced techniques for mapping out networks filled
with IP filters, firewalls, routers, and other obstacles. This includes many port
scanning mechanisms (both TCP & UDP), OS detection, version detection, ping
sweeps, and more. See the documentation page.
Powerful: Nmap has been used to scan huge networks of literally hundreds of
thousands of machines.
Portable: Most operating systems are supported, including Linux, Microsoft
Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS,
Amiga, and more.
Easy: While Nmap offers a rich set of advanced features for power users, you can
start out as simply as "nmap -v -A targethost". Both traditional command line and
graphical (GUI) versions are available to suit your preference. Binaries are available
for those who do not wish to compile Nmap from source.
Free: The primary goals of the Nmap Project are to help make the Internet a little more
secure and to provide administrators/auditors/hackers with an advanced tool for
exploring their networks. Nmap is available for free download, and also comes with
full source code that you may modify and redistribute under the terms of the license.
Well Documented: Significant effort has been put into comprehensive and up-to-date
man pages, whitepapers, tutorials, and even a whole book! Find them in multiple
languages here.
Supported: While Nmap comes with no warranty, it is well supported by a vibrant
community of developers and users. Most of this interaction occurs on the Nmap
mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but
only after you read the guidelines. We recommend that all users subscribe to the low-
traffic nmap-hackers announcement list. You can also find Nmap on Facebook and
Twitter.
Acclaimed: Nmap has won numerous awards, including "Information Security
Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been
featured in hundreds of magazine articles.
Popular: Thousands of people download Nmap every day, and it is included with
many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD,
etc). It is among the top ten (out of 30,000) programs at the Net repository.
**** *********
Fingerprinting: This is basically the initial step in hacking a corporate network. Here the
intruder attempts to gain as much information on the targeted network by using sources that
the public can access. The aim of fingerprinting is to create a map of the network to
determine what operating systems, applications and address ranges are being utilized and to
identify any accessible open ports.
Access information publicly available on the company website to gain any useful info.
Try to find any anonymous File Transfer Protocol (FTP) sites and intranet sites that are not
secured.
Gather information on the company’s domain name and the IP address block used.
Test for hosts in the network's IP address block. Tools such as Ping are typically used.
Using tools such as Nslookup, the intruder attempts to perform Domain Name System
(DNS) zone transfers.
A tool such as Nmap is used to find out which operating systems are being used.
Tools such as Tracert are used to find routers and to collect subnet information.
Nmap is a port scanning tool that can be used for active stack OS fingerprinting.
Sniffer attack: Sniffing refers to the process of capturing and analyzing network traffic.
The packets’ contents on a network are analyzed. The tools that attackers use for sniffing are
called sniffers or more correctly, protocol analyzers. While protocol analyzers are really
network troubleshooting tools, hackers also use them for malicious purposes.
A sniffer is an application or device that can read, monitor, and capture network data
exchanges and read network packets. If the packets are not encrypted, a sniffer provides a
full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken
open and read unless they are encrypted and the attacker does not have access to the key.
Sniffers monitor, capture, and obtain network information such as passwords and valuable
customer information. When an individual has physical access to a network, he/she can
easily attach a protocol analyzer to the network and then capture traffic. Remote sniffing can
also be performed and network attackers typically use them.
There are a number of common sniffers that network security administrators and malicious
hackers use: Dsniff, Ethereal, Etherpeek, Network Associates’s Sniffer, Ngrep, Sniffit,
Snort, Tcpdump, Windump.
To protect against sniffers, implement Internet Protocol Security (IPSec) to encrypt network
traffic so that any captured information cannot be interpreted.
DumpSec is a graphical tool which allows you to dump the permissions (DACLs) and
audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable
listbox format, so that holes in system security are readily apparent. DumpSec also dumps
user, group and replication information.
You click on the Report tab, Select Computer (enter IP number) and select what items you
want in the report. You will receive the output.
It allows users to remotely connect to any computer and dump permissions, audit settings,
and ownership for the Windows NT/2000 file system into a format that is easily converted
to Microsoft Excel for editing. Hackers can choose to dump either NTFS or share
permissions. It can also dump permissions for printers and the registry. The user can also
get password information such as 'Password Last Set Time' and 'Password Expires Time'. To
summarize, Dumpsec can pull a list of users, groups, and the NT system's policies and user
rights.
--------@@@--------
A corporate network administrator needs to ensure that the wired LAN is not being
exposed to unauthorized users. This can often happen when users set up their own
wireless LANs for convenience. Such wireless LANs often have little or no security,
which poses a risk to the entire LAN. The network administrator can use NetStumbler
to detect the presence of these "rogue" wireless LANs.
If your LAN uses DHCP, make sure that DHCP is enabled on your wireless LAN card.
You will then be able to tell if networks that you find are connected to your network.
The owner of a wireless LAN can use NetStumbler to verify that an area is well covered
by a good quality signal. NetStumbler can also be used to see how far the coverage area
extends beyond its intended boundary. Configure the wireless LAN card with the SSID
and other settings of the LAN being verified.
Site Survey
Use a wireless card that reports noise levels. High noise levels are one of the indicators
of interference.
Wardriving
Netstumbler: NetStumbler (Network Stumbler) is a Wi-Fi hacking tool that is
only compatible with Windows; it is also freeware. With this program, we can
search for open wireless networks and infiltrate them. It has some
compatibility and network adapter issues. NetStumbler starts in record mode and
will automatically configure our wireless card, so it's as simple as launching the tool
while our wireless card is enabled. Some APs have lock symbols in the green bubble,
which indicate that the AP has encryption enabled.
NetStumbler uses:
Verify that your network is set up the way you intended.
Find locations with poor coverage in your WLAN.
Detect other networks that might be causing interference with your network.
Detect unauthorized "rogue" access points in your workplace.
Help aim directional antennas for long-haul WLAN links.
Use it recreationally for WarDriving.
BSSID: The text contains the BSSID (Basic Service Set Identifier) for wireless devices. The
icon shows the signal strength as reported in the last scan: Gray means the item was not
detected, or a colored icon ranging from red to green reports the signal strength. A lock
appears in the icon if encryption is enabled on the network. For devices on a wired network
segment, the icon shows a T-shaped network cable and the MAC address is displayed.
SSID (Service Set Identifier) : The reported SSID. This may be blank for access points that
report their existence but not their SSID. For wired network items, the SSID is assumed to
be the SSID that was associated when the item was discovered.
Name : The device's name. This is reported rarely and only if "Query APs for names" is
configured.
Chan : All the channels that the device has been seen on. The most recent one is listed first.
Before the channel number may be a star (*), which means you are associated with the
device, or a plus (+) which means that you were associated with it at some point.
Speed: The maximum reported bandwidth for the device (this is not the actual bandwidth).
If you are using an 802.11b device, it may misreport the bandwidth of 802.11g networks as
11Mbps. Some devices are capable of 108Mbps but only report 54Mbps.
Vendor: The vendor assigned to the MAC, which may not be the actual equipment
manufacturer.
Encryption: The word "WEP" will appear on an encrypted network, regardless of whether it
is really using WEP.
SNR: The current Signal to Noise ratio, either in dB or arbitrary RSSI units.
Graph View
The data that appears in the graph view is somewhat dependent on your hardware and
device driver.
The green bars indicate signal strength. The higher the bar, the better the signal.
The red bars, if available, indicate noise level. The higher the bar, the higher the
noise.
The gap between the green and red bars is equivalent to signal to noise ratio.
A purple bar indicates loss of signal, possibly temporary.
To avoid using the networks that you observe, go to the Network Control Panel and
unbind TCP/IP from your wireless LAN card.
The graph view will automatically scroll to keep up with new data if you are viewing the
rightmost part of it.
decibel : dBm is a decibel unit that measures power. 0 dBm is equivalent to 1 milliwatt. 30
dBm is equivalent to 1 watt. A decibel is a logarithmic measure of something compared
with a defined reference point. An increase of 10 dB corresponds to the value being
multiplied by 10. A decrease of 10 dB corresponds to the value being divided by 10.
A lock in the icon marks Access Points (APs) that do have encryption enabled. One of the flaws with the latest
version of NetStumbler is that all enabled encryption is displayed as WEP.
Decrypt 802.11
Wireshark can decrypt WEP and WPA/WPA2 in pre-shared (or personal) mode.
WPA/WPA2 enterprise mode decryption is not yet supported.
You can add decryption keys using Wireshark's 802.11 preferences or by using the
wireless toolbar. Up to 64 keys are supported.
In versions that support WPA decryption you should use a prefix to tell
Wireshark what kind of key you're using:
wep      The key is parsed as a WEP key.
         Example: wep:a1:b2:c3:d4:e5
wpa-pwd  The password and SSID are used to create a raw pre-shared key.
         Example: wpa-pwd:MyPassword:MySSID
wpa-psk  The key is parsed as a raw pre-shared key.
         Example: wpa-psk:0102030405060708091011...6061626364
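The wpa-pwd form works because WPA/WPA2-Personal derives its 256-bit pre-shared key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations), which is the step Wireshark performs for you when it sees that prefix. The Python below, added here and not part of the manual or of Wireshark, reproduces that derivation so you can check that a wpa-pwd entry and a wpa-psk entry for the same network are the same key. The splitting rule for the key string (passphrase up to the last colon, SSID after it) is my assumption about the format, not Wireshark's documented behaviour.

```python
import hashlib


def wpa_psk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 32-byte output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def wpa_pwd_to_wpa_psk(key_spec):
    """Turn 'wpa-pwd:<passphrase>:<ssid>' into the equivalent 'wpa-psk:<64 hex digits>' entry.

    Assumption: the passphrase is everything up to the LAST colon, so a passphrase
    containing ':' still works; this is my convention for the demo, not Wireshark's.
    """
    prefix, rest = key_spec.split(":", 1)
    if prefix != "wpa-pwd":
        raise ValueError("expected a wpa-pwd key specification")
    passphrase, ssid = rest.rsplit(":", 1)
    return "wpa-psk:" + wpa_psk_from_passphrase(passphrase, ssid).hex()


def same_network_key(spec_a, spec_b):
    """True when two key entries (either form) resolve to the same raw PSK."""
    def raw(spec):
        return spec if spec.startswith("wpa-psk:") else wpa_pwd_to_wpa_psk(spec)
    return raw(spec_a).lower() == raw(spec_b).lower()


if __name__ == "__main__":
    # "password" / "IEEE" is the standard published test vector for this derivation.
    print(wpa_pwd_to_wpa_psk("wpa-pwd:password:IEEE"))
```

Because the derivation depends on the SSID, the same passphrase on two networks with different names gives two different keys, which is why the SSID is part of the wpa-pwd entry and why a wpa-psk entry only ever matches one network.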
_-_-_-_-_-_-_-_
A MAC address is a unique identifier for network nodes, such as computers, printers, and other
devices on a LAN. MAC addresses are associated with the network adapter that connects a device
to the network. The MAC address is critical to locating networked hardware devices
because it ensures that data packets go to the correct place. ARP tables, or caches, are used to
correlate network devices' IP addresses to their MAC addresses.
ARP poisoning is when an attacker is able to compromise the ARP table and changes the
MAC address so that the IP address points to another machine. If the attacker makes the
compromised device’s IP address point to his own MAC address then he would be able to
steal the information, or simply eavesdrop and forward on communications meant for the
victim. Additionally, if the attacker changed the MAC address of the device that is used to
connect the network to Internet then he could effectively disable access to the web and other
external networks.
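Added example (not from the manual): the simplest detection for the ARP poisoning described above is the one arpwatch-style tools use. Remember the first MAC seen for each IP and alert when it changes, and alert again when one MAC starts answering for several IPs, which is what happens when an attacker claims both the gateway and a victim. The ARP replies below are constructed for the demonstration; all addresses are placeholders.

```python
from collections import defaultdict

# Constructed ARP replies (IP, MAC) as seen on a lab LAN, in arrival order; not real captures.
SAMPLE_ARP = [
    ("192.168.1.1", "00:11:22:33:44:01"),    # gateway announces itself
    ("192.168.1.20", "00:11:22:33:44:20"),   # an ordinary host
    ("192.168.1.1", "00:11:22:33:44:01"),    # gateway again, unchanged: no alert
    ("192.168.1.1", "aa:bb:cc:dd:ee:ff"),    # gateway IP now claimed by a different MAC
    ("192.168.1.21", "aa:bb:cc:dd:ee:ff"),   # the same MAC also claims another host
]


class ArpWatch:
    """Minimal arpwatch-style monitor: learn the first binding, alert on changes and on
    one MAC answering for several IPs."""

    def __init__(self):
        self.bindings = {}               # ip -> mac learned from the first reply
        self.claims = defaultdict(set)   # mac -> set of ips it has answered for
        self.alerts = []

    def observe(self, ip, mac):
        """Feed one ARP reply; return the alert text produced for it, or None."""
        mac = mac.lower()
        alert = None
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            alert = f"changed: {ip} moved from {known} to {mac}"
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1 and alert is None:
            alert = f"duplicate: {mac} now answers for {sorted(self.claims[mac])}"
        if alert:
            self.alerts.append(alert)
        return alert


def audit(observations):
    """Run a fresh monitor over a list of (ip, mac) replies and return all alerts in order."""
    watch = ArpWatch()
    for ip, mac in observations:
        watch.observe(ip, mac)
    return watch.alerts


if __name__ == "__main__":
    for line in audit(SAMPLE_ARP):
        print(line)
```

Two caveats for real use: the first binding is trusted blindly, so the monitor should be started when the network is known to be clean (or seeded from static entries), and a host with several IP aliases on one interface or a router doing proxy ARP will trip the duplicate check, so such MACs need an allow list.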
Cain & Abel : It is a nifty program that deals with recovering lost passwords using the
most powerful and tough decryption algorithms. It is capable of quickly and efficiently
retrieving Outlook and network passwords and of displaying passwords hidden behind asterisks.
Most encrypted passwords are breakable using this program via Dictionary, Brute-Force
and Cryptanalysis attacks. Decrypting scrambled passwords or wireless network keys is not
a challenge either. Besides the ability to record VoIP conversations, the application also
offers the possibility of analyzing routing protocols.
--------QQQQQQQ-------
Intrusion Detection Systems look for attack signatures, which are specific patterns that
usually indicate malicious or suspicious intent.
About Snort:
Snort is an open source network intrusion prevention system, capable of performing real-
time traffic analysis and packet logging on IP networks. It can perform protocol analysis,
content searching/matching, and can be used to detect a variety of attacks and probes, such
as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting
attempts, and much more.
Snort has three primary uses: It can be used as a straight packet sniffer like tcpdump, a
packet logger (useful for network traffic debugging, etc), or as a full blown network
intrusion prevention system.
The privacy of the Snort community is very important to Sourcefire. If you choose to opt-
out, the information collected at the time of registration will not be used for any Sourcefire
marketing efforts. In addition, Sourcefire will not sell or distribute any personal information
to 3rd party companies.
Snort has three modes: 1. Sniffer mode 2. Packet Logger mode 3. Network Intrusion Detection System mode
Sniffer mode: snort -v prints the TCP/IP packet headers on the screen.
Packet Logger mode : snort -dev -l c:\log [create this directory on the C drive]. With the -l option
snort automatically knows to go into packet logger mode: it
collects every packet it sees and places it in the log directory.
++++++++++++++
++++++++++++++
Rootkit - “A tool used to protect backdoors and other tools from detection by
administrators”
ROOTKITS :
Rootkit is a malicious software program, used to gain elevated access to a computer while it
remains hidden from the owner of the computer and installed security software. Rootkits
typically run at a low level and load before the computer's operating system to remain
hidden. The rootkit can then divert any OS functions that would reveal its presence and
display manipulated results to the user.
Malicious users or software often install a rootkit once they have gained access to a
computer, through vulnerabilities in the computer's software or through gaining the
password by social engineering, for example. The rootkit allows them continued access to
the computer, but it leaves no trace of their activity, as it would if they were logged in
through a normal user account. Once installed, the rootkit owner can access the computer at
any time to run software, or to control the computer remotely.
o Rootkits are used by criminals for a variety of purposes, usually to turn a computer into
part of a botnet, which can then, in turn, go on to infect other computers or send spam email
messages. The rootkit owner can install keyloggers to capture user-entered passwords for
online banking and similar activities, or steal the user’s personal details to use for identity
fraud. If the rootkit owner uses the computer for criminal acts, such as breaking into other
computers, it will appear as if the computer owner is responsible if authorities trace the
connection.
o Many rootkits infect the boot sectors of the computer's hard disk, allowing them to load
before the computers operating system. The rootkit then patches the operating system and
changes common functions to hide its existence. For example, the root kit could intercept
calls for a list of files in a directory, removing its own file names before showing the results
to the user, so it would appear as if the directory is clean. Both anti-virus and security
software programs are vulnerable to the effects of a root kit, which runs at a lower level,
ensuring the anti-virus software cannot detect or remove it. This leads the anti-virus
software into believing the system is clean, when it is actually infected and running
malicious software.
Rootkits can: hide processes; hide files; hide registry entries; hide services; completely
bypass personal firewalls; be undetectable by antivirus; be remotely undetectable; use covert
channels that are undetectable on the network; defeat cryptographic hash checking; install silently;
and use all capabilities ever used by viruses or worms.
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) network protocols and related cryptography standards
required by them.
The openssl program is a command line tool for using the various cryptography functions of
OpenSSL's crypto library from the shell.
The openssl program provides a rich variety of commands, each of which often has a wealth
of options and arguments (command_opts and command_args in the SYNOPSIS). The
pseudo-commands list-standard-commands, list-message-digest-commands, and list-cipher-
commands output a list (one entry per line) of the names of all standard commands, message
digest commands, or cipher commands, respectively, that are available in the present openssl
utility.
STANDARD COMMANDS
~~~~~***~~~~~
C:\OpenSSL-Win32\bin>openssl
OpenSSL> passwd
Password:
Verifying - Password:
q8jVlTuFX9wSU
72RhZZGSB4rph+eg
HoneyBOT works by opening over 1000 UDP and TCP listening sockets on your computer
and these sockets are designed to mimic vulnerable services. When an attacker connects to
these services they are fooled into thinking they are attacking a real server. The honeypot
safely captures all communications with the attacker and logs these results for future
analysis. Should an attacker attempt an exploit or upload a rootkit or trojan to the server the
honeypot environment will safely store these files on your computer for analysis and
submission to antivirus vendors. Our test servers have captured several thousand trojans and
rootkits from some simulated services.
7. Click on the blue play button to start the HoneyBOT listening engine.
8. Using a Web Browser try to access various network systems by providing their IP
Addresses.
Uninstalling HoneyBOT
Click the Uninstall HoneyBOT icon in the programs start menu to uninstall HoneyBOT and
follow the prompts.
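To show what a honeypot like HoneyBOT does underneath, here is an added Python example (not HoneyBOT's code and not part of this manual): a listener that accepts any connection, records who connected and the first bytes they sent, and replies with a made-up service banner so the probing client sees "a service". It opens one loopback port and probes itself, so everything runs locally; the port, the fake banner and the probe payload are assumptions.

```python
import socket
import socketserver
import threading
import time

FAKE_BANNER = b"220 mail ready\r\n"   # constructed banner; mimics an SMTP greeting


class _CatchHandler(socketserver.BaseRequestHandler):
    """Record the peer and its first bytes, then answer with the fake banner."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""                 # a bare connect with no payload is still logged
        self.server.events.append({
            "ts": time.time(),
            "peer": self.client_address[0],
            "port": self.server.server_address[1],
            "data": data,
        })
        self.request.sendall(FAKE_BANNER)


class HoneyListener(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, _CatchHandler)
        self.events = []               # the "log" HoneyBOT would write to disk


def start_listener(port=0):
    """Bind on loopback (port 0 = ephemeral) and serve in a background thread."""
    srv = HoneyListener(("127.0.0.1", port))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, payload):
    """Play the role of the client that connects to the listener; return its reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=3.0) as s:
        s.sendall(payload)
        return s.recv(1024)


def run_demo(payload=b"EHLO probe\r\n"):
    """Start a listener, probe it once, stop it, and return (reply, recorded events)."""
    srv = start_listener()
    try:
        reply = probe(srv.server_address[1], payload)
    finally:
        srv.shutdown()
        srv.server_close()
    return reply, srv.events


if __name__ == "__main__":
    reply, events = run_demo()
    print("client saw:", reply)
    for ev in events:
        print("logged:", ev["peer"], "->", ev["port"], ev["data"])
```

The listener never interprets what it receives, which is the point: it records the connection and the payload for later analysis (the captured bytes are data, not something to execute), and the handler's timeout keeps a silent client from holding a thread forever.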
3. Open the text editor in jcryptool & write the msg which you want to encrypt.
Password Setup - IPCop has 2 users for which we will be asked to set up passwords: the root
and admin users. Set both to a strong password of more than 8 characters that is not a word in
any language and contains capitals. A good example would be 1luv19c0p. The root password will
be used to log on and add any add-ons or upgrades via SSH. The admin user is used to manage
our IPCop day to day.
Since we have 3 interfaces and only have set up Green, repeat the interface setup options for
the Red and Orange interfaces as described above.
Configure the RED interface to use DHCP, as this is the interface connected to the Internet (i.e.
our ISP). Then configure our ORANGE interface to use the 192.168.10.x address space. For
Red, tab over to the DHCP box and select it by hitting Enter. So if our Green network will
contain 15 hosts we can use 192.168.1.2-16. To set this up simply add in this range
192.168.1.2-16 and tab down to OK.