
1. What is unauthorized access? What are the possible ways to gain unauthorized access? List out
all the techniques to do the same.

Unauthorized Access is when a person who does not have permission to connect to or use a
system gains entry in a manner unintended by the system owner. The popular term for this is
“hacking”.

Password cracking: the process of recovering passwords from data that has been stored in or
transmitted by a computer system. A common approach is to repeatedly try guesses for the password.

Packet sniffer: an application that captures data packets, which can be used to capture passwords and
other data in transit over the network.

Spoofing attack: one program, system, or website successfully masquerades as another by falsifying
data and is thereby treated as a trusted system by a user or another program. The purpose is usually
to fool programs, systems, or users into revealing confidential information, such as user names and
passwords, to the attacker.

Rootkit: designed to conceal the compromise of a computer's security; it can be any of a set of
programs that work to subvert control of an operating system from its legitimate operators. Usually a
rootkit will obscure its installation and attempt to prevent its removal by subverting standard system
security. Rootkits may include replacements for system binaries so that it becomes impossible for the
legitimate user to detect the presence of the intruder on the system by looking at process tables.

Social engineering: the art of getting people to reveal sensitive information about a system. This is
usually done by impersonating someone or by convincing people that you have permission to obtain
such information.

Trojan horse: a program which seems to be doing one thing but is actually doing another. A Trojan
horse can be used to set up a back door in a computer system so that the intruder can gain access
later.

Virus: a self-replicating program that spreads by inserting copies of itself into other executable code or
documents. A computer virus thus behaves like a biological virus, which spreads by inserting itself
into living cells.

2. Differentiate between Authentication and Authorization.


3. What tools are available to carry out
i) A brute force attack:

Brutus:
Brutus is one of the fastest, most flexible remote password crackers you can get your hands
on - it's also free. It is available for Windows 9x, NT and 2000, there is no UN*X version
available although it is a possibility at some point in the future. This Windows-only cracker
bangs against network services of remote systems trying to guess passwords by using a
dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP,
NTP, and more.
Platform: Windows

TSGrinder: the first production Terminal Server brute-force tool. The main idea here is that the Administrator
account, since it cannot be locked out for local logons, can be brute forced. And having an encrypted channel to the
TS logon process sure helps to keep IDS from catching the attempts. It is a "dictionary" based attack tool, but it does
have some interesting features like "l337" conversion, and supports multiple attack windows from a single
dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many
times to try a username/password combination within a particular connection.
Platform: Windows

RainbowCrack: a hash cracker that makes use of a large-scale time-memory trade-off.
A traditional brute force cracker tries all possible plaintexts one by one, which can be time
consuming for complex passwords. RainbowCrack uses a time-memory trade-off to do all the
cracking-time computation in advance and store the results in so-called "rainbow tables". It does
take a long time to precompute the tables but RainbowCrack can be hundreds of times faster than
a brute force cracker once the precomputation is finished.
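The time-memory trade-off above only pays off because an unsalted hash of a given password is the same everywhere, so one precomputed table serves every account. The following Python sketch is an added example, not part of the original notes or of RainbowCrack itself: it reduces the rainbow-table idea to a plain digest-to-plaintext lookup (real tables use reduction chains to save memory) and shows why a per-user salt, and a slow KDF on top of it, makes the precomputed table useless. The wordlist is constructed for the example.

```python
import hashlib
import os

# Constructed toy wordlist standing in for the plaintext space a precomputed table covers.
WORDLIST = ["password", "letmein", "qwerty", "summer2006", "admin"]


def unsalted_hash(password: str) -> str:
    """Hash with no salt: the same password always yields the same digest, so
    one precomputed table serves every account that uses this scheme."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hash with a per-user random salt; the salt is stored next to the digest."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """PBKDF2 adds a work factor on top of the salt, so even a per-salt
    recomputation costs 'iterations' hash operations per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_precomputed_table(words):
    """Do the cracking-time work in advance: digest -> plaintext for every word.
    Real rainbow tables compress this with reduction chains; the trade-off idea
    is the same and a plain lookup table is enough to show it."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest):
    """Recovering a stored digest becomes a dictionary hit instead of a search."""
    return table.get(digest)


def demo():
    table = build_precomputed_table(WORDLIST)

    # Unsalted storage: the precomputed table recovers the password instantly.
    hit = lookup(table, unsalted_hash("letmein"))

    # Salted storage: the same password hashes differently for every user, and
    # the table, built without this salt, cannot contain the digest.
    salt = os.urandom(16)
    miss = lookup(table, salted_hash("letmein", salt))
    return hit, miss


if __name__ == "__main__":
    print(demo())
```

The table has to be rebuilt for every distinct salt, which turns one precomputation into one per user, and PBKDF2's iteration count makes each of those rebuilds slow as well.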

ii) Dictionary-based attacks:

THC Hydra: this tool allows for rapid dictionary attacks against network login
systems, including FTP, POP3, IMAP, Netbios, Telnet, HTTP Auth, LDAP, NNTP,
VNC, ICQ, Socks5, PCNFS, and more. It includes SSL support and is apparently
now part of Nessus.
Platform: UNIX
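Every tool under (i) and (ii) works the same way from the target's point of view: a burst of failed logons from one source, sometimes followed by a success. The TSGrinder description notes that an encrypted channel hides the attempts from a network IDS, which is why the host's own authentication log is the place to look. The following Python detector is an added example (not part of the original notes) that runs over constructed sshd-style log lines; the log format, threshold and window are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (not real data), in an sshd-like format.
SAMPLE_LOG = """\
2006-11-11T10:22:01 sshd[4011]: Failed password for admin from 10.0.0.5 port 51022
2006-11-11T10:22:02 sshd[4012]: Failed password for admin from 10.0.0.5 port 51023
2006-11-11T10:22:02 sshd[4013]: Failed password for root from 10.0.0.5 port 51024
2006-11-11T10:22:03 sshd[4014]: Failed password for admin from 10.0.0.5 port 51025
2006-11-11T10:22:04 sshd[4015]: Failed password for guest from 10.0.0.5 port 51026
2006-11-11T10:22:05 sshd[4016]: Accepted password for admin from 10.0.0.5 port 51027
2006-11-11T10:25:00 sshd[4020]: Failed password for alice from 192.168.1.20 port 40000
2006-11-11T10:40:00 sshd[4021]: Failed password for alice from 192.168.1.20 port 40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse_line(line: str):
    """Return (timestamp, outcome, user, ip) or None for lines we don't recognise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"])


def detect_bursts(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Sliding-window count of failed logons per source IP.

    Emits ("burst", ip, count) once an IP reaches `threshold` failures inside
    `window`, and ("success_after_burst", ip, user) if that same IP then logs
    in successfully, which is the trace a successful guess leaves behind.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, outcome, user, ip = event
        if outcome == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, len(q)))
        elif ip in flagged:
            alerts.append(("success_after_burst", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample above, 10.0.0.5 trips the burst rule at the fifth failure within three seconds and is then flagged again when "admin" logs in from the same address; the two failures from 192.168.1.20 are fifteen minutes apart and stay below threshold. The "success after burst" alert is the one worth paging on, since a lockout policy that exempts built-in accounts (as the TSGrinder text describes) will not have stopped it.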

iii) Password guessing attacks:

SolarWinds: a plethora of network discovery/monitoring/attack tools

SolarWinds has created and sells dozens of special-purpose tools targeted at
systems administrators. Security-related tools include many network
discovery scanners, an SNMP brute-force cracker, router password
decryption, a TCP connection reset program, one of the fastest and easiest
router config download/upload applications available and more.

L0phtCrack:
Windows password auditing and recovery application
L0phtCrack attempts to crack Windows passwords from hashes which it can
obtain (given proper access) from stand-alone Windows workstations,
networked servers, primary domain controllers, or Active Directory. In some
cases it can sniff the hashes off the wire. It also has numerous methods of
generating password guesses.

Cain and Abel:
The top password recovery tool for Windows
UNIX users often smugly assert that the best free security tools support their
platform first, and Windows ports are often an afterthought. They are usually
right, but Cain & Abel is a glaring exception. This Windows-only password
recovery tool handles an enormous variety of tasks. It can recover passwords
by sniffing the network, cracking encrypted passwords using Dictionary,
Brute-Force and Cryptanalysis attacks, recording VoIP conversations,
decoding scrambled passwords, revealing password boxes, uncovering
cached passwords and analyzing routing protocols.

4. What are the known methods to bypass the authentication?

Direct page request

If a web application implements access control only on the login page, the authentication schema
could be bypassed. For example, if a user directly requests a different page via forced browsing,
that page may not check the credentials of the user before granting access. Attempt to directly
access a protected page through the address bar in your browser to test using this method.

Parameter Modification

Another problem related to authentication design is when the application verifies a successful
login on the basis of fixed-value parameters. A user could modify these parameters to gain
access to the protected areas without providing valid credentials. In the example below, the
"authenticated" parameter is changed to a value of "yes", which allows the user to gain access. In
this example, the parameter is in the URL, but a proxy could also be used to modify the
parameter, especially when the parameters are sent as form elements in a POST request.

http://www.site.com/page.asp?authenticated=no
raven@blackbox /home $nc www.site.com 80
GET /page.asp?authenticated=yes HTTP/1.0

HTTP/1.1 200 OK
Date: Sat, 11 Nov 2006 10:22:44 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
</HEAD><BODY>
<H1>You Are Auhtenticated</H1>
</BODY></HTML>

Session ID Prediction

Many web applications manage authentication using session identification values (SESSION
ID). Therefore, if session ID generation is predictable, a malicious user could be able to find a
valid session ID and gain unauthorized access to the application, impersonating a previously
authenticated user.

In the following figure, values inside cookies increase linearly, so it could be easy for an attacker
to guess a valid session ID.
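The three bypasses above (direct page request, parameter modification, session ID prediction) share one fix: the access decision is made on every request from server-side session state, never from anything the client sent, and session identifiers come from a cryptographic random source. The following Python sketch is an added example and not part of the original notes; the `Request` and `SessionStore` classes, the `CREDENTIALS` table and the user "raven" are assumptions made for the example. It places the page's flawed `authenticated=yes` check beside a hardened handler and adds the audit check a tester would run against the linearly increasing cookies described above.

```python
import hmm
```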

SQL Injection (HTML Form Authentication)

SQL Injection is a widely known attack technique. We are not going to describe this technique in
detail in this section; there are several sections in this guide that explain injection techniques
beyond the scope of this section.

You might also like