Building Blocks

A hacker is defined as a “person who enjoys learning the details of computer systems and how to stretch their capabilities” … one who programs enthusiastically or who enjoys programming rather than just theorizing about programming.

Content

1. What is Information Security
2. Need of Information Security
3. Importance of Information Security
4. Cracking and Hacking
5. Difference between Hacking and Cracking
6. Types of Hackers
7. Steps in Hacking
8. How to become a Hacker
9. Penetration Testing
10. Steps in Penetration Testing

What is Information Security?

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Need of Information Security

The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information.

The differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

Importance of Information Security

• There are people who make a living from hacking.
• They use their technological skills to break into computer systems and access private information.
• This could result in the loss of vital information.
• A computer hacker can gain access to a network if a firewall is shut down for only a minute.

One of the biggest potential threats to information security is the people who operate the computers. A workplace may have excellent information security systems in place, but security can still be easily compromised.

If a help desk worker gives out or resets passwords without verifying who the information is for, then anyone can easily gain access to the system. Computer operators should be made fully aware of the importance of security.

What is Hacking?

Hacking may be defined as the “methodology adopted by ethical hackers to discover the vulnerabilities existing in information systems’ operating environments”.

The term “hack” is also used to refer to a program that (often illegally) modifies another program, usually a computer game, giving the user access to features which are otherwise inaccessible to them.

In a positive sense, the term “patriot hacking” is used for computer hacking in which supporters of a country attempt to carry out attacks on, or block attacks by, enemies.

The negative side refers to any crime that involves a computer and a network: activities like spying and financial theft.

What is Cracking?

Cracking means breaking into systems and causing harm, changing data or stealing. It is done with wrong intentions.

Hacker

This is someone who seeks to understand computer, phone or other systems strictly for the satisfaction of having that knowledge.

Hackers wonder how things work, and have an incredible curiosity.

Hackers will sometimes do legally questionable things, such as breaking into systems, but they generally will not cause harm once they break in.

The possible characteristics that qualify one as a hacker:

• A person who enjoys learning the details of a programming language or system and picks up programming quickly.
• A person who enjoys actually doing the programming rather than just theorizing about it.
• A person who is an expert at a particular programming language or system.

Cracker

Crackers get into all kinds of mischief, including breaking or "cracking" copy protection on software programs, breaking into systems and causing harm, changing data, or stealing.

Categorization of Hackers

Script Kiddies - Someone who lacks the skills of a typical hacker. They rely on downloading hacking programs or utilities, sometimes called scripts, to perform an attack.

Admins - Those who know how the execution of the code is taking place but are not able to develop code themselves.

Coders - The actual skilled hacking experts. They develop the hacking tools and scripts. They are the persons who create the viruses and worms.

Types of Hacker

BLACK HAT

Black Hat - Also known as a cracker, uses his skills to break into computer systems for unethical reasons.

For example, to obtain usernames and passwords, credit card numbers, or bank information.

WHITE HAT

A white hat has the skills to break into computer systems and do damage. However, they use their skills to help organizations.

For example, a white hat might work for an organization to test for security weaknesses and vulnerabilities in the network.

GREY HAT

This type can be thought of as a white hat attacker who sometimes acts unethically. They could be employed as a legitimate network security administrator.

But, during this person's duties, he may find an opportunity for gaining access to company data and stealing that data.

Steps of Hacking

Hacking consists of a large number of steps. It is basically classified into 5 major steps:

1. FOOTPRINTING
2. SCANNING
3. GAINING ACCESS
4. MAINTAINING ACCESS
5. CLEARING TRACKS

What is Footprinting?

Footprinting is the first and most convenient way that hackers use to gather information about computer systems and the companies they belong to.

The purpose of footprinting is to learn as much as you can about a system: its remote access capabilities, its ports and services, and the aspects of its security.

It begins by determining the location and objective of an intrusion. Once this is known, specific information about the organization is gathered using non-intrusive methods.

The Necessity of Footprinting

Footprinting is necessary to systematically and methodically ensure that all pieces of information related to the aforementioned technologies are identified.

Without a sound methodology for performing this type of reconnaissance, we are likely to miss key pieces of information related to a specific technology or organization.

Footprinting must be performed accurately and in a controlled fashion.

Types of Footprinting

WHOIS

The WHOIS system originated as a method for system administrators to obtain contact information for IP address assignments or domain name administrators. The use of the data in the WHOIS system has evolved into a variety of uses, including:

• Supporting the security and stability of the Internet by providing contact points for network operators and administrators, including ISPs, and certified computer incident response teams;
• Determining the registration status of domain names;
• Assisting in combating abusive uses of information communication technology;
• Facilitating inquiries and subsequent steps to conduct trademark clearances and to help counter intellectual property infringement, misuse and theft in accordance with applicable national laws and international treaties;
• Contributing to user confidence in the Internet as a reliable and efficient means of information and communication and as an important tool for promoting digital inclusion, e-commerce and other legitimate uses by helping users identify persons or entities responsible for content and services online; and
• Assisting businesses, other organizations and users in combating fraud, complying with relevant laws and safeguarding the interests of the public.

NS lookup

nslookup is the name of a program that lets an Internet server administrator or any computer user enter a host name (for example, "whatis.com") and find out the corresponding IP address. It will also do a reverse name lookup and find the host name for an IP address you specify.

For example, if you entered "whatis.com" (which is one of the TechTarget sites), you would receive as a response our IP address, which happens to be 65.214.43.37.

Or if you entered "65.214.43.37", it would return "sites.techtarget.com".

nslookup sends a domain name query packet to a designated (or default) domain name system (DNS) server.

Depending on the system you are using, the default may be the local DNS name server at your service provider, some intermediate name server, or the root server system for the entire domain name system hierarchy.

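To make the "query packet" concrete, here is an added example (not from the slides) that builds the DNS query nslookup sends, parses a reply, and derives the in-addr.arpa name a reverse lookup actually asks for. The replies are constructed in-process so it runs offline, and the transaction-ID check is the one sanity check a resolver applies to every answer it receives.

```python
import struct

DNS_TYPE_A = 1
DNS_TYPE_PTR = 12
DNS_CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-encode 'sites.techtarget.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def reverse_name(ip: str) -> str:
    """A reverse lookup of 65.214.43.37 really asks for the PTR record of
    37.43.214.65.in-addr.arpa: the octets reversed under the in-addr.arpa zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Header (ID, flags with RD=1, QDCOUNT=1, other counts 0) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)


def decode_name(msg: bytes, off: int):
    """Decode a name at `off`, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # two-byte pointer into the message
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 16:                     # refuse pointer loops in hostile replies
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes, expected_id: int) -> dict:
    """Parse header, question and answer sections. The transaction ID must match
    the query we sent; a reply with another ID is discarded, as a resolver would."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch (unsolicited or spoofed reply)")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == DNS_TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == DNS_TYPE_PTR:
            value, _ = decode_name(msg, off)   # the PTR target may itself use pointers
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def build_response(query: bytes, rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    """Constructed reply (stand-in for a real server): echoes the question and appends
    one answer whose owner name is a pointer (0xC00C) back to the question at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rtype, DNS_CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def lookup_pair():
    """The two lookups from the slide, answered by constructed replies (no network)."""
    q = build_query("whatis.com", DNS_TYPE_A, txid=0x4242)
    fwd = parse_response(build_response(q, DNS_TYPE_A, bytes([65, 214, 43, 37])), 0x4242)
    rq = build_query(reverse_name("65.214.43.37"), DNS_TYPE_PTR, txid=0x4343)
    rev = parse_response(build_response(rq, DNS_TYPE_PTR, encode_name("sites.techtarget.com")), 0x4343)
    return fwd["answers"][0][3], rev["answers"][0][3]


if __name__ == "__main__":
    print(lookup_pair())
```
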
IP Lookup

The IP Address Lookup tool, also referred to as IP Lookup, Lookup IP, Lookup IP Address, IP Address Location, IP Location, and IP Locator, is designed to give you an idea of where your IP address or the IP address you look up is located.

This tool is not 100% accurate due to many different factors. Some of those factors include where the owner of the IP has it registered, where the agency that controls the IP is located, proxies, cellular IPs, etc.

If you are in the US and the controlling agency of the IP is located in Canada, chances are the IP address lookup results will show as Canada. Showing a Canadian IP while in the US is very common among Blackberry users on the Verizon network.

The results of this IP Address Lookup utility include the IP Address, City, Host Name, Region / State, Postal / Zip Code, Country Name, Country Code, Time Zone, Longitude, Latitude, ISP, Domain Name, Net Speed, and IP Decimal.

How to gather info

Gathering information about the victim can be done from:

1. Website
2. Social Profiles
3. Contact Info
4. Fake Calling
5. Fake Mails

Google crawling

Google takes a snapshot of each page it examines and caches (stores) that version as a back-up. The cached version is what Google uses to judge if a page is a good match for your query.

Wildcards in Google

Use *, an asterisk character, known as a wildcard, to match one or more words in a phrase. Each * represents one or more words: Google treats the * as a placeholder for a word or more than one word.

Google limits queries to 32 words.

Google will indicate in a message below the query box at the top of the page if your query exceeds the 32-word limit.

The 32-word limit applies to search terms and operators but not stop words. (The limit was previously 10 words.)

Google Searching

Some of the operators are as follows:

• define: – The query prefix "define:" will provide a definition of the words listed after it.
• stocks: – After "stocks:" the query terms are treated as stock ticker symbols for lookup.
• site: – Restricts the results to those websites in the given domain, such as site:www.acmeacme.com. The option "site:com" will search all domain URLs named with ".com" (no space after "site:").
• allintitle: – Only the page titles are searched (not the remaining text on each webpage).
• intitle: – Prefix to search in a webpage title; for example, "intitle:google search" will list pages with the word "google" in the title and the word "search" anywhere (no space after "intitle:").
• allinurl: – Only the page URL address lines are searched (not the text inside each webpage).
• inurl: – Prefix for each word to be found in the URL; other words are matched anywhere. For example, "inurl:acme search" matches "acme" in a URL, but matches "search" anywhere (no space after "inurl:").

What is Scanning?

Scanning is one of the easiest ways to find out vulnerabilities in the system.

What's the need?

System administrators are constantly being advised to check their systems for open ports and services that might be running that are either unintended or unnecessary.

In some cases, the services might be Trojans just waiting to be exploited.

Port Scanning

The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer.

Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.

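From the defender's side, a scan of the kind described above leaves a recognisable pattern in a gateway's firewall log: one source touching many distinct destination ports on one host in a few seconds. The following added example (not part of the slides) flags exactly that over a sliding window; the log lines are constructed in netfilter LOG style, and the "8 ports in 10 seconds" threshold is an assumption to tune for your own network.

```python
import re
from collections import defaultdict, Counter
from datetime import datetime

# Constructed netfilter-style LOG lines (not captured from a real gateway).
SAMPLE_LOG = """\
Mar 10 09:15:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Mar 10 09:15:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 10 09:15:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Mar 10 09:15:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Mar 10 09:15:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Mar 10 09:15:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Mar 10 09:15:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=110 SYN
Mar 10 09:15:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=135 SYN
Mar 10 09:15:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=139 SYN
Mar 10 09:15:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40009 DPT=443 SYN
Mar 10 09:15:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40010 DPT=445 SYN
Mar 10 09:15:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
Mar 10 09:15:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=80 SYN
Mar 10 09:16:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=3389 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str):
    """Pull timestamp, source, destination and destination port out of one LOG line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")   # syslog carries no year
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dpt": int(m.group("dpt"))}


def detect_port_scans(lines, window_s=10, min_ports=8):
    """Flag a source that touches >= min_ports distinct destination ports on one
    host within any window_s-second sliding window. Returns {(src, dst): ports}."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dpt"]))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        in_window = Counter()       # distinct ports seen inside the current window
        start = 0
        for ts, dpt in evs:
            in_window[dpt] += 1
            while (ts - evs[start][0]).total_seconds() > window_s:
                old = evs[start][1]  # slide the window: drop events that are too old
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_ports:
                alerts.setdefault(key, set()).update(in_window)
    return {k: sorted(v) for k, v in alerts.items()}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan: {src} -> {dst} ports {ports}")
```

The single late probe to port 3389 from the same source falls outside the window and is not counted, which is also the blind spot of any windowed detector: slow scans need a longer window or a per-source daily tally.
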
Ways of Port Scanning

Fingerprinting

• Fingerprinting is the technique of interpreting the responses of a system in order to figure out what it is.
• Unusual combinations of data are sent to the system in order to trigger these responses.
• Systems respond the same way to correct data; it is the unusual input that exposes the differences.

ACTIVE FINGERPRINTING

• These products are designed to guesstimate remote operating systems and sometimes even the patch level that the operating system is running on.
• Active fingerprinting tools rely on stimulus-response: the source sends certain packets (stimulus) to the target, and the target's response can be analyzed to identify the operating system.
• Different operating systems respond to the source packets in different ways, hence their ability to fingerprint different remote hosts reliably.

PASSIVE FINGERPRINTING

• Passive fingerprinting is based on sniffer traces from the remote system. Instead of actively querying the remote system, all you need to do is capture packets sent from the remote system.
• Based on the sniffer traces of these packets, you can determine the operating system of the remote host. Just like active fingerprinting, passive fingerprinting is based on the principle that every OS IP stack has its own idiosyncrasies.
• By analyzing sniffer traces and identifying these differences, you may be able to determine the operating system of the remote host.

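An added example (not from the slides) of the passive idea above: classify a captured SYN by its TTL, TCP window and DF flag against a small signature table, then use the result defensively by comparing each guess with what the asset inventory says that address should be. The signature values, the observations and the inventory are constructed for illustration, not a real fingerprint database.

```python
from dataclasses import dataclass

# Initial TTL values that common IP stacks start from; an observed TTL is the
# initial value minus the number of routers crossed on the way to the sniffer.
INITIAL_TTLS = (32, 64, 128, 255)

# Illustrative signature table constructed for this example; real passive
# fingerprinters (p0f-style) carry far larger and more precise databases.
SIGNATURES = (
    {"os": "linux-like",   "initial_ttl": 64,  "windows": {5840, 29200},        "df": True},
    {"os": "windows-like", "initial_ttl": 128, "windows": {8192, 65535, 64240}, "df": True},
    {"os": "router-like",  "initial_ttl": 255, "windows": {4128},               "df": False},
)


@dataclass(frozen=True)
class SynObservation:
    """Fields a sniffer can read from a single inbound TCP SYN without replying."""
    src: str
    ttl: int
    window: int
    df: bool     # IP "don't fragment" flag


def infer_initial_ttl(observed: int):
    """Round the observed TTL up to the nearest common initial value; the gap is
    the hop distance. Returns (initial_ttl, hops)."""
    if not 0 < observed <= 255:
        raise ValueError("TTL out of range")
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed
    raise AssertionError("unreachable: 255 is the largest initial TTL")


def classify(obs: SynObservation) -> dict:
    """Match one SYN against the table. Ambiguous or unmatched traffic is reported
    as 'unknown' rather than guessed, so downstream alerts stay trustworthy."""
    initial, hops = infer_initial_ttl(obs.ttl)
    matches = [s["os"] for s in SIGNATURES
               if s["initial_ttl"] == initial and obs.window in s["windows"] and s["df"] == obs.df]
    guess = matches[0] if len(matches) == 1 else "unknown"
    return {"src": obs.src, "guess": guess, "hops": hops}


def inventory_mismatches(observations, inventory):
    """Defender's use: compare the passive guess for each source with what the
    asset inventory says that address should be. A mismatch is a rogue host, a
    spoofed address or an inventory error, and all three deserve a look."""
    findings = []
    for obs in observations:
        result = classify(obs)
        expected = inventory.get(obs.src)
        if expected and result["guess"] not in ("unknown", expected):
            findings.append((obs.src, expected, result["guess"]))
    return findings


# Constructed observations (not real captures).
OBSERVED = [
    SynObservation("192.0.2.10", ttl=58,  window=29200, df=True),   # 6 hops away
    SynObservation("192.0.2.20", ttl=121, window=8192,  df=True),   # 7 hops away
    SynObservation("192.0.2.30", ttl=255, window=4128,  df=False),  # directly attached
    SynObservation("192.0.2.40", ttl=64,  window=1234,  df=True),   # matches no signature
]
INVENTORY = {"192.0.2.10": "linux-like", "192.0.2.20": "linux-like", "192.0.2.30": "router-like"}

if __name__ == "__main__":
    for obs in OBSERVED:
        print(classify(obs))
    print("inventory mismatches:", inventory_mismatches(OBSERVED, INVENTORY))
```
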
FIREWALKING

• Firewalking is a technique that employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks.
• If the packet is dropped without comment, this doesn't necessarily mean that traffic to the target host and port is filtered. Some firewalls know that the packet is due to expire and will send the "expired" message whether the policy allows the packet or not.
• Firewalk, the tool, employs the technique to determine the filter rules in place on a packet forwarding device.

FIREWALK

• Mike Schiffman and Dave Goldsmith's Firewalk utility performs an assessment of firewalls and packet filters by sending IP packets with TTL values set to expire one hop past a given gateway.

Three simple states allow you to determine if a packet has passed through the firewall or not:

• If an ICMP type 11 code 0 ("TTL exceeded in transit") message is received, the packet passed through the filter and a response was later generated.
• If the packet is dropped without comment, it was probably dropped at the gateway.
• If an ICMP type 3 code 13 ("Communication administratively prohibited") message is received, a simple filter such as a router ACL is being used.

FIREWALL

• It turns out that a small home network has many of the same security issues that a large corporate network does.
• You can use a firewall to protect your home network and family from offensive Web sites and potential hackers.

TRACEROUTE

• Traceroute is the program that shows you the route over the network between two systems, listing all the intermediate routers a connection must pass through to get to its destination.
• It can help you determine why your connections to a given server might be poor, and can often help you figure out where exactly the problem is.
• It also shows you how systems are connected to each other, letting you see how your ISP connects to the Internet as well as how the target system is connected.

A traceroute marks the path of ICMP packets from the local host (where the command is executed) to the destination host. It is available as a command line tool on both the UNIX (traceroute) and Windows (tracert) operating systems.

In addition, the Windows-based tool VisualRoute performs this service as well as mapping the path over a map of the world.

We perform traceroutes on several IP addresses within the same Class C address block to see if the ICMP packets follow the same path.

NETWORK ENUMERATION

• Network enumeration is the discovery of hosts/devices on a network. Enumeration tools tend to use overt discovery protocols such as ICMP and SNMP to gather information; they may also scan various ports on remote hosts looking for well-known services, in an attempt to further identify the function of a remote host and solicit host-specific banners.
• The next stage of enumeration is to fingerprint the OS of the remote host.
• Whilst products that accomplish this are beyond the scope of this page, they can be found on the Active OS Fingerprinting page.

Gaining Access

Gaining access refers to the true attack phase.

• The exploit can occur over a LAN, locally, over the Internet, offline, or as deception or theft.
• System Hacking
• Social Engineering
• Session Hijacking
• Buffer Overflows
• Hacking Web servers
• Web-based password cracking
• SQL injection
• Hacking Wireless networks
• Viruses and Worms
• Cryptography

Maintaining Access

Maintaining access refers to the phase when the attacker tries to retain his 'ownership' of the system.

Install tools such as:

• Rootkits
• Trojans and their backdoors
• Backdoors

Clearing Tracks

Clearing tracks is the last, and an important, step of remote hacking, which includes the deletion of all logs on the remote system. This step is used by hackers to keep their identity anonymous.

Techniques include:

• Tunneling
• Altering/clearing log files
• Disabling auditing

How to become a Hacker

1. Learn computer programming. Computer programming is a fundamental, though complex, hacker skill. Several different programming languages should be learned, such as C, LISP, Perl and Java.

The hacker's mastery of these programming languages is directly related to his effectiveness and reputation in the hacker culture.

This will provide the very basic skills, but the only way to advance in skill is to read code and write code. The Internet provides a multitude of free programming tools and operating systems to expedite the learning process.

2. Learn the Unix operating system. Unix is the original operating system built by hackers.

The difference is that the Unix operating system is free and the code is open source: it can be read and modified. Windows and MacOS are distributed in binary code. The code cannot be read or modified. The Unix operating system must be mastered. It can be loaded on any PC. The hacker can read the code and modify it using a wide variety of free programming tools.

Linux is a very popular Unix-based operating system. It has all of the features of the original Unix OS, such as open source and popular programming tools.

3. Write free software. There is nothing more popular and accepted in the hacker community than writing useful software for the public domain to freely use.

Writing and debugging software gives the hacker a reputation in the hacker culture and improves programming skills.

4. Stay connected to the hacker community. The hacker community is run primarily by volunteers. There are many different tasks that need to be done to keep things going, such as administering mailing lists, moderating newsgroups and developing technical standards.

5. Speak to other hackers in the community. Share technical information and ideas.

One of the best ways to stay in touch is to join a local Unix or Linux user's group and attend the meetings.

To be a hacker requires motivation, dedication, initiative and self-education.

Penetration Test

• A penetration test, occasionally called a pentest, is a method of evaluating the security of a computer network by simulating an attack from a malicious source, known as a black hat hacker or cracker.
• The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.
• This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner, together with an assessment of their impact, and often with a proposal for mitigation or a technical solution.
• The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit.
• For example, the Payment Card Industry Data Security Standard (PCI DSS), a security and auditing standard, requires both annual and ongoing penetration testing.

Types of Penetration Testing

BLACK BOX TESTING

• It is a method of software testing that tests the functionality of an application as opposed to its internal structures or workings.
• Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. Test cases are built around specifications and requirements, i.e., what the application is supposed to do.
• It uses external descriptions of the software, including specifications, requirements, and design, to derive test cases.
• These tests can be functional or non-functional, though usually functional. The test designer selects valid and invalid inputs and determines the correct output. There is no knowledge of the test object's internal structure.
• This method of test can be applied to all levels of software testing: unit, integration, functional, system and acceptance.
• It typically comprises most if not all testing at higher levels, but can also dominate unit testing as well.

WHITE BOX TESTING

• White box testing is a method of testing software that tests the internal structures or workings of an application, as opposed to its functionality (i.e. black box testing).
• In white-box testing an internal perspective of the system, as well as programming skills, are required and used to design test cases. The tester chooses inputs to exercise paths through the code and determines the appropriate outputs. This is analogous to testing nodes in a circuit, i.e. in-circuit testing (ICT).
• While white-box testing can be applied at the unit, integration and system levels of the software process, it is usually done at the unit level.
• It can test paths within a unit, paths between units during integration, and between subsystems during a system level test. Though this method of test design can uncover many errors or problems, it might not detect unimplemented parts of the specification or missing requirements.
• White-box test design techniques include:

• Control flow testing
• Data flow testing
• Branch testing
• Path testing

GREY BOX TESTING

• Grey box testing involves having knowledge of internal data structures and algorithms for purposes of designing the test cases, but testing at the user, or black-box, level.
• Manipulating input data and formatting output do not qualify as grey box, because the input and output are clearly outside of the "black box" that we are calling the system under test.
• This distinction is particularly important when conducting integration testing between two modules of code written by two different developers, where only the interfaces are exposed for test. Grey box testing may also include reverse engineering to determine, for instance, boundary values or error messages.

Need of Penetration Testing

From a business perspective, penetration testing helps safeguard your organization against failure, through:

• Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
• Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organization losing business, receiving heavy fines, gathering bad PR or ultimately failing.
• Protecting your brand by avoiding loss of consumer confidence and business reputation.

From an operational perspective, penetration testing helps shape information security strategy through:

• Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.

Steps in Penetration Testing

1. Information Gathering
2. Network Mapping
3. Vulnerability Identification
4. Penetration
5. Gaining Access & Privilege Escalation
6. Enumerating Further
7. Compromise Remote Users/Sites
8. Maintaining Access
9. Covering Tracks

Pictorial Representation

INFORMATION GATHERING

Information gathering is essentially using the Internet to find all the information you can about the target (company and/or person) using both technical (DNS/WHOIS) and non-technical (search engines, news groups, mailing lists etc.) methods.

This is the initial stage of any information security audit, which many people tend to overlook. When performing any kind of test on an information system, information gathering and data mining is essential and provides you with all possible information to continue with the test.

Anything you can get hold of during this stage of testing is useful: company brochures, business cards, leaflets, newspaper adverts, internal paperwork.

NETWORK MAPPING

Network-specific information from the previous section is taken and expanded upon to produce a probable network topology for the target.

Many tools and applications can be used in this stage to aid the discovery of technical information about the hosts and networks involved in the test.

• Find live hosts
• Port and service scanning
• Perimeter network mapping (routers, firewalls)
• Identifying critical services
• Operating system fingerprinting
• Identifying routes using the Management Information Base (MIB)
• Service fingerprinting

VULNERABILITY IDENTIFICATION

During vulnerability identification, the assessor will perform several activities to detect exploitable weak points. These activities include:

• Identify vulnerable services using service banners
• Perform a vulnerability scan to search for known vulnerabilities. Information regarding known vulnerabilities can be obtained from the vendors' security announcements, or from public databases such as Security Focus, CVE or CERT advisories.
• Perform false positive and false negative verification (e.g. by correlating vulnerabilities with each other and with previously acquired information)
• Enumerate discovered vulnerabilities
• Estimate probable impact (classify vulnerabilities found)
• Identify attack paths and scenarios for exploitation

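An added example (not from the slides) of the banner check and the false-positive verification step working together: banner versions are matched against an advisory table, a host is downgraded to "needs verification" when its banner carries a distribution suffix (vendors backport fixes without changing the version string), and a host that earlier information already verified as patched is cleared. The banners, the advisory identifiers and the distribution hints are all constructed placeholders, not real advisories.

```python
import re

# Constructed banners "gathered" during network mapping (not from a real scan).
BANNERS = {
    "192.0.2.10:22": "SSH-2.0-OpenSSH_7.4",
    "192.0.2.11:22": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "192.0.2.12:22": "SSH-2.0-OpenSSH_8.9p1",
    "192.0.2.13:21": "220 ProFTPD 1.3.5 Server ready",
}

# Constructed advisory table with placeholder identifiers: "versions below
# fixed_in are affected". A real assessment fills this from vendor announcements
# or the public databases the slide names.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "product": "OpenSSH", "fixed_in": (7, 5),    "severity": "medium"},
    {"id": "ADVISORY-PLACEHOLDER-2", "product": "ProFTPD", "fixed_in": (1, 3, 6), "severity": "high"},
]

BANNER_RE = re.compile(r"(?P<product>OpenSSH|ProFTPD)[_ ](?P<version>\d+(?:\.\d+)*)")
# Substrings that indicate a distribution build whose patch level the version
# number does not reveal (illustrative list, extend for your environment).
DISTRO_HINTS = ("Debian", "Ubuntu", "FreeBSD", "+deb", "el7", "el8")


def parse_banner(banner: str):
    """Return (product, version tuple, rest of banner after the version) or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    version = tuple(int(p) for p in m.group("version").split("."))
    return m.group("product"), version, banner[m.end("version"):]


def assess(banners, advisories, known_patched=frozenset()):
    """Match banner versions against advisories, then apply the two false-positive
    checks: a distro suffix means the version string does not prove the flaw is
    present, and a host verified as patched by earlier information is cleared."""
    findings = []
    for host, banner in banners.items():
        parsed = parse_banner(banner)
        if parsed is None:
            continue
        product, version, rest = parsed
        for adv in advisories:
            if adv["product"] != product or version >= adv["fixed_in"]:
                continue
            if host in known_patched:
                status = "false-positive (verified patched earlier)"
            elif any(hint in rest for hint in DISTRO_HINTS):
                status = "needs-verification (vendor backport likely)"
            else:
                status = "likely-vulnerable"
            findings.append({"host": host, "advisory": adv["id"],
                             "severity": adv["severity"], "status": status})
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for finding in assess(BANNERS, ADVISORIES, known_patched={"192.0.2.13:21"}):
        print(finding)
```
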
PENETRATION

The assessor tries to gain unauthorized access by circumventing the security measures in place and tries to reach as wide a level of access as possible.

This process can be divided into the following steps:

• Find proof of concept code/tool
• Develop tools/scripts
• Test proof of concept code/tool
• Use proof of concept code against the target
• Verify or disprove the existence of vulnerabilities
• Document findings

GAINING ACCESS AND PRIVILEGE ESCALATION

It allows the assessors to confirm and document probable intrusion and/or automated attack propagation.

GAINING ACCESS

• Discovery of username/password combinations
• Discovery of blank passwords or default passwords in system accounts
• Exploit vendor default settings (such as network configuration parameters, passwords and others)

ENUMERATING FURTHER

• Obtain encrypted passwords for offline cracking
• Obtain them by using sniffing or other techniques
• Sniff traffic and analyze it
• Gather cookies and use them to exploit sessions and for password attacks
• E-mail address gathering
• Identifying routes and networks

COMPROMISE REMOTE USERS/SITES

A single hole is sufficient to expose an entire network, regardless of how secure the perimeter network may be. Any system is as strong (in this case, as secure) as the weakest of its parts.

Communications between remote users/sites and enterprise networks may be provided with authentication and encryption by using technologies such as VPN, to ensure that the data in transit over the network cannot be faked nor eavesdropped.

In such scenarios the assessor should try to compromise remote users, telecommuters and/or remote sites of an enterprise. Those can give privileged access to the internal network.

MAINTAINING ACCESS

COVERT CHANNELS

• Identify a covert channel which can be used
• Select the best available tool for the covert channel
• Methodology - set up the covert channel in the target network
• Test the covertness of the channel using common detection techniques

BACKDOORS

Backdoors are meant to be able to always get back to a certain system, even if the account you used to hack the system is no longer available (for example, it has been terminated).

ROOT-KITS

Root-kits will allow you to have even more power over a system than the system administrator does. You will be able to control the remote system completely.

COVER THE TRACKS

The importance of this stage is easily understood but usually understated. After an attacker has successfully compromised a system, he will want to keep it without alerting the administrator, for obvious reasons. The longer the attacker stays on a compromised system, the better the chances that he will be able to achieve his goals further in the network.

During the process of compromising the system, some suspicious and/or erroneous activities are logged. A skilled attacker knows that logs need to be doctored. He modifies them to cover his tracks and disguise his presence.

HIDE FILES

Hiding files is important if the security assessor needs to hide activities which have been done so far, while and after compromising the system, and to maintain back channel[s]. This is also important to hide tools so that these don't need to be uploaded to the target server each time.

CLEAR LOGS

METHODOLOGY

1. Check history
2. Edit log files

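Both the "altering/clearing log files" technique listed under Clearing Tracks and the log-editing methodology just above are what tamper-evident logging at a collector is designed to expose. This added example (not from the slides) seals each forwarded line with an HMAC chained to the previous seal and shows what verification reports for an edited, a deleted and a truncated log. The log lines and the key are constructed, and the assumption is that the key is held only by the collector, never by the monitored host.

```python
import hashlib
import hmac

# Constructed auth-log lines (not from a real host).
LOG_LINES = [
    "Mar 10 09:20:01 web1 sshd[2101]: Accepted publickey for deploy from 198.51.100.7 port 51022",
    "Mar 10 09:20:09 web1 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart app",
    "Mar 10 09:21:44 web1 sshd[2188]: Failed password for root from 203.0.113.9 port 40311",
    "Mar 10 09:21:46 web1 sshd[2188]: Failed password for root from 203.0.113.9 port 40311",
    "Mar 10 09:21:51 web1 sshd[2188]: Accepted password for root from 203.0.113.9 port 40311",
    "Mar 10 09:22:03 web1 auditd[412]: audit daemon stopped by request",
]

# Assumption: this key lives only on the log collector, never on the monitored host,
# so whoever edits the host's copy cannot recompute matching seals.
COLLECTOR_KEY = b"constructed-example-key-not-a-real-secret"
GENESIS = b"\x00" * 32


def seal_log(lines, key=COLLECTOR_KEY):
    """Return [(line, seal_hex)], where seal_i = HMAC(key, seal_{i-1} || line_i).
    Every seal commits to all earlier lines, so editing, deleting or reordering
    any line breaks every seal after it."""
    prev, sealed = GENESIS, []
    for line in lines:
        prev = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        sealed.append((line, prev.hex()))
    return sealed


def verify_log(sealed, expected_last_seal, key=COLLECTOR_KEY):
    """Recompute the chain. Returns (ok, problem): problem names the first line
    whose seal does not match, or 'truncated' if the chain is intact but stops
    before the seal the collector last recorded."""
    prev = GENESIS
    for index, (line, seal_hex) in enumerate(sealed):
        prev = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(prev.hex(), seal_hex):
            return False, f"line {index} altered or a line before it was removed"
    if not hmac.compare_digest(prev.hex(), expected_last_seal):
        return False, "truncated: trailing lines missing"
    return True, "intact"


def tamper_scenarios():
    """Three things the clearing-tracks step does to a log, and what verification
    reports for each, next to the untouched log."""
    sealed = seal_log(LOG_LINES)
    last = sealed[-1][1]                      # what the collector recorded last
    edited = list(sealed)
    line, seal = edited[4]
    edited[4] = (line.replace("Accepted", "Failed"), seal)   # rewrite the login line
    deleted = sealed[:2] + sealed[3:]                         # remove one failed attempt
    truncated = sealed[:-1]                                   # drop the auditd-stopped line
    return {
        "untouched": verify_log(sealed, last),
        "edited": verify_log(edited, last),
        "deleted": verify_log(deleted, last),
        "truncated": verify_log(truncated, last),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:10s} -> {result}")
```
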
DEFEAT ANTI-VIRUS

The focus of this step in penetration testing is to be able to disable or defeat AV software so that the assessor is able to perform activities unhindered, with the possibility to reactivate the AV later.

Possible things that assessors can do (most require Administrator level access):

• Create a batch file so that the AV services are stopped every 30 sec
• Disable the AV services
• Block the central management port

IMPLEMENT ROOT-KITS

• Root-kits, like PoC exploits, should be customized to be able to completely cover the assessor's activities. In most cases, if there is an AV patrolling, root-kits (usually on win32) will be detected before installation. So, modifying the root-kits is required in most situations.
• It's also important to notice that some root-kits won't work on different system setups.
• For example, your root-kit may work on win2k-SP3 but it can't cover anything on SP4.