


1. What is Hacking?
2. Who Are Hackers?
3. How Hackers Are Attacking?
4. Hackers' Techniques
5. Penetration Testing

   1. Introduction: What is a penetration test?
   2. Why penetration testing: Why would you want it?
   3. Choosing a service: What are the different types of tests available?
      * External Penetration Testing
      * Internal Security Assessment
      * Application Security Assessment
      * Wireless/Remote Access Assessment (RAS) Security Assessment
      * Telephony Security Assessment
      * Social Engineering
   4. The different types of approach: "Black-box" and "White-box"
   5. Methodology

6. Types of Attacks
   1. Denial of Service Attacks
   2. Password Based Attacks
   3. Identity Spoofing
   4. Accessing the Log-In Prompt
   5. Brute Force Attacks
   6. Keystroke Logging
   7. Packet Sniffing
   8. Social Engineering
   9. General Access Methods
7. Security Objectives
   1. Data confidentiality
   2. Data integrity
8. Intrusion Analysis
   1. Prevention
   2. Detection
   3. Recovery
9. Risk Management
10. Cyber Crime

1. What Is Hacking

Hacking is the practice of defeating the security of a system by finding weaknesses in it and using them to reach or alter information without the permission of the person authorized to control that system.

2. Who Are Hackers?

A hacker, in the sense used in this paper, is a skilled computer user who is a threat to computer and network security: someone who breaks into computer systems without authorization. Another term for such a person is "intruder", describing someone who intrudes into networks or systems without authorization.

3. How Hackers Are Attacking?

This section covers attacks carried out by a person rather than automated by programs such as viruses, worms or Trojan horse programs. They take many forms, all of which exploit weaknesses in security, and many of them cause loss of service or system crashes.

* IP spoofing - An attacker forges the source IP address of a packet so the receiver believes it came from a location it did not actually come from. There are several forms and outcomes of this attack.
  o The packet may be addressed to a specific computer with the source address set to that same computer, so the target appears to be talking to itself. This is the "Land" attack; it caused some operating systems, including Windows of that era, to crash or lock up.
* Gaining access through source routing - Source-routed packets let the sender dictate the path a packet takes. A hacker who has broken into a friendly but less secure network may use source routing to reach your network through it.
* Man in the middle attacks - The attacker places himself between two communicating parties:
  o Session hijacking - The attacker watches a session on the network. Once authentication is complete, the attacker disables the client computer and uses IP spoofing to claim to be the client who was just authenticated, stealing the session.
  o Server spoofing - The C2MYAZZ utility, run on a Windows 95 station, impersonates the server while the user attempts to log in and asks the client for LANMAN (clear-text) authentication. If the client is tricked into sending LANMAN authentication, the attacker reads the username and password out of the packets on the network.
* DNS poisoning - An attack in which DNS information is falsified. Name servers do not verify the source of a DNS reply, so when a DNS request is sent an attacker can send a false reply, possibly carrying additional bogus records, which the requesting DNS server may cache. The attack succeeds only under the right conditions and may not be very practical, but when it works traffic is diverted: users can be sent from the correct web server, for example a bank's, to one the attacker controls, which captures their details when they attempt to log on.
* Password cracking - Used to obtain the password of a user or administrator on a network and thereby gain unauthorized access.
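The DNS poisoning bullet above comes down to one missing check: the resolver does not tie a reply to the query it sent. This added example (not code from the original paper) simulates two resolver caches in memory, one that caches whatever arrives and one that checks transaction ID, source address and port and ignores additional records outside the zone it asked about. The names, the documentation-range addresses and the attacker's "lure" zone are assumptions made for the demonstration; no real sockets are used.

```python
"""Toy DNS resolver cache: why unverified replies poison it.

Added example, not code from the original paper. Everything is simulated in
memory (no sockets); the names, addresses and the attacker's lure zone are
made up for the demonstration.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Query:
    txid: int        # 16-bit transaction ID chosen by the resolver
    name: str
    upstream: str    # address of the name server the query was sent to
    src_port: int    # UDP source port the query left from


@dataclass
class Reply:
    txid: int
    name: str
    answer: str
    src_addr: str    # address the reply claims to come from (trivially forged)
    dst_port: int
    additional: dict = field(default_factory=dict)  # extra name -> address records


class NaiveResolver:
    """Caches any reply naming a record it is waiting for: no source check at all."""

    def __init__(self):
        self.cache = {}
        self.pending = {}

    def send_query(self, name, upstream):
        q = Query(random.randrange(1 << 16), name, upstream, random.randrange(1024, 65536))
        self.pending[name] = q
        return q

    def receive(self, r):
        if r.name not in self.pending:
            return False
        self.cache[r.name] = r.answer
        self.cache.update(r.additional)      # blindly caches bogus extra records too
        del self.pending[r.name]
        return True


class CheckedResolver(NaiveResolver):
    """Accepts a reply only if txid, source address and port match the outstanding
    query, and keeps additional records only from the zone that was asked about."""

    def receive(self, r):
        q = self.pending.get(r.name)
        if q is None or r.txid != q.txid or r.src_addr != q.upstream or r.dst_port != q.src_port:
            return False
        self.cache[r.name] = r.answer
        zone = r.name.split(".", 1)[1]
        for name, addr in r.additional.items():
            if name.endswith("." + zone):     # bailiwick check
                self.cache[name] = addr
        del self.pending[r.name]
        return True


UPSTREAM = "198.51.100.53"     # the bank's legitimate name server (assumed)
ATTACKER_NS = "203.0.113.53"   # attacker's own, legitimately authoritative name server
ATTACKER = "203.0.113.9"       # attacker's web server


def smuggled_record(resolver):
    """Attacker answers a query for its own name correctly but adds a record for the
    bank in the additional section. Returns what the resolver now believes the bank's
    address is (None if nothing was cached)."""
    q = resolver.send_query("lure.attacker.test", ATTACKER_NS)
    reply = Reply(q.txid, "lure.attacker.test", ATTACKER, ATTACKER_NS, q.src_port,
                  additional={"www.example-bank.test": ATTACKER})
    resolver.receive(reply)
    return resolver.cache.get("www.example-bank.test")


def blind_spoof(resolver):
    """Off-path attacker forges a reply for the bank without seeing the query, so the
    txid and port are guesses (modelled here as guesses that happen to be wrong)."""
    q = resolver.send_query("www.example-bank.test", UPSTREAM)
    forged = Reply((q.txid + 1) & 0xFFFF, "www.example-bank.test", ATTACKER,
                   UPSTREAM, (q.src_port + 1) % 65536)
    return resolver.receive(forged)
```

Run `smuggled_record(NaiveResolver())` and the bank's name resolves to the attacker; with `CheckedResolver` the legitimate answer for the lure is kept and the smuggled record is discarded. The blind forgery is accepted by the naive cache for the same reason: nothing in the reply is compared with the query that is outstanding.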

4. Hackers' Techniques

Hackers are commonly divided into three types according to the techniques they use and what they set out to do:

1. White Hat Hacker - A white hat hacker tests networks and systems to examine how they perform and to determine how vulnerable they are to intrusion. White hat hackers usually crack their own systems or those of a client who has specifically employed them to carry out a security audit.
2. Black Hat Hacker - A black hat hacker is synonymous with a cracker. Crackers are generally less focused on programming and the academic side of breaking into systems; they often rely on readily available cracking programs and exploit well-known vulnerabilities to uncover sensitive information for personal gain or to inflict damage on the target system or network.
3. Grey Hat Hacker - A grey hat hacker has the skills, and in most situations the intent, of a white hat hacker but occasionally uses that knowledge for less than noble purposes. A grey hat can be thought of as a white hat who sometimes wears a black hat to accomplish his own agenda.


5. Penetration Testing

1. Introduction: What is a penetration test?

A penetration test is the process of actively evaluating your information security measures. It can be undertaken in a number of ways, but the most common procedure is that the security measures are actively analyzed for design weaknesses, technical flaws and vulnerabilities.

2. Why penetration testing: Why would you want it?

Organizations choose to perform a penetration test for several reasons, ranging from technical to commercial. The most common are:
* To identify the threats facing your organization's information assets, so that information risk can be quantified and information security expenditure set at an adequate level.
* To reduce IT security costs and improve the return on security investment (ROSI) by identifying and resolving vulnerabilities and weaknesses.
* To provide assurance: a thorough and comprehensive assessment of organizational security covering policy, procedure, design and implementation.

3. Choosing a service: What are the different types of tests available?

External Penetration Testing is the traditional approach to penetration testing. The testing is focused on the servers, infrastructure and underlying software that make up the target. It may be performed with no prior knowledge of the site (black box) or with full disclosure of the topology and environment (crystal box).


Internal Security Assessment follows a similar methodology to external testing but gives a more complete view of the site's security. Testing is typically performed from a number of network access points representing each logical and physical segment, for example the tiers and DMZs within the environment, the corporate network, or partner company connections.

Application Security Assessment is designed to identify and assess threats to the organization that arise through bespoke or proprietary applications and systems. Such applications may, for example, provide interactive access to potentially sensitive material. It is vital that they are assessed to ensure, firstly, that the application does not expose the underlying servers and software to attack and, secondly, that a malicious user cannot access, modify or destroy data or services within the system. Even in a well-deployed and secured infrastructure, a weak application can expose the organization's crown jewels to unacceptable risk.

Wireless/Remote Access Assessment (RAS) Security Assessment addresses the security risks associated with an increasingly mobile workforce. Home working, always-on broadband Internet access, 802.11 wireless networking and a plethora of emerging remote access technologies have greatly increased companies' exposure by extending the traditional perimeter ever further. It is vital that the architecture, design and deployment of such solutions are secure and sound, so that the associated risks are managed effectively.

Telephony Security Assessment addresses security concerns relating to corporate voice technologies: abuse of PBXs by outsiders to route calls at the target's expense, voicemail deployment and security, voice over IP (VoIP) integration, unauthorized modem use and the associated risks.

6. Types of Attacks

Denial of Service Attacks

* Ping broadcast - A ping (ICMP echo request) is sent to the broadcast address of a network containing many hosts, with the source address in the packet forged to be the IP address of the computer to be attacked. If the router into that network passes the broadcast, every host on it replies to the attacked system, which is flooded with echo replies, unable to operate on the network for some time and possibly locked up. The attacked computer may be on someone else's network entirely; the network whose hosts reply merely acts as the amplifier. One countermeasure is to block incoming traffic addressed to a broadcast address.
* Ping of death - An oversized ICMP datagram (fragments that reassemble to more than the 65,535-byte IP maximum) can crash IP devices made before 1996.
* Smurf - The name commonly given to the ping broadcast attack above: an echo request is sent to a broadcast address with a spoofed source address so that many echo replies come back to the victim and overwhelm its ability to process them.
* Teardrop - A normal first fragment is sent, followed by a second fragment whose fragmentation offset claims it lies inside the first and whose length is so small that it does not even extend beyond the end of the first fragment. Reassembly code that does not expect overlapping fragments computes a negative length, which can cause a buffer overflow and a system crash on many operating systems.
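The four attacks above are all recognizable from packet headers alone, which is why a border router or a careful IP stack can refuse them. The following added example (not code from the original paper) implements those checks over constructed packets and fragment trains: a directed-broadcast echo request (the Smurf trigger the countermeasure blocks), a packet whose source equals its destination (the Land attack from section 3), and a fragment reassembler that rejects trains reaching past 65,535 bytes or overlapping earlier fragments instead of computing a negative length. The packet dicts, the fragment tuples and the documentation-range addresses are assumptions for the demo.

```python
"""Checks a router or host can apply against the DoS packets described above.

Added example, not code from the original paper. Packets are plain dicts and the
fragment trains are constructed here; no live capture is involved.
"""
MAX_IP_DATAGRAM = 65535   # largest total length an IPv4 datagram may have


def is_land(pkt):
    """Land attack: a packet whose source address is the destination it is sent to."""
    return pkt["src"] == pkt["dst"]


def is_smurf_trigger(pkt, broadcast_addrs):
    """Echo request aimed at a directed broadcast: the packet an amplifier network
    should never accept from outside (the countermeasure in the text)."""
    return pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8 and pkt["dst"] in broadcast_addrs


def check_fragments(frags):
    """Classify one fragment train as 'ok', 'ping-of-death' or 'teardrop'.

    frags: list of (offset_bytes, payload_len, more_fragments) in arrival order.
    A careful reassembler tracks the byte ranges it has already accepted and
    rejects any fragment that reaches past the IP maximum or overlaps an earlier
    one, instead of trusting the offsets the way vulnerable stacks did.
    """
    accepted = []                       # (start, end) of fragments kept so far
    for offset, length, _more in frags:
        start, end = offset, offset + length
        if end > MAX_IP_DATAGRAM:
            return "ping-of-death"
        for s, e in accepted:
            if start < e and s < end:   # byte ranges intersect
                return "teardrop"
        accepted.append((start, end))
    return "ok"


def filter_inbound(packets, local_broadcasts):
    """Border-router view: return (packet, reason) for every packet to drop."""
    dropped = []
    for p in packets:
        if is_land(p):
            dropped.append((p, "land"))
        elif is_smurf_trigger(p, local_broadcasts):
            dropped.append((p, "smurf"))
    return dropped


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_PACKETS = [
    {"src": "203.0.113.7", "dst": "198.51.100.255", "proto": "icmp", "icmp_type": 8},  # smurf trigger
    {"src": "198.51.100.10", "dst": "198.51.100.10", "proto": "tcp", "flags": "S"},     # land
    {"src": "203.0.113.7", "dst": "198.51.100.10", "proto": "icmp", "icmp_type": 8},    # ordinary ping
]
NORMAL_TRAIN = [(0, 1480, True), (1480, 520, False)]
TEARDROP_TRAIN = [(0, 36, True), (24, 4, False)]      # second fragment lies inside the first
PING_OF_DEATH = [(65520, 32, False)]                   # reaches past 65535
```

`check_fragments(TEARDROP_TRAIN)` returns "teardrop" because the second fragment's byte range (24 to 28) falls inside the first (0 to 36); a naive reassembler would subtract the two ends and get a negative copy length. `filter_inbound` drops only the broadcast-addressed and self-addressed packets and lets the ordinary ping through.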
Password Based Attacks

Obtaining Passwords

Once a hacker has reached an organization's log-in prompt, he or she can attempt to sign on to the system, which requires a valid user ID and password combination. Passwords are therefore the primary piece of information intruders try to acquire in order to gain unauthorized access to systems or networks.

Password Storage

When users set passwords for the network or operating system, the passwords, or some derivative of them, must be stored so that there is something to compare login attempts against. There are three primary choices for password storage:
* Clear text
* Encrypted password
* Hash value of a password - used by Unix and Windows NT

The storage location may be:
* Readable only by root or the administrator
* Readable by anyone

Passwords are more secure when they can only be read by the administrator or root account, and the best storage choice is to keep only the hashed value of a password.

Typical Hashing Functions
* UNIX - crypt(3), a DES-based algorithm in which the password supplies the 56-bit key. Two random characters (the salt) are mixed into the algorithm so that two users with the same password are not stored with the same value.
* Windows NT - MD4 of the password, giving a 128-bit value (the NT hash), stored without a salt.

Password Protection and Cracking

Passwords should be chosen wisely, and a dictionary word should never be used. If an attacker obtains the hashed or encrypted value of a password, he can run a password guessing program that hashes each guess and compares the result with the stored value until they match. The easiest such attack is a dictionary attack, in which dictionary words are tried as guesses. Complexity requirements should demand at least three of the following four character classes:
* Lowercase letters
* Uppercase letters
* Numbers
* Special characters such as !@#$%^&*(){}[]

For help in choosing passwords wisely, see the article "Tips for choosing Passwords that can be easily remembered, but are secure".

Protocols to send passwords
* PAP - Password Authentication Protocol, used with the Point to Point Protocol (PPP). The password is sent in the clear.
* CHAP - Challenge Handshake Authentication Protocol, preferred over PAP because the password itself is never sent across the Internet or network; the client proves knowledge of it by answering a challenge.

Password Cracking

Historically, most UNIX sites stored the encrypted passwords together with the corresponding user accounts in the world-readable file /etc/passwd. Should a hacker obtain this file, he or she can simply run a password cracking program such as Crack. Crack works by encrypting a standard dictionary with the same algorithm UNIX uses (crypt) and comparing each encrypted dictionary word against the entries in the password file until it finds a match. Crack is freely available via anonymous FTP at /pub/tools/crack. To combat password-cracking software, the network administrator should ensure that:
* Encrypted passwords are stored in a shadow password file, and that file is adequately protected.
* Weak passwords are identified by running Crack against the password file before an attacker does.
* Software such as Npasswd or Passwd+ is used to force users to select passwords that are difficult to guess.
* Users do not write their passwords down on or near their work environment.
* Only the minimum number of users have command-line access, to minimize the risk of the /etc/passwd file being copied.

Identity Spoofing

The word "spoof" means "to deceive"; it derives from a game of trickery invented by the British comedian Arthur Roberts. Spoofing refers to intentionally deceiving an Internet user into believing that the website or e-mail he or she is viewing is authentic as to its apparent origin, when in reality it was developed and/or sent by another entity.
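The Password Storage and Password Cracking passages above make two claims worth seeing side by side: an unsalted hash lets the attacker hash each dictionary word once and compare it against every account, while a per-user salt forces the whole dictionary to be redone for every user. This added example (not code from the original paper, and not Crack itself) stores the same constructed user table both ways and runs a dictionary attack against each, counting hash operations. It uses SHA-256 and PBKDF2-HMAC-SHA256 from the Python standard library in place of crypt(3)/DES and MD4, which current Python does not ship; the users, passwords, word list and iteration count are assumptions for the demo.

```python
"""Password storage choices beside the dictionary attack run against each.

Added example, not code from the original paper. SHA-256 (unsalted) and
PBKDF2-HMAC-SHA256 (salted) stand in for crypt(3)/DES and MD4, which are not
available in a current Python standard library; the user database and word list
are constructed here.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000   # work factor for the salted scheme (assumed for the demo)


def hash_unsalted(password):
    """NT-hash style: the same password always yields the same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    """crypt(3) style: a per-user random salt goes into the hash with the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def store_unsalted(creds):
    """creds: {user: clear password}. Returns {user: stored value}."""
    return {user: hash_unsalted(pw) for user, pw in creds.items()}


def store_salted(creds):
    """Returns {user: (salt, stored value)}; the salt is kept beside the hash, as in /etc/passwd."""
    db = {}
    for user, pw in creds.items():
        salt = os.urandom(8)
        db[user] = (salt, hash_salted(pw, salt))
    return db


def crack_unsalted(db, wordlist):
    """One hash per dictionary word, compared against every user: the cost does not
    grow with the number of accounts. Returns (recovered, hashes_computed)."""
    found, work = {}, 0
    for word in wordlist:
        work += 1
        guess = hash_unsalted(word)
        for user, stored in db.items():
            if hmac.compare_digest(guess, stored):
                found[user] = word
    return found, work


def crack_salted(db, wordlist):
    """Each user's salt forces the dictionary to be rehashed for that user."""
    found, work = {}, 0
    for user, (salt, stored) in db.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(hash_salted(word, salt), stored):
                found[user] = word
                break
    return found, work


# Constructed sample data: two users share a dictionary word, one does not.
CREDS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}
WORDLIST = ["password", "letmein", "qwerty", "123456"]
```

With the unsalted table, alice's and bob's stored values are identical (the attacker learns they share a password before cracking anything) and four hashes recover both. With salts the two stored values differ and the same two accounts cost eight hashes, a gap that grows with the size of the user table and the word list; carol's non-dictionary password survives either way.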

For e-mail, spoofing usually involves forging the header information used in the automated delivery and identification of the message. E-mail spoofing is illegal per se in some jurisdictions, whatever the reason for it, and under the CAN-SPAM Act (signed in 2003) it is illegal to use fraudulent header information in unsolicited commercial e-mail. Because e-mail address settings are easy to change and the Simple Mail Transfer Protocol (SMTP) does not authenticate the sender, spoofed e-mails are relatively common: once a server is listening on the SMTP port (TCP port 25), any client can connect and issue commands that send e-mail appearing to come from any correctly formatted address. In response, many ISPs and mail providers, Earthlink among them, now refuse SMTP connections from clients outside their own pool of IP addresses. Even so, spoofed HTML e-mails that combine reproduced trademarks, requests for personal information and links to spoofed websites can fool even experienced Internet users.

Websites can also be spoofed so that a site appears to come from a trusted source when it was actually generated by another, disguised host. The content of a website is easily copied, since its source code and images can be downloaded at the click of a mouse. Unlike an e-mail message, a website's domain name discloses the true source of the page and cannot easily be altered; however, a reported input validation bug in Internet Explorer versions 5 and 6 for Windows allowed even the displayed domain name of a viewed website to be falsified. Even without that bug, the rich HTML content of web pages allows robust forgery of legitimate sites. Spoofing can also describe the falsifying of an IP address.

While IP spoofing certainly presents a challenge in investigating computer hacking activity, it is beyond this paper's primary concern here, which is corporate identity fraud in the forms of spoofing and phishing.

Phishing

From the vernacular of computer hacking, phishing on the Internet has come to mean enticing users to give up their personal information through spoofed e-mails and websites. The perpetrator "phishes" for victims, who are fooled into entering their usernames, passwords, credit card numbers and other personal information into seemingly legitimate forms.
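The e-mail spoofing paragraph above rests on a protocol detail: an SMTP server accepts whatever sender the client names in MAIL FROM and whatever From: header it puts in the message body, with no authentication step in between. This added example (not code from the original paper) is a toy in-memory SMTP server that plays the server side of that exchange for a constructed phishing session, and models the one defence the text mentions, refusing connections from outside the provider's own address pool. The hostnames, addresses and the 192.0.2.0/24 pool are assumptions for the demo; no sockets are opened.

```python
"""The SMTP exchange that makes e-mail spoofing trivial, and the ISP-side
restriction the text mentions.

Added example, not code from the original paper. The server is a toy state
machine that speaks a subset of SMTP in memory (no sockets); the hostnames,
addresses and IP pool are constructed for the demonstration.
"""
import ipaddress


class ToySmtpServer:
    """Handles one session. Like real SMTP it never verifies MAIL FROM, so any
    client may claim any sender; the only defence modelled is refusing
    connections from outside the provider's own address pool."""

    def __init__(self, hostname, own_pool, restrict_to_pool):
        self.hostname = hostname
        self.pool = ipaddress.ip_network(own_pool)
        self.restrict = restrict_to_pool
        self.state = "connect"
        self.sender = None
        self.recipients = []
        self.body = []

    def session(self, client_ip, client_lines):
        """Run a session and return the transcript as (client line, server reply) pairs."""
        transcript = []
        if self.restrict and ipaddress.ip_address(client_ip) not in self.pool:
            transcript.append(("<connect>", "554 %s: connection refused from %s" % (self.hostname, client_ip)))
            return transcript
        transcript.append(("<connect>", "220 %s ESMTP ready" % self.hostname))
        for line in client_lines:
            reply = self.handle(line)
            if reply is not None:        # message body lines get no reply
                transcript.append((line, reply))
        return transcript

    def handle(self, line):
        if self.state == "data":
            if line == ".":
                self.state = "helo"
                return "250 OK: queued"
            self.body.append(line)       # a forged From: header goes straight through
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.state = "helo"
            return "250 %s" % self.hostname
        if self.state == "connect":
            return "503 send HELO first"
        if verb == "MAIL":
            self.sender = arg[5:] if arg.upper().startswith("FROM:") else arg
            self.state = "mail"
            return "250 OK"              # no authentication: the claimed sender is taken at face value
        if verb == "RCPT" and self.state in ("mail", "rcpt"):
            self.recipients.append(arg[3:] if arg.upper().startswith("TO:") else arg)
            self.state = "rcpt"
            return "250 OK"
        if verb == "DATA" and self.state == "rcpt":
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "503 Bad sequence of commands"


# Constructed session: the client claims to be the bank and sends a forged From: header.
SPOOF_SESSION = [
    "HELO mail.attacker.test",
    "MAIL FROM:<security@example-bank.test>",
    "RCPT TO:<victim@example.test>",
    "DATA",
    "From: Example Bank Security <security@example-bank.test>",
    "Subject: Please confirm your account",
    "",
    "Log in at http://example-bank.test.attacker.test/ to keep your account open.",
    ".",
    "QUIT",
]


def spoof_accepted(client_ip, restrict_to_pool):
    """True if the forged message was queued from client_ip under the given policy."""
    server = ToySmtpServer("smtp.isp.test", "192.0.2.0/24", restrict_to_pool)
    transcript = server.session(client_ip, SPOOF_SESSION)
    return any(reply.startswith("250 OK: queued") for _, reply in transcript)
```

From an outside address the forged message is queued when the server accepts all comers and refused at connection time when it is restricted to its own pool; a client inside the pool can still claim any sender, which is why the restriction limits who can abuse a given server rather than fixing the protocol.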
Accessing the Log-In Prompt

One method of gaining illegal access to a computer system is through the log-in prompt. This may occur when the hacker is physically inside the facility or is attempting to reach the system through a dial-in connection.

Physical Access

An important step in securing corporate information systems is to ensure that physical access to computer resources is adequately restricted. Any internal or external person who gains physical access to a terminal has the opportunity to attempt to sign on at the log-in prompt. To reduce the potential for unauthorized system access via a terminal within the organization's facility, the network administrator should ensure that:
* Terminals are located in physically secure environments.
* Appropriate access control devices are installed on all doors and windows that could be used to reach areas where computer hardware is located.

Dial-in Access

Another way to reach the log-in prompt is to dial in to the host. Many demon dialers (war dialers) are readily available on the Internet: given a range of telephone numbers to dial, they identify which ones answer with a modem. Once a hacker discovers an organization's modem number, he or she can dial in and, in most cases, is presented with the log-in prompt immediately. To minimize the potential for security violations via dial-in access, the network administrator should ensure that:
* Adequate controls are in place for dial-in sessions, such as switching off the modem when not in use, using a call-back facility, or requiring an extra level of authentication, such as a one-time password, for dial-in sessions.
Brute Force Attacks

Brute force attacks are manual or automated attempts to guess valid passwords. A simple password guessing program can be written in roughly 60 lines of C or 40 lines of Perl, and many are available on the Internet. Most hackers also keep a password hit list: a collection of the default passwords automatically assigned to various system accounts when a system is installed. For example, the default password for the guest account on most UNIX systems is guest. To protect the network from unauthorized access, the network administrator should ensure that:
* All user accounts are password protected.
* Password values are chosen so that they cannot easily be guessed.
* Default passwords are changed as soon as the system is installed.
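The three administrator checks above can be automated, and the hit-list attack they defend against is easy to model against a login prompt. This added example (not code from the original paper) audits an account table for missing or default passwords, and shows an online guessing run hitting an account lockout, the control that turns a cheap guessing program into a slow one. The account tables, hit list, lockout threshold and the use of a SHA-256 verifier in place of the real system's password store are assumptions for the demo.

```python
"""Default-password audit and login lockout against the hit-list attack above.

Added example, not code from the original paper. The account tables, hit list
and lockout threshold are constructed here; SHA-256 stands in for whatever
verifier the real system stores.
"""
import hashlib

LOCKOUT_AFTER = 5   # failed attempts before an account is locked (assumed policy)

# The hacker's hit list: default account/password pairs tried first (constructed).
HIT_LIST = [("guest", "guest"), ("root", "root"), ("admin", "admin"),
            ("operator", "operator"), ("backup", "backup"), ("guest", "")]


def verifier(password):
    return hashlib.sha256(password.encode()).hexdigest()


class LoginService:
    """Accounts map name -> stored verifier; None means no password is set at all."""

    def __init__(self, accounts, lockout_after=LOCKOUT_AFTER):
        self.accounts = dict(accounts)
        self.failures = {name: 0 for name in accounts}
        self.lockout_after = lockout_after

    def locked(self, name):
        return self.failures.get(name, 0) >= self.lockout_after

    def login(self, name, password):
        """Return 'ok', 'locked' or 'denied'. Unknown users are simply denied."""
        if name not in self.accounts:
            return "denied"
        if self.locked(name):
            return "locked"               # even the right password no longer works
        stored = self.accounts[name]
        if stored is None or stored == verifier(password):
            self.failures[name] = 0
            return "ok"
        self.failures[name] += 1
        return "denied"


def audit_defaults(accounts, hit_list):
    """Administrator's check: which accounts still have no password or a hit-list
    default? Runs offline against the stored verifiers, not the login prompt."""
    findings = []
    for name, stored in accounts.items():
        if stored is None:
            findings.append((name, "no password"))
            continue
        for user, default in hit_list:
            if user == name and stored == verifier(default):
                findings.append((name, "default password"))
                break
    return findings


def run_hit_list(service, hit_list):
    """Attacker's view: walk the hit list and return the first account that opens."""
    for name, password in hit_list:
        if service.login(name, password) == "ok":
            return name
    return None


def guessing_run(service, name, guesses):
    """Attacker's online guessing against one account; returns the outcome of each try."""
    return [service.login(name, g) for g in guesses]


# Constructed installations: one fresh out of the box, one hardened.
FRESH_INSTALL = {"root": verifier("root"), "guest": verifier("guest"),
                 "alice": verifier("correct horse")}
HARDENED = {"root": verifier("gX!7qLm#2kPz"), "guest": verifier("4rb!tr4ry-Guest"),
            "alice": verifier("correct horse")}
```

Against the fresh installation the hit list opens the guest account on its first try and the audit reports both defaults; against the hardened table the hit list finds nothing, and a guessing run against root is locked out after five failures, so that the sixth attempt is refused even with the correct password. Lockout has its own cost (an attacker can use it to deny service to real users), which is why it is usually paired with a delay or an alert rather than applied alone.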

Keystroke Logging

It takes less than 30 seconds to type in a short script that captures sign-on sessions. A hacker can use a diskette to install a keystroke-logging program on a workstation. Once this Trojan horse is installed it works in the background and captures every sign-on session, triggered by key words such as the login prompt.

Packet Sniffing

The Internet offers a wide range of network monitoring tools, including network analyzers and packet sniffers. These tools capture packets of data as they are transmitted along a communications segment. Once a hacker has gained physical access to a PC connected to a LAN and loaded such software, he or she can monitor data as it is transferred between locations, including any passwords sent in the clear.

Social Engineering

Hackers often select a user account that has not been used for a period of time (typically about two weeks) and make sure it belongs to a user whom the administrator is unlikely to recognize by voice; accounts belonging to interstate users or users in another building are typical targets. The hacker then contacts the administrator posing as that user and talks his way into a new password for the account.

General Access Methods

Hackers use a variety of methods to gain access to a host system from another system.

Internet Protocol Address Spoofing

In a typical network a host allows other trusted hosts to communicate with it without requiring authentication (that is, without a user account and password combination). An attacker who forges the source address of a trusted host inherits that trust.

7. Security Objectives

Data Confidentiality

As society comes to depend more and more on information, new problems of individual rights and privacy arise. People want information about many things, from the latest figures on jobs for school leavers to up-to-the-minute, accurate bank balances from automated teller machines. At the same time, many people are concerned that too much of their information is being stored in computer databases and accessed by persons or organizations unknown to them.

Privacy and security: Increasingly, people need more information and better skills in handling it in order to make decisions. As the information age evolves, privacy remains an essential issue to be considered.

Data Integrity

In telecommunication terms, data integrity has the following meanings:
1. The condition that exists when data is unchanged from its source and has not been accidentally or maliciously modified, altered or destroyed.
2. The condition in which data is identically maintained during any operation, such as transfer, storage and retrieval.
3. The preservation of data for its intended use.
4. Relative to specified operations, the a priori expectation of data quality.

8. Intrusion Analysis

Engagement Expectations: One of your systems has just been attacked. What now? The purpose of intrusion analysis is to learn exactly what happened, make sure it does not happen again, and determine the motives of the intruder. Intrusion analysis encompasses the following services:
* Incident response procedures and training
* Incident response
* Technical analysis of intrusion data
* Reverse engineering of attacker tools

Why Have Intrusion Analysis Performed?

Computer intrusions can be difficult to analyze at first glance. A noisy port scan may actually be cover for a stealthier attack on one of your crucial systems, and the compromise of one insignificant system may be a symptom of the compromise of your entire network.

Intrusion Analysis Methodology: Crucial Security recommends that proactive organizations consider an engagement before an intrusion occurs, so that appropriate intrusion response procedures can be developed and implemented. However, we are prepared for our initial engagement with a client to be in response to an intrusion.

Crucial Security's intrusion analysis methodology consists of the following:
* Initial client meeting to determine the scope of the engagement
* If an incident has not occurred:
  o Development or evaluation of the client's incident response procedures
  o Training in incident response procedures
* If an incident has occurred:
  o Gathering of incident data for analysis
  o On-site or off-site analysis of intrusion data
  o Detailed reporting

Intrusion Prevention

Stop attacks before they get into your network. Intrusion prevention from SecureWorks centers on the iSensor appliance. A marriage of firewall and intrusion detection technologies, the iSensor blocks attacks while legitimate traffic flows uninterrupted. Intrusion prevention at the network level consists of three major pieces:
1. The iSensor appliance stops attacks in real time. Frequent updates to the iSensor are managed for you.
2. Security analysts in the security operations center monitor aggregated security events and act to resolve ambiguity.
3. Reporting for everyone from IT staff all the way up to board members.

How we respond to new attacks: The SecureWorks method of encoding attack signatures is unique, and the process is patent-pending. Our approach dramatically reduces false-positive alerts, allows legitimate network traffic to flow unabated, and launches very specific countermeasures against very specific exploits rather than deploying broad or poorly defined attack signatures.

Network Intrusion Detection

Your network should have some form of network intrusion detection system. That said, how intrusions are detected, how to monitor, and how to interpret the data is a complex subject.

Intrusion Detection Types
* Network - Used to protect the network or a large part of it. The sensor listens to all the packets it can see and tries to find intrusion patterns in their contents. Where this type of IDS is placed on the network matters, because it cannot analyze packets on the far side of routers, bridges or switches.

9. Risk Management

Risk management is a set of principles and practices like any other management discipline. It involves evaluating the value of your assets and the possible threats to them, and determining the appropriate measures to take to secure them. By learning to manage risk proactively instead of reacting when an exploit occurs, companies can make better use of their resources to protect their business.

10. Cyber Crime

The scenario that no one in the computer security field likes to talk about has come to pass: the biggest e-commerce sites on the Net have been falling like dominoes. First it was Yahoo! Inc.: on Feb. 6 the portal giant was shut down for three hours. Then retailer Inc. was hit the next day, hours after going public. By that evening eBay,, and CNN had gone dark, and in the morning the mayhem continued, with online broker E*Trade and others having traffic to their sites virtually choked off. The work of some super hacker? For now, law enforcement officials don't know, or won't say. But what worries experts more than the identity of this particular culprit or outlaw group is how easily these attacks were orchestrated and executed. Seemingly, someone could be sitting in the warmth of their home and, with a few keystrokes, disrupt electronic commerce around the globe.

DEAD HALT. Experts say it is so easy it is creepy: the software to do this damage is simple to use and readily available at underground hacker sites throughout the Internet. A tiny program is downloaded and planted in computers all over the world. Then, at the push of a button, those PCs are told to go into action, each sending a simple request for access to a site again and again and again, scores or hundreds of times a second. Gridlock. For all the sophisticated work on firewalls, intrusion detection systems, encryption and computer security, e-businesses are at risk from a relatively simple technique akin to dialing a telephone number repeatedly so that everyone else trying to get through hears a busy signal. ``We have not seen anything of this magnitude before--not only at eBay, but across so many sites,'' says Margaret C. Whitman, CEO of eBay. No information on a web site was snatched, no data corrupted, no credit-card numbers stolen--at least so far.

Cyber crime is becoming one of the Net's growth businesses. The recent spate of attacks that gummed up web sites for hours--known as ``denial of service''--is only one type.