
ETHICAL HACKING AND INFORMATION SECURITY

ETHICAL HACKING AND INFORMATION SECURITY INTRODUCTION


PREHISTORY (1960s): The Dawn of Hacking. The original meaning of the word "hack" started at MIT; it meant an elegant, witty or inspired way of doing almost anything, and hacks were programming shortcuts.

ELDER DAYS (1970-1979): Phone Phreaks and Cap'n Crunch. One phreak, John Draper (aka "Cap'n Crunch"), discovers that a toy whistle packed in Cap'n Crunch cereal produces a 2600-hertz tone, the signal that unlocks AT&T's long-distance switching system. Draper builds a "blue box" which, used with the whistle, allows phreaks to make free calls. Steve Wozniak and Steve Jobs, future founders of Apple Computer, make and sell blue boxes.

THE GOLDEN AGE (1980-1991): 1980: Hacker Message Boards and Groups. Hacking groups form, such as Legion of Doom (US) and Chaos Computer Club (Germany). 1983: Kids' Games. The movie "War Games" introduces the public to hacking.


1. ETHICAL HACKING
An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit, and who does so only under explicit, written authorization from the owner that defines the scope of the test. To test a security system, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion testing and red teaming (strictly, a red team exercise is a broader, goal-driven simulation of a real adversary, while a penetration test is scoped to finding and demonstrating vulnerabilities). An ethical hacker is sometimes called a white hat, a term that comes from old Western movies, where the "good guy" wore a white hat and the "bad guy" wore a black hat.

1.1. CYBER ETHICS

Cyber ethics is a code of behaviour for using the Internet. Since we are going to look at it from the hacker's perspective, we will first dissect what the word hacker stands for.

HACKER:
A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. It is used to refer to someone skilled in the use of computer systems, especially if that skill was obtained in an exploratory way. The term is often misused in a pejorative context, where cracker would be the correct term, and as a result it has come to be applied to individuals, with or without skill, who break into security systems. Several subgroups of the computer underground, with different attitudes and aims, use different terms to demarcate themselves from each other, or to exclude some specific group with which they do not agree. In hacker culture there are many categories, such as white hat (ethical hacking), grey hat, black hat and script kiddies. Usually the term cracker refers to black hat hackers or, more generally, hackers with unlawful intentions.

WHITE HAT HACKER: A white hat hacker, also rendered as ethical hacker, is, in the realm of information technology, a person who is ethically opposed to the abuse of computer systems. The realization that the Internet now represents human voices from around the world has made the defense of its integrity an important pastime for many. A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them. The term white hat hacker is also often used to describe those who attempt to break into systems or networks in order to help the owners of the system by making them aware of security flaws, or to perform some other altruistic activity. Many such people are employed by computer security companies; these professionals are sometimes called sneakers. Groups of these people are often called tiger teams.


GREY HAT HACKER: A grey hat, in the computer security community, refers to a skilled hacker who sometimes acts legally, sometimes in good will, and sometimes not. They are a hybrid between white and black hat hackers. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits. One reason a grey hat might consider himself grey is to distinguish himself from the two extremes, black and white. It might be a little misleading to say that grey hat hackers never hack for personal gain.

BLACK HAT HACKER: A black hat is a person who compromises the security of a computer system without permission from an authorized party, typically with malicious intent. The term white hat is used for a person who is ethically opposed to the abuse of computer systems, but is frequently no less skilled. The term cracker was coined by Richard Stallman to provide an alternative to using the existing word hacker for this meaning.[1] The somewhat similar activity of defeating copy prevention devices in software, which may or may not be legal under a country's laws, is software cracking. Use of the term "cracker" is mostly limited (as is "black hat") to some areas of the computer and security field, and even there it is considered controversial. Until the 1980s, all people with a high level of computing skill were known as "hackers".

PHREAKER: Phreaking is a slang term coined to describe the activity of a culture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. As telephone networks have become computerized, phreaking has become closely linked with computer hacking. This is sometimes called the H/P culture (with H standing for hacking and P standing for phreaking). The term phreak is a portmanteau of the words phone and freak, and may also refer to the use of various audio frequencies to manipulate a phone system. Phreak, phreaker or phone phreak are names used for and by individuals who participate in phreaking. A large percentage of the phone phreaks were blind; because identities were usually masked, an exact percentage cannot be calculated.

SCRIPT KIDDIES A script kiddie or skiddie, occasionally skid, script bunny, script kitty, script-running juvenile (SRJ) or similar, is a derogatory term used to describe those who use scripts or programs developed by others to attack computer systems and networks and deface websites.


HACKTIVISTS: Hacktivism (a portmanteau of hack and activism) is the use of computers and computer networks as a means of protest to promote political ends. The term was first coined in 1998 by a member of the Cult of the Dead Cow hacker collective named Omega. If hacking as "illegally breaking into computers" is assumed, then hacktivism could be defined as "the nonviolent use of legal and/or illegal digital tools in pursuit of political ends". These tools include web site defacements, redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins, typosquatting and virtual sabotage. If hacking as "clever computer usage/programming" is assumed, then hacktivism could be understood as the writing of code to promote political ideology: promoting expressive politics, free speech, human rights and information ethics through software development. Acts of hacktivism are carried out in the belief that proper use of code will be able to produce results similar to those produced by regular activism or civil disobedience.

MALICIOUS HACKER STRATEGIES


Just as there are steps to developing any software, every hacker follows some predefined steps to break into a system. They are:

- Reconnaissance: basic information gathering about the target.
- Scanning: scanning the target system for open ports, the services running on those ports, and so on.
- Gaining Access: gaining actual access to the particular system by exploiting it.
- Maintaining Access: keeping access to the system even after leaving it (for example by installing a backdoor), so as not to have to perform all the steps from scratch.
- Clearing Tracks: removing any footprints (logs, uploaded tools) so as to remain undetected by the victim.

1.2. INFORMATION GATHERING


Information gathering is the initial step as far as hacking and investigation are concerned. It is the process of profiling any organisation, system, server or individual using a defined methodology. Information gathering is used by the attacker as well as the investigator to get more information about the target.


ATTACKERS POINT OF VIEW:


The attacker will first gather initial information such as domain names, IP addresses, network IP ranges, operating systems, services, control-panel information and vulnerable services before attacking the system. Footprinting is required to ensure that isolated information repositories that are critical to the attack are not overlooked or left undiscovered. Footprinting comprises only one aspect of the entire information-gathering process, but is considered one of the most important stages of a mature hack. An attacker will spend roughly 90% of the time on information gathering and only 10% on attacking and gaining access to the system.

INVESTIGATION POINT OF VIEW:


The investigator will gather initial information such as the criminal's traces on the Internet, name, occupation, address, contact number and company/organization before taking any legal action. This helps the investigator to profile the criminal and his/her activities properly during interrogation. The following are the various methodologies for information gathering.

INFORMATION GATHERING USING SEARCH ENGINES

"One leaves footprints/information everywhere while surfing the Internet." This is the basic principle for investigators as well as hackers; the only difference is the way they use this information. The attacker gathers information about the system, the operating system and the vulnerable applications running on it, and later exploits them. The investigator gathers information on how the attacker got access to the system and where he/she left footprints behind on that system, and later traces them. Search engines are the most powerful tool for searching for any individual, organisation or system. The following are some of the major search engines:

Yahoo Search: www.search.yahoo.com
MSN Live Search: www.live.com
AOL Search: www.search.aol.in
Ask Search: www.ask.com
Altavista Search: www.altavista.com
Fast Search: www.alltheweb.com
Gigablast: www.gigablast.com
Snap Search: www.snap.com

INFORMATION GATHERING USING RELATIONAL SEARCH ENGINES


These search engines get results from several other search engines and draw relations or connections between those results. Examples include Kartoo and Maltego.

Maltego: With the continued growth of your organization, the people and hardware deployed to ensure that it remains in working order are essential, yet the threat picture of your environment is not always clear or complete. In fact, most often it is not what we know that is harmful, it is what we don't know that causes the most damage. This being stated, how do you develop a clear profile of what the current deployment of your infrastructure resembles? What are the cutting-edge tool platforms designed to offer the granularity essential to understanding the complexity of your network, both physical and resource based? Maltego is a platform developed to deliver a clear threat picture of the environment that an organization owns and operates. Maltego's particular advantage is to demonstrate the complexity and severity of single points of failure as well as the trust relationships that currently exist within the scope of your infrastructure.

Yahoo People Search - www.people.yahoo.com


Intelius:

Whois Lookup:

Querying regional Internet Registries:
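The two lookups above (Whois Lookup and Querying regional Internet Registries) can be scripted. The following is an added example, not code from the original page: a small Python WHOIS client that speaks the TCP/43 protocol, parses the reply into the fields an attacker or investigator cares about (net range, organisation, abuse contact), and follows an ARIN-style "ReferralServer:" line to the registry that actually holds the record. The server names are the real RIR hosts; the two sample replies, the 192.0.2.0/24 data and fake_fetch are constructed so the parsing runs offline, and the INTERESTING key list is an assumption about which fields matter.

```python
import re
import socket

# Added example, not from the page: WHOIS over TCP/43, reply parsing and
# referral following. The two replies at the bottom are constructed samples.

WHOIS_PORT = 43

# Keys worth keeping from an IP-address record, in both the ARIN style
# ("NetRange:", "OrgName:") and the RIPE/APNIC style ("inetnum:", "netname:").
INTERESTING = {
    "netrange", "cidr", "inetnum", "netname", "orgname", "org-name", "descr",
    "country", "orgabuseemail", "abuse-mailbox", "referralserver", "whois",
}

def whois_query(query: str, server: str = "whois.arin.net", timeout: float = 10.0) -> str:
    """One raw WHOIS exchange: send the query plus CRLF, read until the server closes."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into a dict, skipping comment lines ('#', '%').
    Repeated keys (several 'descr:' lines) are joined with '; ' so nothing is lost."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "%")):
            continue
        m = re.match(r"^([A-Za-z][\w -]*?):\s*(.*)$", line)
        if not m:
            continue
        key = m.group(1).strip().lower().replace(" ", "")
        if key in INTERESTING:
            val = m.group(2).strip()
            out[key] = out[key] + "; " + val if key in out else val
    return out

def referral_server(record: dict):
    """Host to ask next if this registry does not hold the record. ARIN writes
    'ReferralServer: whois://whois.ripe.net'; IANA writes 'whois: host'."""
    ref = record.get("referralserver") or record.get("whois")
    if not ref:
        return None
    host = re.sub(r"^r?whois://", "", ref.split()[0])
    return host.split(":")[0] or None

def lookup_ip(ip: str, fetch=whois_query, start: str = "whois.arin.net", max_hops: int = 3) -> dict:
    """Start at ARIN and follow referrals (at most max_hops) to the owning RIR.
    'fetch' is injectable so the logic can run without network access."""
    server, record = start, {}
    for _ in range(max_hops):
        record = parse_whois(fetch(ip, server))
        record["_server"] = server
        nxt = referral_server(record)
        if not nxt or nxt == server:
            break
        server = nxt
    return record

# Constructed sample replies (not real registry data) for offline use.
ARIN_SAMPLE = """\
# ARIN WHOIS data and services are subject to the Terms of Use
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
OrgName:        Example Network Operations
Country:        US
OrgAbuseEmail:  abuse@example.net
ReferralServer: whois://whois.ripe.net
"""

RIPE_SAMPLE = """\
% This is the RIPE Database query service.
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example Network Operations
descr:          Documentation prefix
country:        NL
abuse-mailbox:  abuse@example.net
"""

def fake_fetch(query: str, server: str) -> str:
    """Stand-in for whois_query that serves the constructed samples."""
    return {"whois.arin.net": ARIN_SAMPLE, "whois.ripe.net": RIPE_SAMPLE}[server]

if __name__ == "__main__":
    print(lookup_ip("192.0.2.10", fetch=fake_fetch))   # offline demo
```

With a live connection, lookup_ip("203.0.113.5") would use whois_query instead of fake_fetch; the abuse contact it returns is the address an investigator writes to, and the net range is what an attacker feeds into the scanning phase.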


Domain tools :

samspade.org:

.In registry


Reverse IP Mapping: Reverse IP mapping is the method of finding the number of websites hosted on the same server. By selecting the Reverse IP link we get the list of websites hosted on a given IP address. On a shared host this matters because a vulnerability in any one of the co-hosted sites may give access to the server that runs all of them.

Trace Route: Traceroute gives useful information regarding the number of hops (routers) between your computer and the remote computer. 1) Useful for investigation as well as for different attacks. 2) Tools: VisualRoute, NeoTrace.

Geowhere: finds websites using popular newsgroups, also finds mailing lists and newsgroups, and extracts information from 20 search engines.


Email Spiders: Email spiders are automated programs that harvest email addresses by crawling web pages and store them in a database. Spammers use email spiders to collect thousands of addresses for spamming; for an attacker the same harvest provides the target list for a phishing campaign, which is why publicly listed addresses are part of an organisation's footprint.

Other Tools: www.visualroute.visualware.com www.samspade.org www.dnsstuff.com


1.3 SCANNING
Years ago ports were probed by hand, by opening a telnet connection to each one. Today people use more sophisticated programs that scan whole IP ranges for large numbers of ports. Scanning is the process of finding open/closed ports and vulnerabilities in remote systems, servers and networks; scanning reveals IP addresses, operating systems and the services running on the remote computer. There are three types of scanning.

PORT SCANNING: Port scanning is one of the most popular techniques attackers use to discover the services they can break into. 1) All machines connected to a LAN or to the Internet via a modem run many services that listen on well-known and not-so-well-known ports. 2) Port numbers range from 0 to 65535. 3) By scanning, the attacker finds which ports are open, i.e. have a listening service.

PORTS: THE PORT NUMBERS ARE UNIQUE ONLY WITHIN A COMPUTER SYSTEM. 1) Port numbers are 16-bit unsigned numbers. 2) The port numbers are divided into three ranges: *Well Known Ports (0-1023) *The Registered Ports (1024-49151) *The Dynamic and/or Private Ports (49152-65535)

WELL KNOWN PORTS:

echo        7/tcp     Echo
ftp-data    20/tcp    File Transfer [Default Data]
ftp         21/tcp    File Transfer [Control]
ssh         22/tcp    SSH Remote Login Protocol
telnet      23/tcp    Telnet
smtp        25/tcp    Simple Mail Transfer Protocol
domain      53/udp    Domain Name Service (also 53/tcp)
www-http    80/tcp    World Wide Web HTTP

REGISTERED PORTS:

wins        1512/tcp        Microsoft Windows Internet Name Service
radius      1812/udp        RADIUS authentication protocol
yahoo       5010/tcp        Yahoo Messenger
x11         6000-6063/tcp   X Window System

TCP PACKET HEADER

The flags in the TCP header that scanners care about:
SYN (Synchronize): used to initiate a connection between hosts.
ACK (Acknowledgment): acknowledges received data; together with SYN it completes the connection setup.
PSH (Push): tells the receiving system to deliver all buffered data to the application immediately.
URG (Urgent): states that the data in the packet should be processed immediately.
FIN (Finish): tells the remote system that there will be no more transmission.
RST (Reset): aborts the connection; a closed port answers a SYN with RST.
TTL (Time to Live): the hop limit of the packet; note that this field lives in the IP header, not the TCP header.


TCP CONNECT() SCAN: 1. The connect() system call provided by the OS is used to open a full connection to every interesting port on the machine. 2. If the port is listening, connect() succeeds; otherwise the connection is refused (the port is closed) or times out (the port is filtered). Because the three-way handshake completes, the connection is usually logged by the target.

STEALTH SCAN: 1. A stealth scan is a kind of scan designed to go undetected by auditing tools. 2. Fragmented scan: the scanner splits the TCP header across several IP fragments. 3. This bypasses some packet-filter firewalls because they cannot see a complete TCP header to match against their filter rules.

SYN SCAN: 1. This technique is called half-open scanning because the TCP connection is never completed. 2. A SYN packet is sent to the remote system. 3. The target host responds with SYN+ACK if the port is listening and with RST if it is not; the scanner then sends an RST instead of the final ACK, so no full connection is established and many hosts do not log the probe.


1.4 VIRUS, WORMS, TROJANS AND VIRUS ANALYSIS

SPYWARE: Spyware is a piece of software that gets installed on a computer without the user's consent. It collects personal information without the user being aware of it, changes how the computer or web browser is configured, and bombards the user with online advertisements. Spyware programs are notorious for being difficult to remove and for slowing down the PC. The program gets installed in the background while the user is doing something else on the Internet. Spyware has become fairly widespread because a cable modem or DSL connection is always connected.

DIFFERENCE BETWEEN VIRUSES, WORMS AND TROJANS: A virus is a program that self-replicates by injecting its code into other files; it spreads by infecting specific targets, normally executables, and needs a host file to run. A worm copies itself over the network: its infection targets are other computers rather than other executable files on the already-infected machine, so it spreads on its own. A Trojan is a program that, once executed, performs a task other than the one the user expected.

MODE OF TRANSMISSION:
- IRC
- ICQ
- Email attachments
- Physical access
- Browser and email software bugs
- Advertisements
- NetBIOS
- Fake programs

VIRUS PROPERTIES: Your computer can be infected even if files are just copied. A virus can be polymorphic. It can be memory-resident or non-memory-resident. It can be a stealth virus. Viruses can carry other viruses. A virus can make the system show no outward signs. A virus can stay on the computer even if the disk is formatted.

VIRUS OPERATION PHASES: Most viruses operate in two phases.

INFECTION PHASE: In this phase the virus developer decides when to infect a program and which programs to infect. Some viruses infect the computer as soon as the virus file is installed; some infect the computer at a specific date or time, or on a particular event. TSR viruses load themselves into memory and infect other programs later.

ATTACK PHASE: In this phase the virus will delete files, replicate itself to other PCs, or corrupt only its chosen targets.


VIRUS INDICATIONS: Following are some common indications of a virus infecting a system. Files have stranger names than normal. File extensions can also be changed. Programs take longer to load than normal. The computer's hard drive constantly runs out of free space. The victim is not able to open some programs. Programs get corrupted without any reason.

VIRUS TYPES: Following are some common types of virus.
Macro virus - spreads via and infects documents that carry macros (word-processor and spreadsheet files).
File virus - infects executables.
Source code virus - affects and damages source code.
Network virus - spreads via network elements and protocols.
Boot virus - infects boot sectors and boot records.
Shell virus - virus code forms a shell around the target host's genuine program and hosts it as a subroutine.
Terminate-and-stay-resident virus - remains permanently in memory during the work session, even after the target host has executed and terminated.


METHODS TO AVOID DETECTION

SAME LAST-MODIFIED DATE
- In order to avoid detection by users, some viruses employ different kinds of deception.
- Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus.
- This approach sometimes fools anti-virus software.

OVERWRITING UNUSED AREAS OF .EXE FILES

KILLING TASKS OF ANTI-VIRUS SOFTWARE
- Some viruses try to avoid detection by killing the tasks associated with anti-virus software before it can detect them.

AVOIDING BAIT FILES AND OTHER UNDESIRABLE HOSTS
- Bait files (goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus.
- Many anti-virus programs perform an integrity check of their own code.
- Infecting such programs will therefore increase the likelihood that the virus is detected.
- Anti-virus professionals can use bait files to take a sample of a virus.

MAKING A STEALTH VIRUS
- Some viruses try to trick anti-virus software by intercepting its requests to the operating system.
- The virus can then return an uninfected version of the file to the anti-virus software, so that the file seems "clean."

SELF-MODIFICATION ON EACH INFECTION
- Some viruses try to trick anti-virus software by modifying themselves on each infection.
- As the file signatures change, anti-virus software finds it difficult to detect them.

ENCRYPTION WITH A VARIABLE KEY
- Some viruses use simple methods to encipher their code.
- The virus is encrypted with a different encryption key on each infection.
- The AV cannot scan such files directly using conventional signature methods; what stays constant is the decryptor stub, which must remain in clear so the body can be recovered at run time.
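An added example (not code from the page, and not real malware) of the last two evasion methods and of what a scanner does about them. The "virus body", decryptor stub and signature are constructed byte strings. infect() re-encrypts the body with a fresh random XOR key each time, so a plain byte signature on the body fails; stub_scan matches the constant decryptor instead, emulate_and_scan does what the decryptor does and scans the result, and xray_scan recovers a short XOR key from the ciphertext alone, the way early scanners handled simple encryptors. The toy cipher and blob layout are assumptions of this example.

```python
import os

# Added example, not from the page: a toy variable-key encrypted "virus body"
# and three detection approaches. BODY, STUB and SIGNATURE are constructed.

BODY = b"constructed-body: find_hosts(); replicate(); run_payload(); return"
SIGNATURE = b"replicate(); run_payload()"    # what a naive byte-signature matches on
STUB = b"\xEB\x0E[toy-xor-decryptor]"        # the decryptor that must stay in clear

def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def infect(body: bytes = BODY, key_len: int = 4) -> bytes:
    """One 'infection': stub || key_len || key || xor(body, key), with a fresh
    random key each time so the encrypted body never looks the same twice."""
    key = os.urandom(key_len)
    return STUB + bytes([key_len]) + key + xor(body, key)

def split_blob(blob: bytes) -> tuple:
    """Parse an infected blob back into (key, encrypted_body)."""
    if not blob.startswith(STUB):
        raise ValueError("no stub")
    key_len = blob[len(STUB)]
    start = len(STUB) + 1
    return blob[start:start + key_len], blob[start + key_len:]

def naive_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain signature match on the raw bytes: defeated by the variable key."""
    return signature in blob

def stub_scan(blob: bytes, stub: bytes = STUB) -> bool:
    """Match the constant decryptor instead: the part the virus cannot encrypt."""
    return stub in blob

def emulate_and_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Do what the decryptor would do (here: parse key, XOR) and scan the result.
    This is the generic-decryption approach: run the stub, then look at the body."""
    try:
        key, enc = split_blob(blob)
    except (ValueError, IndexError):
        return False
    return signature in xor(enc, key)

def xray_scan(blob: bytes, signature: bytes = SIGNATURE, max_key_len: int = 4) -> bool:
    """'X-ray' scanning without understanding the stub at all: assume a short
    repeating XOR key; at every offset derive the key that would turn the first
    key_len cipher bytes into the signature, then check the whole window."""
    n, m = len(blob), len(signature)
    for start in range(n - m + 1):
        window = blob[start:start + m]
        for klen in range(1, min(max_key_len, m) + 1):
            key = bytes(window[j] ^ signature[j] for j in range(klen))
            if xor(window, key) == signature:
                return True
    return False

def bodies_differ(a: bytes, b: bytes) -> bool:
    """Two infections of the same body: do the encrypted parts differ?"""
    return split_blob(a)[1] != split_blob(b)[1]

if __name__ == "__main__":
    sample = infect()
    print("naive:", naive_scan(sample), "stub:", stub_scan(sample),
          "emulate:", emulate_and_scan(sample), "x-ray:", xray_scan(sample))
```

The stub match is the cheapest check but fails as soon as the author also mutates the decryptor (the self-modification method above); emulation and x-ray scanning survive that, which is why modern engines run suspicious code in an emulator before matching signatures.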


VIRUS ANALYSIS

IDA PRO TOOL
- It is a disassembler and debugger.
- Runs on both Linux and Windows.
- Can be used in source code analysis, vulnerability research and reverse engineering.

AUTORUNS

PROCESS EXPLORER


2. WEB APPLICATION HACKING & SECURITY


Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions to the security policy of an application or the underlying system (vulnerabilities) arising from flaws in the design, development, deployment, upgrade or maintenance of the application. The Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC) publish updates on the latest threats that impair web-based applications. This helps developers, security testers and architects to focus on better design and mitigation strategies. The OWASP Top 10 has become an industry norm for assessing web applications.

2.1. WHY WEB APPLICATION SECURITY?


Application layer: the attacker sends attacks inside valid HTTP requests. Your custom code is tricked into doing something it should not. Security here requires software development expertise, not signatures.

Network layer: firewalls, hardening, patching, IDS and SSL cannot detect or stop attacks carried inside HTTP requests. Security at this layer relies on signature databases.

2.2. SECURITY MISCONCEPTIONS

"The firewall protects my web server and database"
- Access to the server through ports 80 and 443 makes the web server part of your external perimeter defence.
- Vulnerabilities in the web server software or web applications may allow access to internal network resources.

"The IDS protects my web server and database"
- The IDS is configured to detect signatures of various well-known attacks.
- Attack signatures do not include those for attacks against custom applications.

"SSL secures my site"
- SSL secures the transport of data between the web server and the user's browser.
- SSL does not protect against attacks on the server and the applications.
- SSL is the hacker's best friend because of the false sense of security it gives; it also hides the attack traffic from any network IDS that cannot decrypt it.

The Source of the Problem: "Malicious hackers don't create security holes; they simply exploit them. Security holes and vulnerabilities - the real root cause of the problem - are the result of bad software design and implementation." - John Viega & Gary McGraw.

2.3 REASONS FOR ATTACKING WEB APPLICATIONS



2.4. SECURITY GUIDELINES

- Validate Input and Output.
- Fail Securely (Closed).
- Keep it Simple.
- Use and Reuse Trusted Components.
- Defence in Depth.
- Only as Secure as the Weakest Link.
- Security by Obscurity Won't Work.
- Least Privilege.
- Compartmentalization (Separation of Privileges).

Validate Input and Output. All user input and all output should be checked to ensure it is both appropriate and expected. Allow only explicitly defined characteristics (an allow-list) and drop all other data; do not try to "clean up" bad input.

Fail Securely. When the system fails, it fails closed. It should fail to a state that rejects all subsequent security requests. A good analogy is a firewall: if it fails, it should drop all subsequent packets.

Keep it Simple. If a security system is too complex for its user base, it will either not be used or users will try to find measures to bypass it. This applies equally to tasks that an administrator must perform in order to secure an application, and to the security-layer APIs that application developers must use to build the system.

Use and Reuse Trusted Components. Using and reusing trusted components makes sense both from a resource stance and from a security stance. When someone else has proven they got it right, take advantage of it.

Defence in Depth. Relying on one component to perform its function 100% of the time is unrealistic. While we hope to build software and hardware that works as planned, predicting the unexpected is difficult. Good systems don't predict the unexpected, but plan for it.

Only as Secure as the Weakest Link. Careful thought must be given to what one is securing. Attackers are lazy and will find the weakest point and attempt to exploit it.

Security by Obscurity Won't Work. It's naive to think that hiding things from prying eyes doesn't buy some amount of time. But this strategy doesn't work in the long term and has no guarantee of working in the short term.

Least Privilege. Systems should be designed in such a way that they run with the least amount of system privilege they need to do their job.

Compartmentalization (Separation of Privileges). Compartmentalization is an important concept widely adopted in the information security realm. Compartmentalizing users, processes and data helps contain problems if they do occur.
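The guidelines above are easier to judge in code. The following is an added example, not from the page: "validate input and output", "fail securely" and "least privilege" applied to one request handler in Python. The username rule, the roles, the permission table and the request flow are invented for illustration; is_allowed_open is the anti-pattern (a deny-list that fails open) placed next to the fail-closed allow-list check that should be used instead.

```python
import html
import re

# Added example, not from the page: allow-list validation, output encoding,
# and a fail-open vs fail-closed authorisation check. Roles and rules are invented.

# Allow-list: say what IS acceptable; everything else is rejected, not "cleaned".
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

def is_valid_username(raw) -> bool:
    return isinstance(raw, str) and USERNAME_RE.fullmatch(raw) is not None

def validate_username(raw) -> str:
    """Return the value only if it matches the allow-list; otherwise refuse."""
    if not is_valid_username(raw):
        raise ValueError("invalid username")
    return raw

def render_greeting(name: str) -> str:
    """Output encoding: anything that reaches HTML is escaped for that context,
    even though it was validated on the way in (defence in depth)."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"

# Least privilege: each role gets exactly the actions it needs and nothing else.
PERMISSIONS = {
    "reader": {"read"},
    "editor": {"read", "write"},
    "admin":  {"read", "write", "delete"},
}

def is_allowed_open(role, action) -> bool:
    """Deny-list check that FAILS OPEN (anti-pattern): anything not explicitly
    denied is allowed, so an unknown role, or an action nobody listed, slips through."""
    denied = {"reader": {"write", "delete"}, "editor": {"delete"}}
    return action not in denied.get(role, set())

def is_allowed_closed(role, action) -> bool:
    """Allow-list check that fails closed: a known role with the action in its set
    passes; an unknown role, an unknown action or any error means 'no'."""
    try:
        return action in PERMISSIONS[role]
    except (KeyError, TypeError):
        return False

def handle_request(raw_name, role, action) -> tuple:
    """The rules together for one request: validate input, authorise with the
    fail-closed check, encode output. Any failure yields a refusal, never a
    partial result or a stack trace."""
    try:
        name = validate_username(raw_name)
    except ValueError:
        return 400, "<p>Bad request</p>"
    if not is_allowed_closed(role, action):
        return 403, "<p>Forbidden</p>"
    return 200, render_greeting(name)

if __name__ == "__main__":
    print(handle_request("bob", "reader", "read"))
    print(handle_request("<script>alert(1)</script>", "reader", "read"))
    print("fails open:", is_allowed_open("intern", "delete"),
          "fails closed:", is_allowed_closed("intern", "delete"))
```

The difference between the two authorisation functions shows up only on input nobody planned for (a role that does not exist yet, a new action added later): the deny-list silently grants it, the allow-list silently refuses it, and refusing is the state the "fail securely" rule asks for.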

WEB APPLICATIONS SECURITY CHECKLIST

3. WIRELESS HACKING & SECURITY


Wireless networking technology is becoming increasingly popular but at the same time has introduced many security issues. The popularity of wireless technology is driven by two primary factors: convenience and cost. A wireless local area network (WLAN) allows workers to access digital resources without being locked into their desks. Laptops can be carried into meetings or even into a Starbucks cafe and still tap into the network. This convenience has become affordable. Wireless LAN standards are defined by the IEEE's 802.11 working group. WLANs come in three flavours:

802.11b: operates in the 2.4000-2.4835 GHz frequency range and can operate at up to 11 megabits per second.

802.11a: operates in the 5.15-5.35 GHz frequency range and can operate at up to 54 megabits per second.

802.11g: operates in the 2.4 GHz frequency range (increased bandwidth) and can operate at up to 54 megabits per second.

When setting up a WLAN, the channel and service set identifier (SSID) must be configured in addition to traditional network settings such as IP address and subnet mask. The channel is a number between 1 and 11 (1 and 13 in Europe) and designates the frequency on which the network will operate. The SSID is an alphanumeric string that differentiates networks operating on the same channel. It is essentially a configurable name that identifies an individual network. These settings are important factors when identifying WLANs and sniffing traffic.

SSIDs: The SSID is an identifier that wireless networking devices use to establish and maintain wireless connectivity. The SSID behaves like a single shared name between access points and clients, but it is not a secret: it is transmitted in clear in beacons and probe responses, so it must never be relied on as a password. Security concerns arise when the default values are not changed, as such units can be easily identified and compromised. ATTACKER'S POINT OF VIEW: If the target access point responds to a broadcast SSID probe, the attacker might just be in luck. This is because most wireless card drivers are configured with an SSID of ANY so that they will be able to associate with any wireless network. When the SSID is set to ANY the driver sends a probe request to the broadcast address with a zero-length SSID. Though this configuration makes it easier for the user, as the user does not have to remember the SSID to connect to the wireless LAN, it makes it much simpler for attackers to gather SSIDs. Some common default SSIDs and settings are listed below.

3Com AirConnect 2.4 GHz DS (newer 11 Mbit, Harris/Intersil Prism based)

Default SSID: 'comcomcom'


3Com other Access points

default SSID: '3Com'

Addtron (Model:?)

default SSID:'WLAN'

Cisco Aironet 900 MHz/2.4 GHz BR10000/e, BR5200/e and BR4800

Default SSID : 'tsunami';'2'

Console Port :No default password

HTTP management :On by default, No default Password

APPLE AIRPORT

Default SSID :'AirPort Network '; ' AirPort Netzwerk'

Baystack 650/660 802.11 DS AP

Default SSID :'Default SSID'

Default admin pass:<none>



Default channel :1

MAC addr : 00:20:d8:XX:XX:XX

Compaq WL -100/200/300/400

Default SSID :'Compaq'

Dlink DL-713 802.11 DS Access Point

Default SSID :'WLAN'

Default Channel :11

Default IP address :DHCP-administered

3.1. WIRELESS STANDARDS


Different methods and standards of wireless communication have developed across the world, based on various commercially driven requirements. These technologies can roughly be classified into four individual categories, based on their specific application and transmission range. These categories are summarized in the figure below.


3.2. WEP & WPA SUMMARY


WEP Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard ratified in September 1999, its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP, recognizable by the key of 10 or 26 hexadecimal digits, is widely in use and is often the first security choice presented to users by router configuration tools. Although its name implies that it is as secure as a wired connection, WEP has been demonstrated to have numerous flaws and has been deprecated in favor of newer standards such as WPA2. In 2003 the Wi-Fi Alliance announced that WEP had been superseded by Wi-Fi Protected Access (WPA). In 2004, with the ratification of the full 802.11i standard (i.e. WPA2), the IEEE declared that both WEP-40 and WEP-104 "have been deprecated as they fail to meet their security goals".

WPA and WPA2: Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined them in response to serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy). WPA (sometimes referred to as the draft IEEE 802.11i standard) became available in 2003 and was intended as an intermediate measure in anticipation of the availability of the more secure and complex WPA2. WPA2 became available in 2004 and is a common shorthand for the full IEEE 802.11i (IEEE 802.11i-2004) standard.

A flaw in a feature added to Wi-Fi, called Wi-Fi Protected Setup (WPS), allows WPA and WPA2 security to be bypassed and effectively broken in many situations; disable WPS where it is not needed. HACKING TOOL: Netstumbler: http://netstumbler.org

3.3. CRACKING WEP & WPA & COUNTERMEASURES


What is aircrack ? aircrack is a set of tools for auditing wireless networks:

airodump: 802.11 packet capture program
aireplay: 802.11 packet injection program
aircrack: static WEP and WPA-PSK key cracker
airdecap: decrypts WEP/WPA capture files

This document has been translated in Spanish (thanks to ShaKarO). Is there an aircrack discussion forum ? Sure: http://100h.org/forums/. Also, check out #aircrack on irc.freenode.net Where to download aircrack ? The official download location is http://www.cr0.net:8040/code/network/. However, if you can't access port 8040 for some reason, you may use this mirror instead:http://100h.org/wlan/aircrack/. Aircrack is included in the Troppix LiveCD, which features { Prism2 / PrismGT / Realtek / Atheros / Ralink } drivers patched for packet injection, as well as the acx100, ipw2200 (Centrino) and zd1211 drivers. It says "cygwin1.dll not found" when I start aircrack.exe. You can download this library from: http://100h.org/wlan/aircrack/. To use aircrack, drag&drop your .cap or .ivs capture file(s) over aircrack.exe. If you want to pass options to the program you'll have to start a shell (cmd.exe) and manually type the command line; there is also a GUI for aircrack, developed by hexanium. Example: C:\TEMP> aircrack.exe -n 64 -f 8 out1.cap out2.cap ... See below for a list of options.

How do I crack a static WEP key?
The basic idea is to capture as much encrypted traffic as possible using airodump. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run aircrack on the resulting capture file. aircrack will then perform a set of statistical attacks developed by a talented hacker named KoreK.

How do I know my WEP key is correct?
There are two authentication modes for WEP:

Open-System Authentication: this is the default mode. All clients are accepted by the AP, and the key is never checked: association is always granted. However, if your key is incorrect you won't be able to receive or send packets (because decryption will fail), so DHCP, ping etc. will time out.

Shared-Key Authentication: the client has to encrypt a challenge before association is granted by the AP. This mode is flawed and leads to keystream recovery, so it's never enabled by default.
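Why association says nothing about the key, while decryption does, follows from WEP's own integrity check: every data frame carries a CRC-32 ICV under the RC4 keystream, so a candidate key is confirmed only when a decrypted frame's ICV recomputes correctly, which is how a decryptor such as airdecap can tell a right key from a wrong one. The Python below is an added example, not code from the original document or from the aircrack suite; the 40-bit key, the IVs and the frame payloads are constructed for illustration, and the key-index byte is fixed at 0.

```python
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher as used by WEP; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XORed into data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as the AP sends it: IV(3) | key index(1) | RC4(IV||key, data||ICV)."""
    return iv + b"\x00" + rc4(iv + key, plaintext + icv(plaintext))

def wep_decrypt(key: bytes, body: bytes):
    """Return the plaintext if the ICV verifies under `key`, otherwise None."""
    iv, ciphertext = body[:3], body[4:]
    decrypted = rc4(iv + key, ciphertext)
    plaintext, tag = decrypted[:-4], decrypted[-4:]
    return plaintext if icv(plaintext) == tag else None

def key_verified(key: bytes, frames) -> bool:
    """Accept a candidate key only if every captured frame's ICV checks out."""
    return all(wep_decrypt(key, body) is not None for body in frames)

# Constructed sample data (not a real capture): a 40-bit WEP key and two data frames.
REAL_KEY = bytes.fromhex("0102030405")
WRONG_KEY = bytes.fromhex("0102030406")
IVS = [b"\x01\x02\x03", b"\x04\x05\x06"]
PAYLOADS = [b"\xaa\xaa\x03\x00\x00\x00\x08\x00constructed IP packet 1",
            b"\xaa\xaa\x03\x00\x00\x00\x08\x00constructed IP packet 2"]
CAPTURE = [wep_encrypt(REAL_KEY, iv, p) for iv, p in zip(IVS, PAYLOADS)]

if __name__ == "__main__":
    print("real key verifies:", key_verified(REAL_KEY, CAPTURE))    # True
    print("wrong key verifies:", key_verified(WRONG_KEY, CAPTURE))  # False
```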

In summary, just because you seem to have successfully connected to the access point doesn't mean your WEP key is correct! To check your WEP key, try to decrypt a capture file with the airdecap program.

Countermeasures

First, always use a complex pass phrase. Include upper case and lower case letters, numbers and special characters in the pass phrase. Next, the pass phrase should be as long as possible. Using the full 63-character space for WPA is best; however, if you must keep it simple, make sure it is at least 12 characters. Enable MAC address filtering and statically assign IP addresses to MAC addresses if your network (like most) uses DHCP to dynamically assign IP addresses. In addition, configure the DHCP scope to include only IP addresses statically assigned to a network host. Employ IEEE 802.1x and/or directory server authentication in addition to a wireless encryption protocol. Wireless network clients would be required to associate with a wireless AP and then authenticate with the directory servers before access is granted. Remember that each security measure takes time for would-be hackers to crack. If it takes too long, they will move on to the next target.
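The pass phrase advice above matters because WPA-PSK maps the pass phrase and the SSID deterministically to the 256-bit pairwise master key (PBKDF2-HMAC-SHA1, 4096 rounds), so an offline guess costs exactly one derivation and only the pass phrase's length and character mix raise that cost; the SSID acts as the salt, so a default SSID lets precomputed tables be reused. The Python below is an added example, not code from the original document: it checks a pass phrase against the policy stated above (8 to 63 printable ASCII characters, at least 12, all four character classes) and performs the standard derivation; the thresholds are the text's, the sample pass phrases are constructed.

```python
import hashlib
import string

MIN_RECOMMENDED_LEN = 12   # the text's floor: "at least 12 characters"
MAX_WPA_LEN = 63           # WPA-PSK pass phrases are 8..63 printable ASCII characters
PBKDF2_ROUNDS = 4096       # fixed by IEEE 802.11i for the passphrase-to-PSK mapping

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def passphrase_issues(passphrase: str) -> list:
    """Return the policy violations for a WPA pass phrase; an empty list means it passes."""
    issues = []
    printable_ascii = all(0x20 <= ord(c) <= 0x7E for c in passphrase)
    if not (8 <= len(passphrase) <= MAX_WPA_LEN and printable_ascii):
        issues.append("not a valid WPA pass phrase (8-63 printable ASCII characters)")
    if len(passphrase) < MIN_RECOMMENDED_LEN:
        issues.append(f"shorter than {MIN_RECOMMENDED_LEN} characters")
    missing = [name for name, chars in CHARACTER_CLASSES.items() if not chars & set(passphrase)]
    if missing:
        issues.append("missing character classes: " + ", ".join(missing))
    return issues

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Pass phrase + SSID -> 256-bit PSK/PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    # The standard requires an ASCII pass phrase; a non-ASCII one raises here on purpose.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, 32)

if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3", "Correct-Horse-Battery-9!"]:  # constructed
        print(f"{candidate!r}: {passphrase_issues(candidate) or 'OK'}")
    # IEEE 802.11i-2004 Annex H test vector: pass phrase "password" on SSID "IEEE"
    print(wpa_psk("password", "IEEE").hex())
```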

4. CONCLUSION:

The word "hacker" carries weight. People strongly disagree as to what a hacker is. Hacking may be defined as legal or illegal, ethical or unethical. The media's portrayal of hacking has boosted one version of discourse. The conflict between discourses is important for our understanding of computer hacking subculture. Also, the outcome of the conflict may prove critical in deciding whether or not our society and institutions remain in the control of a small elite or we move towards a radical democracy (a.k.a. socialism). It is my hope that the hackers of the future will move beyond their limitations (through inclusion of women, a deeper politicization, and more concern for recruitment and teaching) and become hacktivists. They need to work with non-technologically based and technology-borrowing social movements (like most modern social movements that use technology to do their task more easily) in the struggle for global justice. Otherwise the non-technologically based social movements may face difficulty continuing to resist as their power base is eroded while that of the new technopower elite is growing and the fictionesque cyberpunk-1984 world may become real.

If you know the enemy and know yourself, you need not fear the results of a hundred battles.
HACKING - An ART of EXPLOITING.
