
Rameswara Reddy K.V
Essential Terminology
 Threat – An action or event that is a concern for security; a threat is a potential violation of security.
 Vulnerability – A weakness in the system that can be exploited to compromise it.
 Target of Evaluation – An IT system, product, or component that will be evaluated by a security professional.
Contd..
 Attack – Any action that attempts to violate, or does violate, security.
 Exploit – A defined way (code or procedure) to breach the security of an IT system through a vulnerability.
AIC Triad
 - is a model designed to guide policies for information security (IS)

 Confidentiality
 Integrity
 Availability
General Hacking Methods
 A typical attacker works in the following manner:
1. Identify the target system.
2. Gather information on the target system.
3. Find a possible loophole (vulnerability) in the target system.
4. Exploit this loophole using exploit code.
5. Remove all traces from the log files and escape without a trace.
Phases of EH
 Reconnaissance
 Scanning
 Gaining Access
 Maintaining Access
 Covering Tracks
Reconnaissance
- Collect information about the target
 Active – interacts with the target directly (DNS queries, pings, connections) and can therefore be logged
 Passive – uses public sources only (search engines, WHOIS, job postings, social media) and leaves no trace on the target
Scanning
 The attacker uses the details gathered during the 1st phase to identify specific vulnerabilities.
 Tools that a hacker may employ during the scanning phase can include
- War dialers (find modems answering on telephone lines)
- Port scanners
- Network mappers
- Ping sweepers
- Vulnerability scanners
PORT SCANNING: Introduction
Port Scanning means scanning the target system to get a list of open ports (i.e. ports listening for connections) and the services running on those open ports.
 Port Scanning is normally one of the first active steps that an attacker undertakes against a target.
 Is used to get a list of open ports; combined with banner grabbing and stack fingerprinting it also reveals the services and the operating system running on the target system.
 Can be performed easily by using different methods.
Contd..
Manual Port Scanning can be performed using the familiar 'Telnet' program, connecting to one port at a time and reading whatever banner the service sends.
It is often the first tell-tale sign that gives an attacker away to the system administrator, since connections to many ports in a short time stand out in logs and IDS alerts.
Port Scanning : TCP Connect Scanning
Port Scanner establishes a full 3-way TCP/IP handshake with every port it probes on the remote system (the ordinary connect() call, so no raw-socket privileges are needed).
The regular 3-way TCP/IP handshake has been depicted below:
1. Client---------SYN Packet------------- Host
2. Host-----------SYN/ACK Packet-------- Client
3. Client----------ACK Packet--------------- Host
 Accurate (a completed handshake proves a listener is present) and simple, but neither the fastest nor the stealthiest method: the full connection reaches the service and is normally logged, whereas a half-open SYN scan stops after the SYN/ACK and is both quicker and quieter.
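As an added example that is not part of the original slides, the connect scan described above, plus the manual banner grab mentioned earlier, written in Python. It starts its own listener on 127.0.0.1 as a constructed target (the SSH-style banner string is made up) so that it runs offline; to use it for real, point connect_scan at a host and port range you are authorised to test.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def connect_scan(host, ports, timeout=0.5, workers=32):
    """TCP connect scan: complete the full three-way handshake on each port.

    connect() returns only after the kernel has sent SYN, received SYN/ACK and
    sent ACK, so success proves a listener is present. A refused connection
    (RST in reply to the SYN) or a timeout is reported as not open.
    """
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except (ConnectionRefusedError, socket.timeout, OSError):
                return None
            return port                    # handshake completed: port is open

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def grab_banner(host, port, timeout=1.0):
    """Read whatever the service says first; many daemons (SSH, SMTP, FTP)
    announce themselves, which is how a scanner identifies the service."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""


def demo():
    """Self-contained run: a constructed listener on 127.0.0.1 plays the target."""
    banner = b"SSH-2.0-demo_banner\r\n"        # constructed banner, not a real service
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                 # port 0: let the OS pick a free port
    srv.listen(5)
    open_port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                         # listener closed, stop serving
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass                       # scanner closed without reading

    threading.Thread(target=serve, daemon=True).start()

    # A port we know is closed: bind to obtain a free number, then release it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    found = connect_scan("127.0.0.1", [open_port, closed_port])
    service = grab_banner("127.0.0.1", open_port)
    srv.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "found": found, "banner": service}


if __name__ == "__main__":
    print(demo())
```

Each completed handshake is a connection the target's service sees and logs, which is exactly why this scan is the easiest to detect; nmap -sT uses the same technique and nmap -sS the half-open variant.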
Port Scanning : Major Tools Available
Some of the best and most commonly used Port Scanners are:
 Nmap
 SuperScan
 Hping
Common Features of all the above Port Scanners:
 Very easy to use
 Display detailed results
The easy usability and the detailed reports generated by popular port scanners have led to an alarming increase in the number of script kiddies.
Port Scanning: Counter-Attack Strategies
Although it is impossible to stop clients from port scanning your network, it is advisable to take all possible measures against possible attackers: reduce what a scan can find (close or firewall every service that need not be reachable) and detect the scans that do happen. Some useful anti-port-scanning software available:
Scanlogd (a Unix-based port scan detector and logger)
BlackICE (a Windows-based port scan detector and logger)
Snort: a packet sniffer cum IDS.
Abacus PortSentry: capable of detecting both normal and stealth port scanning attempts.
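The detection these tools perform comes down to counting how many distinct ports one source touches in a short window. As an added example, not part of the original slides, here is that logic in Python run over constructed firewall log lines (the format is a simplified netfilter style and the addresses are from the documentation ranges):

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified netfilter-style line: timestamp, source, destination, protocol, dest port.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def constructed_log():
    """Constructed sample traffic (documentation addresses, not a real capture):
    one source sweeps 12 well-known ports on a host within 12 seconds, while a
    normal client makes repeated connections to port 443 only."""
    lines = []
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
    for sec, port in enumerate(scan_ports):
        lines.append(f"2024-05-01T10:00:{sec:02d} SRC=203.0.113.5 DST=192.0.2.10 "
                     f"PROTO=TCP DPT={port} FLAGS=SYN")
    for sec in range(6):
        lines.append(f"2024-05-01T10:00:{sec:02d} SRC=198.51.100.7 DST=192.0.2.10 "
                     f"PROTO=TCP DPT=443 FLAGS=SYN")
    lines.append("2024-05-01T10:00:05 kernel: unrelated log line that must be ignored")
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))


def detect_scans(lines, window_seconds=10, port_threshold=10):
    """Raise one alert per (src, dst) pair whose distinct destination ports within
    a sliding time window reach port_threshold. Scanners hit many ports quickly;
    legitimate clients hit a handful of ports repeatedly, which never trips this."""
    recent = defaultdict(deque)      # (src, dst) -> deque of (ts, dport), oldest first
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, src, dst, dport = event
        key = (src, dst)
        window = recent[key]
        window.append((ts, dport))
        # Drop events older than the window relative to the newest one.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct_ports = {p for _, p in window}
        if len(distinct_ports) >= port_threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": src,
                "dst": dst,
                "distinct_ports": len(distinct_ports),
                "first_seen": window[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(constructed_log()):
        print(alert)
```

Tune window_seconds and port_threshold to the network: a monitoring host that legitimately polls many ports needs an allow-list, and a slow scan (one port a minute) stays under any short window, which is the point of Nmap's slow timing templates.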
ICMP Scanning: An Introduction
 The Internet Control Message Protocol (ICMP) is the protocol used for reporting errors that might have occurred while transferring data packets over networks.
 Extremely useful in information gathering.
 Originally designed for network diagnosis and to find out what went wrong in the data communication.
ICMP Scanning: An Introduction
 Can be used to find out the following:

 Host Detection
 Operating System Information
 Network Topography Information
 Firewall Detection
ICMP Scanning: Host Detection Techniques
 The basic ICMP host detection technique is the 'ping' command or utility (ICMP Echo Request / Echo Reply).
 The 'ping' utility can be used to determine whether the remote host is alive or not.
 The ping command can be used by the attacker for the following purposes:
 Host detection purposes
 To clog up valuable network resources by sending an endless stream of ICMP 'Echo Request' messages (a ping flood)
 Firewall detection (a host that answers on TCP ports but never answers Echo Requests is probably behind a filter that drops ICMP)
Gaining Access
 Real hacking
- DoS (Denial of Service)
Denial of Service (DoS) Attacks
DoS attacks are aimed at denying valid, legitimate Internet and network users access to the services offered by the target system.
In other words, a DoS attack is one in which you exhaust some resource of the target system (bandwidth, CPU, memory, connection tables) so that it cannot serve legitimate users.
There are numerous types of Denial of Service attacks, or DoS attacks.
DOS Attacks: Ping of Death Attack
 The maximum size allowed for an IP datagram is 65,535 bytes (the 16-bit total length field).
 In the Ping of Death attack, a ping whose fragments reassemble to more than this maximum allowed by TCP/IP is sent to the target system.
 As soon as a vulnerable target system reassembles a packet exceeding the allowable size, the reassembly buffer overflows and it crashes, reboots or hangs.
 Historically this attack could be executed with the 'ping' command (Windows syntax shown) as follows:
ping -l 65540 hostname
 Operating systems have been patched against this since the late 1990s, and current ping utilities refuse payloads this large; it is shown for its historical value.
DOS Attacks: SMURF Attack
 In a Smurf attack, the attacker sends ICMP Echo Requests to the broadcast address of an intermediary network, with the source IP address spoofed to be the target's address.
 Every host on that network that answers broadcast pings replies to the target, so each request is amplified into many replies; flooded by the resulting Echo Replies, the target system slows to a crawl, crashes, restarts or hangs.
 The countermeasure is to refuse directed broadcasts at the router (and ignore broadcast pings on hosts) so that the network cannot be used as an amplifier.
Maintaining Access
 Attackers choose to remain undetected
- Remove evidence of their entry.
- Install a back door or a trojan to gain repeat access.
- Install rootkits at the kernel level to gain full administrator access to the target computer.
Covering Tracks
 Erase all evidence
Malicious attackers beget EH
 Ethical hackers use the same methods and techniques to test and bypass a system's defenses as their less-principled counterparts, but rather than taking advantage of any vulnerabilities found, they document them and provide actionable advice on how to fix them so the organization can improve its overall security.
 EH takes the malicious attacker's viewpoint in order to better secure systems.
 It is a part of an overall information risk management program that allows for ongoing security improvements.
EH vs Auditing
 A security audit is a systematic evaluation of the
security of a company's information system by
measuring how well it conforms to a set of established
criteria. A thorough audit typically assesses the
security of the system's physical configuration and
environment, software, information handling
processes, and user practices.
Contd..
 EH focuses on vulnerabilities that can actually be exploited.
 EH validates whether security controls exist and are effective, rather than whether they are documented.
 Less structured than an audit
 Integrate EH into the audit programme rather than treating the two as alternatives
Policy considerations
 Documented security testing policy
 Which systems are tested
 How often tested
 Security standards document– security testing tools –
specific dates
Compliance and Regulatory
concerns
 Own internal policies might dictate how management
views security testing
 Also need to consider the state, federal and global laws
and regulations that affect your business.
Understanding the need to hack your own system
 With the increasing number of hackers and their expanding knowledge ... Vulnerabilities
 Hacking preys on weak security practices and undisclosed vulnerabilities.
 Firewalls, encryption, and password safety are the usual defenses.
 These security systems often focus on high-level vulnerabilities such as basic access control.
 Attacking your own systems to discover vulnerabilities helps make them more secure.
Contd..
 Think like a hacker
 Anticipate all the possible vulnerabilities you will have in your system and business processes
 The more combinations you try, the more you will find
Overall goals as an ethical hacker
 Prioritize your systems so you can focus your efforts on what matters.
 Hack your systems in a non-destructive fashion
 Enumerate vulnerabilities and, if necessary, prove to management that vulnerabilities exist and can be exploited.
 Apply results to remove the vulnerabilities and better secure your systems.
Understanding the dangers your
system face
 Exploiting several vulnerabilities at the same time can
take its toll on a system.
UNIT - II
ATTACKS AND ETHICAL HACKING COMMANDMENTS
Attack
 Attack − An attack is an action performed against a system to gain access to it and extract sensitive data.
 Virus − A virus is a malicious program or piece of code that attaches itself to other programs or files, copies itself when they run, and typically has a detrimental effect, such as corrupting the system or destroying data.
 Worms − A worm is self-replicating malware that needs no host file: it resides in memory and spreads by itself across the network by exploiting vulnerable services on other hosts.
 Botnet – A network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g. to send spam.
 Trojan − A Trojan, or Trojan Horse, is a malicious program disguised to look like a valid program, making it difficult to distinguish from programs that are supposed to be there; it is designed to destroy files, alter information, or steal passwords or other information.
 Malware – short for malicious software, which is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. Much of the malware out there today is self-replicating: once it infects one host, from that host it seeks entry into other hosts over the Internet, and from the newly infected hosts it seeks entry into yet more hosts. In this manner, self-replicating malware can spread exponentially fast.
Non Ethical Attacks
 Social Engineering is the exploitation of the trusting nature of human beings to gain information for malicious purposes.
 Phishing attack - this type of attack uses social engineering techniques to steal confidential information; the most common purpose of such an attack is to capture the victim's banking account details and credentials. Phishing attacks tend to use schemes involving spoofed emails sent to users that lead them to malware-infected websites designed to look like real online banking websites.
 Social Phishing - in recent years phishing techniques have evolved to include social media like Facebook or Twitter; this type of phishing is often called Social Phishing.
 Spear Phishing Attack - this is a type of phishing attack targeted at specific individuals, groups of individuals or companies.
The recommendations to protect your company against Phishing and Spear Phishing include:
 Never open or download a file from an unsolicited email, even from someone you know (call or email the person through a channel you already trust to double check that it really came from them)
 Keep your operating system updated
 Use a reputable anti-virus program
 Enable two-factor authentication whenever available
 Confirm the authenticity of a website before entering login credentials: check the full domain name in the address bar rather than trusting logos or security trust marks, which a phishing page can copy
 Look for HTTPS in the address bar when you enter any sensitive personal information on a website, so your data is encrypted in transit; note that HTTPS only proves the connection is encrypted to whoever runs that domain, and phishing sites use HTTPS too
 Watering Hole Attack - a more complex, multi-stage relative of phishing. Instead of sending spoofed emails to end users to trick them into revealing confidential information, attackers compromise a legitimate website that the targeted group is known to visit and plant malware there, waiting for the victims to come to them.
 Whaling - a type of phishing attack specifically targeted at senior executives or other high-profile targets within a company.
 Vishing (Voice Phishing or VoIP Phishing) - use of social engineering techniques over the telephone system to gain confidential information from users. This phishing attack is often combined with caller ID spoofing, which masks the real source phone number and instead displays a number familiar to the victim or one known to belong to a real banking institution. Common vishing practice includes pre-recorded automated instructions requesting users to provide bank account or credit card information for "verification" over the phone.
Types of Attacks
 Network infrastructure attacks
 Operating system attack
 Application and other specialized attacks
Network Infrastructure
 Network infrastructure is the hardware and software
resources of an entire network that enable network
connectivity, communication, operations and
management of an enterprise network. It provides the
communication path and services between users,
processes, applications, services and external
networks/the internet.
Contd..
 The entire network infrastructure is interconnected, and can be used for
internal communications, external communications or both. A typical network
infrastructure includes:
 Networking Hardware:
 Routers
 Switches
 LAN cards
 Wireless routers
 Cables

Networking Software:
 Network operations and management
 Operating systems
 Firewall
 Network security applications

How to fix phishing
 You should enforce a good security policy in your organization and conduct the required training to make all employees aware of possible social engineering attacks and their consequences.
 Document shredding should be a mandatory activity in your company.
 Make doubly sure that any links you receive in email come from authentic sources and that they point to the correct websites (the visible link text and the actual destination can differ). Otherwise you might end up as a victim of phishing.
 Be professional and never share your ID and password with anybody else in any case.
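The advice above to check where links really go can be mechanised. As an added example, not part of the original slides, here is a Python check of the links in an HTML mail body for the common phishing tells: link text naming one domain while the href goes to another, raw IP hosts, the user@host trick, punycode hosts, and hosts outside an allow-list. The sample message and every host in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A domain name written in the link text, e.g. "https://www.examplebank.com/secure".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _same_site(a, b):
    """True when one host is the other or lies under it (www.x.com vs x.com)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def suspicious_links(html, trusted_domains):
    """Return the links in an HTML message that show classic phishing signals,
    with the reasons, so the mail can be quarantined or the user warned."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlparse(href)
        host = (parts.hostname or "").lower()
        if not host:
            continue                                   # mailto:, anchors, relative links
        reasons = []
        if IPV4.fullmatch(host):
            reasons.append("raw IP address instead of a host name")
        if "xn--" in host:
            reasons.append("punycode host (possible IDN homograph)")
        if "@" in parts.netloc:
            reasons.append("userinfo '@' trick: the browser ignores the part before '@'")
        m = DOMAIN_IN_TEXT.search(text)
        if m and not _same_site(host, m.group(1).lower()):
            reasons.append(f"link text shows {m.group(1)} but href goes to {host}")
        if not any(_same_site(host, d.lower()) for d in trusted_domains):
            reasons.append("host is outside the trusted domains")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed phishing-style message; none of these hosts are real.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://192.0.2.44/login">verify your account</a> today.</p>
<p>Or use <a href="https://examplebank.com.evil.example/secure">https://www.examplebank.com/secure</a></p>
<p>Need help? <a href="https://www.examplebank.com/help">Help centre</a></p>
<p><a href="https://www.examplebank.com@203.0.113.9/">Update your details</a></p>
<p><a href="https://xn--examplebank-demo.com/">examplebank.com</a></p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL, ["examplebank.com"]):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The allow-list check is what catches the lookalike domain (examplebank.com.evil.example) even when the text and href agree; the structural checks catch the rest without any list. A gateway would run this on the HTML part before delivery and rewrite or strip the flagged links.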
Network Infrastructure Attacks
 Hacker attacks against network infrastructures
- Connecting to network through an unsecured wireless
access point attached behind a firewall
- Exploiting weaknesses in network protocols, such as
TCP/IP and NetBIOS
- Flooding a network with too many requests, creating a
DoS for legitimate requests.
- Installing a network analyzer on a network segment
and capturing every packet that travels across it.
Network Attacks
 Port scanning - an attack type where the attacker sends requests to a range of ports on a targeted host in order to find out which ports are open, which allows them to exploit known vulnerabilities in the services behind those ports.
 Spoofing − Spoofing is a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with a source address indicating that the message is coming from a trusted host.
 IP Address spoofing - creating IP packets with a forged source IP address to impersonate a legitimate system. Because the replies go to the forged address, this kind of spoofing is mostly used in DoS attacks (e.g. the Smurf attack) rather than for interactive sessions.
 ARP spoofing (ARP Poisoning) - sending faked ARP messages on the local network. The purpose is to associate the attacker's MAC address with the IP address of another legitimate host (often the default gateway), causing traffic to be redirected to the attacker's host. This kind of spoofing is often used in man-in-the-middle attacks.
 DNS spoofing (DNS Cache Poisoning) - attack where wrong data is inserted into a DNS server's cache, causing the DNS server to divert traffic by returning wrong IP addresses as results for client queries.
 Email spoofing - faking the email's "From" field in order to hide the real origin of the email. This type of spoofing is often used in spam or during phishing attacks; SPF, DKIM and DMARC exist to let receiving servers detect it.
 Search engine poisoning - attackers take advantage of high-profile news items or popular events that may be of specific interest to a certain group of people to spread malware and viruses. This is done by various methods whose purpose is to achieve the highest possible search ranking on known search portals for the malicious sites and links introduced by the hackers. Search engine poisoning techniques are often used to distribute rogue security products (scareware) to users searching for legitimate security solutions to download.
 Network sniffing (Packet sniffing) - capturing the data packets travelling on the network. Network sniffing can be used by IT professionals to analyse and monitor traffic, for example to find unexpected suspicious traffic, but also by perpetrators to collect data sent in clear text, which is easily readable with network sniffers (protocol analysers). The best countermeasure against sniffing is the use of encrypted communication between the hosts.
 ICMP flood attack (Ping Flood) - the attacker sends ICMP Echo Requests to the victim host as fast as possible without waiting for answers, in order to overload it with ICMP traffic to the point where the host cannot respond any more, either because of network bandwidth congestion with ICMP packets (both requests and replies) or high CPU utilisation caused by processing the requests.
 Ping of Death (PoD) - attack that involves sending a malformed or otherwise corrupted malicious ping to the host machine, for example a ping larger than the maximum IP packet size, which can cause a buffer overflow on the system that leads to a system crash.
 Smurf Attack - an amplified ping flood: the attacker sends Echo Requests to the broadcast address of a third-party network with the source IP address spoofed to be the victim's, so every host on that network sends its Echo Reply to the victim. The victim is swamped by replies, and the amplifier network suffers the load of answering the broadcast.
 Man-in-the-middle Attack - a form of active monitoring or eavesdropping on the victims' connections and on the communication between the victim hosts. This form of attack also involves the attacker interacting with both victim parties of the communication, relaying and possibly altering messages between them.
 Session Hijacking Attack - an attack that exploits a valid computer session in order to gain unauthorized access to information on a computer system. The attack type is often referred to as cookie hijacking, since the attacker uses a stolen session cookie to authenticate to the remote server by impersonating the legitimate user.
 SQL Injection Attack - the attacker abuses an application that builds SQL queries by concatenating untrusted input into the query text; input containing SQL syntax (quotes, comments, OR clauses) changes the meaning of the query and is executed by the database.
Operating System Attacks
 Hacking an operating system is a preferred method
 OS attacks make up a large portion of hacker attacks
 Hackers often prefer attacking Windows and Linux by
- Exploiting missing patches
- Attacking the built-in authentication system
- Breaking file system security
- Cracking passwords and weak encryption implementations
Authentication
 Authentication is the process of confirming the truth or identity of an object. In technical terms, it is a program or process which confirms a user's identity, to ensure that the user really is who he claims to be. All computer systems that need to maintain user-specific sessions or data sets need users to log in, and thus require some sort of authentication mechanism.
How authentication system works
 The user tries to authenticate himself with the authentication verifier.
 The verifier is a secure software system, which first challenges the user to provide his credentials, such as a user ID and a password.
 The user enters the information, which is sent to an authentication module. This module refers to a backend authentication database which holds information about the user's credentials (ideally a salted hash of the password rather than the password itself).
 This information was created when the user's profile was established in the past.
Contd..
 Once the database entries and the presented information are compared and found to match, a token is provided to the user.
 This token now becomes part of the user's active session, and removes the need to authenticate each further request; whoever holds the token is the user as far as the server is concerned, which is why tokens must be unguessable and protected in transit.
 This example depicts the process of a user being authenticated by a software system. There are situations wherein a software system authenticates other software systems as well.
 There are multiple protocols available for authentication, operating at different OSI layers, each for a different purpose in terms of strengthening security.
OSI
Application Layer
 The Application Layer contains a variety of protocols
that are commonly needed by users. One widely-used
application protocol is HTTP(HyperText Transfer
Protocol), which is the basis for the World Wide Web.
When a browser wants a web page, it sends the name
of the page it wants to the server using HTTP. The
server then sends the page back.
Presentation Layer
 The primary goal of this layer is to take care of
the syntax and semantics of the information
exchanged between two communicating systems.
 Translation
 Encryption
 Compression
Session Layer
 Its main aim is to establish, maintain and synchronize the interaction between communicating systems. The session layer manages and synchronizes the conversation between two different applications.
Transport Layer
 The basic function of the Transport layer is to accept data from the layer above, split it up into smaller units, pass these data units to the Network layer, and ensure that all the pieces arrive correctly at the other end.
 Service Point Addressing
 Segmentation and Reassembling
 Connection Control
 Flow Control
 Error Control
Network Layer
 The main aim of this layer is to deliver packets from source to destination across multiple links (networks). If two computers (systems) are connected on the same link, then there is no need for a network layer. It routes the packets through different channels to the other end and acts as a network controller.
 IP address
 Routing tables
Data Link Layer
 The data link layer performs reliable node-to-node delivery of data. It forms frames from the packets received from the network layer and gives them to the physical layer. It also synchronizes the information to be transmitted over the link, and error control is easily done at this level.
 Framing
 Physical Addressing
 Flow control
 Error control
Physical Layer
 The physical layer is the lowest layer of the OSI reference model. It is responsible for sending bits from one computer to another. This layer is not concerned with the meaning of the bits; it deals with the setup of the physical connection to the network and with transmission and reception of signals.
 Topologies
Logon Authentication
 This type consists of the rudimentary user ID and password combination as well as modern means of security such as captcha images, biometrics, smart cards, PIN numbers etc. Client-server systems as well as web-based systems use this method as the first level of defense.
Network Authentication
 This type operates at multiple OSI layers of the network, and verifies user identity for the network resources being accessed. Usually the operating system does this job with the help of the network driver and the protocol stack. For example, once a user authenticates and connects to a share, he is not asked for credentials again for that session.
IP Authentication
 This method operates at lower network layers and is primarily used to authenticate the source and destination of IP datagrams. This is achieved with IPsec (AH/ESP) at its core, with the keys established through pre-shared secrets or public key cryptography (certificates) in the IKE exchange.
Remote Authentication
 This type is used for authentication between remote computer systems communicating with each other for data transfer. Typically virtual private networks (VPNs) use this authentication and may use the PAP or CHAP protocols (PAP sends the password in the clear; CHAP proves possession of it through a challenge-response).
 In the internet world, where HTTP is the base protocol for communication, application and session layer security is paramount. It is important to note that web portals use a variety of authentication mechanisms too.
 Basic Authentication – This type sends the user ID and password Base64-encoded in every request. Base64 is encoding, not encryption, so the credentials are effectively clear text unless the connection is protected by TLS. It is the simplest scheme and is supported by most web servers.
 Digest – This type is similar to Basic, but instead of the password the client sends an MD5 hash of the password combined with a server-supplied nonce (a challenge-response), so the password itself does not cross the wire. The hash can still be attacked offline by anyone who captures it.
 Form Based – In this method, the HTTP protocol's POST command is used to submit the contents of an HTML form to the receiving web page on the server side. Form-based authentication can happen on a plain HTTP channel or a protected SSL/TLS channel.
 NTLM – This is a Microsoft proprietary challenge-response protocol that may be carried by HTTP as a vehicle to perform authentication for web portals. Its primary usage is to perform authentication among Windows (or non-Windows) clients and servers.
 Client certificates – While SSL/TLS is used to endorse the identity of the server hosting a website, a client certificate does the same for the user accessing that website. Typically a client certificate is used as a cheaper alternative to smart cards or SecurID tokens. Client certificates are implemented within the SSL/TLS handshake, and need browser support to participate in the challenge-response process.
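To make the Basic and Digest schemes above concrete, here is an added example in Python (not from the original slides): decoding a Basic credential, and computing and verifying an RFC 2617 Digest response using the worked values from RFC 2617 section 3.5.

```python
import base64
import hashlib
import secrets


def decode_basic(header_value):
    """Basic: 'Basic ' + base64(user:password). Base64 is reversible encoding,
    so anyone who sees the header (proxy, sniffer) has the password."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest (qop=auth). Only this hash crosses the wire; the password
    is mixed with the server nonce and a client nonce, so a captured response is
    useless once the server issues a new nonce."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_password, params, method):
    """Server side: recompute the expected response from the stored password and
    the client's parameters, and compare in constant time."""
    expected = digest_response(params["username"], params["realm"], stored_password,
                               method, params["uri"], params["nonce"], params["nc"],
                               params["cnonce"], params["qop"])
    return secrets.compare_digest(expected, params["response"])


# The worked example from RFC 2617 section 3.5 (password "Circle Of Life").
RFC2617_EXAMPLE = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "uri": "/dir/index.html",
    "qop": "auth",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print(decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    print(server_verify("Circle Of Life", RFC2617_EXAMPLE, "GET"))
```

A server normally stores HA1 (the MD5 of user:realm:password) rather than the password, which is all the calculation needs. Digest is still MD5 over values an observer can capture, so an offline dictionary attack on the password is possible, and neither scheme authenticates the server; both belong inside TLS.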
File system Security
 A file system is an abstraction used to store, retrieve and update a set of files. The term also identifies the data structures that implement the abstraction: the file system is responsible for organizing files and directories, and for keeping track of which areas of the media belong to which file and which are not being used.
 The file system manages access to the data of the files, and manages the available space of the device(s) which contain it.
 Concretely, it is the collection of files and directories stored on a given drive (floppy drive, hard drive, RAM drive, etc.) together with the index, or database, that records the physical location of every piece of data on the drive. A file system is set up on a drive when it is formatted.
 The file system is system software that takes commands from the operating system to read and write disk clusters (groups of sectors), allocating space in multiple physical units on the device. To the application it opens, closes, reads and writes each file as a single entity.
 Some file systems store files in packages as small as 512 bytes, while others store files in larger chunks called allocation units or clusters. Some are very simple file systems with few features and little overhead (such as the FAT file system used in DOS and Windows 9x), and others have many features but comparatively higher overhead (NTFS used in Windows NT).
 FAT is short for File Allocation Table, which dates back to the beginnings of DOS programming. The FAT file system was the primary file system in Microsoft's older operating systems; it was created by Microsoft in 1977 and was the primary file system in all of Microsoft's consumer operating systems from MS-DOS through Windows ME. Its versions are FAT12, FAT16 and FAT32. FAT has no concept of file ownership or permissions, so anyone with access to the volume can read or change any file.
 NTFS is the file system commonly used by Microsoft Windows. It is the standard file system for Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7. It provides numerous improvements over the FAT file system, including better security (per-file access control lists, auditing, encryption) and better disk utilization. NTFS is a proprietary file system developed by Microsoft Corporation for its Windows line of operating systems, beginning with Windows NT 3.1 and continuing through Windows 2000, Windows XP, Windows Server 2003, and all their successors to date.
Application and other specialized Attacks
 HTTP and SMTP applications are frequently attacked
 VoIP faces increasing attacks as it finds its way into more and more businesses
 Unsecured files containing sensitive information are scattered throughout workstations and server shares. Database systems also contain numerous vulnerabilities that malicious users can exploit.
Obey EH commandments
 Working ethically – support the company's goals
 No hidden agendas allowed
 Respecting privacy – treat all information you obtain during your testing with the utmost respect.
 Not crashing your systems – most crashes come from lack of planning
EH Process
 Formulating your plan
 Selecting tools
 Executing the plan
 Evaluating the results
 Moving on
Formulating your plan
 Specific systems to be tested : start with most critical
systems and processes.
 Risks involved: handle social engineering and DoS
attacks carefully.
 Dates the tests will be performed and your overall
timeline : determining when the tests are performed.
 Whether or not you intend to be detected: one of your
goals might be to perform the tests without being
detected.
Contd..
 Knowledge of the systems you have before you start
testing : dont need extensive knowledge of the
systems you’re testing.
 Actions you will take when a major vulnerability is
discovered: don’t stop after you find 1 or 2 security
holes.
 The specific deliverables : this includes vulnerability
scanner reports and your own distilled report outlining
the important vulnerabilities to address, along with
countermeasures to implement.
Selecting Tools
 To crack passwords, you need cracking tools, such as ophcrack and Proactive Password Auditor.
 For an in-depth analysis of a web application, a web vulnerability scanner is more appropriate than a network analyzer.
 When selecting the right security tool, ask around.
- Cain & Abel
- OmniPeek, QualysGuard, WebInspect
- ophcrack, GFI LanGuard, CommView for WiFi
 Whichever tools you use, familiarize yourself with them before you start using them.
- Read the readme / online help files and FAQs
- Study the user guides
- Use the tools in a lab or test environment
- Consider formal classroom training from the security tool vendor or another third-party training provider, if available.
 Look for these characteristics in tools for EH
- Adequate documentation
- Detailed reports on the discovered vulnerabilities, including how they might be exploited and fixed
- General industry acceptance
- Availability of updates and support
- High-level reports that can be presented to managers or non-technical types.
Executing the plan
 Be sure you keep everything as quiet and private as
possible.
 This is especially critical when transmitting and
storing your test results. If possible encrypt any emails
and files containing sensitive test information with
PGP.
Contd..
 Start with a broad view and narrow your focus
- search the internet for your organizations name, your
computer and network system names, and your ip
addresses.
- Narrow your scope, targeting the specific systems you
are testing.
- Further narrow your focus with a more critical eye.
Perform actual scans and other detailed tests to
uncover vulnerabilities on your systems.
Evaluating Results
 Assess your results to see what you have uncovered.
 Your skill at evaluating the results and correlating the
specific vulnerabilities discovered will get better with
practice.
Moving on
 When you finish your EH tests, you still need to implement your recommendations to make sure the systems are secure. Otherwise, all the time, money and effort spent on EH goes to waste.
Unit-3
CRACKING HACKERS' MINDSET
Thinking like the bad guys
 Evading an intrusion prevention system: by changing their MAC address or IP address every few minutes to get further into a network without being completely blocked.
 Bypassing web access controls: by changing a malicious site's URL to its dotted-decimal IP address equivalent and then converting it to hexadecimal (or a single decimal number) for use in the web browser, so a filter that matches on the host name string never sees a match.
 Using unauthorized software that would otherwise be blocked at the firewall.
 Setting up a wireless "evil twin"
 Using an overly trusting colleague's user ID and password.
 Unplugging the power cord or Ethernet connection to a networked security camera.
 Performing SQL injection.
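As an added example (not from the original slides) of the URL trick in the second bullet, here is Python that produces the equivalent numeric spellings of a host and, for the defender, normalises them back to dotted decimal so a filter can compare canonical addresses instead of strings. It goes slightly beyond the slide by also covering the octal and short-form spellings that C's inet_aton (and browsers) accept.

```python
import ipaddress


def obfuscated_forms(dotted):
    """Spellings of one IPv4 host that browsers accept but a string-matching
    filter sees as unrelated."""
    n = int(ipaddress.IPv4Address(dotted))          # validates strict dotted decimal
    octets = [int(o) for o in dotted.split(".")]
    return {
        "dotted": dotted,
        "decimal": str(n),                          # http://3232235786/
        "hex": hex(n),                              # http://0xc0a8010a/
        "dotted_hex": ".".join(hex(o) for o in octets),
        "dotted_octal": ".".join(f"0{o:o}" for o in octets),
    }


def _part_value(part):
    """One dotted component with C inet_aton rules: 0x.. is hex, leading 0 is octal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_host(host):
    """Normalise any inet_aton-style numeric host to dotted decimal; return None
    if the host is not a numeric IPv4 address (a name needs DNS instead)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_part_value(p) for p in parts]
    except ValueError:
        return None
    # With fewer than four parts the last part fills all remaining bytes.
    widths = {1: [32], 2: [8, 24], 3: [8, 8, 16], 4: [8, 8, 8, 8]}[len(parts)]
    n = 0
    for value, width in zip(values, widths):
        if value < 0 or value >= (1 << width):
            return None
        n = (n << width) | value
    return str(ipaddress.IPv4Address(n))


if __name__ == "__main__":
    for form, value in obfuscated_forms("192.168.1.10").items():
        print(f"{form:13} {value:22} -> {canonical_host(value)}")
```

A proxy or URL filter should run canonical_host on every numeric host before consulting its block list, and resolve names to addresses as well, since a name that points at a blocked address is the same bypass in another form.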
Who breaks into computer systems
 Hackers are unique individuals, so an exact profile is hard to outline.
 Not all hackers are equal.
 Hackers' skill levels fall into 3 categories:
- Script Kiddies
- Criminal Hackers
- Security Researchers
 Other groupings, by motive rather than skill:
- Hacktivists
- Cyber Terrorists
- Hackers for hire
 Script Kiddies: these are computer novices who take advantage of the hacker tools, vulnerability scanners and documentation available free on the internet, but who don't have any real knowledge of what's really going on behind the scenes.
 Criminal Hackers:
- These are skilled criminal experts who write some of the hacking tools and scripts.
- These folks also write such malware as viruses and worms.
 Security Researchers:
- These are highly technical and publicly known IT professionals who not only monitor and track computer, network, and application vulnerabilities but also write the tools and other code to exploit them.
- If these people didn't exist, ethical hackers wouldn't have much in the way of open source and even certain commercial testing tools.
 Hacktivists:
- These people try to disseminate political or social messages through their work.
- A hacktivist wants to raise public awareness of an issue.
 Cyber terrorists: attack government computers or public utility infrastructures, such as power grids and air traffic control towers.
- They crash critical systems or steal classified government information.
 Hackers for Hire: are part of organized crime on the internet.
Why they do it?
 Many hackers thrive on making headlines and being
notorious cyberoutlaws.
- Wide spread use of networks and internet
connectivity.
- Anonymity provided by computer systems working
over the internet and often on the internal network.
- Greater number and availability of hacking tools.
- Large number of open wireless networks that help
hackers cover their tracks
- Greater complexity and size of the code base in the
applications and database being developed today
- Computer savvy children
Planning and Performing Attacks
 Some hackers prepare far in advance of an attack:
- They gather small bits of information and methodically carry out their hacks. These hackers are the most difficult to track.
- Other hackers, usually script kiddies, go straight in without hiding their identity.
- Malicious users are all over the map.
 Whatever approach they take, most malicious attackers prey on ignorance.
 The majority of systems aren't managed properly:
- The computer systems are not properly patched, hardened or monitored.
- Attackers can often fly below the radar of the average firewall.
- This is especially true for malicious insiders, whose actions are often not monitored at all.
 Most network and security administrators simply can't keep up with the deluge of new vulnerabilities and attack methods:
- These people often have too many tasks to stay on top of and too many other fires to put out. Network and security administrators may also fail to notice or respond to security events because of poor time management and goal setting.
 Information systems grow more complex every year:
- This is yet another reason why overburdened administrators find it difficult to know what's happening across the wire and hard drives of all their systems.
- Attacks are frequently carried out after typical business hours.
Maintaining Anonymity
 Hackers often remain anonymous by using the following
resources.
- Borrowed or stolen remote desktop and VPN accounts from
friends or previous employers.
- Public computers at libraries, schools, or kiosks at the local mall.
- Open wireless networks
- Internet proxy servers
- Anonymous or disposable e-mail accounts from free e-mail
services
- Open e-mail relays
- Infected computers
- Workstations or servers on the victims own network.
