Based on : Hands on Ethical

Hacking and Network Defense

by Michael T.Simpson,
Kent Backman, and James
E.Corley

Ethical
Hacking
Study material

Jiby P Joseph
Module I Vulnerabilities and attacks
[Definition of ethical hacking, Malicious software – Viruses, Worms, Trojans programs,
Spyware, Adware, protection methods, Network and system attacks - Denial of Service

(DoS), Distributed Denial of Service (DDoS), Buffer overflow, Ping of death, Session
Hijacking, Brute force attack, Man-in-the middle, Dictionary attack, Replay attack]

Hacking
Hacking generally refers to unauthorized intrusion into a computer or a network. The
person engaged in hacking activities is known as a hacker. This hacker may alter system or
security features to accomplish a goal that differs from the original purpose of the system.

Hackers employ a variety of techniques for hacking, including:

 Vulnerability scanner: checks computers on networks for known weaknesses

 Password cracking: the process of recovering passwords from data stored or transmitted by
computer systems
 Packet sniffer: applications that capture data packets in order to view data and passwords in
transit over networks
 Spoofing attack: involves websites which falsify data by mimicking legitimate sites, and
they are therefore treated as trusted sites by users or other programs
 Root kit: represents a set of programs which work to subvert control of an operating system
from legitimate operators
 Trojan horse: serves as a back door in a computer system to allow an intruder to gain access
to the system later
 Viruses: self-replicating programs that spread by inserting copies of themselves into other
executable code files or documents
 Key loggers: tools designed to record every keystroke on the affected machine for later
retrieval.

Ethical hacking

An ethical hacker (also known as a white hat hacker) is the ultimate security
professional. Ethical hackers know how to find and exploit vulnerabilities and weaknesses in
various systems—just like a malicious hacker (or a black hat hacker). In fact, they both use
the same skills; however, an ethical hacker uses those skills in a legitimate, lawful manner to
try to find vulnerabilities and fix them before the bad guys can get there and try t o break in.

Apart from testing duties, ethical hackers are associated with other responsibilities. The main
idea is to replicate a malicious hacker at work and instead of exploiting the vulnerabilities for

1
malicious purposes, seek countermeasures to shore up the system’s defenses. An ethical
hacker might employ all or some of these strategies to penetrate a system:

 Scanning ports and seeking vulnerabilities: An ethical hacker uses port scanning
tools like Nmap or Nessus to scan one’s own systems and find open ports. The
vulnerabilities with each of the ports can be studied and remedial measures can be
taken.
 An ethical hacker will examine patch installations and make sure that they cannot be
exploited.
 The ethical hacker may engage in social engineering concepts like dumpster diving
through trash bins for passwords, charts, sticky notes, or anything with crucial
information that can be used to generate an attack.
 An ethical hacker may also employ other social engineering techniques like shoulder
surfing to gain access to crucial information or play the kindness card to trick
employees to part with their password.
 An ethical hacker will attempt to evade IDS (Intrusion Detection systems), IPS
(Intrusion Prevention systems), honeypots, and firewalls.
 Sniffing networks, bypassing and cracking wireless encryption, and hijacking web
servers and web applications.
 Ethical hackers may also handle issues related to laptop theft and employee fraud.

Hacker : A user who attempts to break into a computer system or network without
authorization
from the owner.

Crackers Hackers who break into systems with the intent of doing harm or destroying data.

Ethical hackers : Users who attempt to break into a computer system or network with the
owner’s permission.

packet monkeys :A derogatory term for unskilled crackers or hackers who steal program
code and use it to hack into network systems instead of creating the programs themselves.
penetration test :In this test, a security professional performs an attack on a network with
permission from the owner to discover vulnerabilities; penetration testers are also called
ethical hackers.
script kiddies : Similar to packet monkeys, a term for unskilled hackers or crackers who use
scripts or programs written by others to penetrate networks.

white box model: A model for penetration testing in which testers can speak with company
staff and are given a full description of the network topology and technology.

Malicious Software (Malware)

Malicious software is software that is intentionally included or inserted in a system for a
harmful purpose. Malware is malicious software, such as a virus, worm, or Trojan program,
2
introduced into a network for just that reason. The main goal of malware used to be to destroy or
corrupt data or to shut down a network or computer system.

Types of malicious software

Malicious software can be divided into two categories: those that need a host program, and
those that are independent. The former, referred to as parasitic, are essentially fragments of programs
that cannot exist independently of some actual application program, utility, or system program. Viruses,
logic bombs, and backdoors are examples. Independent malware is a self-contained program that can
be scheduled and run by the operating system. Worms and bot programs are examples.

1. Adware:. The least dangerous and most lucrative Malware. Adware displays ads on
your computer.
2. Spyware:. Spyware is software that spies on you, tracking your internet activities in
order to send advertising (Adware) back to your system.
3. Virus: A virus is a contagious program or code that attaches itself to another piece of
software, and then reproduces itself when that software is run. Most often this is
spread by sharing software or files between computers.
4. Worm: A program that replicates itself and destroys data and files on the computer.
Worms work to “eat” the system operating files and data files until the drive is empty.
5. Trojan: The most dangerous Malware. Trojans are written with the purpose of
discovering your financial information, taking over your computer’s system
resources, and in larger systems creating a “denial-of-service attack ” Denial-of-
service attack: an attempt to make a machine or network resource unavailable to those
attempting to reach it. Example: AOL, Yahoo or your business network becoming
unavailable.
6. Rootkit: This one is likened to the burglar hiding in the attic, waiting to take from
you while you are not home. It is the hardest of all Malware to detect and therefore to
remove; many experts recommend completely wiping your hard drive and reinstalling
everything from scratch. It is designed to permit the other information gathering
Malware in to get the identity information from your computer without you realizing
anything is going on.
7. Backdoors: Backdoors are much the same as Trojans or worms, except that they
open a “backdoor” onto a computer, providing a network connection for hackers or
other Malware to enter or for viruses or SPAM to be sent.
8. Keyloggers: Records everything you type on your PC in order to glean your log-in
names, passwords, and other sensitive information, and send it on to the source of the
keylogging program. Many times keyloggers are used by corporations and parents to
acquire computer usage information.
9. Rogue security software: This one deceives or misleads users. It pretends to be a
good program to remove Malware infections, but all the while it is the Malware.
Often it will turn off the real Anti-Virus software. The next image shows the typical
screen for this Malware program, Antivirus 2010
10. Ransomware: If you see this screen that warns you that you have been locked out of
your computer until you pay for your cybercrimes. Your system is severely infected
with a form of Malware called Ransomware. It is not a real notification from the FBI,
3
 but, rather an infection of the system itself. Even if you pay to unlock the system, the
system is unlocked, but you are not free of it locking you out again. The request for
money, usually in the hundreds of dollars is completely fake.
11. Browser Hijacker: When your homepage changes to one that looks like those in the
images inserted next, you may have been infected with one form or another of a
Browser Hijacker. This dangerous Malware will redirect your normal search activity
and give you the results the developers want you to see. Its intention is to make
money off your web surfing. Using this homepage and not removing the Malware lets
the source developers capture your surfing interests. This is especially dangerous
when banking or shopping online. These homepages can look harmless, but in every
case they allow other more infectious

VIRUS
A virus is a program that attaches itself to a file or another program, often sent via e-mail. A
virus doesn’t stand on its own, so it can’t replicate itself or operate without the presence of a host. A
virus attaches itself to a host file or program (such as Microsoft Word), just as the flu attaches itself to
a host organism, and then performs whatever the creator designed it to do.

The typical virus becomes embedded in a program on a computer. Then, whenever the infected
computer comes into contact with an uninfected piece of software, a fresh copy of the virus passes into
the new program. Thus, the infection can be spread from computer to computer by unsuspecting users
who either swap disks or send programs to one another over a network. In a network environment, the
ability to access applications and system services on other computers provides a perfect culture for the
spread of a virus. A virus can do anything that other programs do. The difference is that a virus attaches
itself to another program and executes secretly when the host program is run. Once a virus is executing,
it can perform any function, such as erasing files and programs that is allowed by the privileges of the
current user.

Viruses may be classified into the following categories:

o Boot sector infector: Infects a master boot record or boot record and spreads when a
system is booted from the disk containing the virus.

o File infector: Infects files that the operating system or shell consider to be
executable.

o Macro virus: Infects files with macro code that is interpreted by an application.

o Encrypted virus:. A portion of the virus creates a random encryption key and
encrypts the remainder of the virus. The key is stored with the virus. When an
infected program is invoked, the virus uses the stored random key to decrypt the
virus. When the virus replicates, a different random key is selected. Because the bulk
of the virus is encrypted with a different key for each instance, there is no constant bit
pattern to observe.

4
 o Stealth virus: A form of virus explicitly designed to hide itself from detection by
antivirus software. Thus, the entire virus, not just a payload is hidden.

o Polymorphic virus: A virus that mutates with every infection, making detection by
the “signature” of the virus impossible.
o Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates
with every infection. The difference is that a metamorphic virus rewrites itself
completely at each iteration, increasing the difficulty of detection. Metamorphic
viruses may change their behavior as well as their appearance.

o Macro Viruses : A macro virus is a virus encoded as a macro in programs that

support a macro programming language, such as Visual Basic for Applications
(VBA).
.
o E-Mail Viruses

Examples for virus

 Gumblar
 Luckysploit
 Zlob
 Gpcode

Virus Countermeasures

1. Antivirus

The ideal solution to the threat of viruses is prevention: Do not allow a virus to get into the
system in the first place, or block the ability of a virus to modify any files containing executable code
or macros. This goal is, in general, impossible to achieve, although prevention can reduce the number
of successful viral attacks.
Advances in virus and antivirus technology go hand in hand. Early viruses were relatively simple
code fragments and could be identified and purged with relatively simple antivirus software packages.
As the virus arms race has evolved, both viruses and, necessarily, antivirus software have grown more
complex and sophisticated.

2. Digital Immune System

The digital immune system is a comprehensive approach to virus protection developed by

IBM. The motivation for this development has been the rising threat of Internet-based virus
propagation.
The objective of this system is to provide rapid response time so that viruses can be stamped
out almost as soon as they are introduced. When a new virus enters an organization, the immune
system automatically captures it, analyzes it, adds detection and shielding for it, removes it, and
5
passes information about that virus to systems running IBM AntiVirus so that it can be detected
before it is allowed to run elsewhere.

WORMS
A worm is a program that replicates and propagates itself without having to attach itself to a
host (unlike a virus, which needs to attach itself to a host). The most infamous worms are Code Red,
Nimda, and Conficker.

Network worm programs use network connections to spread from system to system. Once
active within a system, a network worm can behave as a computer virus or bacteria, or it could
implant Trojan horse programs or perform any number of disruptive or destructive actions. To
replicate itself, a network worm uses some sort of network vehicle such as E-mail, remote execution
capability,remote login capability.

Examples for WORM

1) Storm
2) Mytob
3) Waledac
4) Conficker
5) Slammer
6) Mod_ssl

WORM Countermeasures
Once a worm is resident on a machine, antivirus software can be used to detect it. In addition,
because worm propagation generates considerable network activity, network activity and usage
monitoring can form the basis of a worm defense.
A. Signature-based worm scan filtering: This type of approach generates a worm signature, which is
then used to prevent worm scans from entering/leaving a network/host. Typically, this approach
involves identifying suspicious flows and generating a worm signature.
B. Filter-based worm containment: This approach is similar to class A but focuses on worm content
rather than a scan signature. The filter checks a message to determine if it contains worm code.
C. Payload-classification-based worm containment: These network-based techniques examine
packets to see if they contain a worm. Various anomaly detection techniques can be used, but care is
needed to avoid high levels of false positives or negatives.
D. Threshold random walk (TRW) scan detection: TRW exploits randomness in picking
destinations to connect to as a way of detecting if a scanner is in operation.TRW is suitable for
deployment in high-speed, low-cost network devices. It is effective against the common behavior seen
in worm scans.
E. Rate limiting: This class limits the rate of scanlike traffic from an infected host. Various strategies
can be used, including limiting the number of new machines a host can connect to in a window of time,
detecting a high connection failure rate, and limiting the number of unique IP addresses a host can scan
in a window of time

6
TROJAN PROGRAMS
A program that disguises itself as a legitimate program or application but has a hidden
payload that might send information from the attacked computer to the creator or to a recipient
located anywhere in the world.
Trojan horse programs can be used to accomplish functions indirectly that an unauthorized user
could not accomplish directly. For example, to gain access to the files of another user on a shared
system, a user could create a Trojan horse program that, when executed, changes the invoking user’s
file permissions so that the files are readable by any user. The author could then induce users to run the
program by placing it in a common directory and naming it such that it appears to be a useful utility
program or application
An example of a Trojan horse program that would be difficult to detect is a compiler that has
been modified to insert additional code into certain programs as they are compiled, such as a system
login program . The code creates a backdoor in the login program that permits the author to log on to
the system using a special password. This Trojan horse can never be discovered by reading the source
code of the login program.
Another common motivation for the Trojan horse is data destruction. The program appears to
be performing a useful function (e.g., a calculator program), but it may also be quietly deleting the
user’s files.

Trojan horses fit into one of three models:

• Continuing to perform the function of the original program and additionally performing a
separate malicious activity
• Continuing to perform the function of the original program but modifying the function to
perform malicious activity (e.g., a Trojan horse version of a login program that collects
passwords) or to disguise other malicious activity (e.g., a Trojan horse version of a process
listing program that does not display certain processes that are malicious)
• Performing a malicious function that completely replaces the function of the original program.

1In Greek mythology, the Trojan horse was used by the Greeks during their siege of Troy. Epeios
constructed a giant hollow wooden horse in which thirty of the most valiant Greek heroes concealed
themselves.The rest of the Greeks burned their encampment and pretended to sail away but actually
hid
nearby. The Trojans, convinced the horse was a gift and the siege over, dragged the horse into the
city.
That night, the Greeks emerged from the horse and opened the city gates to the Greek army. A
bloodbath
ensued, resulting in the destruction of Troy and the death or enslavement of all its citizens.

SPYWARE
Software installed on users’ computers without their knowledge that records personal
information from the source computer and sends it to a destination computer.

7
 A spyware program sends information from the infected computer to the person who initiated
the spyware program on your computer. This information could be confidential financial data,
passwords, PINs—just about any data stored on your computer. You need to make sure users
understand that this information collection is possible, and spyware programs can register each
keystroke entered.

ADWARE
Both Adware and spyware programs can be installed without users being aware of their
presence. Adware, however, sometimes displays a banner that notifies users of its presence. Adware’s
main purpose is to determine a user’s purchasing habits so that Web browsers can display
advertisements tailored to this user. The biggest problem with adware is that it slows down the
computer it’s running on.

PROTECTING AGAINST MALWARE ATTACKS

 Educate users: conducting structured training of all employees and management.
 Update antivirus software periodically
 Use spyware /adware removal programs
 Install firewalls to protect a network

NETWORK AND SYSTEM ATTACKS

Security professionals must be aware of attacks that can take place on both network
infrastructures and stand-alone computers.
Network and computer attacks can be perpetrated by insiders as well as outside attackers.
Popular Network and system attacks are:

 Brute force attacks

 Denial of Service attacks
 Distributed Denial of Service attacks
 Buffer overflow attacks
 Ping of death
 Session hijacking
 Man-in-the middle attack
 Dictionary attack
 Replay attack

BRUTEFORCE ATTACKS
A brueforce attack is guessing a user id/password combination on a service that attempts to
authenticate the user before access is granted.
8
 The common types of services that can be brute-forced are telnet, FTP, SSH, HTTP, POP,
IMAP etc.
Once attackers have a list of user accounts, they can begin trying to gain shell access to the
target system by guessing the password associated with one of the IDs.

Most passwords are guessed via an automated brute-force utility. Attackers can use several
tools to automate brute forcing such as THC-Hydra, POP.C, SNMPbrute

Brute force attack- countermeasures

 The best defense for brute force guessing is to use strong passwords that are not easily
guessed. A one time password mechanism would be most desirable.

 Effective password management is essential. Some possible password policies are:

Passlength Minimum password length

Minweek Minimum number of weeks before a password
can be changed.
Maxweek Maximum number of weeks before passwords
must be changed.
Warnweeks Number of weeks to warn a user ahead of time
their password is about to expire.
History Number of passwords stored in password
history.users will not be allowed to reuse these
values.
Minalpha, mindigit, minspecial, minlower, Minimum number of alphabets, digits, special
minupper characters, lowercase letters, uppercase letters
etc.

Denial-of-Service (DoS) Attack

Denial of Service is an attack is a malicious attempt to make a server or a network resource
unavailable to users,usually by temporarily interrupting or suspending the services of a host connected
to the Internet.

Motivation for DoS attack

 Frustration after repeated hacking attempts

 Political vendettas against someone/organization

There are many types of attacks crafted specially for

9
  Congesting network resources
 Draining CPU memory
 Reducing computing power
 Exploiting timers
 Poisoning domain name translations etc.

There are several flavors of Denial of Service that could disrupt a normal service. The attacking
methods are classified into two methods:-

 First type would be to flood the network not leaving enough bandwidth for the
legitimate packets to get through. This could also be termed as Flooding.

 The other method is to crash a hardware or software item and make it inoperable. Web
servers, routing devices, DNS look up servers are the common targets that could be
crashed during an attack.

Distributed Denial of Service Attack

In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to
attack another computer. By taking advantage of security vulnerabilities or weaknesses, an
attacker could take control of your computer. He or she could then force your computer to send
huge amounts of data to a website or send spam to particular email addresses. The attack is
"distributed" because the attacker is using multiple computers, including yours, to launch the
denial-of-service attack.

There are basically three types of DDOS attacks:

1. Application layer DDOS attack

10
Application-layer DDOS attacks are attacks that target Windows, Apache, OpenBSD, or other software
vulnerabilities to perform the attack and crash the server.

2. Protocol DDOS attack

A protocol DDOS attacks is a DOS attack on the protocol level. This category includes Synflood, Ping
of Death, and more.

3. Volume-based DDOS attack

This type of attack includes ICMP floods, UDP floods, and other kind of floods performed via spoofed
packets.

There are many tools available for free that can be used to flood a server and perform an attack.
A few tools also support a zombie network to perform DDOS attacks.

Tools Available

LOIC (Low Orbit Ion Canon)

LOIC is one of the most popular DOS attacking tools freely available on the Internet. It can be
used simply by a single user to perform a DOS attack on small servers. This tool is really easy to use,
even for a beginner. This tool performs a DOS attack by sending UDP, TCP, or HTTP requests to the
victim server. You only need to know the URL of IP address of the server and the tool will do the rest.

4. XOIC

XOIC is another nice DOS attacking tool. It performs a DOS attack an any server with an IP
address, a user-selected port, and a user-selected protocol. In general, the tool comes with three
attacking modes. The first one, known as test mode, is very basic. The second is normal DOS attack
mode. The last one is a DOS attack mode that comes with a TCP/HTTP/UDP/ICMP Message.

5. DDOSIM—Layer 7 DDOS Simulator

As the name suggests, it is used to perform DDOS attacks by simulating several zombie hosts.
All zombie hosts create full TCP connections to the target server.

Ping of Death
In a Ping of Death attack, the attacker crafts an ICMP packet to be larger than the maximum
65,535 bytes, which causes the recipient system to crash or freeze. Most systems today aren’t affected
by this exploit.

11
 The size of a correctly-formed IPv4 packet including the IP header is 65,535 bytes, including
a total payload size of 84 bytes. Many historical computer systems simply could not handle larger
packets, and would crash if they received one. This bug was easily exploited in early TCP/IP
implementations in a wide range of operating systems including Windows, Mac, Unix, Linux, as well
as network devices like printers and routers.

Since sending a ping packet larger than 65,535 bytes violates the Internet Protocol, attackers
would generally send malformed packets in fragments. When the target system attempts to
reassemble the fragments and ends up with an oversized packet, memory overflow could occur and
lead to various system problems including crash.

Ping of Death attacks were particularly effective because the attacker’s identity could be
easily spoofed. Moreover, a Ping of Death attacker would need no detailed knowledge of the machine
he/she was attacking, except for its IP address.

Countermeasures for Ping of death

To avoid Ping of Death attacks, and its variants, many sites block ICMP ping messages
altogether at their firewalls. However, this approach is not viable in the long term.
The smarter approach would be to selectively block fragmented pings, allowing actual ping
traffic to pass through unhindered.
DDoS Protection services intelligently and preemptively identify and filter out all
abnormally large packets, even if they are fragmented—eliminating the threat of PoD and similar
packet-based attacks altogether.

SESSION HIJACKING

In session hijacking, the attacker joins a TCP session and makes both parties think he
or she is the other party.

12
 Session hijacking, also known as TCP session hijacking, is a method of taking over a
Web user session by surreptitiously obtaining the session ID and masquerading as the
authorized user. Once the user's session ID has been accessed (through session prediction),
the attacker can masquerade as that user and do anything the user is authorized to do on the
network.

The session ID is normally stored within a cookie or URL. For most

communications, authentication procedures are carried out at set up. Session hijacking takes
advantage of that practice by intruding in real time, during a session. The intrusion may or
may not be detectable, depending on the user's level of technical knowledge and the nature of
the attack. If a Web site does not respond in the normal or expected way to user input or
stops responding altogether for an unknown reason, session hijacking is a possible cause.

BUFFER OVERFLOW ATTACK

A buffer overflow condition exists when a program attempts to put more data in a buffer than
it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a
buffer is a sequential section of memory allocated to contain anything from a character string to an
array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash
the program, or cause the execution of malicious code.

Since buffers are created to contain a defined amount of data, the extra data can overwrite
data values in memory addresses adjacent to the destination buffer unless the program includes
sufficient bounds checking to flag or discard data when too much is sent to a memory buffer.

Programming languages like C and C++ are prone to buffer overflow attacks as they have no
built-in protection against accessing or overwriting data in any part of their memory and as actors can
perform direct memory manipulation with common programming constructs. Modern programming
languages like C#, Java and Perl reduce the chances of coding errors creating buffer overflow

13
vulnerabilities, but buffer overflows can exist in any programming environment where direct memory
manipulation is allowed.

Counter measures

 Secure coding practices

 Test and audit each programs
 Disable unused/dangerous services
 Stack execution protection

Man-in –the middle attack

A man-in-the-middle attack is a type of cyber attack where a malicious actor inserts him/herself
into a conversation between two parties, impersonates both parties and gains access to information
that the two parties were trying to send to each other.

A man-in-the-middle attack allows a malicious actor to intercept, send and receive data meant for
someone else, or not meant to be sent at all, without either outside party knowing until it is too late.
Man-in-the-middle is a type of eavesdropping attack that occurs when a malicious actor inserts
himself as a relay/proxy into a communication session between people or systems.

14
 A MITM attack exploits the real-time processing of transactions, conversations or transfer of other
data.
 Man-in-the-middle attacks allow attackers to intercept, send and receive data never meant to be for
them without either outside party knowing until it is too late.

Tools used are: ettercap, cain and abel, DSniff etc.

DICTIONARY ATTACK
A dictionary attack is a method of breaking into a password-protected computer or server by
systematically entering every word in a dictionary as a password. A dictionary attack can also be used
in an attempt to find the key necessary to decrypt an encrypted message or document.

Dictionary attacks work because many computer users and businesses insist on using
ordinary words as passwords. Dictionary attacks are rarely successful against systems that employ
multiple-word phrases, and unsuccessful against systems that employ random combinations of
uppercase and lowercase letters mixed up with numerals. In those systems, the brute-force method of
attack (in which every possible combination of characters and spaces is tried up to a certain maximum
length) can sometimes be effective, although this approach can take a long time to produce results.

Counter measures

 Delayed Response: A slightly delayed response from the server prevents a hacker or
spammer from checking multiple passwords within a short period of time.

15
  Strengthen password requirements

- Increase password complexity, limiting the number of attempts allowed within a

given period of time, and by wisely choosing the password or key.

 Failed Login Attempts Lockout

 Disable root login for remote connections.

REPLAY ATTACK
A replay attack occurs when a cybercriminal eavesdrops on a secure network communication,
intercepts it, and then fraudulently delays or resends it to misdirect the receiver into doing what the
hacker wants.
During replay attacks the intruder sends to the victim the same message as was already used in
the victim's communication. The message is correctly encrypted, so its receiver may treat is as a correct
request and take actions desired by the intruder.

The attacker might either have eavesdropped a message between two sides before or he may
know the message format from his previous communication with one of the sides. This message may
contain some kind of the secret key and be used for authentication.

Counter measures

 Use right method of encryption

 Both sender and receiver should establish a completely random session key, which is a type
of code that is only valid for one transaction and can't be used again.

16
  Use timestamps on all messages. This prevents hackers from resending messages sent longer
ago than a certain length of time.

 Another method to avoid becoming a victim is to have a password for each transaction
that's only used once and discarded. That ensures that even if the message is recorded and
resent by an attacker, the encryption code has expired and no longer works.

Denial-of-service (DoS) attack

A denial-of-service (DoS) attack prevents authorized users from accessing network
resources. The attack is usually accomplished through excessive use of bandwidth, memory,
and CPU cycles.
Distributed denial-of-service (DDoS)
A distributed denial-of-service (DDoS) is an attack on a host from multiple servers or
computers.
Buffer overflow attacks
The main purpose of buffer overflows is to insert executable code into an area of
memory that elevates the attacker’s permissions to the level of an administrator or the
program owner or creator.
Ping of Death
In a Ping of Death attack, the attacker crafts an ICMP packet to be larger than the maximum
65,535 bytes, which causes the recipient system to crash or freeze. Most systems today aren’t
affected by this exploit.
Man-in –the middle attack
A man-in-the-middle attack is a type of cyber attack where a malicious actor inserts
him/herself into a conversation between two parties, impersonates both parties impersonates
both parties and gains access to information that the two parties were trying to send to each
other.

Dictionary Attack
A dictionary attack is a method of breaking into a password-protected computer or server by
systematically entering every word in a dictionary as a password. A dictionary attack can
also be used in an attempt to find the key necessary to decrypt an encrypted message or
document.

Replay Attack
A replay attack occurs when a cybercriminal eavesdrops on a secure network communication,
intercepts it, and then fraudulently delays or resends it to misdirect the receiver into doing what the
hacker wants.

Brute force Attacks

A brute force attack is guessing a user id/password combination on a service that attempts to
authenticate the user before access is granted.

17
Module II Hacking techniques
[ Footprinting - Web tools are used for footprinting, Competitive intelligence, Other footprinting tools,
DNS zone transfer - Social engineering - Shoulder surfing, Dumpster diving, Piggy backing - Port
scanning - Types of port scans, Port scanning tools - Nmap, Unicornscan, Nessus and OpenVAS - Ping
sweeps - Crafting IP packets ]

Hacking can be summarized into the following steps:

 Footprinting
 Scanning
 Enumeration

Footprinting

Footprinting is a first step that a penetration tester used to evaluate the security of any IT
infrastructure. Footprinting is the process of gathering network information with web tools and utilities.

Footprinting is a first and the important step because after this a penetration tester know how
the hacker sees this network. To measure the security of a computer system, it is good to know more
and more as you can because after this you will able to determine the path that a hacker will use to
exploit this network. the systematic and methodical footprinting of an organization enables attackers to
create a near complete profile of an organization’s security posture.

This is the basic block diagram which shows the steps that are include in the penetration testing
methodology.

18
Footprinting and scanning can be divided into seven basic steps.

1.Information gathering
2. Determining the network range
3. Identifying active machines
4. Finding open ports and access points
5. OS fingerprinting
6. Fingerprinting services
7. Mapping the network

Why footprinting is necessary?

Because it gives you a picture of what the hacker sees.If you know what the hacker sees, you know
what potential security exposures you have in your environment. When you know what exposures
you have, you know, how to prevent exploitation.

Footprinting techniques are primarily aimed at discovering information related to the environments
such as Internet, Intranet, remote access and extranet.

Internet: Domain name, network blocks, IP addresses open to Net, TCP and UDP services running,
ACLs, IDSes
Intranet: Protocols (IP,NETBIOS), internal domain names, etc
Remote Access: Phone numbers, remote control, telnet, authentication
Extranet: Connection origination, destination, type, access control

Website on an organisation is a first place from where penetration testing start, you can get the
sensitive information about the network by using websites, you can get Phone Numbers, Contact
Names, E-mail Addresses, and Personal Details. Beside the official website of the company an
attacker might be use some social networking website like facebook to gather the appropriate
information.

19
Footprinting tools

1. Whois
Different web server give their own information on the internet, i am not going on the
theory behind the whois, i just demonstrate you how to use whois command to gather
the information. In your command prompt type whois domain.com

20
21
 2. Nslookup

Nslookup is an another useful command to find the information about DNS server
including IP addresses of Computers and MX records etc.
nslookup www.cisco.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
www.cisco.com canonical name = www.cisco.com.akadns.net.
www.cisco.com.akadns.net canonical name = geoprod.cisco.com.akadns.net.
geoprod.cisco.com.akadns.net canonical name = origin-www.cisco.com.
Name: origin-www.cisco.com
Address: 72.163.4.161

22
You have seen a simple query now for a name server (NS) type:
nslookup -querytype=ns www.cisco.com

3. Traceroute

Traceroute(Linux) or Tracert(Windows) is one the important command that would

help you to determine the path and the way by which your computer send the packet to
the desire(victim) computer.

Traceroute command shows the hope or a router between your computer to the
destination computer.
23
COMPETITIVE INTELLIGENCE
Competitive intelligence is the action of defining, gathering, analyzing, and
distributing intelligence about products, customers, competitors, and any aspect of the environment
needed to support executives and managers in strategic decision making for an organization.

Competitive intelligence is a legal business practice, as opposed to industrial espionage, which is

illegal.

Competitive intelligence is the process of gathering information about the competitors through
observation and web tools.

Conducting competitive intelligence

 Analyzing a company’s web site

24
Network attacks often begin by gathering information from a company’s Web site because Web
pages are an easy way for attackers to discover critical information about an organization. Many tools
are available for this type of information gathering. For example, Paros is a powerful tool for UNIX
and Windows OSs that can be downloaded free (www.parosproxy.org).

 Using other footprinting tools

The Whois utility is a commonly used Web tool for gathering IP address and domain information.
With just a company’s Web address, you can discover a tremendous amount of information.

 Using Email addresses

Based on an e-mail account listed in DNS output, you might discover that the company’s
e-mail address format is first name initial, followed by last name and the @companyname.com
sequence. You can guess other employees’ e-mail accounts by getting a company phone directory or
searching the Internet for any @companyname.com references. Groups.google.com is the perfect tool
for this job.

 Using HTTP basics

A security tester can pull information from a Web server by using HTTP commands. You’ve probably
seen HTTP client error codes before, such as 404 Not Found. A basic understanding of HTTP can be
beneficial to security testers, and you don’t have to learn too many codes to get data from a Web
server. If you know the return codes a Web server generates, you can determine what OS is used on
the computer where you’re conducting a security test.

 Detecting cookies and web bugs

DNS Zone transfer

Zone transfer is a way of gather information when footprinting a network is through Domain
Name System (DNS). DNS is the network component responsible for resolving hostnames to IP
addresses and vice versa. People would much rather memorize a URL than an IP address. DNS is a
major area of potential vulnerability for network attacks. DNS uses name servers to resolve names.
After you determine what name server a company is using, you can attempt to transfer all the records
for which the DNS server is responsible. This process, called a zone transfer, can be done with the
Dig command.

To determine a company’s primary DNS server, you can look for a DNS server containing a
Start of Authority (SOA) record. An SOA record shows for which zones or IP addresses the DNS
server is responsible. After you determine the primary DNS server, you can perform another zone
transfer to see all host computers on the company network. In other words, the zone transfer give you
an organization’s network diagram. You can use this information to attack other servers or computers
that are part of the network infrastructure.

25
SOCIAL ENGINEERING
Social engineering means using knowledge of human nature to get information from people.
In computer attacks, the information is usually a password to a network or other information an
attacker
could use to compromise a network.

Social engineers use many different techniques in their attempts to gain information from
unsuspecting people:

● Urgency—“I need the information now or the world will come to an end!” For example, a social
engineer might tell a user he needs the information quickly or the network will be down for a long
time, thus creating a false sense of urgency.

● Quid pro quo—“I can make your life better if you give me the information I need.” The social
engineer might promise the user faster Internet access, for example, if he or she helps by supplying
information.

● Status quo—“Everyone else is doing it, so you should, too.” By using the names of other
employees, a social engineer can easily convince others to reveal their passwords.

● Kindness—This tactic is probably the most dangerous weapon social engineers wield. People want
to help those who are kind to them. The saying “It’s easier to catch flies with honey than with
vinegar” also applies to social engineering.

● Position—Convincing an employee that you’re in a position of authority in the company can be a

powerful means of gaining information. This is especially true in the military, where rank has its
privileges. Social engineers can claim that a high-ranking officer is asking for the information, so it’s
imperative to give it as quickly as possible.

Social engineering is the ability to use an understanding of human nature to get

information from unsuspecting people.
Social engineers use many methods to convince users to give them information, such as
creating a false sense of urgency, pretending to have a position of authority, being kind and
friendly, offering something in return for complying with the request, or giving the
impression that everyone else has complied with the request.

Attacking techniques used for Social Engineering

 Shoulder surfing
 Dumpster diving
 Piggybacking
 Phishing

26
SHOULDER SURFING
Shoulder surfing refers to the act of obtaining personal or private information through direct
observation. Shoulder surfing involves looking over a person's shoulder to gather pertinent
information while the victim is oblivious. A shoulder surfer is skilled at reading what users enter on
their keyboards, especially logon names and passwords. This skill certainly takes practice, but with
enough time, it can be mastered easily.

Countermeasures

 Educate users not to type logon names and passwords when someone is standing directly
behind them—or even standing nearby.
 Caution users about typing passwords when someone nearby is talking on a cell phone
because of the wide availability of camera phones.
 Make sure all computer monitors face away from the door or the cubicle entryway. Warn
your users to change their passwords immediately if they suspect someone might have
observed them entering their passwords.

DUMPSTER DIVING
Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash
container.) In the world of information technology, dumpster diving is a technique used to retrieve
information that could be used to carry out an attack on a computer network.

Dumpster diving isn't limited to searching through the trash for obvious treasures like access
codes or passwords written down on sticky notes. Seemingly innocent information like a phone list,
calendar, or organizational chart can be used to assist an attacker using social engineering techniques
to gain access to the network.

Here are some items that can be useful to dumpster divers:

 Financial reports
 Inter office memos
 Discarded computer programs
 Company organizational charts showing managers’ names
 Resumes of employees
 Company policies or systems and procedures manuals
 Professional journals or magazines
 Utility bills

27
  Solicitation notices from outside vendors
 Regional manager reports
 Quality assurance reports
 Risk management reports
 Minutes of meetings

To prevent dumpster divers from learning anything valuable from your trash, experts
recommend that your company establish a disposal policy where all paper, including print-outs, is
shredded in a cross-cut shredder before being recycled, all storage media is erased, and all staff is
educated about the danger of untracked trash.

PIGGYBACKING

Piggybacking is a method attackers use to gain access to restricted areas in a company. The
attacker follows an employee closely and enters the area with that employee.

Piggybacking is trailing closely behind an employee who has access to an area without the
person
realizing you didn’t use a PIN or a security badge to enter the area. Those skilled in piggybacking
watch authorized personnel enter secure areas and wait for the opportune time to join them quickly at
the security entrance. They count on human nature and the desire of others to be polite and hold open
a secured door.

Preventive measures
 Use turnstiles (a form of gate which allows one person to pass at a time) at areas where
piggybacking can occur
 Train personnel to notify security; when they notice a stranger in a restricted area.
 Ensure all employees use access cards to gain entry.

PHISHING

A type of attack carried out by e-mail; e-mails includes links to fake Web sites intended to
entice victims into disclosing private information or installing malware.
The targets are contacted by email, telephone or text message by someone posing as a
legitimate institution to lure individuals into providing sensitive data such as personally identifiable
information, banking and credit card details, and passwords.

Spear phishing

A type of phishing attack that targets specific people in an organization,using information

gathered from previous reconnaissance and footprinting.
28
PORT SCANNING
Port scanning, also referred to as service scanning, is the process of examining a range of IP
addresses to determine what services are running on a system or network.

Open ports : An open port allows access to applications and can be vulnerable to an attack.
Closed ports : Ports that aren’t listening or responding to a packet.
Filtered ports : Ports protected with a network-filtering device, such as a firewall.

Port scanning helps you answer questions about open ports and services by enabling you to
scan thousands or even tens of thousands of IP addresses quickly. Many port-scanning tools produce
reports of their findings, and some give you best-guess assessments of which OS is running on a
system. Most scanning programs report open ports, closed ports, and filtered ports in a matter of
seconds.

When a Web server needs to communicate with applications or other computers, for example,
port 80 is opened. A closed port doesn’t allow entry or access to a service. For instance, if port 80 is
closed on a Web server, users can’t access Web sites. A port reported as filtered might indicate that a
firewall is being used to allow specified traffic into or out of the network.

Objectives of Port scanning

 Determining the system is alive?
 Identifying both the TCP and UDP services running on the target system.
 Identifying the type of operating system of the target system
 Identifying specific applications or versions of a particular service.

Types of port scans

● SYN scan—In a normal TCP session, a packet is sent to another computer with the SYN flag set.
The receiving computer sends back a packet with the SYN/ACK flag set, indicating an
acknowledgment. The sending computer then sends a packet with the ACK flag set. If the port the
SYN packet is sent to is closed, the computer responds with an RST/ACK (reset/acknowledgment)
packet. If an attacker’s computer receives a SYN/ACK packet, it responds quickly with an RST/ACK
packet, closing the session.

This is done so that a full TCP connection is never made and logged as a transaction. In this sense,
it’s “stealthy.” After all, attackers don’t want a transaction logged showing their connection to the
attacked computer and listing their IP addresses.

● Connect scan—This type of scan relies on the attacked computer’s OS, so it’s a little more risky to
use. A connect scan is similar to a SYN scan, except that it does complete the three-way handshake.
This means the attacked computer most likely logs the transaction or connection, indicating that a

29
session took place. Therefore, unlike a SYN scan, a connect scan isn’t stealthy and can be detected
easily.

● NULL scan—In a NULL scan, all packet flags are turned off. A closed port responds to a NULL
scan with an RST packet, so if no packet is received, the best guess is that the port is open.

● XMAS scan—In this type of scan, the FIN, PSH, and URG flags are set. Closed ports respond to
this type of packet with an RST packet. This scan can be used to determine which ports are open. For
example, an attacker could send this packet to port 53 on a system and see whether an RST packet is
returned. If not, the DNS port might be open.

● ACK scan—Attackers typically use ACK scans to get past a firewall or other filtering device. A
filtering device looks for the SYN packet, the first packet in the three-way handshake, that the ACK
packet was part of. Remember this packet order: SYN, SYN/ACK, and ACK. If the attacked port
returns an RST packet, the packet filter was fooled, or there’s no packet-filtering device. In either
case, the attacked port is considered to be “unfiltered.”

● FIN scan—In this type of scan, a FIN packet is sent to the target computer. If the port is closed, it
sends back an RST packet. When a three-way handshake ends, both parties send a FIN packet to end
the connection.

● UDP scan—In this type of scan, a UDP packet is sent to the target computer. If the port sends back
an ICMP “Port Unreachable” message, the port is closed. Again, not getting that message might
imply the port is open, but this isn’t always true. A firewall or packet-filtering device could
undermine your assumptions.

Port scanning tools

Nmap

Nmap ("Network Mapper") is a free and open source (license) utility for network discovery
and security auditing. Many systems and network administrators also find it useful for tasks such as
network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what
services (application name and version) those hosts are offering, what operating systems (and OS
versions) they are running, what type of packet filters/firewalls are in use, and dozens of other
characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.

Nmap runs on all major computer operating systems, and official binary packages are
available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap
executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data
transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a
packet generation and response analysis tool (Nping).

30
Nmap is ...

Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP
filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms
(both TCP & UDP), OS detection, version detection, ping sweeps, and more.

Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of
machines.

Portable: Most operating systems are supported, including Linux, Microsoft

Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun
OS, Amiga, and more.

Easy: While Nmap offers a rich set of advanced features for power users, you can start out as
simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI)
versions are available to suit your preference. Binaries are available for those who do not
wish to compile Nmap from source.

Free: The primary goals of the Nmap Project is to help make the Internet a little more secure
and to provide administrators/auditors/hackers with an advanced tool for exploring their
networks. Nmap is available for free download, and also comes with full source code that you
may modify and redistribute under the terms of the license.

Well Documented: Significant effort has been put into comprehensive and up-to-date man
pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.

Supported: While Nmap comes with no warranty, it is well supported by a vibrant

community of developers and users.

Popular: Thousands of people download Nmap every day, and it is included with many
operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc).

OpenVAS

OpenVAS is a framework of several services and tools offering a comprehensive and powerful
vulnerability scanning and vulnerability management solution. The framework is part of Greenbone
Networks' commercial vulnerability management solution from which developments are contributed
to the Open Source community since 2009.
All OpenVAS products are Free Software. Most components are licensed under the GNU General
Public License (GNU GPL).

31
The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools.
The core of this SSL-secured service-oriented architecture is the OpenVAS Scanner. The scanner
very efficiently executes the actual Network Vulnerability Tests (NVTs) which are served via
the OpenVAS NVT Feed or via a commercial feed service.

The OpenVAS Manager is the central service that consolidates plain vulnerability scanning into a
full vulnerability management solution. The Manager controls the Scanner via OTP (OpenVAS
Transfer Protocol) and itself offers the XML-based, stateless OpenVAS Management Protocol
(OMP). All intelligence is implemented in the Manager so that it is possible to implement various
lean clients that will behave consistently e.g. with regard to filtering or sorting scan results. The
Manager also controls a SQL database (sqlite-based) where all configuration and scan result data is
centrally stored. Finally, Manager also handles user management includiung access control with
groups and roles.

OpenVAS CLI contains the command line tool "omp" which allows to create batch processes to
drive OpenVAS Manager. Another tool of this package is a Nagios plugin.

Nessus
Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and
Exposures architecture for easy cross-linking between compliant security tools. Nessus employs the
Nessus Attack Scripting Language (NASL), a simple language that describes individual threats and
potential attacks.

Nessus has a modular architecture consisting of centralized servers that conduct scanning, and remote
clients that allow for administrator interaction. Administrators can include NASL descriptions of all
suspected vulnerabilities to develop customized scans.

32
 Significant capabilities of Nessus include:

 Compatibility with computers and servers of all sizes.

 Detection of security holes in local or remote hosts.
 Detection of missing security updates and patches.
 Simulated attacks to pinpoint vulnerabilities.
 Execution of security tests in a contained environment.
 Scheduled security audits.

The Nessus server is currently available for Unix, Linux and FreeBSD. The client is available for
Unix- or Windows-based operating systems.

Unicornscan
Unicornscan was developed to assist security testers in conducting tests on large networks
and to consolidate many of the tools needed for large-scale endeavors. The developers thought that
many current products were too slow at scanning thousands of IP addresses. Also, maintaining
several security tools can be daunting, so the Unicornscan developers created a product to meet all the
needs of security testers.

Features:

 Asynchronous stateless TCP banner grabbing

 Asynchronous protocol specific UDP Scanning (sending enough of a signature to elicit a
response).
 Active and Passive remote OS, application, and component identification by analyzing
responses.
 PCAP file logging and filtering.
 Relational database output.
 Custom module support.
 Customized data-set views.

PING SWEEP

Port scanners can also be used to conduct a ping sweep of a large network to identify which
IP addresses belong to active hosts. In other words, to find out which hosts are “live,” ping sweeps
simply ping a range of IP addresses and see what type of response is returned.

The problem with relying on ping sweeps to identify live hosts is that a computer might be
shut
down at the time of the sweep and indicate that the IP address doesn’t belong to a live host.

33
 Another problem with ping sweeps is that many network administrators configure nodes to
not respond to an ICMP Echo Request (type 8) with an ICMP Echo Reply (type 0). This response
doesn’t mean the computer isn’t running; it just means it isn’t replying to the attack computer.

Another problem is that a firewall filtering out ICMP traffic, and you have many reasons
for using caution when running ping sweeps.

Many tools can be used to conduct a ping sweep of a network:

Fping :An enhanced Ping utility for pinging multiple targets simultaneously.
With the Fping tool (www.fping.com), you can ping multiple IP addresses simultaneously.
Fping, included on the BackTrack DVD, can accept a range of IP addresses entered at a command
prompt, or you can create a file containing multiple IP addresses and use it as input for the Fping
command. For example, the fping -f ip_address.txt command uses ip_address.txt, which contains a
list of IP addresses, as its input file. The input file is usually created with a shell-scripting language so
that you don’t need to type the thousands of IP addresses needed for a ping sweep

Hping :An enhanced Ping utility for crafting TCP and UDP packets to be used in port scanning
activities.
Hping tool (www.hping.org/download) can also be used to perform ping sweeps. However,
many security testers use it to bypass filtering devices by injecting crafted or otherwise modified IP
packets. This tool offers a wealth of features, and security testers should spend as much time as
possible learning this advanced port-scanning tool.

CRAFTING IP PACKETS

Packets contain source and destination IP addresses as well as information about the flags
you learned earlier: SYN, ACK, FIN, and so on. You can create a packet with a specific flag set. For
example, if you aren’t satisfied with the response you get from the host computer after sending a SYN
packet, you can create another packet with the FIN flag set. The SYN flag might have returned a
“closed port” message, but a FIN packet sent to the same computer might return a “filtered port”
message. You can craft any type of packet you like.

Hping and Fping are helpful tools for crafting IP packets

34
Module III Operating System Vulnerabilities
[ Windows OS vulnerabilities - Windows file system, Windows RPC, NetBIOS, Server Message
Block, common Internet File System, Null sessions, Web Services, Buffer overflows, Windows passwords
and authentication, Tools for identifying Windows vulnerabilities, Hardening Windows systems
Linux OS vulnerabilities - Tools for identifying Linux vulnerabilities, Countermeasures against
Linux attacks ]

WINDOWS OS VULNERABILITIES

■Default installations of Windows OSs can contain serious vulnerabilities that attackers exploit. The
CVE Web site is a good place to start when checking for Windows vulnerabilities.

■ Vulnerabilities in Windows file systems include lack of ACL support in FAT and risk of
malicious ADSs in NTFS.

■ Other Windows vulnerabilities involve RPC, an inter process communication mechanism that
allows a program running on one host to run code on a remote host; NetBIOS, which is still used for
backward compatibility; and SMB, which is also still used for backward compatibility and contains a
vulnerability that enables attackers to intercept SMB traffic and collect usernames and password
hashes.

■ In Windows, null sessions and default installations can leave passwords blank and resources
unprotected, causing major problems.

■ Many Windows services leave systems vulnerable to attack, especially Web services and IIS in
particular. The IIS Lockdown Wizard is available for locking down IIS versions 4.0 and 5.0, but
clients should be encouraged to upgrade to the most recent IIS version.

Windows File system

The purpose of any file system, regardless of the OS, is to store and manage information.
The
file system organizes information that users create as well as the OS files needed to boot the
system, so the file system is the most vital part of any OS. In some cases, this critical component
of the OS can be a vulnerability.

File Allocation Table File Allocation Table (FAT)

File Allocation Table File Allocation Table (FAT), the original Microsoft file system, is
supported by nearly all desktop and server OSs.

Versions
FAT12 , FAT16, FAT32, and Extended FAT (exFAT, developed for Windows Embedded CE),
provide for larger file and disk sizes. For example, FAT32 allows a single file to be up to 4 GB and a
disk volume to be up to 8 terabytes (TB).
35
 The most serious drawback of FAT is that it doesn’t support file-level access control lists
(ACLs), which are necessary for setting permissions on files. For this reason, using FAT in a
multiuser environment results in a critical vulnerability.

NTFS New Technology File System (NTFS)

NTFS New Technology File System (NTFS) was first released as a high-end file system in
Windows NT 3.1, and in Windows NT 3.51.

Features

 added support for larger files and disk volumes

 ACL file security
 Subsequent Windows versions have included upgrades for compression,disk quotas,
journaling, file-level encryption, transactional NTFS, symbolic links, and self-healing.

Even with strong security features, NTFS has some inherent vulnerabilities. For example, one little-
known NTFS feature is alternate data streams (ADSs), written for compatibility with Apple
Hierarchical File System (HFS). information behind existing files without affecting their function,
size, or other information, which makes it possible for system intruders to hide exploitation tools and
other malicious files.

REMOTE PROCEDURE CALL

Remote Procedure Call (RPC) is an interprocess communication mechanism that allows a

program running on one host to run code on a remote host. RPC uses client/server model. The
requesting program is a client and the service providing program is the server. The client stub act as a
proxy for the remote procedure. The server stub acts as a correspondent to the client stub.

36
 The Conficker worm took advantage of a vulnerability in RPC to run arbitrary code on
susceptible hosts. Microsoft advised users of this critical vulnerability that allowed attackers to run
their own code and offered a patch to correct the problem.

Microsoft Baseline Security Analyzer (MBSA) is an excellent tool for determining whether a
system is vulnerable because of an RPC-related issue.

NetBIOS
Network resources are identified with 16-byte NetBIOS names. NetBIOS isn’t a protocol; it’s
just the interface to a network protocol that enables a program to access a network resource. It usually
works with NetBIOS Extended User Interface (NetBEUI), a fast, efficient protocol that requires little
configuration and allows transmitting NetBIOS packets over TCP/IP and various network topologies,
such as token ring and Ethernet. NetBIOS over TCP/IP is called NBT in Windows 2000 Server; in
Windows Server 2003, it’s called NetBT. (NetBIOS isn’t available in Windows Vista, Server 2008,
and later versions of Windows.)
Systems running newer Windows OSs can share files and resources without using NetBIOS;
however, NetBIOS is still used for backward compatibility. As long as newer Windows OSs have to
work with older NetBIOS-based systems, security will always be a challenge.

Server Message Block (SMB)

In Windows, Server Message Block (SMB) is used to share files and usually runs on top of
NetBIOS, NetBEUI, or TCP/IP. Several hacking tools that target SMB can still cause damage
to Windows networks. Two well-known SMB hacking tools are L0phtcrack’s SMB Packet
Capture utility and SMBRelay, which intercept SMB traffic and collect usernames and password
hashes.

Common Internet File System (CIFS)

Common Internet File System (CIFS) is a standardized protocol that replaced SMB in
Windows 2000 Server and later, but to allow backward compatibility, the original SMB is still used.
CIFS is a remote file system protocol that enables computers to share network resources over the
Internet. In other words, files, folders, printers, and other resources can be made available to users
throughout a network. For sharing to occur, there must be an infrastructure that allows placing these
resources on the network and a method to control access to resources. CIFS relies on other protocols
to handle service announcements notifying users what resources are available on the network and to
handle authentication and authorization for accessing these resources. CIFS is also available for many
*nix systems.

To share files and folders, CIFS relies on SMB, but it offers many enhancements, including the
following:

● Locking features that enable multiple users to access and update a file simultaneously without
conflicts
● Caching and read-ahead/write-behind capability
37
● Support for fault tolerance
● Capability to run more efficiently over slow dial-up lines
● Support for anonymous and authenticated access to files to improve security

To prevent unauthorized access to these files, CIFS relies on SMB’s security model. An administrator
can select two methods for server security:
 Share-level security—A folder on a disk is made available to users for sharing. A password
can be configured for the share but isn’t required.
 User-level security—The resource is made available to network users; however, a username
and password are required to access the resource. The SMB server maintains an encrypted
version of users’ passwords to enhance security.

NULL SESSIONS

Null session is an anonymous connection established without credentials, such as a

username and password. Also called an anonymous logon, a null session can be used to display
information about users, groups, shares, and password policies. Null sessions are necessary only if
networks need to support older Windows versions. Nonetheless, many organizations still have null
sessions enabled, even though all their old Windows systems have been removed from the network.

Web services

Many Windows services leave systems vulnerable to attack, especially Web services and IIS in
particular.

Buffer overflows
Buffer overflow occurs when data is written to a buffer (temporary memory space) and,
because of insufficient bounds checking, corrupts data in memory next to the allocated buffer.
Normally, this problem occurs when copying strings of characters from one buffer to another.

Because of design flaws, several functions don’t verify that the text they generate fits in the
buffer supplied to hold them. If this lack of verification is exploited, it can allow attackers to run shell
code. Both C and C++ lack built-in protection against overwriting data in memory, so applications
written in these languages are vulnerable to buffer overflow attacks. Because these programming
languages are widely used, buffer overflow vulnerabilities are prevalent in many applications and
OSs.

Buffer overflow attacks don’t require an authenticated user and can be carried out remotely.

PASSWORDS AND AUTHENTICATION

The weakest security link in any network is authorized users. A comprehensive password
policy to be adopted by companies to address this issue.
A password policy should include the following:

38
● Change passwords regularly on system-level accounts (every 60 days at minimum).
● Require users to change their passwords regularly (at least quarterly).
● Require a minimum password length of at least eight characters (and 15 characters for
administrative accounts).
● Require complex passwords; in other words, passwords must include letters, numbers, symbols,
punctuation characters, and preferably both uppercase and lowercase letters.
● Passwords can’t be common words, words found in the dictionary (in any language), or slang,
jargon, or dialect.
● Passwords must not be identified with a particular user, such as birthdays, names, or company-
related words.
● Never write a password down or store it online or in a file on the user’s computer.
● Don’t hint at or reveal a password to anyone over the phone, in e-mail, or in person.
● Use caution when logging on to make sure no one sees you entering your password.
● Limit reuse of old passwords.

TOOLS FOR IDENTIFYING VULNERABILITIES IN WINDOWS

Popular OS vulnerability scanners

 eEye Retina, Tenable Nessus, QualysGuard, GFI Languard, OpenVAS ( These are used for
both windows and Linux scanner )
 Microsoft baseline Security Analyser (MBSA) is a built in windows tool.

MBSA performs the following actions during a scan:

 Checks for available updates to the operating system, Microsoft Data Access Components
(MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server.
 Scans a computer for insecure configuration settings. When MBSA checks for Windows
service packs and patches, it includes in its scan Windows components, such as Internet
Information Services (IIS) and COM+.
 Uses Microsoft Update and Windows Server Update Services (WSUS) technologies to
determine what updates are needed.

HARDENING WINDOWS SYSTEMS

A security tester must not only find vulnerabilities; he or she must be familiar with methods of
correcting them. There are some general things you can do to make and keep a network secure.

 Patching systems
 Antivirus solutions
 Enable logging and review logs regularly
39
  Disable unused services and filtering ports
 Other security practices
 Use TCP/IP filtering.
 Delete unused scripts and sample applications.
 Delete default hidden shares and unnecessary shares.
 Use a different unique naming scheme and passwords for public interfaces.
 Be careful of default permissions.
 Use packet-filtering technologies such as firewalls
 Use open-source or commercial tools to assess system security.
 Use a file-integrity checker to monitor unauthorized file system modifications
 Disable the Guest account.
 Rename the default Administrator account.
 Make sure there are no accounts with blank passwords.

LINUX OS VULNERABILITIES

Like any OS, linux can be made more secure if users are aware of its vulnerabilities and keep
current on new releases and fixes. A typical linux distribution has thousands of packages developed
by many contributors around the world. These programming flaws may lead to vulnerabilities.

40
Samba

To address the issue of interoperability, a group of programmers created Samba

(www.samba.org) in 1992 as an open-source implementation of CIFS. With Samba, *nix servers
can share resources with Windows clients, and Windows clients can access a *nix resource without
realizing that the resource is on a *nix computer.

Linux vulnerabilities found at CVE

Tools for identifying Linux vulnerabilities

 Visiting the CVE website for discovering possible vulnerabilities

Tools

 Open VAS – is an enumeration tool used widely.

 chkrootkit ,Tripwire - can detect rootkits installed on Linux systems

41
  SELinux – is a built-in tool available for configuring linux systems securely.
 Nikto – web vulnerability scanner for linux
 Metasploit – is apenetration testing tool

Countermeasures against Linux attacks

 User awareness training

 Keeping current – do not run outdated versions
 Secure configuration – Built-in Linux tools, such as SELinux, are available for
configuring systems securely. In addition, free benchmark tools are available from the
Center for Internet Security, and commercial tools with templates can be used to
tighten security configurations quickly and easily.

42
MODULE – IV: Hacking Web Servers and Wireless Networks
[ Web server hacking - Web applications and their components - Web application vulnerabilities
and countermeasures - Tools for web attackers and hackers
Wireless hacking - Wireless network technology - Components of a wireless network –
Wardriving - Tools for wireless hacking - Countermeasures against wireless attacks ]

Web Server Hacking

 Web server stored valuable information and are accessible to the public domain. This makes
them targets for attackers.
 The commonly used web servers include Apache and Internet Information Service IIS
 Attacks against web servers take advantage of the bugs and Misconfiguration in the operating
system, web servers, and networks
 Popular web server hacking tools include Neosploit, MPack, and ZeuS.
 A good security policy can reduce the chances of been attacked

Types of Web Servers

The following is a list of the common web servers

 Apache– This is the commonly used web server on the internet. It is cross platform but is it’s
usually installed on Linux. Most PHP websites are hosted on Apache servers.
 Internet Information Services (IIS)– It is developed by Microsoft. It runs on Windows and
is the second most used web server on the internet. Most asp and aspx websites are hosted on
IIS servers.
 Apache Tomcat – Most Java server pages (JSP) websites are hosted on this type of web
server.
 Other web servers – These include Novell's Web Server and IBM’s Lotus Domino servers.

Types of Attacks against Web Servers

Directory traversal attacks– This type of attacks exploits bugs in the web server to gain
unauthorized access to files and folders that are not in the public domain. Once the attacker has
gained access, they can download sensitive information, execute commands on the server or install
malicious software.

 Denial of Service Attacks– With this type of attack, the web server may crash or become
unavailable to the legitimate users.
 Domain Name System Hijacking – With this type of attacker, the DNS setting are changed
to point to the attacker’s web server. All traffic that was supposed to be sent to the web server
is redirected to the wrong one.
 Sniffing– Unencrypted data sent over the network may be intercepted and used to gain
unauthorized access to the web server.
 Phishing– With this type of attack, the attack impersonates the websites and directs traffic to
the fake website. Unsuspecting users may be tricked into submitting sensitive data such as
login details, credit card numbers, etc.
 Pharming– With this type of attack, the attacker compromises the Domain Name System
(DNS) servers or on the user computer so that traffic is directed to a malicious site.
43
  Defacement– With this type of attack, the attacker replaces the organization’s website with a
different page that contains the hacker’s name, images and may include background music
and messages.

Effects of successful attacks

 An organization’s reputation can be ruined if the attacker edits the website content and
includes malicious information or links to a porn website
 The web server can be used to install malicious software on users who visit the
compromised website. The malicious software downloaded onto the visitor’s computer can
be a virus, Trojan or Botnet Software, etc.
 Compromised user data may be used for fraudulent activities which may lead to business
loss or lawsuits from the users who entrusted their details with the organization

How to avoid attacks on Web server

An organization can adopt the following policy to protect itself against web server attacks.

 Patch management– this involves installing patches to help secure the server. A patch is an
update that fixes a bug in the software. The patches can be applied to the operating system
and the web server system.
 Secure installation and configuration of the operating system
 Secure installation and configuration of the web server software
 Vulnerability scanning system– these include tools such as Snort, NMap, Scanner Access
Now Easy (SANE)
 Firewalls can be used to stop simple DoS attacks by blocking all traffic coming the identify
source IP addresses of the attacker.
 Antivirus software can be used to remove malicious software on the server
 Disabling Remote Administration
 Default accounts and unused accounts must be removed from the system
 Default ports & settings should be changed to custom port & settings

Web application and their components

Normally, a Web application is supported by a Web server that runs on a general-purpose or
embedded OS. Each component (application, server, and OS) has its own set of vulnerabilities, but
when these components are combined, there’s an increased risk of Web applications being
compromised. Skilled hackers can often exploit a minor vulnerability in one function, such as a Web
mail application, and use it as a stepping stone to launch additional attacks against the OS. With all
the available platforms and e-commerce Web sites, it’s no wonder that security vulnerabilities
abound.

44
Common examples for web application components are:

 Web forms
 Common Gateway Interface (CGI)
 Active Server pages (ASP)
 Web servers
 PHP
 Cold Fusion
 VB script, Javascript
 OLE DB(Object Linking and Embedding database), ODBC
 Active x Data objects

Web application vulnerabilities and countermeasures

After attackers gain control of a Web server, they can do the following:

● Deface the Web site.

● Destroy the company’s database or offer to sell its contents.
● Gain control of user accounts.
● Launch secondary attacks from the Web site or infect site visitors’ systems with
malware.
● Gain root access to other application servers that are part of the network infrastructure.

Open Web Application Security Project (OWASP) is a not-for-profit foundation dedicated

to finding and fighting the causes of Web application vulnerabilities. OWASP (www.owasp.org)
publishes the Ten Most Critical Web Application Security Vulnerabilities paper, which has been built
into the Payment Card Industry (PCI) Data Security Standard (DSS).

1. Cross-site scripting (XSS) flaws—In this vulnerability, a Web browser might carry out code sent
from a Web site. Attackers can use a Web application to run a script on the Web browser of the
system they’re attacking. XSS is one of the easiest types of attacks to perform, which also makes it
one of the most common; attackers simply save the form to their local computers and change the form
field values. Luckily, this type of attack is also one of the easiest to protect against by making sure
that any “post” action is coming from your Web site.

2.Injection flaws—Many Web applications pass parameters when accessing an external system. For
example, a Web application that accesses a database server needs to pass logon information to the
database server. An attacker can embed malicious code and run a program on the database server or
send malicious code in an HTTP request. Basically, the attacker is tricking the Web application into
running malware or making unauthorized changes to data.

3. Malicious file execution—Some Web applications allow users to reference or upload files
containing malware. If these references or files aren’t checked before the Web application executes
them, they can give attackers complete control of the system.
45
4. Unsecured direct object reference—This vulnerability occurs when information returned via the
URL to a user’s Web browser contains information (references) about files, directories, or database
records. By simply changing the information in the URL, attackers can gain unauthorized access to
information. For example, a Web application from the IRS with this vulnerability might show your
Social Security number in the URL returned to your Web browser. By changing the SSN in the URL
and sending it back to the Web application, you could then access another person’s information.

5.Cross-site request forgery (CSRF)—This vulnerability is also known as a one-click or session-

riding attack. To send malicious code to a Web application, the attacker exploits a Web browser that
has already been authenticated and is, therefore, trusted. Because the malicious code is coming from a
trusted Web browser, it’s normally executed without being checked or validated. This vulnerability
can be extremely dangerous.

6. Information leakage and incorrect error handling—If an error occurs during normal operations
and isn’t handled correctly, information sent to users might reveal information attackers can use. For
example, attackers can take advantage of error messages that reveal what was executed on the stack
or indicate what Web software is used.

7. Broken authentication and session management— These vulnerabilities enable attackers to

compromise passwords or session cookies to gain access to accounts. To reduce this risk, using strong
authentication methods is critical, and credentials must be kept secret. You can also incorporate back-
end servers to authenticate credentials instead of just relying on the Web server.

8. Unsecured cryptographic storage—Storing keys, certificates, and passwords on a Web server can
be dangerous. If an attacker can gain access to these mechanisms, the server is vulnerable to attack.
To decrease the chances of a compromise, don’t store confidential data, such as customers’ credit
card numbers, on your Web server. Instead, require that confidential data be entered each time users
visit the Web site.

9. Unsecured communication—Connections between the Web browser and the Web application
should be encrypted to protect information as it travels across the Internet. Web applications need to
encrypt not only the session to the Web browser, but also sessions to any other servers, such as back-
end databases. This vulnerability occurs when sessions are left unencrypted. The PCI DSS requires
encrypting all credit card information sent over any network, whether it’s the Internet or a private
LAN.

10.Failure to restrict URL access—This vulnerability occurs when developers don’t use
adequate access controls for URLs. Instead, they rely on a “security through obscurity” model, which
depends on users simply not being aware of the location of critical files and directories. It’s like
assuming that because a door isn’t advertised as unlocked, no one will try to open it.

Web server attack tools

46
Some of the common web server attack tools include;

 Metasploit– this is an open source tool for developing, testing and using exploit code. It can
be used to discover vulnerabilities in web servers and write exploits that can be used to
compromise the server.
 MPack– this is a web exploitation tool. It was written in PHP and is backed by MySQL as
the database engine. Once a web server has been compromised using MPack, all traffic to it is
redirected to malicious download websites.
 Zeus– this tool can be used to turn a compromised computer into a bot or zombie. A bot is a
compromised computer which is used to perform internet-based attacks. A botnet is a
collection of compromised computers. The botnet can then be used in a denial of service
attack or sending spam mails.
 Neosplit – this tool can be used to install programs, delete programs, replicating it, etc.
 Cgiscan: A CGI Scanning Tool

Wapiti
Wapiti is a Web application vulnerability scanner that uses a black box approach, meaning it doesn’t
inspect code. Instead, it inspects a Web site by searching from the outside for ways to take advantage
of XSS, SQL, PHP, JSP, and file-handling vulnerabilities. Although Wapiti can detect common forms
that allow uploads or command injection, it uses what’s called “fuzzing”—trying to inject data into
whatever will accept it. In this way, even new vulnerabilities can be discovered. Other scanners
search for only known vulnerability signatures. Wapiti is just one of the many Web application
vulnerability tools included on this book’s DVD. To start it, use the wapiti http://URL command
(replacing URL with the URL of the Web site you’re inspecting) in a Konsole shell.

Wfetch
If you’re tired of all these text-mode programs, Wfetch is a GUI tool that can be downloaded free
from Microsoft and is included in the IIS Resource Kit. The 1.4 version works in Windows XP
through Windows 7. Microsoft warns users that Wfetch has advanced features that might expose a
server to potential security risks, so be careful. Despite these cautions, this helpful tool enables
security testers to query a Web server’s status and attempt authentication by using any of the methods
in the fourth bullet in the following list. Wfetch 1.4 offers these features:
● Multiple HTTP methods, such as GET, HEAD, TRACE, POST, and OPTIONS
● Configuration of hostname and TCP port
● HTTP 1.0 and HTTP 1.1 support
47
● Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiate authentication types
● Multiple connection types, such as HTTP, HTTPS, PCT 1.0, SSL 2.0, SSL 3.0, and TLS 3.1
● Proxy support
● Client-certificate support
● Capability to enter requests manually or have them read from a file
● Onscreen and file-based logging

WIRELESS HACKING
The term “wireless” is generally used to describe equipment and technologies operating in the
radio frequency (RF) spectrum between 3 Hz and 300 GHz. Examples of wireless equipment include
cell phones, AM/FM radios, wireless networking devices, and radar systems. Most wireless
networking equipment operates in a smaller portion of the RF spectrum, between 2.4 GHz and 66
GHz..

Components of a wireless network

Any network needs certain components to work: communication devices to transmit and
receive signals, protocols, and a medium for transmitting data. On a typical LAN, these components
are network interface cards (NICs), TCP/IP, and an Ethernet cable (the wire serving as the connection
medium). As complex as wireless networks might seem, they too have only a few basic components:

 Wireless network interface cards (WNICs), which transmit and receive wireless signals, and
access points (APs), which are the bridge between wired and wireless networks
 Wireless networking protocols, such as Wi-Fi Protected Access (WPA)
 A portion of the RF spectrum, which replaces wire as the connection medium

Access Points
An access point (AP) is a radio transceiver that connects to a network via an Ethernet cable
and bridges a wireless LAN (WLAN) with a wired network. An AP enables users to connect to a
LAN with wireless technology. It can be configured to transmit and receive only within a defined area
or square footage, depending on the technology. It’s possible to have a wireless network that doesn’t
connect to a wired network, such as a peer-to-peer network, but this topology isn’t covered because
security testers are seldom, contracted to secure a peer-to-peer wireless network. Most companies
where you conduct security tests use a WLAN that connects to the company’s wired network
topology.

48
Service Set Identifiers

A service set identifier (SSID) is the name used to identify a WLAN, much the same way a
workgroup is used on a Windows network. An SSID is configured on the AP as a unique, 1- to 32-
character, case-sensitive alphanumeric name. For wireless-enabled computers to access the WLAN
the AP connects to, they must be configured with the same SSID as the AP. The SSID name, or
“code,” is attached to each packet to identify it as belonging to that wireless network. The AP usually
beacons (broadcasts) the SSID several times a second so that users who have WNICs can see a
display of all WLANs within range of the AP’s signal. In Figure 11-2, the Windows Vista wireless
connection manager
shows SSIDs advertised by APs within range of the wireless computer. Some WNICs come with
built-in wireless connection software that looks different from the Windows utility.
Wireless NICs
For a computer to be able to send information over any medium, it must follow the rules for
the medium it’s traversing, so the correct software and drivers for the NIC must be installed. For
example, data traveling over a copper wire must follow rules for how Ethernet signals are sent over
that medium. For wireless technology to work, each node or computer must have a WNIC, which
converts the radio waves it receives into digital signals the computer understands.
There are many WNICs on the market, but be careful deciding which one to purchase if
you’re considering using specific tools for detecting APs and decrypting WEP keys or using antennas
that can cover a large distance. For instance, AirCrack NG, a program for cracking WEP encryption
on a WLAN, requires using a specific chipset on a WNIC, so only certain brands of WNICs can be
used.

WAR DRIVING
To conduct war driving, an attacker or a security tester simply drives around with a laptop
computer containing a WNIC, an antenna, and software that scans the area for SSIDs. Not all WNICs
are compatible with scanning software, so you might want to look at the software requirements first
before purchasing the hardware. Antenna prices vary, depending on their quality and the range they
can cover. Some are as small as a cell phone’s antenna, and some are as large as a bazooka, which
you might have seen in old war films. The larger ones can sometimes return results on networks miles
away from the attacker. The smaller ones might require being in close proximity to the AP. Most
scanning software detects the company’s SSID, the type of security enabled, and the signal strength,
indicating how close the AP is to the attacker. Because attacks against WEP are simple and attacks
49
against WPA are possible, any 802.11 connection not using WPA2 should be considered inadequately
secured.

Tools for war driving

WLANs can be attacked with many of the same tools used for hacking wired LANs.
For eg. Wireshark( sniffer) can also be used to scan WLANs.
 NetStumbler – is a freeware tool for windows to detect WLANs.
 iwScanner
 Kismet – can detect hidden network SSIDs. It is a passive scanner.

Countermeasures against wireless attack

Some methods for protecting a wireless network are disabling SSID broadcasts, renaming default
SSIDs, using an authentication server, placing the AP in the DMZ , using EAP , upgrading to WPA2,
assigning static IP addresses to wireless clients and using router to filter unauthorized MAC and IP
addresses and prevent them from having network access.

 Use anti-war driving software to make it more difficult for attackers to discover your WLAN.
 There are measures for preventing radio waves from leaving or entering a building so that
wireless technology can be used only by people in the facility. One is using a certain type of
paint on the walls.
 Use a router to filter unauthorized MAC and IP addresses and prevent them from having
network access.
 Use an authentication server such as RADIUS that can refer all users to a server.
 Use EAP, which allows using different protocols that enhance security.
 Place access point in the demilitarized zone (DMZ) and use firewall .
 Assign static IP addresses to wireless clients instead of using DHCP.
 Change the default SSID and disable SSID broadcasts.

50