ON ETHICAL HACKING
Done by VIMUKT
At
Submitted to
HACK’ER /’ha-ker/ (noun): the intellectual challenge of creatively overcoming limitations.
BONAFIDE CERTIFICATE
Certified that this Winter Training Report is the work of VIMUKT (Enrollment No.:
41496302816), who carried out the work at Kyrion Technologies Pvt. Ltd., 1009,
Indraprakash Building, Barakhamba Road, Connaught Place, New Delhi-110001.
ACKNOWLEDGEMENT
It is always a pleasure to remember the fine people in the Engineering program for the
sincere guidance I received to uphold my practical as well as theoretical skills in
engineering.
Firstly I would like to thank Prof. K.P. Chaudhary (Director of Maharaja Surajmal
Institute of Technology) for meticulously planning the academic curriculum in such a
way that students are not only academically sound but also industry ready.
I would also like to thank Ms. Dileep Kumar Dwivedi (Class In charge) for the
positive attitude she showed for my work, always allowing me to question him and
giving prompt replies for my uncertainties in all the fields including educational,
social and managerial work.
I would also like to acknowledge with heartfelt gratitude Dr. Pardeep Sangwan
(HOD), who continuously supported me in every possible way, from initial advice to
encouragement till this date.
I express my immense pleasure and deep sense of gratitude to Ms. Aanchal Aggarwal,
teacher at Kyrion Technologies Pvt. Ltd., for her cooperation and guidance. I am also
thankful to her lab assistant, who provided staunch support throughout this training
and helped me to complete the training successfully.
TABLE OF CONTENTS
4. System Hacking
4.1. Goals of System Hacking
6.4. Active Sniffing Attacks
7. Social Engineering
9. Session Hijacking
9.1. Session Hijacking and its types
9.2. Session Hijacking Process
9.3. Session Hijacking Levels
12. Cryptography
12.1. Introduction to Cryptography
CHAPTER 1
Ethical hackers are expected to report all the vulnerabilities and weakness found
during the process to the management.
Research to date indicates that criminal computer behaviour is on the rise and will
continue to be so for the next few years. Therefore it is important that we develop a
reasonable understanding of those people who become involved; elements of this
understanding must include personality characteristics, motivations, and what attracts
these criminals in the first place.
Bruce Schneier, the well-known information security guru, states: “In this same vein,
computer networks have been plagued for years by hackers breaking into them. But
these people aren’t breaking into systems for profit; they don’t commit fraud or theft.
They’re breaking into systems to satisfy their intellectual curiosity, for the thrill, and
just to see if they can… Hackers’ traditional and common defence is that they’re
breaking into systems to test their security. They say the only way to learn about
computer and network security is to attack systems. Never mind that these hackers
don’t own the systems they’re breaking into; that’s just the excuse.” He points out that
there is an ongoing controversial discussion about whether hackers are genuinely
committing criminal acts while intruding into a network: “‘I was only
testing security’ is not a valid defence. For years, we in the computer security field
have heard that excuse. Because the hacker didn’t intend harm, because he just broke
into the system and merely looked around, it wasn’t a real crime. Here’s a thought for
you: imagine you return home and find the following note attached to your
refrigerator: ‘I was testing the security of back doors in the neighborhood and found
yours unlocked. I just looked around. I didn’t take anything. You should fix your
lock.’ Would you feel violated? Of course you would.”
No matter how deeply we discuss this topic in theory, one fact remains: hackers are
something of a myth for society, because we cannot deal rationally with them. Once
again, a person who enters your house and leaves a message on your fridge saying, “I
was testing the security of back doors in the neighborhood and found yours unlocked.
I didn’t take anything, but you should fix your system!” is violating your privacy. And
this is criminal - even though the intention of the incident was ostensibly good. This
simple example will help us both to understand hackers’ behaviour in the discussion
below, and also to gain a better understanding of the difference between malicious
hackers and those who claim to be honourable.
The distributed denial of service attacks on Microsoft’s and Sun’s websites in the 1st
quarter of 2004 focused more attention on hackers’ activities than any other recent
incidents. Hackers spread programmes to a large number of PCs over the Internet and
used them to overload the systems of those companies. (In this case a worm was used
to spread itself via email to PCs connected to the Internet; on 1st February more than
50,000 unprotected PCs attacked the sites.)
Not as spectacular but with lots of criminal potential is the following example. An
Italian couple hacked into the security system of two American banks and stole credit
card data of nearly 1,500 clients of the bank. They used the credit cards for various
purchases, and once they felt bored with living in luxury, they decided to play the
‘lotto’. In one month, they purchased $750,000-worth of tickets. The winnings of
$400,000 were directly transferred into their bank account.
Through incidents like these, hackers gain extraordinary publicity – whether or not it
is desired or intended. And the public is not able to distinguish – for them, a hacker is
a threat – pure and simple. Our governments are forever promising stricter laws and
regulations to defend against such attacks – but they all forget that hackers’ activities
and efforts have brought a lot of advantages to the informational community as well.
And indeed, there does seem to be a difference between good and evil hackers. We
conducted some interviews with hackers that prove this assumption. Having already
categorised hackers in the typology earlier, the most important distinction is between
‘hackers’ and so-called ‘crackers’.
Hackers have defined ethics which are respected within their community. They want
to use their knowledge for good purposes. They report security gaps in networks and
electronic communication, vulnerabilities in e-commerce, and shortcomings in the
way software is written. The builders of the Open Source community are hackers.
People including the developer of the Linux operating system, Linus Torvalds, and
Richard Stallman, founder of the Free Software Foundation, can all be considered
hackers.
There is an encyclopedia of the hacker scene called the “Jargon File”. Started in
1975, this file is updated on a regular basis by volunteer authors. Its main focus is
a definition of hackers, by themselves, and how they differentiate themselves from
crackers.
Types of Hackers
‘Black Hat’ Hackers
The term “black hat” originated from Western movies, where the bad guys wore black
hats and the good guys wore white hats.
A black-hat hacker is an individual who attempts to gain unauthorized entry into a
system or network to exploit them for malicious reasons. The black-hat hacker does
not have any permission or authority to compromise their targets. They try to inflict
damage by compromising security systems, altering functions of websites and
networks, or shutting down systems. They often do so to steal or gain access to
passwords, financial information, and other personal data.
‘White Hat’ Hackers
White-hat hackers are often referred to as ethical hackers. Such an individual
specializes in ethical hacking tools, techniques, and methodologies to secure an
organization’s information systems.
Unlike black-hat hackers, ethical hackers probe networks and look for weaknesses
only when they are legally permitted to do so. White-hat hackers disclose every
vulnerability they find in the company’s systems so that it can be fixed before it is
exploited by malicious actors.
Large technology companies such as Facebook, Microsoft, and Google also employ
white-hat hackers.
‘Grey Hat’ Hackers
Grey hats probe networks and computer systems in the way that black hats do, without
permission, but without malicious intent, and disclose the vulnerabilities they find to
the owner, to the authorities, or publicly.
Usually, grey-hat hackers surf the net and break into computer systems to notify the
administrator or the owner that their system or network contains one or more
vulnerabilities that must be fixed immediately. Some grey hats also offer to correct
the defect for a fee, which shades into extortion.
Phases of Hacking
1. Reconnaissance:
This is the first step of hacking. It is also called the footprinting or information
gathering phase. This is the preparatory phase where we collect as much information
as possible about the target. We usually collect information about three groups:
1. Network
2. Host
3. People involved
Active: Directly interacting with the target to gather information about it,
e.g. using Nmap to scan the target.
Passive: Collecting information about the target without directly
accessing it. This involves collecting information from social media,
public websites etc.
2. Scanning:
Port scanning: This phase involves scanning the target for information such
as live systems, open ports and the services running on those ports.
Vulnerability scanning: Checking the target for weaknesses or
vulnerabilities which can be exploited, usually with the help of automated
tools.
3. Gaining Access:
This phase is where an attacker breaks into the system or network using various tools
or methods. After entering the system, the attacker usually has to escalate privileges to
administrator level in order to install applications, modify data or hide data.
4. Maintaining Access:
A hacker may only break into the system to show that it was vulnerable, or may want to
maintain or persist the connection in the background without the knowledge of the user.
This can be done using Trojans, rootkits or other malicious files. The aim is to keep
access to the target until the planned tasks on that target are finished.
5. Clearing Tracks:
No thief wants to get caught. A careful attacker removes all evidence so that no traces
lead back to him later. This involves modifying, corrupting or deleting log entries,
modifying registry values, uninstalling the applications used and deleting the folders
created.
Misconfiguration and Application Attacks:
Attacks targeted at the installed applications, e.g. buffer overflow, cross-site
scripting, SQL injection etc., and attacks that succeed because default or
off-the-shelf components were deployed without their code, scripts or configuration
being hardened.
CHAPTER 2
Footprinting helps to
Know Security Posture – The data gathered will help us to get an overview of the
security posture of the company such as details about the presence of a firewall,
security configurations of applications etc.
Reduce Attack Area – Can identify a specific range of systems and concentrate on
particular targets only. This will greatly reduce the number of systems we are
focussing on.
Draw Network map – helps to draw a network map of the networks in the target
organization covering topology, trusted routers, presence of server and other
information.
Objectives of Footprinting
Network Footprinting
Details such as IDSes running, rogue or private websites, TCP and UDP services
running, VPN endpoints, networking protocols, ACLs etc. are collected.
The information related to the target system, such as user and group names, system
banners, routing tables, SNMP information and system names, is collected using
various methods.
Footprinting Methodology
Various methods are used to collect information about the target organization.
Footprinting through search engines is a passive information gathering process where
we gather information about the target from social media, search engines, various
websites etc. Information gathered includes names, personal details, geographical
location details, login pages, intranet portals etc. Even target-specific information
like operating system details, IP details, netblock information, the technologies
behind a web application etc. can be gathered through search engines.
Google Hacking:
Advanced search operators are used to find exposed pages and files that the search
engine has indexed. The entire website can also be mirrored using tools like HTTrack
to study it offline at our own pace, and older versions of a site can be retrieved from
www.archive.org.
Email Footprinting
email header reveals information about the mail server, original sender’s email id,
internal IP addressing scheme, as well as the possible architecture of the target
network
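As an added worked example (not part of the original report), here is a small Python script that pulls the items listed above out of a message header: the relay path from the Received headers, RFC 1918 addresses that reveal the internal addressing scheme, the mail software each relay announces, and the client software. The message, host names and addresses are constructed for the example.

```python
import email
import ipaddress
import re

# Constructed sample message (not a real one); every host name and address is an
# assumption made for this example.
RAW_MESSAGE = """Received: from mail-gw.example.com (mail-gw.example.com [203.0.113.10])
\tby mx.target-corp.example (Postfix) with ESMTPS id 4F2A1
\tfor <bob@target-corp.example>; Mon, 6 Jan 2020 10:12:45 +0000
Received: from exch01.corp.example.com (exch01.corp.example.com [10.20.30.40])
\tby mail-gw.example.com (Microsoft Exchange Server) with ESMTP id 8C1D
\tfor <bob@target-corp.example>; Mon, 6 Jan 2020 10:12:40 +0000
Received: from ALICE-PC (unknown [192.168.5.77])
\tby exch01.corp.example.com with ESMTPA id 22B9; Mon, 6 Jan 2020 10:12:38 +0000
From: Alice <alice@example.com>
To: bob@target-corp.example
Subject: Q1 figures
Message-ID: <20200106101238.22B9@exch01.corp.example.com>
X-Mailer: Microsoft Outlook 16.0
X-Originating-IP: [192.168.5.77]

Body text.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.S)
SOFTWARE = re.compile(r"\bby\s+\S+\s+\(([^)]+)\)\s+with\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """RFC 1918 addresses should never appear in mail that leaves an organisation."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def footprint(raw_message):
    msg = email.message_from_string(raw_message)
    # Each relay prepends its own Received header, so the last one is the origin hop.
    received = list(reversed(msg.get_all("Received") or []))
    path, software, ips = [], [], set()
    for hdr in received:
        text = " ".join(hdr.split())           # unfold continuation lines
        m = HOP.search(text)
        path.append({"from": m.group(1) if m else "?",
                     "by": m.group(2) if m else "?",
                     "ips": IPV4.findall(text)})
        ips.update(IPV4.findall(text))
        s = SOFTWARE.search(text)
        if s:
            software.append(s.group(1))
    ips.update(IPV4.findall(msg.get("X-Originating-IP", "")))
    mid = re.search(r"@([^>\s]+)>?", msg.get("Message-ID", ""))
    return {
        "path": path,                                   # origin first
        "internal_ips": sorted(ip for ip in ips if is_internal(ip)),
        "mail_software": software,                      # in path order
        "mailer": msg.get("X-Mailer"),
        "message_id_host": mid.group(1) if mid else None,
    }


if __name__ == "__main__":
    for key, value in footprint(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Read the Received headers bottom-up: the last one was added by the first relay, so it names the originating workstation. A mail gateway that strips internal Received headers and X-Originating-IP on the way out removes most of what this script finds, which is the usual countermeasure.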
Competitive Intelligence
Eg: company website, search engine, internet, online databases, press releases,
annual reports, trade journals
Whois Footprinting
Whois databases are operated by domain registries and registrars (for domain names)
and by the Regional Internet Registries, RIRs (for IP address blocks). These databases
contain the registration details of domain owners. Whois is a query/response protocol
used for querying Whois databases; it runs over TCP port 43 and is documented in
RFC 3912. The whois utility interrogates the Internet domain name administration
system and returns the domain ownership, address, location, phone numbers, and other
details about a specified domain name.
DNS Footprinting
DNS is a naming system for computers that converts human-readable domain names
into machine-readable IP addresses and vice versa. DNS serves ordinary queries over
UDP port 53 and uses TCP port 53 for zone transfers and for responses too large for
UDP. A zone stores all the information, or resource records, associated with a
particular domain in a zone file. Each resource record returned by a name server has an
owner name, a type and a class, and the following further fields:
Time to Live (TTL) — Specifying the amount of time a record can be held in a
cache before being discarded.
Record Data — Providing the type- and class-dependent data that describes the
resource.
SOA (Start of Authority) is the record type that identifies the DNS server responsible
for the domain information.
Secondary DNS servers perform zone transfers to keep themselves up to date with the
latest information. If a name server allows zone transfers to anyone, a zone transfer of
the target domain gives a list of all its hosts, their respective IP addresses, and the
record types.
Footprinting through Social Engineering:
Social media like Twitter and Facebook are searched to collect information like
personal details, user credentials and other sensitive information using various social
engineering techniques.
Reconnaissance
Information gathering and getting to know the target systems is the first process in
ethical hacking. Reconnaissance is a set of processes and techniques (footprinting,
scanning and enumeration) used to covertly discover and collect information about a
target system.
Determine the network range
Active Reconnaissance
In this process, you directly interact with the computer system to gain information.
This information can be relevant and accurate, but there is a risk of being detected if
you perform active reconnaissance without permission. If you are detected, the system
administrator can take severe action against you and trace your subsequent activities.
Passive Reconnaissance
In this process, you are never directly connected to the target computer system. It is
used to gather essential information without ever interacting with the target systems.
CHAPTER 3
Port Scanning – detecting open ports and services running on the target.
Scanning Methodology
Check for Live Systems: A ping scan checks for live systems by sending
ICMP echo request packets. If a system is alive, it responds with an ICMP
echo reply packet, from which details such as TTL and packet size can be read.
Check for Open Ports: Port scanning helps us to find open ports, the services
running on them, their versions etc. Nmap is the tool most commonly used for
this purpose.
We have various types of scan:
Connect scan: Identifies open ports by completing a full TCP three-way handshake with
the target. It needs no special privileges but is logged by the target application.
Half-open scan: Otherwise known as a SYN or stealth scan. The scanner sends a SYN,
classifies the port from the reply (SYN/ACK means open, RST means closed) and then
resets the connection instead of completing the handshake, so the application never
sees a connection.
XMAS scan: Also called inverse TCP scanning. This works by sending packets with the
PSH, URG and FIN flags set. A closed port replies with a RST, while an open port does
not respond at all (RFC 793 behaviour; Windows replies with RST regardless of state).
FIN scan: The FIN flag is set in the TCP packets sent to the target. Open ports do not
respond while closed ports send a RST.
ACK scan: The attacker sets the ACK flag in the TCP header. This does not tell open
from closed; it maps firewall rules, since a RST comes back from unfiltered ports and
nothing comes back from filtered ones. Older systems also leaked state through the
window size and TTL of the RST.
Null scan: Works by sending TCP packets with no flags set. Open ports do not respond
while closed ports respond with a RST.
Idle scan: The attacker masks his identity by bouncing probes off an idle "zombie"
machine on the network and reading the target's port state from changes in the
zombie's IP ID counter.
Banner Grabbing
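The connect scan and banner grabbing described above, as an added Python example that is not from the original report. It starts a throwaway listener on the loopback interface that plays the target service (its banner string is invented), scans a few ports around it with full connect() handshakes, and reads the banner back. The SYN, FIN, XMAS, NULL and ACK scans need raw sockets and root privileges, which is why Nmap is used for them; a connect scan needs neither.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def connect_scan(host, ports, timeout=0.5, workers=32):
    """TCP connect() scan: completes the three-way handshake on each port.
    Open ports accept, closed ports refuse (RST), filtered ports time out."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return port, "open"
            except ConnectionRefusedError:
                return port, "closed"
            except OSError:                      # includes socket.timeout
                return port, "filtered"
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(probe, ports))


def grab_banner(host, port, timeout=1.0, probe=b"HEAD / HTTP/1.0\r\n\r\n"):
    """Read what the service volunteers on connect (SSH, SMTP and FTP announce
    themselves); if it stays silent, send a harmless probe and read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""
        if not data:
            s.sendall(probe)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
    return data.decode("ascii", errors="replace").strip()


def start_fake_service(banner):
    """Local stand-in for a target service (constructed for this example): it
    accepts connections on a free loopback port, sends a banner and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                      # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Scan a small range around the fake service and grab its banner."""
    srv, port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")   # version string is invented
    try:
        results = connect_scan("127.0.0.1", range(port - 3, port + 4))
        banner = grab_banner("127.0.0.1", port)
    finally:
        srv.close()
    return port, results, banner


if __name__ == "__main__":
    port, results, banner = demo()
    for p, state in sorted(results.items()):
        print(f"{p}/tcp {state}")
    print("banner on", port, "->", banner)
```

The banner is the cheapest version fingerprint there is; the countermeasure on the server side is to trim or replace it (for example ServerTokens/ServerSignature on Apache), bearing in mind that behavioural fingerprinting still works.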
Vulnerability scanning:
Mainly automated tools are used for this purpose. These automated scanners scan the
target to find out vulnerabilities or weakness in the target organization which can be
exploited by the attackers. Vulnerabilities include application vulnerabilities,
configuration vulnerabilities, network vulnerabilities, operating system vulnerabilities
etc.
Some examples include operating system is not updated, default passwords used,
plain text protocols used, vulnerable protocols running etc.
With the information gathered, the attacker can come up with a network diagram
which might give him information about network and architecture of the target
organization helping him to identify the target easily
Prepare Proxies
Proxies can be used to maintain the anonymity of the attacker by masking the IP
address. A proxy can also capture information passing through it, since it acts as an
intermediary between client and server, and the attacker can access resources
remotely through it.
Countermeasures:
Enumeration and its types
Enumeration is defined as the process of extracting user names, machine names,
network resources, shares and services from a system. In this phase, the attacker
creates an active connection to the system and performs directed queries to gain more
information about the target. The gathered information is used to identify
vulnerabilities or weak points in system security, which are then exploited in the
gaining-access phase.
Routing tables
Machine names
NetBIOS Enumeration
NetBIOS stands for Network Basic Input Output System. It allows computers to
communicate over a LAN and to share files and printers.
NetBIOS names are used to identify network devices over TCP/IP (Windows). Each name
must be unique on the network and is limited to 16 bytes, where 15 characters are used
for the device name and the 16th byte is reserved for identifying the type of service
running, i.e. the name record type.
Nbtstat: utility used to find protocol statistics, the NetBIOS name table and name
cache details.
SNMP Enumeration
on a variety of operating systems like Windows Server, Linux & UNIX servers as
well as network devices like routers, switches etc.
3. Network Management System (NMS): These are the software systems that
are used for monitoring of the network devices.
An agent running on every SNMP device will be providing access to a read and
writable database. The database is referred to as the management information base
(MIB) which is organized hierarchically and is a virtual database containing a formal
description of all the network objects identified by a specific object identifier (OID)
that can be managed using SNMP. It's a giant repository of values and settings. There
is a manager involved in the process, and the manager will query the agent for various
details.
1. Read only: This mode permits querying the device and reading the
information, but does not permit any kind of change to the configuration. The
default community string for this mode is “public.”
2. Read Write: In this mode, changes to the device are permitted; hence if one
connects with this community string, one can even modify the remote device’s
configuration. The default community string for this mode is “private.”
When the community strings are left at their default settings, anyone who can reach
UDP port 161 can read the device's configuration, routing tables, interfaces and user
accounts, and with the read-write string can change them.
Few tools:
Countermeasures:
5. Implement the Group Policy security option called "Additional restrictions for
anonymous connections"
6. Access to null session pipes, null session shares, and IPsec filtering should
also be restricted
LDAP Enumeration
usernames, addresses, departmental details that could be utilised in a brute force or
social engineering attack.
Tools:
Jxplorer - http://www.jxplorer.org/
Countermeasures:
3. Select a username different from your email address and enable account
lockout.
NTP Enumeration
The Network Time Protocol is a protocol for synchronizing time across your network,
this is especially important when utilizing Directory Services. There exists a number
of time servers throughout the world that can be used to keep systems synced to each
other. NTP utilizes UDP port 123. Through NTP enumeration you can gather
information such as lists of hosts connected to NTP server, IP addresses, system
names, and OSs running on the client system in a network. All this information can be
enumerated by querying NTP server.
SMTP Enumeration
The Simple Mail Transfer Protocol is used to send email messages, as opposed to POP3
or IMAP, which are used to retrieve messages from a mailbox. SMTP relies on Mail
Exchange (MX) records in the Domain Name System to find the servers to deliver mail
to; should no MX record exist for the domain, SMTP falls back to the domain's A
record. SMTP generally runs on port 25 (with mail submission on 587 and 465).
SMTP enumeration allows us to determine valid users on the SMTP server. This is
done with the help of built-in SMTP commands, such as
EXPN - This command reveals the actual delivery addresses of aliases and mailing
lists.
Countermeasures:
Don’t include information like mail relay systems being used, Internal IP
address or host information.
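The SMTP user enumeration described above, as an added Python example (not from the original report) with both sides of the exchange: a minimal fake SMTP server on the loopback interface that still answers VRFY and EXPN, and a client that classifies each candidate by reply code. The user names, alias and banner are constructed.

```python
import socket
import threading

# Constructed directory for the fake server: these names and aliases are invented.
VALID_USERS = {"alice", "bob", "postmaster"}
ALIASES = {"sales": ["alice@example.test", "carol@example.test"]}


def start_fake_smtp():
    """Minimal stand-in for an SMTP server that still honours VRFY and EXPN
    (the insecure configuration the countermeasures above warn about)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(4)

    def handle(conn):
        with conn, conn.makefile("rb") as rd:
            conn.sendall(b"220 mail.example.test ESMTP Postfix\r\n")
            for raw in rd:
                verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
                verb = verb.upper()
                if verb in ("HELO", "EHLO"):
                    reply = "250 mail.example.test"
                elif verb == "VRFY":
                    reply = (f"250 2.1.5 <{arg}@example.test>" if arg in VALID_USERS
                             else f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown")
                elif verb == "EXPN":
                    members = ALIASES.get(arg)
                    reply = ("\r\n".join(f"250{'-' if i < len(members) - 1 else ' '}{m}"
                                         for i, m in enumerate(members))
                             if members else "550 5.1.1 no such list")
                elif verb == "QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    return
                else:
                    reply = "502 5.5.2 Command not implemented"
                conn.sendall(reply.encode("ascii") + b"\r\n")

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def read_reply(rd):
    """Collect one SMTP reply, including '250-' continuation lines."""
    lines = []
    while True:
        line = rd.readline().decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines


def smtp_enum(host, port, candidates, lists=()):
    """VRFY each candidate and EXPN each list; 250 confirms, 252 is inconclusive
    (the server will try delivery without checking), 5xx denies."""
    found = {"banner": None, "valid": [], "unknown": [], "invalid": [], "members": {}}
    with socket.create_connection((host, port), timeout=3) as s, s.makefile("rb") as rd:
        def cmd(line):
            s.sendall(line.encode("ascii") + b"\r\n")
            return read_reply(rd)
        found["banner"] = read_reply(rd)[0]
        cmd("HELO recon.example")
        for user in candidates:
            code = cmd(f"VRFY {user}")[0][:3]
            bucket = "valid" if code == "250" else "unknown" if code == "252" else "invalid"
            found[bucket].append(user)
        for name in lists:
            reply = cmd(f"EXPN {name}")
            if reply[0].startswith("250"):
                found["members"][name] = [line[4:] for line in reply]
        cmd("QUIT")
    return found


def demo():
    srv, port = start_fake_smtp()
    try:
        return smtp_enum("127.0.0.1", port, ["alice", "bob", "mallory", "root"],
                         lists=["sales", "staff"])
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

Real servers often answer VRFY with 252 ("cannot verify, will attempt delivery"), which proves nothing, and many disable VRFY and EXPN outright; the attacker then falls back to MAIL FROM followed by RCPT TO per candidate, which is why rate-limiting and logging failed recipients matters as much as switching the commands off.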
DNS Enumeration
DNS enumeration is the process of locating all the DNS servers and their
corresponding records for an organization. DNS enumeration will yield usernames,
computer names, and IP addresses of potential target systems. The list of DNS record
provides an overview of types of resource records (database records) stored in the
zone files of the Domain Name System (DNS). The DNS implements a distributed,
hierarchical, and redundant database for information associated with Internet domain
names and addresses.
DNS zone transfer is used to replicate DNS data across a number of DNS servers or to
back up DNS files. A user or server performs a zone transfer request (AXFR) against a
name server. If the name server allows zone transfers to anonymous users, all the DNS
names and IP addresses hosted by the name server are returned in human-readable
text.
Tools:
Countermeasures:
2. Ensure that private hostnames are not referenced to IP addresses within the
DNS zone files of publicly accessible DNS servers.
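As an added Python example (not part of the report), serving both the DNS footprinting section in Chapter 2 and the DNS enumeration above: it parses a zone in the text form a zone transfer returns and reports what an attacker learns from it, while flagging the private (RFC 1918) hostnames that countermeasure 2 says should not be there. The zone, names and addresses are constructed; against a live server the same records would come from an AXFR request, which needs network access and the server's permission.

```python
import ipaddress

# Constructed zone, in the text form an AXFR tool prints it; every name and
# address below is invented for the example.
ZONE = """$ORIGIN target-corp.example.
$TTL 3600
@          IN SOA   ns1 hostmaster (2024010101 7200 900 1209600 3600)
@          IN NS    ns1
@          IN NS    ns2
@          IN MX    10 mail
ns1        IN A     203.0.113.2
ns2        IN A     203.0.113.3
www        IN A     203.0.113.10
mail       IN A     203.0.113.20
vpn        IN A     203.0.113.30
intranet   IN A     10.1.5.20        ; should never be in the public zone
dev-db01   IN A     192.168.40.11
backup     IN CNAME intranet
ftp        IN A     172.16.9.4
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOST_TYPES = {"CNAME", "NS"}      # rdata is a single host name that may be relative


def fqdn(label, origin):
    if label == "@":
        return origin
    return label if label.endswith(".") else f"{label}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata) tuples from zone-file text; handles $ORIGIN,
    $TTL, '@', relative names, optional TTL/class fields and ';' comments."""
    origin, records, last_owner = ".", [], None
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        if line[0].isspace():                  # continuation: same owner as before
            owner, rest = last_owner, tokens
        else:
            owner, rest = fqdn(tokens[0], origin), tokens[1:]
        last_owner = owner
        if rest and rest[0].isdigit():         # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype in HOST_TYPES:
            rdata = fqdn(rdata, origin)
        elif rtype == "MX":
            prio, host = rdata.split()
            rdata = f"{prio} {fqdn(host, origin)}"
        records.append((owner, rtype, rdata))
    return records


def audit(records):
    """What an attacker learns from the transfer, and what the defender should
    not have published: internal (RFC 1918) hosts, including CNAMEs to them."""
    a = {n: r for n, t, r in records if t == "A"}
    cname = {n: r for n, t, r in records if t == "CNAME"}

    def resolve(name, depth=0):
        if name in a:
            return a[name]
        if name in cname and depth < 8:        # follow alias chains, bounded
            return resolve(cname[name], depth + 1)
        return None

    names = sorted(set(a) | set(cname))
    exposed = []
    for n in names:
        ip = resolve(n)
        if ip and any(ipaddress.ip_address(ip) in net for net in RFC1918):
            exposed.append(n)
    return {
        "hosts": {n: resolve(n) for n in names},
        "name_servers": [r for _, t, r in records if t == "NS"],
        "mail_servers": [r.split()[1] for _, t, r in records if t == "MX"],
        "private_exposed": exposed,
    }


if __name__ == "__main__":
    for k, v in audit(parse_zone(ZONE)).items():
        print(f"{k}: {v}")
```

Even without a zone transfer, names like dev-db01 and intranet are exactly what a brute-force subdomain wordlist guesses first, so the fix is a split-horizon DNS that keeps internal names out of the public zone, not only restricting AXFR.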
CHAPTER 4
System Hacking
Goals of system hacking
Goals:
1. Gaining Access
2. Escalating privileges
3. Executing applications
4. Hiding files
5. Clearing tracks
Gaining Access
The goal here is to collect enough information to gain access to the target.
Password Cracking:
3. Rule based attack: If some details about the target are known, we can create
rules based on the information we know.
4. Rainbow table: Instead of guessing passwords against the live system, the
attacker takes the stolen hash of the password and compares it with a list of
pre-computed hash values until a match is found.
The rainbow table method gives an advantage to the attacker because the work is done
offline, so no account lockout is triggered by wrong guesses. To prevent rainbow table
attacks, salting can be used. Salting is the process of adding random data to the
password before hashing, so
the attacker will not be able to crack the hash without that salt added.
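To make the rainbow-table versus salt argument concrete, here is an added Python example (not from the report): an unsalted MD5 lookup that cracks stolen hashes instantly, next to a salted, iterated PBKDF2 scheme where the table is useless and each guess has to be recomputed. The wordlist and passwords are constructed.

```python
import hashlib
import os
import secrets

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2019", "dragon"]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup(words):
    """Precompute hash -> plaintext once. A real rainbow table compresses this
    with hash/reduce chains, but the attacker's advantage is the same: the
    hashing work is done before any hashes are stolen, and the lookup is free."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(stolen_hashes, lookup):
    """Every stolen hash costs one dictionary lookup, and identical passwords
    show up as identical hashes."""
    return {h: lookup[h] for h in stolen_hashes if h in lookup}


def hash_with_salt(password, salt=None, iterations=100_000):
    """Salted, iterated hash in a self-describing format: algo$iters$salt$hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def crack_salted(stored, words):
    """No table applies: the salt differs for every user, so the attacker must
    rehash each candidate per stolen hash, paying the iteration cost every time."""
    for w in words:
        if verify(w, stored):
            return w
    return None


if __name__ == "__main__":
    lookup = build_lookup(WORDLIST)
    stolen = [md5_hex("letmein"), md5_hex("letmein"), md5_hex("Tr0ub4dor&3")]
    print("unsalted:", crack_unsalted(stolen, lookup))
    s1, s2 = hash_with_salt("letmein"), hash_with_salt("letmein")
    print("same password, different stored hashes:", s1 != s2)
    print("salted, wordlist attack:", crack_salted(s1, WORDLIST))
```

Salting does not rescue a weak password: crack_salted still finds "letmein" from the wordlist, only slower. The salt kills precomputation and hash reuse across users; the iteration count is what makes each guess expensive.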
A passive attack is an attack on a system that does not result in a change to the system
in any way.
Wire Sniffing
Replay attack
Password guessing
Trojan/spyware/keyloggers
Hash injection
Phishing
Offline attacks
Offline attacks occur when the intruder has obtained password hashes and checks the
validity of candidate passwords against them without interacting with the target.
Offline attacks are often time-consuming.
Pre-computed hashes
Distributed Network
Rainbow
Non-electronic attacks
Non-electronic attacks are also known as non-technical attacks. This kind of attack
doesn't require any technical knowledge about the methods of intruding into another
system.
Social engineering
Shoulder surfing
Dumpster Diving
Monitor the server’s logs for brute force attacks on the user’s accounts
Never use passwords such as date of birth, spouse, or child’s or pet’s name
Enable SYSKEY with the strong password to encrypt and protect the SAM
database
Privilege Escalation
An attacker can gain access to the network using a non-admin user account, and the
next step would be to gain administrative privilege.
Escalation of Privileges:
2. Vertical Privilege Escalation occurs when a malicious user attempts to
access resources and functions that belong to a user with higher privileges,
such as application or site administrators.
Executing Applications
Intruder executes malicious applications after gaining administrative privileges so
they can run malicious programs remotely, to capture all sensitive data, crack
passwords, capture screenshots or to install a backdoor.
Keylogger
Keystroke loggers are programs or hardware devices that monitor each keystroke a
user types on a keyboard and log them to a file or transmit them to a remote location.
They record all the login names, bank and credit card numbers and passwords,
including passwords that are hidden on screen behind asterisks or blank spaces.
Types of Keylogger
Hardware Keylogger
Software Keylogger
Hiding Files
Rootkits
Rootkits are programs that hackers use to keep unauthorized access to a computer while
evading detection. Once installed on a computer, a rootkit is invisible to the user and
also takes steps to avoid being detected by security software.
A rootkit is a set of binaries, scripts and configuration files that allows someone to
covertly maintain access to a computer so that he can issue commands and scavenge
data without alerting the system's owner.
Depending on where they are installed there are various types of rootkits:
Hardware/Firmware Rootkits
Alternate Data Stream support was added to NTFS (Windows NT, Windows 2000 and
Windows XP) to support the Macintosh Hierarchical File System (HFS), which uses
resource forks to store icons and other information for a file. Using Alternate Data
Streams a user can easily hide files that go undetected unless the streams are
inspected explicitly.
Steganography
Steganography hides a secret message inside an innocuous carrier file. The carrier is
the overt file and the hidden message is the covert content.
Types of Steganography
Image Steganography
Document Steganography
Folder Steganography
Video Steganography
Audio Steganography
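Image steganography in its simplest form, as an added Python example (not the report's own): each bit of the message replaces the least significant bit of one sample, so the cover changes by at most one unit per sample. The cover here is a constructed array of 8-bit values standing in for decoded pixel bytes (the same code applies to 8-bit PCM audio samples).

```python
import random

# Constructed cover: 4096 8-bit samples, standing in for the pixel bytes of a
# decoded grayscale image.
COVER = bytes(random.Random(7).randrange(256) for _ in range(4096))


def embed_lsb(cover, payload):
    """Write payload into the least significant bit of successive samples,
    prefixed with a 4-byte length so the extractor knows where to stop."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8 - 4} payload bytes, need {len(payload)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit      # each sample changes by at most 1
    return bytes(stego)


def _read(stego, offset, nbytes):
    """Reassemble nbytes from the low bits starting at sample offset."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[offset + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego):
    length = int.from_bytes(_read(stego, 0, 4), "big")
    return _read(stego, 32, length)


def distortion(cover, stego):
    """Largest per-sample change and how many samples changed: the reason LSB
    embedding is invisible to the eye but not to statistics."""
    diffs = [abs(a - b) for a, b in zip(cover, stego)]
    return max(diffs), sum(1 for d in diffs if d)


if __name__ == "__main__":
    msg = b"meet at 0300, bring the drive"
    stego = embed_lsb(COVER, msg)
    print(extract_lsb(stego))
    print("max change, samples changed:", distortion(COVER, stego))
```

The distortion() figures show why this is undetectable by eye yet detectable by tools: about half of the used samples change by exactly one, which disturbs the statistics of the low bit in a way that steganalysis tests for. Lossy recompression (JPEG) destroys the low bits entirely, so the technique only survives in lossless formats.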
Covering Tracks
Once an attacker finishes his work, he wants to erase all tracks leading the
investigators tracing back to him. This can be done using
1. Disable auditing.
2. Clearing logs.
CHAPTER 5
Virus
Trojans
Worms
Rootkits
Spyware
Ransomware
Virus
A virus is a self-replicating program that produces its own copy by attaching itself to
another program, computer boot sector or document.
Alters Data
Transforms itself
Encrypts Itself
Self Propagates
Different types of Viruses:
Boot sector virus: Copies itself into the boot sector and moves the original boot
sector to another location on the hard disk.
File overwriting or cavity virus: Replaces the content of files with its own code,
leaving the file unusable.
Crypter: Encrypts the contents of the file, which makes the file unusable for the user.
Polymorphic virus: The virus code mutates itself while keeping the algorithm intact.
Tunnelling virus: These viruses trace the steps of interceptor programs that monitor
operating system requests so that they can get into the BIOS and DOS to install
themselves. To perform this activity they even tunnel under anti-virus software
programs.
Metamorphic virus: They rewrite themselves every time, reprogramming themselves
into completely different code with each infection.
Macro virus: Infects Microsoft products like Word and Excel. They are usually
written in the macro language, Visual Basic for Applications (VBA).
Cluster virus: Modifies the directory entries so they always point the user to the
virus code instead of the actual program.
Stealth virus: Intercepts the anti-virus call to the operating system and gives back an
uninfected version of the requested files, thereby evading the anti-virus.
Extension virus: Hides the extension of the virus files, deceiving the unsuspecting
user into downloading the files.
Add-on virus: Add-on viruses append their code to the host code without making
any changes to the latter, or relocate the host code to insert their own code at the
beginning.
Trojans
Trojans are malicious files which are used by the attacker to create a backdoor
without the knowledge of the user. A Trojan may delete or replace critical operating
system files, steal data, send notifications to the remote attacker, and remotely control
the target. Trojans usually hide behind a genuine code, program or file to avoid being
noticed by the user. Behind the original program, it establishes a backdoor connection
with the remote attacker. It has 3 parts:
1. Dropper: This is the code which installs the malicious code on the target.
2. Malicious code: This is the code which exploits the system and gives the
attacker control over the target.
3. Wrapper: The wrapper bundles the dropper, the malicious code and the genuine
code into one executable package.
When the victim runs the downloaded file, the dropper installs the malicious
code first and then launches the genuine program.
Purpose of Trojans
Disable firewalls and anti-virus
There are various types of Trojans like
Hypervisor Trojan
HTTP/HTTPS Trojan
FTP Trojans
VNC Trojans
Banking Trojans
Destructive Trojan
Botnet Trojan
Proxy Trojan
Countermeasures:
Always upgrade and keep firewalls, IDS and anti-virus updated with latest
patches and signatures
Worms
The worm is a standalone malicious program which spreads from computer to
computer, but unlike a virus, it has the capability to travel without any human action.
A worm takes advantage of file or information transport features on the system, which
is what allows it to travel unaided. Often, it uses a computer network to spread itself,
relying on security failures on the target computer to access it.
Difference between Worms and Viruses
Virus:
A virus is a program that replicates, i.e. it spreads from file to file on your
system
Worm:
When a worm finds another computer, it replicates itself onto that computer
and continues to look for other connected computers on which to replicate.
and return a good version of the software. It either duplicates or replaces OS system
files making it difficult to detect it.
Methods of Detection:
Behaviour-based methods
Signature scanning
When dealing with firmware rootkits, removal may require hardware replacement or
specialized equipment.
Spyware
This malware, once installed on the target, monitors every action of the user and
reports to the remote attacker. Cookie stealing, password stealing, identity theft and
information theft are a few of the attacks commonly carried out using spyware.
Ransomware
Ransomware is malicious software which restricts access to computer system files and
folders and demands an online ransom payment to remove the restrictions.
Usually it encrypts the data, forcing the user to pay a large ransom to get the
data decrypted.
CHAPTER 6
Active Sniffing:
Sniffing on a switched network is active sniffing. A switch is a point-to-point network
device. The switch regulates the flow of data between its ports by actively monitoring
the MAC address on each port, which lets it pass data only to its intended target. In
order to capture the traffic between targets, the sniffer has to actively inject traffic
into the LAN to enable sniffing. This can be done in various ways.
Passive Sniffing:
This is the process of sniffing through a hub. Any traffic passing through a
non-switched or unbridged network segment can be seen by all machines on that
segment. Sniffers operate at the data link layer of the network. Any data sent across
the LAN is actually sent to each and every machine connected to the LAN. This is
called passive because the sniffers placed by the attacker passively wait for data to be
sent and capture it.
ARP Table
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol
address (IP address) to a physical machine address that is recognized in the local
network. A table is used to maintain a correlation between each MAC address and its
corresponding IP address. ARP provides the protocol rules for making this correlation
and providing address conversion in both directions.
CAM Table
Content Addressable Memory (CAM) table is a system memory construct used by
Ethernet switch logic which stores information such as MAC addresses available on
physical ports with their associated VLAN Parameters. The CAM table, or content
addressable memory table, is present in all switches for layer 2 switching. This allows
switches to facilitate communications between connected stations at high speed and in
full-duplex regardless of how many devices are connected to the switch. Switches
learn MAC addresses from the source address of Ethernet frames on the ports, such as
Address Resolution Protocol (ARP) response packets.
Active Sniffing Attacks
MAC Attacks:
MAC flooding is an attack where the CAM table is flooded with fake MAC-IP pairs,
so that the CAM table overflows, causing traffic to be flooded out of all ports on the
switch (i.e. the switch starts to behave like a hub).
ARP Spoofing:
In this case an attacker spoofs the MAC address of a trusted host and forges ARP
requests/replies to overload the switch. Once the switch is put into “forward mode”,
the attacker can sniff the packets on the network.
ARP Poisoning:
The attacker chooses targets and floods their ARP caches with forged entries, thus
replacing the MAC address of the targets with the MAC address of the attacker. ARP
poisoning is used in man-in-the-middle attacks.
Man-in-the-middle Attack:
It’s a targeted attack, where the attacker sniffs the traffic and chooses targets. It uses
the ARP poisoning method to forge fake ARP requests/replies to the targets, forcing
them to update their ARP caches with the MAC address of the attacker's machine in
place of the genuine target. So the traffic between the targets is split into two: one
connection between target1 and the attacker and another between target2 and the
attacker. The attacker, being the man in the middle, can modify/replay the traffic and
capture sensitive information exchanged between the targets.
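The defender's view of the MAC flooding and ARP poisoning attacks above, as an added example that is not part of the original report: a port-security style limit on MACs learned per switch port, and an arpwatch-style record of which MAC answered for each IP. All MAC, IP and port values are constructed sample data.

```python
"""Detecting MAC flooding and ARP poisoning from observed ARP replies.

Added example, not part of the original report. It models two defender-side
checks for the attacks described above: a port-security style limit on how
many MAC addresses one switch port may learn (catches CAM table flooding)
and an arpwatch-style history of which MAC answered for each IP (catches
ARP cache poisoning). Every MAC, IP and port number below is constructed
sample data.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One observation per ARP reply seen on the wire: (switch port, source MAC, sender IP)
Observation = Tuple[int, str, str]


class PortSecurityMonitor:
    """Flags a port that learns more MAC addresses than a real host would use."""

    def __init__(self, max_macs_per_port: int = 5) -> None:
        self.max_macs = max_macs_per_port
        self.cam: Dict[int, Set[str]] = defaultdict(set)  # port -> MACs learned

    def learn(self, port: int, mac: str) -> List[str]:
        self.cam[port].add(mac)
        if len(self.cam[port]) > self.max_macs:
            return [f"port {port}: more than {self.max_macs} MACs learned, possible CAM flooding"]
        return []


class ArpPoisonMonitor:
    """Remembers the first MAC seen for each IP and reports later changes."""

    def __init__(self) -> None:
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)

    def observe(self, mac: str, ip: str) -> List[str]:
        alerts: List[str] = []
        self.mac_to_ips[mac].add(ip)
        known = self.ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"{ip} changed from {known} to {mac}, possible ARP poisoning")
        if len(self.mac_to_ips[mac]) > 1:
            # One MAC answering for several IPs is how a man-in-the-middle host
            # looks (a router does this too, so treat it as a heuristic).
            alerts.append(f"{mac} answers for {len(self.mac_to_ips[mac])} IPs, possible MITM")
        return alerts


def analyse(observations: List[Observation], max_macs_per_port: int = 5) -> List[str]:
    """Run both monitors over a capture; return distinct alerts in first-seen order."""
    ports, arp = PortSecurityMonitor(max_macs_per_port), ArpPoisonMonitor()
    alerts: List[str] = []
    for port, mac, ip in observations:
        for alert in ports.learn(port, mac) + arp.observe(mac, ip):
            if alert not in alerts:
                alerts.append(alert)
    return alerts


# Constructed capture: three real hosts on ports 1-3, then a host on port 4
# that first floods the CAM table with random MACs and then answers for the
# gateway (10.0.0.1) and a victim (10.0.0.2) with its own MAC.
SAMPLE: List[Observation] = [
    (1, "aa:aa:aa:aa:aa:01", "10.0.0.1"),
    (2, "aa:aa:aa:aa:aa:02", "10.0.0.2"),
    (3, "aa:aa:aa:aa:aa:03", "10.0.0.3"),
] + [
    (4, f"de:ad:be:ef:00:{i:02x}", f"10.0.0.{100 + i}") for i in range(8)
] + [
    (4, "de:ad:be:ef:ff:ff", "10.0.0.1"),
    (4, "de:ad:be:ef:ff:ff", "10.0.0.2"),
]

if __name__ == "__main__":
    for line in analyse(SAMPLE):
        print(line)
```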
DHCP Poisoning
The DHCP client requests an IP address by broadcasting a DHCP Discover message
to the local subnet.
The client is offered an address when a DHCP server responds with a DHCP Offer
message containing an IP address and configuration information for lease to the
client.
The client indicates acceptance of the offer by selecting the offered address and
broadcasting a DHCP Request message in response.
The client is assigned the address and the DHCP server broadcasts a DHCP Ack
message in response, finalizing the terms of the lease.
When the client receives the acknowledgement, it configures its TCP/IP properties by
using the DHCP option information in the reply and completes its initialization of
TCP/IP.
This is a denial of service attack: the attacker sends forged DHCP requests to the
server and leases all the available IPs, so legitimate clients do not get an IP assigned;
or the attacker may send bogus requests/replies luring the client to connect to the
attacker’s machine instead of the valid DHCP server.
Here the attacker sends fake DNS packets to the server, creating fake entries in
the DNS table for the target website. When a client sends a request for the website,
the DNS server resolves the domain to an IP using the injected DNS records and
redirects the user to a fake or malicious website chosen by the attacker.
Countermeasures:
Avoid using clear text protocols.
Implement DNSSEC.
Use a firewall.
Some tools:
Wireshark
CHAPTER 7
Social Engineering
Social engineering is the art of convincing people to reveal confidential information.
By taking advantage of basic human nature, like trust or a lack of knowledge, the
attacker deceives people into revealing sensitive information.
1. Human-based
2. Mobile-based
3. Computer-based
Human-Based Attacks:
They may act as a legitimate user and request information, or pose as a higher
authority and ask for sensitive information, or pose as a technical support person
and try to gather sensitive and confidential details.
Tailgating: When an authorised person enters a restricted area, the unauthorised
person also enters the restricted area without the employee’s knowledge.
Piggybacking: Here the attacker may pose as an employee and ask the authorised
employee to allow him to enter along with him. He may give fake reasons like he
forgot his smart badge, etc.
Shoulder surfing: It is a direct observation technique like looking over someone’s
shoulder to know the sensitive information like password, pin numbers, etc.
Hoax Letters: These are fake emails sending warnings about malware, viruses and
worms causing harm to computers.
Spam Messages: These are unwanted irrelevant emails trying to gather information
about users.
Phishing: Creating a cloned fake website trying to gather sensitive information about
users. It can be done by sending a fake email as though coming from an original
website and then trying to collect confidential information.
SMS based: Sending a fake SMS saying that the user has won a bounty, urging
him/her to register with confidential information or try and collect other important
details.
Through Malicious Apps: Applications downloaded from third party sources may be
malicious; they can access authentication information and other sensitive details.
Through Email and messengers: Attackers can send spam emails or malicious links
through messenger applications. When the victim clicks on it, he may be redirected to
a malicious site, malware may be downloaded, or it may lead to some other
malicious activity.
Develop relationship: Develop a friendship with this person and maintain the
relationship to the point where he trusts you.
Exploit the relationship: Extract the information about the company and other
sensitive information exploiting the trust that he placed in you.
Insider Attacks
Countermeasures:
Educating the employees about the security policies and frameworks, best
practices, etc.
Creating awareness among the users and employees about social engineering
attacks.
CHAPTER 8
Unlike a Denial of Service (DoS) attack, in which one computer and one Internet
connection is used to flood a targeted resource with packets, a DDoS attack uses
many computers and many Internet connections, often distributed globally in what is
referred to as a botnet.
A large-scale volumetric DDoS attack can generate traffic measured in tens (or even
hundreds) of gigabits per second. A normal network will not be able to handle such
traffic.
Botnets can be used to send more connection requests than a server can handle
at a time.
Due to the distributed nature of these machines, they can generate distributed
high-volume traffic which may be difficult to handle. It finally results in a
complete blockage of the service.
Types of DDoS Attacks
DDoS attacks can be broadly categorized into three categories −
Volume-based Attacks
Protocol Attacks
Volume-Based Attacks
Volume-based attacks include TCP floods, UDP floods, ICMP floods, and other
spoofed-packet floods. These are also called Layer 3 & 4 attacks. Here, an attacker
tries to saturate the bandwidth of the target site. The attack magnitude is measured
in bits per second (bps).
UDP Flood − A UDP flood is used to flood random ports on a remote host
with numerous UDP packets, more specifically port number 53. Specialized
firewalls can be used to filter out or block malicious UDP packets.
ICMP Flood − This is similar to UDP flood and used to flood a remote host
with numerous ICMP Echo Requests. This type of attack can consume both
outgoing and incoming bandwidth and a high volume of ping requests will
result in overall system slowdown.
HTTP Flood − The attacker sends HTTP GET and POST requests to a
targeted web server in a large volume which cannot be handled by the server
and leads to denial of additional connections from legitimate clients.
Protocol Attacks
Protocol attacks include SYN floods, Ping of Death, fragmented packet attacks,
Smurf DDoS, etc. This type of attack consumes actual server resources and other
resources like firewalls and load balancers. The attack magnitude is measured
in Packets per Second.
DNS Flood − DNS floods are used for attacking both the infrastructure and a
DNS application to overwhelm a target system and consume all its available
network bandwidth.
SYN Flood − The attacker sends TCP connection requests faster than the
targeted machine can process them, causing network saturation.
Administrators can tweak TCP stacks to mitigate the effect of SYN floods: reduce
the timeout before the stack frees the memory allocated to a connection, or
selectively drop incoming connections using a firewall or iptables.
Application Attack − This is also called Layer 7 Attack, where the attacker
makes excessive log-in, database-lookup, or search requests to overload the
application. It is really difficult to detect Layer 7 attacks because they
resemble legitimate website traffic.
Zero-day DDoS Attacks − A zero-day vulnerability is a system or
application flaw previously unknown to the vendor, which has not been fixed or
patched. New attacks of this type come into existence day by day, for
example exploiting vulnerabilities for which no patch has yet been released.
Your DDoS protection starts from identifying and closing all the possible OS and
application level vulnerabilities in your system, closing all the possible ports,
removing unnecessary access from the system and hiding your server behind a proxy
or CDN system.
If you see a low-magnitude DDoS, you can find many firewall-based solutions
which help in filtering out DDoS traffic. But if you face a high-volume DDoS
attack, in gigabits or more, you should take the help of a DDoS protection service
provider that offers a more holistic, proactive and genuine approach.
You must be careful while approaching and selecting a DDoS protection service
provider. There are a number of service providers who want to take advantage of your
situation. If you inform them that you are under a DDoS attack, they will start
offering you a variety of services at unreasonably high costs.
We can suggest a simple and working solution which starts with a search for a
good DNS solution provider who is flexible enough to configure A and CNAME
records for your website. Second, you will need a good CDN provider that can
handle big DDoS traffic and provides a DDoS protection service as part of their
CDN package.
Create an A record in the DNS zone file as shown below with a DNS identifier,
for example ARECORDID, and keep it secret from the outside world.
Now ask your CDN provider to link the created DNS identifier with a URL,
something like cdn.someotherid.domain.com.
You can take the help from your system administrator to understand these points and
configure your DNS and CDN appropriately. Finally, you will have the following
configuration at your DNS.
Now let the CDN provider handle all types of DDoS attacks and your system will
remain safe. But the condition is that you should not disclose your system's IP
address or A record identifier to anyone; otherwise direct attacks will start again.
An attacker can select the zombies randomly or topologically, and once they are
compromised he sets up a command and control server to control the zombies that
attack the target. A bot is malicious software installed on compromised machines
which gives the attacker control over the zombies. The network of bots is called a botnet.
CHAPTER 9
Session Hijacking
Session Hijacking and its Types
Session hijacking is defined as taking over an active TCP/IP communication session
without the user’s permission. When implemented successfully, attackers assume the
identity of the compromised user, enjoying the same access to resources as the
compromised user. Identity theft, Information theft, stealing sensitive data are some of
the common impacts of session hijacking.
Active:
The attacker silences one of the machines, usually the client computer, and takes
over the client’s position in the communication exchange between the workstation
and the server. The active attack also allows the attacker to issue commands on the
network, making it possible to create new user accounts on the network, which can
later be used to gain access to the network without having to perform the session
hijack attack again.
Passive:
In Passive session hijacking attack, the attacker monitors the traffic between the
workstation and server. The primary motivation for the passive attack is to monitor
network traffic and potentially discover valuable data or passwords.
Session Hijacking Process
The first step in the session hijack attack is locating a target user. Attackers look for
two things prior to their attack- first, they look for networks that have a high level of
utilization; high volume networks help attackers to remain anonymous and they also
provide a healthy supply of users to choose from, which also helps the attack.
Secondly, users who use insecure network protocols such as Telnet, rlogin (remote
login), and FTP (file transfer protocol) are easy targets due to their inherently insecure
design. Packet sniffing software can be used to sniff network traffic for the purpose of
locating vulnerable protocols like FTP, Telnet, and rlogin. Port scanning software can
also be used to identify servers that have FTP, Telnet, or rlogin ports open.
The attacker then finds an active session between the target and another machine and
places himself between them. Using a sniffer like Wireshark, he captures the traffic
and tries to gather information about the session.
2. Monitor:
He then monitors the traffic for vulnerable protocols like HTTP, telnet, rlogin, etc.,
and tries to find any valid authentication packets passing through.
3. Session Id Retrieval:
The attacker tries to predict the session id using available information. Now that a
target has been chosen, the next step in the session hijacking process is sequence
number prediction. Sequence number prediction is a critical step because failing to
predict the correct sequence number will result in the server sending reset packets and
terminating the connection attempt. If the attacker guesses the sequence numbers
wrong repeatedly, the likelihood of detecting the attack increases.
4. Stealing:
In application-level hijacking, active attacks are pursued to steal the session Id. Man
in the middle attack, cross-site scripting, sniffing are used to steal the session id.
While sequence number guessing can be done manually by skilled attackers,
software tools are available to automate the process.
Once a session is chosen and sequence numbers predicted, one of the targets has to be
silenced. This is generally done with a denial of service attack. The attacker must
ensure that the client computer remains offline for the duration of the attack, or the
client computer will begin transmitting data on the network causing the workstation
and the server to repeatedly attempt to synchronize their connections; resulting in a
condition known as an ACK storm.
The final phase of the session hijack attack entails taking over the communication
session between the workstation and server. The attacker will spoof their client IP
address, to avoid detection, and include a sequence number that was predicted earlier.
If the server accepts this information, the attacker has successfully attacked the
communication session.
1. Network Level
2. Application Level
By using automated tools/spoofing methods the attacker splits the connection between
the targets into two: one connection between the client and the attacker and another
between the attacker and the server. Since the attacker becomes the man in the middle,
all the traffic goes through him, hence he can capture the session Id.
Cross-site scripting:
Using Proxy:
By setting up a proxy and causing the traffic to flow through the proxy, one can
capture the session Id details.
Man-in-the-Browser:
A Trojan installed in the victim’s browser notifies the attacker of the session Id.
Session Replay:
Capturing the authentication packets by sniffing the traffic; replaying those packets
after a time interval may cause the attacker to successfully login to the session of the
authorized user.
After the handshake, it is just a matter of sending packets and incrementing the
sequence number to verify that the packets are getting sent and received.
The goal of the TCP session hijacker is to create a state where the client and server
are unable to exchange data; enabling him/her to forge acceptable packets for both
ends, which mimic the real packets. Thus, the attacker is able to gain control of the
session.
IP Spoofing: IP spoofing is a technique used to gain unauthorized access to
computers, where the intruder sends a message to a computer with an IP address
indicating that the message is coming from a trusted host.
Man in the middle Attack: Attacker tries to get the session Id by doing ARP
spoofing and man in the middle attack.
Blind Hijacking: In cases where source routing is disabled, the session hijacker can
also use blind hijacking where he injects his malicious data into intercepted
communications in the TCP session. It is called blind because he cannot see the
response; though the hijacker can send the data or commands, he is basically guessing
the responses of the client and server.
Counter Measures:
Use secure protocols instead of clear text protocols like HTTP, FTP, Telnet,
rlogin, etc.
Implement session timeouts, and invalidate the session id when the user logs out
or the session id expires.
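The session countermeasures above, as an added example that is not part of the original report: a server-side session store whose ids come from a cryptographic random source (so they cannot be predicted, unlike the sequence numbers discussed earlier), with an idle timeout, an absolute lifetime and invalidation on logout. The injectable clock is an assumption made so expiry can be exercised without waiting.

```python
"""Server-side session store with unpredictable ids, timeouts and logout.

Added example, not part of the original report. It implements the
countermeasures listed above: session ids drawn from a cryptographic random
source (so they cannot be predicted or guessed), an idle timeout, an absolute
lifetime, and invalidation on logout. The clock is injectable so expiry can
be exercised without waiting; the default is time.time.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    created: float    # when the session was issued
    last_seen: float  # last request that presented a valid id


class SessionStore:
    def __init__(self, idle_timeout: float = 15 * 60, max_lifetime: float = 8 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        """Issue a fresh id: 32 random bytes, URL-safe base64 encoded (43 characters)."""
        now = self._clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None (and drop it) if it has expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > self.idle_timeout
        lifetime_expired = now - session.created > self.max_lifetime
        if idle_expired or lifetime_expired:
            del self._sessions[sid]
            return None
        session.last_seen = now  # activity extends the idle window, not the lifetime
        return session.user

    def logout(self, sid: str) -> bool:
        """Invalidate server-side so a captured id cannot be replayed after logout."""
        return self._sessions.pop(sid, None) is not None


if __name__ == "__main__":
    store = SessionStore(idle_timeout=2)
    sid = store.create("alice")
    print(store.validate(sid))   # alice
    time.sleep(3)
    print(store.validate(sid))   # None: idle timeout passed
```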
CHAPTER 10
Attacks:
Parameter Tampering:
This involves modifying parameters exchanged between client and server, which may
lead to XSS attack and SQL injection attack. Usually, HTML data goes as a name-
value pair; if the attacker is able to modify the values of the parameter during transfer,
it may lead to many other attacks.
Unvalidated inputs:
Web applications accept user inputs, and queries are constructed based on dynamic user
input. If these inputs are not properly sanitised they open a way for the attacker to
launch attacks like XSS, SQL injection, directory traversal, etc.; identity theft and
data theft are dangerous outcomes of these attacks.
This is a type of vulnerability where an attacker is able to access beyond the web root
directory, into the restricted directories on the web server. Then an attacker will be
able to access system files, run OS commands, access configuration information, etc.
Injection Flaws
SQL Injection:
User login screens, URLs, search boxes are the point of interest to an attacker since
they are dynamic inputs, based on which web application requests are constructed. If
an attacker is successful in making the browser construct a malicious query and get it
executed by the back-end database, it is called SQL injection. An attacker may
modify or delete data, or even mount a DoS attack on the database.
Command Injection:
If a user is able to inject operating system commands into any user input field, an
attacker may inject malicious commands to get sensitive information from the
web server.
LDAP injection:
Reflected XSS:
Here the attacker will send a script as an input, and the attacker's contents will be
reflected back to the victim. He can craft malicious scripts to get session cookies,
redirect to a malicious web page, inject data, execute system commands and much
more.
Stored XSS:
Here the input entered by the attacker will be stored in the database; e.g. blog. Anyone
visiting the page will have this script running, thus affecting everyone who visits that
page.
An attacker with/without the help of bots can flood the target system and reduce,
restrict or prevent the target system from providing service to the authorised clients.
Hacking Methodology
Web footprinting:
Whois information
Netcraft information
Firewall information
Hidden contents
Vulnerability scanners:
Scanners like Nikto, Nessus, URLscan, Acunetix can be used to find out
vulnerabilities in a web application.
The next step is to know the entry points like login screens, URLs, cookies, and
output points like display screens, reports, etc. We need to find vulnerabilities to
bypass the access controls and break into the application. All the above discussed
attacks should be tested for the possibility.
Countermeasures:
Limit what may be entered in the input fields.
Check for arbitrary inputs like scripts, SQL injection code, etc.
Use prepared statements and parameterised SQL queries to avoid SQL injection.
Encrypt cookies.
CHAPTER 11
SQL Injection
Introduction to SQL Injection
SQL injection is an attack where the hacker makes use of unvalidated user input to
enter arbitrary data or SQL commands; malicious queries are constructed and, when
executed by the backend database, produce unwanted results. The attacker should
have knowledge of the backend database and must make use of different strings
to construct malicious queries and post them to the target.
For example, in a user login screen, username and password are the dynamic fields
where users enter data. Depending on the user’s inputs dynamic queries will be
constructed; the usual query will be
If the input fields are not sanitized properly, then the malicious user can enter some
data like this
Password = password
Here both username and password are incorrect. But the query which is constructed
will be
The query will run and the user will be granted access. This is because the first part of
the query is
Because -- is a comment sequence in SQL, everything following it will be ignored. The
query will only evaluate username=’blah’ or 1=1.
Types of SQL Injection
Error based Injection:
The attacker sends some malicious query to the database which results in errors. The
errors should be very generic, otherwise, they may give useful hints to the attacker.
Comment-Line: Using comment line to cause the database to ignore a part of a valid
query.
E.g. Select * from stores where product_id = blah’ or 1=1-- (everything after this will
be ignored)
Tautology: There are a lot of strings which always evaluate to true, like ‘1’ = ‘1’,
‘a’ = ‘a’, etc.; using them in the query creates constantly true conditions.
Incorrect queries: Coming up with logically incorrect queries to see the error
messages to get more information about the target database.
The above query will result in a syntax error and might reveal the backend database
type.
This is a type of SQL injection where we don’t have a clue whether the web
application is vulnerable to injection or not.
Types:
Boolean: Only correct queries show a result; wrong queries return nothing.
Attackers should try to generate logically correct queries.
With Select * from users where id=’blah’ or 1=1#, we will see the user results.
If we give blah’ and 1=2# as input, which is a wrong query, then we don’t see any
results.
Time delay: Depending on some conditions, setting a time delay. If that condition is
satisfied, we can observe the time delay; thereby, concluding that the input we gave
produced a positive result. This is a time consuming process.
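The login bypass from the introduction and the boolean probe from the Types section, run against an in-memory SQLite database, as an added example that is not part of the original report. The `users` table and its single user are constructed; the same query is shown built by string concatenation (vulnerable) and as a parameterised query (the countermeasure).

```python
"""Login query built by string concatenation versus a parameterised query.

Added example, not part of the original report. It reproduces the login
bypass described in the introduction and the boolean-blind probe from the
"Types" section against an in-memory SQLite database containing one
constructed user. SQLite treats -- as a comment (MySQL also accepts #), so
the injected strings below end in --. Passwords are stored in clear only to
keep the example short; a real application stores a salted hash.
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'correct horse')")  # constructed
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """The pattern the text warns about: user input pasted straight into the SQL text."""
    query = ("SELECT username FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterised query: the driver sends the values separately, so quotes,
    'or 1=1' and comment markers are compared as literal characters, never parsed."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # A true condition returns the first user; a false one returns nothing.
    print(login_vulnerable(db, "blah' or 1=1--", "password"))   # alice
    print(login_vulnerable(db, "blah' and 1=2--", "password"))  # None
    # The same payload against the parameterised query is just an unknown username.
    print(login_safe(db, "blah' or 1=1--", "password"))         # None
```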
Tools:
Use encryption.
CHAPTER 12
Cryptography
Introduction to Cryptography
Cryptography is the art of converting text into another form for secret transmission
and reception. It works by converting plain text into cipher text using some encryption
algorithm at the sender’s side and converting ciphertext into plain text at the
receiver’s. Cryptography is used to provide confidentiality, integrity, authenticity and
non-repudiation.
Key terms:
Symmetric cryptography:
Here one single key is used for encryption and the same key is used for decryption. DES
and AES are examples of symmetric key cryptography.
Asymmetric cryptography:
Here two keys are used: the public key is used for encryption and the private key is
used for decryption; e.g. RSA.
Block Cipher:
The input plain text is broken into fixed size blocks and they are encrypted /decrypted
as a block; e.g. DES, AES.
Stream cipher:
Digital Signatures:
Digital signatures are used to establish the genuineness of the source; the sender signs
with his private key, and at the receiver’s end it can be decrypted only with the public
key of the sender. This enables the receiver to know who has sent the message.
Hash Algorithms:
Hash algorithms are used to maintain the integrity of the data by finding a definite
number for the file and verifying it at the receiver’s end.
At the sender’s side, the hash algorithm generates a fixed size number for any-sized
file. This number or hash value is sent along with the cipher text to the receiver. At
the receiver’s end, the cipher text is first decrypted, and then using hash algorithm a
hash value is generated. If the hash value matches with the hash value that came with
the cipher text, then the message was not corrupted. If it is different, then we can
understand that the message has been intercepted and modified.
PKI is a set of roles, policies and procedures needed to create, manage, distribute, use,
store, and revoke digital certificates, and manage public-key encryption. Here the
binding of the public key to respective identities, like people or organisation is done.
In public environment, where third-party verifications are required, this PKI is used.
There are three parties involved here-
Registration authority
Validation Authority
Certification authority
When a user needs a public key certificate he first goes to the certification authority,
which then redirects him to the registration authority. RA collects all information like
name, personal identity information, public key, etc., and creates a certificate and
passes it on to the certification authority. The certifying authority gets one copy of the
certificate and signs it using the private key, authorising the public key of the user.
One copy is stored in the database of validation authority; at any future point in time,
the user’s public key can be verified with validation authority.
Every certificate issued by CA has an expiry date, the private key of CA and the
public key of the user. Upon expiry, or if stolen, the certificate can be renewed or re-
issued.
Secure Socket Layer (SSL) is a public key cryptosystem used over the application
layer to provide encryption for data passing over HTTP. SSL breaks the incoming
data into fixed-size blocks, fragments and compresses them, encrypts them, adds a
MAC header and passes them to the receiving end. It has four protocols.
Cryptography attacks:
Timing Attack