
WINTER TRAINING REPORT

ON

ETHICAL HACKING
Done by

VIMUKT

Enrollment No. : 41496302816

At

Kyrion Technologies Pvt. Ltd.

1009, Indraprakash Building, Barakhamaba Road,

Connaught Place, New Delhi-110001

Submitted to

Department of Electronics and Communication Engineering

MAHARAJA SURAJMAL INSTITUTE OF TECHNOLOGY
C-4, Lal Sain Mandir Marg, Janak Puri, New Delhi, Delhi 110058

HACK’ER

/’ha-ker/

Noun

One who enjoys the intellectual challenge of creatively overcoming limitations.

BONAFIDE CERTIFICATE

Certified that this Winter Training Report is a work of VIMUKT (Enrollment No.:
41496302816) who carried out the work at Kyrion Technologies Pvt. Ltd. 1009,
Indraprakash Building, Barakhamaba Road, Connaught Place, New Delhi-110001.

Class In charge: (Mr. Dileep Kumar Dwivedi)

HOD: (Dr. Pardeep Sangwan)

ACKNOWLEDGEMENT
It is always a pleasure to remind the fine people in the Engineering program of the
sincere guidance I received to uphold my practical as well as theoretical skills in
engineering.

Firstly, I would like to thank Prof. K.P. Chaudhary (Director of Maharaja Surajmal
Institute of Technology) for meticulously planning the academic curriculum in such a
way that students are not only academically sound but also industry ready.

I would also like to thank Mr. Dileep Kumar Dwivedi (Class In charge) for the
positive attitude he showed towards my work, always allowing me to question him and
giving prompt replies to my uncertainties in all fields, including educational,
social and managerial work.

I would also like to acknowledge and express my heartfelt gratitude to Dr. Pardeep
Sangwan (HOD), who continuously supported me in every possible way, from initial
advice to encouragement till this date.

I express my immense pleasure and deep sense of gratitude to Ms. Aanchal Aggarwal,
teacher at Kyrion Technologies Pvt. Ltd., for her cooperation and guidance. I am also
thankful to her lab assistant, who provided staunch support throughout this training
and helped me to complete the training successfully.

TABLE OF CONTENTS                                                           PAGE

1. Introduction to Ethical Hacking........................................................8
   1.1. What is Ethical Hacking?
   1.2. Hackers - The Anonymous Threat?
   1.3. The good and the evil - Ideology and Ethics of the Hacker
   1.4. Types of Hackers
   1.5. Phases of Hacking
   1.6. Different Types of Attacks

2. Footprinting and Reconnaissance.....................................................15
   2.1. What is Footprinting?
   2.2. Objectives of Footprinting
   2.3. Footprinting Methodologies
   2.4. Reconnaissance

3. Scanning and Enumeration...............................................................21
   3.1. What is Scanning?
   3.2. Scanning Methodology
   3.3. Enumeration and its types

4. System Hacking...................................................................................30
   4.1. Goals of System Hacking

5. Introduction to Malware and its types..............................................36
   5.1. Virus
   5.2. Trojans
   5.3. Worms
   5.4. Rootkits, Spyware and Ransomware

6. Sniffing and its types...........................................................................42
   6.1. What is Sniffing?
   6.2. ARP Table
   6.3. CAM Table
   6.4. Active Sniffing Attacks

7. Social Engineering...............................................................................47

8. Distributed Denial of Service..............................................................50
   8.1. What are Botnets?
   8.2. Types of DDoS Attacks

9. Session Hijacking..................................................................................55
   9.1. Session Hijacking and its types
   9.2. Session Hijacking Process
   9.3. Session Hijacking Levels

10. Web Application Attacks.....................................................................60

11. SQL Injection........................................................................................64
   11.1. Introduction to SQL Injection
   11.2. Types of SQL Injection

12. Cryptography.......................................................................................67
   12.1. Introduction to Cryptography
CHAPTER 1

Introduction to Ethical Hacking


What is Ethical Hacking?
Ethical Hacking, sometimes called Penetration Testing, is the act of
intruding into or penetrating systems or networks to find the threats and
vulnerabilities that a malicious attacker might find and exploit, causing loss of data,
financial loss or other major damage. The purpose of ethical hacking is to improve
the security of the network or systems by fixing the vulnerabilities found during
testing. Ethical hackers may use the same methods and tools as malicious
hackers, but with the permission of the authorized person and for the purpose of
improving security and defending the systems from attacks by malicious users.

Ethical hackers are expected to report all the vulnerabilities and weaknesses found
during the process to the management.

Hackers – The anonymous threat?

To understand a person’s intention and motivation to hack into a system we first have
to analyse their background, psychology and social environment. We have to be very
clear about how intruders tick. The image of the typical computer criminal that is often
conveyed by the media can be misleading – and can hamper our efforts to implement
an appropriate defence…

Research to date indicates that criminal computer behaviour is on the rise and will
continue to be so for the next few years. Therefore it is important that we develop a
reasonable understanding of those people who become involved; elements of this
understanding must include personality characteristics, motivations, and what attracts
these criminals in the first place.

Bruce Schneier, the well-known information security guru, states: “In this same vein,
computer networks have been plagued for years by hackers breaking into them. But
these people aren’t breaking into systems for profit; they don’t commit fraud or theft.
They’re breaking into systems to satisfy their intellectual curiosity, for the thrill, and
just to see if they can… Hackers’ traditional and common defence is that they’re
breaking into systems to test their security. They say the only way to learn about
computer and network security is to attack systems. Never mind that these hackers
don’t own the systems they’re breaking into; that’s just the excuse.” He points out that
there is an ongoing controversial discussion about whether hackers are genuinely
committing criminal acts while intruding into a network: “‘I was only
testing security’ is not a valid defence. For years, we in the computer security field
have heard that excuse. Because the hacker didn’t intend harm, because he just broke
into the system and merely looked around, it wasn’t a real crime. Here’s a thought for
you: imagine you return home and find the following note attached to your
refrigerator: ‘I was testing the security of back doors in the neighborhood and found
yours unlocked. I just looked around. I didn’t take anything. You should fix your
lock.’ Would you feel violated? Of course you would.”

The good and the evil - Ideology and ethics of hackers


There is a consistent perception amongst the population about the typical hacker.
These images are usually driven by the media. When incidents involving hackers take
place it is very common for the press to project all manner of evil on this interest
group. But who can blame them? Marc Rogers’ classification above is not widely
known or understood, with the result that most people do not distinguish between a
hacker and a criminal.

No matter how deeply we discuss this topic in theory, one fact remains: hackers are
something of a myth for society, because we cannot deal rationally with them. Once
again, a person who enters your house and leaves a message on your fridge saying, “I
was testing the security of back doors in the neighborhood and found yours unlocked.
I didn’t take anything, but you should fix your system!” is violating your privacy. And
this is criminal - even though the intention of the incident was ostensibly good. This
simple example will help us both to understand hackers’ behaviour in the discussion
below, and also to gain a better understanding of the difference between malicious
hackers and those who claim to be honourable.

The distributed denial of service attacks on Microsoft’s and Sun’s websites in the 1st
quarter of 2004 focused more attention on hackers’ activities than any other recent
incidents. Hackers spread programmes to a large number of PCs over the Internet and
used them to overload the systems of those companies. (In this case a worm was used
to spread itself via email to PCs connected to the Internet; on 1st February more than
50,000 unprotected PCs attacked the sites.)

Not as spectacular but with lots of criminal potential is the following example. An
Italian couple hacked into the security system of two American banks and stole credit
card data of nearly 1,500 clients of the bank. They used the credit cards for various
purchases, and once they felt bored with living in luxury, they decided to play the
‘lotto’. In one month, they purchased $750,000-worth of tickets. The winnings of
$400,000 were directly transferred into their bank account.

Through incidents like these, hackers gain extraordinary publicity – whether or not it
is desired or intended. And the public is not able to distinguish – for them, a hacker is
a threat – pure and simple. Our governments are forever promising stricter laws and
regulations to defend against such attacks – but they all forget that hackers’ activities
and efforts have brought a lot of advantages to the informational community as well.

And indeed, there does seem to be a difference between good and evil hackers. We
conducted some interviews with hackers that prove this assumption. Having already
categorised hackers in the typology earlier, the most important distinction is between
‘hackers’ and so-called ‘crackers’.

Hackers have defined ethics which are respected within their community. They want
to use their knowledge for good purposes. They report security gaps in
networks and electronic communication, vulnerabilities in e-commerce, and
deficiencies in the accuracy of software programming processes. The builders of the
Open Source society are hackers. People including the developer of the Linux
operating system - Linus Torvalds - or Richard Stallman, founder of the Free
Software Foundation, can all be considered hackers.

There is an encyclopedia of the hacker scene which is called the “Jargon File”. Initiated
in 1975, this file is updated on a regular basis by freelance authors. The main focus is
a definition of hackers - by themselves - and how they differentiate themselves from
crackers.

Types of Hackers
‘Black Hat’ Hackers
The term “black hat” originated from Western movies, where the bad guys wore black
hats and the good guys wore white hats.
A black-hat hacker is an individual who attempts to gain unauthorized entry into a
system or network in order to exploit it for malicious reasons. The black-hat hacker does
not have any permission or authority to compromise their targets. They try to inflict
damage by compromising security systems, altering the functions of websites and
networks, or shutting down systems. They often do so to steal or gain access to
passwords, financial information and other personal data.

‘White Hat’ Hackers

White-hat hackers, on the other hand, are deemed to be the good guys, working with
organizations to strengthen the security of a system. A white hat has permission to
engage the targets and to compromise them within the prescribed rules of
engagement.

White-hat hackers are often referred to as ethical hackers. Such an individual specializes
in ethical hacking tools, techniques and methodologies to secure an organization’s
information systems.

Unlike black-hat hackers, ethical hackers probe networks and look for
backdoors only when they are legally permitted to do so. White-hat hackers always
disclose every vulnerability they find in the company’s security system so that it can
be fixed before it is exploited by malicious actors.
Some Fortune 50 companies like Facebook, Microsoft and Google also use white-hat
hackers.

‘Grey Hat’ Hackers
Grey hats exploit networks and computer systems in the way that black hats do, but
do so without any malicious intent, disclosing all loopholes and vulnerabilities to law
enforcement agencies or intelligence agencies.

Usually, grey-hat hackers surf the net and hack into computer systems to notify the
administrator or the owner that their system/network contains one or more
vulnerabilities that must be fixed immediately. Grey hats may also extort the owner of
the hacked system, offering to correct the defect for a nominal fee.

Phases of Hacking
1. Reconnaissance:

This is the first step of hacking. It is also called the Footprinting or information
gathering phase. This is the preparatory phase where we collect as much information
as possible about the target. We usually collect information about three groups:

1. Network

2. Host

3. People involved

There are two types of Footprinting:

- Active: Directly interacting with the target to gather information about the
target, e.g. using the Nmap tool to scan the target.

- Passive: Trying to collect information about the target without directly
accessing the target. This involves collecting information from social media,
public websites etc.

2. Scanning:

Three types of scanning are involved:

- Port scanning: This phase involves scanning the target for information
like open ports, live systems and the various services running on the host.

- Vulnerability Scanning: Checking the target for weaknesses or
vulnerabilities which can be exploited. Usually done with the help of automated
tools.

- Network Mapping: Finding the topology of the network, routers, firewalls and
servers if any, and host information, and drawing a network diagram with the
available information. This map may serve as a valuable piece of information
throughout the hacking process.

3. Gaining Access:

This phase is where an attacker breaks into the system/network using various tools or
methods. After entering a system, he has to escalate his privileges to administrator
level so that he can install the applications he needs, or modify or hide data.

4. Maintaining Access:

A hacker may just hack the system to show that it was vulnerable, or he may be so
mischievous that he wants to maintain or persist the connection in the background
without the knowledge of the user. This can be done using Trojans, rootkits or other
malicious files. The aim is to maintain access to the target until he finishes the
tasks he planned to accomplish on that target.

5. Clearing Tracks:

No thief wants to get caught. An intelligent hacker always clears all evidence so that
at a later point in time, no one will find any traces leading to him. This involves
modifying/corrupting/deleting log entries, modifying registry values,
uninstalling all the applications he used and deleting all the folders he created.

Different types of attacks

Operating System Attacks:

Finding OS vulnerabilities and exploiting them, e.g. a buffer overflow or an un-patched
system.

Misconfiguration Attacks:

Targeted towards databases, networks, web servers, application platforms etc. They
happen due to the misconfiguration of the deployed devices or systems.

Application Level Attacks:

Attacks targeted towards the installed applications, e.g. buffer overflow, cross-site
scripting, SQL injection etc.

Shrink Wrap Code Attacks:

Attacks on default or off-the-shelf components; they happen if the code/script is not
fine-tuned.

CHAPTER 2

Footprinting and Reconnaissance


What is Footprinting?
Footprinting refers to the process of collecting as much information as possible about
the target system in order to find ways to penetrate it. An ethical hacker has to spend the
majority of his time profiling an organization, gathering information about the hosts,
network and people related to the organization.

Information such as IP addresses, Whois records, DNS information, the operating system
used, employee email IDs, phone numbers etc. is collected.

Footprinting helps to:

Know the security posture – The data gathered gives an overview of the
security posture of the company, such as details about the presence of a firewall,
security configurations of applications etc.

Reduce the attack area – We can identify a specific range of systems and concentrate on
particular targets only. This greatly reduces the number of systems we are
focusing on.

Identify vulnerabilities – We can build an information database containing the
vulnerabilities, threats and loopholes present in the systems of the target organization.

Draw a network map – Helps to draw a network map of the networks in the target
organization covering topology, trusted routers, presence of servers and other
information.

Objectives of Footprinting
Network Footprinting

This is the process of collecting information related to a target network. Information
like domain name, subdomains, network blocks, IP addresses of reachable systems,
IDSes running, rogue websites/private websites, TCP and UDP services running, VPN
endpoints, networking protocols, ACLs etc. is collected.

Collect System Information

Information related to the target system, like user and group names, system
banners, routing tables, SNMP information, system names etc., is collected using
various methods.

Collect Organization's Information

Information related to employee details, the organization website, location details,
the security policies implemented and the background of the organization may serve as an
important piece of information for compromising the security of the target using
direct or social engineering attacks.

Footprinting Methodology
Various methods are used to collect information about the target organization. They are:

Footprinting through Search Engines

This is a passive information gathering process where we gather information about the
target from social media, search engines, various websites etc. Information gathered
includes names, personal details, geographical location details, login pages, intranet
portals etc. Even some target-specific information like operating system details, IP
details, netblock information, the technologies behind a web application etc. can be
gathered through search engines.

Eg: collecting information from Google, Bing etc.

Google Hacking:

Google hacking refers to collecting information using Google dorks (keywords) by
constructing search queries which result in finding sensitive information. Details
collected include compromised passwords, default credentials, competitor
information, information related to a particular topic etc.

Eg: inurl:, site:, allintitle: etc.

Examining HTML Source and Examining Cookies

The HTML source code of a web application may give us an understanding of the
application functionality, hidden fields, comments, variable names etc. Cookies are
used to identify a user within his session. These cookies may be stored in the browser,
passed in the URL, or sent in the HTTP header.

The entire website can be mirrored using tools like HTTrack to gather information
at our own pace.

Extract Website Archives: older versions of a website can be obtained
which may reveal some information related to the target.

Eg: www.archive.org

Email Footprinting

An email header reveals information about the mail server, the original sender’s email ID,
the internal IP addressing scheme, as well as the possible architecture of the target
network.

Competitive Intelligence

Competitive intelligence gathering is the process of gathering information about
competitors from resources such as the Internet.

Eg: company website, search engines, online databases, press releases,
annual reports, trade journals

Google Hacking/Google Dorks

This is the process of creating search queries that extract hidden information by using
Google operators to search for specific strings of text inside the search results.

Some Google operators: site:, allinurl:, inurl:, allintitle:

Whois Footprinting

Whois databases and servers are operated by the RIRs - Regional Internet Registries.
These databases contain the personal information of domain owners. Whois is a
query/response protocol used for querying Whois databases; the protocol is
documented in RFC 3912. The Whois utility interrogates the Internet domain name
administration system and returns the domain ownership, address, location, phone
numbers and other details about a specified domain name.

DNS Footprinting

DNS is a naming system for computers that converts human-readable domain names
into computer-readable IP addresses and vice versa. DNS uses UDP port 53 to serve
its requests. A zone stores all the information, or resource records,
associated with a particular domain in a zone file. Resource records returned by
the name servers have the following fields:

- Domain Name — Identifies the domain name or owner of the record

- Record Type — Specifies the type of data in the resource record

- Record Class — Identifies the class of network or protocol family in use

- Time to Live (TTL) — Specifies the amount of time a record can be stored
in a cache before it is discarded

- Record Data — Provides the type- and class-dependent data describing the
resource

Common record types:

A (address)—Maps a hostname to an IP address

SOA (Start of Authority)—Identifies the DNS server responsible for the domain
information

CNAME (canonical name)—Provides additional names or aliases for the address
record

MX (mail exchange)—Identifies the mail server for the domain

SRV (service)—Identifies services such as directory services

PTR (pointer)—Maps IP addresses to hostnames

NS (name server)—Identifies other name servers for the domain

HINFO (host information)—Describes the host's hardware and operating system

DNS servers perform zone transfers to keep themselves up to date with the latest
information. A zone transfer of a target domain gives a list of all public hosts, their
respective IP addresses, and the record type.

Footprinting through Social Engineering:

Social media like Twitter and Facebook are searched to collect information like personal
details, user credentials and other sensitive information using various social engineering
techniques. Some of the techniques include:

- Eavesdropping: The process of intercepting communication without authorization
to gather information
- Shoulder surfing: Secretly observing the target to gather sensitive
information like passwords, personal identification information, account
information etc.
- Dumpster Diving: The process of collecting sensitive information by
looking into the trash bin. Many documents are not shredded before they are
disposed of in the trash. Retrieving these documents from the trash
may reveal sensitive information such as contact information, financial
information, tender information etc.

Footprinting countermeasures:
o Creating awareness among employees and users about the dangers
of social engineering
o Limiting the sensitive information that is published
o Encrypting sensitive information
o Using privacy services on the Whois lookup database
o Disabling directory listings on the web servers
o Enforcing security policies

Reconnaissance
Information gathering and getting to know the target systems is the first process in
ethical hacking. Reconnaissance is a set of processes and techniques (Footprinting,
Scanning and Enumeration) used to covertly discover and collect information about a
target system.

During reconnaissance, an ethical hacker attempts to gather as much information
about a target system as possible, following the seven steps listed below:

- Gather initial information

- Determine the network range

- Identify active machines

- Discover open ports and access points

- Fingerprint the operating system

- Uncover services on ports

- Map the network

Reconnaissance takes place in two parts: Active Reconnaissance and Passive
Reconnaissance.

Active Reconnaissance
In this process, you directly interact with the computer system to gain
information. This information can be relevant and accurate, but there is a risk of
getting detected if you carry out active reconnaissance without permission. If you
are detected, the system admin can take severe action against you and trace your
subsequent activities.

Passive Reconnaissance
In this process, you are not directly connected to the computer system. This process
is used to gather essential information without ever interacting with the target
systems.

CHAPTER 3

Scanning and Enumeration


What is Scanning?
Scanning is a set of procedures for identifying live hosts, ports and services,
discovering the operating system and architecture of the target system, and identifying
vulnerabilities and threats in the network. Network scanning is used to create a profile
of the target organization.

Scanning refers to collecting more information using complex and aggressive
reconnaissance techniques.

The purpose of each scanning process is given below:

- Port Scanning – detecting open ports and the services running on the target.

- Network Scanning – IP addresses, operating system details, topology
details, trusted router information etc.

- Vulnerability Scanning – scanning for known vulnerabilities or weaknesses in a
system.

Scanning Methodology

- Check for Live Systems: A ping scan checks for live systems by sending
ICMP echo request packets. If a system is alive, it responds with an
ICMP echo reply packet containing details such as TTL, packet size etc.
- Check for Open Ports: Port scanning helps us to find open ports, the services
running on them, their versions etc. Nmap is the powerful tool used mainly for
this purpose.

We have various types of scan:

Connect scan: Identifies open ports by establishing a full TCP handshake with the target.

Nmap command: nmap -sT -v -p- <TargetIP>

Half-open scan: otherwise known as a Stealth scan, used to scan the target in a stealthy
way by not completing the TCP handshake, instead abruptly resetting the connection.

Nmap command: nmap -sS -v <TargetIP>

XMAS scan: This is also called inverse TCP scanning. It works by sending
packets with the PSH, URG and FIN flags set. The target does not respond if the port is
open and sends a reset response if the port is closed.

FIN scan: The FIN flag is set in the TCP packets sent to the target. Open ports do not
respond, while closed ports send a reset response.

Nmap command: nmap -sF <TargetIP>

ACK scan: Here the attacker sets the ACK flag in the TCP header, and the target's
port status is inferred from the window size and TTL value of the RESET packets
received from the target.

Nmap command: nmap -sA -v <TargetIP>

Null scan: Works by sending TCP packets with no flags set to the target. Open ports
do not respond, while closed ports respond with a RESET packet.

Nmap command: nmap -sN -p- <TargetIP>

Idle scan: Here the attacker masks his identity by using an idle (zombie) machine on the
network to probe the status of the target's ports.

Nmap command: nmap -Pn -sI <ZombieIP> <TargetIP>
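The flag combinations above are also what a defender looks for. As an added example that is not part of the original report, the following Python classifies packets from tcpdump-style lines into the scan types described (SYN, XMAS, NULL, FIN, unsolicited ACK) and marks sources that fan out across ports; the sample lines are constructed, and the three-port threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in tcpdump -nn style (not a real capture):
# 10.0.0.5 runs a SYN (half-open) sweep, 10.0.0.7 sends XMAS/NULL/FIN probes,
# 10.0.0.8 sends unsolicited ACKs, 10.0.0.11 is an ordinary client.
SAMPLE_LOG = """\
IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 1024, length 0
IP 10.0.0.9.22 > 10.0.0.5.40001: Flags [S.], seq 0, ack 2, win 64240, length 0
IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [R], seq 2, win 0, length 0
IP 10.0.0.5.40001 > 10.0.0.9.80: Flags [S], seq 1, win 1024, length 0
IP 10.0.0.5.40001 > 10.0.0.9.443: Flags [S], seq 1, win 1024, length 0
IP 10.0.0.7.51000 > 10.0.0.9.21: Flags [FPU], seq 1, win 1024, length 0
IP 10.0.0.7.51000 > 10.0.0.9.23: Flags [FPU], seq 1, win 1024, length 0
IP 10.0.0.7.51000 > 10.0.0.9.25: Flags [none], seq 1, win 1024, length 0
IP 10.0.0.7.51000 > 10.0.0.9.110: Flags [F], seq 1, win 1024, length 0
IP 10.0.0.8.33000 > 10.0.0.9.80: Flags [.], ack 1, win 1024, length 0
IP 10.0.0.8.33000 > 10.0.0.9.8080: Flags [.], ack 1, win 1024, length 0
IP 10.0.0.11.50000 > 10.0.0.9.443: Flags [S], seq 100, win 64240, length 0
IP 10.0.0.9.443 > 10.0.0.11.50000: Flags [S.], seq 0, ack 101, win 64240, length 0
IP 10.0.0.11.50000 > 10.0.0.9.443: Flags [.], ack 1, win 64240, length 0
"""

# tcpdump flag letters: S=SYN F=FIN R=RST P=PSH .=ACK U=URG; [none] = no flags
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, dst, dport, set_of_flag_letters), or None if not a TCP line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = m.group("flags")
    return m.group("src"), m.group("dst"), int(m.group("dport")), (
        set() if flags == "none" else set(flags))


def classify_probe(flagset, solicited):
    """Map a flag set to the scan type it matches; None for ordinary traffic.
    solicited=True means this source already SYN'd the same dst:port, so a
    bare ACK there belongs to a real connection rather than an ACK scan."""
    if flagset == {"F", "P", "U"}:
        return "xmas"
    if not flagset:
        return "null"
    if flagset == {"F"}:
        return "fin"
    if flagset == {"S"}:
        return "syn"
    if flagset == {"."} and not solicited:
        return "ack"
    return None


def detect_scans(log_text, syn_port_threshold=3):
    """Summarise probe activity per source and mark likely scanners."""
    seen_syn = set()               # (src, dst, dport) that started a handshake
    probes = defaultdict(Counter)  # src -> Counter of scan types
    syn_ports = defaultdict(set)   # src -> distinct ports SYN-probed
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, flagset = parsed
        key = (src, dst, dport)
        if flagset == {"S"}:
            seen_syn.add(key)
            syn_ports[src].add(dport)
        kind = classify_probe(flagset, solicited=key in seen_syn)
        if kind is not None:
            probes[src][kind] += 1
    report = {}
    for src, counts in probes.items():
        malformed = sum(counts[k] for k in ("xmas", "null", "fin", "ack"))
        # Any malformed-flag probe is suspicious; plain SYNs only when they
        # fan out across many ports (a single SYN is just a client connecting).
        suspicious = malformed > 0 or len(syn_ports[src]) >= syn_port_threshold
        report[src] = {"probes": dict(counts), "syn_ports": len(syn_ports[src]),
                       "suspicious": suspicious}
    return report


if __name__ == "__main__":
    for src, info in sorted(detect_scans(SAMPLE_LOG).items()):
        print(src, info)
```

On a real capture the bare-ACK rule needs a longer connection history than one log excerpt, otherwise mid-connection ACKs from sessions that began before the capture will be misreported.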

Banner Grabbing

Banner grabbing is the process of collecting information like operating system details,
the name of the service running with its version number etc.

Vulnerability scanning:

Mainly automated tools are used for this purpose. These automated scanners scan the
target to find vulnerabilities or weaknesses in the target organization which can be
exploited by attackers. Vulnerabilities include application vulnerabilities,
configuration vulnerabilities, network vulnerabilities, operating system vulnerabilities
etc.

Some examples include an operating system that is not updated, default passwords in use,
plain-text protocols in use, vulnerable protocols running etc.

Tools: Nessus, Acunetix

Draw Network Diagrams

With the information gathered, the attacker can come up with a network diagram
which might give him information about the network and architecture of the target
organization, helping him to identify the target easily.

Tools: Network View, OpManager etc.

Prepare Proxies

Proxies can be used to maintain the anonymity of the attacker by masking the IP address.
A proxy can capture information passing through it, since it acts as an intermediary between
client and server, and the attacker can access resources remotely through the proxy.

Eg: TOR browsers, onion sites, Proxify, Psiphon etc.

Countermeasures:

- Configure IDS and firewall to block probes.

- Keep firewall, router and IDS firmware updated.

- Run port scanners to verify the security of the target.

- Add rules in the firewall restricting access to ports.

- Disable ICMP-based scanning at the firewall.

Enumeration and its types
Enumeration is defined as the process of extracting user names, machine names,
network resources, shares and services from a system. In this phase, the attacker
creates an active connection to the system and performs directed queries to gain more
information about the target. The gathered information is used to identify
vulnerabilities or weak points in system security, which are then exploited in the
gaining-access phase.

Types of information enumerated by intruders:

- Network resources and shares

- Users and groups

- Routing tables

- Auditing and service settings

- Machine names

- Applications and banners

- SNMP and DNS details

Techniques for Enumeration

- Extracting user names using email IDs

- Extracting information using default passwords

- Brute-forcing Active Directory

- Extracting user names using SNMP

- Extracting user groups from Windows

- Extracting information using DNS zone transfer

Services and Ports to Enumerate

- TCP 53: DNS zone transfer

- TCP 135: Microsoft RPC Endpoint Mapper

- TCP 137: NetBIOS Name Service

- TCP 139: NetBIOS Session Service (SMB over NetBIOS)

- TCP 445: SMB over TCP (Direct Host)

- UDP 161: SNMP

- TCP/UDP 389: LDAP

- TCP/UDP 3368: Global Catalog Service

- TCP 25: Simple Mail Transfer Protocol (SMTP)

NetBIOS Enumeration

NetBIOS stands for Network Basic Input Output System. It allows computers to
communicate over a LAN and lets them share files and printers.

NetBIOS names are used to identify network devices over TCP/IP (Windows). A NetBIOS
name must be unique on the network and is limited to 16 characters, where 15 characters are
used for the device name and the 16th character is reserved for identifying the type of
service running or the name record type.

Attackers use NetBIOS enumeration to obtain:

- A list of computers that belong to a domain

- A list of shares on the individual hosts on the network

- Policies and passwords

Commands and tools used:

Nbtstat: utility used to find protocol statistics, the NetBIOS name table and name cache
details

SuperScan: GUI tool used to enumerate Windows machines

Net view: command-line tool to identify shared resources on a network
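The 16-character name structure above is easiest to understand by building one. As an added example (not from the original report), this Python encodes and decodes a NetBIOS name as it appears on the wire: 15 name characters padded with spaces plus a suffix byte, carried in the RFC 1001 "first-level" encoding where each byte becomes two letters from A to P. The suffix table lists common well-known values; the host name FILESRV01 is constructed.

```python
# Well-known NetBIOS suffix bytes (the 16th byte of a name).
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}


def netbios_name_bytes(name, suffix):
    """Build the 16-byte NetBIOS name: 15 name chars (space padded) + suffix."""
    name = name.upper()
    if len(name) > 15:
        raise ValueError("NetBIOS names are limited to 15 characters plus a suffix")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return name.encode("ascii").ljust(15, b" ") + bytes([suffix])


def encode_netbios_name(name, suffix):
    """First-level encoding: each byte becomes two letters, one per nibble."""
    raw = netbios_name_bytes(name, suffix)
    out = []
    for b in raw:
        out.append(chr((b >> 4) + ord("A")))    # high nibble -> 'A'..'P'
        out.append(chr((b & 0x0F) + ord("A")))  # low nibble  -> 'A'..'P'
    return "".join(out)  # always 32 characters


def decode_netbios_name(encoded):
    """Reverse the first-level encoding into (name, suffix, suffix_meaning)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("encoded NetBIOS name must be 32 characters A-P")
    raw = bytes(
        ((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
        for i in range(0, 32, 2)
    )
    name = raw[:15].decode("ascii").rstrip(" ")
    suffix = raw[15]
    return name, suffix, SUFFIXES.get(suffix, "unknown/other")


if __name__ == "__main__":
    # Constructed example host: a file server named FILESRV01 (suffix 0x20).
    wire = encode_netbios_name("FILESRV01", 0x20)
    print(wire)
    print(decode_netbios_name(wire))
```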

SNMP Enumeration

SNMP (Simple Network Management Protocol) is an application layer protocol
which uses UDP to maintain and manage routers, hubs, switches and other
network devices on an IP network. SNMP is a very common protocol found enabled
on a variety of operating systems like Windows Server, Linux and UNIX servers as
well as network devices like routers, switches etc.

SNMP enumeration is used to enumerate user accounts, passwords, groups, system
names and devices on a target system.

It consists of three major components:

1. Managed Device: A managed device is a device or a host (technically known
as a node) which has the SNMP service enabled. These devices could be
routers, switches, hubs, bridges, computers etc.

2. Agent: An agent can be thought of as a piece of software that runs on a
managed device. Its primary job is to convert the information into an SNMP-
compatible format for the smooth management of the network using the SNMP
protocol.

3. Network Management System (NMS): These are the software systems that
are used for monitoring the network devices.

An agent running on every SNMP device provides access to a readable and writable
database. The database is referred to as the management information base (MIB). It
is organized hierarchically and is a virtual database containing a formal description of
all the network objects, each identified by a specific object identifier (OID), that can
be managed using SNMP. It is a giant repository of values and settings. A manager is
involved in the process, and the manager queries the agent for various details.

A community string is a text string used to authenticate communications between the
management stations and the network devices on which SNMP agents are hosted.
Community strings travel in clear text over the network, hence are subject to network
sniffing attacks. Community strings are sent with every network packet exchanged
between the node and the management station.

Two types of community strings:

1. Read only: This mode permits querying the device and reading the
information, but does not permit any kind of changes to the configuration. The
default community string for this mode is "public".

2. Read Write: In this mode, changes to the device are permitted; hence if one
connects with this community string, one can even modify the remote device's
configuration. The default community string for this mode is "private".

When the community strings are left at the default settings, attackers take the
opportunity and exploit this weakness.
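Because the community string travels in clear text in every SNMPv1/v2c packet, a defender can read it straight out of captured UDP/161 traffic and flag the defaults. The following added example (not code from the report or from any SNMP tool) is a minimal BER decoder that pulls the version, community string and PDU type out of an SNMP message. The sample packets are built in code by a tiny encoder so the script runs offline; the OID used is sysDescr.0, and the "default" set is the two strings the text names.

```python
# Added example (not from the report): decode the outer SNMPv1/v2c message
# (SEQUENCE { INTEGER version, OCTET STRING community, PDU }) and report
# whether a default community string is in use. Sample packets are constructed
# locally; nothing is sent on the network.

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}   # the defaults named in the text


# --- tiny BER encoder, used only to build sample packets ---------------------
def _tlv(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])   # enough for samples
    return bytes([tag]) + length + payload


def _int(v: int) -> bytes:
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                  # continuation bit on all but last
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def build_snmp(version: int, community: str, pdu_tag: int, oid: str) -> bytes:
    """Constructed v1/v2c message with one varbind (OID + NULL)."""
    varbind = _tlv(0x30, encode_oid(oid) + _tlv(0x05, b""))
    pdu = _tlv(pdu_tag, _int(1) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)


def build_snmpv3_stub() -> bytes:
    """Constructed stub: only the version field of a v3 message (no community)."""
    return _tlv(0x30, _int(3))


# --- decoder -----------------------------------------------------------------
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); handles short and long-form lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long form: 0x8N then N bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def audit_snmp(packet: bytes) -> dict:
    """Decode the outer message; flag v1/v2c packets using a default community."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (expected SEQUENCE)")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(ver, "big")
    result = {"version": VERSIONS.get(version, f"unknown({version})"),
              "community": None, "pdu": None, "default_community": False}
    if version not in (0, 1):                       # v3 carries no community
        return result
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    pdu_tag, _, _ = _read_tlv(body, pos)
    result["community"] = community.decode("latin-1")
    result["pdu"] = PDU_TYPES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})")
    result["default_community"] = result["community"].lower() in DEFAULT_COMMUNITIES
    return result


if __name__ == "__main__":
    sys_descr = "1.3.6.1.2.1.1.1.0"                 # sysDescr.0
    for pkt in (build_snmp(1, "public", 0xA0, sys_descr),
                build_snmp(0, "private", 0xA3, sys_descr),
                build_snmp(1, "Xk9#rT2v", 0xA0, sys_descr),
                build_snmpv3_stub()):
        print(audit_snmp(pkt))
```

A SetRequest carrying "private" is the case worth alerting on first, since it is a write with the default credential; a v3 message yields no community at all, which is the practical effect of countermeasure 4 below.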

Few tools:

1. OpUtils Network Monitoring Toolset - http://www.manageengine.com

2. SolarWinds (best SNMP enumeration tool) - www.solarwinds.com

3. Command line tools: snmpwalk, snmp-check

Countermeasures:

1. Remove or disable SNMP agents on hosts

2. Block port 161 at all perimeter network access devices

3. Restrict access to specific IP addresses

4. Use SNMPv3 (more secure)

5. Implement the Group Policy security option called "Additional restrictions for
anonymous connections"

6. Access to null session pipes, null session shares, and IPsec filtering should
also be restricted

LDAP Enumeration

The Lightweight Directory Access Protocol is a protocol used to access directory
listings within Active Directory or from other Directory Services. A directory is
usually compiled in a hierarchical and logical format, rather like the levels of
management and employees in a company. LDAP tends to be tied into the Domain
Name System to allow integrated quick lookups and fast resolution of queries. LDAP
generally runs on port 389 and, like other protocols, usually conforms to a distinct set
of rules (RFCs). It is possible to query the LDAP service, sometimes anonymously, to
determine a great deal of information that could give the tester valid usernames,
addresses and departmental details that could be utilised in a brute force or social
engineering attack.

Tools:

Jxplorer - http://www.jxplorer.org/

LDAP Admin Tool - http://www.ldapsoft.com

Countermeasures:

1. Use NTLM or Basic authentication to limit access to known users only.

2. By default, LDAP traffic is transmitted unsecured; use SSL/TLS to encrypt the
traffic.

3. Select a username different from your email address and enable account
lockout.

NTP Enumeration

The Network Time Protocol is a protocol for synchronizing time across your network;
this is especially important when utilizing Directory Services. There exist a number
of time servers throughout the world that can be used to keep systems synced to each
other. NTP utilizes UDP port 123. Through NTP enumeration you can gather
information such as lists of hosts connected to the NTP server, IP addresses, system
names and OSs running on the client systems in a network. All this information can
be enumerated by querying the NTP server.

SMTP Enumeration

The Simple Mail Transfer Protocol is used to send email messages, as opposed to
POP3 or IMAP which can be used to both send and receive messages. SMTP relies on
Mail Exchange (MX) servers, located via the Domain Name Service, to direct the mail
to; however, should an MX server not be detected, SMTP will revert and try an A or
alternatively SRV record. SMTP generally runs on port 25.

SMTP enumeration allows us to determine valid users on the SMTP server. This is
done with the help of built-in SMTP commands:

• VRFY - This command is used for validating users.

• EXPN - This command tells the actual delivery address of aliases and mailing
lists.

• RCPT TO - It defines the recipients of the message.

Countermeasures:

• Configure the SMTP server to ignore email messages to unknown recipients.

• Don't include information like the mail relay systems being used, internal IP
addresses or host information.

• Disable the open relay feature.

DNS Enumeration

DNS enumeration is the process of locating all the DNS servers and their
corresponding records for an organization. DNS enumeration will yield usernames,
computer names, and IP addresses of potential target systems. The list of DNS records
provides an overview of the types of resource records (database records) stored in the
zone files of the Domain Name System (DNS). The DNS implements a distributed,
hierarchical, and redundant database for information associated with Internet domain
names and addresses.

DNS Zone Transfer is used to replicate DNS data across a number of DNS servers or
to back up DNS files. A user or server will perform a specific zone transfer request
from a name server. If the name server allows zone transfers by an anonymous user to
occur, all the DNS names and IP addresses hosted by the name server will be returned
in human-readable ASCII text.

Tools:

nslookup, Maltego, dnsenum, dnsrecon

Countermeasures:

1. Disable Zone transfer by untrusted hosts

2. Ensure that private hostnames are not referenced to IP addresses within the
DNS zone files of publicly accessible DNS servers.

CHAPTER 4

System Hacking

Goals of system hacking:

1. Gaining Access

2. Escalating privileges

3. Executing applications

4. Hiding files

5. Clearing tracks

Gaining Access
The goal here is to collect enough information to gain access to the target.

Password Cracking:

There are a few basic methods of password cracking:

1. Bruteforce: trying all possible combinations until the password is cracked.

2. Dictionary attack: a compiled list of meaningful words is compared against
the password field till a match is found.

3. Rule based attack: If some details about the target are known, we can create
rules based on the information we know.

4. Rainbow table: Instead of comparing the passwords directly, the hash value of
the password is compared with a list of pre-computed hash values until a match
is found.

The rainbow table method gives an advantage to the attacker since no account lockout
is triggered by wrong hashes compared against the password. To prevent rainbow
table attacks, salting can be used. Salting is the process of adding random data to the
password before hashing, so the attacker will not be able to crack the hash without
that salt.
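The following added example (not code from the report) shows in a few lines why a salt defeats a precomputed-hash lookup. A constructed dictionary of unsalted SHA-256 digests stands in for a rainbow table; passwords are then stored with PBKDF2-HMAC-SHA256 from the Python standard library and a random 16-byte salt, and the lookup no longer finds them. The iteration count is an assumption of the example, to be tuned to current guidance and hardware.

```python
# Added example (not from the report): salted password storage versus a
# precomputed-hash lookup. The "table" is a constructed stand-in for a rainbow
# table; storage uses PBKDF2-HMAC-SHA256 with a per-password random salt.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # assumed work factor; tune to current guidance/hardware


def unsalted_sha256(password: str) -> str:
    """What a naive system stores: a bare hash that a rainbow table can hit."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates: list) -> dict:
    """Constructed stand-in for a rainbow table: unsalted digest -> password."""
    return {unsalted_sha256(p): p for p in candidates}


def lookup(table: dict, digest_hex: str) -> Optional[str]:
    return table.get(digest_hex)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh 16-byte random salt is drawn for every password unless given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    table = build_lookup_table(["password", "123456", "letmein", "Winter2018"])
    # An unsalted digest of a weak password is recovered immediately:
    print(lookup(table, unsalted_sha256("letmein")))          # letmein
    # Two users with the same password get different salted records, and the
    # salted digest is not in the table:
    rec1, rec2 = hash_password("letmein"), hash_password("letmein")
    print(rec1 != rec2, lookup(table, rec1.split("$")[3]))    # True None
    print(verify_password("letmein", rec1), verify_password("wrong", rec1))
```

The salt is stored next to the digest in clear: it does not need to be secret, it only needs to be unique, so that a table computed once cannot be reused against every account.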

Types of Password Attacks

Passive online attacks

A passive attack is an attack on a system that does not result in a change to the system
in any way. The attack purely monitors or records data.

• Wire sniffing

• Man in the middle

• Replay attack

Active online attacks

An active online attack is the easiest way to gain unauthorized administrator-level
access to the system.

• Password guessing

• Trojan/spyware/keyloggers

• Hash injection

• Phishing

Offline attacks

Offline attacks occur when the intruder checks the validity of the passwords offline.
Offline attacks are often time-consuming.

• Pre-computed hashes

• Distributed network

• Rainbow tables

Non-electronic attacks

Non-electronic attacks are also known as non-technical attacks. This kind of attack
doesn't require any technical knowledge about the methods of intruding into another
system.

• Social engineering

• Shoulder surfing

• Dumpster diving

How to defend against password cracking:

• Don't share your password with anyone

• Do not reuse old passwords when changing passwords

• Enable security auditing to help monitor and track password attacks

• Do not use cleartext protocols or protocols with weak encryption

• Set the password change policy to 30 days

• Monitor the server's logs for brute force attacks on user accounts

• Avoid storing passwords in an unsecured location

• Never use passwords such as date of birth, spouse's, child's or pet's name

• Enable SYSKEY with a strong password to encrypt and protect the SAM
database

• Lock out an account subjected to too many incorrect password guesses

Privilege Escalation
An attacker can gain access to the network using a non-admin user account, and the
next step would be to gain administrative privilege.

Escalation of Privileges:

There are two types of Privilege Escalation:

1. Horizontal Privilege Escalation occurs when a malicious user attempts to
access resources and functions that belong to peer users, who have similar
access permissions.

2. Vertical Privilege Escalation occurs when a malicious user attempts to
access resources and functions that belong to a user with higher privileges,
such as application or site administrators.

Executing Applications
An intruder executes malicious applications after gaining administrative privileges so
that they can run malicious programs remotely to capture sensitive data, crack
passwords, capture screenshots or install a backdoor.

Tools: RemoteExec, PDQ Deploy, DameWare NT Utilities

Keylogger

Keystroke loggers are programs or hardware devices that monitor each keystroke a
user types on a keyboard and log them to a file or transmit them to a remote location.

Keyloggers are placed between the keyboard hardware and the OS.

A keylogger can:

• Record each keystroke

• Capture screenshots at regular intervals of time showing user activity such as
when he or she types a character or clicks a mouse button

• Track the activities of users by logging window titles, names of launched
applications and other information

• Monitor the online activity of users by recording the addresses of the websites
they have visited along with the keywords entered by them

• Record all the login names, bank and credit card numbers and passwords,
including hidden passwords or data that are shown as asterisks or blank spaces

• Record online chat conversations

Types of Keylogger

• Hardware Keylogger

• Software Keylogger
Hiding Files

Rootkits

Rootkits are programs that hackers use in order to evade detection while trying to gain
unauthorized access to a computer. Rootkits, when installed on a computer, are
invisible to the user and also take steps to avoid being detected by security software.

A rootkit is a set of binaries, scripts and configuration files that allows someone to
covertly maintain access to a computer so that he can issue commands and scavenge
data without alerting the system's owner.

Depending on where they are installed there are various types of rootkits:

• Kernel Level Rootkits

• Hardware/Firmware Rootkits

• Hypervisor (Virtualized) Level Rootkits

• Boot loader Level (Bootkit) Rootkits

NTFS Data Streams

Alternate Data Stream support was added to NTFS (Windows NT, Windows 2000
and Windows XP) to help support the Macintosh Hierarchical File System (HFS),
which uses resource forks to store icons and other information for a file. Using
Alternate Data Streams a user can easily hide files that go undetected unless closely
inspected.

Steganography

The art of hiding data inside other data or another medium is called steganography,
for example hiding data within an image file.

The secret message is called the overt file and the covering file is called the covert file.

Types of Steganography

• Image Steganography

• Document Steganography

• Folder Steganography

• Video Steganography

• Audio Steganography

• White Space Steganography

Covering Tracks
Once an attacker finishes his work, he wants to erase all tracks that could lead
investigators back to him. This can be done by:

1. Disabling auditing.

2. Clearing logs.

3. Modifying logs and registry files.

4. Removing all files and folders created.

CHAPTER 5

Introduction to Malware Threats and its Types

Malware is malicious software which, when it enters the target host, gives an attacker
full or limited control over the target. It can either damage or modify the
functionality of the target host, helping an attacker to steal or destroy information.

Various types of malware

• Virus

• Trojans

• Worms

• Rootkits

• Spyware

• Ransomware

Virus
A virus is a self-replicating program that produces its own copy by attaching itself to
another program, computer boot sector or document.

• It infects other programs

• Alters data

• Transforms itself

• Encrypts itself

• Corrupts files and programs

• Self propagates

Different types of Viruses:

Boot sector virus: Replaces the boot sector with itself, moving the original boot
sector to another location on the hard disk.

File overwriting or cavity virus: Replaces the content of files with some other
content, leaving the file unusable.

Crypter: Encrypts the contents of the file, which renders the file unusable for the user.

Polymorphic virus: The virus code mutates itself while keeping the algorithm intact.

Tunnelling virus: These viruses trace the steps of interceptor programs that monitor
operating system requests so that they get into the BIOS and DOS to install
themselves. To perform this activity they even tunnel under anti-virus software
programs.

Metamorphic virus: They rewrite themselves every time, reprogramming themselves
into completely different code and back again.

Macro virus: Infects Microsoft products like Word and Excel. They are usually
written in a macro language such as Visual Basic for Applications (VBA).

Cluster virus: Modifies the directory entries so that they always direct the user to the
virus code instead of the actual program.

Stealth/tunnelling virus: They intercept the anti-virus call to the operating system
and return an uninfected version of the requested files, thereby evading the anti-virus.

Extension virus: Hides the extension of the virus files, deceiving the unsuspecting
user into downloading the files.

Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with
every infection. The difference is that a metamorphic virus rewrites itself completely
at each iteration, increasing the difficulty of detection. Metamorphic viruses may
change their behaviour as well as their appearance.

Add-on virus: Add-on viruses append their code to the host code without making
any changes to the latter, or relocate the host code to insert their own code at the
beginning.

37
Trojans
Trojans are malicious files which are used by the attacker to create a backdoor
without the knowledge of the user. A Trojan usually deletes or replaces operating
system critical files, steals data, sends notifications to the remote attacker, and
remotely controls the target. Trojans usually hide behind a genuine code, program or
file to avoid being noticed by the user. Behind the original program, a Trojan
establishes a backdoor connection with the remote attacker. It has 3 parts:

1. Dropper: This is the code which installs the malicious code on the target.

2. Malicious code: This is the code which exploits the system and gives the
attacker control over the target.

3. Wrapper: The wrapper packs the dropper, malicious code and genuine code into
one exe package.

When victims download an infected file, the dropper installs the malicious code first
and then the genuine program.

Purpose of Trojans

• Steal information such as passwords, security codes and credit card information
using keyloggers

• Use the victim's PC as part of a botnet to perform DDoS attacks

• Delete or replace OS critical files

• Generate fake traffic to create DoS

• Download spyware, adware and malware

• Record screenshots, audio and video of the victim's PC

• Disable firewalls and anti-virus software

• Use the victim's PC as a proxy server for relaying attacks

• Use the victim's PC as part of a botnet to perform DoS, spamming and blasting
email messages
There are various types of Trojans like:

• Hypervisor Trojan

• HTTP/HTTPS Trojan

• Remote access Trojan

• FTP Trojans

• VNC Trojans

• Banking Trojans

• DOM based Trojan

• Destructive Trojan

• Botnet Trojan

• Proxy Trojan

• Data hiding Trojan

Countermeasures:

• Avoid opening emails from unknown users

• Do not download free software from untrusted sites

• Always upgrade and keep firewalls, IDS and anti-virus updated with the latest
patches and signatures

• Block all unnecessary ports

• Periodically check startup programs and running processes to find any
malicious files running

Worms
A worm is a standalone malicious program which spreads from computer to
computer, but unlike a virus, it has the capability to travel without any human action.
A worm takes advantage of file or information transport features on the system, which
is what allows it to travel unaided. Often, it uses a computer network to spread itself,
relying on security failures on the target computer to access it.

Difference between Worms and Viruses

Virus:

• A virus is a program that replicates, i.e. it spreads from file to file on your
system

• It may be programmed to erase or damage data.

• A virus is a set of code which adds itself to existing files.

Worm:

• A worm is a malicious program that originates on a single computer and
searches for other computers connected through a local area network or
Internet connection.

• When a worm finds another computer, it replicates itself onto that computer
and continues to look for other connected computers on which to replicate.

• A worm continues to attempt to replicate itself indefinitely or until a
self-timing mechanism halts the process.

• It does not infect other files.

• A worm code is a stand-alone code. In other words, a worm is a separate file.

Rootkits, Spyware and Ransomware

Rootkits

A rootkit is a collection of malicious computer software created to get access to a
target computer and often hides its existence or the existence of other software. The
term rootkit is a concatenation of "root" (the privileged account on Unix-like
operating systems) and the word "kit" (which refers to the software components that
implement the tool).

A rootkit can be installed by an attacker directly or remotely by exploiting a known
vulnerability. Once installed, it hides and runs with administrator privilege. Rootkit
detection is difficult because a rootkit intercepts the operating system calls made by
the anti-virus and returns a clean version of the requested file. It either duplicates or
replaces OS system files, making it difficult to detect.

Methods of Detection:

• Behavioural-based methods

• Signature scanning

• Integrity scanning by taking snapshots

• Memory dump analysis

The usual solution is to reinstall the operating system.

When dealing with firmware rootkits, removal may require hardware replacement or
specialized equipment.
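The "integrity scanning by taking snapshots" method above, as an added example (not code from the report or from any rootkit scanner): a baseline of SHA-256 hashes is recorded while the system is trusted, and a later snapshot is diffed against it to surface files that were added, removed or replaced. The sample directory tree and the simulated tampering are constructed in a temporary directory so the script runs offline.

```python
# Added example (not from the report): file-integrity snapshots as a rootkit
# detection method. Baseline hashes are compared against a later scan; the
# sample tree below is constructed in a temp directory.
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file under root (relative path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                         # skip symlinks/devices
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate a rootkit that
    replaces a system binary and drops a hidden kernel module."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "lib", "modules"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary")
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"original ps binary")
        baseline = snapshot(root)
        # Simulated tampering after the baseline was taken:
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"trojaned ps that hides processes")
        with open(os.path.join(root, "lib", "modules", "hidden.ko"), "wb") as f:
            f.write(b"fake module")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
    # {'added': ['lib/modules/hidden.ko'], 'removed': [], 'modified': ['bin/ps']}
```

The caveat follows from the text itself: a kernel-level rootkit intercepts the very system calls this scanner uses, so the comparison is only trustworthy when the later snapshot is taken from a clean environment (for example after booting from trusted media) and the baseline is stored off the host.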

Spyware

This malware, when installed on the target, monitors the target's every action and
reports to the remote attacker. Cookie stealing, password stealing, identity theft and
information theft are a few attacks which are common using spyware.

Ransomware

This is malicious software which restricts access to computer system files and
folders, asking for an online ransom payment to remove the restrictions.

Usually, it encrypts the data, making the user pay a huge ransom to get the data
decrypted.

CHAPTER 6

Sniffing and its types

What is sniffing?
Sniffing is the process of monitoring and capturing all data packets passing through a
given network. Sniffers are used by network/system administrators to monitor and
troubleshoot network traffic. Attackers use sniffers to capture data packets containing
sensitive information such as passwords, account information etc. Sniffers can be
hardware or software installed in the system. By placing a packet sniffer on a network
in promiscuous mode, a malicious intruder can capture and analyze all of the network
traffic.

There are two types:

Active Sniffing:

Sniffing on a switched network is active sniffing. A switch is a point to point network
device. The switch regulates the flow of data between its ports by actively monitoring
the MAC address on each port, which helps it pass data only to its intended target. In
order to capture the traffic between targets, the sniffer has to actively inject traffic into
the LAN to enable sniffing of the traffic. This can be done in various ways.

Passive Sniffing:

This is the process of sniffing through the hub. Any traffic that is passing through the
non-switched or unbridged network segment can be seen by all machines on that
segment. Sniffers operate at the data link layer of the network. Any data sent across
the LAN is actually sent to each and every machine connected to the LAN. This is
called passive since sniffers placed by the attackers passively wait for the data to be
sent and capture them.

ARP Table
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol
address (IP address) to a physical machine address that is recognized in the local
network. A table is used to maintain a correlation between each MAC address and its
corresponding IP address. ARP provides the protocol rules for making this correlation
and providing address conversion in both directions.

CAM Table
Content Addressable Memory (CAM) table is a system memory construct used by
Ethernet switch logic which stores information such as MAC addresses available on
physical ports with their associated VLAN Parameters. The CAM table, or content
addressable memory table, is present in all switches for layer 2 switching. This allows
switches to facilitate communications between connected stations at high speed and in
full-duplex regardless of how many devices are connected to the switch. Switches
learn MAC addresses from the source address of Ethernet frames on the ports, such as
Address Resolution Protocol (ARP) response packets.

Protocols vulnerable to sniffing

Telnet and Rlogin: Keystrokes including usernames and passwords.

HTTP: Data sent in clear text.

SMTP: Passwords and data sent in clear text.

NNTP: Passwords and data sent in clear text.

POP: Passwords and data sent in clear text.

FTP: Passwords and data sent in clear text.

IMAP: Passwords and data sent in clear text.

Active Sniffing Attacks
MAC Attacks:

MAC flooding is an attack in which the CAM table is flooded with fake MAC-IP
pairs, so that the CAM table overflows and the switch floods traffic to all its ports, i.e.
the switch starts to behave like a hub.

ARP Spoofing:

In this case, an attacker can spoof the MAC address of a trusted host and forge ARP
requests/replies to overload the switch. Once the switch is set in "forward mode", an
attacker can sniff the packets in the traffic.

ARP Poisoning:

Attacker chooses targets and floods their ARP cache with forged entries thus
replacing the MAC address of targets with MAC address of attacker. ARP poisoning
is used in Man in the middle attack.

Man-in-the-middle Attack:

It is a targeted attack, where the attacker sniffs the traffic and chooses targets. It uses
the ARP poisoning method to send forged ARP requests/replies to the targets, forcing
them to update their ARP cache with the MAC address of the attacker's machine in
place of the genuine target. So the traffic between the targets is split into two
connections: one between target1 and the attacker and the other between target2 and
the attacker. The attacker, being the man in the middle, can modify or replay the
traffic and will be able to capture sensitive information exchanged between the targets.
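What ARP poisoning looks like to a monitor on the wire is an IP address that was bound to one MAC suddenly claiming another. The following added example (not code from the report or from any sniffing tool) is a small passive ARP monitor of the kind a defender runs on a mirror port: it parses Ethernet/ARP frames with the standard library and alerts on a changed IP-to-MAC binding, and also on a frame whose Ethernet source differs from its ARP sender address. The frames, addresses and MACs are all constructed in code; nothing is captured from or sent to a real interface.

```python
# Added example (not from the report): passive detection of ARP poisoning.
# Frames are constructed locally; parse_arp() and ArpMonitor are the part a
# defender would feed from a real capture.
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp(src_mac, sender_mac, sender_ip, target_mac, target_ip, op=ARP_REPLY) -> bytes:
    """Constructed test data: 14-byte Ethernet header + 28-byte ARP payload."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(src_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return a dict for Ethernet/IPv4 ARP frames, None for anything else."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"eth_src": fmt_mac(src), "op": op, "sender_mac": fmt_mac(sha),
            "sender_ip": fmt_ip(spa), "target_ip": fmt_ip(tpa)}


class ArpMonitor:
    """Learns IP -> MAC bindings from traffic and reports flips."""

    def __init__(self):
        self.table = {}

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None:
            return None
        alerts = []
        if arp["eth_src"] != arp["sender_mac"]:
            alerts.append(f"Ethernet source {arp['eth_src']} differs from ARP "
                          f"sender {arp['sender_mac']} for {arp['sender_ip']}")
        known = self.table.get(arp["sender_ip"])
        if known is not None and known != arp["sender_mac"]:
            alerts.append(f"{arp['sender_ip']} changed from {known} to "
                          f"{arp['sender_mac']} (possible ARP poisoning)")
        self.table[arp["sender_ip"]] = arp["sender_mac"]   # record latest claim
        return "; ".join(alerts) or None


def demo() -> list:
    """Constructed sequence: two legitimate replies, then a forged reply that
    binds the gateway's IP to another MAC, then a frame with mismatched
    Ethernet/ARP source addresses."""
    mon = ArpMonitor()
    gw, gw_mac = "192.168.1.1", "aa:bb:cc:00:00:01"
    victim, victim_mac = "192.168.1.50", "aa:bb:cc:00:00:50"
    other_mac = "de:ad:be:ef:00:01"
    frames = [
        build_arp(gw_mac, gw_mac, gw, victim_mac, victim),
        build_arp(victim_mac, victim_mac, victim, gw_mac, gw),
        build_arp(other_mac, other_mac, gw, victim_mac, victim),
        build_arp(other_mac, victim_mac, victim, gw_mac, gw),
    ]
    return [mon.observe(f) for f in frames]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A binding change is not proof of an attack on its own (DHCP reassignments and NIC replacements also cause one), so in practice the alert is correlated with the DHCP lease table or a static inventory; the monitor records the newest claim so that a flapping binding alerts on every flip.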

DHCP Poisoning

Dynamic Host Configuration Protocol (DHCP) is used to assign IP addresses to
DHCP-enabled clients. The server holds valid TCP/IP configuration parameters, valid
IP addresses and the time period of the lease offer. When a client needs an IP, it sends
a request to the DHCP server. The DHCP server asks the client to send the required
parameters and once it receives the parameters, the DHCP server sends the
acknowledgement which contains the IP address of the client.
The DHCP client requests an IP address by broadcasting a DHCP Discover message
to the local subnet.

The client is offered an address when a DHCP server responds with a DHCP Offer
message containing an IP address and configuration information for lease to the
client.

The client indicates acceptance of the offer by selecting the offered address and
broadcasting a DHCP Request message in response.

The client is assigned the address and the DHCP server broadcasts a DHCP Ack
message in response, finalizing the terms of the lease.

When the client receives the acknowledgement, it configures its TCP/IP properties by
using the DHCP option information in the reply and completes its initialization of
TCP/IP.

DHCP Starvation attack:

It is a denial of service attack in which an attacker sends forged DHCP requests to the
server and leases all the available IPs, so that legitimate clients will not get an IP
assigned; or the attacker may send bogus requests/replies luring the client to connect
to the attacker's machine instead of the valid DHCP server.

DNS poisoning attack:

Here the attacker sends fake DNS packets to the server, thus causing fake entries in
the DNS table for the target website. So when a client sends a request to the website,
DNS server resolves the domain to IP using injected DNS records and redirects the
user to a Fake or malicious website intended by the attacker.

Countermeasures:

• Enable port security.

• DHCP snooping binding must be enforced.

• Use HTTPS instead of HTTP.

• Use SFTP instead of FTP.

• Use SSH instead of telnet.

• Avoid using clear text protocols.

• Always encrypt the wireless traffic using WPA2.

• Check whether any NICs are running in promiscuous mode.

• Implement DNSSEC.

• Use a firewall.

Some tools:

• Cain & Abel

• Yersinia for DHCP starvation

• Wireshark

CHAPTER 7

Social Engineering
Social engineering is the art of convincing people to reveal confidential information.
By taking advantage of basic human nature, like trust or a lack of knowledge, the
attacker deceives people into revealing sensitive information.

The social engineering attacks can be grouped into three types:

1. Human-based

2. Mobile-based

3. Computer-based

Human-Based Attacks:

Impersonation: Acting like someone else to get access to the information.

They may act as a legitimate user and request information, or pose as a higher
authority and ask for sensitive information, or pose as a technical support person and
try to gather sensitive and confidential details.

Other types of human-based attacks are:

Tailgating: When an authorised person enters a restricted area, the unauthorised
person also enters the restricted area without the employee's knowledge.

Piggybacking: Here the attacker may pose as an employee and ask the authorised
employee to allow him to enter along with him. He may give fake reasons like having
forgotten his smart badge, etc.

Dumpster Diving: Any confidential or sensitive document should be properly
shredded before being disposed of in the dustbin. If not, an attacker may just look into
the dustbin to access the confidential information.

Eavesdropping: Unauthorised listening to conversations, thereby collecting important
data, is called eavesdropping.

Shoulder surfing: It is a direct observation technique, like looking over someone's
shoulder to learn sensitive information like passwords, PIN numbers, etc.

Hoax Letters: These are fake emails sending warnings about malware, viruses and
worms causing harm to computers.

Chain letters: Asking people to forward emails or messages for money.

Spam Messages: These are unwanted, irrelevant emails trying to gather information
about users.

Instant Chat messengers: Gathering personal information from a single user by
chatting with them.

Phishing: Creating a cloned fake website trying to gather sensitive information about
users. It can be done by sending a fake email as though coming from an original
website and then trying to collect confidential information.

Phishing can also be executed through fake mobile applications.

Mobile based Attacks:

SMS based: Sending a fake SMS saying that the user has won a bounty, urging
him/her to register with confidential information or try and collect other important
details.

Through Malicious Apps: Applications downloaded from third party sources may be
malicious; they can access authentication information and other sensitive details.

Through Email and messengers: Attackers can send spam emails or malicious links
through messenger applications. When the victim clicks on it, he may be redirected to
a malicious site, malware could be downloaded, or it may lead to some other
malicious activity.

Social engineering on corporate side:

Find an insider: It can be a disgruntled employee who may be the target.

Develop relationship: Develop a friendship with this person and maintain this
relationship to the point he trusts you.

Exploit the relationship: Extract the information about the company and other
sensitive information exploiting the trust that he placed in you.

Insider Attacks

An insider attack is very difficult to detect. If a disgruntled employee wants to take
revenge, he can install malicious applications to steal or modify information, causing
significant damage to the organization, or he can be bribed by a competitor to reveal
or steal company secrets, intellectual property information, etc.

Countermeasures:

• Educating the employees about the security policies and frameworks, best
practices, etc.

• Creating awareness among the users and employees about social engineering
attacks.

• Enforcing strict perimeter policy and authentication mechanisms.

• Coming up with effective security policies.

• Enforcing proper access privileges.

• Classifying information and protecting access to it.

• Using updated antivirus and anti-phishing tools.

• Monitoring and auditing.

CHAPTER 8

Distributed Denial of Service

A Distributed Denial of Service (DDoS) attack is an attempt to make an online
service or a website unavailable by overloading it with huge floods of traffic
generated from multiple sources.

Unlike a Denial of Service (DoS) attack, in which one computer and one Internet
connection are used to flood a targeted resource with packets, a DDoS attack uses
many computers and many Internet connections, often distributed globally in what is
referred to as a botnet.

A large scale volumetric DDoS attack can generate traffic measured in tens of
Gigabits (and even hundreds of Gigabits) per second. A normal network will not be
able to handle such traffic.

What are Botnets?

Attackers build a network of hacked machines, known as a botnet, by spreading
malicious pieces of code through emails, websites, and social media. Once these
computers are infected, they can be controlled remotely, without their owners'
knowledge, and used like an army to launch an attack against any target.

A DDoS flood can be generated in multiple ways. For example:

• Botnets can be used for sending more connection requests than a server can
handle at a time.

• Attackers can have computers send a victim resource huge amounts of random
data to use up the target's bandwidth.

Due to the distributed nature of these machines, they can be used to generate
distributed high traffic which may be difficult to handle. It finally results in a
complete blockage of a service.
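The difference between "one computer and one connection" and a botnet is visible in the connection logs, and it decides which defence works. The following added example (not code from the report) is a sliding-window connection-rate monitor run over constructed (timestamp, source IP) records such as a firewall or web server would log. A single source crossing a per-source limit can be rate-limited or blocked at the host; a distributed flood crosses only the aggregate limit, with every individual source looking harmless. The window size and both thresholds are assumptions for illustration.

```python
# Added example (not from the report): sliding-window rate monitor that tells a
# single-source flood apart from a distributed one. Input records are
# constructed below; thresholds are illustrative assumptions.
from collections import defaultdict, deque


class FloodDetector:
    def __init__(self, window_s=1.0, per_source_limit=50, total_limit=200):
        self.window_s = window_s
        self.per_source_limit = per_source_limit
        self.total_limit = total_limit
        self.per_source = defaultdict(deque)   # ip -> timestamps inside window
        self.all = deque()                     # every timestamp inside window

    def _expire(self, now: float) -> None:
        """Drop timestamps that have slid out of the window."""
        cutoff = now - self.window_s
        while self.all and self.all[0] < cutoff:
            self.all.popleft()
        for ip in list(self.per_source):
            q = self.per_source[ip]
            while q and q[0] < cutoff:
                q.popleft()
            if not q:
                del self.per_source[ip]

    def record(self, ts: float, src_ip: str) -> list:
        """Add one connection; return alerts raised at this moment (alert once
        per threshold crossing, not on every packet above it)."""
        self._expire(ts)
        self.all.append(ts)
        self.per_source[src_ip].append(ts)
        alerts = []
        if len(self.per_source[src_ip]) == self.per_source_limit + 1:
            alerts.append(f"single-source flood: {src_ip} > "
                          f"{self.per_source_limit} conn/s")
        if len(self.all) == self.total_limit + 1:
            alerts.append(f"aggregate flood: > {self.total_limit} conn/s from "
                          f"{len(self.per_source)} sources")
        return alerts


def run(records, **kwargs) -> list:
    """Feed (timestamp, src_ip) records; return [(timestamp, alert), ...]."""
    det = FloodDetector(**kwargs)
    out = []
    for ts, ip in records:
        for alert in det.record(ts, ip):
            out.append((ts, alert))
    return out


def single_source_scenario() -> list:
    """Constructed: one host opening 60 connections in 0.6 s (classic DoS)."""
    return [(i * 0.01, "203.0.113.7") for i in range(60)]


def botnet_scenario() -> list:
    """Constructed: 300 distinct hosts, one connection each, inside 0.9 s (DDoS).
    No single source exceeds the per-source limit; only the aggregate does."""
    return [(i * 0.003, f"10.0.{i // 250}.{i % 250 + 1}") for i in range(300)]


if __name__ == "__main__":
    for name, records in (("single source", single_source_scenario()),
                          ("botnet", botnet_scenario())):
        print(name, [alert for _, alert in run(records)])
```

Per-source blocking is the right reflex for the first scenario and useless in the second, where the only local signal is the aggregate rate; that is why the text says a normal network cannot absorb a volumetric DDoS and why capacity or upstream filtering, not per-IP rules, is the usual answer.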

Types of DDoS Attacks
DDoS attacks can be broadly categorized into three categories:

• Volume-based Attacks

• Protocol Attacks

• Application Layer Attacks

Volume-Based Attacks
Volume-based attacks include TCP floods, UDP floods, ICMP floods, and other
spoofed-packet floods. These are also called Layer 3 & 4 attacks. Here, an attacker
tries to saturate the bandwidth of the target site. The attack magnitude is measured
in bits per second (bps).

• UDP Flood − A UDP flood is used to flood random ports on a remote host
with numerous UDP packets, more specifically port number 53. Specialized
firewalls can be used to filter out or block malicious UDP packets.

• ICMP Flood − This is similar to a UDP flood and is used to flood a remote host
with numerous ICMP Echo Requests. This type of attack can consume both
outgoing and incoming bandwidth, and a high volume of ping requests will
result in overall system slowdown.

• HTTP Flood − The attacker sends HTTP GET and POST requests to a
targeted web server in a volume which cannot be handled by the server,
which leads to denial of additional connections from legitimate clients.

• Amplification Attack − The attacker makes a request that generates a large
response; this includes DNS requests for large TXT records and HTTP GET
requests for large files like images, PDFs, or any other data files.

Protocol Attacks
Protocol attacks include SYN floods, Ping of Death, fragmented packet attacks,
Smurf DDoS, etc. This type of attack consumes actual server resources and other
resources like firewalls and load balancers. The attack magnitude is measured
in Packets per Second.

• DNS Flood − DNS floods are used for attacking both the infrastructure and the
DNS application itself, to overwhelm a target system and consume all its
available network bandwidth.

• SYN Flood − The attacker sends TCP connection requests faster than the
targeted machine can process them, causing network saturation.
Administrators can tweak TCP stacks to mitigate the effect of SYN floods.
To reduce the effect of SYN floods, you can reduce the timeout after which a
stack frees the memory allocated to a half-open connection, or selectively drop
incoming connections using a firewall or iptables.

• Ping of Death − The attacker sends malformed or oversized packets using a
simple ping command. IP allows packets of up to 65,535 bytes, but sending a
ping packet larger than 65,535 bytes violates the Internet Protocol and could
cause a memory overflow on the target system and finally crash it. To avoid
Ping of Death attacks and their variants, many sites block ICMP ping messages
altogether at their firewalls.
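Added example (not from the report or the course): a small Python monitor that applies the SYN flood description above to constructed tcpdump-style packet summaries and lists the sources holding half-open connections, the kind of list a firewall or iptables drop rule would be built from. The server address 192.0.2.10:80, the sample lines and the threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed packet summaries in a simplified tcpdump style (not a real capture).
# Format: "<seconds> <src>:<sport> > <dst>:<dport> Flags [<flags>]"
# [S] = SYN, [S.] = SYN-ACK, [.] = ACK.  192.0.2.10:80 is the assumed server.
SAMPLE_LOG = """\
0.001 10.0.0.5:40001 > 192.0.2.10:80 Flags [S]
0.002 192.0.2.10:80 > 10.0.0.5:40001 Flags [S.]
0.003 10.0.0.5:40001 > 192.0.2.10:80 Flags [.]
0.010 203.0.113.7:1000 > 192.0.2.10:80 Flags [S]
0.011 203.0.113.7:1001 > 192.0.2.10:80 Flags [S]
0.012 203.0.113.7:1002 > 192.0.2.10:80 Flags [S]
0.013 203.0.113.7:1003 > 192.0.2.10:80 Flags [S]
0.014 203.0.113.7:1004 > 192.0.2.10:80 Flags [S]
0.020 198.51.100.8:5000 > 192.0.2.10:80 Flags [S]
0.021 192.0.2.10:80 > 198.51.100.8:5000 Flags [S.]
0.022 198.51.100.8:5000 > 192.0.2.10:80 Flags [.]
0.030 198.51.100.8:5001 > 192.0.2.10:80 Flags [S]
"""

LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?) (?P<src>[\d.]+):(?P<sp>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dp>\d+) Flags \[(?P<flags>[^\]]+)\]$"
)


def parse_packets(log):
    """Yield (time, src, sport, dst, dport, flags) tuples; unparseable lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (float(m["t"]), m["src"], int(m["sp"]),
                   m["dst"], int(m["dp"]), m["flags"])


def half_open_by_source(log, server_ip, server_port=80):
    """Count, per client IP, SYNs to the server whose handshake never completed.

    A handshake counts as complete when the same client socket (ip:port) that
    sent the SYN later sends a bare ACK to the server. Flooding clients never
    send that ACK, so their half-open count keeps growing.
    """
    pending = defaultdict(set)  # src ip -> client ports still waiting for an ACK
    for _t, src, sport, dst, dport, flags in parse_packets(log):
        if (dst, dport) != (server_ip, server_port):
            continue  # only traffic towards the protected server matters here
        if flags == "S":
            pending[src].add(sport)
        elif flags == "." and sport in pending.get(src, ()):
            pending[src].discard(sport)
    return {src: len(ports) for src, ports in pending.items()}


def total_half_open(log, server_ip, server_port=80):
    """Aggregate view: a flood with spoofed, random source addresses keeps every
    per-source count small while the server's backlog still fills up, so the
    total is the number to alert on in that case."""
    return sum(half_open_by_source(log, server_ip, server_port).values())


def flood_suspects(log, server_ip, server_port=80, threshold=3):
    """Sources with at least `threshold` half-open connections, sorted, ready to be
    fed to a firewall/iptables drop rule as the section above suggests.
    Kernel-side, enabling SYN cookies (net.ipv4.tcp_syncookies=1 on Linux)
    stops the backlog from being exhausted in the first place."""
    counts = half_open_by_source(log, server_ip, server_port)
    return sorted(src for src, n in counts.items() if n >= threshold)
```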

Application Layer Attacks


Application Layer Attacks include Slowloris, Zero-day DDoS attacks, DDoS attacks
that target Apache, Windows or OpenBSD vulnerabilities and more. Here the goal is
to crash the web server. The attack magnitude is measured in Requests per Second.

• Application Attack − This is also called a Layer 7 attack, where the attacker
makes excessive log-in, database-lookup, or search requests to overload the
application. It is really difficult to detect Layer 7 attacks because they
resemble legitimate website traffic.

• Slowloris − The attacker sends a huge number of HTTP headers to a targeted
web server, but never completes a request. The targeted server keeps each of
these false connections open and eventually exhausts the maximum concurrent
connection pool, which leads to denial of additional connections from
legitimate clients.

• NTP Amplification − The attacker exploits publicly accessible Network Time
Protocol (NTP) servers to overwhelm the targeted server with User Datagram
Protocol (UDP) traffic.

• Zero-day DDoS Attacks − A zero-day vulnerability is a system or application
flaw previously unknown to the vendor, which has not been fixed or patched.
New attacks of this type appear day by day, for example ones exploiting
vulnerabilities for which no patch has yet been released.

How to Fix a DDoS Attack


There are quite a few DDoS protection options which you can apply depending on
the type of DDoS attack.

Your DDoS protection starts with identifying and closing all the possible OS and
application level vulnerabilities in your system, closing every port you do not need,
removing unnecessary access from the system and hiding your server behind a proxy
or CDN system.

If the DDoS is of low magnitude, you can find many firewall-based solutions which
can help you filter out DDoS traffic. But if you face a high-volume DDoS attack,
in the gigabits or more, then you should take the help of a DDoS protection service
provider that offers a more holistic, proactive and genuine approach.

You must be careful while approaching and selecting a DDoS protection service
provider. There are a number of service providers who want to take advantage of your
situation. If you inform them that you are under DDoS attack, they will start offering
you a variety of services at unreasonably high costs.

We can suggest a simple and working solution which starts with a search for a good
DNS solution provider that is flexible enough to configure A and CNAME records for
your website. Second, you will need a good CDN provider that can handle big DDoS
traffic and provides DDoS protection as part of its CDN package.

Assume your server IP address is AAA.BBB.CCC.DDD. Then you should do the
following DNS configuration −

• Create an A record in the DNS zone file, as shown below, with a DNS identifier,
for example ARECORDID, and keep it secret from the outside world.

• Now ask your CDN provider to link the created DNS identifier with a URL,
something like cdn.someotherid.domain.com.

• You will use the CDN URL cdn.someotherid.domain.com to create two CNAME
records, the first one to point to www and the second record to point to @, as
shown below.

You can take the help of your system administrator to understand these points and
configure your DNS and CDN appropriately. Finally, you will have the following
configuration at your DNS.

Now, let the CDN provider handle all types of DDoS attacks and your system will
remain safe. But here the condition is that you should not disclose your system's IP
address or A record identifier to anyone; else direct attacks will start again.

A Denial of Service (DOS) attack is an attack against a computer or network which
reduces, restricts or prevents accessibility of its system resources to authorized users.

A Distributed Denial of Service (DDoS) attack is an attack where multiple compromised
systems simultaneously attack a single system, thereby causing a DOS attack for the
users of the target.

An attacker can select the zombies randomly or topologically and, once they are
compromised, sets up a command and control server to direct the zombies that attack
the target. A bot is malicious software installed on a compromised machine; it gives
the attacker control over the zombie. The network of bots is called a botnet.

CHAPTER 9

Session Hijacking
Session Hijacking and its Types
Session hijacking is defined as taking over an active TCP/IP communication session
without the user’s permission. When implemented successfully, attackers assume the
identity of the compromised user, enjoying the same access to resources as the
compromised user. Identity theft, Information theft, stealing sensitive data are some of
the common impacts of session hijacking.

Types of session hijacking attacks:


There are two types of session hijacking depending on how they are done. If the
attacker directly gets involved with the target, it is called active hijacking, and if an
attacker just passively monitors the traffic, it is passive hijacking.

Active:
The attacker will silence one of the machines, usually the client computer, and take
over the client's position in the communication exchange between the workstation
and the server. The active attack also allows the attacker to issue commands on the
network, making it possible to create new user accounts on the network, which can
later be used to gain access to the network without having to perform the session
hijack attack again.

Passive:
In Passive session hijacking attack, the attacker monitors the traffic between the
workstation and server. The primary motivation for the passive attack is to monitor
network traffic and potentially discover valuable data or passwords.

Session Hijacking Process
The first step in the session hijack attack is locating a target user. Attackers look for
two things prior to their attack. First, they look for networks that have a high level of
utilization; high-volume networks help attackers to remain anonymous and they also
provide a healthy supply of users to choose from, which also helps the attack.
Secondly, users who use insecure network protocols such as Telnet, rlogin (remote
login), and FTP (file transfer protocol) are easy targets due to their inherently insecure
design. Packet sniffing software can be used to sniff network traffic for the purpose of
locating vulnerable protocols like FTP, Telnet, and rlogin. Port scanning software can
also be used to identify servers that have FTP, Telnet, or rlogin ports open.

1. Sniffing into Active Session:

The attacker then finds an active session between the target and another machine and
places himself between them. Using a sniffer like Wireshark, he captures the traffic
and tries to gather information about the session.

2. Monitor:

He then monitors the traffic for vulnerable protocols like HTTP, telnet, rlogin, etc.,
and tries to find any valid authentication packets passing through.

3. Session Id Retrieval:

The attacker tries to predict the session id using available information. Now that a
target has been chosen, the next step in the session hijacking process is sequence
number prediction. Sequence number prediction is a critical step because failing to
predict the correct sequence number will result in the server sending reset packets and
terminating the connection attempt. If the attacker guesses the sequence numbers
wrong repeatedly, the likelihood of detecting the attack increases.

4. Stealing:

In application-level hijacking, active attacks are pursued to steal the session Id. Man
in the middle attack, cross-site scripting, sniffing are used to steal the session id.

Brute Forcing: This is a time-consuming process. While sequence number guessing
can be done manually by skilled attackers, software tools are available to automate
the process.

5. Take One of the Parties Offline:

Once a session is chosen and sequence numbers predicted, one of the targets has to be
silenced. This is generally done with a denial of service attack. The attacker must
ensure that the client computer remains offline for the duration of the attack, or the
client computer will begin transmitting data on the network causing the workstation
and the server to repeatedly attempt to synchronize their connections; resulting in a
condition known as an ACK storm.

6. Take over the Session and Maintain the Connection:

The final phase of the session hijack attack entails taking over the communication
session between the workstation and server. The attacker will spoof their client IP
address, to avoid detection, and include a sequence number that was predicted earlier.
If the server accepts this information, the attacker has successfully attacked the
communication session.

Session Hijacking Levels


Session Hijacking can be done at two levels:

1. Network Level

2. Application Level

Network Level hijacking includes TCP and UDP sessions.

Application Level hijacking occurs with HTTP Sessions.

Application Level Hijacking:


Here the valid session token is stolen or predicted to take over the session. The
various attacks involved here are:

Man in the middle attack:

By using automated tools/spoofing methods the attacker splits the connection between
the targets into two: one connection between the client and attacker and another one
between attacker and server. Since the attacker becomes the man in the middle, all the
traffic goes through him, hence he can capture the session Id.

Cross-site scripting:

Client-side vulnerabilities like XSS attacks allow an attacker to craft a malicious
script to get the session Id from the application.

Using Proxy:

By setting up a proxy and causing the traffic to flow through the proxy, one can
capture the session Id details.

Man-in-the-Browser:

A Trojan installed in the victim's browser reports the session Id to the attacker.

Session Replay:

Capturing the authentication packets by sniffing the traffic; replaying those packets
after a time interval may cause the attacker to successfully login to the session of the
authorized user.

Network or TCP Session Hijacking


TCP guarantees delivery of data, and also guarantees that packets will be delivered in
the same order in which they were sent. In order to guarantee that packets are
delivered in the right order, TCP uses acknowledgement (ACK) packets and sequence
numbers to create a "full duplex reliable stream connection between two endpoints",
with the endpoints referring to the communicating hosts. The connection between the
client and the server begins with a 3-way handshake.

After the handshake, it is just a matter of sending packets and incrementing the
sequence number to verify that the packets are getting sent and received.
The goal of the TCP session hijacker is to create a state where the client and server
are unable to exchange data; enabling him/her to forge acceptable packets for both
ends, which mimic the real packets. Thus, the attacker is able to gain control of the
session.

IP Spoofing: IP spoofing is a technique used to gain unauthorized access to
computers, where the intruder sends a message to a computer with an IP address
indicating that the message is coming from a trusted host.

Man in the middle Attack: Attacker tries to get the session Id by doing ARP
spoofing and man in the middle attack.

Blind Hijacking: In cases where source routing is disabled, the session hijacker can
also use blind hijacking where he injects his malicious data into intercepted
communications in the TCP session. It is called blind because he cannot see the
response; though the hijacker can send the data or commands, he is basically guessing
the responses of the client and server.

UDP session Hijacking: UDP is a connectionless protocol. UDP/IP provides very
few error recovery services, offering instead a direct way to send and receive
datagrams over an IP network. Therefore, delivery, integrity, non-duplication and
ordering are not guaranteed. UDP doesn't use sequence numbers like TCP; it is mainly
used for broadcasting messages across the network or for doing DNS queries.

Counter Measures:

• Use secure protocols instead of clear text protocols like HTTP, FTP, Telnet,
rlogin, etc.

• Encrypting the session id increases the complexity of session id prediction.

• Send the session id over SSL.

• Use long random numbers for the session id.

• Implement a timeout for the session, so that when the user logs out or the session
id expires it can no longer be used.

• Have a different session id for each page.

• Use switches rather than hubs.

• Ensure server-side and client-side protection software.

• Use an IDS for detecting ARP spoofing/poisoning.

• Do not click on suspicious links.
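The countermeasures on session ids above (long random values, timeouts, expiry) as an added Python example that is not part of the report: a minimal session store. The class name, the timeout values and the hashed-storage detail are assumptions of this example, not a description of any particular framework.

```python
import hashlib
import secrets
import time


class SessionStore:
    """In-memory session store applying the countermeasures listed above:
    long random ids, idle and absolute timeouts, rotation after login and
    explicit invalidation on logout. Constructed example, not a framework API."""

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout          # seconds of inactivity allowed
        self.absolute_timeout = absolute_timeout  # max lifetime regardless of activity
        self.clock = clock                        # injectable so tests can move time
        self._sessions = {}                       # sha256(token) -> session record

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored: a leaked or dumped session table
        # then does not hand out usable session ids.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user):
        """Issue a new id: 32 bytes (256 bits) from the OS CSPRNG, so it cannot be
        predicted from earlier ids the way a counter or timestamp could."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._key(token)] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user for a live session, or None. Expired sessions are
        deleted on the spot so an old id can never be replayed later."""
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        now = self.clock()
        if (now - rec["last_seen"] > self.idle_timeout
                or now - rec["created"] > self.absolute_timeout):
            del self._sessions[key]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, token):
        """Swap in a fresh id (e.g. right after authentication) so an id observed
        before login, or planted by an attacker, is worthless afterwards."""
        user = self.validate(token)
        if user is None:
            return None
        del self._sessions[self._key(token)]
        return self.create(user)

    def logout(self, token):
        """Server-side invalidation; clearing the cookie alone is not enough."""
        self._sessions.pop(self._key(token), None)
```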

CHAPTER 10

Web Application Attacks


Web Application and its types of Attacks
Web application provides an interface between the web server and the client to
communicate. Web pages are generated at the server, and browsers present them at
the client side. The data is passed between client and server in the form of HTML
pages through HTTP protocol.

There are client-side vulnerabilities and server-side vulnerabilities which lead to a
web application attack.

Attacks:

Parameter Tampering:

This involves modifying parameters exchanged between client and server, which may
lead to XSS attack and SQL injection attack. Usually, HTML data goes as a name-
value pair; if the attacker is able to modify the values of the parameter during transfer,
it may lead to many other attacks.

Unvalidated inputs:

Web applications accept user inputs, and queries are constructed based on dynamic
user input. If these inputs are not properly sanitised they open a way for the attacker
to launch attacks like XSS, SQL injection, directory traversal, etc. Identity theft and
data theft are dangerous outcomes of these attacks.

Directory traversal Attack:

This is a type of vulnerability where an attacker is able to access beyond the web root
directory, into the restricted directories on the web server. Then an attacker will be
able to access system files, run OS commands, access configuration information, etc.
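Added example, not from the report: the path-mapping mistake behind directory traversal beside a hardened resolver, in Python. The document root /var/www/site and the request strings are assumptions of this example; percent-decoding of the request is assumed to have happened already in the web server.

```python
import os
from pathlib import Path

# Assumed document root. It need not exist: the check works on resolved paths.
WEB_ROOT = Path("/var/www/site")


def resolve_vulnerable(requested):
    """Naive mapping of a request path onto the filesystem.

    os.path.join drops the root entirely when the input is absolute, and
    normpath happily walks '..' segments above the root, so both
    '/etc/passwd' and '../../../etc/passwd' land outside the web root.
    """
    return os.path.normpath(os.path.join(str(WEB_ROOT), requested))


def resolve_safe(requested):
    """Return the absolute file path only if it stays inside WEB_ROOT.

    The candidate is canonicalised first (symlinks and '..' resolved), then
    compared component-wise with relative_to(), not with a string prefix test,
    so a sibling such as /var/www/site-backup is not mistaken for a child.
    Absolute inputs are rejected rather than silently re-rooted.
    """
    root = WEB_ROOT.resolve()
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"path escapes document root: {requested!r}") from None
    return candidate


def is_traversal(requested):
    """True when the hardened resolver rejects the request (useful for logging)."""
    try:
        resolve_safe(requested)
    except PermissionError:
        return True
    return False
```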

Injection Flaws

SQL Injection:

User login screens, URLs, search boxes are the point of interest to an attacker since
they are dynamic inputs, based on which web application requests are constructed. If
an attacker is successful in making the browser construct a malicious query and get it
executed by the back-end database, it is called SQL injection. An attacker may
modify, delete or even do a DOS attack on the database.

Command Injection:

If a user is able to inject operating system commands on any user input field, it may
lead to attacker injecting malicious commands to get sensitive information from the
web server.

LDAP injection:

Lightweight Directory Access Protocol is a directory service protocol running over IP,
where the information is arranged in a hierarchical manner based on user attributes.
LDAP injection works the same way as SQL injection: the attacker tries to enter
arbitrary data to craft malicious queries to be executed by the LDAP server.

Cross Site Scripting


XSS enables attackers to inject client-side scripts into web pages by exploiting
vulnerabilities in dynamically generated web pages. An attacker can inject malicious
scripts (also commonly referred to as a malicious payload) into a legitimate website
or web application and cause various damage, including data theft, session hijacking,
redirecting the web page to another website, etc.

Reflected XSS:

Here the attacker will send a script as an input, and the attacker's contents will be
reflected back to the victim. He can craft malicious scripts to get session cookies,
redirect to a malicious web page, inject data, execute system commands and much
more.

Stored XSS:

Here the input entered by the attacker will be stored in the database; e.g. blog. Anyone
visiting the page will have this script running, thus affecting everyone who visits that
page.

Denial of Service attack:

An attacker with/without the help of bots can flood the target system and reduce,
restrict or prevent the target system from providing service to the authorised clients.

Hacking Methodology
Web footprinting:

Gathering information related to the web application, like:

• Whois information

• Netcraft information

• Firewall information

• Ports and services running

• Server and OS discovery

• Hidden contents

Vulnerability scanners:

Scanners like Nikto, Nessus, URLscan, Acunetix can be used to find out
vulnerabilities in a web application.

Identify Entry Points and Attack surface:

The next step is to know the entry points like login screens, URLs, cookies, and
output points like display screens, reports, etc. We need to find vulnerabilities to
bypass the access controls and break into the application. All the above discussed
attacks should be tested for the possibility.

Countermeasures:

• Always validate the input fields.

• Limit the length of entries in the input fields.

• Check for arbitrary inputs like scripts, SQL injection code, etc.

• Use a web application firewall.

• Run database accounts with minimal access rights.

• Use input/output encoding.

• Use prepared statements and parameterised SQL queries to avoid SQL injection.

• Configure the firewall with strict rules.

• Use secure protocols.

• Encrypt cookies.

• Use random numbers for cookies and proper session expiry.

CHAPTER 11

SQL Injection
Introduction to SQL Injection
SQL injection is an attack where the hacker makes use of unvalidated user input to
enter arbitrary data or SQL commands; malicious queries are constructed and when
executed by the backend database it results in unwanted results. The attacker should
have the knowledge of background database and he must make use of different strings
to construct malicious queries to post them to the target.

For example, on a user login screen, username and password are the dynamic fields
where users enter data. Depending upon the user's input a dynamic query is
constructed; the usual query is

Select * from users where username='<username input>' and password='<password input>'

If the input fields are not sanitized properly, then the malicious user can enter some
data like this

Username = blah' or 1=1--

Password = password

Here both username and password are incorrect. But the query which is constructed
will be

Select * from users where username='blah' or 1=1-- and password='password'

The query will run and the user will be granted access. This is because the first part of
the query is

Select * from users where username='blah' or 1=1--

Because -- starts a comment in SQL, everything following it will be ignored. The
query will only evaluate username='blah' or 1=1.

Because 1=1 is always true, the user will be granted access.
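The login bypass described above, and the prepared-statement countermeasure listed in Chapter 10, as an added Python example that is not the report's own code: the same query built by string concatenation and with bound parameters, run against a constructed in-memory SQLite users table.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory stand-in for the report's 'users' table.
    (A real application stores password hashes, never the passwords.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, the pattern the text describes.
    The input becomes part of the SQL text, so a quote and a comment marker
    rewrite the WHERE clause."""
    query = (f"SELECT * FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn, username, password):
    """Same query with bound parameters: the driver sends the input as data,
    so blah' or 1=1-- is simply a username that does not exist."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run the report's example input through both versions."""
    conn = make_demo_db()
    payload = "blah' or 1=1--"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, payload, "password"),
        "parameterised_bypassed": login_parameterised(conn, payload, "password"),
        "parameterised_valid": login_parameterised(conn, "alice", "s3cret"),
    }
```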

Types of SQL Injection
Error based Injection:

The attacker sends some malicious query to the database which results in errors. The
errors should be very generic, otherwise, they may give useful hints to the attacker.

Comment-Line: Using comment line to cause the database to ignore a part of a valid
query.

E.g. Select * from stores where product_id = blah’ or 1=1-- (everything after this will
be neglected)

Tautology: There are many expressions which always evaluate to true, like '1' = '1',
'a' = 'a', etc.; using them in the query creates conditions that are constantly true.

E.g. Select * from users where username=’blah’ or ‘a’=’a’ -- and password=’pass’

Union Based SQL injection:

Using the union command in an SQL query to execute additional queries; thereby,
modifying/inserting/deleting or dropping the contents of the table.

E.g. Select * from stores where product_id=1 union select 1,database(),user(),4#

Stored procedures: Creating malicious inputs to execute malicious queries.

Incorrect queries: Coming up with logically incorrect queries to see the error
messages to get more information about the target database.

Select * from stores where id=1’

The above query will result in a syntax error and might reveal the backend database
type.

Blind SQL injection:

This is a type of SQL injection where we don’t have a clue as to whether the web
application is vulnerable to injection attack or not.

Types:

Boolean: Only correct queries show a result; wrong queries do not return anything.
Attackers therefore try to generate logically correct queries.

Suppose the original query to the database is

Select * from users where id='id.txt'

If we give blah' or 1=1# as input, which evaluates to a correct query,

Select * from users where id='blah' or 1=1#

we will see the user results.

If we give blah' or 1=2# as input, which is a wrong query, then we don't see any
results.

Select * from users where id='blah' or 1=2#

Time delay: Depending on some conditions, setting a time delay. If that condition is
satisfied, we can observe the time delay; thereby, concluding that the input we gave
produced a positive result. This is a time consuming process.

Tools:

SQLMAP, Marathon tool.

Perimeter tools (IDS) Evasion Techniques:

• Use encryption.

• Obfuscate strings to avoid pattern matching.

• Use concatenation to confuse the IDS.

• Use encoding like ASCII encoding or hexadecimal encoding to avoid detection.

• Insert inline comments within the query.

CHAPTER 12

Cryptography
Introduction to Cryptography
Cryptography is the art of converting text into another form for secret transmission
and reception. It works by converting plain text into cipher text using some encryption
algorithm at the sender’s side and converting ciphertext into plain text at the
receiver’s. Cryptography is used to provide confidentiality, integrity, authenticity and
non-repudiation.

Key terms:

Plain text: Message to be encrypted

Ciphertext: Encrypted message

Encryption: Process of converting plain text into cipher text.

Decryption: Process of converting ciphertext into plain text.

Algorithm: The method used to encrypt/decrypt the plain text.

Key: The data used for encrypting/decrypting.

There are various cryptographic algorithms; generally we categorise them as follows:

Symmetric cryptography:

Here one single key is used for encryption and same key is used for decryption. DES
and AES are examples of symmetric key cryptography.

Asymmetric cryptography/Public key cryptography:

Here two keys are used, Public key is used for encryption and Private key is used for
decryption; e.g. RSA.

Block Cipher:

The input plain text is broken into fixed size blocks and they are encrypted /decrypted
as a block; e.g. DES, AES.

Stream cipher:

The incoming data is encrypted or decrypted byte by byte; e.g. RC4.

Digital Signatures:

Digital signatures are used to verify the genuineness of the source: the sender signs
with his private key, and at the receiver's end the signature can be verified only with
the public key of the sender. This enables the receiver to know who sent the message.

Hash Algorithms:

Hash algorithms are used to maintain the integrity of the data by computing a
fixed-size value for the file and verifying it at the receiver's end.

At the sender’s side, the hash algorithm generates a fixed size number for any-sized
file. This number or hash value is sent along with the cipher text to the receiver. At
the receiver’s end, the cipher text is first decrypted, and then using hash algorithm a
hash value is generated. If the hash value matches with the hash value that came with
the cipher text, then the message was not corrupted. If it is different, then we can
understand that the message has been intercepted and modified.

There are various hash algorithms: SHA-1, SHA-256, MD5, etc.
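Added Python example, not part of the report, isolating the hash step of the flow above and adding the caveat a practitioner needs: an unkeyed hash sent alongside the message only catches accidental corruption, because whoever can modify the message in transit can recompute the hash too; a keyed HMAC does not have that weakness. The shared key, the messages and the function names are assumptions of this example.

```python
import hashlib
import hmac


def sender_digest(message: bytes) -> str:
    """Unkeyed integrity value, as in the flow described above: SHA-256 of the message."""
    return hashlib.sha256(message).hexdigest()


def receiver_verify_digest(message: bytes, digest: str) -> bool:
    """Receiver recomputes the hash and compares it with the one that arrived.
    compare_digest is constant-time, so the comparison itself leaks nothing."""
    return hmac.compare_digest(sender_digest(message), digest)


def sender_tag(key: bytes, message: bytes) -> str:
    """Keyed alternative: HMAC-SHA256 under a key the sender shares with the receiver."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(sender_tag(key, message), tag)


def corruption_in_transit(message: bytes) -> bool:
    """Accidental damage (one bit flipped) is caught by the plain hash.
    Returns True when the receiver detects the corruption."""
    digest = sender_digest(message)
    damaged = message[:-1] + bytes([message[-1] ^ 0x01])
    return not receiver_verify_digest(damaged, digest)


def deliberate_modification(key: bytes):
    """Someone who can alter the message can also recompute an unkeyed hash, so
    the plain-hash check accepts the forgery; the HMAC check rejects it because
    the tag cannot be recomputed without the key.
    Returns (plain_hash_accepts_forgery, hmac_accepts_forgery)."""
    original = b"transfer 10 to bob"            # constructed message
    tag = sender_tag(key, original)             # what the legitimate sender attached
    forged = b"transfer 10000 to eve"           # what arrives after modification
    forged_digest = sender_digest(forged)       # recomputed with no secret at all
    return (receiver_verify_digest(forged, forged_digest),
            receiver_verify_tag(key, forged, tag))
```

In practice the hash is protected by signing it (the digital signature above) or by using an HMAC; the plain hash on its own only guards against transmission errors.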

PKI: Public Key Infrastructure

PKI is a set of roles, policies and procedures needed to create, manage, distribute, use,
store, and revoke digital certificates, and manage public-key encryption. Here the
binding of the public key to respective identities, like people or organisation is done.
In public environment, where third-party verifications are required, this PKI is used.
There are three parties involved here:

• Registration authority

• Validation authority

• Certification authority

When a user needs a public key certificate he first goes to the certification authority,
which then redirects him to the registration authority. RA collects all information like
name, personal identity information, public key, etc., and creates a certificate and
passes it on to the certification authority. The certifying authority gets one copy of the
certificate and signs it using the private key, authorising the public key of the user.
One copy is stored in the database of validation authority; at any future point in time,
the user’s public key can be verified with validation authority.

Every certificate issued by CA has an expiry date, the private key of CA and the
public key of the user. Upon expiry, or if stolen, the certificate can be renewed or re-
issued.

SSL: Secure Socket Layer

Secure Socket Layer is a public key cryptosystem, which is used over the application
layer to provide encryption to the data passing over HTTP. SSL breaks the incoming
data into fixed-size blocks, fragments them, compresses them, encrypts them, adds a
MAC header and passes the result to the receiving end. It has four protocols.

• Handshake protocol - Used for establishing a connection.

• Cipher-spec protocol - To notify that the handshake is over.

• Record protocol - Carries the actual data.

• Alert protocol - Used for any notification.

Cryptography attacks:

• Chosen plaintext attack

• Chosen ciphertext attack

• Known plaintext attack

• Meet in the middle attack

• Rubber hose attack

• Timing attack
