Ch-03 Introduction To Network Security

The document provides an overview of network security topics covered in an Ethical Hacking course, including information gathering, reconnaissance, scanning, and vulnerability assessment. It discusses various techniques and tools used in ethical hacking, such as social engineering, Nessus, and port scanning, while emphasizing the importance of understanding security weaknesses. Additionally, it highlights the significance of human interaction in social engineering attacks and offers strategies to avoid becoming a victim of such tactics.

Introduction to Network Security

Honours Course – Ethical Hacking


Suvarna Chaure
Assistant Professor
Dept. of Computer Engineering,
SIES Graduate School of Technology

1
Suvarna Chaure
Topics

Information gathering, reconnaissance, scanning, vulnerability assessment, OpenVAS,
Nessus; system hacking: password cracking, penetration testing, social engineering
attacks, malware threats, hacking wireless networks (WEP, WPA, WPA2), proxy
networks, VPN security; study of various tools for network security such as
Wireshark, John the Ripper, Metasploit, etc.

Self-learning topics: ransomware (WannaCry), botnets, rootkits, mobile device security
Information Gathering
● “Information is power,” as the saying goes, and in most scenarios it is true: having
critical information at the right time, and especially knowing how to use it, can be
a great source of power.
● Information gathering means collecting different kinds of information about the
target.
● It is the first step of ethical hacking, where penetration testers or hackers (black hat
or white hat alike) try to gather all the information they can about the target, in
order to use it in the later phases of the attack.
Information Gathering
Any basic cybersecurity information gathering process usually includes these two types
of data collection goals:

1. Collecting network data: public, private and associated domain names, network
hosts, public and private IP blocks, routing tables, running TCP and UDP services,
SSL/TLS certificates, open ports and more.
2. Collecting system-related information: user enumeration, system groups, host
names, OS type (usually obtained by fingerprinting), service banners (obtained by
banner grabbing), etc.

But there is a lot more involved. Let us explore the most popular techniques used
during this phase.
Information Gathering Techniques and Methods
● Social engineering: in-person conversation, phone calls and e-mail spoofing
attacks. What these methods have in common is that they exploit human
weakness to extract as much data about the target as possible.
● Search engines: web crawlers index information about almost anything, including
companies, people, services and even evidence of real compromises (“Google
hacking” with advanced search operators).
● Social networks: Facebook, Twitter, LinkedIn and similar networks are great
sources of information for building a profile, especially when targeting
individuals.
● Domain names: these are registered by organizations, governments, public and
private agencies, and individuals, and the registration records are public.
● Internet servers: authoritative DNS servers are a great source of information, as
their records often enumerate every surface point exposed to the Internet, which
means a direct link to related services such as HTTP, e-mail, etc. Passive DNS
recon services (such as those offered by SecurityTrails, from whose articles this
material is drawn) let you query historical DNS data without sending a single
packet to the target.
Reconnaissance

• A reconnaissance attack occurs when an adversary tries to learn information
about your network.
• Reconnaissance is the unauthorized discovery and mapping of systems,
services, or vulnerabilities.
• Reconnaissance is also known as information gathering.
• Reconnaissance is somewhat analogous to a thief investigating a
neighbourhood for vulnerable homes, such as an unoccupied residence or a
house with an easy-to-open door or window.
• In many cases, intruders look for vulnerable services that they can exploit
later, when there is less likelihood that anyone is watching.
• It is the preparatory phase for understanding the system, its network ports and
services and the other aspects of its security that are needed for launching the
attack.
Reconnaissance

An attacker gathers information in two phases:

• Passive reconnaissance (passive attack): no packets are sent to the target
• Active reconnaissance (active attack): the target is probed directly
Reconnaissance
Passive attacks
• Involve gathering information about the target without the target's knowledge.
• Google or Yahoo search: to locate information about employees
• Surfing online community groups such as Facebook: to gain information about an
individual
• The organization's website: for a personnel directory or information about key
employees; used in social engineering attacks to reach the target
• Blogs, newsgroups, press releases, etc.
• Going through job postings (they reveal the technologies and products in use)
• Network sniffing: information on IP address ranges, hidden servers, networks or
services on the system (passive only if the attacker already sits on a network
segment that carries the traffic; nothing is sent to the target)
Reconnaissance
• Tools used during passive attacks
• Google Earth
• Internet Archive: permanent access for researchers, historians and scholars
to historical collections (including old versions of the target's web site)
• Professional community: LinkedIn
• People search
• Domain name confirmation
• WHOIS
• nslookup
• DNSstuff
• traceroute
• VisualRoute Trace
• TrackerPro
• HTTrack (website copier)
Reconnaissance
• Active attacks (“rattling the doorknobs”): active reconnaissance
Involves probing the network to discover individual hosts and to confirm
the information gathered in the passive phase.
Can confirm to an attacker which security measures are in place, but the
probes themselves can be logged and detected by the target.
• Tools used during active attacks
• arphound
• arping
• bing
• Bugtraq (vulnerability mailing list, used to look up known issues in the
services discovered)
• dig
• dnstracer
• dsniff
• filesnarf
• findsmb
• hmap, hping, hunt, netcat, nmap, tcpdump, tcpreplay
Scanning and Scrutinizing gathered information
• A key step: intelligently examining the information gathered about the
target.
• The objectives are:
Port scanning
Network scanning
Vulnerability scanning
What is Port Scanning?
• The act of systematically probing a computer's ports.
• Since a port is a place where information goes into and out of a computer,
port scanning identifies the open doors to a computer.
• It is similar to a thief going through your neighbourhood and checking every
door and window on each house to see which ones are open and which ones
are locked.
• There is no way to stop someone from sending probes to your computer while
it is reachable on the Internet: every service you expose listens on a port, and
that port is a door to your computer.
• There are, however, firewalls and intrusion detection products that drop probes
to ports you do not intend to expose and alert on scanning activity, so that a
scan does no damage beyond revealing the services you deliberately offer.
What is Port Scanning?
• TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are
two of the protocols that make up the TCP/IP protocol suite, which is used
universally to communicate on the Internet.
• Each of these has ports 0 through 65535 available (the port number is 16 bits),
so essentially there are more than 65,000 doors to lock per protocol.
• The first 1024 TCP ports (0–1023) are called the Well-Known Ports and are
associated with standard services such as FTP (21), SSH (22), SMTP (25),
DNS (53) and HTTP (80).
• Some of the ports above 1023 also have commonly associated services (the
registered ports), but the majority of these ports are not associated with any
service and are available for any program or application.
Types of port scans
• vanilla: the scanner attempts to connect to all 65,536 ports (0–65535)
• strobe: a more focused scan looking only at the ports of known services to exploit
• fragmented packets: the scanner splits the probe across IP fragments so that
simple packet filters in a firewall, which inspect only the first fragment, let it through
• UDP: the scanner looks for open UDP ports (harder to interpret, because an open
UDP port usually gives no reply and only closed ports answer with ICMP errors)
• sweep: the scanner probes the same port on more than one machine
• FTP bounce: the scanner abuses the FTP PORT command on a third-party FTP
server so that the server makes the connections, disguising the source of the scan
• stealth scan: the scanner never completes the TCP three-way handshake (for
example a SYN or “half-open” scan), so the probed application never sees a
connection and does not log the scan; packet-level logging on the target or a
firewall still records the probes
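The connect scan and banner grabbing described above, as an added example (this is not code from the slides): a minimal TCP connect scanner in Python that distinguishes open, closed and filtered ports and reads the service banner where a service speaks first. To run offline it starts its own throw-away listener on 127.0.0.1; that listener, its ephemeral port and the SSH-style banner are constructed for the demo, and the WELL_KNOWN table assumes a port carries its IANA-assigned service, which the banner is there to confirm. Only probe hosts you are authorized to test.

```python
"""TCP connect scan with banner grabbing (added example; not from the slides)."""
import socket
import threading

# A few Well-Known Ports (0-1023), used only to label results. Assumption: the
# service on a port matches its IANA assignment; the banner should confirm it.
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


def start_fake_service(banner: bytes) -> int:
    """Constructed target: a throw-away listener on 127.0.0.1 that sends `banner`
    to every client and hangs up. Returns the ephemeral port it is bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_local_port() -> int:
    """Bind an ephemeral port and release it, giving a port with nothing listening."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe_port(host: str, port: int, timeout: float = 0.5) -> tuple:
    """Full three-way handshake (a 'connect' scan, so the target application sees
    and can log the connection). Returns (state, banner) with state one of
    'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", b""      # RST came back: nothing is listening
    except OSError:
        s.close()
        return "filtered", b""    # no answer at all: dropped by a filter, or host down
    banner = b""
    try:
        banner = s.recv(128)      # SSH, SMTP and FTP servers speak first
    except OSError:
        pass                      # silent service (HTTP waits for our request)
    finally:
        s.close()
    return "open", banner


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Scan `ports` on `host`; returns {port: (state, service label, banner)} for
    every port that is not plainly closed."""
    results = {}
    for port in ports:
        state, banner = probe_port(host, port, timeout)
        if state != "closed":
            results[port] = (state, WELL_KNOWN.get(port, "unknown"), banner.strip())
    return results


if __name__ == "__main__":
    target_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")   # constructed banner
    for p, (state, label, banner) in connect_scan("127.0.0.1", [target_port]).items():
        print(f"{p}/tcp {state} {label} {banner!r}")
```

A SYN ("stealth") scan differs only in never calling connect(): it needs raw sockets, sends the SYN itself and reads the SYN/ACK or RST from the wire, so the listening application never gets a connection to log.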
Scrutinizing
The scrutinizing phase is called “enumeration” in the hacking world.
The objective behind this step is to identify:
• The valid user accounts or groups
• Network resources and/or shared resources
• The OS and the different applications running on it
Vulnerability Assessment

• A vulnerability assessment is a systematic review of security weaknesses in an
information system. It evaluates whether the system is susceptible to any known
vulnerabilities, assigns severity levels to those vulnerabilities, and recommends
remediation or mitigation where needed.

Examples of threats that a vulnerability assessment can help prevent include:

1. SQL injection, XSS and other code injection attacks.
2. Escalation of privileges due to faulty authentication mechanisms.
3. Insecure defaults: software that ships with insecure settings, such as a guessable
admin password.
Vulnerability Assessment
There are several types of vulnerability assessments. These include:

1. Host assessment: the assessment of critical servers, which may be vulnerable
to attacks if not adequately tested or not built from a tested machine image.
2. Network and wireless assessment: the assessment of policies and practices to
prevent unauthorized access to private or public networks and network-accessible
resources.
3. Database assessment: the assessment of databases or big data systems for
vulnerabilities and misconfigurations, identifying rogue databases or insecure
dev/test environments, and classifying sensitive data across an organization's
infrastructure.
4. Application scans: identifying security vulnerabilities in web applications and
their source code by automated scans of the running front end (dynamic analysis)
or static analysis of the source code.
Nessus
▪ First released in 1998
▪ Originally a free, open source tool; closed source since 2005 (Tenable), with a
free Nessus Essentials edition; OpenVAS is the fork of the last open source version
▪ Uses a client/server architecture
▪ Can conduct tests from different locations
▪ Can use different OSs for the client and the server
Nessus (continued)
▪ Server
▪ Any *NIX platform
▪ Client
▪ Can be *NIX or Windows
▪ Functions much like a database server: the client submits the scan and the
server runs the checks and stores the results
▪ Ability to update the security checks (plug-ins)
▪ Some plug-ins are considered dangerous: they can crash or disrupt the service
they test, so they are held back when “safe checks” is enabled
Nessus (continued)
▪ Finds services running on ports
▪ Finds vulnerabilities associated with the identified services
Social Engineering
• A technique of influence and persuasion used to deceive people into giving up
information or performing some action.
• A social engineer usually uses telecommunications or the Internet to get people
to do something that is against the security practices and/or policies of the
organization.
• SE involves gaining sensitive information or unauthorized access privileges
by building inappropriate trust relationships with insiders.
• It is the art of exploiting the trust of people.
Social Engineering
• Social engineering is a non-technical method of intrusion that relies heavily
on human interaction and often involves tricking people into breaking normal
security procedures.
• A social engineer runs what used to be called a “con game.” For example, a
person using social engineering to break into a computer network might try to
gain the confidence of an authorized user and get them to reveal information
that compromises the network's security.
• Social engineers often rely on the natural helpfulness of people as well as on
their weaknesses.
• They might, for example, call the authorized employee with some kind of
urgent problem that requires immediate network access.
• Appealing to vanity, appealing to authority, appealing to greed, and old-fashioned
eavesdropping are other typical social engineering techniques.
Classification of Social Engineering
1. Human-based social engineering
Needs interaction with humans: person-to-person contact and then
retrieving the desired information. The most popular methods are:
• Impersonating an employee or valid user
• Posing as an important user
• Using a third person
• Calling technical support
• Shoulder surfing
• Dumpster diving
2. Computer-based social engineering
Uses computer software to retrieve the desired information:
• Fake e-mails
• E-mail attachments
• Pop-up windows
Social Engineering
Impersonation
• In this type of social-engineering attack, the hacker pretends to be an
employee or valid user on the system.
• A hacker can gain physical access by pretending to be a janitor, employee,
or contractor.
• To attackers, sets of valid credentials are a coveted asset.
• An attacker who has obtained valid user credentials through social
engineering can roam the network with impunity searching for valuable data.
In log data the attacker's activities are easily hidden: the logins look like the
legitimate user's, and only subtle differences in behaviour and access
characteristics (time of day, source host, resources touched) give them away.
• Yet this phase of the classic attack chain often represents the lengthiest
portion of the attack.
Social Engineering
Posing as an important user
• In this type of attack, the hacker pretends to be a VIP or high-level
manager who has the authority to use computer systems or files.
• Most of the time, low-level employees don't ask any questions of
someone who appears to be in this position.

Being a third party
• In this attack, the hacker pretends to have permission from an
authorized person to use the computer system.
• It works when the authorized person is unavailable for some time and
cannot be asked to confirm.

Desktop support
• Calling tech support for assistance is a classic social-engineering
technique.
• Help desk and technical support personnel are trained to help users,
which makes them good prey for social engineering attacks.
Social Engineering
Shoulder surfing
• Shoulder surfing is the technique of gathering passwords by watching over
a person's shoulder while they log in to the system.
• A hacker can watch a valid user log in and then use that password to
gain access to the system.

Dumpster diving
• Dumpster diving involves looking in the trash for information written
on pieces of paper or computer printouts.
• The hacker can often find passwords, filenames, or other pieces of
confidential information such as SSNs, PANs or credit card numbers.
• Also called dumpstering, binning, trashing, garbaging, garbage gleaning or
scavenging.
Social Engineering
Fake e-mails
• Phishing involves false e-mails, chats, or websites designed to impersonate
real systems with the goal of capturing sensitive data.
• A message might appear to come from a bank or other well-known institution
asking you to “verify” your login information.
• It will usually link to a mocked-up login page with all the right logos to
look legitimate.
• The term was coined in 1996 by hackers who were stealing AOL Internet
accounts by scamming passwords from unsuspecting AOL users.
• They replaced “f” with “ph” (fishing for passwords).
Social Engineering
Baiting:
• Baiting involves dangling something you want, to entice you to take
an action the criminal desires (a false promise to pique a victim's greed
or curiosity).
• It can take the form of a music or movie download on a peer-to-peer
site, or a USB flash drive with a company logo labelled “Executive
Salary Summary Q1 2013” left out in the open for you to find.
• Once the device is plugged in or the file is downloaded and opened, the
person's or company's computer is infected with malicious software, allowing
the criminal to advance into the system.

E-mail attachments
E-mails sent by scammers may carry attachments that contain malicious
code. Those attachments can include keyloggers to capture users' passwords,
viruses, Trojans, or worms.
Pop-up windows
Pop-up windows can also be used in social engineering attacks. Pop-ups
that advertise special offers may tempt users into unintentionally installing
malicious software.
Don't become a victim
Slow down. Spammers want you to act first and think later. If the message
conveys a sense of urgency, or uses high-pressure sales tactics, be
skeptical; never let their urgency influence your careful review.
Research the facts. Be suspicious of any unsolicited messages. If the e-mail looks
like it is from a company you use, do your own research. Use a search
engine to go to the real company's site, or a phone directory to find their
phone number.
Delete any request for financial information or passwords. If you get
asked to reply to a message with personal information, it's a scam.
Reject requests for help or offers of help. Legitimate companies and
organizations do not contact you to provide help. If you did not
specifically request assistance from the sender, consider any offer to
“help” restore credit scores, refinance a home, answer your question, etc.,
a scam. Similarly, if you receive a request for help from a charity or
organization that you do not have a relationship with, delete it. To give,
seek out reputable charitable organizations on your own to avoid falling
for a scam.
Don't become a victim
Don't let a link control where you land. Stay in control by finding the
website yourself using a search engine, to be sure you land where you
intend to land. Hovering over a link in an e-mail will show the actual URL at the
bottom of the window, but a good fake (a look-alike domain) can still steer you wrong.
E-mail hijacking is rampant. Hackers, spammers, and social engineers taking
control of people's e-mail accounts (and other communication accounts) has
become rampant. Once they control someone's account they prey on the
trust of all the person's contacts. Even when the sender appears to be
someone you know, if you aren't expecting an e-mail with a link or attachment,
check with your friend before opening links or downloading.
Beware of any download you did not go looking for.
Foreign offers are fake. If you receive an e-mail from a foreign lottery or
sweepstakes, about money from an unknown relative, or a request to transfer funds
from a foreign country for a share of the money, it is guaranteed to be a scam.
Secure your computing devices. Install anti-virus software, firewalls and filters,
and keep them up to date. Set your operating system to update automatically,
and if your smartphone doesn't automatically update, manually
update it whenever you receive a notice to do so.
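The “hover over the link to see the real URL” advice above can be automated. As an added example (not code from the slides), the Python below parses the HTML body of a message and flags every link whose visible text names one host while its href actually points to another, which is the standard phishing trick. The sample message, the bank name and the .test domains are constructed for the demo; a real mail filter would additionally resolve redirectors and compare registrable domains against a list of brands.

```python
"""Flag links whose displayed host differs from the real link target (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a host name written in visible link text, e.g. "www.example-bank.com/verify".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(shown: str, real: str) -> bool:
    """True when the displayed host and the real host are the same site
    (exact match, or one is a subdomain of the other)."""
    return shown == real or real.endswith("." + shown) or shown.endswith("." + real)


def suspicious_links(html: str) -> list:
    """Return (visible text, href) for links that show one host but go to another."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        m = HOST_IN_TEXT.search(text)
        if not m:
            continue                       # text like "click here" makes no host claim
        shown = m.group(1).lower()
        real = (urlparse(href).hostname or "").lower()
        if real and not same_site(shown, real):
            findings.append((text, href))
    return findings


# Constructed phishing sample: the first link displays the bank's host but points at
# an attacker-controlled name that merely begins with it; the other two are genuine.
SAMPLE_EMAIL = (
    "<p>Your account is locked. Confirm your details at "
    '<a href="http://www.example-bank.com.attacker.test/verify">'
    "https://www.example-bank.com/verify</a> within 24 hours. "
    'Questions? <a href="https://www.example-bank.com/help">www.example-bank.com/help</a> '
    'or <a href="https://www.example-bank.com/help">click here</a>.</p>'
)

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"mismatch: shows {text!r} but goes to {href}")
```

Note that `www.example-bank.com.attacker.test` is not a subdomain of `www.example-bank.com`; the check deliberately compares from the right-hand end, because the registrable domain is what decides who receives the credentials.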
Password Cracking

• Password cracking techniques are used to recover passwords from data
stored in or transmitted by computer systems.
• Attackers use password-cracking techniques to gain unauthorized
access to a vulnerable system.
• Most password cracking techniques succeed because of weak
or easily guessable passwords.
Password Cracking
Purpose of password cracking:
• To recover a forgotten password
• As a preventive measure by system administrators, to find easily
crackable passwords before an attacker does
• To gain unauthorized access to a system

Password cracking steps:
• Find a valid user account, such as an admin or guest account
• Create a list of possible passwords
• Rank the passwords from high to low probability
• Key in each password
• Try again until a successful password is found
Password Cracking
Examples of guessable passwords:
• Blank
• Words like “password”, “passcode”, “admin”
• A series of adjacent letters from the keyboard (qwerty)
• The user's name or login name
• The name of the user's friend or relative
• The user's birthplace or date of birth
• The user's vehicle number
Password Cracking
Password cracking attacks:
• Online attacks
• Offline attacks
• Non-electronic attacks (social engineering, shoulder surfing, dumpster
diving)
Password Cracking
Online attacks (guesses are sent to the live login service, so they are slow,
visible in the service's logs, and can be stopped by lockouts and rate limits)
• An attacker can write a script that submits guesses to the login interface
• Man-in-the-middle attack: credentials are captured as they are transmitted

Offline attacks (the attacker has obtained the password hashes or an encrypted
file and tests guesses on their own hardware, limited only by compute)
• Dictionary attack
• Hybrid attack (dictionary words with mangling rules: case changes, appended digits)
• Brute force attack
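The three offline attacks listed above, as an added example in Python (this is not code from the slides, nor from John the Ripper): a dictionary attack, a hybrid attack that mangles dictionary words, and a bounded brute-force search, run first against an unsalted MD5 hash (a legacy storage format that is fast to guess against) and then against a salted, iterated PBKDF2 hash to show why the latter makes every guess expensive. The wordlist, the salt and the target passwords are constructed for the demo; the strong example `4pRte!ai@3` is the one from the next slide.

```python
"""Offline password cracking: dictionary, hybrid and brute force (added example)."""
import hashlib
import itertools
import string


def md5_hex(password: str) -> str:
    """Unsalted MD5: one cheap hash per guess, and one table serves every account."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes = b"constructed-salt",
               iterations: int = 100_000) -> str:
    """Salted, iterated hash: each guess costs `iterations` HMAC computations, and
    the per-account salt prevents one precomputed table from serving everyone."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def dictionary_attack(target: str, wordlist, hash_fn=md5_hex):
    """Try each word as-is, in wordlist order (most probable first)."""
    for word in wordlist:
        if hash_fn(word) == target:
            return word
    return None


def hybrid_attack(target: str, wordlist, hash_fn=md5_hex, max_digits: int = 2):
    """Dictionary words plus common mangling rules: case variants and appended digits."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            if hash_fn(base) == target:
                return base
            for n in range(1, max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    candidate = base + "".join(digits)
                    if hash_fn(candidate) == target:
                        return candidate
    return None


def brute_force(target: str, alphabet: str = string.ascii_lowercase + string.digits,
                max_len: int = 4, hash_fn=md5_hex):
    """Exhaustive search of every string up to max_len; cost grows as |alphabet|^len."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if hash_fn(candidate) == target:
                return candidate
    return None


def crack(target: str, wordlist, hash_fn=md5_hex, max_len: int = 4):
    """Run the attacks from cheapest to most expensive, as a cracker would."""
    for attack in (
        lambda: dictionary_attack(target, wordlist, hash_fn),
        lambda: hybrid_attack(target, wordlist, hash_fn),
        lambda: brute_force(target, max_len=max_len, hash_fn=hash_fn),
    ):
        found = attack()
        if found is not None:
            return found
    return None


# Constructed wordlist, ordered from most to least probable.
WORDLIST = ["password", "admin", "letmein", "summer", "welcome"]

if __name__ == "__main__":
    for pw in ("admin", "Summer19", "x7q", "4pRte!ai@3"):
        print(pw, "->", crack(md5_hex(pw), WORDLIST, max_len=3))
```

Against MD5 the weak passwords fall in milliseconds and only the strong one survives the bounded search; swapping in `pbkdf2_hex` does not stop a dictionary hit on a weak password, but multiplies the cost of every guess by the iteration count, which is what puts brute force out of reach.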
Password Cracking
Strong, weak and random passwords:
Weak passwords are easily guessed
• Common names, repeated letters, a pet's name, abc123, admin,
1234, password

Strong passwords are difficult to guess
• 4pRte!ai@3, Convert_&0, etc.

Random passwords
• Generated by a tool rather than chosen by a person, so they carry no guessable
pattern; since a person usually cannot remember them, they are kept in a
password manager.
Password Cracking
Password cracking tools
• Default password lists (DefaultPassword)
• Openwall (publisher of John the Ripper and its wordlists)
• John the Ripper
• Aircrack-ng (WEP/WPA key recovery)
• AirSnort (WEP key recovery)
• SolarWinds
Malware Threats
Types of malware
1. Keyloggers
2. Spyware
3. Viruses and worms
4. Trojan horses
1. Keyloggers and Spyware
Keyloggers
• A keylogger is a covert surveillance tool that records the keystrokes of the
users of a computer without their knowledge.
• Keyloggers are marketed to companies that want to keep track of their
employees' Internet and computer usage, and to private persons where the
family shares one or more computers.
• Vendors also sell them as a way for a person with many passwords and user
names to record them; from a security standpoint, however, anything that
silently records keystrokes is exactly what an attacker installs to steal credentials.
Keyloggers
Types of keyloggers:
• Software keyloggers
• Hardware keyloggers
Keyloggers
Software keylogger
• Hard to detect
• Can be deployed remotely (if the attacker is competent) via a software
vulnerability (for example a buffer overflow or format string exploit), a virus,
or a Trojan
• Fairly easy to write
• Example: a clever use of console input/output calls such as getch() and putch()
that intercepts keyboard input, saves it to a file, and is wrapped in a virus template
Keyloggers
Hardware keylogger
• Small hardware devices.
• Connected between the PC and the keyboard (or built into it); they save every
keystroke.

Anti-keyloggers
• Tools that can detect the keyloggers installed on a computer

Why anti-keyloggers are needed
• Firewalls cannot detect the installation of keyloggers on the system.
• Behaviour-based anti-keyloggers do not depend on regular signature updates
• Prevent Internet banking fraud
• Prevent ID theft
• Secure e-mail and messaging/chatting
2. Spyware
• A type of malware.
• Applications that send information from your computer to the creator
of the spyware.
• Sometimes consists of an apparent core functionality and a hidden
information-gathering functionality (a Trojan).
• Can be used by web sites for marketing information, to determine their
stance with regard to competitors and market trends.
• Can also be used to log keystrokes and send them to whomever controls it.
• Software or hardware installed on a computer without the user's
knowledge which gathers information about that user for later
retrieval by whomever controls the spyware.
• Spyware can be broken down into two categories:
surveillance spyware
advertising spyware
Spyware
• Surveillance software:
Includes key loggers, screen capture tools, and Trojans. These are
used by corporations, private detectives, law enforcement,
intelligence agencies and suspicious spouses.
• Advertising spyware:
Software that is installed alongside other software or via ActiveX
controls from the Internet, often without the user's knowledge or without
full disclosure that it will be used for gathering personal information
and/or showing the user ads.
Advertising spyware logs information about the user, possibly
including passwords, e-mail addresses, web browsing history, online
buying habits, the computer's hardware and software configuration,
name, age, gender, etc.
3. Viruses & Worms
A virus is a small piece of software that piggybacks on real programs in
order to get executed.
• Once it is running, it spreads by inserting copies of itself into other
executable code or documents.
A worm is a self-replicating program, similar to a computer virus. A virus
attaches itself to, and becomes part of, another executable program;
a worm, however, is self-contained and does not need to be part of another
program to propagate itself.
• It is a small piece of software that uses computer networks and security
holes to replicate itself. A copy of the worm scans the network for
another machine that has a specific security hole, copies itself to the
new machine through that hole, and then starts replicating from
there as well.
• Worms are often designed to exploit the file transmission capabilities
found on many computers.
Viruses & Worms
Viruses can take some typical actions:
• Display a message prompting an action which may set off the virus.
• Delete files on the system into which the virus enters.
• Scramble data on a hard disk.
• Cause erratic screen behaviour.
• Halt the system.
• Just replicate themselves in order to propagate further.
How Viruses spread
(three diagram slides; the figures are not reproduced in this text)
Viruses & Worms
• A true virus spreads from one system to another only when an infected file
or disk is carried across by a user: it needs a host program and a human action.

• A worm spreads itself automatically to other computers through
networks by exploiting security vulnerabilities.
Types of Viruses
• Categorized by the element of the system they attack
1. Boot sector viruses:
• Infect the storage media on which the OS is stored and
which is used to start the computer system
• Spread to other systems when shared infected disks and pirated
software are used
2. Program viruses:
• Activate when a program file (usually with extension .bin,
.com, .exe, .ovl or .drv) is executed
• Make a copy of themselves
Types of Viruses
3. Multipartite viruses:
• Hybrid of boot sector and program viruses

4. Stealth viruses:
• Mask themselves
• Can evade antivirus software by intercepting the reads it performs and
returning the original, uninfected data
• Alter the file system and hide in the computer's memory to remain in
the system undetected
• Brain (1986), the first PC virus, already used stealth techniques
Types of Viruses
5. Polymorphic viruses:
• Like a “chameleon”, change their virus signature (i.e., binary pattern)
every time they spread through the system (i.e., multiply and infect a new
file)
• Polymorphic generators are routines that can be linked with
existing viruses
• The generators are not viruses themselves; their purpose is to hide actual
viruses under the cloak of polymorphism
Types of Viruses
6. Macro viruses:
• Infect documents (Word, Excel, etc.) through the macro scripting language
of the application that produced them on the victim's computer

7. ActiveX and Java controls:
• Malicious browser components delivered from a web page
Three ways the (Morris) worm spread
1. Sendmail
Exploited the DEBUG option in sendmail to obtain shell access
Opened a TCP connection to the machine's SMTP port
Invoked debug mode

2. fingerd
Written in C and running continuously
Exploited a buffer overflow in its use of gets() to read the request
Apparently, this was the most successful attack
3. rsh
Exploited trusted hosts (.rhosts / hosts.equiv)
Password cracking (guessing user passwords, then logging in to trusting hosts
with them)
Some historical worms

Worm        Date   Distinction
Morris      11/88  Used multiple vulnerabilities; propagated to “nearby” systems
ADM         5/98   Random scanning of the IP address space
Ramen       1/01   Exploited three vulnerabilities
Lion        3/01   Stealthy rootkit worm
Cheese      6/01   “Vigilante” worm that secured vulnerable systems
Code Red    7/01   First significant Windows worm; completely memory-resident
Walk        8/01   Recompiled its source code locally
Nimda       9/01   Windows worm: client-to-server, client-to-client, server-to-server, ...
Scalper     6/02   Released 11 days after announcement of the vulnerability;
                   peer-to-peer network of compromised systems
Slammer     1/03   Used a single UDP packet for explosive growth
Storm worm  1/07   Backdoor Trojan horse affecting Microsoft OSs
Difference between Virus and Worm
(comparison table shown as an image; not reproduced in this text)
Viruses & Worms
• Typical definitions of virus/worm cover different aspects:
1. A virus attacks specific file types.
2. A virus manipulates a program to execute tasks unintentionally.
3. An infected program produces more viruses.
4. An infected program may run without error for a long time.
5. Viruses can modify themselves and may possibly escape detection
this way.
4. Trojan Horses
Trojan Horses
• A Trojan horse is a program in which malicious or harmful code is
contained inside apparently harmless programming or data in such a
way that it can get control and cause harm.
• A Trojan horse is a malicious program that is disguised as legitimate
software.
• Like the gift horse left outside the gates of Troy by the Greeks, Trojan
horses appear to be useful or interesting to an unsuspecting user, but
are actually harmful.
• They get into a system in a number of ways, including via the web browser,
via e-mail, or with software downloaded from the Internet.
Trojan Horses (Virus or Worm?)
• Trojan horse programs cannot replicate themselves, in contrast to
some other types of malware, like viruses or worms.

• A Trojan horse can be deliberately attached to otherwise useful
software by a cracker, or it can be spread by tricking users into
believing that it is a useful program.
Trojan Horses
Examples of threats posed by Trojans:
• Erase, overwrite or corrupt data on the computer
• Help to spread other malware
• Deactivate or interfere with antivirus and firewall software
• Allow remote access to your computer
• Upload and download files without the user's knowledge
• Gather e-mail addresses and use them for spam
• Slow down, restart or shut down the system
• Reinstall themselves after being disabled
• Disable Task Manager or Control Panel
• Plant fake links to false websites, display porn sites, play
sounds/videos and display images
• Log keystrokes to steal information such as passwords or credit card numbers
Trojan Horses
How can you be infected?
• Websites: you can be infected by visiting a rogue website. Internet
Explorer has most often been targeted by makers of Trojans and other pests.
Even with a more secure web browser, such as Mozilla's Firefox, if Java is
enabled your computer has the potential of receiving a Trojan horse.

• Instant messaging: many get infected through files sent through various
messengers. This is due to an extreme lack of security in some instant
messengers, such as AOL's Instant Messenger.

• E-mail: attachments on e-mail messages may contain Trojans; this is the
classic delivery channel, over SMTP.
Trojan Horses
Sample delivery
• The attacker attaches the Trojan to an e-mail with an enticing subject line.
• The Trojan horse is typically a Windows executable program file, and
must have an executable file extension such as .exe, .com, .scr, .bat, or
.pif.
• Since Windows is configured by default to hide known extensions from the
user, the Trojan horse's extension can be “masked” by giving it a name
such as 'Readme.txt.exe'.
• With file extensions hidden, the user only sees 'Readme.txt' and
could mistake it for a harmless text file.
Trojan Horses
■ Where They Live
• Autostart Folder
The Autostart folder is located in C:\Windows\Start Menu\Programs\startup and, as its name suggests, automatically starts everything placed there.
• Win.ini
A Windows system file; a load=Trojan.exe or run=Trojan.exe line executes the Trojan at startup.
• System.ini
A Shell=Explorer.exe trojan.exe entry results in the execution of every file listed after Explorer.exe.
• Wininit.ini
Used mostly by setup programs; once run, it is automatically deleted, which is very handy for a Trojan that wants to restart.
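An audit of the first three locations above, added as an example and not part of the original slides: it parses win.ini and system.ini text and a list of Startup-folder entries supplied as Python values, so it runs offline on the constructed sample content in the main block; on a real host you would read the actual files and folder.

```python
"""Audit the legacy Windows autostart locations the slide lists.

Added example, not from the original slides. It takes win.ini / system.ini text
and a list of Startup-folder entries as plain Python values so it runs offline
on constructed input; on a live host you would read the real files and folder.
"""
import os

EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".pif"}   # from the slide

def parse_ini(text):
    """Minimal INI parser: {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_win_ini(text):
    """load= and run= under [windows] start whatever they name at logon."""
    windows = parse_ini(text).get("windows", {})
    return [f"win.ini [windows] {k}={windows[k]}" for k in ("load", "run") if windows.get(k)]

def check_system_ini(text):
    """Anything after Explorer.exe on the [boot] shell= line is executed too."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    return [f"system.ini [boot] shell= also runs {p}"
            for p in shell.split() if p.lower() != "explorer.exe"]

def check_startup_folder(entries):
    """Everything in the Startup folder runs at logon; flag the executables."""
    return [f"startup folder runs {e}" for e in entries
            if os.path.splitext(e)[1].lower() in EXECUTABLE_EXTS]

def audit(win_ini, system_ini, startup_entries):
    """All findings across the three locations, in slide order."""
    return (check_win_ini(win_ini) + check_system_ini(system_ini)
            + check_startup_folder(startup_entries))

if __name__ == "__main__":
    # constructed sample contents echoing the slide's entries
    WIN_INI = "[windows]\nload=Trojan.exe\nrun=\n[fonts]\n"
    SYSTEM_INI = "[boot]\nshell=Explorer.exe trojan.exe\n"
    for finding in audit(WIN_INI, SYSTEM_INI, ["desktop.ini", "updater.scr"]):
        print(finding)
```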

Trojan Horses
■ Are you Infected?
• It is normal to visit a web site and have several more pop-ups appear along with the one you visited. But when you are doing nothing at all and your browser suddenly directs you to some page unknown to you, take that seriously.
• A strange and unknown Windows message box appears on your screen, asking you personal questions.
• Your Windows settings change by themselves: a new screensaver text, the date/time or the sound volume changes by itself, your mouse moves by itself, the CD-ROM drawer opens and closes.

Trojan Horses
■ Well known Trojans
• AceBot is a powerful backdoor Trojan designed to perform many different destructive actions. The parasite detects, terminates and totally disables running antivirus software installed on the target computer.
• AceBot also connects to the IRC network and uses it to give the attacker remote control over the compromised system. Moreover, the Trojan is able to connect to various malicious servers and download other harmful parasites from there.

Trojan Horses
■ Well known Trojans
• The Secup Trojan displays fake security-related messages. When the user clicks on such a message, the Trojan opens a malicious web site that quietly installs potentially harmful software. Secup also serves undesirable commercial advertisements.

• Dmsys is a dangerous Trojan that specializes in infecting various instant messengers and stealing confidential user information. Using its keystroke-logging technique, Dmsys easily steals user passwords and captures private conversations. This information is written into a log file, which is then sent to the attacker.

Penetration Testing
• A penetration test, also known as a pen test, is a simulated cyber attack against
your computer system to check for exploitable vulnerabilities.
• The purpose of this simulated attack is to identify any weak spots in a system’s
defenses which attackers could take advantage of.

What are the benefits of penetration testing?
• Find weaknesses in systems
• Determine the robustness of controls
• Support compliance with data privacy and security regulations (e.g., PCI DSS,
HIPAA, GDPR)
• Provide qualitative and quantitative examples of current security posture and
budget priorities for management

Penetration Testing
• Penetration testing stages (shown as a figure on the original slide)
Penetration Testing

Types of pen tests
● Open-box pen test - In an open-box test, the hacker is provided with some information ahead of time regarding the target company's security.
● Closed-box pen test - Also known as a 'single-blind' test, this is one where the hacker is given no background information besides the name of the target company.
● Covert pen test - Also known as a 'double-blind' pen test, this is a situation where almost no one in the company is aware that the pen test is happening, including the IT and security professionals who will be responding to the attack. For covert tests, it is especially important for the hacker to have the scope and other details of the test in writing beforehand to avoid any problems with law enforcement.
● External pen test - In an external test, the ethical hacker goes up against the company's external-facing technology, such as its website and external network servers. In some cases, the hacker may not even be allowed to enter the company's building. This can mean conducting the attack from a remote location or carrying out the test from a truck or van parked nearby.
● Internal pen test - In an internal test, the ethical hacker performs the test from the company's internal network. This kind of test is useful in determining how much damage a disgruntled employee can cause from behind the company's firewall.
Tools for Network Security

■ Wireshark
■ John the Ripper
■ Metasploit
Packet Sniffing
• A packet is the smallest unit of communication over a computer network.
• It is also called a block, a segment, a datagram or a cell.
• The act of capturing (sniffing) data packets crossing the computer network is called packet sniffing.
• A packet sniffer itself is passive. It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself.
• ISPs use packet sniffing to track all your activities, such as:
  • who the receiver of your email is
  • what the content of that email is
  • what you download
  • sites you visit
  • what you looked at on that website
  • downloads from a site
  • streaming events like video, audio, etc.

Wireshark
• Wireshark (originally named Ethereal) is a free and open-source packet analyzer.
• It is used for network troubleshooting, analysis, software and communication protocol development, and education.
• Wireshark captures network packets in real time and displays them in human-readable format.
• It provides many advanced features, including live capture and offline analysis, a three-pane packet browser, and coloring rules for analysis.
• It has a graphical front-end and many information sorting and filtering options.

Features
• Available for UNIX and Windows.
• Open files containing packet data captured with tcpdump/WinDump, Wireshark,
and a number of other packet capture programs.
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
• Save packet data captured.
• Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.
…and a lot more!

Installing Wireshark
• Kali Linux has Wireshark installed: launch the Kali Linux VM and open Wireshark there. Wireshark can also be downloaded from https://www.wireshark.org/download.html

Starting Wireshark
• When you run the Wireshark program, the Wireshark graphical user interface is shown as in the figure. At this point the program is not yet capturing packets.

Color Coding

Wireshark Filters
Two types of filters:
• Capture Filters
• Display Filters

• Wireshark contains a powerful capture filter engine that removes unwanted packets from a packet trace and retains only the packets of interest.

• Display filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check for the existence of specified fields or protocols.

Capture Filters
Examples
• tcp port 80
Captures packets using the TCP protocol on port 80.
• ip src host 136.159.5.20
Captures packets whose source IP address equals 136.159.5.20.
• host 136.159.5.1
Captures packets whose source or destination IP address equals 136.159.5.1.
• src portrange 2000-2500
Captures packets with source UDP or TCP ports in the 2000-2500 range.
• src host 136.159.5.20 and not dst host 136.159.5.1
Captures packets whose source IP address equals 136.159.5.20 and, at the same time, whose destination IP address is not 136.159.5.1.

Display Filters
Examples
1. ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source or
dest]
2. ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the
two defined IP addresses]
3. http or dns [sets a filter to display all http and dns]
4. tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port]
5. tcp.flags.reset==1 [displays all TCP resets]
6. http.request [displays all HTTP GET requests]
7. tcp contains traffic [displays all TCP packets that contain the word ‘traffic’.
Excellent when searching on a specific string or user ID]
8. !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may
be background noise. Allowing you to focus on the traffic of interest]
9. udp contains 33:27:58 [sets a filter for the HEX values of 0x33 0x27 0x58 at any
offset]
10. tcp.analysis.retransmission [displays all retransmissions in the trace. Helps when
tracking down slow application performance and packet loss]
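To make the display-filter semantics concrete, here is an added example (not from the slides or from Wireshark itself) that evaluates the filters listed above against constructed packet dictionaries standing in for dissected frames. It covers only the syntax those examples use: ==, contains, &&/and, ||/or, !/not, parentheses, bare protocol or field names, and the ip.addr / tcp.port aliases.

```python
"""Evaluate a subset of Wireshark display-filter syntax against packet dicts.

Added example, not from the original slides or from Wireshark. Packets are constructed
dicts standing in for dissected frames; the syntax is what the slide's examples use:
==, contains, &&/and, ||/or, !/not, parentheses, bare names, ip.addr / tcp.port aliases.
"""
import re
TOKEN = re.compile(r"\(|\)|==|&&|\|\||!|[^\s()=&|!]+")
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
HEX_BYTES = re.compile(r"[0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*")   # the 33:27:58 form
SAMPLE_PACKETS = [  # constructed, not a real capture
    {"protocols": {"ip", "tcp", "http"}, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.2", "tcp.srcport": 51000,
     "tcp.dstport": 80, "tcp.flags.reset": 0, "http.request": True, "payload": b"GET /traffic HTTP/1.1"},
    {"protocols": {"ip", "udp", "dns"}, "ip.src": "10.0.0.2", "ip.dst": "10.0.0.53", "udp.srcport": 4000,
     "udp.dstport": 53, "payload": b"\x33\x27\x58"},
    {"protocols": {"ip", "tcp"}, "ip.src": "10.0.0.9", "ip.dst": "10.0.0.1", "tcp.srcport": 4000,
     "tcp.dstport": 22, "tcp.flags.reset": 1, "payload": b""},
]

def matches(pkt, name, op, value):     # op is None for a bare name ('dns', 'http.request')
    if op is None:
        return name in pkt.get("protocols", ()) or name in pkt
    if op == "contains":               # hex byte string or literal text in the payload
        needle = bytes.fromhex(value.replace(":", "")) if HEX_BYTES.fullmatch(value) else value.encode()
        return name in pkt.get("protocols", ()) and needle in pkt.get("payload", b"")
    return any(str(pkt[f]) == value for f in ALIASES.get(name, (name,)) if f in pkt)

def compile_filter(text):
    """Recursive descent over the token list; returns a predicate pkt -> bool."""
    toks = TOKEN.findall(text)
    def binary(operand, words, combine):   # operand (word operand)*, left-associative
        left = operand()
        while toks and toks[0] in words:
            toks.pop(0)
            left = combine(left, operand())
        return left
    def expr():
        return binary(and_expr, ("or", "||"), lambda l, r: lambda p: l(p) or r(p))
    def and_expr():
        return binary(not_expr, ("and", "&&"), lambda l, r: lambda p: l(p) and r(p))
    def not_expr():                    # '!' not_expr | '(' expr ')' | comparison
        tok = toks.pop(0)
        if tok in ("!", "not"):
            inner = not_expr()
            return lambda p: not inner(p)
        if tok == "(":
            inner = expr()
            toks.pop(0)                # consume the closing ')'
            return inner
        op = value = None
        if toks and toks[0] in ("==", "contains"):
            op, value = toks.pop(0), toks.pop(0)
        return lambda p, n=tok, o=op, v=value: matches(p, n, o, v)
    return expr()
```

For instance, compile_filter("udp contains 33:27:58") is true only for the second sample packet, while compile_filter("!(arp or icmp or dns)") keeps the other two.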

John the Ripper

• John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. (openfirewall.com)

John the Ripper

In order to run John the Ripper, we went to a site and downloaded the documents for Windows that gave instructions on how to run it. (This included the password file, and other documents about John.)
To run John, we did the following:
Start > Accessories > Windows Explorer > My Computer > John >
In the command prompt, we typed:
– cd c:\John\john171w\john1701\run
– dir
– john386pass
This invoked John.

Metasploit
• Metasploit is an automated exploitation
framework
– Open source, continuous development and
updates
– Tools for scanning, exploit development,
exploitation, and post-exploitation
– Extensible through plugins and modules

Metasploit Architecture (shown as a figure on the original slide)
Part I – System Penetration
• System Penetration?
The act of successfully breaching security on a remote computer system in order to gain some form of control or access.

■ So, what is the Metasploit Framework?
■ First we need to learn some basic concepts before understanding what the Metasploit Framework is and what it is capable of providing.

Many Attack Vectors!
One of the most dangerous and yet most effective attacks used by malicious users today is the software exploitation attack.

Software exploitation attacks can be used to gain access to unauthorized systems, leverage user account privileges, crash systems or install malicious software (such as spyware, viruses, Trojans, adware, etc.) without the awareness of the other party.

Understanding S.E. Attacks.
• First, let's understand the basics.
– According to Wikipedia:

"The word vulnerability, in computer security, refers to a weakness in a system allowing an attacker to violate the confidentiality, integrity, availability, access control, consistency or audit mechanisms of the system or the data and applications it hosts."

• To software developers, a bug is synonymous with a vulnerability.
– Ex: errors in a program's source code or flawed program design
• Buffer overflows
• Memory leaks
• Deadlocks
• Arithmetic overflow
• Accessing protected memory (access violation)

Understanding S.E. Attacks
• Regardless of which type of software bug we are speaking of, bugs are used as the foundation for forming an exploit.
– Therefore, an exploit is a security attack on a vulnerability.
• In other words (again), an exploit attacking a vulnerability generates an event from which the application/program/OS is not programmed/designed to recover successfully, and the result is a system that stops functioning correctly.

– Each exploit can be designed to meet the methodology of your attack.
• Ex: An attacker exploits an IDS to reboot or crash it before launching a further attack, in order to avoid detection.

Understanding Payloads
• However, exploits have more potential!
– They are commonly used to install system malware or gain system
• This is accomplished with the help of a payload

• The payload is a sequence of code that is executed when the vulnerability is triggered

• To make things clear, an exploit is really broken up into two parts, like so:

EXPLOIT = Vulnerability + Payload;

Understanding Payloads
• The payload is usually written in assembly language
• Platform and OS dependent.
– A Win32 payload will not work in Linux (even if we are exploiting the same bug)
• Big-endian and little-endian architectures

• Different payload types exist and they accomplish different tasks
– exec → Execute a command or program on the remote system
– download_exec → Download a file from a URL and execute it
– upload_exec → Upload a local file and execute it
– adduser → Add a user to the system accounts

Understanding Payloads
• However, the most common payload type used with exploits is shellcode, also known as shell payloads.
– These payloads are very useful because they provide the attacker with an interactive shell that can be used to completely control the system remotely
– The term is inherited from Unix → /bin/sh
– For Windows OSs, the shell actually refers to the command prompt → cmd.exe

• There are two different types of shell payloads:
– Bind shells → A socket is created, a port is bound to it and, when a connection is established to it, it spawns a shell.
– Reverse shells → Instead of creating a listening socket, a connection is created to a predefined IP and port and a shell is then shoveled to the attacker.
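From the defender's side, the two shell shapes above leave different socket footprints. The following added example (not from the slides or from Metasploit) classifies constructed netstat-style records: a shell interpreter in LISTEN is the bind-shell shape, while a shell interpreter holding an outbound ESTABLISHED connection from an ephemeral port is the reverse-shell shape. The interpreter list and the ephemeral-port cut-off are assumptions.

```python
"""Classify shell-interpreter sockets into the bind-shell or reverse-shell shape.

Added example, not from the original slides or from Metasploit. Records are
constructed netstat/ss-style tuples; on a real host you would collect them from
ss -tpn, netstat -ano or an EDR. Interpreter list and ephemeral cut-off are heuristics.
"""
from collections import namedtuple
from ipaddress import ip_address

Sock = namedtuple("Sock", "pid process state local_ip local_port remote_ip remote_port")
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe"}   # /bin/sh, cmd.exe and kin
EPHEMERAL_START = 49152                                         # IANA dynamic port range


def is_shell(process):
    """True for a shell interpreter, with or without a directory prefix."""
    return process.replace("\\", "/").rsplit("/", 1)[-1].lower() in SHELLS


def classify(sock):
    """'bind-shell', 'bind-shell-connected', 'reverse-shell' or None."""
    if not is_shell(sock.process):
        return None
    if sock.state == "LISTEN":
        return "bind-shell"                  # shell bound to a port, waiting for a connection
    if sock.state == "ESTABLISHED" and not ip_address(sock.remote_ip).is_loopback:
        if sock.local_port >= EPHEMERAL_START:
            return "reverse-shell"           # shell opened the connection outbound itself
        return "bind-shell-connected"        # remote side connected to the bound port
    return None


def find_shell_sockets(socks):
    """(pid, process, verdict) for every record matching one of the shapes."""
    found = []
    for sock in socks:
        verdict = classify(sock)
        if verdict:
            found.append((sock.pid, sock.process, verdict))
    return found


SAMPLE = [  # constructed records, not taken from a real host
    Sock(4242, "/bin/sh", "LISTEN", "0.0.0.0", 4444, "0.0.0.0", 0),
    Sock(4243, "/bin/sh", "ESTABLISHED", "10.0.0.5", 51234, "203.0.113.7", 443),
    Sock(1200, "nginx", "LISTEN", "0.0.0.0", 80, "0.0.0.0", 0),
    Sock(3100, "C:\\Windows\\System32\\cmd.exe", "ESTABLISHED", "10.0.0.6", 4444, "203.0.113.7", 50200),
    Sock(77, "bash", "ESTABLISHED", "127.0.0.1", 60000, "127.0.0.1", 22),
]
```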

Metasploit – Attack Vectors
• Many from which to choose:
– Operating systems
• Windows, Linux, Mac, Unix, Cisco, etc.
– Services
• Web, database, e-mail, FTP, etc.
• Extensible and configurable

Metasploit Framework

What is the Metasploit Framework?
– According to the Metasploit Team:

"The Metasploit Framework is a platform for writing, testing, and using exploit code. The primary users of the Framework are professionals performing penetration testing, shellcode development, and vulnerability research."

Metasploit - Payloads
• Can be used to generate shellcode
– Framework comes with many useful payloads
• Spawn shell
• Run command
• Add privileged user
– Configurable
– Extensible

Understanding MSF
• The MSF is not only an environment for exploit development but also a platform for launching exploits against real-world applications. It is packaged with real exploits that can cause real damage if not used professionally.

• Because MSF is an open-source tool and provides such a simplified method for launching dangerous attacks, it has attracted, and still attracts, wannabe hackers.

Msfconsole
• The most feature-rich interface for Metasploit is msfconsole
– Like a shell, just for Metasploit
• In addition to special Metasploit commands, it also accepts bash commands
– ping, ls, curl, etc.

Common Commands
• connect
– like netcat, connects to host on specified port
• search
– search module database, by name, platform,
app, cve, and more
• sessions
– List or manipulate your open sessions (shells,
VNC, etc)
• show
– Show anything: show modules, exploits,
payloads, options (for selected module)
Basic Usage
• Using a module:
– (Optional) If your module is not loaded, load it
with loadpath
– (Optional) If you don’t know the name, search
for it with search
– Select your module with use
– Fill parameters using set (show parameters with
show options)
– Run with exploit
– Reload and run with rexploit

• The Meterpreter is an advanced multi-function payload that can be used to extend our capabilities dynamically at run time when we are inside a remote system and do not have our tools there.

• It provides an interactive shell that allows you to use extensible features at run time, and thus increases your chances of a successful penetration test.

SDP Ethical Hacking
Suvarna Chaure
Thank You!
(suvarnacl@sies.edu.in)
