Kyrion Ethical Hacking Workshop Handouts

Uploaded by mehul-jogani, 09-Nov-2014

Page 1: Kyrion Ethical Hacking Workshop Handouts

Training Material for Workshop on Ethical Hacking & Information Security

Kyrion Technologies Pvt. Ltd.
Corporate Office: B-92, G.T Karnal Road, Industrial Area, Delhi-110033 (India)
E-mail: [email protected]  Website: www.kyrion.in  Tel.: +91-11-4708-5343

Ethical Hacking & Information Security is the need of the hour. To equip the technical support of our nation, Kyrion Technologies Pvt. Ltd. is all geared up to provide the best of knowledge and services.
Page 2: Kyrion Ethical Hacking Workshop Handouts

Kyrion Digital Securities

Ethical Hacking & Information Security Page 2

Table of Contents

S. No. Topic Page No.

1 About Us 3

2 EHIS Course Module 5

3 Concept of Hacking 8

4 Email Hacking 15

5 System Hacking 19

6 Trojans 23

7 Attacks on Network 26

8 Web Server as a Target 29

9 Wireless Hacking 35

10 Tool Kit Description 39

Training Programs Available with Kyrion

• EHIS Free Seminar – 4 hours (For Schools & Colleges)

• EHIS Workshop – 12 hours (For Schools & Colleges)

• EHIS Lab Workshop – 18 hours (For Schools & Colleges)

• EHIS Short Term Certification – 25 hours (For Institutes)

• EHIS Long Term Certification – 120 hours (For Institutes)

• Kyrion Digital Security Expert – 54 hours (Summer Training)

• Kyrion Cyber Security Expert – 250 hours

• Network Security – 75 hours

• Security Tool Development – 75 hours

Join us at:

Yahoo Group: [email protected]

Orkut Community: Kyrion Digital Securities


About Us


Kyrion Technologies Pvt. Ltd., an IIT Delhi Alumni Venture, aims to lay a strong underpinning for the technical development of our country by developing an active interest among youth in new technologies such as Ethical Hacking & Information Security. Computers and the Internet are the backbone of every institution, which makes it necessary to take measures to keep data and networks safe from unauthorized access. For this, most companies turn to Ethical Hacking, which makes them aware of the shortcomings in their security systems and helps them overcome those shortcomings as effectively as possible.

With the ever-increasing demand for professionals in the field of Ethical Hacking & Information Security, Kyrion Technologies Pvt. Ltd. is all geared up to lay the foundation of a new venture, Kyrion Digital Securities. According to a recent study conducted by NASSCOM, the expected demand for Ethical Hacking professionals by the year 2012 would be around 1,88,000, as opposed to a current availability of only about 22,000 professionals. This in itself is a great motivation for students to take up this potential career option; those who give it their full effort can expect a rewarding career.

Kyrion Digital Securities at Kyrion Technologies Pvt. Ltd. has been founded by a group of IT Security Experts and Professors of top engineering colleges such as the IITs and NITs. It has laid a foundation in the field of Ethical Hacking & Information Security. Kyrion Digital Securities has conceptualized various workshops, products and resources to cater to the needs of different sections of the student community, eventually reaching out to more than 4,000 students and tutors in different cities across the country.

Key Points of Kyrion Digital Securities:

• An IIT Delhi Alumni Venture

• Helps the government conduct Education and Awareness Programs on Ethical Hacking & Information Security (ISEA Project).

• We provide services to software giants such as Microsoft.

• We have rich experience of working on cyber cases and of giving workshops to the Delhi & Uttar Pradesh Police.

• The Ministry of Home Affairs (Forensic Lab, Hyderabad) supports our Head Trainer.

• We have developed our own software: spyware, bombers, remote administration tools (Trojans), etc.

• We provide students with knowledge in the field of Ethical Hacking & Information Security by giving live hacking and gateway demonstrations. This enables them to secure themselves from such attacks.


Client List of Kyrion Digital Securities:

• Indian Institute of Science, Bangalore

• Indian Institute of Technology, Kharagpur

• Indian Institute of Technology, Roorkee

• Indian Institute of Technology, Guwahati

• Indian Institute of Technology, Delhi

• National Institute of Technology, Jalandhar

• National Institute of Technology, Warangal

• National Institute of Technology, Suratkal

• Vellore Institute of Technology, Vellore

• SRM University, Chennai

• Pune Institute of Computer Technology, Pune

• Banasthali University, Rajasthan

• Ramrao Adik Institute of Technology, Mumbai

• North Eastern Institute of Science & Technology, Itanagar

• Keshav Mahavidyalaya, Delhi

• Assam Engineering College, Guwahati

• Jaipur Engineering College, Kukas

• Haryana College of Technology and Management, Kaithal

• GLA Group of Institution, Mathura

• Uttaranchal Institute of Technology, Dehradun

Classroom Training Centers (in Delhi and NCR):

• South Ex

• Pitampura

• Janakpuri

• Preet Vihar

• Gurgaon

• Faridabad

• Ghaziabad


EHIS Course Module


Concept of Hacking

• Reading the Hacker's mind and understanding the hacking psychology and methodology
  o Get to know how a Hacker thinks and prepares for his attack
  o Types of Hackers and their mentality
  o Steps performed by a Hacker to attack the target
  o How an attacker uses freely available resources in his attack
  o Hiding your identity while performing the attack
  o Proxy Servers

Email Hacking

• Email Forgery
  o How an Email travels from the sender to the receiver
  o Sending fake Emails; how terrorists send threatening Emails

• Email Password Hacking
  o Cracking Email ID passwords using fake websites

• Email Analysis
  o Tracing the Email path and locating the original sender of the Email
  o IP Tracing

System Hacking

• Targeting a Windows System
  o Cracking the Windows password using the brute-force technique
  o How to bypass the login screen and log in directly as the Administrator of the computer
  o Granting unlimited access to a limited user
  o How to use a keylogger to capture passwords typed on a computer
  o Hiding secret messages behind images

• Protecting your System Resources
  o Configuring strong passwords
  o Changing the boot sequence
  o Applying file and folder security
  o Hiding files; encrypting data on the hard disk with a password
  o Detecting a keylogger on a local computer

Trojans

• How a Trojan works

• Building a Trojan server and binding it with any other file so that it stays hidden

• Controlling the remote computer from your computer

• Detecting a Trojan on a local computer and removing it manually

Attacks on Network

• Performing LAN-based attacks
  o Enumerating the network details
  o Sniffing the network data
  o Poisoning the network details and capturing the passwords
  o Performing the DNS spoofing attack

• Countering the network attacks
  o Tracing the attacker on the Local Area Network and shutting down the network attacks

Web Server as a Target

• Web Application Attacks: Live Demonstrations
  o Working of a web server
  o Apache vs IIS
  o Working of a database server
  o CRUD operations
  o Login operation
  o Input validation attacks
  o Placing backdoors in a website
  o Google Hacking
  o Website enumeration

• Putting the brakes on Web Application attacks
  o Proper input validation
  o Directory access controls
  o Denying Google access to your website

Wireless Hacking

• Cracking the Wireless Network Password
  o Checking the wireless network details and cracking the WEP key encryption on the wireless network

• Wireless Security
  o How can you make your wireless network secure and very hard to crack?


Concept of Hacking


Hacking

• A hacker is a computer person who is very curious and wants to learn as much as possible about computer systems.

• Originally, hacking meant developing and improving software to increase the performance of computing systems.

• Hacking has many meanings depending on a person's knowledge and intentions. Hacking is an art as well as a skill: it is the knowledge by which one achieves a goal, by whatever means, using one's skills and abilities.

Ethical Hacking

• Ethical Hacking is testing resources for a good cause and for the betterment of technology.

• Technically, Ethical Hacking means penetration testing, which is focused on securing and protecting IT systems.

Types of Hackers

• White Hat Hacker

• Black Hat Hacker

• Grey Hat Hacker

White Hat Hacker

• A White Hat Hacker is a computer person who performs Ethical Hacking. These are usually security professionals with knowledge of hacking and the hacker toolset, who use this knowledge to locate security weaknesses and implement countermeasures in the resources.

• They are also known as Ethical Hackers or Penetration Testers. They focus on securing and protecting IT systems.


Black Hat Hacker

• A Black Hat Hacker is a computer person who performs unethical hacking. These are the criminal hackers or crackers who use their skills and knowledge for illegal or malicious purposes. They break into or otherwise violate the system integrity of remote machines, with malicious intent.

• They are also known as Unethical Hackers or Security Crackers. They focus on security cracking and data stealing.

Grey Hat Hacker

• A Grey Hat Hacker is a computer person who sometimes acts legally, sometimes in good will, and sometimes not. They usually do not hack for personal gain or with malicious intentions, but may occasionally commit crimes during the course of their technological exploits.

• They are a hybrid between White Hat and Black Hat Hackers.

Classification of Hackers

• Coders

• Admin

• Script Kiddies

Coders

• Coders are programmers who have the ability to find unique vulnerabilities in existing software and to create working exploit code.

• These are individuals with a deep understanding of the OSI layer model and TCP/IP stacks.

Admin

• Admins are computer people who have experience with several operating systems and know how to exploit several existing vulnerabilities.

• A majority of security consultants fall in this group and work as part of a security team.

Script Kiddies

• Script Kiddies are the "bunnies" who use scripts and programs developed by others to attack computer systems and networks.

• They get the least respect but are the most annoying and dangerous, and can cause big problems without actually knowing what they are doing.



Steps Performed by a Hacker

1. Performing reconnaissance
2. Scanning and enumeration
3. Gaining access
4. Maintaining access and placing backdoors
5. Covering tracks or clearing logs

Phase I: Reconnaissance

• Reconnaissance can be described as the pre-attack phase and is a systematic attempt to locate, gather, identify, and record information about the target. The hacker seeks to find out as much information as possible about the target.

Phase II: Scanning and Enumeration

• Scanning and enumeration is considered the second pre-attack phase. This phase involves taking the information discovered during reconnaissance and using it to examine the network.

• Scanning involves steps such as port scanning to determine open ports and the services listening on them. In this stage the attacker can use automated vulnerability scanners to discover system vulnerabilities.

Phase III: Gaining Access

• This is the phase where the real hacking takes place. Vulnerabilities discovered during the reconnaissance and scanning phases are now exploited to gain access. The method of connection the hacker uses for an exploit can be a local area network, local access to a PC, the Internet, or offline. Gaining access is known in the hacker world as "owning" the system.

• During a real security breach it would be this stage where the hacker can utilize simple techniques to cause irreparable damage to the target system.

Phase IV: Maintaining Access and Placing Backdoors

• Once a hacker has gained access, they want to keep that access for future exploitation and attacks. Sometimes, hackers harden the system from other hackers or security personnel by securing their exclusive access with backdoors, rootkits, and Trojans.

• The attacker can use automated scripts and automated tools for hiding attack evidence and also to create backdoors for further attack.

Phase V: Clearing Tracks

• In this phase, once hackers have been able to gain and maintain access, they cover their tracks to avoid detection by security personnel, to continue to use the owned system, to remove evidence of hacking, or to avoid legal action.

• At present, many successful security breaches are made but never detected. This includes cases where firewalls and vigilant log checking were in place.

Proxy Servers

• A proxy server is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service.

• Hackers generally route their traffic through a proxy server on the Internet so that the target sees the proxy's IP address instead of their own, which hides their identity from the target (but not from the proxy operator).


Web Proxies

• A proxy site is a web page that fetches other web sites on your behalf, so that you can browse a site even though direct access to it is blocked by a content filter.

• If you find that you are blocked from a website, a web proxy site is one way to get around the block.

How Proxy Sites Work

Proxy sites do not bypass your own Internet provider: your request still travels through the provider to the proxy, and the provider can see that you talked to the proxy. What changes is that the destination web site only sees the proxy's IP address. All you have to do is type the address you would like to visit into the form the proxy provides and start browsing. As long as you keep browsing through that form, your real IP address is not logged by the destination site; the proxy itself, however, sees and can log (or alter) everything you send, so use only one you trust. Such sites also come and go quickly. Given below is a list of web proxies:

• http://cellphonemp3s.info

• http://thenbanews.info

• http://slumdogproxy.info

• http://it-digits.com

• http://insurance77.info

• http://rinsemyproxy.co.uk

• http://darkcorn.info

• http://eyeground.info

• http://towsh.info

• http://www.getaniphone.info

• http://proxylight.co.cc

• http://iwati.com

• http://carrotproxy.co.cc

• http://www.oxytopia.info

• http://s360.info

• http://www.surfnsafari.info

• http://stableunblocker.co.cc

• http://www.jot28.info

• http://smartfriend.co.cc

• http://eowsh.info

• http://baywatchnights.info

• http://unblockwebsense.net

• http://socialproxy.co.cc

• http://www.evilproxy.co.uk

• http://springsurf.info

Anonymous Proxies

• An anonymous proxy is a piece of software designed to protect the privacy and anonymity of web browsers from web site operators, Internet snoops, and even unfriendly governments.


• The anonymous proxy software resides on a proxy server. The web browser connects to the proxy server and the proxy server connects to the web server.

• The web server does not know who you are, it only knows who the proxy server is. The proxy server does know who you are -- so you had better choose a proxy server that you trust.

In addition to hiding your IP address, an anonymous proxy server will typically remove traffic such as:

• Cookies

• Pop-ups

• Banners

• Scripts

• Referrer information

Some of the Anonymous Proxy Servers are:

• Ultrasurf

• Freegate
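The other side of the proxy story, as an added example that is not part of the Kyrion handout: what the target web server can tell from the request headers. A proxy that announces itself (Via) and passes on the client address (X-Forwarded-For, Forwarded) is "transparent"; one that announces itself but hides the client is "anonymous"; one that strips everything looks like a direct connection. The request headers, IP addresses and proxy host names below are constructed for the demonstration.

```python
# Added example (not from the Kyrion handout): server-side check of whether a
# request came through a proxy and what the proxy disclosed about the client.
# The sample headers and addresses below are constructed (RFC 5737 ranges).

from typing import Dict, List, Tuple

# Header names forwarding proxies are known to add. The names are real; which
# ones a particular proxy sets is that proxy's choice.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded", "x-real-ip",
                 "x-proxy-id", "proxy-connection")


def forwarded_chain(headers: Dict[str, str]) -> List[str]:
    """Return the client/proxy address chain claimed by X-Forwarded-For and
    Forwarded. These values are written by the proxy (or by the attacker), so
    they are evidence, not proof, unless the proxy is one you operate."""
    h = {k.lower(): v for k, v in headers.items()}
    chain: List[str] = []
    if "x-forwarded-for" in h:
        chain += [p.strip() for p in h["x-forwarded-for"].split(",") if p.strip()]
    if "forwarded" in h:  # RFC 7239 form: Forwarded: for=198.51.100.2;proto=https
        for elem in h["forwarded"].split(","):
            for pair in elem.split(";"):
                k, _, v = pair.strip().partition("=")
                if k.lower() == "for":
                    chain.append(v.strip().strip('"').strip("[]"))
    return chain


def classify_proxy(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Classify the connection by what the proxy disclosed:
       'direct'      no proxy headers at all (or an elite proxy that strips them)
       'transparent' proxy announced itself AND leaked the real client address
       'anonymous'   proxy announced itself (Via etc.) but hid the client address
    """
    h = {k.lower(): v for k, v in headers.items()}
    present = [name for name in PROXY_HEADERS if name in h]
    chain = forwarded_chain(headers)
    if not present:
        return "direct", []
    if chain:
        return "transparent", chain
    return "anonymous", []


# Constructed request headers for three kinds of client.
SAMPLES = {
    "squid": {"Host": "target.example",
              "Via": "1.1 proxy.isp.example (squid/4.13)",
              "X-Forwarded-For": "203.0.113.7"},
    "anon": {"Host": "target.example", "Via": "1.1 cgi-proxy"},
    "plain": {"Host": "target.example", "User-Agent": "Mozilla/5.0"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, classify_proxy(hdrs))
```

The limitation is the point of the exercise: an "elite" proxy that strips these headers is indistinguishable from a direct client at this layer, which is exactly what an attacker chooses, so the server-side record that remains is the proxy's own IP address and the proxy operator's logs.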


Email Hacking


Electronic mail, often abbreviated as e-mail or email, is any method of creating, transmitting, or storing primarily text-based human communications with digital communication systems.

Email Travel Path

Fake Email

A fake Email is an Email that appears to come from an Email ID but was not sent by the owner of that Email ID. There are many ways to send fake Emails, even without knowing the password of the Email ID: SMTP itself does not verify the From: address, so unless the receiving server checks sender authentication records (SPF, DKIM, DMARC), anybody's Email ID can be used to send a threatening Email to any official.

Different methods to send Fake Emails

• Open Relay Server

• Web Scripts


Sending Fake Email using an Open Relay Server

• An open mail relay is an SMTP (Simple Mail Transfer Protocol) server configured in such a way that it allows anyone on the Internet to send Email through it, not just mail destined to or originating from its own users.

• An attacker can connect to the open relay server with Telnet (TCP port 25) and type the SMTP commands (HELO, MAIL FROM, RCPT TO, DATA) to instruct the server to send the Email.

• It requires no password to send the Email. Because the From: header and the MAIL FROM envelope address are both supplied by the sender, the relay forwards a message that claims to come from anybody.

Sending Fake Email via Web Scripts

• Web languages such as PHP and ASP contain mail-sending functions that can be used to send Emails with forged headers, i.e. From:, To:, Subject:.

• There are many websites on the Internet that already host such mail-sending scripts, and most of them provide the service for free. Some of them are:

• Fakemailer.net

• Fakemailer.info

• Deadfake.com

• ...and many more.
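The open-relay exchange described above, as an added example that is not part of the Kyrion handout: both SMTP servers are simulated in memory (one misconfigured as an open relay, one that only accepts mail for its own domain), so nothing connects to the Internet, and all host names and addresses are made up. The transcript that relay_probe returns is the same dialogue one would type into telnet on port 25, and the same probe is what a mail administrator runs to confirm that their own server does not relay.

```python
# Added example (not from the Kyrion handout): the SMTP dialogue used to push a
# forged-sender message through an open relay, against a simulated open relay
# and a simulated correctly configured server. Hosts/addresses are constructed.

from typing import List, Optional, Tuple


class FakeSmtpServer:
    """Minimal SMTP responder. `local_domains` are the domains it accepts mail
    for; open_relay=True is the misconfiguration (any recipient accepted)."""

    def __init__(self, name: str, local_domains: Tuple[str, ...], open_relay: bool):
        self.name, self.local_domains, self.open_relay = name, local_domains, open_relay
        self.mail_from: Optional[str] = None
        self.in_data = False
        self.rcpts: List[str] = []
        self.body: List[str] = []
        self.accepted: List[Tuple[str, str, str]] = []  # (envelope from, rcpt, body)

    def greet(self) -> str:
        return f"220 {self.name} ESMTP"

    def handle(self, line: str) -> str:
        if self.in_data:                      # message body until a lone "."
            if line == ".":
                self.in_data = False
                for r in self.rcpts:
                    self.accepted.append((self.mail_from or "", r, "\n".join(self.body)))
                self.rcpts, self.body = [], []
                return "250 OK: queued"
            self.body.append(line)
            return ""                         # body lines get no reply
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.name}"
        if verb == "MAIL":                    # MAIL FROM:<addr>; no authentication at all
            self.mail_from = arg.split(":", 1)[1].strip("<> ")
            return "250 OK"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            domain = rcpt.rpartition("@")[2].lower()
            if self.open_relay or domain in self.local_domains:
                self.rcpts.append(rcpt)
                return "250 OK"
            return "554 5.7.1 Relay access denied"   # what a correctly configured server says
        if verb == "DATA":
            if not self.rcpts:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"


def relay_probe(server: FakeSmtpServer, mail_from: str, rcpt_to: str) -> Tuple[bool, List[str]]:
    """Drive the forged-sender dialogue; return (relayed?, telnet-style transcript)."""
    transcript = ["S: " + server.greet()]

    def send(cmd: str) -> str:
        transcript.append("C: " + cmd)
        reply = server.handle(cmd)
        if reply:
            transcript.append("S: " + reply)
        return reply

    send("HELO attacker.example")
    send(f"MAIL FROM:<{mail_from}>")          # forged envelope sender
    if not send(f"RCPT TO:<{rcpt_to}>").startswith("250"):
        send("QUIT")
        return False, transcript
    send("DATA")
    for body_line in (f"From: {mail_from}", f"To: {rcpt_to}", "Subject: Urgent",
                      "", "This message did not come from the address above.", "."):
        send(body_line)
    send("QUIT")
    return True, transcript


if __name__ == "__main__":
    open_relay = FakeSmtpServer("relay.isp.example", ("isp.example",), open_relay=True)
    ok, lines = relay_probe(open_relay, "official@gov.example", "clerk@victim.example")
    print("\n".join(lines), "\nrelayed:", ok)
```

The decisive line is the reply to RCPT TO for a recipient outside the server's own domains: "250 OK" means the server will carry anybody's forged mail to anybody, "554 Relay access denied" means it will only deliver to its own users (or require authentication first).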

Email Password Hacking

• There is no single attack that directly hacks the password of an Email account, and it is not so easy to compromise an Email server like Yahoo or Gmail.

• Email password hacking is accomplished via client-side attacks: we try to compromise the user and get the password of the Email account before it reaches the Email server.

• We will cover many attacks as the workshop flows; for now we will talk about the very famous 'Phishing attack'.

Phishing

• The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.

• The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user's information.

Email Tracing

• Tracing an Email means locating the original sender, i.e. finding the IP address of the network from which the Email was actually generated.

• Locating the original sender is not always possible, but we try our best. To get information about the sender we first need to know the structure of the Email.

• Each message has exactly one header block, which is structured into fields. Each field has a name and a value. The header contains all the valuable information about the path and the original sender of the Email.

Header Fields

• From: the Email address the message claims to come from (supplied by the sender, so it can be forged).

• To: Email address of the destination.

• Subject: subject of the Email.

• Date: the local time on the sending machine when the message was composed (also sender-supplied).

• Bcc: Blind Carbon Copy.

• Cc: Carbon Copy.

• Content-Type: information about how the message has to be displayed, usually a MIME type.

• In-Reply-To: Message-ID of the message that this one is a reply to.

• Received: tracking information added by each mail server that has handled the message. Every server prepends its own Received: line, so the top line is the last hop and the bottom line is the first.

• References: Message-IDs of the earlier messages in the thread.

• Reply-To: address that should be used to reply to the sender. If it differs from From:, replies go somewhere else, a common sign of forgery.

The IP address of the sender is taken from the Received: headers, not from From: or Reply-To:. Read them from the top (your own mail server) downwards: the lines added by servers you trust are reliable, and the lowest trusted line records the IP address that handed the message in. Lines below that point were added by other people's servers or may have been inserted by the sender, so the "original" IP they show is only a claim. Some webmail services also deliberately omit the user's IP address from the headers.
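The header walk described above, as an added example that is not part of the Kyrion handout. The raw message is constructed (RFC 5737 test addresses, made-up host names) and carries three Received: lines: the bottom one was written by the attacker's ISP relay, the upper two by the victim's own servers. The code separates what the victim's servers actually observed from what the lower lines merely claim, and flags the From:/Reply-To: domain mismatch.

```python
# Added example (not from the Kyrion handout): recover the delivery path from
# the Received: headers and separate reliable hops from claimed ones.
# RAW_MESSAGE is constructed for the demonstration.

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Optional

RAW_MESSAGE = """\
Received: from mx.victim.example (mx.victim.example [198.51.100.10])
\tby inbox.victim.example with ESMTP id 7bc1; Mon, 3 Nov 2014 10:02:11 +0530
Received: from relay.isp.example (relay.isp.example [203.0.113.25])
\tby mx.victim.example with ESMTP id 42ab; Mon, 3 Nov 2014 10:02:09 +0530
Received: from attacker-pc (unknown [192.0.2.77])
\tby relay.isp.example with SMTP id 99zz; Mon, 3 Nov 2014 10:02:05 +0530
From: "Ministry Official" <official@gov.example>
Reply-To: attacker@mailbox.example
To: clerk@victim.example
Subject: Urgent
Message-ID: <abc123@relay.isp.example>
Date: Mon, 3 Nov 2014 10:02:00 +0530

Please read the attached notice.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")            # address as servers write it
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def received_hops(msg: Message) -> List[Dict[str, Optional[str]]]:
    """One dict per Received: line, reversed so index 0 is the hop nearest the origin."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(raw.split())                 # unfold continuation lines
        m = HOP_RE.search(value)
        ip = IP_RE.search(value)
        hops.append({"from": m.group(1) if m else None,
                     "by": m.group(2) if m else None,
                     "ip": ip.group(1) if ip else None})
    hops.reverse()
    return hops


def reply_to_mismatch(msg: Message) -> bool:
    """Reply-To in a different domain than From: is a common forgery sign."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if not reply_addr:
        return False
    return from_addr.rpartition("@")[2].lower() != reply_addr.rpartition("@")[2].lower()


def trace(raw_message: str, trusted_servers: List[str]) -> Dict[str, object]:
    """Walk from our own servers toward the sender. The IP recorded by the last
    trusted server is what really connected to us; everything below that is a
    claim that the sender (or an untrusted relay) could have fabricated."""
    msg = message_from_string(raw_message)
    hops = received_hops(msg)
    reliable: Optional[str] = None
    for hop in reversed(hops):                        # top of header block first
        if hop["by"] in trusted_servers:
            reliable = hop["ip"]
        else:
            break
    return {"claimed_origin": hops[0]["ip"] if hops else None,
            "last_reliable_ip": reliable,
            "hop_count": len(hops),
            "reply_to_mismatch": reply_to_mismatch(msg)}


if __name__ == "__main__":
    print(trace(RAW_MESSAGE, ["mx.victim.example", "inbox.victim.example"]))
```

With the victim's two servers trusted, the reliable address is 203.0.113.25 (the ISP relay that connected to mx.victim.example); 192.0.2.77 is what that relay claims, and only the relay operator's logs can confirm it.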


System Hacking


Windows User Account Password Security Architecture

• Windows user login passwords are not stored in clear text; they are stored as one-way hashes (the LM hash and/or the NT hash). These hashes are saved in the SAM file. SAM stands for Security Account Manager.

• The SAM file can be found at C:\Windows\System32\Config\SAM

• When a user is created, the username and the hash of the password are stored in the SAM file.

• When a user logs on to the system and enters the password, a hash is generated and compared to the stored hash. If the entered and stored hashes match, the user is authenticated. (Over the network the hash itself is never sent; the LM/NTLM challenge/response protocol is used to prove knowledge of it.)

• Passwords may be cracked manually or with automated tools using brute force, dictionary attacks or rainbow tables. The NT hash is unsalted, which is why precomputed rainbow tables work against it.

• Once Windows starts it uses the information in the SAM file, so the file becomes inaccessible to normal file operations: it cannot be opened, copied, moved, renamed or deleted while the system is running. (An administrator can still export it with tools running as SYSTEM, e.g. reg save HKLM\SAM, or read it from a Volume Shadow Copy.)

Cracking Windows User Login Passwords

Live Boot Disk Attack

• Software: Active Password Recovery can be used to create live boot disks for the Windows operating system.

• A live boot disk starts the computer from CD/USB instead of from the installed Windows, so the SAM file is no longer locked and can be accessed.

• The attacker can remove the passwords from the user accounts or set new passwords on the accounts. (This does not reveal the old password, and on a disk protected with full-disk encryption such as BitLocker the SAM file is not reachable without the recovery key.)

Brute Force Attack

• Brute-force password guessing is just what it sounds like: trying candidate passwords one after another and hoping that one works. It is exhaustive rather than random: every combination of the chosen character set and length is tried. Some logic can be applied by first trying passwords related to the person's name, job title, hobbies or other similar items (a dictionary attack).

• Working offline, the tool hashes each candidate and compares the result with the hash extracted from the SAM file; no logon attempts are made, so account lockout does not help.

• There are tools available to perform the brute-force attack on the Windows SAM file. One of the most famous of them is Cain & Abel.

Net User: Command Prompt

• The Windows command-prompt utility net user can also be used to manipulate the user accounts in Windows (an administrator prompt is needed for anything other than listing). The commands are as follows:

• To list the user accounts: net user

• To add a new user account: net user Username Password /add

• To delete a user account: net user Username /delete

• To change the password of a user account: net user Username * (prompts for the new password)

Sticky Keys Backdoor

• The Sticky Keys helper application can be turned into a backdoor in the Windows operating system.

• The command prompt file 'CMD.EXE' is copied over 'SETHC.EXE' in the C:\Windows\System32 folder. This needs administrator rights (the file is owned by TrustedInstaller, so ownership has to be taken first) or offline access to the disk from a live boot disk.

• After this, pressing the Shift key 5 times on the user login screen opens a command prompt running as SYSTEM, before anyone has logged in. Net User can then be used to modify user accounts.

• The same trick works with the other accessibility helpers reachable from the login screen (utilman.exe, osk.exe and others), and a registry variant sets cmd.exe as the "Debugger" for sethc.exe under Image File Execution Options without touching the file at all. Current endpoint protection commonly flags both.
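A check for this backdoor, as an added example that is not part of the Kyrion handout: hash the accessibility helpers that Windows launches from the logon screen and flag any that is byte-identical to a shell binary in the same directory. It takes the directory as a parameter so it can be run against a mounted offline image; the set of helper names goes beyond sethc.exe because the same replacement works for the other logon-screen helpers. The directory built by build_demo_dir contains constructed placeholder files, not real Windows binaries.

```python
# Added example (not from the Kyrion handout): detect accessibility helpers
# in a System32 directory that have been replaced with a shell.

import hashlib
import os
import tempfile
from typing import Dict

# Helpers Windows can launch from the logon screen without anyone signed in.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe")
SHELLS = ("cmd.exe", "powershell.exe")


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def find_replaced_helpers(system32: str) -> Dict[str, str]:
    """Return {helper_name: shell_name} for every accessibility helper whose
    contents equal a shell binary in the same directory. Missing files are
    skipped, since not every Windows build ships every helper."""
    shell_hashes: Dict[str, str] = {}
    for shell in SHELLS:
        p = os.path.join(system32, shell)
        if os.path.isfile(p):
            shell_hashes[sha256_of(p)] = shell
    replaced: Dict[str, str] = {}
    for helper in ACCESSIBILITY_BINARIES:
        p = os.path.join(system32, helper)
        if os.path.isfile(p):
            digest = sha256_of(p)
            if digest in shell_hashes:
                replaced[helper] = shell_hashes[digest]
    return replaced


def build_demo_dir() -> str:
    """Constructed stand-in for System32 in which cmd.exe was copied over sethc.exe."""
    d = tempfile.mkdtemp(prefix="sys32demo_")
    files = {"cmd.exe": b"MZ cmd (constructed)",
             "sethc.exe": b"MZ cmd (constructed)",       # the backdoor
             "utilman.exe": b"MZ utilman (constructed)",
             "osk.exe": b"MZ osk (constructed)"}
    for name, content in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    print("demo dir:", find_replaced_helpers(build_demo_dir()))
    # On a real system: find_replaced_helpers(r"C:\Windows\System32")
```

This catches the file replacement only. The registry variant (a Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe) leaves the file intact, so an audit also has to look for Debugger values on these helper names, and a stronger version of the file check compares each helper against the Microsoft signature rather than against cmd.exe.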

Privilege Escalation

• Once the Administrator account is cracked, one can log in with the Administrator account and promote any user account to give it Administrator privileges.

• An attacker can also boot the computer from a live CD and edit the SAM file offline to promote any limited user account to Administrator.

Countermeasures for the Windows User Login Password Attack

Configuring a Strong Login Password

• A strong password is less susceptible to attack by a hacker. The following rules should be applied when you’re creating a password, to protect it against attacks:

• Must not contain any part of the user’s account name

• Must have a minimum of eight characters


Must contain characters from at least three of the following categories:

• Non alphanumeric symbols ($,:”%@!#)

• Numbers

• Uppercase letters

• Lowercase letters

Change the Boot Sequence

• Change the boot sequence in the BIOS/UEFI setup so that the computer does not boot from CD or USB first; the hard disk should be the first boot device, and the setup utility itself should be protected with a password so that the order cannot simply be changed back.

• This raises the bar against the live boot disk attack, but an attacker with physical access can still reset the firmware settings or remove the disk. Full-disk encryption (e.g. BitLocker) is what actually protects the SAM file and the data when the machine is booted from other media.

Keyloggers

• Keystroke loggers (or Keyloggers) intercept the Target’s Keystrokes and either saves them in a file to be read later, or transmit them to a predetermined destination accessible to the Hacker.

• Since Keylogging programs record every Keystroke typed in via the Keyboard, they can capture a wide variety of Confidential Information, including Passwords, Credit Card Numbers, Private Email correspondence, Names, Addresses, and Phone Numbers.

• Once installed on the target machine, either Directly by the User, or through Stealthier means, the Keylogger program runs continually in the Background. After the Keystrokes are logged, they can be hidden in the machine for later retrieval or transmitted to the Attacker via the Internet.

Steganography

• Steganography is the technique of hiding a message inside an innocent-looking carrier such as an image, so that an observer does not even know that a message exists (unlike encryption, which hides only the content).

• It is often cited as a way to pass secret messages: text is hidden behind an image and the message is conveyed by sending the image over the Internet.

• Windows internal commands as well as the steganography tool 'ImageHide' can be used to perform this technique. The command below does not alter the picture at all; it simply appends the text after the end of the JPEG data, where image viewers ignore it. That is not true steganography, since anyone who looks past the image data finds the text, but it demonstrates the idea.

• Let us say the image file is 'Pic.jpg' and the text file is 'Message.txt'. The command to hide the message would be: copy /b Pic.jpg+Message.txt Final.jpg

• To view the hidden message: right-click Final.jpg > Open with > Notepad > go to the end of the file.
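The copy /b trick in code, as an added example that is not part of the Kyrion handout, together with the check an examiner uses to catch it: a JPEG decoder stops at the End-Of-Image marker FF D9, so anything after it is invisible in a viewer but trivial to find. The image bytes are a constructed minimal JPEG skeleton (SOI, a JFIF APP0 segment, EOI), not a real photograph.

```python
# Added example (not from the Kyrion handout): append a message after a JPEG's
# EOI marker (what `copy /b Pic.jpg+Message.txt Final.jpg` does), detect it,
# and strip it. DEMO_JPEG is a constructed minimal JPEG skeleton.

from typing import Optional

SOI = b"\xff\xd8"   # JPEG Start-Of-Image marker
EOI = b"\xff\xd9"   # JPEG End-Of-Image marker; decoders stop here

# Constructed: SOI + a 16-byte JFIF APP0 segment + EOI. Enough to exercise the marker logic.
DEMO_JPEG = SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + EOI


def append_message(image: bytes, message: bytes) -> bytes:
    """Equivalent of `copy /b Pic.jpg+Message.txt Final.jpg`: the picture is
    untouched, the message simply rides along after the image data."""
    if not image.startswith(SOI):
        raise ValueError("not a JPEG")
    return image + message


def _eoi_index(image: bytes) -> int:
    # The last FF D9 is used so embedded EXIF thumbnails (which carry their own
    # EOI) are not mistaken for the end. A binary payload that itself contains
    # FF D9 would defeat this shortcut; text messages do not.
    return image.rfind(EOI)


def trailing_data(image: bytes) -> Optional[bytes]:
    """Detection: return whatever follows the EOI marker, None if the file ends cleanly."""
    idx = _eoi_index(image)
    if idx == -1:
        return None                   # truncated or not a JPEG; outside this check's scope
    extra = image[idx + 2:]
    return extra if extra else None


def clean_image(image: bytes) -> bytes:
    """Remediation: truncate at the EOI marker so nothing rides along."""
    idx = _eoi_index(image)
    return image if idx == -1 else image[:idx + 2]


if __name__ == "__main__":
    hidden = append_message(DEMO_JPEG, b"meet at dawn")
    print("clean file carries:", trailing_data(DEMO_JPEG))
    print("stego file carries:", trailing_data(hidden))
```

Run over a directory of images, trailing_data is the whole detector for this technique; a tool like ImageHide that changes pixel bits instead leaves the file structurally clean and needs statistical analysis rather than a marker check.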


Applying Permissions on Files and Folders

• You can set permissions on files and folders in Windows (on NTFS) so that other users cannot open or access them.

• Windows carries the Access Control List command 'CACLS' to apply access security on files and folders (on current Windows versions ICACLS is the supported replacement).

• Let's say we have a folder 'Info'. To deny everyone access to 'Info', the command is: CACLS Info /E /P Everyone:N

• To remove the restriction on the folder, the command is: CACLS Info /E /P Everyone:F

• Note that 'Everyone' includes your own account, so you are locked out too until you restore the permission, and an administrator can always take ownership and reset the ACL. This protects against other users on the machine, not against someone with administrator rights or physical access to the disk.

Hiding Files behind Folders on the Local Hard Disk: ADS

• On NTFS you can hide a file inside an Alternate Data Stream (ADS) attached to a folder (or to another file); Explorer and a plain 'dir' do not show it.

• Let us say we have a text file 'Secret.txt' and a folder 'C:\Info'.

• To hide the text file behind the folder, the command is: type Secret.txt > C:\Info:Secret.txt

• Now delete the original file. To view the hidden file, the command is: start C:\Info:Secret.txt (or: more < C:\Info:Secret.txt)

• To search for hidden streams, the Sysinternals ADS tool 'Streams' can be used (on Windows Vista and later, 'dir /r' also lists them).

• To search for hidden streams: streams -s C:\Info

• To delete the hidden streams: streams -d C:\Info

• Caveat: streams exist only on NTFS. Copying the folder to a FAT/exFAT drive or putting it in a ZIP archive silently drops them, and a file hidden this way is not protected, only unlisted.

Process Monitoring for System Security

• Process Explorer is a GUI-based process viewer utility that displays detailed information about processes running under Windows.

• For each process it displays memory, threads, and module usage. For each DLL, it shows full path and version information.

Autorun Application Monitoring for System Security

• Autoruns is a GUI-based application viewer utility that displays detailed information about the applications that run automatically when your computer starts.

• For each Autorun application it displays a full path and application information.


Trojan


Definition

• Trojans are malicious programs used to install hacking software on a target system and to help the attacker gain and keep access to that system. Trojans and their counterparts are important pieces of the hacker’s toolkit.

• A Trojan is a program that appears to perform a desirable and necessary function but that, because of hidden and unauthorized code, performs functions unknown and unwanted by the user. Unlike a virus or a worm it does not spread by itself; it relies on the user running it.

• A Trojan generally consists of two parts: a client component and a server component. For the Trojan to function as a backdoor, the server component has to be installed on the victim’s machine.

• The server is the part of the Trojan on the victim’s computer. It opens a listening port (or, in reverse-connecting variants, connects out to the attacker, which is how most of them get past a NAT router or firewall) and lets the attacker administer the computer.

• The client is the part of the Trojan on the attacker’s computer. It connects to the victim’s computer and administers it without the user’s permission.

Wrapper

• A wrapper (binder) is a program used to combine two or more executables into a single packaged program. The wrapper attaches a harmless executable, like a game, to a Trojan’s payload, the executable code that does the real damage, so that the package appears to be a harmless file.

• Hackers use it to bind the server part of the Trojan to an image or any other file. The result is still an executable: it is usually disguised with the icon of the carrier file and a double extension such as photo.jpg.exe, so an extension that is hidden by Explorer is part of the trick.

Some Famous Trojans

• Back Orifice

• NetBus

• Zlob

• Pest Trap

• ProRat

• Sub7

• Vundo

Modes of Transmission

• CD or DVD Autorun


• Pen Drive

• Email

• Website

• Shared Drives

Trojan Countermeasures

• Awareness and preventive measures are the best defense against Trojans.

• Educate users not to install applications downloaded from the Internet or received as e-mail attachments unless the source is known and trusted.

• Most commercial anti-virus products detect known backdoor programs before they can run, but a freshly wrapped or packed Trojan can slip past signature detection, so pair anti-virus with the monitoring tools described here (Process Explorer, Autoruns, TCPView) and look for listening ports and autorun entries you did not create.

TCPView

• TCPView is a Windows program that shows a detailed listing of all TCP and UDP endpoints on your system, including the local and remote addresses and the state of each TCP connection.

• TCPView also reports the name of the process that owns each endpoint (on Windows NT, 2000, XP and later), which is how a Trojan server’s listening port is tied back to the executable that opened it.


Attacks on Network


Sniffing

• Sniffing is the process of gathering traffic from a network by capturing the data as they pass and storing them to analyze later.

• Sniffers are used to capture traffic sent between two systems. Depending on how the sniffer is used and the security measures in place, a hacker can use a sniffer to discover usernames, passwords, and other confidential information transmitted on the network in clear text (Telnet, FTP, POP3, plain HTTP).

• It is a passive process: the sniffer only listens. On a hub or an open wireless network every station sees every frame; on a switched LAN the sniffer sees only broadcast traffic and its own, which is why it is combined with ARP poisoning.

ARP Poisoning: Man in the Middle Attack

• The concept of ARP poisoning (or ARP spoofing) is to set up a man-in-the-middle attack that allows the attacker to insert himself into the communications stream between the victim and the victim’s intended communications recipient.

• It involves sending forged ARP replies (or requests) to the victim and to the gateway so that each maps the other’s IP address to the attacker’s MAC address; outbound traffic is then delivered to the attacker. The attacker forwards the frames on so that the victims notice nothing; if forwarding is off, the victims simply lose connectivity, which is the denial-of-service variant of the same attack.

• Hackers use ARP poisoning to redirect all the network traffic of a switched LAN through the sniffer device and collect every username and password sent across the network in the clear.

DNS spoofing


• DNS spoofing (or DNS poisoning) is a technique that tricks a DNS server, or a client, into accepting a forged answer as if it were authentic.

• When a user requests a website URL, the hostname is looked up on a DNS server to find the corresponding IP address. If the DNS server’s cache has been poisoned, or an attacker on the path (for example after ARP poisoning) answers before the real server does, the user is sent to a website other than the one requested, such as a fake copy of the login page.

Countering the Network attacks

• Generally a client user is not the person responsible for securing the network; that is part of network administration.

• However, the user is the one who is directly or indirectly affected by network attacks, and a few built-in commands reveal the common ones.

Trace Your Server

• Trace the route to your server to check whether an unexpected device sits between your computer and the server.

• Command: Tracert ServerIP

• Caveat: an ARP man-in-the-middle on your own segment forwards frames at layer 2 and usually does not show up as an extra hop, so a clean tracert does not rule it out; check the ARP table as well.

Check the Network Connections

• A user should check which connections the computer has made to outside devices and which ports it is listening on; a Trojan server shows up as a LISTENING port you cannot account for.

• Command: Netstat -a (the -o switch adds the owning process ID, so the port can be matched to a process in Task Manager or Process Explorer)

• Or you can use TCPView to see the same connection details together with process names.

Checking the ARP Table

• ARP (Address Resolution Protocol) maps the IP address of a device on the local network to its physical (MAC) address.

• Use “Arp -a” to print your computer’s ARP table. ARP poisoning shows up as the gateway’s entry carrying a different MAC address than it did on a clean network, or as two IP addresses (typically the gateway and the attacker) sharing one MAC address; a static ARP entry for the gateway resists the common form of the attack on many systems.
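The two checks above can be automated. The following is an added example, not code from the handout: it parses the text printed by `arp -a` and by `netstat -ano` on Windows and flags the signs described in the text, a MAC address claimed by more than one IP (ARP poisoning) and listening ports that are not on a baseline allow-list (a Trojan server). The sample outputs embedded in the block are constructed for the example, not captured from a real machine, and the attacker address 192.168.1.77 and the port allow-list are assumptions.

```python
"""Added example: spotting ARP poisoning and unexpected listeners from the
output of `arp -a` and `netstat -ano` (Windows formats).  The sample outputs
below are constructed for this example."""
import re
from collections import defaultdict

# Constructed `arp -a` output.  The attacker at 192.168.1.77 has poisoned the
# victim's cache, so the gateway 192.168.1.1 now resolves to the attacker's MAC.
ARP_SAMPLE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.77          00-0c-29-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed `netstat -ano` output.  Port 6666 / PID 3128 is the odd one out.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       3128
  TCP    192.168.1.10:49732     93.184.216.34:443      ESTABLISHED     2044
  UDP    0.0.0.0:5353           *:*                                    1320
"""

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")


def parse_arp(text):
    """Return {ip: (mac, type)} for every entry line of `arp -a` output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, typ = m.groups()
            entries[ip] = (mac.lower(), typ.lower())
    return entries


def arp_duplicates(text):
    """MAC addresses claimed by more than one unicast IP: the fingerprint of
    ARP poisoning.  Broadcast and IPv4 multicast entries are ignored."""
    by_mac = defaultdict(list)
    for ip, (mac, _) in parse_arp(text).items():
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(text, gateway_ip, known_mac):
    """True when the gateway's MAC differs from the one recorded on a clean network."""
    entry = parse_arp(text).get(gateway_ip)
    return entry is not None and entry[0] != known_mac.lower()


def listeners(text):
    """[(proto, local_ip, port, pid)] for LISTENING TCP sockets and all UDP sockets."""
    found = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, ip, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append((proto, ip, int(port), int(pid)))
    return found


def unexpected_listeners(text, expected_ports):
    """Listening sockets whose port is not on the allow-list built from a
    known-clean baseline; each one deserves a look in Process Explorer."""
    return [e for e in listeners(text) if e[2] not in expected_ports]


if __name__ == "__main__":
    print("duplicate MACs:", arp_duplicates(ARP_SAMPLE))
    print("gateway changed:", gateway_changed(ARP_SAMPLE, "192.168.1.1", "00-50-56-11-22-33"))
    print("unexpected listeners:", unexpected_listeners(NETSTAT_SAMPLE, {135, 445, 5353}))
```

The duplicate-MAC test is the reliable one: a poisoned cache always contains the attacker's MAC twice (once for its own IP, once for the IP it is impersonating). The gateway-changed test needs a MAC you recorded earlier on a clean network, which is worth writing down for any network you use regularly.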


Web Server as the Target


Web Operations

Web Server

• A computer (or the program on it) that accepts HTTP requests from clients (user agents such as web browsers) and serves them HTTP responses along with optional content, usually web pages such as HTML documents and linked objects (images, etc.).

• Software to set up a Web Server:

• Apache

• Internet Information Services (IIS)

How a Web Server Works: The Basic Process

Let’s say that you are sitting at your computer, surfing the Web. You type a URL into your browser and press Return, and no matter where in the world that URL lives, the page appears on your screen. At the most basic level, the following diagram shows the steps that brought that page to your screen: the web browser formed a connection to a web server, requested a page and received it.

1. The client sends a request for a web page to the web server.

2. The web server receives the request and sends the web page code to the client.

3. The client receives the web page code, and the web browser renders that code into the page design and displays it to the user.

Database Server

• The database server is a key component in a client/server environment. It holds the database management system (DBMS) and the databases.

• Upon requests from the client machines, it searches the database for selected records and passes them back over the network.

Software to setup a Database Server:

• Oracle

• SQL Server

• MySQL


The Login Process on the Website

Let’s say that you are sitting at your computer, surfing the Web, and you open a website to log in to your account. You type in your username and password, click Sign in, and you are in your account. Behind that click:

1. The client sends a request for the login page to the web server.

2. The web server receives the request and sends the login page code to the client.

3. The client receives the login page code, and the web browser renders it and displays it to the user.

4. The user enters the username and password in the login page and the browser sends them to the web server.

5. The web server receives the username and password and builds a database query from them, which it sends to the database server.

6. The database server receives the query and checks its tables for that username and password.

7. When the lookup is complete, the database server sends the result back to the web server.

8. The web server receives the authentication result from the database server and, on the basis of the result, redirects the user to the proper web page. If the authentication succeeds, the user is signed in to the account; if it fails, the user is asked to sign in again.

Step 5 is where SQL injection lives: if the web server pastes the user’s input straight into the query text, the user controls part of the query.

Operations of a Database Server

A database server consists of tables and records. Records are kept in tables, and these tables and records are updated on a regular basis. Below are the four main working functions of a database server.

1. Creation of Records: CREATE

• Create or add new entries

2. Accessing the Records: READ

• Read, retrieve, search, or view existing entries

3. Updating the Records: UPDATE

• Update or edit existing entries

4. Deleting the Records: DELETE

• Delete existing entries

This is known as the CRUD operation of a database server.

Syntax Queries:

1. Creating or inserting records in the table

• INSERT INTO tablename (column1, [column2, ... ]) VALUES (value1, [value2, ...]);

• The number of columns and values must be the same. If a column is not specified, the default value for the column is used.


2. Accessing or reading records

• SELECT column1 [, column2, ... ] FROM tablename; (the column list is not parenthesised; in standard SQL a parenthesised list is a row constructor, not a column list)

• SELECT * FROM tablename; (for all the fields)

3. Updating records

• UPDATE tablename SET C1 = 1 WHERE C2 = 'a';

4. Deleting records

• DELETE FROM tablename [WHERE condition]; (without the WHERE clause every row in the table is deleted)

SQL injection

• An SQL injection attack exploits a web application that builds its SQL queries by pasting user input into the query text. The database cannot tell the application’s SQL from the attacker’s, so the attacker can read, modify, or delete information, and often run further database commands. The flaw is in the application code, not in the database server.

• A simple example of an SQL injection attack is to use the single quotation mark as part of an input value to a web page. Suppose the login page checks credentials with a query of the form SELECT * FROM users WHERE username = 'login' AND password = 'password', with the two values pasted in. These inputs close the username string early and comment out the password check:

o Login: admin'-- o Login: admin'#

• The database server ignores everything after "--" or "#" because these characters are single-line comment sequences (# is MySQL-only; MySQL also needs a space after --, while Oracle, SQL Server, PostgreSQL and SQLite accept -- on its own). The comment is needed so that the quote left over at the end of the original query does not cause a syntax error.

• Another example of an SQL injection attack is making the condition true by giving a tautology as the value on the web page.

• These values can be inserted into a login as follows: o Login: 1' or '1'='1 and Password: 1' or '1'='1 o Login: 1' or '1'='1';--

• The first pair turns the WHERE clause into username = '1' or '1'='1' AND password = '1' or '1'='1'. AND binds tighter than OR, so the trailing '1'='1' alone makes the whole condition true; the query returns the first matching row, usually the first account created, which is often the administrator’s.


Website Enumeration

• Website enumeration is mapping the structure of a website: its directories, files and links.

• Acquiring the files and folders from the website onto the local computer is also known as web ripping (mirroring).

• It is the ability to copy the structure of a website to a local disk and obtain a complete profile of the site and all its files and links. The offline copy can then be searched at leisure for comments, hidden form fields, script files and paths that the author did not intend to expose.

PHP Injection: Placing PHP Backdoors

• This attack lets a hacker execute code of his or her choosing on the target web server. With that capability, an attacker can compromise the web server and read or write files with the same rights as the web server process (usually the server’s service account rather than root, though local privilege escalation may follow).

• For example, a number of PHP programs pass unchecked user input to the eval( ) function, so a crafted request parameter is run as PHP. The usual way to make the access persistent is to place a small PHP script (a web shell) on the server, for instance through an unrestricted file-upload form, and then call it from the browser with the system command to run.

Google Hacking

• As we all know, Google is a search engine. It keeps snapshots of pages it has crawled that we can access via the cached link on the search results page.

• Google hacking uses Google’s advanced search operators to explore a website, or the whole web, for content the owner did not mean to expose.

You can look for particular file types, password files and directory listings. You can even find IP-based CCTV cameras.

• intitle: searches for the text in the title of the page.

• inurl: searches for the text in the URL of the page.

• filetype: restricts the search to files of a specific type.

• site: narrows the search to a specific site or domain.

To find IP-based CCTV cameras (Axis cameras serve their live view from a page named indexframe.shtml): inurl:indexframe.shtml axis

The Wayback Machine

• Archive.org, called the Wayback Machine.

• Hackers use this website to see how other websites looked in the past, including pages, files and comments that have since been removed from the live site.


Putting the brakes on Web Application attacks

• Input validation against SQL injection

• There are measures that can be applied to mitigate SQL injection attacks. Use of these practices does not guarantee that SQL injection can be completely eliminated, but they will make it much more difficult for hackers to conduct these attacks.

• Validation must happen on the web server, before the input reaches the database: accept only known-good input (an allow-list of characters, lengths and formats) and build queries with bound parameters rather than string concatenation. JavaScript checks in the browser are a usability aid only; an attacker simply sends the request without them.

Directory access controls

• .htaccess files (Apache) provide a way to make configuration changes on a per-directory basis, for example to require a password or to restrict access to certain IP addresses.

• .htaccess files should be used where the content providers need to make configuration changes to the server on a per-directory basis but do not have root access on the server system. They take effect only if the server’s AllowOverride directive permits them, and because the server must look for them on every request, the same rules are cheaper when placed in the main server configuration.

Deny Google to your website

• A robots.txt file at the root of a website is a request that the specified robots ignore the specified files or directories when crawling. It is not access control: the file is public, any crawler may ignore it, and the Disallow lines themselves tell an attacker where the interesting directories are. Never rely on it to hide anything; protect those directories with real authentication.

• For websites with multiple subdomains, each subdomain must have its own robots.txt file. If example.com had a robots.txt file but a.example.com did not, the rules for example.com would not apply to a.example.com.
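An added example, not part of the handout, of how a crawler reads robots.txt and why the file is a request rather than a control. It uses Python’s standard urllib.robotparser; the robots.txt text, the host example.com and the user-agent names are constructed for the example. It also shows a rule of the format that surprises people: a crawler that has its own User-agent group (Googlebot here) follows only that group and ignores the rules written for *, so a path hidden from everyone else can still be open to it.

```python
"""Added example: reading robots.txt the way a crawler does, and listing what
the file discloses.  The robots.txt text below is constructed for this example."""
from urllib.robotparser import RobotFileParser

ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/

User-agent: Googlebot
Disallow: /private-reports/
"""


def load(robots_text):
    """Parse robots.txt text as a crawler would (no network access)."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    rp.modified()  # mark the file as read so can_fetch() gives real answers
    return rp


def allowed(rp, user_agent, url):
    """Would a well-behaved crawler identifying as user_agent fetch url?
    Only the first matching User-agent group applies; '*' is the fallback."""
    return rp.can_fetch(user_agent, url)


def disclosed_paths(robots_text):
    """Every Disallow line is a hint to a human reading the file by hand:
    this is the list an attacker collects before trying the paths directly."""
    paths = []
    for line in robots_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


if __name__ == "__main__":
    rp = load(ROBOTS_TXT)
    for ua, url in [("SomeBot", "http://example.com/admin/users"),
                    ("Googlebot", "http://example.com/admin/users"),
                    ("Googlebot", "http://example.com/private-reports/q1.pdf")]:
        print(ua, url, "->", "allowed" if allowed(rp, ua, url) else "disallowed")
    print("paths disclosed to anyone who reads the file:", disclosed_paths(ROBOTS_TXT))
```

The practical upshot matches the text: a robots.txt entry keeps a polite search engine from indexing a directory, and nothing else; the directory still needs its own access control (.htaccess or the server configuration).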

Basic Website Security

• Validate input on the server and use parameterized queries to counter SQL injection.

• Always change the default usernames and passwords of the web server, the database and any web application you install.

• Do not allow every type of file to be uploaded to your website; restrict uploads to the types you need, store them outside the web root, and never let the server execute an uploaded file.

• Check the files on the website regularly for additions or changes you did not make; an unexpected PHP file is usually a web shell.


Wireless Hacking


The popularity of wireless technology is driven by two major factors: convenience and cost. A Wireless Local Area Network (WLAN) allows workers to access digital resources without being tied to their desks. Mobile users connect to a Local Area Network (LAN) through a wireless (radio) connection, which also means that anyone within radio range can receive the same frames.

Basic Terminologies in Wireless connection

• Access Point: the device that transmits the wireless network and bridges it to the wired LAN.

• SSID: the name of the wireless network. It is also known as the ESSID, the name shared by all access points of one network.

• BSSID: the MAC address of the access point’s wireless interface.

• Channel: the numbered frequency slot the network operates on (for 802.11b/g, channels 1 to 14 in the 2.4 GHz band).

• Power: the strength of the wireless network signal as received by your card.

Wireless Security Overview

• Two methods exist for authenticating wireless LAN clients to an access point: open system or shared key authentication.

• Open system does not provide any security mechanism; it is simply a request to join the network.

• Shared key authentication has the wireless client encrypt a challenge text with the WEP key (RC4) to prove it knows the key. Because both the clear challenge and its encrypted form cross the air, an eavesdropper recovers a piece of RC4 keystream and can answer a later challenge without ever learning the key, so shared key authentication is in practice weaker than open system followed by WEP encryption. Neither method authenticates the access point to the client.

War Driving

• War driving is detecting wireless networks and checking out their properties.

• War driving is of two types:

o Active war driving

o Passive war driving


Active War Driving

• Active war driving detects the wireless networks whose SSIDs are broadcast, that is, the networks shown to every wireless adapter. The card sends probe requests and listens to beacons, exactly as it does when you connect normally.

• It can be done with any wireless card.

Passive War Driving

• Passive war driving also detects the wireless networks whose SSIDs are not broadcast, the hidden wireless networks. The card transmits nothing and captures every 802.11 frame it hears; a hidden SSID is still sent in the clear in probe responses and association requests whenever a legitimate client joins, so hiding the SSID only defeats active scanning.

• The wireless card and its driver must support monitor mode.

WEP Key Cracking

• Wired Equivalent Privacy (WEP) was the first security option for 802.11 WLANs. WEP is used to encrypt data on the WLAN and can optionally be paired with shared key authentication to authenticate WLAN clients. WEP uses the RC4 stream cipher with a 40-bit or 104-bit key, marketed as 64-bit or 128-bit because a 24-bit initialization vector (IV) is prepended to the key for every frame.

• The way WEP uses IVs is its real weakness. The IV is sent in clear text, it is only 24 bits long so it repeats after a few million frames (and much sooner with poor IV selection), and the key-scheduling weakness of RC4 with a partly known key lets an attacker who has collected enough frames with distinct IVs compute the secret key outright. With packet injection to provoke traffic, the necessary tens of thousands of IVs can be gathered in minutes, so a WEP key of any length is recoverable.

Applying the Wireless Security

Hide the Wireless Network: Do not broadcast the SSID of the wireless network. This keeps the network invisible to people who do not know about passive war driving, and to nothing else: a monitor-mode capture still sees the SSID whenever a client associates.

Use a WEP Key: You can use WEP protection on your wireless network to keep casual users out. This is not a real security measure, since WEP is broken and its key can be recovered in minutes, but it will help against script kiddies who do not know how to break WEP. Use it only where the equipment supports nothing better.

WPA: Wi-Fi Protected Access: WPA employs the Temporal Key Integrity Protocol (TKIP), a per-packet key schedule for RC4 designed to avoid WEP’s IV and key-mixing weaknesses, for data encryption, and either WPA Personal (a pre-shared key) or WPA Enterprise (802.1X/EAP against a RADIUS server) for authentication. WPA Enterprise is the more secure and robust option but relies on the creation and more complex setup of a RADIUS server. TKIP rotates the data encryption key to prevent the WEP-style cracking attacks; TKIP itself has since acquired known weaknesses and is deprecated, so prefer WPA2 with AES-CCMP where the hardware supports it. With WPA or WPA2 Personal the security rests entirely on the passphrase: an attacker who captures the four-way handshake can test guesses offline, so a dictionary word or a short key is cracked just as surely as WEP, only more slowly.

MAC Filtering: An early security solution in WLAN technology used MAC address filters: a network administrator entered a list of valid MAC addresses for the systems allowed to associate with the wireless access point. It is easily bypassed, because the attacker can sniff a permitted MAC address from the air and clone it.

Choosing the Best Key: Always use a long WPA key (WPA allows up to 63 characters) with lower as well as upper case letters, numbers and special characters, and avoid dictionary words and keyboard or alphabet sequences. The sample key given in this handout, 12345@abcde&FGHI, contains all four character classes but is built from three sequential runs (12345, abcde, FGHI), so a cracker that tries such patterns finds it far faster than its length suggests; a random key of the same length is much stronger.
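A small checker for the “Choosing the Best Key” advice, added here as an example and not part of the handout. It enforces the WPA-PSK passphrase rules (8 to 63 printable ASCII characters), looks for the sequential runs that make a key like 12345@abcde&FGHI weak, and gives a rough strength estimate in bits. The estimate is a heuristic of my own: naive entropy from length and character classes, with each sequential run counted as a single choice. The 80-bit threshold and the strong sample key Tq7#vLm9$Kp2wXz! are assumptions for the example.

```python
"""Added example: checking a WPA passphrase for length, character classes and
sequential runs.  The strength estimate is a heuristic, not a proof."""
import math
import string


def sequential_runs(p, min_len=4):
    """Maximal runs of consecutive characters in one direction (1234, abcd,
    DCBA) of at least min_len characters, as found in the passphrase."""
    runs = []
    start = 0
    while start < len(p):
        end = start + 1
        step = None
        while end < len(p):
            d = ord(p[end]) - ord(p[end - 1])
            if d not in (1, -1) or (step is not None and d != step):
                break
            step = d
            end += 1
        if end - start >= min_len:
            runs.append(p[start:end])
        start = end
    return runs


def pool_size(p):
    """Size of the alphabet a brute-force attacker has to assume."""
    pool = 0
    if any(c.islower() for c in p):
        pool += 26
    if any(c.isupper() for c in p):
        pool += 26
    if any(c.isdigit() for c in p):
        pool += 10
    if any(c in string.punctuation for c in p):
        pool += len(string.punctuation)
    return pool


def estimated_bits(p):
    """Heuristic strength: log2(pool) per character, with every character of a
    sequential run after the first treated as predictable (zero bits)."""
    pool = pool_size(p)
    if not p or pool == 0:
        return 0.0
    predictable = sum(len(r) - 1 for r in sequential_runs(p))
    return (len(p) - predictable) * math.log2(pool)


def check_passphrase(p, min_bits=80):
    """Return (estimated_bits, list_of_problems); an empty list means acceptable."""
    problems = []
    if not (8 <= len(p) <= 63) or not all(32 <= ord(c) <= 126 for c in p):
        problems.append("WPA-PSK passphrases must be 8 to 63 printable ASCII characters")
    runs = sequential_runs(p)
    if runs:
        problems.append("sequential runs: " + ", ".join(runs))
    bits = estimated_bits(p)
    if bits < min_bits:
        problems.append("estimated strength %.0f bits is below %d" % (bits, min_bits))
    return bits, problems


if __name__ == "__main__":
    for key in ["12345@abcde&FGHI", "Tq7#vLm9$Kp2wXz!", "short"]:
        bits, problems = check_passphrase(key)
        print("%-20s %6.1f bits  %s" % (key, bits, problems or "ok"))
```

The handout’s sample key scores only about 33 bits under this heuristic because eleven of its sixteen characters are the continuation of a run, while a sixteen-character key without patterns scores over 100. A passphrase generated by a password manager, or the 64-hex-digit raw PSK, sidesteps the whole problem.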


Tool Kit Description


Concept of Hacking

• Book: Hacking for Dummies by Kevin Beaver

o This book outlines computer hacker tricks and techniques, in plain English, to assess the security of your own information systems, find security vulnerabilities, and fix the vulnerabilities before malicious and criminal hackers have an opportunity to take advantage of them.

• UltraSurf: HTTPS Tunnelling Tool

o UltraSurf protects your Internet privacy with anonymous surfing and browsing: it hides your IP address and location from the sites you visit and cleans browsing history, cookies and more. It tunnels traffic over HTTPS, so you can visit “https” websites through UltraSurf; because the content of “https” websites is already encrypted, data from these websites is protected twice over.

Email Hacking

• PuTTY: Telnet Connection Tool

o PuTTY is an SSH and Telnet client. In the e-mail lab it is used to open a Telnet connection to an open-relay mail server and type the SMTP commands by hand to send a fake (spoofed-sender) e-mail.

• Fakemail.php: PHP Fakemail Web Script

o This is a PHP webmail script which, once uploaded to a web server, is used to send fake e-mails through that server’s mail function.

System Hacking

• Cain and Abel: Password Cracking Tool

o Cain is the tool used to crack Windows passwords with several types of automated password-guessing attacks, such as dictionary and brute force, against the password hashes it extracts.

• Image Hide: Steganography Tool

o Image Hide hides text inside image files using the concept of steganography.

• Streams: ADS Tool

o Streams examines the files and directories you specify and reports the names and sizes of any named streams it encounters within those files. Streams makes use of an undocumented native function for retrieving file stream information.

• Offline Password Cracker: Windows Live Disk

o This is a Windows live disk used to reset the password of any user account in Windows XP and Windows Vista by editing the SAM database offline. The disk is also used for privilege escalation.

• Active Password Cracker

o This is a Windows live USB disk used to crack the Windows user account passwords.

• Soft Central Keylogger: Keylogger

o This is a software keylogger which can be installed silently on the victim’s computer. The program records every keystroke typed on the keyboard, so it can capture a wide variety of confidential information, including passwords, credit card numbers, private e-mail correspondence, names, addresses, and phone numbers.


• Password Recovery Tools

• Process Explorer

o This is the utility that displays detailed information about the processes running under Windows. For each process it displays memory, threads, and module usage; for each DLL it shows the full path and version information.

Trojan

• Beast: Trojan

• Netbus: Trojan

o These are the Trojans used for remote administration of the victim’s computer.

• Microjoiner: Wrapper Program

o This is the program used to bind the server part of a Trojan to an image or any other file.

• TCPView: Local Network Connection Viewer

o TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and the state of TCP connections.

Sniffing

• Cain and Abel: ARP Poisoning Tool

o Apart from password cracking, Cain can also be used to sniff network traffic and launch the man-in-the-middle attack. Hackers use this tool to redirect all the network traffic of a switched LAN through the sniffer device and collect every username and password sent in the clear.

Web Server Hacking

• Book: Dangerous Google-Searching For Secrets

• Black Widow: Web Ripper

o Black Widow has the ability to copy the structure of a website to a local disk and obtain a complete profile of the site and all its files and links.

• PH.php: Remote Execution Script

o This PHP script, once placed on a target web server, provides the means for a hacker to execute his or her system-level commands on that server.

Wireless Hacking

• Net Stumbler: War Driving Tool

o This is the best-known war driving tool for Windows. It is an active scanner: it sends probe requests and lists the networks that answer or beacon, so it finds only networks that broadcast their SSID and does not need monitor mode.