1/20/2017

Ethical Hacking

Introduction
Hackers (or bad guys) try to compromise computers.
Ethical hackers (or good guys) protect computers against illicit entry.

Introduction
Elements or Components of Information Security
All security elements follow the following three criteria:
Confidentiality: No data or information shall be disclosed to any person within or outside the organization, other than the persons who are authorized to use that data.
Integrity: No data/information or programs shall be allowed to be modified by anyone without proper authority.
Availability: All information systems, including hardware, communication networks, software applications and the data they hold, shall be available to users at all times to carry out business activities.

Basic Security Properties
Confidentiality: Concealment of information or resources
Authenticity: Identification and assurance of origin of info
Integrity: Trustworthiness of data or resources in terms of preventing improper and unauthorized changes
Availability: Ability to use desired information or resource
Non-repudiation: Offer of evidence that a party indeed is sender or a receiver of certain information
Access control: Facilities to determine and enforce who is allowed access to what resources (host, software, network, ...)

History of Hacking
Hacking has been a part of computing for 40 years.
The first computer hacker emerged at MIT.
Hacking began in the 1960s at MIT, the origin of the term "hacker".
The true hackers in our society have a thirst for knowledge.
Boredom is never an object of challenge for the hacker.

What is Hacking?
The process of attempting to gain, or successfully gaining, unauthorized access to computer resources is called hacking.

Who is a hacker?
In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network.
The term hacker is reclaimed by computer programmers who argue that someone breaking into computers is better called a cracker.

Famous Hackers in History
Ian Murphy, Kevin Mitnick, Johan Helsingius, Linus Torvalds, Mark Abene, Robert Morris


Why do hackers hack?
Just for fun.
Show off.
Hack other systems secretly.
Notify many people of their thoughts.
Steal important information.
Destroy enemy's computer network during the war.

Types of Hacking
Website Hacking
Network Hacking
Ethical Hacking
Email Hacking
Password Hacking
Online Banking Hacking
Computer Hacking

Website Hacking
Hacking a website means taking control of the website away from its owner and giving it to the person who hacks the website.

Network Hacking
Network hacking generally means gathering information about a domain by using tools like Telnet, Nslookup, Ping, Tracert, Netstat, etc. over the network.


Ethical Hacking
Ethical hacking is where a person hacks to find weaknesses in a
system and then usually patches them.

Email Hacking
Email hacking is illicit access to an email account or
email correspondence.

Password Hacking
Password cracking is the process of recovering secret passwords from data that has been stored in or transmitted by a computer system.


Online Banking Hacking
Unauthorized access to bank accounts, without knowing the password or without the permission of the account holder, is known as online banking hacking.

Computer Hacking
Computer Hacking is when files on your computer are viewed,
created, or edited without your authorization.

What should you do after being hacked?
Shut down the system
Or turn off the system
Separate the system from the network
Restore the system with the backup
Or reinstall all programs
Connect the system to the network
It can be good to call the police

How to give a password to an account
Use unique passwords for your accounts.
Choose a combination of letters, numbers, or symbols to create a unique password.


How to secure our data
1 -> i or l      |\| -> n
3 -> e           |\/| -> m
4 -> a           s -> z
+ -> t           c -> [
9 -> g           f -> ph
0 -> o           ph -> f
$ -> s           x -> ck
| -> i or l      ck -> x

Ex.
1 +r4|\|$ph3rr3d R$ iooooo +0 y0ur 4[[0u|\|+ , $0 90 4h43d 4$ 0ur pi4|\|.
I transferred Rs.100000 to your account, So go ahead as our plan.

Advantages of hacking
Can be used to recover lost information where the computer password has been lost.
Teaches you that no technology is 100% secure.
To test how good security is on your own network.
They call it white hat computer hacking.

Disadvantages of Hacking
Criminals can use it to their advantage.
It can harm someone's privacy
It's Illegal

Cyberactivism and Hacktivism
Cyberactivism is a form of protest that alerts society of social problems, such as poverty, through listservs, virtual sit-ins, and creating websites to attract the attention of the public.
The computer is proving to be a new medium for the 21st century.

Cyberactivism and Hacktivism 2
Hacktivism is the intentional vandalism of websites that do not support or alert the attention of social problems.
Such political clash can cause jeopardy in national identity.
This is an extreme form of cyberactivism, therefore it is not practiced as much.
New protest techniques used in the WTO Protests, Battle in Seattle, in 1999.


Penetration Testing
Penetration testing is a type of security testing that is used to test the insecurity of an application. It is conducted to find the security risk which might be present in the system.
If a system is not secured, then any attacker can disrupt or take authorized access to that system. Security risk is normally an accidental error that occurs while developing and implementing the software. For example, configuration errors, design errors, and software bugs, etc.
Penetration testing can be defined as a legal and authorized attempt to locate and successfully exploit computer systems for the purpose of making those systems more secure

Role of Penetration Tester
A certified person can perform penetration testing. Certification held by the tester is the indication of his skill sets and competence of capable penetration tester.
Following are the important examples of penetration testing certification:
Certified Ethical Hacker (CEH).
Offensive Security Certified Professional (OSCP).
CREST Penetration Testing Certifications.
Communication Electronic Security Group (CESG) IT Health Check Service certification.
Global Information Assurance Certification (GIAC) Certifications (for example, GIAC Certified Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), Advance Penetration Tester (GXPN), and GIAC Exploit Researcher

Penetration Testing Methodology

Reconnaissance


Reconnaissance, also known as information gathering, is arguably the
most important of the four phases we will discuss.
The more time you spend collecting information on your target, the
more likely you are to be successful in the later phases.
Ironically, recon is also one of the most overlooked, underutilized, and
misunderstood steps in penetration testing (PT) methodologies today

Security Vulnerabilities/Computer Attacks
Security Problems in the TCP/IP Protocol Suite, Steve Bellovin - 89
Attacks on Different Layers
IP Attacks
ICMP Attacks
Routing Attacks
TCP Attacks
Application Layer Attacks

Ping Flood
[Figure: Attacking System, Internet, Broadcast Enabled Network, Victim System]


ICMP Attacks
No authentication
ICMP redirect message
Can cause the host to switch gateways
Benefit of doing this?
Man in the middle attack, sniffing
ICMP destination unreachable
Can cause the host to drop connection
ICMP echo request/reply
Many more
http://www.sans.org/rr/whitepapers/threats/477.php

Routing Attacks
Distance Vector Routing
Announce 0 distance to all other nodes
Blackhole traffic
Eavesdrop
Link State Routing
Can drop links randomly
Can claim direct link to any other routers
A bit harder to attack than DV
BGP
ASes can announce arbitrary prefix
ASes can alter path

TCP Attacks
Three-way handshake between Client and Server:
Client to Server: SYN x
Server to Client: SYN y | ACK x+1
Client to Server: ACK y+1
Issues?
Server needs to keep waiting for ACK y+1
Server recognizes Client based on IP address/port and y+1

TCP Layer Attacks
TCP SYN Flooding
Exploit state allocated at server after initial SYN packet
Send a SYN and don't reply with ACK
Server will wait for 511 seconds for ACK
Finite queue size for incomplete connections (1024)
Once the queue is full it doesn't accept requests
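
The effect of the two numbers on the SYN flooding slide (a queue of 1024 incomplete connections, a 511-second wait for the ACK) can be seen in a small model of the server's queue. This is an added example, not part of the original slides; the names Listener and simulate, the rate of 10 unanswered SYNs per second and the alternative 30-second timeout are assumptions chosen for illustration, and nothing in it touches the network.

```python
# Added example: toy model of the server-side queue of incomplete connections.
# Listener and simulate are illustrative names; no packets are sent anywhere.

BACKLOG = 1024      # slide: finite queue size for incomplete connections
ACK_TIMEOUT = 511   # slide: seconds the server waits for the final ACK


class Listener:
    """Tracks half-open connections keyed by a source identifier."""

    def __init__(self, backlog=BACKLOG, timeout=ACK_TIMEOUT):
        self.backlog = backlog
        self.timeout = timeout
        self.half_open = {}  # key -> arrival time of the SYN (insertion-ordered)

    def _expire(self, now):
        # Time never goes backwards, so the oldest entry is always first.
        while self.half_open:
            key = next(iter(self.half_open))
            if now - self.half_open[key] < self.timeout:
                break
            del self.half_open[key]

    def on_syn(self, now, src):
        """Allocate state for a SYN; False means the queue is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, now, src):
        """Final ACK of the handshake: release the half-open slot."""
        self._expire(now)
        return self.half_open.pop(src, None) is not None


def simulate(seconds, silent_syns_per_sec, backlog=BACKLOG, timeout=ACK_TIMEOUT):
    """One well-behaved client per second competes with SYNs that never ACK.

    Returns (clients_served, clients_refused).
    """
    srv = Listener(backlog, timeout)
    served = refused = 0
    for now in range(seconds):
        for i in range(silent_syns_per_sec):
            srv.on_syn(now, ("silent", now, i))  # state is held until timeout
        client = ("client", now)
        if srv.on_syn(now, client) and srv.on_ack(now, client):
            served += 1
        else:
            refused += 1
    return served, refused


if __name__ == "__main__":
    print("no silent SYNs:          ", simulate(600, 0))
    print("10/s, slide values:      ", simulate(600, 10))
    print("10/s, 30 s ACK timeout:  ", simulate(600, 10, timeout=30))
```

With the slide's values the queue fills after 102 seconds and stays full, because each expired entry is replaced at once; with the shorter timeout the same load never holds more than 300 entries.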

TCP Layer Attacks
TCP Session Hijack
When is a TCP packet valid?
Address/Port/Sequence Number in window
How to get sequence number?
Sniff traffic
Guess it
Many earlier systems had predictable ISN
Inject arbitrary data to the connection

TCP Layer Attacks
TCP Session Poisoning
Send RST packet
Will tear down connection
Do you have to guess the exact sequence number?
Anywhere in window is fine
For 64k window it takes 64k packets to reset
About 15 seconds for a T1


Application Layer Attacks
Applications don't authenticate properly
Authentication information in clear
FTP, Telnet, POP
DNS insecurity
DNS poisoning
DNS zone transfer

An Example
[Figure: Mitnick (M), Shimomura (S) and Trusted (T) exchanging SYN, SYN|ACK and ACK; T is marked X while it is SYN flooded; "++ > rhosts" is written on S]
Finger @S: Attack when no one is around
showmount -e: What other systems it trusts?
Send 20 SYN packets to S: Determine ISN behavior
SYN flood T: T won't respond to packets
Send SYN to S spoofing as T: S assumes that it has a session with T
Send ACK to S with a guessed number
Send echo + + > ~/.rhosts: Give permission to anyone from anywhere

Outline
Security Vulnerabilities
You are here
DoS and D-DoS
Firewalls
Intrusion Detection Systems


Denial of Service
Objective: make a service unusable, usually by overloading the server or network
Consume host resources
TCP SYN floods
ICMP ECHO (ping) floods
Consume bandwidth
UDP floods
ICMP floods

Denial of Service
Crashing the victim
Ping-of-Death
TCP options (unused, or used incorrectly)
Forcing more computation
Taking long path in processing of packets

Simple DoS
[Figure: one Attacker, one Victim]
The Attacker usually spoofed source address to hide origin
Easy to block

Coordinated DoS
[Figure: several Attackers, several Victims]
The first attacker attacks a different victim to cover up the real attack
The Attacker usually spoofed source address to hide origin
Harder to deal with

Distributed DoS
[Figure: Attacker, two Handlers, five Agents, Victim]

Distributed DoS
The handlers are usually very high volume servers
Easy to hide the attack packets
The agents are usually home users with DSL/Cable
Already infected and the agent installed
Very difficult to track down the attacker
How to differentiate between DDoS and Flash Crowd?
Flash Crowd: Many clients using a service legitimately
Slashdot Effect
Victoria Secret Webcast
Generally the flash crowd disappears when the network is flooded
Sources in flash crowd are clustered


Malicious Software (Malware)
A Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.

Malicious Software - Categories
[Figure: category tree. Malicious Software: Viruses, Rabbit, Hoaxes, Trojan Horse, Spyware, Trapdoor, Worms. Lower level: Boot Viruses, File Viruses, Time Bomb, Logic Bomb]

Types of Malicious Software
Virus: These are the programs that spread to other software in the system, i.e., program that incorporates copies of itself into other programs.
Two major categories of viruses:
1. Boot sector virus: infect boot sector of systems. become resident. activate while booting machine
2. File virus: infects program files. activates when program is run.

Categories of Viruses
Polymorphic Virus: Produces modified & fully operational code. Produces new & different code every time when virus is copied & transmitted to a new host. Difficult to detect & remove.
Armored Virus: Programming tricks make the tracing and understanding the code difficult. Complex programming methods used to design code, so difficult to repair infected file.
Stealth Virus: Hides modifications it has made to files or to the disk. Reports false values to programs as they read files or data from storage media.
Companion Virus: Creates new program instead of modifying existing program. Contains all virus code. Executed by shell, instead of original program.

Rabbit: This malicious software replicates itself without limits. Depletes some or all the system's resources.
Re-attacks the infected systems - difficult recovery.
Exhausts all the system's resources such as CPU time, memory, disk space.
Depletion of resources thus denying user access to those resources.

Hoaxes: False alerts of spreading viruses.
e.g., sending chain letters.
message seems to be important to recipient, forwards it to other users - becomes a chain.
Exchanging large number of messages (in chain) floods the network resources - bandwidth wastage.
Blocks the systems on network - access denied due to heavy network traffic.


Trojan Horse: This is a malicious program with unexpected additional functionality. It includes harmful features of which the user is not aware.
Perform a different function than what these are advertised to do (some malicious action e.g., steal the passwords).
Neither self-replicating nor self-propagating.
User assistance required for infection.
Infects when user installs and executes infected programs.
Some types of trojan horses include Remote Access Trojans (RAT), KeyLoggers, Password-Stealers (PSW), and logic bombs.

Transmitting medium:
1. spam or e-mail
2. a downloaded file
3. a disk from a trusted source
4. a legitimate program with the Trojan inside.
Trojan looks for your personal information and sends it to the Trojan writer (hacker). It can also allow the hacker to take full control of your system.

Different types of Trojan Horses:
1. Remote access Trojan takes full control of your system and passes it to the hacker.
2. The data-sending Trojan sends data back to the hacker by means of e-mail. e.g., Key-loggers log and transmit each keystroke.
3. The destructive Trojan has only one purpose: to destroy and delete files. Unlikely to be detected by anti-virus software.
4. The denial-of-service (DOS) attack Trojans combines computing power of all computers/systems it infects to launch an attack on another computer system. Floods the system with traffic, hence it crashes.
5. The proxy Trojans allows a hacker to turn user's computer into HIS (Host Integration Server) server to make purchases with stolen credit cards and run other organized criminal enterprises in particular user's name.
6. The FTP Trojan opens port 21 (the port for FTP transfer) and lets the attacker connect to your computer using File Transfer Protocol (FTP).
7. The security software disabler Trojan is designed to stop or kill security programs such as anti-virus software, firewalls, etc., without you knowing it.

Spyware:
Spyware programs explore the files in an information system.
Information forwarded to an address specified in Spyware.
Spyware can also be used for investigation of software users or preparation of an attack.

Trapdoor: Secret undocumented entry point to the program.
An example of such feature is so called back door, which enables intrusion to the target by bypassing user authentication methods.
A hole in the security of a system deliberately left in place by designers or maintainers.
Trapdoor allows unauthorized access to the system.
Only purpose of a trap door is to "bypass" internal controls. It is up to the attacker to determine how this circumvention of control can be utilized for his benefit.

Types of Trapdoor
Undetectable Trapdoor: Virtually undetectable.
Hardware Trapdoor: Security-related hardware flaws.


Worms: program that spreads copies of itself through a network.
Does irrecoverable damage to the computer system.
Stand-alone program, spreads only through network.
Also performs various malicious activities other than spreading itself to different systems e.g., deleting files.

Attacks of Worms:
1. Deleting files and other malicious actions on systems.
2. Communicate information back to attacker e.g., passwords, other proprietary information.
3. Disrupt normal operation of system, thus denial of service attack (DoS) due to re-infecting infected system.
4. Worms may carry viruses with them.

Means of spreading Infection by Worms:
Infects one system, gain access to trusted host lists on infected system and spread to other hosts.
Another method of infection is penetrating a system by guessing passwords.
By exploiting widely known security holes, in case, password guessing and trusted host accessing fails.
e.g., A well-known example of a worm is the ILOVEYOU worm, which invaded millions of computers through e-mail in 2000.

VIRUSES More Description
Desirable properties of Viruses:
Virus program should be hard to detect by anti-virus software.
Viruses should be hard to destroy or deactivate.
Spread infection widely.
Should be easy to create.
Be able to re-infect.
Should be machine / platform independent, so that it can spread on different hosts.

Detecting virus infected files/programs:
Virus infected file changes - gets bigger.
Modification detection by checksum:
> Use cryptographic checksum/hash function e.g., SHA, MD5.
> Add all 32-bit segments of a file and store the sum (i.e., checksum).
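
The three detection signals named under "Detecting virus infected files/programs" (file size, a sum of all 32-bit segments, a cryptographic hash) do not catch the same modifications, which the following added example shows on constructed data. It is not part of the original slides; the function names, the little-endian segment order, the zero-padded tail and the choice of SHA-256 as the SHA-family hash are assumptions.

```python
# Added example: size, 32-bit additive checksum and SHA-256 as modification
# detectors, compared on constructed byte strings (no real files involved).
import hashlib
import struct


def sum32(data: bytes) -> int:
    """Add all 32-bit little-endian segments, modulo 2**32 (tail zero-padded)."""
    padded = data + b"\x00" * (-len(data) % 4)
    words = struct.unpack("<%dI" % (len(padded) // 4), padded)
    return sum(words) & 0xFFFFFFFF


def fingerprint(data: bytes) -> dict:
    """Values to store while the file is known to be clean."""
    return {
        "size": len(data),
        "sum32": sum32(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def changed_fields(baseline: dict, data: bytes) -> list:
    """Names of the stored values that no longer match the current content."""
    current = fingerprint(data)
    return sorted(name for name in baseline if baseline[name] != current[name])


# Constructed stand-in for a program file: 64 bytes, i.e. sixteen segments.
ORIGINAL = bytes(range(64))
BASELINE = fingerprint(ORIGINAL)

# Constructed modifications of that content.
APPENDED = ORIGINAL + b"\xCC" * 16                          # file gets bigger
OVERWRITTEN = ORIGINAL[:8] + b"\xCC" * 4 + ORIGINAL[12:]    # one segment replaced
REORDERED = ORIGINAL[4:8] + ORIGINAL[0:4] + ORIGINAL[8:]    # two segments swapped

if __name__ == "__main__":
    for label, data in [
        ("unchanged", ORIGINAL),
        ("appended", APPENDED),
        ("overwritten", OVERWRITTEN),
        ("reordered", REORDERED),
    ]:
        print(f"{label:12s} flagged by: {changed_fields(BASELINE, data) or 'nothing'}")
```

Only the hash flags the reordered content: the size is unchanged and addition does not depend on the order of the segments, so the additive checksum is suitable for catching accidental corruption, not deliberate modification.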

Identifying Viruses:
A virus is a unique program.
It has a unique object code.
It inserts in a deterministic manner.
The pattern of object code and where it is inserted provides a signature to the virus program.
This virus signature can be used by virus scanners to identify and detect a particular virus.
Some viruses try to hide or alter their signature:
Random patterns in meaningless places.
Self modifying code - metamorphic, polymorphic viruses.
Encrypt the code, change the key frequently.

Places where viruses live:
Boot sector
Memory resident
Disk - Applications and data stored on disk.
Libraries - stored procedures and classes.
Compiler
Debugger
Virus checking program infected by virus - unable to detect that particular virus signature.


Effect of Virus attack on computer system
Virus may affect user's data in memory - overwriting.
Virus may affect user's program - overwriting.
Virus may also overwrite system's data or programs - corrupting it - disrupts normal operation of system.
Smashing the Stack - Buffer overflow due to execution of program directed to virus code.

Preventing infection by malicious software:
Use only trusted software, not pirated software.
Test all new software on isolated computer system.
Regularly take backup of the programs.
Use anti-virus software to detect and remove viruses.
Update virus database frequently to get new virus signatures.
Install firewall software, which hampers or prevents the functionality of worms and Trojan horses.
Make sure that the e-mail attachments are secure.
Do not keep a floppy disk in the drive when starting a program, unless sure that it does not include malicious software, else virus will be copied in the boot sector.

Intruder Attacks on Networks and Computers
Attack
Any attempt by an unauthorized person to access or use network resources
Network security
Security of computers and other devices in a network
Computer security
Securing a standalone computer--not part of a network infrastructure
Computer crime
Fastest growing type of crime worldwide

Denial-of-Service Attacks
Denial-of-Service (DoS) attack
Prevents legitimate users from accessing network resources
Some forms do not involve computers, like feeding a paper loop through a fax machine
DoS attacks do not attempt to access information
Cripple the network
Make it vulnerable to other type of attacks

Testing for DoS Vulnerabilities
Performing an attack yourself is not wise
You only need to prove that an attack could be carried out

Distributed Denial-of-Service Attacks
Attack on a host from multiple servers or workstations
Network could be flooded with billions of requests
Loss of bandwidth
Degradation or loss of speed
Often participants are not aware they are part of the attack
Attacking computers could be controlled using Trojan programs


Buffer Overflow Attacks


Vulnerability in poorly written code
Code does not check predefined size of input field
Goal
Fill overflow buffer with executable code
OS executes this code
Can elevate attacker's permission to Administrator or even Kernel
Programmers need special training to write secure code


Ping of Death Attacks


Type of DoS attack
Not as common as during the late 1990s
How it works
Attacker creates a large ICMP packet
More than 65,535 bytes
Large packet is fragmented at source network
Destination network reassembles large packet
Destination point cannot handle oversize packet and crashes
Modern systems are protected from this (Link Ch 3n)


Session Hijacking
Enables attacker to join a TCP session
Attacker makes both parties think he or she is the other party

Addressing Physical Security
Protecting a network also requires physical security
Inside attacks are more likely than attacks from outside the company


Keyloggers
Used to capture keystrokes on a computer
Hardware
Software
Software
Behaves like Trojan programs
Hardware
Easy to install
Goes between the keyboard and the CPU
KeyKatcher and KeyGhost


Keyloggers (continued)
Protection
Software-based
Antivirus
Hardware-based
Random visual tests
Look for added hardware
Superglue keyboard connectors in


Behind Locked Doors
Lock up your servers
Physical access means they can hack in
Consider Ophcrack - booting to a CD-based OS will bypass almost any security

Lockpicking
Average person can pick deadbolt locks in less than five minutes
After only a week or two of practice
Experienced hackers can pick deadbolt locks in under 30 seconds
Bump keys are even easier (Link Ch 3o)


Card Reader Locks


Keep a log of who enters and leaves the room
Security cards can be used instead of keys for better security
Image from link Ch 3p
