
3/5/12

Ethical Hacking: Agenda

Hacker's Checklist; Types of Ethical Hacking; Types of


Hacker's checklist
CIA (confidentiality, integrity, and availability). Confidentiality addresses the secrecy and privacy of information. Physical examples of confidentiality include locked doors, armed guards, and fences. Logical examples of confidentiality can be seen in passwords, encryption, and firewalls. In the logical world, confidentiality must protect data in storage and in transit. Integrity provides for the correctness of information. It allows users of information to have confidence in its correctness. Correctness doesn't mean that the data is accurate, just that it hasn't been modified in storage or transit. Availability simply means that when a legitimate


Types of ethical hacking

High-level assessments: Called a level I assessment, a top-down look

Players in the market


Phreakers - The original hackers. These individuals hacked telecommunication and PBX systems to explore their capabilities and make free phone calls.
Script/Click Kiddies - Younger attackers who use widely available freeware vulnerability assessment tools and hacking tools.
Disgruntled Employee - Employees who have lost respect and integrity for the employer. They have insider status, especially access rights and privileges.
Whackers - Whackers are typically newbies who focus their limited skills and abilities on attacking wireless LANs and WANs.
Software Cracker/Hacker - Individuals who

Some well-known hackers


Kevin Poulsen - Known as "Dark Dante". Kevin took over all phones in Los Angeles in 1990 to ensure victory in a phone call-in contest for a Porsche 944. He was later arrested.
Robert Morris - The son of a chief scientist at the NSA. Morris accidentally released the Morris Worm in 1988 from a Cornell University lab. This is now widely seen as the first release of a worm onto the Internet.
Kevin Mitnick - Known as "Condor", Mitnick was the first hacker to hit the FBI Most Wanted list. He broke into such organizations as Digital Equipment Corp., Motorola, Nokia Mobile Phones, Fujitsu, and others. He was arrested in 1994 and has now been released and works as a legitimate security consultant.
Vladimir Levin - A Russian hacker who led a team of hackers who siphoned off $10 million from Citibank and transferred the money to bank accounts around the world. Levin eventually stood trial in the United States and was sentenced to three years in prison. Authorities recovered all but $400,000.00 of the stolen money.
Adrian Lamo - Known as "the Homeless Hacker" because of his transient lifestyle. Lamo spent his days squatting in abandoned buildings and traveling to Internet cafes, libraries, and universities to exploit security weaknesses in high-profile company networks, such as Microsoft, NBC,

Attacker's process
Performing Reconnaissance: locate, gather, identify, and record information about the target. Going through the victim's trash, social engineering, Internet information about the victim.
Scanning and enumeration: attempting to connect to systems to elicit a response. Hackers begin injecting packets into the network and might start using scanning tools such as Nmap. The goal is to map open ports and applications. To avoid IDS, use slow scanning.
Gaining access: the hacker might find an open wireless access point that allows him a

P2P Communication

Application Layer: applications are mapped not by name but by port. FTP, SSH, Telnet, SMTP, DNS, HTTP, and SNMP are a couple of services. FTP is the most hacked service.
Host-to-Host Layer: TCP and UDP are the two primary protocols.
Internet Layer: Internet Protocol (IP) and ICMP (Internet Control Message Protocol).

Source Routing: The Hacker's Friend


Source routing is the ability to specify the route that a packet should take through a network. Routers will respect it if routing information is present in the packet header. Hackers use it to route packets to themselves regardless of the actual route. If the network access layer does not support the size of a datagram, the IP protocol fragments the packet. This fragmentation can be exploited by a hacker.
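The two header features described above (source-route options and fragmentation) are exactly what a border filter or IDS should look for. The following is an added example, not from the original slides: a small IPv4 header parser that walks the options area and reports loose/strict source-route options and fragments. The sample datagram builder and the 10.0.0.9 hop address are constructed for the test, and the checksum is left at zero.

```python
import socket
import struct

# IPv4 option type codes (RFC 791) that carry a source route
SOURCE_ROUTE_OPTIONS = {0x83: "loose source route", 0x89: "strict source route"}


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header and walk its options area."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, _proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    options, i = [], 20
    while i < ihl:
        opt = pkt[i]
        if opt == 0:              # End of Option List
            break
        if opt == 1:              # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("malformed IP option")
        length = pkt[i + 1]
        options.append((opt, pkt[i + 2:i + length]))
        i += length
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "is_fragment": more_fragments or frag_offset != 0, "options": options}


def inspect(pkt: bytes) -> list:
    """Return the findings a filter would act on: source-route options and fragments."""
    hdr = parse_ipv4_header(pkt)
    findings = []
    for opt, data in hdr["options"]:
        if opt in SOURCE_ROUTE_OPTIONS:
            # option data = 1-byte pointer followed by 4-byte hop addresses
            hops = [socket.inet_ntoa(data[k:k + 4]) for k in range(1, len(data) - 3, 4)]
            findings.append((SOURCE_ROUTE_OPTIONS[opt], hops))
    if hdr["is_fragment"]:
        findings.append(("fragment", []))
    return findings


def build_sample(src: str, dst: str, options: bytes = b"", flags_frag: int = 0) -> bytes:
    """Constructed sample datagram (checksum zero) with an 8-byte dummy payload."""
    opts = options + b"\x00" * (-len(options) % 4)      # pad options to a 32-bit boundary
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(opts) // 4), 0, 28 + len(opts),
                        0x1234, flags_frag, 64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + opts + b"\x00" * 8

# Constructed LSRR option: type 0x83, length 7, pointer 4, one hop address
LSRR_VIA_ATTACKER = b"\x83\x07\x04" + socket.inet_aton("10.0.0.9")
```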

Google Hacking

Google has the capability to perform much more powerful searches than most people ever dream of.

By using basic search techniques combined with advanced operators, Google can become a powerful vulnerability search tool.
filetype: search for a particular type of file. Eg. filetype:xls
inurl: search only within the specified URL of a document. Eg. inurl:search-text
link: search within hyperlinks for a specific term. Eg. link:www.domain.com
intitle: search for a term within the title of a document. Eg. intitle:"Index of etc"
Eg. allinurl:tsweb/default.htm - This query will search in a URL for the tsweb/default.htm string. The search found over 200 sites that had the tsweb/default folder. One of them is Remote Desktop Web

Insecure Application

Big Brother is a program that can be used to monitor computer equipment. It can monitor and report the status of items such as central processing unit (CPU) utilization, disk usage, ssh status, http status, pop3 status, telnet status, and so on. Big Brother can collect this information and forward it to a central web page or location. Big Brother doesn't need to run as root. Therefore, the installation guide recommends that the user create a user named bb and configure that user with user privileges. Because the account isn't used by a human, it might have an easy password or one that is not changed often. If the web page that shows the data is not password protected, all someone has to do is go to Google and search for

DNS Enumeration

The primary tool to query DNS servers is nslookup. Nslookup provides machine name and address information.
nslookup www.google.com will return:
Server: dnsr1.sbcglobal.net
Address: 68.94.156.1
Non-authoritative answer:
Name: www.l.google.com
Addresses: 64.233.187.99, 64.233.187.104
Aliases: www.google.com

A zone transfer is unlike a normal lookup in that the user is attempting to retrieve a copy of the entire zone file for a domain from a DNS server. To perform a zone transfer you must be connected to the DNS server that is the authoritative server for that zone. Here is how you do it:
1. nslookup - Enter nslookup from the command line.
2. server <ipaddress> - Enter the IP address of the authoritative server for that zone.
3. set type=any - Tells nslookup to query for any record.
4. ls -d <domain.com> - Domain.com is the name of the targeted

Determining the Network Range

Now that the pen test team has been able to locate names, phone numbers, addresses, some server names, and IP addresses, it's important to find out what range of IP addresses is available for scanning and further enumeration. Take the IP address of a web server discovered earlier and enter it into the Whois lookup at www.arin.net; from this the network's range can be determined. Traceroute and ping are also powerful tools to gather information about the network. To ping a large number of hosts, a ping sweep

Port Scanning
Use tools such as Nmap to perform port scanning and know common Nmap switches. Nmap was developed by a hacker named Fyodor Yarochkin. This popular application is available for Windows and Linux as a GUI and command-line program.
nmap -sT 192.168.1.108 for TCP
nmap -sU 192.168.1.108 for UDP
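The attacker's process slide advises slow scanning to avoid IDS, and the port-scanning slide shows the connect scans that produce the traffic. As an added example (not part of the original slides), here is the detection side: a sliding-window counter over firewall log lines that flags a source touching many distinct ports on one host. The iptables-style log lines, the 192.168.1.108 target and the three source addresses are constructed; the same log is checked with a short and a long window to show why a slow sweep evades the first but not the second.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches the constructed iptables-style lines below: ISO timestamp, SRC=, DST=, DPT=
LINE_RE = re.compile(r"^(\S+) .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts).timestamp(), src, dst, int(dport)


def detect_scans(lines, window_s: int, min_ports: int) -> list:
    """Flag (src, dst) pairs that touch >= min_ports distinct ports within any window_s span."""
    per_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            t, src, dst, port = rec
            per_pair[(src, dst)].append((t, port))
    alerts = []
    for pair, recs in per_pair.items():
        recs.sort()
        in_window = Counter()      # port -> hits currently inside the sliding window
        left = 0
        for t, port in recs:
            in_window[port] += 1
            while recs[left][0] < t - window_s:   # evict events older than the window
                old_port = recs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            if len(in_window) >= min_ports:
                alerts.append(pair)
                break
    return sorted(alerts)


def _line(offset_s: int, src: str, dport: int) -> str:
    ts = datetime(2012, 3, 5, 12, 0, 0) + timedelta(seconds=offset_s)
    return (f"{ts.isoformat()} fw kernel: IN=eth0 SRC={src} DST=192.168.1.108 "
            f"PROTO=TCP SPT=40000 DPT={dport} SYN")

# Constructed log: a fast sweep, a slow sweep, and an ordinary web client
SAMPLE_LOG = (
    [_line(i, "203.0.113.7", 21 + i) for i in range(10)]             # 10 ports in 10 s
    + [_line(i * 600, "198.51.100.9", 21 + i) for i in range(10)]    # one port every 10 min
    + [_line(i * 30, "192.0.2.4", 443 if i % 2 else 80) for i in range(20)]
)
```

Tuning the window longer costs memory and raises the false-positive risk from busy legitimate clients, which is the trade-off slow scanning exploits.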


SuperScan: Version 4 of SuperScan is written to run on Windows XP and 2000. It's a

OS Fingerprinting
The hacker's first choice is passive fingerprinting. The hacker's second choice is to perform active fingerprinting, which basically sends malformed packets to the target in the hope of eliciting a response that will identify it. Passive fingerprinting is really sniffing, as the hacker is sniffing packets as they come by. These packets are examined for certain characteristics that can be pointed out to determine the OS. The most up-to-date passive fingerprinting tool is the Linux-based tool p0f.

Password Hacking
Phishing: Prepare a web site quite similar to a famous web site. Then send the link through social engineering to a victim who, thinking it is the original website, gives their user ID and password.
Brute Forcing: Try out all dictionary words. Nowadays, with alphanumeric passwords and locking the account after a few attempts, this has become difficult.
KeyLogging: Records each keystroke and sends that info to the attacker. Anti-virus software looks for such things. There are programs called crypters which make keyloggers undetectable.

Web Hacking
SQL Injection: Injecting malicious text into the content of a form which queries the DB based on the input.
XSS: Injecting malicious script into the content of a form accepting HTML.
Shells: a malicious .php script. What you have to do is find a place in any website where you can upload. If uploaded, then you can open it from the URL bar and it will give you access to the FTP account of that web hosting.
RFI: Once the shell is placed at yoursite.com/shell.txt

Case Study
The Scenario: You go to a coffee shop for a cup of coffee and to utilize the shop's Wi-Fi hotspot to surf the web. You connect to the hotspot network and decide to perform some online banking or to purchase something online.

As an end-user, you feel quite secure, as you see the lock in the bottom corner of your Internet browser, symbolizing that the online banking or online credit card transaction is safe.

Case Study
The user is not aware of a well-known, easy-to-do SSL exploit called the SSL MITM (Man-in-the-Middle) attack.

Case Study

The first thing the hacker will do is turn on FragRouter so that his machine can perform IP forwarding. FragRouter -81

After that, he'll want to direct your Wi-Fi network traffic to his machine instead of your data traffic going directly to the Internet. This enables him to be the Man-in-the-Middle between your machine and the Internet. Using arpspoof, a real easy way to do this, he determines your IP address is 192.168.1.15 and the Default Gateway of the Wi-Fi network is 192.168.1.1: arpspoof -t 192.168.1.15 192.168.1.1

ARP spoofing is a technique where the attacker sends spoofed ARP messages to the LAN to associate the attacker's MAC address with the IP address of another host, causing any traffic for that host to come to the attacker's machine.
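The binding change just described is also what gives the attack away on the wire: the gateway's IP suddenly claims a new MAC. As an added example (not from the original slides), here is a minimal ARP watcher that decodes Ethernet/ARP frames, seeds its table with a known-good gateway binding, and reports a reply that rebinds an IP to a different MAC or whose ARP sender address disagrees with the frame's source. The frame builder and all MAC addresses are constructed for the test.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def parse_arp(frame: bytes):
    """Decode an Ethernet II frame carrying ARP; return None for anything else."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "eth_src": mac_str(eth_src), "sender_mac": mac_str(sha),
            "sender_ip": socket.inet_ntoa(spa), "target_ip": socket.inet_ntoa(tpa)}


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed ARP reply frame (Ethernet II + ARP) for exercising the watcher."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(sender_mac),
                      socket.inet_aton(sender_ip), mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


class ArpWatch:
    """Track IP -> MAC bindings seen in ARP replies and report when one changes."""

    def __init__(self, trusted=None):
        self.table = dict(trusted or {})   # seed with known-good bindings, e.g. the gateway

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:
            return f"ARP sender {mac} does not match frame source {arp['eth_src']} for {ip}"
        known = self.table.setdefault(ip, mac)   # first sighting is learned, not alerted
        if known != mac:
            return f"binding change for {ip}: {known} -> {mac}"
        return None
```

A static ARP entry for the gateway on the client, or a switch feature such as dynamic ARP inspection, is the corresponding preventive control.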

Case Study

The next step is to enable DNS spoofing via dnsspoof: dnsspoof forges replies to arbitrary DNS address / pointer queries on the LAN. This is useful in bypassing hostname-based access controls, or in implementing a variety of man-in-the-middle attacks. Since he will be replacing the Bank's or Online Store's valid certificate with his own fake one, he will need to turn on the utility to enable his system to be the Man-in-the-Middle for web sessions and to handle certificates. This is done via webmitm. webmitm -d webmitm transparently proxies and sniffs HTTP /

Case Study
Sample Ethereal Screen:


Case Study

He now has the data, but it is still encrypted with 128-bit SSL. No problem, since he has the key. What he simply needs to do now is decrypt the data using the certificate that he gave you. He does this with SSL Dump.

ssldump -r Bankcapture -k webmitm.crt -d > bankoutput

The data is now decrypted and he runs a cat command to view the now decrypted SSL information. With this information, he can now log into your Online Banking Account with the same access and privileges as you. He could transfer money, view account data, etc.

Note: There's a big step an end-user can take to


Finally
What do you want to do? Enjoy food??? Oh yes, definitely. After all, that is what tech talk is all about. White Hat Hacking??? Maybe. Some people are making a living doing this. This is what we call ethical hacking. Black Hat Hacking??? NO. NO. NO.

Remember slide 5? No? That's the slide on well-known hackers. And all of them are now in jail.