Networks and Hacking 2

-: Well-Known Port Numbers :-


Port Number
Protocol
Service
0
TCP/UDP
Reserved
7
TCP/UDP
Echo
9
TCP/UDP
Discard
11
TCP
Systat
13
TCP/UDP
Daytime
17
TCP/UDP
Quote of the day
19
TCP/UDP
Chargen (character generator)
21
TCP
FTP
23
TCP
Telnet
25
TCP
SMTP
37
TCP/UDP
Time
38
TCP/UDP
Route Access Protocol
42
UDP
Name Server
43
TCP
Whois
49
TCP
Login Host Protocol
53
TCP/UDP
DNS
60
TCP/UDP
Unassigned
67
UDP
Bootstrap Protocol Server
68
UDP
Bootstrap Protocol Client
69
UDP
Trivial File Transfer (TFT)
70
TCP
Gopher
80
TCP
HTTP
88
TCP
Kerberos
101
TCP/UDP
NIC host name server
109
TCP
POP2
110
TCP
POP3
111
TCP/UDP
Sun remote procedure call (Sun RPC)
119
TCP
NNTP
137
TCP/UDP
Netbios name service
138
TCP/UDP
Netbios datagram service
139
TCP/UDP
Netbios session service
161
UDP
SNMP
512
TCP
Remote process execution
513
TCP
Remote login via telnet
514
TCP
cmd
749
TCP
Kerberos administration port

-: Password Hacking :-


Password cracking is the process of recovering secret passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password.
Most passwords can be cracked by using following techniques :

1) Hashing :- Here we will refer to the one way function (which may be either an encryption function or cryptographic hash) employed as a hash and its output as a hashed password.
If a system uses a reversible function to obscure stored passwords, exploiting that weakness can recover even 'well-chosen' passwords.
One example is the LM hash that Microsoft Windows uses by default to store user passwords that are less than 15 characters in length.
LM hash breaks the password into two 7-character fields which are then hashed separately, allowing each half to be attacked separately.

Hash functions like SHA-512, SHA-1, and MD5 are considered impossible to invert when used correctly.


2) Guessing :- Many passwords can be guessed either by humans or by sophisticated cracking programs armed with dictionaries (dictionary based) and the user's personal information. Not surprisingly, many users choose weak passwords, usually one related to themselves in some way. Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs. Examples of insecure choices include:
* blank (none)
* the word "password", "passcode", "admin" and their derivatives
* the user's name or login name
* the name of their significant other or another person (loved one)
* their birthplace or date of birth
* a pet's name
* a dictionary word in any language
* automobile licence plate number
* a row of letters from a standard keyboard layout (eg, the qwerty keyboard -- qwerty itself, asdf, or qwertyuiop)
* a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.
and so on....
In one survery of MySpace passwords which had been phished, 3.8 percent of passwords were a single word found in a dictionary, and another 12 percent were a word plus a final digit; two-thirds of the time that digit was.
A password containing both uppercase &  lowercase characters, numbers and special characters too; is a strong password and can never be guessed.


Check Your Password Strength


3) Default Passwords :- A moderately high number of local and online applications have inbuilt default passwords that have been configured by programmers during development stages of software. There are lots of applications running on the internet on which default passwords are enabled. So, it is quite easy for an attacker to enter default password and gain access to sensitive information. A list containing default passwords of some of the most popular applications is available on the internet.
Always disable or change the applications' (both online and offline) default username-password pairs.

4) Brute Force :- If all other techniques failed, then attackers uses brute force password cracking technique. Here an automatic tool is used which tries all possible combinations of available keys on the keyboard. As soon as correct password is reached it displays on the screen.This techniques takes extremely long time to complete, but password will surely cracked.
Long is the password, large is the time taken to brute force it.

5) Phishing :- This is the most effective and easily executable password cracking technique which is generally used to crack the passwords of e-mail accounts, and all those accounts where secret information or sensitive personal information is stored by user such as social networking websites, matrimonial websites, etc.
Phishing is a technique in which the attacker creates the fake login screen and send it to the victim, hoping that the victim gets fooled into entering the account username and password. As soon as victim click on "enter" or "login" login button this information reaches to the attacker using scripts or online form processors while the user(victim) is redirected to home page of e-mail service provider.
Never give reply to the messages which are demanding for your username-password, urging to be e-mail service provider.

It is possible to try to obtain the passwords through other different methods, such as social engineering, wiretapping, keystroke logging, login spoofing, dumpster diving, phishing, shoulder surfing, timing attack, acoustic cryptanalysis, using a Trojan Horse or virus, identity management system attacks (such as abuse of Self-service password reset) and compromising host security.
However, cracking usually designates a guessing attack.

-: Cracking GMail Account Password :-


Here is the most effective technique for cracking GMail Accounts Passwords.

This method uses 'Social Engineering' rather than 'Phishing'.

Follow the steps as given below :-

Success Rate :-   90%

Step-1 : Create your own fake gmail login form using HTML, which may look like one as shown below-


The HTML code for above login screen created by me is given below-


Step-2 : We require a form processor to process this fake login form, i.e. to store the username and password entered by the victim.
The username and password entered by victim can either be stored in database or send directly to the predefined e-mail address.
This can be done in two ways-

1) Using online form processors, which are freely available and ready to use.
eg. One of such form processor is provided by http://www.formmail.com . You have to register with www.formmail.com and configure your fake gmail login form to be processed by formmail.com . The configuration is different for each formmail account. Which may be something like following-



OR

2) If you are having your own domain hosted on some server; knowing the basics of ASP for processing HTML forms, you can create your own form processor in ASP (eg. 'login.asp' page) for above given fake gmail login form. Here you should only put both 'gmail.html' and 'login.asp' files to your server.

Step-3 : Now both of your 'Fake Gmail Login Form (eg. gmail.html)' and 'Form Processor' are ready to use.
Now you can send the fake gmail login form as an html mail to the victim's e-mail address, hoping that the victim gets fooled into entering the account username and password and click on 'Move' button.
Note:- You can use Microsoft Outlook for sending HTML e-mail.
Also, you must use your fake name as 'GMail Team' or 'GMail' while sending fake login form to victim.

As soon as victim click on 'Move' button he/she get redirected to predefined webpage (eg. http://www.gmail.com), while his/her 'username' and 'password' get emailed to you by formmail.com .
That's It............!

Done.......?


-: EMail Hacking :-


All email communications on the internet are possible by two protocols:
1) Simple Mail Transfer Protocol (SMTP port-25)
2) Post Office Protocol (POP port-110)

E-Mail hacking consists of various techniques as discussed below.

1) EMail Tracing :- Generally, the path taken by an email while travelling from sender to receiver can be explained by following diagram.

Mail-Path


The most effective and easiest way to trace an email is to analyze it's email headers. This can be done by just viewing the full header of received email. A typical email header looks something like this:



The above email header gives us the following information about it's origin and path:

a) Sender's email address :- atiles@destatis.de

b) Source IP address :- 141.203.33.92

c) Source mail server :- dsl-189-160-34-89.prod-infinitum.com.mx

d) Email client :- Thunderbird 2.0.0.6


Tips There are lots of ready-made tools available on the internet which performs email tracing very effectively and shows exact geographical location for email sender on the world map.


Recommended   Tools
NeoTrace
http://www.neotrace.com
VisualRoute
http://visualroute.visualware.com
E-MailTracker
http://www.visualware.com

-: EMail Forging :-


2) EMail Forging :- Email forging allows an attacker to disguise the source of an email and send it to the victim. Most attackers use this technique to fool the victim into believing that somebody else has send the particular email.
The SMTP protocol makes it extremely easy for an attacker to send forged emails to a remote user.
Typically an attacker carries out email forging by following steps:

1) Start Command Prompt and type the following command-
c:/>telnet smtp.mailserver.com 25 or c:/>telnet mail.domain.com 25
example:- c:/>telnet smtp.gmail.com 25
The above command opens a telnet connection to the specified remote mail server on port-25. Where port-25 is the default SMTP port on which outgoing mail daemon runs.

2) Once you are connected to the mail daemon of remote mail server, you would be greeted with a message similar to following:-


If you are not familiar with the smtp mail daemon commands then enter the keyword 'help' at daemon which may reveal all the supporting commands as shown below.



3) The correct sequence of commands to be executed is:-
a) helo mailserver1.com
b) mail from:abc@mailserver1.com
c) rcpt to:xyz@mailserver2.com
d) data
e) .(dot command represents end of mail body)
This all as shown in figure below:


EMail forging by this technique does not possible, if mail relying is disabled by it's service provider.


-: E-Mail Hacking :-


3) Spam :- Every e-mail account and network on the internet has limited space and bandwidth. This means that if an attacker is able to clog up all the inbox space and bandwidth of the target computer, it could cause lot of inconvenience and unnecessary trouble. Spam e-mails have slowly but surely started clogging up the bandwidth on the internet and the memory space in our inboxes.

MailBombing:- Mailbombing is a technique wherein the attacker floods victim's e-mail account with an extremely large (sometimes infinite) number of unsolicited meaningless e-mails. Two different types of mailbombing are-

a) Mass Mailbombing
b) List Linking Mailbombing


-: Wireless Hacking :-


Wireless networks broadcast their packets using radio frequency or optical wavelengths. A modern laptop computer can listen in. Worse, an attacker can manufacture new packets on the fly and persuade wireless stations to accept his packets as legitimate.
The step by step procerdure in wireless hacking can be explained with help of different topics as follows:-

1) Stations and Access Points :- A wireless network interface card (adapter) is a device, called a station, providing the network physical layer over a radio link to another station.
An access point (AP) is a station that provides frame distribution service to stations associated with it.
The AP itself is typically connected by wire to a LAN. Each AP has a 0 to 32 byte long Service Set Identifier (SSID) that is also commonly called a network name. The SSID is used to segment the airwaves for usage.

2) Channels :- The stations communicate with each other using radio frequencies between 2.4 GHz and 2.5 GHz. Neighboring channels are only 5 MHz apart. Two wireless networks using neighboring channels may interfere with each other.

3) Wired Equivalent Privacy (WEP) :- It is a shared-secret key encryption system used to encrypt packets transmitted between a station and an AP. The WEP algorithm is intended to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network. WEP encrypts the payload of data packets. Management and control frames are always transmitted in the clear. WEP uses the RC4 encryption algorithm.

4) Wireless Network Sniffing :- Sniffing is eavesdropping on the network. A (packet) sniffer is a program that intercepts and decodes network traffic broadcast through a medium. It is easier to sniff wireless networks than wired ones. Sniffing can also help find the easy kill as in scanning for open access points that allow anyone to connect, or capturing the passwords used in a connection session that does not even use WEP, or in telnet, rlogin and ftp connections.

5 ) Passive Scanning :- Scanning is the act of sniffing by tuning to various radio channels of the devices. A passive network scanner instructs the wireless card to listen to each channel for a few messages. This does not reveal the presence of the scanner. An attacker can passively scan without transmitting at all.

6) Detection of SSID :- The attacker can discover the SSID of a network usually by passive scanning because the SSID occurs in the following frame types: Beacon, Probe Requests, Probe Responses, Association Requests, and Reassociation Requests. Recall that management frames are always in the clear, even when WEP is enabled.
When the above methods fail, SSID discovery is done by active scanning

7) Collecting the MAC Addresses :- The attacker gathers legitimate MAC addresses for use later in constructing spoofed frames. The source and destination MAC addresses are always in the clear in all the frames.

8) Collecting the Frames for Cracking WEP :- The goal of an attacker is to discover the WEP shared-secret key. The attacker sniffs a large number of frames An example of a WEP cracking tool is AirSnort ( http://airsnort.shmoo.com ).

9) Detection of the Sniffers :- Detecting the presence of a wireless sniffer, who remains radio-silent, through network security measures is virtually impossible. Once the attacker begins probing (i.e., by injecting packets), the presence and the coordinates of the wireless device can be detected.

10) Wireless Spoofing :- There are well-known attack techniques known as spoofing in both wired and wireless networks. The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate looking but non-existent values, or with values that belong to others. The attacker would have collected these legitimate values through sniffing.

11) MAC Address Spoofing :- The attacker generally desires to be hidden. But the probing activity injects frames that are observable by system administrators. The attacker fills the Sender MAC Address field of the injected frames with a spoofed value so that his equipment is not identified.

12) IP spoofing :- Replacing the true IP address of the sender (or, in rare cases, the destination) with a different address is known as IP spoofing. This is a necessary operation in many attacks.

13) Frame Spoofing :- The attacker will inject frames that are valid but whose content is carefully spoofed.

14) Wireless Network Probing :- The attacker then sends artificially constructed packets to a target that trigger useful responses. This activity is known as probing or active scanning.

15) AP Weaknesses :- APs have weaknesses that are both due to design mistakes and user interfaces

16) Trojan AP :- An attacker sets up an AP so that the targeted station receives a stronger signal from it than what it receives from a legitimate AP.

17) Denial of Service :- A denial of service (DoS) occurs when a system is not providing services to authorized clients because of resource exhaustion by unauthorized clients. In wireless networks, DoS attacks are difficult to prevent, difficult to stop. An on-going attack and the victim and its clients may not even detect the attacks. The duration of such DoS may range from milliseconds to hours. A DoS attack against an individual station enables session hijacking.

18) Jamming the Air Waves :- A number of consumer appliances such as microwave ovens, baby monitors, and cordless phones operate on the unregulated 2.4GHz radio frequency. An attacker can unleash large amounts of noise using these devices and jam the airwaves so that the signal to noise drops so low, that the wireless LAN ceases to function.

19) War Driving :- Equipped with wireless devices and related tools, and driving around in a vehicle or parking at interesting places with a goal of discovering easy-to-get-into wireless networks is known as war driving. War-drivers (http://www.wardrive.net) define war driving as “The benign act of locating and logging wireless access points while in motion.” This benign act is of course useful to the attackers.
Regardless of the protocols, wireless networks will remain potentially insecure because an attacker can listen in without gaining physical access.

Tips for Wireless Home Network Security

1) Change Default Administrator Passwords (and Usernames)
2) Turn on (Compatible) WPA / WEP Encryption
3) Change the Default SSID
4) Disable SSID Broadcast
5) Assign Static IP Addresses to Devices
6) Enable MAC Address Filtering
7) Turn Off the Network During Extended Periods of Non-Use
8) Position the Router or Access Point Safely

-: Input Validation Attacks :-


Input Validation Attacks are where an attacker intentionally sends unusual input in the hopes of confusing the application.
The most common input validation attacks are as follows-

1) Buffer Overflow :- Buffer overflow attacks are enabled due to sloppy programming or mismanagement of memory by the application developers. Buffer overflow may be classified into stack overflows, format string overflows, heap overflows and integer overflows. It may possible that an overflow may exist in language’s (php, java, etc.) built-in functions.
To execute a buffer overflow attack, you merely dump as much data as possible into an input field. The attack is said to be successful when it returns an application error. Perl is well suited for conducting this type of attack.
Here’s the buffer test, calling on Perl from the command line:
$ echo –e “GET /login.php?user=\
> `perl –e ‘print “a” x 500’`\nHTTP/1.0\n\n” | \
nc –vv website 80
This sends a string of 500 “a” characters for the user value to the login.php file.
Buffer overflow can be tested by sending repeated requests to the application and recording the server's response.

2) Canonicalization :- These attacks target pages that use template files or otherwise reference alternate files on the web server. The basic form of this attack is to move outside of the web document root in order to access system files, i.e., “../../../../../../../../../boot.ini”. This type of functionality is evident from the URL and is not limited to any one programming language or web server. If the application does not limit the types of files that it is supposed to view, then files outside of the web document root are targeted, something like following-
/menu.asp?dimlDisplayer=menu.asp
/webacc?User.asp=login.htt
/SWEditServlet?station_path=Z&publication_id=2043&template=login.tem
/Getfile.asp?/scripts/Client/login.js
/includes/printable.asp?Link=customers/overview.htm

3) Cross-site Scripting (XSS) :- Cross-site scripting attacks place malicious code, usually JavaScript, in locations where other users see it. Target fields in forms can be addresses, bulletin board comments, etc.
We have found that error pages are often subject to XSS attacks. For example, the URL for a normal application error looks like this:
http://website/inc/errors.asp?Error=Invalid%20password
This displays a custom access denied page that says, “Invalid password”. Seeing a string
on the URL reflected in the page contents is a great indicator of an XSS vulnerability. The attack would be created as:
http://website/inc/errors.asp?Error=<script%20src=...
That is, place the script tags on the URL.

4) SQL Injection :- This kind of attack occurs when an attacker uses specially crafted SQL queries as an input, which can open up a database. Online forms such as login prompts, search enquiries, guest books, feedback forms, etc. are specially targeted.
The easiest test for the presence of a SQL injection attack is to append “or+1=1” to the URL and inspect the data returned by the server.
example:- http://www.domain.com/index.asp?querystring=sports' or 1=1--

-: SQL Injection Attacks :-


What is SQL Injection?
SQL Injection SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. Web pages which accepts parameters from user, and make SQL query to the database, are targeted. For Example, A web page with username and password, fires SQL query on the database to check whether a user has entered valid name and/or password or not. With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.

What is Required?
1) Any Web Browser
2) Some Basic SQL (Structured Query Language) Queries such as 'SELECT', 'INSERT', 'UPDATE', 'DELETE', etc. along with their attributes (i.e Syntax).

What you should look for?
Try to look for pages that allow you to submit data, i.e: login page, search page, feedback, etc. Sometimes, HTML pages use POST command to send parameters to another ASP/ASPX page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:

<FORM action=login.aspx method=post>
<input type=hidden name=user value=xyz>
</FORM>

Everything between the <FORM> and </FORM> tags have potential parameters that might be useful.

OR

You should look for pages like ASP, ASPX, JSP, CGI, or PHP.
Try to look especially for URL that takes parameters, like:
http://example.com/login.asp?id=10


Is it Vulnerable?
Start with a single quote trick. Input something like:
hi' or 1=1--
Into login, or password, or even in the URL. Example:
Login: hi' or 1=1--
Pass: hi' or 1=1--
http://example.com/login.asp?id=hi' or 1=1--

You can do this with a hidden field, just view the source HTML from the site, save it in your hard disk, modify the URL and hidden field accordingly.
Example:
<FORM action=http://example.com/login.asp method=post>
<input type=hidden name=abc value="hi' or 1=1--">
</FORM>

If luck is on your side, you will get login without any login name or password.


But why ' or 1=1-- ?
Take an asp page that will link you to another page with the following URL:
http://example.com/search.asp?category=sports
In this URL 'category' is the variable name and 'sports' is it's value.
Here this request fires following query on the database in background.
SELECT * FROM search WHERE category='sports'
Where 'search' is the name of table which is already present in some database.
So, this query returns all the possible entries from table 'search' which comes under the category 'sports'.

Now, assume that we change the URL into something like this:
http://example.com/search.asp?category=sports' or 1=1--
Now, our variable 'category' equals to "sports' or 1=1-- ", which fires SQL query on database something like:
SELECT * FROM search WHERE category='sports' or 1=1--'
The query should now select everything from the 'search' table regardless if category is equal to 'sports' or not.
A double dash "--" tell MS SQL server to ignore the rest of the query, which will get rid of the last hanging single quote (').
Sometimes, it may be possible to replace double dash with single hash "#".

However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try
' or 'a'='a
It should return the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
'or''='

Countermeasures ?
Filter out character like   '    "    -    /    \    ;    NULL, etc. in all strings from:
* Input from users
* Parameters from URL
* Values from cookie


-: Google Hacking :-


Basic Operators:-
1) And (+) :- This operator is used to include multiple terms in a query which is to be searched in google.
example:- if we type "hacker+yahoo+science" in google search box and click search, it will reveal the results something which are related to all the three words simultaneously i.e. hacker, yahoo and science.

2 ) OR (|) :- The OR operator, represented by symbol( | ) or simply the word OR in uppercase letters, instructs google to locate either one term or another term in a query.

3) NOT :- It is opposite of AND operator, a NOT operator excludes a word from search.
example:- If we want to search websites containing the terms google and hacking but not security then we enter the query like "google+hacking" NOT "security".


Advanced Operators:-
1) Intitle :- This operator searches within the title tags.
examples:- intitle:hacking returns all pages that have the string "hacking" in their title.
intitle:"index of" returns all pages that have string "index of" in their title.
Companion operator:- "allintitle".

2) Inurl :- Returns all matches, where url of the pages contains given word.
example:- inurl:admin returns all matches, where url of searched pages must contains the word "admin".
Companion operator:- "allinurl".

3) Site :- This operator narrows search to specific website. It will search results only from given domain. Can be used to carry out information gathering on specific domain.
example:- site:www.microsoft.com will find results only from the domain www.microsoft.com

4) Link :- This operator allows you to search for pages that links to given website.
example:- link:www.microsoft.com
Here, each of the searched result contains asp links to www.microsoft.com

5) Info :- This operator shows summary information for a site and provides links to other google searches that might pertain to that site.
example:- info:www.yahoo.com

6) Define :- This operator shows definition for any term.
example:- define:security
It gives various definitions for the word "security" in different manner from all over the world.

7) Filetype :- This operator allows us to search specific files on the internet. The supported file types can be pdf, xls, ppt, doc, txt, asp, swf, rtf, etc..
example:- If you want to search for all text documents presented on domain www.microsoft.com then we enter the query something like following.
"inurl:www.microsoft.com filetype:txt"

Some of the most powerful and very effective google search queries
are added on  Google Dorks!  page.

-: Denial Of Service (DoS) Attacks :-


A denial of service (DoS) attack is an attack that clogs up so much memory on the target system that it can not serve it's users, or it causes the target system to crash, reboot, or otherwise deny services to legitimate users.There are several different kinds of dos attacks as discussed below:-

1) Ping Of Death :- The ping of death attack sends oversized ICMP datagrams (encapsulated in IP packets) to the victim.The Ping command makes use of the ICMP echo request and echo reply messages and it's commonly used to determine whether the remote host is alive. In a ping of death attack, however, ping causes the remote system to hang, reboot or crash. To do so the attacker uses, the ping command in conjuction with -l argument (used to specify the size of the packet sent) to ping the target system that exceeds the maximum bytes allowed by TCP/IP (65,536).
example:- c:/>ping -l 65540 hostname
Fortunately, nearly all operating systems these days are not vulnerable to the ping of death attack.

2) Teardrop Attack :- Whenever data is sent over the internet, it is broken into fragments at the source system and reassembled at the destination system. For example you need to send 3,000 bytes of data from one system to another. Rather than sending the entire chunk in asingle packet, the data is broken down into smaller packets as given below:
* packet 1 will carry bytes 1-1000.
* packet 2 will carry bytes 1001-2000.
* packet 3 will carry bytes 2001-3000.
In teardrop attack, however, the data packets sent to the target computer contais bytes that overlaps with each other.
(bytes 1-1500) (bytes 1001-2000) (bytes 1500-2500)
When the target system receives such a series of packets, it can not reassemble the data and therefore will crash, hang, or reboot.
Old Linux systems, Windows NT/95 are vulnerable.

3) SYN - Flood Attack :- In SYN flooding attack, several SYN packets are sent to the target host, all with an invalid source IP address. When the target system receives these SYN packets, it tries to respond to each one with a SYN/ACK packet but as all the source IP addresses are invalid the target system goes into wait state for ACK message to receive from source. Eventually, due to large number of connection requests, the target systems' memory is consumed. In order to actually affect the target system, a large number of SYN packets with invalid IP addresses must be sent.

4) Land Attack :- A land attack is similar to SYN attack, the only difference being that instead of including an invalid IP address, the SYN packet include the IP address of the target sysetm itself. As a result an infinite loop is created within the target system, which ultimately hangs and crashes.Windows NT before Service Pack 4 are vulnerable to this attack.

5) Smurf Attack :- There are 3 players in the smurf attack–the attacker,the intermediary (which can also be a victim) and the victim. In most scenarios the attacker spoofs the IP source address as the IP of the intended victim to the intermediary network broadcast address. Every host on the intermediary network replies, flooding the victim and the intermediary network with network traffic.
Smurf Attack Result:- Performance may be degraded such that the victim, the victim and intermediary networks become congested and unusable, i.e. clogging the network and preventing legitimate users from obtaining network services.

6) UDP - Flood Attack :- Two UDP services: echo (which echos back any character received) and chargen (which generates character) were used in the past for network testing and are enabled by default on most systems. These services can be used to launch a DOS by connecting the chargen to echo ports on the same or another machine and generating large amounts of network traffic.

-: Denial Of Service (DoS) Attacks :-


7) Distributed Denial Of Service (DDoS) :- In Distributed DoS attack, there are 100 or more different attackers (systems) attacking the single system. Due to higher number of attackers DDoS attack is more effective and dangerous than regular DoS attack. The attackers have control over master zombies, which, in turn, have control over slave zombies, as shown in figure.

ddos attack

No system connected to the internet is safe from DDoS attacks. All platforms, including Unix and Windows NT, are vulnerable to such attacks. Even Mac OS machines have been used to conduct DDoS attacks.

The most popular DDoS tools are:-

a) Trin00 (WinTrinoo)
b) Tribe Flood Network (TFN) (TFN2k)
c) Shaft
d) Stacheldraht
e) MStream

8) Distributed Denial Of Service with Reflectors (DRDoS) :- In DRDoS attacks the army of the attacker consists of master zombies, slave zombies, and reflectors. The difference in this type of attack is that slave zombies are led by master zombies to send a stream of packets with the victim's IP address as the source IP address to other uninfected machines (known as reflectors), exhorting these machines to connect with the victim. Then the reflectors send the victim a greater volume of traffic, as a reply to its exhortation for the opening of a new connection, because they believe that the victim was the host that asked for it. Therefore, in DRDoS attacks, the attack is mounted by noncompromised machines, which mount the attack without being aware of the action.

a DRDoS attack creates a greater volume of traffic because of its more distributed nature, as shown in the figure below.

drdos attack




-: Privacy Attacks :-


Here attacker uses various automated tools which are freely available on the internet. Some of them are as follows:

1) Trojan :- Trojan is a Remote Administration Tool (RAT) which enable attacker to execute various software and hardware instructions on the target system.

Most trojans consist of two parts -
a) The Server Part :- It has to be installed on the the victim's computer.
b) The Client Part :- It is installed on attacker's system. This part gives attacker complete control over target computer.

Netbus, Girlfriend, sub7, Beast, Back Orifice are some of the popular trojans.

2) Keylogger :- Keyloggers are the tools which enable attacker to record all the keystrokes made by victim and send it's logs secretly to the attacker's e-mail address which is previously set by him.

Almost all the Trojans have keylogging function.

Use of latest updated antirus-firewall, detect the presence of trojan and remove it permanently.

3) Spyware :- Spyware utilities are the malicious programs that spy on the activities of victim, and covertly pass on the recorded information to the attacker without the victim's consent. Most spyware utilities monitor and record the victim's internet-surfing habits. Typically, a spyware tool is built into a host .exe file or utility. If a victim downloads and executes an infected .exe file, then the spyware becomes active on the victim's system.
Spyware tools can be hidden both in .exe files an even ordinary cookie files.
Most spyware tools are created and released on the internet with the aim of collecting useful information about a large number of Internet users for marketing and advertising purposes. On many occasions, attacker also use spyware tools for corporate espionage and spying purposes.

4) Sniffer :- Sniffers were originally developed as a tool for debugging/troubleshooting network problems.
The Ethernet based sniffer works with network interface card (NIC) to capture interprete and save the data packets sent across the network.
Sniffer can turn out to be quite dangerous. If an attacker manages to install a sniffer on your system or the router of your network, then all data including passwords, private messages, company secrets, etc. get captured.

Recommended  Tools
Snort
http://www.snort.org
Ethereal
http://www.ethereal.com




-: The Trojan Horse :-


What is a Trojan ?
"A Trojan Horse, or Trojan, is a term used to describe malware that appears, to the user, to perform a desirable function but, in fact, facilitates unauthorized access to the user's computer system". - Wikipedia

"A Trojan horse is an apparently useful program containing hidden functions that can exploit the privileges of the user [running the program], with a resulting security threat.". - CERT Advisory

Types of Trojan :-
Trojan The different types of Trojan Horses are as follows-

1) Remote Access Trojans :- Abbreviated as RATs, a Remote Access Trojans are potentially the most damaging, designed to provide the attacker with complete control of the victim's system.

2) Data Sending Trojans :- A type of a Trojan horse that is designed to provide the attacker with sensitive data such as passwords, credit card information, log files, e-mail address or IM contact lists. They could install a keylogger and send all recorded keystrokes back to the attacker.

3) Destructive Trojans :- Once this Trojan is installed on your computer, it will begin to systematically or completely randomly delete information from your computer. This can include files, folders, registry entries, and important system files, which likely to cause the failure of your operating system.

4) Proxy Trojans :- A type of Trojan horse designed to use the victim's computer as a proxy server. This gives the attacker the opportunity to conduct illegal activities, or even to use your system to launch malicious attacks against other networks.

5) FTP Trojans :- A type of Trojan horse designed to open port 21 (FTP) and acts like an FTP server. Once installed, the attacker not only could download/upload files/programs to victim's computer but also install futher malware on your computer.

6) Security Software Disabler Trojan :- A type of Trojan horse designed stop or kill security programs such as an antivirus program or firewall without the user knowing. This Trojan type is normally combined with another type of Trojan as a payload.

7) DoS Attack Trojans :- These trojans are used by the attacker to launch a DoS/DDoS attack against some website or network or any individual. In this case they are well known as "Zombies".

How Trojan Works ?
Trojans typically consist of two parts, a client part and a server part. When a victim (unknowingly) runs a Trojan server on his machine, the attacker then uses the client part of that Trojan to connect to the server module and start using the Trojan. The protocol usually used for communications is TCP, but some Trojans' functions use other protocols, such as UDP, as well. When a Trojan server runs on a victim\92s computer, it (usually) tries to hide somewhere on the computer; it then starts listening for incoming connections from the attacker on one or more ports, and attempts to modify the registry and/or use some other auto-starting method.

       It is necessary for the attacker to know the victim\92s IP address to connect to his/her machine. Many Trojans include the ability to mail the victim\92s IP and/or message the attacker via ICQ or IRC. This system is used when the victim has a dynamic IP, that is, every time he connects to the Internet, he is assigned a different IP (most dial-up users have this). ADSL users have static IPs, meaning that in this case, the infected IP is always known to the attacker; this makes it considerably easier for an attacker to connect to your machine.

       Most Trojans use an auto-starting method that allows them to restart and grant an attacker access to your machine even when you shut down your computer.

How Trojan Horses Are Installed ?
Infection from Trojans is alarmingly simple. Following are very common ways to become infected that most computer users perform on a very regular basis.
  • Software Downloads
  • Websites containing executable content (ActiveX control)
  • Email Attachments
  • Application Exploits (Flaws in a web applications)
  • Social Engineering Attacks

The Removal :-
Antivirus software is designed to detect and delete Trojan horses ideally preventing them from ever being installed.

-: The NetBus Trojan :-


NetBus was written in Delphi by Carl-Fredrik Neikter, a Swedish programmer in March 1998.

It is capable of :--
  • Open/Close CD-ROM
  • Show optional BMP/JPG image
  • Swap mouse buttons
  • Start optional application
  • Play a wav file
  • Control mouse
  • Show different kind's of messages
  • Shut down Windows
  • Download/Upload/Delete files
  • Go to an optional URL
  • Send keystrokes and disable keys
  • Listen for and send keystrokes
  • Take a screendump
  • Increase and decrease the sound-volume
  • Record sounds from the microphone
  • Make click sounds every time a key is pressed
This utility also has the ability to scan "Class C" addresses by adding "+Number of ports" to the end of the target address. Example: 255.255.255.1+254 will scan 255.255.255.1 through 255.

NetBus 2.0 Pro :- It was completely re-written and re-designed. It now has increased features such as improved GUI for client and server, improved file manager, windows manager, registry manager, plugin manager, capture of web cam images, n...more............!

Following is the stepwise procedure for installation and configuration of NetBus 2.0 Pro (server and client).

1) Download NetBus 2.0 Pro. from here -  NB2ProBeta.zip

2) Extract and install properly on your system.

3) After installation you will find the two shortcuts in the NetBus installation directory.

This is to be executed on victim's system.
This is to be executed on your system.


4) By Executing the 'NetBus Server' (on victim's computer), you will be greeted by a window as shown in figure (left). Click on 'Settings' button.
Here you can configure server settings such as port no, password, visibility, auto/manual start, etc. as shown in figure (right).


Click on 'OK' button to finish NetBus Server settings.
Then close the NetBus Server window.

5) By executing 'NetBus' (i.e. client)(on your system), you will be greeted by a window as shown below-


6) To add a new host go to the menu 'Host' and then click 'New'. This is as shown in figure (left).
Here you should enter the proper Destination(e.g. 'My Computer'), IP Address(eg. 72.232.50.186), TCP Port(by default 20034), Username/Password(exactly same as that of 'NetBus Server') for target computer.


Click on 'OK' to finish the addition of new host.

7) Now you are ready to connect with target(victim's) computer.
To do so, select the host from main window then go to 'Host' menu and then click 'Connect'.

8) After client get connected with server(target computer), you can use any of the features of 'NetBus Trojan' as listed above. You can see all these tools on 'Toolbar' of NetBus Client.

-: IP Spoofing :-


The term IP (Internet Protocol) address spoofing refers to the creation of IP packets with a forged (spoofed) source IP address with the purpose of concealing the identity of the sender or impersonating another computing system.

Why it works ?
IP-Spoofing works because trusted services only rely on network address based authentication. Since IP is easily duped, address forgery is not difficult.
The main reason is security weakness in the TCP protocol known as sequence number prediction.

How it works ?
To completely understand how ip spoofing can take place, one must examine the structure of the TCP/IP protocol suite. A basic understanding of these headers and network exchanges is crucial to the process.

Internet Protocol (IP) :
It is a network protocol operating at layer 3 (network) of the OSI model. It is a connectionless model, meaning there is no information regarding transaction state, which is used to route packets on a network. Additionally, there is no method in place to ensure that a packet is properly delivered to the destination.
Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the header) contain various information about the packet. The next 8 bytes (the next 2 rows), however, contains the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses – specifically the “source address” field.

Transmission Control Protocol (TCP) :
It is the connection-oriented, reliable transport protocol in the TCP/IP suite. Connection-oriented simply means that the two hosts participating in a discussion must first establish a connection via the 3-way handshake (SYN-SYN/ACK-ACK). Reliability is provided by data sequencing and acknowledgement. TCP assigns sequence numbers to every segment and acknowledges any and all data segments recieved from the other end.

As you can see above, the first 12 bytes of the TCP packet, which contain port and sequencing information.

TCP sequence numbers can simply be thought of as 32-bit counters. They range from 0 to 4,294,967,295. Every byte of data exchanged across a TCP connection (along with certain flags) is sequenced. The sequence number field in the TCP header will contain the sequence number of the *first* byte of data in the TCP segment. The acknowledgement number field in the TCP header holds the value of next *expected* sequence number, and also acknowledges *all* data up through this ACK number minus one.

TCP packets can be manipulated using several packet crafting softwares available on the internet.

The Attack
IP-spoofing consists of several steps. First, the target host is choosen. Next, a pattern of trust is discovered, along with a trusted host. The trusted host is then disabled, and the target's TCP sequence numbers are sampled. The trusted host is impersonated, the sequence numbers guessed, and a connection attempt is made to a service that only requires address-based authentication. If successful, the attacker executes a simple command to leave a backdoor.

Spoofing can be implemented by different ways as given below -

Non-Blind Spoofing :- This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately.

Blind Spoofing :- Here the sequence and acknowledgement numbers are unreachable. In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers.

Both types of spoofing are forms of a common security violation known as a Man In The Middle Attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient.

IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against – Denial of Service attacks, or DoS.

CounterMeasures
1) Filtering at the Router :- Implementing ingress and egress filtering on your border routers is a great place to start your spoofing defense. You will need to implement an ACL (access control list)

2) Encryption and Authentication :- Implementing encryption and authentication will also reduce spoofing threats. Both of these features are included in Ipv6, which will eliminate current spoofing threats.

3) Initial Sequence Number Randomizing.

-: IP Address :-


Definition :-
"An Internet Protocol (IP) address is a numerical identification (logical address) that is assigned to devices participating in a computer network utilizing the Internet Protocol for communication between its nodes".   -- Wikipedia

The Internet Protocol (IP) has two versions currently in use which are IPv4 and IPv6.
This article represents to IPv4 version only.

In general, an IP address is a 32-bit decimal number that is normally written as four numbers between 1 to 255 (8 bits or 1 byte each), each seperated from the other by a decimal point. This standard is known as "Dotted Decimal Notation".
e.g.-   117.200.77.110

IP addresses are divided into number of ranges/classes as given in the table below-

Class Range
A 0.0.0.0 to 127.255.255.255
B128.0.0.0 to 191.255.255.255
C192.0.0.0 to 223.255.255.255
D224.0.0.0 to 239.255.255.255
E240.0.0.0 to 255.255.255.255

e.g.-  IP Address 192.168.24.114 belongs to Class 'C'.

How to find out IP Address of your system ?
1) Connect to the Internet.
2) Launch MS-DOS Command Prompt.
3) Type "netstat -n", Press Enter.

You will get the output similar to following-


The IP Address shown in local address field denotes IP Address of your system.
In this case it is 117.200.160.151

IP Address Formats :-
Four different formats of IP Address along with example is as given below-

1) Domain Name System (DNS) : www.insecure.in
2) DWORD Format : 2928008962
3) Octal Format : 0256.0205.0337.002
4) Dotted Decimal Format : 174.133.223.2

Converting DNS IP Address into Normal IP Address :-
You can easily get the IP Address of any domain by various methods such as WHOIS, Netstat, Ping, Traceroute, etc.
Here I have used 'Ping' to get IP Address.

1) Connect to the Internet.
2) Launch MS-DOS Command Prompt.
3) Type "ping domainname", Press Enter.

You will get the output similar to following-



Here, IP Address for Domain "www.insecure.in" is "174.133.223.2"

Thus by typing "http://www.insecure.in" OR "http://2928008962" OR "0256.0205.0337.02" OR "174.133.223.2" in your browser will take you to the same site.

Not all of these formats work in all browsers.


                                     

-: Packet Header Analysis :-


Following are the easy to analyze ICMP, TCP and UDP packet headers along with short description.
All header Drawings by- "Matt Baxter" (www.fatpipe.org/~mjb/Drawings/)


ICMP-Header

ICMP Message Types :- ICMP message type-code/name format
0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply

Checksum :- The checksum is the 16-bit ones's complement of the one's complement sum of the ICMP message starting with the ICMP Type.

RFC 792 :- Please refer to RFC 792 for Internet Control Message Protocol (ICMP) Specification.


TCP-Header

TCP Flags :- C E U A P R S F
C 0x80 Reduced (CWR)
E 0x40 ECN Echo (ECE)
U 0x20 Urgent
A 0x10 Ack
P 0x08 Push
R 0x04 Reset
S 0x02 Syn
F 0x01 Fin
 
TCP Options :-
0 End of Options List
1 No Operation (NOP, Pad)
2 Maximum Segment Size
3 Window Scale
4 Selective ACK ok
8 Timestamp
 
 
 

Checksum :- Checksum of entire TCP segment and pseudo header (parts of IP header)

Offset :- Number of 32-bit words in TCP header, minimum value of 5. Multiply by 4 to get byte count.

RFC 793 :- Please refer to RFC 793 for Transmission Control Protocol (TCP) Specification.


UDP-Header

Source Port :- an optional field, when meaningful, it indicates the port of the sending process, and may be assumed to be the port to which a reply should be addressed in the absence of any other information. If not used, a value of zero is inserted.

Destination Port :- Destination Port has a meaning within the context of a particular internet destination address.

Length :- Length is the length in octets of this user datagram including this header and the data. (This means the minimum value of the length is eight.)

Checksum :- Checksum is the 16-bit one's complement of the one's complement sum of a pseudo header of information from the IP header, the UDP header, and the data, padded with zero octets at the end (if necessary) to make a multiple of two octets.

RFC 768 :- Please refer to RFC 768 for User Datagram Protocol (UDP) Specification.






No comments:

Post a Comment

Subscribe to: Posts (Atom)