One phreak, John Draper (aka "Cap'n Crunch"), discovers that a toy whistle inside Cap'n Crunch cereal gives a 2600-hertz signal and can access AT&T's long-distance switching system. Draper builds a "blue box" which, used with the whistle, allows phreaks to make free calls. Steve Wozniak and Steve Jobs, future founders of Apple Computer, make and sell blue boxes.
THE GOLDEN AGE (1980-1991)
1980: Hacker Message Boards and Groups. Hacking groups form, such as Legion of Doom (US) and Chaos Computer Club (Germany).
1983: Kids' Games. The movie "War Games" introduces the public to hacking.
1. ETHICAL HACKING
An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. To test a security system, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion testing and red teaming. An ethical hacker is sometimes called a white hat, a term that comes from old Western movies, where the "good guy" wore a white hat and the "bad guy" wore a black hat.
Cyber ethics is a code of behavior for using the Internet. Since we are going to view it from the hacker's perspective, we will first dissect what the word hacker stands for.
HACKER:
A hacker is a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is used to refer to someone skilled in the use of computer systems, especially if that skill was obtained in an exploratory way. It is often misused in a pejorative context where cracker would be the correct term, and because of that the term evolved to be applied to individuals, with or without skill, who break into security systems. Several subgroups of the computer underground, with different attitudes and aims, use different terms to demarcate themselves from each other, or try to exclude some specific group with which they do not agree. In hacker culture there are many different categories, such as white hat (ethical hacking), grey hat, black hat and script kiddies. Usually the term cracker refers to black hat hackers or, more generally, hackers with unlawful intentions.
WHITE HAT HACKER
A white hat hacker, also called an ethical hacker, is, in the realm of information technology, a person who is ethically opposed to the abuse of computer systems. The realization that the Internet now represents human voices from around the world has made the defense of its integrity an important pastime for many. A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them. The term white hat hacker is also often used to describe those who attempt to break into systems or networks in order to help the owners of the system by making them aware of security flaws, or to perform some other altruistic activity. Many such people are employed by computer security companies; these professionals are sometimes called sneakers. Groups of these people are often called tiger teams.
GREY HAT HACKER
A grey hat, in the computer security community, refers to a skilled hacker who sometimes acts legally, sometimes in good will, and sometimes not. They are a hybrid between white and black hat hackers. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits. One reason a grey hat might consider himself to be grey is to disambiguate from the other two extremes, black and white. It might be a little misleading to say that grey hat hackers do not hack for personal gain.
BLACK HAT HACKER
A black hat is a person who compromises the security of a computer system without permission from an authorized party, typically with malicious intent. The term white hat is used for a person who is ethically opposed to the abuse of computer systems, but who is frequently no less skilled. The term cracker was coined by Richard Stallman to provide an alternative to using the existing word hacker for this meaning.[1] The somewhat similar activity of defeating copy prevention devices in software, which may or may not be legal under a country's laws, is actually software cracking. Use of the term "cracker" is mostly limited (as is "black hat") to some areas of the computer and security field, and even there it is considered controversial. Until the 1980s, all people with a high level of skill at computing were known as "hackers".
PHREAKER
Phreaking is a slang term coined to describe the activity of a culture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. As telephone networks have become computerized, phreaking has become closely linked with computer hacking. This is sometimes called the H/P culture (with H standing for hacking and P standing for phreaking). The term phreak is a portmanteau of the words phone and freak, and may also refer to the use of various audio frequencies to manipulate a phone system. Phreak, phreaker, or phone phreak are names used for and by individuals who participate in phreaking. A large percentage of the phone phreaks were blind. Because identities were usually masked, an exact percentage cannot be calculated.
SCRIPT KIDDIES
A script kiddie or skiddie, occasionally skid, script bunny, script kitty, script-running juvenile (SRJ) or similar, is a derogatory term used to describe those who use scripts or programs developed by others to attack computer systems and networks and deface websites.
HACKTIVISTS
Hacktivism (a portmanteau of hack and activism) is the use of computers and computer networks as a means of protest to promote political ends. The term was first coined in 1998 by a member of the Cult of the Dead Cow hacker collective named Omega. If hacking as "illegally breaking into computers" is assumed, then hacktivism could be defined as "the nonviolent use of legal and/or illegal digital tools in pursuit of political ends". These tools include web site defacements, redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins, typosquatting and virtual sabotage. If hacking as "clever computer usage/programming" is assumed, then hacktivism could be understood as the writing of code to promote political ideology: promoting expressive politics, free speech, human rights, and information ethics through software development. Acts of hacktivism are carried out in the belief that proper use of code will be able to produce similar results to those produced by regular activism or civil disobedience.
Scanning: Scanning the target system for open ports and the services running on those ports.
Gaining Access: Gaining actual access to the particular system by exploiting it.
Maintaining Access: Keeping access to the system even after leaving it, so that all the steps need not be performed again from scratch.
Clearing Tracks: Removing any footprints so as to remain undetected by the victim.
Altavista Search: www.altavista.com
Fast Search: www.alltheweb.com
Gigablast: www.gigablast.com
Snap Search: www.snap.com
Maltego
With the continued growth of your organization, the people and hardware deployed to ensure that it remains in working order are essential, yet the threat picture of your environment is not always clear or complete. In fact, most often it's not what we know that is harmful; it's what we don't know that causes the most damage. This being stated, how do you develop a clear profile of what the current deployment of your infrastructure resembles? What are the cutting-edge tool platforms designed to offer the granularity essential to understand the complexity of your network, both physical and resource based? Maltego is a unique platform developed to deliver a clear threat picture of the environment that an organization owns and operates. Maltego's unique advantage is to demonstrate the complexity and severity of single points of failure as well as the trust relationships that currently exist within the scope of your infrastructure.
Intelius:
Whois Lookup:
Domain Tools:
samspade.org:
.in registry:
Reverse IP Mapping: Reverse IP mapping is the method of finding the number of websites hosted on the same server.
By selecting the Reverse IP link we can get the list of websites hosted on a given IP address.
Trace Route: Traceroute gives useful information regarding the number of servers between your computer & a remote computer. 1) Useful for investigation as well as for various attacks. 2) Tools: VisualRoute, NeoTrace.
Geowhere: Finds websites using popular newsgroups; also finds mailing lists and newsgroups & extracts information from 20 search engines.
Email Spiders: Email spiders are automated software which captures email ids using spiders & stores them in a database. Spammers use email spiders to collect thousands of emails for spamming purposes.
1.3 SCANNING
Long ago, ports were scanned by connecting to them manually with telnet. Today people use more sophisticated programs with many methods to scan IP ranges for a large number of ports. Scanning is the process of finding out open/closed ports and vulnerabilities in remote systems, servers & networks. Scanning will reveal IP addresses, operating systems and services running on a remote computer. There are three types of scanning.
PORT SCANNING
Port scanning is one of the most popular techniques attackers use to discover the services they can break into. 1) All machines connected to a LAN or connected to the Internet via a modem run many services that listen on well-known and not so well-known ports. 2) Ports 1 to 65535 are available on a computer. 3) By scanning, the attacker finds which ports are available.
PORTS: THE PORT NUMBERS ARE UNIQUE ONLY WITHIN A COMPUTER SYSTEM. 1) Port numbers are 16-bit unsigned numbers. 2) The port numbers are divided into three ranges: * Well Known Ports (0-1023) * The Registered Ports (1024-49151) * The Dynamic and/or Private Ports (49152-65535)
WELL KNOWN PORTS (services): Echo; File Transfer [Default Data]; File Transfer [Control]; SSH Remote Login Protocol; Telnet; Domain Name Service; World Wide Web HTTP; Simple Mail Transfer Protocol.
REGISTERED PORTS:
wins 1512/tcp Microsoft Windows Internet Name Service
radius 1812/udp RADIUS authentication protocol
yahoo 5010 Yahoo Messenger
x11
SYN (Synchronize): used to initiate a connection between hosts.
ACK (Acknowledgment): used to establish a connection between hosts.
PSH (Push): tells the receiving system to send all buffered data.
URG (Urgent): states that the data contained in the packet should be processed immediately.
FIN (Finish): tells the remote system that there will be no more transmissions.
TTL: Time to Live.
TCP CONNECT()
1. The connect() system call provided by an OS is used to open a connection to every interesting port on the machine. 2. If the port is listening, connect() will succeed; otherwise the port isn't reachable.
STEALTH SCAN
1. A stealth scan is a kind of scan that is designed to go undetected by auditing tools. 2. Fragmented scan: the scanner splits the TCP header into several IP fragments. 3. This bypasses some packet-filter firewalls because they cannot see a complete TCP header to match against their filter rules.
SYN SCAN
1. This technique is called half-open scanning because a TCP connection is not completed. 2. A SYN packet is sent to the remote system. 3. The target host responds with a SYN+ACK, which indicates the port is listening; an RST indicates a non-listener.
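The three scan types above leave different traces on the wire, and that is how a defender tells them apart in a packet log. The following added example (not from the original document) classifies each probed port as connect(), half-open, closed or unanswered, maps ports onto the three ranges named earlier, and flags any source touching many ports; the tcpdump-like log format and the sample addresses are constructed for the example.

```python
"""Classify TCP probe patterns and flag scanning sources from a packet log.

Assumed log format (constructed for this example), one segment per line:
    "<src ip>:<port> > <dst ip>:<port> [<flags>]"   flags S A R F P U, dot-separated
"""
import re
from collections import defaultdict


def port_range(port: int) -> str:
    """Map a 16-bit port number onto the three ranges from the text."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port outside 16-bit range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


LINE_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) \[([A-Z.]+)\]$")


def parse_line(line: str):
    """Return (src, sport, dst, dport, flag set) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), set(flags.split("."))


def classify_probes(lines):
    """Group segments into flows keyed by (client, server, server port) and label each:
    'connect'     SYN, SYN/ACK, ACK  full handshake (connect() scan or a real client)
    'half-open'   SYN, SYN/ACK, RST  prober tears down before completing (SYN scan)
    'closed'      SYN, RST/ACK       nothing listening
    'listening'   SYN, SYN/ACK, then nothing more seen
    'no-response' SYN, silence       dropped by a filter or host down
    """
    flows = defaultdict(list)  # (client, server, dport) -> [(sender, flags), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, sport, dst, dport, flags = rec
        if flags == {"S"}:                    # bare SYN opens a flow; sender is the client
            flows[(src, dst, dport)].append(("client", flags))
        elif (dst, src, sport) in flows:      # reply travelling server -> client
            flows[(dst, src, sport)].append(("server", flags))
        elif (src, dst, dport) in flows:      # client follow-up on an existing flow
            flows[(src, dst, dport)].append(("client", flags))
    labels = {}
    for key, events in flows.items():
        server = [f for who, f in events if who == "server"]
        client_after = [f for who, f in events[1:] if who == "client"]
        if not server:
            labels[key] = "no-response"
        elif "R" in server[0]:
            labels[key] = "closed"
        elif {"S", "A"} <= server[0]:
            if any("R" in f for f in client_after):
                labels[key] = "half-open"
            elif any(f == {"A"} for f in client_after):
                labels[key] = "connect"
            else:
                labels[key] = "listening"
        else:
            labels[key] = "other"
    return labels


def scan_sources(labels, min_ports: int = 3):
    """Sources that probed at least `min_ports` distinct (host, port) targets, however they probed."""
    targets = defaultdict(set)
    for client, server, dport in labels:
        targets[client].add((server, dport))
    return sorted(src for src, t in targets.items() if len(t) >= min_ports)


# Constructed sample: 10.0.0.5 probes four ports on 10.0.0.9 using mixed
# techniques; 10.0.0.7 makes one ordinary web connection.
SAMPLE_LOG = """\
10.0.0.5:40001 > 10.0.0.9:22 [S]
10.0.0.9:22 > 10.0.0.5:40001 [S.A]
10.0.0.5:40001 > 10.0.0.9:22 [R]
10.0.0.5:40002 > 10.0.0.9:23 [S]
10.0.0.9:23 > 10.0.0.5:40002 [R.A]
10.0.0.5:40003 > 10.0.0.9:80 [S]
10.0.0.9:80 > 10.0.0.5:40003 [S.A]
10.0.0.5:40003 > 10.0.0.9:80 [A]
10.0.0.5:40004 > 10.0.0.9:443 [S]
10.0.0.7:51000 > 10.0.0.9:80 [S]
10.0.0.9:80 > 10.0.0.7:51000 [S.A]
10.0.0.7:51000 > 10.0.0.9:80 [A]
""".splitlines()

if __name__ == "__main__":
    found = classify_probes(SAMPLE_LOG)
    for (client, server, dport), label in sorted(found.items()):
        print(f"{client} -> {server}:{dport:<5} ({port_range(dport)}) {label}")
    print("suspected scanners:", scan_sources(found))
```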
SPYWARE
Spyware is a piece of software that gets installed on a computer without your consent. It collects your personal information without you being aware of it, can change how your computer or web browser is configured, and bombards you with online advertisements. Spyware programs are notorious for being difficult to remove on your own and for slowing down your PC. The program gets installed in the background while you are doing something else on the Internet. Spyware has become fairly widespread because cable modem and DSL connections are always connected.
DIFFERENCE BETWEEN VIRUSES, WORMS AND TROJANS
A virus is an application that self-replicates by injecting its code into other data files. A virus spreads and attempts to consume specific targets, which are normally executables. A worm copies itself over the network. It is a program that views another computer as the infection point, rather than other executable files on an already infected computer. A Trojan is a program that, once executed, performs a task other than the one expected.
MODES OF TRANSMISSION: IRC, ICQ, email attachments, physical access, browser & email software bugs, advertisements, NetBIOS, fake programs.
VIRUS PROPERTIES
-Your computer can be infected even if files are just copied.
-Can be polymorphic.
-Can be memory or non-memory resident.
-Can be a stealth virus.
-Viruses can carry other viruses.
-Can make the system never show outward signs.
-Can stay on the computer even if the computer is formatted.
VIRUS OPERATION PHASES
Most viruses operate in two phases.
INFECTION PHASE
In this phase virus developers decide
-When to infect programs
-Which programs to infect
Some viruses infect the computer as soon as the virus file is installed on the computer. Some viruses infect the computer on a specific date, time or particular event. TSR viruses are loaded into memory & later infect the PC.
ATTACK PHASE
In this phase the virus will
-Delete files.
-Replicate itself to other PCs.
-Corrupt targets only.
VIRUS INDICATIONS
Following are some of the common indications of a virus when it infects a system:
-Files have stranger names than normal. File extensions can also be changed.
-Programs take longer to load than normal.
-The computer's hard drive constantly runs out of free space.
-The victim will not be able to open some programs.
-Programs get corrupted without any reason.
VIRUS TYPES
Following are some of the common types of virus:
-Macro virus: spreads & infects database files.
-File virus: infects executables.
-Source code virus: affects & damages source code.
-Network virus: spreads via network elements & protocols.
-Boot virus: infects boot sectors & records.
-Shell virus: the virus code forms a shell around the target host's genuine program & hosts it as a subroutine.
-Terminate & stay resident virus: remains permanently in memory during the work session, even after the target host is executed & terminated.
-In order to avoid detection by users, some viruses employ different kinds of deception.
-Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus.
-This approach sometimes fools anti-virus software.
OVERWRITING UNUSED AREAS OF THE .EXE FILES.
KILLING TASKS OF ANTIVIRUS SOFTWARE.
-Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them.
AVOIDING BAIT FILES & OTHER UNDESIRABLE HOSTS.
-Bait files (goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus.
-Many anti-virus programs perform an integrity check of their own code.
-Infecting such programs will therefore increase the likelihood that the virus is detected.
-Anti-virus professionals can use bait files to take a sample of a virus.
MAKING A STEALTH VIRUS.
-Some viruses try to trick anti-virus software by intercepting its requests to the operating system.
-The virus can then return an uninfected version of the file to the anti-virus software, so that it seems the file is "clean."
SELF MODIFICATION ON EACH INFECTION.
-Some viruses try to trick anti-virus software by modifying themselves on each infection.
-As the file signatures change, antivirus software finds it difficult to detect them.
ENCRYPTION WITH VARIABLE KEY.
-Some viruses use simple methods to encipher their code.
-The virus is encrypted with a different encryption key on each infection.
-The AV cannot scan such files directly using conventional methods.
-It is a disassembler & debugger tool.
-Runs on both Linux & Windows.
-Can be used in source code analysis, vulnerability research & reverse engineering.
AUTORUNS
PROCESS EXPLORER
"SSL secures my site"
- SSL secures the transport of data between the web server and the user's browser.
- SSL does not protect against attacks against the server and applications.
- SSL is the hacker's best friend due to the false sense of security.
The Source of the Problem
"Malicious hackers don't create security holes; they simply exploit them. Security holes and vulnerabilities - the real root cause of the problem - are the result of bad software design and implementation." - John Viega & Gary McGraw.
2.4. SECURITY GUIDELINES
-Validate Input and Output.
-Fail Securely (Closed).
-Keep it Simple.
-Use and Reuse Trusted Components.
-Defence in Depth.
-Only as Secure as the Weakest Link.
-Security By Obscurity Won't Work.
-Least Privilege.
-Compartmentalization (Separation of Privileges).
Validate Input and Output. All User input and user output should be checked to ensure it is both appropriate and expected. Allow only explicitly defined characteristics and drop all other data.
Fail Securely
When it fails, it fails closed. It should fail to a state that rejects all subsequent security requests. A good analogy is a firewall: if it fails, it should drop all subsequent packets.
Keep it Simple
If a security system is too complex for its user base, it will either not be used or users will try to find ways to bypass it. This message applies equally to tasks that an administrator must perform in order to secure an application. It is also intended for the security-layer APIs that application developers must use to build the system.
Use and Reuse Trusted Components
Using and reusing trusted components makes sense both from a resource stance and from a security stance. When someone else has proven they got it right, take advantage of it.
Defence in Depth
Relying on one component to perform its function 100% of the time is unrealistic.
While we hope to build software and hardware that works as planned, predicting the unexpected is difficult. Good systems don't predict the unexpected, but plan for it.
Only as Secure as the Weakest Link Careful thought must be given to what one is securing. Attackers are lazy and will find the weakest point and attempt to exploit it.
Security By Obscurity Won't Work
It's naive to think that hiding things from prying eyes doesn't buy some amount of time. This strategy doesn't work in the long term and has no guarantee of working in the short term.
Least Privilege Systems should be designed in such a way that they run with the least amount of system privilege they need to do their job.
Compartmentalization (Separation of Privileges)
Compartmentalization is an important concept widely adopted in the information security realm. Compartmentalizing users, processes and data helps contain problems if they do occur.
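The two guidelines that most often decide whether a bug becomes a breach are "Validate Input and Output" and "Fail Securely (Closed)". The added example below (not from the original document) shows both in a small authorization check, with the fail-open anti-pattern alongside for contrast; the request fields, role table and the simulated policy-backend failure are assumptions made for the example.

```python
"""Allow-list input validation, output filtering and a fail-closed authorizer.

Everything here is a constructed example: the username rule, the actions,
the role table and the simulated backend failure for one user.
"""
import re

# Validate input: describe explicitly what is allowed and drop everything else.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")   # 3-32 chars, letter first
ALLOWED_ACTIONS = {"read", "write"}
PUBLIC_FIELDS = {"id", "title"}                       # the only fields a response may carry


def validate_request(raw: dict) -> dict:
    """Return a cleaned copy holding only the expected fields in the expected shape.
    Wrong types and stray characters are rejected; extra keys such as
    "admin": True are dropped rather than passed along to the policy check."""
    user = raw.get("user")
    if not isinstance(user, str) or not USERNAME_RE.fullmatch(user):
        raise ValueError("user must match [a-z][a-z0-9_]{2,31}")
    action = raw.get("action")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action must be one of {sorted(ALLOWED_ACTIONS)}")
    return {"user": user, "action": action}


def validate_output(record: dict) -> dict:
    """Output is checked as well: only explicitly public fields leave the system."""
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


# Constructed role table and permission matrix.
ROLES = {"alice": "editor", "bob": "viewer"}
PERMS = {"viewer": {"read"}, "editor": {"read", "write"}}


class PolicyBackendError(Exception):
    pass


def lookup_role(user: str):
    # Simulated backend failure for one user so the failure path can be exercised.
    if user == "mallory":
        raise PolicyBackendError("policy store timeout")
    return ROLES.get(user)


def authorize(raw: dict) -> bool:
    """Fail closed: every path that is not an explicit allow is a deny, including
    validation errors, unknown users and errors inside the policy lookup."""
    try:
        req = validate_request(raw)
        role = lookup_role(req["user"])
        return req["action"] in PERMS.get(role, set())
    except Exception:
        return False


def authorize_fail_open(raw: dict) -> bool:
    """The anti-pattern the guideline warns against: any failure is treated as
    'no objection' and the request goes through."""
    try:
        req = validate_request(raw)
        role = lookup_role(req["user"])
        return req["action"] in PERMS.get(role, set())
    except Exception:
        return True


if __name__ == "__main__":
    for req in ({"user": "alice", "action": "write"},
                {"user": "bob", "action": "write"},
                {"user": "bob;--", "action": "read"},
                {"user": "mallory", "action": "read"}):
        print(req, "closed:", authorize(req), "open:", authorize_fail_open(req))
    print(validate_output({"id": 7, "title": "notes", "owner_password_hash": "x"}))
```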
Operates in the 2.4000GHz to 2.2835GHz frequency range and can operate at up to 11 megabits per second.
802.11a
Operates in the 5.15-5.35 GHz frequency range and can operate at up to 54 megabits per second.
802.11g
Operates in the 2.4 GHz frequency range (increased bandwidth range) and can operate at up to 54 megabits per second.
When setting up a WLAN, the channel and service set identifier (SSID) must be configured in addition to traditional network settings such as IP address and subnet mask. The channel is a number between 1 and 11 (1 and 13 in Europe) and designates the frequency on which the network will operate. The SSID is an alphanumeric string that differentiates networks operating on the same channel. It is essentially a configurable name that identifies an individual network. These settings are important factors when identifying WLANs and sniffing traffic.
SSIDs
The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. The SSID acts as a single shared password between access points and clients. Security concerns arise when the default values are not changed, as these units can then be easily compromised.
ATTACKER'S POINT OF VIEW: If the target access point responds to a broadcast SSID probe, then he might just be in luck. This is because most wireless card drivers are configured with an SSID of ANY so that they will be able to associate with the wireless network. When the SSID is set to ANY, the driver sends a probe request to the broadcast address with a zero-length SSID and info. Though this configuration makes it easier for the user, as the user does not have to remember the SSID to connect to the wireless LAN, it makes it much simpler for attackers to gather SSIDs. Some of the common default passwords are:
3Com AirConnect 2.4 GHz DS (newer 11 Mbit, Harris/Intersil Prism based)
Addtron (Model: ?): default SSID 'WLAN'
Apple AirPort: default channel 1
Compaq WL-100/200/300/400
WPA and WPA2 Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy). WPA (sometimes referred to as the draft IEEE 802.11i standard) became available around 1999 and was intended as an intermediate measure in anticipation of the availability of the more secure and complex WPA2. WPA2 became available around 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard.
A flaw in a feature added to Wi-Fi, called Wi-Fi Protected Setup, allows WPA and WPA2 security to be bypassed and effectively broken in many situations. HACKING TOOL: Netstumbler: http://netstumbler.org
airodump: 802.11 packet capture program
aireplay: 802.11 packet injection program
aircrack: static WEP and WPA-PSK key cracker
airdecap: decrypts WEP/WPA capture files
This document has been translated into Spanish (thanks to ShaKarO).
Is there an aircrack discussion forum? Sure: http://100h.org/forums/. Also, check out #aircrack on irc.freenode.net.
Where to download aircrack? The official download location is http://www.cr0.net:8040/code/network/. However, if you can't access port 8040 for some reason, you may use this mirror instead: http://100h.org/wlan/aircrack/. Aircrack is included in the Troppix LiveCD, which features { Prism2 / PrismGT / Realtek / Atheros / Ralink } drivers patched for packet injection, as well as the acx100, ipw2200 (Centrino) and zd1211 drivers.
It says "cygwin1.dll not found" when I start aircrack.exe. You can download this library from: http://100h.org/wlan/aircrack/. To use aircrack, drag & drop your .cap or .ivs capture file(s) onto aircrack.exe. If you want to pass options to the program you'll have to start a shell (cmd.exe) and manually type the command line; there is also a GUI for aircrack, developed by hexanium. Example: C:\TEMP> aircrack.exe -n 64 -f 8 out1.cap out2.cap ... See below for a list of options.
How do I crack a static WEP key? The basic idea is to capture as much encrypted traffic as possible using airodump. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run aircrack on the resulting capture file. aircrack will then perform a set of statistical attacks developed by a talented hacker named KoreK.
How do I know my WEP key is correct? There are two authentication modes for WEP:
- Open-System Authentication: this is the default mode. All clients are accepted by the AP, and the key is never checked: association is always granted. However, if your key is incorrect you won't be able to receive or send packets (because decryption will fail), so DHCP, ping etc. will time out.
- Shared-Key Authentication: the client has to encrypt a challenge before association is granted by the AP. This mode is flawed and leads to keystream recovery, so it's never enabled by default.
In summary, just because you seem to have successfully connected to the access point doesn't mean your WEP key is correct! To check your WEP key, try to decrypt a capture file with the airdecap program.
Countermeasures
First, always use a complex passphrase. Include upper case and lower case letters, numbers and special characters in the passphrase. Next, the passphrase should be as long as possible. Using the full 63-character space for WPA is best; however, if you must keep it simple, make sure it is at least 12 or more characters. Enable MAC address filtering and statically assign IP addresses to MAC addresses if your network (like most) uses DHCP to dynamically assign IP addresses. In addition, configure the DHCP scope to include only IP addresses statically assigned to a network host. Employ IEEE 802.1X and/or directory server authentication in addition to a wireless encryption protocol. Wireless network clients would be required to associate with a wireless AP and then authenticate with the directory servers before access is granted. Remember that each security measure takes time for would-be hackers to crack. If it takes too long, they will move on to the next target.
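The reason a large enough capture breaks static WEP is the 3-byte IV mentioned above: a 24-bit space holds only 16,777,216 values, so on a busy network IVs repeat, and that repetition is what the statistical attacks feed on. The added example below (not from the original document, nor aircrack's code) pulls the IV out of 802.11 data frames and measures how much reuse a capture already shows, which is a useful audit when checking whether legacy WEP is still in use anywhere before moving to WPA2. The frames are constructed, not captured; the frame layout assumed is a 24-byte MAC header followed by the 4-byte IV/key-id field when the Protected Frame bit is set.

```python
"""Extract WEP IVs from 802.11 data frames and report IV reuse in a capture.

Frames here are constructed for the example. Assumed layout: 24-byte MAC
header (frame control, duration, three addresses, sequence control), then
IV (3 bytes) + key-id byte when the Protected Frame flag is set.
"""
import math
import struct
from collections import Counter

MAC_HDR_LEN = 24
FC_TYPE_DATA = 2
FC_PROTECTED = 0x4000  # Protected Frame flag in the little-endian 16-bit frame control


def build_data_frame(iv: int, key_id: int = 0, protected: bool = True) -> bytes:
    """Constructed 802.11 data frame; addresses, payload and ICV are dummies."""
    fc = (FC_TYPE_DATA << 2) | (FC_PROTECTED if protected else 0)
    hdr = struct.pack("<HH6s6s6sH", fc, 0, b"\x01" * 6, b"\x02" * 6, b"\x03" * 6, 0)
    body = b"\x00" * 8
    if not protected:
        return hdr + body
    return hdr + iv.to_bytes(3, "big") + bytes([key_id << 6]) + body + b"\x00" * 4


def wep_iv(frame: bytes):
    """Return (iv, key_id) for a WEP-protected data frame, otherwise None."""
    if len(frame) < MAC_HDR_LEN + 4:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if ((fc >> 2) & 0x3) != FC_TYPE_DATA or not (fc & FC_PROTECTED):
        return None
    iv = int.from_bytes(frame[MAC_HDR_LEN:MAC_HDR_LEN + 3], "big")
    key_id = frame[MAC_HDR_LEN + 3] >> 6
    return iv, key_id


def iv_reuse_report(frames) -> dict:
    """Count WEP frames, distinct IVs and every IV seen more than once."""
    ivs = [r[0] for r in map(wep_iv, frames) if r is not None]
    counts = Counter(ivs)
    return {
        "wep_frames": len(ivs),
        "distinct_ivs": len(counts),
        "reused": {iv: n for iv, n in counts.items() if n > 1},
    }


def frames_until_repeat(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames with random IVs needed before some IV repeats with probability p."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p))))


# Constructed capture: six WEP frames (two IVs repeat) plus one unprotected frame.
SAMPLE_FRAMES = [build_data_frame(iv) for iv in
                 (0x0A0B0C, 0x112233, 0x0A0B0C, 0xFFFFFF, 0x112233, 0x000001)]
SAMPLE_FRAMES.append(build_data_frame(0, protected=False))

if __name__ == "__main__":
    print(iv_reuse_report(SAMPLE_FRAMES))
    print("frames for a 50% chance of an IV repeat:", frames_until_repeat())
```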
4. CONCLUSION:
The word "hacker" carries weight. People strongly disagree as to what a hacker is. Hacking may be defined as legal or illegal, ethical or unethical. The media's portrayal of hacking has boosted one version of discourse. The conflict between discourses is important for our understanding of computer hacking subculture. Also, the outcome of the conflict may prove critical in deciding whether or not our society and institutions remain in the control of a small elite or we move towards a radical democracy (a.k.a. socialism). It is my hope that the hackers of the future will move beyond their limitations (through inclusion of women, a deeper politicization, and more concern for recruitment and teaching) and become hacktivists. They need to work with non-technologically based and technology-borrowing social movements (like most modern social movements, who use technology to do their task more easily) in the struggle for global justice. Otherwise the non-technologically based social movements may face difficulty continuing to resist as their power base is eroded while that of the new technopower elite is growing, and the fictionesque cyberpunk-1984 world may become real.
If you know the enemy and know yourself, you need not fear the results of a hundred battles.
HACKING - An ART of EXPLOITING.
5. REFERENCES:
- http://www.eccouncil.org/cnda.htm
- http://www.eccouncil.org/certification/certified_ethical_hacker.aspx
- https://eccouncil.org/cehv7.aspx
- EC-Council. "CEH v7 Exam (312-50)". Retrieved May 3, 2011.
- D'Ottavi, Alberto (2003-02-03). "Interview: Father of the Firewall". Retrieved 2008-06-06.
- http://hotjobs.yahoo.com/career-articles-6_unusual_high_paying_careers-600
- http://www.eccouncil.org/pressroom/Recognition%20of%20ECCouncil%20Certifications.pdf
- http://www.darkreading.com/security/management/showArticle.jhtml?articleID=213000149
- http://iase.disa.mil/eta/iawip/content_pages/iabaseline.html