OS Fingerprinting

-: Network Hacking (OS Fingerprinting) :-


OS Fingerprinting :- OS Fingerprinting refers to detection of target computer's operating system.
Since, different operating system responds differently to the same kind of ICMP message, it is very important for an attacker to determine the exact operating system running on target system.
Also attacker can carry out attacks by taking over the vulnerabilities/bugs found in that particular operating system.
There are four areas that we will look at to determine the operating system (however there are other signatures that can be used). These signatures are:

1) TTL - What the operating system sets the Time To Live on the outbound packet.
2) Window Size - What the operating system sets the Window Size at.
3) DF - Does the operating system set the Don't Fragment bit.
4) TOS - Does the operating system set the Type of Service, and if so, at what.

There are two different types of OS Fingerprinting technique -

1) Active OS Fingerprinting :- Remote active operating system fingerprinting is the process of actively determining a targeted network node’s underlying operating system by probing the
targeted system with several packets and examining the response(s), or lack thereof, received? The traditional approach is to examine the TCP/IP stack behavior (IP, TCP, UDP, and ICMP protocols) of a targeted network element when probed with several legitimate and/or malformed packets.

Recommended Tools      
Nmap    http://insecure.org/nmap   


2) Passive OS Fingerprinting :-Passive fingerprinting is based on sniffer traces from the remote system. Instead of actively querying the remote system, all you need to do is capture packets sent from the remote system. Based on the sniffer traces of these packets, you can determine the operating system of the remote host. Just like in active fingerprinting, passive fingerprinting is
based on the principle that every operating system's IP stack has its own idiosyncrasies. By analyzing sniffer traces and identifying these differences, you may be able determine the operating system of the remote host.

Recommended Tools      
P0f    http://lcamtuf.coredump.cx/p0f.shtml      
Ettercap    http://ettercap.sourceforge.net   
 

Port Scanning

-: Network Hacking (Port Scanning) :-


Port Scanning :- Port scanning is carried out to determine a list of open ports on the remote host that have certain services or daemons running. In port scanning, the attacker connects to various TCP and UDP ports and tries to determine which ports are in listening mode.

1) TCP Ports Scanning :- Almost all port scans are based on the client sending a packet containing a particular flag to the target port of the remote system to determine whether the port is open. Following table lists the type of flags a TCP packet header can contain.

Flag    Meaning      
URG (urgent)    This flag tells the receiver that the data pointed at by the urgent pointer required urgently.      
ACK (acknowledgment)    This flag is turned on whenever sender wants to acknowledge the receipt of all data send by the receiving end.      
PSH (push)    The data must be passed on to the application as soon as possible.      
RST (reset)    There has been a problem with the connection and one wants to reset the connection with another.      
SYN (synchronize)    If system X wants to establish TCP connection with system Y, then it sends it's own sequence number to Y, requesting that a connection be established. Such apacket is known as synchronize sequence numbers or SYN packet.      
FIN (finish)    If system X has finished sending all data packets and wants to end the TCP/IP connection that it has established with Y, then it sends a packet with a FIN flag to system Y.    


A typical TCP/IP three way handshake can be described as follows :
1) The client sends a SYN packet to the server.
2) The server replies with a SYN packet and acknowledges the client's SYN packet by sending an ACK packet.
3) The client acknowledges the SYN sent by the server.

Different techniques of TCP port scanning are :-
1) TCP connect port scanning
2) TCP SYN scanning (half open scanning)
3) SYN/ACK scanning
4) TCP FIN scanning
5) TCP NULL scanning
6) TCP Xmas tree scanning

2) UDP Ports Scanning :- In UDP port scanning, aUDP packet is sent to each port on the target host one by one.
If the remote port is closed, then the server replies with a Port Unreachable ICMP error message. If the port is open then no such error message is generated.

3) FTP Bounce Port Scanning :- The FTP bounce port scanning technique was discovered by Hobbit. He revealed a very interesting loophole in the FTP protocol that allowed users connected to the FTP service of a particular system to connect to any port of another system. This loophole allows anonymous port scanning.


Recommended   Tools      
Nmap    http://www.insecure.org/nmap      
Superscan    http://www.foundstone.com   


Address Resolution Protocol


-: Address Resolution Protocol (ARP) Attacks :-


What Does ARP Mean?
Address Resolution Protocol (ARP) is a stateless protocol, was designed to map Internet Protocol addresses (IP) to their associated Media Access Control (MAC) addresses. This being said, by mapping a 32 bit IP address to an associated 48 bit MAC address via attached Ethernet devices, a communication between local nodes can be made.

On a majority of operating systems, such as Linux, FreeBSD, and other UNIX based operating systems, and even including Windows, the "arp" program is present. This program can be used to display and/or modify ARP cache entries.

An example of the "arp" utility's output would look like the following:

Windows:
> arp -a
Interface: 192.168.1.100 .- 0x10003
Internet Address        Physical Address        Type
192.168.1.1          00-13-10-23-9a-53       dynamic

Linux:
$ arp -na
? (192.168.1.1) at 00:90:B1:DC:F8:C0 [ether] on eth0

FreeBSD:
$ arp -na
? (192.168.1.1) at 00:00:0c:3e:4d:49 on bge0


How ARP works?
Specifically for Internet Protocol Version 4 (IPv4), ARP maps IP addresses between the Network layer and Data Link layer of the Open System Interconnection (OSI) model.
For a more complete and thorough explanation of how address resolution works, and protocol specifics, please consult RFC 826.


ARP Protocol Flaws :-
ARP's main flaw is in its cache. Knowing that it is possible for ARP to update existing entries as well as add to the cache, this leads one to believe that forged replies can be made, which result in ARP cache poisoning attacks.


Terms & Definitions :-
ARP Cache Poisoning : Broadcasting forged ARP replies on a local network. In a sense, "fooling" nodes on the network. This can be done because ARP lacks authentication features, thus blindly accepting any request and reply that is received or sent.

MAC Address Flooding : An ARP cache poisoning attack that is mainly used in switched environments. By flooding a switch with fake MAC addresses, a switch is overloaded. Because of this, it broadcasts all network traffic to every connected node. This outcome is referred to as "broadcast mode" because, all traffic passing through the switch is broadcasted out like a Hub would do. This then can result in sniffing all network traffic.


The ARP Attacks :-
1] Connection Hijacking & Interception : Packet or connection hijacking and interception is the act in which any connected client can be victimized into getting their connection manipulated in a way that it is possible to take complete control over.

2] Connection Resetting : The name explains itself very well. When we are resetting a client's connection, we are cutting their connection to the system. This can be easily done using specially crafted code to do so. Luckily, we have wonderful software that was made to aid us in doing so.

3] Man In The Middle : One of the more prominent ways of attacking another user in order to hijack their traffic, is by means of a Man In The Middle (MITM) attack. Unlike the other attacks, a MITM is more a packet manipulation attack which in the end however does result in packet redirection to the attacker . all traffic will get sent to the attacker doing the MITM attack. This attack however is specific. As opposed to MAC Address Flooding or other attacks against a router/switch, the MITM attack is against a victim, and also can be done outside of a switched environment. Thus meaning, an attack can be executed against a person on the other side of the country.

4] Packet Sniffing : Sniffing on a Local Area Network (LAN) is quite easy if the network is segmented via a hub, rather than a switch. It is of course possible to sniff on a switched environment by performing a MAC flood attack. As a result of the MAC flood, the switch will act as a hub, and allow the entire network to be sniffed. This gives you a chance to use any sort of sniffing software available to you to use against the network, and gather packets.

5] Denial of Service : MAC Address Flooding can be considered a Denial of service attack. The main idea of the MAC flood, is to generate enough packet data to send toward a switch, attempting to make it panic. This will cause the switch to drop into broadcast mode and broadcast all packet data. This however did not result in a crash, or the service to be dropped, but to be overloaded.

Computer Viruses

-: Computer Viruses :-

What is a Computer Virus ?
A potentially damaging computer programme capable of reproducing itself causing great harm to files or other programs without permission or knowledge of the user.
Types of viruses :-
The different types of viruses are as follows-

1) Boot Sector Virus :- Boot sector viruses infect either the master boot record of the hard disk or the floppy drive. The boot record program responsible for the booting of operating system is replaced by the virus. The virus either copies the master boot program to another part of the hard disk or overwrites it. They infect a computer when it boots up or when it accesses the infected floppy disk in the floppy drive. i.e. Once a system is infected with a boot-sector virus, any non-write-protected disk accessed by this system will become infected.

Examples of boot- sector viruses are Michelangelo and Stoned.

2) File or Program Viruses :- Some files/programs, when executed, load the virus in the memory and perform predefined functions to infect the system. They infect program files with extensions like .EXE, .COM, .BIN, .DRV and .SYS .

Some common file viruses are Sunday, Cascade.

3) Multipartite Viruses :- A multipartite virus is a computer virus that infects multiple different target platforms, and remains recursively infective in each target. It attempts to attack both the boot sector and the executable, or programs, files at the same time. When the virus attaches to the boot sector, it will in turn affect the system’s files, and when the virus attaches to the files, it will in turn infect the boot sector.
This type of virus can re-infect a system over and over again if all parts of the virus are not eradicated.

Ghostball was the first multipartite virus, discovered by Fridrik Skulason in October 1989.
Other examples are Invader, Flip, etc.

4) Stealth Viruses :- These viruses are stealthy in nature means it uses various methods for hiding themselves to avoid detection. They sometimes remove themselves from the memory temporarily to avoid detection by antivirus. They are somewhat difficult to detect. When an antivirus program tries to detect the virus, the stealth virus feeds the antivirus program a clean image of the file or boot sector.

5) Polymorphic Viruses :- Polymorphic viruses have the ability to mutate implying that they change the viral code known as the signature each time they spread or infect. Thus an antivirus program which is scanning for specific virus codes unable to detect it's presense.

6) Macro Viruses :- A macro virus is a computer virus that "infects" a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. Macro viruses tend to be surprising but relatively harmless.A macro virus is often spread as an e-mail virus. Well-known examples are Concept Virus and Melissa Worm.

BlueTooth Hacking

-: Blue Tooth Hacking :-


Discovering Bluetooth Devices :-
Before any two bluetooth enabled devices can start communicating with one another, they must carry out a procedure known as discovery. It can be carried out by scanning for other active devices within the range.

Recommended Tools
BlueScanner It will try to extract as much information as possible for each newly discovered device Download
BlueSniff It is a GUI-based utility for finding discoverable and hidden Bluetooth-enabled devices Download
BTBrowser It is a J2ME application that can browse and explore the technical specification of surrounding Bluetooth enabled devices. It works on phones that supports JSR-82 - the Java Bluetooth specification Download
BTCrawler It is a scanner for Windows Mobile based devices. It also implements the BlueJacking and BlueSnarfing attacks -----

Hacking Bluetooth Devices :-
There are a variety of different types of bluetooth related threats and attacks that can be executed against unsuspecting mobile phone users. Following are some of the most common types of threats :-

1) BluePrinting Attack :- Information gathering is the first step in the quest to break into target system. Even BlueTooth devices can be fingerprinted or probed for information gathering using the technique known as BluePrinting. Using this one can determine manufacturer, model, version, etc. for target bluetooth enabled device.

Recommended Tools
BluePrint As the name suggests Download
BTScanner It is an information gathering tool that allows attacker to query devices without the need to carry out pairing Download

2) BlueJack Attack :- Bluejacking is the process of sending an anonymous message from a bluetooth enabled phone to another, within a particular range without knowing the exact source of the recieved message to the recepient.

Recommended Tools
FreeJack Bluejacking tool written in JAVA -----
CIHWB Can I Hack With Bluetooth (CIHWB) is a Bluetooth security auditing framework for Windows Mobile 2005. Supports BlueSnarf, BlueJack, and some DoS attacks. Should work on any PocketPC with the Microsoft Bluetooth stack Download

3) BlueSnarf Attack :- Bluesnarfing is the process of connecting vulnerable mobile phones through bluetooth, without knowing the victim. It involves OBEX protocol by which an attacker can forcibly push/pull sensitive data in/out of the victim's mobile phone, hence also known as OBEX pull attack.
This attack requires J2ME enabled mobile phones as the attacker tool. With J2ME enabled phone, just by using bluesnarfing tools like Blooover, Redsnarf, Bluesnarf, etc. an attacker can break into target mobile phone for stealing sensitive data such as address book, photos, mp3, videos, SMS, ......!

Recommended Tools
Blooover It is a J2ME-based auditing tool. It is intended to serve as an auditing tool to check whether a mobile phone is vulnerable. It can also be used to carry out BlueBug attack Download
RedSnarf One of the best bluesnarfing tool -----
BlueSnarfer It downloads the phone-book of any mobile device vulnerable to Bluesnarfing Download

4) Blue Backdoor Attack :- Here, the bluetooth related vulnerability exploits the pairing mechanism that is used to establish a connection between two bluetooth enabled devices.Not only does it gives the attacker complete access and control over the target but also allows the attacker to place strategic backdoors for continued access and entry.

5) BlueBug Attack :- It was first discovered by Martin Herfurt and allows attackers to gain complete control over the data, voice and messaging channels of vulnerable target mobile phones.

Recommended Tools
BlueBugger Exploits the BlueBug vulnerability Download
Bluediving It is a Bluetooth penetration testing suite. It implements attacks like Bluebug, BlueSnarf, BlueSnarf++, BlueSmack, etc. Download

6) The bluetooth protocol allows devices to use 16 digit long pairing codes. Unfortunately many applications continue to use only 4 digit pairing codes which can be easily brute-forced. This is known as short pairing codes.
Most slave bluetooth devices continue to use default pairing codes such as 0000, 1111, 1234, etc. So, easy to crack and gain access...!

Recommended Tools
BTCrack BTCrack is a Bluetooth Pass phrase (PIN) cracking tool. BTCrack aims to reconstruct the Passkey and the Link key from captured Pairing exchanges Download



-: Other Powerful BlueTooth Hacking Tools :-

Transient Bluetooth Environment Auditor :- T-BEAR is a security-auditing platform for Bluetooth-enabled devices. The platform consists of Bluetooth discovery tools, sniffing tools and various cracking tools. Download
BlueTest :- BlueTest is a Perl script designed to do data extraction from vulnerable Bluetooth-enabled devices. Download
BTAudit :- BTAudit is a set of programs and scripts for auditing Bluetooth-enabled devices. Download
RedFang :- It is a brute force tool that finds even non-discoverable device.
Download
BlueAlert :- A windows based tool that runs on bluetooth enabled computer and alerts the user each time a blurtooth device leaves or enters into its range.
BlueFang :- Similar to BlueAlert.
Bluestumbler :- One of the best BluePrinting tool.

Super Bluetooth Hack :- With this java software you can connect to another mobile and ….

Once connected to a another phone via bluetooth you can-
Read his/her messages
Read his/her contacts
Change profile
Play ringtone even if phone is on silent
Play songs
Restart the phone
Switch off the phone
Restore factory settings
Change ringing volume
Call from his phone it includes all call functions like hold, etc.
Notes:-
1) When connecting devices use a code 0000
2) At start of program on smartphones do not forget to turn on bluetooth before start of the mobile .
Download- Super_Bluetooth_Hack_v1.07.zip (99 KB)


Denial Of Service (DoS) Attacks

-: Denial Of Service (DoS) Attacks :-

A denial of service (DoS) attack is an attack that clogs up so much memory on the target system that it can not serve it's users, or it causes the target system to crash, reboot, or otherwise deny services to legitimate users.There are several different kinds of dos attacks as discussed below:-

1) Ping Of Death :- The ping of death attack sends oversized ICMP datagrams (encapsulated in IP packets) to the victim.The Ping command makes use of the ICMP echo request and echo reply messages and it's commonly used to determine whether the remote host is alive. In a ping of death attack, however, ping causes the remote system to hang, reboot or crash. To do so the attacker uses, the ping command in conjuction with -l argument (used to specify the size of the packet sent) to ping the target system that exceeds the maximum bytes allowed by TCP/IP (65,536).
example:- c:/>ping -l 65540 hostname
Fortunately, nearly all operating systems these days are not vulnerable to the ping of death attack.

2) Teardrop Attack :- Whenever data is sent over the internet, it is broken into fragments at the source system and reassembled at the destination system. For example you need to send 3,000 bytes of data from one system to another. Rather than sending the entire chunk in asingle packet, the data is broken down into smaller packets as given below:
* packet 1 will carry bytes 1-1000.
* packet 2 will carry bytes 1001-2000.
* packet 3 will carry bytes 2001-3000.
In teardrop attack, however, the data packets sent to the target computer contais bytes that overlaps with each other.
(bytes 1-1500) (bytes 1001-2000) (bytes 1500-2500)
When the target system receives such a series of packets, it can not reassemble the data and therefore will crash, hang, or reboot.
Old Linux systems, Windows NT/95 are vulnerable.

3) SYN - Flood Attack :- In SYN flooding attack, several SYN packets are sent to the target host, all with an invalid source IP address. When the target system receives these SYN packets, it tries to respond to each one with a SYN/ACK packet but as all the source IP addresses are invalid the target system goes into wait state for ACK message to receive from source. Eventually, due to large number of connection requests, the target systems' memory is consumed. In order to actually affect the target system, a large number of SYN packets with invalid IP addresses must be sent.

4) Land Attack :- A land attack is similar to SYN attack, the only difference being that instead of including an invalid IP address, the SYN packet include the IP address of the target sysetm itself. As a result an infinite loop is created within the target system, which ultimately hangs and crashes.Windows NT before Service Pack 4 are vulnerable to this attack.

5) Smurf Attack :- There are 3 players in the smurf attack–the attacker,the intermediary (which can also be a victim) and the victim. In most scenarios the attacker spoofs the IP source address as the IP of the intended victim to the intermediary network broadcast address. Every host on the intermediary network replies, flooding the victim and the intermediary network with network traffic.
 Result:- Performance may be degraded such that the victim, the victim and intermediary networks become congested and unusable, i.e. clogging the network and preventing legitimate users from obtaining network services.

6) UDP - Flood Attack :- Two UDP services: echo (which echos back any character received) and chargen (which generates character) were used in the past for network testing and are enabled by default on most systems. These services can be used to launch a DOS by connecting the chargen to echo ports on the same or another machine and generating large amounts of network traffic.
-: Denial Of Service (DoS) Attacks :-

7) Distributed Denial Of Service (DDoS) :- In Distributed DoS attack, there are 100 or more different attackers (systems) attacking the single system. Due to higher number of attackers DDoS attack is more effective and dangerous than regular DoS attack. The attackers have control over master zombies, which, in turn, have control over slave zombies, as shown in figure.


No system connected to the internet is safe from DDoS attacks. All platforms, including Unix and Windows NT, are vulnerable to such attacks. Even Mac OS machines have been used to conduct DDoS attacks.

The most popular DDoS tools are:-

a) Trin00 (WinTrinoo)
b) Tribe Flood Network (TFN) (TFN2k)
c) Shaft
d) Stacheldraht
e) MStream

8) Distributed Denial Of Service with Reflectors (DRDoS) :- In DRDoS attacks the army of the attacker consists of master zombies, slave zombies, and reflectors. The difference in this type of attack is that slave zombies are led by master zombies to send a stream of packets with the victim's IP address as the source IP address to other uninfected machines (known as reflectors), exhorting these machines to connect with the victim. Then the reflectors send the victim a greater volume of traffic, as a reply to its exhortation for the opening of a new connection, because they believe that the victim was the host that asked for it. Therefore, in DRDoS attacks, the attack is mounted by noncompromised machines, which mount the attack without being aware of the action.

a DRDoS attack creates a greater volume of traffic because of its more distributed nature, as shown in the figure below.

Intrusion Detection System

-: Intrusion Detection System (IDS) :-


An intrusion detection system (IDS) is software and/or hardware based system that monitors network traffic and monitors for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.

Typical locations for an intrusion detection system is as shown in the following figure -



Following are the types of intrusion detection systems :-

1) Host-Based Intrusion Detection System (HIDS) :- Host-based intrusion detection systems or HIDS are installed as agents on a host. These intrusion detection systems can look into system and application log files to detect any intruder activity.

2) Network-Based Intrusion Detection System (NIDS) :- These IDSs detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby protecting those hosts. Network-based IDSs often consist of a set of single-purpose sensors or hosts placed at various points in a network. These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console.

Some important topics comes under intrusion detection are as follows :-

1) Signatures - Signature is the pattern that you look for inside a data packet. A signature is used to detect one or multiple types of attacks. For example, the presence of “scripts/iisadmin” in a packet going to your web server may indicate an intruder activity. Signatures may be present in different parts of a data packet depending upon the nature of the attack.

2) Alerts - Alerts are any sort of user notification of an intruder activity. When an IDS detects an intruder, it has to inform security administrator about this using alerts. Alerts may be in the form of pop-up windows, logging to a console, sending e-mail and so on. Alerts are also stored in log files or databases where they can be viewed later on by security experts.

3) Logs - The log messages are usually saved in file.Log messages can be saved either in text or binary format.

4) False Alarms - False alarms are alerts generated due to an indication that is not an intruder activity. For example, misconfigured internal hosts may sometimes broadcast messages that trigger a rule resulting in generation of a false alert. Some routers, like Linksys home routers, generate lots of UPnP related alerts. To avoid false alarms, you have to modify and tune different default rules. In some cases you may need to disable some of the rules to avoid false alarms.

5) Sensor - The machine on which an intrusion detection system is running is also called the sensor in the literature because it is used to “sense” the network.

Snort :- Snort is a very flexible network intrusion detection system that has a large set of pre-configured rules. Snort also allows you to write your own rule set. There are several mailing lists on the internet where people share new snort rules that can counter the latest attacks.

Snort is a modern security application that can perform the following three functions :

* It can serve as a packet sniffer.
* It can work as a packet logger.
* It can work as a Network-Based Intrusion Detection System (NIDS).

Further details and downloads can be obtained from it's home- http://www.snort.org
-: Honeypots :-

Definition :-
"Honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems."  -Wikipedia

"Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource."  -Lance Spitzner

Unlike firewalls or Intrusion Detection Systems, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. Its is this flexibility that gives honeypots their true power. It is also this flexibility that can make them challenging to define and understand.

Types of Honeypots :-
Low-Interaction Honeypot:- Low-interaction honeypots have limited interaction, they normally work by emulating services and operating systems. Attacker activity is limited to the level of emulation by the honeypot. These honeypots tend to be easier to deploy and maintain, with minimal risk. Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor.

High-Interaction Honeypot:- High-interaction honeypots are different, they are usually complex solutions as they involve real operating systems and applications. Nothing is emulated, we give attackers the real thing. The advantages with such a solution are two fold. First, you can capture extensive amounts of information. By giving attackers real systems to interact with, you can learn the full extent of their behavior. The second advantage is high-interaction honeypots make no assumptions on how an attacker will behave. Instead, they provide an open environment that captures all activity. However, this also increases the risk of the honeypot as attackers can use these real operating system to attack non-honeypot systems. As result, additional technologies have to be implement that prevent the attacker from harming other non-honeypot systems. However, they can be more complex to deploy and maintain. Examples of high-interaction honeypots include Symantec Decoy Server and Honeynets.

Typical Honeypot Model

Honeypot Softwares :-
Argos by Georgios Portokalidis, Herbert Bos
Back Officer Friendly by NFR Security
Bait N Switch Honeypot by Team Violating
BigEye by Team Violating
FakeAP by Black Alchemy Enterprises
GHH - The "Google Hack" Honeypot by Ryan McGeehan et al
HOACD by Honeynet.BR Project
HoneyBOT by Atomic Software Solutions
Honeyd by Niels Provos
Honeyd Development site by Niels Provos
Honeyd for Windows by Michael A. Davis (port)
Honeynet Security Console for Windows 2000/XP by Activeworx, Inc.
HoneyPerl by Brazilian Honeypot Project (HoneypotBR)
HoneyPoint by MicroSolved, Inc.
Honeywall CD-ROM by The Honeynet Project
HoneyWeb by Kevin Tim
Impost by sickbeatz
Jackpot Mailswerver by Jack Cleaver
KFSensor by Keyfocus
Kojoney by Jose Antonio Coret
LaBrea Tarpit by Tom Liston
NetBait by NetBait Inc.
NetFacade by Verizon
OpenBSD's spamd by OpenBSD Team
ProxyPot by Alan Curry
Sandtrap by Sandstorm Enterprises, Inc.
Single-Honeypot by Luis Wong and Louis Freeze
Smoke Detector by Palisade Systems Inc.
SMTPot.py by Karl A. Krueger
Spamhole by Dr. Uid
Spampot.py by Neale Pikett
Specter by Netsec
SWiSH by Canned Ham
Symantec Decoy Server (formerly ManTrap) by Symantec
Tiny Honeypot (thp) by George Bakos
The Deception Toolkit by Fred Cohen & Associates
User-Mode Linux (UML) by Jeff Dike

Input Validation Attacks

-: Input Validation Attacks :-

Input Validation Attacks are where an attacker intentionally sends unusual input in the hopes of confusing the application.
The most common input validation attacks are as follows-

1) Buffer Overflow :- Buffer overflow attacks are enabled due to sloppy programming or mismanagement of memory by the application developers. Buffer overflow may be classified into stack overflows, format string overflows, heap overflows and integer overflows. It may possible that an overflow may exist in language’s (php, java, etc.) built-in functions.
To execute a buffer overflow attack, you merely dump as much data as possible into an input field. The attack is said to be successful when it returns an application error. Perl is well suited for conducting this type of attack.
Here’s the buffer test, calling on Perl from the command line:
$ echo –e “GET /login.php?user=\
> `perl –e ‘print “a” x 500’`\nHTTP/1.0\n\n” | \
nc –vv website 80
This sends a string of 500 “a” characters for the user value to the login.php file.
Buffer overflow can be tested by sending repeated requests to the application and recording the server's response.

2) Canonicalization :- These attacks target pages that use template files or otherwise reference alternate files on the web server. The basic form of this attack is to move outside of the web document root in order to access system files, i.e., “../../../../../../../../../boot.ini”. This type of functionality is evident from the URL and is not limited to any one programming language or web server. If the application does not limit the types of files that it is supposed to view, then files outside of the web document root are targeted, something like following-
/menu.asp?dimlDisplayer=menu.asp
/webacc?User.asp=login.htt
/SWEditServlet?station_path=Z&publication_id=2043&template=login.tem
/Getfile.asp?/scripts/Client/login.js
/includes/printable.asp?Link=customers/overview.htm

3) Cross-site Scripting (XSS) :- Cross-site scripting attacks place malicious code, usually JavaScript, in locations where other users see it. Target fields in forms can be addresses, bulletin board comments, etc.
We have found that error pages are often subject to XSS attacks. For example, the URL for a normal application error looks like this:
http://website/inc/errors.asp?Error=Invalid%20password
This displays a custom access denied page that says, “Invalid password”. Seeing a string
on the URL reflected in the page contents is a great indicator of an XSS vulnerability. The attack would be created as:
http://website/inc/errors.asp?Error=<script%20src=...
That is, place the script tags on the URL.

4) SQL Injection :- This kind of attack occurs when an attacker uses specially crafted SQL queries as an input, which can open up a database. Online forms such as login prompts, search enquiries, guest books, feedback forms, etc. are specially targeted.
The easiest test for the presence of a SQL injection attack is to append “or+1=1” to the URL and inspect the data returned by the server.
example:- http://www.domain.com/index.asp?querystring=sports' or 1=1—

-: SQL Injection Attacks :-

What is SQL Injection?
 SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. Web pages which accepts parameters from user, and make SQL query to the database, are targeted. For Example, A web page with username and password, fires SQL query on the database to check whether a user has entered valid name and/or password or not. With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.

What is Required?
1) Any Web Browser
2) Some Basic SQL (Structured Query Language) Queries such as 'SELECT', 'INSERT', 'UPDATE', 'DELETE', etc. along with their attributes (i.e Syntax).

What you should look for?
Try to look for pages that allow you to submit data, i.e: login page, search page, feedback, etc. Sometimes, HTML pages use POST command to send parameters to another ASP/ASPX page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:

<FORM action=login.aspx method=post>
<input type=hidden name=user value=xyz>
</FORM>

Everything between the <FORM> and </FORM> tags have potential parameters that might be useful.
OR

You should look for pages like ASP, ASPX, JSP, CGI, or PHP.
Try to look especially for URL that takes parameters, like:
http://example.com/login.asp?id=10


Is it Vulnerable?
Start with a single quote trick. Input something like:
hi' or 1=1--
Into login, or password, or even in the URL. Example:
Login: hi' or 1=1--
Pass: hi' or 1=1--
http://example.com/login.asp?id=hi' or 1=1--

You can do this with a hidden field, just view the source HTML from the site, save it in your hard disk, modify the URL and hidden field accordingly.
Example:
<FORM action=http://example.com/login.asp method=post>
<input type=hidden name=abc value="hi' or 1=1--">
</FORM>

If luck is on your side, you will get login without any login name or password.


But why ' or 1=1-- ?
Take an asp page that will link you to another page with the following URL:
http://example.com/search.asp?category=sports
In this URL 'category' is the variable name and 'sports' is it's value.
Here this request fires following query on the database in background.
SELECT * FROM search WHERE category='sports'
Where 'search' is the name of table which is already present in some database.
So, this query returns all the possible entries from table 'search' which comes under the category 'sports'.

Now, assume that we change the URL into something like this:
http://example.com/search.asp?category=sports' or 1=1--
Now, our variable 'category' equals to "sports' or 1=1-- ", which fires SQL query on database something like:
SELECT * FROM search WHERE category='sports' or 1=1--'
The query should now select everything from the 'search' table regardless if category is equal to 'sports' or not.
A double dash "--" tell MS SQL server to ignore the rest of the query, which will get rid of the last hanging single quote (').
Sometimes, it may be possible to replace double dash with single hash "#".

However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try
' or 'a'='a
It should return the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
'or''='

Countermeasures ?
Filter out character like   '    "    -    /    \    ;    NULL, etc. in all strings from:
* Input from users
* Parameters from URL
* Values from cookie

-: Google Hacking :-

Basic Operators:-
1) And (+) :- This operator is used to include multiple terms in a query which is to be searched in google.
example:- if we type "hacker+yahoo+science" in google search box and click search, it will reveal the results something which are related to all the three words simultaneously i.e. hacker, yahoo and science.

2 ) OR (|) :- The OR operator, represented by symbol( | ) or simply the word OR in uppercase letters, instructs google to locate either one term or another term in a query.

3) NOT :- It is opposite of AND operator, a NOT operator excludes a word from search.
example:- If we want to search websites containing the terms google and hacking but not security then we enter the query like "google+hacking" NOT "security".


Advanced Operators:-
1) Intitle :- This operator searches within the title tags.
examples:- intitle:hacking returns all pages that have the string "hacking" in their title.
intitle:"index of" returns all pages that have string "index of" in their title.
Companion operator:- "allintitle".

2) Inurl :- Returns all matches, where url of the pages contains given word.
example:- inurl:admin returns all matches, where url of searched pages must contains the word "admin".
Companion operator:- "allinurl".

3) Site :- This operator narrows search to specific website. It will search results only from given domain. Can be used to carry out information gathering on specific domain.
example:- site:www.microsoft.com will find results only from the domain www.microsoft.com

4) Link :- This operator allows you to search for pages that links to given website.
example:- link:www.microsoft.com
Here, each of the searched result contains asp links to www.microsoft.com

5) Info :- This operator shows summary information for a site and provides links to other google searches that might pertain to that site.
example:- info:www.yahoo.com

6) Define :- This operator shows definition for any term.
example:- define:security
It gives various definitions for the word "security" in different manner from all over the world.

7) Filetype :- This operator allows us to search specific files on the internet. The supported file types can be pdf, xls, ppt, doc, txt, asp, swf, rtf, etc..
example:- If you want to search for all text documents presented on domain www.microsoft.com then we enter the query something like following.
"inurl:www.microsoft.com filetype:txt"
Some of the most powerful and very effective google search queries
are added on  Google Dorks!  page.



Subscribe

Guyyyyz if u want serious and successful hacking tools please subscribe















Untamed productions

Email:If u subscribe.

8|

Cryptography

-: Cryptography :-


 By definition cryptography is the process of converting recognisable data into an encrypted code for transmitting it over a network (either trusted or untrusted). Data is encrypted at the source, i.e. sender's end and decrypted at the destination, i.e. receiver's end.

In all cases, the initial unencrypted data is referred to as plaintext. It is encrypted into ciphertext, which will in turn (usually) be decrypted into usable plaintext using different encryption algorithms.


The Purpose :-
* Authentication : The process of proving one's identity.
* Privacy/confidentiality : Ensuring that no one can read the message except the intended receiver.
* Integrity : Assuring the receiver that the received message has not been altered in any way from the original.
* Non-repudiation : A mechanism to prove that the sender really sent this message.

In general cryptographic algorithms are classified into three categories as follows :

1) Secret Key Cryptography (SKC) : Uses a single key for both encryption and decryption.
2) Public Key Cryptography (PKC) : Uses one key for encryption and another for decryption.
3) Hash Functions : Uses a mathematical transformation to irreversibly "encrypt" information.

Secret Key Cryptography :- With secret key cryptography, a single key is used for both encryption and decryption. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption.

Secret key cryptography algorithms that are in use today include :

1) Data Encryption Standard (DES) : DES is a block-cipher employing a 56-bit key that operates on 64-bit blocks. DES uses a key of only 56 bits, and thus it is now susceptible to "brute force" attacks.
Triple-DES (3DES) and DESX are the two important variants that strengthen DES.

2) Advanced Encryption Standard (AES ) : The algorithm can use a variable block length and key length; the latest specification allowed any combination of keys lengths of 128, 192, or 256 bits and blocks of length 128, 192, or 256 bits.

3 ) International Data Encryption Algorithm (IDEA) : Secret-key cryptosystem written by Xuejia Lai and James Massey, in 1992 and patented by Ascom; a 64-bit SKC block cipher using a 128-bit key. Also available internationally.

4) Rivest Ciphers : Named for Ron Rivest, a series of SKC algorithms.

RC1 : Designed on paper but never implemented.
RC2 : A 64-bit block cipher using variable-sized keys designed to replace DES. It's code has not been made public although many companies have licensed RC2 for use in their products. Described in RFC 2268.
RC3 : Found to be breakable during development.
RC4 : A stream cipher using variable-sized keys; it is widely used in commercial cryptography products, although it can only be exported using keys that are 40 bits or less in length.
RC5 : A block-cipher supporting a variety of block sizes, key sizes, and number of encryption passes over the data. Described in RFC 2040.
RC6 : An improvement over RC5, RC6 was one of the AES Round 2 algorithms.

5) Blowfish : A symmetric 64-bit block cipher invented by Bruce Schneier; optimized for 32-bit processors with large data caches, it is significantly faster than DES on a Pentium/PowerPC-class machine. Key lengths can vary from 32 to 448 bits in length. Blowfish, available freely and intended as a substitute for DES or IDEA, is in use in over 80 products.

Public-Key Cryptography :- Generic PKC employs two keys that are mathematically related although knowledge of one key does not allow someone to easily determine the other key. One key is used to encrypt the plaintext and the other key is used to decrypt the ciphertext. No matter which key is applied first, but both the keys are required for the process to work. Because a pair of keys are required, this approach is also called asymmetric cryptography.
In PKC, one of the keys is designated the public key and may be advertised as widely as the owner wants. The other key is designated the private key and is never revealed to another party.

Public-key cryptography algorithms that are in use today for key exchange or digital signatures include :

1) RSA : One of the most popular encryption algorithm, invented in 1977 by three MIT scientists (Ronald Rivest, Adi Shamir, and Leonard Adleman)
The key-pair is derived from a very large number, n, that is the product of two prime numbers chosen according to special rules; these primes may be 100 or more digits in length each, yielding an n with roughly twice as many digits as the prime factors. The public key information includes n and a derivative of one of the factors of n; an attacker cannot determine the prime factors of n (and, therefore, the private key) from this information alone and that is what makes the RSA algorithm so secure.

Hash Functions :- Hash functions, also called message digests and one-way encryption, are algorithms that, in some sense, use no key. Instead, a fixed-length hash value is computed based upon the plaintext that makes it impossible for either the contents or length of the plaintext to be recovered. Hash algorithms are typically used to provide a digital fingerprint of a file's contents, often used to ensure that the file has not been altered by an intruder or virus. Hash functions are also commonly employed by many operating systems to encrypt passwords. Hash functions, then, provide a measure of the integrity of a file.
Hash algorithms that are in common use today include:
1) Message Digest (MD) algorithms : A series of byte-oriented algorithms that produce a 128-bit hash value from an arbitrary-length message.
MD2 : Designed for systems with limited memory, such as smart cards.
MD4 : Developed by Rivest, similar to MD2 but designed specifically for fast processing in software.
MD5 : Also developed by Rivest in 1991 after potential weaknesses were reported in MD4; this scheme is similar to MD4 but is slower because more manipulation is made to the original data.It accepts variable length message from the user and converts it into a fixed 128-bit message digest value.
One interesting and important aspect of the MD5 hash function is that it is a one way algorithm. This means you can produce the 128-bit fingerprint if the data chunk is available to you. You cannot, however, generate the entire data if only the fingerprint of the data is known.
2) Secure Hash Algorithm (SHA) : Algorithm for NIST's Secure Hash Standard (SHS). SHA-1 produces a 160-bit hash value and was originally published as FIPS 180-1 and RFC 3174. FIPS 180-2 describes five algorithms in the SHS: SHA-1 plus SHA-224, SHA-256, SHA-384, and SHA-512 which can produce hash values that are 224, 256, 384, or 512 bits in length, respectively. SHA-224, -256, -384, and -52 are also described in RFC 4634.
3) RIPEMD : A series of message digests that initially came from the RIPE (RACE Integrity Primitives Evaluation) project. RIPEMD-160 was designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, and optimized for 32-bit processors to replace the then-current 128-bit hash functions. Other versions include RIPEMD-256, RIPEMD-320, and RIPEMD-128.
4) HAVAL (HAsh of VAriable Length) : Designed by Y. Zheng, J. Pieprzyk and J. Seberry, a hash algorithm with many levels of security. HAVAL can create hash values that are 128, 160, 192, 224, or 256 bits in length.
5) Whirlpool : A relatively new hash function, designed by V. Rijmen and P.S.L.M. Barreto. Whirlpool operates on messages less than 2256 bits in length, and produces a message digest of 512 bits. The design of this hash function is very different than that of MD5 and SHA-1, making it immune to the same attacks as on those hashes.
6) Tiger : Designed by Ross Anderson and Eli Biham, Tiger is designed to be secure, run efficiently on 64-bit processors, and easily replace MD4, MD5, SHA and SHA-1 in other applications. Tiger/192 produces a 192-bit output and is compatible with 64-bit architectures; Tiger/128 and Tiger/160 produce the first 128 and 160 bits, respectively, to provide compatibility with the other hash functions.
-: Steganography :-

The art and science of hiding information by embedding messages within other, seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks ) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images.

Some common files used for hiding the data are .jpeg, .bmp, .jpg, .bmp, .pdf, .mp3, .wav, .gif, etc.

The following example gives detailed overview on how data can be hide by steganography :-
The tool used in this example is "S-Tools".
 Download S-Tool.zip (273 KB)

1) Prepare the secret file that you want to hide (eg. '.txt')
2) Launch the steganography tool (eg. 'S-Tools')


3) Drag and drop the host file (image, audio or video) inside which you want to hide your secret file.(eg. 'Sachin.bmp')


4) Now, Drag and drop the secret file (eg. 'New Text Document.txt') over the host file (eg. 'Sachin.bmp'). As soon as you drop the secret file you will be alerted by s-tools to enter password and to choose encryption algorithm which can be further used to retrieve your secret file from the host file.


5) After entering password and encryption algorithm, click OK, the steganography tool will then create an identical copy of the host file (eg. 'hidden data.bmp') as shown below.


This identical copy actually consist of hidden data (your secret file), but it can never be differentiated from original one by human eyes.

6) The duplicate file containing hidden data can be saved by right clicking and selecting 'save as' option.
7) To reveal the hidden data from duplicate file (eg. hidden data.bmp'), open the file in steganography tool. Then right click and select 'reveal' option; you will be promted to enter password and proper encryption algorithm. As soon as you click OK you will be offered by 'reveal archive' as shown below :


This consist of exact secret file (eg. 'New Text Document.txt'). Then, you can save it to read the secret information.


Privacy Attacks

-: Privacy Attacks :-


Here attacker uses various automated tools which are freely available on the internet. Some of them are as follows:

1) Trojan :- Trojan is a Remote Administration Tool (RAT) which enable attacker to execute various software and hardware instructions on the target system.

Most trojans consist of two parts -
a) The Server Part :- It has to be installed on the the victim's computer.
b) The Client Part :- It is installed on attacker's system. This part gives attacker complete control over target computer.

Netbus, Girlfriend, sub7, Beast, Back Orifice are some of the popular trojans.

2) Keylogger :- Keyloggers are the tools which enable attacker to record all the keystrokes made by victim and send it's logs secretly to the attacker's e-mail address which is previously set by him.

Almost all the Trojans have keylogging function.

     Use of latest updated antirus-firewall, detect the presence of trojan and remove it permanently.   

3) Spyware :- Spyware utilities are the malicious programs that spy on the activities of victim, and covertly pass on the recorded information to the attacker without the victim's consent. Most spyware utilities monitor and record the victim's internet-surfing habits. Typically, a spyware tool is built into a host .exe file or utility. If a victim downloads and executes an infected .exe file, then the spyware becomes active on the victim's system.
Spyware tools can be hidden both in .exe files an even ordinary cookie files.
Most spyware tools are created and released on the internet with the aim of collecting useful information about a large number of Internet users for marketing and advertising purposes. On many occasions, attacker also use spyware tools for corporate espionage and spying purposes.

4) Sniffer :- Sniffers were originally developed as a tool for debugging/troubleshooting network problems.
The Ethernet based sniffer works with network interface card (NIC) to capture interprete and save the data packets sent across the network.
Sniffer can turn out to be quite dangerous. If an attacker manages to install a sniffer on your system or the router of your network, then all data including passwords, private messages, company secrets, etc. get captured.

Recommended  Tools      
Snort    http://www.snort.org      
Ethereal    http://www.ethereal.com   

-: The Trojan Horse :-

What is a Trojan ?
"A Trojan Horse, or Trojan, is a term used to describe malware that appears, to the user, to perform a desirable function but, in fact, facilitates unauthorized access to the user's computer system". - Wikipedia

"A Trojan horse is an apparently useful program containing hidden functions that can exploit the privileges of the user [running the program], with a resulting security threat.". - CERT Advisory

Types of Trojan :-
 The different types of Trojan Horses are as follows-

1) Remote Access Trojans :- Abbreviated as RATs, a Remote Access Trojans are potentially the most damaging, designed to provide the attacker with complete control of the victim's system.

2) Data Sending Trojans :- A type of a Trojan horse that is designed to provide the attacker with sensitive data such as passwords, credit card information, log files, e-mail address or IM contact lists. They could install a keylogger and send all recorded keystrokes back to the attacker.

3) Destructive Trojans :- Once this Trojan is installed on your computer, it will begin to systematically or completely randomly delete information from your computer. This can include files, folders, registry entries, and important system files, which likely to cause the failure of your operating system.

4) Proxy Trojans :- A type of Trojan horse designed to use the victim's computer as a proxy server. This gives the attacker the opportunity to conduct illegal activities, or even to use your system to launch malicious attacks against other networks.

5) FTP Trojans :- A type of Trojan horse designed to open port 21 (FTP) and acts like an FTP server. Once installed, the attacker not only could download/upload files/programs to victim's computer but also install futher malware on your computer.

6) Security Software Disabler Trojan :- A type of Trojan horse designed stop or kill security programs such as an antivirus program or firewall without the user knowing. This Trojan type is normally combined with another type of Trojan as a payload.

7) DoS Attack Trojans :- These trojans are used by the attacker to launch a DoS/DDoS attack against some website or network or any individual. In this case they are well known as "Zombies".

How Trojan Works ?
Trojans typically consist of two parts, a client part and a server part. When a victim (unknowingly) runs a Trojan server on his machine, the attacker then uses the client part of that Trojan to connect to the server module and start using the Trojan. The protocol usually used for communications is TCP, but some Trojans' functions use other protocols, such as UDP, as well. When a Trojan server runs on a victim\92s computer, it (usually) tries to hide somewhere on the computer; it then starts listening for incoming connections from the attacker on one or more ports, and attempts to modify the registry and/or use some other auto-starting method.

       It is necessary for the attacker to know the victim\92s IP address to connect to his/her machine. Many Trojans include the ability to mail the victim\92s IP and/or message the attacker via ICQ or IRC. This system is used when the victim has a dynamic IP, that is, every time he connects to the Internet, he is assigned a different IP (most dial-up users have this). ADSL users have static IPs, meaning that in this case, the infected IP is always known to the attacker; this makes it considerably easier for an attacker to connect to your machine.

       Most Trojans use an auto-starting method that allows them to restart and grant an attacker access to your machine even when you shut down your computer.

How Trojan Horses Are Installed ?
Infection from Trojans is alarmingly simple. Following are very common ways to become infected that most computer users perform on a very regular basis.
Software Downloads
Websites containing executable content (ActiveX control)
Email Attachments
Application Exploits (Flaws in a web applications)
Social Engineering Attacks

The Removal :-
Antivirus software is designed to detect and delete Trojan horses ideally preventing them from ever being installed.
-: Popular Trojans :-

1) NetBus :-



Latest Version: NetBus 2.10 Pro
Developer: Carl-Fredrik Neikter
Default Port: 20034 (variable)
Language: Delphi
Operating System: Windows 95/98, NT4 or later
Type: Remote Access
Download:   NB2ProBeta.zip







2) Back Orifice XP :-



Latest Version: BOXP Beta 7
Developer: Javier Aroche
Default Port: 15380
Language: Microsoft Visual C++ 6.0
Operating System: Windows 95/98/ME/NT/2000/XP
Type: Remote Access
Download:   boxp_beta7_bin.zip



3) SubSeven / Sub7 :-



Latest Version: SubSeven 2.2
Developer: Mobman
Default Port: 1080, 1369, 5873, 27374 (variable)
Language: Delphi
Operating System: Windows 95/98/ME/NT/2000
Type: Remote Access, Keylogger, Eavesdropper, Sniffer, Proxy server, FTP server
Download:   Subseven.2.2.zip



4) Beast :-



Latest Version: Beast 2.07
Developer: Tataye
Default Port: 6666
Language: Delphi
Operating System: Windows 95/98/ME/NT/2000/XP
Type: Remote Access, Keylogger
Download:   Beast_2.07.rar



-: The NetBus Trojan :-

NetBus was written in Delphi by Carl-Fredrik Neikter, a Swedish programmer in March 1998.

It is capable of :--
Open/Close CD-ROM
Show optional BMP/JPG image
Swap mouse buttons
Start optional application
Play a wav file
Control mouse
Show different kind's of messages
Shut down Windows
Download/Upload/Delete files
Go to an optional URL
Send keystrokes and disable keys
Listen for and send keystrokes
Take a screendump
Increase and decrease the sound-volume
Record sounds from the microphone
Make click sounds every time a key is pressed
This utility also has the ability to scan "Class C" addresses by adding "+Number of ports" to the end of the target address. Example: 255.255.255.1+254 will scan 255.255.255.1 through 255.

NetBus 2.0 Pro :- It was completely re-written and re-designed. It now has increased features such as improved GUI for client and server, improved file manager, windows manager, registry manager, plugin manager, capture of web cam images, n...more............!

Following is the stepwise procedure for installation and configuration of NetBus 2.0 Pro (server and client).

1) Download NetBus 2.0 Pro. from here -   NB2ProBeta.zip

2) Extract and install properly on your system.

3) After installation you will find the two shortcuts in the NetBus installation directory.

     This is to be executed on victim's system.      
     This is to be executed on your system.   


4) By Executing the 'NetBus Server' (on victim's computer), you will be greeted by a window as shown in figure (left). Click on 'Settings' button.
Here you can configure server settings such as port no, password, visibility, auto/manual start, etc. as shown in figure (right).

         

Click on 'OK' button to finish NetBus Server settings.
Then close the NetBus Server window.

5) By executing 'NetBus' (i.e. client)(on your system), you will be greeted by a window as shown below-


6) To add a new host go to the menu 'Host' and then click 'New'. This is as shown in figure (left).
Here you should enter the proper Destination(e.g. 'My Computer'), IP Address(eg. 72.232.50.186), TCP Port(by default 20034), Username/Password(exactly same as that of 'NetBus Server') for target computer.

         

Click on 'OK' to finish the addition of new host.

7) Now you are ready to connect with target(victim's) computer.
To do so, select the host from main window then go to 'Host' menu and then click 'Connect'.

8) After client get connected with server(target computer), you can use any of the features of 'NetBus Trojan' as listed above. You can see all these tools on 'Toolbar' of NetBus Client.

IP spoofing

-: IP Spoofing :-


The term IP (Internet Protocol) address spoofing refers to the creation of IP packets with a forged (spoofed) source IP address with the purpose of concealing the identity of the sender or impersonating another computing system.

Why it works ?
IP-Spoofing works because trusted services only rely on network address based authentication. Since IP is easily duped, address forgery is not difficult.
The main reason is security weakness in the TCP protocol known as sequence number prediction.

How it works ?
To completely understand how ip spoofing can take place, one must examine the structure of the TCP/IP protocol suite. A basic understanding of these headers and network exchanges is crucial to the process.

Internet Protocol (IP) :
It is a network protocol operating at layer 3 (network) of the OSI model. It is a connectionless model, meaning there is no information regarding transaction state, which is used to route packets on a network. Additionally, there is no method in place to ensure that a packet is properly delivered to the destination.

Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the header) contain various information about the packet. The next 8 bytes (the next 2 rows), however, contains the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses – specifically the “source address” field.

Transmission Control Protocol (TCP) :
It is the connection-oriented, reliable transport protocol in the TCP/IP suite. Connection-oriented simply means that the two hosts participating in a discussion must first establish a connection via the 3-way handshake (SYN-SYN/ACK-ACK). Reliability is provided by data sequencing and acknowledgement. TCP assigns sequence numbers to every segment and acknowledges any and all data segments recieved from the other end.


As you can see above, the first 12 bytes of the TCP packet, which contain port and sequencing information.

TCP sequence numbers can simply be thought of as 32-bit counters. They range from 0 to 4,294,967,295. Every byte of data exchanged across a TCP connection (along with certain flags) is sequenced. The sequence number field in the TCP header will contain the sequence number of the *first* byte of data in the TCP segment. The acknowledgement number field in the TCP header holds the value of next *expected* sequence number, and also acknowledges *all* data up through this ACK number minus one.

TCP packets can be manipulated using several packet crafting softwares available on the internet.

The Attack
IP-spoofing consists of several steps. First, the target host is choosen. Next, a pattern of trust is discovered, along with a trusted host. The trusted host is then disabled, and the target's TCP sequence numbers are sampled. The trusted host is impersonated, the sequence numbers guessed, and a connection attempt is made to a service that only requires address-based authentication. If successful, the attacker executes a simple command to leave a backdoor.

Spoofing can be implemented by different ways as given below -

Non-Blind Spoofing :- This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately.

Blind Spoofing :- Here the sequence and acknowledgement numbers are unreachable. In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers.

Both types of spoofing are forms of a common security violation known as a Man In The Middle Attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient.

IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against – Denial of Service attacks, or DoS.

     CounterMeasures        
1) Filtering at the Router :- Implementing ingress and egress filtering on your border routers is a great place to start your spoofing defense. You will need to implement an ACL (access control list)

2) Encryption and Authentication :- Implementing encryption and authentication will also reduce spoofing threats. Both of these features are included in Ipv6, which will eliminate current spoofing threats.

3) Initial Sequence Number Randomizing.
-: Packet Header Analysis :-

Following are the easy to analyze ICMP, TCP and UDP packet headers along with short description.
All header Drawings by- "Matt Baxter" (www.fatpipe.org/~mjb/Drawings/)



ICMP Message Types :- ICMP message type-code/name format
0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply

Checksum :- The checksum is the 16-bit ones's complement of the one's complement sum of the ICMP message starting with the ICMP Type.

RFC 792 :- Please refer to RFC 792 for Internet Control Message Protocol (ICMP) Specification.





TCP Flags :- C E U A P R S F      
C 0x80 Reduced (CWR)      
E 0x40 ECN Echo (ECE)      
U 0x20 Urgent      
A 0x10 Ack      
P 0x08 Push      
R 0x04 Reset      
S 0x02 Syn      
F 0x01 Fin      
       
TCP Options :-      
0 End of Options List      
1 No Operation (NOP, Pad)      
2 Maximum Segment Size      
3 Window Scale      
4 Selective ACK ok      
8 Timestamp      
       
       
    

Checksum :- Checksum of entire TCP segment and pseudo header (parts of IP header)

Offset :- Number of 32-bit words in TCP header, minimum value of 5. Multiply by 4 to get byte count.

RFC 793 :- Please refer to RFC 793 for Transmission Control Protocol (TCP) Specification.




Source Port :- an optional field, when meaningful, it indicates the port of the sending process, and may be assumed to be the port to which a reply should be addressed in the absence of any other information. If not used, a value of zero is inserted.

Destination Port :- Destination Port has a meaning within the context of a particular internet destination address.

Length :- Length is the length in octets of this user datagram including this header and the data. (This means the minimum value of the length is eight.)

Checksum :- Checksum is the 16-bit one's complement of the one's complement sum of a pseudo header of information from the IP header, the UDP header, and the data, padded with zero octets at the end (if necessary) to make a multiple of two octets.

RFC 768 :- Please refer to RFC 768 for User Datagram Protocol (UDP) Specification. -: IP Address :-

Definition :-
"An Internet Protocol (IP) address is a numerical identification (logical address) that is assigned to devices participating in a computer network utilizing the Internet Protocol for communication between its nodes".   -- Wikipedia

The Internet Protocol (IP) has two versions currently in use which are IPv4 and IPv6.
This article represents to IPv4 version only.

In general, an IP address is a 32-bit decimal number that is normally written as four numbers between 1 to 255 (8 bits or 1 byte each), each seperated from the other by a decimal point. This standard is known as "Dotted Decimal Notation".
e.g.-   117.200.77.110

IP addresses are divided into number of ranges/classes as given in the table below-

Class    Range      
A    0.0.0.0 to 127.255.255.255      
B    128.0.0.0 to 191.255.255.255      
C    192.0.0.0 to 223.255.255.255      
D    224.0.0.0 to 239.255.255.255      
E    240.0.0.0 to 255.255.255.255   

e.g.-  IP Address 192.168.24.114 belongs to Class 'C'.

How to find out IP Address of your system ?
1) Connect to the Internet.
2) Launch MS-DOS Command Prompt.
3) Type "netstat -n", Press Enter.

You will get the output similar to following-


The IP Address shown in local address field denotes IP Address of your system.
In this case it is 117.200.160.151

IP Address Formats :-
Four different formats of IP Address along with example is as given below-

1) Domain Name System (DNS) : www.insecure.in
2) DWORD Format : 2928008962
3) Octal Format : 0256.0205.0337.002
4) Dotted Decimal Format : 174.133.223.2

Converting DNS IP Address into Normal IP Address :-
You can easily get the IP Address of any domain by various methods such as WHOIS, Netstat, Ping, Traceroute, etc.
Here I have used 'Ping' to get IP Address.

1) Connect to the Internet.
2) Launch MS-DOS Command Prompt.
3) Type "ping domainname", Press Enter.

You will get the output similar to following-



Here, IP Address for Domain "www.insecure.in" is "174.133.223.2"

Thus by typing "http://www.insecure.in" OR "http://2928008962" OR "0256.0205.0337.02" OR "174.133.223.2" in your browser will take you to the same site.

     Not all of these formats work in all browsers.   

Password Hacking


   

-: Password Hacking :-


Password cracking is the process of recovering secret passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password.
Most passwords can be cracked by using following techniques :

1) Hashing :- Here we will refer to the one way function (which may be either an encryption function or cryptographic hash) employed as a hash and its output as a hashed password.
If a system uses a reversible function to obscure stored passwords, exploiting that weakness can recover even 'well-chosen' passwords.
One example is the LM hash that Microsoft Windows uses by default to store user passwords that are less than 15 characters in length.
LM hash breaks the password into two 7-character fields which are then hashed separately, allowing each half to be attacked separately.

    Hash functions like SHA-512, SHA-1, and MD5 are considered impossible to invert when used correctly.


2) Guessing :- Many passwords can be guessed either by humans or by sophisticated cracking programs armed with dictionaries (dictionary based) and the user's personal information.

Not surprisingly, many users choose weak passwords, usually one related to themselves in some way. Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs. Examples of insecure choices include:

* blank (none)
* the word "password", "passcode", "admin" and their derivatives
* the user's name or login name
* the name of their significant other or another person (loved one)
* their birthplace or date of birth
* a pet's name
* a dictionary word in any language
* automobile licence plate number
* a row of letters from a standard keyboard layout (eg, the qwerty keyboard -- qwerty itself, asdf, or qwertyuiop)
* a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.
and so on....

In one survery of MySpace passwords which had been phished, 3.8 percent of passwords were a single word found in a dictionary, and another 12 percent were a word plus a final digit; two-thirds of the time that digit was.
    A password containing both uppercase &  lowercase characters, numbers and special characters too; is a strong password and can never be guessed.


Check Your Password Strength

3) Default Passwords :- A moderately high number of local and online applications have inbuilt default passwords that have been configured by programmers during development stages of software. There are lots of applications running on the internet on which default passwords are enabled. So, it is quite easy for an attacker to enter default password and gain access to sensitive information. A list containing default passwords of some of the most popular applications is available on the internet.

     Always disable or change the applications' (both online and offline) default username-password pairs.   

4) Brute Force :- If all other techniques failed, then attackers uses brute force password cracking technique. Here an automatic tool is used which tries all possible combinations of available keys on the keyboard. As soon as correct password is reached it displays on the screen.This techniques takes extremely long time to complete, but password will surely cracked.

     Long is the password, large is the time taken to brute force it.   

5) Phishing :- This is the most effective and easily executable password cracking technique which is generally used to crack the passwords of e-mail accounts, and all those accounts where secret information or sensitive personal information is stored by user such as social networking websites, matrimonial websites, etc.
Phishing is a technique in which the attacker creates the fake login screen and send it to the victim, hoping that the victim gets fooled into entering the account username and password. As soon as victim click on "enter" or "login" login button this information reaches to the attacker using scripts or online form processors while the user(victim) is redirected to home page of e-mail service provider.

     Never give reply to the messages which are demanding for your username-password, urging to be e-mail service provider.   

It is possible to try to obtain the passwords through other different methods, such as social engineering, wiretapping, keystroke logging, login spoofing, dumpster diving, phishing, shoulder surfing, timing attack, acoustic cryptanalysis, using a Trojan Horse or virus, identity management system attacks (such as abuse of Self-service password reset) and compromising host security.
However, cracking usually designates a guessing attack.
-: Windows-XP Password Cracking :-

Here we use the tool "Cain and Abel" for cracking passwords of any local user/administrator.
First download cain and abel from "http://www.oxid.it/cain.html" and install it on your system.

Make sure that you have disabled the antivirus/firewall running on your system before installing and throughout this process.

Two most effective techniques used here are "Brute-Force" and "Cryptanalysis".

Brute-Force:- As this techniques takes more time to complete, the attacker prefer this technique only when there is a hope that the password contain same type of characters or may be two. i.e only loweralpha, only alpha, only numeric or may be loweralpha-numeric, also it should contain less than 7 characters. Otherwise it takes more time to crack password, which may be the mixture of all types of characters along with special symbols.
The step-by-step explaination for this technique is given below-

1) Open the tool "Cain and Abel"   


2) Go into the category "Cracker"      it displays all sub-categories under "Cracker" in left panel.


3) Select "LM & NTLM Hashes" from left panel and then click on      symbol, you will be greeted by a window as shown.


4) Check "import hashes from local system" and then click "Next". This shows all the active accounts on local system like administrator, guest, etc. along with LM and NT hashed values of their respective passwords, as shown below.


5) Right clicking on any username shows all available options using which we can crack it's password.


6) Here we select "Brute-Force Attack" and then "NTLM Hashes", since windows uses NTLM hashes to store local users' passwords.

7) You will be greeted by a window where you can modify properties for brute-force attack such as password length, character set, etc.


8) Click on "Start" button.

9) On completion it will reveal the exact password.


-: Windows-XP Password Cracking :-

Cryptanalisys :- Basically, Cryptanalisys means Operations performed in converting encrypted messages to plain text without initial knowledge of the crypto-algorithm and/or key employed in the encryption.
This is the fastest technique of password cracking possible due to "Rainbow Tables".
A rainbow table is a file that is used to lookup an unknown plaintext from a known hash for an algorithm that does not usually permit this operation.
Steps 1 to 4 i.e upto importing hashes from local system, are similar to previous technique (i.e brute-force). The steps coming after that are as follows-

5) Here, select "cryptanalisys attack" then "NTLM hashes" and then select "via rainbow tables". Here we can choose either OphCrack or RainbowCrack formats of tables. The rainbow tables are available free to download on internet.
Due to large file size of rainbow tables (350MB - 3GB); instead of downloading we can also create at own just by downloading rainbow table generator (winrtgen.zip of 181KB) free download at "http://www.oxid.it/downloads/winrtgen.zip"


6) Click on "Add Table"


7) Browse for the location of rainbow table on your system, select proper table and click "open".


8) Select the loaded table and then click on "Start" button.


9) On completetion it will show the exact password.



     To learn windows password cracking techniques properly, one must understand "LM" & "NTLM" algorithms, SAM File, Dumping NTLM hashes from local SAM, Rainbow Tables, etc.......!   

About ethical hacking

About Ethical Hacking



Internet Security and Ethical Hacking      


Welcome to the unique confluence of hackers , crackers and security professionals
on the world wide web.
This is your complete resource for internet security and ethical hacking.

 -: The Ethical Hacker :-
Most people thinks that hackers are computer criminals. They fail to recognise the fact that criminals and hackers are two totally different things. Media is responsible for this. Hackers in reality are actually good and extremely intelligent people who by using their knowledge in a constructive manner help organisations, companies, goverment, etc. to secure documents and secret information on the internet.       
          
           
-: Network Hacking :-

Network Hacking is generally means gathering information about domain by using tools like Telnet, NslookUp, Ping, Tracert, Netstat, etc.
It also includes OS Fingerprinting, Port Scaning and Port Surfing using various tools.

Ping :- Ping is part of ICMP (Internet Control Message Protocol) which is used to troubleshoot TCP/IP networks. So, Ping is basically a command that allows you to check whether the host is alive or not.
To ping a particular host the syntax is (at command prompt)--
c:/>ping hostname.com

example:- c:/>ping www.google.com


Various attributes used with 'Ping' command and their usage can be viewed by just typing c:/>ping at the command prompt.


Netstat :- It displays protocol statistics and current TCP/IP network connections. i.e. local address, remote address, port number, etc.
It's syntax is (at command prompt)--
c:/>netstat -n




Telnet :- Telnet is a program which runs on TCP/IP. Using it we can connect to the remote computer on particular port. When connected it grabs the daemon running on that port.
The basic syntax of Telnet is (at command prompt)--
c:/>telnet hostname.com

By default telnet connects to port 23 of remote computer.
So, the complete syntax is-
c:/>telnet www.hostname.com port

example:- c:/>telnet www.yahoo.com 21 or c:/>telnet 192.168.0.5 21


Tracert :- It is used to trace out the route taken by the certain information i.e. data packets from source to destination.
It's syntax is (at command prompt)--
c:/>tracert www.hostname.com
example:- c:/>tracert www.insecure.in



Here "*    *    *    Request timed out." indicates that firewall installed on that system block the request and hence we can't obtain it's IP address.

various attributes used with tracert command and their usage can be viewed by just typing c:/>tracert at the command prompt.

The information obtained by using tracert command can be further used to find out exact operating system running on target system.

   
-: Network Hacking (Port Scanning) :-

Port Scanning :- Port scanning is carried out to determine a list of open ports on the remote host that have certain services or daemons running. In port scanning, the attacker connects to various TCP and UDP ports and tries to determine which ports are in listening mode.

1) TCP Ports Scanning :- Almost all port scans are based on the client sending a packet containing a particular flag to the target port of the remote system to determine whether the port is open. Following table lists the type of flags a TCP packet header can contain.

Flag    Meaning      
URG (urgent)    This flag tells the receiver that the data pointed at by the urgent pointer required urgently.      
ACK (acknowledgment)    This flag is turned on whenever sender wants to acknowledge the receipt of all data send by the receiving end.      
PSH (push)    The data must be passed on to the application as soon as possible.      
RST (reset)    There has been a problem with the connection and one wants to reset the connection with another.      
SYN (synchronize)    If system X wants to establish TCP connection with system Y, then it sends it's own sequence number to Y, requesting that a connection be established. Such apacket is known as synchronize sequence numbers or SYN packet.      
FIN (finish)    If system X has finished sending all data packets and wants to end the TCP/IP connection that it has established with Y, then it sends a packet with a FIN flag to system Y.    


A typical TCP/IP three way handshake can be described as follows :
1) The client sends a SYN packet to the server.
2) The server replies with a SYN packet and acknowledges the client's SYN packet by sending an ACK packet.
3) The client acknowledges the SYN sent by the server.

Different techniques of TCP port scanning are :-
1) TCP connect port scanning
2) TCP SYN scanning (half open scanning)
3) SYN/ACK scanning
4) TCP FIN scanning
5) TCP NULL scanning
6) TCP Xmas tree scanning

2) UDP Ports Scanning :- In UDP port scanning, aUDP packet is sent to each port on the target host one by one.
If the remote port is closed, then the server replies with a Port Unreachable ICMP error message. If the port is open then no such error message is generated.

3) FTP Bounce Port Scanning :- The FTP bounce port scanning technique was discovered by Hobbit. He revealed a very interesting loophole in the FTP protocol that allowed users connected to the FTP service of a particular system to connect to any port of another system. This loophole allows anonymous port scanning.


Recommended   Tools      
Nmap    http://www.insecure.org/nmap      
Superscan    http://www.foundstone.com   


-: Network Hacking (OS Fingerprinting) :-

OS Fingerprinting :- OS Fingerprinting refers to detection of target computer's operating system.
Since, different operating system responds differently to the same kind of ICMP message, it is very important for an attacker to determine the exact operating system running on target system.
Also attacker can carry out attacks by taking over the vulnerabilities/bugs found in that particular operating system.
There are four areas that we will look at to determine the operating system (however there are other signatures that can be used). These signatures are:

1) TTL - What the operating system sets the Time To Live on the outbound packet.
2) Window Size - What the operating system sets the Window Size at.
3) DF - Does the operating system set the Don't Fragment bit.
4) TOS - Does the operating system set the Type of Service, and if so, at what.

There are two different types of OS Fingerprinting technique -

1) Active OS Fingerprinting :- Remote active operating system fingerprinting is the process of actively determining a targeted network node’s underlying operating system by probing the
targeted system with several packets and examining the response(s), or lack thereof, received? The traditional approach is to examine the TCP/IP stack behavior (IP, TCP, UDP, and ICMP protocols) of a targeted network element when probed with several legitimate and/or malformed packets.

Recommended Tools      
Nmap    http://insecure.org/nmap   


2) Passive OS Fingerprinting :-Passive fingerprinting is based on sniffer traces from the remote system. Instead of actively querying the remote system, all you need to do is capture packets sent from the remote system. Based on the sniffer traces of these packets, you can determine the operating system of the remote host. Just like in active fingerprinting, passive fingerprinting is
based on the principle that every operating system's IP stack has its own idiosyncrasies. By analyzing sniffer traces and identifying these differences, you may be able determine the operating system of the remote host.

Recommended Tools      
P0f    http://lcamtuf.coredump.cx/p0f.shtml      
Ettercap    http://ettercap.sourceforge.net   
-: IP Address :-

Definition :-
"An Internet Protocol (IP) address is a numerical identification (logical address) that is assigned to devices participating in a computer network utilizing the Internet Protocol for communication between its nodes".   -- Wikipedia

The Internet Protocol (IP) has two versions currently in use which are IPv4 and IPv6.
This article represents to IPv4 version only.

In general, an IP address is a 32-bit decimal number that is normally written as four numbers between 1 to 255 (8 bits or 1 byte each), each seperated from the other by a decimal point. This standard is known as "Dotted Decimal Notation".
e.g.-   117.200.77.110

IP addresses are divided into number of ranges/classes as given in the table below-

Class    Range      
A    0.0.0.0 to 127.255.255.255      
B    128.0.0.0 to 191.255.255.255      
C    192.0.0.0 to 223.255.255.255      
D    224.0.0.0 to 239.255.255.255      
E    240.0.0.0 to 255.255.255.255   

e.g.-  IP Address 192.168.24.114 belongs to Class 'C'.

How to find out IP Address of your system ?
1) Connect to the Internet.
2) Launch MS-DOS Command Prompt.
3) Type "netstat -n", Press Enter.

You will get the output similar to following-


The IP Address shown in local address field denotes IP Address of your system.
In this case it is 117.200.160.151

IP Address Formats :-
Four different formats of IP Address along with example is as given below-

1) Domain Name System (DNS) : www.insecure.in
2) DWORD Format : 2928008962
3) Octal Format : 0256.0205.0337.002
4) Dotted Decimal Format : 174.133.223.2

Converting DNS IP Address into Normal IP Address :-
You can easily get the IP Address of any domain by various methods such as WHOIS, Netstat, Ping, Traceroute, etc.
Here I have used 'Ping' to get IP Address.

1) Connect to the Internet.
2) Launch MS-DOS Command Prompt.
3) Type "ping domainname", Press Enter.

You will get the output similar to following-



Here, IP Address for Domain "www.insecure.in" is "174.133.223.2"

Thus by typing "http://www.insecure.in" OR "http://2928008962" OR "0256.0205.0337.02" OR "174.133.223.2" in your browser will take you to the same site. -: NetBIOS Hacking :-

NetBIOS stands for "Network Basic Input Output System".
It was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources.
By default it runs on port 139.
NetBIOS gives the various information of the computers on a network, which includes computer name, username, domain, group, and many others.....!

The NBTSTAT Command :-
NBTSTAT is the command for manually interact with NetBIOS Over TCP/IP.
All the attributes (switches) used with nbtstat command and their usage can be viewed.
At the command prompt type-
C:\Windows>nbtstat




Sample NBTSTAT Response :-
C:\>nbtstat -A 117.200.160.174

NetBIOS Remote Machine Name Table

Name         Type    Status      
----------------------------------------------      
PRASANNA    <00>    UNIQUE    Registered      
INSECURE LAB    <00>    GROUP    Registered      
PRASANNA    <03>    UNIQUE    Registered      
PRASANNA    <20>    UNIQUE    Registered      
INSECURE LAB    <1E>    GROUP    Registered   

MAC Address = 86-95-55-50-00-00

An intruder could use the output from an nbtstat against your machines to begin gathering information about them.

"<03> in above table is nothing but the username of that system."

The next step for an intruder would be to try and list the open shares on the given computer, using the net view command.
Here is an example of the Net View command-
C:\>net view \\117.200.160.174
Shared resources at \\117.200.160.174

Sharename      Type      Comment      
----------------------------------------      
C    Disk    Drive C:\      
MySofts    Disk    My Softwares Collection      
E    Disk    Drive E:\   

The command was completed successfully.


This information would give the intruder a list of shares which he would then use in conjunction with the Net Use command, a command used to enable a computer to map a share to it\92s local drive, below is an example of how an intruder would map the C Share to a local G: drive, which he could then browse...!
C:\>net use G: \\117.200.160.174\C
The command was completed successfully.

C:\>G:

G:\>



-: Address Resolution Protocol (ARP) Attacks :-

What Does ARP Mean?
Address Resolution Protocol (ARP) is a stateless protocol, was designed to map Internet Protocol addresses (IP) to their associated Media Access Control (MAC) addresses. This being said, by mapping a 32 bit IP address to an associated 48 bit MAC address via attached Ethernet devices, a communication between local nodes can be made.

On a majority of operating systems, such as Linux, FreeBSD, and other UNIX based operating systems, and even including Windows, the "arp" program is present. This program can be used to display and/or modify ARP cache entries.

An example of the "arp" utility's output would look like the following:

Windows:
> arp -a
Interface: 192.168.1.100 .- 0x10003
Internet Address        Physical Address        Type
192.168.1.1          00-13-10-23-9a-53       dynamic

Linux:
$ arp -na
? (192.168.1.1) at 00:90:B1:DC:F8:C0 [ether] on eth0

FreeBSD:
$ arp -na
? (192.168.1.1) at 00:00:0c:3e:4d:49 on bge0


How ARP works?
Specifically for Internet Protocol Version 4 (IPv4), ARP maps IP addresses between the Network layer and Data Link layer of the Open System Interconnection (OSI) model.
For a more complete and thorough explanation of how address resolution works, and protocol specifics, please consult RFC 826.


ARP Protocol Flaws :-
ARP's main flaw is in its cache. Knowing that it is possible for ARP to update existing entries as well as add to the cache, this leads one to believe that forged replies can be made, which result in ARP cache poisoning attacks.


Terms & Definitions :-
ARP Cache Poisoning : Broadcasting forged ARP replies on a local network. In a sense, "fooling" nodes on the network. This can be done because ARP lacks authentication features, thus blindly accepting any request and reply that is received or sent.

MAC Address Flooding : An ARP cache poisoning attack that is mainly used in switched environments. By flooding a switch with fake MAC addresses, a switch is overloaded. Because of this, it broadcasts all network traffic to every connected node. This outcome is referred to as "broadcast mode" because, all traffic passing through the switch is broadcasted out like a Hub would do. This then can result in sniffing all network traffic.


The ARP Attacks :-
1] Connection Hijacking & Interception : Packet or connection hijacking and interception is the act in which any connected client can be victimized into getting their connection manipulated in a way that it is possible to take complete control over.

2] Connection Resetting : The name explains itself very well. When we are resetting a client's connection, we are cutting their connection to the system. This can be easily done using specially crafted code to do so. Luckily, we have wonderful software that was made to aid us in doing so.

3] Man In The Middle : One of the more prominent ways of attacking another user in order to hijack their traffic, is by means of a Man In The Middle (MITM) attack. Unlike the other attacks, a MITM is more a packet manipulation attack which in the end however does result in packet redirection to the attacker . all traffic will get sent to the attacker doing the MITM attack. This attack however is specific. As opposed to MAC Address Flooding or other attacks against a router/switch, the MITM attack is against a victim, and also can be done outside of a switched environment. Thus meaning, an attack can be executed against a person on the other side of the country.

4] Packet Sniffing : Sniffing on a Local Area Network (LAN) is quite easy if the network is segmented via a hub, rather than a switch. It is of course possible to sniff on a switched environment by performing a MAC flood attack. As a result of the MAC flood, the switch will act as a hub, and allow the entire network to be sniffed. This gives you a chance to use any sort of sniffing software available to you to use against the network, and gather packets.

5] Denial of Service : MAC Address Flooding can be considered a Denial of service attack. The main idea of the MAC flood, is to generate enough packet data to send toward a switch, attempting to make it panic. This will cause the switch to drop into broadcast mode and broadcast all packet data. This however did not result in a crash, or the service to be dropped, but to be overloaded.
-: ClickJacking :-

Definition :-
"Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages." - Wikipedia

Introduction :-
A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.
The long list of vulnerabilities involves browsers, Web sites and plug-ins like Flash.

How It Works? :-
ClickJacking is a little bit difficult to explain however try to imagine any button that you see in your browser from the Wire Transfer Button on your Bank, Post Blog button on your blog, Add user button on your web-site, Google Gadgets etc.
ClickJacking gives the attacker to ability to invisibly float these buttons on-top of other innocent looking objects in your browser.
So when you try to click on the innocent object, you are actually clicking on the malicious button that is floating on top invisibly.

In other words, the attack is thrown by a malicious web page embedding objects, possibly from a different site, such as framed documents or plugin content (Flash, Silverlight, Java\85) which may lead to unwanted results if clicked by the current user (e.g. a \93Delete all messages\94 button in your webmail or an advertisement banner in a click fraud scheme). Using DHTML, and especially CSS, the attacker can disguise or hide the click target in several ways which go completely undetected by the user, who\92s easily tricked into clicking it in a more or less blind way.

JavaScript increases the effectiveness of these attacks hugely, because it can make our invisible target constantly follow the mouse pointer, intercepting user\92s first click with no failure.
We can however imagine a few less effective but still feasible scriptless scenarios, e.g. covering the whole window with hidden duplicates of the target or overlaying an attractive element of the page, likely to be clicked (e.g. a game or a porn image link), with a transparent target instance.

Examples :-
1) Malicious camera spying using Adobe's Flash.
2) Flash, Java, SilverLight, DHTML Game or Application used to Spy on your Webcam and/or Microphone.


     The best defense against ClickJacking attacks is to use Firefox with the NoScript add-on installed.   


  NoScript 2.0.9.7
Allow active content to run only from sites you trust,
and protect yourself against XSS and Clickjacking attacks...!