About ethical hacking

About Ethical Hacking

Internet Security and Ethical Hacking      

Welcome to the unique confluence of hackers , crackers and security professionals
on the world wide web.
This is your complete resource for internet security and ethical hacking.

 -: The Ethical Hacker :-
Most people thinks that hackers are computer criminals. They fail to recognise the fact that criminals and hackers are two totally different things. Media is responsible for this. Hackers in reality are actually good and extremely intelligent people who by using their knowledge in a constructive manner help organisations, companies, goverment, etc. to secure documents and secret information on the internet.       
          
           
-: Network Hacking :-

Network Hacking is generally means gathering information about domain by using tools like Telnet, NslookUp, Ping, Tracert, Netstat, etc.
It also includes OS Fingerprinting, Port Scaning and Port Surfing using various tools.

Ping :- Ping is part of ICMP (Internet Control Message Protocol) which is used to troubleshoot TCP/IP networks. So, Ping is basically a command that allows you to check whether the host is alive or not.
To ping a particular host the syntax is (at command prompt)--
c:/>ping hostname.com

example:- c:/>ping www.google.com


Various attributes used with 'Ping' command and their usage can be viewed by just typing c:/>ping at the command prompt.


Netstat :- It displays protocol statistics and current TCP/IP network connections. i.e. local address, remote address, port number, etc.
It's syntax is (at command prompt)--
c:/>netstat -n




Telnet :- Telnet is a program which runs on TCP/IP. Using it we can connect to the remote computer on particular port. When connected it grabs the daemon running on that port.
The basic syntax of Telnet is (at command prompt)--
c:/>telnet hostname.com

By default telnet connects to port 23 of remote computer.
So, the complete syntax is-
c:/>telnet www.hostname.com port

example:- c:/>telnet www.yahoo.com 21 or c:/>telnet 192.168.0.5 21


Tracert :- It is used to trace out the route taken by the certain information i.e. data packets from source to destination.
It's syntax is (at command prompt)--
c:/>tracert www.hostname.com
example:- c:/>tracert www.insecure.in



Here "*    *    *    Request timed out." indicates that firewall installed on that system block the request and hence we can't obtain it's IP address.

various attributes used with tracert command and their usage can be viewed by just typing c:/>tracert at the command prompt.

The information obtained by using tracert command can be further used to find out exact operating system running on target system.

   
-: Network Hacking (Port Scanning) :-

Port Scanning :- Port scanning is carried out to determine a list of open ports on the remote host that have certain services or daemons running. In port scanning, the attacker connects to various TCP and UDP ports and tries to determine which ports are in listening mode.

1) TCP Ports Scanning :- Almost all port scans are based on the client sending a packet containing a particular flag to the target port of the remote system to determine whether the port is open. Following table lists the type of flags a TCP packet header can contain.

Flag    Meaning      
URG (urgent)    This flag tells the receiver that the data pointed at by the urgent pointer required urgently.      
ACK (acknowledgment)    This flag is turned on whenever sender wants to acknowledge the receipt of all data send by the receiving end.      
PSH (push)    The data must be passed on to the application as soon as possible.      
RST (reset)    There has been a problem with the connection and one wants to reset the connection with another.      
SYN (synchronize)    If system X wants to establish TCP connection with system Y, then it sends it's own sequence number to Y, requesting that a connection be established. Such apacket is known as synchronize sequence numbers or SYN packet.      
FIN (finish)    If system X has finished sending all data packets and wants to end the TCP/IP connection that it has established with Y, then it sends a packet with a FIN flag to system Y.    


A typical TCP/IP three way handshake can be described as follows :
1) The client sends a SYN packet to the server.
2) The server replies with a SYN packet and acknowledges the client's SYN packet by sending an ACK packet.
3) The client acknowledges the SYN sent by the server.

Different techniques of TCP port scanning are :-
1) TCP connect port scanning
2) TCP SYN scanning (half open scanning)
3) SYN/ACK scanning
4) TCP FIN scanning
5) TCP NULL scanning
6) TCP Xmas tree scanning

2) UDP Ports Scanning :- In UDP port scanning, aUDP packet is sent to each port on the target host one by one.
If the remote port is closed, then the server replies with a Port Unreachable ICMP error message. If the port is open then no such error message is generated.

3) FTP Bounce Port Scanning :- The FTP bounce port scanning technique was discovered by Hobbit. He revealed a very interesting loophole in the FTP protocol that allowed users connected to the FTP service of a particular system to connect to any port of another system. This loophole allows anonymous port scanning.


Recommended   Tools      
Nmap    http://www.insecure.org/nmap      
Superscan    http://www.foundstone.com   


-: Network Hacking (OS Fingerprinting) :-

OS Fingerprinting :- OS Fingerprinting refers to detection of target computer's operating system.
Since, different operating system responds differently to the same kind of ICMP message, it is very important for an attacker to determine the exact operating system running on target system.
Also attacker can carry out attacks by taking over the vulnerabilities/bugs found in that particular operating system.
There are four areas that we will look at to determine the operating system (however there are other signatures that can be used). These signatures are:

1) TTL - What the operating system sets the Time To Live on the outbound packet.
2) Window Size - What the operating system sets the Window Size at.
3) DF - Does the operating system set the Don't Fragment bit.
4) TOS - Does the operating system set the Type of Service, and if so, at what.

There are two different types of OS Fingerprinting technique -

1) Active OS Fingerprinting :- Remote active operating system fingerprinting is the process of actively determining a targeted network node’s underlying operating system by probing the
targeted system with several packets and examining the response(s), or lack thereof, received? The traditional approach is to examine the TCP/IP stack behavior (IP, TCP, UDP, and ICMP protocols) of a targeted network element when probed with several legitimate and/or malformed packets.

Recommended Tools      
Nmap    http://insecure.org/nmap   


2) Passive OS Fingerprinting :-Passive fingerprinting is based on sniffer traces from the remote system. Instead of actively querying the remote system, all you need to do is capture packets sent from the remote system. Based on the sniffer traces of these packets, you can determine the operating system of the remote host. Just like in active fingerprinting, passive fingerprinting is
based on the principle that every operating system's IP stack has its own idiosyncrasies. By analyzing sniffer traces and identifying these differences, you may be able determine the operating system of the remote host.

Recommended Tools      
P0f    http://lcamtuf.coredump.cx/p0f.shtml      
Ettercap    http://ettercap.sourceforge.net   
-: IP Address :-

Definition :-
"An Internet Protocol (IP) address is a numerical identification (logical address) that is assigned to devices participating in a computer network utilizing the Internet Protocol for communication between its nodes".   -- Wikipedia

The Internet Protocol (IP) has two versions currently in use which are IPv4 and IPv6.
This article represents to IPv4 version only.

In general, an IP address is a 32-bit decimal number that is normally written as four numbers between 1 to 255 (8 bits or 1 byte each), each seperated from the other by a decimal point. This standard is known as "Dotted Decimal Notation".
e.g.-   117.200.77.110

IP addresses are divided into number of ranges/classes as given in the table below-

Class    Range      
A    0.0.0.0 to 127.255.255.255      
B    128.0.0.0 to 191.255.255.255      
C    192.0.0.0 to 223.255.255.255      
D    224.0.0.0 to 239.255.255.255      
E    240.0.0.0 to 255.255.255.255   

e.g.-  IP Address 192.168.24.114 belongs to Class 'C'.

How to find out IP Address of your system ?
1) Connect to the Internet.
2) Launch MS-DOS Command Prompt.
3) Type "netstat -n", Press Enter.

You will get the output similar to following-


The IP Address shown in local address field denotes IP Address of your system.
In this case it is 117.200.160.151

IP Address Formats :-
Four different formats of IP Address along with example is as given below-

1) Domain Name System (DNS) : www.insecure.in
2) DWORD Format : 2928008962
3) Octal Format : 0256.0205.0337.002
4) Dotted Decimal Format : 174.133.223.2

Converting DNS IP Address into Normal IP Address :-
You can easily get the IP Address of any domain by various methods such as WHOIS, Netstat, Ping, Traceroute, etc.
Here I have used 'Ping' to get IP Address.

1) Connect to the Internet.
2) Launch MS-DOS Command Prompt.
3) Type "ping domainname", Press Enter.

You will get the output similar to following-



Here, IP Address for Domain "www.insecure.in" is "174.133.223.2"

Thus by typing "http://www.insecure.in" OR "http://2928008962" OR "0256.0205.0337.02" OR "174.133.223.2" in your browser will take you to the same site. -: NetBIOS Hacking :-

NetBIOS stands for "Network Basic Input Output System".
It was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources.
By default it runs on port 139.
NetBIOS gives the various information of the computers on a network, which includes computer name, username, domain, group, and many others.....!

The NBTSTAT Command :-
NBTSTAT is the command for manually interact with NetBIOS Over TCP/IP.
All the attributes (switches) used with nbtstat command and their usage can be viewed.
At the command prompt type-
C:\Windows>nbtstat




Sample NBTSTAT Response :-
C:\>nbtstat -A 117.200.160.174

NetBIOS Remote Machine Name Table

Name         Type    Status      
----------------------------------------------      
PRASANNA    <00>    UNIQUE    Registered      
INSECURE LAB    <00>    GROUP    Registered      
PRASANNA    <03>    UNIQUE    Registered      
PRASANNA    <20>    UNIQUE    Registered      
INSECURE LAB    <1E>    GROUP    Registered   

MAC Address = 86-95-55-50-00-00

An intruder could use the output from an nbtstat against your machines to begin gathering information about them.

"<03> in above table is nothing but the username of that system."

The next step for an intruder would be to try and list the open shares on the given computer, using the net view command.
Here is an example of the Net View command-
C:\>net view \\117.200.160.174
Shared resources at \\117.200.160.174

Sharename      Type      Comment      
----------------------------------------      
C    Disk    Drive C:\      
MySofts    Disk    My Softwares Collection      
E    Disk    Drive E:\   

The command was completed successfully.


This information would give the intruder a list of shares which he would then use in conjunction with the Net Use command, a command used to enable a computer to map a share to it\92s local drive, below is an example of how an intruder would map the C Share to a local G: drive, which he could then browse...!
C:\>net use G: \\117.200.160.174\C
The command was completed successfully.

C:\>G:

G:\>



-: Address Resolution Protocol (ARP) Attacks :-

What Does ARP Mean?
Address Resolution Protocol (ARP) is a stateless protocol, was designed to map Internet Protocol addresses (IP) to their associated Media Access Control (MAC) addresses. This being said, by mapping a 32 bit IP address to an associated 48 bit MAC address via attached Ethernet devices, a communication between local nodes can be made.

On a majority of operating systems, such as Linux, FreeBSD, and other UNIX based operating systems, and even including Windows, the "arp" program is present. This program can be used to display and/or modify ARP cache entries.

An example of the "arp" utility's output would look like the following:

Windows:
> arp -a
Interface: 192.168.1.100 .- 0x10003
Internet Address        Physical Address        Type
192.168.1.1          00-13-10-23-9a-53       dynamic

Linux:
$ arp -na
? (192.168.1.1) at 00:90:B1:DC:F8:C0 [ether] on eth0

FreeBSD:
$ arp -na
? (192.168.1.1) at 00:00:0c:3e:4d:49 on bge0


How ARP works?
Specifically for Internet Protocol Version 4 (IPv4), ARP maps IP addresses between the Network layer and Data Link layer of the Open System Interconnection (OSI) model.
For a more complete and thorough explanation of how address resolution works, and protocol specifics, please consult RFC 826.


ARP Protocol Flaws :-
ARP's main flaw is in its cache. Knowing that it is possible for ARP to update existing entries as well as add to the cache, this leads one to believe that forged replies can be made, which result in ARP cache poisoning attacks.


Terms & Definitions :-
ARP Cache Poisoning : Broadcasting forged ARP replies on a local network. In a sense, "fooling" nodes on the network. This can be done because ARP lacks authentication features, thus blindly accepting any request and reply that is received or sent.

MAC Address Flooding : An ARP cache poisoning attack that is mainly used in switched environments. By flooding a switch with fake MAC addresses, a switch is overloaded. Because of this, it broadcasts all network traffic to every connected node. This outcome is referred to as "broadcast mode" because, all traffic passing through the switch is broadcasted out like a Hub would do. This then can result in sniffing all network traffic.


The ARP Attacks :-
1] Connection Hijacking & Interception : Packet or connection hijacking and interception is the act in which any connected client can be victimized into getting their connection manipulated in a way that it is possible to take complete control over.

2] Connection Resetting : The name explains itself very well. When we are resetting a client's connection, we are cutting their connection to the system. This can be easily done using specially crafted code to do so. Luckily, we have wonderful software that was made to aid us in doing so.

3] Man In The Middle : One of the more prominent ways of attacking another user in order to hijack their traffic, is by means of a Man In The Middle (MITM) attack. Unlike the other attacks, a MITM is more a packet manipulation attack which in the end however does result in packet redirection to the attacker . all traffic will get sent to the attacker doing the MITM attack. This attack however is specific. As opposed to MAC Address Flooding or other attacks against a router/switch, the MITM attack is against a victim, and also can be done outside of a switched environment. Thus meaning, an attack can be executed against a person on the other side of the country.

4] Packet Sniffing : Sniffing on a Local Area Network (LAN) is quite easy if the network is segmented via a hub, rather than a switch. It is of course possible to sniff on a switched environment by performing a MAC flood attack. As a result of the MAC flood, the switch will act as a hub, and allow the entire network to be sniffed. This gives you a chance to use any sort of sniffing software available to you to use against the network, and gather packets.

5] Denial of Service : MAC Address Flooding can be considered a Denial of service attack. The main idea of the MAC flood, is to generate enough packet data to send toward a switch, attempting to make it panic. This will cause the switch to drop into broadcast mode and broadcast all packet data. This however did not result in a crash, or the service to be dropped, but to be overloaded.
-: ClickJacking :-

Definition :-
"Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages." - Wikipedia

Introduction :-
A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.
The long list of vulnerabilities involves browsers, Web sites and plug-ins like Flash.

How It Works? :-
ClickJacking is a little bit difficult to explain however try to imagine any button that you see in your browser from the Wire Transfer Button on your Bank, Post Blog button on your blog, Add user button on your web-site, Google Gadgets etc.
ClickJacking gives the attacker to ability to invisibly float these buttons on-top of other innocent looking objects in your browser.
So when you try to click on the innocent object, you are actually clicking on the malicious button that is floating on top invisibly.

In other words, the attack is thrown by a malicious web page embedding objects, possibly from a different site, such as framed documents or plugin content (Flash, Silverlight, Java\85) which may lead to unwanted results if clicked by the current user (e.g. a \93Delete all messages\94 button in your webmail or an advertisement banner in a click fraud scheme). Using DHTML, and especially CSS, the attacker can disguise or hide the click target in several ways which go completely undetected by the user, who\92s easily tricked into clicking it in a more or less blind way.

JavaScript increases the effectiveness of these attacks hugely, because it can make our invisible target constantly follow the mouse pointer, intercepting user\92s first click with no failure.
We can however imagine a few less effective but still feasible scriptless scenarios, e.g. covering the whole window with hidden duplicates of the target or overlaying an attractive element of the page, likely to be clicked (e.g. a game or a porn image link), with a transparent target instance.

Examples :-
1) Malicious camera spying using Adobe's Flash.
2) Flash, Java, SilverLight, DHTML Game or Application used to Spy on your Webcam and/or Microphone.


     The best defense against ClickJacking attacks is to use Firefox with the NoScript add-on installed.   


  NoScript 2.0.9.7
Allow active content to run only from sites you trust,
and protect yourself against XSS and Clickjacking attacks...!