Ch03 Presentation Transcript

  • Lesson 3-Hacker Techniques
  • Overview
    • Hacker’s motivation.
    • Historical hacking techniques.
    • Advanced techniques.
    • Malicious code.
    • Methods used by untargeted hacker.
    • Methods used by targeted hacker.
  • Hacker’s Motivation
    • The term “hacker” was originally coined for an _________ __________________________________________
    • A hacker currently refers to an individual who _________ ______________________________________________
      • Cracker is another term you might hear to refer to ________________________ who breaks into computers and computer networks
  • Hacker’s Motivation
    • Originally, the most common motivation for hacking into computer systems is the
      • The challenge motivation is usually associated with an ______________________________
    • An untargeted hacker is one who ____________________ ______________________________
    • The _________________________________________ ___________________________________________
  • Hacker’s Motivation
    • Sites having _______________________ (software, money, information) are primary targets for hackers motivated by _________________________.
    • Malicious attacks focus on ________________________
    • The hacker motivated by malicious intent aims at ________________________________________
    • The risk of a hacker being caught and convicted is ______.
    • The potential gain from hacking is _______________.
  • Historical Hacking Techniques
    • ____________________________ :
      • When the Internet was originally created, most systems were configured to _______________________________________ given much consideration.
      • Older versions of Network File System (NFS) used by UNIX allowed ______________________________________________________.
        • Hackers used this open file sharing to ___________________________ _____________________________________________
        • NOTE: NFS is still used, is up to version 4 and has since made security much more robust.
  • Historical Hacking Techniques
    • Open sharing (continued):
      • Many operating systems were shipped out with the _________ ______________________________________________.
      • What is the danger in this?
      • Another vulnerability related to open sharing is __________
      • Rlogin allows users to access ________________________ _______________________________________
        • Hackers can get into a system with remote access, ___________ ____________________________________________________
  • Historical Hacking Techniques
    • Weak passwords:
      • __________________________________________________________________________________________________
        • A two-character password is easier to guess than an eight-character one.
      • Easy to guess passwords allow hackers a quick entry into the system.
        • Often through a ____________________________________ _______________________________________________
  • Password Supplement to text
    • Passwords are the ________________________________________ on a system
    • Password file stored in
      • Directory /etc/passwd or /etc/shadow in Unix systems
    • Password can be cracked if an attacker has gained _________________ ___________________________________________________
      • Or he must resort to
    • Password Cracking – ________________________________________ ________________________________________________________
  • Password Supplement to text
    • Question: If an attacker can only obtain a user-level password what kind of threat is that to your system?
    • One way to protect passwords is to _____ ____________________________________________________________________________________________________________ even if the password files are obtained.
      • Password cracking programs have already been made to work around a one-way hash.
  • Password Supplement to text
    • Three general methods for cracking passwords
      • ____________________________________ ____________________________________
        • Countermeasures- enforceable policies and filters
      • __________________________ builds upon the dictionary method by _____________________ _____________________________________
        • Slight modifications of dictionary words
        • Example: using a password of
        • This would satisfy filters
  • Password Supplement to text
    • Last of the three general methods for cracking passwords
      • _____________________ will always recover the password- it’s just a matter of time.
        • Most ___________________________________ ________________________________
        • Countermeasures- ____________________________________________ ______________________________________________________________
        • How feasible is that?
    • Why would a system administrator want to use a password cracking tool?
  • Password Supplement to text
    • Different password auditing programs
      • __________________________ can be used on Unix or Windows machines
        • Fast and configurable
      • _______________________- can be used on Windows NT/2000/XP machines
        • Newest version- ____________ (there is a fee for this program)
        • Can crack using any method talked about earlier
        • Configurable and easy to use
  • Password Supplement to text
    • Example of a Strong Password Policy
      • Password change
      • Accounts locked
      • All passwords must contain ______________ _________________________________
      • Can’t
  • Historical Hacking Techniques
    • Programming flaws and social engineering:
      • Hackers have used ________________________________ ___________________________________________________
      • Many shopping Websites store information entered by the buyer on a _______________________________________________
      • _____________________ is the use of non-technical means to gain unauthorized access to information or systems.
        • Includes “dumpster diving”-
      • The ______________________ are the most powerful tools used by a hacker using the social engineering technique.
  • Historical Hacking Techniques
    • Buffer overflow:
      • Buffer overflow is _______________________________________ _____________________________________________________
      • A hacker can exploit a buffer overflow to ______________________ _______________________________________________
      • Buffer overflows cause ______________________ such as allowing _______________________________________, cause another application to start, cause a change in a configuration file.
      • Buffer overflows exist because ______________________________ ______________________________________________________
        • Widely used functions exist in ______________________ with buffer overflow issues
  • Historical Hacking Techniques
    • Denial-of-Service (DoS):
      • __________________ are malicious acts to deny legitimate users access to a system, network, application, or information.
      • Most DoS attacks originate from ______________________.
      • In a single-source DoS attack , a ____________________ ________________________________
      • The ________________________ are some of the single-source DoS attacks that have been identified.
        • Ping of Death- sending a large amount of data in a ping packet
  • SYN flood DoS attack
    • Solutions:
    • ________________________________________________________
    • Obtain a device to ___________________
    • Both these solutions are not always successful in protecting systems from a SYN Flood attack.
  • Historical Hacking Techniques
    • Distributed Denial-of-Service (DDoS):
      • DDoS attacks originate from a _____________________ _____________________________________________
      • A Smurf attack is an example of a DDoS attack
        • See next slide
      • There are a number of tools available which enable a hacker to launch a DDoS attack.
  • Smurf DDoS attack
    • Gets all the ping responses from all members of the broadcast
  • Historical Hacking Techniques
    • DDoS process using sophisticated tools:
      • A hacker talks to a _____________________________________ _______________________________________
      • The ______________________________________ that have been placed on _____________________________. The slaves, also called __________ , perform the ___________ against the target system.
    • The attacks could be comprised of UDP packets, TCP SYN flood packets or ICMP traffic
    • See next slide for example…
  • Historical Hacking Techniques
    • The architecture of DDoS attacks.
  • Advanced Techniques
    • Sniffing switch networks.
    • IP spoofing.
  • Sniffer supplement
    • Recall: A sniffer is a _____________________ __________________________________________________________________________________________
      • Packets could contain
      • NOTE: sniffers can also be ___________________________ ________________________________________, but software based sniffers are far more common
    • Sniffers were much easier to use back when they were used ________________________________ (with devices connected to a hub )
      • The hub would “broadcast” data to every device. Only the device with a matching MAC address would process the data.
        • But a sniffer
  • Sniffing Switch Networks
    • In a switched environment, the hacker must cause the switch to
    • Can someone tell me how a switch works once it receives a frame?
    • What is ARP used for?
  • Sniffing Switch Networks
    • Sniffing through ARP spoofing:
      • A sniffer may ______________________________________ ____________________________________________
      • The sniffer must then _____________________________ _______________________________________________
      • ARP spoofing is possible only on local subnets. Why would that be?
  • Sniffing Switch Networks
    • Sniffing through ______________________:
      • ________________________________________ is another way of getting the switch to redirect the traffic to the sniffer .
      • Software is available ______________________ on Windows systems
      • On Unix systems, the ability is
    • Sniffing through DNS Spoofing:
      • A sniffer responds to the sending system’s DNS requests.
        • ______________________________________________________________________________________________________________________
      • DNS Spoofing is possible if the sniffer is ______________________ ______________________________________________________
  • Sniffing Switch Networks
    • Sniffing by
      • When the memory used by switches to store the mappings between MAC addresses and physical ports is full, some switches will
        • ____________________________________________________________________________________________________
        • Effectively turning
      • Sniffing requires that the hacker have a system on the ____________________________
  • Sniffer supplement
    • _____________________________ do the same things that sniffers do.
      • Used to be that the __________________ the ____________________________________
      • Protocol analyzers can be
      • Many good sniffers are
        • Free tools are really all some incident handlers and security specialists use
        • Downside is that you have to
  • Sniffer supplement
    • No matter what your needs, interest or budget, there is most likely at least one sniffer out there that does what you want
    • Examples
      • See next slide
  • Examples of Sniffers
    • Sniffer | Availability | Comments
    • Dsniff | Free | Suite of sniffing tools; including tools for sniffing switched networks
    • Ethereal | Free | Graphical sniffer with additional analysis functions; analyzes all 7 layers of the OSI model
    • Ettercap | Free | Specializes in switched networks and man-in-the-middle sniffing
    • Network Associates Sniffer | Commercial | Decodes many specialized protocols
    • Snort | Free | Also an IDS
    • TCPdump | Free | Sniffer that decodes and prints many common protocols; analyzes only layers 3 and 4 protocols
    • Windump | Free | Windows version of TCPdump
  • Details OF IP Spoofing
    • What is Spoofing an IP address?
      • _________________________________________________________________________________________________
    • ______________________________________________ enables the hacker to attempt an IP spoofing attack
  • IP Spoofing
    • Details of IP spoofing
    • Not sent back to Hacker’s machine
    • The sequence number must be guessed and this must be done _________ ___________________________________________________________________________________
  • IP Spoof attack results
    • If the attack progresses well, the hacker will have a legitimate connection to the target system
    • He will
  • IP Spoofing Example
    • Using IP spoofing in the real world
    • First- we know the target and trusted systems have a trust relationship.
    • The IP address of the trusted system will be allowed into the target system
    • Second- Trusted system must be silenced (with a DoS attack)
    • Third- Once we gain access to the target system (step 5), we can make changes- can you think of changes we can make?
  • Malicious Code
    • Malicious codes include three types of programs:
  • Computer Viruses
    • Computer viruses are __________________________ ______________________________________
    • Virus codes execute when the ___________________ _____________________________________
    • Malicious viruses may __________________________ _____________________________________________
    • Some viruses just spread themselves to other systems without performing any malicious acts.
  • How computer viruses spread…
    • When on an infected computer, the virus will _____________________________ ___________________________________________________________________
    • More common method: read the e-mail address book of infected computer and _________________________________
  • Trojan Horse Programs
    • A Trojan horse is a
    • It is a program that looks benign but actually has a malicious purpose.
      • _______________________________________________ _______________________________________________
    • Most Trojan horse programs contain a mechanism to _____ ______________________________________________
    • May be spread through a harmless looking business utility or game etc.
  • Worms
    • A worm is a program that _______________________ _____________________________________________
      • CodeRed and Slapper Worm are recent examples of worms.
    • Hybrid is the combination of two types of malicious codes into
      • Example: Nimda- spread like a Trojan horse but then infected the system like a worm
  • Process of an attack
      • Step involves ______________________ ______________________________
      • Done gathering info from various sources such as ____________________________ ____________ etc. (we will discuss some of these later on)
      • Think of this step as
  • Process of an attack cont..
      • Allows attacker to focus their efforts and attention on _________________________________________
      • Identify
      • Analyze acceptable risk
      • Can use ______________ at this step
        • best known and most flexible _________________ – used in both Windows and Unix environments
        • Finds ports and services (such as OSs) available
        • Uses IP packets for scanning
  • Process of an attack cont..
      • Use of nbstat
    • NOTE: the above 3 steps are involved in
  • Process of an attack cont..
      • Through means such as _______________, __________________________ etc.
      • ___________________ but NOT at level the hacker needs or wants to be at
        • Will work on getting
      • _____________________________________________________________________
  • Process of an attack cont..
      • Once in- hacker will ________________ from system administrators and other hackers
      • Will also
  • Methods Used by Untargeted Hacker
    • From the beginning of the chapter, can someone tell me what an untargeted hacker is?
      • ____________________________________________________________________________________________________________________________________________________
      • What is the primary motivation of untargeted hackers?
  • Methods Used by Untargeted Hacker cont…
    • Internet reconnaissance:
      • Untargeted hackers look for ___________________________ they can find.
      • The hacker may perform a stealth scan, sometimes in conjunction with a ping sweep.
      • A stealth scan is _______________________________ ________________________________ (example on next slide)
      • A ping sweep is ___________________________________ ____________________________________________
  • Methods Used by Untargeted Hacker cont…
    • Stealth scanning
    • SYN
    • I can send a reset because I know the system is up
  • Methods Used by Untargeted Hacker cont…
    • Reset scans
    • So… Indicates the target system exists
  • Methods Used by Untargeted Hacker cont…
    • Some untargeted hackers may also perform the reconnaissance in several steps.
      • The hacker may choose a domain name and attempt to perform a zone transfer of DNS against this domain.
        • A zone transfer _______________________________________________ __________________________________________________
    • From that list, the hacker may then run a tool such as Nmap to ______________________________________________
    • A stealth scan may be used to ___________________________, and the final list may be used for the actual attacks.
  • Methods Used by Untargeted Hacker cont…
    • Telephone and wireless reconnaissance:
      • Wardialing is a ____________________________________ _______________________________________________
      • Wardriving and Warchalking are methods of wireless reconnaissance (see next slide for definitions)
  • Methods Used by Untargeted Hacker cont…
    • Wardriving involves driving around with a computer and a wireless network adapter for the express _________________________ _______________________________________
    • Warchalking means that the hacker uses ___________________ or sidewalk outside of a building to _______________________ ____________________________________________________
    • An untargeted hacker will use reconnaissance methods to identify systems. They will look for systems that may be vulnerable to the available exploits.
  • Methods Used by Untargeted Hacker cont…
    • Use of Compromised Systems:
      • Hackers normally place a ____________________________ ________________________________________________
      • The back door entries are put together in a rootkit .
      • Hackers may close vulnerabilities they used to gain access, so that
      • A compromised system may be used to attack other systems or for reconnaissance purposes.
        • Example: installing a password sniffer to capture password for
  • Rootkit
    • A type of
    • A _______________________________ ___________________________________________________________________________
    • Process:
      • User level access is obtained by a vulnerability or cracking a password
      • Rootkit installed
      • User passwords and id’s obtained
    • Today, rootkits are _______________________ on a network
  • Methods Used by Targeted Hacker
    • A targeted hacker ________________________________ ___________________________________________
    • A targeted hacker is motivated by a desire to ___________ _____________________________________________
    • The skill level of targeted hackers tends to be higher than that of untargeted hackers.
  • Methods Used by Targeted Hacker
    • Reconnaissance:
      • Address reconnaissance is the _________________________ _____________________________________________
        • Addresses can be identified through ______________________ ___________________________________________ or through text searches at Network Solutions.
      • Additional info on the target can be found by doing a zone transfer if allowed.
        • What is a zone transfer?
  • Methods Used by Targeted Hacker
    • Reconnaissance (continued):
      • Phone number reconnaissance is more difficult than identifying network addresses.
        • Hacker may attempt to look for __________________________ ________________________________________________
      • The hacker can perform wireless reconnaissance by walking or driving around the organization’s building.
  • Methods Used by Targeted Hacker
    • Reconnaissance (continued):
      • System reconnaissance is used to ____________________ _______________________________________________
      • Ping sweeps, stealth scans, or port scans may be used to identify systems.
        • These can be done in such a way so as to not send up a flag from an IDS
      • Identifying the operating system may be done by _______________ ________________________________ such as which ports are open and ___________________
  • Methods Used by Targeted Hacker
    • Reconnaissance (continued):
      • Attacking or ____________________________________ ____________________
      • Vulnerability scanners will provide information, but _________ ______________________________________________
        • See next slide for more info on vulnerability scanners
  • Vulnerability scanner supplement
    • A Vulnerability scanner is a ___________ ______________________________________________________________________________________________________
    • Vulnerabilities checked include ______________________________________________________________________________________________________
  • Versions of vulnerability scanners
      • Takes a _____________________________ to securing computer networks.
        • _________________________________________________ _________________________________________________________________________________________________
      • Most
      • Fast, reliable and includes a variety of plug-ins
      • Will not fix security holes- just __________________ ________________________________________
      • Works on Unix-like systems but has a Windows version called
  • Methods Used by Targeted Hacker
    • Reconnaissance (continued):
      • Business reconnaissance will help the hacker identify the __________ ____________________________________________________
      • Studying the employees of the organization may prove valuable for the purpose of
      • The hacker may gain access to the organization through its _______ ___________________________________________________________
      • Targeted hackers use physical reconnaissance extensively.
        • Weaknesses in physical security may be used to gain access to the site.
      • The hacker may also find information by searching a dumpster if trash and paper to be recycled are dumped into it.
        • What is this called?
  • Methods Used by Targeted Hacker
    • Electronic attack methods:
      • The hacker may attempt to hide the attack from the intrusion detection system by
      • The hacker must make the system ___________________ _________________ if the attack is successful.
        • Only removing log files which show hacker’s presence
      • The hacker will _________________________ to allow repeated access to a compromised system.
  • Methods Used by Targeted Hacker
    • Electronic attack methods (continued):
      • Systems with _________________ are prime targets for attacks via _______________________
      • The hacker may send a virus or a Trojan horse program to an employee’s home system to gain access.
      • Wireless networks may provide the easiest access path.
        • May be part of the organization’s internal network but have _______________________________________________
  • Methods Used by Targeted Hacker
    • Physical attack methods:
      • Social engineering is the safest physical attack method.
        • It may lead to electronic information.
      • Checking the dumpster or __________________________ ____________________ are other methods of physical attack.
  • Summary
    • A hacker may be motivated by the challenge of breaking in, greed, or malicious intent.
    • Open file sharing, weak passwords, programming flaws, and buffer overflows were exploited by hackers to break into systems.
    • In social engineering, the hacker uses human nature and the ability to lie, to access information.
  • Summary
    • In Denial-of-Service attacks, legitimate users are denied access to the system, network, information, or applications.
    • In Distributed Denial-of-Service attacks, many systems are coordinated to attack a single target.
    • Sniffing switch networks involves getting the switch to either redirect traffic to the sniffer or send all traffic to all ports.
  • Summary
    • ARP spoofing, MAC duplicating, and DNS spoofing are the three methods of redirecting traffic.
    • IP spoofing involves modifying the source address to make the packet appear as if coming from elsewhere.
    • Viruses, Trojan horse programs, and worms are the three types of malicious codes.
  • Summary
    • Untargeted hackers do not aim at accessing particular information or organizations, but look for any system that can be compromised.
    • Targeted hackers have a reason for attacking an organization.
  • Homework due next class
    • Essay/ research project described below:
      • Find a recent (no longer than 1 year old) security article that covers a topic discussed in chapter 2. Print out article including the source and write an article summary.
      • The summary should be 1 or 2 paragraphs in length and summarize the article. Feel free to also give your opinions.
      • You may be asked to present your findings to the class
    • Key Term Quiz and Multiple Choice Quiz
      • P. 89- 92 ALL
    • First Exam on Chapters 1, 2 and 3 coming up
    • Wrap up lab work