Lab session 1

W3CERT LAB exam answers
Lab session I
Student name: gopinathanrm
Student ID: SID1516

Question 1:
Perform a Whois probe on the following hostnames and IP addresses.
Host names: www.ethicaluniversity.com | www.anti-intruders.org | www.techm4sters.org
IP addresses: 85.17.45.118 | 208.65.153.253

Answers:

Host 1: www.ethicaluniversity.com

Registry Whois
Domain Name: ethicaluniversity.com
Status: clientTransferProhibited
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Expiration Date: 2009-06-05
Creation Date: 2007-06-05
Last Update Date: 2008-03-30
Name Servers: ns10.crucialdns.com, ns11.crucialdns.com

Extended Info
IP Address: 208.76.245.242
IP Location: United States
Website Status: active
Server Type: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.25
Alexa Trend/Rank: 3 Month: 6,892,201
Page Views per Visit: 3 Month: 1.4
Cache Date: 2009-01-10 09:49:01 MST
Compare Archived Data: 2007-07-20

Whois
Visit AboutUs.org for more information about ethicaluniversity.com: http://www.aboutus.org/ethicaluniversity.com
Registration Service Provided By: NameCheap.com
Contact: Visit http://www.namecheap.com/
Domain name: ethicaluniversity.com
Registrant Contact: Personal, karishma f, 45N kiatokama, nishathi, illinos, P 754822, US
Administrative Contact: Personal, f, +1.457645 (fax +1.5555555555), 45N kiatokama, nishathi, illinos, P 754822, US
Technical Contact: Personal, karishma f, +1.457645 (fax +1.5555555555), 45N kiatokama, nishathi, illinos, P 754822, US
Status: Locked
Name Servers: NS10.CRUCIALDNS.COM, NS11.CRUCIALDNS.COM
Creation date: 05 Jun 2007 09:33:35
Expiration date: 05 Jun 2009 09:33:35

The contact details here are obviously placeholder values (fax +1.5555555555, a misspelt state), which is common for throwaway or privacy-conscious registrations; the registrar, dates and name servers are the parts of this record worth relying on.

Host 2: www.anti-intruders.org

Registry Whois
Domain Name: anti-intruders.org
Status: CLIENT DELETE PROHIBITED, CLIENT RENEW PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED
Registrar: Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Expiration Date: 2009-05-30 15:02:43
Creation Date: 2007-05-30 15:02:43
Last Update Date: 2008-12-02 15:46:33
Name Servers: ns10.crucialdns.com, ns11.crucialdns.com

Extended Info
IP Address: 208.76.245.162
IP Location: United States
Website Status: active
Server Type: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.25
Alexa Trend/Rank: 1 Month: 1,519,775; 3 Month: 1,203,580
Page Views per Visit: 1 Month: 1.2; 3 Month: 1.6
Cache Date: 2009-01-10 09:52:37 MST
Compare Archived Data: 2007-11-27

Whois
Registrant, Administrative and Technical Contact Information (identical for all three):
Name: Lakhan
Organization: VS
Address 1: centeral mumbai
Address 2: mumbai
City: india
State: Maharashtra
Zip: 4455002214
Country: IN
Phone: +91.325655
Email:

Host 3: www.techm4sters.org

Registry Whois
Domain Name: techm4sters.org
Status: OK
Registrar: eNom, Inc. (R39-LROR)
Expiration Date: 2009-02-05 17:35:21
Creation Date: 2007-02-05 17:35:21
Last Update Date: 2008-02-04 16:50:45
Name Servers: ns1.lizardserver.net, ns2.lizardserver.net

Extended Info
IP Address: 78.47.43.249
IP Location: Germany
Website Status: active
Server Type: Apache/1.3.41 (Unix) mod_perl/1.30 mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Alexa Trend/Rank: 1 Month: 3,679,825; 3 Month: 4,529,391
Page Views per Visit: 1 Month: 3.0; 3 Month: 2.1
Cache Date: 2009-01-10 09:54:51 MST
Compare Archived Data: 2008-05-27

Whois
Registrant, Administrative and Technical Contact Information (identical for all three):
Name: Manuel Castro
Address 1: Rua Mario de Almeida n 80 5 E
Address 2: sq Frt
City: Braga
Zip: 4705 395
Country: PT
Phone: +351.917582495
Email:

IP Address 1: 85.17.45.118
Website name: criticalsecurity.net

Registry Whois (ARIN)
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 85.0.0.0 - 85.255.255.255
CIDR: 85.0.0.0/8
NetName: 85-RIPE
NetHandle: NET-85-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in the RIPE NCC region. Contact information can be found in the RIPE database at http://www.ripe.net/whois
RegDate: 2004-04-01
Updated: 2004-04-06
# ARIN WHOIS database, last updated 2009-01-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Note that this is only ARIN's delegation record for the whole 85.0.0.0/8 block. The assignment that actually covers 85.17.45.118 lives in the RIPE database, so the lookup has to be repeated against the ReferralServer (whois.ripe.net) to learn who operates the address; stopping at the /8 record tells you nothing about the host itself.

IP Address 2: 208.65.153.253
Website name: youtube.com

Registry Whois (ARIN)
OrgName: YouTube, Inc.
OrgID: YOUTU
Address: 71 E Third Ave
Address: 2nd Floor
City: San Mateo
StateProv: CA
PostalCode: 94401
Country: US
NetRange: 208.65.152.0 - 208.65.155.255
CIDR: 208.65.152.0/22
NetName: YOUTUBE
NetHandle: NET-208-65-152-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Assignment
NameServer: DNS1.SJL.YOUTUBE.COM
NameServer: DNS2.SJL.YOUTUBE.COM
Comment:
RegDate: 2006-03-02
Updated: 2006-03-09
RTechHandle: NETWO1084-ARIN
RTechName: networkradbaccount
RTechPhone: +1-650-343-2960
RTechEmail:
OrgTechHandle: NETWO1084-ARIN
OrgTechName: networkradbaccount
OrgTechPhone: +1-650-343-2960
OrgTechEmail:
# ARIN WHOIS database, last updated 2009-01-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
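The lookups above were done with a web front end, which is why the 85.17.45.118 query stopped at ARIN's /8 delegation instead of following the referral to RIPE. A small WHOIS client that does follow referrals is added below as a worked example for Question 1; it is not part of the lab answer or of the w3dt.net tool. The port-43 exchange is the RFC 3912 protocol (one query line, read until the server closes). The parser and the referral logic are exercised offline on text copied from the ethicaluniversity.com and 85.0.0.0/8 records reproduced above; whois.iana.org as the starting server and the four-hop limit are assumptions for the live path.

```python
"""WHOIS client that follows referrals (added example for Question 1).

Not part of the original lab answer.  whois_query() speaks the RFC 3912
protocol over TCP/43; parse_whois() and referral_server() are pure text
functions and are exercised on records copied from the lab sheet.
"""
import re
import socket
import sys

# Sample records copied (abridged) from the Question 1 output above.
SAMPLE_DOMAIN_RECORD = """\
Domain Name: ethicaluniversity.com
Status: clientTransferProhibited
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Expiration Date: 2009-06-05
Creation Date: 2007-06-05
Name Servers:
    ns10.crucialdns.com
    ns11.crucialdns.com
"""

SAMPLE_ARIN_RECORD = """\
OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
ReferralServer: whois://whois.ripe.net:43
NetRange:   85.0.0.0 - 85.255.255.255
CIDR:       85.0.0.0/8
NetName:    85-RIPE
NetType:    Allocated to RIPE NCC
# ARIN WHOIS database, last updated 2009-01-09 19:10
"""

# 'Key: value' where the key is a word or phrase without a colon or dot,
# so a bare hostname on an indented continuation line does not match.
KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /_-]*?):\s*(.*?)\s*$")


def parse_whois(text):
    """Return {lower-cased key: [values]} for a WHOIS response.

    Indented lines without a key (as under 'Name Servers:') are appended
    to the preceding key; '#' and '%' comment lines are skipped.
    """
    record, last_key = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "%")):
            continue
        m = KEY_VALUE.match(line)
        if m:
            last_key = m.group(1).strip().lower()
            values = record.setdefault(last_key, [])
            if m.group(2):
                values.append(m.group(2))
        elif last_key is not None:
            record[last_key].append(stripped)
    return record


def referral_server(record):
    """Return (host, port) to query next, or None if this record is final.

    IANA uses 'refer:', the RIRs use 'ReferralServer: whois://host[:port]',
    and thin gTLD registries such as Verisign use 'Whois Server:'.
    """
    for value in record.get("referralserver", []):
        m = re.match(r"whois://([^:/\s]+)(?::(\d+))?", value)
        if m:
            return m.group(1), int(m.group(2) or 43)
    for key in ("refer", "whois server"):
        for value in record.get(key, []):
            return value.strip(), 43
    return None


def whois_query(query, server, port=43, timeout=10.0):
    """Send one query line and read the response until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")


def whois_lookup(query, start_server="whois.iana.org", max_hops=4):
    """Follow referrals from start_server; return [(server, parsed record)]."""
    results, hop, seen = [], (start_server, 43), set()
    while hop not in seen and len(results) < max_hops:
        seen.add(hop)
        record = parse_whois(whois_query(query, *hop))
        results.append((hop[0], record))
        hop = referral_server(record)
        if hop is None:
            break
    return results


if __name__ == "__main__":
    # Usage: python whois_follow.py ethicaluniversity.com   (or an IP address)
    for server, record in whois_lookup(sys.argv[1]):
        print(f"== {server} ==")
        for key in ("domain name", "registrar", "name servers",
                    "netrange", "cidr", "netname", "orgname"):
            if key in record:
                print(f"  {key}: {', '.join(record[key])}")
```

Run against an IP in 85.0.0.0/8 the client would stop at ARIN only if ARIN returned no ReferralServer line; with the record above it continues to whois.ripe.net, which is the step the web tool skipped. The hop limit and the seen-set stop a pair of registries that refer to each other from looping.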
Question 2:
Perform a traceroute on the following host names.
Host names: www.ethicaluniversity.com | www.anti-intruders.org

Answers:

Host 1: www.ethicaluniversity.com

Tracing route to 208.76.245.242.reverse.crucialx.net [208.76.245.242] with TTL of 32:
 1   26ms   14ms   12ms  203-221-91-1------dato-dc-reverse.w3dt.net [203.221.91.1]
 2   31ms   36ms   42ms  203-220-7-193-----dato-dc-reverse.w3dt.net [203.220.7.193]
 3   48ms   44ms   55ms  141.112.220.203.unassigned.comindico.com.au [203.220.112.141]
 4   66ms   53ms   46ms  141.112.220.203.unassigned.comindico.com.au [203.220.112.141]
 5   48ms   41ms   41ms  syd-pow-cla-crt1-pos-1-3.tpgi.com.au [202.7.162.61]
 6  185ms  190ms  189ms  66.162.129.149
 7  245ms  247ms  235ms  peer-02-so-0-0-0-0.chcg.twtelecom.net [66.192.244.20]
 8  245ms  241ms  237ms  ge-2-1-0.mpr1.ord2.above.net [64.125.26.249]
 9  274ms  274ms  286ms  so-0-1-0.mpr2.dfw2.us.above.net [64.125.25.134]
10  285ms  270ms  274ms  xe-1-1-0.er1.dfw2.us.above.net [64.125.26.210]
11  275ms      *  275ms  xe-0-0-0.er2.dfw2.us.above.net [64.125.26.206]
12  265ms  261ms  256ms  209.249.122.74.available.above.net [209.249.122.74]
13  254ms  264ms  276ms  ge-1-2.core2.colo4dallas.net [206.123.64.30]
14  269ms  259ms  256ms  gi0-0.core02.crucialx.net [72.29.100.138]
15  254ms  252ms  246ms  208.76.245.242.reverse.crucialx.net [208.76.245.242]
Traceroute complete.

Host 2: www.anti-intruders.org

Tracing route to s243.c4.crucialx.net [208.76.245.162] with TTL of 32:
 1   18ms   21ms   16ms  203-221-91-1------dato-dc-reverse.w3dt.net [203.221.91.1]
 2   46ms   25ms   36ms  203-220-7-193-----dato-dc-reverse.w3dt.net [203.220.7.193]
 3   44ms   39ms   52ms  13.112.220.203.unassigned.comindico.com.au [203.220.112.13]
 4   40ms   41ms   39ms  13.112.220.203.unassigned.comindico.com.au [203.220.112.13]
 5   43ms   37ms   58ms  syd-pow-cla-crt1-pos-1-3.tpgi.com.au [202.7.162.61]
 6  186ms  204ms  191ms  66.162.129.149
 7  244ms  243ms  239ms  peer-02-so-0-0-0-0.chcg.twtelecom.net [66.192.244.20]
 8  241ms      *  235ms  ge-2-1-0.mpr1.ord2.above.net [64.125.26.249]
 9  275ms  269ms  276ms  so-0-1-0.mpr2.dfw2.us.above.net [64.125.25.134]
10      *  265ms  277ms  xe-1-1-0.er1.dfw2.us.above.net [64.125.26.210]
11  278ms  262ms  266ms  xe-0-0-0.er2.dfw2.us.above.net [64.125.26.206]
12  253ms  252ms  251ms  209.249.122.74.available.above.net [209.249.122.74]
13  253ms  281ms  275ms  ge-1-2.core2.colo4dallas.net [206.123.64.30]
14  251ms  254ms  249ms  gi0-0.core02.crucialx.net [72.29.100.138]
15  265ms  264ms  264ms  s243.c4.crucialx.net [208.76.245.162]
Traceroute complete.

Both traces were run from the w3dt.net probe in Australia (hops 1 to 5 are Australian networks) and share every hop up to gi0-0.core02.crucialx.net, so the two sites sit behind the same hosting provider; this matches the shared crucialdns.com name servers, identical Apache build strings and adjacent 208.76.245.x addresses seen in Question 1. The jump from roughly 40 ms at hop 5 (tpgi.com.au) to roughly 190 ms at hop 6 marks the international leg toward the US carriers from hop 7 onward. A single "*" in a column is a lost probe or a router that rate-limits ICMP replies, not a dead hop.

Question 3:
Perform a ping sweep on any IP range.

Answer:

Range: 208.76.245.162 - 208.76.246.254

Live hosts this batch: 0
Live hosts this batch: 0
Total live hosts discovered: 0
Total open TCP ports: 0
Total open UDP ports: 0
The IP list contains 511 entries
Service TCP ports: 179
Service UDP ports: 88
Packet delay: 10
Discovery passes: 1
ICMP pinging for host discovery: Yes
Host discovery ICMP timeout: 2000
TCP banner grabbing timeout: 8000
UDP banner grabbing timeout: 8000
Service scan passes: 1
Hostname resolving passes: 1
Full connect TCP scanning for service scanning: No
Service scanning TCP timeout: 4000
Service scanning UDP timeout: 2000
TCP source port: 0
UDP source port: 0
Enable hostname lookup: Yes
Enable banner grabbing: Yes
Scan started: 01/11/09 14:58:55
-------- Scan of 511 hosts started --------
Scanning 256 machines with 511 remaining.
-------- Host discovery pass 1 of 1 --------
Host discovery ICMP (Echo) scan (256 hosts)...
0 new machines discovered with ICMP (Echo)
Reporting scan results...
Scanning 255 machines with 255 remaining.
-------- Host discovery pass 1 of 1 --------
Host discovery ICMP (Echo) scan (255 hosts)...
0 new machines discovered with ICMP (Echo)
Reporting scan results...
-------- Scan done --------
Discovery scan finished: 01/11/09 14:59:06

The zero result should not be read as "no hosts": discovery used ICMP echo only, yet the range includes 208.76.245.162, which returned an FTP banner on TCP port 21 in Question 7. A border that drops echo requests hides every host from an ICMP-only sweep, so a sweep should fall back to TCP or UDP probes on common ports before declaring an address dead.

Question 4:
Perform reverse DNS on the following IP addresses.
85.17.45.118 | 208.65.153.253

Answers:

IP Address 1:
w3dt.net Reverse DNS Scan v1.0
Copyright 2008 - 2009 w3dt.net, All Rights Reserved.
see http://w3dt.net/ for more info.
------------------------------------------------------------------
Parsing subnet information... [OK]
Returning subnet(s) addresses... [OK]
Checking returned addresses... [OK]
Performing Reverse DNS Scan...
------------------------------------------------------------------
 85.17.45.118 => criticalsecurity.net

IP Address 2:
(tool banner as above)
 208.65.153.253 => youtube.com => 208.65.153.238

The second result shows why a PTR record alone is weak evidence: the reverse record for 208.65.153.253 names youtube.com, but the tool's forward resolution of youtube.com came back as 208.65.153.238, a different address in the same /22. A PTR record is set by whoever controls the reverse zone and can claim any name, so only a name whose forward lookup leads back to the original address should be treated as confirmed.

Question 5:
Perform a port scan on the following host name and identify which ports are open and what service is running on those open ports.
Host name: www.ethicaluniversity.com

Answer:

Port Scan Results for: "www.ethicaluniversity.com" - Scan Type: "Linux Server".

Host / IP                   Port No   State    Service Name   Additional Info About This Port
www.ethicaluniversity.com   22        Active
www.ethicaluniversity.com   80        Active
www.ethicaluniversity.com   443       Active

Additional Scan Information for: "www.ethicaluniversity.com"
- Scan Type: Linux Server.
- Total Scan Time: 7.9994 Seconds.
- Ports Scanned: 10 Ports.
- Ports Found Active: 3 Active/Open.
- Ports Found Closed: 7 Closed/Inactive.

The scanner left the Service Name column empty and probed only ten ports. Ports 22, 80 and 443 are the IANA-assigned ssh, http and https ports, and the Apache/2.2.10 with mod_ssl banner recorded for this host in Question 1 is consistent with a web server on 80 and 443; confirming what listens on 22 needs a banner grab of the kind used in Question 7, since a port number alone does not prove which daemon is behind it.

Question 6:
Identify the OS running on the IP address 85.17.45.118. Describe the steps you used for OS detection.

Answer:

Starting Nmap 4.62 ( http://nmap.org ) at 2009-01-13 00:36 IST
Interesting ports on criticalsecurity.net (85.17.45.118):
Not shown: 1705 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
798/tcp  open  unknown
5190/tcp open  aol
6667/tcp open  irc
7000/tcp open  afs3-fileserver
8080/tcp open  http-proxy
Aggressive OS guesses: Linux 2.6.23 (94%), Linux 2.6.22 (93%), Linux 2.6.5 - 2.6.9 (93%), Linux 2.6.9 - 2.6.11 (93%), Linux 2.6.9 - 2.6.20 (Fedora Core 5 or 6) (93%), Tandberg Border Controller VoIP gateway (Linux 2.6.11) (93%), Linux 2.6.20-1 (Fedora Core 5) (92%), Linux 2.6.17 - 2.6.21 (92%), Linux 2.6.19 - 2.6.21 (92%), Linux 2.6.13 - 2.6.24 (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime: 1.294 days (since Sun Jan 11 17:34:50 2009)
Network Distance: 6 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.330 seconds

This is the output of Nmap's TCP/IP stack fingerprinting (the -O option), which sends a series of crafted probes to one open and one closed port and compares the responses against its fingerprint database. The host is almost certainly running a Linux 2.6 kernel (every guess is 2.6, the best at 94%), but Nmap found no exact match and flagged the test conditions as non-ideal, so the guess should be corroborated, for example from the banners on the open ports. Note that the SERVICE column here is only the nmap-services name for each port number, not the result of a banner grab.

Question 7:
Use the daemon banner grabbing technique to identify the daemon running on the IP address 208.76.245.162 on port 21.

Answer:

220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 3 of 50 allowed.
220-Local time is now 13:16. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 20 minutes of inactivity.

The 220 greeting identifies the daemon as Pure-FTPd built with TLS support and with anonymous login disabled. No command had to be sent: FTP servers announce themselves as soon as the TCP connection is established, which is what makes port 21 a convenient banner-grabbing target.

Question 8:
Trace an email you received using the technique we discussed in one of our course modules. You may use any other technique if you feel comfortable with it.
Explain the steps you performed while tracing an email.

Answer:

Full header of the mail:

From noreply@mybloglog.com Sun Jan 11 17:58:14 2009
Return-Path: <mybloglog.mzrgkmbtgbqtcm3egvstombtgmzwkntbhbrwiyzygfrwmzjsgezgiyrzmuzwem3f-gopinathan_rm=yahoo.com@returns.bulk.yahoo.com>
Authentication-Results: mta307.mail.re4.yahoo.com from=mybloglog.com; domainkeys=neutral (no sig)
Received: from 66.94.237.28 (HELO n14a.bullet.scd.yahoo.com) (66.94.237.28)
  by mta307.mail.re4.yahoo.com with SMTP; Sun, 11 Jan 2009 18:00:30 -0800
Received: from [209.73.164.83] by n14.bullet.scd.yahoo.com with NNFMP; 12 Jan 2009 01:58:14 -0000
Received: from [68.142.237.87] by t7.bullet.scd.yahoo.com with NNFMP; 12 Jan 2009 01:58:14 -0000
Received: from [69.147.76.197] by t3.bullet.re3.yahoo.com with NNFMP; 12 Jan 2009 01:58:14 -0000
Date: 11 Jan 2009 17:58:14 -0800
Received: from [127.0.0.1] by www3.mbl.re1.yahoo.com with NNFMP; 12 Jan 2009 01:58:14 -0000
From: "noreply@mybloglog.com" <noreply@mybloglog.com>
To: "gopinathan_rm@yahoo.com" <gopinathan_rm@yahoo.com>
Subject: Tudor Constantin is now following you on MyBlogLog
Content-Length: 534

Question 9:
What is your favorite antivirus program? Why did you choose it as your favor
ite? [If you are a Linux user, please explain what level of security measures you have taken in your box as a security measure against viruses and threats.]

Answer:

I'm a novice Linux user, so I also use Windows for support. On Windows I use Avast antivirus because of its free support for home users. But in future I would switch to Linux, and I would like to implement the following as security measures:

1. Protecting the root account
The root, or superuser, account on a Linux system is like a backstage pass at a Stones concert: it allows you access to anything and everything. For this reason, it's well worth taking extra steps to protect it. Start by setting a hard-to-guess password for this account with the passwd command, change it on a regular basis, and restrict knowledge of the password to a few (ideally, only two) key people in the organisation.
Next, restrict the terminals that can be used for root access by editing the file /etc/securetty. To avoid users leaving a root terminal "open", set a timeout for inactive root logins with the TMOUT shell variable, and ensure that the root command history file (which might contain sensitive information) is disabled by setting the HISTFILESIZE variable to 0. Finally, enforce a policy of using this account only to perform specific administrative tasks, and discourage users from logging in as root by default.
Tip: Once you've closed these holes, the next step is to require that every normal user account has a password, and to ensure that passwords do not use easily guessed patterns such as birthdays, user names or dictionary words.

2. Installing a firewall
A firewall lets you filter data packets travelling in and out of your server and ensures that only those packets matching pre-defined rules are permitted to enter or exit. A number of excellent firewalls are available for Linux, and firewall code can even be compiled directly into the kernel. Begin by defining input, output and forwarding rules for packets leaving and entering your network, using the ipchains or iptables commands. Rules may be specified on the basis of IP addresses, network interfaces, ports, protocols or combinations of these attributes; the rules also specify what action (accept, reject, forward) to take when a match occurs. Once the rules are installed, test the firewall extensively to ensure that no holes exist in it. A good firewall is your first line of defence against common attacks like the distributed denial of service (DDoS) attack.

3. Using OpenSSH for network transactions
An important issue in client-server architecture involves the security of data being transmitted over the network. If network transactions take place in plaintext, it is possible for an attacker to "sniff" the data packets being transmitted and thus gain access to sensitive information. You can close this hole by using a secure shell utility like OpenSSH to create a secure encrypted "tunnel" for your data to pass through. Encrypting your connections in this manner makes it extremely hard for unauthorised users to read the data going back and forth between network hosts.

4. Disabling unwanted services
Most Linux systems are installed with a wide variety of services enabled, such as FTP, telnet, UUCP, ntalk and so on. In most cases these services are rarely used, and leaving them active is like leaving your windows open for a burglar to slip in. You can disable them by commenting them out in /etc/inetd.conf or /etc/xinetd.conf and then restarting the inetd or xinetd daemon. Additionally, some services (for example, database servers) may start up by default during the boot process; you can disable these by editing the /etc/rc.d/* directory hierarchy. Many experienced administrators disable all system services, leaving only the SSH port open.

5. Using a spam and anti-virus filter
Junk e-mail and viruses annoy your users and can sometimes cause critical network failures. Linux is surprisingly resistant to viruses, but client machines running Windows may be more susceptible. Therefore it's a good idea to install a spam and virus filter on your mail server itself, to "defang" suspicious messages and reduce the risk of a chain of collapses.
Begin by installing SpamAssassin, a leading open-source tool that uses a combination of different techniques to identify and flag spam; the program also supports user-based whitelisting and greylisting for greater accuracy.
Next, install procmail for user-level filtering based on regular expressions; this tool allows automatic filtering of received email into mailboxes at both user and system level. Finally, install Clam AntiVirus, a free anti-virus toolkit that integrates with sendmail and SpamAssassin and supports on-access scanning of email attachments.

6. Installing an intrusion detection system
Intrusion detection systems (IDS) are early warning systems that let you know if changes occur on your network. They're a great way to identify (and prove) attempts to break into your system, although at the cost of increased resource consumption and potential red herrings. There are two fairly well-known IDSs you can try: Tripwire, which tracks file signatures to detect modifications, and Snort, which uses rules-based directives to perform real-time packet analysis and identify attempts to probe or attack your system. Both packages can generate e-mail alerts (among other actions) and are useful when you suspect your network is being compromised but need definitive proof.

7. Performing regular security audits
When it comes to securing your network, this final step is possibly the most important. Here you put on a black hat and do your best to circumvent the defences you erected in the previous steps. Doing this provides you with an immediate and objective assessment of how hard your system really is, and identifies potential vulnerabilities that you should fix.
A number of tools are available to help you in this audit: you can attempt to crack your password files with password crackers like Crack and John the Ripper; you can use nmap or netstat to look for open ports; you can sniff the network using tcpdump; and you can try exploiting publicised holes in your installed programs (web server, firewall, Samba) to see if they offer a way in. If you do manage to find a way past your obstacles, rest assured that others will too; take immediate measures to close the openings.

(Source: I read this on the following site: http://www.builderau.com.au/program/linux/soa/Seven-steps-to-increase-Linux-security/0,339028299,339271677,00.htm)

Question 10:
Explain email client programs. Give at least 5 email client program names.

Answer:

An email client, mail user agent (MUA) or email reader is a front-end computer program used to manage email.

Evolution
Evolution, or Novell Evolution (formerly Ximian Evolution, prior to Novell's 2003 acquisition of Ximian), is the official personal information manager and workgroup information management tool for GNOME. It combines email, calendar, address book and task list management functions. Currently this is the default email client for Ubuntu Linux.

Thunderbird
Mozilla Thunderbird is a free, open source, cross-platform email and news client developed by the Mozilla Foundation.

Pine
Pine (a Program for Internet News & Email) is a tool for reading, sending and managing electronic messages. Pine was developed by UW Technology at the University of Washington. Though originally designed for inexperienced email users, Pine has evolved to support many advanced features and an ever-growing number of configuration and personal-preference options. Pine is available for Unix as well as for personal computers running a Microsoft operating system (PC-Pine).

Alpine
Alpine is the successor to the well-known Pine email client. Its name derives from the use of the Apache License and its ties to Pine. It features a full suite of support for mail protocols like IMAP and SMTP and security protocols like TLS. It uses curses for its interface.

Balsa
Balsa is a highly configurable and robust mail client for the GNOME desktop. It supports both POP3 and IMAP servers as well as the mbox, maildir and mh local mailbox formats. Balsa also supports SMTP and/or the use of a local MTA such as Sendmail. Some of Balsa's other features include:
* nested mailboxes
* printing
* spell checking
* multi-threaded mail retrieval
* MIME support (view images inline, save parts)
* GPE Palmtop, LDAP, LDIF and vCard address book support
* multiple character sets for composing and reading messages
* file attachments on outgoing messages
* GPG/OpenPGP mail signing and encryption
Support for Kerberos and SSL has been enabled in this package.

Question 11:
Write short notes on the Windows registry.

Answer:

Actually, I published my presentation about the Windows registry as a book two or three months ago. Please have a look at it:
http://base.googlehosted.com/base_media?q=hand-7924414598934922447&size=8

Question 12:
List the basic commandments that an ethical hacker must remember while performing any test for his client. Write them in your own words.

Answer:

The basic commandments an ethical hacker should follow are:
1. First, one should be able to hack one's own system. This is the first step in the ethical hacking commandments.
2. Think of the dangers you are going to face and be aware of the real world.
3. Work legally, with all agreements and contracts signed.
4. Respect everyone's privacy and avoid hacktivism.
5. Test or do everything without causing damage to one's own system.
6. Plan each and every step correctly. The only difference between the hacker and the cracker is planning.
7. Always choose the correct tool.
8. Execute the plan in order.
9. Google is a gold mine, and we should use it as much as possible.
10. Do not harm anyone else's computer.

Question 13:
What is meant by hacktivism?

Answer:

Hacktivism is the fusion of hacking and activism; politics and technology.
More specifically, hacktivism is described as hacking for a political cause. In this context, the term hacker is used in reference to its original meaning. As defined in the New Hacker’s Dictionary, a hacker is “a person who enjoys exploring the details of programmable systems and how to stretch their capabilities” and one who is capable of “creatively overcoming or circumventing limitations”. (1) Activism is defined as “a policy of taking direct and militant action to achieve a political or social goal”. (2) Therefore, a clinical definition of hacktivism is:<br />Hacktivism: a policy of hacking, phreaking or creating technology to achieve a political or social goal.(3)<br />However, both hacking and activism, and thus hacktivism, are loaded words ripe for a variety of interpretation. Therefore it is preferable not to clinically define hacktivism but rather to describe the spirit of hacktivism. Hacktivism is root. It is the use of one’s collective or individual ingenuity to circumvent limitations, to hack clever solutions to complex problems using computer and Internet technology. Hacktivism is a continually evolving and open process; its tactics and methodology are not static. In this sense no one owns hacktivism - it has no prophet, no gospel and no canonized literature. Hacktivism is a rhizomic, open-source phenomenon.<br />In the Beginning…Since hacktivism is a recombinant initiative comprised of two divergent communities (hackers and activists) it is necessary to understand their respective backgrounds in order to analyze this historic merger and to examine its challenges and future capabilities. “Hacker” was originally a term that encapsulated an individual’s deep understanding of computer systems and networks and the ability to invent, modify, and refine such systems. It is a recombinant attitude that promotes problem solving and creative instinct for it does not limit one’s options to the possible. 
Hacking thrives in an environment in which information is freely accessible. The hacker ethic formulated by Steven Levy in his 1984 book “Hackers: Heroes of the Computer Revolution” outlines the hacker tenets:<br />Access to computers should be unlimited and total.<br />All information should be free.<br />Mistrust authority - promote decentralization.<br />Hackers should be judged by their hacking not bogus criteria such as degrees, age, race, or position.<br />You create art and beauty on a computer.<br />Computers can change your life for the better.(4)<br />The GNU/Linux operating system evolved from this hacker ethic. As fellow hackers from the MIT AI lab were lured into commercial ventures Richard Stallman became increasingly concerned about the decay of the hacker community and the increasing control being exerted over proprietary code. Stallman decided to create a free operating system modeled after the proprietary UNIX system.(5) Linus Torvalds began development on a kernel and released the initial source code for his kernel, named Linux.(6) Together the work of Stallman and Linus form the GNU/Linux operating system. This software is released under the General Public License (GPL), which is known as “copyleft” as opposed to copyright. The GPL allows users to modify and copy the software as long as they make the source freely available to others.(7) There is now a vibrant global, open source community that thrives based on the free flow, and sharing of information.<br />Hackers abhor censorship. Censorship is often seen as a human rights violation, especially when it is combined with a repressive, governing regime. In addition, hackers mistrust restrictive legislation that encroaches on free access to information and cherished electronic privacy. Thus a natural aversion to repressive governments and predatory, private institutions has developed. In Phrack magazine, Dr. 
Crash explains that computer technology is being misused not by hackers but by governments and corporations:<br />The wonderful device meant to enrich life has become a weapon which dehumanizes people. To the government and large businesses, people are no more than disk space, and the government doesn’t use computers to arrange aid for the poor, but to control nuclear death weapons. (8)<br />This sentiment is not an isolated rant. There is definitely a trend within hacker culture that not only focuses on technical aspects of computing but political aspects as well. In the “Hacker’s Manifesto” the ment0r explains:<br />We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals. (9)<br />There is an antagonism between government/corporate restrictions and domination of computer technology and hackers who want to ensure free access to information, to circumvent censorship, and to prevent monopoly control of technology.<br />Activists recognized the benefits of integrating activism and computer/Internet technology relatively quickly. The new open architecture technology of the Internet played a complementary and beneficial role that fit perfectly with existing, decentralized, activist networks. In fact, computerized activism was already taking place before the birth of the WWWeb. 
Stephan Wray notes that the creation of PeaceNet, a text-based newsgroup service, in 1986 allowed "political activists to communicate with one another across international borders with relative ease and speed." (10) This has allowed activists with little or no technical skill to utilize the benefits of digital communications. The Internet allows for the convergence of meetings, debates, and research in one convenient and fast medium that greatly enhances not only activists' organizational capabilities but also their ability to react to a constantly changing world in a timely manner. In order to educate the public and promote causes and campaigns, activist organizations have utilized the Internet and established an accessible, updateable, interactive, and international presence that previously would have been difficult if not nearly impossible to maintain.

Question 14:
Write a short note on Network Enumeration.

Answers:
Network enumeration is the discovery of hosts and devices on a network. Enumeration tools tend to use overt discovery protocols such as ICMP and SNMP to gather information; they may also scan various ports on remote hosts looking for well-known services, in an attempt to further identify the function of a remote host and solicit host-specific banners. The next stage of enumeration is to fingerprint the operating system of the remote host.

Some of the tools used for this purpose are:
Unicornscan
Paketto Scanrand
Hping2
Angry IP Scanner
Network View
NSAT
ScanLine
SuperScan
Visio
What's Up Gold
WS_Ping ProPack
NetCrunch

Question 15:
What is the difference between a DoS attack and a DDoS attack? Give a real-time example that involves a DDoS attack (a company's website, with a DDoS incident that you can find through Google).

Answer:
The difference between the two attacks is:
A DoS (Denial of Service) attack is carried out from a single machine. In a DDoS (Distributed Denial of Service) attack, many machines are compromised by the attacker and made to install a specific daemon, and the attack is then performed in a distributed manner using all of these machines at the same time.

A real-time example:
The first major attack involving DNS servers as reflectors occurred in January 2001. The target was Register.com. This attack, which forged requests for the MX records of AOL.com (to amplify the attack), lasted about a week before it could be traced back to all attacking hosts and shut off. It used a list of tens of thousands of DNS records that were a year old at the time of the attack.

In February 2001, the Irish Government's Department of Finance server was hit by a denial of service attack carried out as part of a student campaign from NUI Maynooth. The Department officially complained to the University authorities and a number of students were disciplined.

In July 2002, the Honeynet Project Reverse Challenge was issued. The binary that was analyzed turned out to be yet another DDoS agent, which implemented several DNS-related attacks, including an optimized form of a reflection attack.

On two occasions to date, attackers have performed DNS backbone DDoS attacks on the DNS root servers. Since these machines are intended to provide service to all Internet users, these two denial of service attacks might be classified as attempts to take down the entire Internet, though it is unclear what the attackers' true motivations were. The first occurred in October 2002 and disrupted service at 9 of the 13 root servers.
The second occurred in February 2007 and caused disruptions at two of the root servers.

In February 2007, more than 10,000 online game servers for games such as Return to Castle Wolfenstein, Halo, Counter-Strike and many others were attacked by the "RUS" hacker group. The DDoS attack was made from more than a thousand computers located in the republics of the former Soviet Union, mostly Russia, Uzbekistan and Belarus. Minor attacks still continue to be made today.

In the weeks leading up to the five-day Georgia-Russia war, a DDoS attack directed at Georgian government sites, carrying the message "win+love+in+Rusia", effectively overloaded and shut down multiple Georgian servers. Websites targeted included the website of the Georgian president, Mikhail Saakashvili, which was rendered inoperable for 24 hours, and the National Bank of Georgia. While heavy suspicion was placed on Russia for orchestrating the attack through a proxy, the St. Petersburg-based criminal gang known as the Russian Business Network (RBN), the Russian government denied the allegations, stating that it was possible that individuals in Russia or elsewhere had taken it upon themselves to start the attacks.

Question 16:
Write a short note on default ports.

Answers:
FTP (File Transfer Protocol): Port 21
Port number 21 is a reserved port in TCP/IP networking, meaning that it is listed with IANA. Port 21 is used by the File Transfer Protocol for FTP control traffic. FTP clients initiate an FTP session by connecting to port 21 on the FTP server. The FTP server responds from port 21 with messages that prompt the client for an FTP session login (username and password). Note that FTP clients do not listen on port 21; only the server does. FTP servers also do not send files from port 21. Instead, the FTP protocol allows a second connection to be established for data transfer.
Port 21 represents the server side of the "control" or "command" connection, whereas the alternate server port represents the "data" connection.

Email Ports
Incoming and Outgoing Mail Servers

Incoming Mail Server: the incoming mail server is the server associated with your email address account. There cannot be more than one incoming mail server for an email account. In order to access your incoming messages, you need an email client: a program that can retrieve email from an email account, allowing a user to read, forward, delete, and reply to email messages. Depending on your mail server, you can use a dedicated email client (like Outlook Express) or a web browser (like Internet Explorer, for accessing web-based email accounts like Hotmail). The mail is held in storage on the incoming mail server until you download it. Once you have downloaded your mail from the mail server it cannot be downloaded again. In order to download your email, you must have the correct settings configured in your email client program. Most incoming mail servers use one of the following protocols: IMAP, POP3, HTTP.

Outgoing Mail Server: this is the server used only to send emails (to transport them from your email client program to the receiver). Most outgoing mail servers use the SMTP protocol for sending emails. Depending on your network settings, the outgoing mail server can belong to your ISP or to the server where you set up your email account. As an alternative, you can use a subscription-based SMTP server (like smtp.com), which will allow you to send emails from any email account you already own. For anti-spam reasons, most outgoing mail servers will not let you send emails if you are not logged on to their network.
An open-relay server will allow anyone to use it for sending emails, whether they belong to its network or not, which makes it a haven for spammers.

Email Servers and Ports
Email Ports: In networking, a port is an endpoint of a logical connection. The port number identifies what type of port it is. Here are the default ports:
POP3 - port 110
IMAP - port 143
SMTP - port 25
HTTP - port 80
Secure SMTP (SSMTP) - port 465
Secure IMAP (IMAP4-SSL) - port 585
IMAP4 over SSL (IMAPS) - port 993
Secure POP3 (SSL-POP) - port 995

Telnet: Port 23
The telnet port is usually port 23. If a server is configured correctly, it will find the port for you. However, you may need to give the port explicitly after the IP address:
telnet 192.54.81.18 23
Sometimes the telnet port is very busy and is divided into sub-ports. If this is the case, try adding two digits onto the 23 to make it a four-digit number. Try variations until you get through:
telnet 192.54.81.18 2355
or
telnet 192.54.81.18 2394

Question 17:
Write the port numbers used by default by the following Trojans: Sub7 (server and client), CIA, Back Orifice, NetBus, Lion Worm.

Answers:
SubSeven (aka Sub7 or Backdoor_G)
SubSeven (aka Sub7 or Backdoor_G) currently affects Windows 95/98 PCs and can be a bit tricky to remove. This is because the server portion can be configured to rerun itself automatically from any of four places each time the system is rebooted. The Trojan also has two files that can be configured with any name. TCP ports 6711 and 6776 are used by default, but there is a third TCP port, which is the port used to establish the connection between the "client" and the "server".
This third TCP port can be configured to be anything, although it is commonly seen as TCP port 1243 or TCP port 1999.

Back Orifice
Back Orifice (BO) is a program which, if activated, opens a victim's PC for intruders to access and control it remotely and invisibly over the network. Under certain conditions, it is even able to allow intruders to obtain the victim's user password. So far, reported victims include Windows 95/98 users at Computer Barn, in offices, and at home. It is known that the current version (1.2) of Back Orifice cannot be installed on Windows NT systems. BO is a Trojan horse rather than a virus because it does not replicate the way an ordinary virus does. A user may become a victim of BO if he or she runs programs (that contain BO) obtained from an unreliable source (say, Internet downloads or email attachments). BO has been in broad and increasing use since about 3 August 1998. BO was released as version 1.2. It can be expected to evolve, and other tools like it will inevitably appear. Watch the ITSC announcements for any updates. The port used by Back Orifice is 31337.

CIA
The Cruel Intentionz Administrator (CIA) backdoor is a full-featured Trojan horse program developed in Visual BASIC. It allows a remote attacker to take complete control of a victim host. Functions supported by the Trojan include:
file browsing
screen/webcam capture
clipboard manipulation
SOCKS proxy
key logging
operating system configuration access
A number of other functions are also included that are designed to aggravate a legitimate user of a host, such as mouse pointer enable/disable, audio/video file playing, and desktop icon manipulation. The Trojan can notify its controller of a compromised host coming online via CGI, ICQ, or Yahoo Instant Messenger. By default, it listens on ports 5222 or 5888. Subsequent sessions are allocated new port numbers, incremented by 1000: for example, 6222/6888 is incremented to 7222/7888, and so on.
However, the port ranges utilized are fully configurable by the Trojan's controller. The port used by CIA is 6333 TCP.

NetBus
NetBus uses TCP for communication, and always uses ports 12345 and 12346 for listening.
NetBus is a Win32-based Trojan program. This Trojan can affect Windows 95, Windows 98 and Windows NT systems. The NetBus Trojan needs to be executed by the user for it to be installed. Once executed by the user, it installs itself in such a way that it is active all the time; NetBus adds an entry to the Windows Registry to achieve this. The presence of NetBus installed on the computer will not be evident to the affected user. There are 3 versions of NetBus, and the sizes of these Trojan files are:

Lion Worm
The Lion worm has been found spreading itself across the Internet by exploiting a known vulnerability in BIND on Linux systems. Once the worm gains root permissions by exploiting BIND, it emails /etc/passwd, /etc/shadow, and some network settings to a china.com address; removes /etc/hosts.deny; installs back doors that listen on ports 60008 and 33567; stops syslogd; replaces login with a version containing a back door; and installs the t0rn root kit. The Lion worm then starts scanning random class B network ranges for its next victim. There are two known versions of the worm propagating across the Internet, with only minor differences reported between them.

Question 18:
What are the types of password cracking attack, and which one do you prefer? Why?

Answer:
Password cracking doesn't have to involve fancy tools, but it is a fairly tedious process. If the target doesn't lock you out after a specific number of tries, you can spend an unlimited amount of time trying every combination of alphanumeric characters.
It's just a question of time and bandwidth before you break into a system.

The most common passwords found are password, root, administrator, admin, operator, demo, test, webmaster, backup, guest, trial, member, private, beta, [company_name] or [known_username].

There are three basic types of password cracking tests that can be automated with tools:
Dictionary - A file of words is run against user accounts, and if the password is a simple word, it can be found pretty quickly.
Hybrid - A common method used by users to change passwords is to add a number or symbol to the end. A hybrid attack works like a dictionary attack, but adds simple numbers or symbols to the password attempt.
Brute force - The most time-consuming but most comprehensive way to crack a password. Every combination of characters is tried until the password is broken.

Some common Web password cracking tools are:
Brutus is a password cracking tool that can perform both dictionary attacks and brute force attacks, where passwords are randomly generated from a given character set. Brutus can crack multiple authentication types: HTTP (Basic authentication, HTML form/CGI), POP3, FTP, SMB and Telnet.
WebCracker is a simple tool that takes text lists of usernames and passwords and uses them as dictionaries to implement basic authentication password guessing.
ObiWan is a Web password cracking tool that can work through a proxy.
ObiWan uses wordlists and alternations of numeric or alphanumeric characters as possible passwords.

I prefer the brute-force attack because it is more efficient than other cracking techniques.

Question 19:
Write a short note on proxy servers and give an example of a website providing free proxies (the link you provide should not exist in the course material). Grab at least 5 working proxies and include them.

Answer:
Proxy Server
A proxy server is a server that retrieves Web pages for you, providing only its own identity to the sites it visits. Requested data comes first to the proxy, and the proxy then transmits it to you. Usually, proxies are used to increase the effective speed of your connection to the Internet, because they save information and files that are requested by many users in a special store called a "cache". When you retrieve pages behind a proxy, the proxy server first looks in its cache, and if the same information is found there you get it directly, because it was previously stored in the cache.

Anonymous proxy
An anonymous proxy server hides your IP address and hides information about you and your interests. Besides that, anonymous proxy servers can help in cases when, for example, the owners of an Internet resource impose some limitation on users from certain countries, cities or geographic regions, or even restrictions on some IP address ranges.

Anonymous Surfing
Of all the activities the Internet offers, browsing Web pages is probably the last thing many folks would consider hazardous. Web surfing is not without threats to Internet privacy, and every visit to a website may be a risk to you because everything is automatically recorded for analysis. Some Web servers can be set up by webmasters and administrators with malicious intentions to "grab" your email address and other information from your browser. This capability is often used to put your name on spammers' lists.
It can also be used to log and keep track of exactly who visits a website. An anonymous proxy server, together with knowledge of spoofing HTTP variables, can prevent this malicious spammer activity, along with the sniffing of your real IP address and other information by prying webmasters.

Hide IP Address
You can lose your online privacy simply by visiting a website. Your IP address is vulnerable to unscrupulous hackers, who may use it to gain access to your personal details and hard drive. Furthermore, a website can automatically exploit security holes in your system using some ready-made free hacking programs. Some such programs may just hang your machine, making you reboot it, but other, more powerful ones can get access to the contents of your hard drive or RAM. All a website may need for that is your IP address and some information about your operating system.

Proxyblind.org can be used to find proxy listings by country.

Some of the free proxies are:
India
121.242.41.67:3128
220.227.47.8:8080
America
12.47.164.114:8888
208.131.157.20:80
209.11.82.88:3128
209.20.78.177:3128

Question 20:
Write a short note on TCP/IP.

Answer:
TCP/IP
Transmission Control Protocol (TCP) and Internet Protocol (IP) are, technically speaking, two distinct network protocols. TCP and IP are so commonly used together, however, that TCP/IP has become the standard term to refer to either or both of the protocols.

IP corresponds to the Network layer (Layer 3) in the OSI model, whereas TCP corresponds to the Transport layer (Layer 4). In other words, the term TCP/IP refers to network communications where the TCP transport is used to deliver data across IP networks.

The average person on the Internet works in a predominantly TCP/IP environment.
Web browsers, for example, use TCP/IP to communicate with Web servers.

Internet Protocol: IP Addresses
Every machine on the Internet has a unique identifying number, called an IP address. IP stands for Internet Protocol, which is the language that computers use to communicate over the Internet. A protocol is the pre-defined way that someone who wants to use a service talks with that service. The "someone" could be a person, but more often it is a computer program like a Web browser.

A typical IP address looks like this:
216.27.61.137

To make it easier for us humans to remember, IP addresses are normally expressed in decimal format as a dotted decimal number like the one above. But computers communicate in binary form. Look at the same IP address in binary:
11011000.00011011.00111101.10001001

The four numbers in an IP address are called octets, because they each have eight positions when viewed in binary form. If you add all the positions together, you get 32, which is why IP addresses are considered 32-bit numbers. Since each of the eight positions can have two different states (1 or 0), the total number of possible combinations per octet is 2^8, or 256. So each octet can contain any value between 0 and 255. Combine the four octets and you get 2^32, or 4,294,967,296 possible unique values.

Out of the almost 4.3 billion possible combinations, certain values are restricted from use as typical IP addresses. For example, the IP address 0.0.0.0 is reserved for the default network and the address 255.255.255.255 is used for broadcasts.

The octets serve a purpose other than simply separating the numbers. They are used to create classes of IP addresses that can be assigned to a particular business, government or other entity based on size and need. The octets are split into two sections: Net and Host. The Net section always contains the first octet.
It is used to identify the network that a computer belongs to. Host (sometimes referred to as Node) identifies the actual computer on the network. The Host section always contains the last octet. There are five IP classes plus certain special addresses
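The octet arithmetic from this answer, carried into runnable form as an added example (not code from the lab answers): the parser splits a dotted-decimal address into octets, renders the same 216.27.61.137 bit pattern shown above, and applies the first-octet class rule together with the two reserved addresses the text names. The same parser is then reused for a small defender-side check over constructed connection-log lines, flagging a source that touches many distinct ports (the enumeration pattern described under Question 14) and any connection to one of the default Trojan listening ports listed under Question 17. The log format, the host addresses in the sample, and the sweep threshold of 10 distinct ports are assumptions made for the example.

```python
"""Added example (not part of the lab answers): IPv4 octet/class arithmetic for
Question 20, plus a connection-log check that reuses the same parser to spot the
port-sweep pattern from Question 14 and the Trojan default ports from Question 17."""
import re
from collections import defaultdict


def parse_ipv4(addr):
    """Split a dotted-decimal string into four octets, rejecting malformed input."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    octets = []
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"bad octet {part!r} in {addr!r}")
        octets.append(int(part))
    return tuple(octets)


def to_binary(addr):
    """Show each octet as eight bits, as in the 216.27.61.137 walkthrough."""
    return ".".join(f"{o:08b}" for o in parse_ipv4(addr))


def to_int(addr):
    """Pack the four octets into the 32-bit number they represent."""
    a, b, c, d = parse_ipv4(addr)
    return (a << 24) | (b << 16) | (c << 8) | d


def address_class(addr):
    """Classful lookup by first octet, plus the two reserved addresses named in the text."""
    if addr == "0.0.0.0":
        return "reserved (default network)"
    if addr == "255.255.255.255":
        return "reserved (broadcast)"
    first = parse_ipv4(addr)[0]
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


# Default listening ports quoted in Question 17. A hit is only a lead to
# investigate: legitimate software can reuse any of these numbers.
TROJAN_PORTS = {
    6711: "Sub7", 6776: "Sub7", 1243: "Sub7", 1999: "Sub7",
    31337: "Back Orifice",
    5222: "CIA", 5888: "CIA", 6333: "CIA",
    12345: "NetBus", 12346: "NetBus",
    60008: "Lion worm backdoor", 33567: "Lion worm backdoor",
}

# Assumed (constructed) log format, not any real product's:
# "<timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def analyze_connections(lines, sweep_threshold=10):
    """Return sources that touched many distinct ports (enumeration pattern)
    and every connection to a port listed in TROJAN_PORTS."""
    ports_by_src = defaultdict(set)
    trojan_hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record; ignore
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        parse_ipv4(src)  # reject garbage addresses before counting them
        parse_ipv4(dst)
        ports_by_src[src].add(dport)
        if dport in TROJAN_PORTS:
            trojan_hits.append((src, dst, dport, TROJAN_PORTS[dport]))
    sweeps = {src: len(ports) for src, ports in ports_by_src.items()
              if len(ports) >= sweep_threshold}
    return {"sweeps": sweeps, "trojan_hits": trojan_hits}


# Constructed sample: one host sweeping a dozen well-known ports, one ordinary
# web client, one connection to the Back Orifice default port, one noise line.
SAMPLE_LOG = [
    f"2009-01-10T09:49:{i:02d} src=10.0.0.5 dst=10.0.0.20 dport={p} proto=tcp"
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 465, 993, 995, 3389])
] + [
    "2009-01-10T09:50:00 src=10.0.0.7 dst=10.0.0.20 dport=80 proto=tcp",
    "2009-01-10T09:50:01 src=10.0.0.7 dst=10.0.0.20 dport=443 proto=tcp",
    "2009-01-10T09:50:02 src=10.0.0.9 dst=10.0.0.30 dport=31337 proto=tcp",
    "2009-01-10T09:50:03 kernel: unrelated message",
]

if __name__ == "__main__":
    print(to_binary("216.27.61.137"), "class", address_class("216.27.61.137"))
    print(analyze_connections(SAMPLE_LOG))
```

The sweep threshold is a crude heuristic on purpose: a single source opening a dozen distinct service ports on one host in a few seconds is the signature of the scanners listed under Question 14, while a normal client touches one or two ports. Treat a Trojan-port hit as a reason to look at the destination host, not as proof of infection, since these numbers are not reserved for the Trojans that default to them.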