Agenda
• Social Engineering
• ARP Poisoning – MITM
• Injection attacks
• Cross Site Scripting
• Wireless Security
• Cross Site Request Forgery
• Google Hacking
• Linux vs. Microsoft
• The Servers FaceOff
To catch a hacker, we should think like one
• What does a hacker want? Aaha!! Got it
• Why does he want it?
• How does he get it?
• Use at least eight characters; the more characters the better. (Safe from brute-force attacks)
• Don't use a word found in a dictionary. (Safe from dictionary attacks)
• Never use the same password twice. (Safe for obvious reasons)
• Use a random mixture of characters: upper and lower case, numbers, punctuation, spaces and symbols.
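The four rules above as a checker a registration form could call. This is an added example, not from the original deck: the word list and the list of previously used passwords are small constructed stand-ins, and treating "a random mixture" as "at least three character classes" is my own reading of the rule.

```python
"""Password rule checker for the four rules on the slide (added example)."""
import string

# Constructed stand-in for a dictionary file; a real check loads a large word list.
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "sunshine"}

# Constructed list of passwords this user has already used elsewhere.
# A real system would compare against stored hashes, never plain text.
PREVIOUSLY_USED = {"Summer2020!", "Tr0ub4dor&3"}

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},
}


def check_password(pw, dictionary=DICTIONARY, used=PREVIOUSLY_USED):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    # Case-insensitive dictionary check that also catches a dictionary word
    # padded with digits or symbols ("password1!"), a very common habit.
    core = pw.lower().strip(string.digits + string.punctuation + " ")
    if pw.lower() in dictionary or core in dictionary:
        problems.append("based on a dictionary word")
    if pw in used:
        problems.append("already used before")
    present = {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}
    if len(present) < 3:  # assumption: "random mixture" means three or more classes
        problems.append("uses fewer than three character classes (have: %s)"
                        % ", ".join(sorted(present)))
    return problems


if __name__ == "__main__":
    for candidate in ["abc", "password1!", "Summer2020!", "c0rrect Horse!"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```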
Social Engineering is the first attack of the session
• Psychologically manipulating people into performing some action and extracting confidential information, instead of breaking in or using technical cracking skills.
1. Security Question
• You have 500 Facebook friends who could answer all these questions!!

2. Social Networking
• Vulnerability: the human tendency to share intimate details of one's life.
• Though a few sites allow us to set privacy controls on visibility, most of our details are still shared with the applications.
• So any hacker could exploit this to find information about us.
• Cyber attack on Google in December 2009.
• Chinese rebels’ accounts were accessed.
• Led to Google pulling out from China.
• A combination of Social Engineering and zero-day vulnerabilities in IE6.

Protecting yourself
• Be aware that such attacks exist.

DISCLAIMER
• Hacking is Illegal
• This workshop is for Educational Purposes Only
• Only use this stuff on your websites and your own networks.
ARP Poison Routing (APR)
[Diagram: Address Resolution Protocol – IP Address ↔ MAC Address]

ARP Poisoning
• Usually: Victim → Server
• In MITM: Victim → Attacker → Server
• Thus the Attacker becomes the “Man in the Middle” (MITM).
• This is done using ARP poisoning.
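From the defender's side, ARP poisoning is visible on the wire: the attacker's replies make a gateway IP suddenly belong to a new MAC, and one MAC ends up answering for several IPs. The detector below, an added example that is not part of the original deck, applies those two checks to a constructed list of ARP replies (the addresses and MACs are made up); this is the same idea tools such as arpwatch implement.

```python
"""ARP poisoning detector over a constructed capture (added example)."""
from collections import defaultdict

# Constructed sample of ARP replies seen on the LAN, in order: (sender IP, sender MAC).
# 10.0.0.1 is the gateway, 10.0.0.5 the victim, aa:bb:cc:dd:ee:ff the attacker's NIC.
OBSERVED_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.5", "00:11:22:33:44:05"),
    ("10.0.0.7", "00:11:22:33:44:07"),
    ("10.0.0.1", "aa:bb:cc:dd:ee:ff"),   # attacker claims the gateway's IP
    ("10.0.0.5", "aa:bb:cc:dd:ee:ff"),   # ... and the victim's IP
    ("10.0.0.7", "00:11:22:33:44:07"),   # legitimate repeat, must not alert
]


def detect_arp_poisoning(replies):
    """Return a list of (kind, detail) alerts found in the reply stream."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # An IP silently moving to a new MAC is the classic poisoning signature.
            alerts.append(("mac-changed", "%s moved from %s to %s" % (ip, previous, mac)))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            # One NIC answering for both ends of a conversation is the MITM position.
            alerts.append(("mac-claims-many", "%s answers for %s"
                           % (mac, ", ".join(sorted(mac_to_ips[mac])))))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect_arp_poisoning(OBSERVED_REPLIES):
        print("ALERT", kind, "-", detail)
```

The usual mitigation on a small network is a static ARP entry for the gateway on each host; on managed switches, Dynamic ARP Inspection drops replies that do not match the DHCP snooping table.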
Traversing Directories in Windows and Linux
– cd ..            Takes us to the parent directory
– cd pages         Takes us into the directory “pages” in the current directory
– cd ../etc/files  Goes back to the parent directory, then enters the “etc” directory and then the “files” directory.

A little bit of SQL queries
• With SQL, we can query a database and have a result set returned:
  SELECT last_name FROM users WHERE user_id = 10;
• Gives a result set like this:
  last_name
  ---------
  rahul
What is SQL Injection?
The ability to inject SQL commands into the database engine through an existing application.

How does SQL Injection work?
• Comments: # , --
• username: ' or 1=1 #
• Password: anything
• Final query would look like this:
  SELECT * FROM users WHERE username = '' or 1=1 #' AND password = 'anything'
SQL Injection Defense
• Input Validation
  • Reject "select", "insert", "update", "shutdown", "delete", "drop", "--", "#"
  • Implement stringent "allow only good" filters
  • If the input is supposed to be numeric, use a numeric variable in your script to store it.
• magic_quotes_gpc is an awesome inbuilt input filter for PHP.
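The slide's login query, once written the vulnerable way and once with placeholders, against an in-memory SQLite database with a constructed users table. This is an added example, not from the original deck; the `#` comment becomes `--` because SQLite only understands `--` comments. Two practical notes: parameterised queries remove the need for the keyword reject list, since the values never reach the SQL parser; and `magic_quotes_gpc` was deprecated in PHP 5.3 and removed in PHP 5.4, so on current PHP the equivalent of `login_safe` is a prepared statement via PDO or mysqli.

```python
"""The slide's login query, vulnerable and parameterised (added example)."""
import sqlite3


def make_db():
    """Constructed sample data: one account with a password the attacker does not know."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, username TEXT, password TEXT, last_name TEXT)")
    db.execute("INSERT INTO users VALUES (10, 'rahul', 's3cret-not-guessable', 'rahul')")
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string concatenation, exactly the pattern the slide attacks."""
    sql = "SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    return db.execute(sql).fetchone()


def login_safe(db, username, password):
    """Same query with placeholders: the driver passes the values separately from the SQL,
    so `' or 1=1 --` is compared against the username column as plain text."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


def last_name_by_id(db, user_id):
    """The slide's numeric case: coerce to int before the query, so anything that is
    not a number raises ValueError instead of reaching the database."""
    uid = int(user_id)
    row = db.execute("SELECT last_name FROM users WHERE user_id = ?", (uid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "' or 1=1 --", "anything"))
    print("safe:      ", login_safe(db, "' or 1=1 --", "anything"))
    print("by id:     ", last_name_by_id(db, "10"))
```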
Cookies and Sessions
• A cookie (client-side) can keep information in the user's browser until deleted. Used for authentication, site preferences, and targeting ads.
• Sessions (server-side) assign each user a unique number, called the session id.
• This session id is stored in a cookie and passed in the URL between pages while the user browses.
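A minimal version of the server-side session store the slide describes, with the id handed to the browser in a cookie. This is an added example, not from the original deck; the class and function names are my own. Of the two transports the slide mentions, the cookie is the one to use: an id in the URL ends up in browser history, proxy logs and Referer headers.

```python
"""Server-side sessions with the id carried in a cookie (added example)."""
import secrets
import time

SESSION_TTL_SECONDS = 30 * 60


class SessionStore:
    """Maps random session ids to per-user data that never leaves the server."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be tested

    def create(self, user):
        # 32 random bytes from the OS CSPRNG: unguessable, unlike a counter or timestamp.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": self._now() + SESSION_TTL_SECONDS}
        return sid

    def lookup(self, sid):
        """Return the session data, or None if the id is unknown or expired."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if self._now() > data["expires"]:
            del self._sessions[sid]
            return None
        return data

    def destroy(self, sid):
        """Logout: forget the id so a stolen cookie stops working too."""
        self._sessions.pop(sid, None)


def build_set_cookie(sid):
    """Cookie attributes that keep the id away from scripts (HttpOnly), off plain HTTP
    (Secure) and off most cross-site requests (SameSite)."""
    return "Set-Cookie: sessionid=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % sid


def session_from_cookie_header(store, cookie_header):
    """Parse a Cookie: request header and resolve the session it names."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sessionid":
            return store.lookup(value)
    return None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("rahul")
    print(build_set_cookie(sid))
    print(session_from_cookie_header(store, "theme=dark; sessionid=%s" % sid))
```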
Cross-Site Scripting (XSS)
• What is it? The web application is used to store, transport, and deliver malicious active content to an unsuspecting user.
• XSS typically results from a web application that takes input from one user and displays it to another user (or set of users).

Ways of Launching Cross-Site Scripting Attacks
The attacker's script must be sent to the victim:
  o Inter-user communication within the target site (i.e., message board, etc.)
  o URL provided on a third-party web site (either clicked on by the victim user or automatically loaded when visiting a malicious web site)
  o URL embedded in an email or newsgroup posting
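The message-board case from the first bullet, rendered once without and once with output escaping. This is an added example, not from the original deck: the post is constructed, and `render_unsafe`, `render_safe` and `safe_href` are my own names. The fix has two parts: every user-supplied value is HTML-escaped at the point it is written into the page, and a user-supplied link is only kept if its scheme is http or https.

```python
"""Stopping stored XSS on a message board by escaping at output time (added example)."""
import html
from urllib.parse import urlparse

# Constructed post as it would arrive from another user through the message board.
POST = {
    "author": "mallory",
    "body": "<script>alert('xss')</script> hello everyone",
    "link": "javascript:alert(1)",
}


def render_unsafe(post):
    """Interpolates user input straight into the page: the browser runs the script."""
    return '<p><a href="%s">%s</a>: %s</p>' % (post["link"], post["author"], post["body"])


def safe_href(url):
    """Allow only http(s) links; any other scheme (javascript:, data:, ...) becomes '#'."""
    scheme = urlparse(url.strip()).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def render_safe(post):
    """html.escape turns < > & \" ' into entities, so the text is displayed, not executed."""
    return '<p><a href="%s">%s</a>: %s</p>' % (
        html.escape(safe_href(post["link"]), quote=True),
        html.escape(post["author"], quote=True),
        html.escape(post["body"], quote=True),
    )


def contains_active_content(rendered):
    """Crude check: does a raw script tag or a javascript: link survive in the output?"""
    low = rendered.lower()
    return "<script" in low or 'href="javascript:' in low


if __name__ == "__main__":
    print(render_unsafe(POST))
    print(render_safe(POST))
```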
Evolution of Wireless Security
1. Open SSID
2. Hidden SSID
3. WEP
4. WPA
5. WPA2

1. Open SSID
• The SSID (Service Set Identifier) is a name for the wireless network.
• Open SSID – the SSID is broadcast by the access point.
• So it is visible to everyone.
• And so anyone can connect to our network.

2. Hidden SSID
• First layer of security.
• The user should know the name of the SSID to connect to the internet.
• Problem: hidden SSIDs can be found using packet sniffers.

3. WEP – Wired Equivalent Privacy
• Both the client PC and the access point share a common key (Shared Key).
• The shared key generates a key-stream using the RC4 algorithm.
• Then the key-stream is XORed with the plain text to create the cipher text.
• The cipher text is sent to the receiver.
[Diagram: Key unchanged → Same key-stream every time]
• If the shared key used is not changed for every frame transmitted, then the data will be XORed with the same key-stream every time!!
• So we use an Initialization Vector (IV) which changes for every frame sent, thus making the key-stream unique for every frame under the RC4 algorithm.

WEP Vulnerability
• The IV changes for each frame transmitted.
• But the IV is only 24 bits – therefore only 16 million combinations are possible, so the key-stream is bound to repeat after a while.
• If two cipher text frames using the same key-stream are captured, then using statistical analysis the plain text can be found.
• Searching for Wi-Fi networks from a moving vehicle.
• Once a Wi-Fi network is found, the place is marked with the details necessary to connect to that network (WAR-CHALKING).

[Picture showing availability of an Open SSID network with bandwidth 1.5 Mbps.]
CSRF (Cross Site Request Forgery)
• A malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
• XSS exploits the trust a user has for a particular site; CSRF exploits the trust that a site has in a user's browser.

Social Networks (socialnetwork.com)
• Delete certain friends: https://social.com/deletefriends.php?id=66
• Add a person as friend: https://social.com/addfriend.php?id=44
• Change the password: https://social.com/changepass?new_pass=hacked
• attacker’s post (CSRF code) at blog.net
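The standard defence for the change-password case above is a synchroniser token: the server embeds a secret, per-session value in its own form and refuses any state-changing request that does not carry it back. A page on blog.net can make the victim's browser send the cookie, but it never sees the form, so it cannot supply the token. This is an added example, not the social site's or the deck's code; `handle_change_password` is a hypothetical request handler, requests are plain dicts, and the session table is constructed.

```python
"""CSRF defence with a per-session synchroniser token (added example)."""
import hmac
import secrets

# Constructed server state: session id -> session data. In practice this is the
# session store that the sessionid cookie points at.
SESSIONS = {
    "sid-rahul": {"user": "rahul", "csrf_token": secrets.token_hex(32)},
}


def render_change_password_form(sid):
    """The page served to the logged-in user embeds that user's token in the form."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/changepass">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="new_pass"><button>Change</button></form>' % token)


def handle_change_password(request):
    """Return (status, message). State changes only via POST, and only with the token
    that belongs to this session."""
    if request["method"] != "POST":
        # A GET that changes state (the slide's changepass?new_pass=hacked) is what
        # makes an <img> or link on another site enough to trigger the change.
        return 405, "password changes must be POSTed"
    session = SESSIONS.get(request.get("cookies", {}).get("sessionid"))
    if session is None:
        return 401, "not logged in"
    submitted = request.get("form", {}).get("csrf_token", "")
    # Constant-time compare so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "missing or wrong CSRF token"
    session["password"] = request["form"]["new_pass"]
    return 200, "password changed"


if __name__ == "__main__":
    # Forged request: the browser attached the victim's cookie, but no token is present.
    forged = {"method": "POST", "cookies": {"sessionid": "sid-rahul"}, "form": {"new_pass": "hacked"}}
    print(handle_change_password(forged))
    # Legitimate request: the user submitted the real form, token included.
    token = SESSIONS["sid-rahul"]["csrf_token"]
    legit = {"method": "POST", "cookies": {"sessionid": "sid-rahul"},
             "form": {"new_pass": "newpass", "csrf_token": token}}
    print(handle_change_password(legit))
```

The `SameSite` cookie attribute from the session example is a second, independent layer; the token is still needed because older browsers and some legitimate cross-site flows do not honour it.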
• The best search engine.
• Google hacking is not an exact hack. It just makes hacking easy.
• VULNERABILITY: We can google ANYTHING!!

• Version of the server our website uses.
• Error messages which contain too much information.
• Logon portals.
• Files containing passwords.

1. Google Caches
• Google caches pages whenever its crawler finds a new page on the internet.
• When cached pages are viewed, the hacker's IP address is not logged by the target system.
2. Download anything from the internet
• “parent directory” akon mp3 -xxx -html -htm -php -shtml -opendir -md5 -md5sum
• The above search query returns directory listings of all files under ‘Akon MP3’. The rest is “Right click” → “Save Link As”.

3. Get server information
• Google provides information about the server which runs a website, sometimes even passwords.
• Moreover, some error logs on a website can be exploited to find the actual internal implementation of the website.

Secure against Google hacks
• The password file should be saved under any name other than “password.txt”, “Pass.db” or other obviously funny names.
• Exceptions should be handled properly.

LINUX vs. MICROSOFT
• Linux has NO open ports by default. But Windows has open ports for Windows File Sharing even if no files are shared.
• Windows is susceptible to the NULL session attack on port 139.
• Windows gives the root user COMPLETE power to rule the PC!!