
My notes:

12. Web application architecture:


custom web application: business logic flaws
open source connected
database
web server
web application threats:
cookie poisoning
directory traversal
information leakage
broken account management
platform exploits
insufficient transport layer protection
authentication hijacking
hidden manipulation
unvalidated outputs
Input validation flaws refer to a class of web application vulnerability; an attacker exploits input validation flaws to attack the application.
Directory traversal allows attackers to access restricted directories, including application source code.
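The containment check that stops a traversal request from walking out of the document root, shown as a vulnerable resolver beside the hardened one. This is an added example, not code from these notes; the temporary DOC_ROOT, the sample file and the function names are assumptions made for the demonstration.

```python
import os
import tempfile

# Constructed document root for the demonstration (an assumption, not a path
# from the notes): a temporary directory holding one public file.
DOC_ROOT = tempfile.mkdtemp(prefix="webroot_")
with open(os.path.join(DOC_ROOT, "index.html"), "w") as fh:
    fh.write("<h1>public</h1>")


def naive_resolve(user_path):
    """Vulnerable: joins the request path onto the document root and trusts it.
    '../' segments (or an absolute path, which os.path.join simply adopts)
    walk out of DOC_ROOT, which is exactly the directory traversal flaw."""
    return os.path.normpath(os.path.join(DOC_ROOT, user_path))


def safe_resolve(user_path):
    """Hardened: canonicalise first (symlinks and '..' collapsed), then require
    the result to still sit inside the document root. Returns None otherwise."""
    root = os.path.realpath(DOC_ROOT)
    candidate = os.path.realpath(os.path.join(root, user_path))
    # commonpath is the right containment test; a bare startswith(root) would
    # accept a sibling such as "<root>2/secret" as if it were inside root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def is_inside_root(path):
    """True when a resolved path (from either resolver) lies under DOC_ROOT."""
    if path is None:
        return False
    root = os.path.realpath(DOC_ROOT)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


if __name__ == "__main__":
    for request in ("index.html", "../../../../etc/passwd", "/etc/passwd"):
        print(request, "->", naive_resolve(request), "| safe:", safe_resolve(request))
```

The same check belongs anywhere a user-supplied name is turned into a filesystem path (downloads, templates, log viewers); canonicalise with realpath before comparing, never after.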
Security misconfiguration: exploitability easy, prevalence common.
Injection flaws: web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.
Injection flaws are prevalent in legacy code, often found in SQL, LDAP & XPath queries.
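The SQL case of the injection flaw described above, with the string-built query beside its parameterized fix. This is an added example, not code from these notes; the in-memory sqlite3 users table, the account names and the probe string are constructed for the demonstration.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory users table for the demonstration (not from the notes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Injection flaw: untrusted data is spliced into the query text, so the
    database parses it as part of the SQL grammar rather than as a value."""
    query = ("SELECT COUNT(*) FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Fix: placeholders keep the data outside the query grammar. The driver
    binds the values, so quotes or keywords in the input stay literal."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = build_demo_db()
    probe = "' OR '1'='1"          # a quote that closes the string literal early
    print("vulnerable:", login_vulnerable(db, "alice", probe))        # True
    print("parameterized:", login_parameterized(db, "alice", probe))  # False
```

The same separation of data from grammar is the fix for the LDAP and XPath variants the notes list: build the filter or expression through the library's escaping or binding API rather than by concatenation.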

command injection:shell injection


HTML embedding
file injection
LDAP injection:
this exploits vulnerabilities in the LDAP filters used for searching directory services to obtain direct access.

Insecure cryptography: insecure cryptographic storage refers to when an application uses poorly written encryption code.

vulnerable code and secure code.


Broken authentication and session management:
Session Id/Password Exploitation/Timeout Exploitation.
Unvalidated Redirects and forwards.
Web services architecture.
Web services XML poisoning:
Web app hacking methodology:
Footprint web infrastructure: server discovery - service discovery - server identification - hidden content discovery

Server discovery is by whois lookup; service discovery is by Nmap / NetScan Tools Pro / Sandcat Browser.
Banner grabbing: telnet / netcat / ID Serve / Netcraft
Detecting Webapp firewalls and proxies on target site:
Footprint web infrastructure: web spidering / attacker-directed spidering / brute forcing
Web spidering using Burp Suite
Web crawling using Mozenda Web Agent Builder
Web server: WebInspect
-----------------------------------------------------------------------------------
3. Network scanning:
1. Network scanning refers to a set of procedures for identifying hosts, ports and services.
2. Objectives of network scanning:
TCP communication flags: URG, PSH, ACK, FIN, RST, SYN
Colasoft Packet Builder
ICMP scanning: this scan is useful for locating active devices.
ICMP echo reply
Ping sweep tools: Colasoft Ping Tool
SSDP scanning: UPnP scanning - may allow buffer overflow or DoS attacks.

IPv6: address length grows from 32 bits (IPv4) to 128 bits.


ICMP ping: hping3 -1 10.40.123.160
ACK scan on port 80: hping3 -A 10.40.123.160 -p 80
UDP scan on port 80: hping3 -2 10.40.123.160 -p 80

Collecting initial sequence number: hping3 10.40.123.160 -Q -p 139 -3

Firewalls and timestamps: hping3 -S 10.40.123.160 -p 80 --tcp-timestamp
SYN scan on ports 50-60: hping3 -8 50-60 -S 10.40.123.160 -V

FIN, PSH, URG scan on port 80: hping3 -F -P -U 10.40.123.160 -p 80

Scanning techniques:

TCP full connect / full open scan:
-- three-way handshake
-- RST packet
-- does not require superuser privileges
Stealth scan (half-open scan):
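Detection logic for the half-open (SYN) scan and the FIN/PSH/URG flag probes listed above, run over a handful of constructed flow records. This is an added example, not part of the notes; the record format, the host addresses and the threshold are assumptions made for the demonstration.

```python
from collections import defaultdict

# Constructed TCP segment records, one per line as "src dst dport flags"
# (not a real capture). 10.0.0.5 behaves like a normal client and completes
# its handshakes; 10.0.0.9 sends bare SYNs to ports 50-60 and one FIN/PSH/URG
# probe, the trace left by the half-open and flag-probe scans in the notes.
SAMPLE_LINES = [
    "10.0.0.5 10.0.0.20 80 S",
    "10.0.0.5 10.0.0.20 80 A",
    "10.0.0.5 10.0.0.20 443 S",
    "10.0.0.5 10.0.0.20 443 A",
] + ["10.0.0.9 10.0.0.20 %d S" % port for port in range(50, 61)] + [
    "10.0.0.9 10.0.0.20 80 FPU",
]


def parse_records(lines):
    """Turn the text lines into (src, dst, dport, flags) tuples."""
    records = []
    for line in lines:
        src, dst, dport, flags = line.split()
        records.append((src, dst, int(dport), flags))
    return records


def half_open_sources(records, threshold=8):
    """Report (src, dst) pairs that sent SYNs to at least `threshold` distinct
    ports without ever following up with an ACK to that port. A full-open scan
    completes the handshake and so is not caught here; a SYN (half-open) scan
    answers the SYN/ACK with a RST and leaves exactly this trace."""
    syn_ports = defaultdict(set)
    acked_ports = defaultdict(set)
    for src, dst, dport, flags in records:
        if "S" in flags and "A" not in flags:
            syn_ports[(src, dst)].add(dport)
        if "A" in flags:
            acked_ports[(src, dst)].add(dport)
    suspects = {}
    for pair, ports in syn_ports.items():
        unanswered = ports - acked_ports[pair]
        if len(unanswered) >= threshold:
            suspects[pair] = sorted(unanswered)
    return suspects


def odd_flag_probes(records):
    """Segments that carry FIN, PSH or URG with neither SYN nor ACK set never
    occur inside a legitimate connection and mark FIN/Xmas-style probes."""
    return [rec for rec in records
            if set(rec[3]) & set("FPU") and not set(rec[3]) & set("SA")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LINES)
    print("half-open scanners:", half_open_sources(recs))
    print("odd-flag probes:", odd_flag_probes(recs))
```

On a real sensor the same two rules run over a sliding time window per source, and the threshold is tuned against the baseline of the segment so that a busy but legitimate client does not trip it.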

-----------------------------------------------------------------------------------
7. Sniffing:
Sniffing is the process of monitoring and capturing all data packets passing through a given network using sniffing tools.
A sniffer turns the NIC of the network system into promiscuous mode so that it can listen to all the data transmitted on the segment.
Active sniffing is used to sniff a switch-based network,
e.g. active sniffing by injecting address resolution packets into the CAM table.
Sniffers operate at the data link layer.
Wiretapping: active & passive
Lawful interception means legally intercepting data communication between two endpoints for surveillance.
PRISM: Planning tool for Resource Integration, Synchronisation and Management
The CAM table stores information on MAC addresses.
MAC flooding involves flooding the CAM table with fake MAC address and IP pairs until it is full.

Macof: Unix tool that floods the CAM table with random MAC addresses (131,000 per minute).
How DHCP works: DHCP maintains TCP/IP configuration parameters and IP addresses, and the duration of the lease offered by the server.
DHCP starvation attack: this is a denial of service attack on DHCP servers that tries to lease all the DHCP addresses available.
DHCP starvation attack tools: DHCPstarv & Yersinia.

Rogue DHCP server attack: attacker sets up a rogue DHCP server in the network and responds to DHCP requests with bogus IP addresses.
Switch port stealing technique uses MAC flooding to sniff the packets:
the attacker floods the switch with forged gratuitous ARP packets.
How to defend against MAC attacks: configure port security on the Cisco switch.
Only one MAC address allowed on a switch port.

Address Resolution Protocol is a stateless protocol for resolving IP and MAC addresses.
ARP packets can be forged to send data to the attacker's machine.
ARP spoofing involves constructing a large number of forged ARP request and reply packets to overload a switch.
The switch is set in forwarding mode after the ARP table is flooded with spoofed ARP replies.

ARP poisoning tools: Cain & Abel and WinArpAttacker.

Ufasoft: automated ARP poisoning tool that sniffs passwords on the network and works on Wi-Fi networks as well.
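Two detection rules for the attacks in this section, MAC flooding and ARP spoofing, run over constructed frames and ARP replies: the first mirrors the port-security rule from the notes (one MAC per switch port), the second keeps IP-to-MAC bindings and alerts when a later ARP reply claims an already bound IP with a different MAC. This is an added example, not code from these notes; the port names, MAC and IP addresses are made up for the demonstration.

```python
from collections import defaultdict

# Constructed ARP reply stream, (sender_ip, sender_mac) in arrival order; the
# addresses are made up for the demonstration. The gateway 10.0.0.1 is first
# announced by its real NIC, then a second MAC starts claiming the same IP.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.7", "00:11:22:33:44:07"),
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.1", "de:ad:be:ef:00:99"),
    ("10.0.0.1", "de:ad:be:ef:00:99"),
]

# Constructed frames seen on switch ports, (port, source_mac). Port Gi0/2 sees
# many different source MACs in quick succession, the signature of MAC flooding.
SAMPLE_FRAMES = [
    ("Gi0/1", "00:11:22:33:44:07"),
    ("Gi0/1", "00:11:22:33:44:07"),
    ("Gi0/2", "02:00:00:00:00:01"),
    ("Gi0/2", "02:00:00:00:00:02"),
    ("Gi0/2", "02:00:00:00:00:03"),
    ("Gi0/2", "02:00:00:00:00:04"),
]


def detect_arp_conflicts(replies, known=None):
    """Keep the first IP->MAC binding seen (or a static table passed in as
    `known`) and raise an alert whenever a later reply claims the same IP with
    a different MAC. The table is never overwritten by the conflicting reply,
    which is what makes the poisoning attempt visible instead of effective."""
    table = dict(known or {})
    alerts = []
    for ip, mac in replies:
        bound = table.get(ip)
        if bound is None:
            table[ip] = mac
        elif bound != mac:
            alerts.append({"ip": ip, "bound_mac": bound, "claimed_mac": mac})
    return table, alerts


def port_security_violations(frames, max_macs=1):
    """Mirror of the switch port-security rule in the notes ('only one MAC
    address allowed on a switch port'): return the ports on which more than
    `max_macs` distinct source MACs were seen, with the count observed."""
    macs_per_port = defaultdict(set)
    for port, src_mac in frames:
        macs_per_port[port].add(src_mac)
    return {port: len(macs) for port, macs in macs_per_port.items()
            if len(macs) > max_macs}


if __name__ == "__main__":
    table, alerts = detect_arp_conflicts(SAMPLE_ARP_REPLIES)
    print("bindings:", table)
    print("ARP alerts:", alerts)
    print("port-security violations:", port_security_violations(SAMPLE_FRAMES))
```

Seeding `known` with the gateway's real MAC is the software equivalent of a static ARP entry; on the switch itself the same two rules are what port security and dynamic ARP inspection enforce in hardware.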

-----------------------------------------------------------------------------------
Module 05: System hacking

Information is at hand before cracking in.

Password cracking techniques to gain unauthorised access:
dictionary attack
brute forcing attack
hybrid attack
syllable attack
rule based attack

Types: passive online / non-electronic / offline / active online

Passive online: man-in-the-middle attack, replay, wire sniffing

Active online: Trojan, phishing, password guessing, hash injection.

Technique to prevent offline attacks: remove LM hashes, encryption

Packet sniffer tool: gets all information on the LAN and raw network traffic.

Man-in-the-middle attack and replay attack

A hash injection attack allows an attacker to inject a compromised hash into a local session and use the hash to validate to network resources.

Rainbow table: precomputed hashes; the computed hashes are compared against the captured hash.

rtgen and winrtgen are rainbow table password cracking tools.
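Why a precomputed table works against plain hashes and fails against salted ones, shown with a tiny lookup table in place of a full rainbow table. This is an added example, not code from these notes; the candidate wordlist, the PBKDF2 round count and the function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed tiny wordlist standing in for the candidate passwords a rainbow
# table is built from (an assumption for the demonstration, not from the notes).
CANDIDATES = ["password", "hunter2", "letmein", "qwerty", "correct horse"]
PBKDF2_ROUNDS = 100_000   # assumed round count; tune for the deployment


def hash_unsalted(password):
    """Plain SHA-256 of the password: the same password always gives the same
    digest, so one precomputed table serves every account and every system."""
    return hashlib.sha256(password.encode()).hexdigest()


def precompute_table(words):
    """digest -> plaintext lookup table. A real rainbow table stores this far
    more compactly with hash/reduce chains, but the idea is the same: look the
    captured hash up instead of computing hashes at cracking time."""
    return {hash_unsalted(word): word for word in words}


def lookup(table, digest):
    """Return the plaintext for a captured digest, or None if it is not in the table."""
    return table.get(digest)


def hash_salted(password, salt=None):
    """Per-password random salt plus a slow KDF. The salt makes every stored
    hash unique, so a table precomputed without it never matches; the round
    count slows down fresh brute forcing as well. Returns (salt_hex, digest_hex)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex(), digest.hex()


def verify_salted(password, salt_hex, digest_hex):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


if __name__ == "__main__":
    table = precompute_table(CANDIDATES)
    print("unsalted lookup:", lookup(table, hash_unsalted("hunter2")))
    salt_hex, digest_hex = hash_salted("hunter2")
    print("salted lookup:", lookup(table, digest_hex))
    print("salted verify:", verify_salted("hunter2", salt_hex, digest_hex))
```

The same reasoning is why the notes recommend removing LM hashes: LM is unsalted and built from a tiny effective keyspace, so a precomputed table covers it completely.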

Distributed Network Attacks

A Distributed Network Attack (DNA) is the technique used for recovering password-protected files. It utilizes the unused processing power of machines across the network to decrypt passwords.
