Chapter 3
Tools and Methods
Used in Cybercrime
Marks: 20    Hours: 06
Topics
Proxy servers and anonymizers
Phishing: how it works, methods, techniques, types of phishing
Password cracking: online and offline attacks, password specification, random passwords
Software keyloggers, hardware keyloggers, anti-keyloggers, spyware
Types of viruses, difference between viruses and worms, Trojan horses and backdoors
Difference between steganography and cryptography, steganalysis
DoS attacks: classification of DoS, tools for DoS, protection from DoS/DDoS
Steps for SQL injection, prevention of SQL injection
Types of buffer overflow, how to minimize buffer overflow
Traditional techniques for attacking wireless networks (WN), theft of Internet hours, how to secure a WN
ID theft
Tools and Methods Used in Cybercrime
Various tools, techniques and complex methodologies are used to launch attacks against a target.
The basic stages of an attack over a network are:
1. Initial uncovering
2. Network probe
3. Crossing the line toward e-crime
4. Capturing the network
5. Grabbing the data
6. Covering tracks
At every stage the attacker tries to carry out the malicious activity without being detected.
Initial Uncovering
Two steps are involved here:
1. Reconnaissance: gathering information about the target from public sources such as social websites.
2. Uncovering as much information as possible about the company's internal network, such as its Internet domain, machine names and IP address range.
Detecting the attacker at this stage is practically impossible: nothing illegal has been done yet, and passive reconnaissance against public sources sends no traffic to the target at all.
Network Probe (Search)
The attacker uses persistent scanning techniques to obtain information about the target.
A "ping sweep" of the network's IP addresses is performed to seek out live hosts as potential targets.
The classic tool used for ping sweeps is fping.
At this point the attacker has still done nothing that most networks treat as an attack, although sweeps and scans do show up in firewall and IDS logs if anyone is looking.
A "port scanning" tool is then used to discover exactly which services are running on each target system.
Crossing the Line toward E-Crime
The attacker crosses into e-crime by exploiting vulnerabilities in the target systems.
Program flaws and guessable system passwords are what the attacker uses to exploit the system.
The attacker usually goes through several stages of exploitation to gain access to the system.
Once the attacker can use a user account with few privileges, further exploits are attempted to obtain administrator or "root" access (privilege escalation).
Websites and tools used to find common vulnerabilities and their exploits:
secunia.com (vulnerability advisories)
milworm.com (exploit archive)
immunitysec.com/products-canvas.shtml (CANVAS, a commercial exploitation framework)
hackerwatch.org
Capturing the Network
At this stage the attacker attempts to "own" the network.
The attacker gains a foothold in the internal network quickly and easily by compromising a low-priority target system.
The next step is to remove any evidence of the attack.
The attacker usually installs a set of tools that replace existing files and services with Trojan versions that carry a backdoor password (a rootkit).
There are a number of "hacking tools" that can clean up log files and remove any trace of the intrusion, for example:
evidenceeliminator.com
acesoft.net
traceless.com/computer-forensics
Grab the Data
Now that the attacker has "captured the network", he/she takes advantage of that position to steal confidential data.
Covering Tracks
This is the last step in any cyberattack.
Here the attacker works to extend misuse of the system without being detected: logs are cleaned, tools are hidden and backdoors are left in place.
The attacker can remain undetected for long periods, or use this phase as a base to start a fresh exploitation of the target system.
Password Cracking
A password is like a key: it opens the lock that guards entry into a computerized system.
Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system.
Usually an attacker follows a common approach: repeatedly making guesses for the password.
The purposes of password cracking:
1. To recover a forgotten password.
2. As a preventive measure by a system administrator, to check for easily crackable passwords (testing).
3. To gain unauthorized access to a system.
Steps for manual password cracking:
1. Find a valid user account, such as administrator or guest.
2. Create a list of possible passwords.
3. Rank the passwords from high to low probability.
4. Try each one in turn until a successful password is found.
Cracking Passwords by Guessing
Passwords can sometimes be guessed with knowledge of the user's personal information. Examples of guessable passwords include:
1. Blank (none).
2. Words like "password", "passcode" and "admin".
3. The user's name or login name.
4. The name of the user's friend, relative or pet.
5. The user's birthplace or date of birth, or that of a relative or friend.
6. The user's vehicle number, office number, residence number or mobile number.
7. The name of a celebrity who is the user's idol.
8. A simple modification of one of the preceding.
An attacker can also create a script file that tries each password in a list automatically. This is still considered manual cracking, which is time-consuming and not very effective.
Passwords are stored in a database, and a password verification process is built into the system for when a user attempts to log in or access a restricted resource.
To protect the confidentiality of passwords, the verification data is usually not stored in clear text: the system stores the output of a one-way (hash) function applied to the password, ideally together with a random per-user salt, rather than the password itself or a reversible encryption of it.
When the user attempts to log in by entering the password, the same function is applied to the entered value and the result is compared with the stored value. This process is called authentication.
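As an added example (this code is not part of the original slides), the following Python shows the verification process just described done properly: the stored record holds a random salt and a slow hash (PBKDF2-HMAC-SHA256) rather than the password, and verification recomputes the hash and compares it in constant time. The record format and function names are this example's own, not any product's.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return the record the database stores: algorithm$iterations$salt_hex$hash_hex.

    A fresh 16-byte random salt is drawn unless one is supplied (only tests should
    supply one). Thanks to the salt, two users with the same password get different
    records, and a precomputed (rainbow) table built for one salt is useless for
    every other user.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Apply the same function with the stored salt and work factor, then compare.

    hmac.compare_digest runs in constant time, so response timing does not leak
    how many leading bytes of the hash matched. Any malformed record fails closed.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
    except ValueError:   # wrong number of fields, bad hex or bad iteration count
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed demo; the record is what the password database would hold.
    record = hash_password("Convert_£100 to Euros!")
    print(record)
    print(verify_password("Convert_£100 to Euros!", record))   # True
    print(verify_password("password", record))                 # False
```

The iteration count is stored in the record, so it can be raised later and old records re-hashed on the user's next successful login without a mass reset.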
Weak Passwords
1. Susan: a common personal name.
2. aaaa: repeated letters, easily guessed.
3. rover: a common name for a pet, also a dictionary word.
4. abc123: easily guessed.
5. admin: easily guessed.
6. 1234: easily guessed.
7. QWERTY: a sequence of adjacent keys on many keyboards.
8. 12/3/75: a date, possibly of personal importance.
9. nbusr123: probably a username, and if so very easily guessed.
10. p@$$\/\/0rd: simple letter substitutions are preprogrammed into password-cracking tools.
11. password: used very often, trivially guessed.
12. December12: using the date of a forced password change is very common.
Strong Passwords
Here are some examples of strong passwords:
1. Convert_£100 to Euros!: such phrases are long, memorable and contain an extended symbol to increase the strength of the password.
2. 382465304H: a mix of numbers and a letter at the end, usually used on mass user accounts; such passwords can be generated randomly.
3. 4pRte!ai@3: not a dictionary word; it mixes upper- and lower-case letters with numeric and punctuation characters.
4. MoOoOfIn245679: long, with both letters and numerals.
5. t3wahSetyeT4: not a dictionary word; it has both letters and numerals.
Password Cracking Tools
www.defaultpassword.com
Network devices like switches, hubs and routers ship with "default passwords", and usually these passwords are not changed after the devices are commissioned into the network; this site lists them.
www.openwall.com/john
John the Ripper: a free and open-source, fast password cracker, available for many different operating systems. Its primary purpose is to detect weak Unix passwords.
Cain & Abel (password cracking tool)
Website: http://www.oxid.it/cain.html
It recovers passwords by sniffing the network, cracking encrypted/hashed passwords using dictionary and brute-force attacks, decoding scrambled passwords and recovering wireless network keys.
For more details see:
http://www.youtube.com/watchv=7TFn6mNk1h8
http://www.youtube.com/watch?v=5Ux6o0IKNX4
http://airsnort.shmoo.com
AirSnort is a wireless LAN tool that recovers WEP encryption keys. It operates by passively monitoring transmissions and computing the encryption key once enough packets have been gathered; at that point AirSnort can recover the key in under a second.
http://www.hoobie.net/brutus
Brutus is one of the fastest and most flexible remote (online) password crackers available.
Password cracking attacks can be classified as:
1. Online attacks
2. Offline attacks
3. Non-electronic attacks
Online Attacks
The attacker keeps a list of candidate passwords and runs a program that automatically tries each one against the live login service until one matches the user's password.
If a password matches, the attacker gains access to the system.
This type of attack is used to obtain passwords for e-mail accounts on public websites such as Yahoo, Hotmail and Gmail; account lockout and rate limiting on the server are what slow it down.
Man-in-the-middle attack: an active eavesdropping attack in which the attacker places himself between the victim and the server, relaying (and reading or altering) the traffic in each direction, so that credentials sent by the victim pass through the attacker.
Offline Attacks
Offline password cracking is an attempt to recover one or more passwords from a password storage file (hash file) that has been recovered from the target system.
An offline attack requires prior access to the computer: the password file is copied to external storage and then attacked on the attacker's own hardware, where nothing rate-limits the guesses.
Types of password cracking attack:
- Dictionary attack: tries every word from a word list against the password.
- Hybrid attack: takes dictionary words and substitutes or appends numbers and symbols (e.g. rover -> Rover12, password -> p@$$w0rd).
- Brute-force attack: tries every permutation and combination of letters, digits and special characters.
- Rainbow table approach: a precomputed table of hashes (organized as hash chains) is used to look up the password for a stolen hash. A per-user salt defeats this approach, since the table would have to be rebuilt for every salt value.
Example: a brute-force attack
Password length: 8 characters, drawn from all 95 printable ASCII characters.
The password space is 95^8 possible combinations = 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 = 6,634,204,312,890,625 (6.6 quadrillion) passwords.
Assuming a cracking rate of 1 million guesses per second, trying the whole space takes about 210 years with a brute-force attack.
If the Attacker Knows the Pattern, Then...
Suppose the attacker knows or assumes that the password follows a pattern:
Password is eight characters long
First character is upper case
Next five characters are lower case
Next character is a digit
Last character is one of 34 symbols
The number of possible combinations is 26 x 26 x 26 x 26 x 26 x 26 x 10 x 34 = 105,031,363,840. At 1,000,000 guesses per second this password takes at most 1.2 days to crack with a mask attack. The rate of 1 million guesses per second is itself conservative: GPU crackers working on fast unsalted hashes reach billions of guesses per second, which is why the stored hash must be slow and salted.
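As an added example (not code from the original slides), the following Python reproduces the keyspace arithmetic above for any mask and then runs the dictionary, hybrid and brute-force attacks from the previous slide against unsalted MD5 hashes. The word list, hashes and mangling rules are constructed for the example; the rule set is a small stand-in for what real cracking tools ship with.

```python
import hashlib
import itertools
from math import prod
from typing import Iterable, Iterator, List, Optional

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(charset_sizes: List[int]) -> int:
    """Size of the candidate space when position i may take charset_sizes[i] values.

    [95] * 8 is the all-printable-ASCII case; [26] * 6 + [10, 34] is the mask from
    the text (one upper, five lower, one digit, one of 34 symbols)."""
    return prod(charset_sizes)


def worst_case_seconds(space: int, guesses_per_second: float = 1e6) -> float:
    """Time to exhaust the space at the given rate (on average the hit comes at half that)."""
    return space / guesses_per_second


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Hybrid rules: leet substitutions and common suffixes, constructed for this example.
LEET = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "123", "2023"]


def hybrid_candidates(words: Iterable[str]) -> Iterator[str]:
    """Dictionary attack plus rules: case changes, leet substitutions and suffixes."""
    for word in words:
        bases = {word, word.capitalize(), word.upper(),
                 word.translate(LEET), word.capitalize().translate(LEET)}
        for base in sorted(bases):
            for suffix in SUFFIXES:
                yield base + suffix


def brute_force_candidates(charset: str, max_len: int) -> Iterator[str]:
    """Every string over charset up to max_len: exhaustive, and exponential in length."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def crack_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline attack on an unsalted MD5 hash: one cheap hash per guess, no lockout."""
    target = target_hex.lower()
    for candidate in candidates:
        if md5_hex(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    full = keyspace([95] * 8)
    print(f"{full:,} candidates, {worst_case_seconds(full) / SECONDS_PER_YEAR:.0f} years at 1e6/s")
    mask = keyspace([26] * 6 + [10, 34])
    print(f"{mask:,} candidates, {worst_case_seconds(mask) / 86400:.1f} days at 1e6/s")

    # Constructed word list and hashes standing in for a stolen, unsalted password file.
    words = ["password", "rover", "susan", "admin", "qwerty"]
    for stolen in (md5_hex("rover"), md5_hex("Rover12"), md5_hex("P@$$w0rd!")):
        print(stolen, "->", crack_md5(stolen, hybrid_candidates(words)))
    print(crack_md5(md5_hex("zz9"), brute_force_candidates("abcdefghijklmnopqrstuvwxyz0123456789", 3)))
```

The hybrid generator turns a five-word list into a few thousand candidates, which is why "p@$$w0rd"-style substitutions buy nothing against a cracker; the brute-force generator shows why length, not character tricks, is what makes the keyspace large.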
Difference between Online and Offline Attacks
Online attack: the attacker does not need any prior access to the system.
Offline attack: the attacker does need prior access, in order to recover the credential storage.
Online attack: slow; every guess is a round trip to the server, which can lock the account or throttle attempts.
Offline attack: fast; guesses are limited only by the attacker's own hardware.
Online attack: noisier, potentially leaving one log entry per attempt on the victim's system.
Offline attack: once the credential storage mechanism has been recovered, the cracking leaves no further trace on the victim's system.
Non-Electronic Attacks
Social engineering, and shoulder surfing (watching the user type the password).
General Guidelines for Password Selection
Passwords and user logon identities (IDs) should be unique to each authorized user.
Passwords should consist of a minimum of eight alphanumeric characters.
There should be computer-controlled lists of prescribed password rules and periodic testing to identify any weak passwords.
Passwords should be kept private, that is, not shared with friends or colleagues.
Passwords should be changed every 30/45 days or less.
User accounts should be frozen after five failed login attempts.
Sessions should be suspended after a specified period of inactivity and require the password to be re-entered.
Successful logins should display the date and time of the last login and logoff.
Login IDs and passwords should be suspended after a specified period of non-use.
For high-risk systems, after excessive violations, the system should generate an alarm and be able to simulate a continuing session (with dummy data) for the failed user.
Keyloggers and Spyware
A keylogger records the keys entered by the user.
It is the easiest way to capture a password: it sees the keystrokes before any hashing or encryption happens.
A software keylogger is a program that can be installed remotely on a system through viruses or Trojans.
Software keyloggers are found on the following sites:
- http://www.soft-central.net
This keylogger allows the user to secretly record computer activity.
- http://www.spytech-web.com
It allows computer monitoring, application filtering, chat blocking and remote delivery of logs via e-mail or FTP.
Stealth Keylogger
http://www.stealthkeylogger.org
Computer monitoring software; it logs activity for a specific time duration or set of days.
Power Keylogger
http://www.mykeylogger.com
It is used for the following operations:
Network administration
Shared PC activity tracking
Employee productivity monitoring
Surveillance
Hardware Keyloggers
A hardware keylogger is a small device plugged in between the PC and the keyboard; it saves every keystroke into a file or into its own memory, and being hardware it is invisible to software running on the PC.
Websites where hardware keylogger information is available:
http://www.keyghost.com
http://www.keylog.com
http://wwwkeydevil.com
http://www.keykatcher.com
Anti-Keyloggers
An anti-keylogger detects keyloggers installed on the system.
Advantages claimed for anti-keyloggers:
- A firewall cannot detect the installation of a keylogger on the system, but an anti-keylogger can.
- An anti-keylogger does not require regular signature updates (it looks for keylogging behaviour rather than known samples).
- It helps prevent Internet banking fraud.
- It helps prevent ID theft.
- It secures e-mail and Internet messaging/chatting.
Spyware
Spyware is malware (malicious software) that installs itself on a system and collects information about the user without their knowledge.
Spyware also collects information such as Internet surfing habits/patterns and websites visited.
The features and functions of such spyware go beyond simple monitoring.
Spyware will change the computer's internal settings.
Examples of spyware
1. 007 Spy (http://www.e-spy-software.com)
It has the following key features:
Capable of overriding "antispy" programs like "Ad-aware";
Records all website URLs visited on the Internet;
Powerful keylogger engine to capture all passwords;
Logs can be viewed remotely from anywhere at any time;
Exports the log report in HTML format for viewing in a browser;
Automatically cleans up outdated logs;
Password protection.
2. Spector Pro (http://www.spectorsoft.com)
It has the following key features:
Captures and reviews all chats and instant messages;
Captures e-mails (read, sent and received);
Captures websites visited;
Captures activities performed on social networking sites such as MySpace and Facebook;
Enables blocking of any website and/or chatting with anyone;
Acts as a keylogger to capture every single keystroke (including usernames and passwords).
3. eBlaster
Besides being a keylogger and website watcher, it also records:
e-mails sent and received,
files uploaded/downloaded,
users' activities,
online searches,
MySpace and Facebook activity,
other program activity.
4. Remote Spy
Besides remote computer monitoring, silently and invisibly, it monitors and records a user's PC without any need for physical access.
It also records keystrokes (keylogger), screenshots, e-mail, passwords, chats, instant messenger conversations and websites visited.
5. Stealth Recorder Pro
A utility that records a variety of sounds and transfers them automatically over the Internet without the original location or source being notified.
It has the following features:
Real-time MP3 recording via microphone, CD, line-in and stereo mixer, as MP3, WMA or WAV formatted files;
Automatic transfer of the recorded files via e-mail or FTP to a user-defined e-mail address or FTP server;
Control from a remote location;
Voice mail: records and sends voice messages.
6. PC Phone Home
Software that tracks and locates lost or stolen laptop and desktop computers.
Every time a computer on which PC Phone Home has been installed connects to the Internet, a stealth e-mail is sent to an e-mail address of the owner's choice.
Viruses
A computer virus is a program that can "infect" legitimate programs by modifying them to include a possibly "evolved" copy of itself.
Viruses spread themselves, without the knowledge or permission of the users, to potentially large numbers of programs on many machines.
They reproduce themselves in order to propagate further harm.
Some typical actions of viruses:
1. Display a message to prompt an action which may set off the virus
2. Delete files on the system the virus has entered
3. Scramble data on a hard disk
4. Cause erratic screen behaviour
5. Halt the system (PC)
6. Just replicate
Types of Viruses
1. Boot sector viruses
2. Program (file) viruses
3. Multipartite viruses
4. Stealth viruses
5. Polymorphic viruses
6. Macro viruses
7. ActiveX and Java control viruses
A virus can affect our system in the following ways:
1. A virus attacks specific file types (or files).
2. A virus manipulates a program to execute tasks unintentionally.
3. An infected program produces more viruses.
4. An infected program may run without error for a long time.
5. Viruses can modify themselves (polymorphism) and may possibly escape detection this way.
Worms
A computer worm is a malicious, self-replicating software program (popularly termed "malware") which affects the functioning of software and hardware.
It often uses a computer network to spread itself, relying on security failures on the target computer to gain access to it.
Computer worms copy themselves recursively without needing a host program, and spread following a law of exponential growth, controlling and infecting more and more computers in a short time.
Features of worms
A worm does not need a host program, as it is an independent program or chunk of code. It runs independently.
Worms do not require activation, or any human intervention, to execute or spread their code.
Because a worm is not limited by a host program, worms can take advantage of various operating system vulnerabilities to carry out active attacks.
Some worms are combined with web page scripts, and are hidden in HTML pages using VBScript, ActiveX and other technologies.
Worms are more infectious than traditional viruses.
How worms spread across networks
1. E-mail attachments
2. Internet: via links to infected websites
3. Downloads and FTP servers
4. Instant messages (IM)
5. P2P/file sharing
6. Network shares and vulnerable network services
Identifying the presence of a worm on a computer
Keep an eye on your hard drive space. When worms repeatedly replicate themselves, they start to use up the free space on your computer.
Monitor speed and performance. Has your computer seemed a little sluggish lately? Are some of your programs crashing or not running properly? That could be a red flag that a worm is eating up your processing power.
Be on the lookout for missing or new files. One function of a computer worm is to delete and replace files on a computer.
Difference between Virus and Worm
Virus: must be triggered by the activation of its host (the infected program, file or boot sector).
Worm: a stand-alone malicious program; it does not require a host to trigger it.
Virus: typically attaches itself to a program, file or the boot sector of the hard drive.
Worm: a self-replicating type of malware that does not attach itself to other programs.
Virus: spreads when the infected file or program migrates from one computer to another through networks, file-collaboration apps, e-mail attachments and USB drives.
Worm: exploits network vulnerabilities and spreads quickly compared to a virus.
Worm Case study: In 2017, the WannaCry
Protection against virus and worm
Install anti-virus software and firewall
Track potential data exfiltration at the edge and attacks at the
point of entry
Remember to regularly install security patches
Monitor and analyze file and user behavior
Leverage security analytics to spot suspicious behavior
Set up alerts to notify you automatically and immediately when an
anomaly occurs
Trojan Horses and Backdoors
A Trojan horse is a harmful program hiding under the cover of harmless software: it does what the user expects while also doing something the user did not ask for.
It may destroy files on the infected system.
A Trojan horse may get widely redistributed as part of a computer virus.
Read: Greek mythology about the Trojan War.
Types of Trojans
Data sending
Remote access
Destructive
Proxy
FTP
Security software disabler
DoS
Backdoor
Exploit
Rootkit
Trojan banker
Trojan downloader
Threats from Trojans
1. They erase, overwrite or corrupt data on a computer.
2. They help to spread other malware such as viruses (a dropper Trojan).
3. They deactivate or interfere with antivirus and firewall programs.
4. They allow remote access to your computer (a remote access Trojan, RAT).
5. They upload and download files without your knowledge.
6. They gather e-mail addresses and use them for spam.
7. They log keystrokes to steal information such as passwords and credit card numbers.
8. They plant fake links to bogus websites, display porn sites, play sounds/videos and display images.
9. They slow down, restart or shut down the system.
10. They reinstall themselves after being disabled.
11. They disable the Task Manager.
12. They disable the Control Panel.
Backdoor
A backdoor is a means of access to a computer program that bypasses the normal security mechanisms (authentication).
Backdoor Trojans
Back Orifice: presented as a tool for remote system administration of Windows machines, used as a backdoor.
Bifrost: a Windows backdoor (Windows 95 onwards).
SAP backdoors: Enterprise Resource Planning (ERP) backdoors.
Onapsis Bizploit: open-source ERP penetration testing framework.
How to Protect against Trojan Horses and Backdoors
Stay away from suspect websites/weblinks: avoid downloading free/pirated software.
Surf the Web cautiously: avoid connecting to and/or downloading anything from peer-to-peer (P2P) networks.
Install antivirus/Trojan remover software and keep it updated.
Identity Theft
Identity theft occurs when someone uses your personal identifying information and pretends to be you in order to commit fraud or gain other financial benefits.
ID theft can be:
1. True-name identity theft: the imposter uses the victim's personal information to open a new account in the victim's name.
2. Account takeover identity theft: the imposter uses the victim's personal information to gain access to an existing account.
Types of ID Theft
1. Financial ID Theft
2. Criminal ID Theft
3. Medical ID Theft
4. Insurance ID Theft
5. Child ID Theft
6. Synthetic ID Theft (combining ID of two different victim)
7. Business ID Theft
Techniques for ID Theft
1. Dumpster Diving
2. Shoulder Surfing
3. Phishing and Spam e-mail
4. Skimming
5. Wi-Fi hacking
6. Phone scams
7. Data breaches
8. Malware
9. Mail theft
10. Child ID theft
11. Tax ID theft
How a Fraudster Uses a Stolen ID
Thieves open fraudulent credit card accounts in the victim's name.
These accounts are used for taking loans or making purchases.
The information can be sold on dark web sites. Credit card numbers and account details are used for committing medical fraud, credit card fraud etc.
Thieves can also file a tax return in the victim's name and steal the tax refund.
They can pass an employment background check or rent an apartment using your identity and financial standing.
Prevention of ID Theft
Check your credit card statements periodically.
Shred unsolicited credit card applications.
Monitor your account statements for any unauthorised transactions.
Follow up with creditors in case there are fraudulent transactions.
Do not respond to spam e-mail.
Enable two-factor authentication on all accounts that offer it.
Shred documents before throwing them away. This might include mail, receipts, bills and any other paperwork that contains sensitive information.
Steganography: covered or hidden writing
Steganography is the practice of concealing a file, message, image or video within another file, message, image or video.
Difference from cryptography: cryptography hides the content of a message but not the fact that a message exists; steganography hides the existence of the message itself. Steganography is normally used in conjunction with cryptography, so that a hidden message that is found is still unreadable.
Steganalysis is the process in which a steganalyzer examines the cover object to detect, and if possible extract, the hidden data.
Types of steganography
1. Text steganography
2. Image steganography
3. Audio steganography
4. Video steganography
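As an added example (not part of the original slides), the following Python implements the simplest form of image steganography, least-significant-bit (LSB) embedding, over a constructed byte array standing in for an 8-bit grayscale image, and the known-cover check a steganalyst can make when the original cover is available. Function names, the length-header layout and the sample "image" are this example's own assumptions.

```python
from typing import Iterator

HEADER_BITS = 32   # a 32-bit big-endian length prefix tells the extractor where the payload ends


def _bits(data: bytes) -> Iterator[int]:
    """Most-significant bit first, one int (0/1) per bit."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(cover: bytes) -> int:
    """One payload bit per cover sample, less the length header."""
    return max(0, (len(cover) - HEADER_BITS) // 8)


def embed(cover: bytes, message: bytes) -> bytes:
    """Return a copy of cover whose least significant bits carry len(message) and message."""
    if len(message) > capacity_bytes(cover):
        raise ValueError(f"message is {len(message)} bytes, cover holds {capacity_bytes(cover)}")
    payload = len(message).to_bytes(4, "big") + message
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit      # touch only bit 0: the sample changes by at most 1
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the LSB plane back: length header first, then exactly that many bytes."""
    lsbs = [sample & 1 for sample in stego]

    def read_int(start: int, nbits: int) -> int:
        value = 0
        for bit in lsbs[start:start + nbits]:
            value = (value << 1) | bit
        return value

    length = read_int(0, HEADER_BITS)
    if length > capacity_bytes(stego):
        raise ValueError("no valid payload in this object")
    return bytes(read_int(HEADER_BITS + 8 * k, 8) for k in range(length))


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def changed_lsbs(cover: bytes, stego: bytes) -> int:
    """Known-cover steganalysis: how many LSBs differ (about half the payload bits)."""
    return sum((a ^ b) & 1 for a, b in zip(cover, stego))


def sample_cover() -> bytes:
    """Constructed 64x64 8-bit 'image' (a repeating gradient), not a real picture."""
    return bytes((x * 7 + y * 13) % 256 for y in range(64) for x in range(64))


if __name__ == "__main__":
    cover = sample_cover()
    stego = embed(cover, b"attack at dawn")
    print(extract(stego))                                   # b'attack at dawn'
    print(max_sample_change(cover, stego), changed_lsbs(cover, stego))
```

Because each sample moves by at most one level, the picture looks identical to the eye; without the original cover, a steganalyst instead looks at the statistics of the LSB plane, which this kind of embedding flattens toward an even 0/1 split. Encrypting the message before embedding (the combination the text recommends) keeps a found payload unreadable but does not hide that statistical trace.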
Proxy Servers and Anonymous Proxies
A proxy server is a computer on a network which acts as an intermediary for connections with other computers on that network.
A proxy server sits between a client and the "real" server that the client is trying to use. Clients are sometimes configured to use a proxy server, usually an HTTP proxy. The client makes all of its requests to the proxy server, which then makes the requests to the "real" server and passes the results back to the client.
[Figure: Client <-> Proxy Server <-> Server]
Sometimes the proxy server stores the results and returns a stored result instead of making a new request. Such special proxy servers are known as cache servers.
Proxy servers are commonly established on local area networks.
An attacker first connects to a proxy server and then establishes a connection with the target system through the existing connection with the proxy, so the target sees the proxy's address, not the attacker's.
A client connects to the proxy server and requests some service available from a different server.
The proxy server evaluates the request and provides the resource.
Using a proxy server (or a chain of them) can allow an attacker to hide their identity by becoming anonymous on the network; the proxy's own logs are then the only place the real source address is recorded.
Types of proxy
Open proxies: a proxy server that passes requests and responses unmodified is usually called a gateway or sometimes a tunneling proxy. An open proxy is a forwarding proxy server that is accessible by any Internet user.
A reverse proxy is usually an Internet-facing proxy used as a front end to control and protect access to a server on a private network.
A forward proxy is an Internet-facing proxy used to retrieve content from a wide range of sources (in most cases anywhere on the Internet) on behalf of clients inside the network.
Reasons for installing reverse proxy servers
1. Encryption / SSL acceleration
2. Load balancing
3. Serve/cache static content
4. Compression
5. Spoon feeding
6. Security
7. Extranet Publishing
Listed are a few websites where free proxy servers can be found:
http://www.proxy4free.com
http://www.publicproxyservers.com
http://www.proxz.com
http://www.surf24h.com
An anonymous proxy is a tool that attempts to make activity on the Internet untraceable.
It accesses the Internet on the user's behalf, protecting personal information by hiding the source computer's identifying information (above all its IP address).
Anonymizer
An anonymizer or anonymous proxy is a tool that attempts to make activity on the Internet untraceable.
Anonymizers can be used to prevent identity theft, or to protect search histories from public disclosure.
Anonymizers are also used to avoid targeted (profile- or location-based) content.
Anonymizer websites are banned in some countries; users there must be wary that they may be falling into a government-set trap, since a proxy run by the very party they are hiding from sees all of their traffic.
Types of anonymizer
Protocol-specific anonymizers
Protocol-independent anonymizers
In 1997 the first anonymous software tool was created by Lance Cottrell and developed by Anonymizer.com.
An anonymous proxy hides/removes all the identifying information from a user's computer while the user surfs the Internet, which protects the privacy of the user from the sites visited, though not from the proxy operator.
Listed are a few websites where more information about anonymous proxies can be found:
http://www.anonymizer.com
http://www.browzar.com
http://www.anonymize.net
http://www.anonymouse.ws
Being Anonymous While Searching on Google
Google cookie
Cookies were designed to be a reliable mechanism for websites to remember state, or the activity the user had taken in the past.
A cookie is a text record containing a string of alphanumeric characters, used to store a netizen's (a regular Internet user's) website preferences/authentication when visiting the same site again and again.
Google was the first search engine to use a cookie. This cookie places a unique ID number on your hard disk. Any time you visit Google you get a Google cookie if you do not already have one; if you have one, Google reads and records the unique ID.
With this ID Google can build a detailed list of your search terms over many years.
Google cookies were originally set to expire in the year 2038.
G-Zapper
The G-Zapper utility helps the user stay anonymous while searching Google.
G-Zapper helps to protect the user's ID and search history. G-Zapper reads the Google cookie installed on the user's PC, displays the date it was installed, determines how long the user's searches have been tracked and displays the Google searches.
G-Zapper allows the user to automatically delete, or entirely block, the Google search cookie from future installation.
Phishing: How It Works
Phishers work in the following stages:
1. Planning: criminals use the same mass-mailing and address-collection techniques as spammers.
2. Setup: once phishers know which business to spoof and who their victims are, they create methods for delivering the message and for collecting the data from the target.
3. Attack: the phisher sends a fake message that appears to be from a reputable source.
4. Collection: phishers record the information that victims enter into web pages or pop-up windows.
5. Identity theft and fraud: phishers use the information they have gathered to make illegal purchases or commit fraud.
Nowadays more and more organizations provide greater online access for their customers, and hence criminals are successfully using phishing techniques to steal personal information and conduct ID theft on a global scale.
DoS Attacks
A denial-of-service (DoS) attack makes a system or network unavailable to its legitimate users by:
Flooding the bandwidth of the victim's network.
Flooding the resources of the system (CPU, memory, connection tables).
Flooding the victim's e-mail box with spam mail.
- IP spoofing (forging the source IP address) is used to flood the victim machine while hiding the attacker and defeating simple source-based filtering.
How to perform a DoS/DDoS attack (video):
https://www.youtube.com/watch?v=fGWkhmCp_js
DoS attacks are classified as:
- Bandwidth attacks: consuming the link or the server's capacity, e.g. requesting a web page that takes a lot of server time, many times over.
- Logic attacks: exploiting a vulnerability in the web server or the TCP/IP stack so that a small, malformed input crashes or hangs the target.
Ethical Hacking: Sniffing as an Attack Technique (replay attack) (video):
https://www.youtube.com/watch?v=RCro7fH-AY4
Web Server Vulnerabilities
1. Command injection
Command injection is a technique which allows an attacker to execute operating system commands by abusing an application feature that passes user input to a shell.
2. Weak session management
This happens when the web application produces a session cookie whose value is easily guessable (sequential, time-based or otherwise predictable), so an attacker can forge another user's session.
3. LDAP injection
- LDAP is an application protocol used to access and maintain distributed directory services like Microsoft's Active Directory.
- Active Directory contains information about objects (resource information and security policy).
- LDAP injection is a code injection technique used against applications which construct LDAP statements (search filters) from user input without escaping it.
4. Cross-site scripting (XSS)
Cross-site scripting (XSS) is one of the most common application-layer web attacks.
- The attacker uses a social engineering approach to get a victim to access a web page into which the attacker has injected script code, which then runs in the victim's browser with the site's privileges.
5. .NET tracing capabilities
.NET provides powerful application debugging capabilities (tracing) which, if left enabled in production, can be abused by attackers to obtain various pieces of critical information including session cookies and session state.
6. Password via GET
Sending passwords as a GET parameter is considered bad programming practice, since this information can easily be read from the browser's address bar, from its history, from the Referer header, or from the web server logs.
7. Microsoft Office documents
Microsoft Office documents often contain hidden metadata like username, author name, company name and the name of the computer, which may be misused by an attacker.
8. XML injection
XML injection is a code injection variant which can be used by attackers to include a malicious XML block in the document an application builds from user input.
Ping flood / Ping of death – The attacker sends
oversized ICMP packets to the victim machine.
- Ping flood – n number of ping requests.
- SYN flooding attack.
- Teardrop attack: fragmented packets are forged so that they
overlap each other when the receiver tries to reassemble
them.
- Fragmentation algorithms are used to confuse the
victim.
- Windows 3.1x, Windows 95 and Windows NT
are vulnerable to this attack.
Smurf attack
- This attack generates significant network traffic on the
victim machine.
- The network floods the target system with spoofed
broadcast ping messages.
- The attacker sends an ICMP echo request to the network
broadcast address.
- The victim's IP address is used as the spoofed source.
Nuke attack:
- Invalid ICMP packets are sent to the target machine.
- The attacker sends corrupt data to slow down the system.
Unintentional DoS attack:
- Multiple hits to a web site.
(Jet Airways low fare scheme)
Tools used to launch DoS attacks:
JOLT2: It is used to discover a vulnerability in the Windows
networking code.
- The vulnerability allows an attacker to launch a
DoS attack from a remote location.
Targa: This tool is used to launch 8 different types of DoS
attack.
Nemesy: This program generates random packets with spoofed
source IPs to enable an attacker to launch a DoS attack.
DDoS Attack
Concept of DDoS
Tools used to launch DDoS attacks:
Trinoo: It is a set of programs used to conduct DDoS
attacks. Trinoo networks have been installed on thousands of
machines.
Tribe Flood Network (TFN): This tool is used to launch
various DDoS attacks such as ICMP flood, SYN flood, UDP
flood and Smurf attack.
MStream: It is used to send spoofed TCP packets by modifying the
ACK flag.
Protection from DoS and DDoS
- Implement router filters. Filters help to minimize DoS
attacks.
- Install patches to guard the system against TCP SYN flooding.
- Disable any unused network services.
- Define what is normal and abnormal activity for the system.
- Routinely examine the physical security of the system.
- Identify redundant and fault-tolerant network
configurations.
- Take regular backups of the system.
Tools for detecting DoS/DDoS attacks:
Zombie Zapper: This tool instructs zombies to stop
flooding.
Remote Intrusion Detection (RID): It is a packet snooper
and generator.
- Snooper: a spy who makes uninvited inquiries into the private
affairs of others.
- It sends packets as defined in config.txt and then listens for the
appropriate replies.
Find_DDoS: This tool scans a system to detect DDoS agents.
DDoSPing: It is a remote network scanner.
It detects Trinoo and Tribe Flood Network with their default settings.
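The "normal versus abnormal activity" rule above can be made concrete. The added example below (not from the slides; the packet summaries are constructed sample data and the SYN_THRESHOLD value is an arbitrary assumption) counts half-open connections per source to flag a SYN flood pattern and counts ICMP echo requests sent to the broadcast address, the Smurf indicator described earlier.

```c
#include <stddef.h>
#include <string.h>

/* One summarised packet from a capture (constructed sample data, not real). */
typedef struct {
    const char *proto;  /* "TCP" or "ICMP" */
    const char *info;   /* TCP flags "S" (bare SYN), "SA", "A"; ICMP "echo-req" */
    const char *src, *dst;
} pkt_t;

/* Constructed sample: 10.0.0.5 leaves many half-open connections (SYN flood
   pattern), 10.0.0.7 completes a normal handshake, 10.0.0.9 sends an echo
   request to the broadcast address (Smurf pattern). */
static const pkt_t SAMPLE[] = {
    {"TCP", "S", "10.0.0.5", "192.0.2.10"}, {"TCP", "S", "10.0.0.5", "192.0.2.10"},
    {"TCP", "S", "10.0.0.5", "192.0.2.10"}, {"TCP", "S", "10.0.0.5", "192.0.2.10"},
    {"TCP", "S", "10.0.0.5", "192.0.2.10"}, {"TCP", "S", "10.0.0.5", "192.0.2.10"},
    {"TCP", "S", "10.0.0.7", "192.0.2.10"}, {"TCP", "SA", "192.0.2.10", "10.0.0.7"},
    {"TCP", "A", "10.0.0.7", "192.0.2.10"}, {"ICMP", "echo-req", "10.0.0.9", "192.0.2.255"},
};
static const size_t SAMPLE_LEN = sizeof SAMPLE / sizeof SAMPLE[0];

#define SYN_THRESHOLD 5  /* assumed limit on half-open connections per source */

/* Half-open count for src: bare SYNs minus the ACKs that complete a handshake. */
int half_open_from(const pkt_t *p, size_t n, const char *src) {
    int syns = 0, acks = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(p[i].proto, "TCP") != 0 || strcmp(p[i].src, src) != 0) continue;
        if (strcmp(p[i].info, "S") == 0) syns++;
        else if (strcmp(p[i].info, "A") == 0) acks++;
    }
    return syns - acks;
}

/* SYN flood indicator: too many half-open connections from a single source. */
int is_syn_flood_source(const pkt_t *p, size_t n, const char *src) {
    return half_open_from(p, n, src) >= SYN_THRESHOLD;
}

/* Smurf indicator: ICMP echo requests addressed to the subnet broadcast. */
int broadcast_echo_count(const pkt_t *p, size_t n, const char *bcast) {
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(p[i].proto, "ICMP") == 0 && strcmp(p[i].info, "echo-req") == 0
            && strcmp(p[i].dst, bcast) == 0)
            count++;
    return count;
}
```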
SQL Injection
SQL is used to define a database, update it and retrieve
information from it.
SQL injection is the result of a vulnerability present at the database layer.
The vulnerability is exposed when a user-entered string containing escape
characters is embedded in an SQL statement.
SQL injection is an example of such a vulnerability, where one
scripting language is embedded inside another.
The attacker targets databases which store confidential
information (passwords, credit card numbers, debit card numbers).
A web page is designed to enter a query into the system to retrieve a
dataset from the database.
Steps for SQL Injection
- The attacker searches for a web page (UI).
- The attacker can view the source code of the script through the source
view option of IE (Internet Explorer). In the source code, the attacker
searches for the <FORM> </FORM> tags.
- These tags contain parameters that might be useful to find a vulnerability.
- The attacker inputs a single quote in the text boxes of the web page that
accept the username and password.
- The attacker enters the following values on the web page to test for SQL
vulnerability:
Blah' or 1=1-;
login.blah or 1=1-;
Password :: blah' or 1=1--;
http://search/index.asp?id=blah' or 1=1--
Blind SQL Injection
Blind SQL injection is used when a web application is
vulnerable to SQL injection but the results of the injection are
not visible to the attacker.
In summary, with SQL injection an attacker can:
- Obtain basic information.
- Gain access to the system by obtaining usernames and
passwords, e.g.
select * from user where name='' OR '1'='1'
- Add new data to the dataset (insert command).
- Modify data currently in the database
(update command).
SQL Injection: https://www.youtube.com/watch?v=uSw0IoSr3Hkl
Tools used for SQL server penetration
AppDetectivePro: This tool assesses database applications
and their security strength within the network.
DbProtector: This tool is responsible for
- Database asset management.
- Vulnerability management.
- Audit and threat management.
- Policy management.
- Reporting and analysis.
Database scanner:
How to prevent SQL Injection Attacks
SQL injection is the result of poor website administration and coding.
Prevention mechanisms:
- Input validation.
- Replace all single quotes (escape quotes) with two
single quotes.
- Check input.
- Check numeric values using the IsNumeric() function.
- Keep proper size limits on text boxes and input boxes.
- SQL errors should not be displayed to outside users.
- Do not use the default settings for SQL Server 2000.
- Isolate the database and web server.
- Attackers use the stored procedures xp_cmdshell() and xp_grantlogin() in
SQL injection attacks.
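Two of the prevention rules above (double every single quote, check numeric fields with an IsNumeric-style test) in working code. This is an added example, not code from the slides; the function names and the 64-byte limit are assumptions, and the test input is the slides' own probe string.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst, writing every single quote twice so the value stays a
   string literal inside SQL. Returns the length written, or -1 if dst is
   too small (the caller must reject the input rather than truncate it). */
int escape_single_quotes(const char *src, char *dst, size_t dst_size) {
    size_t out = 0;
    for (const char *p = src; *p; p++) {
        size_t need = (*p == '\'') ? 2 : 1;
        if (out + need >= dst_size) return -1;
        dst[out++] = *p;
        if (*p == '\'') dst[out++] = '\'';
    }
    dst[out] = '\0';
    return (int)out;
}

/* Equivalent of the IsNumeric() check: accept only digits (optional leading
   minus), so "blah' or 1=1--" is refused before it reaches the query. */
int is_numeric(const char *s) {
    if (*s == '-') s++;
    if (!*s) return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Build the login query with the escaped value. Returns 0 on success, -1 if
   the input was rejected. (Parameterised queries are the stronger fix; this
   shows the quote-doubling rule from the slides.) */
int build_login_query(const char *name, char *query, size_t query_size) {
    char safe[64];   /* assumed maximum length for a user name */
    if (escape_single_quotes(name, safe, sizeof safe) < 0) return -1;
    int n = snprintf(query, query_size, "select * from user where name='%s'", safe);
    return (n < 0 || (size_t)n >= query_size) ? -1 : 0;
}

/* Convenience for checks: build the query for name and compare with expected. */
int login_query_equals(const char *name, const char *expected) {
    char query[128];
    if (build_login_query(name, query, sizeof query) != 0) return 0;
    return strcmp(query, expected) == 0;
}
```

With the probe string the doubled quote keeps `' or 1=1--` inside the string literal, so the WHERE clause compares against the literal text instead of being rewritten.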
Buffer Overflow
Buffer overflow concept:
Additional data will overwrite
- the program data area,
- the program code area,
- the system data area,
- the system code area.
Languages such as C do not provide any built-in protection
against buffer overflow.
The C compiler does not check for buffer overflow:
int main(void)
{
    int buffer[10];
    buffer[20] = 10;   /* out-of-bounds write; the compiler does not check it */
    return 0;
}
Types of Buffer Overflow
In software, a stack buffer overflow (also known as stack
smashing) occurs when a program writes to a memory
address on the program's call stack outside of the intended
data structure, usually a fixed-length buffer.
Stack buffer overflow bugs are caused when a program
writes more data to a buffer located on the stack than was
actually allocated for that buffer.
This almost always results in corruption of adjacent data
on the stack, and in cases where the overflow was
triggered by mistake, it will often cause the program to crash
or operate incorrectly.
"Shellcode" starts a command shell from which the
attacker can control the compromised machine.
#include <string.h>

void buffer_overflow(char *bar)
{
    char c[12];
    strcpy(c, bar);   /* no bounds checking: input longer than 11 bytes overflows c */
}

int main(int argc, char **argv)
{
    if (argc > 1)
        buffer_overflow(argv[1]);
    return 0;
}
Stack Overflow
NOPs (No Operation Performed)
NOPs reserve space which will be replaced by active
instructions.
A collection of NOPs is called a NOP sled.
A NOP sled is the oldest and most widely known technique
for successfully exploiting a stack buffer overflow.
NOPs help the attacker hit the exact address of the buffer.
The attacker can pad his code with NOP operations.
Heap Buffer overflow
A buffer overflow occurring in the heap data area is
referred to as a heap overflow
Memory on the heap is dynamically allocated by the
application at run-time and typically contains program
data.
Exploitation is performed by corrupting this data in
specific ways to cause the application to overwrite internal
structures such as linked list pointers.
How to minimize buffer overflow
Manual assessment of the security of the code:
- Buffer overflow is the result of storing more than the
capacity.
- Developers should minimize the use of the unsafe C library functions.
Disable stack execution:
- Malicious code tries to supply input to the program
from the stack segment rather than the code segment.
Compiler tools:
- They generate a warning to the user if gets() or strcpy() is used.
Dynamic runtime checks:
- These techniques ensure that code is loaded in a secure
manner before execution.
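The hardened counterpart of the strcpy() example from the stack overflow slide, as an added example (not the slides' own code): the 12-byte stack buffer is kept, but the copy is length-checked and over-long input is rejected instead of overwriting adjacent stack data. Function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the unchecked strcpy() in buffer_overflow():
   copies src into dst only if it fits, including the terminating NUL.
   Returns 1 on success, 0 if the input was rejected (dst left empty). */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0) return 0;
    if (len >= dst_size) {       /* would overflow: refuse instead of writing */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, len + 1);   /* len + 1 <= dst_size, so this stays in bounds */
    return 1;
}

/* Hardened version of the slide's function: same 12-byte stack buffer, but a
   longer argument can never reach the saved return address.
   Returns the number of bytes stored, or -1 when the input is too long. */
int handle_input(const char *bar)
{
    char c[12];
    if (!copy_checked(c, sizeof c, bar)) return -1;
    return (int)strlen(c);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    int n = handle_input(argv[1]);
    if (n < 0) fprintf(stderr, "rejected: input longer than 11 bytes\n");
    else printf("stored %d bytes\n", n);
    return n < 0;
}
```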
Attacks on Wireless Networks
A wireless network consists of two elements:
- Wireless access point.
- Wireless-enabled device.
A user may access the wireless network through a dongle.
Networking standards
802.11 - It is applicable to WLAN.
- It supports 1 or 2 Mbps transmission.
- It uses the 2.4 GHz band with FHSS (frequency hopping
spread spectrum).
802.11a - It provides 54 Mbps transmission in the 5 GHz
band.
- It uses OFDM (orthogonal frequency division multiplexing),
which is better than FHSS.
802.11b - It provides 11 Mbps transmission in the 2.4 GHz
band.
- It uses complementary code keying (CCK)
modulation to improve speed.
802.11g - It provides 54 Mbps transmission in the 2.4
GHz band.
- It uses OFDM.
802.11n - It provides 54 Mbps transmission
speed.
- It can only achieve 24 Mbps due to
network congestion.
802.15 - This standard is used for personal WLANs and
covers a very short range. It is used for Bluetooth
technology.
802.16 – It is also known as WiMAX.
- It combines the benefits of broadband and
wireless. It provides high-speed internet over
long distances.
- This standard was developed by the IEEE.
Ex. wireless MAN.
Access point: It acts as a communication hub.
Wi-Fi hotspot: A hotspot is a site that offers internet
access using Wi-Fi technology over a WLAN.
- Hotspots are found in public areas.
SSID (Service Set Identifier): All wireless devices must
use the same SSID to communicate with each other.
The SSID is set during WLAN setup.
The SSID is 32 characters long.
Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy (WEP) is a security algorithm
for IEEE 802.11 wireless networks.
WEP uses the stream cipher RC4 for confidentiality
and the CRC-32 checksum for integrity.