077 sandeep nair

Upload: yazirmk

Post on 29-May-2018


  • 8/8/2019 077 sandeep nair

    1/37

    ETHICAL HACKING

    A SEMINAR REPORT

    Submitted by

    SANDEEP NAIR NARAYANAN

    in partial fulfillment for the award of the degree

    of

    BACHELOR OF TECHNOLOGY

    in

    COMPUTER SCIENCE & ENGINEERING

    SCHOOL OF ENGINEERING

    COCHIN UNIVERSITY OF SCIENCE & TECHNOLOGY,

    KOCHI-682022

    AUGUST 2008


    DIVISION OF COMPUTER ENGINEERING

    SCHOOL OF ENGINEERING

    COCHIN UNIVERSITY OF SCIENCE AND TECHNOLOGY

    KOCHI-682022

    Certificate

    Certified that this is a bonafide record of the seminar entitled

    ETHICAL HACKING

    done by the following student

    SANDEEP NAIR NARAYANAN

    of the VIIth semester, Computer Science and Engineering, in the year 2008 in

    partial fulfillment of the requirements to the award of Degree of Bachelor of

    Technology in Computer Science and Engineering of Cochin University of

    Science and Technology.

    Mrs. Sheena Mathew (Seminar Guide)

    Dr. David Peter S (Head of the Department)

    Date:


    ACKNOWLEDGEMENT

    At the outset, I thank the Lord Almighty for the grace, strength and hope to make my endeavor a success.

    I also express my gratitude to Dr. DAVID PETER S, Head of the

    Department and my Seminar Guide for providing me with adequate facilities, ways

    and means by which I was able to complete this seminar. I express my sincere

    gratitude to him for his constant support and valuable suggestions without which the

    successful completion of this seminar would not have been possible.

    I thank Mrs. SHEENA MATHEW, my Seminar Guide, for her boundless

    cooperation and the help extended for this seminar. I express my immense pleasure and

    thankfulness to all the teachers and staff of the Department of Computer Science and

    Engineering, CUSAT for their cooperation and support.

    Last but not the least, I thank all others, and especially my classmates and my

    family members who in one way or another helped me in the successful completion of

    this work.

    SANDEEP NAIR NARAYANAN


    ABSTRACT

    Today more and more software is being developed, and users are getting

    more and more options in the software they already use. But many are not aware

    that they are being hacked. One reaction to this state of affairs is a practice

    termed "Ethical Hacking", which attempts to proactively increase security by

    identifying and patching known security vulnerabilities on systems owned by other

    parties, with those parties' permission.

    A good ethical hacker should know the methodology followed by an attacker:

    reconnaissance, host or target scanning, gaining access, maintaining access and

    clearing tracks. Besides the methodology, ethical hacking also requires knowledge

    of the various tools and methods a black hat hacker can use.

    From the user's point of view one should know at least some of these, because

    some hackers take advantage of people who are not aware of the various hacking

    methods in order to break into a system. From the developer's point of view, he too

    should be aware of them, since he should be able to close the holes in his software

    that these tools exploit. With the advent of new tools hackers may devise new

    tactics, but at least the software will be resistant to the tools that are known.


    TABLE OF CONTENTS

    LIST OF FIGURES iii

    LIST OF SYMBOLS iv

    1. INTRODUCTION 01

    1.1 Security 01

    1.2 Need for Security 02

    1.3 Hacking 03

    1.4 Types of Hackers 04

    1.5 Can Hacking Be Done Ethically? 04

    1.6 Ethical Hacking 05

    1.7 What does an Ethical Hacker do? 06

    2. ETHICAL HACKING 08

    2.1 Analogy with Building Robbing 08

    2.2 Methodology of Hacking 09

    2.3 Reconnaissance 09

    2.3.1 Google 10

    2.3.2 Samspade 10

    2.3.3 Email Tracker and Visual Route 11

    2.4 Scanning & Enumeration 14

    2.4.1 War Dialing 14

    2.4.2 Pingers 15

    2.4.3 Port Scanning 15

    2.4.4 Super Scan 16

    2.4.5 Nmap 17

    2.4.6 Enumeration 18

    2.5 System Hacking 19

    2.5.1 Password Cracking 19

    2.5.2 Loftcrack 21

    2.5.3 Privilege Escalation 22

    2.5.4 Metasploit 22

    2.5.6 Man in the Middle Attack 22

    i


    2.6 Maintaining Access 23

    2.6.1 Key Stroke Loggers 23

    2.6.2 Trojan Horses & Backdoors 24

    2.6.3 Wrappers 25

    2.6.4 Elitewrap 25

    2.7 Clearing Tracks 26

    2.7.1 Winzapper 26

    3. CONCLUSION 27

    REFERENCES 29


    LIST OF FIGURES

    1. Fig 2.1 Samspade GUI 11

    2. Fig 2.2 Email Tracker GUI 12

    3. Fig 2.3 Visual Route GUI 13

    4. Fig 2.4 SuperScan GUI 16

    5. Fig 2.5 Nmap GUI 17

    6. Fig 2.6 Loftcrack GUI 21


    LIST OF SYMBOLS

    TCP -Transmission Control Protocol

    UDP -User Datagram Protocol

    FTP -File Transfer Protocol

    SNMP -Simple Network Management Protocol

    GUI -Graphical User Interface

    ICMP -Internet Control Message Protocol

    HTML -Hyper Text Markup Language

    IP -Internet Protocol

    SID -Security Identifier

    CPU -Central Processing Unit


    Ethical hacking

    1. INTRODUCTION

    Ethical hacking, also known as penetration testing or white-hat hacking,

    involves the same tools, tricks, and techniques that hackers use, but with one major

    difference: ethical hacking is legal, because it is performed with the target's

    permission. The intent of ethical hacking is to discover vulnerabilities from a hacker's

    viewpoint so that systems can be better secured. It is part of an overall information risk

    management program that allows for ongoing security improvements. Ethical hacking

    can also check whether vendors' claims about the security of their products are legitimate.

    1.1 Security

    Security is the condition of being protected against danger or loss. In the

    general sense, security is a concept similar to safety. In the case of networks and

    computers it is called information security. Information security means protecting

    information and information systems from unauthorized access, use, disclosure,

    disruption, modification, or destruction. Security is usually described in terms of

    the CIA triad, the three basic principles of security: C denotes Confidentiality,

    I represents Integrity and A represents Availability.

    Confidentiality

    Confidentiality is the property of preventing disclosure of information

    to unauthorized individuals or systems. This means that a particular piece of data

    should be seen only by authorized personnel; anyone else, including a passive

    observer of the network, should not be able to see it. For example, in a credit card

    transaction only the authorized party should see the card number. Nobody else should

    see that number, because they could use it for other purposes. Confidentiality is thus

    very important, and it is necessary for maintaining the privacy of the people whose

    personal information a system holds.

    Division Of Computer Engineering, School Of Engineering, CUSAT 1


    Integrity

    Integrity means that data cannot be modified without authorization.

    This means that the data seen by authorized persons must be correct; that is, the data

    must retain the property of integrity. Without integrity the data is of no use.

    Integrity is violated when a computer virus infects a computer, when an employee is

    able to modify his own salary in a payroll database, when an unauthorized user

    vandalizes a web site, when someone is able to cast a very large number of votes in an

    online poll, and so on. In each case the data has been modified, and we can say that

    there is a breach of security.

    Availability

    For any information system to serve its purpose, the information must

    be available when it is needed. Consider data that needs both integrity and

    confidentiality. The easiest way to achieve both is to take the data offline, but then

    the data is not available to its users, and so it is of no use even though it has the

    other two characteristics. Availability means that the computing systems used to

    store and process the information, the security controls used to protect it, and the

    communication channels used to access it must all be functioning correctly.

    All three factors are considered important, since data lacking any of the

    above characteristics is useless. Therefore security is described as the CIA trio, and

    losing any one of the three constitutes a security breach.

    1.2 Need for Security

    Computer security is required because most organizations can be damaged by

    hostile software or intruders. Moreover, security is directly related to business: if

    a company loses a series of its customers' credit card numbers, many customers

    would be hesitant to go back to that company, and it will lose customers and hence

    business. The damage produced by intruders can take several, obviously interrelated,

    forms. These include:

    loss of confidential data

    damage or destruction of data

    damage or destruction of computer systems

    loss of a company's reputation

    There may be many more consequences of security breaches. This means that

    security is absolutely necessary.

    1.3 Hacking

    A hacker is a person who is interested in a particular subject and has

    immense knowledge of it. In the world of computers a hacker is a person

    intensely interested in the arcane and recondite workings of any computer operating

    system. Most often, hackers are programmers with advanced knowledge of operating

    systems and programming languages. Eric Raymond, compiler of The New Hacker's

    Dictionary, defines a hacker as a clever programmer. A "good hack" is a clever

    solution to a programming problem and "hacking" is the act of doing it. Raymond

    lists five possible characteristics that qualify one as a hacker, which we paraphrase

    here:

    A person who enjoys learning the details of a programming language or system

    A person who enjoys actually doing the programming rather than just

    theorizing about it

    A person capable of appreciating someone else's hacking

    A person who picks up programming quickly

    A person who is an expert at a particular programming language or system

    1.4 Types of Hackers

    Hackers can be broadly classified by their motive for hacking. On this

    basis there are mainly three types of hacker.

    Black-Hat Hacker

    Black hat hackers are individuals with extraordinary computing skills who resort to

    malicious or destructive activities; that is, they use their knowledge and skill for

    their own personal gain, usually by hurting others. Black hat hackers are also known

    as crackers.

    White-Hat Hacker

    White hat hackers are individuals possessing hacker skills who

    use them for defensive purposes. This means that white hat hackers use their

    knowledge and skill for the good of others and for the common good. White hat

    hackers are also called security analysts.

    Grey-Hat Hackers

    These are individuals who work both offensively and defensively at

    various times. Their behaviour cannot be predicted: sometimes they use their skills

    for the common good, while at other times they use them for personal gain.

    1.5 Can Hacking Be Done Ethically?

    For various reasons hacking is always taken in the bad sense, and "hacking"

    is understood to mean black hat hacking. But the question is, can hacking be done

    ethically? The answer is yes, because to catch a thief you must think like a thief.

    That is the basis of ethical hacking. Suppose a hacker tries to break into a system and

    finds a vulnerability, and suppose he reports to the company that the vulnerability

    exists. The company can then patch that vulnerability and so protect itself from future

    attacks by black hat hackers who try to use the same hole. Unless somebody tries to

    find a vulnerability it remains hidden, and one day somebody else may find it and

    exploit it for their own personal interests. Finding such holes first is what ethical

    hacking does.

    1.6 Ethical Hacking

    Ethical hacking is also known as penetration testing, intrusion testing or red

    teaming (the terms are often used interchangeably, although a red team exercise is

    usually broader in scope than a penetration test). With the growth of the Internet,

    computer security has become a major concern for businesses and governments. They

    want to be able to take advantage of the Internet for electronic commerce, advertising,

    information distribution and access, and other pursuits, but they are worried about the

    possibility of being hacked. At the same time, the potential customers of these services

    are worried about maintaining control of personal information ranging from credit card

    numbers to social security numbers and home addresses. In their search for a way to

    approach the problem, organizations came to realize that one of the best ways to

    evaluate the intruder threat to their interests would be to have independent computer

    security professionals attempt to break into their computer systems. This scheme is

    called Ethical Hacking. It is similar to having independent auditors come into an

    organization to verify its bookkeeping records. This method of evaluating the security

    of a system has been in use since the early days of computers. In one early ethical

    hack, the United States Air Force conducted a security evaluation of the Multics

    operating system for potential use as a two-level (secret/top secret) system. The

    evaluation found Multics to be significantly better than the conventional systems of

    the time, but it also brought out some of its vulnerabilities.


    Successful ethical hackers possess a variety of skills. First and foremost, they

    must be completely trustworthy. While testing the security of a client's systems, the

    ethical hacker may discover information about the client that should remain secret. In

    many cases this information, if publicized, could lead to real intruders breaking into

    the systems, possibly leading to financial losses. During an evaluation the ethical

    hacker often holds the keys to the company, and therefore must be trusted to

    exercise tight control over any information about a target that could be misused. The

    sensitivity of the information gathered during an evaluation requires that strong

    measures be taken to ensure the security of the systems employed by the ethical

    hackers themselves: limited-access labs with physical security protection and full

    ceiling-to-floor walls, multiple secure Internet connections, a safe to hold paper

    documentation from clients, strong cryptography to protect electronic results, and

    isolated networks for testing.

    Ethical hackers should also possess very strong programming and computer

    networking skills and should have been in the computer and networking business for

    several years. Another quality needed in an ethical hacker is more drive and patience

    than most people have, since a typical evaluation may require several days of tedious

    work that is difficult to automate. Some portions of the evaluation must be done

    outside of normal working hours to avoid interfering with production at live targets or

    to simulate the timing of a real attack. When they encounter a system with which they

    are unfamiliar, ethical hackers will spend the time to learn about the system and try to

    find its weaknesses. Finally, keeping up with the ever-changing world of computer

    and network security requires continuous education and review.

    1.7 What does an Ethical Hacker do?

    An ethical hacker is a person who does ethical hacking; that is, a security

    professional who tries to penetrate a network to find out whether there is a

    vulnerability in the system. An ethical hacker always has permission to enter the

    target network.

    An ethical hacker first thinks with the mindset of a hacker who is trying to get

    into the system. He first finds out what an intruder, or anyone else, can see. Using

    that information, the ethical hacker then tries to get into the system by whatever

    method he can. If he succeeds in penetrating the system, he gives the company a

    detailed report about the particular vulnerability he exploited to get in. He may also

    sometimes produce patches for that vulnerability, or suggest ways of preventing it.


    2. ETHICAL HACKING

    Ethical hacking is a process in which an authorized person, who is a

    computer and network expert, attacks a security system on behalf of its owners,

    seeking vulnerabilities that a malicious hacker could exploit. In order to test the

    system an ethical hacker uses the same principles as an ordinary hacker, but reports

    the vulnerabilities instead of using them for his own advantage.

    2.1 Analogy with Building Robbing

    The methodology of a hacker is similar to the one used for ordinary thefts. Let us

    consider the case of a bank robbery. The first step is to gather information about

    the bank: its total transactions, the total amount of money that may be kept in the

    bank, who the manager is, whether the security guards are armed, and so on. This is

    similar to the reconnaissance phase of hacking.

    The next step is to find the ways through which we can enter the

    building: how many doors the building has, whether there is a lock on each door,

    etc. This is similar to the second stage, scanning, in which we check which hosts are

    present, which services are running, and so on.

    The third step is to enter the building, which is similar to gaining access.

    To enter a building we need keys; likewise, in the case of a network we need

    some IDs and passwords. Once we are inside the building our next aim is to make

    an easier way in for the next visit, which is analogous to the next step,

    maintaining access. In the hacking case we use Trojans, backdoors, worms etc., like

    placing a hidden door inside the building. The final step is to try to hide the fact

    that we entered the building, which is analogous to clearing tracks in the case of

    hacking.

    2.2 Methodology of Hacking

    As described above there are mainly five steps in hacking: reconnaissance,

    scanning, gaining access, maintaining access and clearing tracks. But that is not the end

    of the process. In practice hacking is cyclic: once the hacker has completed the five

    steps on one system, he begins reconnaissance again from that system and repeats the

    stages to get to the next level of the network.

    The various stages in the hacking methodology are

    Reconnaissance

    Scanning & Enumeration

    Gaining access

    Maintaining access

    Clearing tracks

    2.3 Reconnaissance

    The literal meaning of the word reconnaissance is a preliminary survey to

    gain information. This is also known as foot-printing. This is the first stage in the

    methodology of hacking. As given in the analogy, this is the stage in which the hacker

    collects information about the company he is going to attack. It is one of the

    pre-attack phases: reconnaissance refers to the preparatory phase in which an attacker

    learns about all of the possible attack vectors that can be used in his plan.

    In this pre-attack phase we gather as much information as possible from

    what is publicly available. The information includes domain names, locations,

    contact information etc. The basic objective of this phase is to make a

    methodical map of the target's security schema, which results in a unique

    organization profile with respect to the networks and systems involved. As we are dealing

    with the Internet we can find a lot of information here which the target never intended

    to put in public. There are many tools for this purpose, including Samspade,

    Email Tracker, Visual Route etc. The interesting thing to note is that even a

    simple Google search can be used as a footprinting tool.

    2.3.1 Google

    Google is one of the most famous search engines on the Internet. Using

    specialized search keywords we can find a great deal of information that has been

    put in public. For example, searching for a phrase like "for internal use only"

    together with the target's domain name may turn up useful documents. Even content

    the company has removed from its site sometimes survives in Google's cache.

    Sometimes even job advertisements on the Internet can be used in

    footprinting. For example, if a company is looking for professionals who are good

    with Oracle databases, it is telling the world that it is using the Oracle database

    in-house. This is helpful to the hacker, since he can now look for the

    vulnerabilities of that particular product.

    One of the main advantages of Google is its advanced search option. The

    advanced search has many options, like restricting the search to a particular domain,

    to documents published after a particular date, to files of a particular format, to

    particular languages, etc.

    2.3.2 Samspade

    Samspade is a simple tool which provides information about a particular

    host from public records such as WHOIS and DNS. It is very helpful in finding

    addresses, phone numbers etc.

    Fig 2.1 Samspade GUI

    Fig 2.1 above shows the GUI of the Samspade tool. In the text field in

    the top left corner of the window we just need to enter the address of the particular host.

    Then we can find out the various information available. The information given may be

    phone numbers, contact names, IP addresses, email ids, address ranges etc. We may

    wonder what the benefit of getting phone numbers, email ids and addresses is.

    But one of the best ways to get information about a company is simply to pick up the

    phone and ask for the details. Thus we get a lot of information in just one click.

    2.3.3 Email Tracker and Visual Route

    We often receive many spam messages in our mailbox, and we don't

    know where they come from. Email Tracker is a piece of software which helps us find

    which server a mail actually came from. Every message we receive has a

    header associated with it, and Email Tracker uses this header information to find the

    location.

    Fig 2.2 Email tracker GUI

    Fig 2.2 above shows the GUI of the Email Tracker software. One of the

    options in Email Tracker is to import the mail header. We just need to import the

    message's headers into it, and the software then finds which area the mail came from;

    that is, we get information like the region the message came from, such as Asia

    Pacific, Europe etc. To be more specific we can use another tool, Visual Route, to

    pinpoint the actual location of the server. An option to connect to Visual Route is

    available in Email Tracker. Visual Route is a tool which displays the location of a

    particular server with the help of its IP address. Connecting it to Email Tracker lets

    us find the server which actually sent the mail. We can also use it to find the location

    of a target's servers visually on a map.
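The header-based tracing described above, as an added example in Python that is not part of the original report and not code from the Email Tracker or Visual Route products. It parses the Received: lines of a constructed sample message (not a real one), lists the relay hops in delivery order, and picks the originating address the way a careful analyst would: trusting only the lines written by relays you operate yourself. The relay names, the addresses and the set of trusted relays are all assumptions made for the illustration; the map step (Visual Route) needs a network lookup and is left out.

```python
import email
import re

# Constructed sample (not a real message): a raw header block as the receiving server
# stores it. Every relay prepends its own Received: line, so the first line is the final
# hop into our mailbox and the last line is the hop closest to the sender.
SAMPLE_HEADERS = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.7])
\tby mail.example.com with ESMTP id abc123
\tfor <alice@example.com>; Mon, 1 Jan 2018 10:00:05 +0000
Received: from relay.example.org (relay.example.org [198.51.100.22])
\tby mx2.example.net with ESMTP; Mon, 1 Jan 2018 09:59:58 +0000
Received: from laptop.local ([192.0.2.45])
\tby relay.example.org with ESMTPA; Mon, 1 Jan 2018 09:59:50 +0000
From: "Bob" <bob@example.org>
To: alice@example.com
Subject: hello

body text
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_CLAUSE = re.compile(r"\bfrom\s+(\S+)")
BY_CLAUSE = re.compile(r"\bby\s+(\S+)")


def parse_received_chain(raw_message):
    """Return the relay hops as dicts, in delivery order (origin first, our server last)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())  # unfold the continuation lines into one string
        from_m = FROM_CLAUSE.search(line)
        by_m = BY_CLAUSE.search(line)
        ip_m = IPV4.search(line)
        hops.append({
            # name announced by the connecting client in HELO/EHLO: it can say anything
            "from": from_m.group(1) if from_m else None,
            # address the relay actually saw on the TCP connection: the useful evidence
            "ip": ip_m.group(1) if ip_m else None,
            # the relay that wrote this line
            "by": by_m.group(1) if by_m else None,
            "date": line.rsplit(";", 1)[1].strip() if ";" in line else None,
        })
    hops.reverse()
    return hops


def origin_ip(raw_message, trusted_relays):
    """Walk back from our own server and stop at the first relay we do not operate.
    Received: lines below that point were already in the message when it reached us,
    so the sender could have forged them; the IP recorded by the last trusted relay is
    the best evidence of where the message entered the mail system."""
    origin = None
    for hop in reversed(parse_received_chain(raw_message)):  # final hop first
        if hop["by"] not in trusted_relays:
            break
        origin = hop["ip"]
    return origin


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_HEADERS):
        print(f"{hop['ip'] or '?':>15}  {hop['from'] or '?':<20} -> {hop['by'] or '?':<20} {hop['date']}")
    print("origin:", origin_ip(SAMPLE_HEADERS, {"mail.example.com", "mx2.example.net"}))
```

With only our own two servers in the trusted set the function reports 198.51.100.22, the address of the first outside relay as seen by our server, not the 192.0.2.45 that the bottom line claims; that bottom line is exactly the one a spammer can write himself. A tool that blindly geolocates the lowest Received: line is therefore easy to mislead.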


    Fig 2.3 Visual route GUI

    Fig 2.3 above depicts the GUI of the Visual Route tool. The Visual Route

    GUI has a world map drawn on it, and the software locates the position of the server

    on that map. It also depicts the path through which the message came to our

    system; that is, it provides information about the routers along the path traced by

    the mail from the source to the destination.

    We may wonder what the use of finding the place the message

    came from is. Suppose you obtain the email address of an employee of the target

    company and mail him claiming to be an old friend. He may well reply saying that he

    does not know you. Running Email Tracker and Visual Route on that reply may then

    show that he is not working from the office. From that you learn that the company

    has home users, and home users are not protected the way employees working from

    the office are. This is a weak point a hacker can use to get into the system.

    2.4 Scanning & Enumeration

    Scanning is the second phase in the hacking methodology, in which the hacker

    tries to make a blueprint of the target network. It is similar to a thief going through

    your neighborhood and checking every door and window on each house to see which

    ones are open and which ones are locked. The blueprint includes the IP addresses in

    the target network which are live, the services running on those systems, and

    so on. Services usually run on well-known ports; a web server, for example, normally

    listens on port 80. So if port 80 is open on a particular system we can infer that the

    target's web server is probably running on that host (probably, not certainly: any

    service can be bound to any port, so banner grabbing is needed to confirm it).

    Different tools are used for scanning. War dialing and pingers were used earlier,

    but nowadays both are easily detected and hence are not much used. Modern

    port scanners work at the TCP (and UDP) level and can even detect the

    operating system running on a particular host.

    2.4.1 War Dialing

    War dialers are an older kind of hacking tool, now easy to detect and, in many

    places, illegal to use. War dialing is the practice of dialing all the phone numbers in a

    range in order to find those that answer with a modem. Earlier, companies used dial-in

    modems through which their employees could dial into the network; just a phone

    number was enough to reach them. War dialing software makes use of this weakness. A

    war dialer is a computer program used to identify the phone numbers that can

    successfully make a connection with a computer modem. The program automatically

    dials a defined range of phone numbers and logs in a database those numbers that

    successfully connect to a modem. Some programs can also identify the particular

    operating system running on the computer and may even conduct automated

    penetration testing: in such cases the war dialer runs through a predetermined list of

    common user names and passwords in an attempt to gain access to the system.

    2.4.2 Pingers

    Pingers are yet another category of scanning tool, which make use of

    Internet Control Message Protocol (ICMP) packets for scanning. ICMP echo is

    used to find out whether a particular system is alive or not. Using this principle a pinger

    sends ICMP echo requests to every host in a given range; if an echo reply comes

    back we know that the host is live. Pingers are automated programs which send the

    ICMP packets to the different machines and check their responses. But most

    firewalls today block ICMP, so a missing reply no longer proves a host is down, and

    ping sweeps are of little use on their own.

    2.4.3 Port Scanning

    A port scan is a method used by hackers to determine which ports are open or in

    use on a system or network. Using various tools a hacker can send data to TCP or

    UDP ports one at a time. Based on the response received, the port scan utility can

    determine whether that port is in use. Using this information the hacker can then focus

    the attack on the ports that are open and try to exploit any weaknesses to gain access.

    Port scanning software, in its most basic form, simply sends a request to connect to

    the target computer on each port in turn and makes a note of which ports responded

    or seem open to more in-depth probing. Network security applications can be

    configured to alert administrators if they detect connection requests across a broad

    range of ports from a single host. To get around this, the intruder can do the port scan

    in strobe or stealth mode. Strobing limits the scan to a small set of target ports rather

    than blanket-scanning all 65,536. Stealth scanning uses techniques such as slowing

    the scan down: by spreading the probes over a much longer period of time the intruder

    reduces the chance that the target will trigger an alert.
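The basic connect scan and the alerting rule described above, as an added example in Python that is not taken from the report or from any of the scanners it names. It starts a throwaway listener on the loopback interface as the target (constructed, so it runs offline), performs a plain TCP connect() scan with an optional delay between probes, and then runs a simple defender-side rule over a probe log: flag any source that reaches more than a threshold of distinct ports on one destination within a time window. The window and threshold values, and the log tuples in the usage, are assumptions chosen for the illustration.

```python
import socket
import threading
import time
from collections import defaultdict


def start_listener():
    """Open a throwaway TCP listener on an ephemeral loopback port: the constructed 'open' target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener was closed
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """Pick a loopback port with nothing listening on it (bind, read the number, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=0.5, delay=0.0, log=None):
    """Plain TCP connect() scan. A completed handshake means open, an immediate RST means
    closed, and no answer before `timeout` means filtered (a firewall dropping the SYN, or a
    slow host). `delay` seconds between probes is the 'slow the scan down' evasion from the
    text. If `log` is given, every probe is appended as (timestamp, src, dst, port), the way
    a firewall would record it."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:  # socket.timeout and other failures
            results[port] = "filtered"
        finally:
            s.close()
        if log is not None:
            log.append((time.time(), "127.0.0.1", host, port))
        if delay:
            time.sleep(delay)
    return results


def detect_port_sweeps(log, window=10.0, threshold=20):
    """Defender-side rule: flag any (src, dst) pair whose probes reach more than `threshold`
    distinct ports within any `window`-second span. A blanket scan trips it; the same probes
    spread over hours, or a 'strobe' of a few chosen ports, stay under the threshold."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in log:
        by_pair[(src, dst)].append((ts, port))
    flagged = []
    for pair, probes in by_pair.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):
            ports_in_window = {p for t, p in probes[i:] if t - t0 <= window}
            if len(ports_in_window) > threshold:
                flagged.append(pair)
                break
    return sorted(flagged)


if __name__ == "__main__":
    srv, open_port = start_listener()
    probe_log = []
    targets = [open_port] + [free_port() for _ in range(5)]
    print(connect_scan("127.0.0.1", targets, log=probe_log))
    srv.close()
    print("flagged:", detect_port_sweeps(probe_log, threshold=3))
```

A connect() scan completes the full three-way handshake, so the target application sees and may log an accepted connection; that is why SYN scans, which abort after the SYN/ACK, are called stealth scans. The detection rule is deliberately naive: it counts distinct ports per source in a window, so an attacker who spaces probes further apart than the window, or who only strobes a handful of ports, never crosses the threshold, which is exactly the evasion the text describes.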

    2.4.4 Super Scan

    SuperScan is a powerful TCP port scanner that includes a variety of additional

    networking tools like ping, traceroute, HTTP HEAD, WHOIS and more. It uses

    multi-threaded and asynchronous techniques, resulting in extremely fast and versatile

    scanning. You can perform ping scans and port scans over any IP range, or specify a

    text file to extract addresses from. Other features include TCP SYN scanning, UDP

    scanning, HTML reports, a built-in port description database, Windows host

    enumeration, banner grabbing and more.

    Fig 2.4 Superscan GUI

    Fig 2.4 shows the GUI of SuperScan. In it we can scan either a

    particular host or a range of IP addresses. As output the software reports

    the host addresses which are up. Another option, port list setup, selects the set of

    ports to probe, and the results show which services are running on the different hosts.

2.4.5 Nmap

Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Fig 2.5 shows the GUI of Nmap.

Fig 2.5 Nmap GUI

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters or firewalls are in use, and dozens of other characteristics. It can even identify the versions of those services. It was designed to rapidly scan large networks, but works fine against single hosts. We also have the option of different types of scan, such as SYN scan, stealth scan, SYN stealth scan and so on, and we can even control the timing of the scan across the different ports. Using this software we just need to specify the host address ranges and the type of scan to be conducted. As output we get the hosts which are live, the services which are running and so on. It can even detect the version of the operating system, making use of the fact that different operating systems react differently to the same packets because they use their own protocol stacks.

2.4.6 Enumeration

Enumeration is the ability of a hacker to convince servers to give out information that is vital for mounting an attack. By doing this the hacker aims to find what resources and shares are present on the system, what valid user accounts and user groups exist in the network, what applications are installed, and so on. Hackers may also use it to find other hosts in the network.

A common type of enumeration makes use of null sessions. Many of the Windows operating systems allow null sessions, through which a hacker can log on. A null session is a connection that uses no user name and password; that is, a null session is created by leaving the user name and password empty. Once logged in, the hacker starts enumeration by issuing queries to find the list of users and groups, local or Active Directory, including their SIDs, the list of hosts, the list of shares or processes, and so on. One tool used after logging in through a null session is NBTscan, which lets the hacker scan the network and obtain user names, resource shares and the like. Other tools are NAT (NetBIOS Auditing Tool), DumpSec and so on.

Another way of enumerating is enumeration of SNMP (Simple Network Management Protocol). Using this protocol the managing entities send messages to the managed entities. To enumerate SNMP the hacker sniffs the network to collect the various pieces of information. SNMP versions before 3 send their data in plain text, so it is very easy to read; from SNMP version 3 the data is encrypted before it is sent. Even so, these protocols can still be enumerated to obtain information. Some of the tools used for this are SNMPutil, IP Network Browser and others.

2.5 System Hacking

This is the actual hacking phase, in which the hacker gains access to the system. The hacker makes use of all the information collected in the pre-attack phases. Usually the main hindrance to gaining access to a system is the passwords. System hacking can be considered as a sequence of steps. First the hacker tries to get into the system. Once inside, the next thing he wants is to increase his privileges so that he has more control over the system: as a normal user the hacker may not be able to see confidential details, or may be unable to upload or run the different hacking tools that serve his own interests. Another way to break into a system is through attacks like the man in the middle attack.

2.5.1 Password Cracking

There are many methods for cracking the password and getting into the system. The simplest method is to guess the password, but this is tedious work. To make it easier there are many automated tools for password guessing, such as Legion. Legion has an inbuilt dictionary and runs automatically: the software itself generates passwords from the dictionary and checks the responses.

Many types of password cracking strategies are used today by hackers; they are described below.

Dictionary cracking

In this type of cracking there is a list of various words, such as the person's children's names, birthday and so on. The automated software then uses these words to make different combinations and tries them against the system automatically.

Brute force cracking

This is another type of password cracking, one which does not use a list of pre-compiled words. In this method the software automatically generates all combinations of different letters, special characters, symbols and so on and tries them in turn. This process is of course very tedious and time consuming.

Hybrid cracking

This is a combination of the dictionary and brute force techniques. It first tries the combinations of words in its inbuilt dictionary and, if all of them fail, falls back to brute force.

Social Engineering

The best and most common method used to crack a password is social engineering. In this technique the hacker comes into direct contact with the user, through a phone call or some other way, and directly asks for the password by some kind of fraud.

2.5.2 L0phtCrack

This is a program from @stake which is basically a password audit tool. It uses the various password cracking methodologies. L0phtCrack helps administrators find out whether their users are using easy passwords. It is very high profile software, which uses dictionary cracking and then brute force cracking; sometimes it uses precompiled hashes, called rainbow tables, to crack the passwords.

Fig 2.6 L0phtCrack GUI

Fig 2.6 above shows the GUI of L0phtCrack. Usually in Windows the passwords are stored in the SAM file in the config directory of system32. This file is protected by the operating system; that is, we cannot access it while the operating system is running. But with L0phtCrack we just need to run a wizard to get the details of the passwords stored in the SAM file. As seen from the figure, the software used a dictionary of 29156 words in this case. It also has options to use brute force and pre-compiled hashes.
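The three strategies of section 2.5.1 (dictionary, brute force, hybrid) and the audit purpose of a tool like L0phtCrack can be illustrated with a small password audit that reports which strategy would find a given password first and how large the brute-force search space is. This is an added example, not L0phtCrack's code or anything from the report; the word list, the substitution rules, the suffix limit and the guess rate are constructed assumptions, and the audit works on the plaintext passwords a policy check would see rather than on hashes.

```python
import string

# Constructed mini-dictionary standing in for the word lists that audit tools ship with.
DICTIONARY = {"password", "summer", "welcome", "letmein", "cochin", "admin", "monkey"}

# Assumed offline guessing rate (guesses per second) for the brute-force estimate.
GUESS_RATE = 1e9

# Common letter-for-symbol substitutions that are undone before the dictionary lookup.
LEET = str.maketrans("@0314$", "aoeias")


def dictionary_hit(password):
    """Plain dictionary attack: the password is itself a word from the list."""
    return password.lower() in DICTIONARY


def hybrid_hit(password, max_suffix=4):
    """Hybrid attack: a dictionary word with up to `max_suffix` trailing digits or symbols
    and/or the usual substitutions, e.g. 'Summer2008' or 'P@ssw0rd!'."""
    p = password.lower()
    for cut in range(0, min(max_suffix, len(p) - 1) + 1):
        stem, suffix = p[:len(p) - cut], p[len(p) - cut:]
        if suffix and not all(c in string.digits + string.punctuation for c in suffix):
            continue
        if stem in DICTIONARY or stem.translate(LEET) in DICTIONARY:
            return True
    return False


def charset_size(password):
    """Size of the smallest standard character classes that cover the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_seconds(password):
    """Worst-case seconds to try every string up to this length over those classes."""
    n = charset_size(password)
    total = sum(n ** k for k in range(1, len(password) + 1))
    return total / GUESS_RATE


def audit(password):
    """(strategy that finds it first, brute-force worst case in seconds)."""
    if dictionary_hit(password):
        return "dictionary", 0.0
    if hybrid_hit(password):
        return "hybrid", 0.0
    return "brute-force", brute_force_seconds(password)


if __name__ == "__main__":
    for pw in ("welcome", "Summer2008", "P@ssw0rd!", "abc123", "xk7$Qz!9pL"):
        print(pw, audit(pw))
```

Run as a script, this shows the point the report makes in its conclusion about longer and harder passwords: a six-character lowercase-plus-digits password falls to brute force in seconds at the assumed rate, a ten-character mixed one takes on the order of a thousand years, and a dictionary word with a year appended falls instantly no matter how long it is.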

2.5.3 Privilege escalation

Privilege escalation is the process of raising one's privileges once the hacker has got into the system. That is, the hacker may get in as an ordinary user and then tries to raise his privileges to those of an administrator, who can do many more things. There are many types of tools available for this. Some tools, like getadmin, attach the user to a kernel routine so that the services run by the user look like system routines rather than user-initiated programs. The privilege escalation process usually uses vulnerabilities present in the host operating system or in other software. There are many tools, such as hk.exe, Metasploit and others. One such community of hackers is Metasploit.

2.5.4 Metasploit

Metasploit is actually a community which provides an online list of vulnerabilities. The hacker can directly download the exploits for these vulnerabilities and use them against the target system for privilege escalation and other attacks. Metasploit is a command line tool and is very dangerous, as a whole community of black hat hackers contribute their own findings about vulnerabilities in different products.

2.5.5 Man in the Middle Attack

In this type of system hacking we do not actually crack the password; instead, all the traffic between a host and a client is made to pass through the hacker's system so that he can directly read the passwords and other details. In the man in the middle attack the hacker tells the client that he is the server and tells the server that he is the client. Now the client sends its packets to the hacker, thinking that he is the server, and the hacker, instead of replying, forwards a copy of the actual request to the real server. The server then replies to the hacker, who forwards a copy of the reply to the actual client. The client now thinks it got the reply from the server, and the server thinks it replied to the actual client. But the hacker, the man in the middle, also has a copy of the whole traffic, from which he can directly pick out the needed data or the password and use it to break in.
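The relay described above can be modelled with three in-memory parties, which also makes the defence concrete: the man in the middle keeps a copy of everything, so what matters is what that copy contains. This added example is not from the report. It runs one login through a relay twice, once in plain text and once with the client and server sharing a key the relay does not hold; the password, the key, the message format and the toy SHA-256 stream cipher with an HMAC tag are all constructed stand-ins for what TLS provides in practice.

```python
import hashlib
import hmac
import os


class Server:
    """The real server. With shared_key set it expects sealed messages (see seal/open_sealed)."""

    def __init__(self, password, shared_key=None):
        self.password = password
        self.shared_key = shared_key

    def handle(self, msg):
        if self.shared_key is not None:
            msg = open_sealed(self.shared_key, msg)
        return b"OK" if msg == b"LOGIN " + self.password else b"DENIED"


class Relay:
    """The man in the middle: passes every message on unchanged and keeps a copy of it all."""

    def __init__(self, server):
        self.server = server
        self.captured = []

    def handle(self, msg):
        self.captured.append(msg)
        reply = self.server.handle(msg)
        self.captured.append(reply)
        return reply


def _keystream(key, nonce, length):
    """Toy keystream from SHA-256(key || nonce || counter); a stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag. Only a key holder can read or forge it."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: modified in transit or sealed under another key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def client_login(channel, password, shared_key=None):
    msg = b"LOGIN " + password
    if shared_key is not None:
        msg = seal(shared_key, msg)
    return channel.handle(msg)


def run_login(shared_key=None):
    """Run one login through the relay: (server reply, did the relay's copy contain the password?)."""
    password = b"hunter2"  # constructed credential
    relay = Relay(Server(password, shared_key))
    reply = client_login(relay, password, shared_key)
    leaked = any(password in copy for copy in relay.captured)
    return reply, leaked


def tamper_detected(key=b"\x01" * 32):
    """A relay that changes even one ciphertext bit is caught by the tag check."""
    blob = seal(key, b"LOGIN hunter2")
    flipped = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]
    try:
        open_sealed(key, flipped)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("plaintext:", run_login())                 # reply OK, password leaked
    print("sealed:   ", run_login(os.urandom(32)))  # reply OK, nothing useful captured
    print("tamper detected:", tamper_detected())
```

The encryption stops the relay reading the copy and the tag stops it altering messages unnoticed, but neither helps if the relay can also impersonate the server at the moment the key is agreed; that is why in practice the key comes from a TLS handshake in which the client verifies the server's certificate.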

2.6 Maintaining Access

Now the hacker is inside the system by some means, by password guessing or by exploiting some of its vulnerabilities. This means that he is now in a position to upload some files and download others. The next aim is to make an easier path to get in the next time he comes. This is analogous to making a small hidden door in a building so that he can directly enter the building through that door. In the network scenario the hacker does this by uploading software like Trojan horses, sniffers, keystroke loggers and so on.

2.6.1 Keystroke Loggers

Keystroke loggers are tools which record every movement of the keys on the keyboard. There are both software and hardware keystroke loggers, which record the key movements directly. For maintaining access and privilege escalation the hacker, who is now inside the target network, uploads keystroke logging software into the system.

The software keystroke logger sits as a middle man between the keyboard driver and the CPU. That is, all the keystroke details come directly to the software, which keeps a copy of them in a log and then forwards them to the CPU.

2.6.2 Trojan Horses & Backdoors

A Trojan horse is a destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer. The term comes from a Greek story of the Trojan War, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy. Generally a Trojan is malware that runs programs you are either unaware of or do not want running on your system.

The hacker places these Trojan programs inside the network and goes out. When he comes back some time later, the Trojan either authenticates the hacker as a valid user or opens some other ports for the hacker to get in. There are many genres of Trojans, such as:

Password sending/capturing Trojans
FTP Trojans
Keystroke capture Trojans
Remote access Trojans
Destructive Trojans
Denial of Service Trojans
Proxy Trojans

Trojans can be introduced through chat clients, email attachments, physical access to systems, file sharing, wrappers and other P2P software.

There are many examples of Trojans, such as Tini, netcat, SubSeven, Back Orifice and others. Tini is a very tiny Trojan which just listens on port 7777, so after introducing Tini the hacker can send his commands to that port number. Netcat is another Trojan which has the ability to connect to any local port and can start outbound or inbound TCP or UDP connections to or from any port. It can even return a command shell to the hacker, through which the hacker can access the system. SubSeven and Back Orifice are other Trojans which have a client-server architecture, which means that the server part resides in the target and the hacker can directly access the server without the knowledge of the user.
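Since the backdoors above work by listening on a port (Tini on 7777, netcat on whatever port it is told), a basic defensive check is to compare the sockets a host is actually listening on against a baseline of what it is supposed to run. The following is an added example, not from the report: the listener table is constructed in the style of Linux `ss -ltn` output, and the baseline of expected ports and bind addresses is an assumption for an imaginary host.

```python
import re

# Constructed listener table in the style of `ss -ltn` (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:5432         0.0.0.0:*
LISTEN  0       511     *:443                *:*
LISTEN  0       5       0.0.0.0:7777         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Assumed baseline for this host: port -> (purpose, bind addresses it is allowed to use).
# A port missing from the baseline, or bound more widely than allowed, is reported.
BASELINE = {
    22: ("ssh", {"0.0.0.0", "[::]", "*"}),
    443: ("https", {"0.0.0.0", "[::]", "*"}),
    5432: ("postgres, loopback only", {"127.0.0.1", "[::1]"}),
}

ROW_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def parse_listeners(text):
    """Return [(bind address, port)] for every LISTEN row; the header and other rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m["addr"], int(m["port"])))
    return rows


def unexpected_listeners(listeners, baseline):
    """Report listeners that are not in the baseline or are bound to an address not allowed for them."""
    findings = []
    for addr, port in listeners:
        if port not in baseline:
            findings.append((addr, port, "not in baseline"))
        elif addr not in baseline[port][1]:
            findings.append((addr, port, "unexpected bind address for " + baseline[port][0]))
    return findings


if __name__ == "__main__":
    for finding in unexpected_listeners(parse_listeners(SAMPLE_SS), BASELINE):
        print(finding)
```

On the sample this reports the unknown listener on 7777 and a database that should only be reachable locally but is bound to every interface; a real deployment would run the same comparison on a schedule and alert on any new finding.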

2.6.3 Wrappers

In the maintaining access phase of hacking we usually upload some software into the system for various needs. In order to keep this software and other data hidden from the administrator and other ordinary users, hackers usually use wrapper software to wrap their contents into pictures, greeting cards and so on, so that they look like ordinary data to the administrators. What the wrapper software actually does is place the malicious data into the white spaces of the harmless data.

There are tools like BlindSide which insert data into, and extract it from, JPEG or BMP pictures. What they actually do is insert the data into the white spaces that may be present in the file. The most attractive thing is that most of the time they do not alter the size of the file.

2.6.4 EliteWrap

This is a very notorious wrapper program. EliteWrap is a command line tool which wraps one or more Trojans into a normal file. After processing, the product looks like one program while it actually contains several. The speciality of this tool is that the Trojans packed into it can even be made to execute when the user opens that file. For example, consider the case in which the netcat Trojan is packed into a flash greeting card. Now, when the user opens the card, netcat starts working in the background and begins listening on some port, which is then exploited by the hackers.
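Sections 2.6.3 and 2.6.4 describe two ways of hiding a payload in an innocent-looking file: wrapping it onto the end of a carrier, and tucking it into the file's unused "white space" without changing the size. Both leave something an administrator can check for. The following added example (not BlindSide or EliteWrap code, and not from the report) builds a minimal BMP and a JPEG skeleton as constructed samples and then runs two checks over them: bytes present after the point where the image format says the file ends, and non-zero bytes in the BMP row padding that image writers normally leave as zeros.

```python
import struct


def make_bmp(width=2, height=2):
    """Constructed sample: a minimal uncompressed 24-bit BMP; each pixel row is padded to 4 bytes."""
    row = width * 3
    padded = (row + 3) // 4 * 4
    pixel_data = (b"\xff\x00\x00" * width + b"\x00" * (padded - row)) * height
    file_size = 14 + 40 + len(pixel_data)
    file_header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixel_data), 2835, 2835, 0, 0)
    return file_header + dib_header + pixel_data


SAMPLE_BMP = make_bmp()

# Constructed JPEG skeleton: SOI marker, a JFIF APP0 segment, EOI marker. Enough for the marker logic.
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xd9")

# Constructed: the same BMP with its four row-padding bytes overwritten. The file size is
# unchanged, as the report notes for such tools, but the padding is no longer zero.
_stuffed = bytearray(SAMPLE_BMP)
for _off in (60, 61, 68, 69):
    _stuffed[_off] = 0x41
SAMPLE_BMP_STUFFED = bytes(_stuffed)


def trailing_bytes(data):
    """(format, bytes after the declared end of image). A BMP declares its own file size in
    the header; a JPEG ends at the first EOI marker (FF D9). Appended payloads show up as a
    positive count; -1 means the JPEG has no EOI at all."""
    if data[:2] == b"BM" and len(data) >= 6:
        declared = struct.unpack_from("<I", data, 2)[0]
        return "bmp", len(data) - declared
    if data[:2] == b"\xff\xd8":
        eoi = data.find(b"\xff\xd9")
        return "jpeg", -1 if eoi == -1 else len(data) - (eoi + 2)
    return None, 0


def nonzero_bmp_padding(data):
    """Count non-zero bytes in the per-row padding of an uncompressed BMP."""
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    row = (width * bpp + 7) // 8
    padded = (row + 3) // 4 * 4
    hits = 0
    for r in range(abs(height)):
        start = pixel_offset + r * padded + row
        hits += sum(1 for b in data[start:start + padded - row] if b)
    return hits


def inspect_image(data):
    fmt, extra = trailing_bytes(data)
    report = {"format": fmt, "trailing_bytes": extra, "nonzero_padding": 0}
    if fmt == "bmp":
        report["nonzero_padding"] = nonzero_bmp_padding(data)
    return report


if __name__ == "__main__":
    print(inspect_image(SAMPLE_BMP))
    print(inspect_image(SAMPLE_BMP + b"hidden payload"))
    print(inspect_image(SAMPLE_BMP_STUFFED))
    print(inspect_image(SAMPLE_JPEG + b"hidden payload"))
```

The two checks are deliberately cheap so they can run over every image in a file share; neither proves a payload is present, but a picture with kilobytes after its EOI marker, or with padding that is not all zeros, is worth a closer look.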

2.7 Clearing Tracks

Now we come to the final step in hacking. There is a saying that everybody knows a good hacker but nobody knows a great hacker. This means that a good hacker can always clear the tracks, or any record that may be present in the network, proving that he was there. Whenever a hacker downloads a file or installs some software, a record of it is stored in the server logs. So in order to erase those, the hacker uses many tools.

One such tool is the Windows resource kit's auditpol.exe. This is a command line tool with which the intruder can easily disable auditing. There are other tools like elsave which directly clear all the event logs that would tell the administrator that an intruder has come in. Another tool which eliminates any physical evidence is Evidence Eliminator. Sometimes, apart from the server logs, other information may be stored temporarily; Evidence Eliminator deletes all such evidence.

2.7.1 WinZapper

This is another tool used for clearing tracks. It makes a copy of the log and allows the hacker to edit it. Using this tool the hacker just needs to select the log entries to be deleted; after the server is rebooted, those entries are gone.
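Each of the track-clearing actions in sections 2.7 and 2.7.1 leaves its own trace on a Windows host, which is what a defender watches for: turning auditing off with auditpol is itself recorded as Security event 4719 (system audit policy changed), wiping the log with a tool like elsave produces event 1102 (the audit log was cleared), and deleting selected entries in the WinZapper style leaves holes in the otherwise consecutive record numbers. The following is an added example, not from the report: the CSV export is constructed, the event IDs are the real Windows Security IDs just named, and the record-gap check is a heuristic assumption rather than a Windows feature.

```python
import csv
import io

# Constructed export of a Windows Security event log (not a real log).
# Columns: RecordId,TimeCreated,EventId,Message
SAMPLE_EVENTS = """\
RecordId,TimeCreated,EventId,Message
1001,2024-01-01T09:00:00,4624,An account was successfully logged on
1002,2024-01-01T09:00:05,4672,Special privileges assigned to new logon
1003,2024-01-01T09:01:00,4688,A new process has been created
1006,2024-01-01T09:02:00,4688,A new process has been created
1007,2024-01-01T09:03:00,4719,System audit policy was changed
1008,2024-01-01T09:03:30,1102,The audit log was cleared
"""

# Security event IDs that directly signal the track-clearing actions described in the report.
TRACK_CLEARING_IDS = {1102: "audit log cleared", 4719: "audit policy changed"}


def parse_events(text):
    """Return [(record id, time, event id, message)] from the CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return [(int(r["RecordId"]), r["TimeCreated"], int(r["EventId"]), r["Message"]) for r in reader]


def find_track_clearing(events):
    """Alerts for (a) the event IDs above and (b) gaps in the record-id sequence, which is
    what selective deletion of entries leaves behind. The gap check is a heuristic: log
    rotation or archiving can produce gaps too, so treat it as a prompt to investigate."""
    alerts = []
    prev = None
    for rec, ts, eid, _msg in sorted(events):
        if prev is not None and rec != prev + 1:
            alerts.append((rec, ts, "%d record(s) missing before this entry" % (rec - prev - 1)))
        if eid in TRACK_CLEARING_IDS:
            alerts.append((rec, ts, TRACK_CLEARING_IDS[eid]))
        prev = rec
    return alerts


if __name__ == "__main__":
    for alert in find_track_clearing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The practical lesson behind the check is that logs which only live on the compromised host can always be edited by whoever controls it; forwarding events to a separate log server as they occur means the 4719 and 1102 events, and the entries deleted afterwards, still exist somewhere the intruder cannot reach.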

3. CONCLUSION

One of the main aims of the seminar is to make others understand that there are so many tools through which a hacker can get into a system. There are many reasons why everybody should understand these basics. Let us look at the need for this from various perspectives.

Students

A student should understand that no software is made with zero vulnerabilities. So while they are studying they should study the various possibilities and how to prevent them, because they are the professionals of tomorrow.

Professionals

Professionals should understand that business is directly related to security. So they should make new software with as few vulnerabilities as possible. If they are not aware of these matters they will not be cautious enough about security.

Users

Software is meant for the use of its users. Even if the software makers build the software with strong security options, without the help of the users it can never be successful. It is like a highly secured building with all its doors carelessly left open by the insiders. So users must also be aware of these possibilities of hacking so that they can be more cautious in their activities.

In the preceding sections we saw the methodology of hacking, why we should be aware of hacking, and some tools which a hacker may use. Now we can see what we can do against hacking, or to protect ourselves from it.

The first thing we should do is to keep ourselves updated about the software we are using, from official and reliable sources.
Educate the employees and the users about black hat hacking.
Use every possible security measure, such as honey pots, intrusion detection systems, firewalls and so on.
Always make our passwords strong, making them harder and longer to crack.
The final and foremost thing should be to try ETHICAL HACKING at regular intervals.
