Ethical Hacking and Computer Securities For Beginners

Foreword

This book is written based on practical usage and research on computer security and networks. Basically everyone has strong concerns about the security of computer networks, since a breach can sabotage the business and its operations. It is worse if the entire business runs on a website or through a web hosting company.

This book covers a practical approach to software tools for ethical hacking. Some of the tool categories covered are SQL injection, password cracking, port scanning and packet sniffing. Performing ethical hacking requires certain steps and procedures to be followed properly. A good ethical hacker will find information, identify weaknesses and finally perform some attacks on the target machine. The most crucial part is then to produce a good security audit report so that clients understand the condition of their computer network.

This book also explains and demonstrates, step by step, most of the software security tools for beginners in the computer security field. Some of the tools have been selected and used in computer security trainings and workshops.

  About The Author

Mr Elaiya Iswera Lallan has been in the IT industry for the past 12 years. He is the Managing Director of Blue Micro Solutions, which is based in SIRIM Bhd (a government agency).

Mr Lallan has extensive experience in the IT industry. He has received an award as a Federal Territory Entrepreneur. After obtaining his Bachelor's Degree in Computers and Electronics Engineering from Kolej Bandar Utama (twinning program with the University of Nottingham) in 2001, he joined the company MIR as an Information Technology Consultant.

He was performing computer programming tasks, and then joined a new company called Neural Manufacturing Sdn Bhd as a software engineer. He had his best experiences here when he was creating software technologies for the company's flagship product e-Jari, a biometric security device. He created an enterprise time attendance system for this device that can be used by other companies ranging from SMEs to government offices. Some of the companies using this time attendance system are Pejabat Tanah & Galian in Kuala Lumpur, Koperasi Malaysia, Bernama and ITIS. He also created a Guard Patrol and Intruder Detection System using the e-Jari, and was involved in the ISO9000:2001 certification for the company. With his extensive working experience and good track

2010. With this Mr Lallan moved Blue Micro Solutions' operations into the SIRIM building. He obtained certification from the Ministry of Finance in Malaysia in the software field, allowing him to participate in tenders for government IT projects. He also started employing staff for IT projects and ventured into IT training for private corporations, government institutions and polytechnics, such as SKALI Bhd, Kolej Komuniti in Klang, Politeknik Ungku Omar in Ipoh and Politeknik Kuching in Sarawak. He made Blue Micro Solutions a certified Human Resource Development Funds (HRDF) training provider for companies in Malaysia. With his proven track record in both the industrial and educational sides of IT, Mr Lallan was recently awarded a collaboration with Open University Malaysia (OUM) to offer an affordable IT degree program to the public. Currently Mr Lallan is pursuing MSC status for his company Blue Micro Solutions.

With his company Blue Micro Solutions growing in the right direction, Mr Lallan began to explore opportunities to grow his business overseas as well. Venturing into Canada, he successfully opened a branch called Blue Micro Canada Incorporated. He also registered the company with the Canadian government in Toronto, whereby he received invitations to participate in government tenders for IT projects. He also saw the opportunity to conduct IT training over the internet through webinars. He obtained a license from Adobe USA to use its Adobe Connect tool to conduct webinars in Canada and the United States of America.

  1.0 What is Ethical Hacking?

Ethical hacking is the act of performing and testing security on IT infrastructure with proper authorization from the company or organization. A person performing ethical hacking is known as an ethical hacker or computer security expert. An ethical hacker uses the latest hacking tools and social engineering techniques to identify vulnerabilities in the IT infrastructure.

Overall, ethical hacking provides a risk assessment of the security of a company's or organization's IT infrastructure and information systems. This risk assessment shows to what extent the security could be exploited by a hacker.

On the other hand, a hacker is a person who breaks into IT infrastructure or computer networks without any authorization. Hackers mostly hack for profit or are motivated by the challenge. Such exploitation can cause financial loss, legal consequences and loss of trust in the organization.

1.1 Why is IT Security so Important?

Nowadays all companies and organizations use and depend on IT infrastructure, computer networks and computer systems to operate their core businesses. Most companies store their client information in database systems on a server. A good hacker will easily break into the customer database if weak passwords are used on the server. This will definitely cause heavy financial losses to the company. Mostly these hacking incidents are not reported in the media in detail because that would spoil the company's reputation. Moreover, shopping and bill payments are performed online these days, so clients' credit card information must be protected at all costs. One of the most famous methods of gaining clients' credit card information is spoofing. The objective of spoofing is to fool users into thinking that they are connected to a trusted website.

Most attacks are carried out using email these days. A good example would be the LoveLetter worm attacks of the year 2000. Millions of computers were attacked and had changes made to the users' systems. The LoveLetter worm was received as an email attachment.

IT security is crucial to organizations and to individual computer users. Individual computer users must make sure they have installed the latest antivirus and antispyware software on their computers. Companies must ensure they have engaged a computer security expert or consultant to look into their computer network security issues.

1.2 Ethical Hacking Procedures and Strategies

The first step in performing ethical hacking is to understand a hacker's process. There are basically 5 main steps in the hacking process:

Step 1 : Gaining targeted information

Step 2 : Probing vulnerabilities for exploitation

Step 3 : Gaining access to the targeted system

Step 4 : Maintaining access on the targeted system

Step 5 : Covering the tracks on the targeted system

The targeted system mostly refers to the machine to be hacked. It can be a server, a computer or any electronic device. The hacker will perform the 5 steps mentioned above to gain control, steal information or stop the machine's services. Each of the steps above may take a few months to achieve the desired goal. An ethical hacker will perform the same steps to further understand the weaknesses of the targeted system. Once the weaknesses are identified, the ethical hacker will take countermeasures to prevent further exploitation of the targeted system.

2.0 Finding Information

In this process, the hacker gathers as much information as possible about the target system before launching an attack. This allows the hacker to learn about the system and plan his or her attacks. Basically there are 2 ways of gaining information:

  1. Passive Methods of gaining information on the targeted system

2. Active Methods of gaining information on the targeted system

Passive methods involve acquiring information without direct interaction with the targeted system. A few of the passive methods are acquiring publicly available information, social engineering and dumpster diving.

  

Dumpster diving is the process of looking through an organization's trash for discarded information. Social engineering is another process: making friends with or smooth-talking staff in the organization so that they reveal server passwords, security codes and so on. Active methods, by contrast, use tools to detect open ports, the type of operating system installed on the target system, and the purpose of the applications and services available on the targeted system. Social engineering is the most deadly and effective way of gaining information on a targeted system. Former employees who dislike the company management are a potential social engineering threat.

2.1 Software Tools for Gaining Targeted Information

As mentioned previously, using software tools to gain targeted information is categorized as an active method. The most common and popular tools used for gaining targeted information are:

  1. WHOIS

  2. Nslookup

  3. ARIN

  4. Neo Trace

  5. VisualRoute Trace

  6. Email Tracker Pro

2.2 WHOIS

WHOIS is a query and response protocol for querying databases that store the registered users or assignees of an Internet resource. The information that can be acquired includes the domain name, IP address block and autonomous system. The WHOIS protocol stores and provides database content in a human-readable format.

The websites and software tools providing WHOIS information are:

1. http://internic.net/whois.html

2. http://www.whois.net

3. SAM SPADE 1.14

Accessing information at www.internic.net/whois.html

Just type www.internic.net/whois.html in your internet browser.

Type the desired domain name and select whether it is .com, .edu, .biz, .org, etc.

Then click the 'Submit' button, and the information about the domain name will be displayed as below.

Accessing information at www.whois.net

Just type www.whois.net in your internet browser.

Type the desired domain name and choose whether it is .com, .edu, .biz, .org, etc. The results will be displayed as below.

Installing and Accessing Information from SAM SPADE 1.14

Double click on the file spade114 to install the software.

  Just click ‘Next’ until the installation is completed.

Double click on the desktop icon Sam Spade 1.14 and a screen will appear as shown below.

Type the desired domain name in the box highlighted below.

  Click on the pink arrow button to produce the results.

Overall, the WHOIS tools display the hosting company that registered the domain name, together with the domain's creation date, expiration date and name servers. The key information provided by a WHOIS tool is:

  1. Hosting Company that registered the domain

  2. Creation date of domain

  3. Expiration date of domain

  4. Name server hosted

  5. Hosting Company hosting the website

  6. Administrative contact details

  7. Technical contact details

  8. Registrant Details
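The fields listed above are what a defender usually extracts from WHOIS output to monitor their own domains. The script below is an added example, not code from the book or from any WHOIS tool: it parses a constructed reply for a placeholder domain into the key fields above and flags a domain whose expiry is near (a lapsed registration is a common way to lose a domain to a third party). The field labels ("Registry Expiry Date", "Name Server", and so on) are an assumption; real registrars vary in the labels they print.

```python
"""Parse the key fields of a WHOIS reply and flag domains close to expiry.

Added example, not from the book. The reply text is constructed for a
placeholder domain; the label list is a best-effort assumption, since the
exact labels differ between registrars.
"""
from datetime import date, datetime

# Constructed sample WHOIS reply for a placeholder domain.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-PLACEHOLDER.COM
Registrar: Example Registrar, Inc.
Creation Date: 2010-03-15T00:00:00Z
Registry Expiry Date: 2025-03-15T00:00:00Z
Name Server: NS1.EXAMPLE-PLACEHOLDER.COM
Name Server: NS2.EXAMPLE-PLACEHOLDER.COM
Registrant Organization: Example Holdings Ltd
Admin Email: admin@example-placeholder.com
Tech Email: tech@example-placeholder.com
"""

# The book's key fields mapped to the reply labels assumed here.
FIELD_LABELS = {
    "registrar": ("Registrar",),
    "created": ("Creation Date",),
    "expires": ("Registry Expiry Date", "Expiration Date"),
    "name_servers": ("Name Server",),
    "registrant": ("Registrant Organization",),
    "admin_contact": ("Admin Email",),
    "tech_contact": ("Tech Email",),
}
MULTI_VALUED = {"name_servers"}  # fields that may appear several times


def parse_whois(text):
    """Return a dict of the key fields found in a WHOIS reply."""
    record = {key: [] if key in MULTI_VALUED else None for key in FIELD_LABELS}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        label, value = label.strip(), value.strip()
        for key, labels in FIELD_LABELS.items():
            if label in labels:
                if key in MULTI_VALUED:
                    record[key].append(value.lower())
                else:
                    record[key] = value
    return record


def days_until_expiry(record, today):
    """Days from `today` (YYYY-MM-DD) to the expiry date; None if no expiry was parsed."""
    if not record["expires"]:
        return None
    expires = datetime.fromisoformat(record["expires"].replace("Z", "+00:00")).date()
    return (expires - date.fromisoformat(today)).days


def expiry_warning(record, today, threshold_days=60):
    """True when the domain expires within threshold_days (a common monitoring rule)."""
    days = days_until_expiry(record, today)
    return days is not None and days <= threshold_days


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(rec)
    today = date.today().isoformat()
    print("days to expiry:", days_until_expiry(rec, today))
    print("renewal warning:", expiry_warning(rec, today))
```

The same parser can be pointed at the text copied from the internic.net or whois.net results page; only the label table needs adjusting if a registrar prints different field names.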

2.3 Nslookup

Nslookup is a command-line network tool available on many operating systems for querying the Domain Name System (DNS) to obtain the domain name to IP address mapping for a specific DNS record. The nslookup command is available from the shell on Linux and from the command prompt on Windows. Below are the options associated with the nslookup command:

Just type nslookup -d followed by the desired domain name at the Windows command prompt. According to the author, the -d option displays all the records of the domain name. It produces results like the sample shown below:

2.4 ARIN

ARIN (American Registry for Internet Numbers) was founded in 1997. It is a non-profit organization that registers and administers IP numbers for North America, some regions of the Caribbean and sub-Saharan Africa. ARIN is one of four regional Internet registries. ARIN also provides services for the technical coordination and management of Internet numbers.

Just type the ARIN address in your internet browser.

Enter the desired domain name in the box highlighted below. Only choose domain names from North America, some regions of the Caribbean and sub-Saharan Africa.

Click on the arrow button next to the search box highlighted above, and the results will be shown as below. Select either of the 2 entries highlighted below.

Upon clicking the selected entry from the previous page, the information about the domain will be displayed as shown below.

2.5 Neo Trace

NeoTrace is an investigative tool that traces the network path across the Internet from the host system to a target system. The software provides good information about the registration details of the owner of each computer and of the network each node IP is registered to. It provides a world map displaying the locations of the nodes along the route.

  Double click on the file name NeoTraceProTrial325 to perform the installation.

  Click ‘Next’ button until installation is completed successfully.

Once the installation is completed, the Neo Trace screen will pop up as shown below.

Just type the desired domain name in the highlighted area below. In this example, www.google.com is typed in the highlighted box.

Click the 'Go' button to produce the results shown below. These results are in 'Map View' format, which shows the geographical locations of the network nodes.

  Select the ‘Node View’ option in the highlighted area.

These results show all the servers and routers that responded along the route to google.com.

2.6 VisualRoute

VisualRoute is a tool that integrates Traceroute, Ping and Whois into one interface that investigates Internet connections to identify whether there is a slowdown in the network. Moreover, VisualRoute can display the geographical location of IP addresses on a global map. VisualRoute provides key information to help identify Internet abusers and network intruders. Just click on the file vrc to perform the VisualRoute software installation.

The Java runtime must be installed before VisualRoute. Just proceed with the Java runtime installation until it is completed.

Click the 'Install Now' button to continue the VisualRoute installation until it succeeds.

Once the installation is completed, the VisualRoute screen will appear as below. Enter the desired domain name in the highlighted box and click the green arrow button on the same row.

The results show all the network nodes and the targeted information. They also display the geographical location of the servers.

3.0 Identifying Weakness

During the probing process, network scanners, sniffers and port scanners are actively used to identify vulnerabilities on the targeted system. This gives the hacker time and an advantage in finding an important and strong means of penetrating the target system.

For example, by using a port scanner to listen on a port, a hacker can identify that a server has a particular database application installed that stores customers' passwords. Once the port scanner has revealed the database, the hacker has a high chance of using SQL injection against the database application. SQL injection is unverified user input that convinces the application to run an SQL statement of the attacker's choosing. When such SQL statements are executed, the hacker has a high chance of obtaining customers' passwords from the database application.

In the scenario above:

Probed information : the type of database installed

Vulnerability : SQL injection

Exploitation : high chance of gaining customers' passwords

The diagram for the scenario above is illustrated on the following page.

  Simple Diagram on probing activities on targeted system

Therefore, once the hacker has probed the vulnerabilities of the targeted system, there is a high chance of exploiting it. The types of exploitation will be explained in the following chapter. Exploitation is carried out by performing attacks on the computer systems.

3.1 Software Tools to Probe Networks

If you ever think that an existing network is fully protected from any attack, it is best to humble yourself and test-run the tools proposed below to audit the computer network. These tools may even provide suggestions for fixing the network security issues.

Port Scanning

NMAP

NetScan

Vulnerability Scanning

WebCruiser

GFI LandGuard

Network Packet Scanning (widely known as network sniffing)

Ethereal

A good computer security auditor will follow the steps below to probe any computer network:

However, there are many other network tools, such as Retina from eEye, the ISS Security Scanner, and AppDetective by Application Security, Inc., but the tools suggested above are for beginners to gain a basic understanding of network vulnerabilities.

3.2 NMAP

NMAP is a network scanner that can detect operating systems, discover hosts, detect host services and more. Typically NMAP runs from the command line (DOS mode) and the end user executes nmap commands to probe networks. The website to download and install NMAP is http://nmap.org. A simple NMAP command is demonstrated below: The results above show that NMAP has detected all the services available from the host scanme.nmap.org, which are smtp, domain, gopher, http, auth, ajp13 and elite. It has identified the host as running Linux version 2.6.

  Important NMAP commands

The NMAP commands below are provided for various network situations to be probed. Basically the end user needs some basic knowledge of computer networks before using them.

1: Scan a single host or an IP address (IPv4)

### Scan a single IP address ###
nmap 192.168.1.1

### Scan a host name ###
nmap server1.cyberciti.biz

### Scan a host name with more info ###

2: Scan multiple IP addresses or a subnet (IPv4)

nmap 192.168.1.1 192.168.1.2 192.168.1.3

## works within the same subnet, i.e. 192.168.1.0/24
nmap 192.168.1.1,2,3

You can scan a range of IP addresses too:

nmap 192.168.1.1-20

You can scan a range of IP addresses using a wildcard:

nmap 192.168.1.*

Finally, you can scan an entire subnet:

nmap 192.168.1.0/24

3: Read a list of hosts/networks from a file (IPv4)

The -iL option allows you to read the list of target systems from a text file. This is useful for scanning a large number of hosts/networks. Create a text file as follows:

cat > /tmp/test.txt

The syntax is:

nmap -iL /tmp/test.txt

4: Excluding hosts/networks (IPv4)

When scanning a large number of hosts/networks you can exclude hosts from a scan:

nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254

Or exclude a list from a file called /tmp/exclude.txt:

nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

5: Turn on OS and version detection with scanning scripts (IPv4)

nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt

6: Find out if a host/network is protected by a firewall

nmap -sA 192.168.1.254
nmap -sA server1.cyberciti.biz

7: Scan a host when it is protected by a firewall

nmap -PN 192.168.1.1
nmap -PN server1.cyberciti.biz

8: Scan an IPv6 host/address

The -6 option enables IPv6 scanning. The syntax is:

nmap -6 IPv6-Address-Here
nmap -6 server1.cyberciti.biz
nmap -6 2607:f0d0:1002:51::4
nmap -v -A -6 2607:f0d0:1002:51::4

9: Scan a network and find out which servers and devices are up and running

This is known as host discovery or ping scan:

nmap -sP 192.168.1.0/24

10: How do I perform a fast scan?

nmap -F 192.168.1.1

11: Display the reason a port is in a particular state

nmap --reason 192.168.1.1
nmap --reason server1.cyberciti.biz

12: Only show open (or possibly open) ports

nmap --open 192.168.1.1
nmap --open server1.cyberciti.biz

13: Show all packets sent and received

nmap --packet-trace 192.168.1.1

14: Show host interfaces and routes

nmap --iflist

15: How do I scan specific ports?

nmap -p [port] hostName
## Scan port 80
nmap -p 80 192.168.1.1
## Scan TCP port 80
nmap -p T:80 192.168.1.1
## Scan UDP port 53
nmap -p U:53 192.168.1.1
## Scan two ports ##
nmap -p 80,443 192.168.1.1
## Scan port ranges ##
nmap -p 80-200 192.168.1.1
## Combine all options ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
## Scan all ports with the * wildcard ##
nmap -p "*" 192.168.1.1
## Scan top ports, i.e. scan the $number most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1

16: The fastest way ever to scan all your devices/computers for open ports

nmap -T5 192.168.1.0/24

17: How do I detect the remote operating system?

You ca

nmap -O --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1
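An auditor running the commands above against their own network usually wants the scan output compared with what each host is supposed to expose, not just read by eye. The script below is an added example, not code from the book or from the nmap project: it parses nmap's grepable output format (the -oG option, one "Host:" line per host with a tab-separated "Ports:" field whose entries are port/state/protocol/owner/service/rpc-info/version) and reports open ports that an inventory does not list. The two scan lines and the inventory are constructed; the RFC 1918 addresses are placeholders, not real hosts.

```python
"""Compare nmap's grepable output (-oG) with the services a host is allowed to expose.

Added example, not from the book or the nmap project. The -oG lines and the
inventory are constructed for the demonstration.
"""
import re

# Constructed sample -oG lines (private addresses; not real hosts).
SAMPLE_GREPABLE = """\
# Nmap 7.x scan initiated (constructed sample)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//nginx/, 3306/open/tcp//mysql//MySQL 5.7/\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tPorts: 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Assumed inventory: the ports each host is allowed to have open.
EXPECTED_OPEN = {
    "192.168.1.10": {22, 80},
    "192.168.1.20": {443},
}

# port/state/protocol/owner/service/rpc-info/version, with owner and rpc-info usually empty
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and anything else
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: <ip> (<name>)"
        ports = hosts.setdefault(host, [])
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for m in PORT_ENTRY.finditer(field):
                    port, state, proto, service, _version = m.groups()
                    ports.append((int(port), state, proto, service))
    return hosts


def unexpected_open_ports(scan, expected):
    """Open ports the inventory does not list: candidates for an exposure review.
    Filtered ports are not reported, since nothing answered on them."""
    findings = {}
    for host, entries in scan.items():
        allowed = expected.get(host, set())
        extra = sorted(port for port, state, _proto, _svc in entries
                       if state == "open" and port not in allowed)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for host, entries in scan.items():
        print(host, entries)
    print("unexpected open ports:", unexpected_open_ports(scan, EXPECTED_OPEN))
```

A host that is absent from the inventory is treated as allowing nothing, so every open port on it is reported; that is the safer default for an audit.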

3.3 NetScan

If anyone is looking for a network scanner toolkit application, it would be NetScan, which comes with a bundle of important network tools for auditing the network. The website to download the tool is http://www.netscantools.com/. The bundled network tools are as below:

DNS Tools - Simple: simple IP/hostname resolution, Who Am I? (shows your computer name, IP and DNS servers)

Ping

Graphical Ping

Traceroute

Ping Scanner

Whois

Sample NetScan results for the DNS scanning mode: the queries run directly against the domain's authoritative name server, so changes to DNS records should appear instantly. By default, the DNS scanning tool will return an IP address if you give it a name (e.

3.4 Webcruiser

The earlier tools only detect network security at the surface level: port scanning, DNS records, host services, IP addresses and OS versions. That type of information is not enough to ensure the security of a computer network. Software tools like Webcruiser scan further, into the security of the host applications.

  

Basically this software tool performs the network exploitation at an early stage, and then provides the vulnerability information. The following page shows an example of the exploitation process and the vulnerability results from Webcruiser: The results show that Webcruiser has tried various possibilities of SQL injection and cross-site scripting at the host URL, with some strings and ID parameters, to exploit the database application. Finally the SQL injection will display the data that was saved in the

A perfect tool for auditing SQL injection would be Webcruiser. A good hacker can get access to all the records in a database table by simply placing 105 or 1=1 into the SQL statement. Below is a basic example of an SQL statement that results from SQL injection.

SELECT * FROM Users WHERE UserId = 105 or 1=1

Basically the injected SQL commands can alter SQL statements and compromise or exploit the security of a web application. The Webcruiser tool can simply execute the SQL injection testing without the user constructing any SQL statements.

The above screenshot demonstrates the SQL injection activities performed by Webcruiser. Overall, Webcruiser can perform the following types of injection:

Post SQL Injection

Cookie SQL Injection

Cross Site SQL Injection

XPath Injection

Quick simple steps to use the Webcruiser tool are below.

Now change the value of username to admin' and '1'='2. If there is a different response, then the application has a SQL injection vulnerability.

3.4.1 Explanation from Other Websites

What is SQL Injection?

commands into an SQL statement, via web page input. Injected SQL commands can alter the SQL statement and compromise the security of a web application.

  SQL Injection Based on 1=1 is Always True

Let's say that the original purpose of the code was to create an SQL statement that selects a user with a given user id.

  If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:

UserId: 105 or 1=1

Server Result:

SELECT * FROM Users WHERE UserId = 105 or 1=1

The SQL above is valid. It will return all rows from the Users table, since WHERE 1=1 is always true.

Does the example above seem dangerous? What if the Users table contains names and passwords? The SQL statement above is much the same as this:

SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1

From

What is Cross Site Scripting?

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

  

From https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
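The OWASP definition above ends on the root cause: output generated from user input without encoding. The script below is an added example, not code from the book or from OWASP: it renders a constructed greeting fragment once by inserting the input verbatim and once after HTML-encoding it with the standard library, then applies a simple check that shows the encoded form carries no active markup. The page template and the probe string are constructed for the demonstration.

```python
"""Reflected user input with and without HTML encoding.

Added example, not from the book or OWASP. Template, input and check are constructed.
"""
import html


def render_unencoded(name):
    """Inserts user input into HTML verbatim: markup in the input becomes markup in the page."""
    return "<p>Hello, " + name + "!</p>"


def render_encoded(name):
    """Encodes &, <, >, " and ' so the browser shows the input as text, whatever it contains."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def contains_active_markup(fragment):
    """Crude check used here to compare the two renderings: does the fragment still contain
    a script tag or an inline event handler? (A check like this is for tests, not a defence.)"""
    lowered = fragment.lower()
    return "<script" in lowered or " onerror=" in lowered or " onload=" in lowered


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # classic test string, constructed here
    for render in (render_unencoded, render_encoded):
        out = render(probe)
        print(render.__name__, "->", out, "| active markup:", contains_active_markup(out))
```

Encoding must match the context the value lands in: html.escape with quote=True is right for element text and quoted attribute values, while a value placed inside a script block or a URL needs that context's own encoding instead.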

3.5 GFI LandGuard

In a corporate environment there will be a few hundred computers connected to the network, and it will be very difficult for the IT department and administrators to maintain the security updates and patches for the organization. This is where the GFI LandGuard tool comes into the picture, to simply apply the patches and updates across the network environment. Basically GFI LandGuard scans for network vulnerabilities, security compliance and more, and finally performs the security updates and patches. The following page shows the scanning results from GFI LandGuard.

The scanning features of GFI LandGuard include a software and hardware audit covering port status, patching status, missing service packs for a particular OS and so on. It provides an overall network security vulnerability level for IT administrators to understand their existing computer networks.

3.6 What is Wireshark and Ethereal?

Most of us would have heard of the term Sniffing or Packet Sniffer. When someone is sniffing the network, he or she is basically analyzing all the packet movements in the network. Wireshark and Ethereal are well-known packet analyzer software tools. Overall, Wireshark and Ethereal perform and provide information as below:

Troubleshooting network issues and locating bottlenecks

Network intrusion detection

Logging network traffic for forensic analysis

Discovering a DoS (denial-of-service) attack

A hacker will use the same tools to obtain the information below:

Capturing usernames and passwords

OS fingerprinting

Capturing sensitive or proprietary information

Network mapping

  Simple Steps to Filter DHCP Traffic with Wireshark

Wireshark can be downloaded from the Wireshark website. Below is a screenshot of Wireshark capturing all the packets on the network. To filter only DHCP packets, type bootp.option.type == 53 in the display filter and click Apply. The results are as shown below.

Just type ipconfig /release at a command prompt; the DHCP Discover, Offer, Request and ACK packets that then appear in Wireshark are caused by typing ipconfig /renew at the command prompt.
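The filter bootp.option.type == 53 keeps packets that carry DHCP option 53, the message type, which is what distinguishes Discover, Offer, Request and ACK from one another. The script below is an added example, not code from the book or from the Wireshark project: it applies the same filter logic in Python to a constructed capture of four DHCP payloads and one unrelated payload. Each DHCP payload is built from the fixed 236-byte BOOTP header, the magic cookie 63 82 53 63, and type-length-value options; only option 53 is decoded, every other option is skipped by its length. (Wireshark 3.0 and later name the dissector dhcp rather than bootp, so the equivalent display filter there is dhcp.option.type == 53.)

```python
"""Apply the book's Wireshark filter (DHCP option 53, message type) to raw payloads.

Added example, not from the book or Wireshark. All packets are constructed in code.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release"}


def build_dhcp(op, xid, msg_type, leading_options=b""):
    """Constructed DHCP payload: 236-byte BOOTP part, cookie, options, end marker.
    leading_options are placed before option 53 so the parser has to skip them."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)  # op, htype=ethernet, hlen, hops, xid, secs, flags
    header += b"\x00" * (236 - len(header))  # ciaddr/yiaddr/siaddr/giaddr/chaddr/sname/file left zero
    options = leading_options + bytes([53, 1, msg_type]) + b"\xff"
    return header + MAGIC_COOKIE + options


def dhcp_message_type(payload):
    """Return the option-53 message type name, or None if the payload is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:        # pad: one byte, no length
            i += 1
            continue
        if code == 255:      # end of options
            break
        if i + 1 >= len(payload):
            break            # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            return MESSAGE_TYPES.get(value[0], "type %d" % value[0])
        i += 2 + length
    return None


def filter_dhcp(packets):
    """Equivalent of 'bootp.option.type == 53': (index, type) for packets carrying a message type."""
    result = []
    for idx, payload in enumerate(packets):
        kind = dhcp_message_type(payload)
        if kind is not None:
            result.append((idx, kind))
    return result


# Constructed capture: one non-DHCP payload, then the Discover/Offer/Request/ACK of a single lease.
SAMPLE_PACKETS = [
    b"not a dhcp packet",
    build_dhcp(1, 0x1234, 1, bytes([61, 7, 1, 0, 0x11, 0x22, 0x33, 0x44, 0x55])),  # option 61: client id
    build_dhcp(2, 0x1234, 2, bytes([51, 4, 0, 0, 0x0e, 0x10])),                     # option 51: lease 3600 s
    build_dhcp(1, 0x1234, 3, b"\x00"),                                              # a pad byte first
    build_dhcp(2, 0x1234, 5),
]

if __name__ == "__main__":
    for idx, kind in filter_dhcp(SAMPLE_PACKETS):
        print("packet", idx, "->", kind)
```

The same four-message pattern from one client in quick succession is what the ipconfig /release and /renew sequence above produces; a Discover with no following Offer, repeated many times, is the pattern to look for when a client cannot get a lease.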

4.0 Performing Attacks

Gaining access is the most dangerous phase in the hacking process. Basically the hackers will initiate attacks on the computer systems. There are several types of attacks that can be performed by a hacker:

  1. Buffer overflow

  2. Denial of service

  3. Session hijacking

  4. SQL Injection

  5. Trojans

  6. Password Cracking

7. Worms and Viruses

Many other types of attack exist, but the items above are the most common tactics used by hackers.

A buffer overflow happens when data is written to a buffer with insufficient bounds checking and eventually corrupts the data values in memory addresses next to the allocated buffer. Mostly this situation happens when string characters are copied from one buffer to another.

A denial-of-service attack (DoS attack) is an attempt to make a computer resource or service completely unavailable to its users. A DoS attack continuously sends data packets to the computer system until the system is exhausted and unable to provide the configured service to the users.

Session hijacking is the exploitation of a valid computer session, identified by what is known as a session key. These sessions allow hackers to gain unauthorized access to particular information or services in a computer system. Mostly the term refers to hackers acquiring the unique cookie used to authenticate or validate a user to a remote server. A trojan is malware that performs a function the user wants to run or install but instead gives unauthorized access to the user's computer system. Users are usually tricked into loading and executing trojans on their systems.

Password cracking is the process of recovering passwords from data that a computer has stored or transmitted for its users. Usually password cracking tools repeatedly try to guess the password. The purposes of password cracking are to help a user recover a forgotten password, to gain unauthorized access to a system, or to let system administrators check password strength as a preventive measure.

A computer worm or virus replicates itself across computer networks by sending copies of itself to other computers on the network. The main difference between a virus and a worm is that a worm does not need to attach itself to an existing program. Worms harm the computer network by at least consuming bandwidth, whereas a virus corrupts or modifies files on a targeted computer.

Overall, the attacks described above can cause serious harm to computer networks and architecture. Basically these attacks take control of the computer systems in the organization.

4.1 Good Software Tools to Attack a Computer or Network

The software tools suggested are more for educational and testing purposes.

A proper testing environment should be established before using the software tools to attack a network. Below are some of the software tools that can be used to perform attacks over the network.

Denial of Service

1) Colasoft Packet Builder

Password Cracking

2) Cain and Abel

3) L0phtCrack

Web Copier Tools to Perform Phishing Attacks

5) Webcopier

6) HTTrack

Buffer Overflow

7) C/C++ programming examples of buffer overflow

Testing the tools above can cause the computer to hang or slow down. It is better to use a dedicated old computer to run them. These software tools are mostly used by beginners to explore computer attacks.

4.2 Colasoft Packet Builder

A simple denial of service attempt would be typing ping at the command prompt, which sends Internet Control Message Protocol (ICMP) Echo Request messages to the destination computer and waits for a response. However, this alone will definitely not be enough to mount a DoS attack.

Colasoft Packet Builder is handy enough to initiate a DoS attack over a network. It provides an interface for the end user to craft a custom network packet. The end user can craft the following packet types, Ethernet, ARP, IP, TCP and UDP, and change the parameters in the decoder editor, hexadecimal editor or ASCII editor as shown below.

Existing network packets can be obtained from Colasoft Capsa, Wireshark, Ethereal and so on to simplify the packet crafting work, by adding and inserting packets with the command in the Edit menu or toolbar. Finally the packets can be sent over the network by clicking the Start button.

Just change the Loop Sending option to 0 for an infinite loop, which will cause a denial of service on the host. Some firewalls are able to detect and block denial of service attacks. It would be good to shut down the personal firewall for experimental and learning purposes.

Also type taskmgr at the command prompt and click the Performance tab to observe the computer's resources while the packets are sent over the network. When the CPU usage has reached 100%, Colasoft Packet Builder has successfully performed a denial of service.
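The section mentions that some firewalls detect a flood like the one Loop Sending produces; the rule they apply is simple rate counting per source. The script below is an added example, not code from the book or from Colasoft: it takes a constructed packet log of (timestamp in seconds, source IP, protocol) tuples, holds a sliding window of recent timestamps per source, and flags any source that exceeds a threshold within the window. The window of 1 second and the threshold of 100 packets are assumptions to be tuned to the network; the addresses are placeholders.

```python
"""Flag packet floods from the receiving side with a per-source sliding window.

Added example, not from the book or Colasoft. Traffic, window and threshold are constructed.
"""
from collections import defaultdict, deque


def flood_sources(events, window=1.0, threshold=100):
    """Return {source: timestamp} for each source that sent more than `threshold`
    packets inside any `window`-second span; the timestamp is when the rule first fired."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for ts, src, _proto in sorted(events):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that have left the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def make_sample_events():
    """Constructed traffic: one echo request per second from 192.168.1.5 for a minute,
    plus a burst of 500 packets in one second from 192.168.1.9 starting at t=10 s."""
    events = [(float(t), "192.168.1.5", "icmp") for t in range(60)]
    events += [(10.0 + i / 500, "192.168.1.9", "icmp") for i in range(500)]
    return events


if __name__ == "__main__":
    for src, ts in flood_sources(make_sample_events()).items():
        print("flood from %s, threshold crossed at t=%.3f s" % (src, ts))
```

A legitimate ping never comes close to the threshold, so the rule produces no noise on normal traffic; the trade-off is that a flood spread across many sources (or one that stays just under the rate) passes, which is why production detection also looks at aggregate rates and at CPU and queue saturation, the symptom the section observes in Task Manager.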

4.3 Cain and Abel

  One of the most interesting tools to explore is Cain and Abel. It is primarily a password recovery tool: rather than "breaking encryption", it attacks the stored hash of a password and can do so for almost every hash format found on Windows and in common databases. The most common formats are:

  MD4 hashes
  MD5 hashes
  SHA-1 hashes
  SHA-2 hashes
  MSSQL hashes
  MySQL hashes
  WEP (Wired Equivalent Privacy) keys

  Let us take the example of cracking an MD5 hash with Cain and Abel to reveal the original password. Unsalted MD5 hashes are commonly found in MySQL databases used to store user passwords.

  Step 1: Click on the Cracker tab.
  Step 2: Select MD5 Hashes in the sidebar.
  Step 3: Right-click on the blank sheet and select the "Add to list" option.
  Step 4: A pop-up box appears; paste the hash into that box and click OK. For instance, take this hash: c3ea886e7d47f5c49a7d092fadf0c03b
  Step 5: Right-click on the hash, select the Method, and choose Brute Force Attack.
  Step 6: Finally, click the "Start" button below to start cracking the password.

  When the MD5 hash has been successfully cracked, the result is shown as below.

4.4 L0phtCrack

  L0phtCrack is mainly used for cracking Windows user account passwords.

  On Windows XP the user account information is stored in the SAM (Security Accounts Manager) database at C:\Windows\System32\config\SAM. L0phtCrack simplifies the task by locating and importing the SAM on the local Windows machine (administrator rights are required) and displays all the user accounts, including the Administrator account. Below is a simple screenshot of the L0phtCrack tool:

  For beginners it is easiest to use the brute force attack to crack the passwords. Brute force always succeeds eventually, but its running time grows exponentially with the password length and character set, which is why in practice a dictionary attack is tried first.

  What is a Brute Force Attack? In cryptography, a brute force attack or exhaustive key search is a strategy that can in theory be used against any encrypted data by an attacker who is unable to take advantage of any weakness in an encryption system that would otherwise make his task easier.

  From wikipedia.org

  What is a Dictionary Attack? An attempt to gain illicit access to a computer system by using a very large set of words to generate potential passwords.

  From wikipedia.org
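  The two attacks defined above, and the MD5 cracking walkthrough in 4.3, come down to the same loop: hash a candidate, compare with the target, repeat. The following C program is an added example, not the book's code and not Cain and Abel: it implements MD5 from RFC 1321, then runs a dictionary attack and a brute force search against constructed targets (the MD5 of "abc" and of "password"). The hash quoted in the book is not used because its preimage is not given on the page. The alphabet, word list and length limit are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: self-contained MD5 (RFC 1321) plus the two attacks named
 * on this page, dictionary and brute force, against a constructed hash. */

static const uint32_t K[64] = {
    0xd76aa478,0xe8c7b756,0x242070db,0xc1bdceee,0xf57c0faf,0x4787c62a,0xa8304613,0xfd469501,
    0x698098d8,0x8b44f7af,0xffff5bb1,0x895cd7be,0x6b901122,0xfd987193,0xa679438e,0x49b40821,
    0xf61e2562,0xc040b340,0x265e5a51,0xe9b6c7aa,0xd62f105d,0x02441453,0xd8a1e681,0xe7d3fbc8,
    0x21e1cde6,0xc33707d6,0xf4d50d87,0x455a14ed,0xa9e3e905,0xfcefa3f8,0x676f02d9,0x8d2a4c8a,
    0xfffa3942,0x8771f681,0x6d9d6122,0xfde5380c,0xa4beea44,0x4bdecfa9,0xf6bb4b60,0xbebfbc70,
    0x289b7ec6,0xeaa127fa,0xd4ef3085,0x04881d05,0xd9d4d039,0xe6db99e5,0x1fa27cf8,0xc4ac5665,
    0xf4292244,0x432aff97,0xab9423a7,0xfc93a039,0x655b59c3,0x8f0ccc92,0xffeff47d,0x85845dd1,
    0x6fa87e4f,0xfe2ce6e0,0xa3014314,0x4e0811a1,0xf7537e82,0xbd3af235,0x2ad7d2bb,0xeb86d391 };
static const int S[64] = {
    7,12,17,22,7,12,17,22,7,12,17,22,7,12,17,22, 5,9,14,20,5,9,14,20,5,9,14,20,5,9,14,20,
    4,11,16,23,4,11,16,23,4,11,16,23,4,11,16,23, 6,10,15,21,6,10,15,21,6,10,15,21,6,10,15,21 };

static uint32_t rotl(uint32_t x, int c) { return (x << c) | (x >> (32 - c)); }

/* One 64-byte compression step over state st (a, b, c, d). */
static void md5_block(uint32_t st[4], const uint8_t blk[64]) {
    uint32_t M[16], a = st[0], b = st[1], c = st[2], d = st[3];
    for (int i = 0; i < 16; i++)   /* message words are little-endian */
        M[i] = blk[4*i] | (uint32_t)blk[4*i+1] << 8 | (uint32_t)blk[4*i+2] << 16 | (uint32_t)blk[4*i+3] << 24;
    for (int i = 0; i < 64; i++) {
        uint32_t f; int g;
        if (i < 16)      { f = (b & c) | (~b & d); g = i; }
        else if (i < 32) { f = (d & b) | (~d & c); g = (5*i + 1) % 16; }
        else if (i < 48) { f = b ^ c ^ d;          g = (3*i + 5) % 16; }
        else             { f = c ^ (b | ~d);       g = (7*i) % 16; }
        f += a + K[i] + M[g];
        a = d; d = c; c = b; b += rotl(f, S[i]);
    }
    st[0] += a; st[1] += b; st[2] += c; st[3] += d;
}

/* MD5 of msg[0..len) as 32 lowercase hex characters (out holds 33 bytes). */
void md5_hex(const char *msg, size_t len, char out[33]) {
    uint32_t st[4] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 };
    size_t i = 0;
    for (; i + 64 <= len; i += 64) md5_block(st, (const uint8_t *)msg + i);
    uint8_t tail[128] = {0};                  /* padding: 0x80, zeros, 64-bit length in bits */
    size_t rem = len - i, tlen = rem < 56 ? 64 : 128;
    memcpy(tail, msg + i, rem);
    tail[rem] = 0x80;
    uint64_t bits = (uint64_t)len * 8;
    for (int j = 0; j < 8; j++) tail[tlen - 8 + j] = (uint8_t)(bits >> (8 * j));
    md5_block(st, tail);
    if (tlen == 128) md5_block(st, tail + 64);
    for (int j = 0; j < 16; j++) sprintf(out + 2*j, "%02x", (st[j/4] >> (8*(j%4))) & 0xff);
}

/* Does MD5(msg) equal the given hex digest? */
int md5_matches(const char *msg, const char *expected_hex) {
    char hex[33];
    md5_hex(msg, strlen(msg), hex);
    return strcmp(hex, expected_hex) == 0;
}

/* Dictionary attack: hash each candidate word and compare with the target. */
int dictionary_md5(const char *target, const char *const words[], size_t nwords, char *found, size_t cap) {
    for (size_t i = 0; i < nwords; i++)
        if (md5_matches(words[i], target)) { snprintf(found, cap, "%s", words[i]); return 1; }
    return 0;
}

/* Brute force: every string over `alphabet` of length 1..maxlen (maxlen <= 8). */
int brute_force_md5(const char *target, const char *alphabet, int maxlen, char *found, size_t cap) {
    int n = (int)strlen(alphabet), idx[8];
    char cand[9];
    for (int len = 1; len <= maxlen && len <= 8; len++) {
        memset(idx, 0, sizeof idx);
        for (;;) {
            for (int i = 0; i < len; i++) cand[i] = alphabet[idx[i]];
            cand[len] = '\0';
            if (md5_matches(cand, target)) { snprintf(found, cap, "%s", cand); return 1; }
            int p = len - 1;                      /* odometer increment over the alphabet */
            while (p >= 0 && ++idx[p] == n) idx[p--] = 0;
            if (p < 0) break;
        }
    }
    return 0;
}

int main(void) {
    /* Constructed target: MD5("abc"). A real target would come from a database dump. */
    const char *target = "900150983cd24fb0d6963f7d28e17f72";
    const char *const words[] = { "password", "letmein", "abc" };
    char found[9];
    if (dictionary_md5(target, words, 3, found, sizeof found)) printf("dictionary: %s\n", found);
    if (brute_force_md5(target, "abcdefghijklmnopqrstuvwxyz", 3, found, sizeof found)) printf("brute force: %s\n", found);
    return 0;
}
```

  The dictionary run needs three hashes; the brute force run needs up to 26 + 676 + 17576 for three lowercase letters, and each extra character multiplies the work by the alphabet size. Because MD5 is fast and the stored value carries no salt, the same precomputed table works against every user in the database, which is why unsalted MD5 in a password table is a finding in its own right.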

4.5 Webcopier

  Webcopier is a tool that copies an entire website for offline use and stores the files on the laptop. It copies pages with JavaScript and supports proxy servers and HTTP authorization. The copied website files can then be used for phishing.

  The copied files are hosted on another web server under a look-alike domain name, with the login form changed to send its input to the attacker. End users rarely check the domain name but recognise the website's design immediately, and eventually enter their username, password, credit card details and so on. The attacker then uses these details on the real website.

  What is Phishing? Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting public.

  From wikipedia.org

  Below is a hands-on example of the Webcopier tool:

  The screenshot shows the website files being copied to the local computer; upon completion the results are shown below:

  Webcopier also allows browsing the copied files, as shown above, and previewing the HTML content.

4.6 HTTrack

  Another tool that works like Webcopier is HTTrack. It is free software released under the GPL. HTTrack has more features than Webcopier and handles websites with very large files; it also lets the user control how much, and which kinds of, content is downloaded.

  It is recommended for intermediate users. The screenshots below show HTTrack downloading files from the target website:

  Basic concept to use HTTrack:

  1. Choose your project to organize the downloads

  2. Drag and drop several websites for downloading

  3. Precisely choose the options for downloading

  4. Filters, for example, are a powerful way to include or exclude particular links.

  5. Start to download the website files.

4.7 Buffer Overflow

  A buffer overflow is one of the most common programming mistakes in software applications, so proper auditing should be performed on any software used in an organization. Before going into the details, the concept should be defined properly.

  A buffer is memory allocated to hold anything from a character string to an array of integers. A buffer overflow occurs when more data is written into a fixed-length buffer than it can hold. The excess data overwrites the adjacent memory and corrupts whatever was stored there. At best the program crashes; at worst an attacker who controls the input also controls what gets overwritten.

  C and C++ applications are the most frequent targets of buffer overflow attacks because the languages perform no bounds checking on arrays. Developers should avoid standard library functions that take no length argument, such as gets, strcpy and scanf with a bare %s, and use the bounded alternatives (fgets, snprintf, scanf with a field width) instead.

  Below is a sample C program that is vulnerable to buffer overflow.

    #include <stdio.h>
    #include <string.h>

    int main(void)
    {
        char buff[15];
        int pass = 0;

        printf("\n Enter the password : \n");
        gets(buff);            /* no bounds check: input longer than 14 characters overflows buff */

        if (strcmp(buff, "thegeekstuff")) {
            printf("\n Wrong Password \n");
        } else {
            printf("\n Correct Password \n");
            pass = 1;
        }

        if (pass) {
            /* Now give root or admin rights to the user */
            printf("\n Root privileges given to the user \n");
        }
        return 0;
    }

  When the end user runs the program and enters the correct password, the expected result appears below.

  This time the end user enters a wrong password: the program reports "Wrong Password" but still grants root privileges.

  This looks strange: even with a wrong password the program granted root privileges. The reason is that the input was longer than the 15-byte buffer, so the overflow overwrote the memory holding the pass integer. pass therefore contained a non-zero value, which satisfies the if (pass) condition and grants the privileges. Where pass sits relative to buff is decided by the compiler, so the exact input length needed, and whether a stack protector aborts the program first, varies between builds.
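  The following C program is an added example, not the book's code. To make the overwrite the book describes deterministic, it places the 15-byte buffer and the pass flag in a struct so their adjacency does not depend on the compiler, copies the input with an unchecked loop (what gets() and strcpy() do), and puts the hardened version beside it: a length check before the copy and an fgets-based replacement for gets() that reports when a line did not fit. The password string is the one used on the page; the 19-character attack string is constructed so that it stays inside the struct and does not smash the real stack.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not the book's code. The layout the book relies on (the
 * 'pass' flag sitting right after the 15-byte buffer) is made explicit with
 * a struct so the overwrite is deterministic; on a real stack the compiler
 * chooses the layout and may place a canary in between. */
struct login_frame {
    char buff[15];
    int  pass;          /* offset 16 on typical ABIs (one byte of padding) */
};

static const char *SECRET = "thegeekstuff";

/* Vulnerable: an unchecked copy, which is exactly what gets()/strcpy() do.
 * Bytes are written into the frame until the input's NUL, however long it is.
 * Inputs longer than sizeof(struct login_frame) - 1 would leave the struct. */
static void unchecked_copy(struct login_frame *f, const char *input) {
    unsigned char *dst = (unsigned char *)f;     /* byte view of the whole frame */
    size_t i = 0;
    while (input[i] != '\0') { dst[i] = (unsigned char)input[i]; i++; }
    dst[i] = '\0';
}

/* Returns 1 if the book's program would grant "root" for this input. */
int vulnerable_login(const char *input) {
    struct login_frame f;
    memset(&f, 0, sizeof f);                     /* pass = 0 */
    unchecked_copy(&f, input);
    if (strcmp(f.buff, SECRET) == 0) f.pass = 1;
    return f.pass != 0;                          /* non-zero garbage also passes */
}

/* Hardened: reject anything that does not fit, then copy a bounded amount. */
int hardened_login(const char *input) {
    struct login_frame f;
    memset(&f, 0, sizeof f);
    size_t n = strlen(input);
    if (n >= sizeof f.buff) return 0;            /* reject rather than truncate */
    memcpy(f.buff, input, n + 1);                /* bounded by the check above */
    if (strcmp(f.buff, SECRET) == 0) f.pass = 1;
    return f.pass;
}

/* Replacement for gets(): reads at most cap-1 characters and strips the newline.
 * Returns 0 and discards the rest of the line when the input did not fit. */
int read_line_bounded(char *buf, size_t cap, FILE *in) {
    if (cap == 0 || !fgets(buf, (int)cap, in)) return 0;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[n - 1] = '\0'; return 1; }
    int c;
    while ((c = getc(in)) != EOF && c != '\n') { }   /* line too long: drain it */
    return 0;
}

int main(void) {
    /* Constructed inputs: the real password, a wrong one, and 19 'A's that
     * overrun buff and land in pass. */
    const char *inputs[] = { "thegeekstuff", "wrong", "AAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s vulnerable=%d hardened=%d\n", inputs[i],
               vulnerable_login(inputs[i]), hardened_login(inputs[i]));

    char line[15];
    printf("Enter the password: ");
    if (!read_line_bounded(line, sizeof line, stdin)) { puts("input rejected"); return 1; }
    puts(hardened_login(line) ? "Correct Password" : "Wrong Password");
    return 0;
}
```

  The struct also explains the exact condition the book observed: the overflow only grants access when the bytes that land on pass are non-zero, so a 16-character input (which writes a NUL into pass on this layout) is refused while a 17-character one is accepted. Compiling the vulnerable version with -fstack-protector does not remove the bug, it only turns the privilege grant into an abort.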

5.0 Ethical Hackers Important Tasks

  So far the earlier chapters have given a basic exposure to the security tools that can be used for understanding computer security. However, there are certain tasks and responsibilities that ethical hackers should perform as part of their daily work. These tasks are not mandatory but are important for their career:

  1) Join ethical hacking groups
  2) Upgrade and select the right software tools
  3) Attend seminars about cyber-law
  4) Create incident forms and prepare reports for security audits

  Among the tasks above, the most important is to get trained in cyber-law and to prepare reports for security audits. Practically, the ethical hacker or security engineer needs to understand cyber-law before advising clients. Sometimes it is best to team up with lawyers with cyber-law experience.

5.1 Incident Forms

  When a security audit is performed at the client's location, it is best practice for the client to report each incident by filling in the incident form provided by the security engineers. The following page shows a sample incident form. The form lets the ethical hacker focus on the particular incident that the client or end user has experienced in their work environment.

5.2 Computer Security Reports

  The security report is the most crucial part of the ethical hacker's task. Based on the report, the client decides whether to purchase security software or otherwise fix the vulnerabilities found, so the report has to be comprehensive enough to convince the client of the actual security situation. Below is a simple outline of what a report should contain:

  Executive Summary
  Hacking Activities
  Summary of Website or Software Application Audit
  Vulnerability Findings
  Security Recommendations
  Graphs and Tables

  For illustration, a sample screenshot of the "Summary of Website or Software Application Audit" section is shown below. The samples provided are only basic guidelines; plenty of report templates can be found on the Internet.