
1. CIA: Confidentiality (password hack), Integrity (bit flipping), Availability (DoS attack).
2. More security makes ease of use and functionality harder, and vice versa.
3. Three phases of a pen test:
   a. Preparation.
   b. Assessment.
   c. Conclusion.
4. Phases of the assessment process:
   a. Reconnaissance.
   b. Scanning and enumeration.
   c. Gaining access: exploiting the system.
   d. Maintaining access: leaving a back door open for future use.
   e. Covering tracks: using a proxy so the security guys cannot trace us back.
5. Reconnaissance has two stages:
   a. Passive: gathering information about the victim without their knowledge.
   b. Active: gathering information about the victim with their knowledge, using various tools.
6. Three elements of RISK:
   a. Asset: what your company has.
   b. Threat: what could damage your assets (virus, flood).
   c. Vulnerability: a weakness in a software system or in a physical security system.

7. Cryptography: securing communication between two or more parties.
   a. Cryptanalysis: methods used to crack encrypted communications.
8. Plaintext (data) + cryptographic method = ciphertext.
9. Non-repudiation is the means by which a recipient can ensure the identity of the sender, and by which neither party can deny having sent or received the message.
10. Symmetric algorithms use the same key at both ends. Good for confidentiality, but a problem for integrity (non-repudiation).
11. Asymmetric algorithms use different keys at both ends (a public key for encryption and a private key for decryption). A sends its public key to B for encryption and B sends its public key to A for encryption; each uses its own private key to decrypt the encrypted values.
12. Asymmetric is slower than its counterpart.
13. Hash algorithms are used for the integrity of data and can be broken with a collision (brute force) attack.
14. Steganography: hiding data inside an image; it can be detected by an anti-virus program.
15. A PKI infrastructure uses a CA to issue keys and certificates, which every user in the network uses to identify themselves.
16. Vulnerability research can be done on various websites like exploit-db.com (check bookmarks).
17. Footprinting is gathering information about a particular network.
18. There are two types of footprinting:

   a. Active, where you actually touch the network, like issuing a ping sweep against the company IP range.
   b. Passive, where you don't touch the network itself, like checking their websites.
19. Competitive intelligence: information gathered by a business entity about its competitor.
20. DNS poisoning: directing DNS requests to your own server.
21. DNS has many record types defined inside a zone. When the details of the zone are requested, a zone transfer happens.
22. DNS details can be found using the nslookup command.
23. The dig utility provides the same details as nslookup; we only need the IP address of the DNS server to get detailed information about the various MX servers and their respective IP addresses.
24. The whois command can be used to find detailed information about websites (like the server used and contact info).
25. To find the network range, put the IP address in the registry's whois box. A lot of other useful information can be found this way as well.
26. The tracert command stops responding when there is a firewall, since a firewall does not respond to ICMP packets.
27. Email tracking: just append .mailtracking.com to the mail address you are sending to; a receipt will be received when the mail is read.

Scanning and Enumeration
1. There are three types of scanning:
   a. Network scanning.
   b. Port scanning.
   c. Vulnerability scanning.
2. Steps of scanning:
   a. Identify the live systems: can be done through ping.
   b. Identify the open ports: once you know the IP, find which ports it is listening on.
   c. Identify OS and services: banner grabbing and OS fingerprinting accomplish this task.
   d. Identify the vulnerabilities: check the system for any vulnerabilities which have not been patched yet.
3. IP is connectionless, so there is no error-messaging function at the network layer; ICMP was created to do that job (Type 8 echo request and Type 0 echo reply).
4. Combining pings to each and every address in a subnet range is called a ping sweep.
5. Ping responses are not enabled by default.
6. Type 13 in ICMP indicates a firewall is preventing the delivery of ICMP packets.

7. Read about the various types of ICMP.
8. A network intrusion detection system (NIDS) or a host-based intrusion detection system (HIDS) will easily detect a ping sweep.
9. Angry IP Scanner is one of the tools used for ping sweeps.
10. Various flags in a TCP segment:
   a. PSH: deliver data without buffering.
   b. SYN: initial setup of communication.
   c. ACK: acknowledgement of the SYN request.
   d. RST: force termination of the channel at both ends.
   e. URG: deliver data out of band.
   f. FIN: closing the communication.
11. A quick-and-easy tip to remember: all scans return an RST on a closed port, with the exception of the ACK scan, which returns no response.
12. Nmap:
   a. TCP connect scan has the SYN flag set and expects SYN/ACK on open ports and RST on closed ports; it is the noisiest.
   b. SYN (half-open) scan works like TCP connect except that the three-way handshake is never completed.
   c. ACK scan has the ACK flag set and expects RST on open ports and no response on closed ports; widely used to test firewall filtering.
   d. XMAS scan (FIN/URG/PSH) has all three flags set and expects no response on open ports and RST/ACK on closed ports, but does not work on Windows machines.
   e. FIN scan has FIN set and works like XMAS.
   f. NULL scan has no flags set and works like XMAS.
   g. IDLE scan uses a spoofed IP address.
13. If the scan output says ports are filtered, either a firewall or a router is preventing the scan.
14. McAfee SuperScan and hping do the same work as nmap.
15. War dialing is a process in which the user dials a set of phone numbers to find an open modem.
16. Proxies can be used to hide the IP, as can the TOR proxy.
17. Spoofing an IP can be done through various tools like Cain, ettercap and nmap.
18. Enumeration is the step after scanning, where you look for any sensitive information.
19. A null session is logging into the system without a username and password.
20. Tools which make use of null sessions are SuperScan, USER2SID and SID2USER.
21. Banner grabbing is a great enumeration technique. It can be done using telnet and netcat (the Swiss army knife of hacking tools).
22. SNMP is used to manage IP-enabled devices on the network. Every device on the network has an SNMP agent which answers the queries sent by a central management unit, using the information stored in the MIB (management information base).
23. SNMP uses a community string as a form of password. The read-only string is used for SNMP GET requests and the read/write string for SNMP SET requests.
24. The default read-only community string is public and the default read/write string is private.
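The flag table in item 12 and the ping-sweep definition in item 4 are exactly what a defender reverses when looking for scans. The following is an added example, not a tool from these notes or from Nmap: a small detector that classifies probes by flag set and raises alerts over constructed packet records. The record format, the sample traffic and the thresholds are assumptions.

```python
"""Added example, not from the original notes: a small detector that applies the
notes' flag rules (items 10-12) and ping-sweep definition (item 4) to
constructed packet records. Record format and thresholds are assumptions."""
from collections import defaultdict

# Constructed packet records: (src, dst, proto, dport, flags). flags holds the
# single-letter TCP flag names used in the notes (S, A, F, P, U, R); it is empty
# for a NULL probe and unused for ICMP, which is assumed to be an echo request.
SAMPLE_PACKETS = (
    # one source pinging eight hosts in a row: a ping sweep
    [("10.0.0.5", f"192.168.1.{i}", "icmp", 0, "") for i in range(1, 9)]
    # the same source then sending lone SYNs to six ports on one host
    + [("10.0.0.5", "192.168.1.1", "tcp", p, "S") for p in (21, 22, 23, 25, 80, 443)]
    # a second source sending a NULL probe and an XMAS probe
    + [("10.0.0.9", "192.168.1.2", "tcp", 80, ""),
       ("10.0.0.9", "192.168.1.2", "tcp", 22, "FPU")]
    # ordinary client traffic: one web connection, should not alert
    + [("10.0.0.20", "192.168.1.1", "tcp", 443, "S"),
       ("10.0.0.20", "192.168.1.1", "tcp", 443, "A"),
       ("10.0.0.20", "192.168.1.1", "tcp", 443, "PA")]
)

PROBE_TYPES = {
    frozenset(): "NULL",
    frozenset("FPU"): "XMAS",
    frozenset("F"): "FIN",
    frozenset("A"): "ACK",
    frozenset("S"): "SYN",
}
STEALTH = {"NULL", "XMAS", "FIN"}


def classify_probe(proto, flags):
    """Name the probe type a packet's flag set corresponds to in the Nmap list."""
    if proto == "icmp":
        return "ECHO"
    return PROBE_TYPES.get(frozenset(flags), "OTHER")


def detect_scans(packets, port_threshold=5, host_threshold=5):
    """Return {source: sorted alerts} using three rules:
    - a NULL, XMAS or FIN probe is reported on its own (no normal client sends one);
    - SYN or ACK probes from one source to many ports of one host: port scan;
    - echo requests from one source to many hosts: ping sweep."""
    pinged = defaultdict(set)      # src -> hosts that received echo requests
    probed = defaultdict(set)      # (src, dst, kind) -> ports probed
    alerts = defaultdict(list)
    for src, dst, proto, dport, flags in packets:
        kind = classify_probe(proto, flags)
        if kind == "ECHO":
            pinged[src].add(dst)
        elif kind in STEALTH:
            alerts[src].append(f"{kind} probe to {dst}:{dport}")
        elif kind in ("SYN", "ACK"):
            probed[(src, dst, kind)].add(dport)
    for src, hosts in pinged.items():
        if len(hosts) >= host_threshold:
            alerts[src].append(f"ping sweep: {len(hosts)} hosts")
    for (src, dst, kind), ports in probed.items():
        if len(ports) >= port_threshold:
            alerts[src].append(f"{kind} scan: {len(ports)} ports on {dst}")
    return {src: sorted(found) for src, found in alerts.items()}


if __name__ == "__main__":
    for src, found in detect_scans(SAMPLE_PACKETS).items():
        print(src, "->", "; ".join(found))
```

The stealth probes fire on a single packet because no legitimate TCP stack emits a segment with no flags or with only FIN/URG/PSH, whereas SYN and ACK packets are normal traffic and only become suspicious once one source touches many ports on one host.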

Hacking Through the Network: Sniffers and Evasion
1. ARP poisoning is the process of changing ARP entries.
2. A NIC keeps listening to the medium; when a signal comes on the wire the NIC checks the incoming frames and, if the destination address is its own, starts processing the frame. A sniffer forces the NIC to collect all frames regardless of the address.
3. tcpdump sniffer:
   a. tcpdump -i eth1 keeps it in listening mode.
   b. tcpdump -i eth1 -w shaavd.txt writes the output to a file.
4. Sending lots of broadcasts across a switch in order to force it to send frames out to all recipients is called flooding.
5. One way to avoid ARP poisoning is to manually add the MAC of the default gateway on each device.
6. The best tool for ARP flooding is Cain and Abel.
7. An intrusion detection system looks for some kind of malicious behaviour in the packets and notifies the network admin.
8. Three kinds of IDS exist: signature based, where packets are matched against the available signatures and discarded if a match is found; behaviour based, where the IDS learns the everyday routine and discards the packet if something suspicious is found; and protocol based.
9. False positive: the IDS reports that an intrusion has happened, but in reality the traffic is fine.
10. False negative: the IDS thinks the traffic is fine and sends no report, when in reality an intrusion has happened.
11. Host IDS (HIDS) are software programs that usually reside inside a host and monitor only that host. Examples: Tripwire, Norton Internet Security.
12. A NIDS sits at the network perimeter and watches the packets entering and leaving the network.
13. Snort runs in three modes:
   a. Sniffer mode, which lets you watch the traffic in real time.
   b. Packet logger mode, which saves the packets to disk for review at a later time.
   c. NIDS mode, which monitors the packets entering and leaving the network and does exactly what you have asked it to do.
14. Snort rule sets include a protocol, a source address and port number, a destination address and port number, and a statement of what to write to the log.
15. alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"Telnet attempt..admin access"; content:"admin";)
    Please alert on any packet from an address not in my home network, using any source port number, intended for any address within my home network on port 23, that includes the ASCII string admin.
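To make the header/option split of item 14 and the negation in item 15 concrete, here is an added example that is not code from these notes or from Snort: a minimal evaluator that parses a rule in the shape of item 15 and runs it against constructed packets. It understands only the header fields the notes list and the msg/content options; the value of $HOME_NET and the sample packets are assumptions.

```python
"""Added example, not code from the original notes or from Snort: a minimal
evaluator for a rule in the shape of item 15. Only the header fields the notes
list and the msg/content options are understood; the $HOME_NET value and the
sample packets are constructed."""
import ipaddress
import re

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed value of $HOME_NET

RULE = ('alert tcp !$HOME_NET any -> $HOME_NET 23 '
        '(msg:"Telnet attempt..admin access"; content:"admin";)')

# action proto src sport direction dst dport (options)
HEADER = re.compile(r'(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(text):
    """Split a rule into its header fields and an options dictionary."""
    m = HEADER.match(text)
    if not m:
        raise ValueError("rule does not match the expected header layout")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for item in body.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def addr_matches(spec, ip):
    """Resolve 'any', '$HOME_NET' or a CIDR, honouring a leading '!' (negation)."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec == "$HOME_NET":
        hit = ipaddress.ip_address(ip) in HOME_NET
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec, port):
    """'any' or one port number, again with optional '!' negation."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or int(spec) == port
    return hit != negate


def rule_fires(rule, pkt):
    """pkt is a dict with proto, src, sport, dst, dport and payload (bytes)."""
    if pkt["proto"] != rule["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    content = rule["options"].get("content")
    return content is None or content.encode() in pkt["payload"]


# Constructed packets: only the first one should trigger the rule.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51000, "dst": "192.168.1.10", "dport": 23,
     "payload": b"login: admin\r\n"},        # outside -> inside, telnet, contains "admin"
    {"proto": "tcp", "src": "192.168.1.5", "sport": 51000, "dst": "192.168.1.10", "dport": 23,
     "payload": b"login: admin\r\n"},        # source is inside $HOME_NET: excluded by "!"
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51001, "dst": "192.168.1.10", "dport": 23,
     "payload": b"login: guest\r\n"},        # no "admin" in the payload
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51002, "dst": "192.168.1.10", "dport": 22,
     "payload": b"admin"},                   # wrong destination port
]


def matching_alerts(rule_text, packets):
    """Return the rule's msg once per packet that fires it."""
    rule = parse_rule(rule_text)
    return [rule["options"].get("msg", "") for p in packets if rule_fires(rule, p)]


if __name__ == "__main__":
    print(matching_alerts(RULE, SAMPLE_PACKETS))
```

The second packet is the one worth noticing: its payload would match, but the `!$HOME_NET` source qualifier excludes traffic that originates inside the home network, which is what item 15's "from an address not in my home network" means.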

16. Fool the security guy to get your things done, like flooding the network so that your packet goes in without notice.
17. IDS evasion techniques:
   a. Fragmentation: put some malicious payload on the SYN bit, which is usually ignored by the IDS.
   b. Packet generators can be used to generate a packet of our own kind.
18. If you receive an ACK flag and you don't have a log of a SYN packet in the firewall, then it is a malicious attempt.
19. HTTP tunneling is a firewall evasion technique: since port 80 is never blocked by the firewall, it can be used to carry the payload of other protocols.
20. The process of walking through the firewall to determine which ports are open is called firewalking. Tool: firewalk.
21. A firewall will not bother to inspect packets if they originate from inside the network.
22. packETH is a Linux tool designed to craft Ethernet packets for security testing.
23. A honeypot can be used to fool around with the attacker and to track them.
24. The best place to put the honeypot is inside the DMZ.
25. Back Orifice is a computer program designed for remote access administration on Windows operating systems. Port number used: 31337.
26. A stateful firewall not only checks the ACLs but also looks at packet behaviour, as in the case of an ACK attack where the SYN flag was not logged in the firewall.
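Items 18 and 26 describe the one piece of state a stateful firewall needs for this check: which connections were opened with a SYN. The following is an added example, not from these notes: the rule applied to a constructed packet sequence, where the packet format and flag letters are assumptions.

```python
"""Added example, not from the original notes: the stateful rule from items 18
and 26 applied to a constructed packet sequence. Packets are (src, sport, dst,
dport, flags) in arrival order; flag letters follow the notes (S, A, F)."""


def stateful_filter(packets):
    """Log every SYN's connection; drop an ACK-bearing packet (no SYN bit) whose
    connection was never opened with a logged SYN. Returns one decision per packet."""
    seen_syn = set()
    decisions = []
    for src, sport, dst, dport, flags in packets:
        # the same key for both directions of a connection
        key = frozenset({(src, sport), (dst, dport)})
        if "S" in flags:
            seen_syn.add(key)
            decisions.append("allow")
        elif "A" in flags and key not in seen_syn:
            decisions.append("drop: ACK without SYN")
        else:
            decisions.append("allow")
    return decisions


# Constructed traffic: one real connection plus two lone ACK probes.
SAMPLE_FLOW = [
    ("203.0.113.7", 51000, "192.168.1.10", 80, "S"),    # client opens a connection
    ("192.168.1.10", 80, "203.0.113.7", 51000, "SA"),   # server answers
    ("203.0.113.7", 51000, "192.168.1.10", 80, "A"),    # handshake completes
    ("203.0.113.7", 51001, "192.168.1.10", 22, "A"),    # lone ACK, no SYN logged
    ("203.0.113.7", 51002, "192.168.1.10", 23, "A"),    # lone ACK, no SYN logged
    ("203.0.113.7", 51000, "192.168.1.10", 80, "FA"),   # orderly close of the real connection
]


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_FLOW, stateful_filter(SAMPLE_FLOW)):
        print(pkt, "->", decision)
```

A stateless ACL that only allows "established" traffic by looking at the ACK bit would pass packets four and five; the SYN log is what lets the firewall tell a handshake's third packet apart from an ACK probe.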

Attacking a System
1. Passwords should be long, easy to remember, and changed frequently.
2. A password must not contain the user's name.
3. A password must contain enough characters: 9 is better, 7 is not good enough.
4. A password must contain an uppercase letter, a lowercase letter, a special symbol and numbers.
Password Attacks:
1. A passive online attack is where you actually sniff the traffic in order to obtain a password in transit (clear text, as in a telnet session), a man-in-the-middle attack, or a replay attack.
2. In a MITM attack the attacker re-sends the authentication request to the server on behalf of the client, routing all the traffic through the attacker's machine.
3. In a replay attack the entire authentication process is captured and replayed at a later time. The client is not part of this session.
4. Sidejacking: the process of hijacking passwords which are encrypted (SSL) by stealing the cookies exchanged between two systems (a replay-style attack).
5. Tools used for sidejacking: Hamster and Ferret.
6. An active online attack occurs when an attacker simply keeps typing passwords until one works. (Since the administrator account cannot be locked out, it is a good technique.)
7. Offline attack: occurs when the attacker steals a copy of the password file and works on it (SAM file).

8. Offline attacks can be done in three main ways:
   a. Dictionary attack: done using a list of passwords in a text file.
   b. Hybrid attack: take words from a list and substitute numbers and symbols for alphabetic characters.
   c. Brute force attack: every combination of numbers and letters is checked against the hash for a match.
9. Keylogging captures the keystrokes of users. Keyloggers can be software or hardware. Software ones are easy to detect with anti-virus; hardware ones are almost impossible to detect.
10. The last type of password attack is the non-electronic attack, which is nothing but social engineering.
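The policy rules in items 1 to 4 and the dictionary and hybrid attacks in item 8 are two sides of the same check: a password that survives the policy can still fall to a word list with substitutions. The following is an added example, not from these notes: a checker that applies the policy and then tests the candidate against a tiny constructed word list, both verbatim and after undoing hybrid-style substitutions. The word list and the substitution table are assumptions.

```python
"""Added example, not from the original notes: a password-policy check that
applies items 1-4 above and then tests the candidate against a tiny constructed
word list, both verbatim (dictionary attack) and with the digit/symbol
substitutions a hybrid attack would make. Word list and substitution table are
assumptions."""
import string

# Constructed stand-in for the text file a dictionary attack would read.
WORDLIST = {"password", "welcome", "summer", "letmein", "qwerty"}

# Assumed substitution table: the characters a hybrid attack swaps in for letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def hybrid_base(password):
    """Undo hybrid-style mutations: drop trailing digits/symbols, map leet
    characters back to letters, lower-case. 'P@ssw0rd123!' -> 'password'."""
    core = password.rstrip(string.digits + string.punctuation)
    return core.translate(LEET).lower()


def check_password(password, username, min_len=9, wordlist=WORDLIST):
    """Return the list of rules the password fails; an empty list means accepted."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems += [f"missing {name} character" for name, ok in classes.items() if not ok]
    if password.lower() in wordlist:
        problems.append("found in word list (dictionary attack)")
    elif hybrid_base(password) in wordlist:
        problems.append("word list entry with substitutions (hybrid attack)")
    return problems


if __name__ == "__main__":
    for pw, user in [("P@ssw0rd123!", "alice"), ("Welcome", "bob"),
                     ("alice2024", "alice"), ("Tr0ub4dor&3xylo", "bob")]:
        print(repr(pw), "->", check_password(pw, user) or "accepted")
```

The first sample is the instructive one: it satisfies every character-class rule in item 4, yet it is only a word-list entry with the substitutions item 8b describes, so the hybrid check is what rejects it.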

11. Windows 2000 and NT had the LM hash (LAN Manager), which converted all 14 characters to upper case, split them in half, hashed each half separately and combined the two for the output.
12. The LM hash value of seven blank characters will always be the same.
13. Kerberos is the technique used for authentication in current Windows OSes. It makes use of both symmetric and asymmetric keys. The process involves a KDC (key distribution center), AS (authentication service), ticket granting service (TGS) and ticket granting ticket (TGT). The client asks for a ticket (plain text); the server responds with a secret key protected by a hash of the password kept at both ends; the client decrypts the key and asks for a TGS ticket; the server responds and the client logs into the network.
14. There are 4 ways to get administrative access to a system:
   A. By cracking the admin password.
   B. By finding a vulnerability in the OS.
   C. By using a tool like Metasploit.
   D. Social engineering (by asking the user to run code for you, like sending something by mail and asking the user to click on it).
15. Alternate data streams under NTFS help hide one file inside another file.
16. Application log: if an application tries to access a file and the file is corrupted, an error is logged.
17. System log: registers system events like a driver failure and startup/shutdown times.
18. Security log: registers login attempts and activities regarding resources.
19. The best way to hide your tracks is not to delete the entire log but to be very selective: either deactivate the audit log for the application you are going to hit, or delete only the log entries which can reveal your identity. Another way to hide tracks is to corrupt the log file.
20. Rootkits are a collection of software put in place by an attacker, designed to obscure (hide) a system compromise. If properly installed on a system, a rootkit can be an asset to the hacker by hiding their identity and can also act as a backdoor for future use.
There are three types of rootkits:
   A. Application level: replaces application files with backdoored binaries.
   B. Kernel level: replaces kernel code with backdoors; hard to detect.
   C. Library level: makes use of system-level calls to hide their existence.

Tools such as Tripwire can be used to reveal these kinds of rootkits.
21. Read, write and execute permissions are assigned through the chmod command; the values can be seen through the ls -l command. Syntax: chmod 464 file1, where 4 represents read only for the user, 6 represents read and write for the group and 4 represents read only for other users; 1 represents execute.
22. Passwords in Linux are stored in either /etc/passwd or /etc/shadow. /etc/passwd is clear text and can be read by anyone who has access to it; /etc/shadow is encrypted and can only be read by root.
23. A tar file is the zip-like archive that holds the installation files; it can be unpacked using the gzip command.
24. Linux has a built-in compiler, the GNU Compiler Collection (GCC), which can be used to compile C, C++ and FORTRAN code.
25. Hardening the Linux system:
   A. Place the Linux servers in a secured location.
   B. Deactivate services such as FTP, TFTP and remote access which could be dangerous.
   C. Always change the root password frequently, and restrict root access to certain locations so that remote root access cannot be done.
   D. Use a HIDS like Tripwire, which can notify us about what is currently happening on the systems.
   E. Log file monitoring, as in Windows, is also a good practice (/var/log).
   F. Use vulnerability scanners like Nessus.
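Items 21, 22 and 25 lend themselves to a small self-check a hardening pass would run. The following is an added example, not from these notes: a renderer that turns a chmod digit string into the rwx form ls -l shows, and an account audit over constructed /etc/passwd and /etc/shadow contents. The file contents, account names and hash strings are made up placeholders.

```python
"""Added example, not from the original notes: a permission-digit renderer for
item 21 and a small account audit over constructed /etc/passwd and /etc/shadow
contents for items 22 and 25. The file contents and hash values are made up."""


def mode_to_rwx(octal_text):
    """Render a chmod-style octal mode ('464') the way ls -l displays it."""
    bits = int(octal_text, 8)
    out = []
    for shift in (6, 3, 0):                # user, group, others
        triple = (bits >> shift) & 0o7
        out.append("r" if triple & 4 else "-")
        out.append("w" if triple & 2 else "-")
        out.append("x" if triple & 1 else "-")
    return "".join(out)


# Constructed file contents; the hash fields are placeholders, not real digests.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$1$abcd$PLACEHOLDERHASH:1001:1001:Old account:/home/legacy:/bin/sh
backup2:x:0:0:Backup:/root:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
"""

SHADOW = """\
root:$6$PLACEHOLDER$roothash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$PLACEHOLDER$alicehash:19000:0:99999:7:::
backup2:$6$PLACEHOLDER$backuphash:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


def audit_accounts(passwd_text, shadow_text):
    """Flag the conditions a hardening pass should catch: a hash kept in the
    world-readable /etc/passwd, an empty password field, a UID 0 account other
    than root, and a login-capable account whose /etc/shadow entry is empty."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, hash_field = line.split(":")[:2]
            shadow[name] = hash_field
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if pw == "":
            findings.append(f"{name}: empty password field in /etc/passwd")
        elif pw not in ("x", "*", "!"):        # 'x' defers to shadow; '*' and '!' are locked
            findings.append(f"{name}: password hash stored in world-readable /etc/passwd")
        if uid == "0" and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
        login_capable = not shell.endswith("nologin")
        if pw == "x" and login_capable and shadow.get(name, "*") == "":
            findings.append(f"{name}: empty password in /etc/shadow on a login-capable account")
    return findings


if __name__ == "__main__":
    print("chmod 464 ->", mode_to_rwx("464"))
    for finding in audit_accounts(PASSWD, SHADOW):
        print(finding)
```

The audit runs on file contents passed in as strings, so it can be pointed at copies collected from a host without needing root on the machine running it; reading the real /etc/shadow still requires root, as item 22 says.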

Social Engineering
Human-based attacks:
1. Dumpster diving: find something useful in trash bins, like user passwords written down as reminders or a network diagram.
2. Impersonation: act as a valid employee of the company to get access to restricted areas.

3. Technical support: act as a helpdesk guy and ask employees for their password, or call the helpdesk agent and ask them to reset the password for someone.
4. Shoulder surfing: a technique to see what your colleague is typing.
5. Tailgating and piggybacking: in tailgating a person acts as a valid employee with a fake badge and asks other employees to open the door for him, whereas in piggybacking the person has no badge but convinces the other person by saying he has left his badge on the desk.
Reverse social engineering: in this case the victim actually calls the attacker for help. It has three steps:
   A. Advertisement: the attacker advertises himself as a technical support guy.
   B. Sabotage: the attacker does some attack which makes the system unresponsive.
   C. Support: the victim calls the attacker to help sort out the problem, and the attacker asks for the victim's credentials.
Computer-based attacks:
   A. Phishing attack: crafting an email which looks legitimate but links to fake websites which steal the user's sensitive information. A sign-in seal is a technique used to fight this kind of phishing: an image or secret message is used for communication with the site, and since it is stored locally on the computer it is hard to spoof.
   B. Many attackers make use of code to create pop-up windows that users unknowingly click.
   C. Another attack is done through chat and messenger channels, where the attacker actually transfers malicious code.
Physical security measures have three components:
6. Physical measures include all the things you can touch, taste or smell, like locks and fences.
7. Technical measures include things which involve technology, like smartcards, biometrics and authentication.
8. Operational measures include the policies and procedures you set up to enforce security-oriented operation, like background checks on employees.
9. Access controls are physical measures designed to prevent access to restricted areas.
10. Biometric systems are measured by two main factors:
   A. False rejection rate: where a legitimate user is rejected.

   B. False acceptance rate: where an unauthorized user is allowed in.
These two are usually graphed, and the point where they cross, called the crossover error rate (CER), becomes the ranking method to decide how well the system works. If one system has a CER of 4 and another has a CER of 2, the system with CER 2 is the better solution.
Man trap: this has two doors; the first door locks as soon as a person passes inside the room, and the person must then provide some kind of authentication, like a PIN, so that the second door opens.
11. For the protection of data at rest, McAfee Endpoint Protection can be used, which encrypts data at the sector level and forces pre-boot authentication.
12. It is always good to have layered security: access controls at each door, a security guard, and, after getting inside the building, technical controls like authentication measures.
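Item 10 says the CER is read off where the FAR and FRR curves cross. The following is an added example, not from these notes: it computes that crossover by linear interpolation over constructed FAR/FRR measurements for two hypothetical systems and ranks them as the notes describe. The threshold tables and system names are made up.

```python
"""Added example, not from the original notes: find the crossover error rate
(CER) of a biometric system from constructed (threshold, FAR, FRR) rows and
rank two systems by it, lower CER being better. The data is made up."""


def crossover_error_rate(curve):
    """curve: rows of (threshold, FAR, FRR) sorted by threshold, with FAR
    falling and FRR rising as the threshold tightens. Returns (threshold, CER)
    at the point where FAR == FRR, linearly interpolated between the two rows
    that bracket the crossing."""
    for (t0, far0, frr0), (t1, far1, frr1) in zip(curve, curve[1:]):
        d0, d1 = far0 - frr0, far1 - frr1
        if d0 == 0:                       # an exact crossing on a measured row
            return t0, far0
        if (d0 > 0 > d1) or (d0 < 0 < d1):  # sign change: crossing lies between the rows
            frac = d0 / (d0 - d1)
            return t0 + frac * (t1 - t0), far0 + frac * (far1 - far0)
    t_last, far_last, frr_last = curve[-1]
    if far_last == frr_last:
        return t_last, far_last
    raise ValueError("FAR and FRR never cross in the supplied threshold range")


# Constructed measurements (rates in percent) for two hypothetical systems.
SYSTEMS = {
    "system A": [(0.1, 20.0, 0.5), (0.3, 12.0, 1.0), (0.5, 6.0, 3.0),
                 (0.7, 2.0, 8.0), (0.9, 0.5, 15.0)],
    "system B": [(0.1, 10.0, 0.2), (0.3, 6.0, 1.0), (0.5, 3.0, 2.0),
                 (0.7, 1.0, 4.0), (0.9, 0.2, 9.0)],
}


def rank_by_cer(systems):
    """Return [(CER, name), ...] best system first."""
    return sorted((crossover_error_rate(curve)[1], name) for name, curve in systems.items())


if __name__ == "__main__":
    for cer, name in rank_by_cer(SYSTEMS):
        print(f"{name}: CER = {cer:.2f}%")
```

With these numbers system A crosses at about 4.67% and system B at 2.5%, so B ranks first; the interpolation matters because vendors rarely publish a row where FAR and FRR are exactly equal.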

Web-Based Hacking: Servers and Applications
1. There are two main web servers available in the market:
   a. Apache.
   b. IIS Server, which is bundled with Windows machines.
2. When a client sends a request to the server, a CGI program hands the request over to the proper application running on the server: if the request is for a web page HTTP is used, if it is a mail request SMTP comes into the picture.
3. Directory traversal (the ../ attack) is one form of attack where you ask the server for a folder it should not expose.
4. DT is fairly noisy and an IDS can easily find these attacks, since several signatures are available for the ../ pattern.
5. One method to get around the IDS is to use Unicode/URL-encoded strings: %2e represents a . and %2f represents a /.
6. Parameter tampering is the process of manipulating what appears in a URL.
7. URL obfuscation is a technique in which you actually type the decimal equivalent of the IP address.
8. Web application attacks involve injecting malicious code into the input string:
   a. File injection: injects a pointer in the web form input to an exploit hosted on a remote site.
   b. Command injection: inserts commands instead of the expected text string.
   c. Shell injection: the attacker attempts to gain shell access using Java.

9. SQL injection is a technique to exploit a web application. Many tools are available to help with this, like sqlmap, sqlninja and Havij.
10. XSS is a technique in which, when a user enters some data into the web form, the server acts in a different way than intended.
11. One XSS attack is getting access to document.cookie, which holds the session information stored in the user's browser, and sending it to a remote host.
12. Buffer overflows require a lot of programming experience and are hard to execute with modern technology. You input more data than the buffer is allocated to hold.
   a. StackGuard is a technology to guard against stack overflows.
13. Cookies are sent by the web server in the HTTP response to the client's request and contain sensitive information such as authentication details and session info.
14. The Cookie Editor add-on for Firefox helps in manipulating the text in a cookie file.
15. Cookies can be used to change pricing options and even to authenticate to the server.
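Items 3 to 5 explain why a signature that only looks for the literal string ../ misses encoded variants: the detector has to decode first and then decide whether the path climbs above the web root. The following is an added example, not from these notes: a checker that percent-decodes repeatedly (so double encoding is undone too) and then walks the path segments. The sample request paths are constructed.

```python
"""Added example, not from the original notes: detect directory-traversal
request paths (items 3-5) by decoding %-escapes, including double encoding,
and then walking the path segments. Sample paths are constructed."""
from urllib.parse import unquote


def fully_decode(path, max_rounds=3):
    """Percent-decode until the value stops changing, so %252e -> %2e -> ."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(request_path):
    """True when the decoded, normalised path would climb above the web root.
    Backslashes are treated as separators as well, since some servers do."""
    decoded = fully_decode(request_path).replace("\\", "/")
    depth = 0
    for segment in decoded.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:          # more '..' than directories entered: escaped the root
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def flag_requests(paths):
    """Return the subset of request paths that attempt traversal."""
    return [p for p in paths if is_traversal(p)]


# Constructed request paths: three benign, three traversal attempts.
SAMPLE_REQUESTS = [
    "/images/logo.png",
    "/docs/../docs/index.html",                          # '..' that stays inside the root
    "/../../etc/passwd",
    "/static/%2e%2e/%2e%2e/etc/passwd",                  # the %2e encoding from item 5
    "/static/%252e%252e%252f%252e%252e%252fetc/passwd",  # double encoded
    "/a/b/../c",
]


if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        print("TRAVERSAL" if is_traversal(p) else "ok       ", p)
```

The second sample is the edge case worth keeping in a test suite: it contains ../ and so trips a naive substring signature, yet it never leaves the web root, so a depth-based check reports it as benign.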
