Ethical Hacking

ETHICAL HACKING
----- To Stop a Hacker is to think Like One!

Presented by: Abhijeth Dugginapeddi, Dept Of Information Technology, Gitam University. Visakhapatnam. Email:abhijeth0423@gmail.com

Ethical Hacking

Introduction to Hacking:
"Hacking" is the word that shakes everyone whenever it is said or heard by someone. Everyone born in this world with attitude wants to be a Hacker. But it is not a job of a new born baby or an old grown lady. A Hacker needs a brilliant mind to hack anything. His skills should be so powerful that no other hacker can hack him. A Hacker doesn't need a software to hack. There are many rules that he should learn to become an Ethical Hacker. These rules include knowledge of HTML, JavaScripts, Computer Tricks, Cracking & Breaking etc.etc.

Argument: Many hackers argue they follow an ethic that guides their behavior and justifies their break-ins. They state that all information should be free, and hence

there is no such thing as intellectual property, and no need for security. Counterargument: If all information should be free, privacy is no longer possible. Additionally, our society is based on information whose accuracy must be assured, hence free and unrestricted access to such information is out of the question. Also, information 2

Ethical Hacking is often collected and developed at great expense.

Types of Hackers!

History:
Kevin Mitnick, often incorrectly called by many God of hackers, broke into the computer systems of the World's top technology and telecommunications companies Nokia, Fujitsu, Motorola, and where he is a Wanted man. The next hearing in the case is slated for today.Sun Micro systems. He was arrested by the FBI in 1995, but later released on parole in 2000. He never termed his activity hacking, instead he called it social engineering. November 2002 Englishman Gary McKinnon was arrested in November 2002 following an accusation that he hacked into more than 90 US military computer systems in the UK. He is currently undergoing trial in a British court for a fasttrack extradition to where he is where he is a Wanted man. The next hearing in the case is slated for today.a Wanted man. The next hearing in the case is slated for today.the US where he is a Wanted man. The next hearing in the case is slated for today.

White Hat Hacker- Also

referred as Ethical Hacker or sometimes called as Sneakers. A White Hat Hacker mainly focuses on securing corporate Network from outsider threat. They are with good intention who fight against Black Hat.

Black Hat Hacker- Also

referred as Cracker. A Black Hat Hacker's intention is to break into others Network, and wish to secure his own machine. They often uses different techniques for breaking into systems which can involve advanced programming skills and social engineering.

Grey Hat Hacker- They are

Skilled Hacker who sometimes act legally and sometime not. In simple word you may call a Grey Hat hacker as Hybrid between White Hat and

Ethical Hacking Black Hat hacker Hacker: Brilliant programmer The positive usage of hacker. One who knows a (sometimes specified) set of programming interfaces well enough to write software rapidly and expertly. This type of hacker is well-respected, although the term still carries some of the meaning of hack, developing programs without adequate planning. This zugzwang gives freedom and the ability to be creative against methodical careful progress. Types of hackers in this sense are gurus and wizards. "Guru" implies age and experience, and "wizard" often implies particular expertise in a specific topic, and an almost magical ability to perform hacks no one else understands. Hacking Methods! your Fake Yahoo Account.

Brute Force Hack- Brute Force

Hack is a Hacking which takes much time to get Password of the Victim and it needs a Hacker to learn about JavaScripts and all the non-sense.

Fake Login Hack- Fake Login

Hack is the Hacking used by most of you for your goal by creating a Fake Login Page and telling your friends to login there and the Password would come to you.

Cookie Steal Hack- Cookie Steal

Hack is somewhat similar to Fake Login Hack as you prepare a Cookie Stealer and tell your friends to open your Cookie so that his Password would come to you.

Phising Method- Phising is

the method that you are familiar with. You create a Fake Account and ID in yahoo and fool your friends by telling them to send the victim's ID, their own ID and their own Password in

Web Mail Hack- Web Mail Hack

is the toughest method to learn for Hacking as it also needs a Hacker to learn about JavaScripts, Computer Tricks and much 4

Ethical Hacking more and ther is also a software for this type of Hack.

Phising represents the act of creating fake pages of

popular social web sites (YouTube, Facebook, MySpace, Windows Live Messenger), auction sites (eBay), online banks (Wells Fargo, Bank of America, Chase), online payment processors (PayPal), or IT Administrators (Yahoo, ISPs, corporate),or any mail sites like GMAIL,YAHOOMAIL indeed everything. For example, we can see a fake page of a famous social networking site ORKUT in the below figure..

pages so that when ever we type in our details and click on submit we do not get logged into orkut but actually give away our account details. Let us see how this page is created. First the login page of orkut is saved onto out local system. If we view the page source and search for a word action it appears like this..

It looks

like an original orkut login page but it is fake

So whenever we click submit the url https://www.google.com/ accounts/ServiceLoginA uth?service=orkut is called so instead of that we can create another file and do our own action. So for that we create a file with the following code.

Ethical Hacking

This is saved as login.php.Whenever this file is called the username and password are stored in a file called victim.php. To call the login.php file in the place of https://www.google.com/ accounts/ServiceLoginA uth?service=orkut We write login.php so that login.php is called. Now the source code of the fake login page appears as:

The files are hosted and whenever a user thinking it to be orkut login page submits his username and password, they are stored in a file called victim.html.

PREVENTION:
So prevent such attacks it is sufficient if we just see the source code and find the word action and see the task related to it.

Email spoofing:
This represents the act of fake emails that we receive in our mail box saying that they are from some higher authority and ask for your username and password. This can also be associated to phising. For
6

Ethical Hacking

example, if we consider the orkut hacking, a mail says that it is from orkut team and asks us to confirm something and they give you a link to do that. This link indeed redirects to the fake orkut login page. So if we think it is the orkut main page and submit our information our account is hacked.

How long will it take to attempt each key? Is there a mechanism which will lock the attacker out after a number of failed attempts?

Increasing Security against a Brute Force Attack

From the example above, account security could be increased by: Increasing the length of the password. Allowing the password to contain characters other than numbers, such as * or # Imposing a 30 second delay between failed authentication attempts. Locking the account after 5 failed authentication attempts. Key logging:
Keystroke logging (often called key logging) is a method of capturing and recording user keystrokes. The technique and name came from before the era of the graphical user interface; loggers nowadays would expect to capture mouse operations and screenshots.

Brute force attacks:

A brute force attack consists of trying every possible code, combination, or password until you find the right one. The hacker tries out different combinations of dictionary to match the username and password. So if they match, the account is under control of the hacker. The difficulty of a brute force attack depends on several factors, such as: How long can the key be? How many possible values can each component of the key have?

A hacker when has access to the victims system installs a key logger or if he has no access he makes the user believe the key logger is
7

Ethical Hacking

some trusted application and makes him install it. It records all the users activities (which also include usernames and passwords) in a local file called log file. The hacker somehow receives the log file and hence the victims system is hacked.

Key Logger: Keystrokes to an encrypted file which can then be read later. Based on the order of the keystrokes, it is usually easy to identify the password(s) from the file later. Like the Trojan, this also requires that someone actually type the password. Keyloggers come in two types: hardware and software. A hardware keylogger can be fitted between the keyboard cable and the computer and can be activated with a few keystrokes. It is then left in place until after the password that you are looking to recover is typed. Later it is removed and the file of keystrokes is examined for the password. A hardware keylogger is undectable by anti-virus software. A software keylogger is installed on a system and effectively has the same function, however, it is a little bit more complex to use since

it must be installed to run stealthily to be effective. A keylogger could be used to steal a password from someone who is using an office computer or sharing a computer. It is possible that installing and using such a device or piece of software could be illegal depending upon whether the target has a presumption of privacy when using the computer on which the keylogger is installed.

Packet sniffing:
A sniffer is a piece of software thats grabs information packets that travel along a network. That network could be running a protocol, such as Ethernet,TCP/IP,IPX or others. The purpose of sniffer is to place the network interface into promiscuous mode and, by doing so ,capture all network traffic. Looking into packets can reveal information like usernames,passwords,ad dress or the contents of e-mails.

Basic needs for hacking !!!

8

Ethical Hacking few batch files. 5. Port scanning. ( download blues port scanner if it's your first time) 6. Learn a few programming languages HTML,C++,Python,Perl.... (i'd recommend learning html as your first lang) 7. How to secure yourself (proxy,hiding ip etc) 8. FTP 9. TCP/Ip , UDP , DHCP , 10. Get your hands dirty with networking 11. Learn diassembler language (its the most basic language for understanding machine language and very useful to ubderstand when anything is disassembled and decoded) 12. Learn to use a Unix os. (a Unix system is generally loaded with networking tools as well as a few hacking tools) 13. Learn how to use Exploits and compile them. (Perl and c++ is must)

u learn about computers in as much detail as you can- now most people willl disagree with this but the first thing you should do is learn HTML this way you will knowhow to make decent websites. you may wonder why? because hacking is knowing ecverything about a cpmputer an usingthat knowledge to get what you want. Now after you have done this you can start on this list of things to do. Code: 1. Learn about hardware basicly how your computer works. 2. Learn about different types of software. 3. Learn DOS.(learn everything possible) 4. Learn how to make a

Hacking Windows XP!

* Boot the PC in Safe Mode by pressing the F8 key. * Select the Safe Mode option, now you can now Login as an Administrator and XP won't prompt for the

Password. * Try rebooting the PC in DOS. * Now, Access to C:\Windows\system32\co nfig\Abhi * Rename Abhi as abhi.mj.

Ethical Hacking * Now XP won't ask for Password next time you Login. * Now, again go to Start menu --> Run. * Type there cmd prompt. * Type net user *, It will list all the users. * Again type net user "administrator" or the name of the administrator "name" *. * It will ask for the password. Type the password and there you are done. * Hold the Ctrl+Alt key and press Del twice. This will bring up the normal login and you can log on as Administrator. To unhide the Administrator account so it does show up. * Again go to Start --> Run --> regedit. * Go to HKEY_LOCAL_MACHI NE --> SOFTWARE --> Microsoft --> Windows NT --> CurrentVersion --> Winlogon --> SpecialAccounts --> UserList. ---Web site defacing ---ISPs ---DDOS ---Access ---Credit cards ---Computer control ---Home computers ---Business ---Data bases ---Software theft ---Hacktivism ---Computer time ---Theft of intellectual property ---Riding the Bullet

Conclusion:
Hacking is now a issue that does not have any conclusion.The only way we can stop an hacker is by learning hacking.By learning we can read the minds of a hacker which enables us to know the reality.Hacking is not a crime but it is made a crime by mis using the knowledge of programming. Every hacker is a perfect programmer even more than a normal programmer. Everyone should know the ethics of hacking and follow them.

Hackers Goals: ---Corporate

espionage ---Infowarfare

10

Ethical Hacking

11

Ethical Hacking

12