Glimpse on Computer Security: A Presentation by Sumit Dimri

AGENDA

- SECURITY
- GOOGLE HACKING
- SNIFFERS
- ARP SPOOFING
- STEGANOGRAPHY
- SOCIAL ENGINEERING
- HACKING WEB SERVER

Network Security

A Brief History of the World

Overview

- What is security?
- Why do we need security?
- Who is vulnerable?

What is “Security”

Dictionary.com says:
1. Freedom from risk or danger; safety.
2. Freedom from doubt, or fear; confidence.
3. Something that gives or assures safety, as:
   1. A group or department of private guards: Call building security if a visitor acts suspicious.
   2. Measures adopted by a government to prevent attack.
   3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.
…etc.

Why do we need security?

- Protect vital information while still allowing access to those who need it
  - Trade secrets, medical records, etc.
- Provide authentication and access control for resources

Who is vulnerable?

- Financial institutions and banks
- Internet service providers
- Government and defense agencies
- Contractors to various government agencies
- Multinational corporations
- ANYONE ON THE NETWORK

Security related URLs

- http://www.robertgraham.com/pubs/network-intr
- http://online.securityfocus.com/infocus/1527
- http://www.snort.org/
- http://www.cert.org/
- http://www.nmap.org/
- http://grc.com/dos/grcdos.htm
- http://lcamtuf.coredump.cx/newtcp/

Google Hacking

- Plays a very important role in collecting information about the target.
- Google has a variety of special search syntaxes.
- List of employees, their personal details.
- Sometimes simple searches yield personal pages and non-authorized information.
- Google can assist an ethical hacker in many ways.

What is Google?

- A powerful full-text search engine that indexes over 10 billion websites
- A tool
- A site that has launched a vocabulary all its own

How does Google™ work?

The special syntaxes

INTITLE
intitle: restricts your search to the titles of web pages.
intitle:"HACKING"

INURL
inurl: restricts your search to the URLs of web pages. This syntax tends to work well for finding search and help pages because they tend to be rather regular in composition.
inurl:hacking

SITE
site: allows you to narrow your search by either a site or a top-level domain.
site:edu

LINK
link: returns a list of pages linking to the specified URL. Enter link:www.orkut.com and you’ll be returned a list of pages that link to Orkut.

FILETYPE
filetype: searches the suffixes or filename extensions.
filetype:ppt google hacking

15-441 Networks Fall 2002 23
What are Sniffers?

- Sniffers monitor network data.
- Sniffers usually act as network probes or “snoops”, examining network traffic but not intercepting or altering it.
- Ettercap is the best tool for sniffing.

ARP Spoofing

- Getting max internet speed using ARP spoofing.

ARP POISONING: arp -a
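
arp -a prints the local ARP cache, and a poisoned cache typically shows one MAC address answering for several IP addresses, the gateway among them. The check below is an added example, not part of the original slides; the sample output, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output (Linux net-tools layout).
SAMPLE_ARP_OUTPUT = """\
gateway (192.168.1.1) at 00:0c:29:5e:11:aa [ether] on eth0
? (192.168.1.23) at 3c:52:82:10:9f:01 [ether] on eth0
? (192.168.1.42) at 00:0c:29:5e:11:aa [ether] on eth0
? (192.168.1.77) at <incomplete> on eth0
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Accepts both aa:bb:cc:dd:ee:ff (Unix) and aa-bb-cc-dd-ee-ff (Windows).
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

def parse_arp_table(text):
    """Return {ip: mac} for every resolved entry in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not ip or not mac:
            continue  # headers, interface lines, <incomplete> entries
        mac = mac.group(1).lower().replace("-", ":")
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue  # broadcast and multicast entries are shared by design
        table[ip.group(1)] = mac
    return table

def find_shared_macs(table):
    """Return {mac: [ips]} for MACs that answer for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_is_suspect(table, gateway_ip):
    """True when another host's IP maps to the same MAC as the gateway."""
    mac = table.get(gateway_ip)
    return mac is not None and any(
        ip != gateway_ip and m == mac for ip, m in table.items())

if __name__ == "__main__":
    arp = parse_arp_table(SAMPLE_ARP_OUTPUT)
    print(find_shared_macs(arp), gateway_is_suspect(arp, "192.168.1.1"))
```

A shared MAC is a lead, not proof: proxy ARP and hosts with several addresses on one interface produce the same pattern, so compare against the gateway's known hardware address.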

What is Steganography?

- The process of hiding data in images is called Steganography.
- Attackers can embed information such as:
  - Source code for hacking tool.
  - List of compromised servers.
  - Plans for future attacks.

What Is Social Engineering

- Social engineering is the human side of breaking into a corporate network.
- An employee may unwittingly give away key information in an email or by answering questions over the phone with someone they don’t know.

Art Of Manipulation

- The goal of a social engineer is to trick someone into providing valuable information or access to that information.
- It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people and the fear of getting in trouble.

Human Weakness

- People are usually the weakest link in the security chain.
- Social engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.

Human Based Social Engineering

- Human based social engineering can be broadly categorized into:
  - Technical support
  - Third person approach
  - Dumpster Diving
  - Shoulder Surfing

Computer Based Social Engineering

- These can be divided into the following categories:
  - Mail attachments
  - Websites
  - Spam Mail

Reverse Social Engineering

- A more advanced method of gaining illicit information is known as “reverse social engineering”.
- This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around.

Hacking Web Servers

Popular web servers

- Apache web server
- IIS Web server
- Sun ONE web server

Invading PHP server

Sites with PHP 4.4 have a SQL injection vulnerability in them which makes their Admin control panel easily accessible. This tutorial is applicable on PHP 4.4 machines with Apache running in parallel with them.

Steps for web hacking

1. Search the server
   - Make a Google dork to find sites running Apache and PHP 4.4.
2. Scan the server
   - Start by scanning them using Nmap. Do an intense scan and find the open ports. If you find port 2000 open, then you have almost got it. Most websites running PHP 4.4 have this port for admin login.

Now just log in using port 2000:
http://www.website.com:2000
And you will comfortably log in to the admin page, like this:

3. Hack the site
Now in the fields, you have to type:
Username – admin
Password – a’ or 1=1 or ‘b
Domain - a’ or 1=1 or ‘b
And press go; you will log in to admin.
Now you have hacked into admin. Actually, sites based on PHP 4.4 have the vulnerability in them that they are vulnerable to SQL injection. It will literally take 20 seconds.
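
The input in step 3 logs in only where the login code pastes form fields straight into the SQL string. The added example below (not from the original slides) reproduces that with Python's sqlite3 next to the parameterized query that rejects the same input; the admins table, its contents and the function names are assumptions made for illustration.

```python
import sqlite3

# The step 3 password field, typed with plain ASCII quotes.
SLIDE_INPUT = "a' or 1=1 or 'b"

def make_db():
    """Constructed in-memory table standing in for an admin login store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    # Plaintext only to keep the demo short; real systems store salted hashes.
    db.execute("INSERT INTO admins VALUES ('admin', 's3cret-constructed')")
    return db

def build_concatenated_sql(username, password):
    """Vulnerable pattern: user input becomes part of the SQL text."""
    return ("SELECT COUNT(*) FROM admins WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_concatenated(db, username, password):
    # With SLIDE_INPUT the WHERE clause parses as
    #   (username = 'admin' AND password = 'a') OR 1=1 OR 'b'
    # and the middle term is true for every row.
    return db.execute(build_concatenated_sql(username, password)).fetchone()[0] > 0

def login_parameterized(db, username, password):
    """Hardened pattern: input is bound as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM admins WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    print(build_concatenated_sql("admin", SLIDE_INPUT))
    print("concatenated :", login_concatenated(db, "admin", SLIDE_INPUT))
    print("parameterized:", login_parameterized(db, "admin", SLIDE_INPUT))
```

The same separation of query text and data is what prepared statements provide in PHP; the server version does not matter once inputs are bound as parameters.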
Thanks for your time
