cyber security


UNIT-IV

TOOLS AND METHODS USED IN CYBERCRIME


INTRODUCTION:

Basic Stages of an Attack:


The basic stages of an attack are described here to show how an attacker can compromise a network:
1. Initial uncovering:
 Two steps are involved here.
 In the first step, called reconnaissance, the attacker gathers as much information as possible about the target by legitimate means.
Example: searching for information about the target on the Internet, by Googling, on social networking websites and on people-finder websites. If the target is an organization/institute, information can also be gathered by surfing its public websites and searching news articles and press releases.
 In the second step, uncovering information, the attacker uncovers as much information as possible about the company's internal network.
Example: Internet domain, machine names and the company's Internet Protocol (IP) address ranges.
2. Network probe:
 At the network probe stage, the attacker uses more invasive techniques to scan for information.
 A "ping sweep" of the network IP addresses is performed to seek out potential targets, and then a "port scanning" tool is used to discover exactly which services are running on the target system.
 At this point, the attacker has still not done anything that most networks would flag as abnormal activity; a scan looks much like ordinary traffic unless the network is specifically watching for one source touching many hosts or many ports in a short time.
3. Crossing the line toward electronic crime (e-crime):
 Here the attacker moves toward committing what is technically a "computer crime." The attacker does this by exploiting possible holes on the target system.
 The attacker usually goes through several stages of exploits to gain access to the system. Certain programming errors can be used by attackers to compromise a system and are quite common in practice.
 Exploits usually target vulnerabilities in common gateway interface (CGI) scripts, or well-known buffer overflow holes.
 Attackers who have found the easiest way in, access to a user account with few privileges, will then attempt further exploits to obtain administrator or "root" access to all files on the system.
4. Capturing the network:
 At this stage, the attacker attempts to "own" the network. The attacker gains a foothold in the internal network quickly and easily by compromising low-priority target systems.
 The next step is to remove any evidence of the attack. The attacker will usually install a set of tools that replace existing files and services with Trojaned versions and with services that have a backdoor password.
 There are a number of "hacking tools" which can clean up log files and remove any trace of an intrusion.
 Once the attacker has a backdoor entry into the system, he/she will then repeat the process, using the system as a stepping stone to access other systems deeper within the network, as most networks have fewer defenses against attacks from internal sources.

5. Grab the data:
 Here the attacker, having "captured the network," takes advantage of it to steal confidential data and customer credit card information, deface web pages, alter processes and even launch attacks at other sites from the compromised network, causing a potentially expensive and embarrassing situation for an individual and/or for an organization.
6. Covering tracks:
 This is the last step in any cyberattack, and refers to the activities undertaken by the attacker to extend misuse of the system without being detected.
 The attacker can remain undetected for long periods, and uses this phase either to start a fresh reconnaissance of a related target system or to continue using the system's resources, while removing evidence of the hacking and thereby avoiding legal action.
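The network probe stage (ping sweep, then port scan) is the point where a defender has the best chance of noticing the attacker, because one source contacting many hosts or many ports within a few seconds is unlike normal traffic. The following is an added example for these notes, not code from the original text: a small detector run over constructed connection-log lines. The log format (one key=value line per connection attempt or ICMP echo, with an ISO-8601 UTC timestamp), the sample addresses, the 10-second window and the thresholds are all assumptions made for the example.

```python
"""Detect the 'network probe' stage (ping sweep, port scan) in connection logs.

Added example for these notes, not code from the original page. The log
format is an assumption: one line per connection attempt or ICMP echo,
key=value fields, ISO-8601 UTC timestamp. Sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: dport=(?P<dport>\d+))? proto=(?P<proto>\w+)"
)

# Constructed sample log: 10.0.0.5 pings four hosts, then probes six ports on
# 10.0.0.20 within a few seconds; 10.0.0.9 is an ordinary client.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=10.0.0.5 dst=10.0.0.20 proto=icmp
2024-05-01T10:00:00Z src=10.0.0.5 dst=10.0.0.21 proto=icmp
2024-05-01T10:00:01Z src=10.0.0.5 dst=10.0.0.22 proto=icmp
2024-05-01T10:00:01Z src=10.0.0.5 dst=10.0.0.23 proto=icmp
2024-05-01T10:00:02Z src=10.0.0.9 dst=10.0.0.20 dport=443 proto=tcp
2024-05-01T10:00:05Z src=10.0.0.5 dst=10.0.0.20 dport=21 proto=tcp
2024-05-01T10:00:05Z src=10.0.0.5 dst=10.0.0.20 dport=22 proto=tcp
2024-05-01T10:00:06Z src=10.0.0.5 dst=10.0.0.20 dport=23 proto=tcp
2024-05-01T10:00:06Z src=10.0.0.5 dst=10.0.0.20 dport=25 proto=tcp
2024-05-01T10:00:07Z src=10.0.0.5 dst=10.0.0.20 dport=80 proto=tcp
2024-05-01T10:00:07Z src=10.0.0.5 dst=10.0.0.20 dport=443 proto=tcp
2024-05-01T10:05:00Z src=10.0.0.9 dst=10.0.0.20 dport=80 proto=tcp
"""


def parse(log_text):
    """Turn log lines into (timestamp, src, dst, dport, proto) tuples, time-ordered."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["dst"], m["dport"], m["proto"]))
    events.sort(key=lambda e: e[0])
    return events


def _windowed(events, window, keyfn, valfn, threshold):
    """Sliding-window detector: group events by keyfn, slide a window of
    `window` seconds over each group, and report the largest set of distinct
    valfn values seen in any window once it reaches `threshold`."""
    grouped = defaultdict(list)
    for ev in events:
        key = keyfn(ev)
        if key is not None:
            grouped[key].append(ev)
    alerts = {}
    for key, evs in grouped.items():
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= `window` seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window:
                start += 1
            distinct = {valfn(e) for e in evs[start:end + 1]}
            if len(distinct) >= threshold and len(distinct) > len(alerts.get(key, ())):
                alerts[key] = sorted(distinct)
    return alerts


def detect_ping_sweep(events, window=10, threshold=4):
    """{src: [hosts]} for sources that ping >= threshold distinct hosts in a window."""
    return _windowed(events, window,
                     keyfn=lambda e: e[1] if e[4] == "icmp" else None,
                     valfn=lambda e: e[2], threshold=threshold)


def detect_port_scan(events, window=10, threshold=5):
    """{(src, dst): [ports]} for sources touching >= threshold TCP ports on one host."""
    return _windowed(events, window,
                     keyfn=lambda e: (e[1], e[2]) if e[4] == "tcp" else None,
                     valfn=lambda e: int(e[3]), threshold=threshold)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("ping sweeps:", detect_ping_sweep(evs))
    print("port scans:", detect_port_scan(evs))
```

The thresholds are the tuning knobs: too low and a busy monitoring host trips the rule, too high and a slow scan (one port a minute) slips under the window. A slow scan is the attacker's answer to exactly this detector, so in practice the window is paired with a longer-term count per source.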

Scareware, Malvertising, Clickjacking and Ransomware:

1. Scareware: It comprises several classes of scam software with malicious payloads, or of limited or no benefit, which are sold to consumers via certain unethical marketing practices. The selling approach uses social engineering to cause shock, anxiety or the perception of a threat, generally directed at an unsuspecting user.
Example: Some websites display pop-up advertisement windows or banners with text such as: "Your computer may be infected with harmful Spyware programs. Immediate removal may be required. To scan, click 'Yes' below." These websites can go as far as saying that a user's job, career or marriage would be at risk. Webpages displaying such advertisements for such products are often considered as scareware.
2. Malvertising: Malicious advertising (malware + advertising) is an online criminal methodology focused on installing unwanted or outright malicious software through Internet advertising media networks, exchanges and the other user-supplied content publishing services common to the social networking space.
Example: Cybercriminals buy or compromise an advertisement slot on a legitimate website and use it to distribute malware to that site's visitors.
3. Clickjacking: It is a malicious technique of tricking netizens into revealing confidential information and/or taking control of their system while they click on seemingly innocuous webpages. It is also known as User-Interface (UI) redressing, because the attacker overlays the page the user sees with an invisible frame of another site, so that the click lands on a control the user cannot see. Clickjacking takes the form of embedded code and/or script which is executed without the netizen's knowledge.
Example: clicking on a button that appears to perform one function but actually performs another, such as a "Like" or "Share" button on the hidden page.
4. Ransomware: It is computer malware that holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration. It may propagate like a conventional computer worm, entering a system through a vulnerability in a network service or through an E-Mail attachment. It may then disable an essential system service, lock the display at system start-up and/or encrypt some of the user's personal files.

PROXY SERVERS AND ANONYMIZERS:


Proxy Server: It is a computer on a network which acts as an intermediary for connections with other computers on that network.
 The attacker first connects to a proxy server and then establishes a connection with the target system through the existing connection with the proxy.
 This enables an attacker to surf the Web anonymously and/or hide the source of the attack. A client connects to the proxy server and requests some service (such as a file, webpage, connection or other resource) available from a different server.
 The proxy server evaluates the request and provides the resource by establishing the connection to the respective server and/or requesting the required service on behalf of the client.
 Using a proxy server can allow an attacker to hide his/her identity, i.e., become anonymous on the network: the target system sees the proxy's IP address, not the attacker's.

Purposes of Proxy Server:


A proxy server has the following purposes:
1. Keep the systems behind the curtain (mainly for security reasons).
2. Speed up access to a resource through "caching". It is usually used to cache the webpages from a web server.
3. Specialized proxy servers are used to filter unwanted content such as advertisements.
4. A proxy server can be used as an IP address multiplexer, enabling a number of computers to connect to the Internet when only one IP address is available.
5. A proxy server's cache memory can serve all users. If one or more websites are requested frequently, maybe by different users, it is likely to be in the proxy's cache memory, which will improve user response time. In fact there are special servers available known as cache servers.
Listed are a few websites where free proxy servers can be found:
1. http://www.proxy4free.com
2. http://www.publicproxyservers.com
3. http://www.proxz.com
4. http://www.anonymitychecker.com
5. http://www.surf24h.com
6. http://www.hidemyass.com

Anonymizer: An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable.
 It accesses the Internet on the user's behalf, protecting personal information by hiding the source computer's identifying information.
 Anonymizers are services used to make Web surfing anonymous by utilizing a website that acts as a proxy server for the web client.
 The anonymizer hides/removes the identifying information from the user's computer while the user surfs the Internet, which is intended to protect the privacy of the user. The anonymizer's operator, however, sees all of that traffic, so the user is trusting the anonymizer with exactly what is being hidden from the destination site.

Listed are few websites where more information about anonymizers can be found:
1. http://www.anonymizer.com
2. http://www.browzar.com
3. http://www.anonymize.net
4. http://www.anonymouse.ws
5. http://www.anonymousindex.com

Websites and tools used to find the common vulnerabilities:


www.hackerstorm.com/: This website was created for the Open Source Vulnerability Database (OSVDB) tool. Since then it has grown in popularity and provides additional information about penetration testing. The site is updated with a whole bunch of news and alerts about vulnerability research.
www.hackerwatch.org/: It is an online community where Internet users can report and share information to block and identify security threats and unwanted traffic.
www.zone-h.org/: It reports on recent web attacks and cybercrimes and lists them on the website. One can view numerous defaced webpages and details about them.
www.milw0rm.com/: It contained day-wise information about exploits (the site has since closed; its archive was taken over by the Exploit Database, www.exploit-db.com).
www.osvdb.org/: This was an open-source vulnerability database providing a large quantity of technical information and resources about thousands of vulnerabilities (the database was shut down in 2016).
www.metasploit.com/: Metasploit is an open-source computer security project that provides information about security vulnerabilities and aids in penetration testing.

Being Anonymous While Searching on Google:

Google Cookie:
Google was the first search engine to use a cookie. Google set the standard and nowadays cookies are commonplace among search engines. This cookie places a unique ID number on your hard disk. Any time a user visits Google, a Google cookie is set if the user doesn't already have one; if one exists, Google reads and records the unique ID number. Google can thus build a detailed list of your search terms over many years.
Cookie:
A cookie (also known as HTTP cookie/browser cookie) is a small text file that contains a string of alphanumeric characters and is used for storing a netizen's website preferences/authentication while visiting the same webpage again and again, or acts as an identifier for a server-based session. This browser mechanism of setting and reading cookies invites attackers to use these cookies as "Spyware."
Types of cookies:
There are two types of cookies:
1. Persistent cookie 2. Session cookie.
A persistent cookie is stored by the web browser in the cookie folder on the PC's hard disk. It remains in the cookie folder, which is maintained by the web browser, until its expiry date passes or the user deletes it.
A session cookie is a temporary cookie and does not reside on the PC once the browser is closed.
DoubleClick:
It is a subsidiary of Google that provides Internet ad-serving services and paid search product listings, and utilizes cookies, which are called DART cookies.
G-Zapper:
The G-Zapper utility helps to stay anonymous while searching Google. Google stores a unique identifier in a cookie on the computer (i.e., on the hard disk) which allows it to track the keywords that are searched for. This information is used to compile reports, track user habits and test features. G-Zapper helps to protect the user's ID and search history. It reads the Google cookie installed on the user's PC, displays the date it was installed, determines how long the user's searches have been tracked and displays the Google searches. G-Zapper allows the user to automatically delete the Google search cookie or to block it entirely from future installation.

PHISHING:
Phishing: It is the fraudulent attempt to obtain sensitive information such as usernames, passwords and
credit card details by disguising as a trustworthy entity in an electronic communication.
Working of Phishing:
Phishers work in the following ways:
1. Planning: Criminals, usually called phishers, decide on the target (i.e., a specific business/business house/individual) and determine how to get the E-Mail addresses of that target or of the customers of that business. Phishers often use the same mass-mailing and address-collection techniques as spammers.
2. Setup: Once phishers know which business/business house to spoof and who their victims are, they create methods for delivering the message and for collecting the data about the target. Most often this involves E-Mail addresses and a webpage.
3. Attack: This is the step people are most familiar with: the phisher sends a phony message that appears to be from a reputable source.
4. Collection: Phishers record the information victims enter into web pages or pop-up windows.
5. Identity theft and fraud: Phishers use the information that they have gathered to make illegal purchases or commit fraud. Phishing started off as being part of popular hacking culture. Nowadays, more and more organizations/institutes provide greater online access for their customers and hence criminals are successfully using Phishing techniques to steal personal information and conduct ID theft at a global level.
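The "attack" step above depends on the message looking as if it came from the spoofed business while its links lead to the phisher's collection page. The following is an added example for these notes, not code from the original text: a checker that inspects the anchors in an HTML E-Mail body for the tricks phishers rely on (link text naming one site while the href goes to another, hosts written as raw IP addresses, punycode hosts, and a trusted brand name used as a subdomain of an unrelated domain). The TRUSTED brand list and the sample message are constructed for the example, and the registrable-domain helper is a crude two-label version that ignores the public suffix list, so a host such as bank.co.uk would be reduced to co.uk.

```python
"""Flag the link tricks used in phishing E-Mails.

Added example for these notes, not code from the original page. The brand
list, sample message and the two-label 'registrable domain' rule are
assumptions made for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Assumed list of domains the recipient would trust (constructed).
TRUSTED = {"examplebank.com", "paypal.com"}

# Constructed sample phishing message.
SAMPLE_MAIL = """
<p>Dear customer, your account will be suspended. Please verify:</p>
<a href="http://examplebank.com.secure-login.net/verify">https://examplebank.com/verify</a><br>
<a href="http://203.0.113.7/login">Log in now</a><br>
<a href="https://www.examplebank.com/help">Help centre</a>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'example.com' from 'www.example.com' (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the reasons this anchor looks like phishing (empty list = clean)."""
    reasons = []
    host = urlparse(href).hostname or ""
    if not host:
        return reasons
    if _is_ip(host):
        reasons.append("ip-literal host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")
    reg = registrable(host)
    for brand in sorted(TRUSTED):
        brand_label = brand.split(".")[0]
        # examplebank.com.secure-login.net: the brand is only a subdomain label
        if brand_label in host.split(".") and reg != brand:
            reasons.append(f"brand '{brand_label}' used on {reg}")
    # Visible text that itself looks like a URL or domain but points elsewhere.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != reg:
        reasons.append(f"text shows {m.group(1)}, href goes to {host}")
    return reasons


def suspicious_links(html):
    """[(href, text, reasons)] for every anchor that breaks at least one rule."""
    parser = _Anchors()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            hits.append((href, text, reasons))
    return hits


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_MAIL):
        print(href, "->", "; ".join(reasons))
```

Run on the constructed message, the first link is flagged twice (brand used as a subdomain, visible text disagreeing with the href), the second for its bare IP address, and the genuine help-centre link passes. These are the same checks a user is told to make by hand before clicking a "change your password" link.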

PASSWORD CRACKING:
 A password is like a key: it is what gets one through the lock into a computerized system.
 Password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system.
 A common attacker approach is to repeatedly make guesses at the password.
Purpose of Password Cracking:
The purpose of password cracking is as follows:
1. To recover a forgotten password.
2. As a preventive measure by system administrators to check for easily crackable passwords.
3. To gain unauthorized access to a system.
Manual password cracking is to attempt to logon with different passwords.
The attacker follows the following steps:
1. Find a valid user account such as an Administrator or Guest;
2. create a list of possible passwords;
3. rank the passwords from high to low probability;
4. key-in each password;
5. try again until a successful password is found.
Guessing Passwords: Passwords can be guessed sometimes with knowledge of the user’s personal
information.
Examples of guessable passwords include:
1. Blank (none)
2. Words like “password,” “passcode” and “admin”
3. Series of letters from the “qwerty” keyboard, for example, qwerty, asdf or qwertyuiop
4. User’s name or login name
5. Name of user’s friend/relative/pet
6. User’s birthplace or date of birth, or a relative’s or a friend’s
7. User’s vehicle number, office number, residence number or mobile number
8. Name of a celebrity who is considered to be an idol (e.g., actors, actresses, spiritual gurus) by the user
9. Simple modification of one of the preceding, such as suffixing a digit, particularly 1, or reversing the order of letters.
Password Cracking Attacks:
Password cracking attacks can be classified under three categories as follows:
1. Online attacks
2. Offline attacks
3. Non-Electronic attacks(Social Engineering Attacks)
Online Attacks:
 An attacker can create a script file (i.e., an automated program) that will be executed to try each password in a list against the live login service; when one matches, the attacker gains access to the system. Because every guess goes to the target system, online attacks are slow, visible in the target's logs and stopped by account lockout, which is why the lists used are kept short.
 The most widely cited online attack is the man-in-the-middle (MITM) attack, also termed the "bucket-brigade attack" or sometimes the "Janus attack."
 It is a form of active eavesdropping in which the attacker inserts himself/herself between a victim and the server to which the victim is connecting, relaying traffic in both directions.
 When the victim's client connects to the fraudulent server, the MITM server intercepts the connection, records the password (or its hash) and passes the connection on to the real server, so the victim notices nothing.
 This type of attack is used to obtain the passwords for E-Mail accounts on public websites such as Yahoo, Hotmail and Gmail, and can also be used by attackers who want access to banking websites to get the passwords for financial websites.

Offline Attacks:
Offline attacks are performed from a location other than the target system where the passwords reside or are used.
Offline attacks usually require physical access to the computer and copying the password file (the stored password hashes) from the system onto removable media. The attacker can then make guesses against the copied hashes as fast as his/her hardware allows, without any login attempts reaching the target or its logs.
Types of Offline Attacks:
Dictionary attack: Attempts every word from a dictionary (word list), hashing each and comparing it with the stolen hash.
Example of Password: Administrator
Hybrid attack: Starts from dictionary words and substitutes or appends numbers and symbols to get the password.
Example of Password: Adm1n1strator
Brute force attack: Attempts all possible permutations and combinations of letters, numbers and special characters.
Example of Password: Adm!n@09
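The three offline attacks above, carried out against a copied password file, as an added example for these notes (not code from the original text). The "stolen" file, its salted single-iteration SHA-256 storage scheme, the tiny word list and the leet-speak substitution table are all constructed for the example; the storage scheme is deliberately fast so that the attacks finish instantly, which is exactly the property a real system must avoid by using a slow key derivation function such as bcrypt, scrypt or Argon2. The brute force search is limited to a short lowercase key, because the page's own brute force example Adm!n@09 (8 characters from the full printable set, about 6.6 × 10^15 guesses) is far beyond a loop like this one.

```python
"""Dictionary, hybrid and brute-force attacks on a copied password file.

Added example for these notes, not code from the original page. The hashes,
word list and substitution table are constructed for the example.
"""
import hashlib
import itertools
import string


def hash_pw(password, salt):
    """Constructed storage scheme: salted SHA-256, a single iteration.
    Deliberately fast so the attacks below finish instantly; a real system
    should use a slow, memory-hard KDF (bcrypt, scrypt, Argon2) instead."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed "stolen" password file: username -> (salt, hash).
SALT = "s4lt"
SHADOW = {
    "alice": (SALT, hash_pw("Administrator", SALT)),  # plain dictionary word
    "bob":   (SALT, hash_pw("Adm1n1strator", SALT)),  # leet-speak variant
    "carol": (SALT, hash_pw("Admin2009", SALT)),      # word + digit suffix
    "dave":  (SALT, hash_pw("zqk", SALT)),            # short random string
}
# Tiny stand-in for a real word list.
WORDLIST = ["password", "welcome", "Administrator", "Admin", "letmein"]
# Substitutions a hybrid attack tries (constructed subset of the usual table).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}


def dictionary_attack(target, salt, words):
    """Hash each candidate word and compare with the stolen hash."""
    for w in words:
        if hash_pw(w, salt) == target:
            return w
    return None


def hybrid_candidates(word, max_digits=4):
    """Variants of one dictionary word: every subset of leet substitutions,
    then numeric suffixes of 1..max_digits digits."""
    yield word
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    for r in range(1, len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[word[i].lower()]
            yield "".join(chars)
    for n in range(1, max_digits + 1):
        for digits in itertools.product(string.digits, repeat=n):
            yield word + "".join(digits)


def hybrid_attack(target, salt, words):
    """Dictionary words plus the substitutions and suffixes users actually pick."""
    for w in words:
        for cand in hybrid_candidates(w):
            if hash_pw(cand, salt) == target:
                return cand
    return None


def brute_force(target, salt, alphabet=string.ascii_lowercase, max_len=4):
    """Try every string over `alphabet` up to max_len characters, shortest
    first. Only feasible for short keys over a small alphabet."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if hash_pw(cand, salt) == target:
                return cand
    return None


def crack_all(shadow, words):
    """Cheapest attack first, escalating only when the earlier one fails."""
    results = {}
    for user, (salt, h) in shadow.items():
        results[user] = (dictionary_attack(h, salt, words)
                         or hybrid_attack(h, salt, words)
                         or brute_force(h, salt))
    return results


if __name__ == "__main__":
    for user, pw in crack_all(SHADOW, WORDLIST).items():
        print(f"{user}: {pw}")
```

Two things the run makes visible. First, the order: dictionary, then hybrid, then brute force, because each step costs orders of magnitude more guesses than the last and most real passwords fall to the first two. Second, the salt: because it is stored next to the hash, it does nothing to slow down an attacker who has the file; it only prevents one guess from being checked against every user's hash at once. The per-guess cost, which is what actually protects a copied file, comes from the hash function, and here it is deliberately negligible.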

Password Cracking Tools:

www.defaultpassword.com: Default password(s): Network devices such as switches, hubs and routers are shipped with "default passwords," and usually these passwords are not changed after the devices are commissioned into the network (i.e., into the LAN). The site lists the defaults by vendor and model.
www.oxid.it/cain.html: Cain & Abel: This password recovery tool is typically used for Microsoft Operating Systems (OSs). It allows one to crack passwords by sniffing the network, cracking encrypted passwords using dictionary and brute force attacks, decoding scrambled passwords and recovering wireless network keys.
www.aircrack-ng.org: Aircrack-ng: It is a set of tools used for wireless networks. This tool is used for 802.11a/b/g Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) cracking. It can recover a 40- through 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA 1 or 2 networks using advanced cryptographic methods or by brute force.

STRONG, WEAK & RANDOM PASSWORDS:


Strong Password: A strong password is long enough, and random or otherwise producible only by the user who chooses it, so that it is difficult to guess. The length of time deemed to be "too long" for an attacker to spend will vary with the attacker, the attacker's resources, the ease with which a password can be tried and the value of the password to the attacker.
A student's password might not be worth more than a few seconds of computer time, while a password controlling access to a large bank's electronic money transfer system might be worth many weeks of computer time spent trying to crack it.
Examples of Strong Passwords:
1. Convert_£100 to Euros!: Such phrases are long, memorable and contain an extended symbol to increase the strength of the password.
2. 382465304H: It is a mix of numbers with a letter at the end, of the kind usually used on mass user accounts; such passwords can be generated randomly, for example, in schools and businesses.
3. 4pRte!ai@3: It is not a dictionary word, and it mixes upper and lower case letters with numeric and punctuation characters.
4. MoOoOfIn245679: It is long, with both letters and numerals.
5. t3wahSetyeT4: It is not a dictionary word, and it has both letters and numerals.

Weak Password: A weak password is one which could be easily guessed: short, common, or a system default password, or one that could be easily found by a brute force attack that tries only a subset of all possible passwords, such as words in the dictionary, proper names, words based on the username or common variations on these themes.
Passwords that can be easily guessed by acquaintances of the netizen (such as date of birth, pet's name and spouse's name) are considered to be very weak.
Examples of Weak Passwords:
1. Susan: common personal name;
2. aaaa: repeated letters, can be guessed;
3. rover: common name for a pet, also a dictionary word;
4. abc123: can be easily guessed;
5. admin: can be easily guessed;
6. 1234: can be easily guessed;
7. QWERTY: a sequence of adjacent letters on many keyboards;
8. 12/3/75: date, possibly of personal importance;
9. nbusr123: probably a username, and if so, can be very easily guessed;
10. p@$$\/\/Ord: simple letter substitutions are preprogrammed into password cracking tools;
11. password: used very often, trivially guessed;
12. December12: using the date of a forced password change is very common.
Random Passwords: The most secure passwords are long random strings of characters, and such passwords are generally the most difficult to remember. For the same number of characters, a password is stronger if it includes a mix of upper and lower case letters, numbers and other symbols, when allowed. The difficulty in remembering such a password increases the chance that the user will write it down, which makes it vulnerable to a different attack.
Example of Random Passwords:
One of these types of passwords is 26845. Although short, it is not easily guessed from personal information. The person who created the password is able to remember it because it is just the four direction keys on the numeric keypad (2, 4, 6, 8) plus the five in the middle. Note that a five-digit numeric password has only 100,000 possible values, so although it resists guessing by an acquaintance it would fall in a fraction of a second to a brute force attack against a stolen hash; it is "random" only relative to personal information, not strong.
General Guidelines Applicable to the Password Policies:
The general guidelines applicable to the password policies, which can be implemented organization-wide, are as follows:
1. Passwords and user logon identities (IDs) should be unique to each authorized user.
2. Passwords should consist of a minimum of eight alphanumeric characters (no common names or phrases).
3. There should be computer-controlled lists of prescribed password rules and periodic testing (e.g., for letter and number sequences, character repetition, initials, common words and standard names) to identify any password weaknesses.
4. Passwords should be kept private, that is, not shared with friends, colleagues, etc. They shall not be coded into programs or noted down anywhere.
5. Passwords shall be changed every 30/45 days or less. Most operating systems (OSs) can enforce a password with an automatic expiration and prevent repeated or reused passwords.
6. User accounts should be frozen after five failed logon attempts. All erroneous password entries should be recorded in an audit log for later inspection and action, as necessary.
7. Sessions should be suspended after 15 minutes (or another specified period) of inactivity and require the password to be re-entered.
8. Successful logons should display the date and time of the last logon and logoff.
9. Logon IDs and passwords should be suspended after a specified period of non-use.
10. For high-risk systems, after excessive violations, the system should generate an alarm and be able to simulate a continuing session (with dummy data) for the failed user (to keep this user connected while personnel attempt to investigate the incoming connection).
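Guideline 3 above asks for computer-controlled rules and periodic testing for the weaknesses listed in the weak-password examples (sequences, repetition, common words and names, dates, the username). The following is an added example for these notes, not code from the original text: a checker that applies those rules to a candidate password and reports which it breaks. The common-word list is a constructed stand-in for a real dictionary, the leet-speak table is the usual subset that cracking tools undo automatically, the 8-character minimum comes from guideline 2, and the 40-bit floor on the brute-force search space is an assumption made for the example.

```python
"""Test a candidate password against the weaknesses listed in the notes.

Added example for these notes, not code from the original page. The word
list, substitution table and the 40-bit floor are assumptions made for the
example; the other rules follow the text's weak/strong examples.
"""
import math
import re

# Constructed stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "passcode", "admin", "welcome", "letmein",
                "susan", "rover", "monkey", "dragon"}
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz", "0123456789"]
MONTHS = ("january february march april may june july august "
          "september october november december").split()
# Substitutions cracking tools try automatically; undoing them before the
# dictionary check is what makes p@$$\/\/Ord match "password".
LEET = [("\\/\\/", "w"), ("@", "a"), ("$", "s"), ("0", "o"), ("1", "i"),
        ("3", "e"), ("4", "a"), ("5", "s"), ("7", "t")]
MIN_LENGTH = 8   # guideline 2 in the text
MIN_BITS = 40    # assumed floor for the brute-force search space


def normalise(pw):
    """Lower-case and undo leet substitutions."""
    s = pw.lower()
    for frm, to in LEET:
        s = s.replace(frm, to)
    return s


def has_sequence(pw):
    """True if a run from a keyboard row, the alphabet or the digits (forwards
    or backwards) makes up at least half of the password (minimum 3 chars)."""
    s = pw.lower()
    run = max(3, len(s) // 2)
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in s or chunk[::-1] in s:
                return True
    return False


def entropy_bits(pw):
    """log2 of the search space a brute-force attack would have to cover."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33
    return round(len(pw) * math.log2(pool)) if pool else 0


def weaknesses(pw, username=None):
    """Return the list of rules the password breaks (empty list = passes)."""
    found = []
    if len(pw) < MIN_LENGTH:
        found.append("shorter than 8 characters")
    norm = normalise(pw)
    base = normalise(re.sub(r"\d+$", "", pw.lower()))   # December12 -> december
    if norm in COMMON_WORDS or base in COMMON_WORDS:
        found.append("common word or name")
    if username and username.lower() in pw.lower():
        found.append("contains the username")
    if re.fullmatch(r"(.)\1+", pw):
        found.append("repeated single character")
    if has_sequence(pw):
        found.append("keyboard or alphabet/number sequence")
    if re.fullmatch(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", pw) or base in MONTHS:
        found.append("looks like a date")
    if entropy_bits(pw) < MIN_BITS:
        found.append("small search space")
    return found


def is_strong(pw, username=None):
    return not weaknesses(pw, username)


if __name__ == "__main__":
    for pw in ["Susan", "abc123", "p@$$\\/\\/Ord", "December12", "Convert_£100 to Euros!"]:
        print(f"{pw!r}: {weaknesses(pw) or 'passes'}")
```

The entropy figure is only the upper bound a brute-force attacker faces; the other rules exist because most passwords are not drawn uniformly from that space, and a cracker's word list with rules (the hybrid attack) reaches them long before a brute-force loop would. A real deployment would replace COMMON_WORDS with a list of known breached passwords.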
Password Guidelines for Personal E-Mail Accounts:
 Passwords used for business E-Mail accounts, personal E-Mail accounts (Yahoo/Hotmail/Gmail) and banking/financial user accounts (e.g., online banking/securities trading accounts) should be kept separate.
 Passwords should be of a minimum of eight alphanumeric characters.
 Passwords should be changed every 30/45 days.
 Passwords should not be shared with relatives and/or friends.
 A password used previously should not be reused when the password is renewed.
 Passwords of personal E-Mail accounts (Yahoo/Hotmail/Gmail) and banking/financial user accounts should be changed from a secured system, within a couple of days.
 Passwords should not be stored on mobile phones/PDAs, as these devices are also prone to cyberattacks.
 On receipt of an E-Mail from a banking/financial institution instructing one to change the password, the legitimacy of the E-Mail should be verified (for instance by contacting the institution through its published number rather than through the link) before clicking the weblinks displayed in the E-Mail, to avoid becoming a victim of a Phishing attack.
 Similarly, on receipt of an SMS from a banking/financial institution instructing one to change the password, the legitimacy of the SMS should be verified to avoid becoming a victim of a Smishing attack.
 In case E-Mail accounts/user accounts have been hacked, the respective agencies/institutes should be contacted immediately.

KEYLOGGERS AND SPYWARES:


 Keystroke logging, often called keylogging, is the practice of noting (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that such actions are being monitored.
 A keystroke logger or keylogger is a quick and easy way of capturing passwords and monitoring the victim's IT activity. Keyloggers can be classified as software keyloggers and hardware keyloggers.

SOFTWARE KEYLOGGERS:
 Software keyloggers are programs installed on the computer system which usually sit between the OS and the keyboard hardware, so that every keystroke is recorded.
 Software keyloggers are installed on a computer system by Trojans or viruses without the knowledge of the user.
 A keylogger usually consists of two files that get installed in the same directory: a dynamic link library (DLL) file and an executable (EXE) file that installs the DLL file and triggers it to work. The DLL does all the recording of keystrokes.
 Cybercriminals often install such tools on the insecure computer systems available in public places and can thus obtain the required information about the victim very easily.

8
Software keyloggers:

 http://www.soft-central.net: SC-KeyLog PRO: It allows one to secretly record computer user activities such as E-Mails, chat conversations, visited websites, clipboard usage, etc. in a protected logfile. SC-KeyLog PRO also captures Windows user logon passwords. The captured information is completely hidden from the user, and the product allows the monitoring system to be installed remotely through an E-Mail attachment without the user recognizing the installation at all.
 http://www.stealthkeylogger.org: Stealth Keylogger: It is computer monitoring software that produces an activity log report in which all the PC keyboard activities are registered, either at a specific time or hourly on a daily basis. The log reports are generated either in text or HTML file format, as defined by the user. The keylogger can also mail the log report to a specified E-Mail address.

HARDWARE KEYLOGGERS:
 To install these keyloggers, physical access to the computer system is required. Hardware keyloggers are small hardware devices connected to the PC and/or to the keyboard, and they save every keystroke into a file or into the memory of the hardware device.
 Cybercriminals install such devices on ATM machines to capture ATM cards' PINs. Each keypress on the keyboard of the ATM gets registered by these keyloggers.
 These keyloggers look like an integrated part of such systems; hence, bank customers are unaware of their presence.
Listed are a few websites where more information about hardware keyloggers can be found:
1. http://www.keyghost.com
2. http://www.keelog.com
3. http://www.keydevil.com
4. http://www.keykatcher.com

ANTIKEYLOGGER:
An antikeylogger is a tool that can detect a keylogger installed on the computer system and can also remove it.
Advantages of Antikeylogger:
1. Firewalls cannot detect the installation of keyloggers on the system; an antikeylogger can.
2. Unlike antivirus and antispyware programs, which stop serving their purpose (and leave the user at risk) if their signature bases are not regularly updated, this software does not depend on regular signature updates to work effectively.
3. It prevents Internet banking frauds, since passwords are easily obtained by installing keyloggers.
4. It prevents ID theft.
5. It secures E-Mail and instant messaging/chatting.

SPYWARES:
Spyware is a type of malware/malicious software that is installed on computers and collects information about users without their knowledge.
 The presence of Spyware is typically hidden from the user. It is secretly installed on the user's personal computer. Sometimes, however, Spyware such as a keylogger is installed by the owner of a shared, corporate or public computer on purpose, to secretly monitor other users.
 Spyware programs collect personal information about the victim, such as Internet surfing habits/patterns and websites visited.
 Spyware can also redirect Internet surfing activities by installing another stealth utility on the user's computer system.
 Spyware also has the ability to change computer settings, which may result in slower Internet connection speeds and slower response times, leading the user to complain to the Internet Service Provider (ISP) about the connection speed.

Spyware Software Websites:


www.e-spy-software.com: 007 Spy:
It has the following key features:
 Capability of overriding "antispy" programs like "Ad-aware"
 Records all website URLs visited on the Internet
 Powerful keylogger engine to capture all passwords
 View logs remotely from anywhere at any time
 Export the log report in HTML format to view it in the browser
 Automatically clean up outdated logs
 Password protection.

http://www.flexispy.com: Flexispy: It is a tool that can be installed on a cell/mobile phone. After installation, Flexispy secretly records the conversations that happen on the phone and sends this information to a specified E-Mail address.

VIRUS AND WORMS

 A computer virus is a program that can "infect" legitimate programs by modifying them to include a possibly "evolved" copy of itself. Viruses spread themselves, without the knowledge or permission of the users, to potentially large numbers of programs on many machines.
 A computer virus passes from computer to computer in a similar manner as a biological virus passes from person to person.
 Viruses may also contain malicious instructions that may cause damage or annoyance. The combination of possibly malicious code with the ability to spread is what makes viruses a considerable concern.
 Viruses can often spread without any readily visible symptoms. A virus's effects can be event-driven, time-driven or can occur at random.
Typical actions of Viruses:
1. Display a message to prompt an action which may set off the virus.
2. Delete files inside the system into which the virus enters.
3. Scramble data on a hard disk.
4. Cause erratic screen behavior.
5. Halt the system (PC).
6. Just replicate themselves to propagate further harm.

Fig: Virus spread through Internet
Fig: Virus spread through Standalone System

 The term computer virus is sometimes used as a catch-all phrase to include all types of malware, including Adware and Spyware programs that do not have the ability to reproduce.
 Malware includes computer viruses, worms, Trojans, most Rootkits, Spyware, dishonest Adware, crimeware and other malicious and unwanted software, as well as true viruses.

Fig: Virus spread through local networks

Malwares:

 Malware, short for malicious software, is software designed to infiltrate a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive or annoying software or program code.
Malware can be classified as follows:
1. Viruses and worms: These are known as infectious malware. They spread from one computer system to another, each with its own particular behavior: a virus attaches itself to host programs or disks and needs those to be run or shared in order to spread, whereas a worm is a self-contained program that spreads by itself over the network, exploiting a service or mailing copies of itself, without needing a host program.
2. Trojan Horses: A Trojan Horse, Trojan for short, is a term used to describe malware that appears, to the user, to perform a desirable function but, in fact, facilitates unauthorized access to the user's computer system.
3. Rootkits: A rootkit is a software system that consists of one or more programs designed to obscure the fact that a system has been compromised.
4. Backdoors: A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plain text and so on, while attempting to remain undetected.

Differences between Virus and Worm:

Types of Viruses:
Computer viruses can be categorized based on the elements of the system they attack, and they can put the system and the personal data on it in danger.
1. Boot sector viruses:
 It infects the storage media on which the OS is stored (e.g., floppy diskettes and hard drives) and which is used to start the computer system. All data/programs are stored on floppy disks and hard drives in smaller sections called sectors.
 The first sector is called the boot sector and it carries the Master Boot Record (MBR). The MBR's function is to read and load the OS, that is, it enables the computer system to start through the OS.
 Hence, if a virus attacks the MBR or infects the boot record of a disk, such a floppy disk infects the victim's hard drive when he/she reboots the system while the infected disk is in the drive.
 Once the victim's hard drive is infected, all the floppy diskettes that are used in the system will be infected. Boot sector viruses often spread to other systems when shared infected disks and pirated software are used.
2. Program viruses:
 These viruses become active when the program file (usually with extensions .bin, .com, .exe, .ovl,
.drv) is excuted (i.e., opened - program is started).
 Once these program files get infected, the virus makes copies of itself and infects the other
programs on the computer system.
3. Multipartite viruses:
 It is a hybrid of a boor sector and program viruses. It infects program files along with the boot
record when the infected program is active.
 When the victim starts the computer system next time, it will infect the local drive and other
programs on the victim's computer system.
4. Stealth viruses:
 It camouflages and/or masks itself and so detecting this type of virus is very difficult.
 It can disguise itself such a way that antivirus software also cannot detect it thereby preventing
spreading into the computer system.
 It alters its file size and conceals itself in the computer memory to remain in the system
undetected. The first computer virus, named as Brain, was a stealth virus.

12
 A good antivirus detects a stealth virus lurking on the victim's system by checking the areas the
virus must have infected by leaving evidence in memory.
5. Polymorphic viruses:
• It acts like a "chameleon" that changes its virus signature (i.e., binary pattern) every time it
spreads through the system (i.e., multiplies and infects a new file).
• Polymorphic generators are routines (i.e., small programs) that can be linked with
existing viruses. These generators are not viruses themselves; their purpose is to hide the
actual viruses under the cloak of polymorphism.
6. Macro viruses:
• Many applications, such as Microsoft Word and Microsoft Excel, support macros (i.e.,
macro languages). These macros are programmed as a macro embedded in a document.
• Once a macro virus enters a victim's computer, every document he/she produces will
become infected. This type of virus is relatively new and may slip past the antivirus
software if the user does not have the most recent version installed on his/her system.
7. ActiveX and Java controls:
• All web browsers have settings for ActiveX and Java controls.
• Some awareness is needed about managing and controlling these browser settings to
prohibit or allow certain functions, such as enabling or disabling pop-ups, downloading
files and sound; careless settings invite threats to the computer system from unwanted
software floating in cyberspace.
Computer Worm:
• A computer worm is a self-replicating malware computer program.
• It uses a computer network to send copies of itself to other nodes (computers on the network) and
it may do so without any user intervention.
• This is possible because of security shortcomings on the target computer. Unlike a virus, it does not need to
attach itself to an existing program.
• Worms almost always cause at least some harm to the network, if only by consuming bandwidth,
whereas viruses almost always corrupt or modify files on a targeted computer.
• Almost every day new viruses/worms are created and they become a new threat to netizens.
Typical definitions of computer viruses/worms:
1. A virus attacks specific file types (or files).
2. A virus manipulates a program to execute tasks unintentionally.
3. An infected program produces more viruses.
4. An infected program may run without error for a long time.
5. Viruses can modify themselves and may possibly escape detection this way.

• Computer virus hoax: It is a message warning the recipient of a non-existent computer virus threat.
The message is usually a chain E-Mail that tells the recipient to forward it to everyone they know. They
often include announcements claimed to be from reputable organizations such as Microsoft, IBM or news
sources such as CNN and include emotive language and encouragement to forward the message. These
sources are quoted to add credibility to the hoax.
• Unix and Linux OS are immune from computer viruses: This is a myth; Unix/Linux systems
are as susceptible to hostile software attacks as any other systems. However, such systems are usually
found to be well-protected compared with Microsoft Windows because fast updates are available for most
Unix/Linux vulnerabilities.

TROJAN HORSES AND BACKDOORS:

• A Trojan Horse is a program in which malicious or harmful code is contained inside apparently
harmless programming or data in such a way that it can get control and cause harm.
• For example, ruining the file allocation table on the hard disk.
• A Trojan Horse may get widely redistributed as part of a computer virus. The term Trojan Horse
comes from the Greek myth of the Trojan War.
• Like spyware and adware, Trojans can get into the system in a number of ways, including from a
web browser, via E-Mail or in a bundle with other software downloaded from the Internet.
• It is also possible to accidentally transfer malware through a USB flash drive or other portable
media.
• Unlike viruses or worms, Trojans do not replicate themselves, but they can be equally destructive.
On the surface, Trojans appear benign and harmless, but once the infected code is executed,
Trojans kick in and perform malicious functions to harm the computer system without the user's
knowledge.
Typical examples of threats by Trojans are as follows:
1. They erase, overwrite or corrupt data on a computer.
2. They help to spread other malware such as viruses (by a dropper Trojan).
3. They deactivate or interfere with antivirus and firewall programs.
4. They allow remote access to your computer (by a remote access Trojan).
5. They upload and download files without your knowledge.
6. They gather E-Mail addresses and use them for Spam.
7. They log keystrokes to steal information such as passwords and credit card numbers.
8. They copy fake links to false websites, display pornographic sites, play sounds/videos and display images.
9. They slow down, restart or shut down the system.
10. They reinstall themselves after being disabled.
11. They disable the task manager.
12. They disable the control panel.

BACKDOOR:
• A backdoor is a means of access to a computer program that bypasses security mechanisms.
• A programmer may sometimes install a backdoor so that the program can be accessed for
troubleshooting or other purposes.
• Attackers often use backdoors that they detect or install themselves as part of an exploit.
• In some cases, a worm is designed to take advantage of a backdoor created by an earlier attack.
• A backdoor works in the background and hides from the user.
• Most backdoors are autonomous malicious programs that must somehow be installed on a
computer.
• Some parasites do not require installation, as their parts are already integrated into particular
software running on a remote host.
• Programmers sometimes leave such backdoors in their software for diagnostics and
troubleshooting purposes.
• Attackers often discover these undocumented features and use them to intrude into the system.

Functions of Backdoor:
Following are some functions of a backdoor:
1. It allows an attacker to create, delete, rename, copy or edit any file, execute various commands,
change any system settings, alter the Windows registry, run, control and terminate applications,
and install arbitrary software and parasites.
2. It allows an attacker to control computer hardware devices, modify related settings, and shut down or
restart a computer without asking for user permission.
3. It steals sensitive personal information, valuable documents, passwords, login names and ID details,
logs user activity and tracks web browsing habits.
4. It records keystrokes that a user types on a computer's keyboard and captures screenshots.
5. It sends all gathered data to a predefined E-Mail address, uploads it to a predetermined FTP server
or transfers it through a background Internet connection to a remote host.
6. It infects files, corrupts installed applications and damages the entire system.
7. It distributes infected files to remote computers with certain security vulnerabilities and performs
attacks against hacker-defined remote hosts.
8. It installs a hidden FTP server that can be used by malicious persons for various illegal purposes.
9. It degrades Internet connection speed and overall system performance, decreases system security
and causes software instability. Some parasites are badly programmed, so they waste too many
computer resources and conflict with installed applications.
10. It provides no uninstall feature, and hides processes, files and other objects to complicate its
removal as much as possible.

Few Examples of Backdoor Trojans:


1. Back Orifice: It is a well-known example of a backdoor Trojan designed for remote system
administration. It enables a user to control a computer running the Microsoft Windows OS from a remote
location.
2. Bifrost: It is another backdoor Trojan that can infect Windows 95 through Vista. It uses the typical
server, server builder and client backdoor program configuration to allow a remote attacker, who uses the
client, to execute arbitrary code on the compromised machine.
3. SAP backdoors: SAP is an Enterprise Resource Planning (ERP) system, and nowadays ERP is the
heart of the business technology platform. These systems handle the key business processes of the
organization, such as procurement, invoicing, human resources management, billing, stock management
and financial planning.
4. Onapsis Bizploit: It is an open-source ERP penetration testing framework developed by Onapsis
Research Labs. Bizploit assists security professionals in the discovery, exploration, vulnerability
assessment and exploitation phases of specialized ERP penetration tests.

Steps to Protect from Trojan Horses and Backdoors:


Follow these steps to protect your systems from Trojan Horses and backdoors:
1. Stay away from suspect websites/weblinks: Avoid downloading free/pirated software, which is often
infected by Trojans, worms, viruses and other things.
2. Surf the Web cautiously: Avoid connecting to and/or downloading any information from peer-
to-peer (P2P) networks, which are the most dangerous networks for spreading Trojan Horses and other threats.
On P2P networks, files are packed with malicious software and then renamed to match the terms
commonly searched for while surfing for information on the web.
3. Install antivirus/Trojan remover software: Nowadays antivirus software has a built-in feature for
protecting the system not only from viruses and worms but also from malware such as Trojan Horses.
Free Trojan remover programs are also available on the Web and some of them are really good.

Peer-to-Peer (P2P) Networks:
Peer-to-Peer, commonly abbreviated as P2P, is any distributed network architecture composed of
participants that make a portion of their resources (such as processing power, disk storage or network
bandwidth) directly available to other network participants, without the need for central coordination
instances (such as servers or stable hosts).
There are different levels of P2P networking:
Hybrid P2P: There is a central server that keeps information about the network. The peers are
responsible for storing the information. If they want to contact another peer, they query the server for the
address.
Pure P2P: There is absolutely no central server or router. Each peer acts as both client and server at the
same time. This is also sometimes referred to as “serverless” P2P.
Mixed P2P: It is between “hybrid” and “pure” P2P networks. An example of such a network is Gnutella,
which has no central server but clusters its nodes around so-called “supernodes.”
Advantages of P2P Networks:
1. It enables faster delivery of information from one computer to another by bypassing a central
server.
2. It increases personal efficiency and personal empowerment. Users will no longer have to wait in
queues to perform essential tasks, as all activities take place at the user's discretion.
3. It represents significant cost savings over client/server models. As resources and computing
power are distributed across the entire network, there is no need for expensive centralized servers,
and it reduces the need for centralized management, storage and other related resources.
4. It offers easy scalability: all that is necessary for a network to grow is to add more peers.
5. It increases a network's fault tolerance. As no part of the system is essential to its operation, you
can take down a few nodes and the network remains functional.
6. It leverages previously unused resources found on hundreds of millions of computers that are
connected to the “edges” of the Internet.
7. It frees up bandwidth on the Internet (or on a private network). In the traditional client-server model,
the server is the bottleneck and often cannot handle everything the clients request.
8. It requires no centralized management, oversight or control.
9. It offers increased privacy, as all data and messages are directly exchanged between two
computers.
10. It results in networks that are more flexible and adaptable compared with traditional client-server
networks.
Drawbacks of P2P Networks:
1. It propagates all sorts of undesirable items and activities, including misinformation.
2. It increases a network's, and an individual system's, exposure to network attacks, viruses and other
malicious damage.
3. It makes no guarantee that content/resources will always be available; any peer can go “dark” if
he/she shuts down his/her computer.
4. It does not enforce content ownership (copyright).
5. It cannot enforce standards (either technological or ethical/moral/social).
6. It can be overwhelmed by increased traffic when it is unprepared (Napster clogged many
university networks).
7. It is plagued by a lack of standards, infrastructure and support. It is a kind of “Wild West” of the
Internet.
8. Its transactions are difficult to translate into revenue streams, and this lack of revenue generation
could hinder its future development.

STEGANOGRAPHY:
• Steganography is a Greek word that means "sheltered writing." It is a method that attempts to
hide the existence of a message or communication.
• The word "steganography" comes from the two Greek words steganos, meaning "covered," and
graphein, meaning "to write," together meaning "concealed writing." This idea of data hiding is not a
novelty.
• Steganography can be used to make a digital watermark to detect illegal copying of digital
images. Thus, it aids confidentiality and integrity of the data.
• Digital watermarking is the process of, possibly irreversibly, embedding information into a
digital signal. The signal may be, for example, audio, pictures or video.
• If the signal is copied then the information is also carried in the copy.
• In other words, when steganography is used to place a hidden "trademark" in images, music and
software, the result is a technique referred to as "watermarking."

Fig: Steganography working


Steganalysis: Steganalysis is the art and science of detecting messages that are hidden in image,
audio and video files using steganography.
• The goal of steganalysis is to identify suspected packages and to determine whether or not they
have a payload encoded into them, and if possible recover it.
• Automated tools are used to detect such steganographed data/information hidden in image,
audio and/or video files.
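The following is an added example, not code from the original notes or from any steganography tool, showing both sides of the two sections above: a hidden watermark is written into the least-significant bits of an 8-bit grayscale "image", read back out, and then checked with the chi-square "pairs of values" statistic that classic automated LSB steganalysis relies on. The image is a constructed byte ramp rather than a real picture, and the watermark text is made up for the demonstration.

```python
from typing import Tuple


def _bits_from_bytes(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the least significant bit of each cover sample.
    A 32-bit big-endian length header precedes the payload so the extractor
    knows where to stop; capacity is one bit per cover byte."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("message too long for this cover")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits_from_bytes(payload)):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then set it to the message bit
    return bytes(stego)


def lsb_extract(stego: bytes) -> bytes:
    """Inverse of lsb_embed: read the length header, then that many payload bytes."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def chi_square_pairs(image: bytes) -> float:
    """Chi-square 'pairs of values' statistic used in classic LSB steganalysis.
    LSB embedding only moves samples between the values 2k and 2k+1, so it
    equalises those histogram pairs: a cover whose pairs are skewed gives a
    large statistic, and the same image after embedding gives a smaller one."""
    hist = [0] * 256
    for v in image:
        hist[v] += 1
    chi2 = 0.0
    for k in range(128):
        h0, h1 = hist[2 * k], hist[2 * k + 1]
        if h0 + h1 == 0:
            continue
        expected = (h0 + h1) / 2
        chi2 += (h0 - expected) ** 2 / expected + (h1 - expected) ** 2 / expected
    return chi2


def make_cover(size: int = 4096) -> bytes:
    """Constructed stand-in for an 8-bit grayscale image: a ramp whose LSBs are
    mostly 0, mimicking the skew that sensors and quantisation leave behind."""
    return bytes(((i * 37) % 256) & 0xFE if i % 10 else ((i * 37) % 256) | 1
                 for i in range(size))


def demo() -> Tuple[bytes, float, float]:
    """Embed a constructed watermark, recover it, and compare the detector
    statistic before and after embedding."""
    cover = make_cover()
    secret = b"owner=alice; licence #0001"   # constructed watermark text
    stego = lsb_embed(cover, secret)
    return lsb_extract(stego), chi_square_pairs(cover), chi_square_pairs(stego)


if __name__ == "__main__":
    recovered, chi_cover, chi_stego = demo()
    print(recovered, round(chi_cover, 1), round(chi_stego, 1))
```

The statistic drops after embedding because the hidden bits push odd and even sample values toward equal counts; real steganalysis tools apply the same idea over sliding windows of the file and compare against an expected distribution rather than a single threshold.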

Difference between Steganography and Cryptography:


• Cryptography is the study of hiding information, while steganography deals with composing
hidden messages so that only the sender and the receiver know that the message even exists.
• In steganography, only the sender and the receiver know of the existence of the message, whereas in
cryptography the existence of the encrypted message is visible to the world.
• Because of this, steganography removes the unwanted attention coming to the hidden message.
• Cryptographic methods try to protect the content of a message, while steganography uses
methods that would hide both the message as well as the content.
• By combining steganography and cryptography one can achieve better security.

DoS and DDoS ATTACKS:

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an
attempt to make a computer resource (i.e., information systems) unavailable to its intended users.

DoS ATTACKS:
• In this type of criminal act, the attacker floods the bandwidth of the victim's network or fills his E-
Mailbox with Spam mail, depriving him of the services he is entitled to access or provide.
Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally
consists of the concerted efforts of a person or people to prevent an Internet site or service from
functioning efficiently or at all, temporarily or indefinitely.
• The attackers typically target sites or services hosted on high-profile web servers such as banks,
credit card payment gateways, mobile phone networks and even root name servers.
• The term IP address spoofing refers to the creation of IP packets with a forged (spoofed) source
IP address with the purpose of concealing the identity of the sender or impersonating another
computing system.
• A packet is a formatted unit of data carried by a packet-mode computer network. The attacker
spoofs the IP address and floods the network of the victim with repeated requests. As the IP
address is fake, the victim machine keeps waiting for a response from the attacker's machine for
each request.
• This consumes the bandwidth of the network, which then fails to serve the legitimate requests and
ultimately breaks down.

Symptoms of DoS attacks:


The United States Computer Emergency Response Team defines symptoms of DoS attacks to
include:
1. Unusually slow network performance (opening files or accessing websites).
2. Unavailability of a particular website.
3. Inability to access any website.
4. Dramatic increase in the number of Spam E-Mails received (E-Mail bomb).
The goal of DoS is not to gain unauthorized access to systems or data, but to prevent intended users
(i.e., legitimate users) of a service from using it.
A DoS attack may do the following:
1. Flood a network with traffic, thereby preventing legitimate network traffic.
2. Disrupt connections between two systems, thereby preventing access to a service.
3. Prevent a particular individual from accessing a service.
4. Disrupt service to a specific system or person.

CLASSIFICATION OF DoS ATTACKS:

Bandwidth Attacks:
• Loading any website takes a certain time. Loading means the complete webpage appearing on the
screen, with the system awaiting the user's input.
• This loading consumes some amount of memory. Every site is given a particular amount of
bandwidth for its hosting.
• For example, consider 50 GB of bandwidth. Now if visitors consume all 50 GB of bandwidth, then
the host of the site can ban the site. The attacker does the same: he/she opens 100 pages of a
site and keeps on refreshing them, consuming all the bandwidth; thus, the site goes out of
service.

Logic Attacks:
• These kinds of attacks exploit vulnerabilities in network software such as a web server or the
TCP/IP stack.
Protocol attacks:
• Protocols here are the rules that are to be followed to send data over a network.
• These kinds of attacks exploit a specific feature or implementation bug of some protocol installed
on the victim's system to consume excess amounts of its resources.
Unintentional DoS attack:
• This is a scenario where a website ends up being denied not due to a deliberate attack by a single
individual or group of individuals, but simply due to a sudden enormous spike in popularity.
• This can happen when an extremely popular website posts a prominent link to a second, less well-
prepared site, for example, as part of a news story.
• The result is that a significant proportion of the primary site's regular users, potentially hundreds
of thousands of people, click that link within a few hours and have the same effect on the target
website as a DDoS attack.

TYPES (or) LEVELS OF DoS ATTACKS:


There are several types or levels of DoS attacks, as follows:
1. Flood attack:
• It is also known as a ping flood. It is based on an attacker simply sending the victim an
overwhelming number of ping packets, usually by using the "ping" command, which results
in more traffic than the victim can handle.
• This requires the attacker to have a faster network connection than the victim (i.e., access to
greater bandwidth than the victim). It is very simple to launch, but preventing it completely is
the most difficult.
2. Ping of death attack:
• The ping of death attack sends oversized Internet Control Message Protocol (ICMP) packets; ICMP
is one of the core protocols of the IP suite.
• It is mainly used by networked computers' OSs to send error messages about datagrams
(encapsulated in IP packets) to the victim.
• The maximum packet size allowed is 65,536 octets. Some systems, upon receiving the
oversized packet, will crash, freeze or reboot, resulting in DoS.

3. SYN attack:
• It is also termed TCP SYN flooding. In the Transmission Control Protocol (TCP), handshaking
of network connections is done with SYN and ACK messages.
• An attacker initiates a TCP connection to the server with a SYN. The server replies with a
SYN-ACK. The client then does not send back an ACK, causing the server (i.e., target system) to
allocate memory for the pending connection and wait. This fills up the buffer space for SYN
messages on the target system, preventing other systems on the network from communicating
with the target system.
4. Teardrop attack:
• The teardrop attack is an attack where fragmented packets are forged to overlap each other when
the receiving host tries to reassemble them. IP's packet fragmentation algorithm is used to send
corrupted packets to confuse the victim and may hang the system.
• This attack can crash various OSs due to a bug in their TCP/IP fragmentation reassembly code.

5. Smurf attack:
• It is a way of generating significant computer network traffic on a victim network. This is a type
of DoS attack that floods a target system via spoofed broadcast ping messages. This attack
consists of a host sending an ICMP echo request (ping) to a network broadcast address.
• Every host on the network receives the ICMP echo request and sends back an ICMP echo
response, flooding the initiator with network traffic. On a multi-access broadcast network, hundreds
of machines might reply to each packet.
• This creates a magnified DoS attack of ping replies, flooding the primary victim.
6. Nuke:
• Nuke is an old DoS attack against computer networks consisting of fragmented or otherwise
invalid ICMP packets sent to the target.
• It is achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing
down the affected computer until it comes to a complete stop.
• A specific example of a nuke attack that gained some prominence is WinNuke, which
exploited a vulnerability in the NetBIOS handler in Windows 95.
• A string of out-of-band data was sent to TCP port 139 of the victim's machine, causing it to lock
up and display a Blue Screen of Death (BSOD).
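As an added example (not from the original notes or from any IDS product), the Python detector below examines a constructed packet capture for the traffic signatures that the attack types listed above leave behind: an ICMP echo whose length exceeds what an IP datagram can carry (ping of death), an echo request aimed at a broadcast address (smurf), fragments of one datagram that overlap (teardrop), many SYN-only segments toward a single port (SYN flood) and urgent data sent to TCP port 139 (WinNuke). The packet records, the /24 broadcast assumption and the SYN threshold are all constructed for the demonstration.

```python
from collections import defaultdict
from typing import Dict, List

MAX_IP_DATAGRAM = 65535     # the IP total-length field is 16 bits wide
SYN_FLOOD_THRESHOLD = 50    # assumed: SYN-only segments per destination port before alerting


def is_broadcast(ip: str) -> bool:
    """Assumes /24 subnets, so x.x.x.255 (and the limited broadcast) are broadcast addresses."""
    return ip == "255.255.255.255" or ip.endswith(".255")


def fragments_overlap(frags: List[dict]) -> bool:
    """True if two fragments of one datagram claim overlapping byte ranges (the
    teardrop condition). Offsets here are plain byte offsets, not 8-byte units."""
    spans = sorted((f["frag_offset"], f["frag_offset"] + f["frag_len"]) for f in frags)
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            return True
    return False


def analyse(packets: List[dict]) -> Dict[str, List[str]]:
    """Run every signature over the capture and return alerts grouped by attack name."""
    alerts = defaultdict(list)
    syn_only = defaultdict(int)   # (dst, dport) -> count of SYNs without ACK
    datagrams = defaultdict(list)  # (src, dst, ip_id) -> its fragments
    for p in packets:
        if p["proto"] == "icmp" and p.get("type") == "echo-request":
            if p["total_len"] > MAX_IP_DATAGRAM:
                alerts["ping_of_death"].append(f'{p["src"]} -> {p["dst"]} len={p["total_len"]}')
            if is_broadcast(p["dst"]):
                alerts["smurf"].append(f'{p["src"]} -> broadcast {p["dst"]}')
        if p["proto"] == "tcp":
            flags = p["flags"]
            if "S" in flags and "A" not in flags:
                syn_only[(p["dst"], p["dport"])] += 1
            if "U" in flags and p["dport"] == 139:
                alerts["winnuke"].append(f'{p["src"]} -> {p["dst"]}:139 URG')
        if "frag_offset" in p:
            datagrams[(p["src"], p["dst"], p["ip_id"])].append(p)
    # Simplification: a production detector would subtract completed handshakes.
    for (dst, dport), n in syn_only.items():
        if n >= SYN_FLOOD_THRESHOLD:
            alerts["syn_flood"].append(f"{dst}:{dport} {n} SYN-only segments")
    for (src, dst, ip_id), frags in datagrams.items():
        if fragments_overlap(frags):
            alerts["teardrop"].append(f"{src} -> {dst} id={ip_id}")
    return dict(alerts)


def constructed_capture() -> List[dict]:
    """Constructed packet records: benign traffic plus one instance of each attack."""
    pkts = [{"proto": "icmp", "type": "echo-request", "src": "10.0.0.5", "dst": "10.0.0.1", "total_len": 84}]
    # benign fragmented datagram: second fragment starts exactly where the first ends
    pkts += [{"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.1", "ip_id": 7, "frag_offset": 0, "frag_len": 1480},
             {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.1", "ip_id": 7, "frag_offset": 1480, "frag_len": 520}]
    # ping of death: reassembled size beyond the 16-bit limit
    pkts.append({"proto": "icmp", "type": "echo-request", "src": "203.0.113.9", "dst": "10.0.0.1", "total_len": 65550})
    # smurf: echo request to the broadcast address, source spoofed as the intended victim
    pkts.append({"proto": "icmp", "type": "echo-request", "src": "10.0.0.1", "dst": "10.0.0.255", "total_len": 84})
    # teardrop: second fragment begins inside the first
    pkts += [{"proto": "udp", "src": "203.0.113.9", "dst": "10.0.0.1", "ip_id": 99, "frag_offset": 0, "frag_len": 36},
             {"proto": "udp", "src": "203.0.113.9", "dst": "10.0.0.1", "ip_id": 99, "frag_offset": 24, "frag_len": 40}]
    # SYN flood: many SYNs from different spoofed sources, no ACK ever follows
    for i in range(60):
        pkts.append({"proto": "tcp", "src": f"198.51.100.{i}", "dst": "10.0.0.1", "dport": 80, "flags": "S"})
    # WinNuke: urgent (out-of-band) data to the NetBIOS session port
    pkts.append({"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.1", "dport": 139, "flags": "PAU"})
    return pkts


if __name__ == "__main__":
    for name, hits in analyse(constructed_capture()).items():
        print(name, hits)
```

Each signature maps to a protection step from the list later in these notes: oversized and overlapping datagrams are dropped by router filters and patched reassembly code, directed-broadcast echo is blocked at the border, and SYN-only counts are the baseline metric that SYN-flood patches and quota systems act on.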

Fig: DoS Attack


Tools Used to Launch DoS Attack:
Jolt2: A major vulnerability has been discovered in Windows' networking code. The vulnerability allows
remote attackers to cause a DoS attack against Windows-based machines - the attack causes the target
machine to consume 100% of the CPU time on processing of illegal packets.
Nemesy: This program generates random packets of spoofed source IP to enable the attacker to launch
DoS attack.
Targa: It is a program that can be used to run eight different DoS attacks. The attacker has the option to
launch either individual attacks or try all the attacks until one is successful.
Crazy Pinger: This tool could send large packets of ICMP to a remote target network.
Some Trouble: It is a remote flooder and bomber. It is developed in Delphi.

DDoS ATTACKS:

• In a DDoS attack, an attacker may use your computer to attack another computer. By taking
advantage of security vulnerabilities or weaknesses, an attacker could take control of your
computer.
• The attacker could then force your computer to send huge amounts of data to a website or send Spam
to particular E-Mail addresses. The attack is "distributed" because the attacker is using multiple
computers, including yours, to launch the DoS attack.
• A DDoS attack is a distributed DoS wherein a large number of zombie systems are synchronized
to attack a particular system. The zombie systems are called "secondary victims" and the main
target is called the "primary victim."

Tools used to launch DDoS attack:


Trinoo: It is a set of computer programs to conduct a DDoS attack. It is believed that Trinoo networks
have been set up on thousands of systems on the Internet that have been compromised by a remote buffer
overrun exploit.
Tribe Flood Network (TFN): It is a set of computer programs to conduct various DDoS attacks such as
ICMP flood, SYN flood, UDP flood and Smurf attack.
Stacheldraht: It is written by Random for Linux and Solaris systems and acts as a DDoS agent. It
combines features of Trinoo with TFN and adds encryption.
Shaft: This network looks conceptually similar to Trinoo; it is a packet flooding attack and the client
controls the size of the flooding packets and the duration of the attack.
MStream: It uses spoofed TCP packets with the ACK flag set to attack the target. Communication is not
encrypted and is performed through TCP and UDP packets. Access to the handler is password protected.
This program has a feature not found in other DDoS tools: it informs all connected users of access,
successful or not, to the handler(s) by competing parties.

HOW TO PROTECT FROM DOS/DDOS ATTACKS:


The Computer Emergency Response Team Coordination Center (CERT/CC) offers many preventive
measures against becoming a victim of a DoS attack:
1. Implement router filters.
2. If such filters are available for your system, install patches to guard against TCP SYN flooding.
3. Disable any unused or inessential network service. This can limit the ability of an attacker to take
advantage of these services to execute a DoS attack.
4. Enable quota systems on your OS if they are available.
5. Observe your system's performance and establish baselines for ordinary activity. Use the baseline to
gauge unusual levels of disk activity, central processing unit (CPU) usage or network traffic.
6. Routinely examine your physical security with regard to your current needs.
7. Use Tripwire or a similar tool to detect changes in configuration information or other files.
8. Invest in and maintain "hot spares": machines that can be placed into service quickly if a similar
machine is disabled.
9. Invest in redundant and fault-tolerant network configurations.
10. Establish and maintain regular backup schedules and policies, particularly for important configuration
information.
11. Establish and maintain appropriate password policies, especially for access to highly privileged accounts
such as Unix root or Microsoft Windows NT Administrator.
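Item 7 above (Tripwire-style change detection) and the earlier remark that a good antivirus finds a stealth virus by checking the areas it must have touched rest on the same mechanism: record a trusted baseline of file hashes and compare against it later. The following is an added example, not code from the original notes and not Tripwire itself; the directory, its files and the simulated infection are all constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk `root` and record size and SHA-256 for every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = {"size": p.stat().st_size, "sha256": hash_file(p)}
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Return files added, removed or modified since the baseline. A file is
    reported as modified on a hash mismatch even when its size is unchanged, so
    an infector that pads a file back to its original length is still caught."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(rel for rel in set(current) & set(baseline)
                      if current[rel]["sha256"] != baseline[rel]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate an infection that
    overwrites one program file (keeping its size) and drops a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"ORIGINAL-CODE-0001")
        (root / "config.ini").write_bytes(b"mode=safe\n")
        baseline = build_baseline(root)
        # Simulated infection: same length as the original, different bytes.
        (root / "bin" / "app.exe").write_bytes(b"INFECTED-CODE-0001")
        (root / "bin" / "dropper.dll").write_bytes(b"payload")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored where the monitored host cannot rewrite it (read-only media or a separate system), and re-taken only after each legitimate, reviewed change; otherwise a rootkit that can alter files can also alter the record of what they should look like.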

Tools for detecting DoS/DDoS attacks:
Zombie Zapper: It is a free, open-source tool that can tell a zombie system flooding packets to stop
flooding. It works against Trinoo, TFN and Stacheldraht. It assumes the various defaults used by these
attack tools are still in place; if so, it allows you to put the zombies to sleep.
Remote Intrusion Detector (RID): It is a tool developed in the "C" computer language, which is a highly
configurable packet snooper and generator. It works by sending out packets defined in the config.txt file,
then listening for appropriate replies. It detects the presence of Trinoo, TFN or Stacheldraht clients.
Security Auditor's Research Assistant (SARA): It gathers information about remote hosts and
networks by examining network services. This includes information about the network information
services as well as potential security flaws such as incorrectly set up or configured network services.
Find_DDoS: It is a tool that scans a local system that likely contains a DDoS program. It can detect
several known DoS attack tools.
DDoSPing: It is a remote network scanner for the most common DDoS programs. It can detect Trinoo,
Stacheldraht and Tribe Flood Network programs running with their default settings.

SQL INJECTION:

• Structured Query Language (SQL) is a database computer language designed for managing data
in relational database management systems (RDBMS).
• SQL injection is a code injection technique that exploits a security vulnerability occurring in the
database layer of an application.
• SQL injection attacks are also known as SQL insertion attacks.
• The vulnerability is present when user input is either filtered incorrectly for string literal escape
characters embedded in SQL statements or user input is not strongly typed and is thereby
unexpectedly executed.
• It is an instance of a more general class of vulnerabilities that can occur whenever one
programming or scripting language is embedded inside another.
• Attackers target SQL servers, the common database servers used by many organizations to store
confidential data. The prime objective behind an SQL injection attack is to obtain the information
while accessing a database table that may contain personal information such as credit card
numbers, social security numbers or passwords.
• During an SQL injection attack, malicious code is inserted into a web form field or the website's
code to make a system execute a command shell or other arbitrary commands.
• Just as a legitimate user enters queries and additions to the SQL database via a web form, the
attacker can insert commands to the SQL server through the same web form field.

Steps for SQL Injection Attack:


Following are some steps for an SQL injection attack:
Step 1: Finding a vulnerable website:
◦ Find the vulnerable websites (hackable websites) using a Google Dork list.
◦ A Google dork is a search for vulnerable websites using Google search tricks.
◦ Use the "inurl:" operator for finding the vulnerable websites.
Some examples:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=
How to use?
Copy one of the above commands and paste it in the Google search box.
Hit enter.
You get a list of websites.
We have to visit the websites one by one to check for the vulnerability.
Step 2: Checking the vulnerability:
◦ Now we should check the vulnerability of the websites.
◦ In order to check the vulnerability, add a single quote (') at the end of the URL and hit
enter.
For example:
http://www.victimsite.com/index.php?id=2'
◦ If the page remains the same, shows "page not found" or shows some other
webpage, then it is not vulnerable.
◦ If it shows any error related to the SQL query, then it is vulnerable.
Step 3: Finding the number of columns:
◦ Now we have found that the website is vulnerable.
◦ The next step is to find the number of columns in the table.
◦ For that, replace the single quote (') with an "order by n" statement.
◦ Change n from 1, 2, 3, 4, 5, 6, ... n until you get an error like "unknown column".
For example:
http://www.victimsite.com/index.php?id=2 order by 1
http://www.victimsite.com/index.php?id=2 order by 2
http://www.victimsite.com/index.php?id=2 order by 3
http://www.victimsite.com/index.php?id=2 order by 4
...
http://www.victimsite.com/index.php?id=2 order by 8 (error)
So now x=8, and the number of columns is x-1, i.e., 7.
Step 4: Displaying the vulnerable columns:
◦ Using "union select columns_sequence" we can find the vulnerable part of the table.
Replace the "order by n" with this statement.
◦ And change the id value to negative.
◦ Replace the columns_sequence with the numbers from 1 to x-1 (number of columns) separated
by commas (,).
For example:
If the number of columns is 7, then the query is as follows:
http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--

Blind SQL Injection:

 Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker.
 The page with the vulnerability may not be the one that displays data; however, it will display differently depending on the result of a logical statement injected into the legitimate SQL statement called for that page.
 This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information have been established.
Using SQL injections, attackers can do the following:
1. Obtain some basic information if the purpose of the attack is reconnaissance
 To get a directory listing
 To ping an IP address
2. Gain access to the database by obtaining usernames and their passwords
 To get a user listing using the SELECT command.
3. Add new data to the database
 Execute the INSERT command: This may enable selling politically incorrect items on an E-Commerce website.
4. Modify data currently in the database
 Execute the UPDATE command: May be used to have an expensive item suddenly be deeply "discounted."

Tools used for SQL Server penetration:

AppDetectivePro: It is a network-based discovery and vulnerability assessment scanner that discovers database applications within the infrastructure and assesses their security strength. It locates, examines, reports and fixes security holes and misconfigurations, as well as identifying user rights and privilege levels, based on its security methodology and an extensive knowledge base of application-level vulnerabilities.
DbProtect: It enables organizations with complex, heterogeneous environments to optimize database
security, manage risk and bolster regulatory compliance. It integrates database asset management,
vulnerability management, audit and threat management, policy management, and reporting and analytics
for a complete enterprise solution.
Database Scanner: It is an integrated part of Internet Security Systems' (ISS) Dynamic Threat Protection
platform that assesses online business risks by identifying security exposures in the database applications.
Database scanner offers security policy generation and reporting functionality, which instantly measures
policy compliance and automates the process of securing critical online business data.
SQLPoke: It is an NT-based tool that locates Microsoft SQL (MSSQL) servers and tries to connect with the default System Administrator (SA) account. A list of SQL commands is executed if the connection is successful.
NGSSQLCrack: It can guard against weak passwords that make the network susceptible to attack. This
is a password cracking utility for Microsoft SQL server 7 and 2000 and identifies user accounts with
weak passwords so that they can be reset with stronger ones, thus, protecting the overall integrity of the
system.
Microsoft SQL Server Fingerprint (MSSQLFP) Tool: This is a tool that performs version fingerprinting on Microsoft SQL Server 2000, 2005 and 2008, using well-known techniques based on several public tools that identify the SQL Server version; it can also be used to identify vulnerable versions of Microsoft SQL Server.

How to Prevent SQL Injection Attacks / Minimum Countermeasures that can be implemented to prevent SQL injection attacks:

SQL injection attacks occur due to poor website administration and coding. The following steps
can be taken to prevent SQL injection.
1. Input validation:
 Replace all single quotes with two single quotes (escape quotes).
 Sanitize the input: User input needs to be checked and cleaned of any characters or strings that could possibly be used maliciously. For example, character sequences such as ; , --, select, insert and xp_ can be used to perform an SQL injection attack.
 Numeric values should be checked while accepting a query string value. The IsNumeric() function in Active Server Pages (ASP) should be used to check these numeric values.
 Keep all text boxes and form fields as short as possible to limit the length of user input.
2. Modify error reports:
 SQL errors should not be displayed to outside users and to avoid this, the developer should handle
or configure the error reports very carefully.
 These errors sometimes display the full query, pointing to the syntax error involved, and the attacker can use this for further attacks.
3. Other preventions:
 The default system accounts for SQL server 2000 should never be used.
 Isolate database server and web server. Both should reside on different machines.
 Attackers most often make use of extended stored procedures such as xp_cmdshell and xp_grantlogin in SQL injection attacks, so access to such procedures should be restricted.
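
As an added example (not part of these notes), the following Python code uses an in-memory SQLite table to show why the probes in Steps 2 and 3 above work against a query built by string concatenation, and how countermeasure 1 (a strict numeric check, the IsNumeric() idea) combined with parameter binding stops them before the value reaches SQL. The articles table, its rows and all function names are constructed here.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the page's index.php?id= lookup.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    return conn

def lookup_vulnerable(conn, raw_id):
    # Anti-pattern: the query-string value is concatenated into the SQL text,
    # so a stray quote or an "order by" clause becomes part of the statement.
    sql = "SELECT title FROM articles WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]

ID_PATTERN = re.compile(r"-?\d{1,9}")

def validate_id(raw_id):
    # Stricter form of the page's IsNumeric() check: only an optionally signed
    # decimal integer passes; anything else is rejected before it reaches SQL.
    if raw_id is None or not ID_PATTERN.fullmatch(raw_id.strip()):
        raise ValueError("id must be an integer")
    return int(raw_id)

def lookup_safe(conn, raw_id):
    # Hardened: validate, then bind the value as a parameter so the driver
    # never interprets it as SQL text.
    rows = conn.execute("SELECT title FROM articles WHERE id = ?",
                        (validate_id(raw_id),))
    return [row[0] for row in rows]

def probe(conn, lookup, raw_id):
    # What a caller observes from each version: a leaked SQL error (the signal
    # Step 2 relies on), a validation rejection, or a result list.
    try:
        return ("rows", lookup(conn, raw_id))
    except sqlite3.Error as exc:
        return ("sql_error", type(exc).__name__)
    except ValueError:
        return ("rejected", None)

if __name__ == "__main__":
    db = make_db()
    for raw in ("2", "2'", "2 order by 1", "2 order by 2"):
        print(repr(raw), probe(db, lookup_vulnerable, raw), probe(db, lookup_safe, raw))
```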

BUFFER OVERFLOW:
 Buffer overflow, or buffer overrun, is an anomaly where a process stores data in a buffer outside
the memory the programmer has set aside for it.
 The extra data overwrites adjacent memory, which may contain other data, including program
variables and program flow control data.
 This may result in erratic program behavior, including memory access errors, incorrect results,
program termination or a breach of system security.
 Buffer overflows can be triggered by inputs that are designed to execute code or alter the way the
program operates. They are, thus, the basis of many software vulnerabilities and can be
maliciously exploited.
 Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array.
 Buffer overflow occurs when a program or process tries to store more data in a buffer (temporary
data storage area) than it was intended to hold.
 As buffers are created to contain a finite amount of data, the extra information - which has to go
somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in
them.
 Although it may occur accidentally through programming error, buffer overflow is an
increasingly common type of security attack on data integrity.
 A buffer is a contiguous allocated chunk of memory such as an array or a pointer in C. In C and C++, there is no automatic bounds checking on the buffer, which means a user can write past a buffer.
 For example,
int main(void) {
    int buffer[10];
    buffer[20] = 10;   /* writes ten elements past the end of buffer */
    return 0;
}
 This C program is a valid program and every compiler can compile it without any errors. However, the program attempts to write beyond the memory allocated for the buffer, which might result in unexpected behavior.

Types of Buffer Overflow:

1. Stack-Based Buffer Overflow
2. Heap Buffer Overflow

Stack-Based Buffer Overflow:
Stack buffer overflow occurs when a program writes to a memory address on the program's call
stack outside the intended data structure - usually a fixed length buffer.

Characteristics of Stack-Based Programming:

1. The "stack" is a memory space in which automatic variables (and often function parameters) are allocated.
2. Local variables and function parameters are allocated on the stack (unless they are also declared as "static" or "register") and are not automatically initialized by the system, so they usually contain garbage until they are initialized.
3. Once a function has completed its cycle, the reference to the variable on the stack is removed.
The attacker may exploit stack-based buffer overflows to manipulate the program in various ways by
overwriting:
1. A local variable that is near the buffer in memory on the stack to change the behavior of the program
that may benefit the attacker.
2. The return address in a stack frame. Once the function returns, execution will resume at the return
address as specified by the attacker, usually a user input-filled buffer.
3. A function pointer, or exception handler, which is subsequently executed.
The factors that make such exploits harder to carry out are
1. Null bytes in addresses
2. Variability in the location of shellcode
3. Differences between environments

Shellcode: A shellcode is a small piece of code used as a payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine.

NOPs:

 NOP or NOOP (short form of no operation or no operation performed) is an assembly language instruction/command that effectively does nothing at all.
 The explicit purpose of this instruction is to change nothing: neither status flags nor memory locations. This lets the developer use NOPs to force memory alignment or as placeholders to be replaced by active instructions later on in program development.
 NOP opcode can be used to form an NOP slide, which allows code to execute when the exact
value of the instruction pointer is indeterminate.
 It relaxes the need to know the exact address of the buffer by effectively increasing the size of the target area within the stack buffer.
 The attacker can increase the odds of finding the right memory address by padding his/her code with NOP operations. To do this, much larger sections of the stack are corrupted with the NOOP machine instruction.
 At the end of the attacker-supplied data, after the NOOP instructions, an instruction is placed to
perform a relative jump to the top of the buffer where the shellcode is located.
 This collection of NOOP is referred to as the "NOP sled" because if the return address is
overwritten with any address within the NOOP region of the buffer then it will "slide" down the
NOOP until it is redirected to the actual Malicious Code, by the jump at the end.
 This technique still requires the attacker to guess where on the stack the NOP sled is, but the sled is a much larger target than the small shellcode.
 Owing to the popularity of this technique, many vendors of intrusion prevention system will
search for this pattern of NOOP machine instructions in an attempt to detect shellcode in use.

 It is important to note that an NOP sled does not necessarily contain only traditional NOOP machine instructions; any instruction that does not corrupt the state of the machine to a point where the shellcode will not run can be used in place of the hardware-assisted NOOP.
 As a result, it has become common practice for exploit writers to compose the NOOP sled with randomly chosen instructions that have no real effect on the shellcode's execution.
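
The detection side of the last three points, as an added example that is not part of these notes: a heuristic NOP-sled detector of the kind the text attributes to intrusion prevention systems, written in Python and run over constructed byte payloads. The set of "NOP-equivalent" single-byte instructions, the 32-byte threshold and the sample payloads are all assumptions made here.

```python
# Added example (not from the notes): heuristic NOP-sled detection.
NOP = 0x90

# Assumption: a small constructed set of single-byte 32-bit x86 instructions
# that leave the machine in a state shellcode can still run from, standing in
# for the "NOP-equivalent" instructions the text mentions. Real products use
# much larger tables.
NOP_EQUIVALENTS = frozenset([
    NOP,                        # nop
    *range(0x40, 0x50),         # inc/dec r32
    0x98, 0x99,                 # cwde, cdq
    0xF5, 0xF8, 0xF9, 0xFC,     # cmc, clc, stc, cld
])

def longest_run(payload, accept):
    """(start, length) of the longest run of consecutive bytes with accept(b) true."""
    best_start = best_len = 0
    start = None
    for i, b in enumerate(payload):
        if not accept(b):
            start = None
            continue
        if start is None:
            start = i
        if i - start + 1 > best_len:
            best_start, best_len = start, i - start + 1
    return best_start, best_len

def classify(payload, min_sled=32):
    """'classic' for a run of plain 0x90 bytes, 'polymorphic' for a run drawn
    from NOP_EQUIVALENTS, 'clean' if neither reaches min_sled bytes."""
    if longest_run(payload, lambda b: b == NOP)[1] >= min_sled:
        return "classic"
    if longest_run(payload, lambda b: b in NOP_EQUIVALENTS)[1] >= min_sled:
        return "polymorphic"
    return "clean"

# Constructed samples; the tails are zero filler, not shellcode.
SAMPLE_CLASSIC = bytes([NOP]) * 64 + b"\x00" * 16
SAMPLE_MIXED = bytes([0x40, 0x48, 0x99, NOP, 0xF8, 0x4F]) * 12 + b"\x00" * 16
SAMPLE_BENIGN = b"GET /index.php?id=2 HTTP/1.1\r\nHost: www.example.com\r\n"
# Caveat: 'A'..'O' are 0x41..0x4F, so a long run of uppercase text trips the
# mixed heuristic; min_sled has to be tuned to the traffic being inspected.
SAMPLE_FALSE_POSITIVE = b"A" * 40

if __name__ == "__main__":
    for name, sample in [("classic", SAMPLE_CLASSIC), ("mixed", SAMPLE_MIXED),
                         ("benign", SAMPLE_BENIGN), ("text", SAMPLE_FALSE_POSITIVE)]:
        print(f"{name}: {classify(sample)}")
```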

Heap Buffer Overflow:


 Heap buffer overflow occurs in the heap data area and may be introduced accidentally by an
application programmer, or it may result from a deliberate exploit.
 In either case, the overflow occurs when an application copies more data into a buffer than the
buffer was designed to contain. A routine is vulnerable to exploitation if it copies data to a buffer
without first verifying that the source will fit into the destination.

Characteristics of Heap-based programming:


1. The "heap" is a "free store", that is, a memory space where dynamic objects are allocated.
2. The heap is the memory space that is dynamically allocated by the new(), malloc() and calloc() functions; it is different from the memory space allocated for the stack and the code.
3. Dynamically created variables are created on the heap, are initialized to zeros before the program uses them, and stay in memory until the life cycle of the object has completed.
4. Memory on the heap is dynamically allocated by the application at run-time and normally
contains program data.
5. Exploitation is performed by corrupting this data in specific ways to cause the application to
overwrite internal structures such as linked list pointers.
6. The canonical heap overflow technique overwrites dynamic memory allocation linkage and uses
the resulting pointer exchange to overwrite a program function pointer.

How to Minimize Buffer Overflow:


Although it is difficult to prevent all possible attacks, the following methods will definitely help
to minimize such attacks:
1. Assessment of secure code manually: Buffer overflow occurs when a program or process tries to
store more data in a buffer than it was intended to hold. Developers should be educated about minimizing
the use of vulnerable functions available in C library, such as strcpy(), strcat(), sprintf() and vsprintf(),
which operate on null-terminated strings and perform no bounds checking. Input validation after a scanf() call that reads user input into a buffer is essential.
2. Disable stack execution: Malicious code is supplied as an input argument to the program, so it resides on the stack and not in the code segment. If the stack is made non-executable, any code that attempts to execute other code residing on the stack causes a segmentation violation. Therefore, the simplest solution is to prevent the stack from executing any instructions.
3. Compiler tools: Over the years, compilers have become more and more aggressive in optimizations
and the checks they perform. Various compiler tools already offer warnings on the use of unsafe
constructs such as gets(), strcpy(), etc. Developers should be educated to restructure the programming
code if such warnings are displayed.
4. Dynamic run-time checks: In this scheme, an application has restricted access to prevent attacks. This method primarily relies on the safety code being preloaded before an application is executed. This preloaded component can either provide safer versions of the standard unsafe functions or it can ensure that return addresses are not overwritten. One example of such a tool is libsafe. The libsafe library provides a way to secure calls to these functions, even if the function is not available.

5. Various tools used to detect/defend against buffer overflows:
StackGuard- It is a compiler approach for defending programs and systems against "stack-smashing" attacks. These attacks are the most common form of security vulnerability. Programs that have been compiled with StackGuard are largely immune to stack-smashing attacks.
ProPolice- The stack protection provided by ProPolice is specifically for the C and C++ languages.
LibSafe- Libsafe protection is system wide and automatically gets attached to the applications. It is based
on a middleware software layer that intercepts all function calls made to library functions known to be
vulnerable.
