
http://www.certiology.com/tutorials.html

Ethical Hacking Tutorial

Ethical hacking is performed by highly skilled computer experts. These experts use their knowledge
of programming to find vulnerabilities in computer systems. They are often referred to as white
hats; the people who partake in unethical hacking are called black hats.

These black hats exploit vulnerabilities in systems. They use those weaknesses for mischievous
purposes in order to gain something for themselves or to cause mayhem. The ethical hackers
evaluate the weaknesses. They locate and point them out in order to suggest what changes can be
made to avoid black hats. Companies use ethical hackers on a consultant or full-time employee
basis. These companies want to make sure that their systems are safe and secure.

Though white hats penetrate computer systems, they are still ethical. They work on the side of
good to help create a stronger and safer system. They know how to spot the weak points and
places where black hats could penetrate a system. Using that knowledge, they are able to assist
companies in creating more protected systems.

If a white hat can break into a computer system and alter its security protocols, then so can a
black hat. The main goal of ethical hacking is to figure out how a hacker can cause chaos with
the current programs running on a specific computer system. These hackers only do so if they are
asked by companies. From there, these hackers can explain to companies how they can upgrade
their systems and prevent the wrong people from hacking them.

Most people enter the ethical hacking field because they are computer savvy, have extensive
education in computer science, or for various other reasons. In some instances, people have been
recruited as white hats after being black hats. Some black hats have served jail time for their
malicious behavior; after doing so, they have been hired to put their computer knowledge to more
productive use.

As the need for Internet usage increases, security becomes a bigger issue. The need for ethical
hackers has grown in order to protect people from unethical ones. Most people involved in
hacking have simply learned from experience. As with many subject areas, computer knowledge
can also be obtained through formal education. Ethical hackers must be able to discover every
outcome that can occur if a system becomes hacked by black hats. They need to be creative and
think in innovative ways.

Tutorials in this series:

- Denial of Service (DoS)

- What is Ethical Hacking

- Footprinting and Reconnaissance

- Scanning Networks

- Trojans and Backdoors

- Enumeration Hacking Phase

- Sniffers

- Social Engineering

- Session Hijacking in Ethical Hacking

- How to hack a web server

DoS: Denial of Service

A Denial of Service attack, commonly known as DoS, is an attack a hacker makes on a computer or
on network resources so that genuine users can no longer access them.

The main goal is to deprive everyone of the use of the network resources. This is achieved by
flooding the victim or target computer with unwanted requests and processes, which exhaust the
victim's resources (CPU and memory) so that it either crashes or becomes very slow for others to
access.

Indication of DoS attack

- Resource unavailability

- Unable to access a website

- Slowness / delay in using or opening apps

- Many spam emails

DoS targets

Webservers: The company's website is hosted on a webserver, and every company or organization
wants that site to be up and running at all times so customers can access it. With a DoS attack
the site can be taken down, and the downtime could lead to loss of revenue or even loss of
reputation in the market, since it shows the company is prone to such attacks.

Compromise a Database / Backend resource: A DoS attack can also bring down the database, for
example by sending it many queries, which makes the DB slow or hang and in the worst case crash.
An end customer retrieving data through a website will then not get results, because the database
is slow or down.

Compromise a Network or Server: At times there are internal employees with a negative mentality
who may harm the servers and network from inside. The network or server can also be attacked from
outside, causing slowness in accessing data and in authenticating users, thus depriving all
genuine users of the ability to log in.

Types of DoS Attacks

Service Request Floods: This means sending requests to a server or application continuously to
keep it occupied and run it short of resources. It is similar to someone calling your phone
continuously so that nobody else can reach you. The attacker can do this by sending continuous
TCP connect requests to keep the resources occupied; when the resources are finally exhausted,
genuine requests are dropped.

SYN Flood: In this attack the SYN packet is sent with a fake source address, exploiting the
three-way handshake mechanism. When a fake SYN packet reaches the victim, the victim sends a
SYN+ACK and then waits for the ACK. Since the source address is fake, the connection is never set
up and the victim / server is held waiting for an ACK from the sender (the attacker), thus eating
up resources.

ICMP Flood: ICMP works by checking the request and then responding back to the sender. This
process occupies some CPU, but if the pinging is done by multiple systems continuously, the CPU
of the server being pinged goes high. Attacks known as smurf attacks or ICMP floods cause the
server to slow down by sending ICMP floods without waiting for the server's responses.

Ping of Death: Here a ping packet larger than 64KB, which is larger than the allowable size of a
ping packet, is sent to a victim to slow it down and stop it processing other requests. In
today's world this is not much of a threat because most companies block ping, but it was a
popular mechanism in the 1990s.

Smurf attack: Here the IP address of the target is spoofed as the source and many ICMP echo
requests are sent to the broadcast addresses of different networks. The hosts that receive the
broadcast all reply to the spoofed address, i.e. the target, overwhelming it with responses. This
also clogs the network with the many responses converging on one victim machine.

Application Level attacks: These attacks cause loss of services such as email and network access,
preventing access to data, etc.

Permanent DoS attack: The term phlashing is used for a permanent DoS attack. The damage is
irreversible, as it harms the system hardware: the attacker sends firmware that the hardware
tries to install as an update, leaving it in a bad state.
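Seen from the defender's side, the SYN flood and service-request flood described above leave a characteristic trace: many handshakes that start but never finish. The following Python script is an added example written for this page, not code from the tutorial; it builds a constructed packet trace (10.0.0.x clients and a spoofed 203.0.113.0/24 block, all documentation addresses standing in for real ones) and shows why counting half-open connections per destination catches what a per-source rate limit misses.

```python
"""Detecting a SYN flood from a trace of TCP handshake packets (added example)."""
from collections import defaultdict

# Constructed sample trace: (seconds, source IP, "dst:port", flag).
# "S" is the client's SYN, "A" the final ACK that completes the handshake.
SAMPLE_PACKETS = []
# Five ordinary clients (10.0.0.x) each complete the three-way handshake.
for i in range(5):
    t = i * 0.2
    SAMPLE_PACKETS.append((t, f"10.0.0.{i + 1}", "192.0.2.10:80", "S"))
    SAMPLE_PACKETS.append((t + 0.05, f"10.0.0.{i + 1}", "192.0.2.10:80", "A"))
# The flood: 300 SYNs with forged sources (203.0.113.0/24 stands in for random
# spoofed addresses) that never send the final ACK, so each one stays half-open.
for i in range(300):
    SAMPLE_PACKETS.append((1.0 + i * 0.005, f"203.0.113.{i % 254 + 1}", "192.0.2.10:80", "S"))


def handshake_stats(packets):
    """Per destination: SYNs seen, handshakes completed, and still half-open."""
    pending = defaultdict(int)  # (src, dst) -> SYNs still waiting for their ACK
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "half_open": 0})
    for _ts, src, dst, flag in sorted(packets):
        if flag == "S":
            pending[(src, dst)] += 1
            stats[dst]["syn"] += 1
        elif flag == "A" and pending[(src, dst)] > 0:
            pending[(src, dst)] -= 1
            stats[dst]["completed"] += 1
    for (_src, dst), n in pending.items():
        stats[dst]["half_open"] += n
    return dict(stats)


def detect_syn_flood(packets, max_half_open=100, min_completion=0.5):
    """Flag destinations with many half-open connections or a low completion ratio.

    Both thresholds are illustrative; tune them to the server's normal traffic.
    """
    flagged = {}
    for dst, s in handshake_stats(packets).items():
        ratio = s["completed"] / s["syn"] if s["syn"] else 1.0
        if s["half_open"] > max_half_open or ratio < min_completion:
            flagged[dst] = {**s, "completion_ratio": round(ratio, 3)}
    return flagged


def busiest_sources(packets, top=3):
    """SYN count per source. With spoofed sources every address looks quiet,
    which is why a per-source rate limit alone does not catch this flood."""
    counts = defaultdict(int)
    for _ts, src, _dst, flag in packets:
        if flag == "S":
            counts[src] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


if __name__ == "__main__":
    print("flagged destinations:", detect_syn_flood(SAMPLE_PACKETS))
    print("busiest sources (SYNs):", busiest_sources(SAMPLE_PACKETS))
```

Run it directly to print the flagged destination and the flat per-source counts. In a real deployment the same counters come from the server's connection table or from a sensor in front of it; once the condition is detected, SYN cookies and shorter SYN-RECEIVED timeouts are the usual mitigations on the server side.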

Buffer Overflow

This DoS technique makes use of a flaw in a program's code and feeds it more data than the
program's buffer or memory can hold. When the program's buffer overflows, the excess input that
gets written causes the system to crash or results in other security issues. This also serves the
main goal of DoS, which is to make the program unusable by anyone else, thus denying the service.

DDoS: Distributed Denial of Service

This form of DoS is similar but more powerful, as it is carried out from many other systems and
not just one. The goal is the same, but the impact can be devastating as several attacking
systems go after a single victim.

In DDoS the attacker uses distributed systems to attack the victim. See the figure below.

The process of a DDoS attack goes like this:

- The master computer or handler is infected with DDoS software, also known as a bot.

- The bot then searches for clients on the victim's network to turn into potential slaves that
will take part in the DoS attack. These victims are called slaves or zombies.

- After infecting the handler system and having the zombies ready and listening to the master or
handler, the attacker identifies a target and asks the handler to launch the attack.

- The attack from the handler goes through these zombies to the victim.

Botnets creation tools

- Plugbot

- Poison Ivy

- LOIC ( Low Orbit Ion Cannon)

- Shark

The tools below are used for DoS attacks:

UDP Flood: Generates UDP packets for a specific destination.

DoSHTTP: An HTTP-based DoS tool, used to target URLs.

Jolt2: This is a tool that uses IP packet fragmentation to cause the attack. Many fragmented
packets are sent to a Windows host.

The tools below are used for DDoS attacks:

LOIC: This is a very popular tool. Its full form is Low Orbit Ion Cannon.

Trinoo: This tool is used to attack one or more IPs using UDP flooding.

TFN2K: Based on Tribe Flood Network, this tool performs UDP and SYN flood attacks.

[Figure: LOIC, info from Wikipedia; image not reproduced]

Once you set the target IP and threads, with TCP or UDP as the method, you can click the button
at the top to start the flood and check the packets using Wireshark.

DoS Countermeasures

- Disable unnecessary services: By disabling unnecessary services you make the system less prone
to attacks. Attackers usually try to make use of services or ports that you are unaware of and
install bots on the systems through them.

- Use anti-malware: Tools like anti-malware can be of great help, since they prevent malware from
being installed, detect files that are infected, and help in cleaning them.

- Filter inbound and outbound traffic: DoS and DDoS attacks can be limited by blocking packets
with spoofed IP addresses coming from a particular source.

- Absorb the attack: This is an expensive way to avoid damage. It means your equipment, i.e.
servers and network, has more capacity than the attacker can send, so the devices can absorb the
attack without any downtime.

- Service degradation: This is a kind of counterattack by keeping quiet. If a service experiences
an attack, it can be degraded or shut down immediately and automatically; this makes the attack
harder, and the attacker loses interest or needs to do more work.

Countermeasures for Botnets

- Black hole filtering: This is a place or null route on a system to which malicious traffic is
sent so that it does not affect the actual system. Traffic reaching such a destination is dropped
and has no adverse effect on the system.

- Filtering based on source IP reputation: Based on the history of traffic flows, technologies
like Cisco IPS can filter traffic by checking which sources are genuine and which are new against
the history of communication.
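The filtering countermeasures above (dropping spoofed sources at the border, black-holing traffic to a victim, and reputation-based filtering) can be expressed as one packet-classification rule set. The Python below is an added example, not code from the tutorial or any vendor; the prefixes, blocklist and sample flows are constructed (TEST-NET-1 stands in for the organization's own public prefix), and the ingress/egress source checks follow the BCP 38 idea that a packet's source address must be plausible for the interface it arrives on.

```python
"""Border filtering against spoofed, bogon, black-holed and bad-reputation traffic (added example)."""
import ipaddress
from collections import Counter

# Constructed topology: the organization's own public prefix (TEST-NET-1 stands in for it).
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
# Source ranges that should never arrive on the Internet-facing interface.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# Constructed reputation blocklist (stand-in for a feed of known botnet / scanner ranges).
BAD_REPUTATION = [ipaddress.ip_network("203.0.113.0/24")]
# Destinations currently null-routed (black-hole filtering): traffic to them is discarded at the edge.
BLACK_HOLED = {ipaddress.ip_address("192.0.2.99")}


def _in_any(ip, nets):
    return any(ip in n for n in nets)


def filter_packet(direction, src, dst):
    """Return 'accept' or 'drop:<reason>' for one packet seen at the border.

    direction is 'in' (from the Internet towards us) or 'out' (leaving our network).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip in BLACK_HOLED:
        return "drop:blackhole"
    if direction == "in":
        if _in_any(src_ip, OUR_PREFIXES):        # our own addresses cannot come from outside
            return "drop:spoofed-internal-source"
        if _in_any(src_ip, BOGONS):              # private/reserved space is not routable here
            return "drop:bogon"
        if _in_any(src_ip, BAD_REPUTATION):      # history says this range misbehaves
            return "drop:reputation"
    elif direction == "out":
        if not _in_any(src_ip, OUR_PREFIXES):    # egress filter: no spoofing from inside
            return "drop:spoofed-egress"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return "accept"


# Constructed sample flows: (direction, source, destination).
SAMPLE_FLOWS = [
    ("in",  "198.51.100.7",  "192.0.2.10"),    # ordinary external client
    ("in",  "192.0.2.55",    "192.0.2.10"),    # our own prefix arriving from outside: spoofed
    ("in",  "10.4.4.4",      "192.0.2.10"),    # RFC 1918 source on the Internet side: bogon
    ("in",  "203.0.113.200", "192.0.2.10"),    # listed range
    ("in",  "198.51.100.9",  "192.0.2.99"),    # victim host currently null-routed
    ("out", "192.0.2.20",    "198.51.100.7"),  # legitimate outbound
    ("out", "198.51.100.77", "198.51.100.7"),  # inside host spoofing someone else's address
]


def apply_filter(flows=SAMPLE_FLOWS):
    return [(src, dst, filter_packet(d, src, dst)) for d, src, dst in flows]


def summary(flows=SAMPLE_FLOWS):
    """Count of packets per verdict, the kind of figure a firewall report shows."""
    return Counter(action for _, _, action in apply_filter(flows))


if __name__ == "__main__":
    for src, dst, action in apply_filter():
        print(f"{src:>15} -> {dst:<15} {action}")
    print(summary())
```

Note the order of the checks: the black-hole rule comes first because once a victim is null-routed, every packet to it is discarded regardless of source, which is exactly the trade-off of that countermeasure (the victim host is unreachable, but the rest of the network stays up).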

What is Ethical Hacking?

The phrase Ethical Hacking sounds contradictory: how can hacking be ethical? But many have the
misconception that hacking is bad and hackers are bad people.

Hackers are actually experts who help in solving issues, and crackers are the ones on the dark
side who use their knowledge in a negative way.

Ethical hackers have the skills of a cracker and use those skills positively and in a legal
manner; that is why they are known as ethical hackers.

Ethical hackers are usually employed to do penetration testing, or pen testing, i.e. identifying
security threats and vulnerabilities and then suggesting countermeasures. Ethical hackers use
their skills to defend systems from malicious hackers or crackers.

There are these types of hackers in the industry:

1. White Hat Hacker: The positive people, the good person / ethical hacker. They hack with the
knowledge of the data owner. The main aim is to look for vulnerabilities and have them fixed.

2. Black Hat Hacker: The negative people, the bad person / malicious hacker. They hack without
the knowledge of the owner, with the intent to cause financial or other loss, such as destroying
information.

3. Gray Hat Hacker: Mixed; depending on the situation they can be good or bad at times. You never
know how they work and when they may act differently. They can also be former black hats who now
work as white hats.

Information security comprises these main elements:

Confidentiality: This means keeping information confidential, i.e. not disclosed to unintended
users.

Integrity: This means avoiding the data being manipulated by someone in the middle. It describes
the trustworthiness of the data.

Authenticity: Only authenticated users should be able to access the resources. The use of digital
certificates, biometrics, etc. is part of authenticity.

Availability: This means having continuous access to a resource; it should not be interrupted
when required. For example, you need to access a web server, but if it is compromised and does
not allow you to access it, you are being deprived of its availability.
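Integrity is the element most easily shown in code. The following Python is an added example written for this page, not the tutorial's own: it protects a message with an HMAC under a shared key so that manipulation in the middle is detected, and contrasts it with an unkeyed hash, which an intermediary can simply recompute. The message and key are constructed.

```python
"""Integrity protection with a keyed MAC versus a bare hash (added example)."""
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(key: bytes, message: bytes) -> bytes:
    """Frame = message || HMAC-SHA256(key, message)."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, frame: bytes):
    """Return the message if its tag verifies under `key`, otherwise None."""
    if len(frame) < TAG_LEN:
        return None
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest takes the same time whether or not the tags match,
    # so an attacker learns nothing from how quickly a bad tag is rejected.
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def unkeyed_frame(message: bytes) -> bytes:
    """The weak alternative: message || SHA-256(message), no secret involved."""
    return message + hashlib.sha256(message).digest()


def unkeyed_check(frame: bytes) -> bool:
    message, digest = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hmac.compare_digest(digest, hashlib.sha256(message).digest())


def demo():
    """Tamper with a framed message and see what each scheme detects."""
    key = secrets.token_bytes(32)  # shared between the two parties beforehand
    original = b"transfer 100 to account 42"
    modified = b"transfer 900 to account 42"

    keyed = protect(key, original)
    keyed_tampered = keyed.replace(b"100", b"900", 1)  # same length; tag left as is
    mac_results = (verify(key, keyed), verify(key, keyed_tampered))

    # Without a key, whoever alters the message can simply recompute the hash,
    # so the check passes and the integrity "protection" is worthless.
    unkeyed_results = (unkeyed_check(unkeyed_frame(original)),
                       unkeyed_check(unkeyed_frame(modified)))
    return mac_results, unkeyed_results


if __name__ == "__main__":
    mac, unkeyed = demo()
    print("HMAC: original ->", mac[0], "| tampered ->", mac[1])
    print("bare hash: original ->", unkeyed[0], "| recomputed after edit ->", unkeyed[1])
```

The keyed scheme returns the message for the genuine frame and None for the altered one; the bare-hash scheme accepts both, because the secret is what ties the tag to a party rather than to whoever last touched the bytes. The same split is why TLS (the SSL mentioned later on this page) pairs encryption with a MAC or an authenticated cipher rather than a hash alone.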

Ethical Hacking Terminology

Threat: A condition or situation that is prone to a breach of security.

Exploit: Taking advantage of or capitalizing on a bug or vulnerability to gain elevated
privileges or to attack the system for a Denial of Service, etc.

Vulnerability: A defect or flaw in the existing system that can be exploited.

Target of Evaluation (ToE): The resource that is being targeted for the attack.

Attack: After a vulnerability is found, an attack is made to take undue advantage of the weakness
that the vulnerability introduces in the system.

Hacktivism: Promoting a political agenda by hacking, for example by defacing a website, is called
hacktivism.

Zero Day Attack: An attack that is made before the developer has released a patch for the
vulnerability.

Hack Value: The satisfaction, be it financial or emotional, that the hacker gets when he breaks
into a system.

Ethical hacking is not a one-step process; it needs to be done in phases.

Below are the phases of ethical hacking:

1. Reconnaissance

2. Scanning

3. Gaining Access

4. Maintaining Access

5. Covering Tracks

1. Reconnaissance: This is mainly the phase where information is gathered about a target. If the
target company or organization is not aware that information about it is being collected, this is
known as passive reconnaissance or footprinting. Looking for employee details, IP address details
and physical addresses all comes under passive reconnaissance. Gathering information by somehow
getting involved with the target, like pinging their network devices and probing which services
are running, is called active reconnaissance. With active footprinting or reconnaissance there is
a higher chance of being traced than with passive footprinting.

2. Scanning: Making use of the information from the first phase to get more detailed information
about the network. The hacker may use tools to scan or ping sweep the network and collect
information such as the operating system, IP addresses or user accounts.

3. Gaining Access: This builds on the earlier phases, and it is in this phase that most of the
hacking skill comes into play. The flaws, weaknesses or vulnerabilities found in the previous
stages are now exploited to gain access to the target system. Techniques like buffer overflow,
DoS (Denial of Service), session hijacking, etc. are used.

4. Maintaining Access: Once the hacker is into a target system after all the effort of the
previous phases, they would like to maintain access to the system rather than having to
compromise it again every time. Since they want to get into the target system at a future date or
time, they leave something like a backdoor or Trojan on the target system so it can be accessed
easily later.

5. Covering Tracks: This is a very important phase where the hacker wipes their footsteps to be
safe from being caught. They do not want to be tracked by the security team of the target
organization. Log files may be modified or deleted to remove any traces of the hacker entering
the system.

Attacks on the target can be of the following kinds:

1. Operating System Attack: An attack based on a vulnerability in the OS.

2. Application level Attack: An attack on a particular type of application and its weaknesses,
like phishing or session hijacking.

3. Misconfiguration Attack: When a device is not configured correctly, e.g. file permissions not
set properly or an open port left in the application.

4. Shrink wrap code Attack: Code or scripts shipped with the OS to ease the system
administrator's tasks; if such a script has vulnerabilities, it can lead to the system being
compromised.

Information Security Threats

There can be different types of threats to your data, namely:

1. Natural Threats

   1. Floods

   2. Earthquake

   3. Natural disaster

2. Physical Threats

   1. Physical intrusion

   2. Sabotage or espionage

   3. Physical damage to your system

3. Human Threats

   1. Insiders

   2. Hackers

   3. Social Engineering

Further, if we look deeper, information security threats can be on your Network, Host or
Application.

Under each of these there can be different types of threats, like:

Network Threat          | Host Threat             | Application Threat
------------------------|-------------------------|--------------------------
Information Gathering   | Password attack         | Information Disclosure
Sniffing                | Backdoor Attack         | Cryptography attack
Spoofing                | Malware Attack          | Authorization attacks
Session Hijacking       | Physical Security       | Authentication attacks
SQL Injection           | Elevated privileges     | Configuration management
ARP Poisoning           | Target Foot printing    | Data Input validation
Password cracking       | DoS : Denial of Service | Buffer Overflow
DoS : Denial of Service | Unauthorized access     | Phishing

Necessity of Ethical Hacking

Organizations need ethical hackers in order to prevent their networks being compromised by some
other hacker or cracker. This helps them keep the organization's secrets. The ethical hacker
performs proper tests on the network and reports all the loopholes to management, and accordingly
action is taken to prevent any attack from happening.

Incident Management Process

These are processes defined to identify, prioritize, analyze and resolve any incident and to
restore the affected system.

Benefits of Incident Management

- Service quality improvement

- Meet Service availability requirement

- Customer satisfaction improved

- Proactive problem resolving

- Help to deal with future incidents

Security Policies

The organization should have security policies defined as per the standards. Compliance is
checked against these policies, which helps the organization stay secure from many attacks.
Different types of policies can be implemented, such as:

User Account policy: Who can create users, and with what permissions.

Remote Access policy: Whether the organization's network may be accessed from outside the office
premises.

Firewall management policy: How to configure the firewalls and monitor them for any attacks.

Network connection policy: Who has authority to configure the network, and with whom IP address
details, network diagrams, etc. may be shared.

Email Security: Email going out of and coming into the organization should be managed.

Password policy: Each organization should enforce this policy so that weak passwords are not used
and the chances of being compromised are reduced.

Penetration Testing and Testing Types

Penetration testing is the mechanism through which the ethical hacker follows all the stages of
hacking and tries to break into the organization's network or system. He basically simulates the
complete attack as an outsider would perform it. Based on the penetration test, documentation is
prepared and reports are shared with management, and measures are taken to avoid any security
breaches.

Types of Testing

Black Box: Testing with no information about the network. You need to start by finding
everything: the IPs, ports, etc. No information is shared, and it is the most difficult type of
testing. This exactly simulates a hacker / cracker trying to get into your network from outside
without any prior information about it. As no information is available to the tester, this takes
a lot of time to complete.

White Box: In this type of testing the hacker or pen tester has knowledge about the network
infrastructure. The information gathering phase is thus bypassed; this method is quick and can
focus directly on the main security aspects.

Gray Box: This is a mix of the two types above: some information is disclosed and some needs to
be found out by the tester. This way an audit can be done to see whether employees have access to
servers, the Internet or any restricted sites, etc.

Footprinting and Reconnaissance Tutorial

Footprinting is the process of collecting as much information as possible about a target system
or network in order to identify different ways of intruding into an organization's network.

The process involves:

- Collecting basic info

- Finding the OS version, webserver edition, etc.

- Getting DNS info using Whois, etc.

- Looking for vulnerabilities and exploits for launching attacks.

It is the first step in ethical hacking and involves collecting info about the target and its
environment. Important information collected in this stage is helpful in the later stages of
ethical hacking.
http://www.certiology.com/tutorials.html

Passive Information Gathering: Using this means, the hacker gets information about the target
from publicly accessible sources; this is also called open source footprinting. In this type of
information gathering no direct contact with the target organization is required, e.g. TV,
newspapers, social networking. Details like IP address boundaries, OS details, webserver software,
and TCP and UDP services on the system can also be collected.

Active Information Gathering: This type of information gathering involves getting data through
social engineering, on-site visits and interview questions, e.g. trying to collect info from an
insider or employee of the target company or organization.

Anonymous Footprinting: Gathering from sources where the author of the information cannot be
identified, and collecting info anonymously so the efforts cannot be traced back to you.

Pseudonymous Footprinting: Collecting info that may have been published under a different name to
preserve privacy: published on the Internet but not directly linked to the author's name, for
example under a pen name.

Private Footprinting: From the organization's websites, emails, calendars, etc.

Internet Footprinting: Collecting info from the Internet.

Why Footprinting

It is very important to understand the current security posture of the organization. Based on
that, you can look for loopholes and plan accordingly.

The attack can then be specific to the area of weakness: IP, DNS, etc.

The attacker can build his own database and use it accordingly for the attack. It can be helpful
for understanding the target's network diagram; tracert is popularly used for this.

Objective of Footprinting

Collect network info: domain name, running services, VPN points, ACLs, etc. using Whois database
analysis and tracert.

Collect system info: user and group names, passwords, routing tables, SNMP.

Collect organization info: employee names, addresses and phone numbers, HTML source code, CEO
name, job skills, etc.

Footprinting Threats

- Social Engineering: Gathering information using non-technical means.

- System and Network Attack

- Information Leakage

- Privacy Loss: Once you access a system and escalate privileges, the organization's privacy is
lost; you can access tenders, etc.

- Corporate Espionage: Competitors can spy in an attempt to steal sensitive data. Competitors can
then launch similar products on the market, causing loss to the original company.

Footprinting Methodology

Through search engines: In today's world almost everyone has registered on some website, and you
may have put your email or phone number on a registration page. Google, Yahoo and Bing are search
engines that can be helpful for finding employee details or intranet pages.

Reconnaissance is also a term that means collecting information about the target before attacking
it.

There are 7 stages of Reconnaissance

1. Gathering Info

2. Locate the network range

3. Identify active machines

4. Find open ports and applications

5. Detect Operating System

6. Fingerprinting services

7. Map the network

Whois is an important tool that can be used to collect information about a target. It gives
information about the domain registrant, domain name servers, contact details, etc. It collects
DNS-related information for a URL.

In Linux this utility is built in, but on Windows you need to use a third-party tool or an online
website such as:

www.samspade.org
www.allwhois.com
www.dnsstuff.com
https://who.is/

See the example below from https://who.is/

Enter the domain name, i.e. the URL or IP address of the webserver.

In this case I will use: serverfather.com

Nslookup is a program to query Internet domain name servers.

Footprinting through Search Engine

The hacker can make use of a search engine to get information about the organization, its
employees, headquarters, etc.

One can go to the organization's Wikipedia page and get some information. They can also browse
images of its offices to understand the physical location and infrastructure, and then use this
information in the next phases of the attack.

We can find URLs for an organization using search engines. Deeper checks may also turn up the
URLs of their FTP servers or intranet.

Location footprinting

Using the features of Google Maps, you can get a more detailed view of the organization and
directions to reach its offices: how the surroundings look, which cafes etc. are nearby from where
the hacker could watch the office reception or premises.

People Search or Footprinting

A hacker can also search for the names of employees working in an organization using LinkedIn,
Facebook, etc. Searching the Internet for an employee's name will also give good information
about him.

People search can also take place using social networking sites like Twitter, Facebook and
LinkedIn, and also job sites.

As we access financial sites these days, even our banking information can be collected by hackers
if they are closely watching the traffic flowing through our network. Thus most financial
institutions use encryption and SSL for such transactions.

Valuable information can also be extracted from a website's pages using the View Source option.

Website footprinting

Using some tools, a hacker can create a clone of your website, i.e. a mirror of your site, and
then send the link to end users and gather their information. One such tool is HTTrack Website
Copier (https://www.httrack.com/).

Email Footprinting

Tools used for email tracking can reveal information from email headers: the IP address, the
location the email came from, etc.

A popular tool is Email Tracker Pro (http://www.emailtrackerpro.com/).
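Email header tracking of the kind described above can be done by hand, and doing it by hand shows its main caveat. The Python below is an added example (not the tutorial's code and not Email Tracker Pro's) that parses the Received: chain of a constructed message whose hops use documentation addresses, reports the claimed origin, and shows which hop is the last one a recipient can actually trust.

```python
"""Reading the Received: chain of an email to find where it came from (added example)."""
import email
import re

# Constructed message: three hops, all on documentation IP ranges.
# Each mail server prepends its own Received: line, so the top line is the
# newest hop and the bottom one is the first server that accepted the message.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.25])
\tby mail.example.com with ESMTPS id abc123
\tfor <alice@example.com>; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example.org (relay.example.org [203.0.113.40])
\tby mx2.example.net with ESMTP id def456;
\tMon, 1 Jan 2024 10:00:03 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.example.org with ESMTPA id ghi789;
\tMon, 1 Jan 2024 10:00:01 +0000
From: Bob <bob@example.org>
To: alice@example.com
Subject: invoice
Message-ID: <20240101@example.org>

Please see the attached invoice.
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Hops oldest first: [{'helo', 'ip', 'by', 'date'}, ...]."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        unfolded = re.sub(r"\r?\n\s+", " ", value)  # undo header line folding
        m = HOP_RE.search(unfolded)
        if not m:
            continue
        ip = IP_RE.search(m.group(0))
        date = unfolded.rsplit(";", 1)[1].strip() if ";" in unfolded else None
        hops.append({"helo": m.group("helo"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by"), "date": date})
    return hops


def originating_ip(raw):
    """IP in the oldest Received: line, i.e. what the message claims as its origin."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None


def last_trusted_hop(raw, trusted_servers):
    """Walk from the newest hop inward while the recording server is one of ours.

    Lines below that point were written by servers we do not control and can be
    forged by the sender, so the returned hop's 'ip' is the last value that can
    be relied on."""
    chain = received_chain(raw)
    last = None
    for hop in reversed(chain):  # newest first
        if hop["by"] not in trusted_servers:
            break
        last = hop
    return last


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print(f"{hop['ip']:>15}  {hop['helo']:<22} -> {hop['by']:<18} {hop['date']}")
    print("claimed origin:", originating_ip(RAW_MESSAGE))
    print("last trusted hop:", last_trusted_hop(RAW_MESSAGE, {"mail.example.com", "mx2.example.net"}))
```

In this constructed message the claimed origin is 192.0.2.77, but that line was written by relay.example.org, a server the recipient does not control; the last value the recipient's own servers vouch for is the relay's address, 203.0.113.40. Any tracking tool that reports "the sender's IP" is really reporting the oldest line it chose to believe.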

Footprinting using Google

Google offers operators through which you can search for specific information. There are many
such Google operators, like:

1. define: Gives the definition of the word you mention.

2. allintitle: Shows results whose title contains the text given after the allintitle operator.

3. filetype: Gives search results of the file type you mention. E.g. filetype:pdf will return
links to PDF files.

4. inurl: Gives results for the text you mention with the operator. E.g. inurl:microsoft will
give links that have microsoft in the URL.

DNS footprinting

A tool like DNSstuff can be helpful in getting DNS-related information for a URL or domain name:
http://www.dnsstuff.com/

Footprinting using Traceroute

Traceroute (tracert on Windows) is the command used to check connectivity to a destination and
the path that packets follow. It sends ICMP packets that are answered first by the nearest hop and
then by each successive hop up to the destination. With this you get the IP address or hostname
of each point in the path.

Path Analyzer Pro (https://www.pathanalyzer.com/) is a GUI tool that is similar to traceroute.

Scanning Networks

Scanning is an important phase, and a hacker needs to have knowledge of operating systems, ports,
protocols and networks.

In this phase the target system is scanned to look for open ports and vulnerabilities. One can
find the reachability of devices using the ping command and then run port scans on the active
IPs. This phase is still part of information gathering, but it is more interesting than the
footprinting phase and begins to give you the feel of hacking.

It is in this phase that we get to know:

- Live systems on the network, by pinging

- The services that run on the target

- The TCP and UDP ports and services

- The operating system running on the target

Types of Scanning

1. Port Scanning : To find open ports and services on target

2. Network Scanning: Find IP address in the network of the target

3. Vulnerability Scanning: Find weakness or vulnerabilities on the target

Port Scanning: In this process the hacker identifies available and open ports and finds out what
services are running. You must understand ports and port numbers. Port numbers fall into these
three ranges:

1. Well-known ports, from 0 to 1023

2. Registered ports, from 1024 to 49151

3. Dynamic ports, from 49152 to 65535

If you are using a Windows system, you can see the common or well-known ports in the file:
C:\Windows\System32\Drivers\etc\services

Some common port numbers are as below:

Port Number | Service
------------|----------------
20 and 21   | FTP
23          | Telnet
25          | SMTP
80          | HTTP
443         | HTTPS
110         | POP3
500         | IPsec: ISAKMP
53          | DNS

Network Scanning: This means looking for active machines or targets on the network. It can be
done using tools or scripts that ping all IP addresses on the network and produce a list of the
live nodes and their IP addresses.

Vulnerability Scanning: This is the mechanism whereby the target is scanned for vulnerabilities.
In this scan the operating system is identified, along with installed patches etc., and based on
that information the vulnerabilities known for that particular version of the operating system
are found.

If you scan a target network that has an Intrusion Detection System (IDS) installed, the hacker
or scanner can easily be traced back. The IDS sends an alert that someone is trying to seek
information from the system. As a CEH, any scans you perform should not be detected, as we would
not want the target systems to know someone is trying to attack them.
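This is what the IDS side of that paragraph looks like in practice. The following Python is an added example written for this page, not code from any IDS product: it runs a simple scan detector over constructed connection-log lines in a simplified firewall-style format and flags a source that touches many ports on one host (port scan) or many hosts (ping sweep) within a time window.

```python
"""Spotting port scans and ping sweeps in connection logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (simplified from typical firewall/NetFlow records):
# "<ISO timestamp> SRC=<ip> DST=<ip> PROTO=<TCP|UDP|ICMP> [DPT=<port>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: DPT=(?P<dpt>\d+))?$")


def build_sample_log():
    """Constructed traffic: one normal client, one vertical port scan, one ping sweep."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []

    def add(secs, src, dst, proto, dpt=None):
        ts = (base + timedelta(seconds=secs)).isoformat()
        lines.append(f"{ts} SRC={src} DST={dst} PROTO={proto}"
                     + (f" DPT={dpt}" if dpt is not None else ""))

    for i in range(6):                      # normal client, repeated HTTPS connections
        add(i * 0.5, "198.51.100.7", "192.0.2.10", "TCP", 443)
    for i in range(40):                     # one source walking 40 ports on one host
        add(5 + i * 0.1, "198.51.100.66", "192.0.2.10", "TCP", i + 1)
    for i in range(30):                     # one source pinging 30 hosts in turn
        add(20 + i * 0.2, "198.51.100.77", f"192.0.2.{i + 1}", "ICMP")
    return lines


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def detect_scans(lines, window=timedelta(seconds=10), port_threshold=15, host_threshold=10):
    """Per source, slide a time window over its connections and alert when it touches
    many distinct ports on a host (port scan) or many distinct hosts (sweep).
    Thresholds are illustrative; an IDS tunes them to the network's baseline."""
    by_src = defaultdict(list)
    for rec in sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"]):
        by_src[rec["src"]].append(rec)
    alerts = []
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1                  # drop records that fell out of the window
            win = recs[start:end + 1]
            ports = {(r["dst"], r["dpt"]) for r in win if r["dpt"] is not None}
            hosts = {r["dst"] for r in win}
            if len(ports) >= port_threshold:
                alerts.append((src, "port-scan", len(ports)))
                break                       # one alert per source is enough
            if len(hosts) >= host_threshold:
                alerts.append((src, "ping-sweep", len(hosts)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(build_sample_log()):
        print(alert)
```

Running detect_scans on the same log with a one-second window returns nothing: a scan paced slowly enough slips under any fixed window, which is why sensors also keep longer-term per-source state and why the tutorial's remark about scans being traced applies most to fast, noisy ones.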

Scanning Methodology

This is the sequence of steps in which scanning needs to be carried out, and what information
needs to be collected and documented so it can be used in the later phases of hacking.

Steps or phases for scanning:

Look for live systems -> Check for open ports -> Identify running services -> Identify the running
operating system (OS footprinting) -> Scan for vulnerabilities -> Document details and draw the
network diagram -> Prepare proxies to avoid being caught -> Proceed with the attack

Looking for live systems is done either using the normal PING command or using third-party
tools or scripts that run multiple pings to the destination or target.

As we know, PING uses the ICMP protocol, so an ICMP echo request is sent to the destination
or target IP address; if the target is active or alive it responds with an ICMP echo reply. This
also tells you whether ICMP is allowed through a firewall. Most organizations have started
blocking ICMP requests to be safe from attacks.

NMAP is a very popular tool used for scanning. It can be downloaded from the link below.

https://nmap.org/download.html

On Windows it is available as a GUI (Zenmap) and a CLI (nmap).


The installation is simple, and once installed you can see a screen like the one below. You need to
specify the target IP or range, and the type of scan you want to perform under Profile.

Note that Zenmap also gives you the command-line equivalent when you fill in the details; you
can copy the command from there and run it directly on the CLI.

The types of scans in nmap are as below; you can see them in the drop-down list.

The syntax and examples of the scan types are given below:

Intense scan, all TCP Ports

nmap -p 1-65535 -T4 -A -v 192.168.12.131

Intense Scan

nmap -T4 -A -v 192.168.12.131


In the above screenshot we see that the scan is complete and it shows the port numbers and services.

When you check the Ports/Hosts tab, you see the ports and the corresponding service names.

To find the operating system of a host, use the -O switch as below:

nmap -O 192.168.12.131

To scan multiple IP addresses or a subnet (IPv4):

nmap 192.168.1.1/24

To scan a range of IP addresses:

nmap 192.168.1.1-20

For scanning you can list the IP addresses in a file and have NMAP read them from the
file using the -iL option.

Create a file as below:

cat > /temp/test_ips.txt

Sample file contents:

server1.domain1.com

192.168.1.0/24

192.168.1.1/24

Now run the command with the following syntax:

nmap -iL /temp/test_ips.txt

To exclude some hosts/networks

You can exclude hosts from a scan if you do not want to scan the full network (the option is --exclude).

nmap 192.168.2.0/24 --exclude 192.168.2.10

nmap 192.168.2.0/24 --exclude 192.168.2.10,192.168.2.234

To find out if a machine or network is behind a firewall and protected (ACK scan)

nmap -sA 192.168.2.25

nmap -sA server1.domain1.com

To scan a device even if it is protected by a firewall, skip the ping-based host discovery (-PN, written -Pn in current nmap versions)

nmap -PN 192.168.2.25

nmap -PN server1.domain1.com

If you want to scan IPv6 addresses, use the -6 option.

nmap -6 server1.domain1.com

nmap -6 2302:f0e0:1001:41::3

If you need to see only open ports, use the --open option:

nmap --open 192.168.1.5

nmap --open server1.domain1.com


The screenshot above shows the open ports and also shows the response coming from a Windows
system: IIS is active and NetBIOS is in use.

To see interfaces and routes (the option is --iflist)

nmap --iflist <IP address of target>

nmap --iflist 192.168.12.131

Note that --iflist prints the interfaces and routes of the machine running nmap, not those of the
target; any target argument is ignored.


The above screenshot has some MAC addresses hidden, but in an actual scan you can see all the
information. You can also see the routes used on the device.

To scan specific ports

nmap -p [port] <target name or IP address>

nmap -p 80 192.168.12.131

The above screenshot shows that the HTTP service is in use. We scanned only port 80.

Tools for ping sweep are:

Angry IP Scanner -> http://angryip.org/download/#windows

SolarWinds Engineer Ping Sweep -> http://www.solarwinds.com/engineers-toolset/ping-sweep.aspx

TCP 3 Way handshake

As TCP is a connection-oriented protocol, it needs to establish a connection before data
transfer. It uses a process in which SYN, SYN+ACK and ACK packets are exchanged, known as the
3-way handshake.

The process goes like this:

First, Computer A sends a SYN packet, initiating the connection; then Computer B sends
a SYN+ACK, confirming it is OK to communicate. Finally, Computer A acknowledges with an ACK,
and the connection is established.

Different types of scanning:

a) TCP Connect / Full Open: This scan technique detects open ports by completing
the 3-way handshake. The connection is then torn down using the RST flag.

b) Stealth Scan: Half Open, XMAS Scan, FIN Scan, NULL Scan: This technique is used by
hackers to hide themselves from firewalls, by bypassing them, and from any other logging system.

c) IDLE Scan: Web servers are usually listening on port 80, waiting for a client to form a
connection. If a SYN is sent to a target machine and the sender receives SYN+ACK, it means
the port is open. If a RST is received, then the port is closed on the target.

d) SYN/FIN Scanning: In this scan only a SYN or a FIN is sent in the TCP frame.
It works with older versions of Windows and not with the current ones. If a FIN is sent and there is no
response, it means the port is open. But if it gets a RST/ACK, it means the port is closed.

e) ICMP Scan: This is the scanning technique where PING is used to get information from
the target system. It tells whether the target machine is ALIVE.

f) NULL Scan: In this technique none of the flags are set; the TCP frame is sent with NO flags.
This also does not work with newer versions of Windows. It avoids the IDS and the 3-way
handshake, but only works on UNIX.
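As an added example (not part of the tutorial), the following Python decodes the flag byte of a TCP header, names the probe type the way an IDS signature would (SYN, FIN, NULL, XMAS, ACK) and interprets the target's reply using the rules above; the packets are constructed inline.

```python
"""Classify TCP scan probes and replies from raw header bytes.

Added example, not part of the original tutorial. The segments below are
constructed by hand; no network access is needed.
"""
import struct
from typing import Optional

# TCP flag bits (low six bits of the data-offset/flags word, byte 13)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into ports and flag bits."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x3F}


def probe_type(flags: int) -> str:
    """Name the scan probe the way an IDS signature would label it."""
    if flags == 0:
        return "NULL"            # no flags set at all (NULL scan)
    if flags == FIN | PSH | URG:
        return "XMAS"            # FIN, PSH and URG all set (XMAS scan)
    if flags == FIN:
        return "FIN"             # FIN scan
    if flags == SYN:
        return "SYN"             # first step of half-open / full-connect scans
    if flags == ACK:
        return "ACK"             # firewall-rule probe (nmap -sA)
    return "OTHER"


def port_state(probe: str, reply_flags: Optional[int]) -> str:
    """Interpret the target's reply (None = no reply) for the given probe type."""
    if probe == "SYN":
        if reply_flags is not None and reply_flags & SYN and reply_flags & ACK:
            return "open"          # SYN+ACK: port is listening
        if reply_flags is not None and reply_flags & RST:
            return "closed"        # RST: nothing listening
        return "filtered"          # silence: a firewall dropped the probe
    if probe in ("FIN", "NULL", "XMAS"):
        # RFC 793 hosts answer closed ports with RST and stay silent on open
        # ones; Windows replies RST to both, which is why these scans fail there.
        if reply_flags is None:
            return "open|filtered"
        if reply_flags & RST:
            return "closed"
        return "unexpected"
    if probe == "ACK":
        # RST means the probe reached the host (unfiltered); silence means filtered
        return "unfiltered" if reply_flags is not None and reply_flags & RST else "filtered"
    return "unknown"


def build_segment(sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header with the given flags (test data)."""
    offset_word = (5 << 12) | flags  # data offset = 5 words, reserved bits zero
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_word, 8192, 0, 0)


if __name__ == "__main__":
    probe = build_segment(40000, 80, SYN)
    kind = probe_type(parse_tcp_header(probe)["flags"])
    print(kind, port_state(kind, SYN | ACK))
```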

Some popular third-party tools are: MegaPing, Free Port Scanner, IP Tools, PRTG Network
Monitor etc.

NOTE:

There are some IPs which you should NOT scan; please note these, and you may also find a list of
such IPs on the Internet. PLEASE DO NOT SCAN ANY SUCH IPs, or any PUBLIC IP, without
permission, or do it at your own risk, because it may be a cyber crime if you are caught
trying to scan someone's network, even though you may be doing it for learning
purposes. STRICTLY NO SCANNING OF IP ADDRESSES without PERMISSION, else you are in
TROUBLE.

RANGE 128

128.37.0.0 -> Army Yuma Proving Ground

128.38.0.0 -> Naval Surface Warfare Center

RANGE 129

129.29.0.0 -> United States Military Academy

129.50.0.0 -> NASA Marshall Space Center


And many such ranges, like 130, 131, 132, 6, 7 and more. Always be careful while
playing with NMAP for scanning; one silly mistake and you may be in trouble.

Some ways to be protected from Scanning

a) Use of Firewalls and IDS

b) Do not keep unnecessary ports Open

c) Do not keep sensitive data on public servers

d) Keep the latest release patches installed on all devices

Banner Grabbing / OS Fingerprinting

This is the technique to find the operating system of the target. It is very important to know the target's
operating system, as based on the OS the hacker can look for vulnerabilities in the OS and
plan the attack accordingly.

Active banner grabbing: packets are intentionally sent to the target to retrieve information about the OS,
like its name, version etc.

Passive banner grabbing: based on some errors we can understand what type of operating
system is running on the machine. If you get an error related to IIS (Internet Information
Server), you understand it is the web server running on a Windows OS.

There are some third party tools used for banner grabbing, such as: ID Serve, Netcraft, Netcat.

The below can help protect you from banner grabbing.

->Use false banners, which will misguide the hacker

->Do not keep unnecessary servers open

->If using IIS, you can prevent the banner from being revealed with the IIS Lockdown Tool or ServerMask

Vulnerability Scanning

This is done using a very popular tool called Nessus. It is the most popular tool and gives all
the information about the vulnerabilities on the target.

http://www.tenable.com/products/nessus-vulnerability-scanner

This tool helps in:

- Data collection

- Identify hosts

- Scan Ports

- Report the information found

Some screenshots below show how Nessus is helpful.

In the below screenshot we see that Nessus shows vulnerabilities in some databases and gives a
brief description of each.

The screenshot below shows the risk level or severity of the vulnerabilities.

The screenshot below shows the hosts and the level of risk on each host.

GFI LanGuard is another important tool that helps in handling the network inventory and also
looks for vulnerabilities on the nodes or servers.

Some other popular tools for network vulnerability scanning are: Retina CS, QualysGuard,
Nexpose, OpenVAS etc.

Draw Network Diagram

Tools like SolarWinds LAN Surveyor can be helpful to make a diagram of the network.
These diagrams can then be moved to Visio for documentation.

Other tools used for this are LANState, NetMapper, OpManager, NetworkView, The Dude, etc.

Proxy Servers

A proxy server means some other computer is used as an intermediary to connect with other
computers. Organizations configure proxy servers so the main servers are not directly accessible
to the outside world. Thus the IPs etc. are not released in public and the servers can be safe. The basic
working is as follows: if a hacker wants to access some page, the request goes to the proxy server and
then from the proxy server to the main server. Thus the main server is isolated from the outside
network.

Proxies can also be used by hackers to avoid being caught. Hackers try to
attack a target computer from some other computer using proxies, so the actual IP address is not
traced back, or is very difficult to trace back.

There are several free proxies available on the Internet; if you use those, your IP address is not
revealed and the IP of the proxy server is used instead. An attacker can also make use of multiple proxies
before the final attack; since the attacker uses a chain of proxies, this is known as proxy chaining.

Some tools used are: Proxy Workbench, Proxifier, Proxy Switcher, TOR (The Onion Router, a
very popular one), GProxy, Fiddler etc.

All the information gathered using the scanning techniques mentioned above needs to be
documented so that it can be used in the future.

Hope this is helpful!!!


Trojans and Backdoors

Hackers make use of Trojans and backdoors to get access to a system. Both of these are
installed on the target system, either with the help of some other program or by somehow making the
user on the target system install your program.

Trojans and backdoors come under the category of malware, which is used to compromise a
target system. When the Trojan reaches a target system it looks like a genuine application or
software, which makes the user click and install it. But in fact it was sent in disguise to the
target system.

Once these Trojans and backdoors are installed, the system becomes slow and crashes often,
as they eat up the system's resources. Also, if connected to the Internet, they can cause data theft and
transfer information out of the target computer.

Once such malware is installed, a hacker can then use the target system to attack other systems.
Mainly such techniques are used for DDoS (Distributed Denial of Service). If it is a key logger,
then the Trojan can also record all the keys typed on the system. Such Trojans are also
capable of taking screenshots of the screen.

As Trojans are sent along with some useful programs, below are the ways in which Trojans are sent to
the victim's system.

- Using instant messaging or chat: While having a chat discussion, someone may share a
picture or a video with you, asking you to have a look at the latest phone etc.; be careful in
opening such images etc. from unknown people.

- Email attachment: You may receive an email that looks genuine, like from your bank or in
some friend's name, asking you to click a link and update your contact details etc. By clicking
such a link you download the Trojan onto your system and thus get compromised.

- Using file sharing: You may be in need of some application or video, and there are
attackers around who would mask the Trojan with the required file and share it using a pen drive,
the Internet, email etc.

- Any program that can be downloaded from the Internet: Some good application, or even a
video of your favorite celebrity or sportsperson, can be shared, provoking you to click the link or
see the video and thus in turn get a Trojan or backdoor installed on your computer.

Advertisements shown while browsing are a major source of such malware. The
advertisement says that it allows downloading free software which the victim may be
interested in, but in the end the victim is downloading a Trojan.

Some common Trojans are as below:

Deep Throat -> UDP -> Port 2140, 3150

Net Bus -> TCP -> 12345, 12346

Back Orifice -> UDP-> 31337 or 31338

A backdoor, as its name suggests, is used for re-entry into the target system by the attacker. This
program is installed without the victim being aware of it, and the service for this backdoor runs
on the victim's computer with a name that sounds genuine, so the victim does not know that his
system is compromised.

RATs (Remote Access Trojans) are types of backdoor through which the attacker takes remote
control of the system. These RAT applications are installed on both the victim's and the attacker's computer.
The RAT server is installed on the victim and the RAT client on the attacker's computer, thus the attacker
can connect to the server (victim). One can make out if a RAT is installed on their system if the
mouse is observed moving on its own and some popups open.

Overt and Covert Channels

If a program uses the normal or legitimate way of communicating with the system, that is known as
an overt channel.

Using programs or communication paths that are not normal or intended is considered a COVERT
channel.

The Trojans installed on the victim's computer use covert channels. Attackers can also form
tunnels where one protocol is carried over another protocol.

Types of Trojans

- RATs (Remote Access Trojan): Gain remote control of the victim

- Destructive Trojan: Corrupt or delete files

- DoS (Denial of Service) Trojan: Launch a DoS attack

- FTP Trojan: Create an FTP server and copy files onto it. E.g. TinyFTPD

- Data Sending Trojan: Send data from the victim to the hacker's computer

- Proxy Trojan: Use the victim's computer as a proxy to attack another victim

- Command shell Trojan: Netcat is a popular command-line tool through which TCP/UDP ports
can be opened on the target system. These open ports are then used by the attacker with telnet
to gain access to and control the target.

- Email Trojans: Access to the victim's computer is taken by sending an email and having them click
a link.

- VNC Trojan: The victim's computer is controlled by the attacker using a VNC server. Since VNC
is considered a utility, these are not detected by antivirus as problematic. E.g. WinVNC, VNC
Stealer, etc.

- Botnet Trojans: A botnet is a group of software robots that run automatically. These robots are
nothing but worms, Trojan horses etc. E.g. NetBot Attacker, Illusion Bot.

Some GUI tools are also available, like MoSucker, Jumper and Biodox.

How to attack Systems using Trojan

1. Using a Trojan Horse Construction Kit, a new Trojan package is created.

2. A dropper is created; this is the part of the malicious code in the trojanized package which is
to be installed on the target.

3. Using wrapper tools, a wrapper is created and installed on the victim's
computer. Tools that can be used are: Graffitti.exe, Elite Wrap etc.

4. The Trojan is transferred to the victim's computer. This can be done using normal means like a pen
drive or floppy, copying it onto the victim's computer, or it can be spread using email,
chat, network shares etc.

5. The dropper is executed; using this dropper the malware is disguised, making the
victim feel that the application or link is genuine. After the victim's computer is infected
with one piece of malware, it then helps other malware and unwanted programs to be installed on
it.

6. Finally the damage routine is executed, meaning the Trojan does what it
actually intended to, like copying some files and sending them to the attacker, deleting important files, or
even formatting the victim's hard disk.

The above picture demonstrates the steps taken by an attacker. The attacker, making use of a
dropper, takes a Trojan, combines it with a funny video clip and shares it with you as a gift. Once
the victim opens that video for viewing, the dropper drops the Trojan on the system, and then it
may be executed to cause damage.

Wrappers: these are tools that help bind a Trojan to a genuine-looking application. When
this wrapped exe or image is clicked, the main Trojan is installed on the victim's computer in the
background while in the foreground the wrapper application is being installed. Wrappers are also
known as glueware, as they stick other applications or exes to themselves.

Some wrapper programs are: Kriptomatik, SCB Labs Professional Malware Tool, etc.

Evading Antivirus

Hackers use some techniques to avoid being caught by anti-virus programs:

- They do not use Trojans downloaded from the web

- They write their own Trojans

- They rename Trojan files to different application types, like:

exe to vbscript

exe to .xls file

exe to ppt

exe to mp4

- The checksum value is changed so the signature does not match and the IDS cannot detect it

- Multiple parts are sent separately and then combined on the target system into one Trojan file.

How to detect Trojan

1. Look for unnecessary open ports using tools like TCPView, CurrPorts

2. Look for unnecessary services using tools like Process Monitor, What's Running

3. Scan the registry and remove unwanted entries using tools like Registry Cleaner, Registry
Mechanic

4. Scan the system for device drivers that are not used using tools like DriverView, Driver
Easy

5. Check startup programs using tools like Starter, Security AutoRun, Active Startup

6. Remove suspicious files and folders on the system using tools like FCIV (File Checksum
Integrity Verifier), Tripwire, SigVerif

7. Run scanners to detect Trojans using tools like Trojan Hunter etc.
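As an added example (not the tutorial's code and not any of the tools named above), the following Python does in miniature what FCIV or Tripwire do in step 6: it hashes a directory tree into a baseline and later reports files that were added, removed or modified; the folder and its "tampering" are constructed in a temporary directory.

```python
"""Minimal file-integrity baseline, the idea behind FCIV and Tripwire.

Added example, not part of the original tutorial. Builds a SHA-256 baseline
of a directory tree and reports files that were added, removed or modified.
"""
import hashlib
import json
import os
import tempfile


def file_sha256(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_sha256(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the added, removed and modified files between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, path: str) -> None:
    """Persist the baseline; in practice keep this copy off the monitored host."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    """Read a baseline written by save_baseline."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo() -> dict:
    """Constructed scenario: a system folder is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "svchost.exe"), "wb") as fh:
            fh.write(b"legitimate binary")          # constructed placeholder content
        with open(os.path.join(sysdir, "drivers.txt"), "w", encoding="utf-8") as fh:
            fh.write("ok\n")
        baseline_file = os.path.join(root, "baseline.json")  # outside the monitored tree
        save_baseline(build_baseline(sysdir), baseline_file)

        # Simulated Trojan activity: a binary is replaced, a dropper appears, a file vanishes
        with open(os.path.join(sysdir, "svchost.exe"), "wb") as fh:
            fh.write(b"trojanized binary")
        with open(os.path.join(sysdir, "update.exe"), "wb") as fh:
            fh.write(b"dropper")
        os.remove(os.path.join(sysdir, "drivers.txt"))

        return compare(load_baseline(baseline_file), build_baseline(sysdir))


if __name__ == "__main__":
    print(demo())
```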

Trojan Countermeasures

- Avoid downloading unknown applications from the Internet and untrusted sources

- Keep the system patched with the latest security updates

- Scan external media like floppies, CDs, pen drives etc. before copying content from them

- Run firewalls and antivirus software on your system with the latest definitions

- Keep protection on your system to avoid unauthenticated access and installation of
applications

Backdoor Countermeasures

- Understand the danger of being compromised; always be cautious while accessing the
Internet and opening emails

- Use antivirus with the latest definitions and patches

- Keep applications updated with the latest security patches.

Some tools like Trojan Hunter, Emsisoft Anti-Malware, and Trojan Remover can also be used to
remove Trojans from infected computers.

Enumeration In Ethical Hacking

This phase, enumeration, is done after scanning, as in scanning the hacker collects information
about the active targets, ports, services etc.

It is in this phase that the hacker makes active connections to the target system and then tries
to collect more detailed information using queries etc. The goal is to get more detailed information
about the target that needs to be compromised.

Information such as usernames, machine names, share paths etc. is collected in this phase. The
attacker accesses possible open shares, mainly the remote IPC share, which can be accessed
as IPC$ in Windows.

The information that is enumerated by the attacker is :

- Users and Groups

- Networks and shared paths

- Hostnames

- Route Tables

- Service Settings

- SNMP port scanning and DNS Details

- Applications and Banners

In the Windows operating system, many tools are used to enumerate NetBIOS names, with
commands like:

Net accounts

Net config server

Net config workstation

Net view

And many such commands.

Net config server: this command gives details of the server name, NetBIOS name, and
information about the logged-on user, OS version etc.

Net config workstation: this command gives details of the workstation name, NetBIOS name,
and information about the logged-on user, OS version etc.

Net view: this command displays shared folder information.

C:\> net view \\<hostname> /domain:<domainname>

DumpSec is a tool used for NetBIOS enumeration; it uses the net use command and
connects to a target system as a null user.

Another tool, SMB Auditing, is used for auditing passwords for Windows SMB (Server Message
Block).

NBTSTAT is another command-line tool in Windows that displays some important information
about a system.

The output below shows the hostname and IP address.

To enumerate user accounts, tools like PsExec, PsFile, PsKill, PsList and PsPasswd are used.

SNMP Enumeration

With the use of SNMP, user accounts and hosts are enumerated. SNMP consists of a manager and
an agent. The agents are installed on the network devices and the manager software is installed
on a different machine.

SNMP makes use of a password, known in SNMP as the community string. Using this community
string the agents can be configured from a remote machine as well. The community strings are of
two types:

Read community string: By default this is "public" and can be used to view the device
configuration.

Read/Write community string: By default this is "private" and can be used to edit or modify the
device configuration.

SNMP uses a MIB (Management Information Base), which is a database holding the description of
the network objects that SNMP can manage.

The objects in the MIB are identified by OIDs, or Object Identifiers. These can be either scalar (single
object) or tabular (multiple objects in tables).

Some MIBs are as below:

DHCP.MIB:- Traffic between DHCP servers and remote hosts is monitored

WINS.MIB:- To be used for the WINS server

HOSTMIB.MIB:- To manage and monitor hosts

SNMPUtil is one such tool used for SNMP enumeration. OpUtils, SolarWinds IP
Network Browser, Getif, SNMP Scanner etc. are some other tools.

Linux Enumeration

In Linux, commands like the below are used for enumeration:

finger: Using this command you can view the home directory of a user, the login time, idle
time etc.

rpcinfo: This helps enumerate Remote Procedure Calls, through which one can then get control
over the applications.

showmount: This command shows the mounted directories and shared directories on the host.
The remotely mounted clients are displayed when the showmount command is run.

LDAP Enumeration

LDAP, or Lightweight Directory Access Protocol, is a directory service protocol which is
hierarchical in structure.

When a client connects to a DSA (Directory System Agent) on port 389 by sending an
operation request to the DSA, an LDAP session is formed.

Basic Encoding Rules (BER) are used for transmission of information between client and
server.

A hacker would send queries to the LDAP service to collect information about valid
users, groups, departments etc.

Some tools like Softerra LDAP enumerator, LDAP Admin Tool, LEX (LDAP Explorer) etc. are
used for LDAP enumeration.

NTP Enumeration

NTP is the Network Time Protocol, which is mainly used for synchronization of clocks on
devices. It is an often ignored protocol, but it can also help in extracting some
information from the devices.

NTP uses port 123 and is extremely accurate for synchronization; the accuracy
can be about 200 microseconds.

A hacker can query the NTP server and collect information about:

- Hosts connected to that NTP server

- The system names in the network, their IP addresses and operating system
information

Commands like the below can be used for NTP enumeration.

a) ntptrace: this command gives information about where the NTP server is updating its
time from.

b) ntpdc: This command queries the ntpd daemon; it can get the current state of the daemon and
also change its state.

c) ntpq: To monitor the ntpd daemon and determine its performance.

SMTP Enumeration

SMTP uses port 25 and is used for sending emails. It has the below built-in commands:

a) VRFY: this is used to validate users (confirm that a mailbox exists)

b) EXPN: this reveals the actual delivery address(es) behind an alias or mailing list

c) RCPT TO: the recipients of the message are defined here

The attacker usually telnets to the SMTP server and then makes use of these commands to get
information from the server.

Tools like NetScanTools Pro can be used for SMTP enumeration.
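As an added example (not from the tutorial), the following Python parses an SMTP server transcript, pairs each VRFY/EXPN/RCPT TO command with the reply codes the server returns, and reports the user-enumeration pattern described above; the session, with both sides' messages, is constructed inline.

```python
"""Recognise SMTP user enumeration (VRFY/EXPN probing) in a server transcript.

Added example, not part of the original tutorial. The session below is
constructed to show both sides of the exchange the text describes.
"""
import re
from collections import Counter

# Constructed transcript: "C:" lines are the client, "S:" lines the server.
SESSION = """\
S: 220 mail.example.test ESMTP
C: HELO probe
S: 250 mail.example.test
C: VRFY root
S: 250 2.1.5 root <root@example.test>
C: VRFY admin
S: 550 5.1.1 admin... User unknown
C: VRFY backup
S: 550 5.1.1 backup... User unknown
C: EXPN staff
S: 250 2.1.5 alice <alice@example.test>
S: 250 2.1.5 bob <bob@example.test>
C: QUIT
S: 221 Bye
"""

CLIENT_CMD = re.compile(r"^C: (VRFY|EXPN|RCPT TO)\b\s*(.*)$", re.IGNORECASE)
SERVER_REPLY = re.compile(r"^S: (\d{3})")


def parse_session(text: str) -> list:
    """Pair each VRFY/EXPN/RCPT TO command with the server reply codes that follow."""
    events, current = [], None
    for line in text.splitlines():
        cmd = CLIENT_CMD.match(line)
        if cmd:
            current = {"cmd": cmd.group(1).upper(), "arg": cmd.group(2).strip(), "codes": []}
            events.append(current)
            continue
        reply = SERVER_REPLY.match(line)
        if reply and current is not None:
            current["codes"].append(reply.group(1))   # multi-line replies keep accumulating
        if line.startswith("C:"):
            current = None   # any other client command ends the pairing


    return events


def enumeration_report(events: list, threshold: int = 2) -> dict:
    """Summarise probing: 'confirmed' are names the server disclosed, 'rejected' unknown ones."""
    counts = Counter(e["cmd"] for e in events)
    confirmed = [e["arg"] for e in events if any(c.startswith("25") for c in e["codes"])]
    rejected = [e["arg"] for e in events if any(c.startswith("55") for c in e["codes"])]
    # Repeated VRFY/EXPN from one client is the enumeration pattern worth alerting on
    probing = counts["VRFY"] + counts["EXPN"] >= threshold
    return {"probing": probing, "counts": dict(counts), "confirmed": confirmed, "rejected": rejected}


if __name__ == "__main__":
    print(enumeration_report(parse_session(SESSION)))
```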

DNS Enumeration

The main tool used here is nslookup. Using DNS enumeration, the attacker's motive is to find the
location of the DNS server and find the records on the server. If the attacker gets in deep, he may also
collect a copy of the zone file for a domain.

The screenshot below shows all the commands that can be used with NSLOOKUP.

Countermeasures

To avoid any enumeration via SNMP, do not keep the agent on devices that do not need it, and
disable SNMP services.

Keep strong community strings or passwords and do not allow null sessions to be created.
Block DNS enumeration; make sure zone transfers to unknown hosts are disabled.

For SMTP, beware of opening emails from unknown persons.

For LDAP, allow only authenticated users to access it. Also make use of SSL for the traffic being
transmitted.

Sniffing, in common terms, means to look or search for something, like sniffer dogs do at a crime
scene investigation; so in the hacking world we use some tools called sniffers. These tools are
used to capture traffic flowing on a network and then store and analyze it. The stored captures
can later be checked for configuration, passwords etc.

Sniffers are computer programs that capture traffic or data flowing in and out of a system.
These tools are mainly used to capture traffic and normally do not modify the packets
flowing.

In earlier days when phones were more popularly used, wiretapping was done, which is the
process of monitoring phone conversations and also Internet conversations. Such techniques
were very popularly used during the world wars to listen to communication between other countries.

Active wiretapping: is the process of listening to, recording and monitoring the
conversation, but also inserting or injecting something into the communication.

Passive wiretapping: is the process of only listening to and monitoring the traffic or conversation
and collecting information or knowledge of what is happening.

NOTE: WIRETAPPING IS ILLEGAL AND CONSIDERED A CRIME IN MOST
COUNTRIES. ONE NEEDS LEGAL PERMISSION TO TAP COMMUNICATIONS.

PACKET SNIFFING

- This is the process where traffic going into and coming out of the system is monitored

- Packet sniffing can be done using hardware or software

- It is similar to a wiretap, but is mainly done on computer networks

- Using packet sniffers, an attacker can gain access to information about accounts,
passwords etc.

In the above image we see that device A is sending traffic/data to device B, but the attacker
in between can start a sniffer and collect all the data.

Sniffing Tools

- Wireshark / Ethereal: This is the most popular packet capture or sniffing tool. It is GUI
based and offers many features to analyze the captured packets

- tcpdump: This is another commonly used traffic capture tool. You can get it at
tcpdump.org. It is mainly used on Linux.

- WinDump: This is the Windows version of tcpdump; it shows header information etc.

- dsniff: This is used to sniff passwords and other protocols. This tool is also mainly used
in Linux and UNIX environments.

There are many more tools, but Wireshark and tcpdump are the most popular among all of these.

Wireshark

This tool is available for both Windows and Linux and can be downloaded from
https://www.wireshark.org/

Once you open Wireshark you see the screen below.

In the Capture menu, you see the option Interfaces.

We see the list of interfaces on the system. Select the interface on which you want to take
captures. We also see some packets flowing on the interface. In our case we selected the Wireless
Network Connection.

Once you click on Start you see packets in the Wireshark main window.

Once you think you have collected sufficient information, you can click the Stop button on the
toolbar or go to the Capture menu and click Stop.

Then save this capture and use it for analysis.

There are some filters which are helpful in searching for information in the capture files.

Operator   Function                        Example

==         Equal                           ip.addr == 192.168.1.2
eq         Equal                           tcp.port eq 80
!=         Not equal                       ip.src != 192.168.1.2
ne         Not equal                       ip.src ne 192.168.1.2
contains   Contains the specified value    http contains "http://www.abc.com"

In the screenshot below we see that we have filtered only the IP address 192.168.0.2, using the
filter

ip.addr == 192.168.0.2

Wireshark also comes with some smaller built-in CLI tools, like the below:

Command     Function

tshark      This is similar to tcpdump; it is the CLI of Wireshark
dumpcap     A smaller program intended only to take captures
mergecap    Merges multiple capture files into one file
text2pcap   Creates a capture file from an ASCII hexdump
editcap     Edits, changes or translates the format of a capture file
capinfos    Reads a capture and provides info or statistics about it

TCPDump

You can download tcpdump from the site http://www.tcpdump.org/

This tool is almost equally popular among Linux/UNIX users. It is a command-line tool and
is very good and reliable compared with other available tools. It was in use even before
Wireshark existed, so it is a really well-tested and widely used tool.

Sniffing Threats

The below are some types of information that can be stolen using packet sniffers:

- Emails

- Web traffic

- FTP passwords (as they are sent in clear text)

- Chat sessions

- Network device configuration, mainly routers

- DNS traffic

- Telnet passwords (as they are sent in clear text)

- Traffic related to logs, i.e. syslog

These days al devices are connected using Switches; there are certain types of attacks that can be
done or possible in a switched environment.

1. ARP Spoofing / Poisoning: ARP (Address Resolution Protocol) is the protocol that is
used for IP to MAC address mapping. ARP Poisoning is the technique in which the ARP
tables are messed up with and the mapping dont point to the correct device. The attacker
may spoof the ARP table and share its MAC address for some server IP and all client
traffic will be sent to the hacker instead of the server.

2. MAC Flooding: The MAC is the hardware address of a device. Switches store this information
with mappings to IP addresses. An attacker can flood the switch with many fake MAC addresses,
more than the switch is able to handle. The goal of the attacker is to get the switch into a state
called fail-open mode; in this mode the switch acts like a hub, broadcasting all packets to all
ports. The attacker can then sit on one of those ports and sniff the packets.
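As an added example (not code from the original tutorial), the following Python shows the defender's side of the two switched-network attacks above: it replays a constructed list of ARP replies and flags any IP whose MAC address changes or any MAC that claims several IPs, and it counts distinct source MACs per switch port to spot a flood. The sample events, port numbers and the threshold are constructed for this example; a real monitor would feed it ARP replies captured with tcpdump or tshark.

```python
from collections import defaultdict

# Constructed sample ARP replies as (seconds, sender_ip, sender_mac); not real traffic.
# The gateway 10.0.0.1 is first announced by aa:bb:cc:00:00:01 and later claimed by
# de:ad:be:ef:00:ef, which is the symptom of the ARP poisoning described above.
ARP_REPLIES = [
    (0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (1, "10.0.0.25", "aa:bb:cc:00:00:25"),
    (30, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (61, "10.0.0.1", "de:ad:be:ef:00:ef"),
    (62, "10.0.0.25", "de:ad:be:ef:00:ef"),
]

# Constructed sample frames as (switch_port, source_mac): two normal hosts plus a
# port that suddenly sources 600 different MACs, the signature of a MAC flood.
FRAMES = [(1, "aa:bb:cc:00:00:01"), (2, "aa:bb:cc:00:00:25")] + [
    (3, "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF))
    for i in range(600)
]


def detect_arp_changes(replies):
    """Alert on every reply whose MAC differs from the MAC first learned for that IP."""
    learned = {}
    alerts = []
    for ts, ip, mac in replies:
        if ip in learned and learned[ip] != mac:
            alerts.append({"time": ts, "ip": ip, "old_mac": learned[ip], "new_mac": mac})
        learned.setdefault(ip, mac)   # keep the first-seen MAC as the reference
    return alerts


def macs_claiming_multiple_ips(replies, max_ips=1):
    """Return MACs that answer for more than max_ips addresses (gateway plus hosts, say)."""
    ips_by_mac = defaultdict(set)
    for _, ip, mac in replies:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > max_ips}


def detect_mac_flood(frames, max_macs_per_port=256):
    """Return ports carrying more distinct source MACs than an access port should ever see."""
    seen = defaultdict(set)
    for port, mac in frames:
        seen[port].add(mac)
    return {port: len(macs) for port, macs in seen.items() if len(macs) > max_macs_per_port}


if __name__ == "__main__":
    for alert in detect_arp_changes(ARP_REPLIES):
        print("ARP change:", alert)
    print("MACs claiming several IPs:", macs_claiming_multiple_ips(ARP_REPLIES))
    print("Flooded ports:", detect_mac_flood(FRAMES))
```

The per-port threshold is the same idea as the switch's Port Security feature mentioned below, applied after the fact to a capture rather than enforced on the switch itself.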

Countermeasures against Network sniffing

- Switches can be configured with a feature like Port Security, where only specific MAC
addresses can send traffic through those switch ports

- Use of IPv6 is one way, as it has security features that IPv4 did not have

- Instead of using telnet, use SSH, which is secure and encrypts the passwords sent

- Making use of a Virtual Private Network (VPN) can be helpful, as VPNs use encryption and
do not allow someone to directly break in

- Making use of IDS (intrusion detection systems) and NIDS (network IDS) can also help
fight sniffing attacks

Social Engineering
Social Engineering is a non-technical way of collecting information from someone. A hacker
uses his persuasion skills to get confidential information out of someone.

People hold vital information such as their accounts and system passwords, but do not take care
to store or handle it safely. The hacker makes use of this negligence or carelessness and tries to
extract information from a person.

This is performed through human interaction, either by meeting in person or by calling someone
and trying to get information out of him / her by talking. The final goal here is also to get access
to the victim's system and steal the required data / information, but it begins with a personal
conversation.

For example, a hacker may dress up like a technician and come into your office, and your
receptionist may let the person in and guide him to the systems that have a problem.

In this type of attack the weakness of the individual person is exploited first, and then the
computer or network devices. The hackers or social engineers are basically con artists who fool
or cheat you and do what they intended to do.

The attacker makes use of these human behaviors to get information:

1. Moral obligation

2. Trust

3. Threat

4. Reward for disclosing information

5. Ignorance

Why Social Engineering is effective, or why does it work?

Improper security policies: No outsider should be allowed in without proper ID card verification
and an appointment.

Difficult detection: It is difficult to detect that social engineering is going to take place, because
there are no set signatures like technical attacks have. Also, once the attack has been made, i.e.
the information is gathered and the hacker disappears or goes away, there are no logs of what
happened, who came in, etc.

Lack of training: People should be aware of what information to reveal when talking, and should
understand that someone may be trying to probe and gather vital information which could then
be misused against them.

No patch or software can help: There is no patch or software that can be installed on all your
employees to stop them revealing information. If some social engineer gets along well with one
of the employees, he can get some valuable information in a few minutes.

Trojan attacks are mainly carried out through social engineering techniques: a hacker may
convince a person to open an email, click a link or install software, and then the Trojan gets
installed on the system / network and compromises it.

Success behind Social engineering

The reasons behind Social Engineering being a useful tool are:

a) Trust: Trust is a natural feeling for humans. If someone dressed like a police officer asks the
receptionist to let him in for an immediate check, the receptionist may trust him and allow access
to the building or other internal offices.

b) Nature and habits: People follow habits and do the same things on a regular basis, and the
hacker can observe this for a few days and then act accordingly. For example, if the employees
enter the office building or premises at 8:45 AM and the security guard does not have time to
check all employees, the hacker can observe the behavior for a few days and then, one day, dress
up formally and enter along with the genuine employees.

Social Engineering Phases

Like any other attack, this is also not done at random; it needs to be done in proper phases or
steps.

1. Collect as much information as possible about the target, or so-called victim, using different
means such as social engineering, research and observation. This could include phishing,
dumpster diving, company visits and employees giving out information.

2. Choose your source, an individual or group, that has the maximum probability of giving you
some information. Through this you should be able to get closer to your target. The hacker may
take into account a frustrated employee who may disclose some valuable information about the
company.

3. Try to deceive the victim and get close to him/her until the information is extracted. Or
behave as if you are someone else: send emails on behalf of someone, or join a company as a
new employee, since at times the employer has not seen the employee until he joins.

4. Once you are close and seem to be in a position to extract the maximum information, go
ahead and collect as much information as possible, and then move out.

The above steps or phases correspond to these components:

- Research ( Phase 1)

- Develop ( Phase 2 and Phase 3)

- Exploit ( Phase 4)

Impact of Social Engineering

Social engineering can have many implications for the organization and the individual, like:

Financial loss: The most common impact, and the reason why an attacker would try to
compromise your system or organization. Some tender or business idea may be taken away,
which could incur a loss for the victim organization.

Terrorism: This is also common, as a few terrorists may be part of your organization or act like
your friends, flat mates, etc. and then cause some severe damage to the organization, state or
country.

Privacy exposed: The attacker can extract personal information and use it for blackmail or for
any other acts.

Lawsuits and arbitrations: Depending on the type of information captured or collected by the
attacker, legal action could be taken against the victim organization. E.g. if a milk
manufacturing company is involved in adulteration and this information is brought out by some
hacker, the organization needs to face the legal consequences.

Permanent or temporary closure: Based on the type of information collected and revealed
outside, the victim organization can be closed down temporarily or permanently.

Loss of goodwill: If some information that customers would find disturbing gets out of the
organization, then the goodwill of the company can be lost.

Targets of Social Engineering

An attacker is always on the lookout for someone who has more information that is reliable and
available. Some of the targets of social engineering are:

Receptionists: The receptionist is the face of the company; they know the majority of people in
the organization and also hear other information about what is going on in the organization. If
some attacker gets close to a receptionist, then he can gain very valuable and reliable information
from the receptionist.

Helpdesk: These people have information about the infrastructure and can be a valuable source
of information for the hacker.

System administrators: These can be very useful targets, as these personnel have extremely
valuable information about the IT infrastructure, domains, accounts, passwords, etc. They can be
enticed to reveal some information that the hacker is interested in knowing.

SOCIAL NETWORKING

This is a new form of social gathering that people have started to use over the past few years.
Using social networking applications, people share information about their families, work, etc.

Some social networking applications and sites are: Facebook, Twitter, LinkedIn, etc.

The type of information that is posted on these sites is:

- Personal information

- Personal and family photographs

- Information about their location

- Employment details

- Friend list and their details as well

Social Networking Countermeasures

- Don't disclose more personal and professional information than required.

- Do not blindly add friends on these social networking websites if you do not know them.

- Keep passwords different on different sites, so that if one gets compromised, the other sites
can still be safe.

Session Hijacking
The concept of session hijacking involves a hacker taking over an existing session between a user
and a host machine. By taking over the valid session, the attacker then violates or exploits the
session.

The attacker steals the valid session id, which is used to get into the system and then snoop on
data.

Once the attacker gets the valid session, he can take over access to any authenticated device or
resource, like an FTP server, web server or a telnet session.

Once the hijacker / attacker makes a successful hijack, he can play the role of a genuine user, or
can even silently just monitor / watch what communication is happening.

A session is created for some specific time, and during this time the client is authenticated by the
server; thus the server and client trust each other for the duration of the session. The data
transfers that take place during the session are not authenticated every time while the session is
active, and it is this convenience that the attacker takes advantage of to keep stealing information.

The danger when a successful session hijack is done is that activities like data theft, identity theft
and data corruption can take place. The traffic can be sniffed and the transactions can be recorded.

TCP session hijacking means taking over a TCP session between two devices.

Blind hijacking is another method, where the response of the system has to be assumed.

Man-in-the-middle attack is one common method, where sniffing is used to track what is being
communicated between two systems.

Steps involved in session hijacking:

- Track the connection

- Desynchronize the connection

- Inject the attacker's packet

The following can lead to a session being hijacked

- No timeout set for invalid session ids

- Insecure handling

- Indefinite session expiry time

- Transmission of data in clear text

- Session id being small in length

Techniques of Session Hijacking

Brute force a session ID: This is similar to brute-forcing passwords; the attacker will try to guess
the session id. The attacker would have some idea of the session ids in use. The attacker could be
helped by the use of some malware, sniffing, cross-site scripting or HTTP referrer headers.

Steal the session ID: Sniffing can be used to steal a session id and then compromise the
communication or the target.

Calculate a session ID: Some really good attackers could also calculate the session id based on
the session ids they are seeing, and can then guess or calculate the next session id by
understanding the sequence.

Hijacking v/s Spoofing

In spoofing, the attacker pretends or fakes being someone else, like a genuine user or computer.
In this case the session is not taken over by the attacker.

In hijacking, the session is taken over by the attacker. The attacker waits for the session to be
established between two resources and then takes that session over.

Process

1. Sniffing: Using this technique, the attacker should be able to sniff the traffic between the
source and destination whose session he intends to take over.

2. Monitoring: Observe the communication for some time and try to predict the sequence
numbers. Here the attacker will observe the traffic flow and try to find patterns in the
communication to guess the sequence numbers.

3. Session desynchronization: At times communication can only occur between two parties, so
after taking over the session the attacker breaks the connection between the genuine client and
server. He can either continue his session with the server, acting as a genuine client, or prevent
the client and server from communicating at all by just breaking their sessions.

4. Session ID prediction: This involves only predicting the session id, on which the attack will
be based later.

5. Command injection: This being the final stage, the attacker injects commands into the
session, trying to achieve what he wants, whether data theft, identity theft, etc.

Category of session hijack

a) Active attack: An active attack is where the attacker takes over the session from the client
and communicates with the server. Here the client is being manipulated and the server is being
fooled into thinking the attacker is a genuine user / client.

b) Passive attack: In a passive attack the focus is on monitoring the traffic or communication
taking place between the client and the server. Sniffing software is used in this situation, where
the traffic is monitored and captured while going across the wire.

Session Hijacking in OSI model

1. Network Level Hijacking: Interception of packets during the transmission or communication
between client and server in a TCP or UDP session

2. Application Level Hijacking: This involves taking control over a user's HTTP session by
obtaining the session ids.

Session IDs can be seen in:

- The URL received by the GET request for the application

- The hidden fields of a form

- Cookies on the client machine

Application Level Session Hijacking

This involves taking control over a user's HTTP session by obtaining the session ids. By
obtaining the respective session ids and unique identifiers of HTTP sessions, the HTTP session
can be hijacked. The session token can be compromised by one of the following:

- Predictable session token

- Man-in-the-middle attack

- Client-side attacks (XSS, Trojans, etc.)

- Man-in-the-browser attacks

- Session sniffing

Session sniffing: Using a sniffer, the attacker captures a valid session token, which is called the
Session ID. The attacker then uses this valid session token to get unauthorized access to the
web server. If the traffic is unencrypted, the session ids can be determined easily. This
unencrypted session can also carry username and password information.

The above figure shows how a valid session id between the client and server is hijacked by the
attacker, who then uses the same session id to communicate with the server by spoofing itself as
the genuine client.

Predictable Session Token: This is a method of hijacking or impersonating a website user. When
a client tries to access a website, the website will try to authenticate and track the user's identity.
Only once the authentication is done will the website share the data.

When a user submits the username and password, the website generates a unique session id, and
this session id shows that the user is authenticated to access the website. All subsequent
communications will carry this session id as proof of the authenticated session.

If this session id is with the attacker, he can access the website as the genuine user.

If the attacker captures the session ids below:

http://www.abc.com/view/ABCD20022015162820

http://www.abc.com/view/ABCD20022015180220

http://www.abc.com/view/ABCD20022015191810

we see some similarities in the session ids; for example, in this session id, ABCD20022015162820:

ABCD: this part is constant

20022015: is the date (20-02-2015)

162820: is the time (16:28:20)

Thus, from learning the above pattern, the attacker can predict the session id for a given time,
e.g. 13:05:00 on 25th Feb 2015:

http://www.abc.com/view/ABCD25022015130500
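An added example, not part of the original page: a small Python audit that checks whether issued session ids follow the prefix + date + time layout shown above, compares the naive character-count estimate of their strength with the real guess space, and shows the hardened alternative, an opaque id from the OS CSPRNG. The three ids are the ones from the page; the one-hour window, the function names and the estimate formulas are assumptions made for this example.

```python
import math
import re
import secrets
from datetime import datetime

# The three session ids quoted on the page (constructed example values, not real captures).
OBSERVED_IDS = ["ABCD20022015162820", "ABCD20022015180220", "ABCD20022015191810"]

# Layout of the weak ids: letters, then DDMMYYYY, then HHMMSS.
TIMESTAMP_ID = re.compile(r"^(?P<prefix>[A-Za-z]+)(?P<date>\d{8})(?P<time>\d{6})$")


def parse_timestamp_id(session_id):
    """Return (prefix, datetime) if the id is prefix + date + time, otherwise None."""
    m = TIMESTAMP_ID.match(session_id)
    if not m:
        return None
    try:
        when = datetime.strptime(m["date"] + m["time"], "%d%m%Y%H%M%S")
    except ValueError:            # 14 digits that are not a valid date and time
        return None
    return m["prefix"], when


def audit_session_ids(session_ids, window_seconds=3600):
    """Estimate how hard a set of ids is to guess.

    The naive estimate multiplies the id length by log2 of the alphabet size seen,
    which is what a casual look at the ids suggests. If every id parses as the same
    prefix plus a timestamp, the real guess space for a login inside a window of
    window_seconds is one candidate per second, which the naive figure hides.
    """
    alphabet = set("".join(session_ids))
    naive_bits = len(session_ids[0]) * math.log2(len(alphabet))
    parsed = [parse_timestamp_id(sid) for sid in session_ids]
    if all(parsed) and len({p[0] for p in parsed}) == 1:
        return {
            "predictable": True,
            "naive_bits": naive_bits,
            "effective_bits": math.log2(window_seconds),
            "reason": "constant prefix followed by a date and time",
        }
    return {
        "predictable": False,
        "naive_bits": naive_bits,
        "effective_bits": naive_bits,   # no structure found, so the naive figure stands
        "reason": "no timestamp structure found",
    }


def generate_session_id(nbytes=32):
    """Opaque id from the OS CSPRNG: 256 random bits, nothing derivable from the clock."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print("page ids:", audit_session_ids(OBSERVED_IDS))
    print("random ids:", audit_session_ids([generate_session_id() for _ in range(3)]))
```

The naive estimate for the page's ids comes out at roughly 62 bits, which sounds respectable; the structured estimate is under 12 bits for a one-hour window, which is why the pattern is enough for the prediction shown above. Auditing issued ids this way, rather than counting characters, is what reveals the weakness.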

Man-in-the-Middle-attack (MITM)

In this attack the attacker gets in the middle of an existing connection between two or more
computers and intercepts the messages. The entire communication goes through the attacker.

The victim's messages go to the attacker, and the attacker then sends them on to the server. In
reply, the server sends some message which again goes through the attacker sitting in the middle.
Both the client and the server are unaware that they are not communicating directly, and that
someone is sitting in the middle intercepting the messages and relaying them.

The complete MITM takes place in two phases:

- Client to attacker

- Attacker to server

Network Level Session Hijacking

This involves hijacking Session and transport protocols. These include:

- TCP/IP hijacking

- IP spoofing

- RST Hijacking

- Blind Hijacking

- Man-in-the-middle: packet sniffer

- UDP hijacking

TCP communication between two parties takes place with the help of a 3-way handshake, which
involves:

- The client initiates a connection by sending an ISN (Initial Sequence Number) and setting the
SYN flag

- On receipt of this packet, the server acknowledges it and sends its own SYN along with an
acknowledgement (ACK)

- On receiving this packet, the client acknowledges the server's sequence number by
incrementing it and setting the ACK flag.

Session Hijacking Tools

- Zaproxy (OWASP Zed Attack Proxy)

- Burp Suite

- JHijack

- PeterJack

Countermeasures against Session Hijacking

- Use a long random string or number for the session id

- Use Secure Shell (SSH) for communication

- Pass authentication tokens over HTTPS

- Implement a logout option for users to close their session

- Generate a new session id after successful login

- Have encrypted data passed between users and web servers.
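The countermeasures above (a long random id, a new id after login, a working logout, and expiry) in working form, as an added example rather than code from the original page. The SessionStore class, its timeout values and the cookie attribute set are assumptions made for this example; an injectable clock is used so the expiry behaviour can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds a session may sit unused before it is dropped
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on a session's lifetime regardless of activity


class SessionStore:
    """In-memory session table (hypothetical helper for this example).

    A real deployment would keep the same records in a server-side database or
    cache; the rules applied here are what matter.
    """

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested without sleeping
        self._sessions = {}        # session id -> {"user", "created", "last_seen"}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG

    def start(self):
        """Pre-authentication session (a shopping cart, say); carries no user."""
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid, user):
        """Issue a fresh id on login so an id seen before login is worthless afterwards."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return a copy of the record for sid, or None if it is unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT or now - entry["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]     # expired: drop it so the id cannot be replayed
            return None
        entry["last_seen"] = now
        return dict(entry)

    def logout(self, sid):
        """Invalidate server side; clearing the browser cookie alone leaves the id usable."""
        return self._sessions.pop(sid, None) is not None


def session_cookie_header(sid):
    """Set-Cookie line: HttpOnly keeps scripts away from the id, Secure keeps it off plain HTTP."""
    return f"Set-Cookie: SESSIONID={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login(store.start(), "alice")
    print(session_cookie_header(sid))
    print("logged in as:", store.lookup(sid)["user"])
    store.logout(sid)
    print("after logout:", store.lookup(sid))
```

Rotating the id in login() is the defence against the predictable-token and sniffed-token cases above: whatever the attacker observed before authentication never becomes an authenticated session, and the idle and absolute timeouts bound how long a stolen id stays useful.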

Web Servers Hacking


Web servers are very popular these days, and almost all types of applications are hosted on the
Internet.

The open source web server architecture comprises the LAMP stack; end users access the
websites and applications hosted on these web servers through the Internet.

L: Linux: The web server's operating system

A: Apache: The web server component

M: MySQL: A relational database

P: PHP: The application layer

IIS Webserver Architecture: this is the web server developed by Microsoft and can be used on MS
Windows operating systems. IIS stands for Internet Information Services. This is the second
most widely used and second largest web server after the Apache HTTP web server. IIS supports
HTTP, HTTPS, SMTP, FTP and NNTP.

How a Web Server Works

Files from web servers can be accessed and downloaded using HTTP (Hyper Text Transfer
Protocol) and HTTPS (Hyper Text Transfer Protocol Secure). HTTP is a protocol that works at
the Application Layer of the TCP/IP stack. The web pages are created using HTML, i.e.
Hypertext Markup Language, and are then viewable using a web browser on the client.

Webserver Vulnerabilities

- Web server software misconfigured: In most instances with Microsoft IIS, the default
website is kept enabled, which is one of the causes of being compromised, since the permissions
on the default website are open. Once IIS is installed it is important to change the permissions for
the default user, IUSR_COMPUTERNAME.

- Operating system bugs: The operating system should be patched with the latest updates
regularly to avoid any compromise. Patches can be applied manually or automatically.

- Application bugs or flaws in code: Make sure the application bugs are fixed, and hot
patches and hotfixes are released as and when any issue is observed or identified.

- Vulnerable default installation: The software settings and OS settings should never be left at
their defaults; for example, the default admin name is "administrator" and it should be changed to
something else.

Attacking Webserver

As web servers run HTTP and HTTPS, they listen on TCP port 80 for HTTP and port 443 for
HTTPS. These ports must be open on the firewall for the client to communicate with the web
server.

Web applications sit on top of the web server and can have their own different ports for
communication.

Banner grabbing is one of the steps when targeting a web server.

First you telnet to the IP address of the web server, from the Windows command prompt:

telnet <Webserver IP> 80

You can also use the URL instead of the web server IP address. Here 80 is the port number
(HTTP: 80).

Once the session is open, you type the request below (with a space on either side of the "/") and
press Enter twice, since a blank line ends the request headers:

HEAD / HTTP/1.0

After the second Enter the web server banner will be shown on the CLI:

Server: Microsoft-IIS/6.0

Date: Wed, 2 Dec 2015 1:18:32 GMT

Content-Length: 340

Content-Type: text/html

With the help of this, the web server type is identified along with its version details. Based on
this version, the attack that needs to be done can be identified. Since we know it is an IIS server,
we also know that the underlying operating system is Windows.
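The same HEAD request and banner, handled in code so you can check your own web server for version disclosure; this is an added example, not from the original tutorial. The response bytes are constructed from the banner shown above, the list of disclosing headers is an assumption for the example, and check_own_server (a hypothetical name) performs the request over a plain socket against a host you administer.

```python
import re
import socket

# Constructed response modelled on the banner shown above; not captured from a real host.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Date: Wed, 2 Dec 2015 1:18:32 GMT\r\n"
    b"Content-Length: 340\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Headers that commonly leak product and version information to every client.
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")


def build_head_request(host, path="/"):
    """Exactly what the telnet session above types by hand, with the terminating blank line."""
    return f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response_headers(raw):
    """Split a raw HTTP response into its status line and a name -> value header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip()] = value.strip()
    return lines[0], headers


def banner_findings(headers):
    """Flag headers that reveal a product version (a '/' followed by a digit), or any
    framework header at all, since those are what an attacker reads off the banner."""
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value and re.search(r"/\d", value):
            findings.append(f"{name} discloses product and version: {value}")
        elif value and name != "Server":
            findings.append(f"{name} present: {value}")
    return findings


def check_own_server(host, port=80, timeout=5.0):
    """Send the HEAD request to a host you administer and report what its banner gives away."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_head_request(host))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    status, headers = parse_response_headers(raw)
    return status, banner_findings(headers)


if __name__ == "__main__":
    status, headers = parse_response_headers(SAMPLE_RESPONSE)
    print(status)
    for finding in banner_findings(headers):
        print("finding:", finding)
```

A clean result from banner_findings means the server name and framework headers have been suppressed or trimmed to the product name only, which removes the version hint the text above relies on.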

The next step would be to attack the webserver and then take control of the data on the
webserver.

A very common type of attack on websites is DEFACEMENT. With this, an attacker or hacker
mainly focuses on showing off his hacking skills and increasing his reputation rather than
actually stealing data from the website.

In the website defacement process, the hacker modifies the website files and leaves a mark on the
homepage saying that this website has been hacked. Mostly the hacker's name or group name is
shown along with some image, something like the example below:

Hacking IIS

Windows IIS is a popularly used web server, and this also makes it a popular target for attackers.
There are different types of attacks that can be launched against the Windows IIS web server.

1. Directory Traversal: A client accessing a server will have limited access to certain
directories. The root directory on the web server is the initial directory accessed by a client. This
directory has the default or index page along with other folders or files related to the HTML.
There can also be sub-directories that hold other files, images or scripts which a normal user
should not be allowed to access, but using a directory traversal attack, access to these directories
can be gained.

This directory traversal attack is also known as the Unicode exploit. This compromise of the
server happens because the server has not been patched with the latest updates, and thus through
CGI scripts and ISAPI (Internet Server Application Programming Interface) extensions like .asp.

2. Source Disclosure: This means that the source code of the application is accessible. If the
code is obtained, the hacker can then identify the programming language, application type, etc.
Based on this, many security holes can be identified and then exploited.

3. Buffer Overflow: These are not specific to web servers, but are also carried out on other
systems. Like the term overflow, which means sending more than something can take or handle,
in a buffer overflow more data is sent than the application can handle.
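As an added example, not from the original page, here is how a web server or application can defend against the directory traversal described in item 1: every requested path is percent-decoded, normalised and checked to remain under the document root before any file is opened. The WEB_ROOT value, the function names and the sample request paths are constructed for this example.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for the example


class TraversalError(ValueError):
    """Raised when a request path would escape the web root."""


def resolve_request_path(web_root, request_path):
    """Map a URL path onto a file under web_root, refusing anything that escapes it.

    Percent-decoding happens before normalisation, and twice, so a double-encoded
    %252e%252e does not survive; backslashes are treated as separators as IIS does;
    and bytes that do not decode as valid UTF-8 (the overlong sequences behind the
    'Unicode exploit' named above) are rejected outright rather than normalised.
    """
    decoded = unquote(unquote(request_path))
    if "\x00" in decoded or "\ufffd" in decoded:
        raise TraversalError(f"malformed path: {request_path!r}")
    decoded = decoded.replace("\\", "/").lstrip("/")
    root = posixpath.normpath(web_root)
    target = posixpath.normpath(posixpath.join(root, decoded))
    # After normalisation the result must be the root itself or lie strictly inside it.
    if target != root and not target.startswith(root + "/"):
        raise TraversalError(f"path escapes web root: {request_path!r}")
    return target


def is_safe_request(request_path, web_root=WEB_ROOT):
    """Boolean form of the check, convenient for request filtering or log review."""
    try:
        resolve_request_path(web_root, request_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample request paths: the first two are legitimate, the rest are the
    # kinds of input a server log shows when traversal is being attempted.
    for path in ["/index.html", "/images/../index.html", "/../../etc/passwd",
                 "/..%5c..%5cprivate.txt", "/%c0%ae%c0%ae/private.txt",
                 "/%252e%252e/private.txt", "/index.html%00.jpg"]:
        print(f"{path!r:40} safe={is_safe_request(path)}")
```

Doing the check on the decoded, normalised path is the point: a filter that looks for the literal string ".." in the raw URL misses every encoded variant, which is exactly what the Unicode exploit relied on.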
Patch Management

This is a very crucial technique for mitigating the risk of web servers and web applications being
attacked. In this process the patches and hotfixes from different vendors are applied. The proper
process involves checking or verifying which patches need to be installed, and also having these
patches tested in a lab environment before applying them to a production box or environment.

It is good practice to maintain a list of the patches installed and to keep log files. These days
there are many patch management tools that can help automate the patch management process.

Hardening Webservers

Hardening web servers means increasing their security. The methods below can be used to harden
the web server.

- Use a strong password and rename the administrator account. Renaming can be done from
User Manager by right-clicking the administrator name and renaming it.

- Disable the default FTP site and other default sites; this can be done by right-clicking the
default website and choosing Stop in IIS Manager.

- Have unused applications removed from web servers. The Control Panel Add / Remove
Programs option can be used.

- Keep a legal notice or banner shown when someone logs into the web server, clearly stating
the legal consequences of any malpractice or theft of identity and data.

- Have forms and query strings bounds-checked to make sure buffer overflows or malicious
input cannot be provided.

- Do not allow administration to happen remotely; only administrators from within the data
center or DMZ can access the admin console.

- Have regular audits and logging done for the web server.

- Use a good firewall between the web server and the Internet so that traffic coming in and going
out can be inspected by the firewall. Also keep only necessary ports open, like port 80 for HTTP
and port 443 for HTTPS.

Impact of Webserver Attacks

- User accounts compromised

- Data Tampering

- Deface Website

- Launch secondary attacks from the website

- Data Theft

- Gain root access to other application servers or applications



Webserver Hacking Tools

- HTTPRecon

- ID Serve

- Metasploit

- Wfetch

- Brutus (password cracking)

Web server attack using website mirroring: With the help of tools like HTTrack, WinWSD,
WebCopier and BlackWidow, you can create a complete offline copy of the website and save it in
your directory. This will copy all HTML pages, images, etc., downloading all the directories
recursively. The attacker then goes through all the links and pages offline and prepares for the
attack, and once ready, goes for the online attack.

Patch Management Tools

- Altiris Client Management tool

- GFI LanGuard

- VMWare vCenter Protect

- Prism Patch Manager

Countermeasures for Webserver hacking

Keep the webserver patched and updated with latest hotfixes

Keep a back-out plan in case you need to revert back to the old configuration

Test the patch in non-production before applying it in production

Keep service pack upgrades scheduled and done holistically

Block unnecessary ports

If using Telnet, FTP, etc., make sure you use IPsec to protect it

Disable WebDAV if it is not being used

Disable unused user accounts and access to database to all users



Use strong password policies

Eliminate unnecessary files within .jar files

Monitor and check web services log regularly
