
Tuesday, November 22, 2011

EXPLORE THE ATTACK

Posted by: , 0 comments

  • How does the attack begin?
Attackers follow a fixed methodology to penetrate a system. The steps a hacker follows can be broadly divided into five phases:



1. Reconnaissance:

Reconnaissance, or footprinting, is considered the first pre-attack phase and is a systematic attempt to locate, gather, identify, and record information about the target. The hacker seeks to find out as much information as possible about the victim. Some hackers might dumpster dive to find out more about the victim; dumpster diving is the act of going through the victim's trash. Another favorite of the hacker is social engineering. A social engineer is a person who can smooth-talk other individuals into revealing sensitive information. This might be accomplished by calling the help desk and asking someone to reset a password, or by sending an email to an insider telling him he needs to reset an account.

2. Scanning:

Scanning and enumeration is considered the second pre-attack phase. Scanning is the active step of attempting to connect to systems to elicit a response. Enumeration is used to gather more in-depth information about the target, such as open shares and user account information. At this step in the methodology, the hacker is moving from passive information gathering to active information gathering. Hackers begin injecting packets into the network and might start using scanning tools such as Nmap. The goal is to map open ports and applications. Unlike the elite blackhat hacker who attempts to remain stealthy, script kiddies might even use vulnerability scanners such as Nessus to scan a victim's network.

3. Gaining Access:

In terms of potential damage, this could be considered one of the most important steps of an attack. This phase occurs when the hacker moves from simply probing the network to actually attacking it. After the hacker has gained access, he can begin to move from system to system, spreading his damage as he progresses. Access can be achieved in many different ways. A hacker might find a vulnerability in the web server's software or might perform a denial of service (DoS) on that server. If the hacker is really bold, he might even walk in and tell the receptionist that he is late for a meeting and will wait in the conference room with network access. Pity the poor receptionist who unknowingly provided network access to a malicious hacker.

4. Maintaining Access:

Hackers are diligent at working on ways to maintain access to the systems they have attacked and compromised. They might attempt to pull down the /etc/passwd file or steal other passwords so that they can access other users' accounts. Rootkits are one option for hackers. A rootkit is a set of tools used to help the attacker maintain his access to the system and use it for malicious purposes.

5. Clearing Tracks:

Nothing happens in a void, and that includes computer crime. Hackers are much like other criminals in that they want to be sure to remove all evidence of their activities. Hackers must also worry about the files or programs they leave on the compromised system. So that the target company's security engineer or network administrator cannot detect the evidence of the attack, the hacker needs to delete log files and replace system binaries with Trojans.


  • How do you defend against the attack?
In order to defend against a hacker, you have to think from his/her perspective. As an ethical hacker, you will need to be aware of these tools and techniques in order to discover their activities and to deploy adequate countermeasures.
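The scanning phase leaves a visible trace: one source touching many distinct ports on one host, most of them refused. The following added example (not part of the original post) is a detector for that pattern run over constructed firewall deny/allow log lines; the log format, field names and the thresholds are assumptions chosen for illustration.

```python
"""Added example (not from the original post): flag the scanning phase from
firewall logs. The "time src dst:port action" format and the thresholds are
assumptions for illustration only."""
import re
from collections import defaultdict

# Constructed sample log: 10.0.0.7 probes ten ports on 192.168.0.45 (mostly
# refused); 10.0.0.9 is an ordinary web client.
SAMPLE_LOG = """\
10:00:01 10.0.0.7 192.168.0.45:22 DENY
10:00:01 10.0.0.7 192.168.0.45:23 DENY
10:00:02 10.0.0.7 192.168.0.45:25 DENY
10:00:02 10.0.0.7 192.168.0.45:80 ALLOW
10:00:03 10.0.0.7 192.168.0.45:110 DENY
10:00:03 10.0.0.7 192.168.0.45:143 DENY
10:00:04 10.0.0.7 192.168.0.45:443 ALLOW
10:00:04 10.0.0.7 192.168.0.45:445 DENY
10:00:05 10.0.0.7 192.168.0.45:3389 DENY
10:00:05 10.0.0.7 192.168.0.45:8080 DENY
10:00:06 10.0.0.9 192.168.0.45:80 ALLOW
10:00:07 10.0.0.9 192.168.0.45:443 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (ALLOW|DENY)$")


def parse_log(text):
    """Return (time, src, dst, port, action) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, port, action = m.groups()
            events.append((ts, src, dst, int(port), action))
    return events


def find_scanners(events, min_ports=8, min_deny_ratio=0.5):
    """Return {(src, dst): sorted ports} for source/destination pairs where the
    source touched at least min_ports distinct ports and most attempts were denied.
    A normal client reuses a handful of ports; a port scan sweeps many."""
    ports = defaultdict(set)
    denies = defaultdict(int)
    total = defaultdict(int)
    for _ts, src, dst, port, action in events:
        key = (src, dst)
        ports[key].add(port)
        total[key] += 1
        if action == "DENY":
            denies[key] += 1
    hits = {}
    for key, pset in ports.items():
        if len(pset) >= min_ports and denies[key] / total[key] >= min_deny_ratio:
            hits[key] = sorted(pset)
    return hits


if __name__ == "__main__":
    for (src, dst), touched in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible scan from {src} against {dst}: {len(touched)} ports {touched}")
```

The deny ratio is what separates a scan from a busy legitimate client; lower `min_ports` if you want to catch slow scans spread over longer windows, and bucket the events by time window in production so an old baseline does not accumulate forever.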




Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...


SESSION MANIPULATION FOR WHITE HAT HACK


SESSION SIDEJACKING

  • What is Sidejacking?
Sidejacking is the process of sniffing cookie information and then replaying it against websites in order to clone a victim's session. We use the term sidejacking to distinguish this technique from man-in-the-middle hijacking. Whereas man-in-the-middle hijacking interferes with the original session, sidejacking does not. The victim continues to use his session, blissfully unaware that we are also in his account.
Sidejacking works only if the site sends the session cookie over a non-SSL connection, so any website that uses SSL exclusively would be safe from sidejackers. Sidejacking was first demonstrated by Robert Graham, CEO of Errata Security, at Black Hat in 2007.

  • Techniques:
All you need to do in order to sidejack is sniff cookies off the wire and edit cookies. This can be done with a wide variety of tools.

1. WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

Download and install WinPcap from here.

2. Graham leveraged the tools Ferret, essentially a packet-sniffing tool that captures cookies and writes them to a hamster.txt file, and Hamster, basically a local proxy that creates a web front end for exploiting the cookie information captured by Ferret.

Download and install Ferret and Hamster from here.

3. Unzip the tools into a directory such as C:\sidejacking.

4. Open a command prompt and change to that directory with cd c:\sidejacking.

5. Use ferret -W to figure out which interface you want to sniff.

6. Use ferret -i n to start sniffing cookies. Here n is the interface number.

7. Now run hamster in the same directory as hamster.txt to start the proxy.

8. Set up a browser to use the proxy at 127.0.0.1:3128.

9. In that browser, go to http://hamster to go to the proxy console window.

10. Select a victim, then click on a URL to sidejack it.

  • Countermeasures:
1. Always try to stick to secured Wi-Fi networks that you know and trust, which would not have any strangers on them running packet sniffers.

2. Never use a Wi-Fi hotspot to access sensitive information unless you are using a VPN (virtual private network) or SSL (Secure Sockets Layer).

3. Graham said that Google Mail users could switch to https://mail.google.com and secure their session from such snooping.

------------------------------------------------------------------------------------------------

SESSION HIJACKING

  • What is Session Hijacking?
Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. It involves an attacker using captured, brute-forced or reverse-engineered session IDs to seize control of a legitimate user's web application session while that session is still in progress.

TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine.

  • Techniques:
There are mainly three methods used to perpetrate a session hijack. These are:

1. Session Fixation:

Session fixation is a class of session hijacking. Unlike a classic session hijack, which steals the established session between the client and the web server after the user logs in, the session fixation attack fixes an established session on the victim's browser, so the attack starts before the user logs in.


For detailed info on How Session Fixation works click here.

2. Session Sidejacking:

Session sidejacking is where the attacker uses packet sniffing to read network traffic between two parties in order to steal the session cookie. Many websites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once the user is authenticated. This allows attackers who can read the network traffic to intercept all the data that is submitted to the server or the web pages viewed by the client.

1. First the attacker uses a network sniffer to capture a valid session token, called the session ID.

2. Then he uses the captured session ID to gain unauthorized access to the web server, i.e. to hijack the victim's web session.



For detailed info on How Session Sidejacking works click here.

3. Cross-Site Scripting:

The attacker can compromise the session token by using malicious code or programs running on the client side. If an attacker sends a crafted link containing malicious JavaScript to the victim, then when the victim clicks on the link, the JavaScript will run and carry out the attacker's instructions. This is how an attacker could use an XSS attack to steal the session token.


For detailed info on How XSS works click here.

  • Protection:
1. Regenerating the session ID after a successful login. This prevents session fixation because the attacker does not know the session ID of the user after he has logged in.

2. Some services make secondary checks against the identity of the user. For example, a service may change the value of the cookie with each and every request.

3. Users may also wish to log out of websites whenever they are finished using them.

4. Encryption of the data passed between the parties, in particular the session key. This technique is widely relied upon by web-based banks and other e-commerce services.
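Protection 1 (regenerate the ID at login), the SSL-only advice from the sidejacking countermeasures above, and the XSS case all come down to how the server issues its session cookie. The following added example (not the original post's code, nor any real framework's API) is a minimal in-memory session store that rotates the session ID at login and emits a cookie with the Secure and HttpOnly attributes, plus a small auditor that reports which of those attributes a given Set-Cookie header lacks. The class and function names, the cookie name and the user name are assumptions.

```python
"""Added example (not from the original post): session-ID rotation at login
(defeats fixation), a hardened Set-Cookie value (Secure keeps the cookie off
plain HTTP, the sidejacking channel; HttpOnly keeps it away from script, the
XSS case) and an auditor for Set-Cookie headers. All names are assumptions."""
import secrets


class SessionStore:
    """In-memory session table: session_id -> {"user": name or None}."""

    def __init__(self):
        self._sessions = {}

    def new_anonymous(self):
        """Pre-login session, e.g. for a shopping cart. An attacker who can plant
        this ID in the victim's browser is attempting session fixation."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid, user):
        """Authenticate and rotate: whatever ID the browser presented (possibly
        one the attacker fixed) is discarded and a fresh one is issued."""
        self._sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def session_cookie(sid, name="SESSIONID", max_age=3600):
    """Build the Set-Cookie value the server should send after login."""
    return f"{name}={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def audit_set_cookie(header_value):
    """Return the hardening attributes missing from one Set-Cookie value, in a
    fixed order, so a response-header check can flag weak session cookies."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header_value.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


def demo():
    """Walk through a fixation attempt against the store and audit two cookies."""
    store = SessionStore()
    fixed = store.new_anonymous()              # ID an attacker could have planted
    post_login = store.login(fixed, "alice")   # "alice" is a constructed user
    return {
        "old_id_valid_after_login": store.user_for(fixed) is not None,
        "new_id_user": store.user_for(post_login),
        "rotated": fixed != post_login,
        "cookie_gaps": audit_set_cookie(session_cookie(post_login)),
        # constructed weak header of the kind a sidejacker relies on
        "weak_cookie_gaps": audit_set_cookie("JSESSIONID=abc123; Path=/"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rotation only helps if the old ID is actually invalidated server-side, which is why `login` pops it from the table rather than just issuing a second one; the `Secure` attribute is what makes countermeasure 2 of the sidejacking section (use SSL) stick, because without it the browser will still send the cookie on any plain-HTTP request to the same host.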





Source -::- xtrmhack 1,2


SOCIAL ENGINEERING


What kind of engineering is this?

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face to face with the victim.



Phishing:


Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate bank or credit card company, requesting verification of information and warning of some dire consequence if it is not provided.

The e-mail usually contains a link to a fraudulent web page that seems legitimate with company logos and content and has a form requesting everything from a home address to an ATM card's PIN.

Pretexting:


This technique can be used to trick a business into disclosing customer information as well as by private investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives.

A high profile case of pretexting occurred in 2006 in which HP hired private investigators to investigate a large leak of confidential information. The private investigators impersonated HP board members and several journalists in attempts to gain call records and other personal information.



Vishing:

Vishing or Phone Phishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward.

This technique uses a rogue Interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system.




Baiting:

Baiting is like a real-world Trojan horse: it uses physical media and relies on the curiosity or greed of the victim.
In this attack, the attacker leaves a malware-infected floppy disk, CD-ROM, or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.



Notable Social Engineers:

Kevin David Mitnick (born August 6, 1963) is a computer security consultant and author. In the late 20th century, he was convicted of various computer- and communications-related crimes. At the time of his arrest, he was the most-wanted computer criminal in the United States.

He popularized the term social engineering, pointing out that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system.






Films on Social Engineering:


Catch Me If You Can is a 2002 American biopic-crime film based on the life of Frank Abagnale Jr., who, before his 19th birthday, successfully conned millions of dollars by posing as a Pan American World Airways pilot, a Georgia doctor and Louisiana attorney and parish prosecutor.

His primary crime was cheque forgery, becoming so skillful that the FBI eventually turned to him for help in catching other cheque forgers.






Source -::- xtrmhack.com


ARP POISONING ATTACK


  • What is ARP?
The Address Resolution Protocol (ARP) is a computer networking protocol for determining a network host's hardware (MAC) or link-layer address when only its Internet layer (IP) or network-layer address is known. In effect, it is an IP-to-MAC mapping.

Broadcast ARP Request:

Jessica, the receptionist, tells Word to print the latest company contact list. This is her first print job today. Her computer (IP address 192.168.0.16) wants to send the print job to the office's HP LaserJet printer (IP address 192.168.0.45). So Jessica's computer broadcasts an ARP Request to the entire local network asking, "Who has the IP address, 192.168.0.45?"






Unicast ARP Reply:

All the devices on the network ignore this ARP Request, except for the HP LaserJet printer. The printer recognizes its own IP in the request and sends an ARP Reply: "Hey, my IP address is 192.168.0.45. Here is my MAC address: 00:90:7F:12:DE:7F."





  • ARP Poisoning:
Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network. ARP Spoofing may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether.

The ability to associate any IP address with any MAC address provides hackers with many attack vectors, including Denial of Service (DoS), Man in the Middle, and MAC Flooding.


  • Man in the Middle Attack (MIMA):
A hacker can exploit ARP cache poisoning to intercept network traffic between two devices on your network.

Attack Stage-1:

The hacker wants to see all the traffic between your computer, 192.168.0.12, and your Internet router, 192.168.0.1. The hacker begins by sending a malicious ARP "reply" (for which there was no previous request) to your router, associating his computer's MAC address with 192.168.0.12.




Attack Stage-2:

Now your router thinks the hacker's computer is your computer. Next, the hacker sends a malicious ARP reply to your computer, associating his MAC address with 192.168.0.1.




Attack Stage-3:

Now your machine thinks the hacker's computer is your router. Finally, the hacker turns on an operating system feature called IP forwarding. This feature enables the hacker's machine to forward any network traffic it receives from your computer to the router.





  • ARP Poisoning Tool:
Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.



Download ETTERCAP from here.

  • Protection:
1. Arpwatch is a software tool for monitoring Address Resolution Protocol traffic on a computer network. Network administrators monitor ARP activity with it to detect ARP spoofing.

2. Arping is a software tool used to discover hosts on a computer network. The arping tool is analogous in function to ping, which probes hosts using the Internet Control Message Protocol at the Internet layer (OSI layer 3).

3. Capsa Network Analyzer (packet sniffer) is an easy-to-use Ethernet network analyzer (a.k.a. packet sniffer or protocol analyzer) for network monitoring and troubleshooting purposes.





For more about dealing with the ARP cache (view, refresh, clear), click here.


Monday, November 21, 2011

Clear, Refresh, View ARP Cache Entry



ARP (Address Resolution Protocol) is the standard method for finding a host's hardware address when only its network-layer address is known. In other words, in an IPv4 and Ethernet network environment, the Windows operating system uses ARP to translate IP addresses to Ethernet MAC addresses. However, the Microsoft Windows ARP cache will occasionally become corrupt and need to be cleared and deleted so that the cache can be refreshed. When you have problems connecting to the Internet, where connections to websites or web pages time out or fail and you are unable to browse web pages, the cause may also be ARP cache corruption, rather than TCP/IP corruption or a Winsock error.
To confirm that it is indeed an ARP issue, try to ping both the loopback address (127.0.0.1) and the local computer's IP address. Then try pinging any other IP address, such as those of Google.com or Yahoo.com. If you can ping the local IP address and the loopback address, but not any other IP address, then this is the typical symptom of ARP cache failure.
The Microsoft Windows ARP cache occasionally becomes corrupt and must be cleared.
Another reason is a denial of service (DoS) attack directed at the ARP cache.
When the ARP cache needs clearing, connections to web pages time out and fail.
If someone troubleshoots further, he/she can ping the local IP address and 127.0.0.1, but not other IP addresses.

Clearing the ARP Cache
Use the NetShell (netsh) command to clear, delete or refresh the Address Resolution Protocol (ARP) cache by following these steps.

  1. Click on the Start button.
  2. Click on the Run command, type Cmd into the Run text box, and then press Enter. For Windows 7 and Vista, type Cmd in Start Search, and then press Ctrl-Shift-Enter to force Administrator privileges. Enter the Administrator user ID and password and allow any permission request when prompted.
  3. In the Command Prompt window, type the following command, then press Enter.
    netsh interface ip delete arpcache
The command works in Windows 7, Vista, Windows XP and Windows 2003. Make sure the system responds with "Ok.".

Viewing the ARP Cache

To view the ARP cache, use the `arp` command:

    C:\>arp -a

    Interface: 192.168.1.100 --- 0x10004
      Internet Address      Physical Address      Type
      192.168.1.1           00-0f-66-37-22-32     dynamic
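Reading that table by eye is fine for one entry, but the ARP poisoning post above describes the symptom worth checking for: the gateway and some other host resolving to the same physical address. The following added example (not part of the original post) parses the text of `arp -a` into records and reports any MAC address claimed by more than one unicast IP. The sample output is constructed from the format shown above with one extra `192.168.1.12` entry added so that the check has something to find; the function names are assumptions.

```python
"""Added example (not from the original post): parse Windows `arp -a` output
and flag a MAC shared by several IPs. The sample text is constructed from the
format shown in the post; the extra 192.168.1.12 entry is invented."""
import re
from collections import defaultdict

SAMPLE_ARP_A = """\
Interface: 192.168.1.100 --- 0x10004
  Internet Address      Physical Address      Type
  192.168.1.1           00-0f-66-37-22-32     dynamic
  192.168.1.12          00-0f-66-37-22-32     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

IFACE_RE = re.compile(r"^Interface:\s+(\S+)\s+---\s+(0x[0-9a-fA-F]+)")
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"          # Internet Address
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"  # Physical Address, dash-separated
    r"(\w+)\s*$"                                  # Type: dynamic / static
)


def parse_arp_a(text):
    """Return one dict per cache entry: interface, ip, mac (lower-case), type."""
    entries = []
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, typ = m.groups()
            entries.append({"interface": iface, "ip": ip, "mac": mac.lower(), "type": typ})
    return entries


def shared_macs(entries):
    """Map each MAC used by more than one unicast IP to the IPs claiming it.
    Broadcast and IPv4 multicast entries legitimately repeat and are skipped."""
    by_mac = defaultdict(list)
    for e in entries:
        if e["mac"] == "ff-ff-ff-ff-ff-ff" or e["mac"].startswith("01-00-5e"):
            continue
        by_mac[e["mac"]].append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    cache = parse_arp_a(SAMPLE_ARP_A)
    for mac, ips in shared_macs(cache).items():
        print(f"{mac} is claimed by {', '.join(ips)}")
```

A shared MAC is not proof by itself (a router can legitimately own several addresses on one interface), but when one of the IPs is the default gateway and the other is an ordinary workstation, it matches the stage 1/2 picture from the ARP poisoning post and is worth clearing the cache and watching whether the duplicate comes back.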

If Clearing the ARP Cache Fails

Occasionally, clearing the ARP cache will fail due to a bug in Microsoft Windows. If the user tries to use Microsoft Windows to repair the network connection, he/she will receive an error message that says:

    Windows could not finish repairing the problem because the following operation could not be completed:
    Clearing the ARP cache
    For assistance, contact the person who manages your network

This bug occurs when Routing and Remote Services is enabled. Routing and Remote Services is usually unnecessary and can be turned off unless it is being used.
To disable Routing and Remote Services:
  • Click the Start button
  • Click the Control Panel button
  • Switch to “Classic View” if in “Category View”
  • Click Administrative Tools
  • Click Computer Management
  • Double click Services and Applications
  • Double click Services
  • Scroll down to Routing and Remote Services
  • Double click Routing and Remote Services
  • Examine the “Startup Type”
  • The options are “Automatic,” “Manual,” and “Disabled”
  • Set the “Startup Type” to “Disabled”
  • Examine the “Service status”
  • Make sure that the service status is Stopped. If it is not Stopped, click the Stop button
  • Click the OK button
Now, try clearing the ARP cache again and it should clear without any error messages.


For more -::- about the ARP poisoning attack

