13.94M

Category:

informatics

Hacking Lab

1.

Hacking Lab
Dr Bishwajeet Pandey, SMIEEE
Professor-Department of Intelligent System and Cyber
Security, Astana IT University, Kazakhstan
PhD (Gran Sasso Science Institute, L'Aquila, Italy)
Visiting Professor at
L.N. Gumilyov Eurasian National University, Kazakhstan
UCSI UNIVERSITY-Malaysia

2.

ABOUT COURSE TEACHER
PhD from Gran Sasso Science Institute, Italy
PhD Supervisor Prof Paolo Prinetto from Politecnico Di Torino
MTech from Indian Institute of Information Technology, Gwalior, India
Visited 47 Countries Across The Globe
Written 200+ Research paper with 212 Researcher from 93 Universities
Scopus Profile: https://www.scopus.com/authid/detail.uri?authorId=57203239026
Google Scholar: https://scholar.google.com/citations?user=UZ_8yAMAAAAJ&hl=hi
IBM Certified Solution Designer
EC-Council Certified Ethical Hacker
AWS Certified Cloud Practitioner
Email: [email protected], [email protected], [email protected]

3.

Syllabus of Ethical Hacking
• THEORY
• Week 1-2: Introduction to Ethical Hacking
• Week 3-4: Scanning and Enumeration
• Week 5-6: Sniffing and Social Engineering
• Week 7-8: DOS and Session hijacking
• Week 9-10: Webserver and Applications
• Lab Experiments 1-16 Based on All ABOVE UNIT

4.

My Certification

5.

6.

My Research Publication

7.

8.

9.

10.

11.

My Research Areas

12.

CYBER RANGE AND CYBER
SECURITY OF CYBER PHYSICAL
SYSTEM

13.

Ethical Hacking CONCEPTS
• What
is
Ethical
Hacking?
• Ethical hacking is the process where a professional hacker
legally and deliberately tries to break into the computers
and devices of an organisation. In doing so, ethical
hackers can test the organisation's defences,
highlighting any vulnerabilities in their systems and
networks.

14.

Ethical Hacking CONCEPTS
• What are the 5 steps of ethical hacking?
Five Phases of Ethical Hacking
● Phase 1: Reconnaissance.
● Phase 2: Scanning.
● Phase 3: Gaining Access.
● Phase 4: Maintaining Access.
● Phase 5: Clearing Tracks

15.

Ethical Hacking CONCEPTS: Types of Hacker
Hackers can be classified into different categories such as white hat, black
hat, and grey hat, based on their intent of hacking a system.
White Hat hackers are also known as Ethical Hackers. They never intent to
harm a system, rather they try to find out weaknesses in a computer or a
network system as a part of penetration testing and vulnerability assessments.
Black Hat hackers, also known as crackers, are those who hack in order to
gain unauthorized access to a system and harm its operations or steal
sensitive
information.
Grey hat hackers are a blend of both black hat and white hat hackers. They
act without malicious intent but for their fun, they exploit a security weakness
in a computer system or network without the owner’s permission or
knowledge.

16.

Ethical Hacking CONCEPTS
• What
is
reconnaissance
in
hacking?
• In the context of cybersecurity, reconnaissance is the
practice of covertly discovering and collecting
information about a system. This method is often used
in ethical hacking or penetration testing.

17.

Ethical Hacking CONCEPTS
• What is hacker full form?
• Full form of HACKER is "Hardcore Programmer"

18.

Ethical Hacking CONCEPTS
• Who was the first hacker?
• The first major hacking came in 1971, by a vietnam vet
named John Draper. He figured out a way to make free
phone calls. This was later called "Phreaking".

19.

Ethical Hacking CONCEPTS
• Why
do
people
hack?
• Some common reasons for hacking include basic
bragging rights, curiosity, revenge, boredom,
challenge, theft for financial gain, sabotage, vandalism,
corporate espionage, blackmail, and extortion. Hackers
are known to regularly cite these reasons to explain their
behavior.

20.

Ethical Hacking CONCEPTS
• Who was the youngest hacker?
• Kristoffer
von
Hassel
• At the age of five, Hassel exposed security lapses in
the Microsoft Live Xbox system, prompting wide media
coverage, with some journalists highlighting the
dropping age of hackers and their technology mastery.

21.

Ethical Hacking CONCEPTS
• Who Hacked NASA in 1999?
• Jonathan James
• Between August and October of 1999, Jonathan
James used his skills as a hacker to intercept data
from the Defense Threat Reduction Agency or DTRA
(a division of the US department Of defense). He had
access to over 3,000 messages, usernames and
passwords of DTRA employees.

22.

Ethical Hacking CONCEPTS
• Why do hackers use Linux?
• Although it is true that most hackers prefer Linux
operating systems, many advanced attacks occur in
Microsoft Windows in plain sight. Linux is an easy
target for hackers because it is an open-source
system. This means that millions of lines of code can
viewed publicly and can easily be modified.

23.

Ethical Hacking CONCEPTS
• Who
is
the
best
hacker
in
the
world
2022?
• Today, he is a trusted, highly sought-after security
consultant to Fortune 500 and governments worldwide.
Kevin Mitnick is the world's authority on hacking,
social engineering, and security awareness training. In
fact, the world's most used computer-based end-user
security awareness training suite bears his name.

24.

Ethical Hacking CONCEPTS
• What
is
Kali
Linux?
• Kali Linux is a Debian-derived Linux distribution
designed for digital forensics and penetration testing.
It is maintained and funded by Offensive Security.

25.

Ethical Hacking CONCEPTS
Rules for Ethical Hacking
● Before hacking the network or computer system, first, you must
receive written permission from the system owner.
● Place top priority on protecting the privacy of the owner of the
hacked system.
● Report all the revealed vulnerabilities in a transparent way to the
owner of the hacked system.
● Software and Hardware vendors using that system or product
must also be informed about the system’s vulnerabilities.

26.

Ethical Hacking CONCEPTS
Ethical Hacking: Legal or Illegal?
Ethical Hacking is a legal action only if the hacker follows all the
rules defined in the Previous slide. The International Council of ECommerce provides certification programs for ethical hacker skills
testing. These certificates must be renewed after a period of time.
There are other ethical hacking certificates that will also suffice,
such as the RHC Red Hat and Kali InfoSec certifications.

27.

Ethical Hacking TERMINOLOGY
• Adware − Adware is software designed to force pre-chosen
ads
to
display
on
your
system.
• Attack − An attack is an action that is done on a system to
get
its
access
and
extract
sensitive
data.
• Back door − A back door, or trap door, is a hidden entry to a
computing device or software that bypasses security
measures, such as logins and password protections.

28.

Ethical Hacking TERMINOLOGY
Bot − A bot is a program that automates an action so that it can be
done repeatedly at a much higher rate for a more sustained period
than a human operator could do it. For example, sending HTTP, FTP
or Telnet at a higher rate or calling script to create objects at a higher
rate.
Botnet − A botnet, also known as zombie army, is a group of
computers controlled without their owners’ knowledge. Botnets are
used to send spam or make denial of service attacks.

29.

Ethical Hacking TERMINOLOGY
• Brute force attack − A brute force attack is an automated and
the simplest kind of method to gain access to a system or
website. It tries different combination of usernames and
passwords, over and over again, until it gets in.
• Buffer Overflow − Buffer Overflow is a flaw that occurs when
more data is written to a block of memory, or buffer, than the
buffer is allocated to hold.

30.

Ethical Hacking TERMINOLOGY
Clone phishing − Clone phishing is the modification of an existing, legitimate email with
a false link to trick the recipient into providing personal information.
Cracker − A cracker is one who modifies the software to access the features which are
considered undesirable by the person cracking the software, especially copy protection
features.
Denial of service attack (DoS) − A denial of service (DoS) attack is a malicious attempt
to make a server or a network resource unavailable to users, usually by temporarily
interrupting or suspending the services of a host connected to the Internet.
DDoS − Distributed denial of service attack.

31.

Ethical Hacking TERMINOLOGY
Exploit Kit − An exploit kit is software system designed to run on
web servers, with the purpose of identifying software vulnerabilities
in client machines communicating with it and exploiting discovered
vulnerabilities to upload and execute malicious code on the client.
Exploit − Exploit is a piece of software, a chunk of data, or a
sequence of commands that takes advantage of a bug or
vulnerability to compromise the security of a computer or network
system.

32.

Ethical Hacking TERMINOLOGY
Firewall − A firewall is a filter designed to keep unwanted intruders
outside a computer system or network while allowing safe communication
between systems and users on the inside of the firewall.
Keystroke logging − Keystroke logging is the process of tracking the keys
which are pressed on a computer (and which touchscreen points are
used). It is simply the map of a computer/human interface. It is used by
gray and black hat hackers to record login IDs and passwords.
Keyloggers are usually secreted onto a device using a Trojan delivered
by a phishing email.

33.

Ethical Hacking TERMINOLOGY
Logic bomb − A virus secreted into a system that triggers a malicious
action when certain conditions are met. The most common version is the
time bomb.
Malware − Malware is an umbrella term used to refer to a variety of forms
of hostile or intrusive software, including computer viruses, worms, Trojan
horses, ransomware, spyware, adware, scareware, and other malicious
programs.
Master Program − A master program is the program a black hat hacker
uses to remotely transmit commands to infected zombie drones, normally
to carry out Denial of Service attacks or spam attacks.

34.

Ethical Hacking TERMINOLOGY
• Phishing − Phishing is an e-mail fraud method in which the
perpetrator sends out legitimate-looking emails, in an
attempt to gather personal and financial information from
recipients.
• Phreaker − Phreakers are considered the original
computer hackers and they are those who break into the
telephone network illegally, typically to make free
longdistance phone calls or to tap phone lines.

35.

Ethical Hacking TERMINOLOGY
Rootkit − Rootkit is a stealthy type of software, typically malicious,
designed to hide the existence of certain processes or programs from
normal methods of detection and enable continued privileged access
to
a
computer.
Shrink Wrap code − A Shrink Wrap code attack is an act of exploiting
holes
in
unpatched
or
poorly
configured
software.
Social engineering − Social engineering implies deceiving someone
with the purpose of acquiring sensitive and personal information, like
credit card details or user names and passwords.

36.

Ethical Hacking TERMINOLOGY
Spam − A Spam is simply an unsolicited email, also known as junk email,
sent to a large number of recipients without their consent.
Spoofing − Spoofing is a technique used to gain unauthorized access to
computers, whereby the intruder sends messages to a computer with an
IP address indicating that the message is coming from a trusted host.
Spyware − Spyware is software that aims to gather information about a
person or organization without their knowledge and that may send such
information to another entity without the consumer's consent, or that
asserts control over a computer without the consumer's knowledge.

37.

Ethical Hacking TERMINOLOGY
SQL Injection − SQL injection is an SQL code injection technique,
used to attack data-driven applications, in which malicious SQL
statements are inserted into an entry field for execution (e.g. to dump
the database contents to the attacker).
Threat − A threat is a possible danger that can exploit an existing bug
or vulnerability to compromise the security of a computer or network
system.

38.

Ethical Hacking TERMINOLOGY
Trojan − A Trojan, or Trojan Horse, is a malicious program disguised to look
like a valid program, making it difficult to distinguish from programs that are
supposed to be there designed with an intention to destroy files, alter
information, steal passwords or other information.
Virus − A virus is a malicious program or a piece of code which is capable of
copying itself and typically has a detrimental effect, such as corrupting the
system or destroying data.

39.

Ethical Hacking TERMINOLOGY
• Vulnerability − A vulnerability is a weakness which allows
a hacker to compromise the security of a computer or
network system.
• Worms − A worm is a self-replicating virus that does not
alter files but resides in active memory and duplicates
itself.

40.

Ethical Hacking TERMINOLOGY
• Cross-site Scripting − Cross-site scripting (XSS) is a type of
computer security vulnerability typically found in web
applications. XSS enables attackers to inject client-side script
into web pages viewed by other users.
• Zombie Drone − A Zombie Drone is defined as a hijacked
computer that is being used anonymously as a soldier or
'drone' for malicious activity, for example, distributing
unwanted spam emails.

41.

Different Phases Involved in An Exploit by A Hacker.
Clearing
Tracks

42.

Different phases involved in an exploit by a Hacker.
Five Phases of Ethical Hacking
● Phase 1: Reconnaissance.
● Phase 2: Scanning.
● Phase 3: Gaining Access.
● Phase 4: Maintaining Access.
● Phase 5: Clearing Tracks

43.

Different phases involved in an exploit by a Hacker
Reconnaissance
This is the first step of Hacking. It is also called as
Footprinting and information gathering Phase. This is the
preparatory phase where we collect as much information as
possible about the target. We usually collect information
about three groups,
1. Network
2. Host
3. People involved

44.

Different phases involved in an exploit by a Hacker
Reconnaissance
There are two types of Footprinting:
● Active: Directly interacting with the target to gather
information about the target. Eg Using Nmap tool to scan
the target
● Passive: Trying to collect the information about the target
without directly accessing the target. This involves
collecting information from social media, public websites
etc.

45.

Different phases involved in an exploit by a Hacker.
Scanning:
● Port scanning: This phase involves scanning the target for the information
like open ports, Live systems, various services running on the host.
● Vulnerability Scanning: Checking the target for weaknesses or
vulnerabilities which can be exploited. Usually done with help of
automated tools
● Network Mapping: Finding the topology of network, routers, firewalls
servers if any, and host information and drawing a network diagram with
the available information. This map may serve as a valuable piece of
information throughout the hacking process.

46.

Different phases involved in an exploit by a Hacker.
Scanning
Three types of scanning are involved:
Port scanning: This phase involves scanning the target for the information like open ports,
Live systems, various services running on the host.
Vulnerability Scanning: Checking the target for weaknesses or vulnerabilities which can be
exploited. Usually done with help of automated tools
Network Mapping: Finding the topology of network, routers, firewalls servers if any, and host
information and drawing a network diagram with the available information. This map may
serve as a valuable piece of information throughout the haking process.

47.

Different phases involved in an exploit by a Hacker
Gaining Access
• This phase is where an attacker breaks into the
system/network using various tools or methods.
• After entering into a system, he has to increase his
privilege to administrator level so he can install an
application he needs or modify data or hide data.

48.

Different Phases Involved in An exploit by A Hacker
Maintaining Access
• Hacker may just hack the system to show it was vulnerable or
he can be so mischievous that he wants to maintain or persist
the connection in the background without the knowledge of
the user.
• This can be done using Trojans, Rootkits or other malicious
files.
• The aim is to maintain the access to the target until he finishes
the tasks he planned to accomplish in that target.

49.

Different Phases Involved in An exploit by A Hacker
Clearing Tracks
• No thief wants to get caught. An intelligent hacker always
clears all evidence so that in the later point of time, no
one will find any traces leading to him.
• This involves modifying/corrupting/deleting the values of
Logs, modifying registry values and uninstalling all
applications he used and deleting all folders he created.

50.

51.

Overview of Attacks
• A cyberattack is a malicious and deliberate attempt by an
individual or organization to breach the information system
of
another
individual
or
organization.
• Usually, the attacker seeks some type of benefit from
disrupting the victim’s network.

52.

53.

Malware
Malware is a term used to describe malicious software, including
spyware, ransomware, viruses, and worms. Malware breaches a
network through a vulnerability, typically when a user clicks a
dangerous link or email attachment that then installs risky software.
Once inside the system, malware can do the following:
● Blocks access to key components of the network
(ransomware)
● Installs malware or additional harmful software
● Covertly obtains information by transmitting data from the hard
drive (spyware)
● Disrupts certain components and renders the system
inoperable

54.

Phishing
• Phishing is the practice of sending fraudulent
communications that appear to come from a reputable
source, usually through email.
• The goal is to steal sensitive data like credit card and login
information or to install malware on the victim’s machine.
Phishing is an increasingly common cyberthreat.

55.

Man-in-the-middle attack
• Man-in-the-middle
(MitM)
attacks,
also
known
as
eavesdropping attacks, occur when attackers insert themselves
into a two-party transaction. Once the attackers interrupt the
traffic, they can filter and steal data.
• Two common points of entry for MitM attacks:
1. On unsecure public Wi-Fi, attackers can insert themselves
between a visitor’s device and the network. Without knowing,
the visitor passes all information through the attacker.
2. Once malware has breached a device, an attacker can install
software to process all of the victim’s information.

56.

Denial-of-service attack
• A denial-of-service attack floods systems, servers, or
networks with traffic to exhaust resources and bandwidth.
• As a result, the system is unable to fulfill legitimate
requests.
• Attackers can also use multiple compromised devices to
launch
this
attack.
• This is known as a distributed-denial-of-service (DDoS)
attack.

57.

SQL injection
• A Structured Query Language (SQL) injection occurs
when an attacker inserts malicious code into a server that
uses SQL and forces the server to reveal information it
normally
would
not.
• An attacker could carry out a SQL injection simply by
submitting malicious code into a vulnerable website
search box.

58.

REPORTED INCIDENT OF CYBER
TERRORISM RELATED TO WATER
SOURCE: THESIS OF GRAN SASSO SCIENCE INSTITUTE L'AQUILA, ITALY

59.

ATTACKS ON HARRISBURG
WATER TREATMENT PLANT
• IT IS ONE OF THE MOST FAMOUS CYBER-
ATTACKS ON WATER SCADA SYSTEM.
• IN 2006, A HACKER COMPROMISED REMOTE
ACCESS OF EMPLOYEE’S LAPTOP AND USED
COMPROMISED LAPTOP AS AN ENTRY POINT
INTO TREATMENT PLANT OF WATER AT
HARRISBURG AND INSTALL A COMPUTER
VIRUS AND SPYWARE.
• AFTER THE INCIDENT OF THE INTRUSION, THE
PLANT CHANGED ALL SYSTEM PASSWORDS
AND ALSO ELIMINATED HOME ACCESS TO THE
NETWORK.

60.

60
ATTACKS ON TEHAMA
COLUSA CANAL AUTHORITY
• MICHAEL KEEHN WAS THE MAIN PERPETRATOR
BEHIND THIS ATTACK. HE WAS AN OLD
EMPLOYEE AT TCCA.
• HE
DELIBERATELY ENTERS AND DESTRUCTS
COMPUTER
SYSTEM
AND
INSTALLED
ILLEGITIMATE SOFTWARE IN SCADA SYSTEM OF
TCAA.
• HE WAS ARRESTED FOLLOWING A GRAND
JURY INDICTMENT ON NOVEMBER 15, 2007. HE
GOT
A
SENTENCE
OF
10
YEARS
IMPRISONMENT. THE INTRUSION COST THE
TCCA MORE THAN $5,000 IN DAMAGES.

61.

ATTACKS ON OUR EMULATOR:
TOOLS USED & ATTACKER
SECURITY ATTACKS→TOOLS
USED
1. INFORMATION DISCLOSURE
→ FIREFOX ANALYZER,
WAPPALYZER
2. SCANNING : ACCESSIBLE
FOLDER → DIRBUSTER
3. EXPLOITATION: SQL
INJECTION → SQLMAP
4. EXPLOITATION: DOS →
SOURCE: THESIS OF GRAN SASSO SCIENCE INSTITUTE L'AQUILA, ITALY
SQLMAP

62.

ATTACKS ON OUR
EMULATOR: SUMMARY
SOURCE: THESIS OF GRAN SASSO SCIENCE INSTITUTE L'AQUILA, ITALY

63.

STEPS TAKEN TO ENHANCE SECURITY
• WE TAKE FOLLOWING STEPS
• INPUT VALIDATION,
• PARAMETERIZED QUERIES AND
• USAGE OF STORED PROCEDURES
• TO REDUCE THE POSSIBILITY OF
EXPLOITATION: SQL INJECTION AND DOS.
• WE MAKE IMAGES FOLDER NO MORE
REACHABLE TO REDUCE THE ATTACKS OF
FORCED BROWSING - ACCESSIBLE FOLDER.
• WE INTEGRATE SECUBE IN OUR EMULATOR.

64.

64
SECUBE
• SECUBE IS DEVELOPED BY BLU5 GROUP.
• BLU5 GROUP IS A GLOBAL ALLIANCE OF BLU5
LABS LTD MALTA, CINI ITALY, LERO IRELAND,
LIRMM FRANCE AND TU DORTMUND GERMANY.
• THE CORE OF SECUBE IS A 3-D SYSTEM ON CHIP
(SOC).
• THIS SOC CONSISTS OF
HARDWARE COMPONENTS:
THE
FOLLOWING
• STM32F4 PROCESSOR
• LATTICE MACHXO2-7000 FPGA
• EAL5+ CERTIFIED SMART CARD
SOURCE: THESIS OF GRAN SASSO SCIENCE INSTITUTE L'AQUILA, ITALY

65.

SECUBE IN BETWEEN SLAVE AND
MASTER CONTROLLER
• WE INSERT SECUBE IN
BETWEEN
SLAVE
AND
MASTER RASPBERRY PI.
• SECUBE ENCRYPTS AND
DECRYPTS
MESSAGE
TO/FROM MASTER/SLAVE
USING AES.
SOURCE: THESIS OF GRAN SASSO SCIENCE INSTITUTE L'AQUILA, ITALY

66.

WEB-INTERFACE OF OUR
EMULATOR
GRAN SASSO SCIENCE INSTITUTE L'AQUILA, ITALY

67.

Identification of Exploit Categories
• Software and networks come with built-in protection against
hackers, sort of like locks that keep unwanted guests from
sneaking
inside.
• A vulnerability, then, is like an accidental open window that a
thief
can
climb
through.
• In the case of a computer or network, thieves can install
malicious software through these vulnerabilities (open windows)
in order to control (infect) the system for their own nefarious
ends.

68.

Identification of Exploit Categories
• Vulnerabilities are weaknesses or security flaws in a system or
network that can allow malicious actors or hackers a way in.
• So if a vulnerability is the open window into the system, an
exploit is the rope or ladder the thief uses to reach the open
window.
• An exploit is simply a tool created to leverage a specific
vulnerability — without vulnerabilities, there’s nothing to
exploit.

69.

Identification of Exploit Categories
● In the illustration above, the window on the left is locked, so there’s no
vulnerability.
● The window on the right is open and vulnerable, but too high up to exploit.
● The window in the middle is open and vulnerable and, crucially, close
enough to the ground to exploit.

70.

Identification of Exploit Categories
• Exploits are commonly classified as one of two types:
known
or
unknown.
• Known exploits have already been discovered by
cybersecurity
researchers.
• Whether the known exploit is due to a vulnerability in the
software, OS, or even hardware, developers can code
patches to plug the hole.

71.

Identification of Exploit Categories
• Unknown exploits or zero-day exploits, in contrast, are created
by cybercriminals as soon as they discover a vulnerability, and
they use the exploit to attack victims on the same day.
• When a zero-day exploit attack happens, software developers
and cybersecurity researchers have to scramble to figure out how
the exploit works and how to patch the vulnerability.

72.

73.

Some Famous Exploit: EternalBlue
• EternalBlue is one of the most famous — and most damaging —
exploits
out
there.
• Originally developed by the NSA, EternalBlue was stolen by the
Shadow Brokers hacking group and then leaked in March 2017.
• Although Microsoft discovered the leak and issued a security
update to patch the vulnerability, many people and organizations
failed
to
apply
the
patch
in
time.
• This allowed hackers to proceed with some of the most damaging
cyberattacks in history, including WannaCry and NotPetya.

74.

Some Famous Exploit: WannaCry
• WannaCry was the stuff of nightmares: a wormable attack that used
the EternalBlue exploit to spread exponentially across computer
networks, infecting 10,000 machines per hour in 150 countries.
• As ransomware, WannaCry encrypted computers, rendering them
inaccessible — a huge issue for the national health services,
governments, universities, and large corporations that WannaCry hit.
• Although WannaCry is no longer active, other exploits can still take
advantage of EternalBlue to attack Windows users running outdated
software — so make sure yours is updated.

75.

Legal implications of Hacking
• Is Ethical Hacking legal in India?
• Hacking is a wrongful act under Indian legal system.
• Although Indian laws do not specifically deal with ethical
hacking yet hacking is a punishable offense in India.
• The act of Hacking contravenes the underlying principles of
India legal system.
• The subject of ethical hacking has not been dealt with
explicitly in Indian laws, therefore, it enjoyed neutral status
under Indian legal system.

76.

Legal implications of Hacking
Information Technology Act, 2000
Information technology (IT) Act, 2000 is a watershed
movement in Indian legal system and a landmark in the
cyber
law
arena.
If we look at the provisions of IT act cautiously, we can
deduce that it covers almost all the wrongs that emerge from
hacking because hacking is such offence which is very wide
and covers a lot of other offenses

77.

Legal implications of Hacking
• Chapter XI Section 66 of IT Act, 2000 particularly deals with the act
of
hacking.
• Section 66(1) defines a hack as, any person, dishonestly or
fraudulently, does any act referred to in Section 43 is called hacking,
• Section
66(2)
prescribes
the
punishment
for
it.
• Hacking is a punishable offense in India with imprisonment up to 3
years, or with fine up to two lakh rupees, or with both.

78.

Legal implications of Hacking
• Chapter IX Section 43 of IT act, 2000 prescribes a penalty for the
damage
to
computer
or
computer
system.
• It is a common thing which happens whenever a computer system is
hacked.
• Black hats damage the system that they hack and steal the
information.
• This enumerative provision includes a lot of activities.

79.

Legal implications of Hacking
• Chapter XI Section 65 of the said act makes tampering with
computer
source
documents
an
offense.
• Section 72 of the same chapter makes the breach of
confidentiality
and
privacy,
a
punishable
offense.
• This is the most common aftermath of hacking.

80.

What is Reverse Engineering?
• Reverse engineering refers
to the duplication of another
producer’s
product
following
a
thorough
examination
of
its
construction or composition.

81.

Reverse Engineering
• Benefits:
• Examining the structures and processes of an
application can lead to product innovation.
• Knowledge gain by other researcher’s work
• Reconstructing a product that is outdated
• The discovery of software vulnerabilities
• The development of applications that are more efficient
and cheap.

82.

Reverse Engineering in Hacking
• In the security world, researchers use reverse engineering
to find security risks in programs, to understand malicious
applications,
etc.
• Cyber-criminals can also use this technique to exploit
security bugs in applications, the difference with the
security researchers is what they do with that vulnerability
information.

83.

Reverse Engineering in Hacking
In a report conducted on April 2019, found that 97% of the 30
mobile financial apps that were tested, were lacking binary
protection, making decompiling and review of the source code
possible.
Upon decompiling an app all kinds of sensitive information can be
exposed, API URLs API keys hardcoded into the apps.
The URLs can lead attackers to nonstandard port numbers,
development servers, private keys, application file directories that
were used for testing by developers, quality assurance engineers
and can lead an attacker to compromise entire applications.

84.

Reverse Engineering: Exploit, Vulnerabilities
• The more obfuscated the code is, the more often it’s true that the
code in question is rich in vulnerabilities.
• We can use our expertise to examine our environment and
develop exploits for our red teams to test our blue team's or
company's defenses.
• We won’t understand the true impact of vulnerabilities in your
environment unless you can measure impact.

85.

Reverse Engineering: Zero Days

86.

Methodology:Reverse Engineering & Exploit Development
Discover functionality, in order to determine how to undermine it
Use targeted fuzzing to identify behavior which can be abused
Reverse engineer proprietary protocols
Find vulnerabilities
Build attack chains for exploits
Provide exploit proof of concepts or packaged exploit modules

87.

Reverse Engineering and manual PT
• What
is
Penetration
Testing?
• Penetration Testing has been evolving throughout the year with
a robust increase in highly sophisticated attacks.
• Every organization is now aware of the damage caused by
cyber-attacks.
• Private and Government organizations are now conducting
scheduled penetration tests for every three months or less than
that.

88.

Reverse Engineering and manual PT
• The attacks are increasing day by day and now almost every
device is vulnerable to an unpatched zero-day vulnerability.
• Attacks like Meltdown and Spectre have gone too deep that it
exploits
a
vulnerability
at
the
processor
level.
• Likeways, the firmware is also one of the important attack
vectors. This paper discusses multiple methods for reverse
engineering a router firmware and the process of backdooring it.

89.

Manual Penetration Testing
Manual penetration testing is the testing that is done by human
beings. In such type of testing, vulnerability and risk of a machine
is tested by an expert engineer.
Generally, testing engineers perform the following methods −
● Data Collection − Data collection plays a key role for testing.
One can either collect data manually or can use tool services
(such as webpage source code analysis technique, etc.) freely
available online. These tools help to collect information like
table names, DB versions, database, software, hardware, or
even about different third party plugins, etc

90.

Manual Penetration Testing
● Vulnerability Assessment − Once the data is collected, it helps
the testers to identify the security weakness and take
preventive steps accordingly.
● Actual Exploit − This is a typical method that an expert tester
uses to launch an attack on a target system and likewise,
reduces the risk of attack.
● Report Preparation − Once the penetration is done, the tester
prepares a final report that describes everything about the
system. Finally the report is analyzed to take corrective steps to
protect the target system.

91.

Manual Penetration Testing

92.

Manual Penetration Testing
Manual penetration testing is normally categorized in two following ways:
● Focused Manual Penetration Testing − It is a much focused method that
tests specific vulnerabilities and risks. Automated penetration testing
cannot perform this testing; it is done only by human experts who
examine specific application vulnerabilities within the given domains.
● Comprehensive Manual Penetration Testing − It is through testing of
whole systems connected with each other to identify all sorts of risk and
vulnerability. However, the function of this testing is more situational, such
as investigating whether multiple lower-risk faults can bring more
vulnerable attack scenario, etc

93.

Pro's and Con's of Manual Penetration Testing
Read more at: https://www.appknox.com/blog/automated-penetration-testing-vs.-manual-penetration-testing

94.

Reverse Engineering Hacking Tools
• Binwalk – is an inbuilt Linux utility that allows us to carve
and analyze binary files.
• Unsquashfs – is a tool to decompress or extract the
squashfs file system.
• Hexdump – allows the users to view the hexadecimal view of
the specific input data with ability to extract file contents into
multiple formats like decimal, octal, and ASCII.
• Objdump – displays information about the object files and
used to disassemble executable files.
• Strings – extracts the strings embedded inside the binary
files and other executable files

95.

Reverse Engineering Hacking Tools
• GDB – the GNU Debugger helps in decompiling executables
and binary files that are written in embedded C, C++, etc.
• Radare2 – is a framework built for reverse engineering and
analyzing binaries.
• Ghidra – consists of a set of reverse engineering tools and
licensed open source by NSA.
• IDA – is commercial software that allows debugging and
decompiling the source code from executables.
• Firmware mod kit – allows decompression of various firmware
in embedded devices. It supports various file systems and
versions such as SquashFS 2.0, 3.0 and 4.0.

96.

What is Banner Grabbing?
Banner grabbing is the process of obtaining a target company’s
application names and versions, regardless of manner—manually or
automatically by using an open-source tool—in preparation for an attack.
All connected systems and devices often expose confidential information
that includes software names and operating systems (OSs), along with
their
versions,
collectively
known
as
“banner
data.”
Knowing these data points allows threat actors to find exploitable
vulnerabilities in target networks

97.

What is Banner Grabbing?
Banner
Penetration testers also perform the act when an organization hires
them
to
determine
all
its
weak
spots.
The process is also useful for IT teams performing security audits
to know which systems and applications require stronger
cyberdefense.
Think of banner grabbing as sending a spy to work for a competitor
so he or she can report the company’s weaknesses to his or her
real employer.
grabbing
is
not
always
bad.

98.

Banner Grabbing Tools and Techniques
• Telnet: this classic cross-platform client allows hackers and
pentesters to interact with remote services for banner
grabbing.
• Pen-testers and attackers can telnet to hosts on the default
telnet port (TCP port 23) to discover relevant information.
• Attacks can telnet other commonly used ports like SMTP,
HTTP, and POP3. Most operating systems can establish
Telnet sessions, allowing users to perform banner grabbing

99.

Banner Grabbing Tools and Techniques
• Whatweb: the tool recognizes websites, helping hackers
and security analysts to grab the web-applications banner
by disclosing the server information such as the IP
address, version, webpage title, and running operating
system
• cURL: the tool has a command that includes the
functionality for retrieving banner details from HTTP
servers

100.

Banner Grabbing Tools and Techniques
• Wget: the banner grabbing tool can lead users to
remote or local servers’ banner.
• Wget uses a simple script to suppress the expected
output and print the headers sent by the HTTP
server
• Netcat: the tool is one of the oldest and popular
network utilities for Unix and Linux.

101.

Banner Grabbing Tools and Techniques
DMitry: The Deepmagic Information Gathering Tool can gather as
much host information as possible.
DMitry allows attackers to get all the data from a remote host,
including DNS enumeration, subdomain mapping, open ports, and
much more.
Nmap: this simple banner grabber connects to an open TCP port and
prints out details sent by the listening service within a few seconds

102.

How Does Banner Grabbing Work?
• A banner grabbing attack has three necessary steps.
• First, the attacker chooses the service he or she wants to
target.
• He or she then launches a request to the target application
or
system.
• When the software or device responds, he or she inspects
the response to determine what exploit to use for the
attack.

103.

NMAP for Banner Grabbing
• sudo nmap -Pn -F --script banner scanme.nmap.org

104.

NMAP for Banner Grabbing
• sudo nmap -Pn -p22,80 --script banner scanme.nmap.org

105.

Two Types of Banner Grabbing Attacks
• There
are
• Active
• Passive
two
kinds
of
banner
grabbing

106.

Two Types of Banner Grabbing Attacks
What Is Active Banner Grabbing?
• Specially crafted packets are sent to remote OS and the
responses are noted.
• The responses are then compared with a database to
determine the OS.
• Response from different OSes varies due to differences in
TCP/IP stack implementation.

107.

Two Types of Banner Grabbing Attacks
What
Passive banner grabbing allows users to get the same information
while avoiding exposure.
Banner grabbing from error messages: Error messages provide
information such as type of server, type of OS, and SSL tool used by
the target remote system.
Sniffing the network traffic: Capturing and analyzing packets from the
target enables an attacker to determine OS used by the remote
system.
Banner grabbing from page extensions: Looking for an extension in
the URL may assist in determining the application version. Example:
.aspx => IIS server and Windows platform.
Is
Passive
Banner
Grabbing?

108.

Banner Grabbing from Page Extensions
Looking for an extension in the URL may assist in determining
the application version.
• Example: .aspx => IIS server and Windows platform.
• Example: .jsp => Apache Tomcat and Java Virtual Machine
• Example: .php => LAMP server and Linux platform.

109.

Preventing Banner Grabbing
We can follow these tips to prevent banner grabbing:
● Restrict access to services on the network
● Shut down unused or unnecessary services running on network hosts
● We can override our server’s default banner behavior to hide version
information. System administrators can customize default banners,
configure the network host’s application or operating system to disable
the banners, or remove information from the banners that could give an
attacker a leg up.
● Keep our server and systems up to date to secure our applications
against known server exploits

110.

Preventing Banner Grabbing
Disabling or Changing Banner
● Display false banners to misguide attackers.
● Turn off unnecessary services on the network host to limit the
information disclosure.
● Use ServerMask tools to disable or change banner information.
● Apache 2.x with mod_headers module - use a directive in
httpd.conf file to change banner information Header set
Server "New Server Name".
● Alternatively,
change
the
ServerSignature
line
to

111.

Preventing Banner Grabbing
Hiding File Extensions from Web Pages
● File extensions reveal information about the underlying server
technology that an attacker can utilize to launch attacks.
● Hide file extensions to mask the web technology.
● Change application mappings such as .asp with .htm or .foo, etc. to
disguise the identify of the servers.
● Apache users can use mod_negotiation directives.
● IIS users use tools such as PageXchanger to manage the file
extensions.
● It is even better if the file extensions are not at all used.

112.

SHODAN
• Shodan is a search engine that lets users search for
various types of servers (webcams, routers, servers, etc.)
connected to the internet using a variety of filters.
• The website scans the Internet for publicly accessible
devices.[12]
• The primary users of Shodan are cybersecurity
professionals, researchers and law enforcement agencies.
• While cybercriminals can also use the website, some have
access to botnets that could accomplish the same task
without detection.

113.

https://www.shodan.io/search/examples
SHODAN

114.

TELNET

115.

What's that site running?
• https://www.netcraft.com
• Using results from our internet data mining, find out the
technologies and infrastructure of any site.

116.

What's that site running?
• https://www.netcraft.com
• Using results from our internet data mining, find out the
technologies and infrastructure of any site.

117.

What's that site running?
• https://www.netcraft.com
• Using results from our internet data mining, find out the
technologies and infrastructure of any site.