A brief Inroduction to Web/System Security through "Ethical Hacking" !!

1. Web/System Security through “ ETHICAL HACKING” Guide : Smt. Jayasree K Presented by, Narayanan K Roll No: 27 C7A

2. PART - 1  What is Hacking?  Categories/Classes of Hackers.  Ethical Hackers – Skills, What do they do?, How much do they get paid?.  Anatomy of Attack

5. Categories/Classes of Hackers  Black Hats  White Hats (Ethical Hackers)  Grey Hats  Script Kiddies  Hactivism

6. Black Hats : -> Hacker s pecialized in unauthorized, illegal penetration. -> Use computers to attack systems for profit, for revenge, or for political motivations White Hats : -> Hacker who identifies security weakness in a computer system or network and -> Exposes these weakness that will allow the system's owners to fix the breach. Grey Hats : -> Hybrid between White Hats and Black Hats.

7. Script Kiddies : -> U se scripts or programs developed by others to attack computer systems and networks. -> Objective - To impress their friends or gain credit in computer-enthusiast communities. Hactivism : -> The non-violent use of illegal or legally ambiguous digital tools in pursuit of political ends . -> W riting of code to promote political ideology - promoting expressive politics, free speech, human rights.

8. Need of Ethical Hackers: Problem - Growth of the Internet - Computer Security has become a Major Concern Solution - Independent computer security professionals attempt to break into their computer systems – White Hats. How much do they get paid ? In the US, pay - > upwards of $120,000 per annum. Freelance Ethical Hackers can expect to make $10,000 per assignment.

9. ETHICAL HACKING “ One of the best ways to evaluate the intruder threat is to have independent computer security professionals (White Hats) appointed by company to attempt and break into their own computer systems.” Ethical hacking – Methodology adopted by ethical hackers to discover the loopholes and vulnerabilities existing in the system and fix them .

10. Skills of Ethical Hackers -> Completely Trustworthy. -> Strong programming and computer networking skills. -> Excellent Unix/Windows internal Knowledge. -> Detailed knowledge of the hardware and software provided by popular vendors. -> Very patient.

11. Anatomy of Attack Reconnaissance – attacker gathers information; Tools used: whois, traceroute, Spam Spade, dig, host etc.. Scanning – searches for open ports (port scan), probes target for vulnerabilities. Tools : Nmap, Ping, IP Scanner etc.. Gaining access – attacker exploits vulnerabilities to get inside system; Tools : John the Ripper etc.. Maintaining access – creates backdoor through use of Trojans to come back again easily; Tools : NetBus, SubSeven etc.. Covering tracks – deletes files, hides files, and erases log files to avoid detection. Tools : ClearLogs, Image Hide etc..

14. Client-Side Attacks  Focuses on the abuse or exploitation of a web site's users.  Attack Examples : 1. Content Spoofing 2. Cross-Site Scripting

19. SQL INJECTION “ SQL injection” is a security vulnerability that occurs in the database layer of an application. The objective -- > To fool the database system into running malicious code that will reveal sensitive information or otherwise compromise the server.

22. Protection Measurements – Do not create SQL string from input field directly without sanitizing. – Limit the no. of login failure ; then lock account temporarily or permanently – Log the login failure case to monitor the attack (both sql injection and brute-force attack)

24. Cross-Site Scripting (XSS) Attacks Script Injection – Entering malicious script codes into non-validated forms or text fields that will get stored in the database. – When that data is retrieved from database when the users load that webpage the code executes and attack occurs

25. XSS-Attack: General Overview 1. Attacker sends malicious code 2. Server stores message Did you know this? ..... 3. User requests message 4. Message is delivered by server 5. Browser executes script in message Attacker Client Web Server GET Money for FREE !!! <script> attack code </script> !!! attack code !!! This is only one example out of many attack scenarios! Re: Error message on startup ..... I found a solution! ..... Can anybody help? ..... Error message on startup ..... Post Forum Message: Subject: GET Money for FREE !!! Body: <script> attack code </script> GET Money for FREE !!! <script> attack code </script> Get /forum.jsp?fid=122&mid=2241

26. Simple XSS Attack http://myserver.com/test.jsp?name=Stefan http://myserver.com/welcome.jsp?name= <script>alert(&quot;Attacked&quot;)</script> <HTML> <Body> Welcome Stefan </Body> </HTML> <HTML> <Body> Welcome <script>alert(&quot;Attacked&quot;)</script> </Body> </HTML>

29. Google Hacking Queries Inurl : inurl:admin inurl:passwd filetype:txt Index of : &quot;Index of /secret &quot; &quot;Index of /credit-card &quot; Intitle : ?intitle:index.of?MP3 Songname ?intitle:index.of?ebook BookName

30. GHDB (Google Hack Database) http://johnny.ihackstuff.com/- Johnny Long (White hat hacker) GHDB – A database containing Hacking queries

33. Demonstration!!

34. QUESTIONS ??

35. THANK YOU !!