Introduction to Cyber Forensics
Module 2
Anpu Ann Mathews, AP, Dept. of Cyber Forensics
CONTENTS
• Router forensics
• Cyber forensic tools and case study
• Ethical hacking
• Windows hacking
• Cracking
• Malware
• Scanning
ROUTER FORENSICS
• Router
• Routers can be hardware or software devices that route data from a local area
network to a different network. Routers are responsible for making decisions
about which of several paths network (or Internet) traffic will follow. If more
than one path is available to transmit data, the router is responsible for
determining which path is the best path to route the information.
• Function of a router
• Routers also act as protocol translators and bind dissimilar networks. Routers
limit physical broadcast traffic as they operate at layer 3 of the OSI model.
Routers typically use either link state or hop count based routing protocols to
determine the best path.
The Role of a Router
• Routers are found at layer three of the OSI model. This is known as
the networking layer. The network layer provides routing between
networks and defines logical addressing, error handling, congestion
control, and packet sequencing. This layer is concerned primarily with
how to get packets from network A to network B. This is where IP
addresses are defined. These addresses give each device on the
network a unique (logical) address. Routers organize these addresses
into classes, which are used to determine how to move packets from
one network to another.
Routing Tables
• Routers are one of the basic building blocks of networks, as they
connect networks together. Routers reside at layer 3 of the OSI
model. Each router has two or more interfaces. These interfaces join
separate networks together. When a router receives a packet, it
examines the IP address and determines to which interface the
packet should be forwarded. On a small or uncomplicated network,
an administrator may have defined a fixed route that all traffic will
follow. More complicated networks typically route packets by
observing some form of metric.
• Routing tables include the following type of information:
• Bandwidth
• Cost
• Delay
• Distance
• Load
• Reliability
• Bandwidth: This is a common metric based on the capacity of a link. If all other
metrics were equal, the router would choose the path with the highest bandwidth.
• Cost: The organization may have a dedicated T1 and an ISDN line. If the ISDN line has
a higher cost, traffic will be routed through the T1.
• Delay: This is another common metric, as it can build on many factors including router
queues, bandwidth, and congestion.
• Distance: This metric is calculated in hops; that is, how many routers away the
destination is.
• Load: This metric is a measurement of the load that is being placed on a particular
router. It can be calculated by examining the processing time or CPU utilization.
• Reliability: This metric examines arbitrary reliability ratings. Network administrators
can assign these numeric values to various links.
Router architecture
• Router architecture is designed so that routers are equipped to
perform two main functions: process routable protocols and use
routing protocols to determine best path. The best example of a
routed protocol is IP. IP must place a target and source address on the
packet.
• All the computers on the Internet have an IP address. The first half of
the IP address is used to identify the proper network; the second
portion of the IP address identifies the host. Combined, this allows us
to communicate with any network and any host in the world that is
connected to the Internet.
Routing Protocols
• Routing protocols fall into two basic categories:
• Static
• Dynamic
• Static, or fixed, routing is simply a table that has been developed by a network
administrator mapping one network to another. Static routing works best when a
network is small and the traffic is predictable. The big problem with static routing
is that it cannot react to network changes.
• Dynamic routing uses metrics to determine what path a router should use to
send a packet toward its destination. Dynamic routing protocols include Routing
Information Protocol (RIP), Border Gateway Protocol (BGP), Interior Gateway
Routing Protocol (IGRP), and Open Shortest Path First (OSPF). Dynamic routing
can be divided into two broad categories: link-state or distance vector dynamic
routing protocols.
Hacking Routers
• Full control of a router can often lead to full control of the network.
This is why many attackers will target routers and launch attacks
against them. These attacks may focus on configuration errors, known
vulnerabilities, or even weak passwords.
• Router Attacks
• Routers can be attacked by either gaining access to the router and changing
the configuration file, launching DoS attacks, flooding the bandwidth, or
routing table poisoning. These attacks can be either hit-and-run or persistent.
Denial of Service attacks are targeted at routers. If an attacker can force a
router to stop forwarding packets, then all hosts behind the router are
effectively disabled.
Router Attack Topology
• The router attack topology is the same as all attack topologies. The
steps include:
1. Reconnaissance
2. Scanning and enumeration
3. Gaining access
4. Escalation of privilege
5. Maintaining access
6. Covering tracks and placing backdoors
• The main attack types are denial-of-service attacks, routing table poisoning,
hit-and-run attacks and persistent attacks.
Forensic Analysis of Routing Attacks
• During a forensic investigation the analyst should examine log files for
evidence such as IP addresses and the protocols used. It is a good idea to
redirect logs to a syslog server. This can be accomplished as follows:
#config terminal
logging 192.168.1.1
Investigating Routers
• When investigating routers there is a series of built-in commands
that can be used for analysis. It is unadvisable to reset the router, as
this may destroy evidence that was created by the attacker. The
following show commands can be used to gather basic information
and record hacker activity:
• show access-lists
• show clock
• show ip route
• show startup-config
• show users
• show version
Chain of Custody
• The chain of custody is used to prove the integrity of evidence. The
chain of custody should be able to answer the following questions:
• Who collected the evidence?
• How and where is the evidence stored?
• Who took possession of the evidence?
• How was the evidence stored and how was it protected during storage?
• Who took the evidence out of storage and why?
• There is no such thing as too much documentation. One good
approach is to have two people work on a case. While one person
performs the computer analysis, the other documents these actions.
At the beginning of an investigation, a forensic analyst should prepare
a log to document the systematic process of the investigation. This is
required to establish the chain of custody. This chain of custody will
document how the evidence is handled, how it is protected, what
process is used to verify it remains unchanged, and how it is
duplicated. Next, the log must address how the media is examined,
what actions are taken, and what tools are used. Automated tools
such as EnCase and The Forensic Toolkit compile much of this
information for the investigator.
Volatility of evidence
• When responding to a network attack, volatile data should be
collected as soon as possible.
• When starting an investigation you should always move from most
volatile to least volatile.
• The first step is to retrieve RAM and NVRAM. To accomplish this you may use
a direct connection to the console port using an RJ-45-to-RJ-45 rolled cable and an
RJ-45-to-DB-9 female DTE adapter. In instances when a direct connection is
not available, a remote session is the next preferred method. Insecure
protocols such as FTP should not be used; an encrypted protocol, Secure Shell
(SSH), is preferred. You should make sure to capture both the volatile and the
nonvolatile configuration so that changes can be compared and documented.
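As an added example (not part of the original slides), the following Python script shows the two steps the chain-of-custody and volatility slides describe: hashing the captured startup (non-volatile) and running (volatile) configurations for the custody log, then comparing the two to surface what was changed on the live device. The configuration text, hostnames, addresses and account names are constructed for the demo, and Cisco IOS syntax is assumed.

```python
"""Added example, not from the original slides: hash the captured
configurations for the chain-of-custody log and diff the volatile
(running) copy against the non-volatile (startup) copy.
Configuration text, hostnames, addresses and account names are
constructed for the demo; Cisco IOS syntax is assumed."""
import hashlib
from datetime import datetime, timezone

# Constructed sample: the saved (non-volatile) configuration.
STARTUP_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 secret 5 PLACEHOLDER_HASH_1
logging 192.168.1.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
access-list 101 deny ip any host 10.0.0.50
line vty 0 4
 transport input ssh
"""

# Constructed sample: the live (volatile) configuration captured over SSH.
RUNNING_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 secret 5 PLACEHOLDER_HASH_1
username svc_backup privilege 15 secret 5 PLACEHOLDER_HASH_2
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.0.0.0 255.0.0.0 198.51.100.7
access-list 101 permit ip any host 10.0.0.50
line vty 0 4
 transport input telnet ssh
"""

# Configuration statements whose change deserves a line in the case report.
INDICATORS = (
    ("username ", "local account added, removed or altered"),
    ("logging ", "remote logging target changed"),
    ("ip route ", "static route changed (possible traffic redirection)"),
    ("access-list ", "access-list entry changed"),
    ("transport input ", "management access protocol changed"),
)


def evidence_record(item, data, collector):
    """Chain-of-custody entry: who collected what, when, and its SHA-256."""
    raw = data.encode()
    return {
        "item": item,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "size": len(raw),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def verify_record(record, data):
    """Re-hash a stored copy to prove it is unchanged since acquisition."""
    return hashlib.sha256(data.encode()).hexdigest() == record["sha256"]


def config_changes(startup, running):
    """Return (added, removed): lines only in the running config were changed
    on the live device and vanish on reload; lines only in startup were removed."""
    start_lines = set(startup.splitlines())
    run_lines = set(running.splitlines())
    return sorted(run_lines - start_lines), sorted(start_lines - run_lines)


def flag_changes(added, removed):
    """Match each changed line against INDICATORS; returns (line, direction, meaning)."""
    findings = []
    for direction, lines in (("added on live device", added),
                             ("removed from live device", removed)):
        for line in lines:
            for prefix, meaning in INDICATORS:
                if line.strip().startswith(prefix):
                    findings.append((line.strip(), direction, meaning))
    return findings


def main():
    records = [
        evidence_record("startup-config", STARTUP_CONFIG, "analyst A"),
        evidence_record("running-config", RUNNING_CONFIG, "analyst A"),
    ]
    for rec in records:
        print(f"{rec['item']:15} sha256={rec['sha256']} by {rec['collected_by']}")
    added, removed = config_changes(STARTUP_CONFIG, RUNNING_CONFIG)
    for line, direction, meaning in flag_changes(added, removed):
        print(f"{direction:26} {meaning:50} | {line}")
    return records, added, removed


if __name__ == "__main__":
    main()
```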
Case reports
• Case reporting is one of the most important aspects of computer
forensics. Just as with traditional forensics everything should be
documented. Reporting should begin the minute you are assigned to
a case. Although it may sometimes seem easier to blindly push
forward, the failure to document can result in poorly written reports
that will not withstand legal scrutiny.
Incident Response
• Incident response is the effort of an organization to define and
document the nature and scope of a computer security incident.
Incident response can be broken into three broad categories that
include:
• Triage. Notification and identification.
• Action/Reaction. Containment, analysis, tracking.
• Follow up. Repair and recovery, prevention.
Cyber forensic tools
• EnCase
• EnCase is a popular multi-purpose forensic platform with many excellent
tools for numerous areas of the digital forensic process. This tool can swiftly
gather data from diverse devices and unearth potential evidence. It also
produces a report based on the evidence.
• Registry Recon
• Registry Recon is a popular registry analysis tool. It extracts the registry
information from the evidence and then rebuilds the registry representation. It can
rebuild registries from both current and former Windows
installations. It is not a free tool.
• The Sleuth Kit
• The Sleuth Kit is a UNIX and Windows based tool which helps in the
forensic analysis of computers. It comes with numerous tools which
help in digital forensics. These tools help in analysing disk images,
performing in-depth analysis of file systems, and numerous
other tasks.
• Volatility
• Volatility [16] is a memory forensics framework. It is used for incident
response and malware analysis. With this tool, we can extract data from
running processes, network sockets, network configuration, DLLs and
registry hives. It also has support for extracting data from Windows
crash dump files and hibernation files. This tool is free of cost under the GPL
license.
Application of forensic issues    Tools used
Disk tools and data capture       Arsenal Image Mounter, DumpIt, FAT32 format, FTK Imager
                                  Nmap, Wireshark
Email analysis                    EDB Viewer, OST Viewer, Mail Viewer
Mac OS tools                      Audit, Chainbreaker, FTK Imager CLI for Mac OS
Data analysis suites              Autopsy, BackTrack, CAINE, The Sleuth Kit
Internet analysis                 Browser History Viewer, Chrome Cache View, Opera PassView, Webpage Saver
Registry analysis                 USBDeview, RECmd, UserAssist, Process Monitor
File viewer                       E01 Viewer, OLM Viewer, VLC, BKF Viewer
Case study
1. Hacking
• Background
The complainant approached the police stating that she had been receiving obscene and
pornographic material at her e-mail address and mobile phone. She stated that this person
appeared to know a lot about her and her family and believed that her e-mail account had been
hacked.
• Investigation
The investigating team using a different e-mail ID tried to chat with the accused
using the complainant’s e-mail ID. Subsequently the investigating team was able to
identify the ISP address of the computer system being used and it was tracked to an
organisation in Delhi.
The investigating team visited the company and through its server logs was able to
identify the system from which the obscene material was sent. Using forensic disk
imaging and analysis tools the e-mails were retrieved from the system. The residence of
the accused was located and the hard disk of his personal computer was seized. On the
basis of the evidence gathered the accused was arrested.
• Current status
The case has been finalised and is currently pending administrative approval.
2. Obscene E-mails
• Background
The complainant received an e-mail stating that the sender had in his possession
some objectionable/ morphed/ obscene photographs of the complainant. The
accused in this case demanded to meet the complainant. Failing to do so, the
accused threatened to put these on the Internet and circulate these among her
friends and relatives.
• Investigation
On receiving the complaint, the investigating team extracted the e-mail header to
trace the IP address. This IP address was tracked down to a company.
Using system logs, the exact computer used and its user were identified. The
accused was arrested. The investigating team also seized the computer and some
photographs of a look-alike of the victim from the accused. This evidence was
sent to the forensic sciences laboratory, which confirmed that the seized computer
contained evidence that implicated the accused in the incident.
• Current status
The police filed a charge sheet on October 27, 2004 and the matter is presently
sub judice.
ETHICAL HACKING
• Ethical hacking can be defined as a legal and authorized attempt to
locate and successfully exploit computer systems for the purpose of
making those systems more secure. The process includes probing
for vulnerabilities as well as providing proof of concept (POC) attacks
to demonstrate that the vulnerabilities are real.
• Ethical hacking is also known as pen testing, PT, hacking, penetration
testing and white hat hacking.
Phases of Ethical Hacking
• Reconnaissance
• Scanning
• Exploitation
• Maintaining access
Zero Entry Penetration (ZEH) testing methodology
1. Reconnaissance
• Reconnaissance, otherwise called information gathering, is arguably
the most important of the four phases. The more time you spend
collecting information on your target, the more likely you are to be
successful in the later phases.
• Active recon: includes interacting directly with the target. During this process
the target may record our IP address and log our activity.
• Passive recon: makes use of the information available on the web. When we are
conducting passive recon we are not directly interacting with the target.
2. Scanning
• Three distinct phases
1. Determining if a system is alive
• Whether the target system is turned on and capable of communicating or interacting
with our machine.
2. Port scanning the system
• Process of identifying specific ports and services running on a particular host
3. Scanning the system for vulnerabilities
• Process of locating and identifying known weaknesses in the services and software running
on the target machine.
Common port numbers and their corresponding services
PORT   SERVICE
20     FTP data transfer
21     FTP control
22     SSH
23     Telnet
25     SMTP
53     DNS
80     HTTP
88     Kerberos
137    NetBIOS Name Service
389    LDAP
443    HTTPS
3. Exploitation
• Exploitation is the process of gaining control over a system. This
process can take many different forms. Exploitation is the attempt to
turn the target machine into a puppet that will execute your
commands and do your bidding.
• Exploit is the realization of vulnerability. Exploits are issues or bugs in
the software code that allow a hacker or attacker to alter the original
functionality of the software.
4. Maintaining access
• A backdoor, used for maintaining access, is a piece of software that resides on
the target computer and allows the attacker to return or connect to
the machine at any time. In most cases, the backdoor is a hidden
process that runs on a target machine and allows a normally
unauthorised user to control the PC.
• Rootkits are a special kind of software that embed themselves deep
into the operating system and perform a number of tasks, including
giving a hacker the ability to completely hide processes and programs.
Terminology
1. Adware − Adware is software designed to force pre-chosen ads to display on
your system.
2. Attack − An attack is an action that is done on a system to get its access and
extract sensitive data.
3. Back door − A back door, or trap door, is a hidden entry to a computing
device or software that bypasses security measures, such as logins and
password protections.
4. Bot − A bot is a program that automates an action so that it can be done
repeatedly at a much higher rate for a more sustained period than a human
operator could do it. For example, sending HTTP, FTP or Telnet requests at a higher
rate, or calling a script to create objects at a higher rate.
5. Botnet − A botnet, also known as zombie army, is a group of computers
controlled without their owners’ knowledge. Botnets are used to send spam
or make denial of service attacks.
6. Brute force attack − A brute force attack is an automated and the
simplest kind of method to gain access to a system or website. It tries
different combination of usernames and passwords, over and over again,
until it gets in.
7. Cracker − A cracker is one who modifies the software to access the
features which are considered undesirable by the person cracking the
software, especially copy protection features.
8. Denial of service attack (DoS) − A denial of service (DoS) attack is a
malicious attempt to make a server or a network resource unavailable to
users, usually by temporarily interrupting or suspending the services of a
host connected to the Internet.
9. DDoS − Distributed denial of service attack.
10. Exploit − Exploit is a piece of software, a chunk of data, or a sequence of
commands that takes advantage of a bug or vulnerability to compromise
the security of a computer or network system.
11. Firewall − A firewall is a filter designed to keep unwanted intruders
outside a computer system or network while allowing safe
communication between systems and users on the inside of the firewall.
12. Malware − Malware is an umbrella term used to refer to a variety of
forms of hostile or intrusive software, including computer viruses,
worms, Trojan horses, ransomware, spyware, adware, scareware, and
other malicious programs.
13. Phishing − Phishing is an e-mail fraud method in which the
perpetrator sends out legitimate-looking emails, in an attempt to
gather personal and financial information from recipients.
14. Social engineering − Social engineering implies deceiving someone
with the purpose of acquiring sensitive and personal information,
like credit card details or user names and passwords.
15. Spam − A Spam is simply an unsolicited email, also known as junk
email, sent to a large number of recipients without their consent.
16. Threat − A threat is a possible danger that can exploit an existing
bug or vulnerability to compromise the security of a computer or
network system.
17. Trojan − A Trojan, or Trojan Horse, is a malicious program disguised to
look like a valid program, making it difficult to distinguish from programs
that are supposed to be there; it is designed with the intention to destroy files,
alter information, or steal passwords or other information.
18. Virus − A virus is a malicious program or a piece of code which is capable
of copying itself and typically has a detrimental effect, such as corrupting
the system or destroying data.
19. Vulnerability − A vulnerability is a weakness which allows a hacker to
compromise the security of a computer or network system.
20. Worms − A worm is a self-replicating virus that does not alter files but
resides in active memory and duplicates itself.
Hacker Classification
• Hackers can be classified into different categories such as white hat,
black hat, and grey hat, based on their intent of hacking a system.
• White Hat hackers are also known as Ethical Hackers. They never intend to harm
a system; rather, they try to find out weaknesses in a computer or a network
system as a part of penetration testing and vulnerability assessments.
• Black Hat hackers, also known as crackers, are those who hack in order to gain
unauthorized access to a system and harm its operations or steal sensitive
information. Black Hat hacking is always illegal.
• Grey hat hackers are a blend of both black hat and white hat hackers. They act
without malicious intent but for their fun, they exploit a security weakness in a
computer system or network without the owner’s permission or knowledge.
A script kiddie is a non-expert who breaks into computer systems by using pre-packaged automated
tools written by others, usually with little understanding of the underlying concept, hence the
term Kiddies.
A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or
political message.
Password Cracking
• A strong password has the following attributes:
• Contains at least 8 characters.
• A mix of letters, numbers, and special characters.
• A combination of small and capital letters.
• Password type matters at cracking time, because complex
passwords containing special characters, numbers and letters are more
difficult to crack than simple passwords.
PASSWORD CRACKING TECHNIQUES
1. Dictionary Attack
• In a dictionary attack, the hacker uses a predefined list of words from a dictionary to
try and guess the password. If the set password is weak, then a dictionary attack can
decode it quite fast.
• Hydra is a popular tool that is widely used for dictionary attacks. The screenshot on
the original slide shows how Hydra was used to find out the password
of an FTP service.
2. Hybrid Dictionary Attack
• A hybrid dictionary attack uses a set of dictionary words combined with extensions.
For example, we take the word “admin” and combine it with number extensions
such as “admin123”, “admin147”, etc.
• Crunch is a wordlist generator where you can specify a standard character set or a
custom character set. Crunch can generate all possible combinations and permutations. This
tool comes bundled with the Kali distribution of Linux.
3. Brute-Force Attack
• In a brute-force attack, the hacker uses all possible combinations of letters,
numbers, special characters, and small and capital letters to break the
password. This type of attack has a high probability of success, but it requires
an enormous amount of time to process all the combinations. A brute-force
attack is slow and the hacker might require a system with high processing
power to perform all those permutations and combinations faster.
• John the Ripper, or Johnny, is one of the most powerful tools for setting up a brute-force
attack, and it comes bundled with the Kali distribution of Linux.
4. Rainbow Tables
A rainbow table contains a set of predefined passwords that are hashed. It
is a lookup table used especially in recovering plain passwords from a cipher
text. During the process of password recovery, it just looks up the pre-calculated
hash table to crack the password.
5. Salted or not salted
Salting is a technique used by cryptographers to make attacks on a cipher more
difficult. A salt string is added as a prefix or suffix or in the middle of the cipher
input to protect the cipher against rainbow table or pre-computation attacks.
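As an added example (not part of the original slides), the following Python code shows the two points above side by side: a precomputed lookup table recovers an unsalted password hash with a single lookup, while a random per-user salt makes the same table useless. A real rainbow table stores hash chains rather than every hash, but the lookup step is the same; the wordlist and passwords are constructed for the demo.

```python
"""Added example, not from the original slides: a precomputed lookup table
recovers unsalted password hashes with a single lookup, while a random
per-user salt makes that table useless. A real rainbow table stores hash
chains instead of every hash, but the lookup step is the same.
The wordlist and passwords are constructed for the demo."""
import hashlib
import hmac
import secrets

# Constructed sample wordlist standing in for the dictionary the table is built from.
WORDLIST = ["password", "letmein", "admin123", "qwerty", "summer2024"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once; the cost is paid before any attack."""
    return {sha256_hex(w.encode()): w for w in words}


def lookup(table, stored_hash):
    """Recover a plaintext with one dictionary lookup and no hashing at all."""
    return table.get(stored_hash)


def store_unsalted(password):
    """The weak scheme: hash(password) only. Equal passwords give equal hashes."""
    return sha256_hex(password.encode())


def store_salted(password, salt=None):
    """Hash a fresh 16-byte random salt together with the password and keep both.
    SHA-256 is used here for illustration; production systems should use a slow,
    salted password hash such as bcrypt, scrypt or Argon2."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, sha256_hex(salt + password.encode())


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(sha256_hex(salt + password.encode()), digest)


def demo(password="admin123"):
    table = build_lookup_table(WORDLIST)

    recovered = lookup(table, store_unsalted(password))   # hit: "admin123"

    salt, digest = store_salted(password)
    missed = lookup(table, digest)                        # None: table never saw this salt
    login_ok = verify_salted(password, salt, digest)      # True
    login_bad = verify_salted(password + "!", salt, digest)  # False

    # Two users with the same password get unrelated stored hashes.
    _, other_digest = store_salted(password)
    distinct = digest != other_digest
    return recovered, missed, login_ok, login_bad, distinct


if __name__ == "__main__":
    print(demo())
```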
Password Cracking counter measures
• Don’t note down passwords anywhere; just memorize them.
• Set strong passwords that are difficult to crack.
• Use a combination of alphabets, digits, symbols, and capital and small
letters.
• Don’t set passwords that are similar to the username.
• There are many other techniques, such as fingerprinting, hand
geometry, etc., that may be used to authenticate a user based on
biometric data such as a fingerprint or the pattern of the iris or retina.
• There are other types of multifactor authentication based on RSA.
WINDOWS HACKING
• The most obvious initial observation to make about the Windows
architecture is that it is two-tiered.
• Kernel mode
• User mode
• The most privileged tier of operating system code runs in Kernel mode and
has effectively unrestricted access to system resources.
• User mode functionality has much more restricted access and must request
services from the kernel in many instances to complete certain tasks, such
as accessing hardware resources, authenticating users, and modifying the
system.
• Basic attack methodologies:
• attack the kernel, or attack user mode
Attacking the Kernel
• The kernel mode interface is an obviously attractive boundary that
attackers have historically sought to cross.
• Two primary classes of kernel mode compromises can occur:
• Physical attacks against kernel-resident device drivers that parse raw input,
such as from network connections or inserted media. The wireless
networking attacks published by Johnny Cache and others and the Sony CD-
ROM rootkit incident are examples of each of these, respectively.
• Logical attacks against critical operating system structures that provide access
to kernel mode. These structures include certain protected kernel images
(such as ntoskrnl.exe, hal.dll, and ndis.sys).
Attacking User Mode
• If you can authenticate to Windows as an authorized user, you will
have access to all the resources and data relevant to that user. If you
are lucky enough to authenticate as an administrative user, you will
likely have access to the resources and data for all the users on the
system. The access control gatekeeper for user mode data and
resources is the Local Security Authority (LSA), a protected subsystem
that works across user and kernel mode to authenticate users,
authorize access to resources, enforce security policy, and manage
security audit events.
Security principals
• Windows offers three types of fundamental accounts, called security principals:
• Users
• Groups
• Computers
User: Anyone with even a passing familiarity with Windows has encountered
the concept of user accounts. We use accounts to log on to the system and to
access resources on the system and the network.
Groups: Groups are primarily an administrative convenience—they are logical
containers for aggregating user accounts. Groups are also used to allocate privileges
in bulk, which can have a heavy impact on the security of a system.
Computers: When a Windows system joins a domain, a computer account is
created. Computer accounts are essentially user accounts that are used by
machines to log on and access resources. This account name appends a dollar sign
($) to the name of the machine.
Network Authentication
• The NT family primarily utilizes challenge/response authentication, wherein
the server issues a random value (the challenge) to the client, which then
performs a cryptographic hashing function on it using the hash of the user’s
password and sends this newly hashed value (the response) back to the
server. The server then takes its copy of the user’s hash from the local
Security Accounts Manager (SAM) or Active Directory (AD), hashes the
challenge it just sent, and compares the result to the client’s response. Thus, no
passwords ever traverse the wire during NT family authentication, even in
encrypted form.
• The NT family can use one of three different hashing algorithms to
scramble the 8-byte challenge:
• LANMan (LM) hash
• NTLM hash
• NTLM version 2 (NTLMv2)
• The LM hash allows an attacker with the ability to eavesdrop on the network to
guess the password hash itself relatively easily; the hacker can then use it to attempt
to guess the actual password offline—even though the password hash never
traverses the network!
• NTLM arrived with NT 4 Service Pack 3, and a further secured version called
NTLMv2 with NT 4 SP4. Windows 95/98 clients do not natively implement NTLM, so the security
offered by NTLM and NTLMv2 was not typically deployed on mixed networks in the
past.
The SAM and Active Directory
• The SAM contains user account name and password information. The
password information is kept in a scrambled format such that it
cannot be unscrambled using known techniques, although the
scrambled value can still be guessed. The scrambling procedure is
called a one-way function (OWF), or hashing algorithm, and it results
in a hash value that cannot be decrypted. The SAM makes up one of
the five Registry hives and is implemented in the file
%systemroot%\system32\config\sam.
SYSKEY
• Under NT, password hashes were stored directly in the SAM file. Starting
with NT 4 Service Pack 3, Microsoft provided the ability to add another
layer of encryption to the SAM hashes, called SYStem KEY.
• To enable SYSKEY on NT 4, you have to run the SYSKEY command.
• Clicking the Update button in this window presents further SYSKEY options,
namely the ability to determine how or where the SYSKEY is stored.
• The SYSKEY can be stored in one of three ways:
• Mode 1 Stored in the Registry and made available automatically at boot time (this is the default).
• Mode 2 Stored in the Registry but locked with a password that must be supplied at boot time.
• Mode 3 Stored on a floppy disk that must be supplied at boot time.
Port Scans
• Port scanning is the act of connecting to each potential listening service, or port,
on a system and seeing if it responds. The building block of a standard TCP port
scan is the three-way handshake.
• Port Scanning Variations
• Source port scanning: By specifying a source port on which to originate the TCP
connection, rather than accepting whatever port is allocated by the operating system
above 1024.
• SYN scanning: By foregoing the last SYN packet in the three-way handshake, one-third of
the overhead of a TCP “connect” scan can be avoided, thus increasing speed when
scanning lots of systems.
• UDP scanning: A User Datagram Protocol (UDP) scan sends a UDP packet to the port in
question, and if an “ICMP port unreachable” message is received, it flags the service as
unavailable. If no response is received, the service is flagged as listening.
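Seen from the defender's side, every scan variation above still leaves its initial packets in the firewall log: one source touching many distinct ports on one host within seconds, with most attempts denied. As an added example (not part of the original slides), the following Python script parses constructed firewall log lines and flags that pattern; the log format and all addresses are invented for the demo, so adapt the regex to your firewall's real format.

```python
"""Added example, not from the original slides: detecting a port scan in
firewall logs. A connect or SYN scan touches many distinct ports on one
host from a single source within seconds; normal clients touch one or two.
The log format and every address in SAMPLE_LOG are constructed for the
demo; adapt LINE_RE to your firewall's real format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 198.51.100.23 sweeps 10.0.0.5; 192.0.2.10 is a normal web client.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DENY TCP 198.51.100.23:40001 -> 10.0.0.5:21 SYN
2024-05-01T10:00:01Z DENY TCP 198.51.100.23:40002 -> 10.0.0.5:23 SYN
2024-05-01T10:00:02Z ALLOW TCP 198.51.100.23:40003 -> 10.0.0.5:22 SYN
2024-05-01T10:00:02Z DENY TCP 198.51.100.23:40004 -> 10.0.0.5:25 SYN
2024-05-01T10:00:03Z ALLOW TCP 198.51.100.23:40005 -> 10.0.0.5:80 SYN
2024-05-01T10:00:03Z DENY TCP 198.51.100.23:40006 -> 10.0.0.5:88 SYN
2024-05-01T10:00:04Z DENY TCP 198.51.100.23:40007 -> 10.0.0.5:137 SYN
2024-05-01T10:00:04Z DENY TCP 198.51.100.23:40008 -> 10.0.0.5:389 SYN
2024-05-01T10:00:05Z ALLOW TCP 198.51.100.23:40009 -> 10.0.0.5:443 SYN
2024-05-01T10:00:06Z ALLOW TCP 192.0.2.10:51000 -> 10.0.0.5:443 SYN
2024-05-01T10:00:07Z ALLOW TCP 192.0.2.10:51001 -> 10.0.0.5:443 SYN
2024-05-01T10:00:09Z ALLOW TCP 192.0.2.10:51002 -> 10.0.0.5:80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse(log_text):
    """Turn matching log lines into dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "action": m["action"],
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def detect_scans(events, window=timedelta(seconds=60), min_ports=6):
    """Alert on each (src, dst, proto) that hits >= min_ports distinct ports
    within `window`. The DENY count is reported because probing closed
    ports produces many denials that a legitimate client never would."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"], e["proto"])].append(e)

    alerts = []
    for (src, dst, proto), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            ports = {e["dport"] for e in in_window}
            if len(ports) >= min_ports:
                alerts.append({
                    "src": src, "dst": dst, "proto": proto,
                    "first_seen": first["ts"].isoformat(),
                    "ports": sorted(ports),
                    "denied": sum(e["action"] == "DENY" for e in in_window),
                })
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_scans(parse(SAMPLE_LOG)):
        print(f"possible {a['proto']} port scan {a['src']} -> {a['dst']}: "
              f"{len(a['ports'])} ports ({a['denied']} denied) from {a['first_seen']}")
```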
Port Scanning Tools
• SuperScan: written by Robin Keir of Foundstone.
• SuperScan is a fast, flexible, graphical network scanning utility that
is free of charge.
• It also allows flexible specification of target IPs and port lists. The “Read ports
from file” feature is especially convenient for busy security consultants.
• SuperScan also sports numerous other features, including banner grabbing,
SYN scanning, adjustable scan speed, footprinting capabilities such as whois,
HTML reporting, and even Windows enumeration functionality.
WINDOWS HACKING TOOLS
• PWDump
• This handy utility dumps the password database of an NT machine that is held in the
NT registry (under HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users)
into a valid smbpasswd format file (which is understood by practically all Windows
password security auditing tools).
• PWDump2
• This is an application which dumps the password hashes from NT's SAM database,
whether or not SYSKEY is enabled on the system. NT Administrators can now enjoy the
additional protection of SYSKEY, while still being able to check for weak users'
passwords. The output follows the same format as the original pwdump and can be
used as input to password crackers. You need the SeDebugPrivilege for it to work.
• Kerbcrack
• Kerbcrack is made up of kerbsniff and kerbcrack. It can perform brute force
cracking attacks on Kerberos packets. Kerbsniff captures Kerberos packets from the
network, and kerbcrack performs the actual brute force cracking on the
output of the first tool.
• Kerbcrack targets the encrypted timestamp embedded in the Kerberos
preauthentication data. The time stamp is encrypted using a key based on the
user’s password.
Counter measures for windows hacking by
password cracking
• Use Windows smart card logon, or encrypt the network traffic
between the Kerberos client and the DC by using IPsec.
• Enforce a password policy and require long passwords and password
expiry every 30 days.
• Apply an account lockout policy to prevent brute force attacks.
• Use SYSKEY or multifactor authentication.
• Do not store the LAN Manager hash in the Security Account Manager (SAM)
database.
MALWARE
• Malware is malicious software such as a virus, worm or Trojan program
introduced into a network to prevent a business from operating.
• The main goal of malware used to be to destroy or corrupt data or
to shut down a network or computer system.
Viruses
• A virus is a program that attaches itself to a file or another program, often
sent via e-mail.
• A virus doesn’t stand on its own, so it can’t replicate itself or operate
without the presence of a host.
• Viruses copy themselves to other disks to spread to other computers.
• They can be merely annoying or they can be vastly destructive to your files.
• Many antivirus software packages are available but none can guarantee
protection because new viruses are created constantly.
• Common computer viruses
• Gumblar, Zlob, Luckysploit, blaster
Macro viruses
• A macro virus is written as a macro in an application that supports a macro programming language such as Visual Basic for Applications (VBA); it runs when the infected document is opened with macros enabled.
Worms
• A worm is a program that replicates and propagates itself without having to attach itself to a host.
• It uses a network to send copies of itself to other nodes, and it may do so without any user intervention.
• Security professionals are working to protect ATMs from worm attacks such as the Slammer and Nachi worms.
• The most infamous worms are Code Red, Nimda, Mytob, Storm and Conficker.
Trojan programs
• One of the most insidious attacks against networks and computers worldwide takes place via Trojan programs, which disguise themselves as useful programs and can install a backdoor or rootkit on a computer.
• These are often used to capture your logins and passwords.
• A Trojan horse program has the appearance of having a useful and desired function.
• Back Orifice is still one of the most common Trojan programs used today.
Spyware
• Spyware is a type of malware installed on computers that collects
information about users without their knowledge.
• A spyware program sends information from the infected computer to the person who planted it there.
• The information could be confidential financial data, passwords, PINs, or just about any data stored on the computer.
• It can be used to record and send everything a user types to an unknown person halfway around the world.
Adware
• Adware can be installed without users being aware of its presence; sometimes it displays a banner that notifies the user it is there.
• Adware's main purpose is to determine a user's purchasing habits so that the web browser can display advertisements tailored to that user.
• The biggest problem with adware is that it slows down the computer it runs on.
Phishing
• Phishing (pronounced like the word 'fishing') is a message that tries to trick you into providing information such as your social security number, bank account details, or the logon and password for a web site.
• The message may claim that unless you click the link it contains and log on to a financial web site, your account will be blocked or some other disaster will follow.
Damages
1. Data loss
• Many viruses and Trojans will attempt to delete files or wipe hard drives when
activated, but even if you catch the infection early, you may have to delete infected
files.
2. Account Theft
• Many types of malware include keylogger functions, designed to steal accounts and
passwords from their targets.
• This can give the malware author access to any of the user's online accounts,
including email servers from which the hacker can launch new attacks.
3. Botnets
• Many types of malware also subvert control over the user's computer, turning it into a "bot".
• Hackers build networks of these commandeered computers (botnets) and use their combined processing power for tasks like cracking password files or sending out bulk e-mail.
How Can You Protect Your Computer?
• Install protection software.
• Practice caution when working with files from unknown or
questionable sources.
• Do not open e-mail if you do not recognize the sender.
• Download files only from reputable Internet sites.
• Install a firewall.
• Scan your hard drive for viruses monthly.
Scanning
• Scanning is the procedure of identifying active hosts, ports and the
services used by the target application.
• Network Scanning is used to find out a vulnerable point in the
network that can be exploited.
• Network Scanning can be classified into different types.
1. Port scanning
2. Vulnerability scanning
1. Port Scanning
• As the name suggests, port scanning is a process used to find out which ports are active on the network.
• A port scanner sends client requests to a range of ports on the target and records the details of the ports that send a response back.
• There are 65,536 ports (0 to 65535) for each of TCP and UDP on every host.
• A port is TCP or UDP depending on the service that uses it and the nature of the communication taking place on it.
TCP and UDP Port Scanning
• TCP offers robust communication and is considered a connection-oriented protocol.
• TCP establishes a connection by using what is called a three-way handshake.
• The TCP header carries its control flags in a single byte (byte 13 of the header). RFC 793 defined six of them and reserved the remaining bits; RFC 3168 later assigned two of those to CWR and ECE. The figure below shows the flag byte.
Figure: TCP flag byte: Reserved | URG | ACK | PSH | RST | SYN | FIN (1-byte field)
Common TCP flags
• ACK: The receiver sends an ACK to acknowledge data.
• SYN: Used during the three-step session setup to inform the other party to begin communication and to agree on initial sequence numbers.
• FIN: Used during a normal shutdown to inform the other host that the sender has no more data to send.
• RST: Used to abort an abnormal session.
• PSH: Used to force data delivery without waiting for buffers to fill.
• URG: Used to indicate priority data.
Port scanning types
• TCP Full Connect scan: The most reliable but also the most detectable type of scan. It is easily logged and detected because a full connection is established. Open ports reply with a SYN/ACK; closed ports respond with an RST/ACK.
• TCP SYN scan: Known as half-open, because a full TCP connection is never established: the scanner answers the SYN/ACK with an RST instead of completing the handshake. It was originally developed to be stealthy and evade IDS, although most IDS now detect it. Open ports reply with a SYN/ACK; closed ports respond with an RST/ACK.
• TCP FIN scan: Forget trying to set up a connection; this technique jumps straight to the shutdown by sending a FIN packet to the target port. Per RFC 793 closed ports send back an RST and open ports stay silent. It is usually effective only against Unix-like stacks: Windows replies with an RST regardless of port state, so every port looks closed.
• TCP NULL scan: There should be some type of flag in the packet, but a NULL scan sends a packet with no flags set. If the OS implements TCP per RFC 793, closed ports return an RST and open ports do not respond.
• TCP XMAS scan: A port scan whose probes have the FIN, URG and PSH flags set. Closed ports should return an RST.
• For FIN, NULL and XMAS scans a silent port may be open or may sit behind a filter that dropped the probe, so scanners report it as "open|filtered".
User Datagram Protocol
• User Datagram Protocol is a communication protocol that works over the Internet Protocol (IP).
• It is a connectionless and stateless protocol.
• When a packet is sent to a UDP port, three responses are possible, which is different from the way TCP ports respond.
• If no service is listening on the UDP port, the system replies with an ICMP "port unreachable" message (ICMP type 3, code 3). ICMP stands for Internet Control Message Protocol.
• If a service is running but the UDP packet is not a valid query for the application protocol, the service may silently drop the packet without giving any response.
• If the UDP packet is a valid request for the application protocol and a response is expected, the application will send back a response packet.
• Accordingly, port scanning may report a UDP port as closed, filtered or open; because silence is ambiguous, the honest result for an unanswered probe is "open|filtered".
• Sniffer
• The sniffer captures all UDP and ICMP packets arriving at the scanner.
• It keeps a list, referred to here as the port-list, of all the ports under scan.
• When it receives an ICMP port unreachable packet, it marks the corresponding port as 'closed' in the port-list.
• If it receives a UDP response packet, it marks the corresponding port as 'open' in the port-list.
• At the end of the scan, all remaining ports not marked open or closed are set to 'filtered'.
• ARP Poisoner
• The ARP Poisoner module answers every ARP request made by the Server Under Testing (SUT) with the scanner's own MAC address.
• This lets the scanner claim every IP address on the subnet, so replies addressed to the spoofed source addresses used by the probes are delivered to the scanner.
• The ARP Poisoner does not, however, answer gratuitous ARP requests, to avoid creating an IP address collision.
• Packet Sender
• The Packet Sender sends UDP packets, also called probe packets, to the Server Under Testing (SUT).
• In these packets the Ethernet source address is the scanner's address and the Ethernet destination address is the SUT's address.
• In the IP header, the destination IP address is the SUT's address and the source IP address is any valid IP address in the SUT's subnet.
• If a gateway is configured on the SUT, the source IP address can be any valid IP address.
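The response rules for the TCP scan types listed above and the port-list bookkeeping of the UDP sniffer just described, as an added example in Python (not code from the original slides or from any scanner the page names). Packets are built inline and nothing is sent on the wire; the scan-type names, the event tuples and the "open|filtered" label are this example's own conventions (the last borrowed from nmap's output).

```python
"""Classify port-scan responses for the TCP scan types and the UDP sniffer above.

Added example, not from the slides or from any named scanner.
All packets are constructed in-process; nothing is transmitted.
"""
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# TCP control bits: low byte of header bytes 12-13 (RFC 793; CWR/ECE added by RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}

# Flags each scan type sets on its probe (names are this example's own).
PROBE_FLAGS = {"connect": SYN, "syn": SYN, "fin": FIN, "null": 0, "xmas": FIN | PSH | URG}


def build_tcp_header(src_port: int, dst_port: int, flags: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header (no options, checksum left zero): sample input only."""
    data_offset = 5 << 4                       # 5 x 32-bit words, high nibble of byte 12
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 8192, 0, 0)


def tcp_flags(header: bytes) -> int:
    """Flag byte of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return header[13]


def flag_names(flags: int) -> List[str]:
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def classify_tcp(scan_type: str, response: Optional[bytes]) -> str:
    """State of one target port from the (possibly absent) reply to a probe.

    connect/syn : SYN+ACK -> open, RST -> closed, silence -> filtered.
    fin/null/xmas: RST -> closed, silence -> open|filtered (an RFC 793 stack
    drops the probe on an open port; a filter dropping it looks identical).
    """
    if scan_type not in PROBE_FLAGS:
        raise ValueError(f"unknown scan type {scan_type!r}")
    if response is None:
        return "filtered" if scan_type in ("connect", "syn") else "open|filtered"
    f = tcp_flags(response)
    if f & RST:
        return "closed"
    if scan_type in ("connect", "syn") and (f & (SYN | ACK)) == (SYN | ACK):
        return "open"
    return "unexpected"                        # reply that RFC 793 does not predict


# UDP: the port-list bookkeeping of the sniffer module described above.
ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH = 3, 3


def udp_scan_table(probed: Iterable[int],
                   captured: Iterable[Tuple[int, tuple]]) -> Dict[int, str]:
    """captured events: (port, ("icmp", type, code)) or (port, ("udp", payload))."""
    probed = set(probed)
    table: Dict[int, str] = {}
    for port, event in captured:
        if port not in probed:
            continue                           # unsolicited traffic, ignore
        if event[0] == "icmp" and event[1:] == (ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH):
            table[port] = "closed"
        elif event[0] == "udp":
            table[port] = "open"
    for port in probed:
        # No reply: an open service ignoring a malformed probe and a filter
        # dropping it are indistinguishable, hence "open|filtered" rather than "filtered".
        table.setdefault(port, "open|filtered")
    return table


if __name__ == "__main__":
    synack = build_tcp_header(80, 40000, SYN | ACK, seq=1000, ack=1)
    rstack = build_tcp_header(81, 40000, RST | ACK, ack=1)
    print("SYN scan :80 ->", classify_tcp("syn", synack))
    print("SYN scan :81 ->", classify_tcp("syn", rstack))
    print("XMAS probe flags:", flag_names(PROBE_FLAGS["xmas"]))
    print(udp_scan_table([53, 161, 500], [(161, ("icmp", 3, 3)), (53, ("udp", b"\x00"))]))
```

The classifier follows RFC 793 behaviour only; a Windows target answering a FIN probe on an open port with an RST would be reported as closed, which is exactly the limitation the FIN scan bullet above describes.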
2. Vulnerability Scanning
• Vulnerability scanning scans the targets for vulnerabilities.
• A vulnerability is a weakness in the software or system configuration that can be exploited.
• Vulnerabilities come in many forms, but most of those a scanner finds are associated with missing patches.
• To scan a system for vulnerabilities we use a vulnerability scanner such as Nessus.
Nessus
• The key component is its plug-ins.
• A plug-in is a small program (written in NASL, the Nessus Attack Scripting Language) that runs on the scanner and probes the target for one known vulnerability or misconfiguration; the plug-in code itself is not sent to the target.
• Nessus has thousands of plug-ins.
• There are many options that you can use to customise your scan:
• Comprehensive port scanning.
• Network-based vulnerability scanning.
• SQL database configuration auditing.
• Software enumeration on UNIX and Windows.

Más contenido relacionado

La actualidad más candente

Network Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques WorkshopNetwork Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques WorkshopPriyanka Aash
 
CISSP Week 6
CISSP Week 6CISSP Week 6
CISSP Week 6jemtallon
 
Password sniffing
Password sniffingPassword sniffing
Password sniffingSRIMCA
 
INTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEMINTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEMBhushan Gajare
 
Chapter 12
Chapter 12Chapter 12
Chapter 12cclay3
 
Wired and Wireless Network Forensics
Wired and Wireless Network ForensicsWired and Wireless Network Forensics
Wired and Wireless Network ForensicsSavvius, Inc
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber securityKAMALI PRIYA P
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logsanilinvns
 
Packet sniffing in LAN
Packet sniffing in LANPacket sniffing in LAN
Packet sniffing in LANArpit Suthar
 
CISSP Week 7
CISSP Week 7CISSP Week 7
CISSP Week 7jemtallon
 
Vulnerability and Penetration Testing
Vulnerability and Penetration TestingVulnerability and Penetration Testing
Vulnerability and Penetration TestingJeffery Brown
 
Module 5 Sniffers
Module 5  SniffersModule 5  Sniffers
Module 5 Sniffersleminhvuong
 
Packet sniffing & ARP Poisoning
 Packet sniffing & ARP Poisoning  Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning Viren Rao
 
NON-INTRUSIVE REMOTE MONITORING OF SERVICES IN A DATA CENTRE
NON-INTRUSIVE REMOTE MONITORING OF SERVICES IN A DATA CENTRENON-INTRUSIVE REMOTE MONITORING OF SERVICES IN A DATA CENTRE
NON-INTRUSIVE REMOTE MONITORING OF SERVICES IN A DATA CENTREcscpconf
 
Entropy and denial of service attacks
Entropy and denial of service attacksEntropy and denial of service attacks
Entropy and denial of service attackschris zlatis
 

La actualidad más candente (20)

Network Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques WorkshopNetwork Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques Workshop
 
CISSP Week 6
CISSP Week 6CISSP Week 6
CISSP Week 6
 
Lec 1 apln security(4pd)
Lec  1 apln security(4pd)Lec  1 apln security(4pd)
Lec 1 apln security(4pd)
 
Network forensics1
Network forensics1Network forensics1
Network forensics1
 
Password sniffing
Password sniffingPassword sniffing
Password sniffing
 
INTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEMINTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEM
 
Chapter 12
Chapter 12Chapter 12
Chapter 12
 
Wired and Wireless Network Forensics
Wired and Wireless Network ForensicsWired and Wireless Network Forensics
Wired and Wireless Network Forensics
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber security
 
Sniffing via dsniff
Sniffing via dsniffSniffing via dsniff
Sniffing via dsniff
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
 
Packet sniffing in LAN
Packet sniffing in LANPacket sniffing in LAN
Packet sniffing in LAN
 
Network scanner
Network  scannerNetwork  scanner
Network scanner
 
CISSP Week 7
CISSP Week 7CISSP Week 7
CISSP Week 7
 
Vulnerability and Penetration Testing
Vulnerability and Penetration TestingVulnerability and Penetration Testing
Vulnerability and Penetration Testing
 
Module 5 Sniffers
Module 5  SniffersModule 5  Sniffers
Module 5 Sniffers
 
CISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - CryptographyCISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - Cryptography
 
Packet sniffing & ARP Poisoning
 Packet sniffing & ARP Poisoning  Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning
 
NON-INTRUSIVE REMOTE MONITORING OF SERVICES IN A DATA CENTRE
NON-INTRUSIVE REMOTE MONITORING OF SERVICES IN A DATA CENTRENON-INTRUSIVE REMOTE MONITORING OF SERVICES IN A DATA CENTRE
NON-INTRUSIVE REMOTE MONITORING OF SERVICES IN A DATA CENTRE
 
Entropy and denial of service attacks
Entropy and denial of service attacksEntropy and denial of service attacks
Entropy and denial of service attacks
 

Similar a Introduction to cyber forensics

Network Analysis Mini Project 2.pptx
Network Analysis Mini Project 2.pptxNetwork Analysis Mini Project 2.pptx
Network Analysis Mini Project 2.pptxtalkaton
 
Network Analysis Mini Project 2.pdf
Network Analysis Mini Project 2.pdfNetwork Analysis Mini Project 2.pdf
Network Analysis Mini Project 2.pdftalkaton
 
Scanning.pptx
Scanning.pptxScanning.pptx
Scanning.pptxJazzyB5
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laShainaBoling829
 
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERSVTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERSvtunotesbysree
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementationajeet singh
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementationajeet singh
 
infoAssurance (1).pptx
infoAssurance (1).pptxinfoAssurance (1).pptx
infoAssurance (1).pptxStevenJoeBiago
 
Cryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdfCryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdfahmeddeath6
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceCNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceSam Bowne
 
ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCAN
ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCANADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCAN
ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCANIJNSA Journal
 
A Deeper Look into Network Traffic Analysis using Wireshark.pdf
A Deeper Look into Network Traffic Analysis using Wireshark.pdfA Deeper Look into Network Traffic Analysis using Wireshark.pdf
A Deeper Look into Network Traffic Analysis using Wireshark.pdfJessica Thompson
 

Similar a Introduction to cyber forensics (20)

Network Analysis Mini Project 2.pptx
Network Analysis Mini Project 2.pptxNetwork Analysis Mini Project 2.pptx
Network Analysis Mini Project 2.pptx
 
Network Analysis Mini Project 2.pdf
Network Analysis Mini Project 2.pdfNetwork Analysis Mini Project 2.pdf
Network Analysis Mini Project 2.pdf
 
Scanning.pptx
Scanning.pptxScanning.pptx
Scanning.pptx
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
 
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERSVTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
 
Network Forensics.pdf
Network Forensics.pdfNetwork Forensics.pdf
Network Forensics.pdf
 
CN PPT
CN PPTCN PPT
CN PPT
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementation
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementation
 
infoAssurance (1).pptx
infoAssurance (1).pptxinfoAssurance (1).pptx
infoAssurance (1).pptx
 
Cryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdfCryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdf
 
Securitych1
Securitych1Securitych1
Securitych1
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention System
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceCNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 
ManageEngine OpUtils Technical Overview
ManageEngine OpUtils Technical OverviewManageEngine OpUtils Technical Overview
ManageEngine OpUtils Technical Overview
 
1.SNORT.pdf
1.SNORT.pdf1.SNORT.pdf
1.SNORT.pdf
 
Network scan
Network scanNetwork scan
Network scan
 
Snort
SnortSnort
Snort
 
ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCAN
ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCANADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCAN
ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCAN
 
A Deeper Look into Network Traffic Analysis using Wireshark.pdf
A Deeper Look into Network Traffic Analysis using Wireshark.pdfA Deeper Look into Network Traffic Analysis using Wireshark.pdf
A Deeper Look into Network Traffic Analysis using Wireshark.pdf
 

Último

The Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World PoliticsThe Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World PoliticsRommel Regala
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
Dust Of Snow By Robert Frost Class-X English CBSE
Dust Of Snow By Robert Frost Class-X English CBSEDust Of Snow By Robert Frost Class-X English CBSE
Dust Of Snow By Robert Frost Class-X English CBSEaurabinda banchhor
 
Presentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxPresentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxRosabel UA
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptshraddhaparab530
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSMae Pangan
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 

Último (20)

INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptxINCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
 
The Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World PoliticsThe Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World Politics
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Dust Of Snow By Robert Frost Class-X English CBSE
Dust Of Snow By Robert Frost Class-X English CBSEDust Of Snow By Robert Frost Class-X English CBSE
Dust Of Snow By Robert Frost Class-X English CBSE
 
Presentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxPresentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptx
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.ppt
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHS
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 

Introduction to cyber forensics

  • 1. Introduction to cyber forensics Module 2 Anpu Ann Mathews, AP, Dept. of Cyber Forensics
  • 2. CONTENTS • Router forensics • Cyber forensic tools and case study • Ethical hacking • Windows hacking • Cracking • Malware • Scanning
  • 3. ROUTER FORENSICS • Router • Routers can be hardware or software devices that route data from a local area network to a different network. Routers are responsible for making decisions about which of several paths network (or Internet) traffic will follow. If more than one path is available to transmit data, the router is responsible for determining which path is the best path to route the information. • Function of a router • Routers also act as protocol translators and bind dissimilar networks. Routers limit physical broadcast traffic as they operate at layer 3 of the OSI model. Routers typically use either link state or hop count based routing protocols to determine the best path.
  • 4. The Role of a Router • Routers are found at layer three of the OSI model. This is known as the networking layer. The network layer provides routing between networks and defines logical addressing, error handling, congestion control, and packet sequencing. This layer is concerned primarily with how to get packets from network A to network B. This is where IP addresses are defined. These addresses give each device on the network a unique (logical) address. Routers organize these addresses into classes, which are used to determine how to move packets from one network to another.
  • 5. Routing Tables • Routers are one of the basic building blocks of networks, as they connect networks together. Routers reside at layer 3 of the OSI model. Each router has two or more interfaces. These interfaces join separate networks together. When a router receives a packet, it examines the IP address and determines to which interface the packet should be forwarded. On a small or uncomplicated network, an administrator may have defined a fixed route that all traffic will follow. More complicated networks typically route packets by observing some form of metric.
  • 6. • Routing tables include the following type of information: • Bandwidth • Cost • Delay • Distance • Load • Reliability
  • 7. • Bandwidth This is a common metric based on the capacity of a link. If all other metrics were equal, the router would choose the path with the highest bandwidth. • Cost The organization may have a dedicated T1 and an ISDN line. If the ISDN line has a higher cost, traffic will be routed through the T1. • Delay This is another common metric, as it can build on many factors including router queues, bandwidth, and congestion. • Distance This metric is calculated in hops; that is, how many routers away is the destination. • Load This metric is a measurement of the load that is being placed on a particular router. It can be calculated by examining the processing time or CPU utilization. • Reliability This metric examines arbitrary reliability ratings. Network administrators can assign these numeric values to various links.
  • 8. Router architecture • Router architecture is designed so that routers are equipped to perform two main functions: process routable protocols and use routing protocols to determine best path. The best example of a routed protocol is IP. IP must place a target and source address on the packet. • All the computers on the Internet have an IP address. The first half of the IP address is used to identify the proper network; the second portion of the IP address identifies the host. Combined, this allows us to communicate with any network and any host in the world that is connected to the Internet.
  • 9. Routing Protocols • Routing protocols fall into two basic categories, • static • Dynamic. • Static, or fixed, routing is simply a table that has been developed by a network administrator mapping one network to another. Static routing works best when a network is small and the traffic is predictable. The big problem with static routing is that it cannot react to network changes. • Dynamic routing uses metrics to determine what path a router should use to send a packet toward its destination. Dynamic routing protocols include Routing Information Protocol (RIP), Border Gateway Protocol (BGP), Interior Gateway Routing Protocol (IGRP), and Open Shortest Path First (OSPF). Dynamic routing can be divided into two broad categories: link-state or distance vector dynamic routing protocols.
  • 10. Hacking Routers • Full control of a router can often lead to full control of the network. This is why many attackers will target routers and launch attacks against them. These attacks may focus on configuration errors, known vulnerabilities, or even weak passwords. • Router Attacks • Routers can be attacked by either gaining access to the router and changing the configuration file, launching DoS attacks, flooding the bandwidth, or routing table poisoning. These attacks can be either hit-and-run or persistent. Denial of Service attacks are targeted at routers. If an attacker can force a router to stop forwarding packets, then all hosts behind the router are effectively disabled.
• 11. Router Attack Topology • The router attack topology follows the same steps as any other attack: 1. Reconnaissance 2. Scanning and enumeration 3. Gaining access 4. Escalation of privilege 5. Maintaining access 6. Covering tracks and placing backdoors • Attack types: denial-of-service attacks, routing table poisoning, hit-and-run attacks and persistent attacks.
• 12. Forensic Analysis of Routing Attacks • During a forensic investigation the analyst should examine log files for evidence such as source IP addresses, protocols and ports. The router's own log buffer lives in RAM and is lost on reboot, so it is good practice to send logs to a syslog server as well. On Cisco IOS this is configured from configuration mode, for example: Router# configure terminal / Router(config)# logging host 192.168.1.1 / Router(config)# logging trap informational. Note that access-list entries only produce per-packet log messages when they carry the log keyword.
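The kind of analysis the slide describes, as an added example (not part of the original slides): a small parser for the IOS messages a syslog server would hold after a router compromise. The sample log, hostnames and addresses are constructed for the example; the message formats (%SEC_LOGIN-4-LOGIN_FAILED, %SYS-5-CONFIG_I, %SEC-6-IPACCESSLOGP/IPACCESSLOGDP) are the standard IOS ones. It groups events by source IP and flags sources that brute-forced a login or that logged in and then changed the configuration.

```python
import re
from collections import defaultdict

# Constructed sample of what a central syslog server might have received from
# an IOS router. Hostnames and addresses are hypothetical, not a real capture.
SAMPLE_LOG = """\
Mar 12 10:21:55 edge-rtr 101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:21:55 UTC Tue Mar 12 2024
Mar 12 10:21:58 edge-rtr 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:21:58 UTC Tue Mar 12 2024
Mar 12 10:22:03 edge-rtr 103: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.9] [localport: 22] at 10:22:03 UTC Tue Mar 12 2024
Mar 12 10:22:40 edge-rtr 104: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.9)
Mar 12 10:23:10 edge-rtr 105: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(51234) -> 192.168.1.10(23), 1 packet
Mar 12 10:23:11 edge-rtr 106: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(51235) -> 192.168.1.10(445), 3 packets
Mar 12 10:23:12 edge-rtr 107: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.9 -> 192.168.1.10 (8/0), 4 packets
Mar 12 10:25:00 edge-rtr 108: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(40000) -> 192.168.1.20(443), 12 packets
"""

LOGIN_RE = re.compile(r"%SEC_LOGIN-\d-(?P<result>LOGIN_FAILED|LOGIN_SUCCESS):.*?"
                      r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[\d.]+)\]")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from (?P<where>\S+) by (?P<user>\S+)"
                       r"(?: on (?P<line>\S+) \((?P<src>[\d.]+)\))?")
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \(\d+/\d+\))?, (?P<count>\d+) packets?")

def new_record():
    return {"failed_logins": 0, "successful_logins": 0, "config_changes": 0,
            "denied_packets": 0, "protocols": set(), "targets": set()}

def summarize(log_text):
    """Group every event by the source IP address it came from."""
    hosts = defaultdict(new_record)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            key = "failed_logins" if m["result"] == "LOGIN_FAILED" else "successful_logins"
            hosts[m["src"]][key] += 1
            continue
        m = CONFIG_RE.search(line)
        if m:
            hosts[m["src"] or "console"]["config_changes"] += 1
            continue
        m = ACL_RE.search(line)
        if m:
            rec = hosts[m["src"]]
            rec["protocols"].add(m["proto"])
            rec["targets"].add("%s:%s" % (m["dst"], m["dport"] or "-"))
            if m["action"] == "denied":
                rec["denied_packets"] += int(m["count"])
    return dict(hosts)

def suspicious_sources(hosts, failed_threshold=2):
    """Sources that brute-forced a login, or logged in and then changed the configuration."""
    return sorted(ip for ip, r in hosts.items()
                  if r["failed_logins"] >= failed_threshold
                  or (r["successful_logins"] and r["config_changes"]))

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in suspicious_sources(summary):
        print(ip, summary[ip])
```

The timestamps in the syslog header come from the syslog server's clock and the ones inside the message from the router's; record both, together with the output of show clock, so the two can be reconciled in the report.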
• 13. Investigating Routers • When investigating routers there is a series of built-in commands that can be used for analysis. It is inadvisable to reset or reboot the router, as this destroys the volatile state (running configuration, log buffer, ARP and routing tables) in which the attacker's activity is recorded. The following IOS show commands can be used to gather basic information and record attacker activity: • show clock (record the router's time and its offset from your own clock first) • show version • show running-config (what is in RAM now) • show startup-config (what is in NVRAM and will survive a reboot) • show ip route • show access-lists • show users • show logging
  • 14. Chain of Custody • The chain of custody is used to prove the integrity of evidence. The chain of custody should be able to answer the following questions: • Who collected the evidence? • How and where is the evidence stored? • Who took possession of the evidence? • How was the evidence stored and how was it protected during storage? • Who took the evidence out of storage and why?
• 15. • There is no such thing as too much documentation. One good approach is to have two people work on a case: while one person performs the computer analysis, the other documents those actions. At the beginning of an investigation the forensic analyst should prepare a log to document the systematic process of the investigation. This is required to establish the chain of custody, which documents how the evidence is handled, how it is protected, what process is used to verify that it remains unchanged, and how it is duplicated. Next, the log must record how the media is examined, what actions are taken and what tools are used. Automated tools such as EnCase and the Forensic Toolkit (FTK) compile much of this information for the investigator.
• 16. Volatility of evidence • When responding to a network attack, volatile data should be collected as soon as possible. • When starting an investigation you should always move from most volatile to least volatile. • The first step is to retrieve the contents of RAM and NVRAM. To accomplish this you may use a direct connection to the console port using an RJ-45-to-RJ-45 rolled cable and an RJ-45-to-DB-9 female DTE adapter. When a direct connection is not available, a remote session is the next preferred method. Insecure protocols such as Telnet and FTP should not be used; an encrypted protocol, Secure Shell (SSH), is preferred. Make sure to capture both the volatile configuration (running-config, in RAM) and the nonvolatile configuration (startup-config, in NVRAM) so that the two can be compared for changes and recorded.
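The comparison the slide calls for, as an added example that is not part of the original slides: diff a captured startup-config (NVRAM) against the running-config (RAM), flag the kinds of change an intruder with enable access typically makes, and hash each capture for the chain-of-custody log described on the previous slides. Both configurations are constructed IOS-style fragments for a hypothetical router, and the triage rules are the author's own choice, not a standard list.

```python
import difflib
import hashlib
import re
from datetime import datetime, timezone

# Constructed IOS-style captures from a hypothetical router: what NVRAM held
# (show startup-config) versus what was running in RAM (show running-config).
STARTUP_CONFIG = """\
hostname edge-rtr
username admin privilege 15 secret 5 $1$abcd$EXAMPLEHASH
logging host 192.168.1.1
ip access-list extended MGMT
 permit tcp 192.168.1.0 0.0.0.255 any eq 22
 deny ip any any log
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

RUNNING_CONFIG = """\
hostname edge-rtr
username admin privilege 15 secret 5 $1$abcd$EXAMPLEHASH
username svc privilege 15 secret 5 $1$zzzz$EXAMPLEHASH
ip route 10.20.0.0 255.255.0.0 203.0.113.9
ip access-list extended MGMT
 permit tcp 192.168.1.0 0.0.0.255 any eq 22
 deny ip any any log
line vty 0 4
 transport input telnet ssh
"""

# Kinds of change an intruder with enable access typically makes (example rules).
TRIAGE_RULES = [
    ("local account added or changed", re.compile(r"^username ")),
    ("remote logging altered", re.compile(r"^logging ")),
    ("static route injected or removed", re.compile(r"^ip route ")),
    ("vty access control altered", re.compile(r"^\s*(access-class|transport input)\b")),
    ("access-list entry altered", re.compile(r"^\s*(permit|deny)\b")),
]

def config_lines(text):
    """Drop blank and comment lines so the diff only shows real statements."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]

def diff_configs(nvram_text, ram_text):
    """Return (sign, line) pairs: '-' present only in NVRAM, '+' present only in RAM."""
    changes = []
    for ln in difflib.unified_diff(config_lines(nvram_text), config_lines(ram_text),
                                   "startup-config", "running-config", lineterm="", n=0):
        if ln.startswith(("---", "+++", "@@")):
            continue
        changes.append((ln[0], ln[1:]))
    return changes

def triage(changes):
    """Attach a reason to every changed line that matches a triage rule."""
    flagged = []
    for sign, line in changes:
        for reason, pattern in TRIAGE_RULES:
            if pattern.search(line):
                flagged.append((sign, line, reason))
                break
    return flagged

def evidence_record(item, text, collected_by):
    """Chain-of-custody entry: hash the capture at the moment it is taken."""
    data = text.encode()
    return {"item": item, "sha256": hashlib.sha256(data).hexdigest(), "bytes": len(data),
            "collected_by": collected_by,
            "collected_at": datetime.now(timezone.utc).isoformat()}

if __name__ == "__main__":
    for rec in (evidence_record("startup-config", STARTUP_CONFIG, "analyst A"),
                evidence_record("running-config", RUNNING_CONFIG, "analyst A")):
        print(rec)
    for sign, line, reason in triage(diff_configs(STARTUP_CONFIG, RUNNING_CONFIG)):
        print(sign, line.strip(), "<-", reason)
```

In the constructed case the attacker added a privileged local account, injected a static route to their own host, removed the vty access-class, enabled Telnet on the vty lines and stopped remote logging; none of it would survive a reboot, which is exactly why the router must not be reset before the running configuration is captured.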
  • 17. Case reports • Case reporting is one of the most important aspects of computer forensics. Just as with traditional forensics everything should be documented. Reporting should begin the minute you are assigned to a case. Although it may sometimes seem easier to blindly push forward, the failure to document can result in poorly written reports that will not withstand legal scrutiny.
  • 18. Incident Response • Incident response is the effort of an organization to define and document the nature and scope of a computer security incident. Incident response can be broken into three broad categories that include: • Triage. Notification and identification. • Action/Reaction. Containment, analysis, tracking. • Follow up. Repair and recovery, prevention.
• 19. Cyber forensic tools • EnCase • EnCase is a popular multi-purpose forensic platform with many tools covering the different stages of the digital forensic process. It can quickly acquire data from a wide range of devices and uncover potential evidence, and it produces a report based on that evidence. • Registry Recon • Registry Recon is a popular registry analysis tool. It extracts registry data from the evidence and rebuilds a representation of the registry. It can rebuild registries from both the current and previous Windows installations. It is not a free tool.
• 20. • The Sleuth Kit • The Sleuth Kit is a UNIX- and Windows-based toolkit for the forensic analysis of computers. It comes with several command-line tools that help in analysing disk images, performing in-depth analysis of file systems, and more. • Volatility • Volatility [16] is a memory forensics framework used for incident response and malware analysis. With this tool we can extract data about running processes, network sockets, network configuration, loaded DLLs and registry hives from a memory image. It also supports extracting data from Windows crash dump files and hibernation files. The tool is free of charge under the GPL licence.
• 21. Application of forensic issues and tools used • Disk tools and data capture: Arsenal Image Mounter, DumpIt, FAT32 format, FTK Imager, Nmap, Wireshark • Email analysis: EDB Viewer, OST Viewer, Mail Viewer • Mac OS tools: Audit, Chainbreaker, FTK Imager CLI for Mac OS • Data analysis suites: Autopsy, BackTrack, CAINE, The Sleuth Kit • Internet analysis: Browser History Viewer, ChromeCacheView, Opera PassView, Webpage Saver • Registry analysis: USBDeview, RECmd, UserAssist, Process Monitor • File viewers: E01 Viewer, OLM Viewer, VLC, BKF Viewer
• 22. Case study 1. Hacking • Background The complainant approached the police stating that she had been receiving obscene and pornographic material at her e-mail address and mobile phone. She stated that this person appeared to know a lot about her and her family and believed that her e-mail account had been hacked. • Investigation The investigating team, using a different e-mail ID, chatted with the accused, who was using the complainant's e-mail ID. The team was then able to identify the IP address of the computer system being used, and it was traced to an organisation in Delhi. The team visited the company and through its server logs identified the system from which the obscene material was sent. Using forensic disk imaging and analysis tools the e-mails were retrieved from that system. The residence of the accused was located and the hard disk of his personal computer was seized. On the basis of the evidence gathered the accused was arrested. • Current status The case has been finalised and is currently pending administrative approval.
• 23. 2. Obscene E-mails • Background The complainant received an e-mail stating that the sender had in his possession some objectionable, morphed or obscene photographs of the complainant. The accused demanded to meet the complainant and threatened that if she refused he would put the photographs on the Internet and circulate them among her friends and relatives. • Investigation On receiving the complaint, the investigating team extracted the e-mail header to trace the originating IP address. This IP address was tracked down to a company. Using system logs, the exact computer used and its user were identified, and the accused was arrested. The investigating team also seized the computer and some photographs of a look-alike of the victim from the accused. This evidence was sent to the forensic science laboratory, which confirmed that the seized computer contained evidence implicating the accused in the incident. • Current status The police filed a charge sheet on October 27, 2004 and the matter is presently sub judice.
• 24. ETHICAL HACKING • Ethical hacking can be defined as a legal and authorised attempt to locate and successfully exploit weaknesses in computer systems for the purpose of making those systems more secure. The process includes probing for vulnerabilities as well as providing proof of concept (POC) attacks to demonstrate that the vulnerabilities are real. • Ethical hacking is also known as penetration testing (pen testing, PT) or white hat hacking.
• 25. Phases of Ethical Hacking (the Zero Entry Hacking (ZEH) penetration testing methodology) • 1. Reconnaissance • 2. Scanning • 3. Exploitation • 4. Maintaining Access
• 26. 1. Reconnaissance • Reconnaissance, otherwise called information gathering, is arguably the most important of the four phases. The more time you spend collecting information on your target, the more likely you are to be successful in the later phases. • Active recon: involves interacting directly with the target. During this process the target may record our IP address and log our activity. • Passive recon: makes use of information already available on the web. When conducting passive recon we are not interacting with the target at all.
• 27. 2. Scanning • Scanning has three distinct sub-phases: 1. Determining whether a system is alive • Is the target system turned on and capable of communicating with our machine? 2. Port scanning the system • The process of identifying the specific ports and services listening on a particular host. 3. Scanning the system for vulnerabilities • The process of locating and identifying known weaknesses in the services and software running on the target machine.
• 28. Common port numbers and their corresponding services • 20: FTP data transfer • 21: FTP control • 22: SSH • 23: Telnet • 25: SMTP • 53: DNS • 80: HTTP • 88: Kerberos • 137: NetBIOS Name Service • 389: LDAP • 443: HTTPS
• 29. 3. Exploitation • Exploitation is the process of gaining control over a system. This can take many different forms, but the aim is to turn the target machine into a puppet that executes your commands. • An exploit is the realisation of a vulnerability: a piece of code or a sequence of inputs that takes advantage of a bug in the software to alter its original functionality.
• 30. 4. Maintaining access • Access is maintained through a backdoor, a piece of software that resides on the target computer and allows the attacker to return or connect to the machine at any time. In most cases the backdoor is a hidden process running on the target that lets a normally unauthorised user control the PC. • Rootkits are a special kind of software that embed themselves deep in the operating system and perform a number of tasks, including giving the attacker the ability to completely hide processes, files and programs.
• 31. Terminology 1. Adware − Adware is software designed to force pre-chosen advertisements to display on your system. 2. Attack − An attack is an action taken against a system to gain access to it or extract sensitive data. 3. Back door − A back door, or trap door, is a hidden entry to a computing device or software that bypasses security measures such as logins and password protection. 4. Bot − A bot is a program that automates an action so that it can be repeated at a much higher rate, and for longer, than a human operator could manage; for example, issuing HTTP, FTP or Telnet requests at a high rate, or calling a script to create objects at a high rate. 5. Botnet − A botnet, also known as a zombie army, is a group of computers controlled without their owners' knowledge. Botnets are used to send spam or to mount denial of service attacks.
• 32. 6. Brute force attack − A brute force attack is the simplest, fully automated method of gaining access to a system or website: it tries different combinations of usernames and passwords over and over until it gets in. 7. Cracker − A cracker is one who modifies software to access features the software's author intended to withhold, especially copy protection. 8. Denial of service attack (DoS) − A denial of service (DoS) attack is a malicious attempt to make a server or network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet. 9. DDoS − A distributed denial of service attack: a DoS attack launched simultaneously from many compromised machines, typically a botnet.
  • 33. 10. Exploit − Exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to compromise the security of a computer or network system. 11. Firewall − A firewall is a filter designed to keep unwanted intruders outside a computer system or network while allowing safe communication between systems and users on the inside of the firewall. 12. Malware − Malware is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs.
• 34. 13. Phishing − Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking e-mails in an attempt to gather personal and financial information from recipients. 14. Social engineering − Social engineering means deceiving someone in order to acquire sensitive or personal information, such as credit card details or usernames and passwords. 15. Spam − Spam is unsolicited e-mail, also known as junk e-mail, sent to a large number of recipients without their consent. 16. Threat − A threat is a possible danger that can exploit an existing bug or vulnerability to compromise the security of a computer or network system.
• 35. 17. Trojan − A Trojan, or Trojan horse, is a malicious program disguised to look like a legitimate one, making it hard to tell from the programs that are supposed to be there; it is built to destroy files, alter information, or steal passwords and other data. 18. Virus − A virus is a malicious program or piece of code that attaches itself to a host file or program, copies itself, and typically has a detrimental effect such as corrupting the system or destroying data. 19. Vulnerability − A vulnerability is a weakness that allows an attacker to compromise the security of a computer or network system. 20. Worm − A worm is self-replicating malware that spreads across a network on its own, without needing to attach itself to a host file; it typically resides in active memory and duplicates itself to other machines.
• 36. Hacker Classification • Hackers can be classified into categories such as white hat, black hat and grey hat, based on their intent in hacking a system. • White hat hackers are also known as ethical hackers. They never intend to harm a system; rather, they try to find weaknesses in a computer or network as part of penetration testing and vulnerability assessments. • Black hat hackers, also known as crackers, hack in order to gain unauthorised access to a system and harm its operation or steal sensitive information. Black hat hacking is always illegal. • Grey hat hackers are a blend of the two. They act without malicious intent, but for their own amusement they exploit security weaknesses in a computer system or network without the owner's permission or knowledge. • A script kiddie is a non-expert who breaks into computer systems using pre-packaged automated tools written by others, usually with little understanding of the underlying concepts, hence the term "kiddie". • A hacktivist is a hacker who uses technology to promote a social, ideological, religious or political message.
• 37. Password Cracking • A strong password has the following attributes: • contains at least 8 characters (longer is better: every extra character multiplies the search space); • a mix of letters, numbers and special characters; • a combination of lower-case and upper-case letters. • The composition of a password determines the cracking time: a long password drawn from letters, digits and symbols is far more expensive to crack than a short, simple one, because the attacker must cover a much larger keyspace.
• 38. PASSWORD CRACKING TECHNIQUES 1. Dictionary Attack • In a dictionary attack the attacker uses a predefined list of words (a wordlist) and tries each one as the password. If the password is weak, a dictionary attack finds it quickly. • Hydra is a popular tool widely used for online dictionary attacks against network services, for example guessing the password of an FTP login. 2. Hybrid Dictionary Attack • A hybrid dictionary attack combines dictionary words with mutations and extensions. For example, the word "admin" is tried with numeric suffixes such as "admin123" and "admin147", and with case changes. • Crunch is a wordlist generator in which you specify a standard or custom character set and length; it can generate every combination and permutation. It comes bundled with the Kali Linux distribution.
• 39. 3. Brute-Force Attack • In a brute-force attack the attacker tries every possible combination of letters, digits, special characters and upper- and lower-case letters until the password is found. Given enough time this always succeeds, but the time grows exponentially with password length, so an attacker usually needs a system with high processing power (today typically GPUs) to work through the combinations fast enough. • John the Ripper (with Johnny, its graphical front end) is one of the most powerful tools for brute-force and dictionary attacks, and it comes bundled with the Kali Linux distribution.
• 40. 4. Rainbow Tables • A rainbow table is a precomputed lookup structure mapping password hashes back to passwords. The attacker does the hashing work once, in advance; recovering a plaintext password from a captured hash then becomes a fast lookup rather than a fresh brute-force run. 5. Salted or not salted • Salting is a technique used to defeat such precomputation. A salt is a random value, different for every user, that is combined with the password before hashing and stored alongside the hash. Because the same password now hashes to a different value for every salt, a table precomputed without the salt is useless, and the attacker must redo the work separately for each salted hash.
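The hybrid dictionary (slide 38) and the precomputation versus salting argument (slide 40), as one added example that is not part of the original slides. The base wordlist and the salt are constructed for the example; a real attack uses multi-million entry lists and a real system draws each user's salt from a cryptographic random number generator. The "table" is a plain hash-to-password map, which is what a rainbow table compresses with reduction chains; the lookup and the per-salt recomputation behave the same way.

```python
import hashlib
import itertools

# Constructed base wordlist (a real attack uses multi-million entry lists).
BASE_WORDS = ["password", "admin", "letmein", "welcome", "qwerty"]

# Constructed per-user salt; a real system draws this from a CSPRNG for each account.
SALT = bytes.fromhex("0f1e2d3c4b5a6978")

def hybrid_candidates(words, max_digits=3):
    """Hybrid dictionary: case variants of each word plus 1..max_digits digit suffixes."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for n in range(1, max_digits + 1):
                for digits in itertools.product("0123456789", repeat=n):
                    yield base + "".join(digits)

def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_lookup_table(candidates):
    """Precomputation: hash every candidate once, up front. A rainbow table is a
    space-compressed version of exactly this map (hash -> password)."""
    return {unsalted_hash(c): c for c in candidates}

def crack_with_table(table, digest):
    """One dictionary access per captured hash, whatever the size of the list."""
    return table.get(digest)

def crack_salted(digest, salt, candidates):
    """With a salt the table is useless: the hashing work has to be redone for this salt."""
    for c in candidates:
        if salted_hash(c, salt) == digest:
            return c
    return None

if __name__ == "__main__":
    table = build_lookup_table(hybrid_candidates(BASE_WORDS))
    print("precomputed", len(table), "hashes")
    print("unsalted, via table:", crack_with_table(table, unsalted_hash("admin123")))
    print("salted, via table:", crack_with_table(table, salted_hash("admin123", SALT)))
    print("salted, recomputed:", crack_salted(salted_hash("admin123", SALT), SALT,
                                              hybrid_candidates(BASE_WORDS)))
```

Salting only removes the precomputation shortcut; the per-salt attack still runs at the speed of one hash per guess. That is why password storage additionally uses a deliberately slow function (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count) rather than a single SHA-256 as above.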
• 41. Password Cracking countermeasures • Don't write passwords down anywhere; memorise them (or use a password manager). • Set strong passwords that are difficult to crack. • Use a combination of letters, digits and symbols, in upper and lower case. • Don't set passwords that are similar to the username. • Biometric techniques such as fingerprint, hand geometry, iris or retina pattern can authenticate a user on the basis of physical characteristics. • Other forms of multi-factor authentication use one-time-password tokens, such as RSA SecurID.
  • 42. WINDOWS HACKING • The most obvious initial observation to make about the Windows architecture is that it is two-tiered. • Kernel mode • User mode • The most privileged tier of operating system code runs in Kernel mode and has effectively unrestricted access to system resources. • User mode functionality has much more restricted access and must request services from the kernel in many instances to complete certain tasks, such as accessing hardware resources, authenticating users, and modifying the system. • Basic attack methodologies: • attack the kernel, or attack user mode
• 43. Attacking the Kernel • The kernel mode interface is an obviously attractive boundary that attackers have historically sought to cross. • Two primary classes of kernel mode compromise can occur: • Physical attacks against kernel-resident device drivers that parse raw input, such as from network connections or inserted media. The wireless driver attacks published by Johnny Cache and others, and the Sony CD-ROM rootkit incident, are examples of each of these respectively. • Logical attacks against critical operating system structures that provide access to kernel mode, including the protected kernel images themselves (such as ntoskrnl.exe, hal.dll and ndis.sys).
• 44. Attacking User Mode • If you can authenticate to Windows as an authorised user, you have access to all the resources and data available to that user. If you are lucky enough to authenticate as an administrative user, you will likely have access to the resources and data of every user on the system. The access control gatekeeper for user mode data and resources is the Local Security Authority (LSA), a protected subsystem that works across user and kernel mode to authenticate users, authorise access to resources, enforce security policy and manage security audit events.
• 45. Security principals • Windows offers three fundamental types of account, called security principals: • Users • Groups • Computers • Users: anyone with even a passing familiarity with Windows has encountered user accounts. We use them to log on to the system and to access resources on the system and the network. • Groups: primarily an administrative convenience, groups are logical containers for aggregating user accounts. They are also used to allocate privileges in bulk, which can have a heavy impact on the security of a system. • Computers: when a Windows system joins a domain, a computer account is created. Computer accounts are essentially user accounts used by machines to log on and access resources; the account name is the machine name with a dollar sign ($) appended.
• 46. Network Authentication • The NT family primarily uses challenge/response authentication. The server sends the client a random value (the challenge); the client uses the hash of the user's password as a key to compute a cryptographic response over that challenge (DES encryption of the challenge in LM and NTLM, a keyed hash over the challenge and client data in NTLMv2) and sends the response back. The server takes its own copy of the user's hash from the local Security Accounts Manager (SAM) or Active Directory (AD), performs the same computation on the challenge it just sent, and compares the result with the client's response. Thus no password ever traverses the wire during NT family authentication, even in encrypted form.
• 48. • The NT family can use one of three different algorithms to compute the response to the 8-byte challenge: • LANMan (LM) hash • NTLM hash • NTLM version 2 (NTLMv2) • The LM scheme is weak enough that an attacker able to eavesdrop on the network can recover the password hash relatively easily from the exchange, and then guess the actual password offline, even though the hash itself never traverses the network. • NTLM is stronger, and a further secured version, NTLMv2, was introduced with NT 4 Service Pack 4. Windows 95/98 clients did not natively implement NTLM, so the protection offered by NTLM and NTLMv2 was typically not deployed on mixed networks in the past.
• 49. The SAM and Active Directory • The SAM contains user account names and password information. The password information is kept in a scrambled format that cannot be unscrambled using known techniques, although the scrambled value can still be guessed. The scrambling procedure is a one-way function (OWF), or hashing algorithm, and it produces a hash value that cannot be decrypted. The SAM makes up one of the five Registry hives and is implemented in the file %systemroot%\system32\config\SAM.
  • 50. SYSKEY • Under NT, password hashes were stored directly in the SAM file. Starting with NT 4 Service Pack 3, Microsoft provided the ability to add another layer of encryption to the SAM hashes, called SYStem KEY. • To enable SYSKEY on NT 4, you have to run the SYSKEY command. • Clicking the Update button in this window presents further SYSKEY options, namely the ability to determine how or where the SYSKEY is stored. • The SYSKEY can be stored in one of three ways: • Mode 1 Stored in the Registry and made available automatically at boot time (this is the default). • Mode 2 Stored in the Registry but locked with a password that must be supplied at boot time. • Mode 3 Stored on a floppy disk that must be supplied at boot time.
• 51. Port Scans • Port scanning is the act of connecting to each potential listening service, or port, on a system and seeing whether it responds. The building block of a standard TCP port scan is the three-way handshake. • Port Scanning Variations • Source port scanning: the scanner specifies the source port from which to originate the TCP connection, rather than accepting whatever port above 1024 the operating system allocates; a source port such as 53 or 20 may be let through by poorly written filter rules. • SYN scanning: the scanner sends the SYN, reads the SYN/ACK (or RST), and then tears the session down instead of completing the handshake with the final ACK. This saves one-third of the overhead of a TCP "connect" scan and so speeds up scanning of many systems, and it does not leave a completed connection for the application to log. • UDP scanning: a User Datagram Protocol (UDP) scan sends a UDP packet to the port in question. If an "ICMP port unreachable" message comes back, the port is flagged as closed; if no response is received, the port is flagged as open or filtered.
• 52. Port Scanning Tools • SuperScan, written by Robin Keir of Foundstone, is a fast, flexible, graphical network scanning utility that is available free of charge. • It allows flexible specification of target IPs and port lists. The "Read ports from file" feature is especially convenient for busy security consultants. • SuperScan also sports numerous other features, including banner grabbing, SYN scanning, adjustable scan speed, footprinting capabilities such as whois, HTML reporting, and even Windows enumeration functionality.
• 53. WINDOWS HACKING TOOLS • PWDump • This handy utility dumps the password database of an NT machine, held in the NT registry under HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users, into a valid smbpasswd-format file, which practically all Windows password auditing tools understand. • PWDump2 • This application dumps the password hashes from NT's SAM database whether or not SYSKEY is enabled on the system. NT administrators can therefore enjoy the additional protection of SYSKEY while still being able to check for weak user passwords. The output follows the same format as the original pwdump and can be used as input to password crackers. It works by injecting into a process that already holds the unscrambled hashes, so the account running it needs the SeDebugPrivilege.
• 54. • Kerbcrack • Kerbcrack is made up of two tools, kerbsniff and kerbcrack, and performs brute force attacks on captured Kerberos packets. Kerbsniff captures Kerberos packets from the network, and kerbcrack performs the actual brute force cracking on the output of the first tool. • Kerbcrack targets the encrypted timestamp in the Kerberos pre-authentication data. The timestamp is encrypted with a key derived from the user's password, so each candidate password can be tested offline by deriving the key and checking whether the decrypted value is a plausible timestamp.
• 55. Countermeasures for Windows password cracking • Use Windows smart card logon, or encrypt the network traffic between the Kerberos client and the domain controller with IPsec, so that sniffers see nothing usable. • Enforce a password policy: require long passwords and expire them, for example every 30 days. • Apply an account lockout policy to stop online brute force attacks. • Use SYSKEY and multi-factor authentication. • Do not store the LAN Manager hash in the Security Accounts Manager (SAM) database.
• 56. MALWARE • Malware is malicious software, such as a virus, worm or Trojan program, introduced into a network to disrupt a business's operations. • The traditional goal of malware was to destroy or corrupt data or to shut down a network or computer system; today it is just as often used to steal data or money.
• 57. Viruses • A virus is a program that attaches itself to a file or another program, often sent via e-mail. • A virus does not stand on its own: it cannot replicate or operate without its host. • Viruses copy themselves to other files and disks in order to spread to other computers. • They can be merely annoying or vastly destructive to your files. • Many antivirus packages are available, but none can guarantee protection because new viruses are created constantly. • Well-known examples: Gumblar, Zlob, Luckysploit, Blaster.
  • 58. Macro viruses • A macro virus is encoded as a macro in programs that support a macro programming language such as Visual Basic for Applications(VBA).
• 59. Worms • A worm is a program that replicates and propagates itself without having to attach itself to a host. • It uses the network to send copies of itself to other nodes, and may do so without any user intervention. • Security professionals have had to protect even ATMs from worm attacks such as Slammer and Nachi. • The most infamous worms include Code Red, Nimda, Mytob, Storm and Conficker.
• 60. Trojan programs • One of the most insidious attacks against networks and computers worldwide takes place via Trojan programs, which disguise themselves as useful programs and can install a backdoor or rootkit on a computer. • They are often used to capture logins and passwords. • A Trojan horse program appears to have a useful and desired function. • Back Orifice is still one of the most common Trojan programs in use today.
• 61. Spyware • Spyware is a type of malware installed on a computer that collects information about its users without their knowledge. • A spyware program sends information from the infected computer back to the person who planted it. • The information could be confidential financial data, passwords, PINs, or just about any data stored on the computer. • It can be used to record and send everything a user types to an unknown person located halfway around the world.
• 62. Adware • Adware can be installed without users being aware of its presence, although sometimes it displays a banner that announces itself. • Adware's main purpose is to determine a user's purchasing habits so that the web browser can display advertisements tailored to that user. • Its most visible cost is that it slows down the computer it is running on.
• 63. Phishing • Phishing (pronounced like "fishing") is a message that tries to trick you into providing information such as your social security number, bank account details, or the login and password for a web site. • The message typically claims that unless you click the link and log on to a financial web site your account will be blocked, or threatens some other disaster.
• 64. Damages 1. Data loss • Many viruses and Trojans attempt to delete files or wipe hard drives when activated; even if you catch the infection early, you may still have to delete infected files. 2. Account theft • Many types of malware include keylogger functions designed to steal account names and passwords from their targets. • This gives the malware author access to any of the user's online accounts, including e-mail accounts from which new attacks can be launched. 3. Botnets • Many types of malware also take control of the user's computer, turning it into a "bot". • Attackers build networks of these commandeered computers and use their combined processing power and bandwidth for tasks such as cracking password files or sending bulk e-mail.
• 65. How Can You Protect Your Computer? • Install protection software and keep it updated. • Be cautious with files from unknown or questionable sources. • Do not open e-mail attachments if you do not recognise the sender. • Download files only from reputable Internet sites. • Install a firewall. • Scan your hard drive for viruses regularly.
• 66. Scanning • Scanning is the procedure of identifying active hosts, open ports and the services behind them on the target. • Network scanning is used to find vulnerable points in the network that can be exploited. • Network scanning can be divided into two types: 1. Port scanning 2. Vulnerability scanning
• 67. 1. Port Scanning • As the name suggests, port scanning is the process of finding the open ports on a host or network. • A port scanner sends client requests to a range of ports on the target and records the ports that send a response back. • Every host has 65,536 ports (numbered 0 to 65535) for each transport protocol. • A port is either TCP or UDP, depending on the service using it and the nature of the communication taking place on it.
• 68. TCP and UDP Port Scanning • TCP offers robust communication and is a connection-oriented protocol. • TCP establishes a connection using what is called a three-way handshake (SYN, SYN/ACK, ACK). • The TCP header carries a set of one-bit control flags. The original RFC 793 header defines six of them (URG, ACK, PSH, RST, SYN, FIN) following a reserved area; RFC 3168 later added CWR and ECE. A scanner sets these flags by hand to provoke a telltale reply. [Figure: TCP flags field: Reserved | URG | ACK | PSH | RST | SYN | FIN]
• 69. Common TCP flags • ACK: the receiver sends an ACK to acknowledge received data. • SYN: used during the three-step session setup to ask the other party to begin communication and to agree on initial sequence numbers. • FIN: used during a normal shutdown to inform the other host that the sender has no more data to send. • RST: used to abort an abnormal session. • PSH: used to force data delivery without waiting for buffers to fill. • URG: used to indicate priority data.
• 70. Port scanning types
• TCP Full Connect scan: This type of scan is the most reliable but also the most detectable. It is easily logged and detected because a full connection is established. Open ports reply with a SYN/ACK; closed ports respond with a RST/ACK.
• TCP SYN scan: This type of scan is known as half-open, because a full TCP connection is not established. This type of scan was originally developed to be stealthy and evade IDS systems, although most now detect it. Open ports reply with a SYN/ACK; closed ports respond with a RST/ACK.
• TCP FIN scan: Forget trying to set up a connection; this technique jumps straight to the shutdown. This type of scan sends a FIN packet to the target port. Closed ports should send back an RST. This technique is usually effective only on Unix devices.
• 71.
• TCP NULL scan: Sure, there should be some type of flag in the packet, but a NULL scan sends a packet with no flags set. If the OS has implemented TCP per RFC 793, closed ports will return an RST.
• TCP XMAS scan: Just a port scan that has toggled on the FIN, URG, and PSH flags. Closed ports should return an RST.
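The flag combinations listed on slides 69 to 71, as an added example in Python (not code from the slides): decode the 1-byte flags field and tag inbound segments by probe type so a defender can spot a NULL, XMAS, FIN or SYN sweep in captured traffic. The packet records, the `min_ports` threshold and the function names are constructed for this illustration.

```python
# Added example: decode the TCP flags byte and recognise the probe shapes
# described on the slides (SYN, FIN, NULL, XMAS) in a list of inbound segments.
from collections import defaultdict

# Bit positions of the six RFC 793 flags inside the 1-byte flags field.
# The two high bits were "reserved" in RFC 793 and are masked off below.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def decode_flags(byte):
    """Return the set of flag names that are set in a TCP flags byte."""
    return {name for name, bit in TCP_FLAGS.items() if byte & 0x3F & bit}

def classify_probe(byte):
    """Name the scan technique a single inbound segment matches, or 'other'."""
    flags = decode_flags(byte)
    if not flags:
        return "NULL"          # no flags at all: NULL scan
    if flags == {"FIN", "URG", "PSH"}:
        return "XMAS"          # FIN+URG+PSH toggled on: XMAS scan
    if flags == {"FIN"}:
        return "FIN"           # bare FIN with no session: FIN scan
    if flags == {"SYN"}:
        return "SYN"           # first step of a connect or a half-open SYN scan
    return "other"

def probe_summary(packets, min_ports=5):
    """
    packets: iterable of (src_ip, dst_port, flags_byte) for inbound TCP segments.
    Returns {src_ip: {technique: distinct ports probed}} for sources that hit
    at least min_ports distinct ports with one technique (a likely sweep).
    """
    seen = defaultdict(lambda: defaultdict(set))
    for src, port, byte in packets:
        kind = classify_probe(byte)
        if kind != "other":
            seen[src][kind].add(port)
    return {src: {k: len(p) for k, p in kinds.items() if len(p) >= min_ports}
            for src, kinds in seen.items()
            if any(len(p) >= min_ports for p in kinds.values())}

# Constructed sample: one host sweeps six ports with NULL probes and sends one
# XMAS probe (0x29 = FIN|PSH|URG); another host sends a single ordinary SYN.
SAMPLE = [("10.0.0.7", p, 0x00) for p in (21, 22, 23, 25, 80, 443)] + \
         [("10.0.0.7", 8080, 0x29), ("10.0.0.9", 443, 0x02)]

if __name__ == "__main__":
    print(probe_summary(SAMPLE))   # {'10.0.0.7': {'NULL': 6}}
```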
• 72. User Datagram Protocol
• User Datagram Protocol is a communication protocol which works over the Internet Protocol (IP).
• It is a connection-less and stateless protocol.
• When a packet is sent to a UDP port, three responses are possible, which is different from the way TCP ports respond.
• If there is no service running on the UDP port, the system will reply with an "ICMP port unreachable" message.
• ICMP stands for Internet Control Message Protocol.
• If a service is running, and the UDP packet is not a valid query packet with respect to the application protocol, it may silently drop the packet without giving any response.
• If the UDP packet is a valid packet with respect to the application protocol and one to which a response is expected, the application running on UDP will send back a response packet.
• Accordingly, port scanning may report any UDP port to be in a closed, filtered or open state.
• 73.
• Sniffer
• The Sniffer captures all the UDP and ICMP packets coming to the scanner.
• It has a list, referred to here as the port-list, of all the ports under scanning.
• When it receives an ICMP port unreachable packet, it marks the corresponding port as 'closed' in the port-list.
• If it receives a UDP response packet, it sets the corresponding port as 'open' in the port-list.
• At the end of scanning, all the remaining ports which are not marked as open or closed are set to 'filtered'.
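The three-state bookkeeping that slides 72 and 73 describe for the Sniffer, as an added Python example (not the scanner's own code): replies observed for each probed port are folded into open, closed or filtered. The observation format, the port-list and the sample replies are constructed for this illustration; the point for anyone reading a UDP scan report is that "filtered" only records silence, not a listening service.

```python
# Added example: the port-list state machine outlined on the Sniffer slide.
# ICMP type 3 (destination unreachable) with code 3 means "port unreachable";
# other codes (e.g. code 1, host unreachable) are not a closed-port signal here.
ICMP_DEST_UNREACH, ICMP_CODE_PORT = 3, 3

def udp_port_states(probed_ports, observations):
    """
    probed_ports: the port-list, i.e. ports the scanner sent UDP probes to.
    observations: replies the sniffer saw, each either
        ("icmp", type, code, quoted_port)  an ICMP error quoting the probed port
        ("udp", port)                      a UDP datagram back from that port
    Returns {port: "open" | "closed" | "filtered"}.
    """
    states = {port: None for port in probed_ports}
    for obs in observations:
        if obs[0] == "icmp":
            _, itype, icode, port = obs
            if (itype, icode) == (ICMP_DEST_UNREACH, ICMP_CODE_PORT) and port in states:
                states[port] = "closed"
        elif obs[0] == "udp":
            port = obs[1]
            if port in states:
                states[port] = "open"   # any datagram back proves a listener
    # Ports that never answered are reported as filtered, as the slide says.
    # Note: many hosts rate-limit ICMP errors, so a closed port can also end
    # up here when its error was never sent; silence is not proof of either state.
    return {p: (s or "filtered") for p, s in states.items()}

# Constructed sample: DNS answers, TFTP is closed, NTP draws a host-unreachable
# error (not port-unreachable), SNMP and ISAKMP stay silent, and an ICMP error
# quoting a port that was never probed is ignored.
PROBED = [53, 69, 123, 161, 500]
OBSERVED = [("udp", 53), ("icmp", 3, 3, 69), ("icmp", 3, 1, 123), ("icmp", 3, 3, 9999)]

if __name__ == "__main__":
    print(udp_port_states(PROBED, OBSERVED))
    # {53: 'open', 69: 'closed', 123: 'filtered', 161: 'filtered', 500: 'filtered'}
```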
• 74.
• ARP Poisoner
• The ARP Poisoner module responds to every ARP request made by the Server Under Testing (SUT) with the scanner's own MAC address.
• This allows the scanner to acquire all the IP addresses on the network.
• The ARP Poisoner does not, however, reply to gratuitous ARP requests, to avoid an IP collision situation.
• 75.
• Packet Sender
• Packet Sender sends UDP packets, also called probe packets, to the Server Under Testing (SUT).
• In these packets, the Ethernet source address is the address of the scanner and the Ethernet destination address is the address of the SUT.
• In the IP header, the destination IP address is the address of the SUT and the source IP address is any valid IP address in the same subnet as the SUT.
• If a gateway is configured on the SUT, the source IP address can be any valid IP address.
• 76. 2. Vulnerability Scanning
• Vulnerability Scanning is scanning the targets for vulnerabilities.
• A vulnerability is a weakness in the software or system configuration that can be exploited.
• Vulnerabilities can come in many forms, but most are associated with missing patches.
• To scan a system for vulnerabilities, we use a vulnerability scanner such as Nessus.
• 77. Nessus
• Its key component is plug-ins.
• A plug-in is a small block of code that is sent to the target system to check for known vulnerabilities.
• Nessus has thousands of plug-ins.
• There are many options that you can use to customise your scan:
• Comprehensive port scanning.
• Network based vulnerability scanning.
• SQL database configuration auditing.
• Software enumeration on UNIX and Windows.