Thursday, 18 April 2013

" Ethical Hacking"


" Ethical Hacking"


Fixing the system by compromising it” Ethical hacking, also known as penetration testing, intrusion testing used to find loopholes (Leakage)  in an IT system and break into it. “Hacking for Information Security”
To ensure the protection and privacy of personally identifiable and/or sensitive information.
The state of security on the internet is poor and the progress toward increased protection is slow.

  • Hackers

White hat – ethical hacker and penetration taster  ( focuses  on IT security )
Black hat – Villain hacker , Hacks for illegal uses , making viruses and Trojans.
Gray hat – hybrid between white and black hat 


  • Hacking techniques 

Vulnerability scanner
Password cracking
Packet sniffer
Spoofing attack (Phishing)
Trojan horses
Viruses
Worms
Key loggers

  •     Vulnerability scanner


A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses.
By different injections like SQL , after scanning the database hackers get information like passwords , user ids etc. from it. 
  •     SQL injection
By sending malicious code of malware to a server by http req., hacker gain a server level access. &get id and passwords. Or by bypassing common id & passwords. E.g. admin'or'0'=‘0


This works on low security servers where SQL data is injected by http request.


  •     Password cracking
• password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. 
The purpose of password cracking is to help a user to recover a forgotten password . But it is mostly use for hacking or accessing illegally a system.

  •     Packet sniffer
It  is a computer program or a piece of computer hardware  that can intercept and log traffic passing over a digital network or part of a network.
It can captures the packets of data which are flows through the network.
So it is used for getting data in between two systems.
  •     Spoofing attack (Phishing)

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
  •     Trojan horses


• A Trojan horse, or Trojan, is a non-self-replicating type of malware which appears to perform a desirable function but instead facilitates unauthorized access to the user's computer system.

  •      Viruses 



• A computer virus is a computer program that can replicate itself and spread from one computer to another. It used to refer to other types of malware, including but not limited to adware and spyware programs that do not have a reproductive ability.

  •     Worms


• It uses a computer network to spread itself, relying on security failures on the target computer to access it. It does not need to attach itself to an existing program.
 .
  •     Keyloggers 


Two types : hardware & software
Software key loggers records all keystrokes and sends it to specific location by a spyware program.
Hardware key loggers are attached between keyboard and CPU.  
 .   
"How Hacking Works ?"
method 1: Drive-by attack
method 2: Opportunistic attack
method 3: Targeted or “Sniper” attack

  •      method 1.1: Drive-by attack-1
• Hacker inserts an image/sound file/animation in a legitimate webpage.
• That contains a malicious script which is run when the webpage is loaded into a user’s unpatched/unsecure web browser
• The script installs some type of virus on the user’s machine, potentially uploading confidential information to the hacker’s computer or allowing the hacker backdoor access to the user’s computer.


  •      method 1.2: Drive-by attack-2

• Hacker designs a webpage that looks identical to some other legitimate page but contains a malicious script (mini-program)
• User clicks on the link, the seemingly legitimate page opens and the script runs and installs some type of virus on the user’s machine potentially uploading confidential information to the hacker’s computer or allowing the hacker backdoor access to the user's computer.
  •      method 1.3: Drive-by attack-3
• Hacker sends out hundreds/thousands of emails spoofing the sender’s name so that the email seems to come from a legitimate source.
The recipient of the email is requested to click on a seemingly legitimate webpage link in the email
The target webpage contains a malicious script which, runs for hacking process.
  •      method 1.4: Drive-by attack-4
• It is same like method 3 but in this method hacker sends different attachments containing virus or malware scripts.
After opening attachments it runs the malware scripts or virus process. 
  •      method 2 : Opportunistic attack  
• The hacker will scan a range of internet address to see which ones respond.
After response , it list may then be read by another piece of software called a “vulnerability scanner” to test each of the devices to see if they are susceptible to known attack methods using known weaknesses in the operating system or running programs.
  •      method 3 : "sniper" attack
• These are calculated attempts to extract data from an organization sometimes for financial reward, sometimes for bragging rights and sometimes for a cause.
Examples of this type of hack would be to steal credit/debit card numbers, personal details such as Social Security numbers, passport or ID details or even social networking website logins.
For Army security & in cyber crime investigation this hacking is done.


what can hacker do ?


Steal Your Number
Take Your Information
Rob Your Money
Give the System a Virus
Spy on You
Access Your Mails



How to prevent hacking ?


Perform required software updates for your operating system and web browser. ( A system that hasn't been updated recently has flaws in it that can be taken advantage of by hackers.)
Install a firewall on your computer.
Change your passwords every month.
Install anti-spyware/adware & antivirus programs onto your system.
Delete emails from unknown sources.

Avoid Scam/Spammy Websites
Clear the Cookies!
Don’t use Generic Usernames
Use Strong Passwords!

Applications


Cyber crime investigation
Secure software development
Penetration testing
Vulnerability assessment



for any queries please contact me : mayurbhimani11@gmail.com 












1 comment: