Vishal Chavre

Uni
t-
5Basi
csofHacki
ng

5.
1Ethical Hacking:History
 Hacki ngdev elopedal ongside"PhonePhr eaki
ng"
,atermr ef
err
edt oexpl
orat
ion
oft hephonenet workwi thoutauthor i
zati
on,andtherehasoftenbeenov er
lap
betweenbot ht echnologyandpar t
icipants.
 Ethicalhack i
ngi sthesci enceoft estingcomput er
sandnet workforsecuri
ty
vulner abi
li
tiesandpl uggingthehol esfoundbeforetheunaut hori
zedpeople
getachancet oex ploitthem.

Defi
ninghacker,Mal
ici
oususers
Defi
niti
onofHacker:AHackerisapersonwhofindsandexploi
tst
heweaknessin
comput ersyst
emsand/ ornetwor
kstogainaccess.Hackersareusual
l
yskil
led
comput erpr
ogrammerswithknowl
edgeofcomputersecur
it
y.

AnEthicalHacker
,alsoknownasawhi t
ehathacker
,orsimplyawhit
ehat
,isa
secur
it
ypr of
essi
onalwhoappli
estheirhacki
ngskil
lsfordef
ensi
vepur
poseson
behal
foftheownersofinf
ormat
ionsy
stems.

WhatIsaMal i
ciousUser?
Mali
cioususers(orinter
nalatt
ackers)tr
yt ocompromisecomput
ersandsensi
ti
ve
i
nfor
mat i
onfrom theinsi
deasauthor i
zedand“trust
ed”user
s.
Malici
oususersgof orsyst
emst heybelievetheycancompromi
seforfr
audul
ent
gai
nsorrevenge.

 Mali
ciousat
tacker
sare,
gener al
l
yknownasbot h,hacker
sandmali
cioususer
s.
 Mali
cioususermeansar ogueempl oy
ee,contr
actor,i
nter
n,orot
heruser
whoabuseshi sorhertrustedpri
vi
leges.I
tisacommont er
minsecurit
y
ci
rcl
es.

Userssearchthroughcri
ti
caldatabasesystemstocoll
ectsensi
ti
veinf
ormati
on,e-
mailconf
identi
alcli
enti
nformati
ont othecompetit
ionorel
sewheret
ot hecl
oud,or
del
etesensit
ivefil
esfr
om server
st hatt
heyprobabl
ydonothaveaccess.

Mali
cious user
s are of
ten t
he worstenemies ofIT and i
nfor
mation secur
it
y
prof
essional
sbecausetheyknow exact
lywheretogotogett hegoodsanddon’ t
needtobecomput ersav
vytocompromisesensi
ti
veinf
ormati
on.

Theseuser
shav et
heaccesstheyneedandthemanagementtr
ust
sthem,of
ten
wit
houtquest
ion.I
nshorttheytaketheundueadvantageofthetr
ustofthe
management.

Hacker
sar
ecl
assi
fi
edaccor
dingt
othei
ntentoft
hei
ract
ions.

Vishal Chavre
Tabl
e5.
1Cl
assi
fi
cat
ionsofhacker
saccor
dingt
othei
rint
ent
.
Sy
mbol Descr
ipt
ion

EthicalHacker(Whitehat):Ahackerwho
gainsaccesst osystemswi thaviewto
fi
xt heident
ifi
edweaknesses.
Theymayal soper
for m penetr
ati
on
Test i
ngandv ul
nerabil
it
yassessments.

Cracker( Blackhat )
:Ahackerwhogai ns
unaut horizedaccesstocomput er
systemsf orpersonalgai
n.
Thei ntentisusual l
ytostealcorporate
data,v i
olatepri
v acyri
ght
s, t
ransferfunds
fr
om bankaccount setc.

Greyhat:Ahackerwhoi sinbetween
ethi
calandblackhathackers.He/she
breaksint
ocomput ersystemswithout
authori
tywit
hav i
ewt oidenti
fy
weaknessesandrev eal
them tothesystem
owner.

Scri
ptkiddi
es:A non-
skil
l
ed per
son who
gai
nsaccesst ocomputersy
stemsusing
al
readymadetool
s.

Hackti
vi
st:Ahackerwhousehacki ngto
sendsoci
al,r
eli
gious,andpolit
ical
,etc.
messages.Thisisusuallydoneby
hij
acki
ngwebsitesandl eavi
ngthe
messageont hehij
ackedwebsi te.

Phreaker
:Ahackerwhoident
if
iesand
exploi
tsweaknessesi
ntel
ephonesinst
ead
ofcomputers.

Vishal Chavre
WhyEt
hicalHacki ng?
 Informat i
oni soneoft hemostv al
uabl
eassetsofanor ganizat
ion.Keeping
informat i
on secured can prot
ectan organi
zati
on’simage and sav e an
organi zat
ionalotofmoney .
 Ha ckingcanl eadtol ossofbusinessf
ororgani
zationsthatdealinfinance
such asPay Pal
.Et hi
calhacki
ng putsthem a step ahead oft he cyber
cri
mi nalswhowoul dother
wiseleadtol
ossofbusiness.

Legali
tyofEthicalHacking
Ethi
calHackingi slegali ft
he hackerabi des bythe rul
es sti
pul
atedas above.
TheI nternat
ionalCounci lofE-Commer ceConsul t
ants(EC-
Counci
l)provi
desa
cert
if
icati
onpr ogram thattest
sindi
vidual’
sskil
ls.Thosewhopasstheexaminati
on
areawar dedwi thcerti
ficat
es.Thecer t
if
icatesaresupposedtober enewedaft
er
somet i
me.

Fi
g.5.
2Penet
rat
ionTest
ingSt
ages

2U
5. nder
standi
ngt
heneedt
ohacky
ourownsy
stems

Tocat
chat
hief
,thi
nkl
i
keat
hief
.That
’st
hebasi
sforet
hical
hacki
ng.

Fir
ewal l
s, encrypt
ion,andv i
rtualpri
vatenetwor ks(VPNs)cancr eateaf alsefeeling
ofsafety.
Thesesecur it
ysy stemsof tenf ocusonhi gh-l
ev elvulnerabi
l
iti
es,suchasv ir
uses
andt r
afficthroughaf i
rewall
,withoutaff
ecti
nghowhacker swork.
Attacki
ngy ourownsy st
emst odi scovervulnerabil
i
tiesisast ept omaki ngt hem
mor esecur e.
Thisist heonl ypr ovenmet hodofgr eatl
yhar deningy oursystemsf rom attack.If
weaknessesar enoti denti
fi
ed,it’
samat t
eroft imebef orethev ulnerabil
it
iesar e
exploit
ed.

Ashacker
sexpandtheirknowl
edge,oneshouldal
sogai
ntherequi
redknowl
edge
ofi
t.Youmustthi
nklikethem t
oprotectyoursy
stemsf
rom t
hem.Ast heet
hical
hacker ,onemustknow activi
ti
eshackerscar
ryoutandhow tostoptheireff
orts.
Oneshoul dknowwhatt ol
ookforandhowt ousethati
nfor
mationt
ospoilhackers’
efforts.
Howev er,themor ecombinati
onsy outry— themorey outestwholesy st
ems
i
nst eadofi ndi
vi
dualuni
ts,t
hebetteryourchancesofdiscov
eri
ngvulnerabi
li
ti
es
thataf f
ectev er
ythi
ngasawhole.

Bui
l
dingt
heFoundat
ionf
orEt
hical
Hacki
ng

Oneshould notf orgetabouti nsi

dert hreatsfrom mal i
ciousemployees.One’s
over
all
goalsasanet hi
calhackershouldbeasf oll
ows:
 Hacky oursystemsinanon- destructi
vefashion.
 Enumer at
ev ul
nerabil
it
iesand,ifnecessary,provetouppermanagementt hat
vul
nerabil
it
iesexist.
 Appl
yr esul
tstor emovev ul
nerabil
it
iesandbet tersecureyoursy
stems.

3U
5. nder
standi
ngt
hedanger
syoursy
stemsf
ace

Systemsar egener all

yunderf irefrom hacker saroundt hewor l
d.I t
’sanothert o
under standspecifi
cat t
acksagai nstyoursy stemst hatarepossibl
e.
Therear esomewel l-
knownat tacks.Manyi nformation-
securit
yvulnerabi
l
iti
esaren’t
cri
ti
calbyt hemselves.Howev er,exploit
ingsev eralv ul
nerabi
li
ti
esatt hesamet ime
cant akei t
stoll
.
Forexampl e,adefaultWi ndowsOSconf igurati
on,aweakSQLSer veradminist
rator
passwor d,andaser verhost edonawi rel
essnet wor kmaynotbemaj orsecurity
concer nssepar at
ely.Butexpl oitingallt hreeoft hesev ulner
abil
i
t i
esatt hesame
ti
mecanbeaser i
ousi ssueas:
 Nont echnicalattacks
 Net work-i
nfrastructur eattacks
 Oper ati
ng-system at tacks
 Appl i
cati
onandot herspeci ali
zedat tacks

 Nont echnical attacks

Expl oit
sthati nvol vemani pulat i
ngpeopl eorenduser sandev eny ourselfaret he
great estvulnerabi l
i
tywi thinanycomput erornet wor kinfr
ast r
uctur
e.Humansar e
trustingbynat ure, whi chcanl eadt osocial-engineeringexploits.Socialengineering
i
sdef i
nedast heexpl oitati
onoft het rusti
ngnat ureofhumanbei ngst o gain
i
nf ormat i
onf ormal iciouspur poses.
Ot hercommonandef fecti
veat tacksagai nsti nf
ormat ionsy stemsar ephy sical.
Hacker sbreaki nt obui ldings,comput err ooms,orot herar eascont aini
ngcr i
tical
i
nf ormat i
onorpr operty .Physi calattackscani ncludedumpst erdiving( searching
throught rashcansanddumpst ersf orintel
lectualpr opert
y ,passwor ds,networ k
diagr ams,andot herinf ormat i
on) .
 Net work-
inf
rastruct
ureatt
acks
Hackerat
tacksagainstnetwor
kinfr
ast
ructur
escanbeeasy
,becausemany
net
workscanber eachedfrom any
whereintheworl
dvi
atheInt
ernet
.
 Vishal Chavre

Her
ear
esomeexampl esofnetwor k-
infrastructureattacks:
 Connect ingintoanetwor kthroughar oguemodem at t
achedt oacomput er
behindaf i
rewall
 Exploi
t i
ngweaknessesi nnet wor ktranspor tmechani sms, suchasTCP/ I
P
andNet BIOS.
 Floodinganet wor kwit
ht oomanyr equest s,creati
ngaDeni alofServi
ce
(DoS)f orlegit
imaterequests
 Instal
l
inganet workanalyzeronanet wor kandcapt ur
ingev erypacketthat
travel
sacr ossit,r
eveali
ngconf i
dentialinformationincleartext
 Piggybacki ngontoanet workt hroughani nsecurewi r
elessconfigurat
ion.

 Oper at
ing-syst
em attacksHacking
Operati
ng Sy stems (OSs)i s a pref
erred met hod oft he bad guys(hackers)
.
Operati
ngsy stemscompr i
seal argepor ti
onofhackerat t
ackssimpl ybecause
everycomput erhasoneandsomanywel l-
knownexpl oi
tscanbeusedagai nst
them.
Occasional
ly,someoper atingsyst
emst hataremor esecureoutofthebox, suchas
NovellNetWar eandthef lavor’
sofBSDUNI Xar eat t
acked,andv ul
nerabi
lit
iesturn
up.
Buthackerspr eferat
tackingoper at
ingsy st
emsl i
keWi ndowsandLi nuxbecause
theyarewidelyusedandbet t
erknownf ortheirv
ulnerabil
iti
es.
Her
ear esomeexampl esofattacksonoperatingsy
stems:
 Exploit
ingspeci
fi
cprotocolimplementat
ions
 Attackingbui
lt
-i
nauthenti
cationsyst
ems
 Breakingfi
le-
syst
em securi
ty
 Crackingpasswordsandencr ypti
onmechanisms

 Applicati
onandot herspeci al
izedat t
acks
Applicati
onstakeal otofhi tsbyhacker s.Pr ogramssuchase- mailserver
softwareandWebappl icationsof t
enarebeat endown:
 Hy pert
extTr ansf erPr otocol( HTTP)and Si mple MailTr ansf
erPr otocol
(SMTP)appl icationsar ef requentl
yat t
ackedbecausemostf i
rewall
sand
othersecur it
ymechani smsar econf iguredt oallow fullaccesstot hese
programsf rom t heInternet.
 Mal ici
oussof t
war e(mal war e)incl
udesv i
ruses,worms,Tr ojanhorses,and
spy ware.Malwar eclogsnet worksandt akesdownsy stems.
 Spam ( junke- mai l
)iswr eakinghav oconsy stem avai
labi
lit
yandst orage
space.Andi tcancar r
ymal ware.Ethicalhacki nghelpsrevealsuchat t
acks
againstcomput ersystems.

4.
5. Obey
ingt
heEt
hical
Hacki
ngCommandment
s

Everyet
hical
hackermustabi
debyaf
ewbasi
ccommandment
s.I
fnot
,bad
thi
ngscanhappen.
 Wor ki
ngethicall
y
Thewor dethi
cali nthi
scont extcanbedef i
nedaswor kingwi t
hhighpr ofessi
onal
moralsandprincipl
es.Whi l
eperformi
ngethicalhacki
ngtestsagainstownsy st
ems
orforsomeonewhohashi r
edf or
,ev
eryt
hingoneneedt odoasanet hicalhacker
mustbeabov eboar dandmustsuppor tthecompany ’
sgoal s.Nohiddenagendas
areal
lowed.Trustwor t
hinessistheul
ti
mat epri
ncipl
e.Themi suseofinformat i
onis
absol
utelyf
orbidden.That’swhatthebadguy sorhackersdo.

 Respect i
ngprivacy
Treatt hei nfor
mat i
ongat heredwi t
ht hegreatestr espect.Allinformati
onobt ai
ned
duringt estingfrom Web- appli
cati
onl ogfi
lestocl ear-t
extpasswor dsmustbekept
pri
v at
e.Thi sinformationshal lnotbeusedt owat chi ntoconf ident
ialcorpor
ate
i
nfor mat i
onorpr i
vateliv
es.Ify ousenseorf eelthatsomeoneshoul dknowt here’
s
apr oblem, considersharingthatinformati
onwi ththeappr opriatemanager .
I
nv olveot hersinprocess.Thi sisa“ watchthewat cher”sy st
em t hatcanbuildtr
ust
andsuppor tet
hicalhackingproject
s.

 Notcr ashi ngyoursy stems

Oneoft hebi ggestmi stakesseenwhenpeopl et r
yt ohackt heirownsy stemsi s
i
nadv ertentlycr ashi
ngt heirsy stems.Themai nreasonf orthisi spoorpl anning.
Theset est ershav enotr eadt hedocument ationormi sunderst andtheusageand
poweroft hesecur it
yt oolsandt echni ques.
DoS- DenialofSer vi
cecondi tionsont hesy stemsar eeasilycr eatedwhent esti
ng.
Runni ngt oomanyt estst ooqui cklyonasy stem causesmanysy st
em l ockups.
Thingsshoul dnotber ushedandassumedt hatanet wor korspeci fichostcan
handl ethebeat ingthatnet wor kscanner sandv ulnerabi
lityassessmentt oolscan
beusel ess.
Manysecur it
y -
assessmentt oolscancont rolhow manyt estsar eperformedona
system att hesamet i
me.Theset oolsar eespeciallyhandyi foneneedst or unt he
testsonpr oduct i
onsystemsdur ingr egularbusinesshour s.Onecanev encr eatean
accountorsy stem lockoutcondi t
ionbysoci alengineering,changi ngapasswor d,
notrealizi
ngt hatdoingsomi ghtcr eateasy stem lockoutcondi tion.

5T
5. heEt
hical
Hacki
ngPr
ocess

Likepract
icall
yanyI Torsecuri
typr
oject
,ethi
calhacki
ngneedst
obepl annedin
advance.
.Planni
ngisimpor t
antforanyamountoftesti
ngfr
om asimpl
epasswor
d-cracki
ng
testtoanall
-outpenetr
ati
ontestonaWebappl i
cat
ion.

 For mulati
ngy ourpl
an
Approvalf
orethicalhacki
ngisessential
.Whatisbeingdoneshoul dbeknownand
vi
sibl
eatleasttot hedeci
sionmakers.Obtai
ningsponsor shipoftheprojectist
he
fi
rstst
ep.Thiscoul dbethemanager,anexecutive,acust omer,orevent heboss.
Someonei sneededt obackupandsi gnoffonthepl an.Otherwi
se,test
ingmaybe
call
edoffunexpectedl
yifsomeoneclaimstheyneveraut hori
zedonetoper for
mthe

Vishal Chavre
 t
est
s.
Theaut horizati
oncanbeassi mpleasani nt ernalmemof rom thesenior
-mostpersonor
bossi fonei sperf or
mingt hesetest
sonownsy stems.I fthetestingi
sforacust omer,
one shoul d hav e a signed contr
acti n place,st ati
ng t he customer
’s suppor
tand
authorization.Getwr i
tt
enappr ovalont hi
ssponsor shi
passoonaspossi bletoensure
thatnoneoft hetimeoref forti
swast ed.Thi sdocument ationwor ksasapr oofaswhat
oneisdoi ngwhensomeoneasksordemands.
Adet ai
ledpl anisneeded,butt hatdoesn’ tmeant hatitneedsv ol
umesoft esti
ng
procedur es.Onesl ipcancrashyoursy stems.

Awel
l
-def i
nedscopei ncl udest hef ollowinginformat i
on:
 Speci ficsystemst obet ested
 Ri skst hatareinv olv ed
 Whent hetestsar eper formedandy ouroverall t
imeli
ne
 Howt hetestsareper f
ormed
 Howmuchknowl edgeoft hesy st
emsy ouhav ebef or
ey oustarttest
ing
 Whati sdonewhenamaj orv ulnerabil
i
tyisdiscov ered
 Thespeci fi
cdel iver ables—t hisincludessecur ity
-assessmentr eportsanda
higher -levelrepor tout li
ningt hegener alv ulnerabi
li
tiestobeaddr essed,
alongwi thcount ermeasur est hatshoul dbeimpl ement ed.
 Whensel ect
ingsy stemst ot est,startwitht hemostcr i
ti
calorv ulnerabl
e
syst ems.
Thehacker sar en’ thacki ng t hesy stemswi thinal imi
ted scope.Some
except i
onst ot hisappr oachar eper f
ormingDoS,soci alengineeri
ng,and
phy sical-
securit
yt ests.

Oneshoul dnotstopwithonesecur
it
yhole.Thi
scanleadtoaf al
sesenseof
secur
ity.Oneshouldkeepgoingtoseewhatel sehe/shecandiscover.I
t’
s
notli
ket okeephackingunti
ltheendoftimeoruntilonecrashallhi
s/her
syst
ems.Si mplypursuethepathhe/sheisgoingdownuntilhe//shecan’
t
hackitanylonger
.
Oneoft hegoalsmaybet operf
ormthetestswithoutbeingdet
ected.
Forexample,onemaybeper f
orminghi
s/hertestsonr emotesystemsoron
aremot eoff
ice,andhe/shedoesn’
twanttheuserst obeawareofwhatt hey
aredoing.Otherwise,t
heusersmaybeont ohim/ herandbeont hei
rbest
behavi
our.

Extensi
veknowl
edgeoft hesy
stemsisnotneededfort
est
ing.Justabasi
c
underst
andi
ngisrequi
redtopr
otectt
hetest
edsystems.

 Sel
ect
ingt
ool
s

Ifonedon’thavetheri
ghttool
sforethicalhacki
ng,t
oaccompl
i
shthetaski
s
effect
ivel
y dif
fi
cult
.justusi ng the righttool
s doesn’
tmean thatall
vulner
abil
it
ieswil
lbediscover
ed.
Knowt hepersonalandtechni
call
imit
ations.
Vishal Chavre
 Manysecur i
ty-assessmentt ools gener at
ef al
se posi ti
ves and negat i
v es
(i
ncor r
ectlyident if
yingv ul
ner abil
iti
es) .Somet oolsmaymi ssv ulnerabil
it
ies.
Manyt oolsfocusonspeci f i
ct ests,butnoonet oolcant estf orev ery
thing.
Thisiswhyasetofspeci f
ict oolsar er equiredt hatcancal lonf orthet askat
hand.Themor ear et het ools, theeasi eret hicalhackingef fort
sar e.
Makesur et her ighttool isbei ngusedf orthet ask:
 Tocr ackpasswor ds,oneneedsacr ackingt ool suchasLC4, Johnt heRipper ,
orpwdump.
Agener alportscanner ,suchasSuper Scan, maynotcr ackpasswor ds.
 Forani n-dept hanal ysisofaWebappl icat i
on,aWeb- appli
cationassessment
tool(suchasWhi skerorWebI nspect )i smor eappr opriatethananet wor k
analyzer(suchasEt hereal).
Whensel ectingt her ightsecur it
yt oolf orthet ask,askar ound.Getadv ice
from thecol leaguesandf rom ot herpeopl eonl ine.Asi mpl eGr oupssear ch
on Googl e( www. googl e.com)orper usalofsecur i
ty por tal
s,such as
SecurityFocus. com, Sear chSecur ity.com, andI Tsecurit
y.com, oftenpr oduces
greatfeedbackf r
om ot hersecur i
tyexper ts.
Someoft hewi delyusedcommer cial,freewar e,andopen- sour cesecur it
yt ool
s:
 Nmap
 Et herPeek
 Super Scan
 Qual ysGuar d
 WebI nspect
 LC4( for merlycal l
edL0pht cr ack)
 LANguar dNet wor kSecur ityScanner
 Net wor kStumbl er
 ToneLoc
Her
earesomeot herpopul
art
ool
s:
 Int
ernetScanner
 Ethereal
 Nessus
 Ni kto
 Kismet
 THC- Scan
Thecapabili
ti
esofmanysecur i
tyandhackingt ool
sareoft
enmisunder stood.
Thismisunderstandinghasshednegat i
v elightonsomeexcel lentt ools,
suchasSATAN ( Securi
tyAdminist
rat
orToolf orAnal
ysi
ngNetwor ks)and
Nmap( Networkmapper )
.
Someoft heset oolsarecomplex.Whichev ertoolsarebei
ngused,one
shoul
dbef amili
arizedwi
ththem bef
orestart
ingt ouset
hem.

Her
ear
eway st odothat:
 Readt hereadmeand/oronli
nehelpfi
lesfort
ools.
 Studytheuser’
sguideforcommer ci
altool
s.
 Considerformalcl
assr
oom trai
ningfr
om thesecur
ity
-tool
vendoror
 Vishal Chavre

anotherthir
d-partytr
ainingprovider,i
fav ail
abl
e.
 Oneshoul dLookf orthesechar acteri
sticsintool
sforethi
calhacking:
 Adequatedocument ati
on.
 Detail
edr eportsont hediscoveredv ulnerabi
li
ti
es,i
ncl
udinghowt hey
maybeexpl oi
tedandf ixed.
 Updatesandsuppor twhenneeded.
 High-l
evelreportsthatcanbepr esentedt omanagersornon-t
echiet y
pes.
 Thesef eaturescansav eti
meandef fortwhenwr i
ti
ngthereport.
 Execut ingthepl an
Et hicalhackingcant akepersi
stence.Timeandpat iencearei mpor t
ant.One
shoul d be car efulwhen per forming ethicalhacki ng tests.A hackeri n
networ koraseemi nglygentl
eempl oyeel ookingov erone’sshoul dermay
wat chwhat ’sgoi ngon.Thispersoncoul duset hisinformationagai nsttester
.
It
’snotpr acti
calt omakesur et hatnohacker sar eonone’ ssy st
emsbef ore
starting.Justonehast omakesur etokeepev erythingasqui etandpr i
vate
aspossi bl
e.Thisi sespecial
lycrit
ical
whent r
ansmi ttingandst ori
ngownt est
results.Ifpossi ble,oneshouldencr yptthesee- mai l
sandf i
lesusingPr etty
GoodPr i
vacy(PGP)orsomet hingsimilar.Atami nimum,passwor d-
protect
them.
I
nani nvestigati
onmi ssion, attachasmuchi nformat i
onaspossibleabout
theorgani zati
onandsy stems, whi chiswhatmal ici
oushackersdo.
Startwithabr oadv iewandnar rowdownt hef ocus:
1.Sear chtheI nternetforownor ganizati
on’sname, computerandnet work
system names, andt heI Paddr esses.
Googl eisagr eatplacet ost artforthis.
2.Nar r
owt hescope, t
ar getingt hespeci fi
csy stemst obetestedorbei ng
tested.Whet herphy sical-secur it
ystructuresorWebappl icati
ons, a
casual assessmentcant ur nupmuchi nformat i
onaboutthesy stems.
3.Fur t
hernar rowdownf ocuswi thamor ecriti
caleye.Per
form actual
scansandot herdet ailedt estsont hesy stems.
4.Per
for
mtheat
tacks,
ift
hat
’swhatonechooset
odo.
 Evaluatingresults
Assesst her esultst oseewhathasbeenuncov er
ed,assumi ngt hatthe
vulnerabil
it
ies hav en’tbeen made obv ious before now.Thi si s where
knowl edge count s.Ev al
uati
ng the result
s and cor rel
ati
ng the specifi
c
vulnerabil
it
iesdi scov eredisaski l
lthatgetsbetterwit
hexper i
ence.Onewi ll
endupknowi nghi s/herownsy stemsaswel lasanyoneelse.Thismakest he
evaluationprocessmuchsi mplermov i
ngforward.
Submi taf ormalr epor tt ouppermanagementort othecustomer ,outl
i
ning
result
s.Keept heseot herpar t
iesintheloopt oshow t hateff
ortsandt hei
r
moneyar ewel lspent .

 Movingon
Whenf i
nishedwit
het
hicalhacki
ngt
est
s,onesti
l
lneedtoimpl
ementhis/her
anal
ysi
sandr ecommendati
onstomakesuret
hatthesy
stemsaresecure.
 New secur i
tyv ul
ner abi
li
ti
es cont i
nual
ly appear.Inf
ormati
on sy stems
constant
lychangeandbecomemor ecomplex.New hackerexploi
tsand
securi
tyvul
nerabili
tiesar eregul
arlyuncov
ered.Securi
tyt
estsar
easnapshot
ofthesecuri
typost ur eofthesystems.
Atanyt ime,ev erythingcanchange,especi al
lyaftersof
twareupgr ades,
addingcomput ersy stems,orappl yi
ngpatches.Plantotestregul
arl
y( for
example,onceaweekoronceamont h).

6C
5. r
acki
ngt
heHackerMi
ndset
Knowi
ngwhathacker sandmali
cioususer
swanthelpsunderst
andhowtheywor
k.
Under
standinghowt heyworkhel
pstolookatyouri
nformat
ionsy st
emsi
nawhole
newway .Thisunder
standi
ngbett
erprepar
esforet
hical
hacki
ngt est
s.

 WhatYou’
reUpAgai
nst

Hacker scanbecl assi f

iedbybot ht heirabili
ti
esandt heirunder l
yingmot ivati
ons.
Somear eski l
led,andt heirmot ivati
onsar ebenign;t hey’r
emer el
yseeki ngmor e
knowl edge.Att heot herendoft hespect rum,hacker swi t
hmal i
ciousi ntentseek
somef orm ofper sonalgai n.Unf ortunately
, t
henegat iveaspect sofhacki ngusual ly
overshadowt heposi tiveaspect sandpr omot ethenegat ivestereotypes.
Hacker shacked f ort hepur suitofknowl edgeand t het hril
loft hechal l
enge.
Hacker sseewhatot her sof t
enov erl
ook.Theywonderwhatwoul dhappeni facabl e
wasunpl ugged,aswi tchwasf li
pped,orl i
nesofcodewer echangedi napr ogr am.
Theseol d-schoolhacker smatt hinkt heycani mproveel ectroni
candmechani cal
devicesby“ r
ewiri
ngt hem. ”Mor er ecentev idenceshowst hatmanyhacker smay
al
sohackf orpoliti
cal,soci al,compet i
tiv
e,andev enf inancialpurposes,sot i
mes
arechangi ng.
Hacker swhoper form mal i
ciousact sdon’ treall
ythinkaboutt hef actt hathuman
beingsar ebehi ndt hef i
rewal l
s,wi rel
essnet works,andwebappl icationst hey’r
e
att
acki ng.Theyi gnor et hatt heiract ions of t
en affectt hose human bei ngs in
negativeway s,suchasputi ndangert heirjobsecur i
tyandput ti
ngt heirpersonal
safetyatr i
sk.
Thesepeopl edon’ thacki nt hewaypeopl enor mallysuppose.I nstead,theyr oot
aroundi nfil
esonser vershar es;pr obei nt odat abasest heyknowt heyshoul dn’tbe
i
n;andsomet imesst eal,modi f
y,anddel etesensi t
ivei nfor
mat i
ont owhi cht hey
hav eaccess.Thi sbehav i
ouri soft env eryhar dt odet ect.Thi sacti
vit
yiscont inued
i
ft heseuserspassedt heircri
mi nalbackgr oundandcr editchecksbef or
et heywer e
hi
red.Pastbehav i
ouri sof t
ent hebestpr edi ct
oroff utur
ebehav i
our,butj ust
because someone has a cl ean r ecor d and aut horizati
on to access sensi tive
systemsdoesn’ tmeanheorshewon’ tdoany t
hi ngbad.Cr i
minalsmayhav etost art
fr
om somewher e.
As negat i
ve as br eaking int o comput ersy stems of ten can be,hacker s and
mal i
cioususer splaykeyr olesi ntheadv ancementoft echnology.I
nawor l
dwi thout
hacker s,odds ar e good t hatt he l at esti ntrusion pr eventi
on technology,dat a
l
eakagepr otection,orv ulnerabili
tyscanni ngt ool swoul dnotexist.Suchawor ld
maynotbebad,butt echnologydoeskeepsecur it
yprofessi
onalsemployedand
keepthefi
eldmov i
ngf orward.Unfortunatel
y,thetechni
calsecur
itysol
uti
onscan’t
ward offallmalicious attacks and unaut hori
zed use because hackers and
(someti
mes)malicioususer sar eusual l
yaf ew stepsaheadoft hetechnology
desi
gnedtoprot
ectagai nsttheirdi
sobedientacti
ons.
Howev erwhent hester
eoty
picalhackerormal i
cioususerisbeingv i
ewed,
onethi
ng
i
s cer tai
n:Somebody wi l
lal wayst ryt ot ake down comput ersyst
ems and
compr omise i
nformati
on bypoki ng and prodding wher e he orshe shoul
dn’
t,
throughdenialofservi
ceattacksorbycr eat
ingandl aunchingmal war
e.Onemust
taketheappropriat
estepstoprotecthi
s/hersy st
emsagai nstthi
skindofi
ntr
usi
on.

 Thi nki
ngl i
ket hebadguy s
Malici
ousat tacker sof tent hinkandwor kj ustl i
ket hieves,kidnapper
s,andot her
organized criminalsy ou hearabouti nt he news ev eryday .The smar tones
constantl
ydev ise way st of l
yundert he r adarand expl oiteven the smal l
est
weaknessest hatl eadt hem t ot heirtarget .Thef ollowingar eexamplesofhow
hackersandmal i
cioususer sthinkandwor k:
 Ev adingani nt r
usionpr eventionsy stem bychangi ngthei
rMACaddr ess
orI Paddr essev eryfew mi nut est ogetf urtherintoanet workwi thout
beingcompl et el
ybl ocked
 Expl oit
ingaphy sicalsecur i
tyweaknessbybei ngawar eofof f
icest hat
haveal readybeencl eanedbyt hecl eaningcr ewandar eunoccupied( and
thuseasyt oaccesswi thlitt
lechanceofget t
ingcaught )
,whichmi ghtbe
madeobv iousby ,forinstance,t hef actthatt heofficebli
ndsareopened
andt hecur t
ainsar epul l
edshuti ntheear lymor ning

 By passingwebaccesscont rolsbychangingamal i
cioussi te’sURLt oits
dotted deci malI P addr ess equi val
ent and t hen conv er
ti
ng i tt o
hexadeci mal forusei nt hewebbr owser
 Usi ngunaut hor i
zedsof twar et hatwouldot herwi sebebl ockedatt he
fi
rewal lbychangi ngt hedef aultTCPpor tthatitrunson
 Set ti
ngupawi rel
ess“ ev i
lt win”nearal ocalWi -
Fihot spott oent ice
unsuspect ing I nternet sur fers ontoar ogue net wor k wher et heir
i
nfor mat i
oncanbecapt uredandeasi l
ymani pulated
 Usi nganov erlytrusti
ngcol league’suserIDandpasswor dtogai naccess
tosensi tiv
ei nf ormationt hatwoul dot herwisebehi ghlyimpr obablet o
obtain
 Unpl ugging the powercor d orEt hernetconnect ion to a net worked
secur i
tycamer athatmoni tor saccesst ot hecomput err oom orot her
sensi t
iveareasandsubsequent lygai
ningunmoni t
or edaccess
 Performi ngSQLi nj
ectionorpasswor d crackingagai nstawebsi t
ev iaa
neighbor ’
sunpr otectedwi relessnetwor kinor dert ohi det hemal ici
ous
user’sowni dent i
ty

 WhoBr eaksi
ntoComput
erSyst
ems
Inawor l
dofbl ackandwhit
e,descr
ibingthetypi
calhackeri
seasy.A general
ster
eot
ypeofahackeri sanant
isoci
al,unpl
easantmind-
setper
sonal
i
ty.Butthe
Vishal Chavre
 wor l
dhasmanyshadesofgr ayandmanyt y
pesofhacker s.Hacker sar euni que
i
ndiv i
dual s,soanexactpr ofilei shar dtoout line.Thebestbr oaddescr ipti
onof
hacker si st hatal lhacker sar en’tequal.Eachhackerhashi sorherownuni que
mot ives, met hods, andski ll
s.Hackerski l
llevelsf allintot hreegener al categor i
es:
 Scriptki ddies:Thesear ecomput erbegi nner swhot akeadv antageoft hehacker
tools,v ulnerabili
tyscanner s,anddocument ationav ail
abl efreeont heI nternetbut
whodon’ thav eanyr ealknowl edgeofwhat ’sr eallygoi ngonbehi ndt hescenes.
Theyknow j ustenought ocauseheadachesbutt ypicallyar ev erysl oppyi nthei
r
actions, l
eav ingal lsortsofdi gitalfi
ngerprintsbehi nd.
 Criminalhacker s:Thesear eski l
ledcr i
mi nalexper tsandnat ionst ateswhowr i
te
someoft hehacki ngt ools, includingt hescr iptsandot herpr ogramst hatt hescr i
pt
kiddiesandet hicalhacker suse.Thesepeopl eal sowr i
tesuchmal war easv i
ruses
andwor ms.Theycanbr eaki nt osy stemsandcov ertheirt r
acks.
Adv ancedhacker sar eof tenmember sofcol lectivest hatpr efertor emai nnamel ess.
Thesehacker sar ev er ysecr etiveandshar ei nformat ionwi tht heirsubor di
nates
onlywhen t heyar edeemed wor thy.Ty pically,f orlower -
ranked hacker st o be
consi dered wor t
hy ,t hey mustpossess some uni que i nformat i
on or pr ove
themsel vesthr oughahi gh-pr of i
lehack.

Thesehackersar epossi bl
ysomeoft heworstenemi esini
nformati
onsecur i
ty.
 Secur it
yr esearchers:Theseuber-hackersarehighl
ytechnicalandpublicl
y
knownI Tpr of essi
onalswhonotonl ymoni t
orandt r
ackcomput er
,network,
andappl i
cationv ul
nerabil
i
tiesbutal sowrit
et hetoolsandot hercodet o
exploitthem.I ftheseguysdi dn’
texist,
ethi
calhackerswouldn’thavemuch
inthewayofopensour ceandev encer t
aincommer cialsecuri
ty-
test
ing
tools.
Therearegood-
guy(whi
tehat
)andbad-guy(bl
ackhat )hacker
s.Gr
ayhat
hacker
sareal i
tt
lebi
tofboth.Ther
earealsoblue-hathackerswhoare
i
nvit
edbysoftwar
evendor
stofi
ndsecur
ityf
lawsintheirsyst
ems.
Ar ecentst udyatt heBl ackHatsecur it
yconf erencef oundt hatev erydayI T
prof essionalsev enengagei nmal ici
ousandcr iminal acti
vi
tyagai nstother s.
Andpeopl ewonderwhyI Tdoesn’ tgett her especti tdeserves?Per haps
thisgr oupwi l
lev olvei ntoaf our t
hgener alcat egoryofhacker sint he
comi ngy ears.
Per hapsmor ei mpor t
antt hanahacker ’sskil
llevelishisorhermot i
vati
on.
 Hackt i
v i
ststryt odi st
ributepol it
icalorsoci almessagest hrought heirwor k.
A hackt i
vistwant st or aise publ ic awar eness ofan i ssue.I n many
situat i
ons,cr i
mi nalhacker swi l
lt r
yt ot aket heper sondowni fhe/ she
ex pressesav iewt hat’scont raryt otheirs.Exampl esofhackt i
vism include
messagesaboutl egal i
zingdrugs, protestsagainstt hewari nIraq, pr
otest s
cent eredar oundweal thenv yandbi gcor porati
ons,andj ustaboutany
othersoci alandpol it
ical i
ssues.
 Cy ber -
terrori
st s( both or gani zed and unor ganized)at t
ack gov er
nment
comput ersorpubl i
cut ili
tyinf r
ast r
uctures,suchaspowergr i
dsandai r-
traffic cont rolt ower s.Theycr ash cr it
icalsy stems orst ealcl assified
gov ernmenti nformat i
on.Count riest aket hethreatst hesecy ber-ter
rorist s
 poseso ser i
ousl ythatmanymandat einformationsecur itycont r
olsi n
crucialindustries,suchast hepoweri ndustry,t
opr otectessentialsystems
againstt heseat tacks.
 Hacker sf orhirear epartoforganizedcr i
meont heI nternet
.Manyoft hese
hacker shi r
eoutt hemsel v
esort heirbot netsformoneyandl otsofit.
Thesecriminalhacker sar einthemi nori
ty.Li
ket hespam ki ngsoft hewor l
d, many
ofthewickedact sfrom member sofcol l
ectivest hatprefertoremai nnamel essar e
carr
iedoutbyasmal lnumberofcr iminal
s.Manyot herhacker sjustlovet otinker
andonl yseekknowl edgeofhow comput ersy st
emswor k.Oneoft hegr eatest
thr
eatswor ksinsi depremi sesandhasanaccessbadget othebui l
dingandav al
id
networkaccount ,sodon’ tdiscounttheinsidert hreat.

 WhyTheyDoI t?
Reasons:
 Hackingi sacasualhobbyf orsomehacker s.Theyhackj usttoseewhat
theycanandcan’ tbr eakinto,usuall
ytesti
ngonl ytheirownsy stems.
 Manyhacker sgetaki ckoutofout smarti
ngcor porateandgov ernmentIT
andsecur it
yadmi nistr
ators.Theyt hri
veonmaki ngheadl i
nesandbei ng
notori
ouscy berout laws.
 Hacker sof ten pr omot ei ndivi
duali
sm oratl eastt hedecent r
alizat
ion of
i
nformat ionbecausemanybel i
evethatalli
nfor mat i
onshoul dbef ree.
 Theyt hinkcy ber-
at tacksar edif
ferentfr
om at tacksi ntherealwor l
d.Hacker s
mayeasi l
yi gnoreormi sunderstandtheirvictimsandt heconsequencesof
hacking.
 Theydon’ tthinkl ong- t
erm aboutt hechoi cest hey’r
emaki ngt oday .Many
hackerssayt heydon’ tintendt ohar m orpr ofitthrought hei
rbaddeeds,a
beli
eft hathelpst hem j usti
fytheirwork.
 Some common mot ives ar er ev enge,basi c br agging r ights,cur iosity,
bor edom,chal l
enge,v andal i
sm,t hef tforf inancialgai n,sabot age,bl ackmai l,
ext orti
on,corpor atei ntelli
gence, andj ustgener allyspeaki ngoutagai nst“ the
man. ”Hacker sr egul ar l
yci tet hesemot i
v est oexpl aint heirbehav i
or,but
thesemot ivati
onst endt obeci tedmor ecommonl ydur i
ngdi ffi
culteconomi c
condi ti
ons.
 Manybusi nessowner sandmanager s— ev ensomenet wor kandsecur it
y
admi ni
str
at or
sbel i
ev et hatt heydon’ thav eany thingt hatahackerwant sor
thathacker scan’ tdomuchdamagei ft heybr eaki n.Thisi ndiff
erentki ndof
thinkinghel pssuppor tthebadguy sandpr omot ethei robjectives.
 Hacker scancompr omi seaseemi nglyuni mpor t
antsy st
em t oaccesst he
net workandusei tasal aunchi ngpadf orat tacksonot hersy st
ems,and
manypeopl ewoul dbenonet hewi serbecauset heydon’ thav et hepr oper
cont rolstoprev entanddet ectmal icioususe.
 Hacker softenhackj ustbecauset heycan.Somehacker sgof orhigh- profil
e
sy stems, buthacki ngi ntoany one’ ssy stem hel pst hem f itintohackerci r
cles.
Hacker sexploitmanypeopl e’sf alsesenseofsecur it
yandgof oral mostany
sy stem theyt hinkt heycancompr omi se.El ectroni cinformat ioncanbei n
mor ethanonepl aceatt hesamet ime, soi fhacker smer el
ycopyi nformat ion
from t hesy stemst he ybr eaki nt
Vishal Chavre
o,it’stought opr ovet hathacker spossess
 t
hati
nfor
mat
ion.

Comput eropeni ngscont inuet ogeteasi ertoexecut ey ethardert opr eventf or

severalreasons:
 Wi despr eaduseofnet wor ksandI nternetconnect ivi
ty
 Anony mi t
ypr ovidedbycomput ersy stemswor kingov ert heI nternetand
oftenont hei nternal network( because, eff
ectively,
loggingandespeci all
y
l
ogmoni t
ori
ngr arelytakesplace)
 Gr eaternumberandav ai
labil
it
yofhacki ngtools
 Lar genumberofopenwi r
elessnet wor ksthathel phacker scov erthei rtracks
 Gr eatercompl exityandsi zeoft hecodebasei ntheappl icat i
onsand
dat abasesbei ngdev el
opedt oday
 Comput er-
sav vychi l
dren
 Unl i
kelihoodt hatat tackerswi llbei nvest i
gatedorpr osecut edi fcaught
Amal ici oushackeronl yneedst ofindonesecur i
tyholewher easI Tpr ofessi onal
s
andbusi nessowner smustf indandbl ockt hem al l
.
Althoughmanyat tacksgounnot i
cedorunr eported,criminalswhoar ediscov er
ed
are of ten notpur sued orpr osecut ed.When t hey’r
e caught ,hacker s of t
en
rati
onal i
zet heirser vicesasbei ngunsel fishandabenef i
tt osoci ety :They ’r
e
mer el
ypoi nti
ngoutv ulnerabili
ti
esbef or esomeoneel sedoes.
Thesamegoesf ormalici
oususer s.Typicall
y,theirtroublesgounnot i
ced,butif
they’ret r
apped,t he securi
ty breach may be keptsecr etint he name of
shar ehol
derv al
ueornotwant ingt odisturbanycust omerorbusi nesspar t
ner.
Howev er,recentinformati
on secur i
ty and pr i
vacy l aws and regulat
ions are
changi ng this because i
n mostsi tuations br each not i
fi
cat
ion isr equi
red.
Somet i
mes,t heper sonisfir
edoraskedt or esign.Al t
houghpubl i
ccasesof
i
nt ernalbreachesar ebecomi ngmor ecommon,t hesecasesdon’ tgiveaf ul
l
pictureofwhat ’
sreallyt
aki
ngpl aceintheav erageor ganizati
on.

Hacki nginthenameofl i
berty?
Manyhacker sexhibitbehav ioursthatcont radictthei
rst at
edpur poses.Theyf ight
forcivill
iber
tiesandwantt obel eftalone,whi l
eatt hesamet i
me, theylov eprying
i
nt othebusinessofot hersandcont roll
ingt hem inanywaypossi ble.
Manyhacker scallthemsel vescivill
ibert
ariansandcl aimt osuppor tthepr i
nciples
ofper sonalpr i
vacy and f reedom.Howev er,they cont r
adictt hei
rwor ds by
i
nt r
udi ngont heprivacyandpr opert
yofot hers.Theyof t
enst ealthepr opertyand
violat
et herightsofot hers,butar ewill
ingt ogot ogr eatlengthst ogett heirown
ri
ght sbackf rom anyonewhot hreatenst hem.
This appl i
es to ext ernalhacks,i nternalbr eaches,and ev en somet hing as
seemi nglygentleasal ostmobi l
edev i
ceorbackupt apes.

 Pl
anningandPer for
mi ngAtt
acks
At
tackstylesvarywidely:
 Somehacker spreparefari
nadvanceofanat
tack.Theygathersmal
l
bi
tsofi nfor
mat i
onandmet hodi
cal
lycar
ryouttheirhacks.These
hacker
sar ethemostdiffi
cul
ttotr
ack.

Vishal Chavre
  Ot herhacker s—usual lythei nexper i
encedscr iptkiddies—actbef ore
theyt hinkt hrought heconsequences.Suchhacker smayt ry,for
exampl e, totelnetdi r
ect l
yi ntoanor gani zati
on’srout erwi thouthi ding
theirident iti
es.Ot herhacker smayt ryt olaunchaDoSat tackagai nst
aMi crosof tExchangeser verwi t
houtf ir
stdet erminingt hev ersionof
Exchangeort hepat chest hatar ei nst al
led.Thesehacker susual l
yar e
caught .
 Mal ici
oususer sar eal lov erthemap.Somecanbequi tesav vybased
ont hei rknowl edgeoft henet wor kandofhowI Toper atesi nsi det he
organi zat i
on.
Many oft he hacker s,especi ally adv anced hacker s don’ tshar e
informat i
onwi tht hecr owd.Mosthacker sdomuchoft heirwor k
independent l
yi nordert or emai nanony mous.
Hackers who net wor k with one anot heruse pr ivate message boar ds,
anonymouse-mai laddr esses,hackerwebsi tes,andI nternetRel ayChat
(I
RC).Onecanl ogi nt omanyoft hesesi t
est oseewhathacker sar edoi ng.
Foll
owingar et heaspect sofr eal-wor ldsecur it
y:
 Themaj orityofcomput ersy stemsar en’tmanagedpr oper l
y .The
comput ersy stemsar en’tpr operlypat ched,har dened,ormoni tored.
Attacker scanof tenf lybel ow t her adaroft heav eragef irewal l
,an
Intrusionpr eventionsy stem ( IPS) ,oranaccesscont rolsy stem.Thi s
isespeci allyt ruef ormal i
cioususer swhoseact ionsar eof t
ennot
moni t
or edatal lwhi l
e,att hesamet i
me,t heyhav ef ullaccesst ot he
varyenv ironmentt heycanex pl
oit.

 Mostnet wor kandsecur i

tyadmi ni
stratorssi mplycan’ tkeepupwi th
thedel ugeofnewv ulnerabi l
iti
esandat t
ackmet hods.Thesepeopl e
oftenhav et oomanyt askst ost ayont opofandt oomanyot herf i
res
toputout .Net wor kandsecur ityadmi nist r
atorsmayal sof ai
lt o
not i
ce or r espond t o secur ity ev ents because of poor t ime
managementandgoal setti
ng, butt hat’
sf oranot herdiscussion.
 I nformationsy stemsgr ow mor ecompl exev eryy ear.Thisi sy et
anot herreasonwhyov erbur denedadmi nist r
atorsf i
ndi tdiff
icul
tt o
knowwhat ’
shappeni ngacr osst hewi r
eandont hehar ddriv
esofal l
theirsystems.Mobi ledev i
cessuchasl apt ops,tablets,andphones
aremaki ngt hingsexponent iall
ywor se.
Timeisanat t
acker ’sfri
endandi t ’
sal mostal way sonhi sorhersi de.By
att
acking through comput ersr athert han in per son,hacker shav emor e
contr
ol overthet i
mi ngfort heirattacks:
 At tackscanbecar r
iedoutsl owl y ,makingt hem har dt odetect.
 At tacksar ef requent l
ycar riedoutaf tertypicalbusi nesshour s,often
int hemi ddleoft heni ght,andf rom home,i nthecaseofmal i
cious
user s.
Ifonewant sdet ai
ledi nformat iononhow somehacker swor korwantt o
keep up wi tht he latesthackermet hods,sev eralmagazi nes are wor th
checki
ngout :
 2600—TheHackerQuar terlymagazi ne
  Magazi ne
 Hacki n9
 PHRACK
Maliciousat tacker susual lyl earnf rom thei
rmi st
akes.Ev er ymistakemov es
them onest epcl osert obr eakingi ntosomeone’ ssy stem.Theyuset his
knowledgewhencar ryingoutf utureattacks.Asanet hicalhacker ,oneneeds
todot hesame.
 Mai nt ai
ningAnony mi ty
Smar tat tacker swantt or emai nasl ow-keyaspossi ble.Cov eri
ngthei rtracks
i
sapr iority,andmanyt imest heirsuccessdependsont hem r emai ni
ng
unnoticed.Theywantt oav oidr aisi
ngsuspi cionsot heycancomebackand
accesst hesy stemsi nt hef utur e.
Hacker sof t
enr emai nanony mousbyusi ngoneoft hef oll
owi ngresour ces:
 Bor r
owedorst olenr emot edeskt opandVPNaccount sfrom friends
orpr ev i
ousempl oy ers
 Publ i
ccomput er satl ibrar i
es,schools,orkiosksatt helocal mal l
 Openwi relessnet wor ks
 I nter netpr oxyser vers
 Anony mousordi sposabl ee-mailaccount sfrom f r
eee- mail services
 Opene- mai lr
elay s
 I nf ectedcomput ersal socal ledzombi esorbot satot herorgani zat i
ons
 Wor kst ationsorser v ersont hevicti
m’sownnet wor k
Ifhacker suseenoughst eppi ngst onesf ortheiratt
acks, theyar ehar dt ot r
ace.

Vishal Chavre
Tool
sf orEt
hicalhacki
ngofwebappl
i
cat
ions,ser
ver
sand
net
works:
 Net spar keri s an easy t o use web appl ication secur ity
scannert hatcanaut omat ical l
yf i
ndSQLI nj ection,XSSand
otherv ulner abili
ties i ny ourweb appl icat ions and web
serv i
ces.I ti sav ailabl eason- premi sesandSAASsol ut ion.
 Acunet ixisaf ull
yaut omat edet hi calhacki ngsol ut iont hat
mi mi cs a hackert o keep one st ep ahead ofmal i
ci ous
i
nt r
uder s.Thewebappl i
cat i
onsecur ityscanneraccur at ely
scansHTML5,Jav aScr iptandSi ngl e-pageappl icat ions.I t
can audi tcompl ex,aut hent icat ed webapps and i ssues
compl ianceandmanagementr epor tsonawi der angeof
webandnet wor kv ulnerabi l
ities.
 Probel ycont inuousl yscansf orv ul ner abilitiesi ny ourWeb
Appl icat i
ons.I tal lowsi tscust omer st o managet hel if
e
cycle of v ulnerabi liti
es and pr ov ides t hem wi th some
guidanceonhowt of i
xt hem.Pr obel yi sasecur i
tyt oolbui lt
hav i
ngDev el oper si nmi nd.
 Insight VMi sat op- r anked v ul ner abi li
tyr i
sk management
solut i
onf ocusedondet ect ing,pr ioritizing,andr emedi ating
vulner abilit
ies. Wi th I nsi ght VM,y ou can aut omat ically
assess and under st and secur i
tyr isk acr oss y ourent ir
e
i
nf r
ast r
uct ur e.
 Safer VPNi s an i ndi spensabl et ooli n an Et hicalhacker ’
s
arsenal .You may need i tt o check t ar geti n di fferent
geogr aphies,si mul at enon- per sonal izedbr owsi ngbehav i
or,
undi scov er edf il
et ransf er s, etc.
 Bur p Sui tei s a usef ulpl at for m f orper for mi ng Secur ity
Test ing of web appl icat ions. I ts v arious t ool s wor k
seaml essl yt oget hert o suppor tt he ent i
re pen t est i
ng
process.I tspansf rom i ni tialmappi ngt oanal y sisofan
appl i
cat ion'sat t
acksur face.
 Ettercapi sanet hicalhacki ngt ool .I tsuppor t
sact iv eand
passi v edi ssect ioni ncludesf eat ur esf ornet wor kandhost
anal ysis.
 Aircrack i sat rust able et hicalhacki ng t ool .I tcr acks
vulner ablewi r
elessconnect ions.I ti spower edbyWEPWPA
andWPA2encr ypt ionKey s.
 Angr yI PScanneri sopen- sour ceandcr oss- platfor m et hi cal
 hackingt ool.ItscansI Paddr essesandpor ts.
 GFILanGuar di sanet hicalt oolt hatscansnet wor ksf or
vulnerabi li
ti
es. I t can act s as y our ' v i
r t
ual secur i
ty
consul tant '
ondemand.I tall
owscr eatinganasseti nvent ory
ofev erydev i
ce.
 Sav vi
us:I ti
sanet hicalhacki ngt ool .Itper f
or mancei ssues
andr educessecur i
tyr iskwi tht hedeepv isi
bi l
itypr ovidedby
Omni peek.I tcandi agnosenet wor ki ssuesf asterandbet ter
wi t
hSav viuspacketi ntell
igence.
 Qual ysguar dhel psbusi nessesst reaml i
net hei rsecur i
tyand
compl iancesol utions.I tal sobui l
dssecur it
yi ntot heirdigital
transformat i
on i niti
at ives.Thi st oolcan al so check t he
performancev ulner abi l
ityoftheonl inecl oudsy st ems.
 WebI nspecti s aut omat ed dy nami c appl icat ion secur i
ty
testi
ngt hatallowsper f
or minget hicalhacki ngt echni ques.I t
providescompr ehensi vedy nami canal ysisofcompl exweb
applicationsandser vices.
 Hashcati sar obustpasswor dcr acki nget hicalhacki ngt ool.
Itcanhel puser st or ecov erlostpasswor ds, audi tpasswor d
secur i
ty, orjustf i
ndoutwhatdat ai sst oredi nahash.

 L0pht Cr ack6i susef ulpasswor daudi tandr ecov erytool.It

i
dent ifiesandassessespasswor dv ulner abi l
it
yov erl ocal
machi nesandnet wor ks.
 RainbowCr acki sapasswor dcr ackingt oolwi del yusedf or
ethicalhacki ng.I tcr ackshasheswi thr ai nbow t ables.I t
usest ime- memor yt radeof falgorithm f ort hispur pose.
 Hashcati sar obustpasswor dcr ackinget hicalhacki ngt ool.
Itcanhel puser st or ecov erlostpasswor ds, audi tpasswor d
secur i
t y,orjustfindoutwhatdat ai sst oredi nahash.
 IKECr acki sanopensour ceaut henticat i
oncr ackt ool.Thi s
ethicalhacki ngtooli sdesi gnedt obr ute-for ceordi ct
ionar y
attack.Thi stoolalsoal l
owsper formi ngcr ypt ographyt asks.
 IronWASPi sanopensour cesof twar ef oret hicalhacki ng
too.Iti swebappl icationv ulnerabi l
i
tyt est ing.I tisdesi gned
tobecust omizabl esot hatuser scancr eat et heircust om
secur i
t yscanner susi ngi t.
 Medusa i s one oft he bestonl i
ne br ut e-force,speedy ,
parallelpasswor dcr acker set hicalhacki ngt ool.Thi stooli s
alsowi delyusedf oret hi
cal hacki ng.

Vishal Chavre
 Net Stumbleri susedtodetectwi r
elessnet worksontheWi ndowspl
atf
orm.
 SQL Mapaut omat estheprocessofdet ecti
ngandexpl oi
ti
ng
SQL I njecti
on weaknesses.I tisopen sour ce and cr
oss
platform.Itsuppor t
sthefollowingdat abaseengines.
 Recov erMSAccesspasswor ds
 Uncov erpasswordfield
 Snif
fingnetworks
 Crackingencrypt
edpasswor dsusi ngdict
ionar
y
attacks, br
ute-for
ce,andcryptanalysisattacks.
 Ne ssuscanbeusedt operform:

 Remot evulner
abili
tyscanner
 Passworddi ct
ionaryat t
acks
 Denialofservi
ceatt acks.
 I
tisclosedsour ce,crossplat
for
m andf
reef
orper
sonal
use.