Kushal Ashar

18-9804

Ethical Hacking

Name :-

1. Enumerate different phases of hacking? Explain

each in detail.

Answer: There are five phases of Hacking which are as follow:

. Reconnaissance
. Scanning
Kushal Ashar
18-9804

. Gaining Access
. Maintaining Access
. Covering Tracks

1. Reconnaissance:- This is the primary phase where the Hacker

tries to collect as much information as possible about the
target. It includes identifying the target, finding out the target's
IP Address Range, Network, DNS records, etc.
2. Scanning:- It involves taking the information discovered
during reconnaissance and using it to examine the network.
Tools that a hacker may employ during the scanning phase can
include dialers, port scanners, network mappers, sweepers, and
vulnerability scanners. Hackers are seeking any information
Kushal Ashar
18-9804

that can help them perpetrate attack such as computer names,

IP addresses, and user accounts.
3. Gaining Access:- After scanning, the hacker designs the
blueprint of the network of the target with the help of data
collected during Phase 1 and Phase 2. This is the phase where
the real hacking takes place. Vulnerabilities discovered during
the reconnaissance and scanning phase are now exploited to
gain access. The method of connection the hacker uses for an
exploit can be a local area network (LAN, either wired or
wireless), local access to a PC, the Internet, or offline. Examples
include stack based buffer overflows, denial of service (DoS),
and session hijacking. These topics will be discussed in later
chapters. Gaining access is known in the hacker world as
owning the system.
4. Maintaining Access:- Once a hacker has gained access, they
want to keep that access for future exploitation and attacks.
Sometimes, hackers harden the system from other hackers or
security personnel by securing their exclusive access with
backdoors, rootkits, and Trojans. Once the hacker owns the
system, they can use it as a base to launch additional attacks. In
this case, the owned system is sometimes referred to as a
zombie system.
5. Covering Tracks:- Once hackers have been able to gain and
maintain access, they cover their tracks to avoid detection by
Kushal Ashar
18-9804

security personnel, to continue to use the owned system, to

remove evidence of hacking, or to avoid legal action. Hackers
try to remove all traces of the attack, such as log files or
intrusion detection system (IDS) alarms. Examples of activities
during this phase of the attack include steganography, the use
of tunneling protocols, and altering log files.

2. Write a note on OWASP top 10?

Answer :
OWASP :- The Open Web Application Security Project, or
OWASP, is an international non-profit organization dedicated to
web application security. One of OWASP’s core principles is
that all of their materials be freely available and easily
accessible on their website, making it possible for anyone to
improve their own web application security. The materials they
Kushal Ashar
18-9804

offer include documentation, tools, videos, and forums.

Perhaps their best-known project is the
OWASP Top 10.
OWASP Top 10:-
The OWASP Top 10 is a regularly-updated report outlining
security concerns for web application security, focusing on the
10 most critical risks. The report is put together by a team of
security experts from all over the world. OWASP refers to the
Top 10 as an ‘awareness document’ and they recommend that
all companies incorporate the report into their processes in
order to minimize and/or mitigate security risks.
Below are the security risks reported in the OWASP Top 10
2017 report:
1. Injection
Injection attacks happen when untrusted data is sent to a code
interpreter through a form input or some other data
submission to a web application. For example, an attacker
could enter SQL database code into a form that expects a
plaintext username. If that form input is not properly secured,
this would result in that SQL code being executed. This is
known as an SQL injection attack.
Kushal Ashar
18-9804

Injection attacks can be prevented by validating and/or

sanitizing user-submitted data. (Validation means rejecting
suspicious-looking data, while sanitization refers to cleaning up
the suspicious-looking parts of the data.) In addition, a
database admin can set controls to minimize the amount of
information an injection attack can expose.
2. Broken Authentication
Vulnerabilities in authentication (login) systems can give
attackers access to user accounts and even the ability to
compromise an entire system using an admin account. For
example, an attacker can take a list containing thousands of
known username/password combinations obtained during a
data breach and use a script to try all those combinations on a
login system to see if there are any that work.
Some strategies to mitigate authentication vulnerabilities are
requiring 2-factor authentication (2FA) as well as limiting or
delaying repeated login attempts using rate limiting.
3. Sensitive Data Exposure
If web applications don’t protect sensitive data such as financial
information and passwords, attackers can gain access to that
data and sellor utilize it for nefarious purposes. One popular
method for stealing sensitive information is using a man-in-the-
middle attack. Data exposure risk can be minimized by
Kushal Ashar
18-9804

encrypting all sensitive data as well as disabling the caching* of

any sensitive information. Additionally, web application
developers should take care to ensure that they are not
unnecessarily storing any sensitive data. *Caching is the
practice of temporarily storing data for re-use. For example,
web browsers will often cache webpages so that if a user
revisits those pages within a fixed time span, the browser does
not have to fetch the pages from the web.
4. XML External Entities (XEE)
This is an attack against a web application that parses XML*
input. This input can reference an external entity, attempting to
exploit a vulnerability in the parser. An ‘external entity’ in this
context refers to a storage unit, such as a hard drive. An XML
parser can be duped into sending data to an unauthorized
external entity, which can pass sensitive data directly to an
attacker. The best ways to prevent XEE attacks are to have web
applications accept a less complex type of data, such as JSON,
or at the very least to patch XML parsers and disable the use of
external entities in an XML application.
XML or Extensible Markup Language is a markup language
intended to be both human-readable and machine-readable.
Due to its complexity and security vulnerabilities, it is now
being phased out of use in many web applications.
5. Broken Access Control
Kushal Ashar
18-9804

Access control refers a system that controls access to

information or functionality. Broken access controls allow
attackers to bypass authorization and perform tasks as though
they were privileged users such as administrators. For example
a web application could allow a user to change which account
they are logged in as simply by changing part of a url, without
any other verification. Access controls can be secured by
ensuring that a web application uses authorization tokens* and
sets tight controls on them. Many services issue authorization
tokens when users log in. Every privileged request that a user
makes will require that the authorization token be present. This
is a secure way to ensure that the user is who they say they are,
without having to constantly enter their login credentials.
6. Security Misconfiguration
Security misconfiguration is the most common vulnerability on
the list, and is often the result of using default configurations or
displaying excessively verbose errors. For instance, an
application could show a user overly-descriptive errors which
may reveal vulnerabilities in the application. This can be
mitigated by removing any unused features in the code and
ensuring that error messages are more general.
7. Cross-Site Scripting
Cross-site scripting vulnerabilities occur when web applications
allow users to add custom code into a url path or onto a
Kushal Ashar
18-9804

website that will be seen by other users. This vulnerability can

be exploited to run malicious JavaScript code on a victim’s
browser. For example, an attacker could send an email to a
victim that appears to be from a trusted bank, with a link to
that bank’s website. This link could have some malicious
JavaScript code tagged onto the end of the url. If the bank’s site
is not properly protected against cross-site scripting, then that
malicious code will be run in the victim’s web browser when
they click on the link. Mitigation strategies for cross-site
scripting include escaping untrusted HTTP requests as well as
validating and/or sanitizing user-generated content. Using
modern web development frameworks like React JS and Ruby
on Rails also provides some built-in cross-site scripting
protection.
Kushal Ashar
18-9804

8. Insecure Deserialization
This threat targets the many web applications which frequently
serialize and deserialize data. Serialization means taking objects
from the application code and converting them into a format
that can be used for another purpose, such as storing the data
to disk or streaming it. Deserialization is just the opposite:
converting serialized data back into objects the application can
use. Serialization is sort of like packing furniture away into
boxes before a move, and deserialization is like unpacking the
boxes and assembling the furniture after the move. An insecure
deserialization attack is like having the movers tamper with the
contents of the boxes before they are unpacked. An insecure
deserialization exploit is the result of deserializing data from
untrusted sources, and can result in serious consequences like
DDoS attacks and remote code execution attacks. While steps
can be taken to try and catch attackers, such as monitoring
deserialization and implementing type checks, the only sure
way to protect against insecure deserialization attacks is to
prohibit the deserialization of data from untrusted sources.
9. Using Components With Known Vulnerabilities
Many modern web developers use components such as
libraries and frameworks in their web applications. These
components are pieces of software that help developers avoid
redundant work and provide needed functionality; common
Kushal Ashar
18-9804

example include front-end frameworks like React and smaller

libraries that used to add share icons or a/b testing. Some
attackers look for vulnerabilities in these components which
they can then use to orchestrate attacks. Some of the more
popular components are used on hundreds of thousands of
websites; an attacker finding a security hole in one of these
components could leave hundreds of thousands of sites
vulnerable to exploit. Component developers often offer
security patches and updates to plug up known vulnerabilities,
but web application developers don’t always have the patched
or most-recent versions of components running on their
applications. To minimize the risk of running components with
known vulnerabilities, developers should remove unused
components from their projects, as well as ensuring that they
are receiving components from a trusted source and ensuring
they are up to date.
10. Insufficient Logging And Monitoring
Many web applications are not taking enough steps to detect
data breaches. The average discovery time for a breach is
around 200 days after it has happened. This gives attackers a
lot of time to cause damage before there is any response.
OWASP recommends that web developers should implement
logging and monitoring as well as incident response plans to
Kushal Ashar
18-9804

ensure that they are made aware of attacks on their

applications.
Kushal Ashar
18-9804

3. Write a note on: Recent attacks – Yahoo, Adult

Friend Finder, eBay, JP Morgan Chase.
Answer:
1.Yahoo :- Date: 2013-14
Impact: 3 billion user accounts
Details: In September 2016, the once dominant Internet giant,
while in negotiations to sell itself to Verizon, announced it had
been the victim of the biggest data breach in history, likely by
“a state-sponsored actor,” in 2014. The attack compromised
the real names, email addresses, dates of birth and telephone
numbers of 500 million users. The company said the "vast
majority" of the passwords involved had been hashed using the
robust algorithm.
A couple of months later, in December, it buried that earlier
record with the disclosure that a breach in 2013, by a different
group of hackers had compromised 1 billion accounts. Besides
names, dates of birth, email addresses and passwords that
were not as well protected as those involved in 2014, security
questions and answers were also compromised. In October of
2017,
Yahoo revised that estimate, saying that, in fact, all 3 billion
user accounts had been compromised.
Kushal Ashar
18-9804

The breaches knocked an estimated $350 million off Yahoo’s

sale price. Verizon eventually paid $4.48 billion for Yahoo’s core
Internet business. The agreement called for the two companies
to share regulatory and legal liabilities from the breaches. The
sale did not include a reported investment in Alibaba Group
Holding of $41.3 billion and an ownership interest in Yahoo
Japan of $9.3 billion.
Yahoo, founded in 1994, had once been valued at $100 billion.
After the sale, the company changed its name to Altaba, Inc .
2.Adult Friend Finder :- A massive data breach targeting adult
dating and entertainment company Friend Finder Network has
exposed more than 412 million accounts. The hack includes 339
million accounts from AdultFriendFinder.com, which the
company describes as the "world's largest sex and swinger
community." That also includes over 15 million "deleted"
accounts that wasn't purged from the databases. The Friend
Finder Network, which included casual hookup and adult
content websites like Adult Friend Finder, Penthouse.com,
Cams.com, iCams.com and Stripshow.com, was breached
sometime in mid-October 2016. Hackers collected 20 years of
data on six databases that included names, email addresses and
passwords. Most of the passwords were protected only by the
weak SHA-1 hashing algorithm, which meant that 99 percent of
Kushal Ashar
18-9804

them had been cracked by the time LeakedSource.com

published its analysis of the entire data set on November 14.
03.Ebay :- Date: May 2014
Impact: 145 million users compromised
Details: The online auction giant reported a cyberattack in May
2014 that it said exposed names, addresses, dates of birth and
encrypted passwords of all of its 145 million users. The
company said hackers got into the company network using the
credentials of three corporate employees, and had complete
inside access for 229 days, during which time they were able to
make their way to the passwords user database.
It asked its customers to change their, but said financial
information, such as credit card numbers, was stored
separately and was not compromised. The company was
criticized at the time for a lack of communication informing its
users and poor implementation of the password-renewal
process.
CEO John Donahue said the breach resulted in a decline in user
activity, but had little impact on the bottom line – its Q2
revenue was up 13 percent and earnings up 6 percent, in line
with analyst expectatio
4.JP Morgan Chase :- Date: July 2014
Kushal Ashar
18-9804

Impact: 76 million households and 7 million small businesses

Details: The largest bank in the nation was the victim of a hack
during the summer of 2014 that compromised the data of more
than half of all US households – 76 million – plus 7 million small
businesses. The data included contact information – names,
addresses, phone numbers and email addresses – as well as
internal information about the users, according to a filing with
the Securities and Exchange Commission.
The bank said no customer money had been stolen and that
there was “no evidence that account information for such
affected customers – account numbers, passwords, user IDs,
dates of birth or
Social Security numbers – was compromised during this attack."
Still, the hackers were reportedly able to gain “root" privileges
on more than 90 of the bank’s servers, which meant they could
take actions including transferring funds and closing accounts.
According to the SANS Institute, JP Morgan spends $250 million
on security every year. In November 2015, federal authorities
indicted four men, charging them with the JP Morgan hack plus
other financial institutions. Gery Shalon, Joshua Samuel Aaron
and Ziv Orenstein faced 23 counts, including unauthorized
access of computers, identity theft, securities and wire fraud
and money laundering that netted them an estimated $100
million. A fourth hacker who helped them breach the networks
Kushal Ashar
18-9804

was not identified. Shalon and Orenstein, both Israelis, pleaded

not guilty in June 2016. Aaron was arrested at JFK Airport in
New York last December.
Kushal Ashar
18-9804

4. Enumerate the different methodology used for

Foot printing. Explain the foot printing through search
engine.
Answer:
Various types of foot printing can be used to access the
information about target organization
1. Foot printing through Search Engines
This is a passive information gathering process where we
gather information about the target from social media, search
engines, various websites etc. Information gathered includes
name, personal details, geographical location details, login
pages, intranet portals etc. Even some target specific
information like Operating system details, IP details, Netblock
information, technologies behind web application etc can be
gathered by searching through search engines
Eg: collecting information from Google, Bingo etc
2. Google Hacking:
Google hacking refers to collecting information using google
dorks (keywords) by constructing search queries which result in
finding sensitive information, details collected include
Kushal Ashar
18-9804

compromised passwords, default credentials, competitor

information, information related to a particular topic etc.
Eg:inurl:, site:, allintitle etc
3. Examining HTML Source and Examining Cookies:
Html source codes of a web application may give us an
understanding of the application functionality, hidden fields,
comments, variable names etc. Cookies are used to identify a
user in his session. these cookies may be stored in the browser
or passed in the URL, or in the HTTP header.
The entire website can be mirrored using tools like HTTtracker
to gather information at our own phase.
Extract website Archives: older versions of website can be
obtained which may reveal some information related to the
target.
eg: www.archive.org
4. Email Foot printing email header reveals information
about the mail server, original sender’s email id, internal IP
addressing scheme, as well as the possible architecture of
the target network .
5. Competitive Intelligence
Kushal Ashar
18-9804

Competitive intelligence gathering is the process of gathering

information about the competitors from resources such as the
Internet.
Eg: company website, search engine, internet, online
databases, press releases, annual reports, trade journals
6. Google Hacking/Google Dorks
This is a process of creating search queries to extract hidden
information by using Google operators to search specific strings
of text inside the search results. Some google operators, site,
allinurl, inurl, allintitle
7. Whois Footprinting
Whois databases and the servers are operated by RIR - Regional
Internet Registries. These databases contain the personal
information of Domain Owners. Whois is a Query response
protocol used for querying Whois databases and its protocol is
documented in RFC 3912. Whois utility interrogates the
Internet domain name administration system and returns the
domain ownership, address, location, phone numbers, and
other details about a specified domain name.
8. DNS Footprinting
DNS is a naming system for computers that converts human-
readable domain names into computer readable IP-addresses
Kushal Ashar
18-9804

and vice versa. DNS uses UDP port 53 to serve its requests. A
zone subsequently stores all information, or resource records,
associated with a particular domain into a zone file; Resource
records responded by the name servers should have the
following fields:
Domain Name — Identifying the domain name or owner of the
records
Record Types — Specifying the type of data in the resource
record
Record Class — Identifying a class of network or protocol family
in use
Time to Live (TTL) — Specifying the amount of time a record
can be stored in cache before discarded.
Record Data — Providing the type and class dependent data to
describe the resources.
A (address)—Maps a hostname to an IP address
SOA (Start of Authority)—Identifies the DNS server responsible
for the domain information
CNAME (canonical name)—Provides additional names or aliases
for the address record
MX (mail exchange)—Identifies the mail server for the domain
Kushal Ashar
18-9804

SRV (service)—Identifies services such as directory services

PTR (pointer)—Maps IP addresses to hostnames
NS (name server)—Identifies other name servers for the
domain
HINFO = Host Information Records
DNS servers perform zone transfers to keep themselves up to
date with the latest information. A zone transfer of a target
domain gives a list of all public hosts, their respective IP
addresses, and the record type.
Foot Printing through search engine:-
1. Attackers use search engines to extract information about a
target such as technology platforms, employee details, login
pages, intranet portals, etc. which helps in performing social
engineering and other types of advanced system attacks.
2. Search engine caches and internet archives may also provide
sensitive information that has been removed from the World
Wide Web (WWW).
Kushal Ashar
18-9804

5. What is network scanning? What are different types of

scanning? What are objectives of network scanning?
Ans. Network scanning is a procedure for identifying
active hosts on a network, either for the purpose of attacking
them or for network security assessment. Scanning procedures,
such as ping sweeps and port scans, return information about
which IP addresses map to live hosts that are active on the
Internet and what services they offer. Another scanning
method, inverse mapping, returns information about what IP
addresses do not map to live hosts; this enables an attacker to
make assumptions about viable addresses.
Type of Scanning :-

PING SCAN
Ping Scans are used to sweep a whole network block or a single
target to check to see if the target is alive. It sends an ICMP
echo request to the target – if the response is an ICMP reply,
then you know the target is alive. However, it is increasingly
becoming more common that ICMP pings are being blocked by
firewalls and routers that you will likely have to resort to other
methods to accurately tell if the target is alive.
TCP HALF-OPEN
This is probably the most common type of port scan. This is a
relatively quick scan that can potentially scan thousands of
ports per second. It works this way because it does not
Kushal Ashar
18-9804

complete the TCP handshake process. It simply sends a packet

with the SYN flag set and waits for the SYN-ACK from the target
and does not complete the connection.
When you initiate a TCP connection you first send a packet with
the SYN (synchronize) flag set to the destination. The
destination then acknowledges this synchronize request with a
packet with the SYN-ACK (synchronize-acknowledge) flag set.
Finally, the sender acknowledges that it got the SYN-ACK
response packet by sending the destination a packet with the
ACK flag set. Now, a connection is established.
By not sending the final ACK packet to the target after receiving
a SYN-ACK, a connection is not established; however, you now
know if the target/port is available and listening.
If you receive a RST (reset) packet back from the target, then
you know that the target is active; however, the port is closed.
If no response is received and you know that the target is alive,
then the port is considered filtered.
TCP CONNECT
This is essentially the same as the half-open scan above but
instead, we finish the handshake process and establish a
connection by sending the final ACK packet. This is a much
slower means of port scanning as it takes more packets to
finish.
UDP
UDP scans are most common to detect DNS, SNMP and DHCP
services. UDP scans work by sending a packet, which is usually
Kushal Ashar
18-9804

empty. This can be changed or even set to a random payload

for each port.
If the target responds with an ICMP unreachable error (type 3,
code 3) packet, you know the port is considered closed. If it
responds with an ICMP unreachable error packet with other
codes, the packet is considered filtered.
The objective of network scanning is as follows:

 Recognize available UDP and TCP network services running

on the targeted hosts
 Recognize filtering systems between the user and the
targeted hosts
 Determine the operating systems (OSs) in use by assessing
IP responses
 Evaluate the target host's TCP sequence number
predictability to determine sequence prediction attack and
TCP spoofing
Kushal Ashar
18-9804

6. What is ARP poisoning? What are the threats due to

ARP poisoning? How can we defend against ARP
poisoning?
Answer:
Address Resolution Protocol poisoning (ARP poisoning) is a
form of attack in which an attacker changes the Media Access
Control (MAC) address and attacks an Ethernet LAN by
changing the target computer's ARP cache with a forged ARP
request and reply packets. This modifies the layer -Ethernet
MAC address into the hacker's known MAC address to monitor
it. Because the ARP replies are forged, the target computer
unintentionally sends the frames to the hacker's computer first
instead of sending it to the original destination. As a result,
both the user's data and privacy are compromised. An effective
ARP poisoning attempt is undetectable to the user.
ARP poisoning is also known as ARP cache poisoning or ARP
poison routing (APR).
Threats:-
ARP poisoning is very effective against both wireless and wired
local networks. By triggering an ARP poisoning attack, hackers
can steal sensitive data from the targeted computers,
eavesdrop by means of man-in-the-middle techniques, and
cause a denial of service on the targeted computer. In addition,
Kushal Ashar
18-9804

if the hacker modifies the MAC address of a computer that

enables Internet connection to the network, access to Internet
and external networks may be disabled.
For smaller networks, using static ARP tables and static IP
addresses is an effective solution against ARP poisoning.
Another effective method for all kinds of networks is
implementing an ARP monitoring tool
Counter-measures:-
We Can Prevent from above attack in 3 ways
1. Static ARP table :-
The easiest and quite very efficient solution: Each host on the
LAN, or at least the most sensitive ones (e.g. default gateway,
DHCP server, DNS, web server, etc), have them MAC address
set manually in the ARP table and can’t be modify with ARP
reply. Even though this measure is easy to implement, in large
LAN, this might be quite long and exhaustive.
2. ARP filtering :-
Another measure, much less efficient than static ARP table is
ARP filtering. A first countermeasure would be to drop each
ARP reply that hasn’t been requested. It is also possible to filter
ARP packet based on different parameters (e.g. source and
Kushal Ashar
18-9804

destination) thanks to the command arp tables(which is like

iptable but for arp packet).
3. Using encrypted and authenticated channel :-
This is not a measure against ARP poisoning but against MITM
attack in general. Using encrypted channel makes the data
captured by an attacker is irrelevant without the proper key.
With ARP spoofing the MITM attack is established on a low-
level on the OSI model (between data-link and network),
therefore, an attacker could first establish a secure connection
with the victim, then with the destination and forward the
information decrypted from the host to an encrypted
communication with the destination. This way, even if the
victim uses an encrypted channel, the attacker can read the
communication anyway. In order to avoid this security issue,
secure hosts (like web server) use an authentication system to
ensure that the communication is established with the proper
host.