This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
For years, "hacker" was a positive term that described computer enthusiasts who had a zeal for computer programming. Today, "hacking" generally refers to individuals who break into computer systems or use their programming skills or expert knowledge to act maliciously, so it is very important to secure networks from hackers. A number of technologies are available to companies to prevent hacking attacks; firewalls and network intrusion detection systems (NIDSs) are widely used to secure computer networks. Though the firewall is regarded as the ultimate system for securing a network, it may have weak points through which an attacker can penetrate: by hacking an unsecured wireless network, through a remote access client, by spoofing, or by using new hacking tools. This paper addresses what the approach could be for finding loopholes in a firewall, mitigating them based on penetration testing, and best network security design considerations.
Hacking used to be defined as "One who is proficient at using or programming a computer; a computer buff." However, this use has been turned around now to mean that of a cracker: "One who uses programming skills to gain illegal access to a computer network or file." This information is about this second meaning, cracking. The main difference between the two is that hackers try to make things, while crackers try to break things. Hackers made the Internet what it is today. Hackers program websites (among other things), and they do not try to harm the work of others, as is thought in today's society. However, the word hacker is now in such popular use that it is thought to mean cracker. Hacking is not a simple operation or sequence of commands as many people think; hacking is a skill.
A firewall is a hardware or software system that prevents unauthorized access to or from a network. The firewall is believed to be the ultimate system for securing a network, so every organization deploys a firewall at every access level; this makes attackers target the firewall to get the desired access. So it is mandatory that the firewall gives hundred percent security when people rely on the firewall system.
Effect on Business because of Hackers
A global survey revealed that hackers cost global businesses around $1.6tn in 2010. According to the study, commissioned by the US magazine Information Week, technology professionals in the US this year will suffer system downtime of 3.24 per cent, while downtime rises to 3.28 per cent on a worldwide basis.
If the data is altered or stolen, a company may risk losing credibility and the trust of their customers.
There is a continued increase in malware that installs open proxies on systems, especially targeting broadband users' machines as zombies.
Businesses most at risk, experts say, are those handling online financial transactions.
Essential Terminology for Hacking
Threat - An action or event that might compromise security. A threat is a potential violation of security.
Vulnerability - Existence of weakness, design or implementation error that can lead to an unexpected and undesirable event compromising the security of the system.
Target of Evaluation - An IT system, product, or component that is identified or subjected to security evaluation.
Attack - An assault on system security that derives from an intelligent threat. An attack is any action that violates security.
Exploit - A defined way to breach the security of an IT system through vulnerability.
How Do Hackers Hack (Phases of Hacking)
Phase 1 - Reconnaissance
Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about the target of evaluation prior to launching an attack.
Business Risk: Notable - Generally noted as "rattling the door knobs" to see if someone is watching and responding.
This could be the future point of return, noted for ease of entry for an attack when more about the target is known on a broad scale.
Types of Reconnaissance
Passive reconnaissance involves acquiring information without directly interacting with the target. For example: searching records or news releases.
Active reconnaissance involves interacting with the target directly by any means. For example: telephone calls to the help desk or technical department.
Phase 2 - Scanning
Scanning refers to the pre-attack phase when the hacker scans the network for specific information on the basis of the information gathered during reconnaissance.
Business Risk: High - Hackers have to get a single point of entry to launch an attack.
Scanning can include use of dialers, port scanners, network mapping, sweeping, vulnerability scanners, and so on. Tools like Nmap Front End are used for scanning.
Phase 3 - Gaining Access
Gaining access refers to the penetration phase. The hacker exploits the vulnerability in the system.
The exploit can occur over a LAN, the internet, or as a deception, or theft. Examples include Buffer overflows, Denial of service, Session hijacking, and Password cracking.
Influence factors include architecture and configuration of the target system, the skill level of the perpetrator, and the initial level of access obtained.
Business Risk: Highest - The hacker can gain access at the operating system level, application level, or network level.
Phase 4 - Maintaining Access
Maintaining access refers to the phase when the hacker tries to retain his/her ownership of the system.
At this point the hacker has compromised the system.
Hackers may harden the system from other hackers as well (to own the system) by securing their exclusive access with Backdoors, Root kits, or Trojans.
Hackers can upload, download, or manipulate data, applications, and configurations on the owned system.
Phase 5 - Covering Tracks
Covering tracks refers to the activities that the hacker does to hide his misdeeds.
Reasons include the need for prolonged stay, continued use of resources, removing evidence of hacking, or avoiding legal action.
Examples include Steganography, Tunneling, and Altering log files.
There are several ways an attacker can gain access to a system.
Types of Hacker Attacks:
Operating System Attacks:
Today's operating systems are complex in nature.
Operating systems run many services, ports, and modes of access and require extensive tweaking to lock them down.
The default installation of most operating systems has large numbers of services running and ports open.
Applying patches and hot fixes is not easy in today's complex networks.
Attackers look for OS vulnerabilities and exploit them to gain access to a network system.
Application Level Attacks:
Software developers are under tight schedules to deliver products on time.
Extreme Programming is on the rise as a software engineering methodology.
Software applications come with tons of functionalities and features.
There is not sufficient time to perform complete testing before releasing products.
Security is often an afterthought and usually delivered as an "add-on" component.
Poor or non-existent error checking in applications leads to "Buffer Overflow Attacks".
Shrink Wrap Code Attacks
There is no need to buy off-the-shelf "libraries" and code.
When you install an OS/Application, it comes with tons of sample scripts to make the life of an administrator easy.
The problem is not fine-tuning or customizing these scripts.
This leads to a default-code or shrink-wrap code attack.
Misconfiguration Attacks:
Systems that should be fairly secure are hacked because they were not configured correctly.
Systems are complex and the administrator does not have the necessary skills or resources to fix the problem.
The administrator will create a simple configuration that works.
In order to maximize your chances of configuring a machine correctly, remove any unneeded services and software.
Some techniques used in Hacking
Scanning is the process of locating systems that are alive and responding on the network. Hackers use scanning to identify target systems' IP addresses. Scanning is also used to determine whether a system is on the network and available. Scanning tools are used to gather information about a system such as IP addresses, the operating system, and services running on the target computer.
Types of Scanning -
Port scanning - Determines open ports and services
Network scanning - Identifies IP addresses on a given network or subnet
Vulnerability scanning - Discovers presence of known weaknesses on target systems
Enumeration occurs after scanning and is the process of gathering and compiling usernames, machine names, network resources, shares, and services. It also refers to actively querying or connecting to a target system to acquire this information.
Hackers need to be methodical in their approach to hacking. The following steps are an example of those a hacker might perform in preparation for hacking a target system:
Extract usernames using enumeration
Gather information about the host using null sessions
Perform Windows enumeration using the SuperScan tool
Acquire the user accounts using the tool GetAcct
Perform SNMP port scanning
Cracking a Password -
Manual password cracking involves attempting to log on with different passwords. The hacker follows these steps:
Find a valid user account (such as Administrator or Guest).
Create a list of possible passwords.
Rank the passwords from high to low probability.
Key in each password.
Try again until a successful password is found.
A hacker can also create a script file that tries each password in a list. This is still considered manual cracking, but it's time consuming and not usually effective. A more efficient way of cracking a password is to gain access to the password file on a system. Most systems hash (one-way encrypt) a password for storage on a system. During the logon process, the password entered by the user is hashed using the same algorithm and then compared to the hashed passwords stored in the file. A hacker can attempt to gain access to the hashing algorithm stored on the server instead of trying to guess or otherwise identify the password. If the hacker is successful, they can decrypt the passwords stored on
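The hash-and-compare logon check described above, shown as an added example (not code from the essay) the way a defender should implement it: a per-user random salt, a deliberately slow key-derivation function so a stolen password file is expensive to crack, and a constant-time comparison. All usernames and passwords below are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example, not code from the essay: the hash-and-compare logon check the
# text describes, done with a per-user salt, a slow key-derivation function and a
# constant-time comparison. All values are constructed.

ITERATIONS = 100_000  # cost of every guess against a stolen file; raise as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage in the password file.

    A fresh random salt per user means two users with the same password get
    different digests, so one precomputed table cannot crack the whole file.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(attempt: str, salt: bytes, stored_digest: bytes) -> bool:
    """Hash the attempt with the stored salt and compare with the stored digest.

    compare_digest takes the same time whether the digests differ in the first
    byte or the last, so the check itself leaks nothing about the stored value.
    """
    _, attempt_digest = hash_password(attempt, salt)
    return hmac.compare_digest(attempt_digest, stored_digest)


PasswordFile = Dict[str, Tuple[bytes, bytes]]  # username -> (salt, digest)


def add_user(password_file: PasswordFile, username: str, password: str) -> None:
    """Store only the salted digest; the clear-text password is never written."""
    password_file[username] = hash_password(password)


def check_logon(password_file: PasswordFile, username: str, password: str) -> bool:
    """The logon step from the text: hash what the user typed and compare."""
    record = password_file.get(username)
    if record is None:
        # Hash anyway so an unknown username takes as long as a wrong password;
        # otherwise response time would reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, digest = record
    return verify_password(password, salt, digest)


def salts_make_digests_differ(password: str) -> bool:
    """Show why the salt matters: the same password stored twice gives two digests."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return salt_a != salt_b and digest_a != digest_b


if __name__ == "__main__":
    users: PasswordFile = {}
    add_user(users, "alice", "correct horse")
    print("right password:", check_logon(users, "alice", "correct horse"))    # True
    print("wrong password:", check_logon(users, "alice", "correct hoarse"))   # False
    print("unknown user:  ", check_logon(users, "mallory", "correct horse"))  # False
    print("salted digests differ:", salts_make_digests_differ("correct horse"))  # True
```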
Keyloggers and Other Spyware Technologies -
If all other attempts to gather passwords fail, then a keystroke logger is the tool of choice for hackers. Keystroke loggers (keyloggers) can be implemented either using hardware or software. Hardware keyloggers are small hardware devices that connect the keyboard to the PC and save every keystroke into a file or in the memory of the hardware device. In order to install a hardware keylogger, a hacker must have physical access to the system. Software keyloggers are pieces of stealth software that sit between the keyboard hardware and the operating system so that they can record every keystroke. Software keyloggers can be deployed on a system by Trojans or viruses.
Spector is spyware that records everything a system does on the Internet, much like a surveillance camera. Spector automatically takes hundreds of snapshots every hour of whatever is on the computer screen and saves these snapshots in a hidden location on the system's hard drive. Spector can be detected and removed with Anti-spector.
eBlaster is Internet spy software that captures incoming and outgoing emails and immediately forwards them to another email address. eBlaster can also capture both sides of an Instant Messenger conversation, perform keystroke logging, and record websites.
SpyAnywhere is a tool that allows you to view system activity and user actions, shut down/restart, lock down/freeze, and even browse the file system of a remote system. SpyAnywhere lets you control open programs and windows on the remote system and view Internet histories and related information.
Invisible KeyLogger Stealth (IKS) Software Logger is a high-performance virtual device driver (VxD) that runs silently at the lowest level of the Windows 95, 98, or ME operating system. All keystrokes are recorded in a binary keystroke file.
Fearless Key Logger is a Trojan that remains resident in memory to capture all user keystrokes. Captured keystrokes are stored in a log file and can be retrieved by a hacker.
E-mail Keylogger logs all emails sent and received on a target system. The emails can be viewed by sender, recipient, subject, and time/date. The email contents and any attachments are also recorded.
A rootkit is a type of program often used to hide utilities on a compromised system. Rootkits include so-called backdoors to help an attacker subsequently access the system more easily. For example, the rootkit may hide an application that spawns a shell when the attacker connects to a particular network port on the system. A backdoor may also allow processes started by a non-privileged user to execute functions normally reserved for the administrator. A rootkit is frequently used to allow the programmer of the rootkit to see and access usernames and log-in information for sites that require them.
There are several types of rootkits, including the following:
Kernel-Level Rootkits - Kernel-level rootkits add code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. This is often accomplished by adding new code to the kernel via a device driver or loadable module, such as loadable kernel modules in Linux or device drivers in Windows. Kernel-level rootkits are especially dangerous because they can be difficult to detect without appropriate software.
Library-Level Rootkits - Library-level rootkits commonly patch, hook, or replace system calls with versions that hide information that might allow the hacker to be identified.
Application-Level Rootkits - Application-level rootkits may replace regular application binaries with Trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means.
Steganography is the process of hiding data in other types of data such as images or text files. The most popular method of hiding data in files is to use graphic images as hiding places. Attackers can embed any information in a graphic file using steganography. The hacker can hide directions on making a bomb, a secret bank account number, or answers to a test. Any text imaginable can be hidden in an image.
ImageHide is a steganography program that hides large amounts of text in images. Even after adding bytes of data, there is no increase in the image size. The image looks the same in a normal graphics program. It loads and saves to files and therefore is able to bypass most email sniffers.
Blindside is a steganography application that hides information inside BMP (bitmap) images. It's a command-line utility.
MP3Stego hides information in MP3 files during the compression process. The data is compressed, encrypted, and then hidden in the MP3 bitstream.
Snow is a whitespace steganography program that conceals messages in ASCII text by appending whitespace to the end of lines. Because spaces and tabs generally aren't visible in text viewers, the message is effectively hidden from casual observers. If the built-in encryption is used, the message can't be read even if it's detected.
CameraShy works with Windows and Internet Explorer and lets users share censored or sensitive information stored in an ordinary GIF image. Stealth is a filtering tool for PGP files. It strips off identifying information from the header, after which the file can be used for steganography.
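The whitespace channel that Snow uses (spaces and tabs appended to line ends) is also the easiest of the tools above to check for and to neutralise. The following is an added example, not the essay's or Snow's own code: a detector that scores a text for suspicious trailing whitespace and a filter that strips it before text leaves the organisation. Counting one bit per trailing space or tab is a simplification assumed here for a capacity estimate, not Snow's exact encoding; both sample texts are constructed.

```python
import re
from typing import Dict, List, Tuple

# Added example, not from the essay and not Snow's own code: detect and strip the
# trailing-whitespace channel that Snow-style tools use. One bit per trailing
# character is an assumed simplification for the capacity estimate.

TRAILING_WS = re.compile(r"[ \t]+$")


def trailing_runs(text: str) -> List[Tuple[int, str]]:
    """Return (line number, trailing whitespace run) for every line that has one."""
    runs = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = TRAILING_WS.search(line)
        if match:
            runs.append((number, match.group()))
    return runs


def whitespace_stego_report(text: str) -> Dict[str, object]:
    """Score a text for a hidden whitespace channel.

    A run mixing tabs and spaces at the end of a line is the strongest signal:
    editors leave stray spaces, but rarely alternate tabs and spaces at line ends.
    Trailing whitespace on most lines with enough capacity for a byte is the weaker one.
    """
    lines = text.splitlines()
    runs = trailing_runs(text)
    mixed = [number for number, run in runs if " " in run and "\t" in run]
    estimated_bits = sum(len(run) for _, run in runs)
    suspicious = bool(mixed) or (
        len(lines) > 0 and len(runs) >= len(lines) / 2 and estimated_bits >= 8
    )
    return {
        "lines": len(lines),
        "lines_with_trailing_ws": len(runs),
        "mixed_tab_space_lines": len(mixed),
        "estimated_bits": estimated_bits,
        "suspicious": suspicious,
    }


def strip_trailing_whitespace(text: str) -> str:
    """Mitigation: normalise line ends on outbound text.

    Removing the trailing whitespace destroys any hidden message while leaving
    the visible text untouched, so it is safe to apply to all mail and uploads.
    """
    cleaned = "\n".join(line.rstrip(" \t") for line in text.splitlines())
    return cleaned + ("\n" if text.endswith("\n") else "")


# Constructed samples: an innocent text and the same text carrying trailing whitespace.
CLEAN_TEXT = "The quick brown fox\njumps over\nthe lazy dog\n"
CARRIER_TEXT = "The quick brown fox \t \t\njumps over\t\t \nthe lazy dog \t\n"

if __name__ == "__main__":
    print("clean  :", whitespace_stego_report(CLEAN_TEXT))    # suspicious: False
    print("carrier:", whitespace_stego_report(CARRIER_TEXT))  # suspicious: True, 9 bits
    print("stripped equals clean:", strip_trailing_whitespace(CARRIER_TEXT) == CLEAN_TEXT)
```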
Covering Your Tracks and Erasing Evidence -
Once intruders have successfully gained administrator access on a system, they try to cover their tracks to prevent detection of their presence (either current or past) on the system. A hacker may also try to remove evidence of their identity or activities on the system to prevent tracing of their identity or location by authorities. To prevent detection, the hacker usually erases any error messages or security events that have been logged. Disabling auditing and clearing the event log are two methods used by a hacker to cover their tracks and avoid detection.
The first thing intruders do after gaining administrator privileges is disable auditing. Windows auditing records certain events in a log file that is stored in the Windows Event Viewer. Events can include logging into the system, an application, or an event log. An administrator can choose the level of logging implemented on a system. Hackers want to determine the level of logging implemented to see whether they need to clear events that indicate their presence on the system.
Auditpol is a tool included in the Windows NT Resource Kit for system administrators. This tool can disable or enable auditing from the Windows command line. It can also be used to determine the level of logging implemented by a system administrator.
Intruders can easily wipe out the security logs in the Windows Event Viewer. An event log that contains one or just a few events is suspicious because it usually indicates that other events have been cleared. It's still necessary to clear the event log after disabling auditing, because using the Auditpol tool places an entry in the event log indicating that auditing has been disabled. Several tools exist to clear the event log, or a hacker can do so manually in the Windows Event Viewer.
The elsave.exe utility is a simple tool for clearing the event log. It's command line based. WinZapper is a tool that an attacker can use to erase event records selectively from the security log in Windows 2000. WinZapper also ensures that no security events are logged while the program is running.
Evidence Eliminator is a data-cleansing system for Windows PCs. It prevents unwanted data from becoming permanently hidden in the system. It cleans the Recycle Bin, Internet cache, system files, temp folders, and so on. Evidence Eliminator can also be used by a hacker to remove evidence from a system after an attack.
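The two actions described above, disabling auditing and clearing the event log, each leave a trace of their own, and a nearly empty security log is itself a sign that something was wiped. The following added example (not code from the essay) checks a CSV export of the Windows Security log for those indicators. The event IDs are real Windows Security log IDs (1102 and 4719 on Vista and later, 517 and 612 on NT/2000); the log lines themselves are constructed, not the output of any tool.

```python
import csv
import io
from dataclasses import dataclass
from typing import List

# Added example, not from the essay: a defender's check of a Windows Security log
# export for the traces an intruder leaves when disabling auditing and clearing
# the log. The event IDs are real; the CSV text below is constructed.

LOG_CLEARED = {1102, 517}           # 1102 on Vista and later, 517 on NT/2000
AUDIT_POLICY_CHANGED = {4719, 612}  # 4719 on Vista and later, 612 on NT/2000

CONSTRUCTED_LOG = """\
time,event_id,user,message
2010-03-01T09:00:01,4624,alice,An account was successfully logged on
2010-03-01T09:05:12,4719,SYSTEM,System audit policy was changed
2010-03-01T09:05:40,1102,alice,The audit log was cleared
"""


@dataclass
class Finding:
    line_no: int      # 0 means the finding is about the log as a whole
    event_id: int     # 0 for whole-log findings
    reason: str


def parse_log(text: str) -> List[dict]:
    """Parse the CSV export into one dict per event with an integer event_id."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["event_id"] = int(row["event_id"])
        records.append(row)
    return records


def analyze_security_log(text: str, min_expected_events: int = 50) -> List[Finding]:
    """Flag the tampering indicators the text describes.

    - an audit-policy change can mean auditing was switched off (Auditpol in the text)
    - the "audit log was cleared" event is written as the last thing before the wipe
    - a log holding only a handful of events is suspicious in itself
    """
    records = parse_log(text)
    findings: List[Finding] = []
    for line_no, rec in enumerate(records, start=2):  # line 1 is the CSV header
        if rec["event_id"] in LOG_CLEARED:
            findings.append(Finding(line_no, rec["event_id"], "audit log was cleared"))
        elif rec["event_id"] in AUDIT_POLICY_CHANGED:
            findings.append(Finding(line_no, rec["event_id"],
                                    "audit policy changed; auditing may have been disabled"))
    if 0 < len(records) < min_expected_events:
        findings.append(Finding(0, 0,
                                f"only {len(records)} events present; earlier events may have been cleared"))
    return findings


if __name__ == "__main__":
    for finding in analyze_security_log(CONSTRUCTED_LOG):
        print(finding)
```

Forwarding the Security log to a remote collector as events occur keeps all three indicators available even after the local log has been wiped.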
Trojans and Backdoors -
A Trojan is a malicious program disguised as something benign. In many cases the Trojan appears to perform a desirable function for the user but actually allows a hacker access to the user's computer system. Trojans are often downloaded along with another program or software package. Once installed on a system, they can cause data theft and loss, as well as system crashes or slowdowns. Trojans can also be used as launching points for other attacks, such as distributed denial of service (DDoS). Many Trojans are used to manipulate files on the victim computer, manage processes, remotely run commands, intercept keystrokes, watch screen images, and restart or shut down infected hosts. Sophisticated Trojans can connect themselves to their originator or announce the Trojan infection on an Internet Relay Chat (IRC) channel.
Trojans ride on the backs of other programs and are usually installed on a system without the user's knowledge. A Trojan can be sent to a victim system in many ways, such as:
An instant messenger (IM) attachment
An email attachment
NetBIOS file sharing
A downloaded Internet program
Many fake programs purporting to be legitimate software such as freeware, spyware removal tools, system optimizers, screensavers, music, pictures, games, and videos can install a Trojan on a system just by being downloaded. Advertisements on Internet sites for free programs, music files, or video files lure a victim into installing the Trojan program; the program then has system-level access on the target system, where it can be destructive and insidious.
A backdoor is a program or a set of related programs that a hacker installs on a target system to allow access to the system at a later time. A backdoor can be embedded in a malicious Trojan. The objective of installing a backdoor on a system is to give hackers access into the system at a time of their choosing. The key is that the hacker knows how to get into the backdoor undetected and is able to use it to hack the system further and look for important information. Adding a new service is the most common technique to disguise backdoors in the Windows operating system. Before the installation of a backdoor, a hacker must investigate the system to find services that are running. Again the use of good information-gathering techniques is critical to knowing what services or programs are already running on the target system. In most cases the hacker installs the backdoor, which adds a new service and gives it an inconspicuous name or, better yet, chooses a service that's never used and that is either activated manually or completely disabled.
Remote Access Trojans (RATs) are a class of backdoors used to enable remote control over a compromised machine. They provide apparently useful functions to the user and, at the same time, open a network port on the victim computer. Once the RAT is started, it behaves as an executable file, interacting with certain Registry keys responsible for starting processes and sometimes creating its own system services. Unlike common backdoors, RATs hook themselves into the victim operating system and always come packaged with two files: the client file and the server file. The server is installed in the infected machine, and the client is used by the intruder to control the compromised system. RATs allow a hacker to take control of the target system at any time. In fact, one of the indications that a system has been exploited is unusual behavior on the system, such as the mouse moving on its own or pop-up windows appearing on an idle system.
Viruses and Worms -
Viruses and worms can be used to infect a system and modify a system to allow a hacker to gain access. Many viruses and worms carry Trojans and backdoors. In this way, a virus or worm is a carrier and allows malicious code such as Trojans and backdoors to be transferred from system to system much in the way that contact between people allows germs to spread.
A virus and a worm are similar in that they're both forms of malicious software (malware). A virus infects another executable and uses this carrier program to spread itself. The virus code is injected into the previously benign program and is spread when the program is run. Examples of virus carrier programs are macros, games, email attachments, Visual Basic scripts, and animations.
A worm is similar to a virus in many ways but does not need a carrier program. A worm can self-replicate and move from an infected host to another host. A worm spreads from system to system automatically, but a virus needs another program in order to spread.
Viruses and worms both execute without the knowledge or desire of the end user.
Session Hijacking -
Session hijacking is when a hacker takes control of a user session after the user has successfully authenticated with a server. Session hijacking involves an attacker identifying the current session IDs of a client/server communication and taking over the client's session.
Session hijacking involves the following three steps to perpetrate an attack:
Tracking the Session - The hacker identifies an open session and predicts the sequence number of the next packet.
Desynchronizing the Connection - The hacker sends the valid user's system a TCP reset (RST) or finish (FIN) packet to cause them to close their session.
Injecting the Attacker's Packet - The hacker sends the server a TCP packet with the predicted sequence number, and the server accepts it as the valid user's next packet.
Hackers can use two types of session hijacking: active and passive. The primary difference between active and passive hijacking is the hacker's level of involvement in the session.
In an active attack, an attacker finds an active session and takes over the session by using tools that predict the next sequence number used in the TCP session.
In a passive attack, an attacker hijacks a session and then watches and records all the traffic that is being sent by the legitimate user. Passive session hijacking is really no more than sniffing. It gathers information such as passwords and then uses that information to authenticate as a separate session.
SQL injection -
SQL injection occurs when an application processes user-provided data to create a SQL statement without first validating the input. The user input is then submitted to a web application database server for execution. When successfully exploited, SQL injection can give an attacker access to database content or allow the hacker to remotely execute system commands. In the worst-case scenario, the hacker can take control of the server that is hosting the database. This exploit can give a hacker access to a remote shell into the server file system. The impact of a SQL injection attack depends on where the vulnerability is in the code, how easy it is to exploit the vulnerability, and what level of access the application has to the database. Theoretically, SQL injection can occur in any type of application, but it is most commonly associated with web applications because they are most often attacked. Web applications are easy targets because by their very nature they are open to being accessed from the Internet. During a web application SQL injection attack, malicious code is inserted into a web form field or the website's code to make a system execute a command shell or other arbitrary commands. Just as a legitimate user enters queries and additions to the SQL database via a web form, the hacker can insert commands to the SQL Server through the same web form field. For example, an arbitrary command from a hacker might open a command prompt or display a table from the database. A database table may contain personal information such as credit card numbers, social security numbers, or passwords. SQL Servers are very common database servers and are used by many organizations to store confidential data. This makes a SQL Server a high-value target and therefore a system that is very attractive to hackers.
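The root cause named above is building the statement from unvalidated user input. The following is an added example (not the essay's code) of the same logon query written the vulnerable way and the safe way, run against an in-memory SQLite database with constructed rows: a quote and comment marker typed into the username field rewrites the concatenated statement, while the parameterised statement treats the same input as a plain value. An allow-list check on the username is included as a second layer of input validation.

```python
import re
import sqlite3
from typing import List

# Added example, not from the essay: the same logon query built two ways against
# a constructed in-memory database. Concatenation lets input become SQL;
# parameter binding keeps the statement fixed.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "h1"), ("bob", "h2")])  # constructed rows
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> List[str]:
    """String concatenation: whatever the user types becomes part of the statement."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password_hash = '" + password_hash + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> List[str]:
    """Parameterised query: the statement is fixed and the values are bound separately,
    so a quote or comment marker in the input is compared as text, never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (username, password_hash))]


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_username(username: str) -> bool:
    """Input validation as a second layer: reject anything outside the allowed character set."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    # A quote followed by an SQL comment marker ends the string early and discards
    # the password check in the concatenated version; the bound version is unaffected.
    crafted = "alice' --"
    print("vulnerable:", login_vulnerable(db, crafted, "wrong"))  # ['alice']
    print("safe      :", login_safe(db, crafted, "wrong"))        # []
    print("legitimate:", login_safe(db, "alice", "h1"))           # ['alice']
    print("valid name:", valid_username(crafted))                 # False
```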
Buffer overflows -
Buffer overflows are exploits that hackers use against an operating system or application; like SQL injection attacks, they're usually targeted at user input fields. A buffer overflow exploit causes a system to fail by overloading memory or executing a command shell or arbitrary code on the target system. A buffer overflow vulnerability is caused by a lack of bounds checking or a lack of input-validation sanitization in a variable field (such as on a web form). If the application doesn't check or validate the size or format of a variable before sending it to be stored in memory, an overflow vulnerability exists. The two types of buffer overflows are stack based and heap based. The stack and the heap are storage locations for user-supplied variables within a running program. Variables are stored in the stack or heap until the program needs them. Stacks are static locations of memory address space, whereas heaps are dynamic memory address spaces that occur while a program is running. A heap-based buffer overflow occurs in the lower part of the memory and overwrites other dynamic variables.
Vulnerability research -
Vulnerabilities are software mistakes: mistakes in specification and design, but mostly mistakes in programming. Any large software package will have thousands of mistakes. These vulnerabilities lie dormant in our software systems, waiting to be discovered. Once discovered, they can be used to attack systems. This is the point of security patching: eliminating known vulnerabilities. But many systems don't get patched, so the Internet is filled with known, exploitable vulnerabilities. New vulnerabilities are hot commodities. A hacker who discovers one can sell it on the black market, blackmail the vendor with disclosure, or simply publish it without regard to the consequences. Even if he does none of these, the mere fact that the vulnerability is known by someone increases the risk to every user of that software. Security engineers see the world differently than other engineers. Instead of focusing on how systems work, they focus on how systems fail, how they can be made to fail, and how to prevent, or protect against, those failures. Most software vulnerabilities don't ever appear in normal operations, only when an attacker deliberately exploits them. So security engineers need to think like attackers.
Vulnerability research is vital because it trains our next generation of computer security experts. Yes, newly discovered vulnerabilities in software and airports put us at risk, but they also give us more realistic information about how good the security actually is. And yes, there are more and less responsible, and more and less legal, ways to handle a new vulnerability. But the bad guys are constantly searching for new vulnerabilities, and if we have any hope of securing our systems, we need the good guys to be at least as competent. To me, the question isn't whether it's ethical to do vulnerability research. If someone has the skill to analyze and provide better insights into the problem, the question is whether it is ethical for him not to do vulnerability research.
Penetration Testing -
A penetration test subjects a system or a range of systems to real-life security tests. The benefit of a complete penetration suite compared to a normal vulnerability scan is that it reaches beyond a vulnerability scan test, discovers different weaknesses, and performs a much more detailed analysis.
When performing a penetration test with the SecPoint Penetrator, you have the advantage of a wide range of integrated advanced utilities to do penetration testing. This includes extensive vulnerability scanning, launching of real exploits, buffer overflow attacks, a wide range of advanced utilities and Denial of Service.
The user can perform specified attacks in high detail depending on his specific choices and needs. This is normally done via the many advanced techniques and utilities of a security consultant. No matter if you are an end user or a security consultant, the Penetrator allows you to personalize all its reports with the desired logos and text of the user's choice.
The Penetration Test Process
Discovery: The SecPoint Penetrator performs information discovery via a wide range of techniques (whois databases, scan utilities, Google data, and more) in order to gain as much information about the target system as possible. These discoveries often reveal sensitive information that can be used to perform specific attacks on a given machine.
Enumeration: Once the specific networks and systems are identified through discovery, it is important to gain as much information as possible about each system. The difference between enumeration and discovery depends on the state of intrusion. Enumeration is all about actively trying to obtain usernames as well as software and hardware device version information.
Vulnerability Identification: The vulnerability identification step is a very important phase in penetration testing. This allows the user to determine the weaknesses of the target system and where to launch the attacks.
Exploitation and Launching of Attacks: After the vulnerabilities are identified on the target system, it is then possible to launch the right exploits. The goal of launching exploits is to gain full access of the target system.
Denial of Service: A DoS (Denial of Service) test can be performed to test the stability of production systems in order to show whether they can be crashed or not. When performing a penetration test of a preproduction system, it is important to test its stability and how easily it can be crashed. By doing this, its stability will be ensured once it is deployed into a real environment. It is important to perform DoS testing to ensure the safety of certain systems. If an attacker takes down your system during busy or peak hours, both you and your customers can incur a significant financial loss.
Reporting: After the completion of the penetration test, it is important to get user-customized reporting suites for a technical and/or management overview. This includes the executive summary, detailed recommendations to solve the identified vulnerabilities, and official security ID numbers for the vulnerabilities. The reports come in different formats such as HTML, PDF, and XML. Furthermore, all the reports can be modified as the user chooses.
Elements of security
Confidentiality - The concealment of information or resources
Authenticity - The identification and assurance of the origin of information
Integrity - The trustworthiness of data or resources in terms of preventing improper and
Availability - The ability to use the desired information or resource
The Security, Functionality and Ease of use Triangle
The number of exploits is minimized when the number of weaknesses is reduced => Greater security.
It takes more effort to conduct the same task => Reduced functionality.
Moving the ball towards security means moving away from functionality and ease of use.
Remember This Rule!!!!
** If a hacker wants to get inside your system, he/she will and there is nothing you can do about it.
** The only thing you can do is make it harder for him to get in.
No system gives hundred percent security in a computer network. The only way to stop an attacker is to think like an attacker. Planning, design, implementation, operation and optimization are critical phases of network security, so a network security entity should cover as much of this lifecycle as possible.