Cyber Hacker Project 1

This document discusses cyber hacking and provides an overview of hacking techniques. It describes the common seven steps of hacking: reconnaissance, probe, toehold, advancement, stealth, listening post, and takeover. Each step enables the next and involves different hacking techniques. The document also discusses common hacking tools like scanners, sniffers, spoofers and toolkits that aid in reconnaissance, probing vulnerabilities, gaining entry, and hiding the hacker's identity and source. The overview of hacking techniques aims to help network security professionals understand cyber attacks.


Dr Shakuntala Misra National Rehabilitation University

Subject: Information technology

Topic: Cyber hacking

Submitted to: Dr Vijeta Dua, Faculty of Law, D.S.M.N.R.U
Submitted by: Vaibhav Shukla, 10th semester, D.S.M.N.R.U

ACKNOWLEDGEMENT

I would like to express my special thanks of gratitude to my teacher Mrs Vijeta Dua mam, who gave me the golden opportunity to do this wonderful project of Information technology on “Cyber hacking”. I came to know about so many new things. I would also like to thank my friend who helped me a lot in finalizing this project within the limited time frame.

INTRODUCTION

Nowadays, wired networks, especially the Internet, have already become a platform to support not only high-speed data communication, but also powerful distributed computing for a variety of personal and business processes every day. However, the principles for designing and developing networks were mainly targeted at providing connection and communication capabilities, until a series of security “disasters” happened on the Internet recently, as shown in Figure 1. As a result, because security was not made an inherent part of the network design and development process, existing networks are very vulnerable to cyber attacks due to various security vulnerabilities. Such vulnerabilities, when exploited by hackers, motivate the development of a variety of hacking techniques. These hacking techniques directly lead to cyber attacks, and these cyber attacks have become a more and more serious threat to our society.

In order to better protect networks, this article tries to give an overview of a variety of hacking techniques. Naturally, the better we understand the hacker, the better networks can be protected. This article will focus on the objectives, principles, functionalities and characteristics of different types of hacking techniques in wired networks, but will not address detailed and in-depth hacking processes, which can be found in several other articles of this handbook. In addition, we only discuss well-known and published vulnerabilities and attacks. Most of these attacks have been prevented by improved protocols and systems. Although it is not possible to identify all vulnerabilities and attacks, this article will provide in-depth discussions on the common characteristics of cyber attacks, the structure and components of cyber attacks, and the relationships among cyber attacks. These discussions can help security professionals grasp the “soul” of a “new” cyber attack in an easier and quicker way.
This article is organized as follows. In Section 2, the principles of hacking are summarized. We overview the common hacking procedures, review the most used hacking toolkits, and illustrate how these tools are employed in hacking. In Section 3, we discuss how hacking techniques can be used to construct attacks on the Internet infrastructure. In Section 4, we discuss how hacking techniques can be used to construct attacks on end systems of the Internet. In Section 5, we discuss how hacking techniques can be used to construct attacks on enterprise network systems. Finally, in Section 6, we conclude this article.

PRINCIPLES OF HACKING

In this article, attacks and hacking techniques are two different concepts
that are, nevertheless, closely related to each other. An attack typically
goes through several steps or phases. In each phase, some attack actions
will be carried out by the hacker, and these attack actions will typically
involve the use of one or more hacking techniques. The hacking
techniques involved in different attack phases could be different.
Moreover, an attack or hacking (software) tool may cover several phases
of an attack and involve multiple hacking techniques.

Seven Steps of Hacking

However a network is hacked or attacked, the attacker always follows certain procedures to accomplish his objectives. In general, these procedures fall into one of the following seven steps [3]: reconnaissance, probe, toehold, advancement, stealth, listening post, and takeover, where each step is enabled or helped by its previous steps and prepares for its following steps. These seven steps can serve as a procedural classification of hacking techniques because the hacking techniques used in each step serve the same purpose and share many common characteristics.

Reconnaissance

The information of interest may include host names, host addresses, host owners, host machine types, host operating systems, network owners, network configurations, hosts in the networks, list of users, etc. An intruder may start by searching the Internet for references to the target in order to find the domain information of the target. Then the intruder can obtain further information about other machines within that domain, such as their host names and network addresses. For example, the intruder can analyze the target web pages to gather useful information about the users of the target system, because most web pages contain user information, such as contact emails or some personal information (name, address, phone number, etc.). If the intruder obtains a user account in the target system, he can begin to guess the password. Sometimes, he can even directly contact a person through phone or e-mail to acquire the person’s account information.

Probe

Probe is to detect the weaknesses of the target system in order to deploy the hacking tools.
After gathering enough information about the target, the intruder begins to probe the perimeter of the system for potential weaknesses. He can utilize remote exploit tools, which enable the intruder to conduct security surveys and automatically collect and report security-related vulnerabilities of remote hosts and networks. Using these hacking tools, the intruder can find out the remote services the target is providing, such as WWW, FTP, SMTP, finger, X server, etc., by scanning the hosts of the target network. In addition, the intruder can obtain such information as machine names, software names and version numbers. Then, he can refer to the known vulnerabilities of the detected services for further exploitation.

Toehold

Toehold is to exploit security weaknesses and gain entry into the system.
Once a vulnerability is found, the intruder will first exploit this
vulnerability to build a connection (or session) between his machine and
the target host, and then remotely execute hostile commands on the
target. (For example, the intruder can generate an X terminal emulation
on his own display.) In this way, a toehold into the target network has
been established and the intruder can go further to compromise the
system. Gaining entry into the system, the intruder can also search for
more critical system information. If the current user identification (UID)
is for a privileged user, the intruder will jump to the stealth step;
otherwise, he will get into the advancement phase.

Overview of Hacking Toolkits

In a broad sense, hacking toolkits include not only the software developed for attacks, but also the human activities for the collection of sensitive information and the penetration into the target system. In the following, we discuss fourteen types of representative hacking software and approaches.

Scanners

A scanner is a tool to obtain information about a host or a network. It is developed to probe networks and report security-related information. Serving different purposes, a scanner is used both by security administrators for securing networks and systems, and by hackers for breaking into them. Scanners can be broken down into two categories: network auditing tools and host-based auditing tools. Network auditing tools are used to scan remote hosts [21,22,24]. For example, NMAP [22] is a free open source utility for network exploration and security auditing. It can rapidly scan large networks and single hosts. NMAP uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, etc. Host-based auditing tools, working in a local system, are used to scan a local host and report its security vulnerabilities [12,27]. For example, the COPS package [12] can help identify file permission problems, easy-to-guess passwords, known vulnerable services and improperly configured services.

Sniffers and Snoopers

A sniffer monitors and logs network data [16]. The network traffic that passes through a host’s network interface usually contains user name-password pairs as well as other system information that would be useful to an intruder. In a network where data is transmitted without encryption, an intruder with physical access to the network can plug in a sniffer to monitor the network traffic and obtain the information necessary to access other hosts in the network. A snooper, also known as spyware, monitors a user’s activities by snooping on a terminal emulator session, monitoring process memory, and logging a user’s keystrokes [26]. By watching the user’s actions, an intruder can obtain useful information to attack other users on the computer or even other systems in the network.

Spoofing Tools

In a network, a data packet always contains a source address field, which can expose the source of the intruder if he sends malicious packets. Hence, in order to hide and avoid detection, the intruder uses spoofing tools to forge another source address, usually the address of another host or a nonexistent address. The spoofed address can be an IP address or a physical address, depending on the type of the network. Another use of spoofing tools is to gain access to a network from outside. If the firewall of the target network is not configured to filter out incoming packets with source addresses belonging to the local domain, it is possible for an intruder to inject packets with spoofed internal addresses through the firewall.

Password Crackers

A password cracker is a tool to find a user’s password [17,23]. It is used by both computer crackers and system administrators for recovering unknown or lost passwords. There are three major types of cracking approaches. The first type is the smart guessing cracker, which infers or guesses the password based on the user’s information, such as user name, birthday and phone number. The second is the dictionary-based cracker, which generates a large set of possible passwords, called a dictionary, from a collection of words and phrases. These two types of crackers are smart and quick, but may not work if the password is randomly generated. The third type is to enumerate and test all possible passwords in a brute-force way. When the password is extremely long, the last type of password cracker will usually take a tremendous amount of time.

Denial of Service Tools

A DoS (Denial-of-Service) tool is used by an attacker to prevent legitimate users from using their subscribed services. DoS attacks aim at a variety of services and accomplish the objective through a variety of methods [14]. Attackers can flood the target network, thereby throttling legitimate network traffic; can disrupt connections between two machines, thereby denying access to the service; can prevent a particular individual from accessing the service; and can disrupt the service to a specific system or person. Different from inappropriate use of resources, DoS tools explicitly and intentionally generate attack packets or disrupt the connections. For example, they can consume scarce or non-renewable resources with a large number of ICMP echo packets, break network connectivity with SYN flooding, alter network configuration by changing the routing information, or even physically destroy network components.

Stealth and Backdoor Tools

Backdoors are programs furtively installed in the target system. They are
malicious replacements of critical system programs that provide
authentication and system reporting services. Backdoor programs
provide continued and un-logged use of the system when being
activated, hide suspicious processes and files from the users and system
administrators, and report false system status to the users and system
administrators. They may present themselves as an existing service, such
as FTP, but implant a function to accept controls and execute commands
from the intruder. They can also be a new service, which may be
neglected because they hide their processes and do not generate
noticeable network traffic.

Malicious Applets and Scripts

A malicious applet or script is a tiny piece of code written in web-compatible computer languages, such as Java, JScript and VBScript. The code is embedded in a web page, an email or a web-based application. When a person accesses the web page or opens the email, the code is downloaded to his personal computer and executed. The code may misuse the computer’s resources, modify files on the hard disk, send fake e-mail, or steal passwords.

Bugs in Software

A piece of software is vulnerable once it is released. First, it typically contains unknown bugs. The more complex it is, the more bugs it may have. If an intruder finds a bug before it is fixed or patched, he can exploit it to hack a system. For example, an unchecked buffer size is a bug that enables buffer overflow attacks. Second, during software development, the developers usually write some code for debugging. This debugging code generally gives the developers a lot of authority. In case this code is not removed from the released version, the intruder can utilize it for attack.

Holes in Trust Management

Trust management is crucial for a large-scale security system. Due to the complexity of trust management, mistakes in managing and configuring trust relationships may happen in many cases and leave holes through which an unauthorized intruder can gain access that appears authorized. For example, a logical inconsistency could be such a hole. Assume that there are three parties: an intruder, a database, and a school. The database trusts the school, but does not trust the intruder. However, if the school trusts the intruder (maybe an adolescent student), the intruder can access the database through the school.

Social Engineering

Social engineering is a tactic to acquire access information through talking and persuasion. The target person is a user who can access the computer system desired by the intruder. The intruder may pretend to be a salesman, a consultant, a listener, a friend of the user, or whatever role the user does not suspect while they are chatting and exchanging information. The intruder thus can obtain valuable information, such as passwords, to gain access to the system.

Dumpster Diving

Trash is not trash in the eyes of a serious hacker. Trash usually contains shredded and incomplete information. The intruder can sift through the garbage of a company to find and recover the original information so that he can break into the company’s computers and networks. Sometimes, the information is used as an auxiliary to help intrusion, such as making social engineering more credible.

Classifications of Hacking Toolkits

Each of the hacking toolkits can help hackers to achieve certain objectives. They may be applied in different hacking phases, provide different information, and be used in different attack scenarios. Accordingly, we classify them and illustrate how they may be used.

Procedural Classification

As shown in Table 1, a hacking toolkit can be used in one or several
penetration steps, and different penetration steps usually need a different
set of hacking toolkits. In the reconnaissance step, an intruder wants to
gather information about the target system or network. He needs
scanners to collect information of computers, user accounts, and services
of the target. He may also apply social engineering and dumpster diving
to facilitate the information collection. Then, in the second step, he
probes the system for weaknesses. He uses scanners and sniffers to
capture the activities of the target system and network and analyze
possible security holes and vulnerabilities.
Knowing the weaknesses, the intruder tries to gain entry into the
system. In this step, the useful toolkits include spoofing tools, malicious
applets, buffer overflow tools, password crackers, etc. These tools enable
him to break into the system remotely or obtain authorized local access.
Once getting inside the system, he tries to advance from an unprivileged
account to a privileged account. In this step, he can first find some
system files containing the information of privileged accounts, and then
use password crackers to get the name-password pairs. He can also
exploit the system bugs to advance his privileges.
Now the system is under control. The intruder hurries to hide his
traces before the administrators find him. So he will use stealth and
backdoor tools to remove his traces while continuing his access to the
system. To keep monitoring the hacked system, the intruder establishes a
listening post. He uses sniffers and backdoor tools to watch system
activities and report crucial information, so that he can fully control the
compromised system and prepare for further attacks.
Finally, the intruder expands his control from a single host to other
hosts in the network. The previous tools will be used again. Scanners,
sniffers, spoofing tools, malicious applets, buffer overflow tools and
password crackers are all necessary tools for him to break into other
hosts.
Functional Classification

According to the functions of the hacking toolkits, they can be broken into four categories, namely information gathering tools, remote exploit tools, local exploit tools, and DoS tools, as shown in Table 2.
Information gathering tools are used to obtain the target’s system information before and after an attack. These tools include scanners, sniffers, backdoors, etc. Before an attack, scanners and sniffers are mostly used to detect the target’s vulnerabilities; after an attack, the intruder will monitor the compromised system’s activities and keep control of the victim by installing sniffers and backdoors.
To break into a system and obtain the desired privileges, the intruder needs either remote or local exploit tools. If the intruder does not have any account in the target system, he will use remote exploit tools, which enable the intruder to penetrate a remote host. Spoofing tools, malicious applets and buffer overflow tools are mostly employed. These tools allow the intruder to compromise the target without much prior knowledge about the target.
If the intruder already has a local account, he can use local exploit tools to gain unauthorized privileges on the computer. He can use password crackers to guess the password of the root account. If he succeeds, he gains root privilege. Another method is to exploit system bugs or un-removed debugging code. These system holes enable the intruder to execute privileged programs with only an unprivileged account.
The fourth category is denial-of-service tools. DoS tools will typically apply some information gathering (or reconnaissance) techniques first. But instead of trying to break into the target system, as both remote exploit tools and local exploit tools aim to do, DoS tools try to disrupt the services provided by the target system.

ATTACKS AGAINST THE INTERNET INFRASTRUCTURE

It is hard to give a precise meaning of the Internet infrastructure. In general, the infrastructure includes all hardware and protocols that support the communication between two hosts across networks, such as routers, gateways, fibers and cables (as hardware) and TCP, ICMP and BGP (as protocols). In this section, we use several representative attacks to demonstrate the principles of infrastructure-oriented attacks, which may directly impact our daily usage of the Internet. Readers can identify other similar attacks against the Internet infrastructure.
Figure 2 shows a diagram of a daily activity on the Internet, e.g. browsing a webpage. In this browsing procedure, a user first puts the text-based URL (Uniform Resource Locator) of the web page into his browser. His computer then sends a DNS query to the corresponding DNS server to resolve the IP address of the web server, and starts an HTTP session with the web server to retrieve the webpage. The HTTP session is based on TCP/IP communication, which ensures the feasibility and reliability of the browsing. The webpage is retrieved in a series of data packets, which are routed through a sequence of routers according to their embedded IP headers. In this process, three basic components of the Internet are involved, i.e. DNS, TCP/IP, and

Attacks against DNS

The DNS (Domain Name System) is a distributed database that provides the mapping between host names and IP addresses. A domain name is divided into a series of zones separated by periods, and all names form a name tree. For example, “www.mysite.com” is a domain name, in which “com” is one of the root zones of the name tree, “mysite” is a branch of “com”, and “www” is a branch of “mysite”. A DNS server resides at a certain level of the name tree and contains name-address mapping information of some zones and the corresponding subzones.
Forward DNS mapping means that a host queries the DNS server for the address of a domain name. Inverse DNS mapping means address-to-name mapping, i.e., a host queries for the domain name of an address. The response to a DNS query may contain the address or the name that is desired, a pointer to the proper DNS server if the information is not contained within the current zone, or an error indication if the requested record does not exist. The mapping can be multiple names to multiple addresses and vice versa. In general, hosts that use the DNS maintain a local cache to record returned DNS entries. All these records contain a Time-to-Live field set by the creator. At the end of that period, the cached record must be discarded.
In [2], a famous DNS attack is identified. The essence of the DNS attack lies in that the attacker controls a DNS server for the target zone and is able to make any malicious forward and inverse mapping. Consequently, the attacker can make the target host believe that a remote host is trusted. In early Berkeley versions of UNIX, the attacker could exploit this attack to gain access to the target host from an untrusted host [2]. To illustrate, assume that the target host is “target.com” with IP address 190.190.190.190, the attacker’s host is “attack.com” with IP address 180.180.180.180, and the target host trusts “trust.com”. Before the attack, the attacker changes the inverse mapping so that the attacker’s IP address is associated with “trust.com”. When the attacker attempts to “rlogin” to “target.com” from the attacker’s machine, the target machine will try to validate the name of the attacker’s machine, that is, it sends the DNS server a query with the attacker’s IP address. However, because the DNS has been modified by the attacker, the DNS server will reply to the target host that 180.180.180.180 is associated with the domain name “trust.com”. Hence the target host believes that one of its trusted hosts, i.e. “trust.com”, is trying to connect. Thus the remote login is accepted and the attacker obtains access. Forward DNS mapping can also fail because a compromised DNS server can return false IP addresses.
The attacker can also exploit the DNS attack to go inside a victim’s
network [15]. To illustrate, assume that “trust.com” and “target.com” are
in the same network segment. The attacker first makes a name-to-
address mapping so that “attack.com” has two IP addresses: the IP
address of “target.com”, namely 190.190.190.190, and its own IP
address 180.180.180.180. If, on host “trust.com”, the victim occasionally
visits a web page on “attack.com”, an embedded malicious applet may
be downloaded to the victim's browser and run. The applet asks to create
a network connection to “attack.com”. The victim’s Java virtual machine
first looks up the address of “attack.com” to make sure that the applet
does come from “attack.com”. Not surprisingly, the Java virtual machine
will get the IP address pair (190.190.190.190, 180.180.180.180) and it
will compare this address pair with the address of the machine from
which the applet came, i.e. 180.180.180.180. Since the pair includes the
address 180.180.180.180, the Java virtual machine allows the
connection. However, the Java virtual machine actually connects to the
first address, namely 190.190.190.190 (i.e., “target.com”). Hence, the
attacker now gets into the victim’s network with a connection from an
inside host “trust.com” to another inside host “target.com”.
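The two DNS abuses above, replayed as a defender's check. This is an added example, not code from the original article: it uses a constructed in-memory DNS table with the article's own names and addresses (target.com, attack.com, trust.com, 190.190.190.190, 180.180.180.180), plus an assumed genuine address 170.170.170.170 for trust.com. It shows why forward-confirmed reverse DNS rejects the forged inverse mapping in the rlogin case, and why pinning an applet to the address it was loaded from defeats the two-address trick.

```python
"""Defensive checks against the two DNS tricks described in the article.

Added example, not code from the original article. The records below are a
constructed, offline stand-in for DNS, already tampered with as the article
describes: the inverse mapping for the attacker's address now claims
"trust.com", and "attack.com" resolves to target.com's address first and the
attacker's own address second. 170.170.170.170 is an assumed genuine address
for trust.com.
"""
from typing import Dict, List, Optional

PTR_RECORDS: Dict[str, str] = {
    "180.180.180.180": "trust.com",    # forged by the attacker
    "190.190.190.190": "target.com",
    "170.170.170.170": "trust.com",    # genuine record (assumed)
}
A_RECORDS: Dict[str, List[str]] = {
    "trust.com": ["170.170.170.170"],
    "target.com": ["190.190.190.190"],
    "attack.com": ["190.190.190.190", "180.180.180.180"],
}
TRUSTED_HOSTS = {"trust.com"}


def reverse_lookup(ip: str) -> Optional[str]:
    """Address-to-name (inverse) mapping from the constructed table."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> List[str]:
    """Name-to-address (forward) mapping from the constructed table."""
    return A_RECORDS.get(name, [])


def rlogin_trusted_naive(client_ip: str) -> bool:
    """The weak check: trust whatever name the inverse mapping returns.

    This is the behaviour the article attributes to early Berkeley UNIX
    rlogin, and it is exactly what the forged PTR record exploits.
    """
    return reverse_lookup(client_ip) in TRUSTED_HOSTS


def rlogin_trusted_fcrdns(client_ip: str) -> bool:
    """Forward-confirmed reverse DNS: the name returned by the inverse
    mapping must itself resolve back to the connecting address. The
    attacker controls the inverse mapping for his own address but not the
    forward zone of trust.com, so the forged record is rejected.
    """
    name = reverse_lookup(client_ip)
    if name is None or name not in TRUSTED_HOSTS:
        return False
    return client_ip in forward_lookup(name)


def applet_connect(origin_ip: str, requested_host: str, pinned: bool) -> Optional[str]:
    """Decide which address an applet loaded from origin_ip may connect to.

    pinned=False reproduces the rule the article describes: if the origin
    address appears anywhere in the name's address list, allow the
    connection and use the first address, which is how the applet reaches
    target.com. pinned=True only ever connects back to the address the
    applet actually came from, whatever the name resolves to now (a
    simplified form of DNS pinning, assumed here rather than taken from the
    article). Returns the address that would be connected to, or None.
    """
    addresses = forward_lookup(requested_host)
    if origin_ip not in addresses:
        return None
    return origin_ip if pinned else addresses[0]


if __name__ == "__main__":
    attacker = "180.180.180.180"
    print("naive rlogin accepts forged PTR:", rlogin_trusted_naive(attacker))
    print("FCrDNS accepts forged PTR:", rlogin_trusted_fcrdns(attacker))
    print("unpinned applet connects to:", applet_connect(attacker, "attack.com", False))
    print("pinned applet connects to:", applet_connect(attacker, "attack.com", True))
```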

ATTACKS AGAINST END SYSTEMS OF THE INTERNET

In this section, we summarize the most famous attacks that happened recently across the Internet, as summarized in Table 3. Different from the previous section, where attacks are against the infrastructure of the Internet, the attacks in this section take advantage of the Internet infrastructure and target the hosts or end systems of the Internet. Most of these attacks exploit vulnerabilities in software, operating systems and protocols above the transport layer. They impacted hundreds of thousands of computers connected to the Internet.

CONCLUSION

In this article, we discussed a variety of hacking techniques. From the functionalities, objectives, and principles of different hacking techniques, we can summarize that the vulnerabilities of a network or system always come from two major factors, the technical factor and the human factor. The technical factor refers to imperfect designs of networks and systems, such as unencrypted data, unprotected communications, buffer overflow problems and software bugs. These deficiencies provide holes through which intruders can penetrate the system. The human factor is another important perspective. For example, users’ incautious talk can become the source that discloses critical information about the network and system. Inappropriate use of the system may let attackers sneak in. Insiders may be the most serious threat to the system.
