Third Year Diploma Courses in Computer Science & Engineering,

Computer Engineering, Computer Technology & Information

Technology Branch.

Emerging Trends in Computer

Engineering and Information
Technology
As per MSBTE ‘I’ Scheme Syllabus
ETI-22618

Unit- V Basics of Hacking

Total Marks- 12

Content:

5.1 Ethical Hacking  How Hackers Beget Ethical Hackers  Defining hacker, Malicious users
5.2 Understanding the need to hack your own systems
5.3 Understanding the dangers your systems face  Nontechnical attacks  Network-infrastructure attacks
 Operating-system attacks  Application and other specialized attacks
5.4 Obeying the Ethical hacking Principles  Working ethically  Respecting privacy  Not crashing your systems
5.5 The Ethical hacking Process  Formulating your plan  Selecting tools  Executing the plan  Evaluating
results  Moving on
5.6 Cracking the Hacker Mind-set  What You’re Up Against?  Who breaks in to computer systems?  Why
they do it?  Planning and Performing Attacks  Maintaining Anonymity

Prof. Gunwant V. Mankar

B.E(IT), M.Tech(CSE), Purs. LLB, AMIE, MIAEng, MSCI
Director
(ConnectSoft Infotech, IND)
e-mail:- [email protected]
website- www.gunwantmankar.com
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar

5.1 Ethical Hacking:

History Hacking developed alongside "Phone Phreaking", a term referred to exploration of the
phone network without authorization, and there has often been overlap between both
technology and participants. Ethical hacking is the science of testing computers and network
for security vulnerabilities and plugging the holes found before the unauthorized people get a
chance to exploit them.

 Gather Information: This is the first stage, the learns as much as he can about the intended
victim. The information is gathered from company websites, other publications and
sometimes by talking to the users of the target system.
 Plan Attack: The attackers outline how he/she intends to execute the attack
 Acquire Tools: These include computer programs that an attacker will use when launching
the attack.
 Attack: Exploit the weaknesses in the target system.
 Use acquired knowledge: Information gathered during the social engineering tactics such
as pet names, birthdates of the organization founders, etc. is used in attacks such as
password guessing.

Computer Hacking
Computer Hackers have been in existence for more than a century. Originally, "hacker" did not
carry the negative implications. In the late 1950s and early 1960s, computers were much
different than the desktop or laptop systems most people are familiar with. In those days, most
companies and universities used mainframe computers: giant, slow-moving hunks of metal
locked away in temperature-controlled glass cages. It cost thousands of dollars to maintain and
operate those machines, and programmers had to fight for access time. Because of the time and

https://www.gunwantmankar.com 1
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar
money involved, computer programmers began looking for ways to get the most out of the
machines. The best and brightest of those programmers created what they called "hacks" -
shortcuts that would modify and improve the performance of a computer's operating system or
applications and allow more tasks to be completed in a shorter time. Still, for all the negative
things hackers have done, they provide a necessary (and even valuable) service, which is
elaborated on after a brief timeline in the history of computer hacking.

How Hackers Beget Ethical Hackers

Hacker is a word that has two meanings:
 Traditionally, a hacker is someone who likes to tamper with software or electronic
systems. Hackers enjoy exploring and learning how computer systems operate. They
love discovering new ways to work electronically.
 Recently, hacker has taken on a new meaning — someone who maliciously breaks into
systems for personal gain. Technically, these criminals are crackers (criminal hackers).
Crackers break into (crack) systems with malicious intent. They are out for personal
gain: fame, profit, and even revenge. They modify, delete, and steal critical information,
often making other people miserable.

What is Hacking?
Hacking is identifying weakness in computer systems or networks to exploit its weaknesses to
gain access.
Example of Hacking: Computers have become mandatory to run a successful businesses. It is
not enough to have isolated computers systems; they need to be networked to facilitate
communication with external businesses.
 Using password cracking algorithm to gain access to a system.
 This exposes them to the outside world and hacking. Hacking means using computers
to commit fraudulent acts such as fraud, privacy invasion, stealing corporate/personal
data, etc.
 Cybercrimes cost many organizations millions of dollars every year. Businesses need
to protect themselves against such attacks.

https://www.gunwantmankar.com 2
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar

Ethical Hacking is identifying weakness in computer systems and/or computer networks and
coming up with countermeasures that protect the weaknesses. Ethical hacking is a branch of
information security or information assurance which tests an organization's information
systems against a variety of attacks. Ethical hackers are also sometimes known as White Hats.

Many people are confused when the terms "Ethical" and "Hacking" are used together.
Usually the term "hacker" has a negative connotation due to media reports using incorrect
terminology.

Definition Ethical hacking:

 Refers to the act of locating weaknesses and vulnerabilities of computer and
information systems by duplicating the intent and actions of malicious hackers.
 known as penetration testing, intrusion testing, or red teaming.
An ethical hacker is a security professional who applies their hacking skills for defensive
purposes on behalf of the owners of information systems.

Defining hacker, Malicious users

Definition of Hacker: A Hacker is a person who finds and exploits the weakness in computer
systems and/or networks to gain access. Hackers are usually skilled computer programmers
with knowledge of computer security.

An Ethical Hacker, also known as a whitehat hacker, or simply a whitehat, is a security

professional who applies their hacking skills for defensive purposes on behalf of the owners of
information systems. Nowadays, certified ethical hackers are among the most sought after
information security employees in large organizations such as Wipro, Infosys, IBM, Airtel and
Reliance among others.

What Is a Malicious User?

Malicious users (or internal attackers) try to compromise computers and sensitive information
from the inside as authorized and “trusted” users. Malicious users go for systems they believe
they can compromise for fraudulent gains or revenge.

https://www.gunwantmankar.com 3
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar
 Malicious attackers are, generally known as both, hackers and malicious users.
 Malicious user means a rogue employee, contractor, intern, or other user who abuses
his or her trusted privileges .It is a common term in security circles.

https://www.gunwantmankar.com 4
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar

Why Ethical Hacking?

 Information is one of the most valuable assets of an organization. Keeping information
secured can protect an organization’s image and save an organization a lot of money.
 Hacking can lead to loss of business for organizations that deal in finance such as PayPal.
Ethical hacking puts them a step ahead of the cyber criminals who would otherwise lead to
loss of business.
Legality of Ethical Hacking
Ethical Hacking is legal if the hacker abides by the rules stipulated as above. The International
Council of E-Commerce Consultants (EC-Council) provides a certification program that tests
individual’s skills. Those who pass the examination are awarded with certificates. The
certificates are supposed to be renewed after some time.

5.2 Understanding the need to hack your own systems

To catch a thief, think like a thief. That’s the basis for ethical hacking.
The law of averages works against security. With the increased numbers and expanding
knowledge of hackers combined with the growing number of system vulnerabilities and other
unknowns, the time will come when all computer systems are hacked or compromised in some
way. Protecting your systems from the bad guys and not just the generic vulnerabilities that
everyone knows about is absolutely critical. When the hacker tricks are known, one can see

https://www.gunwantmankar.com 5
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar
how vulnerable the systems are. Hacking targets on weak security practices and undisclosed
vulnerabilities. Firewalls, encryption, and virtual private networks (VPNs) can create a false
feeling of safety. These security systems often focus on high-level vulnerabilities, such as
viruses and traffic through a firewall, without affecting how hackers work. Attacking your own
systems to discover vulnerabilities is a step to making them more secure. This is the only
proven method of greatly hardening your systems from attack. If weaknesses are not identified,
it’s a matter of time before the vulnerabilities are exploited.

Building the Foundation for Ethical Hacking

One should not forget about insider threats from malicious employees. One’s overall goals as
an ethical hacker should be as follows:
 Hack your systems in a non-destructive fashion.
 Enumerate vulnerabilities and, if necessary, prove to upper management that
vulnerabilities exist.
 Apply results to remove vulnerabilities and better secure your systems

5.3 Understanding the dangers your systems face

Systems are generally under fire from hackers around the world. It’s another to understand
specific attacks against your systems that are possible. There are some well-known attacks.
Many information-security vulnerabilities aren’t critical by themselves. However, exploiting
several vulnerabilities at the same time can take its toll.
For example, a default Windows OS configuration, a weak SQL Server administrator
password, and a server hosted on a wireless network may not be major security concerns
separately. But exploiting all three of these vulnerabilities at the same time can be a serious
issue as:
 Nontechnical attacks
 Network-infrastructure attacks
 Operating-system attacks
 Application and other specialized attacks

https://www.gunwantmankar.com 6
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar

 Nontechnical attacks
Exploits that involve manipulating people or end users and even yourself are the greatest
vulnerability within any computer or network infrastructure. Humans are trusting by nature,
which can lead to social-engineering exploits. Social engineering is defined as the exploitation
of the trusting nature of human beings to gain information for malicious purposes.
Other common and effective attacks against information systems are physical. Hackers
break into buildings, computer rooms, or other areas containing critical information or
property. Physical attacks can include dumpster diving (searching through trash cans and
dumpsters for intellectual property, passwords, network diagrams, and other information).

 Network-infrastructure attacks
Hacker attacks against network infrastructures can be easy, because many networks can be
reached from anywhere in the world via the Internet. Here are some examples of network-
infrastructure attacks:
 Connecting into a network through a rogue modem attached to a computer behind a
firewall
 Exploiting weaknesses in network transport mechanisms, such as TCP/IP and
NetBIOS.
 Flooding a network with too many requests, creating a Denial of Service (DoS) for
legitimate requests  Installing a network analyzer on a network and capturing every
packet that travels across it, revealing confidential information in clear text
 Piggybacking onto a network through an insecure wireless configuration.

 Operating-system attacks Hacking

Operating Systems (OSs) is a preferred method of the bad guys(hackers). Operating systems
comprise a large portion of hacker attacks simply because every computer has one and so many
well-known exploits can be used against them. Occasionally, some operating systems that are
more secure out of the box, such as Novell NetWare and the flavor’s of BSD UNIX are
attacked, and vulnerabilities turn up. But hackers prefer attacking operating systems like
Windows and Linux because they are widely used and better known for their vulnerabilities.
Here are some examples of attacks on operating systems:

https://www.gunwantmankar.com 7
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar

 Exploiting specific protocol implementations

 Attacking built-in authentication systems
 Breaking file-system security
 Cracking passwords and encryption mechanisms

 Application and other specialized attacks

Applications take a lot of hits by hackers. Programs such as e-mail server software and
Web applications often are beaten down:
 Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP)
applications are frequently attacked because most firewalls and other security
mechanisms are configured to allow full access to these programs from the Internet.
 Malicious software (malware) includes viruses, worms, Trojan horses, and spyware.
Malware clogs networks and takes down systems.
 Spam (junk e-mail) is wreaking havoc on system availability and storage space. And it
can carry malware. Ethical hacking helps reveal such attacks against computer systems.

5.4. Obeying the Ethical Hacking Commandments

Every ethical hacker must abide by a few basic commandments. If not, bad things can happen.

 Working ethically
The word ethical in this context can be defined as working with high professional morals and
principles. While performing ethical hacking tests against own systems or for someone who
has hired for, everything one need to do as an ethical hacker must be above board and must
support the company’s goals. No hidden agendas are allowed. Trustworthiness is the ultimate
principle. The misuse of information is absolutely forbidden. That’s what the bad guys or
hackers do.
 Respecting privacy
Treat the information gathered with the greatest respect. All information obtained during
testing from Web-application log files to clear-text passwords must be kept private. This
information shall not be used to watch into confidential corporate information or private lives.
If you sense or feel that someone should know there’s a problem, consider sharing that

https://www.gunwantmankar.com 8
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar
information with the appropriate manager. Involve others in process. This is a “watch the
watcher” system that can build trust and support ethical hacking projects.

 Not crashing your systems

One of the biggest mistakes seen when people try to hack their own systems is inadvertently
crashing their systems. The main reason for this is poor planning. These testers have not read
the documentation or misunderstand the usage and power of the security tools and techniques.

DoS-Denial of Service conditions on the systems are easily created when testing. Running too
many tests too quickly on a system causes many system lockups. Things should not be rushed
and assumed that a network or specific host can handle the beating that network scanners and
vulnerability assessment tools can be useless .
Many security-assessment tools can control how many tests are performed on a system at the
same time. These tools are especially handy if one needs to run the tests on production systems
during regular business hours. One can even create an account or system lockout condition by
social engineering, changing a password, not realizing that doing so might create a system
lockout condition.

5.5 The Ethical Hacking Process

Like practically any IT or security project, ethical hacking needs to be planned in advance.
Strategic and tactical issues in the ethical hacking process should be determined and agreed
upon. Planning is important for any amount of testing from a simple password-cracking test to
an all-out penetration test on a Web application.

 Formulating your plan

Approval for ethical hacking is essential. What isbeing done should be known and visible at
least to the decision makers. Obtaining sponsorship of the project is the first step. This could
be the manager, an executive, a customer, or even the boss. Someone is needed to back up and
sign off on the plan. Otherwise, testing may be called off unexpectedly if someone claims they
never authorized one to perform the tests.
The authorization can be as simple as an internal memo from the senior-most person or boss if
one is performing these tests on own systems. If the testing is for a customer, one should have

https://www.gunwantmankar.com 9
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar
a signed contract in place, stating the customer’s support and authorization. Get written
approval on this sponsorship as soon as possible to ensure that none of the time or effort is
wasted. This documentation works as a proof as what one is doing when someone asks or
demands.
A detailed plan is needed, but that doesn’t mean that it needs volumes of testing procedures.
One slip can crash your systems.
A well-defined scope includes the following information:
 Specific systems to be tested
 Risks that are involved
 When the tests are performed and your overall timeline
 How the tests are performed
 How much knowledge of the systems you have before you start testing
 What is done when a major vulnerability is discovered
 The specific deliverables — this includes security-assessment reports and a higher-
level report outlining the general vulnerabilities to be addressed, along with
countermeasures that should be implemented.
 When selecting systems to test, start with the most critical or vulnerable systems. For
instance, one can test computer passwords or attempt social engineering attacks before
drilling down into more detailed systems.

 Selecting tools
If one don’t have the right tools for ethical hacking, to accomplish the task is effectively
difficult. just using the right tools doesn’t mean that all vulnerabilities will be discovered.
Know the personal and technical limitations.
Many security-assessment tools generate false positives and negatives (incorrectly identifying
vulnerabilities). Some tools may miss vulnerabilities. Many tools focus on specific tests, but
no one tool can test for everything. This is why a set of specific tools are required that can call
on for the task at hand. The more are the tools , the easier ethical hacking efforts are.
Make sure the right tool is being used for the task :
 To crack passwords, one needs a cracking tool such as LC4, John the Ripper, or pwdump.
A general port scanner, such as SuperScan, may not crack passwords.

https://www.gunwantmankar.com 10
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar
 For an in-depth analysis of a Web application, a Web-application assessment tool (such as
Whisker or WebInspect) is more appropriate than a network analyzer (such as Ethereal).

When selecting the right security tool for the task, ask around. Get advice from the
colleagues and from other people online. A simple Groups search on Google
(www.google.com) or perusal of security portals, such as SecurityFocus.com,
SearchSecurity.com, and ITsecurity.com, often produces great feedback from other
security experts. Some of the widely used commercial, freeware, and open-source security
tools:
o Nmap
o EtherPeek
o SuperScan
o QualysGuard
o WebInspect
o LC4 (formerly called L0phtcrack)
o LANguard Network Security Scanner
o Network Stumbler
o ToneLoc
Here are some other popular tools:
 Internet Scanner
 Ethereal
 Nessus
 Nikto
 Kismet
 THC-Scan

The capabilities of many security and hacking tools are often misunderstood. This
misunderstanding has shed negative light on some excellent tools, such as SATAN (Security
Administrator Tool for Analysing Networks) and Nmap (Network mapper).

https://www.gunwantmankar.com 11
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar

5.6 Cracking the Hacker Mindset

Before assessing the security of systems, one may want to understand something about the
hackers mind-set. Many information security product vendors and other professionals claim
that one should protect the systems from the bad guys , both internal(Insiders) and
external(Outsiders). Knowing what hackers and malicious users want helps understand how
they work. Understanding how they work helps to look at your information systems in a whole
new way. This understanding better prepares for ethical hacking tests.

What You’re Up Against

Thanks to sensationalism in the media, public perception of hacker has transformed from
harmless tamperer to malicious criminal. Hackers often state that the public misunderstands
them, which is mostly true. It’s easy to prejudge what is not understood. Unfortunately, many
hacker stereotypes are based on misunderstanding rather than fact, and that misunderstanding
fuels a constant debate. Hackers can be classified by both their abilities and their underlying
motivations. Some are skilled, and their motivations are benign; they’re merely seeking more
knowledge. At the other end of the spectrum, hackers with malicious intent seek some form of
personal gain. Unfortunately, the negative aspects of hacking usually overshadow the positive
aspects and promote the negative stereotypes.

 Thinking like the bad guys

Malicious attackers often think and work just like thieves, kidnappers, and other organized
criminals you hear about in the news every day. The smart ones constantly devise ways to fly
under the radar and exploit even the smallest weaknesses that lead them to their target. The
following are examples of how hackers and malicious users think and work :
 Evading an intrusion prevention system by changing their MAC address or IP
address every few minutes to get further into a network without being completely
blocked
 Exploiting a physical security weakness by being aware of offices that have already
been cleaned by the cleaning crew and are unoccupied (and thus easy to access with
little chance of getting caught), which might be made obvious by, for instance, the fact
that the office blinds are opened and the curtains are pulled shut in the early morning.

https://www.gunwantmankar.com 12
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar

 Bypassing web access controls by changing a malicious site’s URL to its dotted
decimal IP address equivalent and then converting it to hexadecimal for use in the web
browser
 Using unauthorized software that would otherwise be blocked at the firewall by
changing the default TCP port that it runs on
 Setting up a wireless “evil twin” near a local Wi-Fi hotspot to entice unsuspecting
Internet surfers onto a rogue network where their information can be captured and easily
manipulated
 Using an overly trusting colleague’s user ID and password to gain access to sensitive
information that would otherwise be highly improbable to obtain
 Unplugging the power cord or Ethernet connection to a networked security
camera that monitors access to the computer room or other sensitive areas and
subsequently gaining unmonitored access
 Performing SQL injection or password cracking against a website via a neighbor’s
unprotected wireless network in order to hide the malicious user’s own identity

 Who Breaks into Computer Systems

In a world of black and white, describing the typical hacker is easy. A general stereotype
of a hacker is an antisocial, unpleasant mind-set personality. But the world has many shades of
gray and many types of hackers. Hackers are unique individuals, so an exact profile is hard to
outline. The best broad description of hackers is that all hackers aren’t equal. Each hacker has
his or her own unique motives, methods, and skills. Hacker skill levels fall into three general
categories:
 Script kiddies: These are computer beginners who take advantage of the hacker tools,
vulnerability scanners, and documentation available free on the Internet but who don’t have
any real knowledge of what’s really going on behind the scenes. They know just enough to
cause headaches but typically are very sloppy in their actions, leaving all sorts of digital
fingerprints behind.
 Criminal hackers: These are skilled criminal experts and nation states who write some of
the hacking tools, including the scripts and other programs that the script kiddies and ethical

https://www.gunwantmankar.com 13
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar
hackers use. These people also write such malware as viruses and worms. They can break
into systems and cover their tracks. Advanced hackers are often members of collectives
that prefer to remain nameless. These hackers are very secretive and share information with
their subordinates only when they are deemed worthy. Typically, for lower-ranked hackers
to be considered worthy, they must possess some unique information or prove themselves
through a high-profile hack.

Why They Do It?

Reasons:
 Hacking is a casual hobby for some hackers. They hack just to see what they can and
can’t break into, usually testing only their own systems.
 Many hackers get a kick out of outsmarting corporate and government IT and security
administrators. They thrive on making headlines and being notorious cyber outlaws.
 Hackers often promote individualism or at least the decentralization of information
because many believe that all information should be free.
 They think cyber-attacks are different from attacks in the real world. Hackers may
easily ignore or misunderstand their victims and the consequences of hacking.
 They don’t think long-term about the choices they’re making today. Many hackers say
they don’t intend to harm or profit through their bad deeds, a belief that helps them
justify their work.

 Planning and Performing Attacks

Attack styles vary widely:
 Some hackers prepare far in advance of an attack. They gather small bits of
information and methodically carry out their hacks. These hackers are the most
difficult to track.
 Other hackers — usually the inexperienced script kiddies — act before they
think through the consequences. Such hackers may try, for example, to telnet
directly into an organization’s router without hiding their identities. Other hackers
may try to launch a DoS attack against a Microsoft Exchange server without first
determining the version of Exchange or the patches that are installed. These hackers
usually are caught.

https://www.gunwantmankar.com 14
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar
 Malicious users are all over the map. Some can be quite savvy based on their
knowledge of the network and of how IT operates inside the organization. Many of
the hackers, especially advanced hackers don’t share information with the crowd.
Most hackers do much of their work independently in order to remain anonymous.

 Maintaining Anonymity
Smart attackers want to remain as low-key as possible. Covering their tracks is a priority, and
many times their success depends on them remaining unnoticed. They want to avoid raising
suspicion so they can come back and access the systems in the future. Hackers often remain
anonymous by using one of the following resources:
 Borrowed or stolen remote desktop and VPN accounts from friends or previous
employers  Public computers at libraries, schools, or kiosks at the local mall
 Open wireless networks
 Internet proxy servers
 Anonymous or disposable e-mail accounts from free e-mail services
 Open e-mail relays
 Infected computers also called zombies or bots at other organizations
 Workstations or servers on the victim’s own network If hackers use enough stepping
stones for their attacks, they are hard to trace.

Sample Multiple Choice Questions:

1) Ethical Hacking is also known as______
a. Black Hat hacking b. White hat hacking
c. Encrypting d. None of these
2) Tool(s) used by ethical hackers ______
a. Scanner b. Decoder
c. Proxy d. All of these
3) Vulnerability scanning in Ethical hacking finds________
a. Strengths b. Weakness
c. a&b d. None of these

https://www.gunwantmankar.com 15
Unit-V Basics of Hacking | ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar

4) Ethical hacking will allow to________ all the massive security breaches.
a. remove b. measure
c. reject d. None of these
5) Sequential steps hackers use are: __, ___, __, __
A) Maintaining Access
B) Reconnaissance
C) Scanning
D) Gaining Access
a. B, C, D, A b. B, A, C, D
c. A, B, C, D d. D, C, B, A

https://www.gunwantmankar.com 16