Saturday, July 18, 2009

DoS and DDoS attacks. Part :- 2

In the last part, we saw what DoS and DDoS are and how they are performed. In this part, I am going to introduce the types of DoS and DDoS attacks. According to the method of exploitation, DoS attacks are classified into three groups:
1. Exploitation of vulnerabilities in the TCP/IP protocol suite.
2. Exploitation of vulnerabilities in the IPv4 implementation.
3. Exploitation with brute-force attacks.

That was the classification by method of exploitation. The other classification is more widely used and better known: it is based on the carrier or medium of the attack. Before we go on to discuss the types of DoS attacks, I recommend having basic knowledge of networking: packets, protocols, types of packets, ports and so on. If you are not familiar with these, go and prepare the basics first and then come back. Once you are comfortable with them, we move ahead.

Types of DoS attacks:
1. Ping of Death: You must have heard about ping. When we ping a target, ICMP echo requests are sent to the target, and the target responds with ICMP echo replies telling us that it is up and running. Ping is used to diagnose networks and find out what problem is going on. But this simple ping command can also be destructive. The normal size of an ICMP ping packet is not more than 100 bytes. In this type of attack, however, an ICMP ping packet is generated which is more than 65,536 bytes in size. This giant packet is sent to the target. The target cannot handle such a giant load in a single packet and simply crashes. The command to generate a ping packet of this size is:
C:\windows>ping -l 65540 targethost
Here the numerical value is the size of the ICMP packet and 'targethost' is the address of the target to which you want to send this ping request. Please note that this doesn't work on all hosts, as most of them have fixes for it.

2. Teardrop: When data is transmitted from one system to another, it is not sent in a single go. The data is broken down into packets, and each packet carries a certain range of the data. For example, if the data is 5000 bytes in size, the first packet carries bytes 1 to 1000, the second carries bytes 1001 to 2000, and so on. The information about which range of the data a packet carries is given in its header; this value is called the offset. So, the overall structure looks like this:
Packet no.   Carrying data       Offset value
1            1-1000 bytes        1-1000
2            1001-2000 bytes     1001-2000
3            2001-3000 bytes     2001-3000
4            3001-4000 bytes     3001-4000
5            4001-5000 bytes     4001-5000

When the packets are received by the target, it reassembles the data from these packets by referring to the offset field. Now we will modify the offset value in some of the packets. Note the difference in this table:

Packet no.   Carrying data       Offset value
1            1-1000 bytes        1-1500
2            1001-2000 bytes     1001-4000
3            2001-3000 bytes     2001-3000
4            3001-4000 bytes     3001-5000
5            4001-5000 bytes     4001-5000

Have you noticed the change? The offset values now overlap each other. Computers rely on this offset value to reassemble the data from the packets. What happens if a computer tries to reassemble such packets? Probably it won't be able to do so; it gets confused and crashes.
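As an added example (not part of the original post), here is a small Python checker that applies the two checks a receiving stack should make on a fragment train before reassembling it: the overlapping offsets of the Teardrop tables above, and the oversized datagram of the Ping of Death case in point 1. The fragment tuples, the constant names and the sample trains are my own constructions. Real IPv4 headers store the fragment offset in 8-byte units; this model uses plain byte offsets (written 0-based) so that the values line up with the tables.

```python
# Added example: sanity checks on an IPv4 fragment train before reassembly.
# Fragments are modelled as (byte_offset, payload_length, more_fragments)
# tuples. Real IP headers store the offset in 8-byte units; plain byte
# offsets are used here so that the values line up with the tables above.
from typing import List, Tuple

MAX_DATAGRAM = 65535  # largest size the 16-bit IPv4 length field can describe

Fragment = Tuple[int, int, bool]  # (offset in bytes, length in bytes, more-fragments flag)

# Constructed sample: the sane train from the first Teardrop table
# (five 1000-byte pieces of a 5000-byte datagram, offsets written 0-based).
SANE_TRAIN: List[Fragment] = [
    (0, 1000, True), (1000, 1000, True), (2000, 1000, True),
    (3000, 1000, True), (4000, 1000, False),
]

# Constructed sample: the tampered offsets from the second Teardrop table,
# where fragments 1, 2 and 4 claim to reach past the next fragment's start.
TEARDROP_TRAIN: List[Fragment] = [
    (0, 1500, True), (1000, 3000, True), (2000, 1000, True),
    (3000, 2000, True), (4000, 1000, False),
]


def ping_of_death_train() -> List[Fragment]:
    """Constructed sample: a 65,568-byte ICMP datagram cut into 1480-byte pieces.

    65,568 bytes is what 'ping -l 65540' produces once the 8-byte ICMP header
    and the 20-byte IP header are added, which is more than any IPv4 datagram
    may legally be.
    """
    frags = [(i * 1480, 1480, True) for i in range(44)]  # 44 * 1480 = 65,120
    frags.append((44 * 1480, 448, False))                # 65,120 + 448 = 65,568
    return frags


def check_fragments(fragments: List[Fragment]) -> List[str]:
    """Return the problems found in a fragment train; an empty list means it is sane.

    Three things are checked, each of which a careless stack can mishandle:
    fragments that overlap data already reassembled (Teardrop), holes in the
    data, and a reassembled size beyond the 65,535-byte maximum (Ping of Death).
    """
    problems: List[str] = []
    ordered = sorted(fragments, key=lambda f: f[0])
    covered_to = 0  # end of the contiguous data reassembled so far
    for offset, length, _more in ordered:
        end = offset + length
        if offset < covered_to:
            problems.append(f"overlap: fragment at {offset} overlaps data up to {covered_to}")
        elif offset > covered_to:
            problems.append(f"gap: fragment at {offset} leaves a hole after {covered_to}")
        if end > MAX_DATAGRAM:
            problems.append(f"oversize: fragment ends at {end}, beyond {MAX_DATAGRAM}")
        covered_to = max(covered_to, end)
    if ordered and ordered[-1][2]:
        problems.append("incomplete: last fragment still has the more-fragments flag set")
    return problems


if __name__ == "__main__":
    for name, train in (("sane", SANE_TRAIN), ("teardrop", TEARDROP_TRAIN),
                        ("ping of death", ping_of_death_train())):
        print(name, check_fragments(train) or "ok")
```

The sane train produces no findings, the tampered train produces one overlap finding for every fragment that starts inside data already covered, and the oversized ping produces a single oversize finding on its last fragment. A stack that drops the whole train on any finding, rather than trying to honour the offsets, is not exposed to either attack.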

3. SYN flood: You must be aware of the TCP three-way handshake. You can read about that here. What the attacker does is send a large number of SYN requests to the server, all with spoofed source addresses. The server replies to each of these addresses with SYN/ACK and waits for the final ACK. But these spoofed addresses don't really exist, so the server keeps waiting for ACKs that will never come. In this way the server's capacity is consumed by half-open connections that will never be established, and other connections to the server fail: other people cannot connect because the server is busy waiting on thousands of ACK replies it is never going to get. Their requests are kept in the queue until the server gets a response, which causes timeouts. This is where the denial of service happens: people can't get access to the server, and the server may have to be restarted, as thousands of half-established connections are never going to be completed.

4. LAND attack: This is similar to a SYN flood, but in this case the source IP is set to the server's own address, so the source and destination addresses are the same. The server tries to reply to itself, which creates an infinite loop within the server and causes it to hang or crash, so it can't handle other requests. Please note that this doesn't work on all servers, as they have fixes for it.
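The SYN flood and LAND descriptions above both reduce to checks a defender can run over a packet capture: how many connections are stuck waiting for the final ACK, and whether any packet claims to come from the server's own socket. The following Python is an added example, not part of the original post. The packet model, the server address and the traffic sample are constructed for it, and the half-open threshold is an assumption that would be tuned against the real server's listen backlog.

```python
# Added example: spotting a SYN flood and LAND packets in a packet capture.
# Packets are modelled as named tuples; the capture below is constructed for
# this example, and the half-open threshold is an assumption to tune against
# the real server's listen backlog.
from collections import namedtuple
from typing import Dict, List

Packet = namedtuple("Packet", "ts src sport dst dport flags")

SERVER = ("10.0.0.5", 80)   # the protected listener (assumed value)
HALF_OPEN_LIMIT = 20        # alert when more half-open connections than this pile up


def sample_capture() -> List[Packet]:
    """Constructed traffic: one honest client, one LAND packet, fifty spoofed SYNs."""
    pkts = [
        Packet(0.00, "192.0.2.10", 40001, "10.0.0.5", 80, "S"),  # honest SYN
        Packet(0.01, "192.0.2.10", 40001, "10.0.0.5", 80, "A"),  # honest final ACK
        Packet(0.02, "10.0.0.5", 80, "10.0.0.5", 80, "S"),       # LAND: src == dst
    ]
    for i in range(50):  # spoofed sources that never answer the SYN/ACK
        pkts.append(Packet(1.0 + i / 1000, f"203.0.113.{i + 1}", 50000 + i,
                           "10.0.0.5", 80, "S"))
    return pkts


def analyse(packets: List[Packet]) -> Dict[str, object]:
    """Walk the capture and report half-open pressure and LAND packets."""
    half_open: Dict[tuple, float] = {}  # (src, sport) -> time the SYN arrived
    land_packets = 0
    peak = 0
    for p in packets:
        if (p.dst, p.dport) != SERVER:
            continue  # only traffic addressed to the protected listener matters
        if p.src == p.dst and p.sport == p.dport:
            land_packets += 1  # a packet claiming to come from the server's own socket
            continue
        key = (p.src, p.sport)
        if p.flags == "S":
            half_open[key] = p.ts          # a SYN/ACK goes out, the final ACK is awaited
        elif p.flags in ("A", "R") and key in half_open:
            del half_open[key]             # handshake finished (or aborted by a reset)
        peak = max(peak, len(half_open))
    return {
        "peak_half_open": peak,
        "syn_flood": peak > HALF_OPEN_LIMIT,
        "land_packets": land_packets,
        "unanswered_sources": sorted({src for src, _ in half_open}),
    }


if __name__ == "__main__":
    report = analyse(sample_capture())
    print(f"peak half-open: {report['peak_half_open']}, flood: {report['syn_flood']}, "
          f"LAND packets: {report['land_packets']}")
```

The honest client completes its handshake and drops out of the half-open table; the fifty spoofed sources never do, so the peak climbs past the limit, and the LAND packet is counted separately because a server's own address can never legitimately be the source of an inbound SYN. In production the same logic would age out entries after the SYN/ACK retransmission timeout rather than keeping them forever.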

5. Smurf attack: This also exploits ICMP echo requests and replies. Here, ICMP echo requests are sent to a large number of computers. As in the cases above, the source address is spoofed: it is set to the victim's IP. So all of these computers send their ICMP echo replies to the victim IP that was given as the source address. Now the actual victim computer starts receiving a huge number of ICMP echo replies. The victim didn't send a single ping request to any computer, yet it is getting all these replies. This flood of unexpected replies causes it to crash or hang.

6. Fraggle attack: This attack is nearly the same as Smurf, except that it uses UDP instead of ICMP. It is also called 'UDP flooding'. The whole process is the same as for Smurf. The Fraggle attack exploits the UDP echo and chargen services.
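What makes Smurf and Fraggle traffic recognisable from the victim's side is exactly what the text says: replies arrive for requests the victim never sent. The Python below, an added example rather than code from the original post, keeps track of the echo requests and UDP datagrams a protected host sends out and flags inbound ICMP echo replies and UDP echo/chargen answers that match none of them. The packet model, the protected address, the sample traffic and the "distinct senders" threshold are all constructed or assumed for this example.

```python
# Added example: flagging amplification traffic aimed at one host. The packet
# model, the protected address and the sample traffic are constructed for this
# example; the distinct-senders threshold is an assumption to tune.
from collections import namedtuple
from typing import Dict, List, Set, Tuple

# proto is "icmp" or "udp". For icmp, kind is "echo-request" or "echo-reply"
# and sport/dport carry the echo identifier and sequence number; for udp,
# kind is unused and sport/dport are the real UDP ports.
Packet = namedtuple("Packet", "src dst proto kind sport dport")

VICTIM = "198.51.100.7"          # the host we are protecting (assumed value)
REFLECTOR_PORTS = {7, 19}        # UDP echo and chargen, the services Fraggle abuses
MIN_DISTINCT_SENDERS = 10        # unsolicited traffic from this many hosts is an alert


def sample_traffic() -> List[Packet]:
    """Constructed traffic: one real ping exchange, then Smurf and Fraggle replies."""
    pkts = [
        Packet(VICTIM, "10.0.0.1", "icmp", "echo-request", 1, 1),
        Packet("10.0.0.1", VICTIM, "icmp", "echo-reply", 1, 1),
    ]
    for i in range(30):   # echo replies the victim never asked for
        pkts.append(Packet(f"192.0.2.{i + 1}", VICTIM, "icmp", "echo-reply", 7, 0))
    for i in range(20):   # UDP echo-service answers the victim never asked for
        pkts.append(Packet(f"192.0.2.{i + 1}", VICTIM, "udp", "", 7, 53000))
    return pkts


def find_amplification(packets: List[Packet]) -> Dict[str, object]:
    """Match inbound replies against requests the victim actually sent."""
    pending_ping: Set[Tuple[str, int, int]] = set()  # (peer, id, seq) awaiting a reply
    pending_udp: Set[Tuple[str, int, int]] = set()   # (peer, peer port, our port)
    smurf_senders: Set[str] = set()
    fraggle_senders: Set[str] = set()
    for p in packets:
        if p.src == VICTIM:    # outbound: remember what we asked for
            if p.proto == "icmp" and p.kind == "echo-request":
                pending_ping.add((p.dst, p.sport, p.dport))
            elif p.proto == "udp":
                pending_udp.add((p.dst, p.dport, p.sport))
        elif p.dst == VICTIM:  # inbound: is it an answer to something we sent?
            if p.proto == "icmp" and p.kind == "echo-reply":
                key = (p.src, p.sport, p.dport)
                if key in pending_ping:
                    pending_ping.discard(key)
                else:
                    smurf_senders.add(p.src)
            elif p.proto == "udp" and p.sport in REFLECTOR_PORTS:
                key = (p.src, p.sport, p.dport)
                if key in pending_udp:
                    pending_udp.discard(key)
                else:
                    fraggle_senders.add(p.src)
    return {
        "unsolicited_icmp_senders": len(smurf_senders),
        "unsolicited_udp_senders": len(fraggle_senders),
        "smurf": len(smurf_senders) >= MIN_DISTINCT_SENDERS,
        "fraggle": len(fraggle_senders) >= MIN_DISTINCT_SENDERS,
    }


if __name__ == "__main__":
    print(find_amplification(sample_traffic()))
```

The one genuine ping exchange is matched and ignored, while the thirty ICMP and twenty UDP senders that answer questions never asked trip both alerts. The count of distinct senders is the useful signal here: a single host misbehaving is a nuisance, but replies converging from many hosts is the signature of a reflected attack and the cue to rate-limit inbound echo replies and UDP small-services traffic at the border.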

So, these were the types of DoS attack. Please note that not all of these attacks will work on every server; many servers have solutions and fixes for most of them. Also, DoS attacks require a very large bandwidth, nearly 10mbps or above, and are more powerful when the bandwidth is high. Therefore, they work well on LANs, where this much speed is possible.
Here we arrive at the end of the DoS and DDoS article, which was divided into 2 sections. Hope you have liked it! Have a nice day!

DoS and DDoS attacks. Part :- 1

DoS attacks are on the rise nowadays. DoS means denial of service. In this type of attack, the target system is not actually 'hacked'. It is just flooded with an overwhelming number of synchronization requests or something similar. Sometimes, specially crafted data (packets) is sent to the target system. These things cause the target system to crash, hang or reboot simply because it can't handle that many connections or can't handle badly constructed data. DoS attacks don't 'steal' or take out any private information. What they do is damage systems, force them to reboot and cause nuisance. There are solutions against these attacks, such as port blocking, protocol blocking, address blocking etc. They can be prevented because they are generated from only one machine. But what if the attack is generated from thousands of systems worldwide? This is one of the most dangerous upcoming concepts, called 'DDoS' (Distributed Denial of Service).

Before we go on to look at what DDoS is, I will give you an example of it. This is a story about a ghost. There was a ghost hunter who was giving trouble to a ghost. Once, the ghost managed to run away and started living in a tree. Some days passed. The ghost now started attracting people towards that tree. Once they had arrived near the tree, the ghost would bite them, and from that moment the people were psychologically affected and became slaves of that monster. In this way, thousands of people were affected by the ghost. Now they would listen only to what their master ghost said. One day the ghost ordered them, "go and kill that hunter at once!" Obeying the command, the whole flock marched towards the hunter. The surprised hunter tried to remove the ghost's effect from many of them, but they were in the thousands. The hunter did not succeed, and was killed by the people who were under the control of the ghost.

So, what is the relation of this story to a DDoS attack? Can such things happen on the internet? Oh yes! They are happening! The ghost in this story is the actual main hacker. The hunter plays the role of legitimate websites, like government websites, websites of federal agencies or educational systems. And who are the slaves of the ghost? They can be any innocent PC users, anybody at all! So, how does this happen? The attacker, using one of various methods, gives out malicious programs to the mass community. These malicious programs, or malware, infect any PC they reach. Due to this infection, the infected PC starts obeying commands that come from the attacker. These infected machines are known as 'zombies' or 'bots'. Once the attacker has control over thousands of such machines situated worldwide, he gives the command to all these zombies to launch a DoS attack on a particular web server. The infected machines obey and start flooding the target. So, what happens now? This would be preventable if the floods were coming from a few machines; the server could block them. But here the flood is coming from thousands of systems worldwide. They can be from any country. How many such systems can the web server block? Finally, the same thing happens to them that happened to the hunter in the story: they have to be shut down. Many programs running on the server may crash, causing a great loss. The case is even worse when the target is an e-commerce website; they suffer tremendous losses. The only outcome of such attacks is 'nuisance', with no 'benefit' for the attacker.

Wednesday, July 15, 2009

Phishing: what is it and how it is done

Phishing is one of the easiest attacks to implement and one of the least predictable for victims. The word phishing rhymes with 'fishing', and it is nearly the same as what we do when fishing. Some kind of food is attached to one end of a line and dipped in the water. An unfortunate fish comes along and starts eating the food. At the same time, the line is pulled from the other side, causing the fish to get trapped.
The same thing happens here. The attacker uses luring or some similar technique to make the victim arrive in a fake environment. This environment is made so that the victim believes it is the original one. Please note that there may be slight differences between the original and this duplicate.
Anyway, the victim is asked to give private information here. It may be in the form of a login username and password or anything else. The way the victim is asked for the information is unchanged, so the victim gives out sensitive information because they don't notice any difference. As this is the duplicate, the attacker has control over this virtual environment. As soon as the information is received, it is stored or conveyed to the attacker in one of various ways. In the efficient traps, the victim is redirected to the original environment as if the login had been unsuccessful. The victim may even be authenticated to the original environment, leaving no doubt in their mind. In some of the less efficient traps, an error is shown to the victim, or they are even told 'we have received your private information. Thank you!' This will surely raise doubt in the victim's mind.
Phishing has a close relation with 'social engineering'. Social engineering is the process of pretending to be an authority, a professional, someone in need or someone willing to help, whom the victim can trust and give private information to for the reasons presented. It is considered the easiest to perform, as it requires little or no technical knowledge. Phishing and social engineering are very close concepts and are often implemented together.
Phishing should not be considered a technical attack, as it doesn't bypass any technical security. It is a part of hacking, but the word hacking should not be used in place of phishing, as most people mistakenly consider hacking to be defacing and disabling.
Phishing is just like stealing. Rather, it should be called 'fooling by pretending'.
Other types of hacking such as buffer overflows, XSS and SQL injection may have patches or solutions for them, but phishing can't have any patch or fix, as you cannot block each and every phishing site. Further, there are also proxies. Day by day, the web browser is becoming the only medium between you and the internet. Uploading, downloading, emailing, chatting and so on are becoming web-based (some of them used to be software- or telnet-based, like Outlook and IRC chat). Therefore, cloning them and making phishing sites is also increasing. Phishing is very difficult to block with a firewall or any such system or software. The best way to detect phishing is by a 'human'. But it is also said that "humans are the weakest link in the security chain".

Friday, July 3, 2009

Hacking : Definition

You may think "what's special in this post?". Yes, there is nothing special in this post. Actually, this post covers only the definition of hacking. Nothing else. But even the definition is not so simple. Try asking a common man, "what is hacking?". He may say "breaking into systems", "stealing information" or some such thing in one sentence. But if you ask a hacker what hacking is, he will surely get confused about what to tell you. Because when you say "hacking", they remember all the types of attacks, processes, tricks, ways and intentions of doing it. It becomes difficult to relate those things and tell them in order.
Two days ago, I also passed through the same situation. Someone asked me, "Basically, what is hacking?". Too many points gushed into my mind, but I was not able to cover all of them. This simple question may raise doubt about whether you are really a hacker or not. So, after that, I sat down and, taking into consideration all the types, ways etc., I managed to make a definition of hacking. It is not a simple sentence. It is divided into 5 sections. So, without waiting any longer, here we go with the definition.
(note: this may sound a little like lawyer's language, but I have no other alternative.)


Hacking is defined as
1. breaking into or gaining access to computers, networks, systems or accounts,
2. or/and rendering their services/processes down
3. with one of the various methods of interaction and attack
4. after which one can (not always) view, change, destroy, modify, damage or copy sensitive or insensitive data/information
5. with or without any intention of it.


So, this was the primary definition of "hacking" according to me. But there are still 5 other points in the definition. You may consider them "secondary points". Well, they are not that necessary for the definition, but they are essential for a complete definition. Here we go with the other 5 points.



6. It may involve gaining the information about the target before hacking.
7. It may also involve successful or unsuccessful attempts to keep their access to compromised systems.
8. It may also involve successful or unsuccessful attempts to clear their tracks or evidences from the compromised systems.
9. It is considered as ethical if you are doing it with permission from the target in order to test (and improve) digital security of the same and are not going to fiddle with sensitive information/data after compromise.
10. It may also involve help from insider or outsider humans or systems (with or without their intention) which contributes to a successful hacking attempt.

Please note that everyone may have a different definition of hacking. This one is good according to me. I have not copied it from any other source. It is my own.

© Vipul Chaskar, 2009.

Tuesday, June 30, 2009

How to enter hacking and become a hacker

The media has contributed to widening the gap between laymen and hackers. The image of hackers is always related to some sort of criminals sitting in front of computers and hacking something. The media imposes on people the idea that hackers are just hungry criminals on the internet who hack anything they want. Please note that "not all hackers are criminals". There are three types of hackers. I would like to discuss them before going ahead:

1. Black-hat hackers: These are underground hackers. This type of hacker actually tries to hack into computers, networks and systems. Their intention is of course bad. Many of them steal private information or alter the information or data, which can sometimes earn them a penalty or land them in jail. These hackers actually perform what the media calls "crime". Most people know only this type of hacker. But these are not the only group of people who are called hackers. There are also "white-hat" hackers.

2. White-hat hackers: These hackers know how to attack, hack or crack something. They have extensive knowledge of computer hacking and security. They are aware of the hacking tools and they actually know how to hack something. But they don't use this for bad purposes. They don't illegally hack into anything or devastate data or information. They are good people and are appointed to protect information. THEY TEST THE SECURITY OF NETWORKS AND COMPUTERS AND TRY TO INCREASE THE SECURITY AND PROTECT SENSITIVE DATA, AS THEY ARE AWARE OF HOW HACKING IS DONE. "If you know what the threat is and know how it is created, then you can do better at protecting against it". This is what white-hat hackers do. They help in tracing, detecting, blocking and eliminating the threat of black-hat hackers.

3. Gray-hat hackers: The name is self-explanatory. This type of hacker performs the tasks of both black-hat and white-hat hackers, depending on the situation. They may originally be black-hat hackers who are helping law enforcement, or white-hat hackers who are going the wrong way. They may also be people learning from underground hacker communities in order to help law enforcement and the police. This type of hacker plays an important role in attempts to hack something or to protect something.

One more thing I would like to clarify: hacking is a cyber crime (if it is illegal), but not all cyber crimes are hacking. In other words, hacking is a subset of cyber crime. There are also other types of cyber crime, such as fraud, piracy, copyright infringement, pornography etc.

Okay, now coming to the point. Please note that hacking is not that easy. It is not a game of a few clicks. It is not the case that you open a tool, give it an email ID, wait for some time and get the password of that person. Nor is it the case that you download one hacking tool and are now ready to hack anything you want. Hacking is a vast subject and itself has many core topics. It has different types of hacking, different types of attacks, different types of tricks and thousands of different tools. Yes, hacking is difficult. But not so difficult that you need to be a geek to learn it. You can learn hacking. After all, "nothing is impossible for a perfect combination of desire and perspiration". Unless you have a deep interest and strong desire for hacking, don't try to learn it. There is no age bar for learning hacking. It can be learnt at any stage of life; it depends on your willpower.

Now, let us come down to the point: how do I become a hacker? Well, the actual underground hackers have acquired their knowledge from Google. Google is the friend from which they learn hacking. Actually, just learning from Google is not satisfying, because you are not learning, you are searching for a particular thing. You need to join a course to learn hacking. There may be many local courses available for 'ethical hacking' (ethical hacking is the same as hacking, but done the white-hat way). The only internationally accepted course covering most of hacking is Certified Ethical Hacker (CEH), which is offered by EC-Council. When you complete this course, you are actually treated as a hacker. There is a condition: you cannot go black-hat and start illegal hacking after you finish this course. You must remain a white-hat or gray-hat hacker after this course. If you won't obey that, please keep using Google rather than attending this course. There are other courses about information security (not hacking!) which are also good, but for pure hacking it is the only recommended one. You can do this course and, once finished, you are actually treated as a hacker. That means you have crossed the gap between laymen and hackers and are now sitting among other hackers. Please note that this exam is not easy. People say that you need to struggle to pass it. All other details can be found on their site. The things you need to know before starting this course, the foundations for it, I will discuss in the next post about CEH.

Tuesday, June 16, 2009

Hacking Orkut

Orkut is becoming a popular social networking site nowadays. More and more people are joining Orkut regularly, especially from India and Brazil. Due to this vast number of users, the hacking of Orkut accounts is also increasing day by day. Orkut has really made great efforts to prevent hacking and has succeeded to some extent. Most of the vulnerabilities in Orkut have been removed, and they are pursuing this continuously. This growing security is also causing problems for ease of use. Still, there are some methods to hack Orkut because, as we say, the weakest link in security is of course the human. I am going to explain three methods to hack Orkut, as these are currently valid. I am not going to teach you a step-by-step process, but just tell you how it is done.
Here we go:

1. Trojans, keyloggers: This is one of the more difficult methods to implement. What you have to do is, somehow, give the victim a file containing a trojan keylogger. Once they execute it, the trojan should run and complete its primary steps properly. After that, when the victim logs on to Orkut, the trojan automatically logs their username and password and then conveys them to you by one of various methods. This seems far easier, but antivirus is one of the most difficult hurdles. Most computers today have good antivirus software, but some still lack it. There are also some non-trusted antivirus products which may not be able to detect the trojan. This trick requires knowledge and careful handling of trojans, as they may also target your own computer if programmed so. Ok, so let's move on to another trick.

2. Cookie stealing: Cookies are small pieces of information that websites store on your computer for many reasons. When you log in to Orkut, a cookie is generated. This cookie authenticates you and allows you to access your account. The cookie lasts until you log off from Orkut. What if someone gets that cookie? When he keeps that cookie on his computer and logs in to Orkut, Orkut reads that cookie. It grants the person who has the cookie access to the victim's account. Actually, this is not a fault of Orkut. So, how can someone get the cookie stored on the victim's computer? You must have heard about JavaScripts: some code that we paste into the address bar and hit Enter, and then some effect takes place. These JavaScripts are the best way to get someone's cookie. There is a specially designed JavaScript for that. If you give that JavaScript to the victim and he executes it, the attacker automatically gets the victim's cookie. Now he can log on to the victim's account without needing the username and password and can make whatever changes he wants.

3. Phishing: This is one of the most efficient and widely used tricks. Also, it is one of the easiest to implement. Here, what hackers do is send a link to the victim. If the victim clicks that link, he sees the Orkut login page. He then logs in with his username and password, and the login fails. When he tries to log in again, he gets logged in. So, now their account is hacked! What went wrong? The link the attacker sent to the victim was a duplicate copy of the Orkut login page. Anyone who logs in on that duplicate page has their email and password conveyed to the hacker in one of various ways. After their email and password are sent to the hacker, they are taken to the real Orkut login page, which says the login was not successful. So, no doubt remains in the victim's mind that they logged in to a different page. Most of the effort in this trick lies in putting up such a page and finding a service which conveys the email and password to you after they are entered in that duplicate (fake login) page. There is little awareness of this trick, so people generally fall prey to it.

After all the discussion above, I am writing below some safety measures that you must take to protect your account:

1. Always have a good antivirus and keep scanning your computer regularly. Many people think that a computer virus can't interfere with what we do in browsers. Well, to some extent that is right, but it can log the emails and passwords you type while signing in to Orkut or a similar service.

2. Don't execute any JavaScript given to you by anybody. As we discussed before, it can prove very risky for your account.

3. Don't click on any suspicious links given to you by anybody, as these may be links to fake login pages.

4. When logging in to Orkut, have a look at the address bar and confirm that it is something like this:
https://www.google.com/....... (note that it is https, which is very important)

5. Keep in mind the security question you set while creating the account, and do not disclose its answer to anybody, especially while chatting.

6. Before closing Orkut, you must click "log out". This may not matter so much, but it is recommended for keeping your account safe. There is a chance of a "man in the middle attack", but they don't occur so often.
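Two of the points above can be checked mechanically, and the following Python shows how; it is an added example, not code from the original post. The first function does what safety measure 4 asks of the reader: accept a login URL only if it is https and its host is exactly the expected one, which also catches look-alike hosts and the trick of putting the real name before an '@'. The second reads the attributes on a Set-Cookie header, because a session cookie marked HttpOnly cannot be read by page script at all, which is what the cookie-stealing method in point 2 depends on. The expected host is the one the post names; the sample URLs and cookie headers are constructed for this example.

```python
# Added example: the address-bar check from safety measure 4 done in code, plus
# a look at the flags on a session cookie, which bears on the cookie-stealing
# method above. The expected host comes from the post; the sample URLs and
# Set-Cookie headers are constructed for this example.
from typing import Dict
from urllib.parse import urlsplit

EXPECTED_HOST = "www.google.com"  # the host the post says the login page should show


def is_trusted_login_url(url: str) -> bool:
    """True only for an https URL whose host is exactly the expected one.

    urlsplit().hostname discards any user@ prefix and any port and lower-cases
    the name, so a URL that hides the real name before an '@', or uses it as
    the first label of a longer look-alike domain, is rejected.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    return parts.hostname == EXPECTED_HOST


def cookie_flags(set_cookie: str) -> Dict[str, bool]:
    """Report whether a Set-Cookie header carries the Secure and HttpOnly flags.

    Secure keeps the cookie off plain http connections; HttpOnly stops page
    script (the kind a victim might be asked to paste into the address bar)
    from reading it through document.cookie.
    """
    attributes = {part.strip().split("=", 1)[0].lower()
                  for part in set_cookie.split(";")[1:]}
    return {"secure": "secure" in attributes, "httponly": "httponly" in attributes}


# Constructed samples for the two checks (paths are placeholders, not real ones).
SAMPLE_URLS = {
    "https://www.google.com/login-placeholder": True,
    "http://www.google.com/login-placeholder": False,           # not https
    "https://www.google.com.example.net/login-placeholder": False,  # look-alike domain
    "https://www.google.com@example.net/login-placeholder": False,  # real name as userinfo
    "https://WWW.GOOGLE.COM:443/login-placeholder": True,       # case and port are harmless
}
WEAK_COOKIE = "SID=constructed-session-token; Path=/"
HARDENED_COOKIE = "SID=constructed-session-token; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{str(is_trusted_login_url(url)):5} {url}")
    print("weak:", cookie_flags(WEAK_COOKIE))
    print("hardened:", cookie_flags(HARDENED_COOKIE))
```

The URL check deliberately demands an exact host match rather than "contains google.com", since the whole point of a phishing address is to contain the familiar name somewhere. The cookie check is something only the site operator can act on, but it explains why the pasted-JavaScript method works against some sites and not others.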

So, this was a short article on how Orkut hacking is done. I hope you understood and liked it. Please remember that I have not taught you "how to hack" but "how hacking is done".