Uploader: 高宏飞
Shared on 2025-12-22

Author: Karnel, Erickson

Publish Year: 2020
Language: English
File Format: PDF
File Size: 6.2 MB
Text Preview (First 20 pages)
Hacking for Beginners: Step By Step Guide to Cracking Codes Discipline, Penetration Testing, and Computer Virus. Learning Basic Security Tools On How To Ethical Hack And Grow
Karnel Erickson
© Copyright 2019 - All rights reserved. The content contained within this book may not be reproduced, duplicated or transmitted without direct written permission from the author or the publisher. Under no circumstances will any blame or legal responsibility be held against the publisher, or author, for any damages, reparation, or monetary loss due to the information contained within this book. Either directly or indirectly. Legal Notice: This book is copyright protected. This book is only for personal use. You cannot amend, distribute, sell, use, quote or paraphrase any part, or the content within this book, without the consent of the author or publisher. Disclaimer Notice: Please note the information contained within this document is for educational and entertainment purposes only. All effort has been executed to present accurate, up to date, and reliable, complete information. No warranties of any kind are declared or implied. Readers acknowledge that the author is not engaging in the rendering of legal, financial, medical or professional advice. The content within this book has been derived from various sources. Please consult a licensed professional before attempting any techniques outlined in this book. By reading this document, the reader agrees that under no circumstances is the author responsible for any losses, direct or indirect, which are incurred as a result of the use of information contained within this document, including, but not limited to, — errors, omissions, or inaccuracies.
INTRODUCTION

Congratulations on purchasing Hacking For Beginners and thank you for doing so. There are plenty of books on this subject on the market, thanks again for choosing this one! Every effort was made to ensure it is full of as much useful information as possible. Please enjoy!

How Are Victims Found? Fingerprinting, Google Hacking, and Co.

Before attacking a system, an attacker commonly gathers information about the target, if it is already known. This allows the attack to be tailored to the target and aimed at whatever weak points are present, which is what makes it effective. Depending on the attacker's target and motivation, very different kinds of systems are attacked: the spectrum ranges from unsuspecting web surfers, through web pages and servers, to corporations and governments.

The reconnaissance phase, the phase before the actual attack in which the target is scouted out, can be subdivided into passive and active reconnaissance. Passive reconnaissance means gathering information without any direct contact with the target system; active reconnaissance gathers information through direct interaction with it.

In passive reconnaissance, also called footprinting, the attacker looks for information about the target organization as a whole and tries to build a rough "footprint": the hardware in use, IP address ranges, the IP addresses of individual computers, or information about the company's employees. Active reconnaissance, or fingerprinting, profiles the individual components of a system: individual computers are probed for weak points such as open ports. The attacker thus builds a "fingerprint" of each component and tries to discover potential entry points.

The aim of this book is to introduce the techniques used in preparing an attack and to point out appropriate countermeasures. First, the various types of attackers, their motivation, and their likely choice of targets are introduced. Then the reconnaissance phase is presented in detail, with the techniques used in passive and active reconnaissance. Finally, countermeasures are shown, both general measures and those tailored specifically to the reconnaissance techniques presented here.
CHAPTER 1 – TYPES OF ATTACKERS

Attackers differ in their motivation and technical capabilities, so different types of attackers go after different types of systems with different intentions. According to [Roge], attackers can be divided into seven types, briefly presented below.

Newbie
Members of this group are new to hacking and have only basic computer and network security skills. They therefore rely on pre-built software tool kits, which are widely available on the internet and easy to find. Their attacks are consequently limited to systems for which such tool kits already exist.

Cyber Punks
Cyberpunks possess advanced software, programming, and system knowledge, and their intentions are decidedly criminal. They attack web servers to alter web pages (defacing) and are often active in spam and credit card fraud.

Internals
This group consists of current and former employees who are dissatisfied with their employer. They are usually technically savvy and can mount attacks based on their current or former job functions and responsibilities. Their attacks are directed against their current or former employer, because that is where their insider knowledge of the systems applies.

Coders
This group has extensive technical knowledge and is able to find security vulnerabilities and write programs that exploit them (so-called exploits).

Old Guard Hackers
This group does not necessarily pursue criminal intentions but is guided by the hacker ethic of the first generation of hackers. According to [Raym03], this ethic holds that information should be freely available and that breaking into computer systems is acceptable as long as no criminal purpose is pursued and the motive is curiosity, fun, and the enjoyment of exploration. Legally, however, unauthorized access to computer systems is punishable regardless of the attacker's motives.

Professional Criminals and Cyber Terrorists
These groups consist of professional criminals and former intelligence-service personnel who are well trained and well equipped. They mainly engage in industrial espionage, and their targets are therefore corporate networks. Little is known about this group, and it is considered very dangerous.

Reconnaissance
Despite the differences in target selection, technical capabilities, and motivation, all types of attackers need detailed knowledge of the target system before an attack. Every attack is therefore preceded by reconnaissance: information about the target must be collected and evaluated. The techniques used for this are presented in the following chapter.

In this context, reconnaissance (German: Aufklärung) means gathering and evaluating information about a target in preparation for an attack. The attacker must select a target before the actual attack and scout it out. Passive reconnaissance gives a first impression of the target and of the subsystems in use, i.e. the individual computers. After evaluating this information, the attacker usually picks one system and investigates it in more detail to find vulnerabilities. With the help of active reconnaissance, such a concrete target can be profiled more accurately and the attack adapted to the software running on it. Reconnaissance is thus used to increase the chances that the attack will succeed.
CHAPTER 2 – PASSIVE RECONNAISSANCE AND FOOT-PRINTING

Passive reconnaissance, or footprinting, covers techniques that gather information about a target without interacting directly with the target system. Because "third-party" sources are used to obtain the information, the attacker leaves no traces on the target system, for example in the form of IP addresses in server log entries. Footprinting includes, among other things, examining the company website, possibly through a proxy to disguise one's own identity and IP address.

General Search
General information about a target can be found with ordinary search engines, web pages, or news. Important information about the technology used in the target system can be gleaned from job vacancies, since the requirements listed for network specialists point to the products in use. For an attacker it may also pay to examine the personal web pages of employees (if any) and to collect instant messaging usernames, email addresses, and phone numbers. In general, any information about the target may become useful at attack time, so during the reconnaissance phase all of it is worth collecting.

Google Hacking
Google hacking is a technique that uses the so-called "advanced" operators of search engines to find information on the web that an attacker can exploit. It can be used to find files and information residing on a web server that the search engine's web crawlers have indexed: directory listings, the exact version of the server software, information about a company's intranet, or personal information about employees. Google hacking thus exploits the fact that private or security-sensitive information has been inadvertently left on servers, that crawlers have indexed it, and that it can therefore be retrieved with a single search query. Other Google hacking queries find a company's domains, security vulnerabilities and the associated exploits, targets that match a specific exploit, usernames, passwords, or source code.

The following operators are a selection of those used in Google hacking searches:
· intitle: restricts the results to documents whose title contains the expression that directly follows
· inurl: restricts the results to documents whose URL contains the expression that directly follows
· filetype: restricts the results to documents with the given file extension; it must be combined with a search term, because the operator alone is not a valid query
· site: restricts the results to documents within the specified domain

These operators can be combined almost arbitrarily into search queries and can bring up a lot of security-relevant data. As an example, consider a query from the Google Hacking Database [Long07], which records many such queries from the network security field.

If the permissions on the server are set incorrectly and the search engine's crawlers can read the contents of the /etc/passwd file, an attacker can use such a query to find password files. The passwords in these files are not stored in plain text but as salted hashes; on modern Unix systems the hashes are kept in /etc/shadow, which is not world-readable, so an exposed /etc/passwd usually yields account names rather than hashes. Where hashes are exposed, the attacker can try to recover the passwords with a dictionary attack (hashing each candidate word with the same salt and comparing) and then log in to the discovered system with the recovered passwords. The attacker can also add each recovered password to his dictionary for further attacks.

DNS
The Domain Name System is a hierarchical, distributed database that maps a domain name to one or more IP addresses. Normally the IP address stays hidden from the user, but it can be queried explicitly and used as a starting point for further searches: for the IP address range of an organization, or for WHOIS queries. [Mock87]

WHOIS queries
The NICNAME/WHOIS protocol is used to query distributed databases that provide a directory of registered domains and IP addresses. The original standard [HaSF85] provided for a single central database on one central server, since all domains were managed centrally by the Network Information Center. As the Internet grew, the standard was updated and a distributed database system adopted. [Daig04] The administration of the various top-level domains was also transferred to several registries, each of which maintains its own WHOIS database. WHOIS queries can be made with various tools or via web interfaces.

DENIC (the German Network Information Center) is responsible for assigning and administering .de domains. According to [DENI07], its database returned the following for a WHOIS query on a domain:
· Holder: the domain owner, who is DENIC's contracting party and has the substantive rights to the domain.
· Admin-C: the administrative contact named by the domain owner and authorized towards DENIC to make binding decisions about the domain. This matters when the domain owner is not a person but a company or organization.
· Tech-C: the technical maintainer of the domain; for private individuals with rented webspace this is usually the hosting provider. Such providers rent out webspace and operate name servers for the domains hosted there, which would be too expensive for private individuals to run themselves.
· Zone-C: the zone administrator, the technical maintainer of the domain's registered name servers, responsible for keeping them reachable. For private individuals this is usually the same provider that acts as Tech-C.

For each contact, name, organization, address, postal code, city, country, and the timestamp of the last change are listed. Phone number, fax number, and email address are optional for Holder and Admin-C but always shown for Tech-C and Zone-C. In addition, technical information such as the domain's expiration date and at least two name servers are listed for each domain. Note that since 2018, with the GDPR in force, DENIC and most other registries no longer show personal contact data in public WHOIS output, so this part of the record is far less informative than it was in 2007; the name servers and technical data are still returned.

The attacker can now use the listed name servers as a starting point for more intensive searches. Any listed contact details can be used for social engineering (see the Social Engineering section below), and the expiration date matters too: a domain that is allowed to lapse can be re-registered by the attacker.

If a WHOIS query is made with an IP address as the parameter, the database of the responsible Regional Internet Registry (RIR) is queried, and it returns the holder of that IP address and the address range assigned to that holder. This information is very useful for active reconnaissance, because the addresses in the range can now be examined for active systems, i.e. connected computers that respond to requests from outside.

Active Reconnaissance
Active reconnaissance covers techniques that interact directly with the target system to gather more information about it. Examples are port scanning, to find open ports on a server, and OS fingerprinting, to identify the operating system running on it. These techniques are applied to the servers discovered by passive reconnaissance. The information found about the systems in turn makes better adapted, and thus potentially more successful, attacks possible.
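The pivot from WHOIS records to a list of addresses for the active phase, as an added example that is not part of the book. The two records below are constructed in the "key: value" style that WHOIS servers return; they imitate, but are not, real DENIC or RIPE output, the hostnames are made up, and 192.0.2.0/24 is the TEST-NET-1 documentation range, so nothing here points at a real network.

```python
import ipaddress
from typing import Dict, List

# Constructed sample records (not real registry responses).
DOMAIN_RECORD = """\
% Constructed sample, not a real registry response
Domain: example.de
Nserver: ns1.example-hosting.net
Nserver: ns2.example-hosting.net
Status: connect
Changed: 2019-05-03T10:22:11+02:00
"""

IP_RECORD = """\
% Constructed sample, not a real RIR response
inetnum:        192.0.2.0 - 192.0.2.127
netname:        EXAMPLE-NET
descr:          Example GmbH office network
country:        DE
admin-c:        EX123-RIPE
tech-c:         EX124-RIPE
"""


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn a WHOIS response into {key: [values]}; keys such as Nserver repeat."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")):
            continue                        # blank lines, comments, terms-of-use text
        key, sep, value = line.partition(":")   # split at the first colon only
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def name_servers(domain_record: str) -> List[str]:
    """The name servers are the first pivot: they are the next thing to query."""
    return parse_whois(domain_record).get("nserver", [])


def inetnum_to_networks(inetnum: str) -> List[ipaddress.IPv4Network]:
    """RIR records give the range as 'first - last'; convert it to CIDR blocks."""
    first, last = (ipaddress.ip_address(part.strip()) for part in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def sweep_targets(ip_record: str) -> List[str]:
    """Every host address in the holder's range: the input list for a ping sweep."""
    fields = parse_whois(ip_record)
    targets: List[str] = []
    for net in inetnum_to_networks(fields["inetnum"][0]):
        targets.extend(str(host) for host in net.hosts())
    return targets


if __name__ == "__main__":
    print("name servers:", name_servers(DOMAIN_RECORD))
    nets = inetnum_to_networks(parse_whois(IP_RECORD)["inetnum"][0])
    print("networks:", [str(n) for n in nets], "hosts:", len(sweep_targets(IP_RECORD)))
```

The range conversion is the step the text glosses over: an inetnum does not have to fall on a CIDR boundary, and summarize_address_range splits an arbitrary first/last pair into the minimal set of blocks before the host list is expanded.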
Ping Sweeps
A ping sweep finds active systems in a network by probing every address in an IP range uniformly and recording which computers are turned on and respond to a ping request. Ping itself is implemented with the Internet Control Message Protocol (ICMP): it sends ICMP echo request packets, and an active system answers with an ICMP echo reply. Once an attacker has obtained a list of active systems in an address range through ping sweeps, those systems can be investigated further. (Many hosts and firewalls drop ICMP echo requests, so a silent address is not necessarily an unused one; a TCP probe to a common port is the usual fallback.)

Port Scanning
Once active systems have been found, the attacker can port-scan them to find open ports. An open port is one on which an application is waiting for and accepting incoming connections. A port scanner sends TCP or UDP packets to a range of ports and infers the state of each port from the responses. The responses to packets with particular flag combinations are standardized in [Info81b]. Some well-known scan types are [McSK99]:
· TCP Connect Scan: establishes a full TCP connection with the three-way handshake (SYN, SYN/ACK, ACK) to the destination port. If it succeeds, a service is running on that port and accepting connections.
· TCP SYN Scan: no connection is completed; only a SYN packet is sent to the destination port. If the system answers with SYN/ACK the port is open; if an RST/ACK comes back, nothing is listening on that port. Because the handshake is never completed, the scan does not appear as a connection or connection attempt in the application's logs. It is, however, fully visible to packet filters, intrusion detection systems, and the kernel's own connection tracking, so it is by no means invisible.
· TCP FIN Scan, TCP Xmas Tree Scan, TCP Null Scan: these send packets with only the FIN flag, with FIN, URG and PSH, and with no flags at all, respectively. According to [Info81b], a closed port answers with an RST, while an open port ignores the packet and stays silent. Silence therefore means "open or filtered", and stacks that deviate from the standard here (Windows, for example, sends an RST for every port) cannot be scanned this way.
· UDP Scan: an empty UDP packet is sent to the destination port. If an ICMP port unreachable message comes back, the port is closed; if there is no answer, the port is either open or filtered, since most UDP services do not reply to an empty datagram and a firewall may silently drop the probe.
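Interpreting probe responses the way a scanner does, plus a runnable connect scan, as an added example that is not code from the book. The classifier encodes the rules from the list above, including the "open or filtered" ambiguity of the UDP and FIN/Xmas/Null scans; the connect scan needs no privileges and is run here against a listener the example itself opens on the loopback interface, so it works offline. SYN, FIN and UDP scans need raw sockets and are not implemented here.

```python
import errno
import socket
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class PortState(Enum):
    OPEN = "open"
    CLOSED = "closed"
    FILTERED = "filtered"             # probe dropped or answered by an ICMP error: a filter is in the way
    OPEN_FILTERED = "open|filtered"   # silence that this scan type cannot resolve further


def classify(scan: str, reply: Optional[str]) -> PortState:
    """Map one probe reply to a port state, following the rules in the list above.

    scan  : 'connect', 'syn', 'fin', 'xmas', 'null' or 'udp'
    reply : 'SYN/ACK', 'RST', 'UDP' (a UDP payload came back),
            'ICMP port unreachable', 'ICMP unreachable' (any other unreachable
            code, e.g. administratively prohibited) or None (no reply at all)
    """
    if reply == "ICMP unreachable":
        return PortState.FILTERED          # something in the path answered for the host
    if scan in ("connect", "syn"):
        if reply == "SYN/ACK":
            return PortState.OPEN
        if reply == "RST":
            return PortState.CLOSED
        return PortState.FILTERED          # a SYN always draws SYN/ACK or RST unless it is dropped
    if scan in ("fin", "xmas", "null"):
        if reply == "RST":
            return PortState.CLOSED
        return PortState.OPEN_FILTERED     # RFC 793 open ports stay silent, and so do firewalls
    if scan == "udp":
        if reply == "ICMP port unreachable":
            return PortState.CLOSED
        if reply == "UDP":
            return PortState.OPEN
        return PortState.OPEN_FILTERED     # most UDP services never answer an empty datagram
    raise ValueError("unknown scan type: %r" % scan)


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, PortState]:
    """TCP connect scan: unprivileged, but each open port sees a completed
    handshake, so the probe lands in the application's own log."""
    results: Dict[int, PortState] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            err = sock.connect_ex((host, port))      # errno instead of an exception
            if err == 0:
                results[port] = PortState.OPEN       # handshake completed
            elif err == errno.ECONNREFUSED:
                results[port] = PortState.CLOSED     # the host answered with RST
            else:
                results[port] = PortState.FILTERED   # timeout or ICMP error: no definite answer
    return results


def loopback_demo() -> Tuple[int, int, Dict[int, PortState]]:
    """Scan one listening and one known-free port on 127.0.0.1. The listener is
    opened here so the example needs neither network access nor privileges."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                  # port 0: the kernel picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                                    # released: nothing listens there now
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = loopback_demo()
    for port in (open_port, closed_port):
        print(port, results[port].value)
```

Against a remote host the timeout branch is where most of the scan time goes: a dropped SYN produces no reply at all, so the scanner waits the full timeout before calling the port filtered, which is why real scanners probe many ports in parallel.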
From the open ports of a system, an attacker can identify the running applications that accept connections, and hence what the system is used for: on a web server port 80 is usually HTTP, on a mail server ports 25 and 587 are SMTP. With this knowledge the attacker can decide whether to choose this server as the target and adapt the attack to the applications present.

OS Fingerprinting
In OS fingerprinting, TCP/IP packets with specific flags are sent to a target and the responses are compared with a database to infer the operating system in use. The database contains the responses of different operating systems to these packets, as determined experimentally. OS fingerprinting exploits the fact that the TCP/IP stack, i.e. the TCP/IP implementation, differs from one operating system to another; the responses to a series of probes together form the "fingerprint". The probe types can be grouped by the kind of packet used:

TCP Probes
These probes use TCP packets carrying different flag combinations, and the target's reactions to those flags are analyzed.

FIN Probe: a packet with the FIN flag set is sent to an open port. The correct behavior is not to respond, but many implementations send an RST back. The FIN probe resembles the TCP FIN scan but assumes that only closed ports return an RST, so it only says something about the implementation when another scan has already established that the probed port is open.

TCP ISN Sampling: here the attacker tries to determine how the TCP implementation chooses the initial sequence number of a connection, which differs by operating system. Older Unix systems increased the ISN in 64K steps, newer ones used random increments, Linux chose random numbers, and Microsoft used a time-dependent method in which the ISN grew by a fixed amount per unit of time. (These characterizations date from the late 1990s; current stacks randomize the ISN per connection as described in RFC 6528, so this probe is far less discriminating than it used to be.)

TCP Timestamp: the value of the TCP timestamp option, a field carrying the sender's current clock value, is examined. Some implementations do not support the option, and those that do increase the value at different fixed rates.

TCP Options: certain TCP options are included in the probe packets. Whether they appear in the reply shows which options the implementation supports and thus narrows it down. Several options can be set and tested in a single packet.

TCP Initial Window: checks the window size set in the returned packets. The window size is in some cases unique to an implementation.

ACK Value: in the response to a FIN/URG/PSH probe the ACK flag is set, and the acknowledgment number field contains a different value depending on the implementation. Most systems echo the sequence number of the received packet as the acknowledgment number, while some implementations increase it by 1.

ICMP Probes
These probes use the ICMP protocol, which exchanges error and control messages.

ICMP Error Message Quenching: some operating systems rate-limit the sending of error messages. This is tested by sending multiple packets to a closed, randomly chosen UDP port, which provokes ICMP destination unreachable errors. The implementation can then be identified from the rate at which the scanned system's error messages arrive.

ICMP Message Quoting: an ICMP error message returns part of the packet that caused the error, and implementations differ in how much of it they quote. Almost all systems send back the IP header plus eight bytes; Solaris returns somewhat more and Linux more still.

ICMP Error Message Echoing Integrity: like ICMP message quoting, this examines ICMP error messages, here specifically the quoted header fields and the checksum, which some implementations alter when they echo the packet.

Type of Service: the Type of Service field of an ICMP port unreachable message is 0 by default, but some implementations differ on this point.

IP Probes
For IP probes, fields of the IP header [Info81a] and the particular implementation's handling of fragmentation are examined.

IPID Sampling: the IP Identification field is analyzed. It contains a number that allows the fragments of a datagram to be reassembled correctly. Most operating systems increase the IP ID by 1 with each packet sent, while others choose it at random or increase it by a fixed value other than 1 (older Windows versions, for example, are known for increments of 256 because they keep the counter in host byte order).

Don't Fragment Bit: the Don't Fragment bit in the IP header forbids fragmenting the datagram. Some systems set this bit in certain cases while others do not, so the particular behavior can help identify the implementation.

Fragmentation Handling: this technique examines the reassembly of fragmented IP packets, in particular how overlapping fragments are reassembled.

Passive OS fingerprinting, a variant of the OS fingerprinting presented above, does not actively send packets but observes incoming ones. An attacker could use it by connecting to a server, making a request, and examining the packets the server sends back. Since TCP/IP implementations differ, observing and analyzing the following fields identifies the operating system [PeCh04]:
· initial TTL value (8 bit) (IP header)
· window size (16 bit) (TCP header)
· maximum segment size (16 bit) (TCP header)
· "Don't fragment" flag (1 bit) (IP header)
· sackOK option (1 bit) (TCP header)
· nop option (1 bit) (TCP header)
· window scaling option (8 bit) (TCP header)
· initial packet size (16 bit) (IP header total length)

Together these fields form a 67-bit signature that is compared with a database. Since only incoming packets are examined, the host being examined cannot notice the examination.

Mixed Forms
Some techniques can be classed both as passive reconnaissance (no direct interaction with the target) and as active reconnaissance (direct interaction with the target), or are used both during reconnaissance and during the attack itself. The best known of these hybrid forms is social engineering.

Social Engineering
Social engineering is the art of manipulating a human being into acting in the attacker's interest. [PeCh04] It is usually used to:
· gain physical access to protected resources
· obtain permissions for remote access
· access protected information
· circumvent other security controls
If social engineering is used in direct interaction with, for example, employees of the target company in order to obtain information, it counts as active reconnaissance. If the attacker does not interact with the employees directly but, say, overhears a conversation between two of them, it counts as passive reconnaissance. Social engineering can, for example, also be used to get the attacker into a protected security area.
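Building the passive signature described in the field list above from a raw SYN packet, as an added example that is not from the book. It assumes a captured IPv4/TCP SYN without link-layer header (here assembled in code, with checksums left at zero because nothing validates them), rounds the observed TTL up to the sender's likely initial value, and matches the eight fields against a tiny signature table. The two table entries and the two sample packets are constructed for illustration; they are not real p0f signatures.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Signature:
    """The eight fields from the list above, in the same order."""
    ttl: int                 # sender's initial TTL, inferred from the observed value
    window: int
    mss: Optional[int]
    df: bool
    sack_ok: bool
    nop: bool
    wscale: Optional[int]
    size: int                # IP total length of the SYN


def initial_ttl(observed: int) -> int:
    """Stacks start at 32, 64, 128 or 255 and every router hop subtracts one,
    so the initial value is the first of those at or above the observed TTL."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255


def parse_syn(packet: bytes) -> Signature:
    """Extract the signature from a raw IPv4 + TCP SYN (no link-layer header)."""
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(flags_frag & 0x4000)                    # the Don't Fragment flag bit
    tcp = packet[ihl:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    if not (off_flags & 0x002) or (off_flags & 0x010):
        raise ValueError("not a bare SYN (SYN must be set, ACK clear)")
    data_off = (off_flags >> 12) * 4
    options = tcp[20:data_off]
    mss = wscale = None
    sack_ok = nop = False
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                 # end of option list
            break
        if kind == 1:                                 # nop: single-byte padding
            nop = True
            i += 1
            continue
        length = options[i + 1]
        body = options[i + 2:i + length]
        if kind == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3:
            wscale = body[0]
        elif kind == 4:
            sack_ok = True
        i += length                                   # other options (timestamps, kind 8) are skipped
    return Signature(initial_ttl(ttl), window, mss, df, sack_ok, nop, wscale, total_len)


def build_syn(ttl: int, window: int, options: bytes, df: bool = True) -> bytes:
    """Assemble a SYN for testing; checksums stay zero because we only parse."""
    options += b"\x00" * (-len(options) % 4)          # pad options to a 32-bit boundary
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, ((tcp_len // 4) << 12) | 0x002, window, 0, 0)
    return ip + tcp + options


# Constructed signature table for this example (not real p0f data).
SIGNATURES: Dict[Signature, str] = {
    Signature(64, 64240, 1460, True, True, True, 7, 60): "Linux-like (illustrative)",
    Signature(128, 8192, 1460, True, True, True, 8, 52): "Windows-like (illustrative)",
}


def fingerprint(packet: bytes) -> str:
    return SIGNATURES.get(parse_syn(packet), "unknown")


# Constructed captures: both SYNs are "seen" seven hops away, so the TTLs are
# 64-7 and 128-7 and must be rounded back up before matching.
LINUX_SYN = build_syn(57, 64240,
                      b"\x02\x04\x05\xb4" b"\x04\x02" b"\x08\x0a" + b"\x00" * 8 + b"\x01" b"\x03\x03\x07")
WINDOWS_SYN = build_syn(121, 8192,
                        b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x08" b"\x01\x01" b"\x04\x02")

if __name__ == "__main__":
    for pkt in (LINUX_SYN, WINDOWS_SYN):
        print(parse_syn(pkt), "->", fingerprint(pkt))
```

The TTL rounding is what makes the technique usable across the Internet: the observed TTL alone would change with every route, while the inferred initial value and the option layout (the order of nop, wscale and sackOK) stay constant for a given stack.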
CHAPTER 3 – COUNTERMEASURES

This chapter discusses countermeasures against the reconnaissance techniques described above. First some general countermeasures are presented, followed by measures aimed specifically at passive reconnaissance, active reconnaissance, and social engineering.

General
General countermeasures include an applicable security policy, the removal of default files installed with the server software (sample pages, documentation, test scripts), suppressing the software name and version number in banners and error pages, and changing default settings such as default user names and passwords. It is also important to educate users about secure passwords and the handling of sensitive information. Finally, it is absolutely necessary to update the software in use regularly and to keep track of reports about security holes in it.

Passive Reconnaissance/Foot-printing
As a countermeasure against Internet research and Google hacking, it is advisable to review the contents of your own website and remove published information that is not needed. If that is not possible, sensitive files and directories must be kept away from the crawlers, because search engine crawlers index every file they can reach by following links or directory listings. A robots.txt file containing instructions for the various crawlers can influence their behavior: for example, crawlers can be asked to stay out of certain directories and not to follow certain links. Note, however, that robots.txt is only a request that well-behaved crawlers honor, and that the file itself publicly lists exactly the paths you would rather not have found. A META tag in the HTML header (<meta name="robots" content="noindex">) tells the crawlers not to put that page into the search engine's index, but the page is still served to anyone who requests it. Setting up password-protected areas (with .htaccess on Apache, for instance) actually keeps information away from crawlers and casual visitors alike. Whether a site is sufficiently protected can be checked with Google queries against your own domain. In doing so,
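Auditing what a crawler may still reach, as an added example that is not from the book. It uses the standard library's robots.txt parser on a constructed robots.txt and a constructed inventory of server paths (the www.example.com hostname, the paths and the page bodies are made up), and also detects the robots META tag. Each sensitive path ends up as exposed (crawlable, nothing stops indexing), noindex-only (crawlable, the META tag stops indexing but not download), or advertised (kept out of the index, but named in robots.txt for anyone to read); the real fix for all three is access control or removal.

```python
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for the fictitious www.example.com site.
ROBOTS_TXT = """\
User-agent: *
Disallow: /intranet/
Disallow: /backup/
""".splitlines()

# Constructed server inventory: path -> (is_sensitive, HTML served at that path).
SITE: Dict[str, Tuple[bool, str]] = {
    "/index.html": (False, "<html><head><title>Home</title></head></html>"),
    "/intranet/phonebook.html": (True, "<html><head><title>Phonebook</title></head></html>"),
    "/backup/site.tar.gz": (True, ""),
    "/old/config.php.bak": (True, ""),
    "/staff/phonebook.html": (True, '<html><head><meta name="robots" content="noindex"></head></html>'),
}


class NoindexFinder(HTMLParser):
    """Detects <meta name="robots" content="...noindex..."> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            if "noindex" in (a.get("content") or "").lower():
                self.noindex = True


def has_noindex(html: str) -> bool:
    finder = NoindexFinder()
    finder.feed(html)
    return finder.noindex


def audit(robots_lines: List[str], site: Dict[str, Tuple[bool, str]],
          base: str = "https://www.example.com", agent: str = "Googlebot") -> Dict[str, str]:
    """Classify every path from the crawler's point of view.

    exposed       sensitive and crawlable, nothing stops indexing
    noindex-only  sensitive and crawlable, META tag stops indexing but not download
    advertised    sensitive and disallowed: out of the index, but robots.txt names it
    ok            not sensitive
    """
    rp = RobotFileParser()
    rp.parse(robots_lines)            # parse() marks the file as read, so can_fetch() works
    verdicts: Dict[str, str] = {}
    for path, (sensitive, html) in site.items():
        crawlable = rp.can_fetch(agent, base + path)
        if not sensitive:
            verdicts[path] = "ok"
        elif not crawlable:
            verdicts[path] = "advertised"
        elif has_noindex(html):
            verdicts[path] = "noindex-only"
        else:
            verdicts[path] = "exposed"
    return verdicts


def needs_fixing(verdicts: Dict[str, str]) -> List[str]:
    """Everything except 'ok' still needs access control or removal."""
    return sorted(path for path, verdict in verdicts.items() if verdict != "ok")


if __name__ == "__main__":
    for path, verdict in audit(ROBOTS_TXT, SITE).items():
        print(f"{verdict:13} {path}")
```

Running the same audit with the real robots.txt and a directory walk of the document root is the practical version of the "check your own site" advice above; note that the walk, not the crawler's view, is what finds stray files such as the .bak copy that no link points to.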