Unit 3


Tools and Methods used in Cybercrime


Tools and techniques to launch attacks against the target

Scareware

Malvertising

Clickjacking

Ransomware
Basic stages of an attack
1. Initial uncovering

2. Network probe

3. Crossing the line toward electronic crime (E-Crime)

4. Capturing the network

5. Grab the data

6. Covering tracks
Proxy Servers and Anonymizers
A proxy server is another computer on the network which acts as an intermediary
between a client and a server, or between one computer and another computer in the
network.
Attackers can also use a proxy to hide their identity.

Purpose of proxy server

1. Hide company server or systems

2. Caching

3. Filter unwanted content (ex: advertisements)

4. IP address multiplexer
Types of Proxy Server
There are many types of proxy servers available. The two most common types of
proxy servers are:

1. Forward proxy server.

2. Reverse proxy servers.

Forward proxy server: It provides proxy services to a client or a group of clients.
There are hundreds of thousands of open forward proxies on the internet.
Reverse proxy server: It does the opposite of what a forward proxy does, i.e. a
reverse proxy acts on behalf of servers. A reverse proxy hides the identity of the
servers.

Anonymizer or anonymous proxy is a tool that attempts to make activity on the
internet untraceable. In 1997 the first anonymizer software tool was created by
Lance Cottrell, developed by Anonymizer.com.

Examples of anonymizers are Tunnelbear, Proxify, Net proxy server, etc…


Phishing
Phishing is a technique for attempting to acquire sensitive data such as bank
details, ATM PIN, etc., by encouraging or requesting it through emails or websites.

How Phishing Works


Phishers work in the following ways

1. Planning

2. Setup

3. Attack

4. Collection

5. Identity theft and fraud


Types of Phishing

There are several types of Phishing Attacks, some of them are mentioned below.

1. Email Phishing

2. Spear Phishing

3. Whaling

4. Smishing

5. Vishing
Keyloggers and Spyware

A keylogger is used to capture passwords and other information while the user is
keying them in.

A keylogger is a quicker and easier way of capturing passwords and
monitoring the victim's IT-savvy behaviour.

There are two types of keyloggers namely

1. Software keyloggers
2. Hardware keyloggers
Software keyloggers
Software keyloggers are dedicated software programs that are designed to track
and log user keystrokes.

These programs can be executed on Windows, Linux, macOS and even on mobile devices.

Software keyloggers can often be installed on the computer through Trojan horses,
viruses or worms.
Hardware Keylogger
Hardware keyloggers are small hardware devices; installing them requires physical
access to the computer.

These devices are connected to the PC or keyboard and save every keystroke into
a file or in the memory of the hardware device.

For example, cybercriminals install such devices on ATM machines to capture
ATM card PINs and details.
Anti-keylogger
An anti-keylogger is a tool that can detect keyloggers installed on the computer
system and can also remove them.

Advantages of using anti-keylogger are

1. Firewalls fail to detect installed keyloggers, hence an anti-keylogger is needed
to detect them.

2. This software does not require regular updates of signature bases to work
efficiently.

3. Prevents internet banking frauds.

4. It prevents ID theft.

5. It secures E-Mail and instant messaging/chatting.


Spyware
Spyware is a type of malware that is installed on computers and collects
information about users without their knowledge.

The presence of spyware is typically hidden from the user; it is secretly installed on
the user's personal computer.

Spyware can

1. Secretly monitor the user

2. Redirect internet surfing activities

3. Change computer settings

To overcome spyware, install anti-spyware software.


Password Cracking

Password cracking is the process of using an application program to identify an
unknown or forgotten password of any computer or network resource.

Purposes of password cracking include

1. To recover a forgotten password

2. Testing the strength of a password

3. To gain unauthorized access to system


Manual process of password cracking

1. Find a valid user account

2. Create a list of possible passwords

3. Rank the passwords from high to low probability

4. Key-in each password

5. Try again until a successful password is found


Passwords can be guessed sometimes with knowledge of the user’s personal
information. Examples of guessable passwords include

1. Blank(none)

2. General passwords like password, admin, 1234567, etc.

3. Series of letters like QWERTY

4. User’s name or login name

5. Name of user’s friend/relative/pet

6. User’s birth date or birthplace

7. User's vehicle number, office number, mobile number, etc.

8. Name of a celebrity or idol

9. Simple modification of the above-mentioned passwords


Password cracking attacks can be classified into three types

1. Online attacks

2. Offline attacks

3. Non electronic attacks

Online attacks
• Use a program or script

• Attack the target machine directly

• MITM (also called bucket-brigade or Janus attack)


Offline Attacks
Performed on machines other than the target location

Requires physical access to the target for copying password files

Password Hashing process


Types of offline password attacks are

1. Dictionary attack

2. Hybrid attack

3. Brute force attack
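The offline dictionary attack against an unsalted password store, and the salted, iterated hashing that blunts it, as an added Python example that is not part of these slides. The user names, passwords and the common-password wordlist are constructed sample data chosen to mirror the guessable passwords listed above.

```python
import hashlib
import hmac
import os


def unsalted_md5(password: str) -> str:
    """Constructed weak 'password hashing process': one fast, unsalted hash."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed sample of what an offline attacker copies from the target:
# only the hashes, the plaintexts appear here purely as comments.
SAMPLE_STORE = {
    "alice": unsalted_md5("password"),     # a "general password" from the list above
    "bob":   unsalted_md5("Tr0ub4dor&3"),  # not in any short wordlist
    "carol": unsalted_md5("password"),     # same password as alice, so the same hash
}
COMMON_PASSWORDS = ["password", "admin", "1234567", "qwerty"]  # constructed wordlist


def dictionary_audit(store: dict, wordlist: list) -> dict:
    """Defender's audit that works exactly like an offline dictionary attack:
    hash every candidate once, then look each stored hash up in that table.
    Unsalted fast hashes turn cracking into one table lookup per account."""
    table = {unsalted_md5(word): word for word in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}


def hash_password(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256: the per-user salt defeats precomputed
    tables (each account needs its own) and the iterations slow every guess."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("accounts using a dictionary word:", dictionary_audit(SAMPLE_STORE, COMMON_PASSWORDS))
    stored = hash_password("password")
    print("salted record:", stored, "verifies:", verify_password("password", stored))
```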

Password cracking tools


Cain & Abel

John the Ripper

RainbowCrack

Brutus

Airsnort
Virus and Worms
A virus is malicious executable code attached to another executable file; it can
be harmless or can modify or delete data.

A virus can start on event-driven effects or time-driven effects, or can occur at
random.

A worm is a form of malware that replicates itself and can spread to different
computers via the network. It does not modify programs but replicates itself more
and more to slow down the computer system.
Types of viruses

1. Boot sector viruses

2. Program viruses

3. Multipartite viruses

4. Stealth viruses

5. Polymorphic viruses

6. Macro viruses

7. ActiveX and Java controls


Difference between Virus and Worms
Steganography
A way of data hiding

Different names of steganography are

1. Data hiding

2. Information hiding

3. Digital watermarking

Digital watermarks can be used to detect illegal copying of digital images

Steganalysis is the art and science of detecting messages that are hidden in images
How steganography works
DoS & DDoS Attacks
A denial-of-service (DoS) attack floods a server with traffic, making a website or
resource unavailable.

Classification of DoS attacks

1. Bandwidth attacks (Ex: UDP, ICMP, TCP floods)
• Try to exhaust network bandwidth

2. Logic attacks (Ex: buffer overflow, vulnerabilities in software)
• DoS attack based on vulnerabilities in software

3. Protocol attacks (Ex: SYN floods, Ping of Death, Smurf attack)
• DoS attack based on vulnerabilities in the communication protocols

4. Unintentional DoS attack (flash crowd)
• A sudden increase in genuine client traffic

• This is not a DoS attack


Types of DoS attacks

1. Flood attack (Ex: TCP, SYN, UDP, ICMP, …)

2. Ping of Death attack (malformed IP packets larger than the maximum packet size)

3. SYN attack

4. Teardrop attack (malformed IP packets with incorrect fragment offsets)

5. Smurf attack (ICMP flood with the victim's spoofed IP)

6. Nuke (malformed ICMP packets; a very old method)


TCP Handshake
TCP SYN Flood
Tools used to launch DoS attack
Jolt2

Nemesy

Targa

Crazy Pinger

Some Trouble


How to protect from DoS/DDoS attacks
Implement router filters.

Install patches to guard against TCP SYN flooding.

Disable any unused or inessential network service.

Enable quota systems on your OS if they are available.

Observe your system’s performance and establish baselines for ordinary activity.

Routinely examine your physical security with regard to your current needs.

Invest in and maintain “hot spares”.


DDoS Attack
DDoS attack means distributed denial of service: in this attack, DoS attacks are
launched from many different locations using many systems.

Tools used to launch DDoS attack

1. Trinoo

2. Tribe Flood Network(TFN)

3. Stacheldraht

4. Shaft

5. MStream
Tools for Detecting DoS/DDoS attacks

Zombie Zapper

Remote Intrusion Detector(RID)

Security Auditor’s Research Assistant(SARA)

Find_DDoS

DDoSPing
SQL Injection

SQL injection is a code-based vulnerability that allows an attacker to read and
access sensitive data from the database.

Vulnerability is present due to

1. Form input is filtered incorrectly

2. Form input is not strongly typed

Prime objective is to gain access to data in a database.

Attackers can bypass security measures of applications and use SQL queries to
modify, add, update, or delete records in a database.
A successful SQL injection attack can badly affect websites or web applications
using relational databases such as MySQL, Oracle, or SQL Server.

SQL injection generally occurs when we ask a user to input their username /
userID. Instead of a name or ID, the user gives us an SQL statement that we will
unknowingly run on our database.

Steps in an SQL injection attack

1. Search for pages that contain a form

2. Identify the vulnerable fields

3. Input crafted code into the vulnerable field

4. Use SQL commands to retrieve or place data into the database


Example of an SQL injection attack
Table name: users
Columns: user_id, first_name, last_name, pwd, ...

Task: display the first name and last name of a specific user

Query: SELECT first_name, last_name FROM users WHERE user_id='$id'


SQL injection
To list all data in the table
Query: 1' OR 1=1#

To list all table names in the database
Query: select null,table_name from information_schema.tables#

To list all column names
Query: select table_name,column_name FROM information_schema.columns#

To list the required columns in a table
Query: select user,password from users#
Preventing SQL injection attack
Input validation (use parameterized queries)

Modify error reporting

Other preventions

• No default configurations

• Isolation of the database server from the web server

• Delegate the attacks to separate servers
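The vulnerable lookup from the example above beside its parameterized-query fix, as an added Python/SQLite example that is not part of these slides. The users rows are constructed sample data; because SQLite has no MySQL-style `#` comment, the injected value is the comment-free form `1' OR '1'='1`, which yields the same always-true WHERE clause as the slide's `1' OR 1=1#`.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory copy of the slide's users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                "last_name TEXT, pwd TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "Alice", "Anand", "<hash-1>"),   # constructed rows
        (2, "Bob", "Basu", "<hash-2>"),
        (3, "Carol", "Chen", "<hash-3>"),
    ])
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_input: str) -> list:
    """The slide's query with $id pasted into the SQL text: the input can close
    the quote and append its own SQL, so the WHERE clause is attacker-controlled."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id='{user_input}'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, user_input: str) -> list:
    """Same query with a bound parameter (the slide's parameterized-query fix):
    the driver passes the input as a value, never as SQL text."""
    return con.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_input,)
    ).fetchall()


# Comment-free form of the slide's payload 1' OR 1=1# (SQLite has no '#' comment).
INJECTION = "1' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, normal id  :", lookup_vulnerable(con, "2"))
    print("vulnerable, injected   :", lookup_vulnerable(con, INJECTION))      # every row
    print("parameterized, injected:", lookup_parameterized(con, INJECTION))  # no rows
```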


Buffer overflow
A buffer is a temporary data storage area with limited storage capacity.

A buffer overflow occurs when a program tries to store more data in a buffer than
its storage capacity.

The data overflows into the adjacent buffer, which overwrites and corrupts the
data stored in that adjacent buffer.

A buffer overflow attack occurs when the amount of data that is submitted is
larger than the buffer.
Types of buffer overflow

1. Stack-based buffer overflow


2. Heap buffer overflow
Ways to minimize buffer overflow are

1. Assessment of secure code manually

2. Disable stack execution

3. Compiler tools

4. Dynamic run-time checks

5. Tools to detect buffer overflow

Tools used to protect buffer overflow

1. StackGuard

2. ProPolice

3. LibSafe
Attacks on Wireless Networks

A wireless network refers to a computer network that makes use of Radio
Frequency (RF) connections between nodes in the network.

Traditional attacks on wireless networks

1. Sniffing

2. Spoofing (MAC, IP, frame)

3. DoS

4. MITM (Man-in-the-Middle)

5. Encryption cracking
Securing wireless networks
1. Change default settings of all devices

2. Enable WPA/WEP encryption

3. Change the default SSID

4. Enable MAC address filtering

5. Disable remote login

6. Disable SSID broadcast


7. Connect only to secured wireless network

8. Upgrade router’s firmware periodically

9. Assign static IP addresses to device

10. Enable firewall

11. Turn off the network when not in use

12. Monitor wireless network security periodically


Tools to protect wireless networks

Zamzom Wireless Network Tool

AirDefense Guard

Wireless Intrusion Detection System (WIDS)

BSD-Airtools

Google Secure Access
