Tools and Methods Used in Cybercrime
By: Gurwinder Singh Jatana
Objectives
  •   Overview of steps involved in planning cybercrime.
  •   Understand proxy servers and anonymizers
  •   Understand the different types of attack
  •   Learn about Password Cracking
  •   What is the purpose of a keylogger and spyware
  •   Overview of Virus and Worms
  •   Trojan Horse and backdoors
  •   What is steganography
  •   DoS and DDoS attack
  •   SQL Injection
  •   Understand buffer overflow
  •   Overview of wireless network hacking
How Criminals plan the attack
  •   How
  •   Where
  •   When
  •   Who
Trace Vulnerabilities
  • Criminals use many tools to locate the
    vulnerabilities of their target. The target
    can be an individual or an organization.
    Criminals plan either an active or a passive attack.
  • In addition to the active/passive categories,
    attacks can be categorized as either inside
    or outside.
Inside Attacker
  • An attack originating and/or attempted
    within the security perimeter of an
    organization is an inside attack; it is
    usually attempted by an “insider” who
    gains access to more resources than
    expected.
Outside Attack
  • An outside attack is attempted by a source outside
    the security perimeter; it may be attempted by an
    insider and/or an outsider who is indirectly associated
    with the organization. It is attempted through the
    internet or a remote access connection. The following
    phases are involved in planning cybercrime:
     – Reconnaissance (Investigation)
     – Scanning and Scrutinizing (Examining) the
       gathered information, to check its validity
       and to identify the existing vulnerabilities.
     – Launching an attack.
Reconnaissance
 • The literal meaning of “Reconnaissance” is an
   act of investigation, often with the goal of finding
   something or somebody, to gain information
   about an enemy.
 • In the world of hacking, the reconnaissance phase
   begins with “Footprinting” – the preparation
   before the attack. Footprinting reveals
   vulnerabilities and provides a judgement about
   possible exploitation of those vulnerabilities.
 • An attacker attempts to gather the information in
   two phases: passive attack and active attack.
Passive Attack
  • A passive attack involves gathering information
    about a target without his/her knowledge.
  • It can be as simple as watching a building to
    identify what time employees enter the building
    premises.
  • Network sniffing is another means of passive
    attack, where network traffic is captured to
    monitor the traffic on the network: the attacker
    watches the flow of data to see what time certain
    transactions take place and where the traffic is
    going.
Active Attack
  • An active attack involves probing the network to
    discover individual hosts and to confirm the
    information (IP addresses, operating system
    type and version, and services on the network)
    gathered in the passive attack phase.
  • It involves the risk of detection and is also called
    “Rattling the doorknobs” or “Active
    reconnaissance”.
  • This gives the attacker confirmation of the
    security measures in place.
• How criminals plan a cybercrime?
  – Footprinting
  – Reconnaissance
  – Scanning and Scrutinizing
  – Launching an attack
•   Initial uncovering
•   Network probe
•   Crossing the line toward electronic crime
•   Capturing network
•   Grab the data
•   Covering tracks
Tools for covering tracks
  •   Evidence Eliminator
  •   Traceless
  •   El Slave
  •   Winzapper
  •   Tracks Eraser Pro
Proxy Server
  • A proxy server is a computer on a network
    which acts as an intermediary for
    connections with other computers on that
    network.
How a Proxy Works
 • A client connects to the proxy server and
   requests some service that is available from
   different servers; the proxy relays the request.
Purpose of a Proxy Server
  •   Keep the system behind the curtain
  •   Speed up access to a resource (Caching)
  •   IP address multiplexer
  •   To share internet connection on LAN
  •   To bypass security restrictions and filters.
Anonymizers
 • An anonymizer or anonymous proxy is a
   tool that attempts to make activity on the
   Internet untraceable.
 • The first anonymizer software tool was
   created in 1997 by Lance Cottrell,
   developed by Anonymizer.com.
 • The anonymizer hides/removes all the
   identifying information from the user's computer
   while the user surfs the internet.
Anonymizers
• Cookies are small files which are stored on a
  user's computer.
• They hold a modest amount of data specific to a
  particular client and website, and can be
  accessed either by the web server or the client
  computer.
• This allows the server to deliver a page tailored
  to a particular user, or the page itself can contain
  some script which is aware of the data in the
  cookie and so is able to carry information from
  one visit to the website (or related site) to the
  next.
Cookie
  • Persistent Cookie
  • Session Cookie
  The expiry time of a cookie can be set
  when the cookie is created.
  By default the cookie is destroyed when the
  current browser window is closed (a session
  cookie), but it can be made to persist for an
  arbitrary length of time after that (a persistent
  cookie).
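The session/persistent distinction above comes down to whether the server sends an expiry with the cookie. The following Python example is added here to make that concrete; it is not code from the slides. It uses only the standard-library `http.cookies` module, and the session identifier is a constructed placeholder. It also sets the `Secure` and `HttpOnly` attributes, which the slides do not mention but which a defender would want on any cookie that identifies a logged-in user.

```python
from http.cookies import SimpleCookie

# Constructed session identifier for the example; a real server would
# generate an unpredictable random value.
SESSION_ID = "example-session-id"


def build_set_cookie(name, value, max_age_seconds=None,
                     secure=True, http_only=True):
    """Return the value of a Set-Cookie header for a session or persistent cookie.

    With max_age_seconds=None no expiry is sent, so the browser discards the
    cookie when it closes (a session cookie). With a Max-Age the cookie is
    written to disk and survives that many seconds (a persistent cookie).
    Secure keeps the cookie off plain-HTTP requests; HttpOnly keeps page
    scripts from reading it.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    if max_age_seconds is not None:
        cookie[name]["max-age"] = max_age_seconds
    if secure:
        cookie[name]["secure"] = True
    if http_only:
        cookie[name]["httponly"] = True
    # output(header="") yields " name=value; Attr; ..." for the single morsel
    return cookie.output(header="").strip()


def is_persistent(set_cookie_value):
    """Classify a received Set-Cookie value: persistent if it carries an expiry."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_value)
    return any(m["max-age"] or m["expires"] for m in cookie.values())


def cookie_attributes(set_cookie_value):
    """Return the defensive attributes present, for auditing a server's cookies."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_value)
    found = set()
    for m in cookie.values():
        if m["secure"]:
            found.add("Secure")
        if m["httponly"]:
            found.add("HttpOnly")
    return found


if __name__ == "__main__":
    print(build_set_cookie("sid", SESSION_ID))                        # session cookie
    print(build_set_cookie("sid", SESSION_ID, max_age_seconds=3600))  # persistent cookie
```

Running the block prints the two header values; the only difference between them is the `Max-Age` attribute, which is exactly what turns a session cookie into a persistent one. `cookie_attributes` is the check to run over the `Set-Cookie` headers a site returns: a login cookie without `Secure` and `HttpOnly` is exposed to sniffing on plain HTTP and to page scripts respectively.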
Phishing
  • It is believed that “Phishing” is an alternative
    spelling of “Fishing” as in “to fish for
    information”
    Phishing Web sites are well known for suddenly appearing and then
    disappearing to reduce the risk of being traced.
Phishing
 • One of the most common forms of social
   engineering is phishing, or sending an e-mail or
   displaying a Web announcement that falsely claims
   to be from a legitimate enterprise in an attempt to
   trick the user into surrendering private information.
 • The user is asked to respond to an e-mail or is
   directed to a Web site where he is to update
   personal information. However, the Web site is
   actually a fake and is set up to steal the user’s
   information.
Fake Web Page
Steganography
 • The word Steganography comes from two
   Greek words: steganos meaning “covered”
   and graphein meaning “to write” that
   means “concealed writing”.
 • The term “cover” or “cover medium” is
   used to describe the original, innocent
   message, data, audio, still, video and so
   on.
Definition
  • Steganography is the art or science of
    writing hidden messages in such a way
    that no one apart from the intended
    recipient knows of the existence of the
    message.
  In October 2001, the New York Times published an article claiming that
  al-Qaeda had used steganography techniques to prepare and
  execute the 11 September 2001 terrorist attacks.
Steganography
Steganalysis
  • Steganalysis is the art and science of
    detecting messages that are hidden in
    images or audio/video files using
    steganography.
Password
 • Password
   – A password is like a key that gives entry into
     a computerized system, which is like a lock.
   – Sometimes referred to as a logical token
   – A secret combination of letters and numbers
     that only the user knows
 • A password should never be written down
   – It must also be of sufficient length and
     complexity so that an attacker cannot easily
     guess it (the password paradox)
Weak Password
 • Blank (None)
 • Words like “password”, “passcode” or “admin”.
 • Series of letters from the QWERTY keyboard, for example
   qwerty, asdf or qwertyuiop.
 • User’s name or login name.
 • Name of the user’s friend, relative or pet
 • User’s birth place or date of birth
 • User’s vehicle number, residence number or mobile
   number.
 • Name of a celebrity who is considered to be an idol by
   the user.
Examples of Steganography
 • Invisible ink, used in older days.
 • One could hide a text message within a
   paragraph of words, so that by isolating
   every 10th word the secret message can
   be recovered.
 • Secret messages can be hidden in digital
   data, such as .bmp or .jpg images or .wav
   audio files.
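The slides above say messages can be hidden in .bmp images and that steganalysis is the craft of detecting them, without showing either. The Python example below is added to illustrate both; it is not code from the slides. It uses the simplest image technique, least-significant-bit (LSB) substitution, on a constructed 16x8 grayscale pixel array rather than a real file, and pairs it with a deliberately simple steganalysis statistic: the share of pixels whose LSB is set. On a synthetic cover with a clean LSB plane that statistic jumps from zero as soon as anything is embedded; real photographs carry noise in the LSB plane, so practical steganalysis relies on stronger statistical tests rather than this single number.

```python
# Constructed 8-bit grayscale "image" (raw pixel bytes, 16 x 8). It is a
# smooth gradient with every value even, so its LSB plane starts out all
# zero. A real photograph carries sensor noise in the LSB plane.
WIDTH, HEIGHT = 16, 8
COVER = bytes(((x * 16 + y * 2) & 0xFE) for y in range(HEIGHT) for x in range(WIDTH))


def _bit_stream(data):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover, message):
    """Hide message in the least significant bit of successive pixels.

    A 4-byte big-endian length header precedes the message so that the
    extractor knows how many pixels to read. Each pixel changes by at most 1,
    which is invisible to the eye.
    """
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("message too long for this cover")
    stego = bytearray(cover)
    for i, bit in enumerate(_bit_stream(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def _read_bytes(lsbs, offset, count):
    """Reassemble count bytes from the LSB list starting at bit offset."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | lsbs[offset + b * 8 + k]
        out.append(value)
    return bytes(out)


def extract_lsb(stego):
    """Recover a message written by embed_lsb."""
    lsbs = [p & 1 for p in stego]
    length = int.from_bytes(_read_bytes(lsbs, 0, 4), "big")
    if 32 + length * 8 > len(lsbs):
        raise ValueError("length header does not fit the image; not a valid stego image")
    return _read_bytes(lsbs, 32, length)


def lsb_ones_fraction(image):
    """Toy steganalysis statistic: share of pixels whose LSB is set."""
    return sum(p & 1 for p in image) / len(image)


if __name__ == "__main__":
    stego = embed_lsb(COVER, b"hi")
    print(extract_lsb(stego))                 # b'hi'
    print(lsb_ones_fraction(COVER), lsb_ones_fraction(stego))
```

The point for a defender is the last line: the stego image is byte-for-byte almost identical to the cover (no pixel differs by more than 1), so visual inspection finds nothing, while a statistic over the LSB plane changes immediately. That is the general shape of steganalysis: compare the statistics of the suspect file against what an unmodified file of that kind should look like.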
Password Cracking
  • Process of recovering passwords from
    data that have been stored in or
    transmitted by a computer system.
Pwd Cracking Purpose
  • To recover a forgotten password.
  • To gain unauthorized access to a system.
  • As a preventive measure by system
    administrators to check for easily crackable
    passwords.
Manual Password Cracking
  • Find a valid user account
  • Create a list of possible passwords
  • Rank the passwords from high to low
    probability.
  • Key in each password.
  • Try again until a successful password is
    found.
Examples of Guessable Passwords
 • Blank
 • Passcode, password, admin
 • Series of letters from the QWERTY keyboard, like
   asdfg, 12345, qwertyuiop
 • User’s name
 • Name of user’s friend/relative/pet
 • User’s birth place/DOB, vehicle
   name/number
Authentication
  • To ensure the confidentiality of passwords,
    verification data is not usually stored in
    clear text; hashing functions are used.
  • When a user attempts to log in to the
    system by entering the password
  • www.defaultpassword.com
  • www.oxid.it
Pwd Cracking Attacks
  • Online Attack: The attacker creates a script
    file that is executed to try each password in
    a list; when one matches, the attacker can
    gain access to the system.
  • Man-in-the-middle attack (Eavesdropping)
…cont
 Offline attacks
 Dictionary attack: It attempts to match all the
 words from a dictionary to find the password.
 Brute force attack: It attempts all possible
 permutations and combinations of letters, numbers
 and special characters.
…cont
   – Passwords are typically stored in a hashed form,
     called a “hash”, rather than in clear text
        • Attackers try to steal the file of hashed passwords
          and then break the hashed passwords offline
Strong Password
 • A strong password is long enough, random
   or otherwise difficult to guess, yet still
   reproducible by the user who chooses it. For example:
   – jnm@357$
   – 4pRte!ai@3
Guidelines for Password Policies
  • Passwords shall be changed after 45 days.
    Most OSs can enforce password expiration
    automatically and prevent reuse of
    previous passwords.
  • A user account should be frozen after 5
    unsuccessful log-on attempts.
  • A session should be suspended after 15
    minutes of inactivity.
  • A successful logon should display the date and
    time of the last logon and logoff.
DoS and DDoS Attack
 • Denial of service (DoS) attack
   – Attempts to consume network resources so
     that the network or its devices cannot respond
     to legitimate requests.
 • Distributed denial of service (DDoS)
   attack
   – A variant of the DoS
   – May use hundreds or thousands of zombie
     computers in a botnet to flood a device with
     requests
Example
Wireless DoS attack
Goal of DoS
  • Flood a network with traffic, thereby
    preventing legitimate network traffic.
  • Disrupt the connection between two systems,
    thereby preventing access to a service.
  • Prevent a particular individual from accessing
    a service.
  • Disrupt service to a specific system or
    person.
Symptoms of DoS attacks
 •   Unusually slow network performance.
 •   Unavailability of a particular website.
 •   Inability to access any website.
 •   Dramatic increase in the number of spam e-mails.
Classification of DoS attacks
  •   Bandwidth attacks
  •   Logic attacks
  •   Protocol attacks
  •   Unintentional DoS attacks
Level of DoS attacks
  •   Flood attack
  •   Ping of Death
  •   SYN flood
  •   Teardrop
  •   Smurf
Tools for doing DoS
  •   Jolt2
  •   Nemesy
  •   Targa
  •   Crazy Pinger
How to protect from DoS
• Implement router filters.
• Disable any unused or inessential network services.
• Enable quota systems on your OS.
• Observe your system performance.
• Routinely examine physical security.
• Invest in redundant and fault-tolerant network
  configurations.
• Establish and maintain regular backups.
• Establish and maintain appropriate password
  policies.
Detection Tools DoS
  •   Zombie Zapper
  •   Remote Intrusion Detector
  •   Find_DDOS
  •   DDoSPing
Buffer Overflow
 • Buffer overflow
   – Occurs when a process attempts to store data
     in random access memory (RAM) beyond the
     boundaries of a fixed-length storage buffer
   – Extra data overflows into the adjacent
     memory locations and under certain
     conditions may cause the computer to stop
     functioning.
 • Attackers also use a buffer overflow in
   order to compromise a computer
Virus
  •   Malware
  •   Vital Information Resources Under Seize
  •   Harms the working of the system
  •   Viruses spread themselves without the
      knowledge or permission of users, to large
      numbers of programs on many machines.
Virus actions
  • Display a message prompting an action
    which may set off the virus.
  • Delete files inside the system into which
    the virus enters.
  • Scramble data on the hard disk
  • Cause erratic screen behavior
  • Halt the system
  • Just replicate themselves to propagate
    further harm.
Virus
  • Technically different from worms and
    Trojans.
  • Worms spread automatically (self-
    replicating) through networks by exploiting
    security weaknesses.
  • A Trojan appears harmless but hides
    malicious functions.
Virus Classifications
  Based on which part of the system they
  harm.
  • Boot sector
  • Program
  • Multipartite
  • Stealth virus
  • Polymorphic viruses
  • Macro virus
Virus (Boot Sector)
  • This type of virus affects the boot sector of
    a floppy or hard disk.
  • The best way of avoiding boot viruses is to
    ensure that floppy disks are write-
    protected and never start your computer
    with an unknown floppy disk in the disk
    drive.
    Examples: Polyboot.B, AntiEXE.
Program Virus (File Infectors)
  • A program virus becomes active when the
    program file (usually with extensions
    .BIN, .COM, .EXE, .OVL, .DRV) carrying
    the virus is opened.
  • Once active, the virus will make copies of
    itself and will infect other programs on the
    computer.
Stealth Virus
  It is a hidden computer virus that attacks
  operating system processes and averts
  typical anti-virus or anti-malware scans.
  Stealth viruses hide in files, partitions and
  boot sectors and are adept at deliberately
  avoiding detection.
  Stealth virus eradication requires advanced
  anti-virus software or a clean system reboot.
Polymorphic virus
  • It is a self-encrypted virus designed to
    avoid detection by a scanner.
  • Upon infection, the polymorphic
    virus duplicates itself by creating usable,
    albeit slightly modified, copies of itself.
  • Ex. Dark Avenger
Rootkit Virus (stealth)
  • It installs an unauthorized rootkit on an
    infected system, giving attackers full
    control of the system with the ability to
    fundamentally modify or disable functions
    and programs.
  • Rootkit viruses were designed to bypass
    antivirus software, which typically scanned
    only applications and files.
Multipartite Virus
  • It is a hybrid of boot sector and program
    virus.
Worm
 • Worm
   – Program designed to take advantage of a vulnerability
     in an application or an operating system in order to
     enter a system
   – Worms are different from viruses in two regards:
       • A worm can travel by itself
       • A worm does not require any user action to begin its
         execution
   – Actions that worms have performed: deleting files on
     the computer; allowing the computer to be remote-
     controlled by an attacker
Trojan Horse
  • Trojan Horse (or just Trojan)
     – Program advertised as performing one activity
       but actually does something else
     – Trojan horse programs are typically
       executable programs that contain hidden
       code that attacks the computer system
Logic Bomb
 • Logic bomb
   – A computer program or a part of a program
     that lies dormant until it is triggered by a
     specific logical event
   – Once triggered, the program can perform any
     number of malicious activities
   – Logic bombs are extremely difficult to detect
     before they are triggered
Backdoor
 • A backdoor is a means of access to a
   computer program that bypasses security
   mechanisms.
 • A backdoor works in the background and
   hides from the user. A backdoor allows an
   attacker to edit files, control computer
   hardware, steal personal information,
   record keystrokes or install a hidden FTP
   server.
How to Protect from Trojan and
Backdoors
  • Stay away from suspect websites/weblinks
  • Surf on web cautiously
  • Install antivirus/anti-Trojan software
Key logger
  • Keylogger
    – A small hardware device or a program that
      monitors each keystroke a user types on the
      computer’s keyboard
    – As the user types, the keystrokes are
      collected and saved as text
  • As a hardware device, a keylogger is a
    small device inserted between the
    keyboard connector and the computer's
    keyboard port
Hardware Key logger/grabber
Virtual Keyboard (QWERTY)
Virtual Keyboard
Key logger
  • Software keyloggers
    – Programs that silently capture all keystrokes,
      including passwords and sensitive information
    – Hide themselves so that they cannot be easily
      detected even if a user is searching for them
Spyware
 • Spyware is a type of malware that secretly
   monitors users and collects information
   about them without their knowledge.
 • The presence of spyware is typically
   hidden from the user.
SQL Injection
  • Structured Query Language (SQL) is a database
    computer language designed for managing data
    in an RDBMS.
  • SQL injection is a code injection technique that
    exploits a security vulnerability occurring in the
    database layer of an application.
  • An attacker uses SQL injection to extract data from the
    database an organization uses to store
    confidential data of employees, such as credit
    card numbers, social security numbers or
    passwords.
How it works
  • Whenever a user logs in with a username
    and password, a SQL query is sent to the
    database to check whether the user has a valid name
    and password.
  • With SQL injection, it is possible for an
    attacker to send a crafted username and/or
    password value that changes the SQL
    query.
Steps for a SQL injection attack
  • The attacker looks for web pages that
    allow submitting data, that is, login pages,
    search pages, feedback forms, etc.
  • The attacker also looks for web pages
    whose forms use HTML methods such as
    POST or GET by checking the source code.
  • The attacker looks for a FORM tag in the source
    code.
Steps for a SQL injection attack
  • The attacker enters a single quote in the
    text box provided on the web page to
    accept the user name and password.
  • The attacker uses SQL commands such as
    SELECT to retrieve data from
    the database or INSERT to add
    information to the database.
How to Prevent SQL Injection Attack
  • Input Validation: Numeric values should
    be checked while accepting a query string
    value. The function IsNumeric() may be used
    for this purpose.
  • Keep all text boxes and form fields as
    short as possible to limit the length of user
    input.
…cont.
  • Modify error reports: SQL error reports
    should not be displayed to outside users; such
    errors sometimes display the full query, pointing
    to the syntax error involved, and the
    attacker can use it for further attacks.
…cont.
  • Other Prevention: The default system
    account should never be used.
  • Isolate database server and web server,
    both should be on different machines.
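The "How it works" slide says a crafted username changes the SQL query, and the prevention slides list input validation, length limits and hidden error reports. The Python example below is added to show the vulnerable query beside the hardened one and to apply those three preventions; it is not code from the slides. It uses the standard-library `sqlite3` module with an in-memory table, and the single account and its hash value are constructed. Parameterized queries, which the slides do not mention, are the prevention that actually closes the hole: the driver sends the user's text as data, so a quote in it can never change the statement.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed account (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-hash-of-alice-password')")
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the query by string concatenation: user text becomes SQL syntax."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password_hash):
    """Parameterized query: the driver sends user text as data, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


def is_numeric(value):
    """The IsNumeric() check from the slides, for query-string values such as an id."""
    return value.isdigit()


def handle_login(conn, username, password_hash, use_safe=True, max_len=64):
    """Apply the prevention steps: length limit, parameterized query, generic errors.

    Returns (status, message). The detailed database error is only logged
    server-side; the client sees the same message for every failure.
    """
    if len(username) > max_len or len(password_hash) > max_len:
        return "denied", "Input too long"
    check = login_safe if use_safe else login_vulnerable
    try:
        ok = check(conn, username, password_hash)
    except sqlite3.Error as exc:
        print("server log only:", exc)   # never echoed to the client
        return "error", "Login failed"
    return ("ok", "Welcome") if ok else ("denied", "Login failed")


def demo(crafted="x' OR '1'='1"):
    """Same crafted value through both checks: (vulnerable result, safe result)."""
    conn = make_db()
    return login_vulnerable(conn, crafted, crafted), login_safe(conn, crafted, crafted)


if __name__ == "__main__":
    print(demo())                                           # (True, False)
    print(handle_login(make_db(), "'", "x", use_safe=False))  # ('error', 'Login failed')
```

`demo()` shows the whole problem in one line: the concatenated query accepts the crafted value because the quote ends the string literal and the rest becomes part of the WHERE clause, while the parameterized query compares the same characters as a literal username and finds no match. The single-quote probe from the steps slide behaves the same way: against `login_vulnerable` it produces a syntax error, which `handle_login` logs but does not return, so the attacker learns nothing from the error text.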
Attacks on Wireless Networks
  • Wireless technology has become
    increasingly popular in day-to-day
    business and personal lives.
  • Handheld devices such as PDAs allow
    individuals to access data anywhere,
    anytime.
Different Types of Mobile Workers
  • Tethered/Remote Workers: Employee who
    generally remains at a single point of work.
  • Roaming User: Employees who work in
    multiple areas.
  • Nomad: This category covers employees
    requiring solutions in hotel rooms and other
    semi-tethered environments.
  • Road Warrior: Employees who spend little
    time in office, but require regular access of
    data.
Wireless standards
  •   IEEE 802.11 standards
  •   802.11: WLAN, 1-2 Mbps, 2.4 GHz, FHSS
  •   802.11a: 54 Mbps, 5 GHz, OFDM
  •   802.11b: 11 Mbps, 2.4 GHz
  •   802.11g: 54 Mbps, 2.4 GHz, OFDM
  •   802.11n: 140 Mbps
  •   802.15: Bluetooth standard
  •   802.16: WiMAX
Access Point
  • Hardware Device that acts as a transmitter
    and receiver of WLAN radio signals.
  • This is further connected to wired LAN.
Wi-Fi Hotspots
  • A hotspot is a physical location where
    people may obtain Internet access,
    typically using Wi-Fi technology, via a
    wireless local area network (WLAN) using
    a router connected to an internet service
    provider
SSID
 • Simply the technical term for a network
   name. When setting up a wireless home
   network, you give it a name to distinguish
   it from other networks in your
   neighborhood. It is made up of up to 32
   alphanumeric characters.
 • Service Set Identifier (up to 32
   characters long)
WEP
 • Wired Equivalent Privacy (WEP) is a
   security protocol, specified in the IEEE
   Wireless Fidelity (Wi-Fi) standard,
   802.11b, that is designed to provide a
   wireless local area network (WLAN) with a
   level of security and privacy comparable to
   what is usually expected of a wired LAN.
WPA
 • Wi-Fi Protected Access (2003)
 • WPA2: WPA + AES
MAC
 • Media Access Control
 • Unique identifier of each node of the
   network
 • Given by manufacturer of NIC card
 • Size of MAC address: 48 bits
 • Physical Address
Traditional techniques of attacks on
wireless network
  • Sniffing: Sniffing is the simple process of
    intercepting wireless data that is being
    broadcast on an unsecured network. It
    gathers information about the active/available Wi-Fi
    networks.
  • The attacker usually installs the sniffers on the
    wireless network and conducts activities such as:
     – Detection of the SSID
     – Collecting MAC addresses
     – Collecting frames to crack WEP
…cont.
  • Spoofing: The attacker often launches an
    attack on wireless network by simply
    creating a new network with stronger
    wireless signal and a copied SSID in the
    spoofed network instead of the real one.
  • The attacker can conduct this activity
    easily because while setting up a wireless
    network the computers no longer need to
    be informed to access the network.
…cont.
  • Man in the Middle: It refers to the scenario
    wherein an attacker on host A inserts A
    between X and Y, without their knowledge.
  • The objective behind this attack is to
    merely observe the communication or
    modify it before sending it on.
• DoS:
• MAC Spoofing
• IP Spoofing
• Frame Spoofing
Wardriving
  • Act of searching for Wi-Fi wireless
    networks by a person in a moving vehicle,
    using a portable computer or PDA.
  • Warbiking
  • Warwalking
Warkitting
 •  Combination of wardriving and rootkitting.
 • In a warkitting attack, a hacker replaces
   the firmware of an attacked router. This
   allows him to control all traffic for the
   victim, and could even permit him to
   disable SSL by replacing HTML content as
   it is being downloaded.
WAPjacking
 • Malicious configuring of the firmware
   settings, but making no modification on the
   firmware itself
How to Secure Wireless Network
  • Change the default settings of all the equipment/
    components of the wireless network.
  • Enable WPA/WEP encryption.
  • Change the default SSID
  • Enable MAC address filtering
  • Disable remote login
  • Disable SSID broadcast
  • Disable the features that are not used in the AP
  • Connect only to secured wireless networks
  • Upgrade the router’s firmware periodically.
Ways to Secure Wireless Network
  • Assign Static IP addresses to devices.
  • Enable firewalls on each computer and
    router.
  • Position the router safely.
  • Turn off network during extended periods
    when not in use.
  • Monitor wireless network security
    periodically and regularly.
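The two "Secure Wireless Network" slides above are a checklist. The Python example below is added to turn that checklist into an audit that can be run against an access point's exported settings; it is not code from the slides and does not talk to any real device. Both configurations, the list of default SSIDs and the list of default admin passwords are constructed for the example. It goes one step beyond the slides in two places, on facts the WEP and WPA slides already support: WEP is reported as a finding even though it is encryption, because its keys are recoverable from captured frames, and SSID hiding and MAC filtering are reported as weak controls, since the MAC address can be copied by an attacker and the SSID still appears in frames.

```python
from typing import Dict, List

# Constructed router configurations for the audit; neither is a real device's settings.
DEFAULT_CONFIG = {
    "ssid": "default",
    "encryption": "WEP",
    "admin_password": "admin",
    "remote_admin": True,
    "ssid_broadcast": True,
    "mac_filter": False,
    "firmware_version": "1.0.0",
    "latest_firmware": "1.2.0",
}

HARDENED_CONFIG = {
    "ssid": "home-net-4f2a",
    "encryption": "WPA2-AES",
    "admin_password": "Correct-Horse-Battery-Staple-7",
    "remote_admin": False,
    "ssid_broadcast": False,
    "mac_filter": True,
    "firmware_version": "1.2.0",
    "latest_firmware": "1.2.0",
}

# Assumed illustrative lists; a real audit uses vendor-specific default tables.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}


def audit_wireless_config(cfg: Dict) -> List[str]:
    """Return one finding per violated item of the slides' checklist."""
    findings = []
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("default SSID in use: change it")
    enc = cfg["encryption"].upper()
    if enc in ("NONE", "OPEN"):
        findings.append("encryption disabled: enable WPA2")
    elif enc == "WEP":
        findings.append("WEP in use: keys are recoverable from captured frames, move to WPA2 (AES)")
    elif enc.startswith("WPA") and "AES" not in enc:
        findings.append("WPA without AES: prefer WPA2 (AES)")
    if cfg["admin_password"] in DEFAULT_ADMIN_PASSWORDS:
        findings.append("default admin password: change it")
    if cfg["remote_admin"]:
        findings.append("remote login enabled: disable it")
    if cfg["ssid_broadcast"]:
        findings.append("SSID broadcast enabled: disable it (weak control, hides the name from casual scans only)")
    if not cfg["mac_filter"]:
        findings.append("MAC filtering off: enable it (weak control, MAC addresses can be copied)")
    if cfg["firmware_version"] != cfg["latest_firmware"]:
        findings.append("firmware out of date: upgrade it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_wireless_config(cfg) or ["no findings"])
```

The ordering of the findings mirrors the priority a practitioner would give them: encryption and the admin password decide whether an outsider can join or reconfigure the network, firmware decides whether the warkitting attack from the earlier slide has a known hole to use, and SSID hiding and MAC filtering only raise the effort for a casual neighbour.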