Unit V

B.Tech. VII Semester AIM
2024-25
By
Dr. Loshma Gunisetti,
Professor and Head, AIML Dept.

Text Book:
CEH: Official Certified Ethical Hacker Review Guide, Wiley India Edition.

Reference Books:
1. Hacking Exposed Web 2.0, by Rich Cannings, Himanshu Dwivedi, Zane Lackey, Tata McGraw Hill Edition.
2. Ethical Hacking & Network Defense, Michael T. Simpson, Cengage Learning.
3. Hacking Exposed Windows, Joel Scambray, CISSP, Stuart McClure, CISSP, Third Edition, Tata McGraw Hill Edition.
4. Hacking Exposed Windows Server 2003, Joel Scambray, Stuart McClure, Tata McGraw Hill Edition.

EH Unit V - Dr. G. Loshma 2


Course Outcomes
After successful completion of this course, the student will be able to (knowledge level in parentheses):

CO1 (K2): Discuss ethical considerations of hacking.
CO2 (K3): Assess an environment using footprinting and social engineering methods.
CO3 (K3): Discuss the techniques and tools used in network scanning, and the characteristics of the enumeration phase.
CO4 (K3): Demonstrate techniques and tools used in system hacking and different kinds of malware.
CO5 (K3): Illustrate countermeasures to denial-of-service and session hijacking.

Unit V Contents
Sniffers :
• Protocols Susceptible to Sniffing
• Active and Passive Sniffing
• ARP Poisoning
Denial of Service and Session Hijacking:
• Denial of Service
• Types of DoS Attacks
• DDoS Attacks
• BOTs/BOTNETs
• DoS/DDoS Countermeasures
• Session Hijacking
• Spoofing vs. Hijacking
• Types of Session Hijacking
• Steps in Performing Session Hijacking
• Prevention of Session Hijacking

Sniffers
• A sniffer can be a packet-capturing or frame-capturing tool.
• It intercepts traffic on the network and displays it in either a command-line
or GUI format for a hacker to view.
• Some sophisticated sniffers interpret the packets and can reassemble the
packet stream into the original data, such as an e-mail or a document.
• Sniffers are used to capture traffic sent between two systems.
• Depending on how the sniffer is used and the security measures in place, a
hacker can use a sniffer to discover usernames, passwords, and other
confidential information transmitted on the network.
• Several hacking attacks and various hacking tools require the use of a
sniffer to obtain important information sent from the target system.

Sniffers
Protocols Susceptible to Sniffing
• A network card normally passes up to the operating system only frames addressed to its own MAC address (plus broadcast and subscribed multicast frames) and silently drops everything else.
• In promiscuous mode the card passes every frame it sees on the medium to the sniffer for processing, whatever the destination MAC address. This is what lets a sniffer read traffic exchanged between two other systems.
• Enabling promiscuous mode requires administrative privilege on the capturing host. On Windows it is done through a packet-capture driver such as WinPcap or its successor Npcap; on Linux the interface's promiscuous flag can be set with the standard interface-configuration tools, and libpcap-based tools set it for you.
• Many of the hacking tools for sniffing bundle such a capture driver to facilitate this process.

Sniffers
Protocols Susceptible to Sniffing
• Any protocol that sends its data without encryption is susceptible to sniffing.
• Protocols such as HTTP, POP3, IMAP, SMTP, Telnet, Simple Network Management Protocol (SNMP versions 1 and 2c, whose community strings travel in the clear) and FTP are the ones most commonly captured with a sniffer and examined by a hacker for usernames and passwords. Their encrypted counterparts (HTTPS, POP3S, IMAPS, SMTP with STARTTLS, SSH in place of Telnet and FTP, SNMPv3 with authentication and privacy) reveal only connection metadata to a sniffer.
• Ethereal is a free, open-source sniffer that captures packets from a wired or wireless LAN connection; in 2006 the project was renamed Wireshark. It is common and popular because it is free, but it has some drawbacks: an untrained user may find it difficult to write the capture and display filters needed to isolate only certain types of traffic.
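The following added example (written for this edit, not taken from the slides or the CEH guide) shows in Python what a sniffer actually recovers from such protocols. The frames are constructed in the code itself with made-up MAC and IP addresses; a real sniffer would receive them from libpcap or Npcap with the interface in promiscuous mode, and the extraction logic would be unchanged.

```python
import base64
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")    # fixed 20-byte IPv4 header
TCP_HDR = struct.Struct("!HHIIBBHHH")        # fixed 20-byte TCP header


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the demonstration. MAC and IP
    addresses are made up; checksums are left at zero because the parser below
    does not verify them."""
    tcp = TCP_HDR.pack(sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp), 0, 0, 64, 6, 0,
                       bytes(map(int, src_ip.split("."))),
                       bytes(map(int, dst_ip.split(".")))) + tcp
    return ETH_HDR.pack(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800) + ip


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame,
    or None for anything else (ARP, IPv6, UDP, truncated frames)."""
    if len(frame) < ETH_HDR.size + IPV4_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return None
    off = ETH_HDR.size
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = IPV4_HDR.unpack_from(frame, off)
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    toff = off + (ver_ihl & 0x0F) * 4           # IHL is in 32-bit words
    if toff + TCP_HDR.size > len(frame):
        return None
    sport, dport, _, _, doff_flags, _, _, _, _ = TCP_HDR.unpack_from(frame, toff)
    payload = frame[toff + (doff_flags >> 4) * 4: off + total_len]
    return ".".join(map(str, src)), ".".join(map(str, dst)), sport, dport, payload


def extract_credentials(frames):
    """What a sniffer's 'follow stream' view shows for cleartext protocols:
    USER/PASS commands for FTP (21) and POP3 (110), and the base64-encoded
    HTTP Basic Authorization header (80). Returns (src, dst, dport, kind, value)."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        text = payload.decode("latin-1")
        if dport in (21, 110):
            for line in text.splitlines():
                verb, _, arg = line.partition(" ")
                if verb.upper() in ("USER", "PASS"):
                    found.append((src, dst, dport, verb.upper(), arg.strip()))
        elif dport == 80:
            for line in text.split("\r\n"):
                if line.lower().startswith("authorization: basic "):
                    token = line.split(" ", 2)[2].strip()
                    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
                    found.append((src, dst, dport, "BASIC", f"{user}:{password}"))
    return found


# Constructed sample traffic: an FTP login, an HTTP request with Basic auth,
# and a TLS record on 443 about which the extractor correctly has nothing to say.
SAMPLE_FRAMES = [
    build_tcp_frame("10.0.0.5", "10.0.0.20", 51000, 21, b"USER alice\r\n"),
    build_tcp_frame("10.0.0.5", "10.0.0.20", 51000, 21, b"PASS s3cret\r\n"),
    build_tcp_frame("10.0.0.7", "10.0.0.30", 51500, 80,
                    b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                    + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    build_tcp_frame("10.0.0.9", "10.0.0.40", 52000, 443, b"\x16\x03\x03\x00\x05hello"),
]

if __name__ == "__main__":
    for hit in extract_credentials(SAMPLE_FRAMES):
        print(hit)
```

The point of the TLS frame is that the parser still sees the addresses and ports (metadata is not protected by encryption above TCP), but the payload is opaque, so nothing is extracted.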

Sniffers
• Snort is an intrusion detection system (IDS) that also has sniffer capabilities. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, Common Gateway Interface (CGI) attacks, Server Message Block (SMB) probes, and OS fingerprinting attempts.

Active and Passive Sniffing
There are two different types of sniffing: passive and active.
• Passive sniffing involves only listening and capturing traffic, and is sufficient on a network connected by hubs; active sniffing involves launching an Address Resolution Protocol (ARP) spoofing or MAC (traffic) flooding attack against a switch in order to force traffic past the sniffer.
• As the names indicate, active sniffing is detectable because the attacker transmits (spoofed ARP replies or flood frames appear on the wire), whereas passive sniffing generates no traffic of its own and is very hard to detect remotely. Tools that probe for promiscuous-mode hosts with malformed ARP requests are the main exception.
• In networks that use hubs to connect systems, all hosts on the segment see all traffic; therefore a passive packet sniffer can capture traffic going to and from every host connected via the hub. Wireless media are shared in the same way, but on a WPA2-Personal network each client's unicast traffic is encrypted with its own pairwise key, so a passive sniffer reads another client's traffic only on an open network or when it knows the pre-shared key and has captured that client's four-way handshake; WPA3 removes even that possibility.

Active and Passive Sniffing
• A switched network operates differently.
• The switch looks at each frame sent to it and forwards it only to the port where the destination Media Access Control (MAC) address was learned.
• The switch maintains a MAC (CAM) table mapping the MAC addresses of all the systems it has seen to the port numbers to which they're connected.
• This enables the switch to segment the network traffic and deliver unicast frames only to the correct destination; broadcast frames, and frames to a destination the switch has not yet learned, are still flooded to every port.
• A switched network has greatly improved throughput and is more secure against passive sniffing than a shared network connected via hubs, but by itself it does not defeat active sniffing (ARP poisoning or MAC flooding).

ARP Poisoning
• ARP allows hosts on a LAN to translate IP addresses into MAC addresses.
• When one host using TCP/IP on a LAN tries to contact another, it needs the MAC (hardware) address of the host it's trying to reach.
• It first looks in its ARP cache to see if it already has the MAC address; if it doesn't, it broadcasts an ARP request asking, "Who has the IP address I'm looking for?"
• If the host that has that IP address hears the ARP query, it responds with its own MAC address, the requester caches the mapping, and a conversation can begin using TCP/IP.
• ARP carries no authentication: a host has no way to verify that a reply really came from the owner of the IP address, and most implementations also update their cache from replies they never asked for (unsolicited or "gratuitous" ARP). ARP poisoning exploits this to attack an Ethernet network, and may let an attacker sniff data frames on a switched LAN or stop the traffic altogether.

ARP Poisoning
• ARP poisoning utilizes ARP spoofing: the attacker sends fake, or spoofed, ARP replies onto the Ethernet LAN.
• These replies bind a victim's IP address (typically the default gateway's) to the attacker's MAC address in the ARP caches of the other hosts. The switch itself keeps forwarding correctly by MAC address; it is the hosts that now address their frames to the wrong MAC. As a result, frames intended for one machine are delivered to the attacker (allowing the packets to be sniffed) or, if the spoofed MAC belongs to no one, to an unreachable host (a Denial of Service [DoS] attack).
• ARP spoofing is therefore the usual way to mount a man-in-the-middle attack on a switched LAN: the attacker poisons both the victim and the gateway, forwards the traffic between them so the connection keeps working, and analyzes everything passing through for passwords and other information.

ARP Poisoning
• To prevent ARP spoofing on a single host, permanently add the MAC address of the gateway to that host's ARP cache as a static entry.
• You can do this on a Windows system by using the arp -s command at the command line and appending the gateway's IP and MAC addresses; Linux offers the equivalent through arp -s or a permanent ip neigh entry.
• A static entry is never overwritten by incoming ARP replies, so a hacker cannot poison the system's mapping for the gateway, but the approach is difficult to manage in a large environment because of the number of systems, and it protects only the entries you pin.
• In an enterprise environment, port security can be enabled on a switch to allow only one (or a small fixed number of) MAC addresses per access port, which stops MAC flooding, and Dynamic ARP Inspection can be enabled to drop ARP replies whose IP-to-MAC binding does not match the switch's DHCP snooping table, which stops ARP poisoning directly.
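To show both the attack and the host-side countermeasure concretely, here is an added Python example (not part of the slides or the CEH guide). It builds RFC 826 ARP frames, models a host ARP cache that accepts unsolicited replies, models the static entry that arp -s creates, and implements the IP-to-MAC "flip-flop" check that tools such as arpwatch perform. All addresses are constructed for the scenario.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")                 # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")         # RFC 826: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(map(int, s.split(".")))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(map(str, b))


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying one ARP packet. Requests go to the broadcast MAC;
    replies are unicast to the target. Nothing in the packet proves that
    sender_mac really owns sender_ip, which is the whole problem."""
    dst = target_mac if oper == ARP_REPLY else BROADCAST
    eth = ETH_HDR.pack(mac_bytes(dst), mac_bytes(sender_mac), 0x0806)
    return eth + ARP_PKT.pack(1, 0x0800, 6, 4, oper, mac_bytes(sender_mac), ip_bytes(sender_ip),
                              mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(frame):
    """Decode an ARP frame into a dict, or return None for non-ARP frames."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size or ETH_HDR.unpack_from(frame)[2] != 0x0806:
        return None
    _, _, _, _, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {"op": oper, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpCache:
    """A host's ARP cache. Like most real stacks it updates an entry from any
    reply it sees, solicited or not; that is what ARP poisoning exploits.
    Entries added with add_static() model 'arp -s' and are never overwritten."""
    def __init__(self):
        self.table, self.static = {}, set()

    def add_static(self, ip_addr, mac_addr):
        self.table[ip_addr] = mac_addr
        self.static.add(ip_addr)

    def learn(self, pkt):
        if pkt["op"] == ARP_REPLY and pkt["sender_ip"] not in self.static:
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]

    def resolve(self, ip_addr):
        return self.table.get(ip_addr)


class ArpMonitor:
    """arpwatch-style detector: remembers the first MAC claimed for each IP and
    reports every reply that claims a different one (a 'flip-flop')."""
    def __init__(self):
        self.seen, self.alerts = {}, []

    def inspect(self, pkt):
        if pkt["op"] != ARP_REPLY:
            return
        known = self.seen.setdefault(pkt["sender_ip"], pkt["sender_mac"])
        if known != pkt["sender_mac"]:
            self.alerts.append((pkt["sender_ip"], known, pkt["sender_mac"]))


# Constructed addresses for the scenario: a victim, its gateway and an attacker.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "66:77:88:99:aa:bb"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def run_scenario(pin_gateway):
    """The gateway answers the victim's ARP request; then the attacker sends an
    unsolicited reply claiming the gateway's IP with its own MAC. Returns the MAC
    the victim will now use for the gateway, and the monitor's alerts."""
    cache, monitor = ArpCache(), ArpMonitor()
    if pin_gateway:
        cache.add_static(GATEWAY_IP, GATEWAY_MAC)          # the 'arp -s' countermeasure
    frames = [
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # the poison
    ]
    for pkt in map(parse_arp, frames):
        cache.learn(pkt)
        monitor.inspect(pkt)
    return cache.resolve(GATEWAY_IP), monitor.alerts


if __name__ == "__main__":
    print("dynamic cache:", run_scenario(pin_gateway=False))
    print("static entry: ", run_scenario(pin_gateway=True))
```

With a dynamic cache the victim ends up sending gateway-bound frames to the attacker's MAC; with the static entry the poison is ignored. The monitor raises the same alert in both cases, which is the detection signal a network team would act on.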

Denial of Service and Session Hijacking
• During a Denial of Service (DoS) attack, a hacker renders a system unusable, or significantly slows it, by overloading its resources or otherwise preventing legitimate users from accessing the system.
• These attacks can be perpetrated against an individual system or an entire network, and they frequently succeed because the attacker needs far fewer resources to generate the load than the victim needs to absorb it.
• Session hijacking is a hacking method that creates a temporary DoS for an end user when an attacker takes over the user's session.
• Session hijacking is used by hackers to take over a current session after the user has established an authenticated session, so the attacker inherits the user's access without ever learning the password.
• Session hijacking can also be used to perpetrate a man-in-the-middle attack, when the hacker steps between the server and the legitimate client and intercepts all traffic.

Denial of Service
• A DoS attack is an attempt by a hacker to flood, or otherwise exhaust the resources of, a user's or an organization's system so that it can no longer serve its legitimate users.
Types of DoS Attacks
• There are two main categories of DoS attacks. DoS traffic can be sent by a single system to a single target (simple DoS) or by many systems to a single target (distributed DoS, DDoS).
• The goal of DoS isn't to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it.

Denial of Service
Types of DoS Attacks
• A DoS attack may do the following:
  – Flood a network with traffic, thereby preventing legitimate network traffic.
  – Disrupt connections between two machines, thereby preventing access to a service.
  – Prevent a particular individual from accessing a service.
  – Disrupt service to a specific system or person.
• Different tools use different types of traffic to flood a victim, but the result is the same: a service on the system, or the entire system, is unavailable to users because it's kept busy trying to respond to an exorbitant number of requests.

Denial of Service
Types of DoS Attacks
• A DoS attack is usually an attack of last resort.
• It is considered an unsophisticated attack because it doesn't gain the hacker access to any information, but rather annoys the target and interrupts their service.
• DoS attacks can nevertheless be destructive and have a substantial impact when sent from multiple systems at the same time (DDoS attacks).
• DDoS attacks are perpetrated through BOTs and BOTNETs, compromised systems that an attacker uses to launch the attack against the end victim.
• The systems or networks that have been compromised are secondary victims, whereas the DoS and DDoS traffic floods the primary victim, or target.

Denial of Service
• Ping of Death is an attack that can cause a system to lock up by sending a ping (ICMP echo request) as a series of IP fragments whose offsets and lengths add up to more than 65,535 bytes, the maximum size of an IP datagram. Stacks of the mid-1990s reassembled the fragments into a fixed 64 KB buffer without checking this total, so the final fragment overflowed the buffer and crashed the kernel. Ping of Death can cause a DoS to clients trying to access the server that has been a victim of the attack; every current operating system rejects fragments that would exceed the maximum length, so the attack is now mainly of historical interest.
• SSPing is a program that sends several large, fragmented Internet Control Message Protocol (ICMP) data packets to a target system. This causes the computer receiving the data packets to freeze when it tries to reassemble the fragments, the same reassembly weakness exploited by Ping of Death.
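As an added example (not from the slides or the CEH guide), the Python below models the IP fragment reassembly both attacks abuse: it fragments a payload the way a router would, reassembles it with the bounds check modern stacks apply, and constructs a Ping of Death fragment set that the check rejects. The 64 KB buffer overrun itself is not reproduced (Python has no fixed buffers to overrun); the check that prevents it is.

```python
MAX_IP_PACKET = 65535      # the IPv4 total-length field is 16 bits (RFC 791)
IPV4_HEADER = 20           # header size without options


def fragment(payload, mtu=1500):
    """Split a datagram payload into (offset_units, more_fragments, data) tuples
    the way a router would. Offsets are in 8-byte units, as in the IPv4 header,
    so every fragment except the last carries a multiple of 8 bytes."""
    chunk = (mtu - IPV4_HEADER) // 8 * 8
    return [(start // 8, start + chunk < len(payload), payload[start:start + chunk])
            for start in range(0, len(payload), chunk)]


def reassemble(fragments):
    """Reassemble fragments into the original payload.

    The bounds check is the fix every stack received after the Ping of Death:
    a fragment whose data would end beyond byte 65,535 of the datagram cannot be
    part of any legal IP packet, so it is rejected before being copied into the
    reassembly buffer. Without that check a fixed 64 KB buffer was overrun."""
    buf, total = bytearray(), None
    for offset_units, more, data in sorted(fragments, key=lambda f: f[0]):
        start = offset_units * 8
        end = start + len(data)
        if IPV4_HEADER + end > MAX_IP_PACKET:
            raise ValueError(f"fragment ends at byte {IPV4_HEADER + end} > {MAX_IP_PACKET}")
        if len(buf) < end:
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = data
        if not more:
            total = end
    if total is None or len(buf) != total:
        raise ValueError("incomplete or inconsistent fragment set")
    return bytes(buf)


def accepts(fragments):
    """True if the reassembler builds a datagram from the fragments, False if it
    rejects them."""
    try:
        reassemble(fragments)
        return True
    except ValueError:
        return False


def ping_of_death_fragments():
    """Constructed Ping of Death: 65,512 bytes of legal fragments, all flagged
    'more fragments', followed by a final 40-byte fragment at offset 65,512.
    Reassembled with its header the datagram would be 65,572 bytes."""
    frags = [(offset, True, data) for offset, _, data in fragment(bytes(65512))]
    frags.append((65512 // 8, False, b"A" * 40))
    return frags


if __name__ == "__main__":
    normal = fragment(bytes(range(256)) * 20)           # a 5,120-byte payload in 4 fragments
    print("normal ping reassembles:", accepts(normal))
    print("ping of death accepted: ", accepts(ping_of_death_fragments()))
```

Note that every fragment except the last passes the check individually; only the final one pushes the total past the limit, which is why the check has to be applied per fragment against the datagram's running end, not against each fragment's own size.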

Distributed Denial-of-Service (DDoS) Attacks
• DDoS is an advanced version of the DoS attack.
• Like DoS, DDoS also tries to deny access to services running on a system by sending packets to the destination system faster, or in larger volume, than the destination system can handle.
• The key to a DDoS attack is that it relays attacks from many different hosts (which must first be compromised) rather than from a single host like DoS; this both multiplies the available bandwidth and removes any single source address that could simply be blocked.
• DDoS is a large-scale, coordinated attack on a victim system. The services under attack are those of the primary victim; the compromised systems used to launch the attack are secondary victims.
• These compromised systems, which send the DDoS traffic to the primary victim, are sometimes called zombies or BOTs.

Distributed Denial-of-Service (DDoS) Attacks
• They're usually compromised through another attack and then used to launch an attack on the primary victim at a certain time or under certain conditions.
• It can be difficult to track the source of the attacks because they originate from many IP addresses, often spoofed.
• Normally, DDoS consists of three parts:
  – Master/Handler
  – Slave/secondary victim/zombie/agent/BOT (collectively, the BOTNET)
  – Victim/primary victim

Distributed Denial-of-Service (DDoS) Attacks
• The master is the attack launcher.
• A slave is a host that is compromised by and controlled by the master.
• The victim is the target system.
• The master directs the slaves to launch the attack on the victim system.
DDoS is done in two phases:
• In the intrusion phase, the hacker compromises weak systems in
different networks around the world and installs DDoS tools on those
compromised slave systems.
• In the DDoS attack phase, the slave systems are triggered to cause them
to attack the primary victim.

Distributed Denial-of-Service (DDoS) Attacks
• Shaft is a derivative of the Trinoo tool that uses UDP communication
between masters and agents. Shaft provides statistics on the flood attack
that attackers can use to know when the victim system is shut down; Shaft
provides UDP, ICMP, and TCP flooding attack options.
• Mstream uses spoofed TCP packets with the ACK flag set to attack a target.
It consists of a handler and an agent portion, but access to the handler is
password protected.

BOTs/BOTNETs
• A BOT is short for web robot and is an automated software program that
behaves intelligently.
• Spammers often use BOTs to automate the posting of spam messages on
newsgroups or the sending of emails. BOTs can also be used as remote
attack tools.
• Most often, BOTs are web software agents that interface with web pages.
• For example, web crawlers (spiders) are web robots that gather web-
page information.
• The most dangerous BOTs are those that covertly install themselves on
users’ computers for malicious purposes.

BOTs/BOTNETs
• Some BOTs communicate with other users of Internet-based services via instant messaging, Internet Relay Chat (IRC) or another web interface.
• Such BOTs allow IRC users to ask questions in plain English and then formulate a proper response. They can often handle many tasks, including reporting weather, providing zip-code information, listing sports scores, converting units of measure or currency, and so on.
• A BOTNET is a group of BOT systems under one controller. BOTNETs serve various purposes, including DDoS attacks, creation or misuse of Simple Mail Transfer Protocol (SMTP) mail relays for spam, Internet marketing fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. In the DoS context, a BOTNET refers to a group of compromised systems running a BOT that a single attacker can direct to launch a coordinated DDoS attack.

Smurf Attack
• A smurf attack sends a large amount of ICMP echo (ping) traffic to a network's broadcast IP address with the spoofed source address of the victim.
• Each host on that IP network (a secondary victim) replies to the ICMP echo request with an echo reply, multiplying the traffic by the number of hosts responding; the attacker's bandwidth is amplified by the size of the reflecting network.
• On a multiaccess broadcast network, hundreds of machines might reply to each packet. This creates a magnified DoS attack of ping replies flooding the primary victim. IRC servers were the primary victims of smurf attacks on the Internet. The attack depends on routers forwarding directed broadcasts into the network; since RFC 2644 (1999) routers drop them by default, so smurf itself is rare today, but the same reflection-and-amplification pattern lives on in DNS, NTP and memcached amplification attacks.

SYN Flooding
• A SYN flood attack sends TCP connection requests faster than a machine can process them.
• The attacker creates a random source address for each packet and sets the SYN flag to request a new connection to the server from the spoofed IP address.
• The victim responds with a SYN-ACK to the spoofed IP address, allocates a half-open connection entry, and then waits for the TCP confirmation (the final ACK) that never arrives.
• Consequently, the victim's connection (backlog) table fills up waiting for replies; after the table is full, all new connection requests are dropped.
• Legitimate users are dropped as well and can't access the server.
• Some of the methods to prevent SYN flood attacks are SYN cookies (the server encodes the connection state in its initial sequence number instead of storing it, so half-open connections cost nothing), RST cookies, micro blocks (allocating a tiny record per half-open connection instead of a full one), and stack tweaking (shorter SYN-RECEIVED timeouts and a larger backlog).
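SYN cookies are the one countermeasure on this list whose mechanism repays a closer look, so here is an added Python example (not from the slides or the CEH guide) of how a server can generate and verify them. The bit layout and hash are a simplified version of what Linux does (same idea: a time counter, an MSS index and a keyed 24-bit tag packed into the 32-bit ISN); the secret, addresses and MSS table are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"       # a real stack rotates this secret periodically
MSS_TABLE = (536, 1300, 1440, 1460)       # the only MSS values a cookie can carry (2 bits)
COUNTER_MASK, TAG_MASK = 0x3F, 0xFFFFFF   # 6-bit time counter, 24-bit authenticator
MAX_AGE = 2                               # ticks a cookie stays valid (Linux uses 64 s ticks)


def _tag(src_ip, sport, dst_ip, dport, client_isn, counter, mss_idx):
    """24-bit keyed MAC over the connection 4-tuple, the client's ISN and the
    cookie's own counter and MSS index, so none of them can be altered."""
    msg = struct.pack("!4sH4sHIBB", bytes(map(int, src_ip.split("."))), sport,
                      bytes(map(int, dst_ip.split("."))), dport, client_isn, counter, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, sport, dst_ip, dport, client_isn, client_mss, counter):
    """Server ISN to put in the SYN-ACK. Layout: counter(6) | mss_idx(2) | tag(24).
    Everything needed to validate the final ACK is recomputed from the ACK
    itself, so the server keeps no state for the half-open connection."""
    counter &= COUNTER_MASK
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= client_mss)   # round MSS down
    tag = _tag(src_ip, sport, dst_ip, dport, client_isn, counter, mss_idx)
    return (counter << 26) | (mss_idx << 24) | tag


def check_syn_cookie(src_ip, sport, dst_ip, dport, seq, ack, now):
    """Validate the client's final ACK (seq = client_isn + 1, ack = cookie + 1).
    Returns the negotiated MSS, or None if the cookie is expired or forged."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    counter, mss_idx = cookie >> 26, (cookie >> 24) & 0x3
    if (now - counter) & COUNTER_MASK > MAX_AGE:
        return None                                     # stale cookie
    if (cookie & TAG_MASK) != _tag(src_ip, sport, dst_ip, dport, client_isn, counter, mss_idx):
        return None                                     # forged, or replayed on another 4-tuple
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed handshake: client 203.0.113.7:40000 -> server 198.51.100.1:80.
    cookie = make_syn_cookie("203.0.113.7", 40000, "198.51.100.1", 80, 123456789, 1460, counter=10)
    print("valid ACK   ->", check_syn_cookie("203.0.113.7", 40000, "198.51.100.1", 80, 123456790, cookie + 1, now=11))
    print("late ACK    ->", check_syn_cookie("203.0.113.7", 40000, "198.51.100.1", 80, 123456790, cookie + 1, now=20))
    print("other host  ->", check_syn_cookie("203.0.113.8", 40000, "198.51.100.1", 80, 123456790, cookie + 1, now=11))
```

Under a flood the server answers each spoofed SYN with a cookie and forgets it; spoofed sources never send the ACK, so nothing accumulates. The price is that TCP options other than MSS are lost for connections completed via cookie, and that a 24-bit tag can in principle be brute-forced by an attacker willing to send about 16 million ACKs per connection, which is why cookies are normally switched on only once the backlog is full.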

DoS/DDoS Countermeasures
• There are several ways to detect, halt, or prevent DoS attacks. The following are common security features available:
• Network-ingress filtering: All network access providers should implement network-ingress filtering (BCP 38, RFC 2827) to stop any downstream networks from injecting packets with faked or spoofed source addresses into the Internet. Although this doesn't stop an attack from occurring, it does make it much easier to track down the source of the attack and terminate it quickly, and it prevents the provider's own customers from being used as spoofed sources in reflection attacks.
• Rate-limiting network traffic: A number of routers on the market today have features that let you limit the amount of bandwidth some types of traffic (for example ICMP, or TCP SYN segments) can consume. This is sometimes referred to as traffic shaping.

DoS/DDoS Countermeasures
• Intrusion detection systems : Use an intrusion detection system (IDS)
to detect attackers who are communicating with slave, master, or agent
machines. Doing so lets you know whether a machine in your network is
being used to launch a known attack but probably won’t detect new
variations of these attacks or the tools that implement them. Most IDS
vendors have signatures to detect Trinoo, TFN, or Stacheldraht network
traffic.
• Host-auditing tools : File-scanning tools are available that attempt to
detect the existence of known DDoS tool client and server binaries in a
system.

DoS/DDoS Countermeasures
• Network-auditing tools: Network-scanning tools are available that attempt to detect the presence of DDoS agents running on hosts on your network.
• Automated network-tracing tools: Tracing streams of packets with spoofed addresses through the network is a time-consuming task that requires the cooperation of all networks carrying the traffic and that must be completed while the attack is in progress.
DoS Scanning Tools
• find_ddos is a tool that scans a local system for the presence of known DDoS programs. It can detect several known DoS attack tools.
• RID is a free scanning tool that detects the presence of Trinoo, TFN, or Stacheldraht clients.

Session Hijacking
• Session hijacking is when a hacker takes control of a user session after the user has successfully authenticated with a server.
• Session hijacking involves an attacker identifying the current session identifiers of a client/server communication (for a TCP session, the address and port pair together with the current sequence and acknowledgment numbers) and taking over the client's session.
• Session hijacking is made possible by tools that perform sequence-number prediction, or, when the attacker can sniff the connection, simply read the numbers off the wire.

Session Hijacking
Spoofing vs. Hijacking
• Spoofing attacks are different from hijacking attacks.
• In a spoofing attack, the hacker performs sniffing and listens to traffic as it's passed along the network from sender to receiver.
• The hacker then uses the information gathered to spoof, that is to impersonate, the address of a legitimate system and open a new connection of their own.
• Hijacking involves actively taking another user offline to perform the attack.
• The attacker relies on the legitimate user to make a connection and authenticate.
• After that, the attacker takes over the session, and the valid user's session is disconnected.

Session Hijacking
Types of Session Hijacking
• Hackers can use two types of session hijacking: active and passive.
• The primary difference between active and passive hijacking is the
hacker’s level of involvement in the session.
• In an active attack, an attacker finds an active session and takes over the
session by using tools that predict the next sequence number used in the
TCP session.
• In a passive attack, an attacker hijacks a session and then watches and
records all the traffic that is being sent by the legitimate user.
• Passive session hijacking is really no more than sniffing.
• It is used to gather information such as passwords and then to use that
information later to authenticate as a separate session.

Session Hijacking
TCP Concepts: Three-Way Handshake
• One of the key features of TCP is reliable, ordered delivery of data. To accomplish this, TCP uses acknowledgment (ACK) segments and sequence numbers. Manipulating these numbers is the basis for TCP session hijacking.
1. The valid user initiates a connection with the server by sending a segment with the SYN bit set and the user's Initial Sequence Number (ISN).
2. The server receives this segment and sends back a segment with the SYN bit set and an ISN for the server, plus the ACK bit set and an acknowledgment number equal to the user's ISN incremented by one.
3. The valid user acknowledges the server by returning a segment with the ACK bit set and an acknowledgment number equal to the server's ISN incremented by one.

Session Hijacking
TCP Concepts: Three-Way Handshake
• This connection can be closed from either side due to a timeout, or upon receipt of a packet with the FIN or RST flag set.
• Upon receipt of a packet with the RST flag set (and a sequence number inside the current window), the receiving system closes the connection immediately, and any further incoming packets for the session are discarded.
• If the FIN flag is set in a packet, the receiving system goes through the orderly process of closing the connection, and any packets received while closing the connection are still processed.
• Sending a packet with the FIN or RST flag set is the most common method hijackers use to close the client's session with the server and take over the session by acting as the client.

Session Hijacking
Steps in Performing Session Hijacking
• Session hijacking involves the following three steps to perpetrate the attack:
• Tracking the session: The hacker identifies an open session and determines the sequence number the server expects next, either by sniffing the connection or by predicting it.
• Desynchronizing the connection: The hacker sends the valid user's system a TCP reset (RST) or finish (FIN) packet to cause it to close its side of the session. Alternately the hacker can use a DoS tool to disconnect the user from the server.
• Injecting the attacker's packet: The hacker sends the server a TCP packet with the client's address as source and the expected sequence number, and the server accepts it as the valid user's next packet.
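The three steps above, and the three-way handshake they build on, as an added Python simulation (written for this edit; not from the slides, the CEH guide, or the Hunt/Juggernaut tools): a minimal server-side TCP state machine, a client that completes the handshake and sends a command, an attacker who has sniffed the sequence numbers, and a blind attacker who has not. The "src" label stands in for the spoofable source address and port; the server's ISN is random, which shows why randomization alone does not stop an attacker who can sniff.

```python
import secrets

MASK = 0xFFFFFFFF


def segment(src, seq, ack, flags, payload=b""):
    """A TCP segment reduced to the fields that matter here. 'src' stands for the
    source address/port, which an attacker can set freely (IP spoofing)."""
    return {"src": src, "seq": seq & MASK, "ack": ack & MASK, "flags": flags, "payload": payload}


class Server:
    """Minimal TCP receiver for one connection: tracks snd_nxt/rcv_nxt and
    accepts a data segment only when its sequence number is exactly rcv_nxt.
    No window, retransmission or congestion logic; none of it changes the point."""
    def __init__(self):
        self.state = "LISTEN"
        self.snd_nxt = secrets.randbits(32)       # unpredictable ISN, as in modern stacks
        self.rcv_nxt = None
        self.data = []                             # payloads the server believes came from the client

    def receive(self, seg):
        """Process one segment and return the server's reply segment (or None)."""
        if self.state == "LISTEN" and "S" in seg["flags"]:
            self.rcv_nxt = (seg["seq"] + 1) & MASK
            reply = segment("server", self.snd_nxt, self.rcv_nxt, "SA")
            self.snd_nxt = (self.snd_nxt + 1) & MASK
            self.state = "SYN_RCVD"
            return reply
        if self.state == "SYN_RCVD" and "A" in seg["flags"] and seg["ack"] == self.snd_nxt:
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED":
            if "R" in seg["flags"] and seg["seq"] == self.rcv_nxt:
                self.state = "CLOSED"                  # an in-sequence RST kills the connection
                return None
            if seg["seq"] == self.rcv_nxt and seg["payload"]:
                # Nothing here checks who really sent the segment: matching addresses
                # and the expected sequence number are all the proof TCP asks for.
                self.data.append(seg["payload"])
                self.rcv_nxt = (self.rcv_nxt + len(seg["payload"])) & MASK
            return segment("server", self.snd_nxt, self.rcv_nxt, "A")   # ACK, or duplicate ACK
        return None


def hijack_demo(attacker_can_sniff):
    """Handshake, one legitimate FTP command, then an injected command spoofing
    the client. With a sniffer the attacker knows rcv_nxt exactly; blind, it must
    guess a 32-bit number. Returns the payloads the server accepted as the
    client's, and whether the real client's following command was still accepted."""
    srv = Server()
    client_isn = secrets.randbits(32)
    synack = srv.receive(segment("client", client_isn, 0, "S"))
    srv.receive(segment("client", client_isn + 1, synack["seq"] + 1, "A"))
    client_seq, client_ack = client_isn + 1, synack["seq"] + 1

    first = b"USER alice\r\n"
    srv.receive(segment("client", client_seq, client_ack, "PA", first))
    client_seq += len(first)

    # Step 3 of the slides: the attacker's packet, with the client's address and the
    # sequence number the server expects next (seen on the wire, or guessed).
    guess = client_seq if attacker_can_sniff else secrets.randbits(32)
    srv.receive(segment("client", guess, client_ack, "PA", b"DELE important.txt\r\n"))

    # The real client continues from its own count. After a successful injection
    # the server has moved rcv_nxt past it, so the client is desynchronized.
    before = len(srv.data)
    srv.receive(segment("client", client_seq, client_ack, "PA", b"PASS s3cret\r\n"))
    return srv.data, len(srv.data) == before + 1


if __name__ == "__main__":
    print("sniffing attacker:", hijack_demo(attacker_can_sniff=True))
    print("blind attacker:   ", hijack_demo(attacker_can_sniff=False))
```

With sniffing, the injected command is accepted and the legitimate client's next segment is rejected as out of sequence (its ACKs no longer line up either, which on a real network produces the "ACK storm" that the RST or FIN of step 2 is meant to end by taking the client offline). Blind, the guess fails with probability about 1 - 2^-32 and the client continues undisturbed; that is the whole benefit of a random ISN, and it evaporates as soon as the attacker sees one segment of the connection.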

Session Hijacking
• Juggernaut is a network sniffer that can be used to hijack TCP sessions. It
runs on Linux operating systems and can be used to watch for all network
traffic, or it can be given a keyword such as a password to look for. The
program shows all active network connections and the attacker can then
choose a session to hijack.
• Hunt is a program that can be used to sniff and hijack active sessions on a
network. Hunt performs connection management, Address Resolution
Protocol (ARP) spoofing, resetting of connections, monitoring of
connections, Media Access Control (MAC) address discovery, and sniffing of
TCP traffic.

Dangers Posed by Session Hijacking
• TCP session hijacking is a dangerous attack: most systems are vulnerable to it, because TCP/IP itself authenticates nothing beyond the addresses and sequence numbers carried in each segment, and any application that relies on the transport layer alone for session integrity inherits that weakness.
• Newer operating systems have attempted to secure themselves from blind session hijacking by using pseudorandom number generators to calculate the Initial Sequence Number (ISN), making the sequence number harder to guess.
• However, this security measure is ineffective if the attacker is able to sniff packets on the path, because the sequence numbers then travel in the clear and give all the information required to perform this attack.

Dangers Posed by Session Hijacking
Reasons for being aware of session hijacking:
• Most computers are vulnerable.
• Few countermeasures at the TCP layer itself adequately protect against it; the effective defenses work by encrypting and authenticating the traffic above or below that layer.
• Session hijacking attacks are simple to launch with readily available tools.
• Hijacking is dangerous because of the information that can be gathered, and the actions that can be taken in the user's name, during the attack.

Prevention of Session Hijacking
• To defend against session hijack attacks, a network should employ several defenses.
• The most effective protection is encryption with integrity protection, such as Internet Protocol Security (IPsec). This also defends against any other attack vectors that depend on sniffing.
• Attackers may be able to passively monitor your connection, but they won't be able to interpret the encrypted data, and an injected segment fails the integrity check instead of being accepted as the user's input.
• Other countermeasures include using encrypted application protocols such as Secure Shell (SSH, an encrypted replacement for Telnet and FTP) and Transport Layer Security (TLS, the successor of Secure Sockets Layer [SSL], for HTTPS traffic). With SSH or TLS an attacker who can inject packets can still tear the connection down with a spoofed RST, because the TCP header is unprotected: application-layer encryption prevents takeover, not disruption. IPsec, which protects the TCP header as well, prevents both.

Prevention of Session Hijacking
• Session hijacking can be prevented by reducing the potential methods of gaining access to a network, for example by eliminating remote access to internal systems.
• If the network has remote users who need to connect to carry out their duties, then use virtual private networks (VPNs) secured with tunneling protocols and encryption (Layer 2 Tunneling Protocol [L2TP] over IPsec; the older Point-to-Point Tunneling Protocol [PPTP] relies on MS-CHAPv2 authentication, which has been broken, and should no longer be used).
• The use of multiple safety nets is always the best countermeasure to any potential threat.
• Employing any one countermeasure may not be enough, but using them together to secure your enterprise will make the attack success rate minimal for anyone but the most professional and dedicated attacker.

Prevention of Session Hijacking
Countermeasures that should be employed to prevent session hijacking:
• Use encryption.
• Use a secure protocol.
• Limit incoming connections.
• Minimize remote access.
• Have strong authentication.
• Educate your employees.
• Maintain different usernames and passwords for different accounts.
