UNIT -IV: Tools and Methods

Used in Cybercrime
• 1. Introduction
• 2. Proxy Servers and Anonymizers,
• 3. Phishing
• 4. Password Cracking
• 5. Key loggers and Spywares
• 6. Virus and Worms
• 7. Trojan Horses and Backdoors
• 8. Steganography
• 9. DoS and DDoS Attacks
• 10. SQL Injection
• 11. Buffer Overflow
• 12. Attacks on Wireless Networks
• 13. Phishing and Identity Theft: Introduction - Phishing,
• 14. Identity Theft (ID Theft)
Introduction
As the Internet and computer networks are integral parts of information systems, attackers have in-depth
knowledge about the technology and/or they gain thorough knowledge about it.

The basic stages of an attack are:

1. Initial uncovering:
i. In the first step called as reconnaissance, the attacker gathers information, as much as possible, about
the target by legitimate means.
ii. In the second step, the attacker uncovers as much information as possible on the company’s internal
network.
2. Network probe: A “ping sweep” of the network IP addresses is performed to seek out potential targets, and
then a “port scanning” tool is used to discover exactly which services are running on the target system.
3. Crossing the line toward electronic crime (E-crime): Now the attacker is toward committing what is
technically a “computer crime” by exploiting possible holes on the target system.
4. Capturing the network: At this stage, the attacker attempts to “own” the network. The attacker gains a
foothold in the internal network quickly and easily.
5. Grab the data: Now that the attacker has “captured the network,” he/she takes advantage of his/her position
to steal confidential data, customer credit card information, deface webpages, alter processes and even launch
attacks at other sites from your network.
6. Covering tracks: This is the last step in any cyberattack, which refers to the activities undertaken by the
attacker to extend misuse of the system without being detected.
 Proxy Servers and Anonymizers

• Proxy server is a computer on a network which acts as an intermediary for connections with
other computers on that network.
• The attacker first connects to a proxy server and establishes a connection with the target
system through existing connection with proxy.
• This enables an attacker to surf on the Web anonymously and/or hide the attack.
• A client connects to the proxy server and requests some services (such as a file, webpage)
available from a different server.
• The proxy server evaluates the request and provides the resource by establishing the
connection to the respective server and/or requests the required service on behalf of the
client.
• Using a proxy server can allow an attacker to hide ID (i.e., become anonymous on the
network).
A proxy server has following
purposes:
1. Keep the systems behind the curtain (mainly for security reasons).
2. Speed up access to a resource (through “caching”). It is usually used to cache the webpages
from a web server.
3. Specialized proxy servers are used to filter unwanted content such as advertisements.
4. Proxy server can be used as IP address multiplexer to enable to connect number of
computers on the Internet, whenever one has only one IP address
• One of the advantages of a proxy server is that its cache memory can serve all users.
• If one or more websites are requested frequently, may be by different users, it is likely to be
in the proxy’s cache memory, which will improve user response time.
• An anonymizer or an anonymous proxy is a tool that attempts to make activity on the
Internet untraceable. It accesses the Internet on the user’s behalf, protecting personal
information by hiding the source computer’s identifying information.
• Anonymizers are services used to make Web surfing anonymous by utilizing a website that
acts as a proxy server for the web client.
 Phishing
• “Phishing” refers to an attack using mail programs to deceive Internet users into
disclosing confidential information that can be then exploited for illegal purposes.
• While checking electronic mail (E-Mail) one day a user finds a message from the bank
threatening to close the bank account if he/she does not reply immediately.
• Although the message seems to be suspicious from the contents of the message, it is
difficult to conclude that it is a fake/false E-Mail.
• This message and other such messages are examples of Phishing – in addition to stealing
personal and financial data – and can infect systems with viruses and also a method of
online ID theft in various cases.
• These messages look authentic and attempt to get users to reveal their personal
information.
 How Phishing Works?

Phishers work in the following ways:

• 1. Planning: Criminals, usually called as phishers, decide the target.
• 2. Setup: Once phishers know which business/business house to spoof and who their victims.
• 3. Attack: the phisher sends a phone message that appears to be from a reputable source.
• 4. Collection: Phishers record the information of victims entering into webpages or pop-up
windows.
• 5. Identity theft and fraud: Phishers use the information that they have gathered to make
illegal
purchases or commit fraud.
• Nowadays, more and more organizations/institutes provide greater online access for their
customers and hence criminals are successfully using Phishing techniques to steal personal
information and conduct ID theft at a global level.
Password Cracking
• Password cracking is a process of recovering passwords from data that
have been stored in or transmitted by a computer system.
• or
• Password cracking is the process of attempting to guess or discover a
password used for authentication purposes
• Usually, an attacker follows a common approach – repeatedly making
guesses for the password.
The purpose of password cracking is as follows:
1. To recover a forgotten password.
2. As a preventive measure by system administrators to check for easily
crackable passwords.
3. To gain unauthorized access to a system
Manual password cracking is to attempt to logon with different
passwords.
The attacker follows the following steps:
1. Find a valid user account such as an Administrator or Guest;
2. create a list of possible passwords;
3. rank the passwords from high to low probability;
4. key-in each password;
5. try again until a successful password is found.
• Passwords can be guessed sometimes with knowledge of the user’s
personal information.
• Examples of guessable passwords include:
• 1. Blank (none);
• 2. the words like “password,” “passcode” and “admin”;
• 3. series of letters from the “QWERTY” keyboard, for example, qwerty, asdf
or qwertyuiop;
• 4. user’s name or login name;
• 5. name of user’s friend/relative/pet;
• 6. user’s birthplace or date of birth, or a relative’s or a friend’s;
• 7. user’s vehicle number, office number, residence number or mobile
number;
• 8. name of a celebrity who is considered to be an idol (e.g., actors, actress,
spiritual gurus) by the user;
• An attacker can also create a script file (i.e., automated program) which will be
executed to try each password in a list.
• This is still considered manual cracking, is time-consuming and not usually
effective.
• Passwords are stored in a database and password verification process is
established into the system when a user attempts to login or access a restricted
resource.
• To ensure confidentiality of passwords, the password verification data is usually
not stored in a clear text format.
• For example, one-way function (which may be either an encryption function or a
cryptographic hash) is applied to the password, possibly in combination with
other data, and the resulting value is stored.
• When a user attempts to login to the system by entering the password, the same
function is applied to the entered value and the result is compared with the
stored value.
• If they match, user gains the access; this process is called authentication.
• The hash functions can be computed and the attacker can test these
hashes with the help of passwords cracking tools to get the plain text
password.
• Password cracking attacks can be classified under three categories as
follows:
• 1. Online attacks;
• 2. offline attacks;
• 3. non-electronic attacks (e.g., social engineering, shoulder surfing
and dumpster diving)
• Keyloggers and Spywares
• Keystroke logging, often called keylogging, is the practice of noting (or logging)
the keys struck on a keyboard, typically in a covert manner so that the person
using the keyboard is unaware that such actions are being monitored.
• Keystroke logger or keylogger is quicker and easier way of capturing the
passwords and monitoring the victims’ IT savvy behavior.
• It can be classified as software keylogger and hardware keylogger
• Software Keyloggers
• Software keyloggers are software programs installed on the computer
systems which usually are located between the OS and the keyboard
hardware, and every keystroke is recorded.
• Software keyloggers are installed on a computer system by Trojans or
viruses without the knowledge of the user.
• Cybercriminals always install such tools on the insecure computer
systems available in public places (i.e., cybercafés, etc) and can obtain
the required information about the victim very easily.
• • A keylogger usually consists of two files that get installed in the
same directory: a dynamic link library (DLL) file and an EXEcutable
(EXE) file that installs the DLL file and triggers it to work.
• DLL does all the recording of keystrokes.
• Some Important Keyloggers are as follows
• All In One Keylogger Stealth Keylogger Perfect Keylogger
• KGB Spy Spy Buddy Elite Keylogger
• CyberSpy Powered Keylogg
• Hardware Keyloggers
• Hardware keyloggers are small hardware devices.
• These are connected to the PC and/or to the keyboard and save every keystroke
into a file or in the memory of the hardware device.
• Cybercriminals install such devices on ATM machines to capture ATM Cards’ PINs.
• Each keypress on the keyboard of the ATM gets registered by these keyloggers.
• These keyloggers look like an integrated part of such systems; hence, bank
customers are unaware of their presence.
• Antikeylogger
• • Antikeylogger is a tool that can detect the keylogger installed on the
computer system and also can remove the tool.
• Advantages of using antikeylogger are as follows:
• 1. Firewalls cannot detect the installations of keyloggers on the
systems; hence, antikeyloggers can detect installations of keylogger.
• 2. Does not require regular updates for the software.
• 3. Prevents Internet banking frauds.
• 4. It prevents ID theft
• 5. It secures E-Mail and instant messaging/chatting.
• Spywares
• Spyware is a type of malware (i.e., malicious software) that is installed on
computers which collects information about users without their knowledge.
• The presence of Spyware is typically hidden from the user; it is secretly
installed on the user’s personal computer.
• Spywares such as keyloggers are installed by the owner of a shared,
corporate or public computer on purpose to secretly monitor other users.
• Some Important Spywares are as follows
• Spy. Spector Pro. Spector Pro.
• eBlaster. Remotespy . Stealth Recorder Pro.
• Stealth Website Logger. Flexispy. Wiretap Professional.
• PC PhoneHome. SpyArsenal Print Monitor Pro.
• Virus and Worms
• Computer virus is a program that can “infect” legitimate programs by
modifying them to include a possibly “evolved” copy of itself.
• Viruses spread themselves, without the knowledge or permission of the users,
to potentially large numbers of programs on many machines.
• A computer virus passes from computer to computer in a similar manner as a
biological virus passes from person to person.
• Viruses may also contain malicious instructions that may cause damage or
annoyance; the combination of possibly Malicious Code with the ability to
spread is what makes viruses a considerable concern.
• Viruses can often spread without any readily visible symptoms.
• A virus can start on event-driven effects (e.g., triggered after a specific number
of executions), time-driven effects (e.g., triggered on a specific date, such as
Friday the 13th) or can occur at random
• Viruses can take some typical
actions:
• 1. Display a message to prompt
an action which may set of the
virus;
• 2. delete files inside the system
into which viruses enter;
• 3. scramble data on a hard disk;
• 4. cause erratic screen behavior;
• 5. halt the system (PC);
• 6. just replicate themselves to
propagate further harm.
• A worm spreads itself automatically to other computers through
networks by exploiting security vulnerabilities,
• whereas a Trojan is a code/program that appears to be harmless but
hides malicious functions.
• Worms and Trojans, such as viruses, may harm the system’s data or
performance.
• Some viruses and other malware have noticeable symptoms that
enable computer user to take necessary corrective actions, but many
viruses are surreptitious or simply do nothing for user’s to take note
of them.
• Some viruses do nothing beyond reproducing themselves.
• Types of Viruses
• 1. Boot sector viruses: It infects the storage media on which OS is stored (e.g., hard
drives) .
• 2. Program viruses: These viruses become active when the program file (usually with
extensions .bin, .com,.exe, .ovl, .drv) is executed
• 3. Multipartite viruses: It is a hybrid of a boot sector and program viruses.
• It infects program files along with the boot record when the infected program is active.
• 4. Stealth viruses: Detecting this type of virus is very difficult.
• It can hide itself in such a way that antivirus software also cannot detect it.
• Example for Stealth virus is “Brain Virus”.
• 5. Polymorphic viruses: It acts like a “chameleon” that changes its virus signature (i.e.,
binary pattern) every time it spreads through the system (i.e., multiplies and infects a
new file).
• Hence,it is always difficult to detect polymorphic virus with the help of an antivirus
program.
• 6. Macro viruses: Many applications, such as Microsoft Word and Microsoft
Excel, support MACROs (i.e., macrolanguages).
• These macros are programmed as a macro embedded in a document.
• Once macrovirus gets onto a victim’s computer then every document he/she
produces will become infected.
Trojan Horses and Backdoors
• A Trojan horse, often referred to simply as a Trojan, is a type of
malicious software that disguises itself as a legitimate program or file to
trick users into downloading and executing it on their systems.
• Once installed, a Trojan horse can perform various harmful actions, such
as stealing sensitive information, gaining unauthorized access to the
system, or causing damage to files and applications.
• Like Spyware and Adware, Trojans can get into the system in a number
of ways, including from a web browser, via E-Mail.
• One could be forced to reformat USB flash drive or other portable
device to eliminate infection and avoid transferring it to other machines
• Trojans appear gentle and harmless, but once the infected code is
executed , They perform malicious functions to harm the computer
system without the user’s knowledge.
• Some typical examples of threats by Trojans are as follows:
• 1. They erase, overwrite or corrupt data on a computer.
• 2. They help to spread other malware such as viruses (by a dropper Trojan).
• 3. They deactivate or interfere with antivirus and firewall programs.
• 4. They allow remote access to your computer (by a remote access Trojan).
• 5. They upload and download files without your knowledge.
• 6. They gather E-Mail addresses and use them for Spam.
• 7. They log keystrokes to steal information such as passwords and credit card
numbers.
• 8. They copy fake links to false websites, display porno sites, play sounds/videos and
display images.
• 9. They slow down, restart or shutdown the system.
• 10. They reinstall themselves after being disabled.
• 11. They disable the task manager.
• 12. They disable the control panel.
• Backdoor
• A backdoor is a means of unauthorized access to a computer program that by
passes security mechanisms.
• A programmer may sometimes install a backdoor so that the program can be
accessed for troubleshooting or other purposes.
• However, attackers often use backdoors that they detect or install themselves
as part of an exploit.
• A backdoor works in background and hides from the user.
• It is very similar to a virus and, therefore, is quite difficult to detect and
completely disable.
• A backdoor is one of the most dangerous parasite, as it allows a malicious
person to perform any possible action on a compromised system
Functions of backdoor:
• 1. It allows an attacker to create, delete, rename, copy or edit any file, execute various
commands; change any system settings; alter the Windows registry; run, control and
terminate applications
• 2. It allows an attacker to control computer hardware devices, modify related settings,
shutdown or restart a computer without asking for user permission.
• 3. It steals sensitive personal information, valuable documents, passwords, login names,
ID details; logs user activity and tracks web browsing habits.
• 4. It records keystrokes that a user types on a computer’s keyboard and captures
screenshots.
• 5. It sends all gathered data to a predefined E-Mail address, uploads it to a
predetermined FTP server or transfers it through a background Internet connection to a
remote host.
• 6. It infects files, corrupts installed applications and damages the entire system
• Following are a few examples of backdoor Trojans:
• 1. Back Orifice 2. Bifrost: 3. SAP backdoors 4. Onapsis Bizploit:
• Follow the following steps to protect your systems from Trojan Horses
and backdoors:
• 1. Stay away from suspect websites/weblinks:
• 2. Surf on the Web cautiously
• 3. Install antivirus/Trojan remover software
Steganography
• Steganography is the practice of hiding a file, message, image, or
video within another file, message, image, or video.
• It is a method that attempts to hide the existence of a message or
communication.
• The different names for steganography are data hiding, information
hiding and digital watermarking.
• Steganography can be used to make a digital watermark to detect
illegal copying of digitalimages. Thus, it aids confidentiality and
integrity of the data.
• when steganography is used to place a hidden “trademark” in images,
music and software, the result is a technique referred to as
“watermarking”
• Steganalysis
• Steganalysis is the art and science of detecting messages that are
hidden in images, audio/video files using steganography.
• The primary purpose of steganalysis is to identify the presence of
hidden data and potentially reveal the content of the hidden
message.
• Automated tools are used to detect such steganographed
data/information hidden in the image and audio and/or video files
Difference between Steganography and Cryptography
• 1. Steganography:
• - Steganography is the practice of concealing information within other data in a way that is not
readily apparent to observers.
• - The main goal of steganography is to hide the existence of the secret message, rather than to
protect its content through encryption.
• - Steganography techniques involve embedding the secret message within images, audio files,
video files, or other types of digital media.
• - The hidden message is typically encrypted before being embedded to provide an additional
layer of security.

• 2. Cryptography:
• - Cryptography is the practice of securing communication by converting plaintext into
ciphertext using algorithms and keys.
• - The main goal of cryptography is to ensure the confidentiality, integrity, and authenticity of
the information being transmitted.
• - Cryptography techniques involve encryption and decryption processes, where the sender
encrypts the message using a key, and the recipient decrypts it using the corresponding key.
• DoS and DDoS Attacks
• A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS
attack) is an attempt to make a computer resource (i.e., information systems)
unavailable to its intended users.
• DoS Attacks
• In this attack the attacker floods the bandwidth of the victim’s network or fills his E-
Mail box with Spam mail depriving him of the services he is entitled to access or
provide.
• The attackers typically target sites or high-profile web servers such as banks, credit
card payment gateways, mobile phone networks and even root name servers
• Buffer overflow technique is employed to commit such kind of criminal attack known
as
• Spoofing.
• The term IP address Spoofing refers to the creation of IP packets with a forged
(spoofed) source IP address with the purpose of concealing the ID of the sender or
impersonating another computing system
• A packet is a formatted unit of data carried by a packet mode computer network.
• The attacker spoofs the IP address and floods the network of the victim with
repeated requests.
• As the IP address is fake, the victim machine keeps waiting for response from the
attacker’s machine for each request.
• This consumes the bandwidth of the network which then fails to serve the
legitimate requests and ultimately breaks down
• The United States Computer Emergency Response Team defines symptoms of DoS
attacks to include:
• 1. Unusually slow network performance (opening fi les or accessing websites);
• 2. unavailability of a particular website;
• 3. inability to access any website;
• 4. dramatic increase in the number of Spam E-Mails received (this type of DoS
attack is termed as an E-Mail bomb).
• The goal of DoS is not to gain unauthorized access to systems or data, but to
prevent intended users (i.e., legitimate users) of a service from using it.
• A DoS attack may do the following:
• 1. Flood a network with traffic, thereby preventing legitimate network traffic.
• 2. Disrupt connections between two systems, thereby preventing access to a
service.
• 3. Prevent a particular individual from accessing a service.
• 4. Disrupt service to a specific system or person
• Classification of DoS Attacks
• 1 Bandwidth attacks: Loading any website takes certain time. Loading
means complete webpage appearing on the screen and system is
awaiting user’s input.
• 2 Logic attacks: These kind of attacks can exploit vulnerabilities in
network software such as web server or TCP/IP stack.
• 3 Protocol attacks: Protocols here are rules that are to be followed
to send data over network.
• 4 Unintentional DoS attack : This is a scenario where a website ends
up denied not due to a attack by a single individual or group of
individuals, but simply due to a sudden enormous spike in popularity.
• Types or Levels of DoS Attacks
• There are several types or levels of DoS attacks as follows:
• 1. Flood attack: This is the earliest form of DoS attack and is also
known as ping food. It is based on an attacker simply sending the
victim overwhelming number of ping packets, usuallyby using the
“ping” command, which result into more traffic than the victim can
handle.
• 2. Ping of death attack: The ping of death attack sends oversized
Internet Control Message Protocol (ICMP) packets, and it is one of the
core protocols of the IP Suite. It is mainly used by networked
computers’ OSs to send error messages indicating (e.g., that a
requested service is not available or that a host or router could not be
reached) datagrams (encapsulated in IP packets) to the victim.
• 3. SYN attack: It is also termed as TCP SYN Flooding. In the TCP,
handshaking of network connections is done with SYN and ACK
messages.
• ▪ An attacker initiates a TCP connection to the server with an SYN.
• ▪ The server replies with an SYN-ACK.
• ▪ The client then does not send back an ACK, causing the server to
allocate memory for the pending connection and wait.
• ▪ This fills up the buffer space for SYN messages on the target system,
preventing other systems on the network from communicating with
the target system.
• 4. Teardrop attack: The teardrop attack is an attack where fragmented
packets are forged to overlap each other when the receiving host tries
to reassemble them. IP’s packet fragmentation algorithm is used to
send corrupted packets to confuse the victim and may hang the
system. This attack can crash various OSs due to a bug in their TCP/IP
fragmentation reassembly code.
• 5. Smurf attack: This is a type of DoS attack that floods a target system
via spoofed broadcast ping messages.
• This attack consists of a host sending an echo request (ping) to a
network broadcast address.
• 6. Nuke: Nuke is an old DoS attack against computer networks
consisting of fragmented or invalid packets sent to the target.
• Tools Used to Launch DoS Attack
• 1 Jolt2 : The vulnerability allows remote attackers to cause a DoS attack
against Windows-based machines – the attack causes the target
machine to consume of the CPU time on processing of illegal packets.
• 2 Nemesy : This program generates random packets of spoofed source
IP to enable the attacker to launch DoS attack.
• 3 Targa : It is a program that can be used to run eight diff erent DoS
attacks. Th e attacker has the option to launch either individual attacks
or try all the attacks until one is successful.
• 4 Crazy Pinger : This tool could send large packets of ICMP(Internet
Control Message Protocol) to a remote target network.
• 5 SomeTrouble: It is a remote flooder and bomber. It is developed in
Delhi.
• DDoS Attacks
• In a DDoS attack, an attacker may use your computer to attack another computer.
• By taking advantage of security vulnerabilities or weaknesses, an attacker could take control
of your computer.
• He/she could then force your computer to send huge amounts of data to a website or send
Spam to particular E-Mail addresses.
• The attack is “distributed” because the attacker is using multiple computers, including yours,
to launch the DoS attack.
• A DDoS attack is a distributed DoS wherein a large number of zombie systems are
synchronized to attack a particular system.
• The zombie systems are called “secondary victims” and the main target is called
“primaryvictim.”
• Malware can carry DDoS attack mechanisms – one of the better-known examples of this
isMyDoom
• Botnet is the popular medium to launch DoS/DDoS attacks.
• Attackers can also break into systems using automated tools that exploit flaws in
programsthat listen for connections from remote hosts.
• How to Protect from DoS/DDoS Attacks
• Computer Emergency Response Team Coordination Center (CERT/CC) offers many preventive
measures from being a victim of DoS attack.
• 1. Implement router filters. This will lessen your exposure to certain DoS attacks.
• 2. If such filters are available for your system, install patches to guard against TCP SYN
flooding.
• 3. Disable any unused or inessential network service.
• 4. Enable quota systems on your OS if they are available.
• 5. Observe your system’s performance and establish baselines for ordinary activity.
• 6. Routinely examine your physical security with regard to your current needs.
• 7. Use Tripwire or a similar tool to detect changes in configuration information or other files.
• 8. Invest in and maintain “hot spares” – machines that can be placed into service quickly if a
• similar machine is disabled.
• 9. Invest in redundant and fault-tolerant network configurations.
• 10. Establish and maintain regular backup schedules
• 11. Establish and maintain appropriate password policies
• SQL Injection
• Structured Query Language (SQL) is a database computer language designed
for managing data in relational database management systems (RDBMS).
• SQL injection is a code injection technique that exploits a security
vulnerability occurring in the database layer of an application.
• SQL injection attacks are also known as SQL insertion attacks.
• Attackers target the SQL servers – common database servers used by many
organizations to store confidential data.
• The prime objective behind SQL injection attack is to obtain the information
while accessing a database table that may contain personal information
such as credit card numbers, social security numbers or passwords.
• During an SQL injection attack, Malicious Code is inserted into a web form
field or the website’s code
• For example, when a user logs in with username and password, an
SQL query is sent to the
• database to check if a user has valid name and password.
• • With SQL injection, it is possible for an attacker to send crafted
username and/or password field that will change the SQL query.
• Steps for SQL Injection Attack
• Following are some steps for SQL injection attack:
• 1. The attacker looks for the webpages that allow submitting data, that is, login page, search page, feedback,
etc. The attacker also looks for the webpages that display the HTML commands such as POST or GET by
checking the site’s source code.
• 2. To check the source code of any website, right click on the webpage and click on “view source” – source
code is displayed in the notepad. The attacker checks the source code of the HTML, and look for “FORM” tag
in the HTML code.
• Everything between the <FORM> and </FORM> have potential parameters that might be useful
• to find the vulnerabilities.
• <FORM action=Search/search.asp method=post>
• <input type=hidden name=A value=C>
• </FORM>
• 3. The attacker inputs a single quote under the text box provided on the webpage to accept the username
and password. This checks whether the user-input variable is interpreted literally by the server. If the
response is an error message such as use “a” = “a” then the website is found to be susceptible to an SQL
injection attack.
• 4. The attacker uses SQL commands such as SELECT statement command to retrieve data from the database
or INSERT statement to add information to the database.
• Here are few examples of variable field text the attacker uses on a webpage to test for
SQL
• vulnerabilities:
• 1. Blah’ or 1=1--
• 2. Login:blah’ or 1=1--
• 3. Password::blah’ or 1=1--
• 4. http://search/index.asp?id=blah’ or 1=1--
• Similar SQL commands may allow bypassing of a login and may return many rows in a
table or even an entire database table because the SQL server is interpreting the terms
literally.
• The double dashes near the end of the command tell SQL to ignore the rest of the
command as a comment.
• Blind SQL Injection
• Blind SQL injection is used when a web application is vulnerable to an
SQL injection but the results of the injection are not visible to the
attacker.
• The page with the vulnerability may not be the one that displays data;
however, it willdisplay differently depending on the results of a logical
statement injected into the legitimate SQL statement called for that page.
• This type of attack can become time-intensive because a new statement
must be crafted for each bit recovered.
• There are several tools that can automate these attacks once the location
of the vulnerability and the target information have been established.
• How to Prevent SQL Injection Attacks
• SQL injection attacks occur due to poor website administration and coding. The following
steps can be taken to prevent SQL injection.
• 1. Input validation
• Replace all single quotes to two single quotes.
• Sanitize the input: User input needs to be checked and cleaned of any characters or strings
that could possibly be used maliciously. For example, character sequences such as ; , --,
select, insert and xp_ can be used to perform an SQL injection attack.
• Numeric values should be checked while accepting a query string value. Function –
• IsNumeric() for Active Server Pages (ASP) should be used to check these numeric values.
• Keep all text boxes and form fields as short as possible to limit the length of user input.
• 2. Modify error reports: SQL errors should not be displayed to outside users
• 3. Other preventions
• The default system accounts for SQL server 2000 should never be used.
• Isolate database server and web server.
• Buffer Overflow
• • Buffer overflow, or buffer overrun, is an anomaly where a process stores data in a
buffer outside the memory the programmer has set aside for it.
• This may result unreliable program behavior, including memory access errors, incorrect
results, program termination (a crash) or a breach of system security.
• Buffer overflows can be triggered by inputs that are designed to execute code or alter
the way the program operates.
• They are, thus, the basis of many software vulnerabilities and can be maliciously
exploited.
• Bounds checking can prevent buffer overflows.
• Programming languages commonly associated with buffer overflows include C and C++,
which provide no built-in protection against accessing or overwriting data in any part of
memory and do not automatically check that data written to an array.
• Buffer overflow occurs when a program or process tries to store more data in a buffer
(temporary data storage area) than it was intended to hold.
• Although it may occur accidentally through programming error, buffer overflow is an
• increasingly common type of security attack on data integrity.
• • The knowledge of C, C++ or any other high-level computer language (i.e., assembly
• language) is essential to understand buffer overflow.
• For example,
• int main () {
• int buffer[10];
• buffer[20] = 10;
• }
• • This C program is a valid program and every compiler can compile it without any errors.
• • However, the program attempts to write beyond the allocated memory for the buffer, which
• might result in an unexpected behavior.
• Types of Buffer Overflow
• Stack-Based Buffer Overflow
• Stack buffer overflow occurs when a program writes to a memory address on
the program’s call stack outside the intended data structure – usually a fixed
length buffer. Here are the
• characteristics of stack-based programming:
• 1. “Stack” is a memory space in which automatic variables (and often
function parameters) areallocated.
• 2. Function parameters are allocated on the stack and are not automatically
initialized by the
• system, so they usually have garbage in them until they are initialized.
• 3. Once a function has completed its cycle, the reference to the variable in
the stack is removed.
• The attacker may exploit stack-based buffer overflows to manipulate
the program in various ways by overwriting:
• 1. A local variable that is near the buffer in memory on the stack to
change the behavior of the program that may benefit the attacker.
• 2. The return address in a stack frame. Once the function returns,
execution will resume at the return address as specified by the
attacker, usually a user input-filled buffer.
• 3. A function pointer, or exception handler, which is subsequently
executed.
• The factors that contribute to overcome the exploits are
• 1. Null bytes in addresses;
• 2. Variability in the location of shell code;
• 3. Differences between environments.
• A shell code is a small piece of code used as a payload in the
exploitation of software vulnerability.
• It is called “shell code” because it starts with command shell from
which the attacker can control the compromised machine.
• NOPs
• NOP or NOOP (short form of no operation) is an assembly language
instruction/ command that effectively does nothing at all.
• Heap Buffer Overflow
• Heap buffer overflow occurs in the heap data area and may be introduced
accidentally by an application programmer, or it may result from a deliberate exploit.
• The characteristics of stack based and heap-based programming are as follows:
• 1. “Heap” is a “free store” that is a memory space, where dynamic objects are
allocated.
• 2. The heap is the memory space that is dynamically allocated new(), malloc() and
calloc() functions; it is different from the memory space allocated for stack and code.
• 3. Dynamically created variables (i.e., declared variables) are created on the heap
before the execution program is initialized to zero.
• Memory on the heap is dynamically allocated by the application at run-time and
normally contains program data. Exploitation is performed by corrupting this data in
specific ways tocause the application to overwrite internal structures such as linked
list pointers.
• How to Minimize Buffer Overflow
• Although it is difficult to prevent all possible attacks, the following methods will
definitely help to minimize such attacks:
• 1. Assessment of secure code manually: Buffer overflow occurs when a program or
process tries to store more data in a buffer than it was intended to hold.
Developers should be educated about minimizing the use of functions like strcpy(),
strcat(), sprintf() and vsprintf() in C Language.
• 2. Disable stack execution: Malicious Code causes input argument to the program,
and it resides in the stack and not in the code segment. Any code that attempts to
execute any other code residing in the stack will cause a segmentation violation.
• 3. Compiler tools: Over the years, compilers have become more and more
aggressive in optimizations and the checks they perform. Various compiler tools
already off er warnings on the use of unsafe constructs such as gets(), strcpy(), etc.
Developers should be educated to restructure the programming code if such
warnings are displayed
• 4. Dynamic run-time checks: In this scheme, an application has restricted access
to prevent attacks.
• This method primarily relies on the safety code being preloaded before an
application is executed.
• This preloaded component can either provide safer versions of the standard
unsafe functions or it can ensure that return addresses are not overwritten.
• One example of such a tool is libsafe.
• The libsafe library provides a way to secure calls to these functions, even if the
function is not available.