Cyber offenses: How criminals plan

them
 Lecture Plan of Unit-III
• L-13How criminals plan them: Introduction, How criminals plan the
attacks
• L-14Social Engineering
• L-15Cyber stalking
• L-16Cyber cafe and cyber crimes
• L-17Botnets: The fuel for cybercrime
• L-18Attack vector Cloud computing
 Introduction
• Cybercriminals use the World Wide Web and
Internet to an optimal level for an illegal activities.
• These criminals take the advantage of the wide
spread lack of awareness about cybercrimes and
cyber laws among people who are constantly
using the IT infrastructure for official and personal
purposes.
 Few terminologies
• Hacker: A hacker is a person with strong interest in computers who
enjoys learning and experimenting with them.
• Hackers are usually very talented, smart people who understand
computers better than the others.
• Brute force Hacking: it is a technique used to find passwords or
encryption keys. It involves trying every possible combination of
letters, numbers, etc., until the code is broken.
 Few terminologies
• Cracker: a cracker is a person who breaks into computers.
• They are computer criminals.
• Their act include vandalism, theft and snooping in unauthorized areas.
• Cracking: it is the act of breaking into computers.
• Cracking is a popular, growing subject on the internet.
• Many sites are devoted to supplying crackers with programs that allow
them to crack computers (like guessing passwords)
• Cracker tools: these are programs that break into computers. Like
password crackers, Trojans, viruses, war dialers and worms.
 Few terminologies
• Phreaking: This is notorious art of breaking into phone or other
communication systems.
• War dialer: it is program that automatically dials phone numbers
looking for computers on the other end.
• It catalogs numbers so that the hackers can call back and try break in.
 Categories of Cybercrime
• Target of the crime
• Crimes targeted at individuals
• Crimes targeted at property
• Crimes targeted at organizations
• Whether the crime occurs as a single event or as a series of events.
• Single event cybercrime: hacking or fraud
• Series of events: cyberstalking
 Categories of vulnerabilities that hackers
typically search for
• Inadequate border protection
• Remote access servers(RASs) with weak access controls.
• Application servers with well-known exploits.
• Misconfigured systems and systems with default configurations.
 Inside Attack

• An attack originating and/or attempted within the security perimeter

of an organization is an inside attack.
• It is usually attempted by an “insider” who gains access to more
resources than expected.
 Outside Attack

• An outside attack is attempted by a source outside the security

perimeter.
• It may be attempted by an insider and/or an outsider.
• It is attempted through the Internet or a remote access connection.
 How Criminals plan the attacks

• Phases involved in planning cybercrime-

• 1. Reconnaissance (information gathering) is the first phase and is
treated as passive attacks.
• 2. Scanning the gathered information for the validity of the
information as well as to identify the existing weakness.
• 3. Launching an attack.
 Phase: I Reconnaissance

• The meaning of Reconnaissance is an act of reconnoitering – explore,

often with the goal of finding something or somebody.
• Reconnaissance phase begins with “Footprinting”.
• Footprinting is the preparation toward preattack phase.
• Footprinting gives an overview about system weakness and provides a
judgment about “How to break this?”.
• The objective of this phase is to understand the system, its
networking ports and services, and any other aspects of its security.
 An attacker attempts to gather
information in two phases
•Passive attack
•Active attacks
 Passive Attack

• In computer security, attempt to steal information stored in a system by

electronic wiretapping or similar means.
• Although, in contrast to active attack, passive attack does not attempt to
interfere with the stored data, it may still constitute a criminal offense.
• A passive attack involves gathering information about a target without
his/her knowledge. Information can be gathered from :
• It is usually done using Internet searches or by Googling. They use
Google Earth to locate information about employees.
• Surfing online community groups like orkut/facebook will prove useful
to gain the information about an individual.
 Passive Attack
• Organization’s website may provide a personnel directory or
information about key employees.
• Bolgs, newgroups, press releases, etc. are generally used as the
mediums to gain information about the company or employee.
• Going through the job postings in particular job profiles for technical
persons.
• Network sniffing is another means of passive attack to yield useful
information such as IP, hidden servers or networks.
 Tools used for Passive Attack

• Google Earth
• WHOIS
• Nslookup (name server lookup)
• Dnsstuff
• eMailTrackerPro
• Website Watcher
 Active Attack

• In computer security, persistent attempt to introduce invalid data into

a system, and/or to damage or destroy data already stored in it.
• In many countries, it is a criminal offense to attempt any such action.
 Tools used during active attacks
• Arphound
• Arping
• Bing
• Bugtraq
• Dig
• DNStacer
• Dsniff
• Filesnarf
• FindSMB
 Phase – 2 : Scanning and Scrutinizing
gathered information

• Scanning is a key step to examine intelligently while gathering information

about the target.
• The objectives of scanning are as follows :
• Port Scanning :
• Identify open/close ports and services.
• Network scanning :
• Understand IP addresses and related information about the computer
network system.
• Vulnerability scanning :
• Understand the existing weaknesses in the system.
 Phase – 2 : Scanning and Scrutinizing
gathered information
• The scrutinizing (inspecting) phase is called “enumeration” (listing) in
the hacking world.
• The objective behind this step is to identify :
• The valid user accounts or groups;
• Network resources and/or shared resources;
• OS and different applications that are running on the OS.
• Note : Usually most of the attackers consume 90% of the time in
scanning, scrutinizing and gathering information on a target and 10%
of the time in launching the attack.
 Port Scanning

• The act of systematically scanning a computer's ports.

• Since a port is a place where information goes into and out of a computer,
port scanning identifies open doors to a computer.
• It is similar to a thief going through your neighbourhood and checking
every door and window on each house to see which ones are open and
which ones are locked.
• There is no way to stop someone from port scanning your computer while
you are on the Internet because accessing an Internet server opens a port,
which opens a door to your computer.
• There are, however, software products that can stop a port scanner from
doing any damage to your system.
 Port Scanning
• TCP (Transmission Control Protocol) and UDP (User Datagram
Protocol) are two of the protocols that make up the TCP/IP protocol
suite which is used universally to communicate on the Internet.
• Each of these has ports 0 through available so essentially there are
more than 65,000 doors to lock.
• The first 1024 TCP ports are called the Well-Known Ports and are
associated with standard services such as FTP, HTTP, SMTP or DNS.
• Some of the addresses over 1023 also have commonly associated
services, but the majority of these ports are not associated with any
service and are available for a program or application.
 Port scan
• A port scan consists of sending a message to each port, one at a time.
• The kind of response received indicates whether the port is used and
can therefore be probed for weakness.
• The result of a scan on a port is usually generalised into one of the
following categories:
• Open or accepted
• Closed or not listening
• Filtered or blocked.
 Types of port scans
• vanilla: the scanner attempts to connect to all 65,535 ports.
• Strobe: a more focused scan looking only for known services to exploit
• fragmented packets: the scanner sends packet fragments that get through
simple packet filters in a firewall
• UDP: the scanner looks for open UDP
• portssweep: the scanner connects to the same port on more than one
machine
• FTP bounce: the scanner goes through an FTP server in order to disguise the
source of the scan
• stealth scan: the scanner blocks the scanned computer from recording the
port scan activities.
 Phase 3 : Attack
• The attack is launched using the following steps :
• Crack the password;
• Exploit the privileges;
• Execute the malicious command/applications;
• Hide the files (if required);
• Cover the tracks – delete the access logs, so that there is no trail illicit
activity