1 of 27

Web and Network Hacking

Dr. M.A.Srinuvasu

Associate Professor

SQL injection

  • SQL injection is an attack in which the attacker uses unvalidated user input to insert arbitrary data or SQL commands into a query; the resulting malicious query, when executed by the backend database, produces results the application never intended. The attacker needs some knowledge of the backend database and uses different input strings to construct malicious queries to post to the target.

  • For example, on a user login screen, username and password are the dynamic fields where users enter data. Depending on the user's input, a dynamic query is constructed; the usual query is

  • Select * from users where username='Username.txt' and password='Password.txt'

If the input fields are not sanitized properly, a malicious user can enter data such as

Username = blah' or 1=1--

Password = password

Here both the username and the password are incorrect, but the query that is constructed will be

  • Select * from users where username='blah' or 1=1-- and password='password'

The query runs and the user is granted access. This is because the effective part of the query is

  • Select * from users where username='blah' or 1=1--

Because -- starts a comment in SQL, everything following it is ignored. The query only evaluates the condition username='blah' or 1=1.

Because 1=1 is always true, the user is granted access.
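The login bypass described above, as an added worked example that is not part of the original slides: the same query built by string concatenation (vulnerable) and with bound parameters (safe), run against a constructed in-memory SQLite table with one user.

```python
import sqlite3

def make_db():
    # Constructed sample database for the demo (not from the slides): one valid user.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return con

def build_vulnerable_sql(username, password):
    # The slide's query built by string concatenation: user text is spliced into the SQL.
    return f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"

def login_vulnerable(con, username, password):
    # With input "blah' or 1=1--" the -- comments out the password check entirely.
    return con.execute(build_vulnerable_sql(username, password)).fetchall()

def login_parameterized(con, username, password):
    # Same query with bound parameters: input is passed as data and never parsed as SQL.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchall()

def demo():
    # Returns (rows from vulnerable login, rows from parameterized login, rows for valid credentials).
    con = make_db()
    username, password = "blah' or 1=1--", "password"
    vulnerable = login_vulnerable(con, username, password)
    parameterized = login_parameterized(con, username, password)
    genuine = login_parameterized(con, "alice", "s3cret")
    return len(vulnerable), len(parameterized), len(genuine)

if __name__ == "__main__":
    print(build_vulnerable_sql("blah' or 1=1--", "password"))
    print(demo())  # (1, 0, 1): bypass succeeds only against the concatenated query
```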

Types of SQL Injection

Error based Injection

  • The attacker sends malicious queries to the database that cause errors. The error messages shown to users should be very generic; otherwise they give useful hints to the attacker.
  • Comment line: using a comment marker to make the database ignore part of an otherwise valid query.
  • E.g. Select * from stores where product_id = blah' or 1=1-- (everything after -- is ignored)
  • Tautology: many expressions always evaluate to true, such as '1'='1' or 'a'='a'; using them in the query creates conditions that are always true.
  • E.g. Select * from users where username='blah' or 'a'='a' -- and password='pass'

Union Based SQL injection

  • Using the UNION operator in the SQL query to execute additional queries and thereby read, modify, insert, delete or drop the contents of tables.
  • E.g. Select * from stores where product_id=1 union select 1,database(),user(),4#
  • Stored procedures: crafting malicious inputs that cause stored procedures to execute malicious queries.
  • Incorrect queries: submitting logically incorrect queries so that the resulting error messages reveal more information about the target database.
  • Select * from stores where id=1'
  • The above query results in a syntax error and might reveal the backend database type.

Blind SQL injection

  • This is a type of SQL injection where there is no direct indication of whether the web application is vulnerable to injection: no data or error message comes back, so the attacker must infer it from the application's behaviour.
  • Types:
  • Boolean: only logically correct queries show a result; wrong queries return nothing. The attacker tries to generate logically correct and incorrect queries and compares the responses.

  • Suppose the original query to the database is
  • Select * from users where id='id.txt'
  • If we give blah' or 1=1# as input, which produces a logically true query
  • Select * from users where id='blah' or 1=1#, we will see user results.
  • If we give blah' or 1=2# as input, which produces a logically false query, we see no results.
  • Select * from users where id='blah' or 1=2#
  • Time delay: a time delay is made conditional on some test. If the delay is observed, the condition was satisfied, so the input produced a positive result. This is a time-consuming process.

  • Tools:
    • SQLMAP, Marathon tool.
  • Perimeter tool (IDS) evasion techniques:
    • Use encryption.
    • Obfuscate strings to avoid pattern matching.
    • Use concatenation to confuse the IDS.
    • Use encodings such as ASCII or hexadecimal encoding to avoid detection.
    • Insert inline comments within the query.
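Why the evasions listed above defeat plain pattern matching, as an added example from the detection side (not part of the original slides): a naive literal signature is compared with a signature applied after normalizing the input. The sample inputs are constructed; only percent-encoding, inline comments, case and whitespace are undone here, not encryption or concatenation.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs (not from the slides): one benign value and the same
# tautology written plainly and with the evasions the slide lists.
SAMPLES = {
    "benign": "O'Reilly",
    "plain": "blah' or 1=1--",
    "url_encoded": "blah%27%20or%201%3D1--",
    "inline_comments": "blah'/**/or/**/1=1--",
    "mixed_case_spacing": "blah'   Or  1 = 1--",
}

# A naive signature: one literal string, matched as-is.
NAIVE_SIGNATURE = re.compile(r"' or 1=1")

# A tautology signature applied after normalization: 'or' followed by n=n or 'x'='x'.
TAUTOLOGY = re.compile(r"'\s*or\s*(?:(\d+)\s*=\s*\1\b|'(\w+)'\s*=\s*'\2')")

def normalize(value: str) -> str:
    # Undo the cheap evasions before matching (encryption and concatenation are not handled).
    value = unquote(value)                      # percent (URL) encoding
    value = re.sub(r"/\*.*?\*/", " ", value)    # inline comments become whitespace
    value = re.sub(r"\s+", " ", value)          # collapse runs of whitespace
    return value.lower()                        # case folding

def naive_match(value: str) -> bool:
    return NAIVE_SIGNATURE.search(value) is not None

def normalized_match(value: str) -> bool:
    return TAUTOLOGY.search(normalize(value)) is not None

def scan(samples=SAMPLES):
    # Returns {name: (naive verdict, normalized verdict)} for each sample.
    return {name: (naive_match(v), normalized_match(v)) for name, v in samples.items()}

if __name__ == "__main__":
    for name, (naive, normalized) in scan().items():
        print(f"{name:20s} naive={naive!s:5s} normalized={normalized}")
```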

Hacking Wireless Networking

  • Wireless networks come with excellent advantages: connectivity beyond walls, no cables, easy internet access even in areas where laying cables is difficult, speed and sharing. But wireless networks also have a few disadvantages, the major one being questionable security.

  • Access Point (AP): the point where mobile devices and computers connect to the wireless network.
  • SSID: Service Set Identifier; a human-readable name that identifies the access point and, when broadcast, allows the access point to be found.
  • BSSID: the MAC address of the access point.
  • Bandwidth: the amount of information that can be transferred over the connection.

Open Authentication

  • When a client wants to connect to an open access point, it sends a probe request and the AP sends a probe response; the client then sends an authentication request. Upon receiving the authentication response, the client establishes an association with the AP.

Shared Key Authentication Process

  • Here the client sends a probe request and the access point sends the probe response; the client then sends an authentication request and the AP returns an authentication challenge. The client must answer the challenge using the shared key. The AP verifies the response and authenticates the client, who then establishes a connection with the access point.

Centralised Authentication

  • In a corporate environment, instead of the access point verifying the client's authentication details, a centralised server does the job of verifying the client. RADIUS is a centralised authentication server that verifies clients who want to connect to the access point.

Encryption Types

  • WEP: Wired Equivalent Privacy
  • WPA: Wi-Fi Protected Access
  • WPA2: Wi-Fi Protected Access with FAD

WEP: Wired Equivalent Privacy

  • It is a simple encryption technique that used a 40-bit key with a 24-bit initialisation vector (IV) and the RC4 algorithm for encryption, with CRC-32 as the integrity check mechanism. Because the IV was very small, IVs were likely to be reused, and this weakness allowed the encryption to be broken easily.
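How small the 24-bit IV space really is, as an added example that is not part of the original slides: the birthday bound and a simulation give the number of packets before a random IV repeats, and a stream-cipher stand-in (a SHA-256-based key stream, assumed here in place of RC4, which it does not implement) shows why a repeated IV matters: two ciphertexts under the same key stream XOR to the XOR of their plaintexts. The key and packet contents are constructed values.

```python
import hashlib
import math
import random

IV_BITS = 24                 # WEP's initialisation vector size
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IVs

def birthday_bound(space: int = IV_SPACE) -> float:
    # Expected number of randomly chosen IVs before the first repeat (birthday approximation).
    return math.sqrt(math.pi * space / 2)

def packets_until_iv_repeat(seed: int) -> int:
    # Simulate a sender picking IVs uniformly at random; count packets until an IV repeats.
    rng = random.Random(seed)
    seen = set()
    sent = 0
    while True:
        iv = rng.getrandbits(IV_BITS)
        sent += 1
        if iv in seen:
            return sent
        seen.add(iv)

def keystream(key: bytes, iv: int, length: int) -> bytes:
    # Stand-in for the RC4 key stream keyed by IV || key (NOT RC4); it only has the property
    # that matters here: the same (IV, key) always yields the same key stream.
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(iv.to_bytes(3, "big") + key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def encrypt(key: bytes, iv: int, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, iv, len(plaintext))))

def xor_of_ciphertexts(key: bytes, iv: int, p1: bytes, p2: bytes) -> bytes:
    # Two packets under the same IV share a key stream, so C1 xor C2 == P1 xor P2:
    # the key drops out and an eavesdropper learns the relationship between plaintexts.
    c1, c2 = encrypt(key, iv, p1), encrypt(key, iv, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))

def xor_of_plaintexts(p1: bytes, p2: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(p1, p2))

if __name__ == "__main__":
    print(f"expected packets before an IV repeat: {birthday_bound():.0f}")  # about 5134
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    leak = xor_of_ciphertexts(key, 0xABCDEF, b"hello world", b"jello world")
    print(leak == xor_of_plaintexts(b"hello world", b"jello world"))  # True
```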

WPA: Wi-Fi Protected Access

  • This algorithm uses a 48-bit IV and is based on the 802.11i standard. RC4 is used with 128-bit temporal keys and a 64-bit MIC (message integrity check), which makes the encryption stronger than WEP. The 128-bit temporal key, mixed with the 48-bit IV and the sender's MAC address, creates the key stream that RC4 uses to encrypt the data. Temporal keys are changed every 10,000 packets.

WPA2: Wi-Fi Protected Access with FAD

  • This is for enterprise use, with strong data protection and network access control. Instead of RC4, AES (Advanced Encryption Standard) is used for encryption with temporal keys; the key size is 128 bits. It makes use of a centralised RADIUS server for authentication.

Virus

  • A virus is a self-replicating program that produces copies of itself by attaching to another program, a computer boot sector or a document. A virus typically:
    • Infects other programs
    • Alters data
    • Transforms itself
    • Encrypts itself
    • Corrupts files and programs
    • Self-propagates

Different types of Viruses:

  • Boot sector virus: replaces the boot sector with itself, moving the original boot sector to another location on the hard disk.
  • File overwriting or cavity virus: replaces the content of files with other content, leaving the file unusable.
  • Crypter: encrypts the contents of a file, making the file unusable for the user.
  • Polymorphic virus: the virus code mutates itself while keeping its algorithm intact.
  • Tunnelling virus: these viruses trace the steps of interceptor programs that monitor operating system requests, so that they get into the BIOS and DOS to install themselves. To do this they even tunnel under anti-virus programs.

  • Metamorphic virus: rewrites itself every time, reprogramming itself into completely different code and back again.
  • Macro virus: infects Microsoft products such as Word and Excel. Usually written in a macro language such as Visual Basic for Applications (VBA).
  • Cluster virus: modifies directory entries so that they always direct the user to the virus code instead of the actual program.
  • Stealth/tunnelling virus: intercepts the anti-virus software's calls to the operating system and returns an uninfected version of the requested files, thereby evading the anti-virus.
  • Extension virus: hides the extension of the virus files, deceiving the unsuspecting user into downloading them.

  • Metamorphic virus: as with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behaviour as well as their appearance.
  • Add-on virus: add-on viruses append their code to the host code without changing the latter, or relocate the host code to insert their own code at the beginning.

Worms

  • A worm is a standalone malicious program that spreads from computer to computer, but unlike a virus it can travel without any human action. A worm takes advantage of file or information transport features on the system, which is what allows it to travel unaided. Often it uses a computer network to spread itself, relying on security failures on the target computer to gain access.