Monday 26 March 2012

Certified Ethical Hacking






ETHICAL HACKING

VULNERABILITIES, COUNTERMEASURES & ENUMERATION.









  

 
  
 

HACKERS:

          Hackers are the persons who compromise the computer system, networks, and breach the security policies, firewalls to obtain unauthorized access to the victim’s computer, information and data. There are three types of hackers.
i)             Black Hat Hackers.
ii)            Grey Hat Hackers.
iii)          White Hat Hackers.

BLACK HAT HACKERS:

          Black hats are the bad guys: the malicious hackers or crackers who use their skills for illegal or malicious purposes. They break into or otherwise violate the system integrity of remote systems, with malicious intent. Having gained unauthorized access, black-hat hackers destroy vital data, deny legitimate users service, and just cause problems for their targets.

Black-hat hackers and crackers can easily be differentiated from white-hat hackers because their actions are malicious. This is the traditional definition of a hacker and what most people consider a hacker to be.

GREY HAT HACKERS:

Gray hats are hackers who may work offensively or defensively, depending on the situation. This is the dividing line between hacker and cracker. Gray-hat hackers may just be interested in hacking tools and technologies and are not malicious black hats. Gray hats are self-proclaimed ethical hackers, who are interested in hacker tools mostly from a curiosity standpoint.

They may want to highlight security problems in a system or educate victims so they secure their systems properly. These hackers are doing their “victims” a favor. For- Instance if a weakness is discovered in a service offered by an investment bank, the hacker is doing the bank a favor by giving the bank a chance to rectify the vulnerability.

WHITE HAT HACKERS:

White hats are the good guys, the ethical hackers who use their hacking skills for defensive purposes. White-hat hackers are usually security professionals with knowledge of hacking and the hacker toolset and who use this knowledge to locate weaknesses and implement countermeasures. White-hat hackers are prime candidates for the exam. White hats are those who hack with permission from the data owner. It is critical to get permission prior to beginning any hacking activity. This is what makes a security professional a white hat versus a malicious hacker who cannot be trusted.

PHASES OF ETHICAL HACKING:

The process of ethical hacking can be broken down into five distinct phases. Later in this book, hacking software programs and tools will be categorized into each of these steps.

An ethical hacker follows processes similar to those of a malicious hacker. The steps to gain and maintain entry into a computer system are similar no matter what the hacker’s intentions are. Figure 1.1 illustrates the five phases that hackers generally follow in hacking a computer system.





·        Passive and Active Reconnaissance


Passive reconnaissance involves gathering information about a potential target without the targeted individual’s or company’s knowledge. Passive reconnaissance can be as simple as watching a building to identify what time employees enter the building and when they leave. However, most reconnaissance is done sitting in front of a computer.

When hackers are looking for information on a potential target, they commonly run an Internet search on an individual or company to gain information. I’m sure many of you have performed the same search on your own name or a potential employer, or just to gather information on a topic. This process when used to gather information regarding a TOE is generally called information gathering. Social engineering and dumpster diving are also considered passive information-gathering methods. These two methods will be discussed in more detail later in this chapter.

Sniffing the network is another means of passive reconnaissance and can yield useful information such as IP address ranges, naming conventions, hidden servers or networks, and other available services on the system or network. Sniffing network traffic is similar to building monitoring: a hacker watches the flow of data to see what time certain transactions take place and where the traffic is going. Sniffing network traffic is a common hook for many ethical hackers. Once they use some of the hacking tools and are able to see all the data that is transmitted in the clear over the communication networks, they are eager to learn and see more.

Sniffing tools are simple and easy to use and yield a great deal of valuable information. An entire chapter in this book (Chapter 6, “Gathering Data from Networks: Sniffers”) is dedicated to these tools, which literally let you see all the data that is transmitted on the network. Many times this includes usernames and passwords and other sensitive data. This is usually quite an eye-opening experience for many network administrators and security professionals and leads to serious security concerns. Active reconnaissance involves probing the network to discover individual hosts, IP addresses, and services on the network but the process also increases the chance of being caught or at least raising suspicion. Many software tools that perform active reconnaissance can be traced back to the computer that is running the tools, thus increasing the chance of detection for the hacker.

Both passive and active reconnaissance can lead to the discovery of useful information to use in an attack. For example, it’s usually easy to find the type of web server and the operating system (OS) version number that a company is using. This information may enable a hacker to find vulnerability in that OS version and exploit the vulnerability to gain more access.

·        Scanning


Scanning involves taking the information discovered during reconnaissance and using it to examine the network. Tools that a hacker may employ during the scanning phase include Dialers, Port scanners, Internet Control Message Protocol (ICMP) scanners, Ping sweeps, Network mappers, Simple Network Management Protocol (SNMP) sweepers, Vulnerability scanners.

Hackers are seeking any information that can help them perpetrate an attack on a target, such as the following:

·        Computer names
·        Operating system (OS)
·        Installed software
·        IP addresses
·        User accounts

Gaining Access

Phase 3 is when the real hacking takes place. Vulnerabilities exposed during the reconnaissance and scanning phase are now exploited to gain access to the target system. The hacking attack can be delivered to the target system via a local area network (LAN), either wired or wireless; local access to a PC; the Internet; or offline. Examples include stack based buffer overflows, denial of service, and session hijacking once a system has been hacked, the hacker has control and can use that system as they wish.

·        Maintaining Access
Once a hacker has gained access to a target system, they want to keep that access for future exploitation and attacks. Sometimes, hackers harden the system from other hackers or security personnel by securing their exclusive access with backdoors, rootkits, and Trojans. Once the hacker owns the system, they can use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to as a zombie system.

·        Covering Tracks
Once hackers have been able to gain and maintain access, they cover their tracks to avoid detection by security personnel, to continue to use the owned system, to remove evidence of hacking, or to avoid legal action. Hackers try to remove all traces of the attack, such as log files or intrusion detection system (IDS) alarms. Examples of activities during this phase of attack include

·        Steganography
·        Using a tunneling protocol
·        Altering log files

INFORMATION GATHERING:

          The first step of the hacking process is gathering information on a target. Information gathering, also known as footprinting, is the process of gathering all available information about an organization. In the age of the Internet, information is available in bits and pieces from many different sources.

Seemingly insignificant bits of information can be enlightening when pieced together—which is the purpose of information gathering. Footprinting can be effective in identifying high value targets, which is what hackers will be looking for to focus their efforts.
·        RECONNAISSANCE:

The term reconnaissance comes from the military and means to actively seek an enemy’s intentions by collecting and gathering information about an enemy’s composition and capabilities via direct observation, usually by scouts or military intelligence personnel trained in surveillance. In the world of ethical hacking, reconnaissance applies to the process of information gathering. Reconnaissance is a catchall term for watching the hacking target and gathering information about how, when, and where they do things. By identifying patterns of behavior, of people or systems, an enemy could find and exploit a loophole.

·        FOOTPRINTING:

Footprinting is defined as the process of creating a blueprint or map of an organization’s network and systems. Information gathering is also known as footprinting an organization. Footprinting begins by determining the target system, application, or physical location of the target.
Once this information is known, specific information about the organization is gathered using nonintrusive methods. For example, the organization’s own web page may provide a personnel directory or a list of employee bios, which may prove useful if the hacker needs to use a social-engineering attack to reach the objective.

The information the hacker is looking for during the footprinting phase is anything that gives clues as to the network architecture, server, and application types where valuable data is stored. Before an attack or exploit can be launched, the operating system and version as well as application types must be uncovered so the most effective attack can be launched gainst the target. Here are some of the pieces of information to be gathered about a target during footprinting:
     i.   Domain Name.
    ii.   Network Blocks
   iii.   Network Services & Applications.
   iv.   System Architecture.
    v.   Intrusion detection System.
   vi.   Authentication Mechanism.
 vii.    pecific IP Address.
viii.    Access Control Mechanism.
   ix.   Phone Numbers
    x.   E-mail Addresses.
   xi.   Contact details.
Once this information is compiled, it can give a hacker better insight into the organization, where valuable information is stored, and how it can be accessed.


·        SOCIAL ENGINEERING:

Social engineering is a nontechnical method of breaking into a system or network. It’s the process of deceiving users of a system and convincing them to perform acts useful to the hacker, such as giving out information that can be used to defeat or bypass security mechanisms. Social engineering is important to understand because hackers can use it to attack the human element of a system and circumvent technical security measures. This method can be used to gather information before or during an attack.

DNS ENUMERATION:

          Enumeration occurs after scanning and is the process of gathering and compiling usernames, machine names, network resources, shares, and services. It also refers to actively querying or connecting to a target system to acquire this information. Hackers need to be methodical in their approach to hacking. The following steps are an example of those a hacker might perform in preparation for hacking a target system:

1. Extract usernames using enumeration.
2. Gather information about the host using null sessions.
3. Perform Windows enumeration using the SuperScan tool.
4. Acquire the user accounts using the tool GetAcct.
5. Perform SNMP port scanning.

The object of enumeration is to identify a user account or system account for potential use in hacking the target system. It isn’t necessary to find a system administrator account, because most account privileges can be escalated to allow the account more access than was previously granted.

·        NULL SESSION:

A null session occurs when you log in to a system with no username or password. NetBIOS null sessions are vulnerability found in the Common Internet File System (CIFS) or SMB, depending on the operating system.

Once a hacker has made a NetBIOS connection using a null session to a system, they can easily get a full dump of all usernames, groups, shares, permissions, policies, services, and more using the Null user account. The SMB and NetBIOS standards in Windows include APIs that return information about a system via TCP port 139.

One method of connecting a NetBIOS null session to a Windows system is to use the hidden Inter-Process Communication share (IPC$). This hidden share is accessible using the net use command. As mentioned earlier, the net use command is a built-in Windows command that connects to a share on another computer. The empty quotation marks (“”) indicate that you want to connect with no username and no password. To make a NetBIOS null session to a system with the IP address 192.21.7.1 with the built-in anonymous user account and a null password using the net use command, the syntax is as follows:

C: \> net use \\192.21.7.1 \IPC$ “” /u: “”

Once the net use command has been successfully completed, the hacker has a channel over which to use other hacking tools and techniques.

 SNMP ENUMERATION

SNMP enumeration is the process of using SNMP to enumerate user accounts on a target system. SNMP employs two major types of software components for communication: the SNMP agent, which is located on the networking device, and the SNMP management station, which communicates with the agent.

Almost all network infrastructure devices, such as routers and switches and including Windows systems, contain an SNMP agent to manage the system or device. The SNMP management station sends requests to agents, and the agents send back replies. The requests and replies refer to configuration variables accessible by agent software. Management stations can also send requests to set values for certain variables. Traps let the management station know that something significant has happened in the agent software, such as a reboot or an interface failure. Management Information Base (MIB) is the database of configuration variables that resides on the networking device.

SNMP has two passwords you can use to access and configure the SNMP agent from the management station. The first is called a read community string. This password lets you view the configuration of the device or system. The second is called the read/write community string; it’s for changing or editing the configuration on the device. Generally, the default read community string is public and the default read/write community string is private. A common security loophole occurs when the community strings are left at the default settings: a hacker can use these default passwords to view or change the device configuration.

VULNERABILITY & SCANNING

 
After the reconnaissance and information-gathering stages have been completed, scanning is performed. It is important that the information- gathering stage be as complete as possible to identify the best location and targets to scan. During scanning, the hacker continues to gather information regarding the network and its individual host systems. Information such as IP addresses, operating system, services, and installed applications can help the hacker determine which type of exploit to use in hacking a system.

Scanning is the process of locating systems that are alive and esponding on the network. Ethical hackers use scanning to identify target systems’ IP addresses. Scanning is also used to determine whether a system is on the network and available. Scanning tools are used to gather information about a system such as IP addresses, the operating system, and services running on the target computer.

Port Scanning Port scanning is the process of identifying open and available TCP/IP ports on a system. Port-scanning tools enable a hacker to learn about the services available on a given system. Each service or application on a machine is associated with a well-known port number. Port Numbers are divided into three ranges:
Ø  Well-Known Ports: 0-1023
Ø  Registered Ports: 1024-49151
Ø  Dynamic Ports: 49152-65535
Network Scanning Network scanning is a procedure for identifying active hosts on a network, either to attack them or as a network security assessment. Hosts are identified by their individual IP addresses. Network-scanning tools attempt to identify all the live or responding hosts on the network and their corresponding IP addresses.

Vulnerability Scanning Vulnerability scanning is the process of proactively identifying the vulnerabilities of computer systems on a network. Generally, a vulnerability scanner first identifies the operating system and version number, including service packs that may be installed. Then, the scanner identifies weaknesses or vulnerabilities in the operating system.

During the later attack phase, a hacker can exploit those weaknesses in order to gain access to the system.

Scanning Methodology

This methodology is the process by which a hacker scans the network. It ensures that no system or vulnerability is overlooked and that the hacker gathers all necessary information to perform an attack.

Ping Sweep Techniques

The scanning methodology starts with checking for systems that are live on the network, meaning that they respond to probes or connection requests. The simplest, although not necessarily the most accurate, way to determine whether systems are live is to perform a ping sweep of the IP address range. All systems that respond with a ping reply are considered live on the network. A ping sweep is also known as Internet Control Message Protocol (ICMP) scanning, as ICMP is the protocol used by the ping command.

ICMP scanning, or a ping sweep, is the process of sending an ICMP request or ping to all hosts on the network to determine which ones are up and responding to pings. ICMP began as a protocol used to send test and error messages between hosts on the Internet.

It has evolved as a protocol utilized by every operating system, router, switch or Internet Protocol (IP)-based device. The ability to use the ICMP Echo request and Echo reply as a connectivity test between hosts is built into every IP-enabled device via the ping command. It is a quick and dirty test to see if two hosts have connectivity and is used extensively for troubleshooting.

NMAP Command Switches
Nmap is a free, open source tool that quickly and efficiently performs ping sweeps, port scanning, service identification, IP address detection, and operating system detection.

Nmap has the benefit of scanning a large number of machines in a single session. It’s supported by many operating systems, including Unix, Windows, and Linux. The state of the port as determined by an nmap scan can be open, filtered, or unfiltered. Open means that the target machine accepts incoming request on that port. Filtered means a firewall or network filter is screening the port and preventing nmap from discovering whether it’s open. Unfiltered mean the port is determined to be closed, and no firewall or filter is interfering with the nmap requests.

Nmap supports several types of scans. Table 3.2 details some of the common scan methods.

-sT     TCP connect scan
-sS     SYN scan
-sF     FIN scan
-sX     XMAS tree scan
-sN     Null scan
-sP     Ping scan
-sU     UDP scan
-sO     Protocol scan
-sA     ACK scan
-sW    Windows scan
-sR     RPC scan
-sL     List/DNS scan
-sI      Idle scan
-Po     Don’t ping
-PT     TCP ping
-PS     SYN ping
-PI     ICMP ping
-PB     TCP and ICMP ping
-PB     ICMP timestamp
-PM    ICMP netmask
-oN    Normal output
-oX     XML output
-oG    Greppable output
-OA    All output

DENIAL OF SERVICE
A DoS attack is an attempt by a hacker to flood a user’s or an organization’s system. There are two main categories of DoS attacks Attacks sent by a single system to a single target (simple DoS) and Attacks sent by many systems to a single target (distributed denial of service, or DDoS).
The goal of DoS isn’t to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it. A DoS attack may do the following:

·        Flood a network with traffic, thereby preventing legitimate network traffic.
·        Disrupt connections between two machines, thereby preventing access to a service.
·        Prevent a particular individual from accessing a service.
·        Disrupt service to a specific system or person.

Different tools use different types of traffic to flood a victim, but the result is the same: a service on the system or the entire system is unavailable to a user because it’s kept busy trying to respond to an exorbitant number of requests.

A DoS attack is usually an attack of last resort. It’s considered an unsophisticated attack because it doesn’t gain the hacker access to any information but rather annoys the target and interrupts their service. DoS attacks can be destructive and have a substantial impact when sent from multiple systems at the same time (DDoS attacks).

MECHANISM OF DDOS ATTACK
DDoS is an advanced version of the DoS attack. Like DoS, DDoS tries to deny access to services running on a system by sending packets to the destination system in a way that the destination system can’t handle. The key of a DDoS attack is that it relays attacks from many different hosts (which must first be compromised), rather than from a single host like DoS. DDoS is a large-scale, coordinated attack on a victim system.
The services under attack are those of the primary victim; the compromised systems used to launch the attack are secondary victims. These compromised systems, which send the DDoS to the primary victim, are sometimes called zombies or BOTs. They’re usually compromised through another attack and then used to launch an attack on the primary victim at a certain time or under certain conditions. It can be difficult to track the source of the attacks because they originate from several IP addresses.
Normally, DDoS consists of three parts:
·        Master/handler
·        Slave/secondary victim/zombie/agent/BOT/BOTNET
·        Victim/primary victim

The master is the attack launcher. A slave is a host that is compromised by and controlled by the master. The victim is the target system. The master directs the slaves to launch the attack on the victim system.



Reference:

WORKING OF BOTS/BOTNETS:
         
          A BOT is short for web robot and is an automated software program that behaves intelligently. Spammers often use BOTs to automate the posting of spam messages on newsgroups or the sending of emails. BOTs can also be used as remote attack tools. Most often, BOTs are web software agents that interface with web pages. For example, web crawlers (spiders) are web robots that gather web page information.

The most dangerous BOTs are those that covertly install themselves on users’ computers for malicious purposes. Some BOTs communicate with other users of Internet-based services via instant messaging, Internet Relay Chat (IRC), or another web interface. These BOTs allow IRQ users to ask questions in plain English and then formulate a proper response. Such BOTs can often handle many tasks, including reporting weather; providing zip code information; listing sports scores; converting units of measure, such as currency; and so on.

A BOTNET is a group of BOT systems. BOTNETs serve various purposes, including DDoS attacks; creation or misuse of Simple Mail Transfer Protocol (SMTP) mail relays for spam; Internet marketing fraud; and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. Generally a BOTNET refers to a group of compromised systems running a BOT for the purpose of launching a coordinated DDoS attack.

SMURF ATTACK:
          A smurf attack sends a large amount of ICMP Echo (ping) traffic to a broadcast IP address with the spoofed source address of a victim. Each secondary victim’s host on that IP network replies to the ICMP Echo request with an Echo reply, multiplying the traffic by the number of hosts responding. On a multi access broadcast network, hundreds of machines might reply to each packet. This creates a magnified DoS attack of ping replies, flooding the primary victim. IRC servers are the primary victim of smurf attacks on the Internet.
A SYN flood attack sends TCP connection requests faster than a machine can process them. The attacker creates a random source address for each packet and sets the SYN flag to request a new connection to the server from the spoofed IP address. The victim responds to the spoofed IP address and then waits for the TCP confirmation that never arrives. Consequently, the victim’s connection table fills up waiting for replies; after the table is full, all new connections are ignored. Legitimate users are ignored as well and can’t access the server. A SYN flood attack can be detected through the use of the netstat command. An example of the netstat output from a system under a SYN flood.

Here are some of the methods used to prevent SYN flood attacks:

SYN Cookies SYN cookies ensure the server does not allocate system resources until a successful three-way handshake has been completed.

RST Cookies Essentially the server responds to the client SYN frame with an incorrect SYN ACK. The client should then generate an RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally.

Micro Blocks Micro blocks prevent SYN floods by allocating only a small space in memory for the connection record. In some cases, this memory allocation is as small as 16 bytes.

Stack Tweaking This method involves changing the TCP/IP stack to prevent SYN floods. Techniques of stack tweaking include selectively dropping incoming connections or reducing the timeout when the stack will free up the memory allocated for a connection.
DoS/DDoS Countermeasures

There are several ways to detect, halt, or prevent DoS attacks. The following are common security features:

Network-Ingress Filtering All network access providers should implement network ingress filtering to stop any downstream networks from injecting packets with faked or spoofed addresses into the Internet. Although this doesn’t stop an attack from occurring, it does make it much easier to track down the source of the attack and terminate the attack quickly. Most IDS, firewalls, and routers provide network-ingress filtering capabilities.

Rate-Limiting Network Traffic A number of routers on the market today have features that let you limit the amount of bandwidth some types of traffic can consume. This is sometimes referred to as traffic shaping.

Intrusion Detection Systems Use an intrusion detection system (IDS) to detect attackers who are communicating with slave, master, or agent machines. Doing so lets you know whether a machine in your network is being used to launch a known attack but probably won’t detect new variations of these attacks or the tools that implement them. Most IDS vendors have signatures to detect Trinoo, TFN, or Stacheldraht network traffic.

Automated Network-Tracing Tools Tracing streams of packets with spoofed addresses through the network is a time-consuming task that requires the cooperation of all networks carrying the traffic and that must be completed while the attack is in progress.

Host-Auditing and Network-Auditing Tools File-scanning tools are available that attempt to detect the existence of known DDoS tool client and server binaries in a system. Network scanning tools attempt to detect the presence of DDoS agents running on hosts on your network.

SOCIAL ENGINEERING ATTACKS:
Social engineering includes the acquisition of sensitive information or inappropriate access privileges by an outsider, based on the building of inappropriate trust relationships. The goal of a social engineer is to trick someone into providing valuable information or access to that information.

Social engineering preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people, and the fear of getting in trouble. Hackers who are able to blend in and appear to be a part of the organization are the most successful at social-engineering attacks. This ability to blend in is commonly referred to as the art of manipulation.

People are usually the weakest link in the security chain. A successful defense depends on having good policies in place and teaching employees to follow the policies. Social engineering is the hardest form of attack to defend against because a company can’t protect itself with hardware or software alone.

Types of Social Engineering-Attacks

Social engineering can be broken into two common types:

Human-Based Human-based social engineering refers to person-to-person interaction to retrieve the desired information. An example is calling the help desk and trying to find out a password.

Computer-Based Computer-based social engineering refers to having computer software that attempts to retrieve the desired information. An example is sending a user an email and asking them to reenter a password in a web page to confirm it. This social-engineering attack is also known as phishing.

We’ll look at each of these more closely in the following sections.

Human-Based Social Engineering
Human-based social engineering techniques can be broadly categorized as follows:

Impersonating an Employee or Valid User In this type of social-engineering attack, the hacker pretends to be an employee or valid user on the system. A hacker can gain physical access by pretending to be a janitor, employee, or contractor. Once inside the facility, the hacker gathers information from trashcans, desktops, or computer systems.

Posing as an Important User In this type of attack, the hacker pretends to be an important user such as an executive or high-level manager who needs immediate assistance to gain access to a computer system or files. The hacker uses intimidation so that a lower-level employee such as a help desk worker will assist them in gaining access to the system. Most low-level employees won’t question someone who appears to be in a position of authority.
Using a Third Person Using the third-person approach, a hacker pretends to have permission from an authorized source to use a system. This attack is especially effective if the supposed authorized source is on vacation or can’t be contacted for verification.

Calling Technical Support Calling tech support for assistance is a classic social-engineering technique. Help desk and technical support personnel are trained to help users, which makes them good prey for social-engineering attacks.

Shoulder Surfing Shoulder surfing is a technique of gathering passwords by watching over a person’s shoulder while they log in to the system. A hacker can watch a valid user log in and then use that password to gain access to the system.

Dumpster Diving Dumpster diving involves looking in the trash for information written on pieces of paper or computer printouts. The hacker can often find passwords, filenames, or other pieces of confidential information.
A more advanced method of gaining illicit information is known as reverse social engineering.

Using this technique, a hacker creates a persona that appears to be in a position of authority so that employees ask the hacker for information, rather than the other way around. For example, a hacker can impersonate a help desk employee and get the user to give them information such as a password.

The facilitator of a live Computer Security Institute demonstration showed the vulnerability of help desks when he dialed up a phone company, got transferred around, and reached the help desk. “Who’s the supervisor on duty tonight?” “Oh, it’s Betty.” “Let me talk to Betty.” [He’s transferred.] “Hi Betty, having a bad day?” “No, why?” “Your systems are down.” Betty said, “My systems aren’t down, we’re running fine.” He said, “You better sign off.” She signed off. He said, “Now sign on again.” She signed on again. He said, “We didn’t even show a blip, we show no change.” He said, “Sign off again.” She did. “Betty, I’m going to have to sign on as you here to figure out what’s happening with your ID. Let me have your user ID and password.”

So this senior supervisor at the help desk tells him her user ID and password. In a few minutes a hacker is able to get information that might have taken him days to get by capturing traffic and cracking the password. It is much easier to gain information by social engineering than by technical methods.

Computer-Based Social Engineering
Computer-based social-engineering attacks can include the following:
·        Email attachments
·        Fake websites
·        Pop-up windows

Insider Attacks
If a hacker can’t find any other way to hack an organization, the next best option is to infiltrate the organization by getting hired as an employee or finding a disgruntled employee to assist in the attack. Insider attacks can be powerful because employees have physical access and are able to move freely about the organization. An example might be someone posing as a delivery person by wearing a uniform and gaining access to a delivery room or loading dock. Another possibility is someone posing as a member of the cleaning crew who has access to the inside of the building and is usually able to move about the offices. As a last resort, a hacker might bribe or otherwise coerce an employee to participate in the attack by providing information such as passwords.

Identity Theft
A hacker can pose as an employee or steal the employee’s identity to perpetrate an attack. Information gathered in dumpster diving or shoulder surfing in combination with creating fake ID badges can gain the hacker entry into an organization. Creating a persona that can enter the building unchallenged is the goal of identity theft.

Phishing Attacks
Phishing involves sending an email, usually posing as a bank, credit card Company, or other financial organization. The email requests that the recipient confirm banking information or reset passwords or PINs. The user clicks the link in the email and is redirected to a fake website. The hacker is then able to capture this information and use it for financial gain or to perpetrate other attacks. Emails that claim the senders have a great amount of money but need your help getting it out of the country are examples of phishing attacks. These attacks prey on the common person and are aimed at getting them to provide bank account access codes or other confidential information to the hacker.

Online Scams
Some websites that make free offers or other special deals can lure a victim to enter a username and password that may be the same as those they use to access their work system.
The hacker can use this valid username and password once the user enters the information in the website form. Mail attachments can be used to send malicious code to a victim’s system, which could automatically execute something like a software keylogger to capture passwords. Viruses, Trojans, and worms can be included in cleverly crafted emails to entice a victim to open the attachment. Mail attachments are considered a computer-based social-engineering attack. Here is an example of an email that which tries to convince the receiver to open an unsafe attachment:

URL Obfuscation
The URL (uniform resource locator) is commonly used in the address bar of a web browser to access a particular website. In lay terms, it is the website address. URL obfuscation consists of hiding a fake URL in what appear to be a legitimate website address. For example, a website of 204.13.144.2/Citibank may appear to be a legitimate web address for Citibank but in fact is not. URL obfuscation is used in phishing attacks and some online scams to make the scam seem more legitimate. A website address may be seen as an actual financial institution name or logo, but the link leads to a fake website or IP address. When users click the link, they’re redirected to the hacker’s site.

Addresses can be obfuscated in malicious links by the use of hexadecimal or decimal notations. For example, the address 192.168.10.5 looks like 3232238085 as a decimal. The same address looks like C0A80A05 in IP hex. This conversion requires that you divide 3232238085 by 16 multiple times. Each time the remainder reveals the address, starting from the least significant value.

Here’s the explanation:

3232238085/16 = 202014880.3125 (.3125 × 16 = 5)
202014880/16 = 12625930.0 (.0 × 16 = 0)
12625930/16 = 789120.625 (.625 × 16 = 10 = A)
789120/16 = 49320.0 (.0 × 16 = 0)
49320.0/16 = 3082.5 (.5 × 16 = 8)
3082/16 = 192.625 (.625 × 16 = 10 = A)
192/16 = 12 = C