Friday, March 2, 2012

Authentication Hacking attack


Authentication plays a critical role in the security of web applications. When a user provides his login name and password to authenticate and prove his identity, the application assigns the user specific privileges to the system, based on the identity established by the supplied credentials.
HTTP can embed several different types of authentication protocols. These include
  • Basic - Cleartext username/password, Base64-encoded (trivially decoded).
  • Digest - Like Basic, but the password is sent as a hash rather than in the clear.
  • Form-based - A custom form is used to input the username/password (or other credentials), which are processed by custom logic on the backend.
  • NTLM - Microsoft's proprietary authentication protocol, implemented within HTTP request/response headers.
  • Negotiate - A newer protocol from Microsoft that allows any of the authentication types above to be dynamically agreed upon by the client and server. It also adds Kerberos for clients using Microsoft's IE v5+.
  • Client-side certificates - Although rarely used, SSL/TLS provides an option that checks the authenticity of a digital certificate presented by the web client, essentially making it an authentication token.
  • Microsoft Passport - A single-sign-in (SSI) service run by Microsoft Corporation that allows web sites (called "Passport Partners") to authenticate users based on their membership in the Passport service. The mechanism uses a key shared between Microsoft and the Partner site to create a cookie that uniquely identifies the user.
These authentication protocols operate directly over HTTP (or SSL/TLS), with the credentials embedded in the request/response traffic.
This kind of attack does not exploit a technological security hole in the operating system or server software. Its success depends instead on how securely the passwords are stored and how complex they are, and on how easily the attacker can reach the server (network security).
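As an added illustration (not code from the original post), a small audit routine that classifies the Authorization header of captured requests into the schemes listed above and rates the exposure of each. The request records are constructed, and the severity labels are this example's own assumptions.

```python
import base64
import binascii

# Constructed captured requests (not from the original post): the transport scheme plus
# the Authorization header exactly as the client sent it.
SAMPLE_REQUESTS = [
    {"scheme": "http",  "headers": {"Authorization": "Basic YWxpY2U6czNjcjN0"}},
    {"scheme": "https", "headers": {"Authorization": "Basic YWxpY2U6czNjcjN0"}},
    {"scheme": "http",  "headers": {"Authorization": 'Digest username="alice", realm="app", '
                                                     'nonce="c0ffee", response="0123abcd"'}},
    {"scheme": "http",  "headers": {"Authorization": "NTLM TlRMTVNTUAABAAAA"}},
    {"scheme": "https", "headers": {}},
]

def classify_auth(request):
    """Return (scheme, finding) for one request; the severities are this example's own."""
    value = request["headers"].get("Authorization", "")
    transport = request["scheme"]
    if not value:
        return ("none", "NONE: no Authorization header")
    scheme, _, param = value.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Base64 is an encoding, not encryption: whoever sees the header sees the password.
        try:
            user = base64.b64decode(param, validate=True).split(b":", 1)[0].decode()
        except (binascii.Error, UnicodeDecodeError):
            user = "<undecodable>"
        if transport != "https":
            return ("basic", f"HIGH: cleartext-equivalent credentials for '{user}' over plain HTTP")
        return ("basic", f"MEDIUM: Basic auth for '{user}' is protected only by TLS")
    if scheme == "digest":
        return ("digest", "LOW: password not sent in the clear, but a captured digest is still exposed to offline guessing")
    if scheme in ("ntlm", "negotiate"):
        return (scheme, "INFO: Windows integrated auth; still confine it to TLS")
    return (scheme, "INFO: unrecognised scheme, review manually")

def audit(requests):
    """Findings for a batch of requests, most severe first."""
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3, "NONE": 4}
    findings = [classify_auth(r) for r in requests]
    return sorted(findings, key=lambda f: rank.get(f[1].split(":")[0], 5))
```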

Friday, February 24, 2012

Distributed Scan


Distributed scan works by dividing the scanning scope among multiple attack platforms. In this case, each attack platform performs a normal scan of a small range of port numbers. Although this is not a true spoofing mechanism, it increases the effort the system administrator on the other side needs to trace back the attacker (e.g. there could be hundreds of originating IPs). Furthermore, those originating IPs could be compromised hosts of innocent people.

Advantages of Distributed Scan are:
• It minimizes the scan time since multiple scanning platforms are working in parallel.
• Tracing back the attacker is harder, since many originating IPs appear in the logs of the scanned network.

Disadvantages of Distributed Scan are:
• It requires that the attacker is controlling, in one way or another, all the scanning platforms.
• There is no real spoofing in this technique, since all the IP addresses appearing in the scanned network are truly the IPs of the scanning machines.

Thursday, February 23, 2012

Decoy Port Scan



    Decoy scan works by sending more than one packet per port. All of these packets carry spoofed source IPs except one packet, which carries the original scanner IP address. By doing so, the attacker guarantees at least one reply packet, namely the reply to the scan packet carrying the correct IP address. All other replies will not reach the scanning machine. This scan type is done using the (-D) switch of the nmap tool as follows:

# nmap -sS -P0 -D217.89.54.23,64.56.23.21,98.76.54.32 -p1-1024 10.10.10.10

Decoy port scan is done to make detection of the original scanner harder. The administrator of the scanned target cannot tell exactly which one of the used IPs is the real scanner's IP. However, if all IPs were investigated, the investigation could lead to the original scanning IP.

Advantages of Decoy scan are:
• Results are guaranteed. Since reply packets arrive at the scanning machine, the attacker can have true results of port status.
• Freedom of spoofing. Each spoofed IP used in the decoy is not bounded by any set of IPs.


Disadvantages of Decoy scan are:
• Detection is not impossible, though it is hard. Since all used IPs are logged in one way or another on the target system, heavy investigation could lead to the original attacker.
• Lots of traffic. Since for each scanned port there are many packets, this will increase the traffic flow.

Wednesday, February 22, 2012

Normal Spoofing Scan



    This is the simplest of all the techniques. All the attacker needs to do is spoof the source IP of the scanning machine to any other IP, without worrying about anything else. That spoofed IP is used for all scan packets. Also, the spoofed IP can be any valid IP address and does not have to be within the subnet IP range of the scanning machine.
    This normal spoofing can be done with the (-S) switch of the nmap tool:

# nmap -sS -S 217.64.121.34 -P0 -p 1-1024 64.23.16.21

However, this technique suffers from a major drawback: there will be no results, since all replies are forwarded to the spoofed IP. The scanning machine will never receive any of those replies. One reason an attacker might attempt this type of spoofing is to fool the scanned target into thinking that somebody else, probably a competitor, is scanning them. The attacker here is not concerned about the replies or about the port status of the target.

Advantages of this spoofing technique are:
• Freedom of spoofing. The attacker is not bounded by a specific range of IPs.
• No wasted or unneeded initiated packets. The attacker sends one TCP/UDP packet per port.
• No tracing of the original scanner. Detection of the scanning machine is impossible at the IP layer.

Disadvantages of this technique are:
• No replies. There will be no reply packets arriving at the scanning machine.
• No results. Since replies are not received, the attacker won’t know port status.
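Added detection logic, not from the original post, that serves both the decoy scan and the normal spoofing scan described above: it finds groups of sources that sent identical probe sequences to one target inside the same window (what the -D option produces) and lists per-source sweeps whose address must be treated as unverified (the -S case). The log format and the addresses not taken from the post are constructed.

```python
from collections import defaultdict
import re

# Constructed firewall log lines (not from the original post). Three sources probe the same
# ports in lock-step, as a decoy scan looks from the target; the last line is a lone probe.
LOG = """\
2012-02-23T10:00:01 SYN src=217.89.54.23 dst=10.10.10.10 dport=22
2012-02-23T10:00:01 SYN src=64.56.23.21 dst=10.10.10.10 dport=22
2012-02-23T10:00:01 SYN src=192.0.2.7 dst=10.10.10.10 dport=22
2012-02-23T10:00:02 SYN src=217.89.54.23 dst=10.10.10.10 dport=80
2012-02-23T10:00:02 SYN src=64.56.23.21 dst=10.10.10.10 dport=80
2012-02-23T10:00:02 SYN src=192.0.2.7 dst=10.10.10.10 dport=80
2012-02-23T10:05:00 SYN src=198.51.100.9 dst=10.10.10.10 dport=25
"""
LINE = re.compile(r"(\S+) SYN src=(\S+) dst=(\S+) dport=(\d+)")

def parse(log):
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            yield ts[:16], src, dst, int(dport)     # ts[:16] truncates to a one-minute window

def find_decoy_groups(log, min_ports=2):
    """Sources that sent the identical port sequence to one target in one window. With -D every
    listed address sends the same probes, so the real scanner is one member and not identifiable."""
    probes = defaultdict(lambda: defaultdict(list))   # (window, dst) -> src -> [ports in order]
    for window, src, dst, dport in parse(log):
        probes[(window, dst)][src].append(dport)
    groups = []
    for (window, dst), by_src in probes.items():
        by_sequence = defaultdict(list)
        for src, ports in by_src.items():
            if len(ports) >= min_ports:
                by_sequence[tuple(ports)].append(src)
        for seq, srcs in by_sequence.items():
            if len(srcs) > 1:
                groups.append({"window": window, "target": dst,
                               "ports": list(seq), "sources": sorted(srcs)})
    return groups

def port_sweeps(log, min_ports=2):
    """Ports probed per (source, target). A bare SYN never completes a handshake, so the target
    cannot verify the source: a sweep from one address may be an -S spoof, so treat it as a claim."""
    seen = defaultdict(set)
    for _, src, dst, dport in parse(log):
        seen[(src, dst)].add(dport)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}
```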

Tuesday, February 21, 2012

Dynamic Port Scanning


Dynamic Port Scanning is a new methodology that aims to dynamically spoof the source IP of the scanning machine. What is meant by "dynamic spoofing" is that each TCP or UDP scan packet has a randomly generated source IP address. However, that IP address must fall within the local subnet IP range of the scanning machine. The underlying implementation of this methodology depends entirely on integrating ARP poisoning/spoofing into the scanning process.
    ARP poisoning/spoofing has been in place since the creation of the TCP/IP protocols. It has been known and used for network traffic sniffing and interception in switched networks. However, this paper will show how ARP poisoning/spoofing can be used in conjunction with port scanning to achieve dynamic spoofing of the source IP of the scanning machine.
    In general, Dynamic Port Scanning [DPS] is implemented by ensuring that the ARP cache of the target host, or even of the default gateway, is poisoned with a fake IP/MAC entry that makes scan reply packets carry the MAC address of the scanning machine. Although the reply packet is destined to a fake IP address (i.e. the spoofed IP), placing the scanner's MAC address as the destination MAC address in the reply packet lets that packet arrive correctly at the scanning machine. The process of poisoning the remote ARP cache is done for each TCP/UDP scan packet that carries a spoofed IP address.
    This paper will discuss the process of Dynamic Port Scanning [DPS] in depth. First, the paper examines current methodologies used to spoof the source IP while scanning. Then it describes the new methodology along with the TCP scan types. Finally, a new open-source tool called Dynamic Port Scanner [DPS], which implements exactly the technique described in this paper, is outlined.
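As an added example (not part of the original post or of the DPS tool), a passive ARP-monitor check for the two traces the technique necessarily leaves on the local segment: one MAC answering for many in-subnet IPs, and an existing IP whose MAC changes. The observations, addresses and threshold are constructed; arpwatch performs this kind of monitoring in practice.

```python
from collections import defaultdict
import ipaddress

# Constructed ARP observations (not from the original post): (sender IP, sender MAC) pairs as a
# passive monitor on the segment would record them from ARP replies. The scanner's random
# in-subnet IPs all resolve to its own MAC, which is the property DPS depends on.
SUBNET = ipaddress.ip_network("192.168.1.0/24")
OBSERVED = [
    ("192.168.1.10",  "00:11:22:33:44:55"),   # legitimate host
    ("192.168.1.1",   "00:aa:bb:cc:dd:01"),   # gateway
    ("192.168.1.77",  "00:de:ad:be:ef:00"),   # scanning machine, spoofed IP #1
    ("192.168.1.138", "00:de:ad:be:ef:00"),   # spoofed IP #2
    ("192.168.1.201", "00:de:ad:be:ef:00"),   # spoofed IP #3
    ("192.168.1.10",  "00:de:ad:be:ef:00"),   # collides with the legitimate host's IP
]

def analyse_arp(observed, subnet, max_ips_per_mac=2):
    """Two indicators: one MAC claiming more than max_ips_per_mac subnet IPs (a few legitimate
    aliases are tolerated), and an IP seen with more than one MAC (a poisoned mapping)."""
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for ip, mac in observed:
        if ipaddress.ip_address(ip) in subnet:      # DPS spoofs only within the local subnet
            ips_by_mac[mac].add(ip)
            macs_by_ip[ip].add(mac)
    alerts = []
    for mac, ips in ips_by_mac.items():
        if len(ips) > max_ips_per_mac:
            alerts.append(("mac_claims_many_ips", mac, sorted(ips, key=ipaddress.ip_address)))
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            alerts.append(("ip_mac_changed", ip, sorted(macs)))
    return alerts
```

Static ARP entries for the gateway, or Dynamic ARP Inspection on the access switch, remove the poisoning step the technique relies on.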

Saturday, February 18, 2012

Malware Detection Techniques


Techniques used for malware detection are classified into two categories:
1) Anomaly based detection
Anomaly based detection uses knowledge of what is considered normal to find out what is actually malicious. A special type of anomaly based detection is specification based detection.
Specification based detection makes use of a rule set describing what is considered normal in order to decide the maliciousness of a program; a program that violates the predefined rule set is considered malicious.

2) Signature based detection
Commercial antivirus scanners look for a signature, typically a sequence of bytes within the malware code, to declare that the scanned program is malicious in nature.
Basically there are three types of malware: basic, polymorphic and metamorphic malware.
  a) Basic malware
In basic malware the program entry is changed so that control is transferred to the malicious payload.
Detection is relatively easy if a signature can be found for the viral code.
                                Entry ---------> Original code ---------> Malicious code


  b) Polymorphic malware
Polymorphic viruses mutate while keeping the original code intact. A polymorphic malware consists of encrypted malicious code along with a decryption module. To enable the mutation, the virus has a polymorphic engine somewhere in its body; the engine generates a new mutant each time it is executed. Strong static analysis based on API sequencing is used for polymorphic virus detection.

          Entry --------> Original code --------> Decrypt code --------> Virus code


  c) Metamorphic malware
This malware can reprogram itself using certain obfuscation techniques so that the children never look like the parents. Such malware evades detection by the malware detector since each new variant generated has a different signature, and it is impossible to store the signatures of all variants of the same malware sample. In order to thwart detection, a metamorphic engine has to be implemented with some sort of disassembler to parse the input code. After disassembly, the engine transforms the program code and produces new code that retains its functionality but still looks different from the original code.

                   Virus A          Form B          Form C          Form D
                      |                |                |               |
                     (S1)             (S2)             (S3)            (S4)
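An added toy model, not from the original post, of why a byte signature fails against polymorphic variants while the API-sequence check mentioned above still matches. The payload bytes, the per-variant keys and the API trace are constructed stand-ins, and the one-byte XOR stands in for the encryption and decryption module.

```python
# Constructed toy payload (not real malware, not from the original post). Its first two bytes
# repeat and no other adjacent bytes do, which guarantees that no one-byte XOR of it can
# reproduce the signature at another offset.
PAYLOAD = bytes.fromhex("ebeb5f8b2c4d6e7f19a3b5c7d9e2f4061827394a5b6c7d8e9fa0b1c2d3e4")
SIGNATURE = PAYLOAD[:8]                      # the byte-sequence signature a scanner would store
# Constructed API-call trace the payload is modelled as producing when it runs.
PAYLOAD_API_TRACE = ["CreateFile", "WriteFile", "SetFileAttributes", "CreateProcess"]
KNOWN_API_SEQUENCES = {"toy-dropper": ("CreateFile", "WriteFile", "CreateProcess")}

def polymorphic_variant(payload, key):
    """Model of a mutant: the body is XOR-'encrypted' with a per-variant key and the
    decryption module is reduced to that key stored in the first byte."""
    return bytes([key]) + bytes(b ^ key for b in payload)

def decrypt(variant):
    """What the decryption module does at run time: recover the unchanged original code."""
    key = variant[0]
    return bytes(b ^ key for b in variant[1:])

def signature_scan(sample, signature=SIGNATURE):
    return signature in sample

def api_sequence_scan(api_trace, known=KNOWN_API_SEQUENCES):
    """Match each known sequence as an ordered subsequence of the trace, so that calls
    inserted between the meaningful ones do not break the match."""
    hits = []
    for name, pattern in known.items():
        it = iter(api_trace)
        if all(any(call == wanted for call in it) for wanted in pattern):
            hits.append(name)
    return hits

def demo(keys=(0x5A, 0x3C, 0x91, 0xF0, 0x07)):
    variants = [polymorphic_variant(PAYLOAD, k) for k in keys]
    return {
        "signature_hits_on_original": signature_scan(PAYLOAD),
        "signature_hits_on_variants": sum(signature_scan(v) for v in variants),
        "all_variants_decrypt_to_original": all(decrypt(v) == PAYLOAD for v in variants),
        "api_sequence_hits": api_sequence_scan(PAYLOAD_API_TRACE),
    }
```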

Friday, February 17, 2012

Worm

Viruses are far from the only maverick programs that can disrupt a computer system. Worms are constructed to infiltrate legitimate data processing programs and alter or destroy the data. Often what people believe is a virus infection is, in fact, a worm program. This is not as serious because worms do not replicate themselves. But the damage caused by a worm attack can be just as serious as a virus, especially if not discovered in time. For example, suppose a worm program instructs a bank's computer to transfer funds to an illicit account. The fund transfers may continue even after the worm is destroyed. However, once the worm invasion is discovered, recovery is much easier because there is only a single copy of the worm program to destroy, since the replicating ability of the virus is absent. A worm is similar to a benign tumor while a virus is like a malignant one.