Category Archives: (B) Basics

How to Get Started in Information Security

I’ve seen a lot of people lately asking how to get started in the Information Security industry. I think there are a lot of misconceptions about what you need, like expertise with tools, certifications, experience in a role, etc. Those help, but I don’t think that’s the number one thing that gets you into the industry. I think the biggest things are curiosity and dedication. Those two things will ensure that the rest follows. And if you don’t have those drives for an Infosec career then you haven’t found what you want to be doing for the rest of your life, so keep looking.

But there’s more to it that you’ll pick up along the way. Rather than tell you what I think you should do I’ll tell you how I got into the industry then try to distill the lessons and skillsets that I think have been most important for me. The story will hopefully tell you why I think the skillsets are important so you can understand for yourself what’s the best path for you.

I started out working break-fix PC support. Someone would call the help desk and if they couldn’t work it out over the phone I’d go out and fix it. I got good at malware cases – spyware, popups, network worms, etc. because I was curious about how to get rid of the malware, not just reimage the system. That doesn’t always cure the issue, as I learned, but it was typically quicker to fix and less work on my part because I didn’t have to copy the data, reinstall software, etc. On larger-scale malware incidents I was on the front lines to help. And whatever I learned I wrote up for others so they didn’t have to learn the same thing.

I also made sure to take care of the whole problem before leaving. Again, mainly because I was trying to be more efficient (some might say lazy). If I didn’t I’d have to come back out to solve the original problem. And that often meant walking through some basic awareness information so that the system didn’t become reinfected. I wasn’t great at that, but the people appreciated it. It was this bedside manner that meant I was assigned to the higher profile cases with the folks who were more important in the organization.

When a security role opened up I applied for it. I researched for the interview and conversations, looked over what I’d been working on most and how I’d solved those problems. Then all of the questions were about appsec rather than anything I’d been doing. Oops. I guess I still did OK because I got an offer. It was lower than I knew it should be so I asked for industry average. I didn’t get it, but I did get about 5% more than the original offer.

I started reading all the blogs and magazine articles I could, in between doing security things. I figured I’d start writing too. I started my own blog to pass on lessons learned in plain English (go back to the early days of Beau’s Cybersecurity Blog and see how raw that stuff was). And comment on other people’s blogs and stories. People started to notice and comment back, email me, etc. and that encouraged me and kept up my momentum.

When I told my boss I was hitting the ceiling she said she understood and was glad – it meant I was growing and thriving. There wasn’t room for me to move up so I let her know I was going to start looking at other organizations. She said that was a good idea – it’s always easier to turn down an offer than to get one in the first place.

So I took stock – what was my passion, how could I best monetize my skills and why was I doing this? My passion was helping people fix problems. My most in-demand skillset was my communications and problem solving skillset, as well as my familiarity (not expertise) with security tools. My why (this is always the most important one) was so I could travel the world and work from anywhere, which meant I needed to improve my network connections and ability to make them more than anything.

So I began a low-intensity search – I still had a job so I could afford to wait for the right opportunity. Trawling job boards, Craigslist, companies I wanted to work for, asked friends, etc. Within a month I found one that looked perfect. I reached out, looked around and found who the hiring company was and applied directly too. Just like the last time I did lots of research and preparation and built a dossier on all the people I’d be talking with, as well as their execs in case I met one of them. All of that came in handy and they hired me. (They also found my blog and liked what I was writing about so that helped too.)

Repeat that process a few more times and here I am.

Below are a couple of lists. The first is traits I found inside myself when I found the right outlet – the area I felt I belonged and was passionate about. The second is the skillsets I worked to improve along the way. Both lists are in the order that I feel was most important. You’ll see that there aren’t any specific tools listed – that’s because I don’t think a large investment of time in those really helps. But familiarity and some experience playing with the top tools in what you want to do certainly does. If you’re just going for an entry-level job then that’s all they’ll be expecting.

Traits

  • Curiosity
  • Desire to get better
  • Self-exploration
  • Humility
  • Ambition

Skillsets I worked hard at improving

  • Communication (quantity and quality)
  • My value and place I fit best
  • Root-cause analysis
  • Patience
  • Perspective
  • Some technical tools

Next Generation Firewall or NGFW

Next Generation Firewall or NGFW is an integrated network platform that combines a traditional firewall with other security system functionalities like an application firewall, Intrusion Prevention System or IPS, SSL/SSH interception, QoS/bandwidth management, malware inspection etc. An NGFW includes the typical functionalities of a traditional firewall, yet it is much more powerful than a traditional firewall in detecting and preventing attacks and enforcing security.

Traditional Firewall and how it works

A traditional firewall monitors the incoming and outgoing network packets of a system and prevents unauthorized access according to pre-configured rules.
A traditional firewall filters traffic mainly on the following parameters:
  • Source and destination IP address of the network packets.
  • Source and destination port of the inbound and outbound traffic.
  • Current state of the connection.
  • Per-process filtering rules.
  • Protocols used.
  • Routing features.
So, though a traditional firewall is good at enforcing security, it is not sufficient on its own. One has to rely on other security solutions like an IPS, anti-malware products, content filtering packages etc. to ensure proper security.
The disadvantage of using different network security technologies separately is that it increases administrative cost and degrades network performance. An NGFW combines multiple network security technologies to provide a better security mechanism while taking care of most of the disadvantages of using separate security solutions at the same time.

Next Generation Firewalls

An NGFW typically includes:
  • Intrusion Prevention System
  • Malware protection
  • Filtering of traffic per application
  • QoS or Quality of Service to guarantee network throughput
  • VPN
  • SSL/SSH interception
An NGFW uses Deep Packet Inspection or DPI, with which it can examine the data part of network packets and search for protocol non-compliance, viruses, spam, intrusions and other statistical information in order to filter the traffic and enforce security in a better way.
An NGFW can monitor and filter traffic per application instead of per port, which enables it to troubleshoot network problems in a better way. It can also associate network traffic with a specific user or group of users, which helps in enforcing better acceptable-use policies.
An NGFW can intercept encrypted SSL and SSH traffic to look for any malicious traffic concealed in it. This enables it to detect advanced threats and attacks.
And, as an NGFW integrates multiple security technologies in an efficient manner, it improves network performance over using different security technologies separately.

Advantages of Next Generation Firewalls

An NGFW has a number of advantages over traditional firewalls. Some of the most important ones are listed below:

Lower Administrative Cost

In an NGFW, all the above mentioned security technologies are installed and configured as a unit. As a result, it reduces administrative cost significantly.

Easier to identify threats

An NGFW monitors the network traffic and reports all the events through a single reporting system, which is much more convenient than using different security technologies separately.

Inspection of SSL/SSH traffic

Malware can be concealed in an encrypted SSL/SSH communication. For example, botnets and Advanced Persistent Threats often create SSL tunnels and exchange communication with the attackers. But, traditional firewalls cannot decrypt SSL/SSH traffic. As a result, attackers can take advantage of that to mount attacks.
An NGFW can decrypt and inspect SSL/SSH traffic using Deep Packet Inspection and filter network traffic based upon that.

Filtering based on application

Traditional firewalls can filter traffic only by port, which may prove to be inconvenient at times.
An NGFW can identify traffic by application, which enables it to block or monitor network traffic per application and troubleshoot problems on that basis.

Identifying network traffic by users

Traditional firewalls cannot associate network traffic with users easily. One has to laboriously look through the log files for that purpose.
But, as an NGFW can easily associate network traffic with specific users, it helps in enforcing better acceptable-use policies.
For example, in a company the marketing and Human Resources groups may need to access some social networking sites, but others need not. Using an NGFW one can easily set a proper acceptable-use policy for that purpose.
Similarly, a company may allow its employees to access some social networking sites to make posts or comments, but may not allow them to play games. Using an NGFW the company can set the required policies easily.
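As an added example (not part of the original post), the following Python sketch contrasts the two models described above: a port-based rule that sees only "port 443" beside a simplified NGFW that identifies the application from the payload (the SNI of a TLS ClientHello or an HTTP Host header, a small case of Deep Packet Inspection) and then applies per-user-group acceptable-use rules such as the marketing/games policy just mentioned. The host-to-application table, the users and groups, the rules and the sample packets are all constructed for the illustration.

```python
import struct
from dataclasses import dataclass

@dataclass
class Packet:
    src_user: str   # user the NGFW has associated with the flow (e.g. from a directory login event)
    dst_port: int
    payload: bytes  # first bytes the client sent in the flow

def tls_sni(payload: bytes):
    """Return the SNI hostname from a TLS ClientHello, or None if the payload is not one.
    Only the fields needed to reach the server_name extension are parsed."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:        # handshake record carrying a ClientHello
            return None
        p = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                                 # session id
        p += 2 + struct.unpack('!H', payload[p:p + 2])[0]   # cipher suites
        p += 1 + payload[p]                                 # compression methods
        end = p + 2 + struct.unpack('!H', payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack('!HH', payload[p:p + 4])
            p += 4
            if etype == 0:                                  # server_name: list len(2), type(1), len(2), name
                name_len = struct.unpack('!H', payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode('ascii').lower()
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def http_host(payload: bytes):
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    lines = payload.split(b'\r\n\r\n', 1)[0].split(b'\r\n')
    if len(lines[0].split(b' ')) != 3 or not lines[0].endswith((b'HTTP/1.0', b'HTTP/1.1')):
        return None
    for line in lines[1:]:
        key, _, value = line.partition(b':')
        if key.strip().lower() == b'host':
            return value.strip().decode('ascii', 'replace').lower()
    return None

# Constructed application signatures (hostname -> application) and directory data.
APP_BY_HOST = {
    'social.example': 'social-networking',
    'games.social.example': 'online-games',
    'intranet.example': 'intranet',
}
USER_GROUP = {'alice': 'marketing', 'bob': 'engineering'}

# Application- and user-aware rules, first match wins: (group or '*', application, action).
NGFW_RULES = [
    ('*', 'online-games', 'deny'),                 # nobody plays games, whatever port they run on
    ('marketing', 'social-networking', 'allow'),   # marketing needs the social sites
    ('*', 'social-networking', 'deny'),            # everyone else does not
    ('*', 'intranet', 'allow'),
    ('*', 'other-web', 'allow'),                   # web traffic that matches no known application
]

def identify_app(pkt: Packet):
    """Classify by inspecting the payload (simplified DPI); the port is deliberately ignored."""
    host = tls_sni(pkt.payload) or http_host(pkt.payload)
    if host is None:
        return 'unknown', None
    return APP_BY_HOST.get(host, 'other-web'), host

def port_based_decision(pkt: Packet) -> str:
    """What a traditional port-based rule set does: allow the web ports, deny the rest."""
    return 'allow' if pkt.dst_port in (80, 443) else 'deny'

def ngfw_decision(pkt: Packet) -> str:
    """Application- and user-aware decision; traffic that cannot be identified is denied."""
    app, _ = identify_app(pkt)
    group = USER_GROUP.get(pkt.src_user, 'unknown')
    for rule_group, rule_app, action in NGFW_RULES:
        if rule_group in ('*', group) and rule_app == app:
            return action
    return 'deny'

def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input only)."""
    name = host.encode()
    sni_list = struct.pack('!HBH', len(name) + 3, 0, len(name)) + name
    ext = struct.pack('!HH', 0, len(sni_list)) + sni_list
    body = (b'\x03\x03' + b'\x00' * 32 + b'\x00'           # version, random, empty session id
            + struct.pack('!H', 2) + b'\x13\x01'            # one cipher suite
            + b'\x01\x00'                                   # compression: null only
            + struct.pack('!H', len(ext)) + ext)
    handshake = b'\x01' + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + struct.pack('!H', len(handshake)) + handshake

if __name__ == '__main__':
    for pkt in (Packet('alice', 443, build_client_hello('games.social.example')),
                Packet('bob', 8080, b'GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n')):
        print(pkt.src_user, pkt.dst_port, identify_app(pkt)[0],
              'port-based:', port_based_decision(pkt), 'ngfw:', ngfw_decision(pkt))
```

The games flow on port 443 is allowed by the port rule but denied by the application rule, while the intranet request on port 8080 is denied by port yet allowed once the application is recognised.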

Improved Network Performance

Using different network security technologies separately often causes degradation of network performance. Administrators often need to respond to that by disabling monitoring of certain ports, disabling some firewall rules or limiting Deep Packet Inspection, which compromises network security.
But, as an NGFW integrates multiple network technologies together efficiently, it improves network throughput without having to trade off security for performance.
So, be informed about various security technologies so that you can protect your systems in a better way. And, stay safe, stay protected.

13 More Hacking Sites to (Legally) Practice Your InfoSec Skills

There’s a well-known saying that before you judge someone you should always “walk a mile in the other person’s shoes.” You can’t get the full picture behind a person without first living like they do and understanding what goes on in their heads.

In organizations around the world, there’s a big push to be more “security aware,” and it’s an important part of our jobs. We’re defenders, and we have a big job to do in making sure our applications and systems are secure from any threat that might come at us. But there’s another side to being good at defending your applications and systems. Those dealing with security also need to “walk a mile in the other person’s shoes” – but in our case, it’s about understanding the attacker’s side not so we can empathize, but so we can minimize the risks posed by and to our applications.

Why do we need to learn how to hack apps? Because as builders and defenders, we see our code in totally different ways than hackers see it. Without practicing our hacking skills, we’re playing a one-sided game by only playing defense against attackers. It’s important to act like attackers on your own systems. To attack both your public and private web apps from the viewpoint of hackers. To practice infiltrating apps through SQLi, XSS, CSRF, and other methods of cyber attack hackers continue to use, year after year. You can’t know the real threats your apps are under until you’ve attacked them yourself.

And with that, we give you another list of the best hacking sites and downloadable projects available on the web where you can legally practice your hacking skills. Some offer tutorials or walk-throughs to help you if you get stuck, others are more DIY in style. All these sites offer something for us defenders and builders about what the attacker mindset looks at when trying to hack your app. Have fun!

“The unfortunate reality of the web today is that you’re going to get hacked,” writes Hack Yourself First’s creator, Troy Hunt (@TroyHunt). And it’s with that inevitability that Troy set out to create a site dedicated to teaching what to look out for when it comes to security vulnerabilities and helping minimize their impacts on web apps.

The site is aimed towards developers but is suitable for anyone looking to gain some attack techniques – purely for positive purposes, of course. With 50 vulnerabilities to hunt for, you could get lost trying to exploit them all – but that’s all the fun.

The site goes along with Troy’s “Hack Yourself First: How to go on the Cyber-Offense” course offered on Pluralsight, offering detailed walk-throughs of exploiting various vulnerabilities, from XSS to cookies to cross-site attacks, but is also available to the general public.

Juice Shop

This intentionally insecure JavaScript Web Application was created by Björn Kimminich (@bkimminich) and is great for anyone coding or testing JavaScript who doesn’t understand all its security issues to watch out for. With both local and containerized environments available, Juice Shop is perfect for a fun challenge to offer in your organization.

Juice Shop is available to play and download here; flip through Björn’s SlideShare on the app to get an overview of what the app is and how it was made.

This platform is innovative, as it not only hosts vulnerable apps but also allows others to contribute their own vulnerable apps. Powered by eLearnSecurity, Hack.me “aims to be the largest collection of ‘runnable’ vulnerable web applications, code samples and CMS’s online.”

Check out Hack.me here.

This OWASP open-source project offers ten realistic scenarios full of known vulnerabilities (especially, of course, the OWASP Top Ten) for those trying to practice their attack skills. Hackademic is great for educational purposes in classrooms and in the workplace, and developers are encouraged to contribute new scenarios and vulnerabilities.

Download Hackademic here.

Hack This Site is more than just a website; it’s a platform for education and a community for security enthusiasts. Hack This Site is a great stopping point for security professionals and developers alike, as it offers varying levels and topics to delve into as you practice hacking.

Whether you want to try a wargame based on mobile app vulnerabilities, JavaScript issues, or test your forensic skills, Hack This Site has you covered. In addition, the site streams news, and offers lectures, videos, and more – and accepts submissions, if you’re interested in writing something or submitting a lecture you’ve given.

Access Hack This Site here and read more about it here.

As “one of the oldest challenge sites still around,” you can rest assured that Try2Hack is an oldie but a goodie. The game runs on levels, and there’s no skipping ahead to advanced levels, so more experienced hackers can get a nice ego boost or refresher course in the beginner levels. For newbies, there is an active IRC channel where you can ask for help from others or just chat, and a GitHub repo for walkthroughs if you don’t get help in the forum.

Try your hand at Try2Hack here.

A multiplayer hacking simulation game, SlaveHack allows players to play either defense or offense, with scenarios for both. The goal of the game is to manage your software and hardware and make the computers you hack or defend your ‘slaves’ – hence the name. SlaveHack doesn’t actually require hacking skills, but we included it because it can help security people to see their systems as malicious hackers would see them, hopefully offering a glimpse into real-world ways to secure your systems and applications. The SlaveHack forum helps players connect with each other and is available when you get stuck.

Check out SlaveHack here.

Deemed ‘the Hacker’s Playground,’ HackThis!! offers various levels and areas of study when practicing your hacking skills. Similar to Hack This Site, HackThis!! is also a good place to go for security-related news, presentations and to connect with like-minded folk in their forum.

For newbies, sites like HackThis!! are especially helpful for quickly getting up to speed on hacking techniques, major vulnerabilities, and the scope of the security industry. But with over 50 levels (and new ones added on a regular basis), the site offers something for everyone. HackThis!! even holds CTF competitions every once in a while, so that’s something to keep your eye out for if virtual CTFs are your thing!

Hack This is available online and is also downloadable for local machines here.

This web app hacking game, created by @albinowax, has a focus on “realism and difficulty,” and offers a few levels as an online version and more advanced levels as a downloadable full version. Players even get to play the Blackhat hacker scenario, “hired to track down another hacker by any means possible.”

Check out the demo version with beginner levels and the downloadable advanced version here.

Peruggia is yet another legal project dedicated to helping teach developers and security professionals more about common attacks aimed at web apps. Created as an image gallery, the downloadable project contains lots of different types of vulnerabilities, all primed to teach developers, security newbies, and anyone else interested in learning how to find and mitigate security issues in their code.

Download Peruggia here.

Designed for both pentesting tool testing as well as learning manual code review and how to look out for exploitable vulnerabilities, this web app was created by Simon Bennetts (@psiinon). Full of OWASP Top 10 vulnerabilities like XSS, SQL injection, CSRF, Insecure Object References and more, the project also offers various hacking challenges for those trying to make a game out of it for themselves.

Various challenges to complete in BodgeIt

Start finding security bugs in the BodgeIt Store here. In addition, the InfoSec Institute offers a few tutorials on how to set up and manually test the vulnerable web app for the hacking challenges.

Offered by Bonsai Security, Moth is “a VMware image with a set of vulnerable Web Applications and scripts.” The team designed it as a way to test AppSec tools, but it’s also a great way to practice your exploit skills and see which vulnerabilities you can pick apart.

Check out more about Moth here.

Last but certainly not least, the EnigmaGroup offers another challenge site with a community forum built around it. Built for anyone looking to improve their security savvy, EnigmaGroup offers a wide array of vulnerabilities, starting with the OWASP Top 10. “Are you more of a hands-on learner, than one that can learn from just reading out of a book,” the site asks. If so, EnigmaGroup is another top destination for those learning how to “know your enemy” – in order to defeat the enemy.

Get started with EnigmaGroup here – after reading the FAQ section here that will help you begin smoothly.

Common Problems with Mobile Devices

So mobile devices are commonplace, and we know that just by opening our eyes and looking around.

However, a lot of common problems also occur that could be easy ways for an attacker to cause you harm:

One of the more common problems with mobile devices is that they quite often do not have passwords set, or else the passwords are incredibly weak. While some devices do offer simple-to-use and effective biometric systems for authentication instead of passwords, they are far from being the norm.

Although most devices support passwords, PIN codes, and gesture-based authentication, many people do not use these mechanisms, which means if the device is lost or stolen, their data can be easily accessed.

Unprotected wireless connections are also a known issue with many devices and seem to be worse on mobile devices.

This is more than likely due to owners of these devices being out and about and then finding an open access point and connecting without regard to whether it is protected or not.

Malware problems seem to be more of an issue with mobile devices than they are with other devices. This is due to owners downloading apps from the Internet with little concern that they may contain malware and not having an antimalware scanner on the device.

Users neglect to install security software on mobile devices even though such software is readily available from major vendors without restriction and is free. Many owners of these devices may even believe that malware doesn’t exist for mobile devices or that they are immune.

Unmaintained and out-of-date operating system software is a big problem. Similarly to desktop systems, patches and fixes for mobile OS software are also released from time to time.

These patches may not get applied for a number of reasons.

One of the bigger ones tends to be a provider such as AT&T tweaking stock Android into something that includes their applications and bloatware, not to mention adjustments.

When this happens, the patches and updates that Google releases may not work on those tweaked versions. In this case you would have to wait for some update to be made for your device by your provider before you can apply the patch. This process could take months or even a year and in some cases never.

Much like the OS, there may be software on the device that is not patched and is out of date. Internet connections may be on and insecure, which can lead to someone getting on the system in the same ways we discussed in earlier chapters on scanning, enumeration, and system hacking.

Mobile devices may be rooted or jailbroken, meaning that if that device is connected to your network, it could be an easy way to introduce malware into your environment. Fragmentation is common with Android devices. Specifically, this refers to the fact that unlike iOS there are a vast number of versions of the Android OS with different features, interfaces, capabilities, and more.

This can lead to support problems for the enterprise due to the amount of variation and inconsistency. While these are some of the known problems that exist with mobile devices, they don’t necessarily represent the current state of threats, and you must do due diligence if you will be managing an environment that allows these devices.

One way to help you get a snapshot of the known problems in the mobile area is to use the Open Web Application Security Project (OWASP). OWASP is an organization that keeps track of various issues such as web application concerns, and it also happens to maintain top 10 lists of various issues including mobile device problems. You may want to check their site, www.owasp.org, periodically to learn the latest issues that may be appearing and that you could use in your testing process.

Best USA People Search Tool | Background Check

We really wanted to provide the BEST solution to our readers for this problem and we did some extensive research and reverse engineering. After a lot of research and looking around we found the BEST solution to this problem for the people of the USA. It’s the BEST USA People Search Tool. It’s absolutely FREE to try and gives almost any information you want regarding the person for his / her background verification.

The name of the tool is EVERIFY.

The features of this tool include (but are not limited to) some of the best features you can think of :-

a) People Check – If you are looking for someone in the USA and have any detail about the person, you can find the COMPLETE information about the person. In this tool you can :-

  • Search for person by Phone numbers
  • Search for person by Email addresses
  • Search for person by Address history
  • Search for person by DOB
  • Search for person by Relatives and associates

b) Social Media Check – Find all the information about any person from any social networking website including the complete list of his :-

  • Photos
  • Videos
  • Blogs
  • Professional interests
  • Social Networking Profiles
  • Archives and publications
  • And other!

c) Background Check – In case you get a spam email or even think of working with a legitimate person, doing a background check of the person is always a good idea. You can verify the complete information about the person based upon what he mentioned and what’s officially in the record by matching it against the following :-

  • Court Records
  • Marriage/Divorce Records
  • Birth Records
  • Death Records
  • Property Records
  • Asset Information

d) Criminal Check – If the above information was not enough, you can even go for the Criminal Record check of the person. The following information can be looked up about the person under criminal records :-

  • Arrest & convictions
  • Felonies & misdemeanor
  • Sex offenders
  • Mug shots
  • Criminal driving infractions
  • Court and probation records
  • And more

I have personally tested this tool and I loved it. I tried searching for a person by phone number, name and email and it automatically gave me all the related information about the person.

One thing that could be improved about this tool is that currently it’s available only for the people of the USA, but we will find such valuable and useful resources for other countries as well and share them for you guys to use.

I am sure many people will LOVE this tool and might start using it on a regular basis. Some of our big corporate clients have been using this tool for a long time for the verification of the candidates they hire from the USA and save thousands of dollars annually in the actual verification. I myself use it for verification before we deal with any client overseas.

So next time you want to deal with any person from the USA and feel like doing their background checks, remember to use everify and get confident about your search before taking a step forward.

What is Vishing ?

Vishing is the practice of using social engineering over the telephone system with the purpose of stealing sensitive financial information or other sensitive personal data from a victim. Vishing is one of the most serious threats today and is widely perpetrated by criminals.
The word “vishing” is a combination of the two words “voice” and “phishing”. In this technique, attackers use the telephone system to do phishing, hence the name.
Vishing is typically used by criminals to steal sensitive banking information like account numbers, PINs, passwords, OTPs and credit card numbers, or to steal other personal details of users that the attackers can exploit to perpetrate identity theft.
Attackers often use VoIP and automated systems like IVR to perpetrate vishing. They may even use techniques like War Dialing and Caller ID Spoofing to serve their purpose.

How does Vishing work ?

Attackers may perpetrate vishing as described below.
  • Criminals first harvest phone numbers of potential victims. They may use several techniques for that purpose. They may steal phone numbers from an institution or they may use war dialing to find valid phone numbers.
  • The criminals then start making calls to potential victims. They usually use Caller ID Spoofing to deceive the victims and hide their identity.
  • In a vishing call, the attackers may trick a user into revealing sensitive financial details. They may say the call is from a bank and there is a problem with the user’s bank account or credit/debit card and the user needs to give his financial details to the caller in order to address the problem. The attackers may also use automated instructions to ask the victim to type in his credit card number, account number or PIN on the keypad. And, in some cases, the attackers ask the victim for his personal details that the attackers can later use to impersonate the victim for fraudulent purposes.

A real life example of Vishing

A widely perpetrated vishing scam is the Microsoft tech support scam. In this scam, the attackers typically call a victim posing as a member of Microsoft technical support and inform the victim that his computer is infected with malware which is generating all sorts of errors. The attackers then ask for remote access to the victim’s computer or ask the victim to download some software or fake anti-malware programs to solve the victim’s problem. Some attackers may even deceive a victim into revealing his bank account information to make a payment. In other words, the goal of this vishing scam is to infect the victim’s computer with malware or to steal sensitive financial details from the victim.

How to prevent Vishing ?

Vishing is very difficult for legal authorities to monitor or trace. But, we can always take a couple of steps to protect ourselves to a significant extent.
  • Never ever provide your financial details over the phone. A bank will never ask for your account number, credit card number, password or PIN over the phone.
  • If someone is asking for an OTP or One Time Password over the phone, be sure it is a scam. OTPs are meant for users only and no legitimate authority will ever ask a user for an OTP.
  • Do not reveal any personal details or personally identifiable information over the phone. If you have any doubts, you can politely inform the caller that you are going to call back, and then call the authentic number of the website/provider/institution to verify the call. It is always better to be safe than sorry.
  • If you get a call informing you that one of your web accounts has a problem, please do not reveal any information immediately. You can always log in to your account by visiting the legitimate website and verify whether there is any such notification, or you can call the legitimate customer care numbers and clarify.
  • Get your number registered on the National Do Not Call Registry to block automated calls. It may not stop vishing, but you would get far fewer automated calls than you are used to.
  • Do not trust the caller ID of a phone call. As said above, attackers can very easily spoof it.
  • If you think you have fallen victim to vishing and your financial information is compromised, immediately call the bank and report the incident. Verify whether there is any unauthorized transaction. Also, immediately change your IPIN, password, ATM PIN or other credentials that may have been compromised.
  • It is always good to report vishing incidents to the appropriate legal authority. It often helps a lot in catching the actual criminals.
So, to summarize, never ever reveal any financial information or any personally identifiable information over the phone. It is always good to verify the authenticity of a call before responding. Be informed about various security threats and stay safe and stay secure.

Pharming Attack Methods

DNS Cache Poisoning

The Domain Name System (DNS) definition, according to Wikipedia, is: “A domain name system server translates a human readable domain name (such as example.com) into a numerical IP address that is used to route communications between nodes. Normally if the server doesn’t know a requested translation it will ask another server, and the process continues recursively. To increase performance, a server will typically remember (cache) these translations for a certain amount of time, so that, if it receives another request for the same translation, it can reply without having to ask the other server again.”

DNS Cache Poisoning Attack Scenario

Here is the attack scenario that an attacker will follow when performing the pharming attack:

  1. An attacker hacks into the DNS server (a cache poisoning attack).
  2. The attacker changes the IP address for www.targetsite.com to the IP of www.faketargetsite.com.
  3. The victim enters www.targetsite.com in the address bar and the computer asks the DNS server for the IP address of www.targetsite.com.
  4. Because the DNS server has already been poisoned by the attacker, it returns the IP address of www.faketargetsite.com.
  5. The victim will believe it is the original website, but it is the fake one.

Hosts File Modification

The hosts file definition, according to Wikipedia, is: “The hosts file is a computer file used by an operating system to map hostnames to IP addresses. The hosts file is a plain text file, and is conventionally named hosts.”

The hosts file is a plain text file that contains lines of text consisting of an IP address followed by one or more host names where each field is separated by white space.

An IP address may refer to multiple host names, and a host name may be mapped to both an IPv4 and an IPv6 address (see the following example).

By the way, you can leave comments in the hosts file by using the hash character (#), which indicates this line is a comment. Here is an example of hosts file content:

# This is an example of the hosts file
127.0.0.1 localhost loopback
::1 localhost

The hosts file location differs from one operating system to another; for example, in the Linux operating system it’s located at “/etc/hosts” and in the Windows operating system it’s located at “%SystemRoot%\system32\drivers\etc\hosts”.

Hosts file Modification Attack Scenario

There are many ways to replace the victim’s hosts file with the attacker’s modified hosts file. The attacker can do this either by using an SFX archive or by using a batch file.

The SFX definition, according to Wikipedia, is: “A self-extracting archive (SFX) is a computer application which contains a file archive, as well as programming to extract this information. Such file archives do not require a second executable file or program to extract from the archive, as archive files usually require. The files in an archive can thus be extracted by anyone, whether they possess the appropriate decompression program or not, as long as the program can run on their computer platform.”

The batch file definition, according to Wikipedia, is: “A batch file is the name given to a type of script file, a text file containing a series of commands to be executed by the command interpreter in Windows operating systems.”

In this tutorial, we will use the second way, which is creating a batch file.

Here is the batch file content that we will use to modify the victim hosts file which will redirect www.facebook.com to the fake website (attacker website):

@echo off
echo X.X.X.X www.facebook.com >> C:\windows\system32\drivers\etc\hosts
exit

Replace “X.X.X.X” with the IP address of the attacker website and, finally, save it as Something.bat. To make it look more like a legitimate file, binder software can be used to hide the malicious file inside another file with any extension.

Now the file is sent to the victim via email, or uploaded somewhere and the victim is asked to download and run it. Once it has been run, the victim’s hosts file has been modified.

Now when the victim tries to access facebook.com, he will access the fake website and the URL won’t change.
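Because the hosts file is consulted before DNS, the tampering described above is easy to spot from the defender’s side by parsing the file with the rules given earlier (IP address, then one or more host names, with # starting a comment) and flagging any watched public domain that is statically pinned to a non-loopback address. The following is an added example, not code from the original post; the sample hosts content, the TEST-NET address 203.0.113.7 standing in for “X.X.X.X”, and the WATCHED_DOMAINS list are all constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the loopback entries from the article followed by the
# kind of line the batch file appends. 203.0.113.7 is a documentation-only
# (TEST-NET-3) address used in place of "X.X.X.X".
SAMPLE_HOSTS = """\
# This is an example of the hosts file
127.0.0.1 localhost loopback
::1 localhost
203.0.113.7 www.facebook.com   # appended by the pharming batch file
"""

# Hypothetical watch list; a real baseline would come from policy, not code.
WATCHED_DOMAINS = {"www.facebook.com", "facebook.com",
                   "www.twitter.com", "twitter.com"}


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Parse hosts-file text into {hostname: [ip, ...]}.

    Each non-comment line is an IP address followed by one or more host names
    separated by white space; '#' starts a comment, also mid-line.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank or malformed line
        try:
            ip = str(ipaddress.ip_address(fields[0]))   # IPv4 or IPv6
        except ValueError:
            continue                              # first field is not an IP
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(ip)
    return mapping


def find_pharming_entries(text: str, watched=WATCHED_DOMAINS) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs pinning a watched domain to a non-loopback IP.

    A public site should never be statically mapped in the hosts file; a
    mapping to anything but loopback is the signature of hosts-file pharming.
    """
    hits: List[Tuple[str, str]] = []
    for name, ips in parse_hosts(text).items():
        if name in watched:
            hits.extend((name, ip) for ip in ips
                        if not ipaddress.ip_address(ip).is_loopback)
    return hits
```

Running find_pharming_entries over a live copy of /etc/hosts or %SystemRoot%\system32\drivers\etc\hosts on a schedule, and alerting on any hit, catches the modification before the victim ever visits the fake site.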

Conclusion

A pharming attack lets attackers carry out their phishing scenarios in a more sophisticated way, making the attack more reliable and harder for the victim to discover.

What Is a Pharming Attack?

The pharming attack definition, according to Wikipedia, is: “Pharming is an attack intended to redirect a website’s traffic to another, bogus site. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real IP addresses. Compromised DNS servers are sometimes referred to as ‘poisoned.’ Pharming requires unprotected access to target a computer, such as altering a customer’s home computer, rather than a corporate business server.

The term ‘pharming’ is a neologism based on the words ‘farming’ and ‘phishing.’ Phishing is a type of social-engineering attack to obtain access credentials, such as user names and passwords. In recent years, both pharming and phishing have been used to gain information for online identity theft. Pharming has become a major concern to businesses hosting ecommerce and online banking websites. Sophisticated measures known as anti-pharming are required to protect against this serious threat. Antivirus software and spyware removal software cannot protect against pharming.”

A pharming attack redirects the victim to the fake website (the attacker’s website) even though the victim enters the correct address of the legitimate website. For example: the victim intends to access www.twitter.com and types the right URL into the browser; the URL shown will still be www.twitter.com, but the page being browsed is the fake website.