Wednesday, December 12, 2018

What to do after hacking.

FIVE RULES OF HACKER (White hat/Black hat)



Originally, to “hack” meant to possess extraordinary computer skills to extend the limits of computer systems. Hacking required great proficiency. Today, however, automated tools and code available on the Internet make it possible for anyone with the will and desire to hack and succeed. Hackers are generally intelligent individuals with good computer skills and the ability to create and explore a computer’s software and hardware. Their intention can be either to gain knowledge or to dig around in order to do illegal things. Some are motivated by the zeal to know more, while malicious attackers intend to steal data. In general, there are five rules (phases) by which an intruder advances an attack:


 

1. Reconnaissance

2. Scanning

3. Gaining Access

4. Maintaining Access

5. Covering Tracks



1. Reconnaissance (Information gathering):-

 
Reconnaissance refers to the preparatory phase in which an attacker gathers as much information as possible about the target prior to launching the attack. In this phase the attacker also draws on competitive intelligence to learn more about the target. The phase may involve network scanning, either external or internal, without authorization. Another reconnaissance technique is “dumpster diving”: looking through an organization’s trash for discarded sensitive information. Attackers can use the Internet to obtain information such as employees’ contact details, business partners, technologies in use, and other critical business knowledge, but dumpster diving may provide them with even more sensitive information such as usernames, passwords, credit card statements, bank statements, ATM slips, social security numbers, telephone numbers, etc.

2. Scanning :-

Scanning is the step an attacker performs prior to attacking the network. In scanning, the attacker uses the details gathered during reconnaissance to identify specific vulnerabilities. Scanning can be considered a logical extension (and overlap) of active reconnaissance. Attackers often use automated tools such as network/host scanners and war dialers to locate systems and attempt to discover vulnerabilities. Port scanners can be used to detect listening ports and so learn about the nature of the services running on the target machine. The primary defense in this regard is to shut down services that are not required. Appropriate filtering may also be adopted as a defense mechanism; however, attackers can still use tools to determine the rules implemented for filtering.
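The "shut down services that are not required" defense above is easiest to act on when listening sockets are compared against a written policy. The following is an added example, not code from the original post: it parses the output of `ss -H -ltn` (a constructed sample is embedded) and reports listeners that a hypothetical per-host allowlist does not cover, including a service that should only be bound to loopback.

```python
import subprocess

# Constructed sample of `ss -H -ltn` output (columns: State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      511             [::]:443           [::]:*
LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      50           0.0.0.0:23         0.0.0.0:*
"""

# Hypothetical policy for this host: (port, bind address) pairs that are expected.
# A bind address of "*" means any address is acceptable; 5432 must stay loopback-only.
ALLOWLIST = {(22, "*"), (80, "*"), (443, "*"), (5432, "127.0.0.1")}


def parse_listeners(ss_output):
    """Return [(address, port)] for every LISTEN row of `ss -H -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 literals such as "[::]:443" intact
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def unexpected_listeners(listeners, allowlist=ALLOWLIST):
    """Listeners not covered by the policy: candidates to disable or firewall off."""
    return [(addr, port) for addr, port in listeners
            if (port, "*") not in allowlist and (port, addr) not in allowlist]


def run_ss():
    """Fetch live output; needs iproute2's `ss` (Linux). Not called by default."""
    return subprocess.run(["ss", "-H", "-ltn"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for addr, port in unexpected_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"unexpected listener {addr}:{port}")
```

Replace `SAMPLE_SS_OUTPUT` with `run_ss()` to audit a live host; the sample flags the telnet listener on port 23.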

3. Gaining Access :-

Gaining access is the most important phase of an attack in terms of potential damage. Attackers need not always gain access to the system to cause damage. For instance, denial-of-service attacks can either exhaust resources or stop services from running on the target system. Stopping a service can be carried out by killing processes, using a logic/time bomb, or even reconfiguring and crashing the system. Resources can be exhausted locally by filling up outgoing communication links.

4. Maintaining Access :-

Once an attacker gains access to the target system, the attacker can choose to use both the system and its resources, and further use the system as a launch pad to scan and exploit other systems, or to keep a low profile and continue exploiting the system. Both of these actions can damage the organization. For instance, the attacker can install a sniffer to capture all network traffic, including telnet and FTP sessions with other systems.
Attackers who choose to remain undetected remove evidence of their entry and use a backdoor or a Trojan to gain repeat access. They can also install rootkits at the kernel level to gain superuser access.

5. Covering Tracks (Don't leave clues):-

An attacker would like to destroy evidence of his/her presence and activities for various reasons, such as maintaining access and evading punitive action. Erasing evidence of a compromise is a requirement for any attacker who would like to remain obscure, and it is one of the best methods of evading trace-back. This usually starts with erasing the contaminated logins and any error messages that may have been generated by the attack process; for example, a buffer overflow attack will usually leave a message in the system logs. Next, attention turns to making changes so that future logins are not logged. By manipulating and tweaking the event logs, the system administrator can be convinced that the output of his/her system is correct and that no intrusion or compromise has actually taken place.

Trojans such as AIDS or NETCAT come in handy for any attacker who wants to destroy the evidence in the log files or replace the system binaries with trojanned ones. Once the Trojans are in place, the attacker can be assumed to have gained total control of the system. Rootkits are automated tools designed to hide the presence of the attacker. By executing the script, a variety of critical files are replaced with trojanned versions, hiding the attacker with ease.

Wednesday, August 8, 2018

Different types of HTTP headers

HTTP Headers


HTTP supports a large number of headers, some of which are designed for specific, unusual purposes. Some headers can be used in both requests and responses, and others are specific to one of these message types. The following sections describe the headers you are likely to encounter when testing web applications.


1. General Headers

Connection :- 

This header tells the other end of the communication whether it should close the TCP connection after the HTTP transmission has completed or keep it open for further messages.

Content-Encoding :-

This header specifies what kind of encoding is being used for the content contained in the message body, such as gzip, which is used by some applications to compress responses for faster transmission.

Content-Length :-

  It specifies the length of the message body, in bytes (except in the case of a response to a HEAD request, when it indicates the length of the body in the response to the corresponding GET request).

Content-Type :-

 It specifies the type of content contained in the message body, such as text/html for HTML documents.

Transfer-Encoding :-

  It specifies any encoding that was performed on the message body to facilitate its transfer over HTTP. It is normally used to specify chunked encoding when this is employed.

2. Request Headers


Accept :-

 It tells the server what kinds of content the client is willing to accept, such as image types, office document formats, and so on.

Accept-Encoding :-

 It tells the server what kind of content encoding the client is willing to accept.

Authorization :-

  This submits credentials to the server for one of the built-in HTTP authentication types.

Cookie :-

 This submits cookies to the server that the server previously issued.

Host :-

  It specifies the host name that appeared in the full URL(Uniform Resource Locator) being requested.

If-Modified-Since :-

  It specifies when the browser last received the requested resource. If the resource has not changed since that time, the server may instruct the client to use its cached copy, using a response with status code 304.

If-None-Match :-

  It specifies an entity tag, which is an identifier denoting the contents of the message body. The browser submits the entity tag that the server issued with the requested resource when it was last received. The server can use the entity tag to determine whether the browser may use its cached copy of the resource.

Origin :-

  This is used in cross-domain Ajax requests to indicate the domain from which the request originated.

Referer :-

 It specifies the URL from which the current request originated.

User-Agent :-

 It provides information about the browser or other client software that generated the request.


3. Response Headers


Access-Control-Allow-Origin :-

  This indicates whether the resource can be retrieved via cross-domain Ajax request.

Cache-Control :-

  It passes caching directives to the browser (for example, no-cache).

ETag :-

  It specifies an entity tag. Clients can submit this identifier in future requests for the same resource in the If-None-Match header to notify the server which version of the resource the browser currently holds in its cache.

Expires :-

 This tells the browser for how long the contents of the message body are valid. The browser may use the cached copy of this resource until this time.

Location :-

 It is used in redirection responses (those that have a status code starting with 3) to specify the target of the redirect.

Pragma :-

 This passes caching directives to the browser (for example, no-cache).

Server :-

  It provides information about the web server software being used.

Set-Cookie :-

 This issues cookies to the browser that it will submit back to the server in subsequent requests.

WWW-Authenticate :-

  This is used in responses that have a 401 status code to provide details on the type(s) of authentication that the server supports.

X-Frame-Options :-

 It indicates whether and how the current response may be loaded within a browser frame.
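Several of the response headers listed above (X-Frame-Options, Server, Cache-Control, Set-Cookie, Access-Control-Allow-Origin) are exactly the ones a reviewer checks first when assessing a response. The following is an added example, not code from the original post: it parses a raw HTTP/1.1 response into its status, headers and body, then reports weak or missing values; the sample response is constructed for illustration and the checks reflect common hardening advice rather than any standard.

```python
# Constructed sample response; header values are illustrative, not from a real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "hello"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).
    Header names are lower-cased; repeated headers such as Set-Cookie become lists."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def audit_headers(headers):
    """Return findings (strings) for the security-relevant response headers."""
    findings = []
    if "x-frame-options" not in headers:
        findings.append("X-Frame-Options missing: response may be framed by other sites")
    if "server" in headers and any(ch.isdigit() for ch in headers["server"][0]):
        findings.append("Server header discloses a software version")
    if headers.get("access-control-allow-origin", [""])[0] == "*":
        findings.append("Access-Control-Allow-Origin is *: any origin may read this response")
    cache = headers.get("cache-control", [""])[0].lower()
    if "set-cookie" in headers and "no-store" not in cache:
        findings.append("Cache-Control lacks no-store on a response that sets cookies")
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        # attributes after the name=value pair, compared case-insensitively
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for attr, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if attr not in attrs:
                findings.append(f"Set-Cookie {name} lacks {label}")
    return findings
```

On the sample response the audit reports six findings: the missing X-Frame-Options, the version in Server, the wildcard CORS origin, the cacheable cookie-setting response, and the session cookie's missing Secure and HttpOnly flags.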
