Hacking-MSA-Technosoft

Hacking | Types | Purpose | Hackers | SQL Injection | SQLMAP | Penetration Testing

by

Hacking: Introduction

The scope of business has expanded with World Wide Web. Internet connectivity is everywhere. Computer systems acts as an essential tool to run a successful business. Isolated computer system is not enough. They need to be networked to facilitate communication with external world. The use of computer and internet exposes them to the outside world and hacking. The first known event of hacking had taken place in 1960 at MIT and at the same time, the term “Hacker” was originated.

What is Hacking?

Computer hacking is the term that refers to the practice of alteration in computer software and hardware to accomplish something that was not in the original objective of the creator. Hacking identifies weak points in computer systems or networks.

Hacking is an attempt to exploit a computer system or a private network through a computer. It is an unauthorised control over computer network security systems for some illicit purpose. Hacking is usually done to gain unauthorized access to a computer system or a computer network. It is done either to harm the systems or to steal sensitive information available on the computer. Hacking generally deals with fraudulent acts such as fraud, privacy invasion, stealing corporate or personal data using computer system.

If hacking is done with the purpose to find weaknesses in a computer or network system for testing, it is legal. This sort of hacking is termed as Ethical Hacking.

Hackers are computer experts. Hackers are those who seek knowledge and understand computer system architecture and organisation well along with its working. They attempt to play with computer system and involved in the activity of hacking.

Types of Hacking

On the basis of different categories, we can define following types of hacking:

  • Website hacking: taking control of website from website owner to the person who has hacked it. It include unauthorised access to a web server and its associated software such as databases and other interfaces.
  • Network hacking: gathering information about domain over the network using telnet, ping, net stat etc. the intension behind is either to harm the network system or to hamper its operations.
  • Ethical hacking: hack to find system’s weakness and patch them.
  • Email hacking: unauthorized access to email account or email correspondence.
  • Password hacking: process of recovering password from the data stored in the system or transmitted by computer system.
  • Online banking hacking: unauthorised access to bank account without password and account holder’s permission.
  • Computer hacking: create, edit or view files of a system without permission of system owner. It includes stealing computer id and password with hacking methods.

Types of Hackers

Types-of-Hackers-MSA-Technosoft

Hackers can be classified on the basis of their intentions behind hacking a system. The terms for hacker types black hat & white hat come from old spaghetti westerns, where bad guy wears black cowboy hat and good guy wears white. The types of hackers are as follows:

White hat hackers

White Hat hackers are also called Ethical Hackers. White hat hackers try to find out weaknesses of the computer system or the network with the help of penetration testing and vulnerability assessments. They never intent to harm a system.

Ethical hacking is legal and white hat hacker’s job is one of the demanding jobs available in IT industry. Numerous companies hire ethical hackers for their system and network security via penetration testing and vulnerability assessments.

Black hat hackers

Black Hat hackers are also called crackers. These are people who hack to gain unauthorized access to a system and harm its operations or steal sensitive data.

Black Hat hackers are illegal. They work with bad intentions like stealing corporate data, violating privacy, damaging the system, blocking network communication, etc.

Grey hat hackers

Grey hat hackers are a blend of both black hat and white hat hackers. They act without malicious intent but for their fun, they exploit a security weakness in a computer system or network without the owner’s permission or knowledge. The intention behind their work is to bring the weakness to the attention of the owners and getting appreciation or a little bounty from the owners.

Red hat hackers

Red hat hackers are also blend of both black hat and white hat hackers. They usually hack government agencies, top-secret information hubs, and generally anything that falls under the category of sensitive information.

Blue hat hackers

Blue hat hackers belong to outside of computer security consulting firms. They are used to test bugs of the system prior to its launch. They look for loopholes or security holes that can be exploited and try to close these gaps. Microsoft also uses the term Blue Hat to represent a series of security briefing events.

Green hat hackers | Newbie | Neophyte

Neophyte, “n00b”, or “newbie” or “Green Hat Hacker” is one who is new to hacking or phreaking and has almost no knowledge or experience of the workings of technology and hacking.

Script Kiddie

Script kiddie is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding of the underlying concept.

Hacktivist

Hacktivist is one who utilizes technology to announce a social, ideological, religious, or political message. Most hacktivism involves website defacement or denialof-service attacks.

Why do hackers hack?

The idea behind performing hacking activity may include various positive and negative intentions. Here is a list of probable reasons why people indulge in hacking activities:

  • Just for fun
  • To Show-off
  • To steal information
  • To damage the system
  • To hamper privacy
  • For money extortion
  • To test System security
  • To break policy compliance

SQL Injection

SQL injection is a set of SQL commands placed in URL string or in data structures to retrieve a response from the databases connected with the web applications. This type of attacks generally takes place on webpages developed using PHP or ASP.NET.

The intentions behind SQL injection attack can be as follows:

  • To dump the whole database of a system,
  • To modify the content of the databases,
  • To perform different queries that are not allowed by the application.

SQL Injection works when the applications don’t validate the inputs properly before passing them to an SQL statement. SQL Injections are normally placed in address bars, search fields, or data fields.

The easiest way to find out whether a web application is vulnerable to an SQL injection attack is to use the ” ‘ ” character in a string and see if you get any error.

SQLMAP

SQLMAP is one of the best tools available to detect SQL injections. It can be downloaded from http://sqlmap.org/

It comes pre-compiled in the Kali distribution. You can locate it at − Applications → Database Assessment → Sqlmap.

After opening SQLMAP, we go to the page that we have the SQL injection and then get the header request. From the header, we run the following command in SQL −

./sqlmap.py --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) 
Gecko/20100101 Firefox/25.0" --cookie="security=low;
PHPSESSID=oikbs8qcic2omf5gnd09kihsm7" -u '
http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#' -
level=5 risk=3 -p id --suffix="-BR" -v3

The SQLMAP will test all the variables and the result will show that the parameter “id” is vulnerable.

Here are few tips to prevent your web application from SQL injection attacks:

  • Unchecked user-input to database should not be allowed to pass through the application GUI.
  • Every variable that passes into the application should be sanitized and validated.
  • The user input which is passed into the database should be quoted.

Penetration Testing

Penetration testing is a method of reducing the risk of security breaches in a system. Most of the companies hire ethical hackers for penetration testing. This is the way to find out security breaches and loopholes of a system so that it can be fixed.

Penetration testing is legal. It is done with the permission of the owner. Penetration testing is conducted by professional ethical hackers. They mainly use commercial, open-source tools, automate tools and manual checks. There are no restrictions for their work. The only objective here is to reveal as many security flaws as possible.

Penetration testing can also cause problems such as system malfunctioning, system crashing, or data loss. Therefore, a company should take calculated risks before going ahead with penetration testing. The risk is calculated as follows and it is a management risk.

RISK = Threat × Vulnerability

Must tell us your views about the post in the comment section below. for more interesting blogs must check out our Tech-Blogs.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.