TYCS Semester VI Ethical Hacking

UNIT 1
Information Security: Attacks and Vulnerabilities
Introduction to Information security: Asset, Access Control, CIA, Authentication,
Authorization, Risk, Threat, Vulnerability, Attack Surface, Malware,
Security-Functionality-Ease of Use Triangle.

Types of malware: Worms, viruses, Trojans, Spyware, Rootkits.

Types of vulnerabilities: OWASP Top 10: Cross-site scripting(XSS), Cross site request forgery
(CSRF/XSRF), SQL injection, input parameter manipulation, broken authentication, Sensitive
information disclosure, XML External Entities, broken access control, Security
misconfiguration, Using components with known vulnerabilities, Insufficient logging and
monitoring, OWASP Mobile Top 10, CVE Database.

Types of attacks and their common prevention mechanisms: Keystroke logging, Denial of
Service (DoS/DDoS), waterhole attack, brute force, phishing and fake WAP, Eavesdropping,
Man-in-the-middle, Session Hijacking, Clickjacking, Cookie Theft, URL Obfuscation, buffer
overflow, DNS poisoning, Identity Theft, IoT Attacks, BOTs and BOTNETs.

Case-Studies: Recent attacks – Yahoo, Adult Friend Finder, e Bay, Equifax, WannaCry, Target
Stores, Uber, JP Morgan Chase, Bad Rabbit.

What is Information Security?


Information Security is the practice of preventing unauthorized access, use, disclosure,
disruption, modification, recording or destruction of information. The information can be
physical or electronic: your personal details, your profile on social media, the data on your
mobile phone, your biometrics. Because so much counts as information, the field spans many
research areas, including Cryptography, Mobile Computing and Cyber Forensics.

Attack:

An attack is an attempt to obtain, alter, destroy, remove or reveal information without
authorization. Attacks happen to both individuals and organizations.


There are many different kinds of attacks, including but not limited to passive, active, targeted,
botnet, phishing and spamming attacks.

An attack is therefore one of the biggest security threats in information technology, and it comes
in many forms.

A passive attack does not alter the system or its data; the attacker only observes, and obtains
information. Wiretapping is the classic example.
An active attack attempts to alter system resources or affect how they work, and so can cause
major damage to an individual's or organization's resources. A virus or other type of malware is a
good example.

Types of Attacks or Security Attacks


Security attacks are classified into two types, passive attack and active attack.
A passive attack attempts to learn or make use of information from the system but does not
affect system resources, whereas active attack attempts to alter system resources or affect
their operation.

Passive attacks: A passive attack attempts to learn or make use of information from the system
but does not affect system resources. Passive attacks are in the nature of eavesdropping on, or
monitoring of, transmissions. The goal of the opponent is to obtain information that is being
transmitted.
Types of Passive attacks are as following:
1. The release of message content –
Telephonic conversation, an electronic mail message or a transferred file may contain sensitive
or confidential information. We would like to prevent an opponent from learning the contents of
these transmissions.
2. Traffic analysis –
Suppose we had a way of masking the information (encryption) so that an attacker who captured a
message could not read its contents. The opponent could still determine the location and identity
of the communicating hosts and observe the frequency and length of the messages exchanged. This
metadata can be enough to guess the nature of the communication taking place.

Active attacks: An active attack attempts to alter system resources or affect their operation.
Active attacks involve some modification of the data stream or the creation of a false stream.
Types of active attacks are as follows:

1. Masquerade –

A masquerade attack takes place when one entity pretends to be a different entity. A masquerade
attack usually includes one of the other forms of active attack, for example capturing a
legitimate authentication exchange and replaying it to impersonate the victim.

2. Modification of messages –
It means that some portion of a message is altered or that message is delayed or reordered to
produce an unauthorized effect. For example, a message meaning “Allow JOHN to read
confidential file X” is modified as “Allow Smith to read confidential file X”.

3. Repudiation –
This attack is carried out by either the sender or the receiver, who later denies having sent or
received a message. For example, a customer asks the bank to transfer an amount to someone and
later denies ever having made the request. This is repudiation.

4. Replay –
It involves the passive capture of a message and its subsequent retransmission to produce an
unauthorized effect, for example re-sending a captured "transfer funds" request.

5. Denial of Service –
It prevents the normal use of communication facilities. It is an attack meant to shut down a
machine or network, making it inaccessible to its intended users. The attack may have a
specific target; for example, an entity may suppress all messages directed to a particular
destination. Another form is the disruption of an entire network, either by disabling the
network or by overloading it with messages so as to degrade performance.

Vulnerability
Vulnerability is a cyber-security term that refers to a flaw in a system that can leave it open to
attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a
set of procedures, or in anything that leaves information security exposed to a threat.
Vulnerabilities are what information security and information assurance professionals seek
to reduce. Cutting down vulnerabilities provides fewer options for malicious users to gain access
to secure information.
Examples of vulnerability include these:
 A weakness in a firewall that lets hackers get into a computer network
 Unlocked doors at businesses
 Lack of security cameras

All of these represent a weakness that can be used by others to hurt a business or any other asset
that you care about. Actually, your business is considered one of your assets. All of your
suppliers, materials, and finished products for your business are all assets too.
Types of vulnerabilities
 Physical vulnerabilities
 Natural vulnerabilities
 Hardware/software vulnerabilities
 Media vulnerabilities (e.g., stolen/damaged disk/tapes)
 Emanation vulnerabilities---due to radiation
 Communication vulnerabilities
 Human vulnerabilities
Examples of Information Security Vulnerabilities
 Information security vulnerabilities are weaknesses that expose an organization to risk.
 Through employees: Social interaction, Customer interaction, Discussing work in public
locations, Taking data out of the office (paper, mobile phones, laptops), Emailing
documents and data, Mailing and faxing documents, Installing unauthorized software and
apps, Removing or disabling security tools, Letting unauthorized persons into the office
(tailgating) , Opening spam emails, Connecting personal devices to company networks,
Writing down passwords and sensitive data, Losing security devices such as id cards,
Lack of information security awareness, Keying data
 Through former employees---Former employees working for competitors, Former
employees retaining company data, Former employees discussing company matters
 Through technology---Social networking, File sharing, Rapid technological changes,
Legacy systems, Storing data on mobile devices such as mobile phones, Internet browsers
 Through hardware---Susceptibility to dust, heat and humidity, Hardware design flaws,
Out of date hardware, Misconfiguration of hardware
 Through software---Insufficient testing, Lack of audit trail, Software bugs and design
faults, Unchecked user input, Software that fails to consider human factors, Software
complexity (bloatware), Software as a service (relinquishing control of data), Software
vendors that go out of business or change ownership
 Through network---Unprotected network communications, Open physical connections,
IPs and ports, Insecure network architecture, Unused user ids, Excessive privileges,
Unnecessary jobs and scripts executing, Wi-Fi networks.

Asset:

An asset is anything of value that is controlled by or contained in a computer system: data,
hardware, software and the services they provide. Security aims to ensure that an asset

 is accessed only by those with the proper authorization (confidentiality);
 can only be modified by those with the proper authorization (integrity);
 is accessible to those with the proper authorization at appropriate times (availability).

Access Control:

Access control overview


Given a subject, which objects can it access and how?
Given an object, which subjects can access it and how?

(Figure: a subject, here a user process, sends an access request to the reference monitor, which
consults the policy and decides whether the requested access to the object, a resource, is allowed.)

Access control is a way of limiting access to a system or to physical or virtual resources. In
computing, access control is a process by which users are granted access and certain privileges to
systems, resources or information.
In access control systems, users must present credentials before they can be granted access. In
physical systems, these credentials may come in many forms, but credentials that can't be
transferred provide the most security.
For example, a key card may act as an access control and grant the bearer access to a classified
area. Because this credential can be transferred or even stolen, it is not a secure way of handling
access control.
A more secure method for access control involves two-factor authentication. The person who
desires access must show credentials and a second factor to corroborate identity. The second
factor could be an access code, a PIN or even a biometric reading.
There are three factors that can be used for authentication:
 Something only known to the user, such as a password or PIN
 Something that is part of the user, such as a fingerprint, retina scan or another biometric
measurement
 Something that belongs to the user, such as a card or a key


For computer security, access control includes the authentication, authorization and audit of the
entity trying to gain access. Access control models have a subject and an object. The subject (a
user, or a process acting on the user's behalf) is the one trying to gain access to the object (a
file, service, program or other resource). In computer systems, an access control list (ACL)
attached to an object lists the subjects and the permissions each of them holds on it. Data can
thus be viewed by certain people and not by others, and this is controlled by access control. It
allows an administrator to secure information and set privileges as to what information can be
accessed, who can access it and at what time it can be accessed.

CIA:

The CIA (Confidentiality, Integrity, and Availability) triad of information security is an
information security benchmark model used to evaluate the information security of an
organization. The CIA triad implements security in three key areas related to information
systems: confidentiality, integrity and availability.

The CIA triad was created to provide a baseline standard for evaluating and implementing
information security regardless of the underlying system and/or organization.

Each of the three core goals has its own requirements and mechanisms.
 Confidentiality:
Ensures that data or an information system is accessed only by authorized persons. The
term is closely related to privacy: access to confidential information must be restricted
to authorized people. For example, keeping a client's information between you and the
client and not disclosing it to other employees is confidentiality. User IDs and
passwords, access control lists (ACLs), policy based security and encryption are some of
the methods through which confidentiality is achieved.

 Integrity:
Integrity assures that data or an information system can be trusted: it is edited only by
authorized persons and otherwise remains in its original state, whether at rest or in
transit. Accuracy and consistency of data should always be maintained. For example,
when you send data to a client it should reach them exactly as sent; if another person
can modify the contents before forwarding it, the integrity of the data is lost.
Cryptographic hashes, message authentication codes (MACs) and digital signatures are
the key mechanisms for integrity. Encryption on its own hides data but does not by
itself detect modification, so it is normally combined with one of these.

 Availability:
Data and information systems are available when required, to the right people at the
right time. For example, when your hard disk crashes you no longer have access to the
data on it; it is unavailable to you. Hardware maintenance, software patching and
upgrading, redundancy and backups, and network optimization ensure availability.

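The following Python example, added here and not part of the original notes, shows how a message authentication code (MAC) and a per-message nonce defend against two of the active attacks described earlier, modification of messages and replay, and thereby provide the integrity goal of the CIA triad. The shared key and the example message are constructed for illustration; a real deployment would provision the key separately and bound the nonce store with a time window.

```python
import hmac
import hashlib
import secrets

# Shared secret between sender and receiver. Constructed for this example;
# in practice it comes from a key-exchange or a provisioning step.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def protect(message: bytes, key: bytes = SHARED_KEY) -> dict:
    """Sender side: attach a fresh nonce and an HMAC-SHA256 tag over nonce||message."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, nonce.encode() + message, hashlib.sha256).hexdigest()
    return {"nonce": nonce, "message": message, "tag": tag}


class Receiver:
    """Receiver side: verifies the tag (integrity) and rejects repeated nonces (replay)."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen_nonces: set = set()

    def accept(self, packet: dict) -> tuple:
        expected = hmac.new(self.key, packet["nonce"].encode() + packet["message"],
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so the check itself does not leak the tag.
        if not hmac.compare_digest(expected, packet["tag"]):
            return False, "integrity check failed: message or nonce was modified"
        if packet["nonce"] in self.seen_nonces:
            return False, "replay detected: nonce already used"
        self.seen_nonces.add(packet["nonce"])
        return True, "accepted"


def demo() -> list:
    """Run the genuine, modified and replayed scenarios; return the receiver's verdicts."""
    receiver = Receiver()
    packet = protect(b"Allow JOHN to read confidential file X")
    results = [receiver.accept(packet)[1]]          # genuine message

    # Active attack 2: modification of the message in transit (tag no longer matches)
    tampered = dict(packet, message=b"Allow SMITH to read confidential file X")
    results.append(receiver.accept(tampered)[1])

    # Active attack 4: replay of the captured, unmodified packet (tag valid, nonce reused)
    results.append(receiver.accept(packet)[1])
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that the MAC covers the nonce as well as the message; if it did not, an attacker could swap in a fresh nonce and replay the old message with its old tag.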
Authentication

Definition: Authentication is the process of verifying a user's claimed identity. It is the
mechanism of associating an incoming request with a set of identifying credentials. The
credentials provided are compared with those stored in a database of authorized users, either on
the local operating system or on an authentication server.

Description: Authentication runs at the start of request handling, before the permission
(authorization) and rate-limiting checks, and before any other application code is allowed to
proceed. Different systems may require different types of credentials to ascertain a user's
identity. The credential often takes the form of a password, a secret known only to the individual
and the system. The three categories by which someone may be authenticated are: something the
user knows, something the user is, and something the user has.

The authentication process can be described in two distinct phases: identification and actual
authentication. The identification phase presents a user identity to the security system,
normally in the form of a user ID. The security system searches the user objects it knows and
finds the one the person is claiming to be; once this is done, the user has been identified. A
claim is not proof: anyone can type someone else's user ID, and if the system mapped the person
to that user object on the claim alone it would grant them that user's rights and permissions. The
user must therefore give evidence to prove the claimed identity. The process of checking a claimed
identity against user-provided evidence is authentication, and the evidence provided is called a
credential.

Authorization
Definition: Authorization is a security mechanism that determines the access level or privileges
a user or client has over system resources, including files, services, programs, data and
application features. It is the process of granting or denying access to a resource based on the
(already authenticated) identity of the user.

Description: Most web security systems are based on a two-step process. The first step is
authentication, which ensures about the user identity and the second stage is authorization, which
allows the user to access the various resources based on the user's identity. Modern operating
systems depend on effectively designed authorization processes to facilitate application
deployment and management.

Access control in computer systems and networks relies on access policies and it is divided into
two phases:
1) Policy definition phase where access is authorized.
2) Policy enforcement phase where access requests are permitted or not permitted.
Thus authorization is the function of the policy definition phase which precedes the policy
enforcement phase where access requests are permitted or not permitted based on the previously
defined authorizations. Access control also uses authentication to check the identity of
consumers. When a consumer attempts to access a resource, the access control process checks
that the consumer has been authorized to use that resource. Authorization services are typically
implemented by a security server or reference monitor that can control access at the level of
individual files or programs.

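The access control, authentication and authorization sections above describe one reference-monitor path: identify the subject by its user ID, authenticate its credential, enforce the previously defined ACL policy, and audit every decision. The Python example below, added here and not taken from the notes, implements that path end to end with salted PBKDF2 password hashes and a constant-time comparison. The user records, salts, passwords, object names and ACL entries are all constructed for the example.

```python
import hashlib
import hmac


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stolen records cannot be reversed or compared across users."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database (salts and passwords are made up for this example).
_SALT_ALICE = bytes.fromhex("00112233445566778899aabbccddeeff")
_SALT_BOB = bytes.fromhex("ffeeddccbbaa99887766554433221100")
USERS = {
    "alice": {"salt": _SALT_ALICE, "hash": _hash_password("correct horse", _SALT_ALICE)},
    "bob":   {"salt": _SALT_BOB,   "hash": _hash_password("hunter2", _SALT_BOB)},
}

# Policy definition phase: ACL maps object -> subject -> set of permitted actions.
ACL = {
    "/confidential/file_x": {"alice": {"read", "write"}, "bob": {"read"}},
    "/payroll.db":          {"alice": {"read"}},
}

# Audit trail: every authentication and access decision is recorded here.
AUDIT_LOG = []


def authenticate(user_id: str, password: str) -> bool:
    """Identification (look up the claimed user ID) then authentication (verify the credential)."""
    record = USERS.get(user_id)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password (no user enumeration).
        _hash_password(password, b"\x00" * 16)
        AUDIT_LOG.append(f"AUTH FAIL unknown user={user_id}")
        return False
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        AUDIT_LOG.append(f"AUTH FAIL bad password user={user_id}")
        return False
    AUDIT_LOG.append(f"AUTH OK user={user_id}")
    return True


def authorize(subject: str, action: str, obj: str) -> bool:
    """Policy enforcement phase: may this (authenticated) subject perform action on obj?"""
    allowed = action in ACL.get(obj, {}).get(subject, set())
    AUDIT_LOG.append(f"ACCESS {'GRANT' if allowed else 'DENY'} {subject} {action} {obj}")
    return allowed


def access(user_id: str, password: str, action: str, obj: str) -> bool:
    """Full reference-monitor path: authenticate first, authorize second, audit both."""
    if not authenticate(user_id, password):
        return False
    return authorize(user_id, action, obj)


if __name__ == "__main__":
    print(access("alice", "correct horse", "write", "/confidential/file_x"))  # True
    print(access("bob", "hunter2", "write", "/confidential/file_x"))         # False
    print("\n".join(AUDIT_LOG))
```

Default deny is the important property: an object or subject missing from the ACL yields an empty permission set, so the enforcement phase never grants something the definition phase did not spell out.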
Risk
Definition: Risk is uncertainty about a future outcome deviating from what is expected. In
finance it measures the uncertainty an investor is willing to accept to realize a gain from an
investment. In information security it is the potential for loss or damage when a threat exploits
a vulnerability, usually expressed in terms of the likelihood of the event and its impact.

Description: Risks are of different types and originate from different situations: liquidity
risk, sovereign risk, insurance risk, business risk, default risk, and so on. Each arises from
uncertainty in the various factors that influence an investment or a situation.

Risk Management
Risk management is the process of identifying, assessing and controlling threats to an
organization's capital and earnings. It is the identification, evaluation, and prioritization of risks.
It involves managing risks to the confidentiality, integrity, and availability of an organization's
assets. There are 3 stages in risk management. They are
1. Identification
2. Assessment
3. Treatment


1. Identification:

Risk identification is the process of documenting any risks that could keep an organization or
program from reaching its objective. It's the first step in the risk management process, which is
designed to help companies understand and plan for potential risks.

a) Identify assets: what data or system should be considered as most significant.
b) Identify vulnerabilities
c) Identify threats
d) Identify controls: what control methods are used to protect

2. Assessment:
The process of combining the information gathered in the identification stage to define and
rate each risk. A common qualitative formula is
Risk = Threat * Vulnerability
where each factor is scored; the impact on the asset is often included as a third factor, so that
a high-threat, high-vulnerability finding against an unimportant asset ranks below a moderate
one against a critical asset.

3. Treatment:
It refers to the options and choices available to handle a specific risk.
a) Remediation: Implementing a control that fully fixes the risk.
b) Mitigation: Lessening the impact of the risk, but not fixing it entirely.
c) Transference: Transferring the risk to another entity.
d) Risk acceptance: occurs when a business or individual acknowledges that the potential loss
from a risk is not great enough to spend money and time to avoid it.
e) Risk avoidance: Removing all exposure to a risk.

What is Threat?
In cybersecurity, the most common understanding of a threat is anything that could exploit a
vulnerability, which could affect the confidentiality, integrity or availability of your systems,
data and more. A more advanced definition of threat is when an adversary or attacker has the
opportunity, capability and intent to bring a negative impact upon your operations, assets,
workforce or customers.
Attack surface
An attack surface is the sum of all the points in a given computing device or network through
which an attacker can try to enter, or extract data from, the system: every reachable service,
interface, input and piece of running code. The smaller it is, the fewer vulnerabilities are
exposed.

Anyone trying to break into a system generally starts by scanning the target’s attack surface.

Keep the attack surface as small as possible.

Attack surfaces can be divided into a few categories:
 The network attack surface.
 The software attack surface.
 The physical attack surface.

Every point of network interaction is a potential part of the network attack surface. A network
attack surface can be reduced by closing unnecessarily open ports and limiting the resources that
are available to untrusted users.

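As an added example that is not part of the original notes, the Python below measures one slice of the network attack surface: the services a Linux host exposes to the network, taken from its listening-socket table in the output format of `ss -tlnp`. It separates sockets bound to every interface from those bound only to loopback and flags exposed ports that are not on the intended public list. The sample output, process names and the set of intended public ports are constructed for illustration.

```python
import re

# Constructed sample of `ss -tlnp` output (Linux listening TCP sockets); not from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1301,fd=7))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1450,fd=6))
LISTEN  0       128     0.0.0.0:6379         0.0.0.0:*          users:(("redis-server",pid=1502,fd=6))
LISTEN  0       128     [::]:3306            [::]:*             users:(("mysqld",pid=1620,fd=21))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=700,fd=8))
"""

# Ports the organisation intends to expose (assumption made for this example).
INTENDED_PUBLIC_PORTS = {22, 80, 443}

# One LISTEN row: state, queues, local addr:port, peer addr:port, owning process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)

# Wildcard binds listen on every interface, so the port is reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}


def parse_listeners(ss_output: str) -> list:
    """Turn the ss table into a list of {process, port, address, exposed} records."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:            # header line or a row we do not understand
            continue
        addr = m.group("addr")
        listeners.append({
            "process": m.group("proc"),
            "port": int(m.group("port")),
            "address": addr,
            "exposed": addr in WILDCARD_ADDRS,
        })
    return listeners


def unexpected_exposures(ss_output: str, intended=INTENDED_PUBLIC_PORTS) -> list:
    """Network-reachable listeners whose port is not on the intended public list."""
    return [l for l in parse_listeners(ss_output)
            if l["exposed"] and l["port"] not in intended]


if __name__ == "__main__":
    for entry in unexpected_exposures(SAMPLE_SS_OUTPUT):
        print(f"{entry['process']} listening on {entry['address']}:{entry['port']} "
              f"is reachable from the network but not on the intended list")
```

In the constructed sample the database and cache (ports 3306 and 6379) are bound to all interfaces and are the findings; PostgreSQL and CUPS are bound to loopback and are not part of the network attack surface, though they remain part of the software attack surface. On a real host, pipe the live `ss -tlnp` output into `unexpected_exposures` and reconcile the result with a host firewall rule set.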
As all running code may contain exploitable vulnerabilities, one of the first and simplest ways
to limit the software attack surface is to reduce the amount of running code: remove unused
services, libraries and features. The more code and exploits a piece of malware can draw on, the
greater its chance of getting in through a hole in the target system's attack surface.

Physical access also constitutes an attack surface, which overlaps with the social engineering
attack surface. External risks include password retrieval from carelessly discarded hardware or
from password sticky notes. Best practices for physical attack surface remediation include
enforcing strong authentication, destroying hard drives before throwing them out and refraining
from leaving hard copy access data.

How to measure attack surface?


3 steps to understand the attack surface:
1. Visualize: Seeing your attack surface in its entirety helps prevent data breaches, respond
faster to threats and attacks, and improve security management to reduce risk. From a single
picture, security teams can view integrated data from dozens of security and networking products,
regardless of vendor or location, and see Indicators of Exposure (IOEs) prioritized in the unique
context of their organization.
2. Find indicators of exposure (IOEs): IOEs describe security weaknesses that are particular
to an enterprise network and can be exploited by an attacker. It is not enough to catalog a
list of vulnerabilities. Consideration must be given to those vulnerabilities that are not only
exposed to a potential attack but also put key assets at risk. By linking IOEs with an
understanding of network topology and assets, enterprises can discern which attack vectors are
most likely to be exploited in a multistep attack.
3. Find indicators of compromise (IOCs): Indicators of compromise (IOCs) are pieces of
forensic data, such as system log entries, system files or network traffic, that identify potentially
malicious activity on a system or network. Information security professionals use indicators of
compromise to detect data breaches, malware infections and other security incidents. By
monitoring for indicators of compromise, security teams can detect cyber-attacks and act quickly
to prevent security breaches, limit damage and improve incident response.

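The IOC monitoring described in step 3, as an added Python example that is not part of the original notes: a small matcher that extracts IP addresses, SHA-256 hashes and domain names from log lines and reports those that appear in a list of known indicators. The indicator values and the proxy, EDR and firewall log lines are constructed for this example and are not real-world indicators.

```python
import re

# Constructed indicators of compromise (made up for this example; not real indicators).
IOCS = {
    "ip":     {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example.net"},
    "sha256": {"7d8c2f0e9a1b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f70819a2b3c4d"},
}

# Constructed sample log lines in proxy, EDR and firewall styles.
SAMPLE_LOGS = """\
2024-03-01T10:02:11Z proxy user=jdoe dst=www.example.org status=200
2024-03-01T10:02:13Z proxy user=jdoe dst=update-check.example.net status=200
2024-03-01T10:02:15Z edr host=ws-17 file=C:\\Users\\jdoe\\AppData\\svc.exe sha256=7d8c2f0e9a1b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f70819a2b3c4d
2024-03-01T10:03:40Z fw action=allow src=10.0.4.17 dst=203.0.113.45 dport=443
2024-03-01T10:04:02Z fw action=allow src=10.0.4.17 dst=10.0.0.5 dport=445
"""

# Extractors for the three indicator types; each candidate is then checked against the IOC set.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def match_iocs(log_text: str, iocs=IOCS) -> list:
    """Return one hit per log line that contains at least one known indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        found = []
        found += [("ip", ip) for ip in IPV4_RE.findall(line) if ip in iocs["ip"]]
        found += [("sha256", h) for h in SHA256_RE.findall(line) if h in iocs["sha256"]]
        found += [("domain", d) for d in DOMAIN_RE.findall(line) if d in iocs["domain"]]
        if found:
            hits.append({"line": lineno, "indicators": found, "text": line})
    return hits


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        kinds = ", ".join(f"{kind}={value}" for kind, value in hit["indicators"])
        print(f"line {hit['line']}: {kinds}")
```

Exact matching on extracted tokens, rather than substring search over the whole line, is what keeps the false-positive rate down: the internal address 10.0.0.5 and the benign domain www.example.org are extracted but never reported because they are not in the indicator set.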
Malware:
Malware is software designed to infiltrate or damage computers without the user's consent.
 Malware is short for Malicious Software.
 It is any program or file that is harmful to a computer user.
 The term refers to software that is deployed with malicious intent.
 Malware can be deployed remotely, and tracing its source is hard.
 It can take the form of executable code, scripts, active content and other software.
 These malicious programs can perform a variety of functions, including stealing, encrypting
or deleting sensitive data, altering or hijacking core computing functions and monitoring
users' computer activity without their permission.

Malware is typically used:
 To steal information that can be readily monetized, such as login credentials, credit card and
bank account numbers, and intellectual property such as computer software, financial
algorithms and trade secrets.
 To spy on computer users for an extended period without their knowledge, for example the
Regin malware.

List of Common Malware types:

 Virus:
A virus is a program or code fragment that attaches itself to another piece of software and
reproduces itself when that software is run. Most often it spreads through sharing software
or files between computers.

A computer virus is a specific type of malware that self-replicates, like the similarly-named
infectious agents in humans and animals. Like a living virus, computer viruses attach
themselves to hosts in order to move around and reproduce. The term virus indicates the means
of replication, not the way the malware acts on a computer. Viruses used to travel on floppy
disks and CD-ROMs; now they move around over the Internet, hiding inside files and
applications, or spread via infected USB sticks. The term virus is often used as a blanket term,
while the word malware is generally more appropriate. And, because historically viruses were
the first type of malware that attacked personal computers, the security industry often uses
the term "anti-virus" for software that detects and eradicates malware.

 Spam: Spamming is a method of flooding the Internet with copies of the same message.
Most spam consists of commercial advertisements sent as unwanted email to users or as
junk newsgroup postings. Spam is annoying because it arrives every day and fills your
mailbox; it is not malware in itself, but it is one of the most common delivery vehicles for
malware, phishing links and malicious attachments.

 Worm:
A program that replicates itself, usually across a network, without needing to attach to
another file. A worm may carry a payload that destroys data and files, but even without one
it consumes bandwidth, memory and disk space as it spreads.
On a computer, a worm is similar to a virus in that it replicates itself. But unlike viruses,
worms don't need to be attached to other files. They often replicate over networks, rendering
them particularly dangerous.

 Trojan:
A Trojan horse, or simply Trojan, is a type of malware that is disguised as a useful piece of
software or data file. It may actually perform actions on a computer that are or seem
legitimate, but will install malware or perform malicious actions. A Trojan horse may also be
legitimate software that has been altered to install malware. The name comes from the
wooden horse that the Greeks made to attack the city of Troy. Obviously, the people in that
city didn't know that they shouldn't open unsolicited attachments.

 Key loggers:
Records everything you type on your PC in order to gain your log-in names, passwords, and
other sensitive information, and send it on to the source of the keylogging program.
A key logger is a type of malware that records all keystrokes that a user types on their
computer. A key logger can also be a hardware device, connected somewhere between a
keyboard and a computer. Key loggers can record all sorts of personal information, such as
user names, passwords, credit card numbers, and personal documents such as emails and
reports. Key loggers can be useful to obtain information that can be later used to access a
user's online accounts, or for espionage.

 Ransomware:
Ransomware is a type of malware that locks a computer or encrypts a user's files until a
ransom is paid. It can be installed by a Trojan horse, or downloaded when visiting a
malicious website. Ransomware is big business, with cyber-criminals making a lot of money
from users who need to access their files. These groups often have sophisticated fulfillment
setups, with call centers and customer support to take payments. The best prevention against
ransomware, other than using anti-malware software, is to regularly back up your files, so
you always have a copy of them available; the backup must be kept offline or otherwise out of
reach of the infected machine, or the ransomware will encrypt it too.

 Rootkit:
A rootkit is software that conceals the presence of an attacker, or of other malware, on a
computer that the attacker already controls at the "root" (administrator) level. It does not
obtain that access by itself: it is installed after the attacker has gained it, via a Trojan
horse, a phishing attack, an exploit or other means, and then keeps it. A rootkit acts as a
virtual backdoor: once installed, malicious users can control the computer and access all its
files while the rootkit hides its own processes, files and network connections, and those of
other malware, from the user and from security tools.

 Backdoor:
A backdoor is a way to access a computer or device without authentication. It may provide
access to encrypted files without requiring a user's password or passcode, or it may offer a
means of accessing all the files on a computer. In some cases, manufacturers or developers
create intentional backdoors so they can restore access to users who are locked out of a
system, or to reset a device to factory settings.

 Spyware:
Spyware is malicious software that spies on a user, recording keystrokes (i.e. key logger),
such as user names and passwords, tracking user activity on the internet, or activating the
microphone or camera on a computer to record physical activity.

 Adware
Adware is software that causes advertisements to be displayed on a computer's desktop or in
a web browser, in order to generate income from these ads being shown. Some free software
displays ads, and is technically not adware; the term is generally used for malicious software,
which users cannot remove easily.

 Botnet:
A botnet is a network of computers whose access has been compromised, and that are
controlled remotely. These individual computers are often called bots or zombies. Botnets
are generally used to send spam emails, or to launch denial of service attacks, where
thousands of computers block a website or server by flooding that server with more requests
than it can handle.

Types of virus
1. Boot sector virus: A boot sector virus is a type of virus that infects the boot sector of floppy
disks or the Master Boot Record (MBR) of hard disks. The infected code runs when the system is
booted from an infected disk, but once loaded it will infect other floppy disks when accessed in
the infected computer. These viruses are most commonly spread using physical media. An
infected floppy disk or USB drive connected to a computer will transfer this virus then modify or
replace the existing boot code. The next time a user tries to boot their desktop, the virus will be
loaded and run immediately as part of the master boot record.
2. Direct action virus: A direct action virus attaches itself to an executable (.exe) file and
runs only when that file is executed; it infects other files it can reach and then exits with its
host rather than staying loaded. Because it does not remain in memory it is also known as a
non-resident virus.

3. Resident virus: It hides and stores itself within the computer's memory, which then allows it
to infect any file that is run by the computer. Since it is stored in memory, the virus can spread
more easily because it has more access to other parts of the computer.

* A resident virus stays loaded in RAM after its host program has finished, whereas a
non-resident virus runs in RAM only while its host executes and does not stay there.

4. Multipartite virus: A multipartite virus is a type of fast-acting malware that attacks a
device's boot sector and executable files at the same time. Multipartite viruses are often
considered more problematic than traditional computer viruses because they can spread in
multiple ways, and they are considered much more destructive than other viruses. Because each
infection route can re-infect a system that has been cleaned of the other, a multipartite virus
can infect a computer multiple times. It is also known as a hybrid virus.

5. Polymorphic virus: Polymorphic viruses are complex file infectors that create modified
versions of themselves to avoid detection yet retain the same basic routines after every
infection. To vary their physical file makeup on each infection, polymorphic viruses encrypt
their body with a different key each time and mutate the small decryptor routine that precedes
it, so that no fixed byte sequence is available for a signature scanner to match.

Security, Functionality and Usability Triangle:

There is an interdependency between these three attributes. When security goes up, usability
and functionality come down. Any organization should balance these three qualities to
arrive at a balanced information system.

Functionality: the purpose that something is designed for

Security: all the measures taken to protect a system

Usability: the degree to which something can be used easily


Some important terms to consider in hacking are:

Threat: Anything that has the potential to cause harm. Threats come in many forms: system
threats, network threats, application threats, cloud threats, malicious file threats, etc.
Vulnerability: A weakness or a flaw in the system which an attacker may find and exploit. An
outdated OS, default passwords and unencrypted protocols are all good examples of vulnerabilities.
Attack: The method followed by a hacker/individual to break into the system. Denial of service
attacks, misconfiguration attacks, operating system attacks, viruses and worms are all examples of
attacks.
Attack vectors: The path or means by which an attacker gains access to an information system to
perform malicious activities.

Types of vulnerabilities: OWASP Top 10


OWASP - Open Web Application Security Project
An international non-profit organization where white-hat hackers (certified or not) come
together to find solutions to attack problems.
Example workflow: suppose attack type X hits company M. First look up that attack type in the
OWASP community; if it is an already-reported attack with a known solution, the corresponding
tool or fix is installed at company M.

But if this is the first occurrence of the attack, it is registered with OWASP, and the OWASP team
checks it and tries to find a solution.

Cross-site scripting(XSS)

Cross-site scripting (XSS) is a type of injection security attack in which an attacker injects data,
such as a malicious script, into content from otherwise trusted websites.

Cross-site scripting attacks happen when an untrusted source is allowed to inject its own code
into a web application, and that malicious code is included with dynamic content delivered to a
victim's browser.
Cross-site scripting allows an attacker to execute malicious scripts in another user's browser.
However, the attacker doesn't attack the victim directly; rather, the attacker exploits a
vulnerability in a website the victim visits and gets the website to deliver the malicious script for
the attacker.
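The reflected case described above, as an added example (not code from these notes): the same page fragment is rendered once by pasting untrusted input straight into the HTML and once after encoding it for an HTML text context. The input string and template are constructed for the demonstration.

```python
import html

# Constructed sample input: a search term an untrusted user could submit.
# It is the textbook marker string; the point is only that it contains
# characters that HTML treats as markup.
UNTRUSTED_INPUT = '<script>alert("xss")</script>'

TEMPLATE = "<p>You searched for: {term}</p>"


def render_vulnerable(term: str) -> str:
    """Reflects untrusted input straight into the HTML response.

    Whatever markup the input contains becomes part of the page, which is
    exactly the condition described in the text: the site itself delivers
    the attacker's script to the victim's browser.
    """
    return TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    """Encodes the input for an HTML text context before reflecting it.

    html.escape turns <, >, &, " and ' into character references, so the
    browser displays the characters as text instead of parsing them.
    """
    return TEMPLATE.format(term=html.escape(term, quote=True))


def contains_script_tag(fragment: str) -> bool:
    """Crude check used here to show the difference: does the rendered
    page still contain a raw <script ...> start tag?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_vulnerable(UNTRUSTED_INPUT))
    print(render_safe(UNTRUSTED_INPUT))
```

Output encoding must match the context (HTML text, attribute, JavaScript, URL); `html.escape` is correct for the text-node case shown here and is not a substitute for a template engine that escapes by default.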
Cross site request forgery(CSRF/XSRF)

Cross-site request forgery (XSRF or CSRF) is a method of attacking a Web site in which an
intruder masquerades as a legitimate and trusted user. An XSRF attack can be used to
modify firewall settings, post unauthorized data on a forum or conduct fraudulent financial
transactions.
An XSRF attack can be executed by stealing the identity of an existing user and then hacking
into a Web server using that identity.
Difference between XSS and CSRF
Key Difference: XSS and CSRF are two types of computer security vulnerabilities. XSS stands
for Cross-Site Scripting. CSRF stands for Cross-Site Request Forgery. In XSS, the hacker takes
advantage of the trust that a user has for a certain website. On the other hand, in CSRF the
hacker takes advantage of a website’s trust for a certain user’s browser.

● A site that is vulnerable to XSS attacks is also vulnerable to CSRF attacks.

● A site that is completely protected from XSS types of attacks is still most likely
vulnerable to CSRF attacks.
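The standard defence for the "website trusts the user's browser" problem is a synchronizer token: a random value bound to the session and embedded in the site's own forms, which a request from another origin cannot know. The following is an added illustration, not code from these notes; the in-memory session store and the transfer handler are constructed for it.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for a web framework's
# session backend: session ID -> per-session data.
SESSIONS = {}


def start_session() -> str:
    """Creates a session and binds a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The token the server embeds in its own forms as a hidden field.
    Only pages served from this site can read it, so a request forged
    from another origin cannot include it."""
    return SESSIONS[sid]["csrf_token"]


def handle_transfer(sid: str, form: dict) -> str:
    """State-changing handler. The browser attaches the session cookie to
    a cross-site POST automatically, so the cookie alone proves nothing;
    the request is accepted only if the submitted token matches the one
    stored for the session."""
    session = SESSIONS.get(sid)
    if session is None:
        return "rejected: no session"
    submitted = form.get("csrf_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8")):
        return "rejected: csrf token mismatch"
    return f"ok: transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = start_session()
    # A form rendered by the site itself carries the token.
    print(handle_transfer(sid, {"csrf_token": csrf_token_for(sid), "amount": "10", "to": "bob"}))
    # A request forged from elsewhere rides on the cookie but lacks the token.
    print(handle_transfer(sid, {"amount": "1000", "to": "mallory"}))
```

Modern deployments add the `SameSite` cookie attribute and an `Origin`/`Referer` check as defence in depth; the token remains the mechanism that works everywhere.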

SQL Injection

SQL injection is a code injection technique that might destroy your database.
SQL injection is one of the most common web hacking techniques.
SQL injection is the placement of malicious code in SQL statements, via web page input.
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries
that an application makes to its database. It generally allows an attacker to view data that they are
not normally able to retrieve. This might include data belonging to other users, or any other data
that the application itself is able to access. In many cases, an attacker can modify or delete this
data.
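The "malicious code in SQL statements, via web page input" described above, as an added example rather than code from these notes: an in-memory SQLite table is queried once with string concatenation and once with a parameterised statement, using the classic tautology input. The table contents are constructed.

```python
import sqlite3

# Constructed sample table. Passwords are stored in clear text here only to
# keep the injection demonstration short; a real application stores password
# hashes, never the passwords themselves.
SAMPLE_USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Builds the statement by string concatenation: the user's input becomes
    part of the SQL itself, so quotes and operators in the input change the
    query's logic (AND binds tighter than OR, so the tautology matches every row)."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username: str, password: str) -> list:
    """Parameterised statement: the driver passes the values separately from
    the SQL text, so the input is only ever compared as data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"  # textbook tautology supplied as the password
    print(login_vulnerable(db, "alice", "correct-horse"))  # ['alice']
    print(login_vulnerable(db, "alice", injected))          # ['alice', 'bob']
    print(login_safe(db, "alice", injected))                # []
```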
Input Parameter Manipulation

The Web Parameter Tampering attack is based on the manipulation of parameters exchanged
between client and server in order to modify application data, such as user credentials and
permissions, price and quantity of products, etc. Usually, this information is stored in cookies,
hidden form fields, and is used to increase application functionality and control.
Example:
An attacker can tamper with URL parameters directly. For example, consider a web application that
permits a user to select their profile from a combo box and debit the account:
http://www.attackbank.com/default.asp?profile=741&debit=1000
In this case, an attacker could tamper with the URL, using other values for profile and debit:
http://www.attackbank.com/default.asp?profile=852&debit=2000
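The fix for the URL example above is to stop trusting `profile` and `debit` from the query string at all: the profile comes from the authenticated session, and the amount is validated on the server. This is an added illustration, not code from these notes; the account balances and session table are constructed, and the profile IDs simply mirror the example URL.

```python
def fresh_accounts() -> dict:
    """Constructed account data; profile IDs mirror the URL example above."""
    return {741: {"owner": "alice", "balance": 5000},
            852: {"owner": "bob", "balance": 9000}}


# Constructed session table: session cookie -> authenticated user and the
# profile that user owns. This is server-side state the client cannot edit.
SESSIONS = {"sess-alice": {"user": "alice", "profile": 741}}


def debit_insecure(accounts: dict, params: dict) -> int:
    """Trusts profile and debit straight from the query string, as in
    default.asp?profile=...&debit=... above. Anyone can debit any profile."""
    profile = int(params["profile"])
    amount = int(params["debit"])
    accounts[profile]["balance"] -= amount
    return accounts[profile]["balance"]


def debit_secure(accounts: dict, session_id: str, params: dict) -> int:
    """Derives the profile from the authenticated session and validates the
    amount server-side; a client-supplied profile is only cross-checked."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("not authenticated")
    own_profile = session["profile"]
    requested = int(params.get("profile", own_profile))
    if requested != own_profile:
        raise PermissionError("profile does not belong to the caller")
    try:
        amount = int(params["debit"])
    except (KeyError, ValueError):
        raise ValueError("debit must be an integer") from None
    if amount <= 0 or amount > accounts[own_profile]["balance"]:
        raise ValueError("debit amount out of range")
    accounts[own_profile]["balance"] -= amount
    return accounts[own_profile]["balance"]


if __name__ == "__main__":
    accounts = fresh_accounts()
    # Tampered request: no session needed, someone else's profile debited.
    print(debit_insecure(accounts, {"profile": "852", "debit": "2000"}))
    accounts = fresh_accounts()
    print(debit_secure(accounts, "sess-alice", {"profile": "741", "debit": "1000"}))
```

The same pattern (identity from the session, authorization decided on the server, every numeric field range-checked) is what the broken access control category later in these notes asks for.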

Broken Authentication
These types of weaknesses can allow an attacker to either capture or bypass the authentication
methods that are used by a web application.

1. User authentication credentials aren’t protected when stored using hashing or encryption.
2. Credentials can be guessed or overwritten through weak account management functions
(e.g., account creation, change password, recover password, weak session IDs).
3. Session IDs are exposed in the URL (e.g., URL rewriting).
4. Session IDs are vulnerable to session fixation attacks.
5. Session IDs don’t timeout, or user sessions or authentication tokens, particularly single
sign-on (SSO) tokens, aren’t properly invalidated during logout.
6. Session IDs aren’t rotated after successful login.
7. Passwords, session IDs, and other credentials are sent over unencrypted connections.

Sensitive information disclosure

Sensitive Data Exposure occurs when an application does not adequately protect sensitive
information. The data can vary and anything from passwords, session tokens, credit card data to
private health data and more can be exposed.

The first thing you have to determine is which data is sensitive enough to require extra
protection. For example, passwords, credit card numbers, health records, and personal
information should be protected. For all such data:
1. Is any of this data stored in clear text long term, including backups of this data?
2. Is any of this data transmitted in clear text, internally or externally?
3. Are any old / weak cryptographic algorithms used?

XML External Entities

An XML External Entity attack is a type of attack against an application that parses XML input.
This attack occurs when XML input containing a reference to an external entity is processed by a
weakly configured XML parser. This attack may lead to the disclosure of confidential data,
denial of service, server side request forgery, port scanning from the perspective of the machine
where the parser is located, and other system impacts.
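A "weakly configured XML parser" is one that accepts DTDs; the mitigation is to refuse any document that declares one before it reaches the parser. The example below is added here and is not code from these notes; the order document, the entity-bearing document and the size cap are constructed for it, and the file path in the entity is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD at all (DOCTYPE or ENTITY declaration) is refused. Application
# documents rarely need one, and refusing it closes off external entities and
# entity-expansion denial of service in a single check.
DTD_MARKERS = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
MAX_BYTES = 1_000_000  # size cap; an assumption suited to small API payloads


def parse_untrusted_xml(text: str) -> ET.Element:
    """Guarded parse: size cap, then DTD refusal, then the standard parser."""
    if len(text.encode("utf-8")) > MAX_BYTES:
        raise ValueError("document too large")
    if DTD_MARKERS.search(text):
        raise ValueError("DTD / entity declarations are not accepted")
    return ET.fromstring(text)


# Constructed inputs: a benign order document and a document of the shape
# described above, carrying a reference to an external entity.
BENIGN = '<order id="17"><item sku="A1">2</item></order>'
XXE_SHAPED = ('<?xml version="1.0"?>'
              '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
              '<order>&ext;</order>')


def classify(text: str) -> str:
    """Wraps the guarded parse so callers see one of three outcomes."""
    try:
        root = parse_untrusted_xml(text)
    except ValueError as exc:
        return f"rejected: {exc}"
    except ET.ParseError as exc:
        return f"rejected: malformed ({exc})"
    return f"accepted: root <{root.tag}> with {len(root)} child element(s)"


if __name__ == "__main__":
    print(classify(BENIGN))
    print(classify(XXE_SHAPED))
```

Where a library offers a switch to disable DTD processing or external entity resolution, use that switch as well; the pre-parse check is defence in depth that does not depend on each parser's defaults.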

Broken access control

Broken Authentication involves all kinds of flaws that are caused by error in implementations of
authentication and/or session management. The category includes everything from login lacking
timeout, meaning that users who forget to logout on a public computer can get hijacked, to more
technical vulnerabilities such as session fixation.

Security Misconfiguration
Security misconfiguration vulnerabilities could occur if a component is susceptible to attack due
to an insecure configuration option. These vulnerabilities often occur due to insecure default
configuration, poorly documented default configuration, or poorly documented side-effects of
optional configuration. This could range from failing to set a useful security header on a web
server, to forgetting to disable default platform functionality that could grant administrative
access to an attacker.
Tool: DAST (Dynamic Application Security Testing) can detect misconfigurations such as a leaky
API.
Using components with known vulnerabilities
This kind of threat occurs when the components such as libraries and frameworks used within
the app almost always execute with full privileges. If a vulnerable component is exploited, it
makes the hacker’s job easier to cause a serious data loss or server takeover.
Countermeasure: use up-to-date versions of the components.

Insufficient logging and monitoring

Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident.
Attackers rely on the lack of monitoring and timely response to achieve their goals without being
detected.

Insufficient logging, detection, monitoring and active response occurs any time:

● Auditable events, such as logins, failed logins, and high-value transactions are not logged.
● Warnings and errors generate no, inadequate, or unclear log messages.
● Logs of applications and APIs are not monitored for suspicious activity.
● Logs are only stored locally.
● The application is unable to detect, escalate, or alert for active attacks in real time or near
real time.

OWASP Mobile Top 10


It includes security vulnerabilities in mobile applications and provides best practices to help
remediate and minimize these security concerns. This list highlights the security flaws and
vulnerabilities from which developers need to protect their applications. Threats to mobile
applications include malicious apps, apps with weak security, and poor password security.
1. Improper platform usage: This risk covers the misuse of an operating system feature or a
failure to use platform security controls properly. This may include Android intents, platform
permissions, or other security controls that are part of the platform. Its occurrence is common,
with average detectability, and can cause a severe impact on the affected apps.

2. Insecure data storage: This risk informs the developer community about easy ways in which
an adversary can access insecure data in a mobile device. An adversary can either gain physical
access to a stolen device or enter into it using a malware. In the case of physical access to the
device, the device’s file system can be accessed after attaching it to a computer. Many freely
available software allows the adversary to access third-party application directories and the
personally identifiable data contained in them.

3. Insecure communication: A mobile application vulnerability where sensitive data is
intercepted during transmission. Data transmission to and from a mobile app generally takes
place through a telecom carrier and/or over the internet. Hackers intercept data either as an
adversary sitting in the local area network of users through a compromised Wi-Fi network,
tapping into the network through routers, cellular towers or proxy servers, or exploiting the
infected app through malware.

4. Insecure authentication: This problem occurs when a mobile device fails to recognize the user
correctly and allows an adversary to log into the app with default credentials. This typically
happens when an attacker fakes or bypasses the authentication protocols, which are either
missing or poorly implemented, and interacts directly with the server using either malware which
sits in the mobile device or botnets, thus establishing no direct communication with the app.
5. Insufficient cryptography: Data in mobile apps becomes vulnerable due to weak
encryption/decryption processes or weaknesses in the algorithms that drive the
encryption/decryption processes. Hackers can gain physical access to the mobile device, spy on
network traffic, or use malicious apps on the device to access encrypted data. Using flaws in the
encryption process, their aim is to decrypt data to its original form in order to steal it, or to encrypt
it using an adversarial process and thus render it useless for the legitimate user.

6. Insecure authorization: Insecure authorization involves the adversary taking advantage of
vulnerabilities in the authorization process to log in as a legitimate user, unlike insecure
authentication, in which the adversary tries to bypass the authentication process by logging in as
an anonymous user.

7. Client code quality: This risk emerges from poor or inconsistent coding practices, where each
member of the development team follows a different coding practice and creates inconsistencies
in the final code or does not create enough documentation for others to follow.

8. Code tampering: Hackers alter an app's code to create a modified or fake version of it to use
for their own purpose. Hackers prefer code tampering of apps over other forms of manipulations,
as it allows them to gain unrestricted access to the app, the user behavior, or even the whole
mobile device. They tend to push users to download tampered versions of popular apps from
third-party app stores through phishing attacks and misleading advertisements.

9. Reverse engineering: Reverse engineering mobile applications is the process of disassembling
/ dismantling an app to reveal its code and internal logic, components, and so on. Hackers tend to
use external, commonly available binary inspection tools, like IDA Pro, Hopper, otool, etc., to
study the original app's code patterns and its links with server processes. Some languages – like
Java, .NET, Objective C, Swift – are more susceptible to reverse engineering than others. Among
other damages, reverse engineered code can impact the security of servers and data contained in
mobile devices.

10. Extraneous functionality: Extraneous functionality is any feature or code that isn't directly
exposed to users. As the name suggests, extraneous functionality consists of functions or secrets
hidden inside the app. These functionalities allow an attacker to perform unintended actions such
as accessing administrative or debug functions. Before an app is ready for production, the
development team often keeps code in it to have easy access to the backend server, create logs to
analyse errors, or carry staging information and testing details. This code is extraneous to the
functioning of the app, i.e. it has no use for the intended user once the app is in production and is
required only during the development cycle.
CVE Database
CVE stands for Common Vulnerabilities and Exposures. It is a program launched in 1999 by
MITRE, a nonprofit that operates research and development centers sponsored by the federal
government, to identify and catalog vulnerabilities in software or firmware into a free
“dictionary” for organizations to improve their security.
The dictionary’s main purpose is to standardize the way each known vulnerability or
exposure is identified. Standard IDs allow security administrators to access technical
information about a specific threat across multiple CVE-compatible information sources.
CVE isn't just another vulnerability database. It is designed to allow vulnerability databases and
other capabilities to be linked together, and to facilitate the comparison of security tools and
services. A CVE listing only contains the standard identifier number with status indicator, a brief
description and references to related vulnerability reports and advisories. It does not include risk,
impact, fix or detailed technical information.

What is a CVE Identifier?

CVE Identifiers (also called "CVE names," "CVE numbers," "CVE-IDs," and "CVEs") are
unique, common identifiers for publicly known information security vulnerabilities.
Format: CVE + year + sequence number of at least 4 digits, i.e. CVE-YYYY-NNNN.
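The identifier format above, together with the earlier point about using components with known vulnerabilities, lends itself to one small tool: validate CVE IDs and match an installed component list against an advisory table. This is an added example, not code from these notes; the advisory entries use placeholder IDs of the form CVE-0000-NNNN (not real CVEs), and the component names and versions are constructed.

```python
import re

# CVE-YYYY-NNNN: the prefix, a four-digit year, and a sequence of at least
# four digits (longer sequences are valid).
CVE_ID = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")


def parse_cve_id(text: str):
    """Returns (year, sequence) for a well-formed CVE ID, otherwise None."""
    m = CVE_ID.match(text.strip().upper())
    if m is None:
        return None
    return int(m.group("year")), int(m.group("seq"))


# Constructed advisory table with placeholder IDs (CVE-0000-... are not real
# CVEs). A real feed would come from a CVE-compatible vulnerability database.
ADVISORIES = [
    {"cve": "CVE-0000-0001", "component": "examplelib", "fixed_in": "2.4.1"},
    {"cve": "CVE-0000-0002", "component": "otherframework", "fixed_in": "1.10.0"},
]


def version_tuple(version: str) -> tuple:
    """Numeric comparison: '1.9.0' < '1.10.0', which plain string comparison
    gets wrong because '9' sorts after '1'."""
    return tuple(int(part) for part in version.split("."))


def find_vulnerable_components(installed: dict) -> list:
    """installed maps component name -> version string. Returns the IDs of
    advisories whose fix version is newer than what is installed, in
    advisory order."""
    hits = []
    for adv in ADVISORIES:
        current = installed.get(adv["component"])
        if current is None:
            continue
        if version_tuple(current) < version_tuple(adv["fixed_in"]):
            hits.append(adv["cve"])
    return hits


if __name__ == "__main__":
    print(parse_cve_id("CVE-0000-12345"))  # (0, 12345)
    print(find_vulnerable_components({"examplelib": "2.3.9", "otherframework": "1.10.0"}))
```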

Comparison between vulnerability and exposures:


Vulnerability
● Weakness in a system; something that has the potential to be exploited.
● Allows the hacker to intrude into a system or network due to an error in the software code.
Exposures
● Known incident in which the vulnerability was acted upon. An exposure exists when a
vulnerability is known to an attacker.
● Provides the hacker access to data that can be misused.

Types of attacks and their common prevention mechanisms


Keystroke Logging
A key logger (keystroke logging) is a type of surveillance software that, once installed on a
system, has the capability to record every keystroke made on that system. The recording is
saved in a log file.
Key logger types

1. Software-based key loggers
2. Hardware-based key loggers
The most commonly used key logger is a software-based tool. It is often installed as part of a
larger piece of malware, such as a Trojan or rootkit. Such a key logger is easier to get onto a
target machine, since it typically doesn’t require physical access to the machine.

Hardware-based key loggers are less common, as they are more difficult to implement on the
target machine. Hardware key loggers often require the attacker to have physical access to the
target machine. This can be done either during the manufacturing process or after deployment.

Protect yourself from a key logger

Following are some tips to protect your device against key loggers:

1. Use anti-key-logger software
2. Maintain a password-change schedule (e.g., every 3 weeks)
3. Install an anti-virus program
4. Use on-screen keyboards
5. Back up your data, to avoid data loss in case of account compromise
6. Use 2-factor authentication on your accounts, as it will protect your account even if your
password gets compromised.

Distributed Denial of Service (DDoS)

A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised
computer systems attack a target, such as a server, website or other network resource, and cause
a denial of service for users of the targeted resource. The flood of incoming
messages, connection requests or malformed packets to the target system forces it to slow down
or even crash and shut down, thereby denying service to legitimate users or systems.

Types of DDoS Attacks


There are many types of DDoS attacks. Common attacks include the following:
● Traffic attacks: Traffic flooding attacks send a huge volume of TCP, UDP and ICMP packets to
the target. Legitimate requests get lost, and these attacks may be accompanied by malware
exploitation.
● Bandwidth attacks: This DDoS attack overloads the target with massive amounts of junk data.
This results in a loss of network bandwidth and equipment resources and can lead to a complete
denial of service.
● Application attacks: Application-layer data messages can deplete resources in the application
layer, leaving the target's system services unavailable.

DDoS counter measures


● Application front-end hardware – placed on the network before traffic reaches the servers.
Analyzes data packets and categorizes them as priority, regular or dangerous.
● IPS (Intrusion Prevention System) based prevention – effective if the attacks have
signatures associated with them. Uses previously defined attack signatures of known threats.
● Firewalls – deny all incoming packets from attackers, based on port number or IP address.
● Routers – have ACL (Access Control List) capability.

Waterhole attack

A watering hole attack is a malware attack in which the attacker observes the websites often
visited by a victim or a particular group, and infects those sites with malware. A watering hole
attack has the potential to infect the members of the targeted victim group. In a watering hole
attack, the attacker first profiles its targets -- who are typically employees of large enterprises,
human rights groups or government offices -- to determine the type of websites they frequent.
The attacker then looks for vulnerabilities in the websites and injects
malicious JavaScript or HTML code that redirects the target to a separate site where the malware
is hosted.

Counter measures

● Software update
● Use network security tools
● Hide online activities by using the private browsing feature.

Brute Force
A brute force attack is a trial-and-error method used to obtain information such as a user
password or personal identification number (PIN). In a brute force attack, automated software is
used to generate a large number of consecutive guesses as to the value of the desired data.
One example of a type of brute force attack is known as a dictionary attack, which might try all
the words in a dictionary. Other forms of brute force attack might try commonly-used passwords
or combinations of letters and numbers.
Countermeasures

● Requiring users to create complex passwords
● Frequent password change
● Password length
● Limit login attempts (limiting the number of times a user can unsuccessfully attempt
to log in)
● Two-factor authentication
● Unique password for each account
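The "limit login attempts" countermeasure above and the insufficient logging and monitoring category earlier in these notes are two halves of one control: the application must emit auditable login events, and something must read them and act. The following is an added example, not code from these notes; the log line format, the constructed log sample (addresses from the 203.0.113.0/24 documentation range) and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log in the format the application is assumed to emit for
# auditable events (successful and failed logins).
SAMPLE_LOG = """\
2024-01-01T10:00:01 LOGIN_FAILED user=alice src=203.0.113.5
2024-01-01T10:00:03 LOGIN_FAILED user=alice src=203.0.113.5
2024-01-01T10:00:04 LOGIN_FAILED user=bob src=203.0.113.9
2024-01-01T10:00:06 LOGIN_FAILED user=alice src=203.0.113.5
2024-01-01T10:00:08 LOGIN_OK user=bob src=203.0.113.9
2024-01-01T10:00:09 LOGIN_FAILED user=alice src=203.0.113.5
2024-01-01T10:00:12 LOGIN_FAILED user=alice src=203.0.113.5
2024-01-01T10:00:15 LOGIN_FAILED user=alice src=203.0.113.5
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text: str) -> list:
    """Parses lines into events; lines that do not match are skipped, not trusted."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "event": m["event"],
                           "user": m["user"], "src": m["src"]})
    return events


def detect_failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)) -> dict:
    """Sliding-window count of LOGIN_FAILED per source address. Returns
    {src: timestamp at which the threshold was first crossed}, i.e. the
    moment an alert should have fired."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in events:
        if ev["event"] != "LOGIN_FAILED":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]
    return alerts


class LoginGuard:
    """Per-account lockout: after max_failures within the lockout window the
    account is locked for that window. A successful login resets the count."""

    def __init__(self, max_failures=5, lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(list)
        self.locked_until = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record(self, user: str, success: bool, now: datetime) -> None:
        if success:
            self.failures[user].clear()
            return
        stamps = [t for t in self.failures[user] if now - t <= self.lockout]
        stamps.append(now)
        self.failures[user] = stamps
        if len(stamps) >= self.max_failures:
            self.locked_until[user] = now + self.lockout


if __name__ == "__main__":
    print(detect_failed_login_bursts(parse_log(SAMPLE_LOG)))
```

Per-account lockout on its own lets an attacker lock legitimate users out; pairing it with the per-source detector (and with shipping the logs off the host, as the logging section recommends) is what gives a defender both the brake and the signal.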

Phishing and fake WAP

● Phishing: obtaining sensitive information by sending fake emails to users.
● WAP – Wireless Access Point – used to create a local area network.

An evil twin, in the context of network security, is a rogue or fake wireless access point (WAP)
that appears as a genuine hotspot offered by a legitimate provider.
This type of attack has a number of nicknames associated with it: AP Phishing, Wi-Fi Phishing,
Hot spotter, Evil Twins, and Honeypot AP. All of these are associated with creating a fake
Wi-Fi connection that people log into, and whose goal is to steal credentials, logins, and
passwords. To accomplish this, hackers simply use a piece of software, or app, that is designed to
capture data that is sent over a wireless connection.

A large percentage of these hacks take place with a fake wireless point that requires a login and
password. Once that information is put into the login, hackers will take it and use it to sign into
popular websites, assuming that you use the same login and password for multiple sites.

Countermeasures
● Verify with the Wi-Fi provider
● Use different login details and passwords for public Wi-Fi
● Anti-phishing
● Filtering out phishing mails
● User training

Eavesdropping
Eavesdropping is an electronic attack where digital communications are intercepted by an
individual for whom they are not intended. This is done in two main ways: directly listening to
digital or analog voice communication, or the interception or sniffing of data relating to any form
of communication.
What is Eavesdropping Attack?
An attack where someone tries to steal information transmitted through digital devices. The
attacker takes advantage of unsafe network communications and accesses sent and received data.
It is also known as sniffing or snooping attack.

Countermeasures

● Encryption – only use systems which use strong encryption.
● Network segmentation – divide a network into smaller, distinct networks, with unique
security controls for each sub-network.
● Network access control – restricts the availability of network resources to users.

Man-in-the-middle
A man-in-the-middle attack is a type of cyber-attack where a malicious actor inserts
him/herself into a conversation between two parties, impersonates both parties and gains access
to information that the two parties were trying to send to each other. Man-in-the-middle is a type
of eavesdropping attack that occurs when a malicious actor inserts himself as a relay/proxy into a
communication session between people or systems.
Countermeasures

● Browse HTTPS sites – make sure that you are browsing the HTTPS version of the
website.
● Be cautious with public Wi-Fi networks – avoid connecting to open Wi-Fi networks,
especially if they are not protected by a password.
● Invest in a good antivirus.
● Pay attention to certificate warnings.
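"Pay attention to certificate warnings" has a programmatic counterpart: client code must never switch certificate verification off. The example below, added here and not from these notes, builds a TLS client context that verifies the peer and audits an arbitrary context for the settings that would let an in-path relay present its own certificate unnoticed. It uses only the standard `ssl` module and makes no network connection.

```python
import ssl


def strict_client_context() -> ssl.SSLContext:
    """Client context that refuses unverified peers: system CA store,
    certificate required, hostname checked, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Lists the settings that would let a man-in-the-middle present a
    certificate of their own choosing without any warning."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (any valid certificate is accepted)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


def weakened_context() -> ssl.SSLContext:
    """The pattern the audit is meant to catch: verification switched off
    to make a certificate warning disappear. Present only as the negative
    case for audit_context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print(audit_context(strict_client_context()))  # []
    print(audit_context(weakened_context()))
```

The same three checks apply to any HTTP client library: a `verify=False`-style option is the programmatic equivalent of clicking through the browser warning.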

Session Hijacking
Exploitation of a valid session to gain unauthorized access to user data.

Session hijacking is defined as taking over an active TCP/IP communication session without the
user's permission. When implemented successfully, attackers assume the identity of the
compromised user, enjoying the same access to resources as the compromised user.

There are two types of session hijacking depending on how they are done. If the attacker
directly gets involved with the target, it is called active hijacking, and if an attacker just
passively monitors the traffic, it is passive hijacking.
Active: The attacker will silence one of the machines, usually the client computer, and
take over the client's position in the communication exchange between the workstation
and the server.
Passive: In Passive session hijacking attack, the attacker monitors the traffic between the
workstation and server.

The first step in session hijacking is locating a target user. The attacker first looks for networks
that have a high level of utilization, and secondly identifies users who use insecure network protocols.

1. Sniffing into active session: Attacker finds an active session between the target and another
machine and places himself between them. Using a sniffer, he captures the traffic and tries to
gather information about the session.

2. Monitor: He then monitors the traffic for vulnerable protocols and tries to find any valid
authentication packets passing through.

3. Session ID retrieval: Tries to predict the session ID using available information. Once a target
has been chosen, the next step in session hijacking is predicting the sequence number. It is a
critical step, because if the attacker fails to predict the correct sequence number, the server will
terminate the connection attempt.

4. Stealing: The session ID is stolen (man-in-the-middle, cross-site scripting and sniffing are used
to steal the session ID).

5. Take one of the parties offline: Once a session is chosen and the sequence number is predicted,
one of the targets has to be silenced. This is done with a DoS attack. The attacker ensures that the
client computer remains offline during the attack; otherwise the client computer will transmit data
on the network, causing the workstation and server to repeatedly attempt to synchronize their
connection.

6. Take over the session and maintain the connection: Taking over the communication session
between the workstation and server. The attacker will spoof the client IP address to avoid
detection and include the sequence number that was predicted earlier. If the server accepts this
information, the attacker has succeeded.

Countermeasures

● Secure Sockets Layer (SSL) – provides end-to-end encryption.
● Use Secure Shell (SSH) – also known as Secure Socket Shell. Provides strong
authentication and stronger encryption.
● Complex and strong session IDs.
● Random session IDs.
Clickjacking
Clickjacking attack is a malicious technique of tricking a Web user into clicking on something
different from what the user perceives they are clicking on.

An attacker builds a clickjacking (CJ) attack in three steps:

● The attacker creates a web page (called a displayed page or DP) including parts that look
like the usual clickable objects, such as text hyperlinks or buttons.

● The attacker then creates a malicious page (called a hidden page or HP) including
clickable objects whose position on the page fits perfectly with the previous ones.

● The attacker then displays the DP on top of the HP so that visitors to the page might
decide to click on the DP's fake hyperlink, thus clicking on a real HP hyperlink, which
could be the starting point of an attack on the system.

Countermeasures

Client side:

● NoScript add-on – prevents users from clicking on invisible or modified pages.
● GuardedID – protection for users of Internet Explorer and Firefox. It forces all frames to
be visible.
Server side:

● Frame killer (frame-busting code) – a technique used by websites and web applications to
prevent their web pages from being displayed within a frame. Used to prevent a website from
being loaded in a frame without permission.
● X-Frame-Options – a response header that defines whether or not a browser should be allowed
to render a page in a frame.
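The server-side countermeasure above, and the "failing to set a useful security header" case from the security misconfiguration section, can both be checked mechanically. The following is an added example, not code from these notes: one function returns the hardened header set and another audits any response header dictionary for framing protection and a few related omissions. Header values are the conservative defaults and are assumptions about what a given site should send.

```python
def hardened_headers() -> dict:
    """Response headers a server should send to defeat framing and a few
    other common misconfigurations. X-Frame-Options covers old browsers;
    the CSP frame-ancestors directive is the modern, more flexible control."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
    }


def audit_response_headers(headers: dict) -> list:
    """Flags missing or ineffective security headers in a response. Header
    names are matched case-insensitively, as HTTP requires."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and not xfo:
        findings.append("clickjacking: no frame-ancestors directive and no X-Frame-Options")
    elif xfo and xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        # ALLOW-FROM and typos are ignored by current browsers, so the page is framable.
        findings.append(f"clickjacking: X-Frame-Options value '{xfo}' is not honoured by browsers")
    if "strict-transport-security" not in h:
        findings.append("transport: no Strict-Transport-Security header")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("content sniffing: X-Content-Type-Options is not 'nosniff'")
    if "server" in h and any(ch.isdigit() for ch in h["server"]):
        findings.append("information disclosure: Server header reveals a version")
    return findings


if __name__ == "__main__":
    print(audit_response_headers(hardened_headers()))  # []
    # Constructed weak response: deprecated framing directive, version leak.
    print(audit_response_headers({"Server": "ExampleServer/1.0",
                                  "x-frame-options": "ALLOW-FROM https://partner.example"}))
```

Run this against a captured response during a DAST pass and the misconfiguration section's advice becomes a concrete finding list rather than a checklist item.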

Cookie Theft

Cookie hijacking is also called session hijacking or cookie theft.

A browser's cookies hold data – username, password, browsing history, etc. – that we access
from time to time. If a hacker gets access to this cookie data, he can even obtain credentials
stored within the cookie.

Cookie theft occurs when a third party copies unencrypted session data and uses it to
impersonate the real user. Cookie theft most often occurs when a user accesses trusted sites over
an unprotected or public Wi-Fi network. Although the username and password for a given site
will be encrypted, the session data travelling back and forth (the cookie) is not.

Countermeasures

● Google's Safe Browsing API – looks for unsafe websites and displays warnings.
● Set a session timeout.
● Invalidate each session.
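The countermeasures listed for session hijacking (complex, random session IDs), for cookie theft (timeouts, invalidation) and in the earlier broken authentication list (IDs not rotated after login, sessions not invalidated on logout, credentials sent over unencrypted connections) all land in one component: the server-side session store and the cookie it issues. The example below is added here and is not code from these notes; the timeout and cookie attribute values are assumptions.

```python
import secrets
from datetime import datetime, timedelta


class SessionStore:
    """Server-side session table implementing the countermeasures above:
    random high-entropy IDs, rotation on login, idle timeout and
    invalidation on logout."""

    def __init__(self, idle_timeout=timedelta(minutes=30)):
        self.idle_timeout = idle_timeout
        self.sessions = {}

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG: not predictable, not sequential.
        return secrets.token_urlsafe(32)

    def create(self, user, now: datetime) -> str:
        sid = self.new_id()
        self.sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def login(self, pre_auth_sid: str, user: str, now: datetime) -> str:
        """Rotates the ID at login so an ID planted before authentication
        (session fixation) never becomes an authenticated session."""
        self.sessions.pop(pre_auth_sid, None)
        return self.create(user, now)

    def lookup(self, sid: str, now: datetime):
        """Returns the user for a live session, or None. Idle sessions are
        removed on sight rather than left valid indefinitely."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        if now - session["last_seen"] > self.idle_timeout:
            del self.sessions[sid]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)


def session_cookie_header(sid: str, max_age_seconds: int = 1800) -> str:
    """Set-Cookie value: Secure keeps the cookie off plain HTTP (the open
    Wi-Fi case above), HttpOnly keeps page script away from it (XSS-based
    theft), SameSite limits cross-site sending (CSRF)."""
    return (f"session={sid}; Path=/; Max-Age={max_age_seconds}; "
            "Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    store = SessionStore()
    t0 = datetime(2024, 1, 1, 9, 0)
    anonymous = store.create(None, t0)
    sid = store.login(anonymous, "alice", t0)
    print(store.lookup(anonymous, t0), store.lookup(sid, t0))  # None alice
    print(session_cookie_header(sid))
```

Rotation plus server-side lookup is what makes a stolen or predicted ID worthless after logout or timeout, which the client-side countermeasures on this page cannot guarantee on their own.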

URL Obfuscation

An obfuscated URL is a web address that has been obscured or concealed and has been made to
imitate the original URL of a legitimate website. It is done to make users access a spoof website
rather than the intended destination. Obfuscated URLs are one of the many phishing attacks that
can fool internet users. Attackers usually use a common misspelling technique where they
misspell a domain name to trick users into visiting. These obfuscated URLs can be a cause of
malware entering a user’s computer system.

Countermeasures

● Local anti-virus / firewall
● Desktop protection technologies
● Validation of email
● Downloads cannot be run automatically by the browser.
Buffer overflow

A buffer is a temporary area for data storage. When a program or system process places more
data in it than was originally allocated, the extra data overflows. It causes some
of that data to leak out into other buffers, which can corrupt or overwrite whatever data they
were holding.
If an attacker knows the memory layout of a program, they can intentionally feed in data that the
buffer can't hold, so that adjacent data is overwritten. These overwritten areas are then replaced
by the attacker's own code.

Countermeasures

● Avoid using library files – any weakness found by a hacker in a library file will also exist
in all applications that use that library file.
● Choice of programming language – C and C++ are more vulnerable to buffer overflow;
Python and Java prevent buffer overflows.
● Buffer overflow protection

DNS Poisoning

Domain Name System (DNS) spoofing (DNS cache poisoning) is an attack in which altered DNS
records are used to redirect online traffic to a fraudulent website that resembles its intended
destination.

DNS cache poisoning, also called domain name system (DNS) poisoning, is the process of
corrupting an Internet server's domain name system table by replacing an Internet address with
another, malicious address. When a user seeks the page with that address, the request is
redirected by the malicious entry in the table to a different address.
Countermeasures
● Use secure DNS – cryptographic digital signatures are used to determine the authenticity of data.
● Use the latest version of DNS software – it uses source port randomization together with the
transaction ID, so it is hard for an attacker to guess the port.

ARP Poisoning
ARP spoofing is an attack in which an attacker sends falsified ARP (Address Resolution
Protocol) messages over a LAN. As a result, the attacker can link his MAC address with the IP
address of a legitimate computer (or server) on the network.

How does it work?

If the attacker manages to link his MAC address to an authentic IP address, he starts receiving
any data addressed to that IP address. ARP spoofing allows malicious attackers to
intercept, modify or even stop data which is in transit. ARP spoofing attacks can only occur on
local area networks that utilize the Address Resolution Protocol.

Countermeasures

• Packet filtering
• Use ARP spoofing detection software
• Use cryptographic network protocols
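The "ARP spoofing detection software" countermeasure, as an added Python example that is not part of the original notes: it reads constructed tcpdump-style ARP lines, keeps the first IP-to-MAC binding it sees for each address (plus a statically pinned binding for the gateway), and raises an alert when a later reply contradicts that binding or when one MAC starts claiming several IP addresses. The log lines, addresses, MAC values and function names are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP lines for the illustration (not a real capture).
# A second station starts answering for the gateway address at 09:00:04.
SAMPLE_ARP_LOG = """\
09:00:01.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
09:00:02.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
09:00:02.100 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
09:00:03.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
09:00:04.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
09:00:05.000 ARP, Reply 192.168.1.30 is-at de:ad:be:ef:00:99, length 28
"""

# Static binding for the default gateway, as an administrator would configure it.
GATEWAY_PIN = {"192.168.1.1": "aa:bb:cc:00:00:01"}

REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\S+) is-at ([0-9A-Fa-f:]{17})")


def parse_arp_replies(log_text):
    """Yield (timestamp, sender_ip, sender_mac) for each ARP reply; requests are ignored."""
    for line in log_text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def detect_arp_spoofing(replies, pinned=None):
    """Return alerts for replies that contradict a known IP-to-MAC binding.

    Two signals are used: an IP whose MAC changes (worse if the IP is pinned),
    and one MAC that claims more than one IP address.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    ip_to_mac = dict(pinned)          # pinned entries are never overwritten
    mac_to_ips = defaultdict(set)
    alerts = []
    for when, ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac       # first sighting becomes the baseline
        elif known != mac:
            kind = "pinned-mismatch" if ip in pinned else "binding-changed"
            alerts.append((when, kind, ip, known, mac))
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append((when, "mac-claims-multiple-ips", mac, sorted(mac_to_ips[mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_replies(SAMPLE_ARP_LOG), GATEWAY_PIN):
        print(alert)
```

On the sample, the reply at 09:00:04 produces a "pinned-mismatch" alert for the gateway and the one at 09:00:05 a "mac-claims-multiple-ips" alert for the same MAC. A host that legitimately carries several IP addresses, or a replaced network card, also trips these checks, so a real deployment pairs the alert with an inventory of expected bindings rather than blocking automatically.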

Identity Theft

Identity theft, also known as identity fraud, is a crime in which an imposter obtains key pieces
of personally identifiable information, such as a Social Security or driver's license number, in
order to impersonate someone else.

Identity theft involves acquiring key pieces of someone's identifying information, such as
name, address, date of birth and social security number, in order to impersonate them.

This information enables the identity thief to commit numerous forms of fraud, which may
include:
• taking over the victim's financial accounts or opening fraudulent financial accounts;
• making purchases in the victim's name;
• applying for loans, credit cards, social security benefits, etc.;
• establishing services with utility and phone companies.

Countermeasures

• Check your credit report regularly.
• Monitor your account statements for unauthorized transactions.
• Keep your social security card and number in a safe location.
• Do not respond to spam email.

IoT attacks

An IoT attack is one that gains access to a user’s sensitive data through an IoT device, typically
by installing malware on the device. These attacks can also originate from the channels that
connect IoT components with one another, or from security weaknesses in the protocols used in
IoT systems.

Different types of IoT attack: physical tampering, eavesdropping, brute-force password attacks,
DDoS, man-in-the-middle, malicious code injection and privilege escalation.

Countermeasures

• Enable 2-factor authentication.
• Back up data to a secondary device.
• Encrypt the data between the IoT device and the server.
• The password for an IoT device should be unique per device.
• Give users limited access to data and devices.

BOTs and BOTNETs

BOTs: BOTs are computer programs or software applications designed to execute a series of
operations automatically. There are several useful bots (good bots) that crawl websites and
create visibility on search engines and social media channels. There are also bad bots, created
to cause harm to websites and online businesses; such bots illegally scrape content from
websites and post it elsewhere.

BOTNETs: A BOTNET is a group of BOT systems. BOTNETs serve various purposes,
including DDoS attacks; creation or misuse of Simple Mail Transfer Protocol (SMTP) mail
relays for spam; Internet marketing fraud; and the theft of application serial numbers, login
IDs, and financial information such as credit card numbers.

Countermeasures

• Blacklisting – used to block all traffic from listed sources and to filter websites with
malicious content.
• Packet filtering
• Port blocking – reduces the amount of spam mail travelling through the network.
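Rate-based detection of scraping bots combined with the blacklisting countermeasure, as an added Python example that is not part of the original notes: it parses constructed access-log lines in the common combined format, counts each client's requests inside a sliding time window, and classifies every client as blocklisted, rate-exceeded or ok. The log lines, addresses, user agents, thresholds and function names are all constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed combined-format access log (not from a real site). 198.51.100.7
# walks the product catalogue six times in five seconds; 203.0.113.5 browses
# at a human pace; 192.0.2.66 is already on the administrator's blocklist.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:30 +0000] "GET /product/1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:31 +0000] "GET /product/2 HTTP/1.1" 200 5098 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:32 +0000] "GET /product/3 HTTP/1.1" 200 5111 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:33 +0000] "GET /product/4 HTTP/1.1" 200 5077 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:34 +0000] "GET /product/5 HTTP/1.1" 200 5130 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:35 +0000] "GET /product/6 HTTP/1.1" 200 5102 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:30 +0000] "GET / HTTP/1.1" 200 8802 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /product/3 HTTP/1.1" 200 5111 "http://shop.example/" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:57:40 +0000] "GET /cart HTTP/1.1" 200 2210 "http://shop.example/product/3" "Mozilla/5.0"
192.0.2.66 - - [10/Oct/2023:13:55:45 +0000] "GET /login HTTP/1.1" 200 1450 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)


@dataclass
class Hit:
    ip: str
    when: datetime
    path: str    # kept for reporting which pages a flagged client fetched
    agent: str   # kept for reporting; not trusted, since a bot can set any value


def parse_access_log(text):
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed line: skip it rather than crash the monitor
        when = datetime.strptime(m["when"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append(Hit(m["ip"], when, m["path"], m["agent"]))
    return hits


def peak_requests(times, window_seconds):
    """Largest number of requests from one client inside any window of the given length."""
    times = sorted(times)
    peak = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def classify_clients(text, window_seconds=60, max_requests=5, blocklist=frozenset()):
    """Map each client IP to 'blocklisted', 'rate-exceeded' or 'ok'."""
    by_ip = defaultdict(list)
    for hit in parse_access_log(text):
        by_ip[hit.ip].append(hit.when)
    verdicts = {}
    for ip, times in by_ip.items():
        if ip in blocklist:
            verdicts[ip] = "blocklisted"     # already on the blacklist: drop regardless of rate
        elif peak_requests(times, window_seconds) >= max_requests:
            verdicts[ip] = "rate-exceeded"   # candidate for the blacklist
        else:
            verdicts[ip] = "ok"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_clients(SAMPLE_ACCESS_LOG, blocklist={"192.0.2.66"}).items():
        print(ip, verdict)
```

The window and threshold here are deliberately small so the sample trips them; a production monitor tunes both per site, verifies that a client claiming to be a well-known search-engine crawler really is one before blocking it, and hands the resulting list to the firewall or web application firewall that actually enforces the block.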
