CRYPTOGRAPHY AND NETWORK SECURITY

UNIT-3
1. Discuss the following about ElGamal algorithm
i) Encryption ii) Efficiency.

ElGamal Algorithm Overview

The ElGamal algorithm is an asymmetric key encryption algorithm used for secure communication. It is
based on the principles of the Diffie-Hellman key exchange and operates over modular arithmetic in a
cyclic group. It comprises three main components: key generation, encryption, and decryption.

Elgamal Cryptographic Algorithm

The ElGamal cryptographic algorithm is an asymmetric key encryption scheme based on the Diffie-
Hellman key exchange. It was invented by Taher ElGamal in 1985. The algorithm is widely used for secure
data transmission and has digital signatures and encryption applications. Here’s an overview of its
components and how it works:

Components of the ElGamal Algorithm

1. Key Generation:

• Public Parameters: Select a large prime number p and a generator g of the multiplicative
group Z*p.

• Private Key: Select a private key x such that 1 ≤ x ≤p −2.

• Public Key: Compute h=gx mod p. The public key is (p,g,h) and the private key is x.

2. Encryption:

• To encrypt a message M:

o Choose a random integer k such that 1 ≤ k ≤ p−2.

o Compute C1 = gk mod p.

o Compute C2 =M⋅hk mod p.

o The ciphertext is (c1,c2).

ii) Efficiency of ElGamal

Strengths

1. Asymmetric Security: Provides strong security against eavesdropping due to the DLP.
 2. Randomization: The use of a random ephemeral key kkk ensures that the same plaintext
encrypts differently every time, enhancing security.

3. Flexibility: ElGamal can be adapted for encryption, digital signatures, and key exchange.

Drawbacks

1. Computation Overhead:

o Modular Exponentiation: Both encryption and decryption involve multiple modular

exponentiations, which are computationally intensive, especially for large primes.

o Multiple Outputs: The ciphertext size is twice that of the plaintext since it comprises
(c1,c2)(c_1, c_2)(c1,c2), increasing bandwidth requirements.

2. Inefficiency in Small Messages: Encrypting small messages leads to significant overhead because
of the additional ciphertext components and padding requirements.

3. Key Management: The need to securely generate and manage large primes and random
ephemeral keys adds complexity.

4. Not Deterministic: The same plaintext encrypted multiple times produces different ciphertexts
due to randomization, which can be a computational overhead for certain applications.

2. What is digital signature? Explain the approaches for digital signature based on public key encryption.

A digital signature is information that is attached to data to assure the recipients of the data that it has
not been altered and has originated from the signer of the message. Digital signatures perform an
equivalent function to a handwritten signature on a paper document.

Approaches for Digital Signatures based on Public Key Encryption:

1.Direct Signature:

Process:

The sender encrypts the entire message using their private key.

The recipient uses the sender's public key to decrypt the message.

If decryption is successful, it verifies that the message originated from the sender.

Limitations:

Can be computationally expensive, especially for large messages.

Doesn't provide message integrity (protection against tampering).

2.Hash-and-Sign Approach:
Process:

The sender calculates a hash of the message using a cryptographic hash function (e.g., SHA-256).

The sender encrypts the hash using their private key. This encrypted hash is the digital signature.

The sender transmits the original message and the digital signature to the recipient.

The recipient calculates a hash of the received message.

The recipient uses the sender's public key to decrypt the digital signature.

The recipient compares the decrypted signature (the original hash) with the hash they calculated. If they
match, the message is verified as authentic and unaltered.

Advantages:

More efficient than direct signature, as only the hash (a small fixed-size value) is signed.

Provides both authentication (verification of sender) and integrity (ensures message hasn't been
tampered with).

3. Describe signing and verification in Digital Signature Algorithm.

Signing Process:

1. Key Generation: The sender generates a pair of keys: a private key (x) and a public key (y). The public
key is shared with the receiver.

2. Hash Function: The sender applies a hash function (H) to the message (m) to produce a message
digest (h).

3. Random Number Generation: The sender generates a random number (k) for each signature.

4. Signature Generation: The sender uses the private key (x), the message digest (h), and the random
number (k) to generate a signature (r, s).

- r = (g^k mod p) mod q

- s = (k^-1 * (h + x*r)) mod q

5. Signature Transmission: The sender transmits the signature (r, s) and the message (m) to the receiver.

Verification Process:

6. Hash Function: The receiver applies the same hash function (H) to the received message (m) to
produce a message digest (h').
7. Signature Verification: The receiver uses the public key (y), the message digest (h'), and the signature
(r, s) to verify the signature.

- w = s^-1 mod q

- u1 = (h' * w) mod q

- u2 = (r * w) mod q

- v = ((g^u1 * y^u2) mod p) mod q

8. Verification Result: If v = r, the signature is valid, and the receiver can trust the message. Otherwise,
the signature is invalid.

Security:

The DSA algorithm relies on the difficulty of the discrete logarithm problem (DLP) in a finite field. The
security of the algorithm depends on the size of the keys and the difficulty of the DLP.

Advantages:

1. High Security: DSA provides high security due to the difficulty of the DLP.

2. Efficient Signature Generation: DSA signature generation is relatively fast compared to other digital
signature algorithms.

3. Small Signature Size: DSA signatures are relatively small, making them suitable for applications with
limited bandwidth.

Disadvantages:

4. Complexity: DSA is a complex algorithm, requiring a good understanding of number theory and
cryptography.

5. Key Size: DSA requires large key sizes to ensure security, which can be a limitation in some
applications.

6. Patent Issues: DSA was patented by the National Institute of Standards and Technology (NIST), which
may limit its use in some applications.

4. Write and explain the digital signature algorithm.

The DSA (Digital Signature Algorithm) approach involves using of a hash function to create a hash code,
same as RSA. This hash code is combined with a randomly generated number k as an input to a signature
function. The signature function depends on the sender private key (PRa) as well as a set of parameters
that are known to a group of communicating principals. This set can be considered as a global public key
(PUG). The output of the signature function is a signature with two components, s and r. When an
incoming message is received, a hash code is generated for the message. This hash code is then
combined with the signature and input into a verification function. The verification function depends on
the global public key as well as the sender's public key (PUa) which is paired with the sender's private
key. The output of the verification function returns a value equal to the signature's component r, if the
signature is valid. The signature function is designed in such a way that only the sender, with knowledge
of the private key, can produce a valid signature.
You can refer below diagram for DSA, where,
• M = Message or Plaintext
• H = Hash Function
• || = Group the plantext and hash function (hash digest)
• E = Encryption Algorithm
• D = Decryption Algorithm
• PUa = Public key of sender
• PRa = Private key of sender
• Sig = Signature function
• Ver = Verification function
• PUG = Global public Key

DSA Approach
Primary Termologies
• User Private Key (PR): This key is publicly known and can be shared with anyone. It's used to
verify digital signatures created with a corresponding private key.
• User Public Key (PU): A top-secret cryptographic key only possessed by the user is used in DSA
algorithm’s digital signature generation. As it is, the private key must be kept secret and secure
because it proves that a given user is genuine.
• Signing (Sig): Signing involves creating a digital signature with the help of a user's private key. In
case of DSA, this process requires mathematical operations to be performed on the message
that should be signed using a given private key in order to generate a unique signature for that
message.
• Verifying (Ver): Verifying is the process of verifying whether or not a digital signature has been
forged using its corresponding public key. In DSA, this involves comparing the messages hash
 against the verification value through mathematical operations between two binary strings – one
representing an encrypted data and another one representing plain-text original message.

5. Write down the steps involved in Elgamal Digital Signature Scheme used for authenticating a
person.
ElGamal Signature Scheme is a Digital Signature Algorithm based on the premise that it is
challenging to perform calculations of discrete logarithmic order.
In this article, we are going to discuss the ElGamal Signature Scheme. However, this signature
scheme is not famous for implementation practically. The NSA (National Security Agency of USA)
developed an algorithm called the Digital Signature Algorithm using ElGamal Signature Scheme.
The ElGamal Signature Scheme has been the base for developing various Digital Signature
Schemes. Still, the Digital Signature Algorithm developed by the NSA is one of the most popular.
The ElGamal Signature Scheme can share a signature over an insecure channel. This would help
determine the message's originality at the receiver end.
Parameters of the ElGamal Signature Scheme
• H is a Collision Resistant Hash Function.

• p is a large prime number, so calculating discrete logarithms modulo p is tough.

• g is a randomly chosen generator for a multiplicative group of integers that are modulo p.

These are parameters that are shared between users.

Key Generation
• x is a randomly generated secret key where 1 < x < p-1.
• y = (g^x) mod p
• Public key = (p, g, y)
• Secret key = x

These parameters are generated by the signer.

Signature Generation
For the message to be signed, the following steps are involved:
• k is a random number such that 0 < k < p-1 and gcd(k,p-1)=1
• r ≅ (g^k) mod p
• s ≅ ((H(m) - xr)k^(-1)) mod (p-1)
• Do the generation process till s==0

Here the pair (r,s) is a digital signature for message m. These steps are repeated by the signer for
every signature.
Signature Verification
The signature for the message m is (r,s) and is verified as follows:
• 0<r<p
• 0 < s < p-1
 • g^(H(m)) ≅ (y^r)(r^s) mod p

The receiver accepts a signature if all the conditions mentioned above are satisfied and rejects it
otherwise.
Correctness of Algorithms
The verifier always accepts the signature generated by the signing algorithm.
The generated signature implies:
H(m) = (xr + sk)mod(p-1)
From Fermat’s Little Theorem, we know that:
g ^(H(m)) ≅ (g^xr)(g^ks)
≅ ((g^x)^r)((g^k)^s)
≅ ((y^r)(r^s)) mod p

UNIT-4
1.Classify cybercrimes. Describe various cybercrimes against Society?

Classification Of Cyber Crimes Cyber crimes can be classified in to 4 major categories as the
following: (1) Cyber crime against Individual
(2) Cyber crime Against Property
(3) Cyber crime Against Organization
(4) Cyber crime Against Society

1) Against Individuals (i) Email spoofing : A spoofed email is one in which the e-mail header is forged so
that the mail appears to originate from one source but actually has been sent from another source.

(ii) Spamming : Spamming means sending multiple copies of unsolicited mails or mass e-mails such as
chain letters.

(iii) Cyber Defamation : This occurs when defamation takes place with the help of computers and/or the
Internet. E.g. someone publishes defamatory matter about someone on a website or sends e-mails
containing defamatory information.

(iv) Harassment & Cyber stalking : Cyber Stalking Means following an individual's activity over internet. It
can be done with the help of many protocols available such as e- mail, chat rooms, user net groups.

(2) Against Property (i) Credit Card Fraud : As the name suggests, this is a fraud that happens by the use
of a credit card. This generally happens if someone gets to know the card number or the card gets
stolen.

(ii) Intellectual Property crimes : These include Software piracy: Illegal copying of programs, distribution
of copies of software. Copyright infringement: Using copyrighted material without proper permission.
Trademarks violations: Using trademarks and associated rights without permission of the actual holder.
Theft of computer source code: Stealing, destroying or misusing the source code of a computer.

(iii) Internet time theft : This happens by the usage of the Internet hours by an unauthorized person
which is actually paid by another person. (3) Against Organisations (i) Unauthorized Accessing of
Computer: Accessing the computer/network without permission from the owner. It can be of 2 forms: a)
Changing/deleting data: Unauthorized changing of data. b) Computer voyeur: The criminal reads or
copies confidential or proprietary information, but the data is neither deleted nor changed. (ii) Denial Of
Service : When Internet server is flooded with continuous bogus requests so as to denying legitimate
users to use the server or to crash the server. (iii) Computer contamination / Virus attack : A computer
virus is a computer program that can infect other computer programs by modifying them in such a way
as to include a (possibly evolved) copy of it. Viruses can be file infecting or affecting boot sector of the
computer. Worms, unlike viruses do not need the host to attach themselves to. (iv) Email Bombing :
Sending large numbers of mails to the individual or company or mail servers thereby ultimately resulting
into crashing. (v) Salami Attack : When negligible amounts are removed & accumulated in to something
larger. These attacks are used for the commission of financial crimes. (vi) Logic Bomb : It is an event
dependent program. As soon as the designated event occurs, it crashes the computer, release a virus or
any other harmful possibilities. (vii) Trojan Horse : This is an unauthorized program which functions from
inside what seems to be an authorized program, thereby concealing what it is actually doing. (viii) Data
diddling : This kind of an attack involves altering raw data just before it is processed by a computer and
then changing it back after the processing is completed. (4) Against Society (i) Forgery : Currency notes,
revenue stamps, mark sheets etc. can be forged using computers and high quality scanners and printers.
(ii) Cyber Terrorism : Use of computer resources to intimidate or coerce people and carry out the
activities of terrorism. (iii) Web Jacking : Hackers gain access and control over the website of another,
even they change the content of website for fulfilling political objective or for money.

2.Describe the role of cybercafes in cybercrime?

Cybercafes, or internet cafes, have played a significant role in cybercrime, both historically and in some
ongoing contexts. While they provide essential internet access to individuals who might not have it
otherwise, their public and often anonymous nature can be exploited by malicious actors. Here's how
cybercafes contribute to cybercrime:

1. Anonymity and Lack of Accountability

• Limited User Verification: Many cybercafes do not require users to provide

identification, allowing criminals to perform illegal activities without leaving a traceable
identity.

• Shared Infrastructure: The use of shared computers makes it challenging to attribute

malicious activities to a specific individual.

2. Use for Illegal Activities

 • Cyberattacks and Hacking: Criminals may use cybercafes to launch Distributed Denial of
Service (DDoS) attacks, hacking attempts, or other cyberattacks, leveraging the
anonymity they provide.

• Fraud and Scams: Cybercafes can be used to send phishing emails, set up fake websites,
or commit online fraud without risking identification.

• Identity Theft: Some users in cybercafes have been known to install keyloggers or
malicious software on public machines to capture personal information from
unsuspecting users.

3. Data Privacy Risks

• Insecure Connections: Many cybercafes lack secure networks, making it easier for
cybercriminals to intercept data via techniques like packet sniffing.

• Malware Distribution: Public computers in cybercafes can be infected with malware,

which then spreads to users who unknowingly connect their USB drives or log in to
sensitive accounts.

4. Facilitating Organized Crime

• Coordination and Communication: Cybercafes often serve as hubs for criminal groups to
communicate and coordinate their activities using encrypted emails or chat rooms.

• Illegal Content Sharing: They are sometimes used to distribute or access illegal content
such as pirated software, movies, or explicit materials.

5. Challenges in Law Enforcement

• Tracing Activities: It is difficult for authorities to trace cybercrimes back to individuals in

a cybercafe due to the shared and transient nature of usage.

• Jurisdiction Issues: Cybercafes in regions with weak cybersecurity laws may act as safe
havens for criminals.

Preventive Measures

• Mandatory User Identification: Requiring valid ID for accessing cybercafe services can
deter criminal activities.

• Surveillance Systems: Installing CCTV cameras can help track and identify users if a
crime occurs.
 • Regular System Monitoring: Cybercafes should update antivirus software, monitor for
suspicious activities, and prevent unauthorized software installation.

• Public Awareness: Educating users about safe online practices can reduce the risk of
them becoming victims or unintentional accomplices.

3.Write a short note on Attack Vector. How it alters the system state?

An attack vector refers to the method or pathway used by cybercriminals to gain unauthorized access to
a system, network, or application. It represents the point of entry that an attacker exploits to execute
malicious activities, such as stealing data, installing malware, or disrupting operations.

Common Attack Vectors

1. Phishing: Fraudulent emails or messages trick users into revealing sensitive information.

2. Malware: Malicious software infects systems to cause harm or steal data.

3. Unpatched Software: Exploiting vulnerabilities in outdated or unpatched systems.

4. Weak Passwords: Brute force attacks on poorly secured credentials.

5. Social Engineering: Manipulating individuals to bypass security measures.

6. Network Exploits: Attacks on insecure Wi-Fi or network configurations.

7. Zero-Day Vulnerabilities: Exploiting unknown or unpatched software flaws.

How Attack Vectors Alter the System State

1. System Compromise:
Attackers gain control of the system by exploiting vulnerabilities, altering permissions, or
installing backdoors.

2. Data Breach:
Sensitive information is accessed, modified, or stolen, leading to compromised confidentiality
and integrity.

3. Service Disruption:
Attackers use vectors like DDoS attacks to overwhelm and crash systems, disrupting availability.

4. Unauthorized Modifications:
Critical system settings, files, or configurations are altered, compromising functionality or
security.
 5. Propagation of Malicious Software:
Malware spreads through networks or attached devices, further escalating the scope of the
attack.

Mitigation Measures

• Regularly update and patch software.

• Use robust authentication mechanisms.

• Employ firewalls, intrusion detection systems, and antivirus tools.

• Educate users about identifying and avoiding potential threats.

By understanding attack vectors and their impact, organizations can better protect their systems and
maintain a secure state.

3.Write a short note on Attack Vector. How it alters the system state? 10 marks

Attack Vector

An attack vector is the method or pathway used by cybercriminals to gain unauthorized access to a
system, network, or application. It represents the entry point that attackers exploit to compromise
security and perform malicious activities, such as data theft, malware installation, or system disruption.
Common attack vectors include phishing, malware, weak passwords, unpatched vulnerabilities, and
social engineering.

How It Alters the System State

1. Unauthorized Access: Attackers exploit vulnerabilities to bypass authentication and gain control
over the system.

2. Data Breach: Confidential information is accessed, modified, or stolen, compromising the

system's integrity and privacy.

3. Service Disruption: Attackers can disrupt system availability, such as through Denial-of-Service
(DoS) attacks.

4. Malware Deployment: Malicious software can alter files, damage system functionality, or spread
across networks.

5. System Manipulation: Critical settings, configurations, or permissions are modified, leading to

further vulnerabilities.

4. Explain the following terms related to cyber crimes:

i) Spamming
ii) Salami technique

iii) Hacking

iv) Password sniffing

i) Spamming
Spamming involves sending unsolicited and often irrelevant bulk messages, typically via email, to a large
number of recipients. These messages often include advertisements, phishing links, or malware.
Spamming disrupts communication, consumes network resources, and can be a precursor to more
severe cybercrimes like phishing or ransomware attacks.

ii) Salami Technique

The Salami technique refers to a type of financial fraud in which small amounts of money are siphoned
from numerous accounts without being noticed. The amounts are so small that they often go
undetected by victims. Cybercriminals use this method in banking or payroll systems to accumulate
substantial funds over time.

iii) Hacking
Hacking is the act of gaining unauthorized access to computer systems, networks, or data. Hackers
exploit vulnerabilities to compromise security for various purposes, such as data theft, espionage, or
system disruption. While "black hat" hackers engage in illegal activities, "white hat" hackers use their
skills to improve security.

iv) Password Sniffing

Password sniffing is the act of intercepting and capturing passwords transmitted over a network.
Cybercriminals use tools or software to monitor and analyze network traffic to obtain login credentials.
This technique is often employed on insecure or unencrypted networks, compromising user accounts
and sensitive information.

5. What is Cyber Stalking? Explain various types of Stalkers with a case study.

Cyberstalking is the use of the internet or digital tools to repeatedly harass, threaten, or stalk someone.
It includes sending unwanted messages, hacking accounts, or spreading lies online. The goal is often to
scare or distress the victim. Cyberstalkers often use social media, email, or other online platforms.
Cyberstalking involves using digital platforms to intimidate or control someone by continuously
monitoring or harassing them online, they can track the victim’s online activity.

Types of Cyber Stalking

• Webcam Hijacking: Internet stalkers would attempt to trick you into downloading and putting in
a malware-infected file that may grant them access to your webcam. the method is therefore
sneaky in that it’s probably you wouldn’t suspect anything strange.
 • Observing location check-ins on social media: In case you’re adding location check-ins to your
Facebook posts, you’re making it overly simple for an internet stalker to follow you by just
looking through your social media profiles.

• Catfishing: Catfishing happens via social media sites, for example, Facebook, when internet
stalkers make counterfeit user-profiles and approach their victims as a companion of a
companions.

• Visiting virtually via Google Maps Street View: If a stalker discovers the victim’s address, then it
is not hard to find the area, neighbourhood, and surroundings by using Street View. Tech-savvy
stalkers don’t need that too.

• Installing Stalkerware: One more method which is increasing its popularity is the use of
Stalkerware. It is a kind of software or spyware which keeps track of the location, enable access
to text and browsing history, make an audio recording, etc. And an important thing is that it runs
in the background without any knowledge to the victim.

• Looking at geotags to track location: Mostly digital pictures contain geotags which is having
information like the time and location of the picture when shot in the form of metadata. Geotags
comes in the EXIF format embedded into an image and is readable with the help of special
apps. In this way, the stalker keeps an eye on the victim and gets the information about their
whereabouts.

6. Explain about Vishing and Smishing in detail.

Vishing, or voice phishing, is another variation of phishing where attackers use phone calls instead of
emails or text messages to deceive their victims. Vishing attacks often involve impersonating trusted
entities such as banks, tech support, or government agencies to extract sensitive information. The
attacker may claim that there is an urgent issue with the victim's bank account or that they need to
verify their identity, creating a sense of urgency that pressures the victim to provide confidential
information over the phone.

Vishing can be particularly convincing because it leverages the power of human interaction. Unlike
phishing or smishing, which rely on digital communication, vishing exploits the trust that people often
place in voice communication. Attackers may use spoofed phone numbers to make the call appear
legitimate, adding another layer of deception.

Smishing is a variation of phishing that targets victims through SMS or other messaging platforms. The
term smishing is a combination of "SMS" and "phishing," and it shares many similarities with email
phishing. However, instead of email, smishing uses text messages to deliver a phishing campaign. These
messages often include scam links that lead to phishing pages designed to steal information or install
malware.
Smishing can be particularly dangerous because people are generally more trusting of text messages
than emails. The messages might appear to be from banks, delivery services, or even friends, making it
harder to detect the scam. The consequences of smishing can be as severe as traditional phishing,
leading to financial loss or identity theft

7. Explain the following terms related to cyber crimes:

i) Cyber defamation

ii) Data Diddling

iii) Software Piracy

iv) Identity Theft

v) E-mail Bombing/ Mail Bombs

i. Cyber defamation refers to the act of harming a person's or organization's reputation through false,
malicious, or derogatory statements made online. These statements can be posted on social media
platforms, blogs, websites, forums, or through other digital communication methods. Cyber defamation
is a form of libel (written defamation) when done online and is punishable under various legal
frameworks worldwide.

ii. Data diddling involves changing data prior or during input into a computer. In other words, information
is changed from the way it should be entered by a person typing in the data, a virus that changes data,
the programmer of the database or application, or anyone else involved in the process of having
information stored in a computer file. The culprit can be anyone involved in the process of creating;
recording, encoding, examining, checking, converting, or transmitting data.

iii. Software piracy is the unauthorized copying, distribution, or use of software without proper licensing
or permission from the copyright owner. It violates intellectual property rights and is a form of digital
theft. Software piracy undermines the software industry by causing financial losses, discouraging
innovation, and exposing users to security risks.

iv. Identity theft is a cybercrime in which an individual’s personal information, such as name, social
security number, credit card details, or other sensitive data, is stolen and misused without their consent.
The stolen identity is often used to commit fraud, such as financial theft, opening fraudulent accounts, or
gaining unauthorized access to resources.

v. In internet usage, an e-mail bomb is a form of net abuse consisting of sending huge volumes of e-mail
to an address in an attempt to overflow the mailbox or overwhelms the server. Mail bombing is the act
of sending an email bomb, a term shared with the act of sending actual exploding devices. Mail bombing
is sometimes accomplished by giving the victim’s e-mail address to multiple spammers.

8. Discuss in detail about the Botnets.

Network of compromised computers is called a botnet. Compromised computers are also
called Zombies or Bots. This software is mostly written in C++ & C. The main motive of botnet is that it
starts with the dark side of the internet which introduced a new kind of Crime called Cybercrime.

Among the malware (malicious software) botnet is the most widespread and severe threat. Several
large institutions, government organizations, and almost every social networking website Facebook,
Twitter, Instagram, etc, e-commerce website Amazon, and Flipkart, etc, in short, every firm associated
with the internet became the victim of this malware. This kind of malicious software is freely available in
the market for lease. It can be used in DDoS attacks (Smurf Attacks), Phishing, Extortion, etc.

Botnets

Botnet Communication

At first, those who want to be botmaster finds the target system (here target system means finding the
vulnerable system), then use popular social engineering techniques like phishing, click fraud, etc to
install a small (Kbs) executable file into it. A small patch has been included in the code, making it not
visible even with the running background process. A naive user won’t even come to know that his/her
system became part of a bot army. After infection, the bot looks for the channel through which it can
communicate with its master. Mostly Channel (command and Control channel) uses the existing protocol
to request the command and receive updates from the master, so if anyone tries to look at the traffic
behavior then it will be quite difficult to figure it out. Botmaster is used to write scripts to run an
executable file on different OS.

For Windows: Batch Program

For Linux: BASH Program

The following are the major things that can be performed on bots:

• Web-Injection: Botmaster can inject snippets of code to any secured website that which bot
used to visit.

• Web filters: Here on use a special symbol like:”!” for bypassing a specific domain, and “@” for
the screenshot used.

• Web-fakes: Redirection of the webpage can be done here.

• DnsMAP: Assign any IP to any domain which the master wants to route to the bot family.

Types of Botnet

Here are the types of botnets mentioned below based on the Channel.

Internet Relay Chat (IRC) Botnet

Internet Relay Chat (IRC) acts as the C&C Channel. Bots receive commands from a centralized IRC server.
A command is in the form of a normal chat message. The limitation of the Internet Relay Chat(IRC)
Botnet is that the Entire botnet can be collapsed by simply shutting down the IRC Server.

Peer-to-Peer (P2P) Botnet

It is formed using the P2P protocols and a decentralized network of nodes. Very difficult to shut down
due to its decentralized structure. Each P2P bot can act both as the client and the server. The bots
frequently communicate with each other and send “keep alive” messages. The limitation of Peer-to-Peer
Botnets is that it has a higher latency for data transmission.

Hyper Text Transfer Protocol (HTTP) Botnet

Centralized structure, using HTTP protocol to hide their activities. Bots use specific URLs or IP addresses
to connect to the C&C Server, at regular intervals. Unlike IRC bots, HTTP bots periodically visit the C&C
server to get updates or new commands.

9. Discuss the attacks on mobile phones in detail.

Wireless and mobile devices have become ubiquitous in today’s society, and with this increased usage
comes the potential for security threats. Wireless and mobile device attacks are a growing concern for
individuals, businesses, and governments.

Below are some of the most common types of Wireless and Mobile Device Attacks:

SMiShing: Smishing become common now as smartphones are widely used. SMiShing uses Short
Message Service (SMS) to send fraud text messages or links. The criminals cheat the user by calling.
Victims may provide sensitive information such as credit card information, account information, etc.
Accessing a website might result in the user unknowingly downloading malware that infects the device.

War driving : War driving is a way used by attackers to find access points wherever they can be. With the
availability of free Wi-Fi connection, they can drive around and obtain a very huge amount of
information over a very short period of time.

WEP attack: Wired Equivalent Privacy (WEP) is a security protocol that attempted to provide a wireless
local area network with the same level of security as a wired LAN. Since physical security steps help to
protect a wired LAN, WEP attempts to provide similar protection for data transmitted over WLAN with
encryption. WEP uses a key for encryption. There is no provision for key management with Wired
Equivalent Privacy, so the number of people sharing the key will continually grow. Since everyone is using
the same key, the criminal has access to a large amount of traffic for analytic attacks.

WPA attack: Wi-Fi Protected Access (WPA) and then WPA2 came out as improved protocols to replace
WEP. WPA2 does not have the same encryption problems because an attacker cannot recover the key by
noticing traffic. WPA2 is susceptible to attack because cyber criminals can analyze the packets going
between the access point and an authorized user.

Bluejacking: Bluejacking is used for sending unauthorized messages to another Bluetooth device.
Bluetooth is a high-speed but very short-range wireless technology for exchanging data between desktop
and mobile computers and other devices.

Replay attacks: In a Replay attack an attacker spies on information being sent between a sender and a
receiver. Once the attacker has spied on the information, he or she can intercept it and retransmit it
again thus leading to some delay in data transmission. It is also known as playback attack.

Bluesnarfing : It occurs when the attacker copies the victim’s information from his device. An attacker
can access information such as the user’s calendar, contact list, e-mail and text messages without leaving
any evidence of the attack.

RF Jamming: Wireless signals are susceptible to electromagnetic interference and radio-frequency

interference. Radio frequency (RF) jamming distorts the transmission of a satellite station so that the
signal does not reach the receiving station.

There are several types of attacks that target these devices, each with its own advantages and
disadvantages:

Wi-Fi Spoofing: Wi-Fi spoofing involves setting up a fake wireless access point to trick users into
connecting to it instead of the legitimate network. This attack can be used to steal sensitive information
such as usernames, passwords, and credit card numbers. One advantage of this attack is that it is
relatively easy to carry out, and the attacker does not need sophisticated tools or skills. However, it can
be easily detected if users are aware of the legitimate network’s name and other details.
Packet Sniffing: Packet sniffing involves intercepting and analyzing the data packets that are transmitted
over a wireless network. This attack can be used to capture sensitive information such as email
messages, instant messages, and web traffic. One advantage of this attack is that it can be carried out
without the user’s knowledge. However, the attacker needs to be in close proximity to the victim and
must have the technical skills and tools to intercept and analyze the data.

Bluejacking: Bluejacking involves sending unsolicited messages to Bluetooth-enabled devices. This attack
can be used to send spam, phishing messages, or malware to the victim’s device. One advantage of this
attack is that it does not require a network connection, and the attacker can be located anywhere within
range of the victim’s Bluetooth signal. However, it requires the attacker to have the victim’s Bluetooth
device’s address and is limited to devices that have Bluetooth capabilities.

10. Discuss in detail about different types of cyber criminals

Types of Cyber Criminals

Hackers

The term hacker may refer to anyone with technical skills, however, it typically refers to an individual
who uses his or her skills to achieve unauthorized access to systems or networks to commit crimes. The
intent of the burglary determines the classification of those attackers as white, grey, or black hats. White
hat attackers burgled networks or PC systems to get weaknesses to boost the protection of those
systems. The owners of the system offer permission to perform the burglary, and they receive the results
of the take a look at. On the opposite hand, black hat attackers make the most of any vulnerability for
embezzled personal, monetary, or political gain. Grey hat attackers are somewhere between white and
black hat attackers. Grey hat attackers could notice a vulnerability and report it to the owners of the
system if that action coincides with their agenda.

• Gray Hat Hackers- These hackers carry out violations and do seemingly deceptive things
however not for individual addition or to cause harm. These hackers may disclose
a vulnerability to the affected organization after having compromised their network and they
may exploit it.

• Black Hat Hackers- These hackers are unethical criminals who violate network security for
personal gain. They misuse vulnerabilities to bargain PC frameworks. These hackers always
exploit the information or any data they get from the unethical pen-testing of the network.

Organized Hackers

These criminals embody organizations of cyber criminals, hacktivists, terrorists, and state-sponsored
hackers. Cybercriminals are typically teams of skilled criminals targeted on control, power, and wealth.
These criminals are extremely subtle and organized, and should even give crime as a service. These
attackers are usually profoundly prepared and well-funded.

Internet Stalkers
Internet stalkers are people who maliciously monitor the web activity of their victims to acquire personal
data. This type of cybercrime is conducted through the use of social networking platforms and malware,
that can track an individual’s PC activity with little or no detection.

The Rogue Employees

Rogue/Disgruntled employees become hackers with a particular motive and also commit cyber crimes. It
is hard to believe that dissatisfied employees can become such malicious hackers. In the previous time,
they had the only option of going on strike against employers. But with the advancement of technology,
there is an increase in work on computers and the automation of processes, it is simple for disgruntled
employees to do more damage to their employers and organizations by committing cyber crimes. The
attacks by such employees bring the entire system down. Please refer to: Cyber Law (IT Law) in India.

UNIT-5
1.What are the types of Buffer Overflow? How to minimize it?

Attackers exploit buffer overflow issues by overwriting the memory of an application. This
changes the execution path of the program, triggering a response that damages files or exposes
private information. For example, an attacker may introduce extra code, sending new
instructions to the application to gain access to IT systems.

Types of Buffer Overflow Attacks

Stack-based buffer overflows are more common, and leverage stack memory that only exists
during the execution time of a function.
Heap-based attacks are harder to carry out and involve flooding the memory space allocated
for a program beyond memory used for current runtime operations.

How to Prevent Buffer Overflows

Developers can protect against buffer overflow vulnerabilities via security measures in their
code, or by using languages that offer built-in protection.
In addition, modern operating systems have runtime protection. Three common protections
are:
• Address space randomization (ASLR)—randomly moves around the address space
locations of data regions. Typically, buffer overflow attacks need to know the locality of
executable code, and randomizing address spaces makes this virtually impossible.
• Data execution prevention—flags certain areas of memory as non-executable or
executable, which stops an attack from running code in a non-executable region.
• Structured exception handler overwrite protection (SEHOP)—helps stop malicious code
from attacking Structured Exception Handling (SEH), a built-in system for managing
hardware and software exceptions. It thus prevents an attacker from being able to make
use of the SEH overwrite exploitation technique. At a functional level, an SEH overwrite
is achieved using a stack-based buffer overflow to overwrite an exception registration
record, stored on a thread’s stack.
2.Explain about Trojan Horses and Backdoors in detail with examples.

A Trojan Horse is a type of malware that disguises itself as legitimate software or files to trick users into
downloading or executing it. Unlike viruses, Trojans do not replicate themselves; instead, they rely on
user interaction to spread. Once inside the system, Trojans can perform various malicious activities,
including data theft, surveillance, or creating backdoors.

Characteristics of Trojan Horses

1. Deceptive Nature: Delivered as seemingly harmless files or applications.

2. Dependence on User Action: Requires the user to install or open the infected file.

3. Payload: Executes malicious activities such as stealing data, deleting files, or installing other
malware.

Examples of Trojan Horses

• Zeus Trojan: Aimed at stealing banking information by logging keystrokes and capturing user
credentials.

• Emotet: Initially a banking Trojan, later evolved into a malware distribution tool.

Backdoors

A Backdoor is a hidden method or vulnerability that allows attackers to bypass normal authentication
processes and gain unauthorized access to a system or application. Backdoors can be intentionally
installed by developers for troubleshooting or maliciously inserted by attackers.

Characteristics of Backdoors

1. Hidden Entry Point: Operates in the background without user knowledge.

2. Remote Access: Enables attackers to control the system remotely.

3. Persistence: Often designed to remain undetected and active over time.

Examples of Backdoors

• RATs (Remote Access Trojans): Tools like DarkComet or njRAT allow attackers to control systems
remotely.

• SUNBURST: A backdoor linked to the SolarWinds cyberattack, used to infiltrate government and
private systems.

Relationship Between Trojan Horses and Backdoors

• Trojans are often used as delivery mechanisms to install backdoors on a system.

 • Example: A user downloads a fake software update (Trojan), which then installs a backdoor,
granting attackers persistent access to the system.

Case Study: WannaCry Ransomware Attack (2017)

• Trojan Component: Spread through phishing emails with malicious attachments.

• Backdoor Component: Exploited a Windows vulnerability (EternalBlue) to create backdoor

access for encryption payloads.

• Impact: Infected over 200,000 systems in 150 countries, causing billions in damages.

Preventive Measures

1. Antivirus Software: Detects and removes Trojans and backdoors.

2. Regular Updates: Patch vulnerabilities to prevent exploitation by malware.

3. User Awareness: Avoid opening suspicious emails or downloading unknown files.

4. Firewall and IDS: Monitor network activity to detect unauthorized access.

3. Define Social Engineering? Describe the classification of Social Engineering with examples.
Social engineering is a manipulative technique used by cybercriminals to exploit human psychology
and trick individuals into divulging sensitive information, such as passwords, financial details, or personal
data. Instead of directly attacking systems, attackers focus on the weakest link in security: the human
element.
Classification of Social Engineering
Social engineering attacks can be broadly classified into two categories based on the method of
execution:
1. Human-Based Social Engineering
This involves direct interaction between the attacker and the victim, relying on psychological
manipulation.
Examples:
• Impersonation: An attacker pretends to be someone trustworthy, like a bank employee
or IT support, to extract sensitive details.
Example: Calling a user and claiming to be from their bank to collect account details.
• Tailgating (Piggybacking): Gaining physical access to a secure area by following an
authorized person.
Example: An attacker follows an employee into a restricted area, pretending they forgot
their ID badge.
• Dumpster Diving: Searching through discarded documents or materials to find
confidential information.
Example: Recovering sensitive data from shredded documents or disposed hard drives.
2. Technology-Based Social Engineering
This involves using digital methods to manipulate victims.
Examples:
 • Phishing: Sending deceptive emails or messages to trick users into revealing credentials
or downloading malware.
Example: Receiving an email claiming to be from PayPal, asking to "verify your account"
by entering your login details.
• Spear Phishing: A targeted phishing attack aimed at a specific individual or organization.
Example: A CEO receives a customized email appearing to be from a business partner,
asking for sensitive financial data.
• Vishing (Voice Phishing): Using phone calls to deceive victims into sharing information.
Example: A scammer calls pretending to be tech support, asking for remote access to fix
a “virus.”
• Smishing (SMS Phishing): Sending fraudulent text messages to trick victims into clicking
malicious links.
Example: A message claims you’ve won a lottery and requests clicking a link to claim the
prize.
• Baiting: Leaving physical or digital bait, such as infected USB drives, to lure victims into
compromising their systems.
Example: An attacker leaves a USB labeled “Confidential” in a public place, tempting a
victim to plug it in.
Hybrid Social Engineering Techniques
Many attacks combine human and technology-based methods for greater effectiveness.
• Example: A phishing email might contain a phone number that leads to a vishing attack
when called.
Case Study: The Target Data Breach (2013)
Attackers used social engineering to compromise Target’s third-party HVAC vendor. By sending a
phishing email, they obtained credentials that allowed access to Target’s network, leading to the
theft of 40 million credit card details.
Preventive Measures
1. Educate users about identifying and avoiding social engineering attacks.
2. Implement strong security policies and multi-factor authentication.
3. Use spam filters, firewalls, and intrusion detection systems.
4. Regularly update and patch systems to minimize vulnerabilities.

4. Discuss about the SQL Injection in detail.

SQL Injection is a security flaw in web applications where attackers insert harmful SQL code through
user inputs. This can allow them to access sensitive data, change database contents or even take control
of the system. It’s important to know about SQL Injection to keep web applications secure.
In this article, We will learn about SQL Injection by understanding How to detect SQL injection
vulnerabilities, the impact of a successful SQL injection attack and so on.
What is SQL Injection?
• SQLi or SQL Injection is a web page vulnerability that lets an attacker make queries with
the database.
• Attackers take advantage of web application vulnerability and inject an SQL command
via the input from users to the application.
 • Attackers can SQL queries like SELECT to retrieve confidential information which
otherwise wouldn’t be visible.
• SQL injection also lets the attacker to perform a denial-of-service (DoS) attacks by
overloading the server requests.

What is the impact of a successful SQL injection attack?

• A successful SQL injection attack can have severe consequences, including unauthorized
access to sensitive data, such as personal information and financial records.
• Attackers may manipulate or delete critical data, compromising its integrity and causing
operational disruptions.
• They can also bypass authentication mechanisms, gaining unauthorized access to user
accounts, including administrative privileges.
• This can lead to the exposure of confidential information, identity theft, and significant
financial losses.
• Additionally, SQL injection attacks can result in service downtime and damage to the
organization’s reputation.
How to Detect SQL injection Vulnerabilities?
• To detect SQL injection vulnerabilities, you can start by performing input validation
testing, where special characters like ' or " are inserted into inputs to see if they cause
errors.
• Automated tools like SQLMap or Burp Suite can scan for vulnerabilities by simulating
attacks.
• Reviewing the source code helps identify insecure practices, such as using dynamic SQL
queries without proper parameterization.
• Monitoring for unexpected database error messages can reveal potential issues.
• Finally, conducting thorough penetration testing, including both black-box and white-box
methods, provides a comprehensive assessment of security weaknesses.
Use of SQL Injection in Web Applications
 • Web servers communicate with database servers anytime they need to retrieve or store
user data.
• SQL statements by the attacker are designed so that they can be executed while the web
server is fetching content from the application server.
1. SQL in Web Pages
• SQL injection typically occurs when you ask a user for input, such as their username/user
ID and instead of their name/ID, the user inputs an SQL statement that will be executed
without the knowledge about your database.
For example,
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users
WHERE UserId = " + txtUserId;
The above code is constructing an SQL query by directly concatenating a user input (txtUserId)
into the query string. Attackers can easily exploit this by giving an input that is always true, like
x=x,1=1, etc.
If the attacker gave input as ” 105 OR 1=1 ” in the UserId field, the resulting SQL will be:
SELECT * FROM Users WHERE UserId = 105 OR 1=1;
This resulting query will return data of all users, not just the user with UserId =”105″.
Example of SQL Injection
For a better understanding of how attackers do a SQL injection attack, let’s learn how to do an
SQL injection attack ourselves. In this example, we will perform a basic SQL injection attack and
learn the process behind it.
Suppose we have an application based on student records. Any student can view only his or her
records by entering a unique and private student ID.
Suppose we have a field like the one below:
Student id: The student enters the following in the input field: 12222345 or 1=1.
Query:
SELECT * FROM STUDENT WHERE
STUDENT-ID == 12222345 or 1 = 1
SQL Injection based on 1=1 is always true. As you can see in the above example, 1=1 will return
all records for which this holds true. So basically, all the student data is compromised. Now the
malicious user can also similarly use other SQL queries.
Consider the following SQL query.
Query 1:
SELECT * FROM USER WHERE
USERNAME = “” AND PASSWORD=””
Now the malicious attacker can use the ‘=’ operator cleverly to retrieve private and secure user
information. So following query when executed retrieves protected data, not intended to be
shown to users.
Query 2:
SELECT* FROM User WHERE
(Username = “” OR 1=1) AND
(Password=”” OR 1=1).
Since 1=1 always holds true, user data is compromised.
SQL Injection Types
There are different types of SQL injection attacks:
1. In-band SQL Injection
• It involves sending malicious SQL queries directly through the web application’s
interface.
• It allows attackers to extract sensitive information or modify the database itself.
2. Error-based SQL Injection
• Attackers exploit error messages generated by the web application by analyzing error
messages to gain access to confidential data or modify the database.
3. Blind SQL Injection
• Attackers send malicious SQL queries and observe the application’s response.
• By analyzing the application’s behavior, attackers can determine the success of the
query.
4. Out-of-band SQL Injection
• Uses a different channel to communicate with the database.
• Allows attackers to exfiltrate sensitive data from the database.
5. Inference-based SQL Injection
• Uses statistical inference to gain access to confidential data.
• Attackers create queries that return the same result regardless of input values

5. Discuss in detail about

i.Identity Theft (ID theft).
ii.Foot printing.

i.Identity theft refers to the criminal act of obtaining and misusing someone else's personal
information—such as name, social security number, credit card details, or other sensitive data—
without their consent. The stolen identity is often used for fraudulent purposes, such as
opening bank accounts, committing financial fraud, or applying for credit cards or loans. The
impact of identity theft can be significant, both for the victim and the perpetrator.
Types of Identity Theft
1. Financial Identity Theft:
The most common form, where the attacker uses stolen identity details to gain access to
financial resources, such as opening new credit accounts, making unauthorized
purchases, or withdrawing funds from bank accounts.
o Example: Using a stolen credit card number to make purchases online or apply
for a loan in the victim's name.
2. Medical Identity Theft:
Using someone’s personal information to obtain medical services or prescription drugs.
o Example: A thief uses a stolen insurance number to get medical treatment,
leaving the victim with fraudulent medical bills.
3. Criminal Identity Theft:
A criminal uses another person’s identity when arrested or involved in illegal activities to
avoid detection.
 o Example: A thief gets arrested but gives someone else's identity to law
enforcement, leaving the victim with a criminal record.
4. Child Identity Theft:
Children’s identities are often targeted since their credit files are not active, making the
theft harder to detect.
o Example: Using a child’s social security number to open credit accounts that
remain undetected until the child reaches adulthood.
Methods of Identity Theft
1. Phishing:
Fraudulent attempts to obtain sensitive information through email, phone calls, or text
messages. Attackers often impersonate trusted institutions, such as banks or
government agencies.
2. Skimming:
Using devices (skimmers) to collect information from the magnetic stripes on debit or
credit cards during legitimate transactions.
3. Data Breaches:
Cyberattacks that expose sensitive personal data through hacking into databases of
businesses, social media platforms, or government agencies.
4. Social Engineering:
Manipulating individuals into revealing confidential information by posing as legitimate
representatives or service providers.
5. Dumpster Diving:
Going through discarded documents or hard drives to retrieve personal information such
as bank statements, tax records, or other identifying information.
Preventive Measures Against Identity Theft
1. Monitor Financial Statements:
Regularly checking bank accounts and credit card statements for any unauthorized
transactions.
2. Use Strong Passwords and Authentication:
Using complex passwords and enabling two-factor authentication to protect online
accounts.
3. Shred Sensitive Documents:
Shredding financial records, old tax forms, and documents containing personal data
before disposal.
4. Freeze Credit Reports:
Requesting a credit freeze from credit bureaus to prevent unauthorized access to credit
reports.
5. Be Cautious Online:
Avoiding sharing personal information via untrusted websites, public Wi-Fi, or
unsolicited communications.

ii.Footprinting
Footprinting is the process of gathering as much information as possible about a target
organization or individual, usually as a precursor to a cyberattack. It is a form of reconnaissance
where attackers identify vulnerabilities and weaknesses by collecting data from publicly
available resources.
Types of Footprinting
1. Active Footprinting:
Involves directly interacting with the target network or systems to gather information.
The attacker may send queries or probe servers to extract data.
o Example: Performing DNS lookups, ping sweeps, or port scans on the target
system.
2. Passive Footprinting:
The attacker gathers information without directly interacting with the target’s network,
making it less detectable. Information is collected from publicly available sources such as
websites, social media, and domain registrations.
o Example: Reviewing the target’s website to find employee names, email
addresses, and organizational structure.
Techniques Used in Footprinting
1. Domain Name System (DNS) Queries:
The attacker may query DNS servers to gather information about the target domain,
such as IP addresses, mail servers, and subdomains.
2. WHOIS Lookups:
Attacker uses WHOIS databases to retrieve publicly available information about domain
registration, including the owner’s name, contact details, and address.
3. Network Scanning:
Tools like Nmap or Netcat are used to scan the target network for open ports, active
services, and potential vulnerabilities.
4. Social Media Mining:
Examining the target’s social media profiles to gather personal details, organizational
roles, and possible entry points for social engineering.
5. Public Information and Databases:
Searching public databases such as government records, business registrations, or news
articles that provide valuable details about the target

6. Define Steganography? Explain it’s working in detail

Steganography is the practice of concealing a message, image, or file within another file, such that the
existence of the hidden information is not apparent. Unlike encryption, which transforms the content of
a message to hide its meaning, steganography hides the message itself, making it invisible to
unauthorized parties. The word "steganography" comes from the Greek words steganos (meaning
"covered" or "hidden") and graphia (meaning "writing").

Working of Steganography
Steganography works by embedding secret information (called the payload) into a cover
medium (like an image, audio, or video file). The process is designed to ensure that the changes
made to the cover file are minimal, so that the hidden message is imperceptible to the human
senses. Here's a detailed explanation of how steganography works:
1. Selection of Cover Medium
The first step in steganography is selecting a cover medium in which to hide the secret
information. Commonly used cover mediums include:
• Images (JPEG, PNG, BMP)
• Audio files (MP3, WAV)
• Video files (MP4, AVI)
• Text files (using specific encoding techniques)
Images are the most commonly used medium due to their large size and inherent redundancy.
2. Encoding the Secret Message
The secret message is encoded or embedded into the cover medium using various algorithms.
These algorithms work by altering the least significant bits (LSB) of the pixels or audio samples
to encode the hidden data. The alteration of the LSB does not significantly change the overall
appearance of an image or the quality of audio, making the presence of the hidden message
undetectable.
• For Image Steganography:
Each pixel in an image is typically represented by 24 bits (8 bits for red, 8 bits for green,
and 8 bits for blue). The secret message can be encoded by modifying the least
significant bit of each pixel's RGB value.
For example, an image pixel with RGB values (110, 150, 200) might have the binary
representation:
o Red: 110 (in binary: 01101110)
o Green: 150 (in binary: 10010110)
o Blue: 200 (in binary: 11001000)
By altering the least significant bit, the encoded message might slightly change the values, but
the change is too small to be visible to the human eye. This process is called Least Significant Bit
(LSB) insertion.
• For Audio Steganography:
In audio files, similar to images, the least significant bits of each sample are modified to
embed the hidden message. Audio steganography might also involve slightly changing
the amplitude of the sound waves.
3. Transmission of Stego Medium
Once the message has been encoded, the resulting file, which now contains the secret
information, is referred to as a stego medium. This stego file can be transmitted over networks
or stored, just like the original cover file, without raising suspicion.
4. Extraction of the Hidden Message
When the intended recipient receives the stego file, they use the corresponding decryption or
extraction tool to retrieve the hidden message. The extraction process involves reversing the
encoding procedure:
• In the case of an image, the extraction tool reads the least significant bits of the pixels
and reconstructs the hidden message.
• In the case of audio, it retrieves the hidden message by analyzing the altered bits or
samples.
The hidden information is recovered and can be decoded into its original form.
Types of Steganography
 1. Image Steganography
Hiding data within the pixels of an image file, as discussed above. Popular tools for
image steganography include Steghide and OpenStego.
2. Audio Steganography
Embedding secret messages within audio files, often by altering the least significant bits
of the audio samples. Examples include the use of tools like DeepSound or AudioStego.
3. Video Steganography
Embedding information into video files by modifying the pixels of individual frames or
the audio track of the video. This technique is often used for larger payloads due to the
size of video files.
4. Text Steganography
Embedding data in text files through encoding methods like whitespace manipulation,
capitalizing letters, or using invisible characters like spaces and tabs.
5. Network Steganography
Hiding data within network traffic or protocols, such as manipulating the headers or
unused bits in the packets of network data.
Applications of Steganography
1. Confidential Communication:
Steganography is often used in scenarios where encrypted communication is too
conspicuous. By embedding a message within a seemingly harmless file, the
communication remains hidden from third parties.
2. Digital Watermarking:
It is used for watermarking copyrighted digital content, like images or videos, to track
and prevent unauthorized distribution while protecting the creator’s intellectual
property.
3. Covert Data Transmission:
In sensitive contexts such as intelligence or military operations, steganography allows for
covert communication without triggering suspicion from authorities or adversaries.
4. Malware Delivery:
Cybercriminals sometimes use steganography to deliver malware or malicious payloads
in a way that avoids detection by antivirus programs or network monitoring tools.
Example of Steganography in Practice
Imagine a scenario where two individuals wish to send a confidential message to each other
without anyone else knowing. They could take an innocent-looking image of a landscape (the
cover file) and embed the secret message into the image using steganography tools. The result
is a "stego-image" that looks identical to the original image. The recipient, knowing the secret
method to extract the hidden message, can retrieve the original text message without anyone
else being able to detect it.
Advantages of Steganography
1. Covert Communication:
Messages are hidden in plain sight, making them difficult to detect compared to
traditional encryption methods.
 2. Data Integrity:
Since the message is embedded in a cover file, its integrity remains intact during
transmission or storage.
3. Unobtrusive:
Steganography can be used with many different types of media, such as images, audio,
and video, without attracting attention.

7. Explain about password cracking mechanism in detail

Password cracking refers to the process of attempting to gain unauthorized access to an account or
system by guessing or deriving the password. This process is typically performed by attackers to break
weak passwords or to exploit vulnerabilities in a system’s security. Password cracking can be done
through various techniques, depending on the method used to store and protect the passwords, as well
as the attacker's resources and knowledge.

Types of Password Cracking Attacks

1. Brute Force Attack
A brute force attack involves systematically trying every possible combination of characters until
the correct password is found. This is a straightforward approach where the attacker uses a
program that generates all possible password combinations for a given length, starting from the
simplest (e.g., "a", "b", "c") and continuing until the right one is discovered.
• How it works:
The attacker chooses a target password length and character set (letters, numbers,
symbols) and generates all possible combinations.
o For example, for a 4-character password using lowercase letters, there are 26^4
(456,976) possible combinations.
• Drawback:
Brute force attacks are time-consuming, especially for longer and more complex
passwords. However, given enough time and computing power, they are guaranteed to
succeed. The time required increases exponentially as the length and complexity of the
password grow.
2. Dictionary Attack
A dictionary attack uses a predefined list of potential passwords, usually words from a
dictionary, common phrases, or leaked passwords from previous breaches. The attacker tries
each of these words (or combinations of them) against the system.
• How it works:
o The attacker uses a list (dictionary) of common passwords, variations, and real
words (e.g., "12345", "password", "admin").
o This method is faster than brute force since it relies on the high likelihood that
many users choose simple or common passwords.
• Drawback:
Dictionary attacks are ineffective against strong passwords that don’t contain easily
guessable words or phrases. However, they are successful when users select weak,
commonly used passwords.
3. Hybrid Attack
A hybrid attack is a combination of brute force and dictionary attacks. It starts by using a
dictionary of common passwords and then modifies them by appending numbers, special
characters, or changing letter casing (e.g., "Password123", "1234password").
• How it works:
o The attacker uses dictionary-based words and adds additional characters to the
base word, trying variations of common passwords.
• Drawback:
It’s more time-efficient than brute force since it focuses on likely combinations, but still
may take significant time if the passwords are complex or long.
4. Rainbow Table Attack
A rainbow table attack uses precomputed tables of hashed passwords and their corresponding
plaintext versions. Rainbow tables are essentially large sets of hash values (typically MD5, SHA1)
for different passwords. The attacker can compare the hash of a password stored in the system
to entries in the table to find the original password.
• How it works:
o The attacker uses a table of hashes to match the hashed value of the password to
a precomputed value in the rainbow table.
o If a match is found, the attacker knows the plaintext password.
• Drawback:
This method works effectively for hashed passwords that are not salted. However,
systems that use salted hashes (adding a random value to the password before hashing)
make rainbow table attacks ineffective.
5. Keylogger Attack
A keylogger attack involves the use of malicious software or hardware to record keystrokes on a
target system. By logging the user’s typed input, keyloggers can capture passwords and other
sensitive information as the user types it.
• How it works:
o The keylogger software runs in the background, recording all keystrokes made by
the user.
o It can capture passwords as the user enters them on login screens, online forms,
or other websites.
• Drawback:
Keyloggers can be detected by antivirus software, and users may recognize abnormal
system behavior (e.g., slow performance). Additionally, keyloggers require physical
access or the ability to install malware on the target system.
6. Man-in-the-Middle (MitM) Attack
A man-in-the-middle attack occurs when an attacker intercepts communication between a user
and a legitimate website or system, capturing login credentials as they are transmitted over the
network.
• How it works:
o The attacker positions themselves between the user and the legitimate site,
intercepting login credentials during transmission.
 o This method is commonly used when users log into websites over unsecured
(HTTP) connections, without encryption.
• Drawback:
MitM attacks can be mitigated by using secure communication protocols such as HTTPS,
which encrypts data in transit.
Password Hashing and Cracking Defenses
1. Salting
Salting involves adding a random value (a "salt") to the password before hashing it. This makes
rainbow table attacks ineffective because the hash for each password will be unique, even if two
users have the same password.
• How it works:
o A random salt is generated and added to the password.
o The password and salt are hashed together, creating a unique hash value that
cannot be precomputed in a rainbow table.
2. Using Strong Hash Functions
Using strong cryptographic hash functions (e.g., bcrypt, Argon2, or PBKDF2) can significantly
increase the difficulty of password cracking. These algorithms are designed to be
computationally expensive, meaning that brute force or dictionary attacks would take
significantly longer.
3. Multi-Factor Authentication (MFA)
By requiring additional forms of authentication (such as one-time passwords, biometrics, or
hardware tokens), MFA can prevent attackers from gaining access even if they successfully crack
the password.

8. Define spyware and Illustrate its impact on mobile devices

Spyware is a type of malicious software (malware) designed to secretly monitor and collect
information from a device or network without the user’s consent or knowledge. The information
gathered by spyware can include personal data, browsing habits, passwords, financial information, and
even tracking the user’s location. Spyware can also affect the device’s performance by consuming
resources and causing system instability.
Spyware often works in the background, making it difficult for users to detect. It can be installed
through infected websites, email attachments, malicious apps, or third-party software
downloads.
How Spyware Affects Mobile Devices
Mobile devices, such as smartphones and tablets, are prime targets for spyware due to their
widespread use for communication, online transactions, and storing sensitive information.
Here’s how spyware affects mobile devices:
1. Privacy Invasion
Spyware on mobile devices can compromise the privacy of the user by accessing and
transmitting personal data without consent. This may include:
• Contacts: Spyware can collect contact lists, leading to identity theft or fraud.
• Messages: Text messages, emails, and even WhatsApp or Messenger conversations can
be accessed.
 • Location: GPS data may be used to track the user’s movements, which could be used for
stalking or other malicious purposes.
• Call Logs: Detailed records of incoming and outgoing calls, including phone numbers and
call duration, could be harvested.
2. Financial Loss
Spyware can facilitate financial fraud by capturing sensitive information, such as bank account
details, credit card numbers, or login credentials for online banking or payment apps. This can
result in unauthorized transactions, draining the victim's accounts or making fraudulent
purchases.
• Example: A user installs a malicious app that contains spyware, and the spyware records
their banking login credentials, allowing attackers to steal funds from their accounts.
3. Unauthorized Surveillance
Spyware, especially Remote Access Trojans (RATs), can give an attacker full control over the
mobile device. This allows the attacker to:
• Turn on the microphone to listen in on conversations.
• Activate the camera to secretly capture photos or videos.
• Monitor real-time activities without the user’s knowledge.
• Control device functions, such as installing apps or changing settings.
4. Performance Degradation
Spyware consumes system resources, such as CPU and memory, which can slow down the
device and affect its performance. The device may exhibit:
• Increased battery drain due to the background processes.
• Lagging or freezing as the spyware uses up processing power.
• High data usage as the spyware continuously sends collected information to the
attacker’s server.
5. Unauthorized Access to Sensitive Data
Spyware can infiltrate mobile devices through malicious apps, websites, or phishing attacks.
Once installed, it may extract sensitive data such as:
• Photos and Videos: Personal media stored on the device may be taken and sold or
distributed without the user’s knowledge.
• App Data: Spyware may access app data stored locally, like passwords saved in a
password manager or cached login details for social media accounts.
6. Compromise of Security
Spyware can weaken the overall security of a mobile device, allowing further attacks to occur.
For example:
• Spyware might disable or bypass the device’s security mechanisms (e.g., firewalls,
antivirus software, or password protection).
• It may grant attackers elevated privileges on the device, allowing them to perform
additional malicious actions like installing ransomware, stealing encryption keys, or
modifying system files.
7. Data Breaches and Legal Implications
For businesses and individuals handling sensitive or regulated data, spyware can lead to severe
legal and regulatory consequences:
 • Data breaches: The collection of sensitive personal or organizational data could result in
breaches of confidentiality agreements, exposing the data to malicious actors.
• Violations of data protection laws: If spyware collects data without the user’s consent,
the company or individual behind it could face penalties under laws like GDPR (General
Data Protection Regulation) or CCPA (California Consumer Privacy Act).

Examples of Spyware Attacks on Mobile Devices

1. FinSpy (also known as FinFisher)
FinSpy is a spyware tool designed for surveillance and monitoring. It is capable of infiltrating
mobile devices and extracting sensitive information, such as call logs, messages, and emails.
FinSpy is used by government agencies and law enforcement, but has also been exploited by
cybercriminals.
2. Pegasus Spyware
Pegasus is one of the most notorious spyware tools, developed by the NSO Group. It targets
both Android and iOS devices, exploiting vulnerabilities in mobile operating systems to gain full
access to the device. Once installed, Pegasus can:
• Monitor calls and messages.
• Track the device’s location.
• Activate the camera and microphone.
• Steal sensitive data, including passwords and financial information.
Pegasus has been linked to targeted attacks on journalists, activists, and political figures, making
it one of the most powerful tools for mobile surveillance.
3. Joker Malware
Joker is a type of spyware that primarily targets Android devices. It has been found in apps on
the Google Play Store, often disguised as legitimate apps (e.g., photo editors or fitness trackers).
Once installed, Joker can:
• Steal SMS messages and contacts.
• Subscribe users to premium services without their knowledge.
• Gather sensitive data, including location and device information.
9. Differentiate between computer Virus and Worms with two examples each.

Basis of
Comparison Worms Viruses

A Virus is a malicious executable

A Worm is a form of malware that
code attached to another
replicates itself and can spread to
executable file that can be harmless
different computers via a Network.
Definition or can modify or delete data.

The main objective of worms is to eat

The main objective of viruses is to
the system’s resources. It consumes
modify the information.
Objective system resources such as memory and
Basis of
Comparison Worms Viruses

bandwidth and makes the system slow

in speed to such an extent that it stops
responding.

It doesn’t need a host to replicate It requires a host is needed for

Host from one computer to another. spreading.

Harmful It is less harmful as compared. It is more harmful.

Detection
Worms can be detected and removed Antivirus software is used for
and
by the Antivirus and firewall. protection against viruses.
Protection

Viruses can’t be controlled by

Worms can be controlled by remote.
Controlled by remote.

Worms are executed via weaknesses Viruses are executed via executable
Execution in the system. files.

Worms generally come from the

Viruses generally come from shared
downloaded files or through a
or downloaded files.
Comes from network connection.

Boot sector viruses, Direct

Internet worms, Instant messaging Actionvirusess,
worms, Email worms, File sharing Polymorphicvirusess, Macro
worms, and Internet relay chat (IRC) viruses, Overwritevirusess, and File
worms are different types of worms. Infector viruses are different types
Types of viruses

Examples of worms include Morris Examples of viruses include

Examples worm, storm worm, etc. Creeper, Blaster, Slammer, etc.

It does not need human action to

It needs human action to replicate.
Interface replicate.
Basis of
Comparison Worms Viruses

Its spreading speed is slower as

Its spreading speed is faster.
Speed compared to worms.

10. Explain about i) Port Scanning ii) Enumeration

i. Port scanning is a technique used by network administrators, as well as cybercriminals, to identify

open ports and services available on a networked system or device. Open ports are points of entry
through which data can flow between the device and other systems over a network (such as the
internet). Port scanning is often the first step in identifying vulnerabilities that can be exploited in
network security attacks.
How Port Scanning Works
When a device or server is connected to a network, it listens for incoming traffic on certain
ports. Each port corresponds to a specific service or application (for example, port 80 is used for
HTTP traffic, port 443 is used for HTTPS). A port scan involves sending packets to a range of
ports on a target machine to determine which ones are open or closed.
• Open Ports: These ports accept and respond to traffic. They could represent active
services or applications.
• Closed Ports: These ports are not open for communication and do not respond to
scanning requests.
• Filtered Ports: These ports are either blocked by a firewall or are not reachable due to
network restrictions.

ii. Enumeration is a more advanced phase of network reconnaissance that occurs after an initial scan.
During enumeration, attackers attempt to gather detailed information about a target system or network,
including the list of users, shares, services, and other resources, as well as vulnerabilities that can be
exploited. Unlike passive scanning techniques (like port scanning), enumeration involves active queries
to the target system to retrieve specific data.
How Enumeration Works
Enumeration involves sending queries to a network or device to extract information such as:
• Usernames: The list of user accounts on a system or domain.
• Groups and Roles: Information on user groups, roles, and privileges.
• Shared Resources: Information on shared folders, printers, or other networked
resources.
• Service Information: Details on running services, service versions, and associated
vulnerabilities.
• Operating System Information: Details about the target machine’s operating system,
version, and patch level.
In this phase, an attacker may use protocols like SMB (Server Message Block), SNMP (Simple
Network Management Protocol), or NetBIOS to extract this data.
Common Enumeration Techniques
1. DNS Enumeration:
Querying DNS servers to gather information about a target domain, including
subdomains, mail servers, and name servers. Tools like nslookup and DNSenum can be
used for this purpose.
2. SNMP Enumeration:
Using SNMP to gather network information such as device configurations, usernames,
and system statistics. Tools like snmpwalk can be used for this type of enumeration.
3. NetBIOS Enumeration:
Querying systems that use the NetBIOS protocol (often on Windows networks) to gather
information about the machine, including its name, shared resources, and users. Tools
like nbtstat and NetView can be used for NetBIOS enumeration.
4. SMB Enumeration:
SMB enumeration targets Windows networks to identify shares, users, groups, and other
resources. Tools like enum4linux are often used to query Windows systems over SMB.
5. LDAP Enumeration:
Using the LDAP protocol to retrieve information from directory services like Active
Directory. This can include user accounts, groups, and other directory data.
6. SMTP Enumeration:
Attackers can query mail servers via the SMTP protocol to enumerate valid email
addresses. Tools like Telnet and Nmap can be used to test for valid user emails on a mail
server.
7. Banner Grabbing:
Attackers collect version information of services or operating systems by interacting with
ports on a system (often HTTP, FTP, or SMTP). Banner grabbing helps identify
vulnerabilities in specific versions of services. Tools like Netcat and Nmap can help grab
banners.