UNIT5

PROXY SERVERS AND ANONYMIZERS

Proxy server is a computer on a network which acts as an intermediary for
connection with other computers on that network.
• The attacker first connects to a proxy server and establishes a connection with
the target system through existing connection with proxy.
• This enables an attacker to surf on the Web anonymously and/or hide the
attack.
• A client connects to the proxy server and requests some services (such as a
file, webpage) available from a different server.
• The proxy server evaluates the request and provides the resource by
establishing the connection to the respective server and/or requests the
required service on behalf of the client.
• Using a proxy server can allow an attacker to hide ID (i.e., become anonymous
on the network).
A proxy server has the following purposes:
1. Keep the systems behind the curtain (mainly for security reasons).
2. Speed up access to a resource (through “caching”). It is usually used to cache
the web pages from a web server.
3. Specialized proxy servers are used to filter unwanted content such as
advertisements.
4. Proxy server can be used as IP address multiplexer to enable to connect
number of computers on the Internet, whenever one has only one IP address
• One of the advantages of a proxy server is that its cache memory can serve all
users.
• If one or more websites are requested frequently, maybe by different users, it
is likely to be in the proxy’s cache memory, which will improve user response
time.
• An anonymizer or an anonymous proxy is a tool that attempts to make activity
on the Internet untraceable. It accesses the Internet on the user’s behalf,
protecting personal information by hiding the source computer’s identifying
information.
• Anonymizers are services used to make Web surfing anonymous by utilizing
a website that acts as a proxy server for the web client
Phishing
“Phishing” refers to an attack using mail programs to deceive Internet users into
disclosing confidential information that can be then exploited for illegal purposes.
• While checking electronic mail (E-Mail) one day a user finds a message from
the bank threatening to close the bank account if he/she does not reply
immediately.
• Although the message seems to be suspicious from the contents of the
message, it is difficult to conclude that it is a fake/false E-Mail.
• This message and other such messages are examples of Phishing – in addition
to stealing personal and financial data – and can infect systems with viruses
and a method of online ID theft in various cases.
• These messages look authentic and attempt to get users to reveal their personal
information.
• It is believed that Phishing is an alternative spelling of “fishing,” as in “to fish
for information.”
• The first documented use of the word “Phishing” was in 1996.
How Phishing Works?
Phishers work in the following ways:
1. Planning: Criminals, usually called phishers, decide the target.
2. Setup: Once phishers know which business/business house to spoof and who their
victims.
3. Attack: the phisher sends a phony message that appears to be from a reputable
source.
4. Collection: Phishers record the information of victims entering webpages or pop-
up windows.
5. Identity theft and fraud: Phishers use the information that they have gathered to
make illegal purchases or commit fraud.
Nowadays, more and more organizations/institutes provide greater online access for
their customers and hence criminals are successfully using Phishing techniques to
steal personal information and conduct ID theft at a global level
Password Cracking
• Password is like a key to get an entry into computerized systems like a lock.
• Password cracking is the process of recovering passwords from data that have
been stored in or transmitted by a computer system.
• Usually, an attacker follows a common approach – repeatedly making
guesses for the password.
The purpose of password cracking is as follows:
1. To recover a forgotten password.
2. As a preventive measure by system administrators to check for easily crack
able passwords.
3. To gain unauthorized access to a system.
Manual password cracking is to attempt to log on with different passwords. The
attacker follows the following steps:
1. Find a valid user account such as an Administrator or Guest;
2. create a list of possible passwords;
3. rank the passwords from high to low probability;
4. key-in each password;
5. try again until a successful password is found.
Passwords can be guessed sometimes with knowledge of the user’s personal
information. Examples of guessable passwords include:
1. Blank (none);
2. the words like “password,” “passcode” and “admin”;
3. series of letters from the “QWERTY” keyboard, for example, qwerty, asdf or
qwertyuiop;
4. user’s name or login name;
5. name of user’s friend/relative/pet;
6. user’s birthplace or date of birth, or a relative’s or a friend’s;
7. user’s vehicle number, office number, residence number or mobile number;
8. name of a celebrity who is an idol (e.g., actors, actress, spiritual gurus) by the
user;
• An attacker can also create a script file (i.e., automated program) which will
be executed to try each password in a list.
• This is still considered manual cracking, is time-consuming and not usually
effective.
• Passwords are stored in a database and password verification process is
established into the system when a user attempts to login or access a restricted
resource.
• To ensure confidentiality of passwords, the password verification data is
usually not stored in a clear text format.
• For example, a one-way function (which may be either an encryption function
or a cryptographic hash) is applied to the password, possibly in combination
with other data, and the resulting value is stored.
• When a user attempts to login to the system by entering the password, the
same function is applied to the entered value and the result is compared with
the stored value. If they match, the user gains access; this process is called
authentication.
The most used hash functions can be computed rapidly, and the attacker can test
these hashes with the help of passwords cracking tools (see Table 4.3) to get the
plain text password.
Password cracking attacks can be classified under three categories as follows:
1. Online attacks;
2. offline attacks;
3. non-electronic attacks (e.g., social engineering, shoulder surfing and dumpster
diving).
Online Attacks
• An attacker can create a script file that will be executed to try each password
in a list and when matches, an attacker can gain access to the system.
• The most popular online attack is man-in-the middle (MITM) attack, also
termed as “bucket- brigade attack” or sometimes “Janus attack.”
• It is a form of active stealing in which the attacker establishes a connection
between a victim and the server to which the victim is connected.
 • When a victim client connects to the fraudulent server, the MITM server
intercepts the call, hashes the password and passes the connection to the
victim server (e.g., an attacker within reception range of an unencrypted Wi-
Fi wireless access point can insert himself as a man-in- the-middle).
• This type of attack is used to obtain the passwords for E-Mail accounts on
public websites such as Yahoo, Hotmail and Gmail and can also be used to
get the passwords for financial websites that would like to gain access to
banking websites.
Offline Attacks
• Mostly offline attacks are performed from a location other than the target
(i.e., either a computer system or while on the network) where these
passwords reside or are used.
• Offline attacks usually require physical access to the computer and copying
the password file from the system onto removable media.
Password guidelines
1. Passwords used for business E-Mail accounts, personal E-Mail accounts and
banking/financial user accounts should be kept separate.
2. Passwords should be of a minimum of eight alphanumeric characters (common
names or phrases should be phrased).
3. Passwords should be changed every 30/45 days (about 1 and a half months)
4. Passwords should not be shared with relatives and/or friends.
5. Password used previously should not be used while renewing the password.
6. Passwords of personal E-Mail accounts and banking/financial user accounts
should be changed from a secured system, within couple of days, if these E-Mail
accounts have been accessed from public Internet facilities such as
cybercafes/hotels/libraries.
7. Passwords should not be stored under mobile phones/PDAs, as these devices are
also prone to cyberattacks.
8. In case E-Mail accounts/user accounts have been hacked, respective
agencies/institutes should be contacted immediately.
KEYLOGGERS AND SPYWARES
• Keystroke logging, often called keylogging, is the practice of noting (or
logging) the keys struck on a keyboard, typically in a covert manner so that
the person using the keyboard is unaware that such actions are being
monitored.
• Keystroke logger or keylogger is quicker and easier way of capturing the
passwords and monitoring the victims’ IT savvy behavior. It can be classified
as software keylogger and hardware keylogger.
Software Keyloggers
• Software keyloggers are software programs installed on the computer
systems which usually are located between the OS and the keyboard
hardware, and every keystroke is recorded.
• Software keyloggers are installed on a computer system by Trojans or viruses
without the knowledge of the user.
• Cybercriminals always install such tools on the insecure computer systems
available in public places (i.e., cybercafés, etc) and can obtain the required
information about the victim very easily.
• A keylogger usually consists of two files that get installed in the same
directory: a dynamic link library (DLL) file and an EXEcutable (EXE) file
that installs the DLL file and triggers it to work. DLL does all the recording
of keystrokes.
Some Important Keyloggers are as follows

Hardware Keyloggers
• Hardware keyloggers are small hardware devices.
• These are connected to the PC and/or to the keyboard and save every
keystroke into a file or in the memory of the hardware device.
• Cybercriminals install such devices on ATM machines to capture ATM
Cards’ PINs.
 • Each keypress on the keyboard of the ATM gets registered by these
keyloggers.
• These keyloggers look like an integrated part of such systems; hence, bank
customers are unaware of their presence.
Anti keylogger
• Anti keylogger is a tool that can detect the keylogger installed on the
computer system and can remove the tool.
Advantages of using Anti keylogger are as follows:
1. Firewalls cannot detect the installations of keyloggers on the systems; hence, anti
keyloggers can detect installations of keylogger.
2. This software does not require regular updates of signature bases to work
effectively such as other antivirus and Anti spy programs; if not updated, it does not
serve the purpose, which puts the users at risk.
3. Prevents Internet banking fraud. Passwords can be easily gained with the help of
installing keyloggers.
4. It prevents ID theft
5. It secures E-Mail and instant messaging/chatting

SPYWARES
Spyware is a type of malware (i.e., malicious software) that is installed on
computers which collects information about users without their knowledge.
• The presence of Spyware is typically hidden from the user; it is secretly
installed on the user’s personal computer.
• Sometimes, however, Spywares such as keyloggers are installed by the owner
of a shared, corporate or public computer on purpose to secretly monitor other
users. Some Important Spywares are as follows:
VIRUS AND WORMS
• A computer virus is a program that can “infect” legitimate programs by
modifying them to include a possibly “evolved” copy of itself.
• Viruses spread themselves, without the knowledge or permission of the users,
to potentially large numbers of programs on many machines.
• A computer virus passes from computer to computer in a similar manner to a
biological virus passes from person to person.
• Viruses may also contain malicious instructions that may cause damage or
annoyance; the combination of possibly Malicious Code with the ability to
spread is what makes viruses a considerable concern.
• Viruses can often spread without any readily visible symptoms.
• A virus can start on event-driven effects (e.g., triggered after a specific
number of executions), time-driven effects (e.g., triggered on a specific date,
such as Friday the 13th) or can occur at random.
Viruses can take some typical actions:
1. Display a message to prompt an action which may set of the virus;
2. delete files inside the system into which viruses enter;
3. scramble data on a hard disk;
4. cause erratic screen behavior;
5. halt the system (PC);
6. just replicate themselves to propagate further harm.
 • Computer viruses can copy themselves and infect the system.
• The term virus is also commonly but erroneously used to refer to other types
of malwares, Adware and Spyware programs that do not have reproductive
ability.
• A true virus can only spread from one system to another (in some form of
executable code) when its host is taken to the target computer; for instance,
when a user sent it over the Internet or a network or carried it on a removable
media such as CD, DVD or USB drives.
• Viruses can increase their chances of spreading to other systems by infecting
files on a network file system or a file system that is accessed by another
system.
• Malware includes computer viruses, worms, Trojans, most Rootkits,
Spyware, dishonest Adware, crimeware and other malicious and unwanted
software as well as true viruses.
• Viruses are sometimes confused with computer worms and Trojan Horses,
which are technically different (see Table 4.7 to understand the difference
between computer virus and worm).
• A worm spreads itself automatically to other computers through networks by
exploiting security vulnerabilities, whereas a Trojan is a code/program that
appears to be harmless but hides malicious functions. Worms and Trojans,
such as viruses, may harm the system’s data or performance.
• Some viruses and other malware have noticeable symptoms that enable
computer users to take necessary corrective actions, but many viruses are
surreptitious or simply do nothing for users to take note of them.
• Some viruses do nothing beyond reproducing themselves.
Types of Viruses
1. Boot sector viruses: It infects the storage media on which the OS is stored (e.g.,
hard drives) and which is used to start the computer system.
2. Program viruses: These viruses become active when the program file (usually
with extensions .bin, .com,.exe, .ovl, .drv) is executed
3. Multipartite viruses: It is a hybrid of a boot sector and program viruses. It infects
program files along with the boot record when the infected program is active.
4. Stealth viruses: It hides itself and so detecting this type of virus is very difficult.
It can hide itself in such a way that antivirus software also cannot detect it. Example
for Stealth virus is “Brain Virus”.
5. Polymorphic viruses: It acts like a “chameleon” that changes its virus signature
(i.e., binary pattern) every time it spreads through the system (i.e., multiplies and
infects a new file). Hence, it is always difficult to detect polymorphic viruses with
the help of an antivirus program.
6. Macro viruses: Many applications, such as Microsoft Word and Microsoft Excel,
support MACROs (i.e., macrolanguages). These macros are programmed as a macro
embedded in a document. Once macro virus gets onto a victim’s computer then every
document, he/she produces will become infected.
7. Active X and Java Control: All the web browsers have settings about Active X
and Java Controls.

TROJAN HORSES AND BACKDOORS

• Trojan Horse is a program in which malicious or harmful code is contained
inside apparently harmless programming or data in such a way that it can get
control and cause harm, for example, ruining the file allocation table on the
hard disk.
• A Trojan Horse may get widely redistributed as part of a computer virus.
• The term Trojan Horse comes from Greek mythology about the Trojan War.
• Like Spyware and Adware, Trojans can get into the system in several ways,
including from a web browser, via E-Mail.
• It is possible that one could be forced to reformat USB flash drive or other
portable device to eliminate infection and avoid transferring it to other
machines.
• Unlike viruses or worms, Trojans do not replicate themselves, but they can
be equally destructive.
• On the surface, Trojans appear benign and harmless, but once the infected
code is executed, Trojans kick in and perform malicious functions to harm the
computer system without the user’s knowledge.
Some typical examples of threats by Trojans are as follows:
1. They erase, overwrite or corrupt data on a computer.
2. They help to spread other malware such as viruses (by a dropper Trojan).
3. They deactivate or interfere with antivirus and firewall programs.
4. They allow remote access to your computer (by remote access Trojan).
5. They upload and download files without your knowledge.
6. They gather E-Mail addresses and use them for Spam.
7. They log keystrokes to steal information such as passwords and credit card
numbers.
8. They copy fake links to false websites, display porno sites, play sounds/videos
and display images.
9. They slow down, restart or shutdown the system.
10. They reinstall themselves after being disabled.
11. They disable the task manager.
12. They disable the control panel.

BACKDOOR
• A backdoor is a means of access to a computer program that bypasses security
mechanisms. A programmer may sometimes install a backdoor so that the
program can be accessed for troubleshooting or other purposes.
• However, attackers often use backdoors that they detect or install themselves
as part of an exploit.
• In some cases, a worm is designed to take advantage of a backdoor created by
an earlier attack.
• A backdoor works in the background and hides from the user.
• It is very similar to a virus and, therefore, is quite difficult to detect and
completely disable.
• A backdoor is one of the most dangerous parasites, as it allows a malicious
person to perform any possible action on a compromised system.
Following are some functions of backdoor:
1. It allows an attacker to create, delete, rename, copy or edit any file, execute
various commands; change any system settings; alter the Windows registry; run,
control and terminate applications; install arbitrary software and parasites.
2. It allows an attacker to control computer hardware devices, modify related
settings, shutdown or restart a computer without asking for user permission.
3. It steals sensitive personal information, valuable documents, passwords, login
names, ID details; logs user activity and tracks web browsing habits
4. It records keystrokes that a user types on a computer’s keyboard and captures
screenshots.
5. It sends all gathered data to a predefined E-Mail address, uploads it to a
predetermined FTP server or transfers it through a background Internet connection
to a remote host.
6. It infects files, corrupts installed applications and damages the entire system.
The following are a few examples of backdoor Trojans:
1. Back Orifice
2. Bifrost:
3. SAP backdoors
4. Onapsis Bizploit:
Follow the following steps to protect your systems from Trojan Horses and
backdoors:
1. Stay away from suspect websites/weblinks
2. Surf on the Web cautiously
3. Install antivirus/Trojan remover software

STEGANOGRAPHY
• Steganography is the practice of concealing (hiding) a file, message, image,
or video within another file, message, image, or video. The word
steganography combines the Greek words steganos , meaning "covered,
concealed, or protected", and graphein meaning "writing".
• It is a method that attempts to hide the existence of a message or
communication.
• Steganography is always misunderstood with cryptography
• The different names for steganography are data hiding, information hiding and
digital watermarking.
 • Steganography can be used to make a digital watermark to detect illegal
copying of digital images. Thus, it aids confidentiality and integrity of the
data.
• Digital watermarking is the process of possibly irreversibly embedding
information into a digital signal.
• The Digital signal may be, for example, audio, pictures or video
• If the signal is copied, then the information is also carried in the copy.
• In other words, when steganography is used to place a hidden “trademark” in
images, music and software, the result is a technique referred to as
“watermarking”

Steganalysis
Steganalysis is the art and science of detecting messages that are hidden in images,
audio/video files using steganography.
• The goal of steganalysis is to identify suspected packages and to determine
whether they have a payload encoded into them, and if possible, recover it.
• Automated tools are used to detect such steganographed data/information
hidden in the image and audio and/or video files.

SNIFFERS
• A sniffer, also known as a packet analyzer or network analyzer, is a tool used
to capture and analyze network traffic. It is a software or hardware tool that
intercepts and records data packets transmitted between computers or devices
on a network.
• Packet sniffers are commonly used for network troubleshooting, security
analysis, and network optimization. They can be used to identify network
problems such as congestion, packet loss, or improper configurations, and
they can also be used to detect security threats such as network intrusions or
unauthorized access attempts.
• Packet sniffers work by capturing packets of data as they are transmitted on
the network. These packets are then analyzed and displayed to the user in a
human-readable format, allowing them to examine the contents of the packets
and extract information from them.
 • Packet sniffers can be used on both wired and wireless networks, and they can
capture data from a variety of network protocols, including TCP/IP, HTTP,
FTP, and SMTP.
• However, it is important to note that packet sniffers can also be used for
malicious purposes, such as intercepting sensitive information such as
passwords, credit card numbers, or personal information. Therefore, the use
of packet sniffers should be regulated and used only for legitimate purposes
with appropriate consent and legal authority.
A Sniffer is a program or tool that captures information over a network. There are 2
types of Sniffers: Commercial Sniffers and Underground Sniffers.

1. Commercial Sniffers –
Commercial sniffers are used to maintain and monitor information over the
network. These sniffers are used to detect network problems. Network
General Corporation (NGC) is a company that offers commercial sniffers.
These can be used for:
a. Fault analysis to detect problems in a network.

b. Performance analysis to detect network bottlenecks.

2. Underground Sniffers –
Underground sniffers are malicious programs used by hackers to capture
information over a network. When underground sniffers are installed on the
router, it can breach the security of any network that passes through the router.
It can capture:
a. Confidential messages like email.

b. Financial data like debit card details.

Components of a Sniffer:
To capture the information over the network sniffer uses the following components:

1. Hardware –
Sniffers use standard network adapters to capture network traffic.

2. Capture Driver –
Capture Driver captures network traffic from Ethernet wire, filters that
 network traffic for information that you want, and then stores the filtered
information in a buffer.

3. Buffer –
When a sniffer captures data from a network, it stores data in a buffer. There
are 2 ways to store captured data –
a. You can store data until the buffer is filled with information

b. It is the round-robin method in which data in the buffer is always

replaced by new data that is captured.

4. Decoder –
The information that travels over the network is in binary format, which is not
readable. You can use a decoder to interpret this information and display it in
a readable format. A decoder helps you analyze how information is passed
from one computer to another.

Placement of Sniffer:
The most common places where you can place sniffers are:
1. Computer
2. Cable wires
3. Routers
4. Network segments connected to the internet

SPOOFING
Spoofing is a completely new beast created by merging age-old deception strategies
with modern technology. Spoofing is a sort of fraud in which someone or something
forges the sender’s identity and poses as a reputable source, business, colleague, or
other trusted contact to obtain personal information, acquire money, spread malware,
or steal data.
Types of Spoofing:
• IP Spoofing
• ARP Spoofing
• Email Spoofing
• Website Spoofing Attack
• DNS Spoofing
IP Spoofing:
IP is a network protocol that allows you to send and receive messages over the
internet. The sender’s IP address is included in the message header of every email
message sent (source address). By altering the source address, hackers and scammers
alter the header details to hide their original identity. The emails then look to have
come from a reliable source. IP spoofing can be divided into two categories.

• Man in the Middle Attacks: Communication between the original sender of

the message and the intended recipient is intercepted, as the term implies. The
message’s content is then changed without the knowledge of either party. The
attacker inserts his own message into the packet.
• Denial of Service (DoS) Attacks: In this technique, the sender and recipient’s
message packets are intercepted, and the source address is spoofed. The
connection has been seized. The recipient is thus flooded with packets in
excess of their bandwidth or resources. This overloads the victim’s system,
effectively shutting it down.

ARP Spoofing:
ARP spoofing is a hacking method that causes network traffic to be redirected to a
hacker. Sniffing out LAN addresses on both wired and wireless LAN networks is
known as spoofing. The idea behind this sort of spoofing is to transmit false ARP
communications to Ethernet LANs, which can cause traffic to be modified or
blocked entirely.
The basic work of ARP is to match the IP address to the MAC address. Attackers
will transmit spoofed messages across the local network. Here the response will map
the user’s MAC address with his IP address. Thus, the attacker will gain all
information from the victim machine.
Email Spoofing:
The most common type of identity theft on the Internet is email spoofing. Phishers
send emails to many addresses and pose as representatives of banks, companies, and
law enforcement agencies by using official logos and headers. Links to dangerous
or otherwise fraudulent websites, as well as attachments loaded with malicious
software, are included in the emails they send.
Attackers may also utilize social engineering techniques to persuade the target to
voluntarily reveal information. Fake banking or digital wallet websites are
frequently created and linked to in emails. When an unknowing victim clicks on
that link, they are brought to a false site where they must log in with their
information, which is then forwarded to the fake user behind the fake email.
Website Spoofing Attack:
Attackers employ website/URL spoofing, also known as cybersquatting, to steal
credentials and other information from unwary end-users by creating a website that
seems almost identical to the actual trustworthy site. This is frequently done with
sites that receive a lot of traffic online. The cloning of Facebook is a good example.

DNS Spoofing:
Each machine has a unique IP address. This address is not the same as the usual
“www” internet address that you use to access websites. When you type a web
address into your browser and press enter, the Domain Name System (DNS)
immediately locates and sends you to the IP address that matches the domain name
you provided. Hackers have discovered a technique to infiltrate this system and
redirect your traffic to harmful sites. This is known as DNS Spoofing.

SESSION HIJACKING
TCP session hijacking is a security attack on a user session over a protected network.
The most common method of session hijacking is called IP spoofing, when an
attacker uses source-routed IP packets to insert commands into an active
communication between two nodes on a network and disguises itself as one of the
authenticated users. This type of attack is possible because authentication typically
is only done at the start of a TCP session.
Another type of session hijacking is known as a man-in-the-middle attack, where the
attacker, using a sniffer, can observe the communication between devices and collect
the data that is transmitted.
Different ways of session hijacking:
There are many ways to do Session Hijacking. Some of them are given below –
• Using Packet Sniffers

• In the above figure, attack captures the victim’s session ID to gain access to
the server by using some packet sniffers.
Cross Site Scripting (XSS Attack)
Attacker can also capture victim’s Session ID using XSS attack by using java script.
If an attacker sends a crafted link to the victim with the malicious JavaScript, when
the victim clicks on the link, the JavaScript will run and complete the instructions
made by the attacker.
IP Spoofing
Spoofing is pretending to be someone else. This is a technique used to gain
unauthorized access to the computer with an IP address of a trusted host. In
implementing this technique, the attacker must obtain the IP address of the client
and inject his own packets spoofed with the IP address of client into the TCP session,
to fool the server that is communicating with the victim i.e. the original host.
Blind Attack
If the attacker is not able to sniff packets and guess the correct sequence number
expected by the server, brute force combinations of sequence number can be tried.

DoS and DDoS Attacks

A denial-of-service attack (DoS attack) or distributed denial-of-service attack
(DDoS attack) is an attempt to make a computer resource (i.e., information systems)
unavailable to its intended users.
DoS Attacks
• In this type of criminal act, the attacker floods the bandwidth of the victim’s
network or fills his E-Mail box with Spam mail, depriving him of the services
he is entitled to access or provide.
• The attackers typically target sites or services hosted on high-profile web
servers such as banks, credit card payment gateways, mobile phone networks
and even root name servers.
• Buffer overflow technique is employed to commit such kind of criminal attack
known as Spoofing.
• The term IP address Spoofing refers to the creation of IP packets with a forged
(spoofed) source IP address with the purpose of concealing the ID of the
sender or impersonating another computing system.
• A packet is a formatted unit of data carried by a packet mode computer
network.
• The attacker spoofs the IP address and floods the network of the victim with
repeated requests.
 • As the IP address is fake, the victim machine keeps waiting for response from
the attacker’s machine for each request.
• This consumes the bandwidth of the network which then fails to serve the
legitimate requests and ultimately breaks down.
• The United States Computer Emergency Response Team defines symptoms
of DoS attacks to include:
1. Unusually slow network performance (opening fi les or accessing websites);
2. unavailability of a particular website;
3. inability to access any website;
4. dramatic increase in the number of Spam E-Mails received (this type of DoS attack
is termed as an E-Mail bomb).
The goal of DoS is not to gain unauthorized access to systems or data, but to prevent
intended users (i.e., legitimate users) of a service from using it.

A DoS attack may do the following:

1. Flood a network with traffic, thereby preventing legitimate network traffic.
2. Disrupt connections between two systems, thereby preventing access to a service.
3. Prevent a particular individual from accessing a service.
4. Disrupt service to a specific system or person.

Classification of DoS Attacks

1. Bandwidth attacks: Loading any website takes a certain amount of time. Loading
means a complete webpage appearing on the screen and the system is awaiting user’s
input.
2. Logic attacks: These kinds of attacks can exploit vulnerabilities in network
software such as web servers or TCP/IP stacks.
3. Protocol attacks: Protocols here are rules that are to be followed to send data
over network.
4. Unintentional DoS attack: This is a scenario where a website ends up denied not
due to a attack by a single individual or group of individuals, but simply due to a
sudden enormous spike in popularity.

Types or Levels of DoS Attacks

There are several types or levels of DoS attacks as follows:
1. Flood attack: This is the earliest form of DoS attack and is also known as ping
food. It is based on an attacker simply sending the victim an overwhelming number
of ping packets, usually by using the “ping” command, which results in more traffic
than the victim can handle.
2. Ping of death attack: The ping of death attack sends oversized Internet Control
Message Protocol (ICMP) packets, and it is one of the core protocols of the IP Suite.
It is mainly used by networked computers’ OSs to send error messages indicating
(e.g., that a requested service is not available or that a host or router could not be
reached) datagrams (encapsulated in IP packets) to the victim.
3. SYN attack: It is also termed TCP SYN Flooding. In the TCP, handshaking of
network connections is done with SYN and ACK messages.
• An attacker initiates a TCP connection to the server with an SYN. The
server replies with an SYN-ACK.
• The client then does not send back an ACK, causing the server to allocate
memory for the pending connection and wait.
• This fills up the buffer space for SYN messages on the target system,
preventing other systems on the network from communicating with the target
system.
4. Teardrop attack: The teardrop attack is an attack where fragmented packets are
forged to overlap with each other when the receiving host tries to reassemble them.
IP’s packet fragmentation algorithm is used to send corrupted packets to confuse the
victim and may hang the system. This attack can crash various OSs due to a bug in
their TCP/IP fragmentation reassembly code.
5. Smurf attack: This is a type of DoS attack that floods a target system via spoofed
broadcast ping messages. This attack consists of a host sending an echo request
(ping) to a network broadcast address.
6. Nuke: Nuke is an old DoS attack against computer networks consisting of
fragmented or invalid packets sent to the target. Tools Used to Launch DoS Attack
1. Jolt2: The vulnerability allows remote attackers to cause a DoS attack against
Windows-based machines – the attack causes the target machine to consume of the
CPU time on processing of illegal packets.
2. Nemesy: This program generates random packets of spoofed source IP to enable
the attacker to launch DoS attack.
3. Targa: It is a program that can be used to run eight different DoS attacks. The
attacker has the option to launch either individual attacks or try all the attacks until
one is successful.
4. Crazy Pinger: This tool could send large packets of ICMP (Internet Control
Message Protocol) to a remote target network.
5.SomeTrouble: It is a remote flooder and bomber. It is developed in Delphi. DDoS
Attacks
 • In a DDoS attack, an attacker may use your computer to attack another
computer. By taking advantage of security vulnerabilities or weaknesses, an
attacker could take control of your computer.
• He/she could then force your computer to send huge amounts of data to a
website or send Spam to E-mail addresses.
• The attack is “distributed” because the attacker is using multiple computers,
including yours, to launch the DoS attack.
• A DDoS attack is a distributed DoS wherein many zombie systems are
synchronized to attack a particular system.
• The zombie systems are called “secondary victims”, and the main target is
called “primary victim.” Malware can carry DDoS attack mechanisms –
one of the better-known examples of this is My Doom.
• Botnet is a popular medium to launch DoS/DDoS attacks.
• Attackers can also break into systems using automated tools that exploit flaws
in programs that listen for connections from remote hosts.

How to Protect from DoS/DDoS Attacks

Computer Emergency Response Team Coordination Center (CERT/CC) offers

many preventive measures from being a victim of DoS attack.
1. Implement router filters. This will lessen your exposure to certain DoS attacks. 2.
If such filters are available for your system, install patches to guard against TCP
SYN flooding.
3. Disable any unused or inessential network service.
4. Enable quota systems on your OS if they are available.
5. Observe your system’s performance and establish baselines for ordinary activity.
6. Routinely examine your physical security regarding your current needs.
7. Use Tripwire or a similar tool to detect changes in configuration information or
other files.
8. Invest in and maintain “hot spares” – machines that can be placed into service
quickly if a similar machine is disabled.
9. Invest in redundant and fault-tolerant network configurations.
10. Establish and maintain regular backup schedules
11. Establish and maintain appropriate password policies

SQL INJECTION
 • Structured Query Language (SQL) is a database computer language designed
for managing data in relational database management systems (RDBMS).
• SQL injection is a code injection technique that exploits a security
vulnerability occurring in the database layer of an application
• SQL injection attacks are also known as SQL insertion attacks.
• Attackers target the SQL servers – common database servers used by many
organizations to store confidential data.
• The prime objective behind SQL injection attack is to obtain the information
while accessing a database table that may contain personal information such
as credit card numbers, social security numbers or passwords.
• During an SQL injection attack, Malicious Code is inserted into a web form
field or the website’s code.
• For example, when a user logs in with username and password, an SQL query
is sent to the database to check if a user has valid name and password.
• With SQL injection, it is possible for an attacker to send crafted username
and/or password field that will change the SQL query.
Steps for SQL Injection Attack Following are some steps for SQL injection attack:

1. The attacker looks for the webpages that allow submitting data, that is, login page,
search page, feedback, etc. The attacker also looks for the webpages that display the
HTML commands such as POST or GET by checking the site’s source code.
2. To check the source code of any website, right click on the webpage and click on
“view source” – source code is displayed in the notepad. The attacker checks the
source code of the HTML and looks for “FORM” tag in the HTML code. Everything
between the and have potential parameters that might be useful to find the
vulnerabilities.

3. The attacker inputs a single quote under the text box provided on the webpage to
accept the username and password. This checks whether the user-input variable is
interpreted literally by the server. If the response is an error message such as use “a”
= “a” then the website is found to be susceptible to an SQL injection attack
4. The attacker uses SQL commands such as SELECT statement command to
retrieve data from the database or INSERT statement to add information to the
database. Here are few examples of variable field text the attacker uses on a webpage
to test for SQL vulnerabilities:
1. Blah’ or 1=1--
2. Login: blah’ or 1=1--
3. Password: blah’ or 1=1--
4. http://search/index.asp?id=blah’ or 1=1--
Similar SQL commands may allow bypassing of a login and may return many rows
in a table or even an entire database table because the SQL server is interpreting the
terms literally. The double dashes near the end of the command tell SQL to ignore
the rest of the command as a comment.

Blind SQL Injection

• Blind SQL injection is used when a web application is vulnerable to an SQL
injection, but the results of the injection are not visible to the attacker.
• The page with the vulnerability may not be the one that displays data;
however, it will display differently depending on the results of a logical
statement injected into the legitimate SQL statement called for that page.
• This type of attack can become time-intensive because a new statement must
be crafted for each bit recovered.
• There are several tools that can automate these attacks once the location of the
vulnerability and the target information have been established.
How to Prevent SQL Injection Attacks

SQL injection attacks occur due to poor website administration and coding. The
following steps can be taken to prevent SQL injection.
1. Input validation
• Replace all single quotes with two single quotes.
• Sanitize the input: User input needs to be checked and cleaned of any
characters or strings that could possibly be used maliciously. For example,
character sequences such as; --, select, insert and xp_ can be used to perform
an SQL injection attack.
• Numeric values should be checked while accepting a query string value.
Function – Is Numeric () for Active Server Pages (ASP) should be used to
check these numeric values.
• Keep all text boxes and form fields as short as possible to limit the length of
user input.
2. Modify error reports: SQL errors should not be displayed to outside users
3. Other preventions:
• The default system accounts for SQL server 2000 should never be used.
• Isolate database server and web server.
BUFFER OVERFLOW
• Buffer overflow, or buffer overrun, is an anomaly where a process stores data
in a buffer outside the memory the programmer has set aside for it.
• This may result in unreliable program behavior, including memory access
errors, incorrect results, program termination (a crash) or a breach of system
security.
• Buffer overflows can be triggered by inputs that are designed to execute code
or alter the way the program operates.
• They are, thus, the basis of many software vulnerabilities and can be
maliciously exploited. Bound checking can prevent buffer overflows.
• Programming languages commonly associated with buffer overflows include
C and C++, which provide no built-in protection against accessing or
overwriting data in any part of memory and do not automatically check that
data written to an array.
• Buffer overflow occurs when a program or process tries to store more data in
a buffer (temporary data storage area) than it was intended to hold.
• Although it may occur accidentally through programming error, buffer
overflow is an increasingly common type of security attack on data integrity.
• The knowledge of C, C++ or any other high-level computer language (i.e.,
assembly language) is essential to understand buffer overflow. int main () {int
buffer [10]; buffer [20] = 10;}
• This C program is a valid program, and every compiler can compile it without
any errors.
• However, the program attempts to write beyond the allocated memory for the
buffer, which might result in an unexpected behavior.
Types of Buffer Overflow
Stack-Based Buffer Overflow

Stack buffer overflow occurs when a program writes to a memory address on the
program’s call stack outside the intended data structure – usually a fixed length
buffer. Here are the characteristics of stack-based programming:
1. “Stack” is a memory space in which automatic variables (and often function
parameters) are allocated.
2. Function parameters are allocated on the stack and are not automatically
initialized by the system, so they usually have garbage in them until they are
initialized.
3. Once a function has completed its cycle, the reference to the variable in the stack
is removed.
The attacker may exploit stack-based buffer overflows to manipulate the program in
various ways by overwriting:
1. A local variable that is near the buffer in memory on the stack to change the
behavior of the program that may benefit the attacker.
2. The return address in a stack frame. Once the function returns, execution will
resume at the return address as specified by the attacker, usually a user input-filled
buffer.
3. A function pointer, or exception handler, which is subsequently executed.
The factors that contribute to overcoming the exploits are
1. Null bytes in addresses;
2. Variability in the location of shell code;
3. Differences between environments.
A shell code is a small piece of code used as a payload in the exploitation of software
vulnerability.
It is called “shell code” because it starts with command shell from which the attacker
can control the compromised machine.
NOPs
NOP or NOOP (short form of no operation) is an assembly language instruction/
command that effectively does nothing at all.
Heap Buffer Overflow
Heap buffer overflow occurs in the heap data area and may be introduced
accidentally by an application programmer, or it may result from a deliberate exploit.
The characteristics of stack based, and heap-based programming are as follows:
1. “Heap” is a “free store” that is a memory space, where dynamic objects are
allocated.
2. The heap is the memory space that is dynamically allocated to new (), malloc ()
and calloc() functions; it is different from the memory space allocated for stack and
code.
3. Dynamically created variables (i.e., declared variables) are created on the heap
before the execution program is initialized to zero.

Memory on the heap is dynamically allocated by the application at run-time and

normally contains program data. Exploitation is performed by corrupting this data
in specific ways to cause the application to overwrite internal structures such as
linked list pointers.
ATTACKS ON WIRELESS NETWORKS
• Wireless technologies have become increasingly popular in day-to-day
business and personal lives.
• Hand-held devices such as PDAs allow individuals to access calendars, E-
Mail addresses, phone number lists and the Internet.
• Wireless networks extend the range of traditional wired networks by using
radio waves to transmit data to wireless-enabled devices such as laptops and
PDAs.
• Wireless networks are generally composed of two basic elements of access
points (APs) and other wireless-enabled devices, such as laptops radio
transmitters and receivers to communicate or “connect” with each other.
• APs are connected through physical wiring to a conventional network, and
they broadcast signals with which a wireless device can connect.
• Wireless access to networks has become very common by now in India – for
organizations and for individuals.

The following are different types of “mobile workers”:

1. Tethered/remote worker: This is an employee who generally remains at a single
point of work but is remote to the central company systems.
2. Roaming user: This is either an employee who works in an environment (e.g.,
warehousing, shop floor, etc.) or in multiple areas (e.g., meeting rooms).
3. Nomad: This category covers employees requiring solutions in semi-tethered
(connected) environments where modems are used frequently.
4. Road warrior: This is the ultimate mobile user and spends little time in the office;

Important components of wireless network

1. 802.11 networking standards: Institute of Electrical and Electronics Engineers

(IEEE)- 802.11 is a family of standards for wireless local area network (WLAN),
stating the specifications and/or requirements for computer communication.
2. Access points: It is also termed AP. It is a hardware device and/or software that
acts as a central transmitter and receiver of WLAN radio signals. Users of wireless
devices, such as laptops/PDAs, get connected with these APs, which in turn get
connected with the wired LAN. An AP acts as a communication hub for users to
connect with the wired LAN.
3. Wi-Fi hotspots: A hotspot is a site that offers Internet access by using Wi-Fi
technology over a WLAN. Hotspots are found in public areas (such as coffee shops,
public libraries, hotels and restaurants) and are commonly offered throughout much
of North America and Europe.
• Free Wi-Fi hotspots: Wireless Internet service is offered in public areas, free
of cost and without any authentication.
• Commercial hotspots: The users are redirected to authentication and online
payment to avail themselves of the wireless Internet service in public areas.
4. Service Set Identifier (SSID): It is the name of 802.11i WLAN and all wireless
devices on a WLAN must use the same SSID to communicate with each other. While
setting up WLAN, the user (or WLAN administrator) sets the SSID, which can be
up to 32 characters long so that only the users who knew the SSID will be able to
connect the WLAN. It is always advised to turn OFF the broadcast of the SSID.
5. Wired equivalence privacy (WEP): Wireless transmission is susceptible to
eavesdropping and to providing confidentiality, WEP was introduced as part of the
original 802.11i Protocol in 1997. It is always termed as deprecated security
algorithm for IEEE 802.11i WLANs. SSID along with WEP delivers a fair amount
of secured wireless network.
6. Wi-Fi protected access (WPA and WPA2): WPA was introduced as an interim
standard to replace WEP to improve upon the security features of WEP. WPA2
provides a stronger encryption mechanism through Advanced Encryption Standard
(AES), which is a requirement for some corporate and government agencies.
7. Media access control (MAC): It is a unique identifier for each node (i.e., each
network interface) of the network and it is assigned by the manufacturer of a network
interface card (NIC) stored in its hardware. MAC address filtering allows only the
devices with specific MAC addresses to access the network.

IDENTITY THEFT (ID THEFT)

• This term is used to refer to fraud that involves someone pretending to be
someone else to steal money or get other benefits.
 • ID theft is a punishable offense under the Indian IT Act (Section 66C and
Section 66D).
• The statistics on ID theft proves the severity of this fraud and hence a non-
profit organization was found in the US, named as Identity Theft Resource
Center (ITRC), with the objective to extend the support to the society to spread
awareness about this fraud
• The Federal Trade Commission (FTC) has provided statistics about each
identity fraud mentioning prime frauds presented below.
1. Credit card fraud (26%):
2. Bank fraud (17%): Besides credit card fraud, cheque theft and Automatic Teller
Machines (ATM) pass code theft have been reported as possible with ID theft
3. Employment fraud (12%): In this fraud, the attacker borrows the victim’s valid
SSN to obtain a job.
4. Government fraud (9%): This type of fraud includes SSN, driver license and
income tax fraud.
5. Loan fraud (5%): It occurs when the attacker applies for a loan on the victim’s
name, and this can occur even if the SSN does not match the name exactly.

It is important to note the various usage of ID theft information.

1. 66% of victims’ personal information is used to open a new credit account in their
name.
2. 28% of victims’ personal information is used to purchase cell phone service.
3. 12% of victims end up having warrants issued in their name for financial crimes
committed by the identity thief.

Personally Identifiable Information (PII)

The fraudsters attempt to steal the elements mentioned below, which can express the
purpose of distinguishing individual identity:
1. Full name;
2. national identification number (e.g., SSN);
3. telephone number and mobile phone number;
4. driver’s license number;
5. credit card numbers;
6. digital identity (e.g., E-Mail address, online account ID and password);
7. birth date/birthday;
8. birthplace;
9. face and fingerprints

The information can be further classified as

a. non-classified and
b. classified.
1. non-classified information
Public information:
• Personal information:
• Routine business information:
• Private information:
2. Classified information
• Confidential: Information that requires protection and unauthorized
disclosure could damage national security (e.g., information about strength of
armed forces and technical information about weapons).
• Secret: Information that requires substantial protection and unauthorized
disclosure could seriously damage national security (e.g., national security
policy, military plans or intelligence operations).
• Top secret: Information that requires the highest degree of protection and
unauthorized disclosure could severely damage national security (e.g., vital
defense plans and cryptologic intelligence systems).
ID theft fraudsters and/or industrial/international spies target to gain access to
private, confidential, secret and top-secret information.

Types of Identity Theft

1. Financial identity theft;
2. criminal identity theft;
3. identity cloning;
4. business identity theft;
5. medical identity theft;
6. synthetic identity theft;
7. child identity theft.
Techniques of ID Theft
1. Human-based methods:
• Direct access to information:
• Dumpster diving:
• Theft of a purse or wallet:
• Mail theft and rerouting:
 • Shoulder surfing:
• Dishonest or mistreated employees:
• Telemarketing and fake telephone calls:
2. Computer-based technique:
• Backup theft:
• Hacking, unauthorized access to systems and database theft:
• Phishing:
• Pharming:
• Hardware
FOOT PRINTING
Foot printing means gathering information about a target system that can be used to
execute a successful cyber-attack. To get this information, a hacker might use
various methods with variant tools. This information is the first road for the hacker
to crack a system. There are two types of foot printing as follows below.
• Active Foot printing: Active foot printing means performing foot printing by
getting in direct touch with the target machine.
• Passive Foot printing: Passive foot printing means collecting information
about a system located at a remote distance from the attacker.
Different kinds of information that can be gathered from Foot printing are as
follows:
• The operating system of the target machine
• Firewall
• IP address
• Network map
• Security configurations of the target machine
• Email id, password
• Server configurations
• URLs
• VPN
Sources are as follows:
• Social Media: Most people have the tendency to release most of their
information online. Hackers use this sensitive information as a big deal. They
may create a fake account for looking real to be added as friends or to follow
 someone’s account for grabbing their information.

• JOB websites: Organizations share some confidential data on many JOB

websites like monsterindia.com. For example, a company posted on a website:
“Job Opening for Lighttpd 2.0 Server Administrator”. From this, information
can be gathered that an organization uses the Lighttpd web server of version
2.0.

• Google: Search engines such as Google can perform more powerful searches
than one can think, and one had gone through. It can be used by hackers and
attackers to do something that has been termed Google hacking.
Basic search techniques combined with advanced operators can do great damage.
Server operators exist like “inurl:”,”allinurl:”,”filetype:”, etc.
• For example, devices connected to the Internet can be found. A search string such as
inurl: “ViewerFrame?Mode=” will find public web cameras. “The “link:” search
operator that Google used to have, has been turned off by now (2017)”.
• Google can be used to uncover many pieces of sensitive information that shouldn’t
be revealed. A term even exists for the people who blindly post this information on
the internet, they are called “Google Dorks”.

• Social Engineering: There are various techniques that fall in this category. A
few of them are:

• Eavesdropping: The attacker tries to record the personal conversation of the

target victim with someone that’s being held over communication mediums
like the Telephone.
• Shoulder Surfing: In this technique, Attacker tries to catch the personal
information like email id, password, etc.; of the victim by looking over the
victim’s shoulder while the same is entering(typing/writing) his/her personal
details for some work.

• Archive.org: The Archived version refers to the older version of the website
which existed a time before and many features of the website have been
changed. archive.org is a website that collects snapshots of all the websites at
a regular interval of time. This site can be used to get some information that
does not exist now but existed before on the site.
 • An Organization’s Website: It’s the best place to begin for an attacker. If an
attacker wants to look for open-source information, which is information
freely provided to clients, customers, or the public then simply the best option
is: “ORGANISATION’s WEBSITE”.

• Using Neo Trace: Neo Trace is a powerful tool for getting path information.
The graphical display displays the route between you and the remote site,
including all intermediate nodes and their information. NeoTrace is a well-
known GUI route tracer program. Along with a graphical route, it also
displays information on each node such as IP address, contact information,
and location.

• Who is: This is a website that serves a good purpose for Hackers. Through
this website information about the domain name, email-id, domain owner,
etc.; a website can be traced. Basically, this serves as a way for Website Foot
printing.

SOCIAL ENGINEERING
Social engineering is a range of malicious activities undertaken by cybercriminals
intended to psychologically manipulate someone into giving out sensitive
information and data. Social engineering attacks generally occur when there is
well-established communication between attackers and victims. The attacker
prompts and motivates the user into compromising sensitive information, rather
than explicitly employing a brute force attack for breaching the user’s data. The
social engineering attack life cycle provides criminals a reliable process that can
easily deceive the victim. The steps involved in the social engineering life cycle
include:
Step 1. Target research: Preparation for an attack requires pre-planning from the
perpetrator. Research time is invested in identifying the target’s name, personal
details, and background information. Based on this information, the attack
methods/ channels are selected

Step 2. Target hook: In this step, the attacker engages the target victim with a
fabricated story that would be convincing, based on the information collected in
the first step. The goal of the attacker here is to win the confidence of the victim.

Step 3. The attack: Once the target has obtained the necessary trust, the goal now
shifts to extracting the information which is the real goal. Based on the intention,
the attacker then uses the information or sells it.

Step 4. Exit: Once the attack’s objective is complete, the window of engagement
is then closed by the attacker, typically with the goal of avoiding any detection or
suspicion. The attacker then attempts to cover their tracks and disappear to the best
of their ability.

Types of social engineering

 Social engineering attacks can be classified into two main categories:

1. Technology-based attacks

• A technology-based approach tricks a user into believing that he is

interacting with a ‘real’ computer system and convinces him to provide
confidential information. For example, the user will get a popup window
informing him that the computer application has had a problem and needs
immediate fixing.
• It will tell the user to reauthenticate a computer application to proceed. As
the user proceeds to reauthenticate, the user provides his ID and password on
the popup window itself. Once they enter the necessary credentials for
authentication, the harm is done.
• The hacker or the criminal who created the popup window now has access to
the user’s ID and password and can, therefore, access their network and
computer system.

2. Human interaction-based attacks

In a human interaction-based approach, the victim’s unawareness is exploited to
attack the system or network. This is typically accomplished whereby the attacker
pretends to be a person or authority the victim already knows while hiding their
identity.

PORT SCANNING
Port Scanning is done to try to determine which services we can connect to. Each
listening service provides attack surface which could potentially be abused by
attackers. As such it is important to learn which ports are open.
➢ Attackers are interested in knowing which applications are listening to on the
network. These applications represent opportunities for attackers.
➢ There might be vulnerabilities enabling them to attack successfully the
organization.
➢ Port Scanning works by sending packets to an application and looking for
any replies.
➢ This is exceptionally easy for TCP, as if a TCP service is available, it will
always reply with a SYN/ACK packet. For UDP however it is more difficult.
➢ To detect if the service is available or not, in most cases the attacker must
send specific input which forces the application to reply.
➢ Most applications hosted in UDP will not reply unless the Clients sends
exactly the input required to engage in communications.

TCP Port Scanning

TCP is an easy protocol to scan because the TCP standard dictates that systems
should reply with a SYN/ACK when receiving a SYN. We can send a SYN packet
to all 65536 ports and record all SYN/ACK's coming back and conclude the ports
which are opened based on the reply of a SYN/ACK. When no reply is received,
we can assume the port is closed or filtered by for example a Firewall.
With the SYN/ACK on port 445 we have identified the port is open.

UDP Port Scanning

With UDP it is harder to determine if a port is up or not. For UDP ports the scanner
cannot rely on a SYN/ACK. In fact, the scanner must almost always rely on
making the service listening cause some sort of reply.
With so many ports potentially open and different services only replying to the
correct kind of data, it becomes time-consuming and hard to scan all ports in a
reasonable time.
Consider the following conversation where Eve tries to figure out if a UPD port is
open:

Eve needs to talk the correct protocol, and make sure the packets reach their
destination, e.g. no packet loss. Otherwise, Eve might not discover the port is open.
Because of this UDP scanning can be very time consuming if we want to scan all
ports.

ENUMERATION
 • Enumeration is the process of systematically probing a target for information,
and it remains an essential tool in the hacker’s arsenal.
• Enumeration can provide attackers with a roadmap to enter a system by
identifying open ports, usernames, and passwords.
• When it comes to network security, enumeration is key. By enumerating a
system, you can gain a better understanding of that system and how it works.
• This knowledge can then be used to exploit vulnerabilities and gain access to
sensitive data.
• Several techniques can be used for enumeration, and your method will depend
on the type of system you are targeting.
• The most common methods include email IDs and usernames, default
passwords, and DNS zone transfer.
• Enumeration is the process of identifying all hosts on a network. This can be
done in several ways, but active and passive scanning is the most common
method.
• Active scanning involves sending out requests and analyzing the responses to
determine which hosts are active on the network.
• Passive scanning involves listening to traffic and then analyzing it to identify
hosts.
Types of Enumeration
There are many different types of enumeration. The most appropriate type will
depend on the situation and the required information:
• NetBIOS Enumeration: NetBIOS is a protocol that allows devices on a
network to share resources and communicate with each other. NetBIOS
enumeration is querying a device to identify what NetBIOS resources are
available. This can be done using tools like nbtstat and net view.
• SNMP Enumeration: SNMP is a protocol that allows devices to be managed
and monitored remotely. SNMP enumeration is querying a device to identify
what SNMP resources are available. This can be done using tools like SNMP-
check and SNMP walk.
• LDAP Enumeration: LDAP is a protocol that allows devices on a network
to share information about users and resources. LDAP enumeration is
querying a device to identify what LDAP resources are available. This can be
done using tools like ldapsearch and ldapenum.
• NTP Enumeration: NTP is a protocol that allows devices on a network to
synchronize their clocks with each other. NTP enumeration is querying a
device to identify what NTP resources are available. This can be done using
tools like Nmap and PRTG Network Monitor