CSDF_UNIT4
White hat hackers are authorized or certified hackers who work for governments and
organizations, performing penetration testing and identifying loopholes in their
cybersecurity. They also help protect against malicious cyber crime. Because they work
within the rules and regulations set by the government and by their client, they are
called ethical hackers or cybersecurity experts.
Black hat hackers are often called crackers. They gain unauthorized access to systems
and can destroy vital data. Their methods are the common hacking practices they have
learned earlier. They are considered criminals, and it is the malicious intent behind
their actions that distinguishes them from white hats.
Gray hat hackers fall somewhere between white hat and black hat hackers. They are not
legally authorized. They act with both good and bad intentions and may use their skills
for personal gain; it all depends on the hacker. A gray hat hacker who uses their skills
for personal gain is considered a black hat hacker.
Ethical hacking is the deliberate probing and testing of computer systems, networks, and
applications to identify and fix security vulnerabilities. An ethical hacker, also called
a white hat or pen tester, has the same goal: to enhance security within an
organization. This proactive approach strengthens organizational defenses against
cyberattacks, protects sensitive information, and supports compliance with security
standards and regulations. By understanding and simulating the techniques used by
cybercriminals, ethical hackers play a pivotal role in maintaining a good state of
cybersecurity and protecting digital assets.
Reporting: Ethical hackers report back to the organization with the results of the
tests.
Objective: The main goal is to find the holes before hostile attackers can penetrate
them. This includes discovering system, application, and network vulnerabilities that
an attacker could exploit.
Methodology: Ethical hackers perform these steps using a variety of tools and
techniques, similar to those used by criminal hackers. This includes scanning for
vulnerabilities, attempting to break in, and assessing the access control measures in
place.
Enhance Security: Identify and address flaws to stop data breaches and cyberattacks.
Management of risk: Assess and reduce potential threats to the assets of the
organization
Preparation and planning: Define the scope of the test, obtain the necessary
authorizations, and gather information about the target system.
Reconnaissance: Gather in-depth data about the target system, including information
about its network structure, IP addresses, and potential security holes.
Scanning: Scan the target system using a variety of tools and methods to look for
vulnerable services, open ports, and vulnerabilities.
Obtaining Entry: Attempt to gain access to the system by mimicking potential real-
world attacks by taking advantage of identified vulnerabilities.
Keeping Access Open: Test the ability to maintain access inside the system and assess
the persistence mechanisms an attacker could use.
Ethical hacking has advantages that go beyond simply enhancing security. These
include:
Preventing Data Breach: Organizations can avoid costly data breaches by identifying
vulnerabilities before attackers do.
Protecting Private Information: safeguards vital data from misuse and unauthorized
access.
Enhancing the System’s Resilience: makes applications and systems stronger and
more resistant to attacks.
1. Hardware Vulnerability:
For example:
Unprotected storage
2. Software Vulnerability:
For example:
Unverified uploads
Cross-site scripting
3. Network Vulnerability:
For example:
Unprotected communication
Misconfigured firewalls
4. Procedural Vulnerability:
Advantages of Exploits
Disadvantages of Exploits
Malicious Use: Exploits can be used by attackers to cause damage, steal data, or
gain unauthorized access.
Ethical Concerns: The creation and distribution of exploits pose ethical concerns,
especially when used for malicious purposes.
A zero-day exploit attacks a software, hardware, or firmware flaw that is unknown to
the vendor, or known but not yet patched. The name reflects that the vendor has had
zero days to fix the flaw when the attack begins. This kind of attack is considered
dangerous because no patch exists yet, so defenders cannot simply update. Zero-day
exploits typically target large organizations, government departments, firmware,
hardware devices, IoT, and users with access to valuable business data.
Exploitation: The attacker finds a way to use the weakness before the vendor has a
fix.
Attack: The exploit is launched; depending on the vulnerability, this may result in
leakage of important information, freezing or destruction of the operating system, or
access to restricted areas.
Patch and Update: The vendor releases a patch that closes the vulnerability, so that
users who apply it can no longer be exploited through it.
1. Information Gathering (Reconnaissance): This is the first phase, where the hacker
tries to collect information about the target. It may include identifying the target
and finding out the target's IP address range, network, DNS records, etc. Let's assume
that an attacker wants to compromise a website's contacts.
Using an OSINT tool such as Maltego, researching the target website (checking links,
jobs, job titles, email addresses, news, etc.), or a tool like HTTrack to download the
entire website for later enumeration, the hacker is able to determine staff names,
positions, and email addresses.
2. Scanning: This phase uses tools like war dialers, port scanners, network mappers,
ping sweepers, and vulnerability scanners. The hacker is now seeking any information
that can help perpetrate attacks, such as computer names, IP addresses, and user
accounts. With some basic information in hand, the hacker moves to the next phase and
begins to test the network for other avenues of attack. The hacker may use several
methods to help map the network (for example, the tools in Kali Linux, Maltego, and
finding an email address to contact to see what email server is in use). The hacker
looks for an automated email reply if possible, or, based on the information gathered,
may decide to email HR with an inquiry about a job posting.
3. Gaining Access: In this phase, the hacker designs a blueprint of the target's
network with the help of the data collected during Phase 1 and Phase 2. Having finished
enumerating and scanning the network, the hacker decides they have several options to
gain access.
For example, say the hacker chooses a phishing attack. The hacker decides to play it
safe and use a simple phishing attack to gain access, and picks the IT department as
the target. They see that there have been some recent hires who are likely not up to
speed on procedures yet. A phishing email is sent to the techs with a spoofed sender
address matching the CTO's real email address. The email links to a phishing website
that collects their logins and passwords.
Using any number of options (phone app, website email spoofing, Zmail, etc.) the
hacker sends an email asking the users to log in to a new Google portal with their
credentials. They already have the Social Engineering Toolkit running and send an
email with the server address, masking it with a bitly or tinyurl link.
Other options include creating a reverse TCP shell in a PDF using Metasploit (which
may be caught by the spam filter). Looking at the event calendar, they can set up an
Evil Twin access point and attempt a man-in-the-middle attack on users to gain access.
Variants of denial of service, stack-based buffer overflows, and session hijacking may
also be viable.
4. Maintaining Access: Once a hacker has gained access, they want to keep that
access for future exploitation and attacks. Once the hacker owns the system, they
can use it as a base to launch additional attacks.
In this case, the owned system is sometimes referred to as a zombie system. Now
that the hacker has multiple e-mail accounts, the hacker begins to test the accounts
on the domain. The hacker then creates a new administrator account for themselves,
following the existing naming structure, and tries to blend in. As a precaution,
the hacker begins to look for and identify accounts that have not been used for a
long time. The hacker assumes that these accounts are likely either forgotten or not
used so they change the password and elevate privileges to an administrator as a
secondary account in order to maintain access to the network. The hacker may also
send out emails to other users with an exploited file such as a PDF with a reverse
shell in order to extend their possible access. No overt exploitation or attacks will
occur at this time. If there is no evidence of detection, a waiting game is played
letting the victim think that nothing was disturbed. With access to an IT account, the
hacker begins to make copies of all emails, appointments, contacts, instant
messages and files to be sorted through and used later.
5. Clearing Tracks (so no one can reach them): Prior to the attack, the attacker would
change their MAC address and run the attacking machine through at least one VPN
to help cover their identity. They will not deliver a direct attack or any scanning
technique that would be deemed “noisy”.
Once access is gained and privileges have been escalated, the hacker seeks to cover
their tracks. This includes clearing out Sent emails, clearing server logs, temp files,
etc. The hacker will also look for indications of the email provider alerting the user
or possible unauthorized logins under their account.
4.5. Information Gathering (Active, Passive)
Information gathering collects data about the target's network architecture, system
configurations, employee details, and potential vulnerabilities. In the hands of
malicious actors, this information can be a precursor to a successful cyberattack.
The first stage in any professional penetration test is cyber reconnaissance. Getting
as much information as you can on the target is the aim of this phase. Technical
details on its systems and network structure are included in this.
However, it also contains data on the company and its personnel that could be
helpful later on in the penetration test. Your chances of success in the following
stages of the penetration test increase with the amount of information you obtain
during the reconnaissance phase.
Active information gathering and passive information gathering are the two forms
of cyber reconnaissance.
The active approach involves sending requests or probes to the target to elicit
responses and gain insights into its configuration, vulnerabilities, and potential
weaknesses. Active information gathering techniques are typically conducted with
the goal of assessing the security of a system or network and identifying
vulnerabilities.
Port Scanning:
Port scanning tools like Nmap are commonly used to identify open ports and
services running on a target system. Knowing which ports are open can provide
insights into potential entry points for attackers or areas that require security
hardening.
Vulnerability Scanning:
DNS Enumeration:
Active information gathering may involve querying the Domain Name System (DNS)
to discover information about a target's domain names, subdomains, and associated
IP addresses.
Banner Grabbing:
Banner grabbing involves connecting to network services, such as web servers, and
retrieving information from banners or headers that disclose details about the
software and versions in use.
Ping Sweeps:
These techniques involve sending ICMP echo requests (ping) or other network probes to
determine whether target hosts and devices are online.
Social Engineering:
While not technically network-based, social engineering and phishing attacks can be
considered active information gathering methods. They rely on manipulating individuals
into divulging sensitive information.
Passive reconnaissance often begins with OSINT, which involves collecting publicly
available information from various sources, such as websites, social media, public
databases, and online forums. This can include information about an organization's
employees, contact details, software versions, and other details.
Passive techniques may involve monitoring network traffic, such as network packet
captures or log analysis, to gather information about the target's infrastructure,
devices, and services.
Using search engines, passive information gathering can include conducting queries
to find sensitive or confidential information accidentally exposed on the internet, like
unsecured directories, login pages, or documents.
Passive DNS analysis involves reviewing historical DNS data to understand domain
name resolutions and track the evolution of a target's online presence. This can
provide insights into changes and associations.
Passive scanning of Wi-Fi networks can help identify network names (SSIDs),
encryption methods, and potentially open networks in the vicinity, revealing potential
security risks.
https://www.kali.org/docs/installation/hard-disk-install/
https://www.geeksforgeeks.org/kali-linux-command-line-essentials/
Step 1: Define the Scope
Clearly defining the scope of the vulnerability scanning process involves recognizing
the systems, networks, and applications that will be included in the scan. Establish
the goal of the scanning process, taking organizational priorities and risk
management into account.
Step 2: Identify and Map the Assets
The assets within the boundaries set in the previous step have to be located and
mapped. This includes servers, networks, databases, web-based applications, network
devices, etc. This step is crucial, since improper mapping and identification of the
assets could leave vulnerable assets undiscovered and unfixed.
Step 3: Profile the Assets
Once the assets have been identified and mapped, profile them to gain a thorough
understanding of their configuration, services, and operating system. This profiling
helps classify and group related asset types so that the appropriate kind of
vulnerability scan can be run against each group.
Step 4: Select the Vulnerability Scanning Tool
After profiling, select the vulnerability scanning tool. The requirements of the
organization, the configuration of the assets, and the desired level of detail are all
important considerations when choosing the right scanner.
Step 5: Configure the Scanner
After choosing the scanner, feed it the asset information and configure it according
to its specifications. Configuration includes setting the scanning parameters and
defining the scanning targets. For a more thorough (authenticated) scan, credentials
for the targets may also need to be configured.
Step 6: Run the Scan
Once everything is set up, start scanning the assets for vulnerabilities. The scanner
determines whether a system has vulnerabilities by comparing its properties with a
database of known flaws. The database is updated regularly so that new
vulnerabilities can be recognized and detected.
Step 7: Assess Severity
Identified vulnerabilities are assigned a risk level to indicate how serious they are.
This risk level helps the team prioritize remediation according to the possible
consequences and the likelihood that a vulnerability will be exploited. There are four
severity levels: low, medium, high, and critical.
The process of Vulnerability Scanning involves multiple systematic steps. All of them
are explained below in brief:
Finding and Creating an Asset Inventory: The first step of the scanning is to identify
the assets of the system that will be scanned and then their details such as the
Operating System, Network, Servers, Ports, Workstation, etc are mapped within the
scope of the scanning.
Initiating the Scanning: In the next step the scanner starts scanning the assets that
were gathered and marked in the previous step for known vulnerabilities. Techniques
such as port scanning, service identification, and vulnerability detection are used.
Remediation Planning: Based on the Vulnerability Report, the security team of the
organization develops the step-by-step process to mitigate the identified vulnerability.
This may include applying and developing the patches, reconfiguring the settings of
those applications, and implementing additional security controls.
a. Footprinting
Footprinting means gathering information about a target system that can be used to
execute a successful cyber attack. To get this information, a hacker may use various
methods and tools. This information is the hacker's first step toward compromising a
system. There are two types of footprinting, active and passive, as described under
Information Gathering above.
Different kinds of information that can be gathered from Footprinting are as follows:
The operating system of the target machine
Firewall
IP address
Network map
Server configurations
URLs
VPN
Social Media: Most people tend to put a great deal of their information online.
Hackers make heavy use of this sensitive information. They may create a fake account
that looks real in order to be added as a friend, or follow someone's account, to
harvest their information.
Job websites: Organizations share some confidential data on job websites like
monsterindia.com. For example, a company posts: "Job Opening for Lighttpd 2.0 Server
Administrator". From this it can be inferred that the organization uses version 2.0 of
the Lighttpd web server.
Google: Search engines such as Google can perform far more powerful searches than most
people realize. Hackers and attackers use this for what has been termed Google
hacking. Basic search techniques combined with advanced operators can do great damage.
Search operators include "inurl:", "allinurl:", "filetype:", etc.
For example, devices connected to the Internet can be found. A search string such as
inurl:"ViewerFrame?Mode=" will find public web cameras. The "link:" search operator
that Google used to have was turned off in 2017.
Google can be used to uncover many pieces of sensitive information that should not be
revealed. A term even exists for the people who blindly post this information on the
internet: they are called "Google dorks" (the same name is now commonly used for the
search queries themselves).
Social Engineering: There are various techniques in this category. A few of them are:
Eavesdropping: The attacker tries to record a personal conversation between the target
victim and someone else, held over a communication medium such as the telephone.
Shoulder Surfing: In this technique, the attacker tries to capture personal information
such as an email ID or password by looking over the victim's shoulder while the victim
is typing or writing those details.
Archive.org: An archived version is an older version of a website as it existed at
some earlier time, before many of its features were changed. archive.org is a website
that collects snapshots of websites at regular intervals. It can be used to find
information that no longer exists on the site but existed before.
An Organization’s Website: It’s the best place to begin for an attacker. If an attacker
wants to look for open-source information, which is information freely provided to
clients, customers, or the general public then simply the best option is:
“ORGANISATION’s WEBSITE”.
Using Neo Trace: NeoTrace is a powerful tool for getting path information. The
graphical display displays the route between you and the remote site, including all
intermediate nodes and their information. NeoTrace is a well-known GUI route tracer
program. Along with a graphical route, it also displays information on each node
such as IP address, contact information, and location.
Whois: Whois lookups serve hackers well. Through a whois service, information about a
domain name, the registrant's email address, the domain owner, etc. can be traced.
Basically, this serves as a way of website footprinting.
Advantages:
Footprinting lets the hacker identify which attack is the most convenient way to
compromise the target system.
b. Scanning
Active Scanning
Passive Scanning
Scanning is more than just port scanning, but it is a very important part of this
process. Scanning allows you to identify open ports on the target system and can be
used for port mapping, performing an interactive session with the operating system
via those ports, or even redirecting traffic from these open ports. There are many
tasks that can be performed with a scanning tool.
TCP connect scan: This scan uses the operating system's connect() call, so it completes
the full three-way handshake (SYN, SYN/ACK, ACK) with each target port. It needs no
special privileges and reliably reports open ports, but it is noisy: the completed
connection is visible to the target application and is usually logged.
TCP SYN port scan: Also called a half-open or stealth scan. The scanner sends a raw TCP
SYN packet to each port; a SYN/ACK reply means the port is open, an RST means it is
closed, and no reply suggests it is filtered. Instead of completing the handshake, the
scanner answers the SYN/ACK with an RST, so the connection is never fully established
and many applications do not log it. This scan requires raw socket (root) privileges.
Network Scanning: Network scanning is used to identify the devices and services
that are running on a target network, determine their operating systems and
software versions, and identify any potential security risks or vulnerabilities. Network
scanning can be performed manually or automated using software tools, and can
target specific systems or an entire network.
c. Password Cracking
Password cracking is the process of recovering a password by trying many possible
candidates. It includes guessing attacks, rainbow table attacks, and dictionary
attacks, and is one of the techniques hackers use to gain access to sensitive data,
financial information, or a person's account.
A brute force attack is a well-known cracking technique; by some accounts, brute force
attacks represent five percent of confirmed security breaches. A brute force attack
involves guessing usernames and passwords to gain unauthorized access to a system.
Brute force is a straightforward attack strategy with a high success rate.
Some attackers use applications and scripts as brute force tools. These tools try many
password combinations to bypass authentication. In other cases, attackers try to gain
access to web applications by searching for a valid session ID. Attacker motivation
may include stealing data, infecting sites with malware, or disrupting service.
While some attackers still perform brute force attacks manually, today practically all
brute force attacks are performed by bots. Attackers have lists of commonly used
credentials, or real user credentials obtained through security breaches or the dark
web. Bots systematically attack websites, try these lists of credentials, and notify
the attacker when they gain access.
Rainbow table attacks: a rainbow table is a precomputed table for reversing
cryptographic hash functions. It can be used to recover a password up to a certain
length consisting of a limited set of characters.
Hybrid brute force attacks: start from outside logic to decide which password
variations are most likely to succeed, then continue with the simple approach to try
many possible variations.
Simple brute force attack: uses a systematic approach to guessing that does not rely
on outside logic.
To protect your organization from brute force password hacking, enforce the use of
strong passwords.
Passwords should:
Never use information that can be found online (like names of family members).
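As an added illustration of the attacks above (not part of the original notes), the Python below runs a dictionary attack, a hybrid attack with suffix and capitalisation rules, and a precomputed hash-to-plaintext table, which is the rainbow table idea in its simplest form (a real rainbow table compresses the table with hash/reduce chains). The wordlist, target passwords and salt are constructed for the example; the hash is unsalted SHA-256 to keep the demonstration short, which is exactly what makes the precomputed table work and what a salt defeats. The last function checks the page's guidance that passwords must not contain personal details.

```python
import hashlib

# Constructed wordlist standing in for a real one such as rockyou.txt.
CONSTRUCTED_WORDLIST = ["123456", "password", "qwerty", "summer", "letmein",
                        "welcome", "dragon", "monkey"]


def sha256_hex(password, salt=b""):
    """Unsalted (salt=b"") or salted SHA-256 as a stand-in for a password store.
    Real systems should use a slow, salted KDF (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist, salt=b""):
    """Simple dictionary attack: hash each candidate word and compare."""
    for word in wordlist:
        if sha256_hex(word, salt) == target_hash:
            return word
    return None


def hybrid_attack(target_hash, wordlist, suffixes, salt=b""):
    """Hybrid attack: dictionary words plus mangling rules (capitalised first
    letter, appended suffixes), the 'outside logic' the text refers to."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in [""] + list(suffixes):
                candidate = base + suffix
                if sha256_hex(candidate, salt) == target_hash:
                    return candidate
    return None


def build_lookup_table(wordlist, suffixes=()):
    """Precomputed hash -> plaintext table (rainbow table, simplest form).
    It only works for unsalted hashes: one table then covers every user of
    the same hash function."""
    table = {}
    for word in wordlist:
        for suffix in [""] + list(suffixes):
            table[sha256_hex(word + suffix)] = word + suffix
    return table


def lookup(table, target_hash):
    """Instant recovery if the hash was precomputed, else None."""
    return table.get(target_hash)


def violates_policy(password, personal_info, min_length=12):
    """Return the reasons a password breaks the page's guidance: too short,
    or containing details that can be found online (names, years, pets)."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    lowered = password.lower()
    for item in personal_info:
        if item.lower() in lowered:
            reasons.append(f"contains personal info: {item}")
    return reasons


if __name__ == "__main__":
    target = sha256_hex("Summer2024")          # constructed victim password
    print("dictionary:", dictionary_attack(target, CONSTRUCTED_WORDLIST))
    print("hybrid:    ", hybrid_attack(target, CONSTRUCTED_WORDLIST, ["2024", "!", "123"]))
    table = build_lookup_table(CONSTRUCTED_WORDLIST, ["2024", "!"])
    print("table, unsalted:", lookup(table, sha256_hex("password2024")))
    print("table, salted:  ", lookup(table, sha256_hex("password2024", b"s4lt")))
    print("policy:", violates_policy("Rex2019!!", ["Rex", "2019"]))
```

The salted lookup returns None because the table was built without the salt; an attacker would have to rebuild it per salt, which is the whole point of salting. A slow KDF then makes even that per-user rebuild expensive.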
e. Injection Attacks
Injection attacks can include calls to the operating system via system calls, the use
of external programs via shell commands or calls to backend databases using SQL.
Whenever an application uses an interpreter, it risks introducing an injection
vulnerability. Scripts written in Perl, Python and other languages can be injected into
a poorly designed application and then executed, giving the attacker control over its
behavior.
Code injection: Code injection is the term used to describe attacks that inject code
into an application. The injected code is then interpreted by the application,
changing the way the program executes.
CRLF injection: CRLF stands for carriage return, line feed. According to OWASP, "a
CRLF Injection attack occurs when a user manages to submit a CRLF into an
application. This is most commonly done by modifying an HTTP parameter or URL."
Email header injection: Also known as mail header injection, it works like other
header injections but targets email and email-based forms, to send spam or phishing
emails.
LDAP injection: Occurs when untrusted data is used in dynamic LDAP queries.
SQL injection: Occurs when untrusted data is used in dynamic database queries. An SQL
injection attack consists of the insertion or injection of SQL via the input data sent
from the client to the application.
Expression Language injection: Occurs when untrusted data is used in the evaluation of
JSP Expression Language. EL injection enables an attacker to view server-side data and
other configuration details and variables, including sensitive code and data
(passwords, database queries, etc.).
JNDI injection: Occurs when untrusted data is used in a Java Naming and Directory
Interface (JNDI) lookup.
Log injection: Occurs when untrusted data is written into log files.
Reflection injection: Occurs when untrusted data is used in a reflection API.
SMTP injection: Occurs when untrusted data is used in sensitive parts of an SMTP
message.
XML External Entity injection (XXE): Occurs when external entities are processed
during XML parsing.
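Added example (not from the original notes), in Python with an in-memory SQLite database: the vulnerable login pastes user input into the SQL text, so the username admin' -- turns the password check into a comment, while the hardened version passes the values as query parameters. The same vulnerable/hardened pair is shown for CRLF injection into HTTP response headers. The table, users, passwords and header values are constructed for the example.

```python
import hashlib
import sqlite3

# Constructed in-memory user store (not a real application's schema).
CONSTRUCTED_USERS = [(1, "admin", "correct-horse"), (2, "alice", "hunter2")]


def hash_pw(password):
    # Plain SHA-256 keeps the example short; real systems use bcrypt/scrypt/Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(uid, user, hash_pw(pw)) for uid, user, pw in CONSTRUCTED_USERS])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """VULNERABLE: untrusted input becomes part of the SQL text. With the
    username  admin' --  the query reads
      ... WHERE username = 'admin' --' AND pw_hash = '...'
    and everything after -- is a comment, so the password is never checked."""
    query = ("SELECT id FROM users WHERE username = '" + username
             + "' AND pw_hash = '" + hash_pw(password) + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """HARDENED: parameterised query. The driver sends the values separately
    from the SQL, so a quote or -- in the input is only ever data."""
    row = conn.execute("SELECT id FROM users WHERE username = ? AND pw_hash = ?",
                       (username, hash_pw(password))).fetchone()
    return row is not None


def header_value_is_safe(value):
    """A header value must not contain CR or LF; otherwise it can end the
    header and smuggle in extra headers (CRLF / header injection)."""
    return "\r" not in value and "\n" not in value


def set_header_vulnerable(headers, name, value):
    """VULNERABLE: the value is emitted as-is, line terminators included."""
    headers.append(f"{name}: {value}")
    return headers


def set_header_safe(headers, name, value):
    """HARDENED: reject any value carrying a line terminator."""
    if not header_value_is_safe(value):
        raise ValueError("header value must not contain CR or LF")
    headers.append(f"{name}: {value}")
    return headers


def render_headers(headers):
    return "\r\n".join(headers) + "\r\n"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected username:", login_vulnerable(db, "admin' --", "x"))
    print("safe, injected username:      ", login_safe(db, "admin' --", "x"))
    evil = "/home\r\nSet-Cookie: session=attacker"    # constructed attacker input
    print(repr(render_headers(set_header_vulnerable([], "Location", evil))))
```

The injected value is deliberately a username rather than a password, so the demonstration still works when passwords are stored hashed: the injection bypasses the comparison, it does not need to match it.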
f. Phishing Attacks
Phishing is another type of cyber attack. The name is a play on "fishing": bait is
put out and the fish gets trapped, and phishing works the same way. It is an unethical
way to dupe a user or victim into clicking on a harmful site. The attacker crafts the
harmful site so that the victim believes it to be authentic, and thus falls prey to it.
The most common mode of phishing is sending spam emails that appear to be authentic
and thereby taking all the victim's credentials. The main motive of the attacker
behind phishing is to gain confidential information such as:
Password
Date of birth
The attacker uses this information to further target the user, impersonate the user,
and commit data theft. The most common type of phishing attack happens through
email. Phishing victims are tricked into revealing information that they know should
be kept private. The genuine logo of the impersonated sender is used to make the user
believe that it is indeed a genuine email. But if we carefully look at the details, we
will find that the URL or web address is not authentic.
There are several types of phishing attacks; the ones mentioned below are very common
and widely used by attackers.
Email Phishing: The most common type where users are tricked into clicking
unverified spam emails and leaking secret data. Hackers impersonate a legitimate
identity and send emails to mass victims. Generally, the goal of the attacker is to get
personal details like bank details, credit card numbers, user IDs, and passwords of
any online shopping website, installing malware, etc. After getting the personal
information, they use this information to steal money from the user’s account or
harm the target system, etc.
Whaling: Whaling is just like spear phishing, but the main targets are the heads of
the company, such as the CEO or CFO. A high-pressure email is sent to such executives
so that they do not have much time to think, and so fall prey to the phishing.
Smishing: In this type of phishing attack, the medium of phishing attack is SMS.
Smishing works similarly to email phishing. SMS texts are sent to victims containing
links to phished websites or invite the victims to call a phone number or to contact
the sender using the given email. The victim is then invited to enter their personal
information like bank details, credit card information, user ID/ password, etc. Then
using this information the attacker harms the victim.
Vishing: Vishing is also known as voice phishing. In this method, the attacker calls
the victim using modern caller ID spoofing to convince the victim that the call is from
a trusted source. Attackers also use IVR to make it difficult for legal authorities to
trace the attacker. It is generally used to steal credit card numbers or confidential
data from the victim.
Clone Phishing: In this type of phishing attack, the attacker copies an email message
that was sent from a trusted source and alters it by adding a link that redirects the
victim to a malicious or fake website. The attacker then sends this mail to a large
number of users and waits to see who clicks on the link or attachment. It can spread
further through the contacts of a user who has clicked.
One of the biggest risks in blockchain and cryptocurrency systems is the security of
private keys, which can be compromised through phishing, malware, or poor key
management practices, allowing attackers to gain access to funds.
51% Attack:
This attack occurs when a malicious entity gains control of over 50% of the
network's mining power, enabling them to manipulate transactions or even reverse
completed transactions.
Eclipse Attack:
Vector76 Attack:
Attackers often target human vulnerabilities, such as phishing emails, to trick users
into revealing their private keys.
Port scanning is done to determine which services we can connect to. Each listening
service provides attack surface that could potentially be abused by attackers, so it is
important to learn which ports are open.
Attackers are interested in knowing which applications are listening on the network.
These applications represent opportunities for attackers. There might be
vulnerabilities enabling them to attack successfully the organization.
Port scanning works by sending packets to a port and looking for a reply. This is easy
for TCP: if a TCP service is listening, it answers a SYN with a SYN/ACK. UDP is harder.
In most cases the scanner must send the specific input that forces the application to
reply; most UDP applications stay silent unless the client sends exactly the input
required to start a conversation.
TCP is an easy protocol to scan because the TCP standard dictates that a system should
reply with a SYN/ACK when a SYN arrives at a listening port, and with an RST when it
arrives at a closed one. We can send a SYN packet to all 65,535 ports, record the
SYN/ACKs that come back, and conclude which ports are open. An RST tells us the port is
closed; no reply at all usually means the packet was dropped by a firewall, so the
port is reported as filtered.
With UDP it is harder to determine whether a port is open. The scanner cannot rely on
a SYN/ACK; it must almost always rely on making the listening service produce some
sort of reply. (An ICMP port unreachable message does indicate a closed UDP port, but
many hosts rate-limit or suppress it.)
With so many ports potentially open, and different services only replying to the
correct kind of data, it becomes time consuming and hard to scan all UDP ports in a
reasonable time.
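The following is an added example (not from the original notes) of the connect scan and banner grabbing described in the Scanning and Port Scanning passages above, in Python. It starts a throwaway listener on 127.0.0.1 with a made-up SSH-style banner so that it runs offline; the banner text, the service table and the port numbers are constructed for the example. The point to watch is how the three outcomes of a connect() call map onto open, closed (RST, seen as connection refused) and filtered (no reply before the timeout):

```python
import socket
import threading

# Constructed target: a local TCP listener that greets each client with a
# banner, the way an SSH or SMTP daemon would. The banner string is made up.
CONSTRUCTED_BANNER = b"SSH-2.0-ExampleServer_1.0\r\n"


def start_banner_listener(banner=CONSTRUCTED_BANNER):
    """Start a throwaway server on 127.0.0.1 (port chosen by the OS).
    Returns (port, stop) where stop() shuts the server down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)           # lets the accept loop notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def pick_closed_port():
    """Bind a free port and release it: nothing is listening there now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def identify_service(banner):
    """Crude service identification from the first bytes a server sends."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith(b"220 "):
        return "smtp-or-ftp"          # both greet with a 220 line
    if banner.startswith(b"HTTP/"):
        return "http"
    return "unknown" if banner else "no-banner"


def connect_scan(host, ports, timeout=1.0):
    """TCP connect scan: connect() completes the full three-way handshake.

    Per port: ("open", banner, service) when the handshake completes,
    ("closed", b"", None) when the target answers with RST (refused), and
    ("filtered", b"", None) when nothing comes back before the timeout,
    the usual signature of a firewall silently dropping the SYN.
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except ConnectionRefusedError:        # RST came back
                results[port] = ("closed", b"", None)
                continue
            except (socket.timeout, OSError):     # no answer in time
                results[port] = ("filtered", b"", None)
                continue
            # Banner grabbing: many services speak first, so read what they send.
            try:
                banner = s.recv(256).strip()
            except (socket.timeout, OSError):
                banner = b""
            results[port] = ("open", banner, identify_service(banner))
    return results


def open_ports(results):
    return sorted(p for p, (state, _, _) in results.items() if state == "open")


if __name__ == "__main__":
    port, stop = start_banner_listener()
    scan = connect_scan("127.0.0.1", [port, pick_closed_port()])
    for p, (state, banner, service) in sorted(scan.items()):
        print(f"{p:5d}/tcp {state:8s} {service or '':12s} {banner!r}")
    stop()
```

Because connect() completes the handshake, the listener sees and may log every probe; the half-open SYN scan described above avoids that but needs raw sockets and root, which is why this unprivileged variant is the one shown here. Against a real host, replace the loopback listener with the target and a port range.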
4.8. Remote Administration Tool (RAT)
Sometimes, when our system has a fault, a technician accesses our computer remotely
over the internet and fixes the fault.
But many such remote administration tools are used by hackers to get access to your
computer, steal important information from it, and damage your data. Usually, hackers
attach malicious code to something like a game or movie; when you download it, the
code enters your system and the hacker can then easily access it.
If you have to access a system remotely, the basic requirement is that both devices are connected to the internet.
Using RAT software, the user can remotely connect to a host system at any other location.
Hackers make this connection when you are connected to the internet and perform malicious tasks such as adding data, stealing data, corrupting files, shutting down the device, etc.
Installation of RAT
Manually: You can install a legitimate RAT on your system yourself, or have someone who knows how to install it do so. Hackers, on the other hand, have their own techniques for installing a RAT on your system.
Stealthy: Hackers attach these programs to a file on the internet, such as a movie or game. When you download it, the malicious software also gets installed on your system and the system can then be accessed.
Hackers use a RAT only for illegal activities, such as the ones given below:
Hackers can create, delete, rename, copy, or edit any file.
The attacker can also use a RAT for executing various commands, changing system settings, and running and controlling applications on the victim’s PC.
Hackers can control hardware and shut down or restart a computer without asking the user’s permission.
Hackers can steal passwords, login names, personal documents, and other credentials.
DarkComet: DarkComet is one of the best-known free RATs and also one of the oldest. It has a polished graphical UI that lets the client control the remote system. It works best on Windows and can control any Windows device very smoothly.
BlackShades: This RAT is considered even better than DarkComet; it is stable, reliable, and easy to use. It is also the fastest RAT ever built on .NET and supports Windows.
JSpy: JSpy RAT is the same as Pussy RAT, created by the same person, with some improvements; in 2013 it was free. It is a decent RAT and one of the safest.
Be careful when you are using the internet and downloading files online.
API Security – Automated API protection ensures your API endpoints are protected
as they are published, shielding your applications from exploitation.
Advanced Bot Protection – Prevent business logic attacks from all access points –
websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic
to stop online fraud through account takeover or competitive price scraping.
DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on-premises or cloud-based assets, whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.
Attack Analytics – Ensures complete visibility with machine learning and domain
expertise across the application security stack to reveal patterns in the noise and
detect application attacks, enabling you to isolate and prevent attack campaigns.
Client-Side Protection – Gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud and prevent data breaches and client-side attacks.
Sniffing as a cyberattack
Sniffing is a cyberattack technique that involves intercepting and reading data
transmitted over a network.
Attackers can use packet sniffers to gain access to sensitive information like login
credentials, financial information, and email messages.
Attackers can also use sniffers to inject malicious code into target systems.
The term “sniffing” is defined in RFC 2301 as: “Any act of capturing network traffic
and replaying it, usually for the purpose of espionage or sabotage.”
This definition is not accurate for UNIX-based systems, since any traffic can be sniffed as long as the attacker either has access to the network interfaces (NICs) or modifies packets that could not be altered in transit. Sniffing can be performed using a special program like tcpdump, tcpflow, or LanMon that is connected to a port over which the packets can be inspected remotely.
Another sniffing attack, called ARP spoofing, involves sending forged Address Resolution Protocol (ARP) messages onto the Ethernet data link layer. These messages associate a victim machine’s IP address with a different MAC address, leading the targeted machine to send all its traffic intended for the victim through an attacker-controlled host.
This is used both to hijack sessions and to flood the network in a denial-of-service attack (see Smurf attack).
Every IP packet contains, in addition to its payload, two fields: an IP header, and an Ethernet header encapsulating it.
The Ethernet header contains the destination MAC address (the hardware address of the recipient machine), and the EtherType field contains a value indicating what type of service is requested (e.g., precedence or flow control).
The EtherType could be “0xFFFF”, indicating that no service fields were included for the Ethernet frame. This was used in Cisco’s implementation prior to version 8.0.
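The two passages above fit together from a monitoring point of view: an ARP reply is an Ethernet frame whose header carries the destination MAC, the source MAC and an EtherType (0x0806 for ARP), and a forged reply shows up as a second hardware address answering for an IP that another host already claimed. The code below is an added example, not part of the original notes: it parses the Ethernet header and the ARP packet from raw bytes and alerts whenever one IP is claimed by more than one MAC. The sample frames are constructed in the block itself; the MAC and IP values are made up.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806   # EtherType value that marks an ARP packet inside the frame
ARP_REPLY = 2            # ARP opcode for a reply ("IP x is at MAC y")

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_ethernet(frame):
    """Split a raw Ethernet II frame into (dst_mac, src_mac, ethertype, payload)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), etype, frame[14:]

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip, target_ip) from an ARP packet."""
    _, _, _, _, op, sha, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    return op, mac_str(sha), ".".join(map(str, spa)), ".".join(map(str, tpa))

def arp_reply_frame(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP reply frame; used only to create sample input here."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp

def detect_arp_spoofing(frames):
    """Return [(ip, [mac, ...])] for every IP that more than one MAC claims in replies."""
    claimed = defaultdict(set)      # sender IP -> MACs that have answered for it
    alerts = []
    for frame in frames:
        _, _, etype, payload = parse_ethernet(frame)
        if etype != ETHERTYPE_ARP:  # e.g. 0x0800 IPv4: not interesting here
            continue
        op, sha, spa, _ = parse_arp(payload)
        if op != ARP_REPLY:
            continue
        claimed[spa].add(sha)
        if len(claimed[spa]) > 1:   # two different hardware addresses for one IP
            alerts.append((spa, sorted(claimed[spa])))
    return alerts

# Constructed traffic: the gateway (aa:..:01) answers for 10.0.0.1, a host replies
# for its own address, then a third MAC also claims 10.0.0.1 (the forged reply).
SAMPLE_FRAMES = [
    arp_reply_frame("aa:aa:aa:aa:aa:01", "10.0.0.1", "bb:bb:bb:bb:bb:20", "10.0.0.20"),
    arp_reply_frame("bb:bb:bb:bb:bb:20", "10.0.0.20", "aa:aa:aa:aa:aa:01", "10.0.0.1"),
    arp_reply_frame("cc:cc:cc:cc:cc:99", "10.0.0.1", "bb:bb:bb:bb:bb:20", "10.0.0.20"),
]
```

A real deployment would feed captured frames in instead of SAMPLE_FRAMES and would want to age out old claims, since a legitimately replaced network card also changes the MAC for an IP.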
There are many ways to do Session Hijacking. Some of them are given below –