
Unit 5

IPsec
IPsec (Internet Protocol Security) is an Internet Engineering Task Force (IETF) standard
suite of protocols that secures traffic between two communicating points across an IP
network, providing data-origin authentication, integrity, and confidentiality. It defines the
packet formats used to carry encrypted and authenticated data, and the protocols needed for
secure key exchange and key management.
Uses of IP Security
IPsec can be used to do the following things:
 To encrypt application layer data.
 To provide security for routers sending routing data across the public internet.
 To provide authentication without encryption, for example to verify that the data
originates from a known sender.
 To protect network data by setting up circuits using IPsec tunneling, in which all data
sent between the two endpoints is encrypted, as with a Virtual Private Network (VPN)
connection.
Components of IP Security
It has the following components:
1. Encapsulating Security Payload (ESP)
2. Authentication Header (AH)
3. Internet Key Exchange (IKE)
1. Encapsulating Security Payload (ESP): It provides confidentiality (encryption) of the
payload and, optionally, data-origin authentication, integrity, and anti-replay protection.
Unlike AH, its integrity check covers the ESP header and payload but not the outer IP header.
2. Authentication Header (AH): It provides data-origin authentication, integrity, and anti-
replay protection, but no encryption. Anti-replay protection lets the receiver detect and
discard packets that an attacker captured and retransmitted. AH does not protect data
confidentiality.

(Figure: IP Header)

3. Internet Key Exchange (IKE): It is a network security protocol that dynamically
negotiates encryption keys and establishes a Security Association (SA) between two devices.
A Security Association is a set of shared security attributes (algorithms, keys, SPI, lifetime)
between two network entities that supports secure communication. The Internet Security
Association and Key Management Protocol (ISAKMP) provides the framework for
authentication and key exchange: it defines how Security Associations are set up and how two
hosts establish direct, IPsec-protected connections. IKE protects the content of its own
messages and provides an open framework for plugging in standard algorithms such as SHA
and MD5 (MD5 and SHA-1 are deprecated for new deployments; HMAC-SHA-256 is the
usual choice today). Using the negotiated integrity algorithm, the IPsec sender computes an
integrity check value for each packet. The receiver recomputes it and so determines whether
the packet is authentic and unmodified. Packets that fail the check are discarded and never
delivered to the receiving application.
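An added example (not part of the original notes) showing what ESP/AH integrity and anti-replay protection look like on the receiving side: a simplified packet of SPI | sequence number | payload | ICV, an HMAC-SHA-256 ICV truncated to 128 bits, and the 64-packet sliding window of RFC 4303. The key, the SPI and the packet layout are constructed for the example; real ESP also carries padding, a next-header field and encryption, which are omitted here.

```python
import hmac
import hashlib
import struct

# Constructed example values: a real SA gets its key from IKE and its SPI from the peer.
SA_AUTH_KEY = b"example-sa-authentication-key-32b"
SA_SPI = 0x1000
WINDOW_SIZE = 64     # RFC 4303 mandates a minimum anti-replay window of 32; 64 is a common default
ICV_LEN = 16         # truncated HMAC output, as in HMAC-SHA-256-128


def compute_icv(key: bytes, data: bytes) -> bytes:
    """Integrity check value: keyed hash over the header and payload."""
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def make_packet(seq: int, payload: bytes, key: bytes = SA_AUTH_KEY) -> bytes:
    """Sender side: SPI | sequence number | payload | ICV (simplified AH/ESP layout)."""
    header = struct.pack("!II", SA_SPI, seq)
    return header + payload + compute_icv(key, header + payload)


class InboundSA:
    """Receiver side of one security association.

    Order of checks follows RFC 4303 section 3.4.3: the sequence number is tested
    against the sliding window first (so replays are rejected before any crypto
    is spent on them), the ICV is verified next, and only a packet that passes
    both updates the window.
    """

    def __init__(self, key: bytes = SA_AUTH_KEY, window: int = WINDOW_SIZE):
        self.key = key
        self.window = window
        self.highest = 0   # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0    # bit i set => sequence number (highest - i) already accepted

    def _window_check(self, seq: int):
        """Return a rejection reason, or None if seq is acceptable so far."""
        if seq == 0:
            return "seq 0 not allowed"          # sequence numbers start at 1
        if seq > self.highest:
            return None                         # right of the window: new packet
        offset = self.highest - seq
        if offset >= self.window:
            return "replay (too old)"           # left of the window
        if self.bitmap & (1 << offset):
            return "replay (duplicate)"         # inside the window, already seen
        return None

    def _window_update(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) & ((1 << self.window) - 1)) | 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        """Return (payload, status); payload is None when the packet is discarded."""
        if len(packet) < 8 + ICV_LEN:
            return None, "discarded: too short"
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", header)
        if spi != SA_SPI:
            return None, "discarded: unknown SPI"
        reason = self._window_check(seq)
        if reason:
            return None, "discarded: " + reason
        if not hmac.compare_digest(icv, compute_icv(self.key, header + body)):
            return None, "discarded: bad ICV"    # forged or corrupted; window untouched
        self._window_update(seq)
        return body, "accepted"


if __name__ == "__main__":
    sa = InboundSA()
    for seq in (1, 2, 1, 100, 30, 50, 50):
        print(seq, sa.receive(make_packet(seq, b"data"))[1])
    forged = bytearray(make_packet(101, b"data"))
    forged[8] ^= 0x01                            # flip one payload bit
    print("tampered", sa.receive(bytes(forged))[1])
```

The window is the reason sequence numbers matter: without it a valid, authenticated packet could be captured and injected again later. Note that a packet failing the ICV does not move the window, so an attacker cannot use forged packets to push legitimate ones out of it.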
(Figure: Packets in Internet Protocol)

IP Security Architecture
The IPsec architecture uses two protocols to secure the traffic flow: ESP (Encapsulating
Security Payload) and AH (Authentication Header). The architecture also comprises the
cryptographic algorithms, the Domain of Interpretation (DOI, which assigns the identifiers
for algorithms and SA attributes so that IKE and IPsec agree on them), and key management
(IKE). All these components are needed to provide the three main services:
 Confidentiality
 Authenticity
 Integrity

(Figure: IP Security Architecture)

How IPsec Works

 The host checks its security policy to decide whether a packet must be protected with
IPsec. When the packet's addresses, protocol and ports match a protect policy, IPsec
processing is triggered and the sending system applies the required encryption and
authentication. Incoming packets are likewise checked by the host against its policy to
verify that they were protected as required.
 IKE Phase 1 then starts, in which the two IPsec hosts authenticate to each other and
establish a secure channel (the IKE SA). Phase 1 has two modes: Main mode, which
provides greater security because identities are exchanged only after encryption is in
place, and Aggressive mode, which establishes the IPsec circuit more quickly with fewer
messages but sends identity information in the clear.
 The channel created in the previous step is then used to securely negotiate how the IPsec
SAs will protect data across the IP circuit.
 IKE Phase 2 (Quick mode) is conducted over the secure channel: the two hosts negotiate
the cryptographic algorithms to use on the session and agree on secret keying material to
be used with those algorithms.
 Data is then exchanged across the newly created IPsec tunnel. These packets are
encrypted and decrypted by the hosts using the IPsec SAs.
 When communication between the hosts is complete or the session times out, the IPsec
tunnel is terminated and both hosts discard the keys.
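The two phases above, as an added key-derivation example that is not from the original notes: it follows the structure of IKEv1's Phase 1 SKEYID derivation and Phase 2 KEYMAT expansion in RFC 2409 section 5, with HMAC-SHA-256 assumed as the negotiated PRF. The Diffie-Hellman exchange itself is omitted, so g^xy, the nonces, the cookies and the SPIs are constructed literals. What the example shows is that both peers derive identical keys from the same inputs, and that each direction's SA gets different keys because its SPI differs.

```python
import hmac
import hashlib

# IPsec DOI protocol identifiers (RFC 2407): 2 = AH, 3 = ESP
PROTO_AH, PROTO_ESP = 2, 3


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 negotiates the PRF; HMAC-SHA-256 is assumed for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1_keys(ni: bytes, nr: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """Phase 1 keying as in RFC 2409 section 5 (signature authentication).

    SKEYID is the root; SKEYID_d seeds Phase 2 keys, SKEYID_a authenticates
    IKE messages and SKEYID_e encrypts them. Both peers compute identical values
    because both know the nonces, the cookies and the DH shared secret g^xy.
    """
    skeyid = prf(ni + nr, g_xy)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase2_keymat(skeyid_d: bytes, protocol: int, spi: bytes,
                  ni: bytes, nr: bytes, needed: int) -> bytes:
    """Phase 2 (Quick mode, no PFS) keying material, RFC 2409 section 5.5:
    K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), K2 = prf(SKEYID_d, K1 | same seed), ...
    KEYMAT = K1 | K2 | ... truncated to the number of bytes the chosen algorithms need."""
    seed = bytes([protocol]) + spi + ni + nr
    block = prf(skeyid_d, seed)
    keymat = block
    while len(keymat) < needed:
        block = prf(skeyid_d, block + seed)
        keymat += block
    return keymat[:needed]


def split_keymat(keymat: bytes, enc_len: int, auth_len: int) -> dict:
    """Encryption key first, then the integrity key (the convention of both IKE versions)."""
    return {"enc": keymat[:enc_len], "auth": keymat[enc_len:enc_len + auth_len]}


def derive_esp_sa_pair(g_xy, ni, nr, cky_i, cky_r, ni2, nr2, spi_in, spi_out,
                       enc_len=32, auth_len=32):
    """Run Phase 1 and Phase 2 for one peer and return the keys of its inbound and
    outbound ESP SAs. Each direction has its own SPI and therefore its own keys."""
    p1 = phase1_keys(ni, nr, g_xy, cky_i, cky_r)
    need = enc_len + auth_len
    return {
        "inbound": split_keymat(
            phase2_keymat(p1["SKEYID_d"], PROTO_ESP, spi_in, ni2, nr2, need), enc_len, auth_len),
        "outbound": split_keymat(
            phase2_keymat(p1["SKEYID_d"], PROTO_ESP, spi_out, ni2, nr2, need), enc_len, auth_len),
    }


# Constructed inputs. The DH exchange is omitted: G_XY stands for the shared secret both
# peers computed from it; nonces and cookies would be random values in practice.
G_XY = bytes.fromhex("a3" * 32)
NI, NR = b"initiator-nonce-1", b"responder-nonce-1"
CKY_I, CKY_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
NI2, NR2 = b"qm-nonce-i", b"qm-nonce-r"
SPI_A, SPI_B = bytes.fromhex("0000c001"), bytes.fromhex("0000c002")


def demo():
    # The initiator receives on SPI_A and sends on SPI_B; the responder is the mirror image.
    initiator = derive_esp_sa_pair(G_XY, NI, NR, CKY_I, CKY_R, NI2, NR2, SPI_A, SPI_B)
    responder = derive_esp_sa_pair(G_XY, NI, NR, CKY_I, CKY_R, NI2, NR2, SPI_B, SPI_A)
    return initiator, responder


if __name__ == "__main__":
    i, r = demo()
    print("initiator outbound == responder inbound:", i["outbound"] == r["inbound"])
    print("inbound and outbound keys differ:", i["inbound"] != i["outbound"])
```

The construction is why a Phase 1 SA can be reused for many Phase 2 negotiations: SKEYID_d never leaves the peers, and every new SPI or nonce pair yields fresh, unrelated KEYMAT without repeating the expensive authentication.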

Features of IPSec
1. Authentication: IPsec authenticates the communicating peers during IKE, using digital
signatures (certificates) or pre-shared secrets, and authenticates each IP packet with a keyed
integrity check value, so that forged or tampered packets are detected and dropped.
2. Confidentiality: IPSec provides confidentiality by encrypting IP packets, preventing
eavesdropping on the network traffic.
3. Integrity: IPSec provides integrity by ensuring that IP packets have not been modified or
corrupted during transmission.
4. Key management: IPSec provides key management services, including key exchange
and key revocation, to ensure that cryptographic keys are securely managed.
5. Tunneling: IPSec supports tunneling. In tunnel mode the entire original IP packet is
encapsulated inside a new IP packet, and IPsec is also commonly combined with other
tunneling protocols, as in GRE over IPsec (Generic Routing Encapsulation) or L2TP/IPsec
(Layer 2 Tunneling Protocol).
6. Flexibility: IPSec can be configured to provide security for a wide range of network
topologies, including point-to-point, site-to-site, and remote access connections.
7. Interoperability: IPSec is an open standard protocol, which means that it is supported by
a wide range of vendors and can be used in heterogeneous environments.

Advantages of IPSec
1. Strong security: IPSec provides strong cryptographic security services that help protect
sensitive data and ensure network privacy and integrity.
2. Wide compatibility: IPSec is an open standard protocol that is widely supported by
vendors and can be used in heterogeneous environments.
3. Flexibility: IPSec can be configured to provide security for a wide range of network
topologies, including point-to-point, site-to-site, and remote access connections.
4. Scalability: IPSec can be used to secure large-scale networks and can be scaled up or
down as needed.
5. Acceptable performance: IPSec is implemented in the kernels of all major operating
systems and is hardware-accelerated on many routers and network cards, so encryption
throughput is rarely the bottleneck in practice.

Disadvantages of IPSec
1. Configuration complexity: IPSec can be complex to configure and requires specialized
knowledge and skills.

2. Compatibility issues: IPSec can have compatibility issues with some network devices
and applications, which can lead to interoperability problems.
3. Performance impact: IPSec can impact network performance due to the overhead of
encryption and decryption of IP packets.
4. Key management: IPSec requires effective key management to ensure the security of the
cryptographic keys used for encryption and authentication.
5. Limited scope: IPSec protects traffic only between the two IPsec endpoints. Traffic
outside the tunnel (before encapsulation or after decapsulation), traffic the policy lets bypass
IPsec (commonly IKE itself, some ICMP, or DNS lookups made in the clear), and the
endpoints themselves remain exposed to attack.

FIREWALL

A firewall is a network security device, either hardware- or software-based, that monitors
all incoming and outgoing traffic and, based on a defined set of security rules, accepts,
rejects or drops that traffic.
 Accept: allow the traffic.
 Reject: block the traffic but reply with an "unreachable" error (for example an ICMP
destination-unreachable message or a TCP RST), so the sender learns it was blocked.
 Drop: block the traffic silently, with no reply.
A firewall establishes a barrier between a secured internal network and an outside untrusted
network, such as the Internet.

Types of Firewall

Firewall is a network device that isolates organization’s internal network from larger outside
network/Internet. It can be a hardware, software, or combined system that prevents
unauthorized access to or from internal network.
All data packets entering or leaving the internal network pass through the firewall, which
examines each packet and blocks those that do not meet the specified security criteria.

Deploying firewall at network boundary is like aggregating the security at a single point. It is
analogous to locking an apartment at the entrance and not necessarily at each door.
Firewall is considered as an essential element to achieve network security for the following
reasons −
 Internal network and hosts are unlikely to be properly secured.
 Internet is a dangerous place with criminals, users from competing companies,
disgruntled ex-employees, spies from unfriendly countries, vandals, etc.
 To prevent an attacker from launching denial of service attacks on network resource.
 To prevent illegal modification/access to internal data by an outsider attacker.
Firewall is categorized into three basic types −
 Packet filter (stateless and stateful)
 Application-level gateway
 Circuit-level gateway
These three categories, however, are not mutually exclusive. Modern firewalls have a mix of
abilities that may place them in more than one of the three categories.

Stateless & Stateful Packet Filtering Firewall

In this type of firewall deployment, the internal network is connected to the external
network/Internet via a router firewall. The firewall inspects and filters data packet-by-packet.
Packet-filtering firewalls allow or block the packets mostly based on criteria such as source
and/or destination IP addresses, protocol, source and/or destination port numbers, and various
other parameters within the IP header.
The decision can be based on factors other than IP header fields such as ICMP message type,
TCP SYN and ACK bits, etc.

Packet filter rule has two parts −
 Selection criteria − It is used as a condition and pattern match for decision making.
 Action field − This part specifies the action to be taken if an IP packet meets the selection
criteria. The action can be either block (deny) or permit (allow) the packet across the
firewall.
Packet filtering is generally accomplished by configuring Access Control Lists (ACL) on
routers or switches. ACL is a table of packet filter rules.
As traffic enters or exits an interface, firewall applies ACLs from top to bottom to each
incoming packet, finds matching criteria and either permits or denies the individual packets.

A stateless firewall is a rigid tool. It looks at each packet in isolation and allows it if it meets
the criteria, even if the packet is not part of any established, ongoing communication; an
attacker can therefore craft packets (for example with a permitted source port, or with the
ACK bit set) that pass the ACL although no connection exists.
Hence, such firewalls have been replaced by stateful firewalls in modern networks. Stateful
firewalls offer a more in-depth inspection method than the ACL-only packet inspection of
stateless firewalls.
A stateful firewall monitors the connection setup and teardown process to keep a check on
connections at the TCP/IP level. This allows it to track connection state and determine which
hosts have open, authorized connections at any given point in time.
It references the rule base only when a new connection is requested. Packets belonging to
existing connections are compared against the firewall's state table of open connections, and
the decision to allow or block is taken from that table. This saves time and adds security: a
packet that does not start a permitted new connection is allowed through only if it belongs to
a connection already recorded in the state table. Inactive connections time out at the firewall,
after which it no longer admits packets for them.
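To make the stateless-versus-stateful difference concrete, here is an added example (not from the original notes) of both filters in Python. The ACL and the packets are constructed: the policy lets internal users browse the web, so a stateless ACL has to admit any packet whose source port is 80, which an attacker sets at will; the stateful filter admits return traffic only if its state table holds the matching outbound connection, and it times idle entries out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP flags; only meaningful when proto == "tcp"
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"           # CIDR prefixes
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None      # None = any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def stateless_filter(acl, p: Packet) -> str:
    """ACL semantics: first matching rule wins, top to bottom; implicit deny at the end."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Consults the rule base only for packets that start a connection; everything
    else must match an entry in the state table, which idles out after a timeout."""

    def __init__(self, acl, idle_timeout: float = 300.0):
        self.acl = acl
        self.idle_timeout = idle_timeout
        self.table = {}   # (proto, src, sport, dst, dport) -> time of last packet seen

    def process(self, p: Packet, now: float) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        for key in (forward, reverse):
            last = self.table.get(key)
            if last is None:
                continue
            if now - last <= self.idle_timeout:
                self.table[key] = now
                return "permit (established)"
            del self.table[key]   # expired: what follows is treated as a fresh attempt
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny (not the start of a known connection)"
        if stateless_filter(self.acl, p) == "permit":
            self.table[forward] = now
            return "permit (new)"
        return "deny (rule base)"


# Constructed policy: internal users (10.0.0.0/8) may browse the web. To let the replies
# back in, a stateless ACL has to permit anything whose *source* port is 80.
ACL = [
    Rule("permit", "tcp", src="10.0.0.0/8", dport=80),
    Rule("permit", "tcp", dst="10.0.0.0/8", sport=80),
]

if __name__ == "__main__":
    # An attacker simply sets source port 80 and reaches SSH on an internal host.
    crafted = Packet("203.0.113.5", "10.0.0.7", "tcp", sport=80, dport=22, ack=True)
    print("stateless:", stateless_filter(ACL, crafted))
    fw = StatefulFirewall(ACL)
    print("stateful :", fw.process(crafted, now=0))
    print(fw.process(Packet("10.0.0.7", "93.184.216.34", "tcp", 40000, 80, syn=True), now=1))
    print(fw.process(Packet("93.184.216.34", "10.0.0.7", "tcp", 80, 40000, syn=True, ack=True), now=2))
```

The idle timeout matters for more than housekeeping: without it, a state entry created by one legitimate session would keep admitting packets for that 5-tuple indefinitely, which is exactly the standing hole the stateful design is meant to close.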

Application Gateways

An application-level gateway acts as a relay node for the application-level traffic. They
intercept incoming and outgoing packets, run proxies that copy and forward information
across the gateway, and function as a proxy server, preventing any direct connection between
a trusted server or client and an untrusted host.

The proxies are application specific. They can filter packets at the application layer of the
OSI model.
Application-specific Proxies

An application-specific proxy accepts packets generated only by the specified application for
which it is designed to copy, forward, and filter. For example, only a Telnet proxy can copy,
forward, and filter Telnet traffic.
If a network relies only on an application-level gateway, incoming and outgoing packets
cannot access services that have no proxies configured. For example, if a gateway runs FTP
and Telnet proxies, only packets generated by these services can pass through the firewall.
All other services are blocked.
Application-level Filtering
An application-level proxy gateway, examines and filters individual packets, rather than
simply copying them and blindly forwarding them across the gateway. Application-specific
proxies check each packet that passes through the gateway, verifying the contents of the
packet up through the application layer. These proxies can filter particular kinds of
commands or information in the application protocols.
Application gateways can restrict specific actions from being performed. For example, the
gateway could be configured to prevent users from performing the ‘FTP put’ command. This
can prevent modification of the information stored on the server by an attacker.
Transparent
Although application-level gateways can be transparent, many implementations require user
authentication before users can access an untrusted network, a process that reduces true
transparency. Authentication may be different if the user is from the internal network or from
the Internet. For an internal network, a simple list of IP addresses can be allowed to connect
to external applications. But from the Internet side a strong authentication should be
implemented.
An application gateway actually relays TCP segments between the two TCP connections in
the two directions (Client ↔ Proxy ↔ Server).

For outbound packets, the gateway may replace the source IP address by its own IP address.
The process is referred to as Network Address Translation (NAT). It ensures that internal IP
addresses are not exposed to the Internet.

Circuit-Level Gateway

The circuit-level gateway is an intermediate solution between the packet filter and the
application gateway. It runs at the transport layer and hence can act as proxy for any
application.
Similar to an application gateway, the circuit-level gateway also does not permit an end-to-
end TCP connection across the gateway. It sets up two TCP connections and relays the TCP
segments from one network to the other. But, it does not examine the application data like
application gateway. Hence, sometime it is called as ‘Pipe Proxy’.
SOCKS
SOCKS (RFC 1928) refers to a circuit-level gateway. It is a networking proxy mechanism
that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side
without requiring direct IP reachability. The client connects to the SOCKS server at the
firewall. Then the client enters a negotiation for the authentication method to be used, and
authenticates with the chosen method.
The client sends a connection relay request to the SOCKS server, containing the desired
destination IP address and transport port. The server accepts the request after checking that
the client meets the basic filtering criteria. Then, on behalf of the client, the gateway opens a
connection to the requested untrusted host and then closely monitors the TCP handshaking
that follows.
The SOCKS server informs the client, and in case of success, starts relaying the data between
the two connections. Circuit level gateways are used when the organization trusts the internal
users, and does not want to inspect the contents or application data sent on the Internet.
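The SOCKS5 exchange described above, as an added example that is not taken from the original notes or from any SOCKS implementation: it builds and parses the RFC 1928 messages for both sides (method negotiation, a CONNECT request with an IPv4, IPv6 or domain-name address, and the reply) and applies the gateway's filtering rule. There is no network here; the relayed TCP connection and its bound address (192.0.2.1:40000, an assumed value) are simulated.

```python
import ipaddress
import struct

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting(methods):
    """Client -> server: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VER, len(methods), *methods])


def select_method(greeting: bytes, server_offers=(METHOD_NOAUTH,)) -> bytes:
    """Server -> client: VER | METHOD, or 0xFF if nothing the client offered is acceptable."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered_by_client = set(greeting[2:])
    chosen = next((m for m in server_offers if m in offered_by_client), METHOD_NONE_ACCEPTABLE)
    return bytes([SOCKS_VER, chosen])


def encode_addr(host: str) -> bytes:
    """ATYP | address: IPv4/IPv6 are packed, anything else goes as a length-prefixed name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def decode_addr(buf: bytes, off: int):
    """Return (host, offset just past the address); raises ValueError on short input."""
    atyp = buf[off]
    off += 1
    if atyp == ATYP_IPV4:
        return str(ipaddress.IPv4Address(buf[off:off + 4])), off + 4
    if atyp == ATYP_IPV6:
        return str(ipaddress.IPv6Address(buf[off:off + 16])), off + 16
    if atyp == ATYP_DOMAIN:
        n = buf[off]
        return buf[off + 1:off + 1 + n].decode("idna"), off + 1 + n
    raise ValueError("unsupported ATYP %d" % atyp)


def build_request(host: str, port: int, cmd: int = CMD_CONNECT) -> bytes:
    """Client -> server: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    return bytes([SOCKS_VER, cmd, 0x00]) + encode_addr(host) + struct.pack("!H", port)


def parse_request(req: bytes):
    if len(req) < 4 or req[0] != SOCKS_VER or req[2] != 0x00:
        raise ValueError("malformed request")
    host, off = decode_addr(req, 3)
    if off + 2 != len(req):
        raise ValueError("bad length")
    (port,) = struct.unpack("!H", req[off:off + 2])
    return req[1], host, port


def build_reply(rep: int, bnd_host: str = "0.0.0.0", bnd_port: int = 0) -> bytes:
    """Server -> client: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    return bytes([SOCKS_VER, rep, 0x00]) + encode_addr(bnd_host) + struct.pack("!H", bnd_port)


def parse_reply(reply: bytes):
    host, off = decode_addr(reply, 3)
    (port,) = struct.unpack("!H", reply[off:off + 2])
    return REPLY_TEXT.get(reply[1], "other failure"), host, port


def gateway_handle_request(req: bytes, allowed_ports) -> bytes:
    """The circuit-level gateway's decision: it looks only at the requested endpoint
    (the 'basic filtering criteria'), never at application data. The outbound TCP
    connect it would make on success is simulated by returning a bound address."""
    try:
        cmd, host, port = parse_request(req)
    except ValueError:
        return build_reply(0x01)
    if cmd != CMD_CONNECT:
        return build_reply(0x07)
    if port not in allowed_ports:
        return build_reply(0x02)
    return build_reply(0x00, "192.0.2.1", 40000)   # assumed source endpoint of the relayed leg
```

Once the reply with REP = 0x00 has been sent, the gateway simply copies bytes between the two TCP connections; nothing in the code path above ever interprets the HTTP, SMTP or other application data that follows, which is exactly what distinguishes a circuit-level gateway from an application gateway.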

Firewall Deployment with DMZ

A firewall is a mechanism used to control network traffic ‘into’ and ‘out’ of an organizational
internal network. In most cases these systems have two network interfaces, one for the
external network such as the Internet and the other for the internal side.
The firewall process can tightly control what is allowed to traverse from one side to the other.
An organization that wishes to provide external access to its web server can restrict all traffic
arriving at the firewall except for port 80 (the standard HTTP port). All other traffic such as
mail traffic, FTP, SNMP, etc., is not allowed across the firewall into the internal network. An
example of a simple firewall is shown in the following diagram.

In the above simple deployment, though all other accesses from outside are blocked, it is
possible for an attacker to contact not only a web server but any other host on internal
network that has left port 80 open by accident or otherwise.
Hence, the problem most organizations face is how to enable legitimate access to public
services such as web, FTP, and e-mail while maintaining tight security of the internal
network. The typical approach is deploying firewalls to provide a Demilitarized Zone (DMZ)
in the network.
In this setup (illustrated in following diagram), two firewalls are deployed; one between the
external network and the DMZ, and another between the DMZ and the internal network. All
public servers are placed in the DMZ.
With this setup, it is possible to have firewall rules which allow public access to the public
servers but the interior firewall can restrict all incoming connections. By having the DMZ,
the public servers are provided with adequate protection instead of placing them directly on
external network.
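An added reachability check (not part of the original notes) that models the two designs just described: a flat network behind one firewall that admits port 80 to anything, and a DMZ behind two firewalls. Hosts, zones and rules are constructed. The point it makes is the one above: an internal host that happens to listen on port 80 is exposed in the flat design but not in the DMZ design, and a compromised DMZ web server still cannot reach the internal zone unless the inner firewall permits it.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    open_ports: frozenset


@dataclass(frozen=True)
class ZoneRule:
    src_zone: str
    dst_zone: str
    dport: Optional[int] = None   # None = any port
    action: str = "permit"


def firewall_allows(rules, src_zone: str, dst_zone: str, dport: int) -> bool:
    """First matching zone rule wins; anything unmatched is denied."""
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and r.dport in (None, dport):
            return r.action == "permit"
    return False


def reachable(hosts, paths, src_zone: str):
    """paths maps (src_zone, dst_zone) to the ordered list of firewall rule sets a packet
    crosses; a flow reaches host:port only if every firewall on the path permits it."""
    result = set()
    for h in hosts:
        path = paths.get((src_zone, h.zone))
        if path is None:          # no route between the zones at all
            continue
        for port in h.open_ports:
            if all(firewall_allows(rules, src_zone, h.zone, port) for rules in path):
                result.add((h.name, port))
    return result


# Single firewall: only port 80 is allowed in, but the file server also (accidentally) listens on 80.
EDGE = [ZoneRule("external", "internal", 80)]
FLAT_HOSTS = [
    Host("web", "internal", frozenset({80})),
    Host("fileserver", "internal", frozenset({80, 445})),
    Host("db", "internal", frozenset({3306})),
]
FLAT_PATHS = {("external", "internal"): [EDGE]}

# Two-firewall DMZ: the web server moves to the DMZ; the inner firewall permits nothing inbound.
OUTER = [ZoneRule("external", "dmz", 80)]
INNER = []
DMZ_HOSTS = [
    Host("web", "dmz", frozenset({80})),
    Host("fileserver", "internal", frozenset({80, 445})),
    Host("db", "internal", frozenset({3306})),
]
DMZ_PATHS = {
    ("external", "dmz"): [OUTER],
    ("external", "internal"): [OUTER, INNER],
    ("dmz", "internal"): [INNER],
}


def compare():
    return {
        "flat": reachable(FLAT_HOSTS, FLAT_PATHS, "external"),
        "dmz_from_internet": reachable(DMZ_HOSTS, DMZ_PATHS, "external"),
        "dmz_from_compromised_web": reachable(DMZ_HOSTS, DMZ_PATHS, "dmz"),
    }


if __name__ == "__main__":
    for design, hosts in compare().items():
        print(design, sorted(hosts))
```

In a real DMZ the inner rule set is rarely empty (the web server usually needs a database port), and each such rule is precisely the path an attacker who owns the DMZ host will try next, which is why those rules should name one source host and one destination port rather than whole zones.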

CYBER FORENSICS
Cyber forensics is the process of extracting data from electronic devices as evidence of a
crime, following proper investigation rules so that the evidence can be presented in court to
convict the culprit. Cyber forensics is also known as computer forensics. Its main aim is to
maintain the chain of evidence and documentation needed to find out who committed the
crime digitally. Cyber forensics can do the following:
 It can recover deleted files, chat logs, emails, etc.
 It can also recover deleted SMS messages and call records.
 It can recover audio recordings stored on a device, such as recorded calls.
 It can determine which user used which system and for how long.
 It can identify which user ran which program.

Why is cyber forensics important?

The importance of cyber forensics is immense. Technology combined with forensic science
paves the way for quicker investigations and accurate results. Below are the points depicting
the importance of cyber forensics:
 Cyber forensics helps in collecting important digital evidence to trace the criminal.
 Electronic equipment stores massive amounts of data that a normal person fails to see.
For example: in a smart house, for every word we speak, actions performed by smart
devices, collect huge data which is crucial in cyber forensics.
 It is also helpful for innocent people to prove their innocence via the evidence collected
online.
 It is not only used to solve digital crimes but also used to solve real-world crimes like
theft cases, murder, etc.
 Businesses are equally benefitted from cyber forensics in tracking system breaches and
finding the attackers.

The Process Involved in Cyber Forensics

Cyber forensics follows a systematic procedure, summarised concisely below.

Obtaining a digital copy of the system under inspection

This step entails producing a copy of the system's data so that no harm is done to the actual
system and none of its files are altered or confused with the examiner's own. Cloning a hard
disk means replicating every bit of the drive, files, folders and free space alike, onto another
disk, so that all analysis is carried out on the duplicate.

Authenticating and confirming the replica

After copying, the examiner verifies that the copy is bit-for-bit identical to the original,
typically by computing a cryptographic hash (for example SHA-256, often alongside MD5)
of both and comparing them. The hash values are recorded so that the copy can be re-verified
at any later point in the chain of custody.

Determining that the copied data is forensically acceptable

A logical copy can change the data's format or metadata (timestamps, permissions, the
contents of free space), producing discrepancies between the investigator's operating system
and the one the data came from. To avoid this, examiners acquire a raw, bit-for-bit image
through a write blocker, so that the on-disk structure stays constant and the copy is
forensically acceptable.

Recovering deleted files

Criminals think of innovative ways of covering their tracks and often remove data that could
indicate their misconduct; it is the investigators' job to recover and reconstruct deleted files
with specialised software.

Files deleted by a user are usually not wiped from the disk: the file system merely marks the
space as free, and the content remains there until it is overwritten, which is why forensic
specialists can often recover such files.

Finding the necessary data with keywords

Investigators use fast indexing and search tools to locate relevant material by searching the
image for keywords drawn from the case.

The OS treats free space on the disk as available for storing new files and directories;
however, temporary files and documents deleted long ago remain there until new data
overwrites them. Forensic specialists therefore search this free (unallocated) space as well as
the live file system. Their tools scan all data on the image, not just the files the OS still lists,
for the chosen phrases.
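The verification and keyword-search steps above, as one added example (not from the original notes): it hashes a constructed toy disk image to confirm that a copy is bit-for-bit identical, then scans the raw image, free space included, for keywords in both ASCII and UTF-16LE. The image layout (512-byte blocks, only block 0 allocated) is invented for the example.

```python
import hashlib
import re

BLOCK = 512             # constructed block size
ALLOCATED_BLOCKS = {0}  # the toy "file system" lists only block 0 as in use


def build_sample_image() -> bytes:
    """Constructed toy disk image (not from any real system): block 0 is an allocated
    file, blocks 1 and 2 are free space that still holds the content of deleted files."""
    allocated = b"README.TXT: quarterly report draft v3\n".ljust(BLOCK, b"\x00")
    deleted_ascii = b"transfer 250000 to ACCOUNT 9931 before the audit\n".ljust(BLOCK, b"\x00")
    deleted_utf16 = "wire to offshore account".encode("utf-16-le").ljust(BLOCK, b"\x00")
    return allocated + deleted_ascii + deleted_utf16


def image_hashes(data: bytes) -> dict:
    """Hash the whole image with two algorithms, as acquisition tools record them."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def verify_copy(source: bytes, copy: bytes) -> bool:
    """The replica is acceptable only if every hash matches the source."""
    return image_hashes(source) == image_hashes(copy)


def keyword_search(image: bytes, keywords, context: int = 12):
    """Scan the raw image (allocated and free space alike) for each keyword, both as
    ASCII and as UTF-16LE (how Windows stores most text), case-insensitively."""
    hits = []
    for kw in keywords:
        for encoding in ("ascii", "utf-16-le"):
            pattern = re.escape(kw.encode(encoding))
            for m in re.finditer(pattern, image, flags=re.IGNORECASE):
                region = "allocated" if m.start() // BLOCK in ALLOCATED_BLOCKS else "unallocated"
                snippet = image[max(0, m.start() - context): m.end() + context]
                hits.append({"offset": m.start(), "keyword": kw, "encoding": encoding,
                             "region": region, "snippet": snippet})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    image = build_sample_image()
    print(image_hashes(image)["sha256"])
    for hit in keyword_search(image, ["account", "report"]):
        print(hit["offset"], hit["keyword"], hit["encoding"], hit["region"], hit["snippet"])
```

Both findings in the free space would be missed by searching the mounted file system, and the UTF-16 hit would be missed by an ASCII-only grep; in practice the scan also covers the image as a whole rather than file boundaries, so fragments of overwritten files still surface.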

Establishing a technical report

The last phase will be to produce a technical report that is relevant and easily understood
regardless of the background of the individual. The result of this report is to state clearly the
crime, possible culprits, and innocent individuals.

The technical report must be straightforward for everyone to grasp, irrespective of their
background. It should focus mostly on who the culprit is and what techniques they used to
commit the crime and how.

How do cyber forensics experts work?

Cyber forensics is a field that follows certain procedures to find the evidence to reach
conclusions after proper investigation of matters. The procedures that cyber forensic
experts follow are:
 Identification: The first step for cyber forensics experts is to identify what evidence is
present, where it is stored, and in which format it is stored.
 Preservation: After identifying the data the next step is to safely preserve the data and
not allow other people to use that device so that no one can tamper data.
 Analysis: After getting the data, the next step is to analyze the data or system. Here the
expert recovers the deleted files and verifies the recovered data and finds the evidence
that the criminal tried to erase by deleting secret files. This process might take several
iterations to reach the final conclusion.
 Documentation: Now after analyzing data a record is created. This record contains all
the recovered and available(not deleted) data which helps in recreating the crime scene
and reviewing it.
 Presentation: This is the final step in which the analyzed data is presented in front of
the court to solve cases.

Types of computer forensics

There are multiple types of computer forensics depending on the field in which digital
investigation is needed. The fields are:
 Network forensics: This involves monitoring and analyzing the network traffic to and
from the criminal’s network. The tools used here are network intrusion detection
systems and other automated tools.
 Email forensics: In this type of forensics, the experts check the email of the criminal
and recover deleted email threads to extract out crucial information related to the case.
 Malware forensics: This branch of forensics involves hacking related crimes. Here, the
forensics expert examines the malware, trojans to identify the hacker involved behind
this.
 Memory forensics: This branch of forensics deals with collecting data from the
memory(like cache, RAM, etc.) in raw and then retrieve information from that data.

 Mobile Phone forensics: This branch of forensics generally deals with mobile phones.
They examine and analyze data from the mobile phone.
 Database forensics: This branch of forensics examines and analyzes the data from
databases and their related metadata.
 Disk forensics: This branch of forensics extracts data from storage media by searching
modified,  active, or deleted files.

Techniques that cyber forensic investigators use

Cyber forensic investigators use various techniques and tools to examine the data and some
of the commonly used techniques are:
 Reverse steganography: Steganography is a method of hiding data inside a digital file,
image, etc. Cyber forensic experts apply reverse steganography, for example by comparing a
file's hash or statistical properties against an unmodified original, to detect and extract the
hidden data and relate it to the case.
 Stochastic forensics: In stochastic forensics, experts analyze and reconstruct digital
activity that leaves no conventional artifacts (an artifact here is a trace a program or user
leaves behind, such as a log entry or registry key) by examining statistical patterns of normal
system behaviour, for example file system access timestamps, that large-scale activity such
as insider data theft disturbs.
 Cross-drive analysis: In this process, information found on multiple computer drives is
correlated and cross-referenced to analyze and preserve information relevant to the
investigation.
 Live analysis: In this technique, the suspect's computer is analyzed from within the
running operating system. It targets the volatile data in RAM (running processes, network
connections, encryption keys) that would be lost by powering the machine off.
 Deleted file recovery: This includes searching storage media for the fragments of a
partially deleted file in order to recover it for evidence purposes.

Advantages

 Cyber forensics preserves the integrity of evidence taken from a computer, so that it is
admissible.
 Through cyber forensics, people and companies learn how such crimes are carried out
and can take proper measures to avoid them.
 Cyber forensics finds evidence on digital devices and presents it in court, which can lead
to the punishment of the culprit.
 It can help track down a culprit anywhere in the world.
 It helps people and organizations protect their money and time.
 Findings can be publicised to make the public aware of current threats.

What are the required set of skills needed to be a cyber forensic expert?

The following skills are required to be a cyber forensic expert:
 As cyber forensics is based on technology, knowledge of various technologies, computers,
mobile phones, network attacks, security breaches, etc. is required.
 The expert should be very attentive while examining a large amount of data to identify
proof/evidence.
 The expert must be aware of criminal laws, a criminal investigation, etc.

 As we know, over time technology always changes, so the experts must be updated with
the latest technology.
 Cyber forensic experts must be able to analyse the data, derive conclusions from it and
make proper interpretations.
 The communication skill of the expert must be good so that while presenting evidence
in front of the court, everyone understands each detail with clarity.
 The expert must have strong knowledge of basic cyber security.

Hacking is the activity of identifying weaknesses in a computer system or a network and
exploiting them to gain access to personal or business data. An example of computer hacking
is using a password-cracking tool to gain access to a computer system.
Computers have become essential to running a successful business. It is not enough to have
isolated computer systems; they need to be networked to communicate with external
businesses. This exposes them to the outside world and to hacking. System hacking means
using computers to commit fraudulent acts such as fraud, privacy invasion, and theft of
corporate or personal data. Cyber crimes cost many organizations millions of dollars every
year, so businesses need to protect themselves against such attacks.

Types of Hackers:
To elaborate on the aforementioned hacking aims, it is vital to understand the various sorts
of hackers that exist in the cyber segment in order to distinguish between their
responsibilities and objectives. The types of hackers are:
1. Black Hat Hackers: These hackers, often known as crackers, always have a malicious
motive and gain illegal access to computer networks and websites. Their goal is to make
money by stealing secret organizational data, stealing funds from online bank accounts,
violating privacy rights to benefit criminal organizations, and so on. They usually have the
expertise and training to get into computer networks without the owners' consent, attack
security holes, and circumvent security procedures. With the malevolent goal of gaining
unauthorized access to networks and systems, they steal data and spread malware that
damages systems.
2. White Hat Hackers/Ethical Hackers: White hat hackers (sometimes referred to as
ethical hackers) are the polar opposites of black hat hackers. They employ their
technical expertise to defend the planet against malicious hackers. White hats are
employed by businesses and government agencies as data security analysts, researchers,
security specialists, etc. White hat hackers, with the permission of the system owner and
with good motives, use the same hacking tactics that the black hackers use. They can
work as contractors, freelancers, or in-house for the companies. They assist their
customers in resolving security flaws before they are exploited by criminal hackers.
3. Gray Hat Hackers: They fall somewhere between the above two types: they gain
unauthorized access to a system but without malicious intent. The goal is to expose the
system's weaknesses. Instead of exploiting vulnerabilities for unlawful gain, grey hat hackers
may offer to repair the vulnerabilities they identified through their own unauthorized actions.
For example, they may probe your website or application for vulnerabilities without your
permission. They rarely, if ever, try to harm others. Grey hats do this to obtain notoriety and
reputation in the cyber security industry, which helps them further their careers as security
experts in the long run. This behaviour, on the other hand, harms the reputation of the
organizations whose security flaws or exploits are made public, and it remains illegal in most
jurisdictions because the access was not authorized.
4. Red Hat Hackers: Also known as eagle-eyed hackers. Red hat hackers want to stop threat
actors from launching unethical attacks. Their aim is the same as that of ethical hackers, but
their methods differ: red hat hackers may use illegal or extreme methods, frequently
launching cyber attacks against the threat actors' own systems.
5. Blue Hat Hackers: The term is used in two unrelated senses. In the first (the sense
popularised by Microsoft's BlueHat events), blue hats are security experts from outside the
organization whom companies invite to test new software and uncover flaws before release,
sometimes at dedicated meetings about their critical internet-facing systems. In the second,
a blue hat is someone for whom money and fame are not the point: they hack to take personal
revenge on a person, employer, organization or government for a genuine or perceived
wrong, using malware and other attacks against their adversaries' data, websites or devices.
6. Green Hat Hackers: Green hat hackers are not yet familiar with security measures or the
internal workings of the internet, but they are quick learners who are driven (if not
desperate) to advance in the hacking world. Although they are unlikely to intend harm, they
may cause it while experimenting with viruses and attack techniques. Green hat hackers can
therefore be dangerous, since they are frequently unaware of the consequences of their
activities, or, worse, of how to undo them.

FOOTPRINTING

Footprinting is an ethical hacking technique used to gather as much data as possible about a
specific targeted computer system, infrastructure and network, in order to identify
opportunities to penetrate them. It is the usual first step in finding vulnerabilities.

The process of cybersecurity footprinting involves profiling organizations and collecting data
about the network, hosts, employees and third-party partners. This information includes
the operating systems used by the organization, firewalls, network maps, IP addresses,
Domain Name System (DNS) records, the security configuration of the target machines, URLs,
virtual private network (VPN) endpoints, staff IDs, email addresses and phone numbers.

There are two types of footprinting in ethical hacking:

1. active footprinting
2. passive footprinting

What is active footprinting?

Active footprinting describes the process of using tools and techniques that send traffic to
the target, such as traceroute or a ping sweep (an Internet Control Message Protocol echo
sweep), to collect data about it. Because the probes reach the target's own hosts, this often
triggers the target's intrusion detection system (IDS). It takes a certain level of stealth and
creativity to evade detection successfully.

What is passive footprinting?

As the name implies, passive footprinting collects data about a specific target using
innocuous methods that send nothing to the target's own systems: performing a Google
search, looking through Archive.org, browsing employees' social media profiles, looking at
job sites, and querying Whois, the public registration database that lists the domain names,
registrar, name servers and contacts associated with a specific organization. (NeoTrace,
sometimes listed here, is a graphical traceroute tool; it sends probes to the target and so
belongs with the active techniques.) Passive footprinting is the stealthier approach because
the target sees no traffic from the attacker, so its IDS is never triggered.

How do you start footprinting?

Reconnaissance is the broader information-gathering phase of which footprinting is a part,
and it is a crucial part of the initial hacking exercise. It is largely a passive footprinting
exercise in which one collects data about the target's potential vulnerabilities and flaws to
exploit while penetration testing.

Footprinting can help ethical hackers find potential vulnerabilities to assess and test.

Footprinting starts with determining the location and objective of an intrusion. Once
ethical hackers identify a specific target, they gather information about the organization using
nonintrusive methods, such as reading the organization's own webpages, personnel directory
or employee bios.

Ethical hackers collect this information and use it to initiate social engineering campaigns
that identify security vulnerabilities and achieve the ethical hacking goals.

Advantages

 Footprinting allows hackers to gather the basic security configuration of a target
machine along with the network route and data flow.
 Once the attacker finds the vulnerabilities, they can focus on a specific area of the target
machine.
 It allows the hacker to identify which attack is the most practical way to compromise the
target system.
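As an added example, not part of the original notes, the following Python script carries out the passive footprinting steps above against inputs that never require touching the target: a WHOIS record and an archived copy of a public "Our team" page. Both inputs are constructed for the demo, and the domain example.com, the people, addresses and hostnames in them are placeholders. The script pulls out name servers, subdomains, staff, email addresses and phone numbers, and then infers the corporate email naming convention, which is what lets an attacker guess the addresses of staff who are not listed.

```python
"""Passive footprinting from artefacts that never touch the target's own
systems: a WHOIS record and an archived copy of its public team page.
Added example for this page; the data below is constructed and example.com
stands in for the target domain."""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\- ]{7,}\d")
STAFF_RE = re.compile(r"([A-Z][a-z]+ [A-Z][a-z]+), ([A-Za-z ]+?) - ")

# Constructed WHOIS output (not a real registration record).
WHOIS_TEXT = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
Registrant Email: dns-admin@example.com
Tech Email: j.doe@example.com
Registry Expiry Date: 2026-03-01T00:00:00Z
"""

# Constructed copy of a public team page, as if pulled from Archive.org.
TEAM_HTML = """\
<html><body>
<a href="https://vpn.example.com/login">Remote access</a>
<a href="https://mail.example.com/owa">Webmail</a>
<ul>
 <li>Jane Doe, Chief Technology Officer - <a href="mailto:jane.doe@example.com">email</a></li>
 <li>Bob Roe, IT Support Technician - <a href="mailto:bob.roe@example.com">email</a></li>
 <li>Alice Poe, HR Manager - <a href="mailto:alice.poe@example.com">email</a></li>
</ul>
Call us on +1 555-010-2000
</body></html>
"""


def parse_whois(text):
    """Turn 'Key: Value' WHOIS lines into the fields footprinting cares about."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        fields.setdefault(key.lower(), []).append(value)
    return {
        "registrar": fields.get("registrar", [None])[0],
        "name_servers": sorted(ns.lower() for ns in fields.get("name server", [])),
        "expiry": fields.get("registry expiry date", [None])[0],
        "emails": sorted(EMAIL_RE.findall(text)),
    }


class _PageParser(HTMLParser):
    """Collects link targets and the visible text of the page."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.chunks = [], []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

    def handle_data(self, data):
        self.chunks.append(data)


def parse_page(html, domain):
    """Harvest subdomains, staff, addresses and phone numbers from one page."""
    parser = _PageParser()
    parser.feed(html)
    text = "".join(parser.chunks)
    hosts = {urlparse(h).hostname for h in parser.hrefs}   # mailto: gives None
    return {
        "subdomains": sorted(h for h in hosts if h and h.endswith("." + domain)),
        "staff": STAFF_RE.findall(text),                    # (name, title) pairs
        "emails": sorted(set(EMAIL_RE.findall(html))),
        "phones": PHONE_RE.findall(text),
    }


def infer_email_format(staff, emails, domain):
    """Test each staff name against the harvested addresses to learn the
    naming convention; the winner predicts addresses of unlisted staff."""
    patterns = {"first.last": lambda f, l: f"{f}.{l}",
                "flast": lambda f, l: f"{f[0]}{l}",
                "first": lambda f, l: f}
    hits = Counter()
    for name, _ in staff:
        first, last = name.lower().split()
        for label, build in patterns.items():
            if f"{build(first, last)}@{domain}" in emails:
                hits[label] += 1
    return hits.most_common(1)[0][0] if hits else None


def build_footprint(domain, whois_text, page_html):
    """Merge the WHOIS and web findings into one target profile."""
    whois, page = parse_whois(whois_text), parse_page(page_html, domain)
    emails = sorted(set(whois["emails"]) | set(page["emails"]))
    return {"domain": domain, "registrar": whois["registrar"],
            "name_servers": whois["name_servers"], "expiry": whois["expiry"],
            "subdomains": page["subdomains"], "staff": page["staff"],
            "emails": emails, "phones": page["phones"],
            "email_format": infer_email_format(page["staff"], emails, domain)}


if __name__ == "__main__":
    for key, value in build_footprint("example.com", WHOIS_TEXT, TEAM_HTML).items():
        print(f"{key:13} {value}")
```

Everything the script learns (a VPN portal, a webmail host, a CTO and a new IT technician, and the first.last address scheme) comes from data the attacker fetched from third parties, which is why the target's IDS has nothing to log at this stage.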

Scanning is the next essential step. It refers to the package of techniques and procedures
used to identify hosts, ports, and services within a network. Network scanning is one
component of the intelligence-gathering and information-retrieval process an attacker uses
to build an overview of the target organization (the group of people or organization that has
fallen prey to the hacker). Vulnerability scanning is performed by pen-testers to detect the
possibility of network security attacks. This technique lets them identify weaknesses such as
missing patches, unnecessary services, weak authentication, or weak encryption algorithms.
A pen-tester or ethical hacker then lists all such vulnerabilities found in the organization's
network.

Scanning is of three types:

 Network Scanning
 Port Scanning
 Vulnerability Scanning

Objectives of Network Scanning

1. To discover live hosts, IP addresses, and open ports of the victim.
2. To discover services that are running on a host.
3. To discover the operating system and system architecture of the target.
4. To discover and deal with vulnerabilities in live hosts.

Scanning Methodologies

1. Hackers and pen-testers check for live systems.
2. Check for open ports (the technique is called Port Scanning, which is discussed
below).
3. Scanning beyond the IDS (Intrusion Detection System).
4. Banner Grabbing: the method of obtaining information about the targeted system on a
network and the services running on its open ports, typically the service name and
version that a daemon announces when a client connects. Telnet and ID Serve are the
tools mainly used to grab banners. Intruders use this information to compile the list of
exploits applicable to those versions.
5. Scan for vulnerabilities.
6. Prepare proxies.

Port Scanning
It is a conventional technique used by penetration testers and hackers to search for the open
doors through which an organization's systems can be reached. During this scan, the hacker
needs to find the live hosts, the firewalls in place, the operating systems used, the different
devices attached to the network, and the targeted organization's topology. Once the hacker has
the victim organization's IP addresses, scanning their TCP and UDP ports lets the hacker map
the organization's network. Amap is a tool that identifies the application protocol speaking on
each open port, whatever port number it uses.

TCP/IP Handshake
Before moving to the scanning techniques, we have to understand the TCP three-way
handshake. In computer terms, handshaking means the automated process used to set the
dynamic parameters of a communication channel between two entities using some protocol.
Here the handshake belongs to TCP (Transmission Control Protocol), which runs over IP
(Internet Protocol), and it takes place between a client and a server. First, the client sends a
synchronization (SYN) packet to request a connection; the listening server responds with a
SYN/ACK packet; and the client completes the exchange by sending an ACK packet. SYN
denotes synchronization, which initializes the sequence numbers of a connection between the
client and the server, and ACK denotes acknowledgment, which confirms receipt and
establishes the connection between the two hosts.

Scanning techniques mainly used:

1. SYN Scan: A SYN scan, also called a stealth or half-open scan, does not complete the TCP
three-way handshake. The hacker sends a SYN packet to the victim; if a SYN/ACK comes
back, the port is listening (open), and the scanner replies with an RST instead of the final
ACK so that the connection is never completed. If an RST is received from the target, the
port is closed; if nothing comes back, or an ICMP unreachable message does, the port is
considered filtered. The SYN scan was called "stealthy" because older IDSs and hosts logged
only completed connections; modern IDSs detect half-open scans readily.
2. XMAS Scan: An XMAS scan sends a packet with the URG (urgent), FIN (finish) and
PSH (push) flags set. An open (or filtered) port gives no response, while a closed port
answers with an RST/ACK packet (RST = reset). This works only against stacks that follow
RFC 793; Windows and many network devices answer every such probe with an RST, so
all of their ports appear closed.
3. FIN Scan: A FIN scan is similar to an XMAS scan except that it sends a packet with
just the FIN (finish) flag and no URG or PSH flags. A FIN scan gets the same responses
and has the same limitations as an XMAS scan.
4. IDLE Scan: An IDLE scan sends the SYN packet with its source address spoofed to that
of an idle third host (the "zombie") and infers the port state from the change in the zombie's
IP identification (IP ID) field, which on a suitable zombie increases by one for every packet
it sends. An open port makes the target send a SYN/ACK to the zombie, which answers
with an RST and so increments its IP ID; a closed port makes the target send an RST, which
the zombie ignores. The attacker never sends a packet to the target from their own address.
5. Inverse TCP Flag Scan: Here, the attacker sends TCP probe packets with a single TCP
flag (FIN, URG or PSH) or no flags at all (a NULL scan). No response indicates that the port
is open (or filtered), and an RST means it is closed.
6. ACK Flag Probe Scan: Here, the attacker sends TCP probe packets with the ACK flag set
to a remote device and analyzes the reply. An RST means the port is unfiltered (the packet
reached the host), while no response or an ICMP unreachable message means it is filtered;
the scan therefore maps the target's filtering rules rather than telling open ports from closed
ones. On some older TCP stacks the TTL and WINDOW fields of the returned RST differed
between open and closed ports, which is the variant that could tell them apart.
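As an added example, not from the original notes, here is the simplest scan that the handshake description above makes possible: a TCP connect scan with banner grabbing, in Python. A connect scan lets the operating system perform the full SYN, SYN/ACK, ACK exchange, so it needs no raw sockets or root privileges, at the cost of every probe being visible to the target service and its logs. To stay runnable offline it stands up a throw-away listener on the loopback address that greets clients with an SSH-style banner, plus a second socket that is bound but not listening, which the kernel answers with an RST, exactly what a closed port looks like. The banner text and the ports are constructed for the demo.

```python
"""TCP connect scan plus banner grab, demonstrated against a local throw-away
service. Added example for this page, not part of the original notes; the
listener, its SSH-style banner and the ports are constructed for the demo."""
import socket
import threading
from contextlib import closing


def start_fake_service(banner, host="127.0.0.1"):
    """Listen on an ephemeral port and greet every client with a banner, the way
    SSH, SMTP or FTP daemons do. Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)          # poll so the thread notices stop_event
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def reserve_closed_port(host="127.0.0.1"):
    """Bind without listening: the kernel answers SYNs to this port with RST,
    which is exactly what a closed port looks like to a scanner."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    return sock.getsockname()[1], sock


def probe_port(host, port, timeout=0.5):
    """Connect scan of one port. The OS performs SYN, SYN/ACK, ACK for us:
    success means open, ECONNREFUSED (an RST came back) means closed, and
    silence until the timeout means filtered (a firewall dropped the SYN).
    On an open port, read whatever the service volunteers: the banner grab."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "closed", b""
        except OSError:              # includes the connect timeout
            return "filtered", b""
        try:
            banner = sock.recv(256).strip()
        except OSError:
            banner = b""
        return "open", banner


def scan(host, ports):
    """Probe each port and return {port: (state, banner)}."""
    return {port: probe_port(host, port) for port in ports}


def open_ports(results):
    """Just the ports whose handshake completed, in ascending order."""
    return sorted(p for p, (state, _) in results.items() if state == "open")


def run_demo():
    """Stand up one open and one closed port on loopback and scan both."""
    open_port, stop = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    closed_port, holder = reserve_closed_port()
    try:
        results = scan("127.0.0.1", [open_port, closed_port])
    finally:
        stop.set()
        holder.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    _, _, res = run_demo()
    for port, (state, banner) in sorted(res.items()):
        print(f"{port:5d}/tcp {state:8s} {banner.decode(errors='replace')}")
```

The SYN, FIN, XMAS, NULL, IDLE and ACK scans above all depend on crafting individual TCP flags, which the socket API does not expose; they need raw sockets (Nmap, hping or scapy) and therefore root. The connect scan trades that privilege for visibility: the service sees a completed connection, and the grabbed banner is the same version string the defender's own logs will show was read.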

Vulnerability Scanning
It is the proactive identification of the vulnerabilities of the systems within a network in an
automated manner, to determine whether the systems can be exploited or threatened. In this
case the scanning host must be able to reach the target systems over the network, and it
usually needs Internet access to keep its vulnerability database current.

Tools and Steps Used

If a hacker wants to perform ICMP (Internet Control Message Protocol) scanning, it can be
done manually. On Windows the steps are:

 Open Windows OS
 Press the Win+R (Run) keys in combination
 In the Run box, type cmd
 Type the command: ping <IP address> or ping <domain name>

A reply shows that the host is up and reachable. Note that many hosts and firewalls drop
ICMP echo requests, so the absence of a reply does not prove the host is down; a TCP or
ARP probe may still find it.

Tools that are used to scan networks and ports are:

 Nmap: extracts information such as live hosts on the network, services, the type of packet
filters/firewalls, operating systems, and OS versions.
 Angry IP Scanner: scans for systems available in a given input range.
 Hping2/Hping3: command-line packet crafting and network scanning tools for the TCP/IP
protocols.
 SuperScan: another powerful tool, developed by Foundstone (later part of McAfee), which is
a TCP port scanner also used for pinging.
 Zenmap: the Nmap graphical user interface (GUI), another very powerful tool to detect the
OS type and version and to perform ping sweeps, port scans, etc.
 Net Scan Tools Suite Pack: a collection of different types of tools that can perform port
scans, flooding, web ripping and mass emailing; a trial version exists, and paid versions are
also available.
 Wireshark and OmniPeek: two powerful and well-known tools that listen to network traffic
and act as network analyzers.
 Other well-known desktop tools include Advanced Port Scanner, Net Tools, MegaPing,
CurrPorts, PRTG Network Monitor, SoftPerfect Network Scanner, Network Inventory
Explorer, etc.
 Various other scanners are available free and built into the Kali Linux distribution.
 Tools and software used as scanners on mobile devices include Umit Network Scanner,
Fing, IP Network Scanner, PortDroid Network Analysis, Panm IP Scanner, the Nessus
vulnerability scanner client, Shadow Security Scanner, etc.

System Hacking Cycle

The process of legal and authorized attempts to discover and successfully exploit a
computer system's weaknesses, in order to make the system more secure, is called Ethical
Hacking. This process includes probing for vulnerabilities and providing proof-of-concept
(POC) attacks to demonstrate that the vulnerabilities are actually present in the system. A
good penetration tester always provides specific recommendations to remove the flaws
discovered in the system during the penetration test. Penetration testing is also known by
other terms such as
 PT
 Pen Testing
 Hacking
 White Hat Hacking

There is a term called Vulnerability Assessment which is quite similar to Penetration
Testing. Vulnerability Assessment means reviewing services and systems for security
issues. Many people use pen testing and vulnerability assessment interchangeably, but they
are not the same. The penetration testing process is a step ahead of vulnerability
assessment: a vulnerability assessment only discovers flaws in the system, whereas a PT
goes on to exploit them to demonstrate their real impact and provides a way to remove
those flaws as well.
1. Reconnaissance: This is the first phase, where the hacker tries to collect information
about the target. It may include identifying the target and finding out the target's IP address
range, network, DNS records, etc. Let's assume that an attacker is about to go after a
website's contacts. By using a search engine, an OSINT tool like Maltego, researching the
target website (checking links, jobs, job titles, email addresses, news, etc.), or a tool like
HTTrack to download the entire website for later enumeration, the hacker is able to
determine staff names, positions, and email addresses.
2. Scanning: This phase includes the use of tools like war dialers, port scanners, network
mappers, ping sweepers, and vulnerability scanners to scan the target. Hackers are now
seeking any information that can help them perpetrate attacks, such as computer names, IP
addresses, and user accounts. Now that the hacker has some basic information, the hacker
moves to the next phase and begins to test the network for other avenues of attack. The
hacker decides to use a couple of methods to help map the network (e.g. the tools in Kali
Linux, Maltego, and finding an email address to contact in order to see what email server is
being used). The hacker looks for an automated reply if possible, or, based on the
information gathered, may decide to email HR with an inquiry about a job posting.
3. Gaining Access: In this phase, the hacker designs the blueprint of the target's network
with the help of the data collected during Phase 1 and Phase 2. The hacker has finished
enumerating and scanning the network and now decides that they have several options for
gaining access to it.
For example, say the hacker chooses a phishing attack. The hacker decides to play it safe and
use a simple phishing attack to gain access, and to infiltrate the IT department. They see that
there have been some recent hires who are probably not up to speed on the procedures yet. A
phishing email is sent to the technicians with the CTO's actual address as the spoofed sender,
and it links to a phishing website that will collect their logins and passwords. Using any of a
number of options (a phone app, website email spoofing, Zmail, etc.) the hacker sends an email
asking the users to log in to a new Google portal with their credentials. They already have the
Social Engineering Toolkit running and have sent an email carrying the server address to the
users, masked with a bit.ly or TinyURL short link.
Other options include creating a reverse TCP shell in a PDF using Metasploit (which may be
caught by the spam filter). Looking at the event calendar, they can set up an Evil Twin access
point and attempt a man-in-the-middle attack on users to gain access. A variant of a denial of
service attack, stack-based buffer overflows, and session hijacking may also prove useful.
4. Maintaining Access: Once a hacker has gained access, they want to keep that access for
future exploitation and attacks. Once the hacker owns the system, they can use it as a base
from which to launch additional attacks.
In this case, the owned system is sometimes referred to as a zombie system. Now that the
hacker has multiple email accounts, the hacker begins to test the accounts on the domain.
From this point the hacker creates a new administrator account for themselves, following the
organization's naming convention so that it blends in. As a precaution, the hacker also looks
for and identifies accounts that have not been used for a long time. The hacker assumes that
these accounts are likely either forgotten or unused, so they change their passwords and
elevate their privileges to administrator as a secondary way of maintaining access to the
network. The hacker may also send out emails to other users with a booby-trapped file such as
a PDF carrying a reverse shell in order to extend their access. No overt exploitation or
attacks will occur at this time. If there is no evidence of detection, a waiting game is
played, letting the victim think that nothing was disturbed. With access to an IT account,
the hacker begins to make copies of all emails, appointments, contacts, instant messages
and files to be sorted through and used later.
5. Clearing Tracks (so no one can trace them): Prior to the attack, the attacker would have
changed their MAC address and run the attacking machine through at least one VPN to help
cover their identity. They will not deliver a direct attack or use any scanning technique that
would be deemed "noisy".
Once access is gained and privileges have been escalated, the hacker seeks to cover their
tracks. This includes clearing out sent emails, server logs, temp files, etc. The hacker will
also look for indications that the email provider has alerted the user to possible unauthorized
logins on their account.
Most of the time is spent on the Reconnaissance phase, and the time spent shrinks in each
subsequent phase. The inverted triangle in the diagram represents the time spent in
successive phases getting smaller.
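The maintaining-access and clearing-tracks phases described above leave a small set of host events behind, and the following Python detection rules, added here as an example that is not part of the original notes, show how a defender would catch them. The log lines are constructed and use a simplified "time|event_id|subject|target|detail" layout rather than real Windows EVTX records, although the event IDs carry their standard Windows Security log meanings (4720 user account created, 4732 member added to a security-enabled local group, 4724 password reset attempt, 4624 successful logon, 1102 audit log cleared); the account names are placeholders. The rules look for the three tricks the text describes: a freshly created account that is immediately made an administrator, a password reset on an account that has been dormant for months (followed by that account logging on), and the audit log being wiped.

```python
"""Detection rules for the 'maintaining access' and 'clearing tracks' phases,
run over a small Windows Security event stream. Added example for this page,
not from the original notes. The log lines are constructed and use a
simplified 'time|event_id|subject|target|detail' layout instead of real EVTX
records; the event IDs carry their standard meanings (4720 account created,
4732 member added to a local group, 4724 password reset, 4624 logon,
1102 audit log cleared) and the account names are placeholders."""
from datetime import datetime, timedelta

LOG_LINES = """\
2024-02-01T09:12:00|4624|old.contractor|old.contractor|Logon Type 2
2024-05-05T08:00:00|4624|jane.doe|jane.doe|Logon Type 2
2024-05-06T14:02:10|4720|it.helpdesk|svc-backup2|Account created
2024-05-06T14:03:05|4732|it.helpdesk|svc-backup2|Added to Administrators
2024-05-06T14:20:41|4724|it.helpdesk|old.contractor|Password reset
2024-05-06T14:22:03|4624|old.contractor|old.contractor|Logon Type 3
2024-05-06T14:25:00|4724|it.helpdesk|jane.doe|Password reset
2024-05-06T18:45:12|1102|it.helpdesk|Security|The audit log was cleared
""".splitlines()


def parse(lines):
    """Turn each pipe-separated line into a dict with a datetime and int ID."""
    events = []
    for line in lines:
        ts, eid, subject, target, detail = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "subject": subject, "target": target, "detail": detail})
    return events


def detect(events, admin_window=timedelta(minutes=10),
           dormant_after=timedelta(days=90)):
    """Stream the events in time order and emit (rule, account, actor) alerts.

    NEW_ADMIN_ACCOUNT: an account created and added to Administrators within
      admin_window, the 'blend in with a fresh admin account' trick.
    DORMANT_ACCOUNT_RESET: a password reset on an account with no logon for
      dormant_after or more, the 'revive a forgotten account' trick; a reset
      of a recently active account is treated as ordinary helpdesk work.
    DORMANT_ACCOUNT_LOGON_AFTER_RESET: that revived account actually logging on.
    AUDIT_LOG_CLEARED: event 1102, the clearest 'clearing tracks' signal.
    """
    alerts = []
    created = {}        # account -> creation time
    last_logon = {}     # account -> most recent successful logon
    revived = set()     # dormant accounts whose password was just reset
    for ev in events:
        acct, actor = ev["target"], ev["subject"]
        if ev["id"] == 4720:
            created[acct] = ev["time"]
        elif ev["id"] == 4732 and "Administrators" in ev["detail"]:
            if acct in created and ev["time"] - created[acct] <= admin_window:
                alerts.append(("NEW_ADMIN_ACCOUNT", acct, actor))
        elif ev["id"] == 4724:
            seen = last_logon.get(acct)
            if seen is not None and ev["time"] - seen >= dormant_after:
                alerts.append(("DORMANT_ACCOUNT_RESET", acct, actor))
                revived.add(acct)
        elif ev["id"] == 4624:
            if acct in revived:
                alerts.append(("DORMANT_ACCOUNT_LOGON_AFTER_RESET", acct, actor))
            last_logon[acct] = ev["time"]
        elif ev["id"] == 1102:
            alerts.append(("AUDIT_LOG_CLEARED", acct, actor))
    return alerts


if __name__ == "__main__":
    for rule, account, actor in detect(parse(LOG_LINES)):
        print(f"{rule:35s} account={account:15s} by={actor}")
```

Event 1102 is written as the first entry of the freshly cleared log, so it survives the clearing, but everything before it does not; the rules above are only useful if the events have already been forwarded to a collector the attacker cannot reach. The dormant-account rule also needs logon history older than the attacker's window, which is one more reason to retain forwarded logs for longer than the 90 days the rule looks back.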
