
Ethical Hacking IMP

Module 3
1. Countermeasures and types of sniffing attack
The two main types of sniffing attacks are active sniffing and passive sniffing.
Passive Sniffing: In passive sniffing, the attacker intercepts and monitors network traffic
without actively altering it. The attacker captures data packets as they pass through the
network and analyzes the information contained within them. Passive sniffing is often
carried out using tools like packet sniffers or network analyzers. This type of sniffing is
effective in networks that use hub devices or networks where the traffic is sent to all the
ports, allowing any host on the network to see the traffic. However, with the widespread use
of switches instead of hubs in modern networks, passive sniffing has become less effective.

Active Sniffing: Active sniffing involves not only intercepting and monitoring network traffic
but also actively altering it for the attacker's purposes. This type of sniffing is commonly used
in switch-based networks where passive sniffing methods are ineffective. Active sniffing
techniques typically involve injecting packets or manipulating network protocols to redirect,
intercept, or modify traffic. Examples of active sniffing techniques include MAC flooding,
DHCP attacks, DNS poisoning, spoofing attacks, and ARP poisoning. Active sniffing allows
attackers to bypass the protections provided by switches and gain access to network traffic.
Countermeasures
To protect against sniffing attacks, it is crucial to implement proper countermeasures and
security practices. Here are some effective countermeasures to mitigate the risk of sniffing:
1. Encryption: Implement strong encryption protocols, such as SSL/TLS, for securing
sensitive data and communications. Encryption ensures that even if attackers
intercept the network traffic, they cannot decipher the encrypted information
without the encryption keys.
2. Switched Networks: Use switched networks instead of hubs. Unlike hubs that
broadcast traffic to all ports, switches direct traffic only to the intended recipient.
This prevents attackers from passively sniffing network traffic from other hosts.
3. VLAN Segmentation: Implement Virtual Local Area Network (VLAN) segmentation to
logically separate network traffic. VLANs create isolated network segments,
restricting the scope of sniffing attacks. This helps to contain any potential breaches
and prevent unauthorized access to sensitive information.
4. Network Monitoring: Regularly monitor and analyze network traffic for any signs of
abnormal or suspicious activity. Intrusion Detection Systems (IDS) and Intrusion
Prevention Systems (IPS) can be deployed to detect and alert administrators about
sniffing attempts.
5. Network Access Control: Implement strong access control mechanisms, such as
authentication, authorization, and accounting (AAA) systems. This ensures that only
authorized users and devices can connect to the network, reducing the risk of sniffing
attacks by unauthorized individuals.

2. Countermeasures and types of MAC spoofing

MAC spoofing refers to the practice of altering or forging the Media Access Control (MAC)
address of a network interface card (NIC) to impersonate a different device on a network. By
changing the MAC address, an attacker can disguise their device and potentially bypass
network security measures. Here are some types of MAC spoofing:
1. Local MAC Spoofing: This type of MAC spoofing involves changing the MAC address
of a device on a local network. Attackers modify the MAC address of their network
interface to mimic the MAC address of another device already present on the
network. This can help the attacker bypass MAC-based access controls or confuse
network monitoring tools.
2. Remote MAC Spoofing: Remote MAC spoofing occurs when an attacker spoofs the
MAC address of a remote device on a different network. By forging the MAC address
of a legitimate device, the attacker can trick network routers or switches into routing
traffic to their own device, enabling unauthorized access or interception of network
traffic.

Countermeasures
To protect against sniffing attacks, implementing the following countermeasures can help
enhance network security:
1. Encryption: Utilize strong encryption protocols, such as SSL/TLS, to encrypt sensitive
data transmitted over the network. Encryption ensures that even if network traffic is
intercepted, it remains unreadable and protected from unauthorized access.
2. Virtual Private Network (VPN): Use VPN technology to establish secure and
encrypted connections between remote users and the network. VPNs provide an
additional layer of protection by encrypting all traffic between the user's device and
the network, making it difficult for sniffers to intercept and decipher the data.
3. Network Segmentation: Implement network segmentation to create separate
subnetworks based on the sensitivity of the data or the trust level of connected
devices. By segmenting the network, you can limit the reach of sniffing attacks and
contain potential breaches.
4. Intrusion Detection and Prevention Systems (IDS/IPS): Deploy IDS/IPS solutions to
monitor network traffic for suspicious activity, including sniffing attempts. These
systems can detect and alert administrators about potential sniffing attacks, enabling
them to take appropriate action.
5. Network Monitoring: Implement robust network monitoring tools and techniques to
detect abnormal network traffic patterns or unauthorized devices. Continuous
monitoring helps identify potential sniffing activities and allows for a quick response.

3. Port mirroring
Port mirroring is a technique used on network switches to duplicate network packets from
one switch port or an entire VLAN and send them to a network monitoring connection on
another switch port. Here are some key points about port mirroring:
1. Purpose: Port mirroring is commonly used to facilitate network monitoring and
analysis. It allows network appliances like intrusion detection systems (IDS), passive
probes, or real user monitoring (RUM) technology to capture and analyze network
traffic without disrupting the normal flow of data.
2. Network Traffic Duplication: Port mirroring creates a copy of network traffic and
directs that copy to a designated port, where it can be captured and analyzed. This
allows monitoring tools or devices to inspect the mirrored traffic for security threats,
performance issues, or other purposes.
3. Elimination of Separate Physical Devices: Port mirroring eliminates the need for
installing separate physical devices, such as network splitters, to duplicate and
capture network traffic. Instead, the switch itself is configured to duplicate and
forward the desired traffic to the monitoring port.
4. Configuration: Administrators can configure the switch to mirror specific traffic based
on various criteria, such as source or destination addresses, protocols, or VLANs. This
flexibility allows for targeted monitoring based on specific requirements.
5. Data Delivery Point: The port designated as the data delivery point receives the
mirrored traffic. Monitoring devices connected to this port can collect and analyze
the packets for further inspection or analysis.
Port mirroring is a valuable tool for network administrators and security professionals as it
enables them to monitor network traffic in real-time, identify potential issues, and detect
any malicious activity. By capturing and analyzing the duplicated traffic, organizations can
gain insights into their network's performance, troubleshoot problems, and enhance overall
security.
4. Countermeasures and types of social engineering

Social engineering refers to the manipulation and exploitation of human psychology to
deceive individuals or gain unauthorized access to sensitive information or systems. It
involves using psychological techniques, manipulation, and deception rather than technical
means to exploit human vulnerabilities.
Here are some common forms of social engineering:
1. Phishing: Phishing is a prevalent form of social engineering where attackers
impersonate trustworthy entities, such as banks, social media platforms, or email
providers, to trick individuals into revealing sensitive information like usernames,
passwords, or financial details.
2. Pretexting: Pretexting involves creating a fabricated scenario or pretext to deceive
individuals and gain their trust. Attackers might impersonate authority figures, such
as IT personnel, company executives, or government officials, to trick people into
divulging confidential information or performing certain actions.
3. Baiting: Baiting relies on offering something desirable or enticing to manipulate
individuals into taking certain actions. For example, an attacker might leave a USB
drive labeled as "Confidential" in a public place, hoping that someone picks it up and
plugs it into their computer, unknowingly installing malware.
4. Tailgating: Tailgating occurs when an attacker follows closely behind an authorized
person to gain unauthorized physical access to restricted areas. By exploiting
people's natural inclination to hold doors open for others, the attacker bypasses
security measures.
5. Impersonation: Impersonation involves posing as someone else to gain trust or
access to sensitive information. Attackers might pretend to be employees,
colleagues, or service providers to deceive individuals and convince them to share
confidential data.
6. Reverse Social Engineering: Reverse social engineering involves tricking individuals
into approaching the attacker and willingly providing information. The attacker may
create a persona or situation that entices the victim to seek help or assistance,
leading to the disclosure of sensitive data.
Countermeasures against social engineering include:
i) Human-based social engineering: Human-based social engineering relies on direct
interaction and manipulation of individuals to deceive them and extract sensitive
information. This can involve techniques such as:
• Impersonation: The attacker pretends to be someone they're not, such as a co-
worker, IT technician, or authority figure, to gain trust and convince the victim to
disclose information or perform actions.
• Tailgating: The attacker follows closely behind an authorized person to gain physical
access to restricted areas or systems.
• Eavesdropping: The attacker listens in on conversations or intercepts communication
to gather information that can be used for further exploitation.
ii) Mobile-based social engineering: Mobile-based social engineering exploits vulnerabilities
or manipulates users through mobile devices and apps. Some common techniques include:
• SMS Phishing (Smishing): Attackers send deceptive text messages claiming to be from
legitimate sources, encouraging recipients to click on malicious links or provide
sensitive information.
• Malware-Infected Apps: Attackers create and distribute malicious mobile applications
that trick users into downloading them, leading to the compromise of personal data
or unauthorized access to the device.
• Caller ID Spoofing: Attackers manipulate caller ID information to make it appear as if
they are calling from a trusted source, increasing the likelihood of the victim
providing sensitive information over the phone.
iii) Computer-based social engineering: Computer-based social engineering exploits
vulnerabilities and manipulates users through various computer-mediated communication
channels. Some examples include:
• Phishing Emails: Attackers send deceptive emails impersonating legitimate
organizations, enticing recipients to click on malicious links, download attachments,
or disclose sensitive information.
• Malware Distribution: Attackers distribute malware through infected websites,
malicious downloads, or infected email attachments, tricking users into inadvertently
installing malware on their computers.
• Rogue Websites: Attackers create fake websites that resemble legitimate ones,
tricking users into entering their credentials or financial information, which is then
captured by the attacker.
• Fake Technical Support: Attackers pose as technical support personnel and contact
individuals, claiming that their computer is infected or experiencing issues. They
convince victims to grant remote access or provide sensitive information.
5. ARP poisoning

ARP poisoning, also known as ARP spoofing or ARP cache poisoning, is an attack method
used to manipulate the Address Resolution Protocol (ARP) on a local area network (LAN). It
involves an attacker sending falsified ARP messages to associate their own MAC address with
the IP address of another device on the network. This allows the attacker to intercept,
redirect, or modify network traffic intended for the targeted device.
Here are the key points about ARP poisoning:
1. Attack Process: The attacker sends forged ARP request and reply packets, tricking the
target device into associating the attacker's MAC address with a legitimate IP address
on the network.
2. Man-in-the-Middle (MITM) Attack: In a MITM attack, the attacker sets up a position
between the victim device and the legitimate network device by manipulating ARP
tables. This allows the attacker to intercept and view network traffic between the
victim and the legitimate device without their knowledge.
3. Denial of Service (DoS) Attack: In a DoS attack, the attacker floods the network with a
large number of falsified ARP replies, associating the MAC address of a legitimate
network device with a single IP address. This causes network congestion and disrupts
the normal functioning of the targeted device.
4. Data Interception and Modification: By intercepting network traffic, the attacker can
view sensitive information such as login credentials, financial data, or confidential
communications. They can also modify the intercepted data before forwarding it to
the intended recipient, potentially leading to data integrity and privacy breaches.
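The detection side of the attack described above, as an added example that is not from these notes: a small monitor that flags the two symptoms of ARP poisoning, an IP address whose MAC binding changes and one MAC answering for several IPs. The reply records and thresholds are constructed for the demonstration.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.

Added example (not from the page). It models what a host-side monitor
such as arpwatch, or a switch's Dynamic ARP Inspection, checks for: an IP
address whose binding changes to a different MAC, and one MAC address
that claims several IP addresses. The reply records below are constructed.
"""
from collections import defaultdict

# Constructed sample: the gateway (.1) and a host (.10) answer normally,
# then a third MAC starts answering for both of them.
SAMPLE_REPLIES = [
    {"t": 0.0, "ip": "192.168.1.1", "mac": "aa:aa:aa:aa:aa:01"},
    {"t": 0.5, "ip": "192.168.1.10", "mac": "bb:bb:bb:bb:bb:10"},
    {"t": 1.0, "ip": "192.168.1.1", "mac": "AA:AA:AA:AA:AA:01"},   # benign refresh
    {"t": 2.0, "ip": "192.168.1.1", "mac": "cc:cc:cc:cc:cc:99"},   # gateway rebound
    {"t": 2.1, "ip": "192.168.1.10", "mac": "cc:cc:cc:cc:cc:99"},  # host rebound too
]


class ArpWatcher:
    """Keeps the first-seen (or preconfigured) IP->MAC binding as the baseline
    and reports every reply that deviates from it."""

    def __init__(self, trusted=None, max_ips_per_mac=1):
        # trusted: optional static table {ip: mac}, e.g. from DHCP snooping
        # bindings or a hand-maintained list of gateways and servers.
        self.ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.mac_to_ips = defaultdict(set)
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, reply):
        ip, mac, t = reply["ip"], reply["mac"].lower(), reply["t"]
        baseline = self.ip_to_mac.get(ip)
        if baseline is None:
            self.ip_to_mac[ip] = mac          # learn on first sight
        elif baseline != mac:
            # A poisoned cache would now send this IP's traffic to `mac`.
            self.alerts.append({"t": t, "kind": "rebind", "ip": ip,
                                "expected": baseline, "seen": mac})
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > self.max_ips_per_mac:
            # One NIC answering for many IPs is the signature of an attacker
            # impersonating several hosts (raise the threshold for routers
            # that legitimately own several addresses).
            self.alerts.append({"t": t, "kind": "multi_ip", "mac": mac,
                                "ips": sorted(self.mac_to_ips[mac])})


def analyze(replies, trusted=None, max_ips_per_mac=1):
    """Run the watcher over a list of replies and return the alerts raised."""
    watcher = ArpWatcher(trusted, max_ips_per_mac)
    for reply in sorted(replies, key=lambda r: r["t"]):
        watcher.observe(reply)
    return watcher.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_REPLIES):
        print(alert)
```

Seeding the watcher with a trusted table (static ARP entries or DHCP snooping bindings) catches the first forged reply instead of the second, which is how switch-based Dynamic ARP Inspection works.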

6. DHCP starvation attack

DHCP starvation attack, also known as DHCP exhaustion attack, is a type of network attack
where an attacker consumes or exhausts all available IP addresses in a DHCP (Dynamic Host
Configuration Protocol) server's IP address pool. The purpose of this attack is to prevent
legitimate devices from obtaining IP addresses and disrupt network connectivity.
Here are the key points about DHCP starvation attacks:
1. DHCP Overview: DHCP is a network protocol used to automatically assign IP
addresses, subnet masks, and other network configuration parameters to devices on
a network. DHCP servers maintain a pool of available IP addresses to lease to
devices.
2. Attack Process: The attacker sends a large number of DHCP discovery requests to the
DHCP server, requesting IP addresses. By continuously requesting IP addresses, the
attacker depletes the available IP address pool.
3. IP Address Exhaustion: As the attacker receives IP addresses from the DHCP server,
legitimate devices on the network may be unable to obtain IP addresses for their
network configuration. This can lead to a denial of service (DoS) situation, causing
connectivity issues and preventing devices from accessing the network.
4. Impact: The DHCP starvation attack disrupts network operations by preventing
devices from acquiring valid IP addresses. This can result in communication failures,
inability to access network resources, and general network instability.
Countermeasures against DHCP starvation attacks include:
1. DHCP Snooping: Enable DHCP snooping on network switches. DHCP snooping
monitors DHCP traffic and validates DHCP messages to ensure that only authorized
DHCP servers respond to client requests. It helps prevent rogue DHCP servers from
allocating IP addresses and mitigates DHCP starvation attacks.
2. DHCP Rate Limiting: Implement rate limiting mechanisms on DHCP servers or
network devices to restrict the number of DHCP requests allowed per unit of time.
This limits the impact of DHCP starvation attacks by preventing an excessive number
of requests from a single source.
3. DHCP Server Hardening: Secure DHCP servers by implementing access controls and
authentication mechanisms. Only authorized administrators should have access to
DHCP server configuration settings to prevent unauthorized manipulation of DHCP
settings.
4. DHCP Lease Time Management: Configure appropriate DHCP lease times to ensure
that IP addresses are not held indefinitely by inactive or malicious devices. Shorter
lease times reduce the impact of DHCP starvation attacks by reclaiming unused IP
addresses more quickly.
5. Network Segmentation: Divide the network into smaller subnets or VLANs to limit
the number of devices sharing the same DHCP server. This helps contain the impact
of DHCP starvation attacks to specific segments and prevents a single attack from
affecting the entire network.
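The DHCP snooping and rate-limiting countermeasures above, as an added example that is not part of these notes: it rate-limits client DISCOVER/REQUEST messages per switch port, counts how many distinct client MACs a port claims, and flags server messages (OFFER/ACK) that arrive on an untrusted port. Port names, thresholds and the event list are constructed.

```python
"""Flag DHCP starvation and rogue DHCP servers from switch-port DHCP events.

Added example (not from the page). It imitates the two checks a DHCP
snooping feature performs: rate-limiting client DISCOVER/REQUEST messages
per access port (with an extra check on how many distinct client MACs the
port claims), and rejecting server messages (OFFER/ACK) that do not arrive
on a trusted port. The events below are constructed.
"""
from collections import defaultdict, deque

TRUSTED_PORTS = {"Gi0/24"}          # uplink to the real DHCP server (assumed)


def make_sample_events():
    events = [
        # one laptop on Gi0/1 completing a normal exchange
        {"t": 0.0, "port": "Gi0/1", "chaddr": "aa:aa:aa:aa:aa:01", "msg": "DISCOVER"},
        {"t": 0.1, "port": "Gi0/24", "chaddr": "aa:aa:aa:aa:aa:01", "msg": "OFFER"},
        {"t": 3.0, "port": "Gi0/1", "chaddr": "aa:aa:aa:aa:aa:01", "msg": "REQUEST"},
        # an OFFER arriving on an access port: somebody runs a DHCP server there
        {"t": 4.0, "port": "Gi0/9", "chaddr": "aa:aa:aa:aa:aa:01", "msg": "OFFER"},
    ]
    # Gi0/7 sends 40 DISCOVERs with 40 different client MACs within 0.8 s
    for i in range(40):
        events.append({"t": 1.0 + i * 0.02, "port": "Gi0/7",
                       "chaddr": f"de:ad:be:ef:00:{i:02x}", "msg": "DISCOVER"})
    return events


def inspect(events, window_s=1.0, max_requests=10, max_client_macs=5,
            trusted_ports=TRUSTED_PORTS):
    """Return {port: alert} for ports that look like starvation sources or
    rogue servers. Thresholds are assumptions; tune them per network."""
    recent = defaultdict(deque)   # port -> deque of (t, chaddr) inside the window
    alerts = {}
    for e in sorted(events, key=lambda e: e["t"]):
        port, t = e["port"], e["t"]
        if e["msg"] in ("OFFER", "ACK", "NAK"):
            # Server messages are only legitimate from trusted (uplink) ports.
            if port not in trusted_ports:
                alerts.setdefault(port, {"kind": "rogue_server", "first_t": t})
            continue
        if e["msg"] not in ("DISCOVER", "REQUEST"):
            continue
        q = recent[port]
        q.append((t, e["chaddr"].lower()))
        while q and t - q[0][0] > window_s:
            q.popleft()                       # slide the window forward
        macs = {m for _, m in q}
        if len(q) > max_requests or len(macs) > max_client_macs:
            # Many requests, or many different client MACs, from one access
            # port in a short window is the starvation pattern.
            a = alerts.setdefault(port, {"kind": "starvation", "first_t": t,
                                         "peak_requests": 0, "peak_macs": 0})
            a["peak_requests"] = max(a["peak_requests"], len(q))
            a["peak_macs"] = max(a["peak_macs"], len(macs))
    return alerts


if __name__ == "__main__":
    for port, alert in sorted(inspect(make_sample_events()).items()):
        print(port, alert)
```

A switch applying the same logic would typically error-disable the offending access port rather than only alert, which is the rate-limiting action the notes refer to.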
Module 4
1. DoS attack methodology and defensive strategy
DoS Attack Methodology:
1. Denial of Service (DoS) attacks aim to disrupt the availability of a network, system, or
service by overwhelming it with a flood of illegitimate traffic or by exploiting
vulnerabilities to exhaust system resources.
2. Common types of DoS attacks include:
a. Flooding Attacks: These attacks involve overwhelming the target with a high volume of
traffic, such as ICMP flood, UDP flood, SYN flood, or HTTP flood. The target's resources
become consumed by processing the flood of requests, rendering it inaccessible to
legitimate users.
b. Application Layer Attacks: These attacks exploit vulnerabilities in application layer
protocols, such as HTTP, DNS, or SMTP, to exhaust server resources. Examples include HTTP
GET/POST floods, DNS amplification attacks, or SMTP header attacks.
c. Distributed Denial of Service (DDoS) Attacks: In DDoS attacks, multiple compromised
devices called a botnet are used to launch a coordinated attack, amplifying the volume of
traffic and making it difficult to mitigate. It overwhelms the target's resources and often
requires specialized mitigation techniques.
Defensive Strategies against DoS Attacks:
1. Network Monitoring: Implement network monitoring tools and Intrusion
Detection/Prevention Systems (IDS/IPS) to detect and mitigate DoS attacks. These
systems can monitor network traffic for abnormal patterns and trigger alerts or take
automated actions to block malicious traffic.
2. Traffic Filtering: Utilize firewalls, routers, or dedicated DoS protection solutions to
filter out illegitimate traffic. Configure rules and access control lists (ACLs) to block or
limit traffic from suspicious sources or with unusual characteristics.
3. Bandwidth Management: Employ bandwidth management techniques, such as traffic
shaping or rate limiting, to prioritize legitimate traffic and prevent network
congestion during an attack.
4. Load Balancing: Distribute incoming network traffic across multiple servers or
resources to prevent a single point of failure. Load balancing helps distribute the
impact of a DoS attack, making it harder for the attacker to overwhelm a specific
resource.
2. Permanent DoS attack
Permanent Denial-of-Service (PDoS) Attack, also known as "Phlashing," is a type of attack
that aims to cause irreversible damage to system hardware or firmware, rendering it
permanently inoperable. Unlike traditional DoS attacks that target software vulnerabilities or
network resources, PDoS attacks focus on destroying the underlying hardware components.
Here are some key aspects of PDoS attacks:
1. Phlashing: PDoS attacks often involve the technique known as phlashing. In
phlashing, the attacker exploits vulnerabilities in the firmware or hardware of a
device, such as routers, switches, or embedded systems. By sending malicious
firmware updates or reprogramming the device, the attacker causes it to become
permanently corrupted or bricked.
2. Hardware Sabotage: PDoS attacks differ from other DoS attacks as they aim to
physically sabotage the targeted system's hardware components. This sabotage can
be achieved through various means, such as overloading electrical circuits,
manipulating voltage levels, or causing physical damage to critical components.
3. Bricking a System: "Bricking" refers to the state in which a device becomes as useful
as a brick due to irreversible damage. In PDoS attacks, the attacker deliberately
manipulates the firmware or hardware in such a way that the device becomes
permanently non-functional or unrecoverable. This requires victims to replace or
reinstall the affected hardware, resulting in significant costs and downtime.
4. Firmware Exploitation: PDoS attacks often exploit vulnerabilities in device firmware,
which is responsible for controlling the hardware operations. By injecting malicious
firmware or exploiting insecure firmware update mechanisms, attackers can
permanently disable or alter critical functions, rendering the device unusable.
Countermeasures against PDoS Attacks:
1. Secure Firmware Updates: Implement secure procedures for firmware updates, such
as digitally signed updates and secure distribution channels. Verify the integrity and
authenticity of firmware before applying updates to mitigate the risk of malicious
firmware installation.
2. Firmware Security Hardening: Ensure the firmware running on devices is developed
with security best practices, such as code reviews, vulnerability scanning, and strict
access controls. Regularly update firmware with security patches and fixes provided
by the manufacturer.
3. Network Segmentation: Separate critical devices and systems into isolated network
segments to limit the impact of a PDoS attack. This can prevent the lateral movement
of an attacker across the network and contain the damage to specific segments.
3. SYN flooding

SYN flooding is a type of network-based Denial-of-Service (DoS) attack that exploits a
vulnerability in the way hosts implement the TCP three-way handshake. The attack takes
advantage of the fact that when a host receives a SYN request (the initial step in establishing
a TCP connection), it allocates resources to track the partially-opened connection in a "listen
queue" for a certain period of time, typically 75 seconds.
In a SYN flooding attack, a malicious host sends a large number of SYN requests to the target
host but intentionally fails to respond to the SYN/ACK packets sent by the target host to
complete the three-way handshake. This results in the target host's listen queue getting
quickly overwhelmed with partially-opened connections that consume system resources.
By repeatedly sending such SYN requests without completing the handshake, the attacker
effectively exhausts the target host's available resources, preventing it from accepting
legitimate connection requests. This results in a Denial-of-Service condition where legitimate
users are unable to establish connections or access the targeted service.
SYN flooding attacks can be particularly effective because they exploit the finite capacity of
the listen queue and the time it takes for incomplete connections to time out. The attacker
can continuously flood the target host with SYN requests, keeping the listen queue full and
preventing the host from servicing legitimate connection requests.
To mitigate SYN flooding attacks, various techniques can be employed:
1. SYN cookies: Implementing SYN cookies on the target host can help mitigate SYN
flooding attacks. SYN cookies allow the host to respond to SYN requests without
allocating resources for incomplete connections until the handshake is completed
successfully.
2. Firewalls and rate limiting: Network firewalls and rate-limiting mechanisms can be
deployed to detect and block excessive incoming SYN requests from suspicious
sources. This helps to filter out the malicious traffic and protect the targeted system.
3. Load balancers: Using load balancers can distribute incoming connection requests
across multiple backend servers, which helps to distribute the impact of SYN flooding
attacks and prevent a single server from being overwhelmed.
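How SYN cookies avoid filling the listen queue, as an added example that is not from these notes: the server encodes a coarse timestamp, an MSS index and a keyed hash of the connection 4-tuple into its initial sequence number, stores nothing, and only allocates a connection when the final ACK returns a cookie it can verify. The field widths, MSS table and hash are this example's own choices, modelled loosely on the Linux scheme.

```python
"""A compact SYN-cookie scheme, to show how a listener answers SYNs without
keeping per-connection state until the handshake completes.

Added example (not from the page). It follows the layout used by the Linux
SYN cookie implementation in spirit (a coarse timestamp, an MSS index and a
keyed hash packed into the server's initial sequence number) but the hash,
field widths and MSS table here are this example's own choices.
"""
import hashlib
import hmac

MSS_TABLE = [536, 1300, 1440, 1460]   # encodable MSS values (index fits in 3 bits)


def _mac24(secret, src_ip, dst_ip, sport, dport, client_isn, t):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the coarse time."""
    msg = f"{src_ip}|{dst_ip}|{sport}|{dport}|{client_isn}|{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src_ip, dst_ip, sport, dport, client_isn, client_mss, now):
    """Server ISN to put in the SYN/ACK. Nothing about this SYN is stored."""
    t = (int(now) // 64) & 0x1F                  # 5-bit counter, 64 s granularity
    idx = 0
    for i, mss in enumerate(MSS_TABLE):          # largest table entry <= client MSS
        if mss <= client_mss:
            idx = i
    return (t << 27) | (idx << 24) | _mac24(secret, src_ip, dst_ip, sport, dport, client_isn, t)


def check_cookie(secret, src_ip, dst_ip, sport, dport, client_seq, ack_seq, now, max_age=1):
    """Validate the final ACK of the handshake. Returns the negotiated MSS
    when the ACK carries a cookie this server issued recently, else None."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF          # the ACK acknowledges ISN + 1
    client_isn = (client_seq - 1) & 0xFFFFFFFF   # the client's SEQ is its ISN + 1
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    age = (((int(now) // 64) & 0x1F) - t) & 0x1F
    if age > max_age or idx >= len(MSS_TABLE):
        return None                              # stale, or not a cookie we issued
    expected = _mac24(secret, src_ip, dst_ip, sport, dport, client_isn, t)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                              # forged, or replayed on another tuple
    return MSS_TABLE[idx]


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # rotate this regularly in practice
    peer = ("203.0.113.5", "198.51.100.10", 40000, 443)
    isn = make_cookie(secret, *peer, 1000, 1460, 100000)
    print("SYN/ACK seq:", isn)
    print("MSS from valid ACK:", check_cookie(secret, *peer, 1001, isn + 1, 100000))
```

The cost of the scheme is visible in the code: TCP options other than a coarse MSS cannot be remembered, which is why real stacks only switch to cookies once the listen queue is under pressure.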

4. TCP, RST and UDP network-level hijacking

TCP Session Hijacking: TCP session hijacking, also known as TCP/IP
hijacking, is a type of attack where an attacker intercepts and takes control of an ongoing
TCP session between two communicating parties. The attacker aims to gain unauthorized
access, manipulate the session, or extract sensitive information.
The process of TCP session hijacking typically involves the following steps:
1. Passive Monitoring: The attacker intercepts network traffic and observes the ongoing
TCP session between the victim and the target server. This can be done through
techniques like packet sniffing or ARP poisoning.
2. Session Identification: The attacker identifies the TCP session they want to hijack by
analyzing the sequence and acknowledgment numbers exchanged between the
victim and the server.
3. Spoofing: The attacker spoofs the IP address and sequence numbers to make it
appear as if they are the legitimate party involved in the TCP session.
4. Connection Reset (RST): The attacker sends a forged TCP RST (Reset) packet to both
the victim and the target server, causing them to terminate the session abruptly.
5. Session Hijacking: With the session terminated, the attacker initiates a new TCP
session using the spoofed IP address and sequence numbers. This allows them to
impersonate the victim and gain unauthorized access or perform malicious activities.
Countermeasures against TCP Session Hijacking:
1. Encryption: Implementing strong encryption mechanisms, such as SSL/TLS, can help
protect the confidentiality and integrity of the TCP session, making it more difficult
for attackers to intercept and manipulate the session.
2. Firewalls and Intrusion Detection Systems (IDS): Deploying firewalls and IDS/IPS
solutions can help detect and block suspicious network traffic, including forged TCP
packets used in session hijacking attempts.
3. Secure Network Architecture: Implementing secure network architecture, such as
segregating critical systems into separate subnets or VLANs, can limit the impact of
session hijacking by containing the attacker's access within a restricted network
segment.
UDP Session Hijacking: Unlike TCP, UDP (User Datagram Protocol) is connectionless and does
not have a built-in mechanism for session establishment and termination. This makes UDP
sessions more susceptible to hijacking as there is no sequence of packets or handshake to
track.
UDP session hijacking involves an attacker intercepting and manipulating UDP packets
exchanged between the victim and the target server. The attacker can modify the content of
the packets, inject malicious payloads, or impersonate the sender or receiver.
Countermeasures against UDP Session Hijacking:
1. Authentication and Encryption: Implementing strong authentication mechanisms and
encrypting UDP payloads can help prevent unauthorized access and manipulation of
UDP sessions.
2. Access Control: Restricting access to critical UDP services and implementing proper
access controls can minimize the risk of session hijacking.
3. Network Monitoring: Regularly monitoring network traffic and analyzing patterns can
help detect anomalies and potential session hijacking attempts.
4. Packet Filtering: Deploying packet filtering mechanisms, such as firewalls or intrusion
prevention systems, can help filter out malicious UDP packets and block
unauthorized access.

5. Man-in-the-middle and man-in-the-browser attacks

Man-in-the-Middle (MitM) Attack: In a Man-in-the-Middle attack, an attacker intercepts and
manipulates the communication between two parties who believe they are directly
communicating with each other. The attacker positions themselves between the sender and
the receiver, allowing them to eavesdrop on the communication, capture sensitive
information, and even modify the data being transmitted. The attack typically involves three
main steps:
1. Interception: The attacker gains access to the communication path between the
sender and the receiver. This can be achieved through various means, such as
compromising network devices, exploiting vulnerabilities, or creating rogue access
points.
2. Eavesdropping and Modification: Once in the middle, the attacker can intercept and
monitor the communication between the two parties. They can capture sensitive
information, such as login credentials or financial data, and even modify the data in
transit without the knowledge of the sender or the receiver.
3. Impersonation: In some cases, the attacker may impersonate one or both parties,
making them believe they are still directly communicating with each other. This
allows the attacker to manipulate the communication, inject malicious content, or
perform unauthorized actions on behalf of the legitimate parties.
Man-in-the-Browser (MitB) Attack: A Man-in-the-Browser attack is a specific type of Man-in-
the-Middle attack that focuses on web browsers. In this attack, the attacker injects malicious
code into the victim's web browser, usually through malware or browser extensions, giving
them control and visibility over the browser's activities. The attack typically involves the
following steps:
1. Malware Infection: The attacker infects the victim's computer or device with
malware, often through social engineering techniques or drive-by downloads.
2. Browser Control: The malware gains control over the victim's web browser, allowing
the attacker to manipulate and monitor the browser's activities.
3. Manipulation of Web Sessions: The attacker can intercept and modify web pages,
inject malicious scripts, capture login credentials, and perform unauthorized actions
within the browser session. This enables them to carry out fraudulent transactions,
steal sensitive information, or compromise the security of online accounts.
Mitigation and Countermeasures: Mitigating Man-in-the-Middle (MitM) attacks and Man-in-
the-Browser (MitB) attacks requires a combination of technical measures and user
awareness:
1. Encryption: Implement strong encryption protocols, such as SSL/TLS, to secure
communication channels and protect against eavesdropping and data manipulation.
2. Certificate Validation: Verify the authenticity of digital certificates used for secure
connections, ensuring they are issued by trusted Certificate Authorities (CAs).
3. Web Security Best Practices: Employ secure coding practices, such as input validation
and output encoding, to prevent web application vulnerabilities that could be
exploited in MitB attacks.
4. Endpoint Security: Install and regularly update antivirus software, firewalls, and
intrusion detection systems to detect and prevent malware infections that can lead
to MitB attacks.
5. User Education: Raise awareness among users about the risks of MitM and MitB
attacks, encourage them to practice good cybersecurity habits, and advise against
downloading suspicious software or clicking on untrusted links.
6. Multi-Factor Authentication: Implement multi-factor authentication mechanisms to
add an extra layer of security, reducing the impact of compromised credentials in
MitB attacks.
6. Steps involved in session hijacking

Session hijacking, also known as session stealing or session sidejacking, refers to the
unauthorized takeover of a user's session in a network communication. Here are the steps
involved in a typical session hijacking attack:
1. Network Monitoring: The attacker monitors the network traffic to identify active
sessions and the associated session tokens or cookies used for session management.
2. Session Identification: The attacker selects a target session to hijack based on the
captured session tokens or cookies. This can be done by analyzing the network traffic
or using techniques like sniffing or packet interception.
3. Session Theft: The attacker steals the session token or cookie of the target session.
This can be accomplished through various methods, such as capturing the session
token from unsecured HTTP connections, exploiting session vulnerabilities, or
leveraging cross-site scripting (XSS) attacks to extract session information.
4. Session Injection: The attacker injects the stolen session token or cookie into their
own browser or session management tool to impersonate the legitimate user. This
allows them to bypass authentication mechanisms and gain unauthorized access to
the target user's account or session.
5. Unauthorized Actions: With the hijacked session, the attacker can perform various
unauthorized actions on behalf of the legitimate user. This may include accessing
sensitive information, modifying account settings, making fraudulent transactions, or
carrying out malicious activities within the compromised session.
6. Covering Tracks: To avoid detection, the attacker may attempt to cover their tracks by
clearing logs, deleting evidence of the session hijack, or modifying activity records to
make it appear as if the compromised session was legitimate.
7. Countermeasure for session hijacking

Mitigating Session Hijacking Attacks: To protect against session hijacking attacks, consider
implementing the following security measures:
1. Encryption: Utilize strong encryption protocols (e.g., SSL/TLS) to secure the
communication channels and protect session data from eavesdropping or
interception.
2. Session Management: Implement secure session management practices, including
robust session token generation, token rotation, and regular expiration.
3. Transport Layer Security: Enable secure connections and enforce the use of HTTPS for
sensitive transactions to prevent the interception of session tokens or cookies.
4. Client-Side Security: Implement security measures on the client side, such as secure
cookie flags (e.g., HttpOnly and Secure) and the SameSite attribute, to prevent
cross-site scripting (XSS) attacks.
5. User Authentication: Employ strong authentication mechanisms, such as multi-factor
authentication (MFA), to add an extra layer of security and reduce the impact of
session hijacking.
6. Intrusion Detection/Prevention Systems: Deploy intrusion detection or prevention
systems that can detect and block suspicious activities associated with session
hijacking attempts.
7. User Education: Educate users about the risks of session hijacking and promote good
security practices, such as avoiding unsecured Wi-Fi networks, using VPNs, and being
cautious of phishing or social engineering attempts.
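The following is an added example (not part of the original notes) that puts measures 2, 3 and 4 above into code: random session tokens from a CSPRNG, rotation after login, idle and absolute expiry enforced server-side, and a Set-Cookie header carrying HttpOnly, Secure and SameSite. The lifetime values and the in-memory store are assumptions for illustration.

```python
import hmac
import secrets
import time
SESSION_LIFETIME = 15 * 60   # absolute lifetime, seconds (assumed policy)
IDLE_TIMEOUT = 5 * 60        # idle timeout, seconds (assumed policy)


class SessionStore:
    """Server-side session table: random tokens, rotation, expiry."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be tested
        self._sessions = {}       # token -> {"user", "created", "last_seen"}

    def create(self, user):
        # 256 bits from the OS CSPRNG; never derive tokens from ids or time
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[token] = {"user": user, "created": t, "last_seen": t}
        return token

    def lookup(self, token):
        """Return the user for a live token, else None (expired ones are purged)."""
        if not isinstance(token, str) or not token.isascii():
            return None
        # constant-time comparison so a guess cannot be refined byte by byte
        match = next((s for s in self._sessions if hmac.compare_digest(s, token)), None)
        if match is None:
            return None
        sess, t = self._sessions[match], self._now()
        if t - sess["created"] > SESSION_LIFETIME or t - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[match]
            return None
        sess["last_seen"] = t
        return sess["user"]

    def rotate(self, old_token):
        """Issue a new token after login or privilege change (defeats fixation)."""
        user = self.lookup(old_token)
        if user is None:
            return None
        del self._sessions[old_token]
        return self.create(user)


def session_cookie_header(token):
    # HttpOnly: no script access; Secure: HTTPS only; SameSite=Strict: not sent cross-site
    return (f"sid={token}; Path=/; Max-Age={SESSION_LIFETIME}; "
            "HttpOnly; Secure; SameSite=Strict")
```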
Module 5
1. Effects of web server misconfiguration

2. Technique to crack web server password

3. Vulnerabilities of web server and applications

Web servers and applications can have various vulnerabilities that can be exploited by
attackers. Here are some common vulnerabilities:
1. Injection Attacks: Injection vulnerabilities occur when untrusted data is sent to an
interpreter as part of a command or query, allowing attackers to execute malicious
commands. Examples include SQL injection, OS command injection, and LDAP
injection.
2. Cross-Site Scripting (XSS): XSS vulnerabilities allow attackers to inject malicious scripts
into web pages viewed by other users. This can lead to unauthorized access, session
hijacking, and data theft.
3. Cross-Site Request Forgery (CSRF): CSRF vulnerabilities allow attackers to trick
authenticated users into performing unwanted actions on a website without their
knowledge or consent. This can lead to unauthorized actions being performed on
behalf of the victim.
4. Server Misconfigurations: Misconfigurations in web servers or applications can
expose sensitive information, grant excessive permissions, or allow unauthorized
access. Examples include directory traversal, file inclusion vulnerabilities, and
insecure default configurations.
5. Security Misconfigurations: Improperly configured security settings, weak
authentication mechanisms, inadequate access controls, or outdated software
versions can create vulnerabilities that can be exploited by attackers.
6. Session Management Issues: Weak session management can lead to session
hijacking, session fixation, or session replay attacks. This occurs when session tokens
are not properly protected, invalidated, or rotated.
7. File Upload Vulnerabilities: Insecure file upload mechanisms can allow attackers to
upload malicious files, leading to remote code execution or unauthorized access to
the server or other users' data.
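As an added illustration of item 1 (not from the original notes), the two lookups below show the difference between splicing untrusted input into a SQL string and binding it as a parameter. The in-memory SQLite table and the sample names are constructed for the example; the legitimate name "O'Brien" is enough to show that the concatenated query lets input be parsed as SQL.

```python
import sqlite3


def make_db():
    """Constructed sample table for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("O'Brien", "user")])
    return db


def role_vulnerable(db, name):
    # Untrusted input is spliced into the SQL text, so a quote character in
    # `name` changes the statement's structure rather than being a value.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def role_parameterized(db, name):
    # The statement is compiled with a placeholder; `name` is bound as data
    # and can never be read as SQL syntax, whatever characters it contains.
    row = db.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def demo():
    """Compare both lookups on a legitimate name that contains an apostrophe."""
    db = make_db()
    results = {"parameterized": role_parameterized(db, "O'Brien")}
    try:
        results["concatenated"] = role_vulnerable(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        # the apostrophe closed the string literal and the rest was parsed as SQL
        results["concatenated"] = f"SQL syntax error: {exc}"
    return results
```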

4. Defensive strategy for cross site scripting attack

Defending against cross-site scripting (XSS) attacks requires implementing a combination of
preventive measures and best practices. Here are some defensive strategies to mitigate XSS
vulnerabilities:
1. Input Validation and Sanitization: Implement strict input validation and sanitization
techniques to filter and validate user-supplied data. This includes validating input
formats, encoding or escaping special characters, and rejecting or removing
potentially harmful input.
2. Output Encoding: Encode user-generated content appropriately before displaying it
in web pages. Use context-aware output encoding techniques such as HTML entity
encoding, JavaScript encoding, or URL encoding to prevent interpreted content from
being executed.
3. Content Security Policy (CSP): Implement a Content Security Policy that specifies the
allowed sources of content and restricts the execution of unsafe inline scripts,
external scripts, and other resources. This helps prevent unauthorized code
execution and limits the impact of XSS attacks.
4. Secure Coding Practices: Follow secure coding practices, such as avoiding the use of
eval() or document.write() functions, properly validating and escaping data used in
dynamic content, and using framework-specific security features.
5. HTTP-only Cookies: Set the HTTP-only flag on cookies to prevent client-side scripts
from accessing sensitive cookie information, reducing the risk of session hijacking
through XSS attacks.
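Added example (not part of the original notes) for strategies 2 and 3: one encoder per output context (HTML body or attribute, JavaScript string, URL parameter) and a Content-Security-Policy header tied to the same per-request nonce that the page's inline script carries. The page markup, the `render_profile` and `handle_request` names, and the sample inputs are constructed for the example.

```python
import html
import json
import secrets
from urllib.parse import quote


def encode_for_html(value):
    """Text between tags or inside a quoted attribute: escape & < > " '."""
    return html.escape(value, quote=True)


def encode_for_js(value):
    """Data embedded in a <script> block: a JSON string literal, with '<' also
    escaped so a '</script>' inside the data cannot terminate the block."""
    return json.dumps(value).replace("<", "\\u003c")


def encode_for_url(value):
    """Data placed in a URL query parameter."""
    return quote(value, safe="")


def render_profile(display_name, bio, search_term, nonce):
    """Render a page choosing the encoder by output context (constructed markup)."""
    return (
        f"<h1>{encode_for_html(display_name)}</h1>\n"
        f'<p title="{encode_for_html(bio)}">{encode_for_html(bio)}</p>\n'
        f'<a href="/search?q={encode_for_url(search_term)}">search again</a>\n'
        f'<script nonce="{nonce}">var lastSearch = {encode_for_js(search_term)};</script>'
    )


def csp_header(nonce):
    """Content-Security-Policy: only same-origin scripts plus inline scripts that
    carry this request's nonce; no plugins; no <base> hijacking."""
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'")


def handle_request(display_name, bio, search_term):
    """One request: fresh nonce, HTML body, and the matching CSP header."""
    nonce = secrets.token_urlsafe(16)
    body = render_profile(display_name, bio, search_term, nonce)
    return {"Content-Security-Policy": csp_header(nonce)}, body
```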
5. Different types of password attack

6. Different approaches used by the web server architecture


7. Merits and demerits of client-server network
8. Justify the following statement
a. Error messages reveal a lot of information about their
web server and applications

Error messages generated by web servers and applications can provide valuable information
to potential attackers. Here are some reasons why error messages can reveal sensitive
information:
1. Detailed Error Descriptions: Error messages often provide specific details about the
nature of the error that occurred. This can include information about the server
configuration, database connection details, file paths, and even snippets of code.
Attackers can leverage this information to identify vulnerabilities or misconfigurations
that can be exploited.
2. Stack Traces and Debugging Information: In some cases, error messages can include
stack traces or debugging information. These details can give insights into the
underlying code structure, the modules or libraries being used, and potential
weaknesses that attackers can exploit.
3. Version and Software Information: Error messages may disclose the version numbers
of the web server, application frameworks, or software components being used. If a
known vulnerability exists in a specific version, attackers can target the system with
exploits designed for that version.
4. Infrastructure and Architecture Details: Error messages can inadvertently reveal
information about the network infrastructure, server architecture, or third-party
services being used. This knowledge can aid attackers in crafting targeted attacks or
identifying potential weak points in the system.
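Added example (not from the original notes) of the mitigation implied by the four points above: an error handler that writes the exception type, message and stack trace to the server log under a reference id and returns only that id to the client, unless the server is deliberately in debug mode. The `load_config` failure and its file path are constructed to show what a verbose error page would expose.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


def error_response(exc, debug=False):
    """Turn an unhandled exception into (status, body).

    The full detail (exception type, message, stack trace and any file paths or
    library names in it) is written to the server log under a reference id.
    The client receives only that id, unless the server runs in debug mode.
    """
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s\n%s", ref, detail)
    if debug:
        # what a misconfigured production server shows to every visitor
        body = f"500 {type(exc).__name__}: {exc}\n{detail}"
    else:
        body = f"500 Internal Server Error. Reference: {ref}"
    return 500, body


def load_config(path):
    """Simulated failing component (constructed); its path would leak in a verbose error."""
    raise FileNotFoundError(f"{path}: No such file or directory")


def handle_request(debug=False, path="/srv/app/config/db.ini"):
    """Request handler wrapping the failing component with the error policy above."""
    try:
        load_config(path)
        return 200, "ok"
    except Exception as exc:
        return error_response(exc, debug)
```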
