
Week 11 – Ethical Hacking: An Analysis of the Associated Procedures

1. List down and then briefly elaborate the phases of an ethical hacking process.
The phases of an ethical hacking process are listed and briefly explained below:
• Phase 1: Footprinting
Footprinting is the process of gathering information about a target system or
network in order to identify its vulnerabilities and potential points of attack. The
goal of footprinting is to gather as much information about a target organization
as possible, such as its network architecture, hardware and software
configurations, operating systems, applications, users, and security measures.
• Phase 2: Scanning
The scanning phase focuses on active engagement of the target with the
intention of obtaining more information. Scanning the network will ultimately
locate active hosts that can then be targeted in a later phase.
• Phase 3: Enumeration
It is the systematic probing of a target with the goal of obtaining user lists, routing
tables and protocols from the system. This process moves us from outside the
network to inside it in order to gather system data.
• Phase 4: System Hacking
It is a process which cannot be completed in a single pass, and it is much more
complex than the earlier phases. It involves a methodical approach that includes
cracking passwords, privilege escalation, executing and hiding applications, etc.

2. Briefly elaborate the process of footprinting (reconnaissance).

Footprinting or reconnaissance is a method of observing and collecting information
about a potential target with the intention of finding a way to attack the target.
Footprinting generally involves the following steps to ensure proper information retrieval:
Step 1: Collect information that is publicly available about the target.
Step 2: Determine the operating system(s) being used by the target, including web
server and web application data where possible.
Step 3: Issue queries such as Whois, DNS, network and organizational queries.
Step 4: Locate existing or potential vulnerabilities and exploits that exist in the current
infrastructure and that may be conducive to launching later attacks.
3. What types of data and information can be gathered through the process of
footprinting?

The types of data and information that can be gathered through the process of
footprinting include:

• Network topology and architecture: Footprinting can help to identify the layout
and structure of the target network, including its IP addresses, subnets, and
domains.
• Operating systems and software: Footprinting can reveal the types of
operating systems and software running on the target network, as well as their
versions and patch levels.
• Services and ports: Footprinting can identify the services and ports that are
open and available on the target network, providing potential entry points for
attackers.
• User accounts and passwords: Footprinting can reveal the names of user
accounts on the target network, as well as the strength of passwords and other
authentication mechanisms.
• Social engineering targets: Footprinting can identify potential targets for social
engineering attacks, such as key personnel, employees with elevated privileges,
and third-party vendors.
• Security measures: Footprinting can help to identify the security measures in
place on the target network, such as firewalls, intrusion detection and prevention
systems, and access controls.
• Publicly available information: Footprinting can also gather information about
the target organization that is available through public sources, such as social
media, news articles, and public records. This information can be used to build a
profile of the target and identify potential vulnerabilities or weak points in their
security posture.

4. List down some important information related to computer networks which can be
gathered via reconnaissance.
Information related to computer networks which can be gathered via footprinting, or
reconnaissance, is listed below:
• IP addresses and domain names: Reconnaissance can be used to identify the IP
addresses and domain names associated with a network or website.
• Network Topology: Reconnaissance can help identify the structure and layout
of a network, including the number and location of nodes.
• Network Services: Network services such as FTP, HTTP, and SSH can be
identified through reconnaissance.
• Network Security Measures: Reconnaissance can help identify the security measures in
place on a network, such as firewalls, intrusion detection systems, and antivirus software,
which lets attackers plan their attacks more effectively.
• Network Configuration: Reconnaissance can identify network configurations,
including IP addresses, subnet masks, DNS servers, and other details. This
information can be used to identify potential targets for further attacks.

5. List down some important information related to operating systems which can be
gathered via reconnaissance.

The information related to operating systems that can be gathered via reconnaissance
is listed below:

• Operating system type and version: Reconnaissance can identify the
operating system running on a target system, such as Windows, Linux, or macOS,
along with the version of the operating system.
• Installed software and applications: Reconnaissance can identify the software
and applications installed on a target system, including version numbers and
other relevant details. This information can be used to identify vulnerabilities
associated with specific software or applications.
• User accounts and permissions: Reconnaissance can help identify user
accounts on the target system, including their permissions and roles. This
information can be used to gain unauthorized access to the system.
• File system structure and permissions: Reconnaissance can help identify the
structure of the file system on the target system, as well as the permissions
associated with various files and directories. This information can be used to
identify sensitive files and potential attack vectors.
6. List down some important information related to organization data which can be
gathered via reconnaissance.
The important information related to organization data which can be gathered via
reconnaissance includes:
• Company name and contact information.
• Employee names and contact details.
• Organizational structure (hierarchy of departments).
• Partners and third-party vendors.
• Social media presence (employee accounts that are publicly linked with the
organization).
• Publicly available documents (annual reports, press releases, job postings).
• Organization's information security policies and practices.

7. List down the differences between active information gathering and passive
information gathering process.
The differences between active information gathering and passive information gathering
process are given below:

Active Information Gathering                         | Passive Information Gathering
-----------------------------------------------------|-----------------------------------------------------
Requires direct interaction with the target system   | Does not require direct interaction with the target
or network.                                          | system or network.
Can generate more detailed and accurate information. | Can generate less detailed and accurate information.
Can be more time-consuming and resource-intensive.   | Can be less time-consuming and resource-intensive.
Can be more easily detected by security measures,    | Can be more difficult to detect by security
such as intrusion detection systems.                 | measures.
Examples include port scanning, vulnerability        | Examples include social engineering, dumpster
scanning, and brute-force attacks.                   | diving, and search engine queries.

8. Write down some threats which can be possibly introduced into an enterprise's
network system through the process of footprinting.
The threats introduced into an enterprise's network system through the process of
footprinting are:

• Brute force attacks
• Exploitation of known vulnerabilities
• Zero-day exploits
• Denial-of-Service (DoS)

9. List down the type of information that can be gathered when we carry out
reconnaissance using the following types of dataset:
a. Search Engines
Using search engines, we can find a lot of information, some of it completely
unexpected or something a defender never considers, such as technology platforms,
employee details, login pages, intranet portals, and so on. A search can easily
provide even more details such as names of security personnel, brand and type of
firewall, and antivirus protection.
b. Public and Restricted Websites
Websites that are intended not to be public but to be restricted to a few can provide
you with valuable information. Because restricted websites such as
technet.microsoft.com and developer.apple.com are not intended for public
consumption, they are kept in a subdomain that is either not publicized or that has a
login page.
c. Location and Geography
With this type of dataset, we can get information regarding the physical location of
offices and personnel. Knowing a company's physical location can aid in dumpster
diving, social engineering and other efforts.
d. Social Networking
Social networking has proven not only extremely prolific but also incredibly useful as
an information-gathering tool. You can learn not only what an individual is doing but
also all the relationships, both personal and professional, that they have. Data such
as project data, vacation information, working relationships and location information
can be collected through social networking.
e. Financial Services
Popular financial services such as Yahoo! Finance, Google Finance, and CNBC
provide information that may not be available via other means. This data includes
company officers, profiles, shares, competitor analysis, and many other pieces of
data. This data contributes to attacks such as phishing.
f. Job Portals
A valuable method of gathering information about a target is through job sites and
job postings. A job posting is a statement of desired skills, and it is not uncommon to
find information such as infrastructure data, operating system information, and other
useful facts in it.
g. Computer Networks
This dataset includes information regarding computer networks. The information we
can get through this dataset includes:
• Domain names
• Internal domain name information
• IP addresses of available systems
• VPN information
• Authentication mechanisms and systems
• IDS/IPS and firewalls
• TCP/UDP services that are running
• Rogue or unmonitored websites that are used for testing or other purposes
• Access control mechanisms
10. In detail, elaborate what the process of Scanning refers to.
Scanning is the process of engaging and probing a target network with the intention of
revealing useful information. The gathered information is used for the later phases of the
penetration testing process.

The scanning process typically involves the following steps:

• Identify the target: The first step in scanning is to identify the target system or
network that you want to scan. This could be a single device, a range of IP
addresses, or an entire network.
• Determine the scanning methodology: The next step is to determine the scanning
methodology that you will use. This could include port scanning, vulnerability
scanning, or service scanning.
• Select the scanning tool: Once you have determined the scanning methodology,
you need to select the appropriate scanning tool. There are many scanning tools
available, both free and commercial, that can be used to perform scanning.
• Configure the scanning tool: Once you have selected the scanning tool, you need
to configure it according to the scanning methodology that you have chosen. This
could include setting the scan type, port range, or vulnerability database.
• Run the scan: After configuring the scanning tool, you can run the scan. This will
typically involve the scanning tool sending packets to the target system or
network and analyzing the responses to identify potential vulnerabilities or
weaknesses.
• Analyze the results: Once the scan is complete, you need to analyze the results
to identify any potential vulnerabilities or weaknesses. This could include open
ports, outdated software, or other issues that could be exploited by attackers.

11. What are the three types of scans? List them down and then elaborate those
scanning techniques in detail.
The three categories of scan are Port Scan, Network Scan and Vulnerability Scan.

a. Port Scan
• Sending carefully crafted messages or packets to a target.
• These probes are typically associated with well-known port numbers
(<=1024).
• We can learn about the services that a system offers to the network domain.
• We can hence find out mail servers, domain controllers and web servers and
differentiate one from the other.
b. Network Scan
• This is designed to locate the live (active) hosts on a network.
• This scan can help identify the systems which may be attacked later.
• This helps us identify devices which we may need to scan more closely.
• Ping sweeps can be used for rapidly scanning an IP range.
• Nmap or Angry IP Scanner are generally used in this process.
c. Vulnerability Scan
• Used to identify weaknesses or vulnerabilities on a target system.
• This scan is typically done as a proactive measure.
• The goal is to catch and identify vulnerabilities in a system before an attacker can
locate those same vulnerabilities.
• A typical vulnerability scan will discover hosts, access points, open ports and
services and generate reports.

12. Provide differences between penetration testing process and vulnerability
scanning.
Penetration testing and vulnerability scanning are two methods for detecting security
flaws in a system. While there is some overlap, the two processes are fundamentally
different. Here are some of the key distinctions:

1. Objectives
Penetration testing is a simulated attack on a system used to identify and exploit flaws in
the system's security measures. Its goal is to determine whether a system can be
breached and how far an attacker can penetrate.
Vulnerability scanning, on the other hand, is the process of identifying known
vulnerabilities in a system, such as outdated software, misconfigurations, and weak
passwords. Its goal is to provide a list of known vulnerabilities that must be addressed.

2. Methodology
Penetration testing simulates a real-world attack by attempting to exploit flaws in a
system's defenses. This is accomplished by combining automated and manual testing
techniques, such as network and application-level attacks, social engineering, and
physical security testing.
In contrast, vulnerability scanning employs automated tools to search a system for
known flaws. This is typically a non-intrusive process that identifies vulnerabilities for
further investigation rather than exploiting them.

3. Scope
Penetration testing is typically limited to a single system, application, or network
segment. It is intended to provide a detailed analysis of the targeted system's security
posture.
Vulnerability scanning, on the other hand, can be done on a much larger scale, with
multiple systems, applications, and networks covered. It is frequently used as the first
step in a more comprehensive security assessment process.

4. Deliverables
Penetration testing results in a comprehensive report that includes a detailed analysis of
the vulnerabilities discovered as well as remediation recommendations. The report also
includes information on the testing techniques used as well as an assessment of the
effectiveness of the system's security controls.
Vulnerability scanning typically results in a list of identified vulnerabilities, as well as
information on the severity of the vulnerability, recommended remediation steps, and
links to additional resources for more information.

In conclusion, while both penetration testing and vulnerability scanning are critical for
identifying security flaws, they differ in their objectives, methodology, scope, and
deliverables. Penetration testing is a more comprehensive and targeted method of
simulating a real-world attack, whereas vulnerability scanning is a more automated and
broad process of identifying known vulnerabilities for remediation.

13. How can Ping be used for the process to check for live systems in a computer
network domain? What makes it useful in a prolonged scanning phase when it
comes to ethical hacking?
Ping is a simple network utility that sends a small data packet to a network device and
waits for a response. The goal of this utility is to determine whether a device is reachable
on the network and to calculate response latency. Ping can be used to detect live
systems in a computer network domain as follows:

Determine the network's IP range: Before performing a Ping scan, you must first
determine the network's IP range. This can be accomplished by using network scanning
tools like Nmap or by inspecting the network configuration settings.

Ping scan: Once you've determined the IP range, use the Ping utility to send ICMP
(Internet Control Message Protocol) packets to each IP address in the range. If a device
responds to a Ping request and is alive, it will send an ICMP echo reply packet back to
the sender.
Analyze the results: Once the Ping scan is finished, you can examine the results to see
which IP addresses are still active on the network. This data can be used to pinpoint
potential targets for additional scanning and penetration testing.
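Questions 10, 11 and 13 describe scanning and ping sweeps from the scanner's side; a defender sees the same activity as a burst of probes in firewall or flow logs. The following is an added example, not part of this coursework: a Python detector that reads flow records in an assumed "<epoch> <src> <dst> <proto> <dst_port>" format, flags a source that sends ICMP echo to many distinct hosts inside a short window (a ping sweep) and a source that touches many distinct ports on one host (a port scan). The sample records, function names and thresholds are this example's own.

```python
"""Added example (not from the coursework): detect ping sweeps and port scans
in flow-style log records. The record format and the thresholds are this
example's own assumptions; the sample records below are constructed.
"""
from collections import defaultdict

# Constructed records: "<epoch> <src_ip> <dst_ip> <proto> <dst_port>".
# 10.0.0.5 probes six hosts with ICMP in 3 s (sweep); 10.0.0.9 hits six
# ports on one host in 2 s (port scan); 10.0.0.7 is ordinary HTTPS traffic.
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.1.1 icmp 0
1001 10.0.0.5 10.0.1.2 icmp 0
1001 10.0.0.5 10.0.1.3 icmp 0
1002 10.0.0.5 10.0.1.4 icmp 0
1002 10.0.0.5 10.0.1.5 icmp 0
1003 10.0.0.5 10.0.1.6 icmp 0
1010 10.0.0.9 10.0.1.20 tcp 22
1010 10.0.0.9 10.0.1.20 tcp 25
1011 10.0.0.9 10.0.1.20 tcp 80
1011 10.0.0.9 10.0.1.20 tcp 443
1012 10.0.0.9 10.0.1.20 tcp 3389
1012 10.0.0.9 10.0.1.20 tcp 8080
1050 10.0.0.7 10.0.1.20 tcp 443
1060 10.0.0.7 10.0.1.20 tcp 443
"""


def parse_flows(text):
    """Return (timestamp, src, dst, proto, dst_port) tuples; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, port = parts
        flows.append((int(ts), src, dst, proto.lower(), int(port)))
    return flows


def _peak_distinct(events, window):
    """Largest count of distinct values seen in any `window`-second span.
    events: list of (timestamp, value) tuples."""
    events = sorted(events)
    peak, lo = 0, 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1                      # slide the window's left edge
        peak = max(peak, len({v for _, v in events[lo:hi + 1]}))
    return peak


def detect_ping_sweeps(flows, window=10, min_hosts=5):
    """Map src -> distinct hosts probed, for sources that ICMP-probe >= min_hosts hosts within `window` s."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, _ in flows:
        if proto == "icmp":
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        n = _peak_distinct(events, window)
        if n >= min_hosts:
            hits[src] = n
    return hits


def detect_port_scans(flows, window=10, min_ports=5):
    """Map (src, dst) -> distinct ports touched, for pairs with >= min_ports distinct ports within `window` s."""
    per_pair = defaultdict(list)
    for ts, src, dst, proto, port in flows:
        if proto in ("tcp", "udp"):
            per_pair[(src, dst)].append((ts, port))
    hits = {}
    for pair, events in per_pair.items():
        n = _peak_distinct(events, window)
        if n >= min_ports:
            hits[pair] = n
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("ping sweeps:", detect_ping_sweeps(flows))
    print("port scans:", detect_port_scans(flows))
```

The sliding window matters: a slow scan spread over hours stays below the per-window threshold, which is why real detectors also keep a long-term per-source count, and why a 10-second window with five hosts or ports is only a starting point to tune against normal traffic.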

14. What can the category of applications that can be used to modify the header
contents of packets be called? Provide two examples of such applications.
Packet crafting or packet injection tools are the class of applications that can be used to
modify the header contents of packets. Users can use these tools to change the
contents of network packets, such as the source and destination IP addresses, port
numbers, and protocol headers. Here are two such packet crafting tools:
Scapy is an advanced packet manipulation tool that allows users to create, send, and
capture network packets. It supports many protocols, including TCP, UDP, ICMP, and
DNS, and allows users to change packet headers and payloads. Custom packets can be
created with Scapy for network testing, analysis, and penetration testing.
Hping is a command-line utility that allows users to send custom TCP/IP packets to
specific hosts. It can be used for a number of tasks such as firewall testing, network
mapping, and denial-of-service attacks. Hping supports a variety of packet types,
including SYN, ACK, FIN, and RST, and allows users to customize packet headers and
payloads.

15. List down the six types of TCP header flags and then provide short descriptions of
each.
The six types of TCP header flags are:

URG (Urgent Pointer): Specifies that the Urgent pointer field is valid and points to the
end of urgent data. Urgent data is data that should be given priority processing by the
receiving TCP.

ACK (Acknowledgement): This flag indicates that the Acknowledgement field is
legitimate and contains an acknowledgment number. The acknowledgment number is
the next predicted sequence number that the segment sender is expecting.

PSH (Push): This specifies that the receiving TCP should push the data to the receiving
application as fast as feasible, without buffering it.

RST (Reset): This flag is used to reset a connection in the event of an error or to
reject an invalid segment.

SYN (Synchronize): This flag is used to link two TCP endpoints by synchronizing
their sequence numbers.

FIN (Finish): Signals that the transmitting TCP has completed its data transmission and
is ready to close the connection. The receiver will send an acknowledgment and then
terminate the connection.

16. Write short notes on:

• Full Open Scans
A Full Open Scan is a port scanning technique that is used to detect open
ports on a target system. By sending a SYN packet to each port and waiting for a
response, this strategy attempts to create a full TCP connection with the target
system.
• Half Open Scans
A SYN scan, or Half Open Scan, is a port scanning technique that only
completes the first part of the three-way handshake. The scanner transmits a
SYN packet to the target system and awaits a response. The scanner can
determine that the port is open if the system answers with a SYN-ACK packet.
• Xmas Tree Scans
A Christmas Tree (Xmas) Scan is a port scanning technique that delivers packets to the
target system with the FIN, URG, and PSH flags set. The port is deemed closed
if the system answers with a RST packet. If no response is received from the
system, the port is regarded as open or filtered.
• FIN Scans
A FIN Scan is a port scanning technique that sends packets to the target system
with only the FIN flag set. The port is deemed closed if the system answers with
a RST packet. If no response is received from the system, the port is regarded
as open or filtered.
• NULL Scans
A NULL Scan is a port scanning technique that delivers packets to the target
system with no flags set. The port is deemed closed if the system answers with a
RST packet. If no response is received from the system, the port is regarded
as open or filtered.
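The flag definitions in question 15 and the scan types in question 16 can be checked against real header bytes. What follows is an added example, not part of this coursework: a Python parser for the fixed 20-byte TCP header that extracts the six flags, and a classifier that labels the combinations a NULL, FIN, Xmas or SYN probe carries, which is the kind of rule an intrusion detection system applies to inbound segments. The header builder only assembles sample bytes in memory and never sends anything; all function names are this example's own. Bits above the six flags (ECE and CWR from RFC 3168) are deliberately not decoded.

```python
"""Added example (not from the coursework): decode TCP header flags and label
scan-style flag combinations, as an IDS rule would. Sample headers are built
in memory only; no packets are sent.
"""
import struct

# Bit values of the six flags in the low byte of the 16-bit offset/flags field.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_tcp_header(data: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (RFC 793 layout, network byte order)."""
    if len(data) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack, off_flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", data[:20])
    data_offset = (off_flags >> 12) * 4            # header length in bytes
    flags = {name for name, bit in FLAG_BITS.items() if off_flags & bit}
    # ECE/CWR (RFC 3168) live in bits 6-7 and are ignored here on purpose.
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "data_offset": data_offset, "flags": flags, "window": window,
            "checksum": checksum, "urg_ptr": urg_ptr}


def classify_flags(flags: set) -> str:
    """Label a flag combination; the labels mirror the scan types described above."""
    if not flags:
        return "NULL scan probe"
    if flags == {"FIN"}:
        return "FIN scan probe"
    if flags == {"FIN", "PSH", "URG"}:
        return "Xmas scan probe"
    if "SYN" in flags and ("FIN" in flags or "RST" in flags):
        return "invalid combination (SYN with FIN or RST)"
    if flags == {"SYN"}:
        return "SYN (connection request or half-open scan probe)"
    return "normal"


def build_tcp_header(src_port: int, dst_port: int, flags,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Assemble a constructed 20-byte header in memory for testing the parser."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    off_flags = (5 << 12) | bits                   # data offset 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       off_flags, 65535, 0, 0)


def classify_packet(data: bytes) -> str:
    """Parse a header and return its scan label in one step."""
    return classify_flags(parse_tcp_header(data)["flags"])


if __name__ == "__main__":
    samples = [("xmas", {"FIN", "PSH", "URG"}), ("null", set()),
               ("fin", {"FIN"}), ("syn", {"SYN"}), ("syn-ack", {"SYN", "ACK"})]
    for name, flags in samples:
        hdr = build_tcp_header(40000, 80, flags)
        print(name, sorted(parse_tcp_header(hdr)["flags"]), "->", classify_packet(hdr))
```

A lone SYN is also how every legitimate connection starts, so a SYN label alone is not evidence of a half-open scan; the rate of SYNs across ports from one source (the counting logic of a scan detector) is what separates the two. NULL, FIN and Xmas combinations, by contrast, never occur in a normal handshake and can be alerted on individually.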

17. How would the UDP ports respond to a port scan?

The response of a UDP port scan differs from that of a TCP port scan. UDP, unlike TCP,
is a connectionless protocol, which means there is no handshake between the client and
server. This means that if a scanner sends a UDP packet to a port, it should not expect a
response because the target system will not acknowledge receipt of the packet.
The target system will respond with an ICMP Destination Unreachable message if the
UDP port is closed. This message indicates that the port is closed and that the
packet could not reach its destination. When the UDP port is open, the target machine
does not respond with an ICMP packet, and the scanning tool assumes the port is open.
It is crucial to emphasize, however, that this assumption is not always correct. UDP
packets can be dropped or lost, resulting in a false positive in which the scanner
believes the port is open when it is not. Furthermore, certain systems may be set to drop
UDP packets completely, making it difficult to detect whether the port is open or
closed. As a result, scanning UDP ports is typically thought to be more difficult and less
reliable than scanning TCP ports.
18. What does the process of Enumeration refer to with respect to ethical hacking and
penetration testing?
Enumeration is the practice of systematically gathering information about a target system
or network in order to uncover vulnerabilities that can be exploited during an attack. It
is an important stage in ethical hacking and penetration testing since it helps the tester
understand the target system's security posture.
Enumeration normally entails the use of numerous tools and procedures to acquire data
about the target system or network. This data may include information about the
operating system, installed software, running services, network architecture, user
accounts, and other things.
After gathering the data, the tester can evaluate it to find potential weaknesses and
devise an attack strategy. Enumeration is an important phase in the ethical hacking and
penetration testing process since it helps to uncover weak points in the target system's
security that attackers could exploit. Nonetheless, it is critical to undertake enumeration
ethically and with permission, as improper enumeration is prohibited and can result in
serious penalties.
19. List down the types of information which can be obtained via the process of
Enumeration.
The types of information which can be obtained via the process of Enumeration are:

• Operating system information
• Network services information
• Open ports
• User accounts
• Network topology
• Application information
• Vulnerabilities
• Shared resources

20. What is typically involved in the process of System Hacking?

System hacking is the process of gaining unauthorized access to a computer system or
network by exploiting flaws or vulnerabilities in its security safeguards. The following are
some of the steps involved in the system hacking process:
a. Reconnaissance: The attacker acquires information about the target machine or
network, such as its operating system, network topology, and running services, in
order to detect potentially exploitable flaws.
b. Scanning and enumeration: The attacker scans the target system or network for
open ports, services, and vulnerabilities using various tools and techniques.
Enumeration entails identifying and collecting detailed system information such as
user accounts, passwords, and file shares.
c. Gaining access: After identifying vulnerabilities and flaws, the attacker employs a
variety of tactics to gain unauthorized access to the system, such as exploiting
unpatched software, brute-force password attempts, or social engineering attacks.
d. Privilege escalation: After gaining access, the attacker attempts to escalate their
privileges in order to get higher-level access to the system, allowing them to execute
more powerful commands and access more sensitive information.
e. Covering tracks: To escape detection and keep access, the attacker deletes logs,
modifies system files, or employs other means to conceal their activities.

21. In detail, explain the concepts involved in password cracking.

Password cracking is the process of obtaining the credentials of a given account in order
to utilize the account to gain illegal access to the system while masquerading as a valid
user. Password cracking can be used by system administrators to audit and test a
system for vulnerabilities in order to reinforce it. A password is intended to be something
that an individual can easily remember while also being difficult to guess or break. This
is the issue: humans tend to choose passwords that are easy to remember, which
makes them easier to guess.

22. Elaborate different password cracking techniques.

Some of the password cracking techniques are:

• Dictionary Attacks
This type of attack consists of a password-cracking application with a dictionary
file loaded into it. The dictionary file is a text file that contains a list of known terms,
running all the way through the dictionary. This list is used by the
application to test different words in an effort to recover the password.
• Brute Force Attacks
In this form of attack, every potential character combination is tried until the
correct one is discovered.
• Packet Sniffing
A sniffer, also known as a packet analyzer, is a tool (usually software) designed
to capture packets as they travel through a network. In general, sniffing attacks
are most effective when carried out on a network with a hub between the attacker
and the victim, or when the two parties are on the same segment of the collision
domain.
• Man-in-the-middle
With this form of attack, two parties are conversing when a third party enters the
conversation and attempts to manipulate or eavesdrop on it.
• Malware
Malware such as Trojans, spyware, and keyloggers can be extremely valuable
during an attack by allowing the attacker to collect all types of information,
including passwords.
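Dictionary and brute force attacks, and the brute force threat listed under question 8, leave the same trace on the target: a burst of failed logins from one source. The following is an added example, not part of this coursework: a Python detector over sshd-style authentication log lines that separates a dictionary/brute-force attempt (many guesses against one or a few accounts) from a password spray (a guess or two across many accounts) and flags an accepted login that follows the burst. The log lines are constructed, and the thresholds (5 failures within 60 seconds, 3 distinct users for a spray) are this example's assumptions.

```python
"""Added example (not from the coursework): spot dictionary/brute-force and
password-spray attempts in sshd-style auth logs and flag a success that
follows a burst of failures. Log lines are constructed; the log format and
thresholds are this example's own assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Failed/Accepted password for [invalid user] <user> from <ip>" form.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample: 203.0.113.5 hammers root then gets in; 192.0.2.44 tries
# one guess each against five accounts; 198.51.100.7 is a normal login.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 host sshd[411]: Failed password for root from 203.0.113.5 port 50001 ssh2
Mar 10 12:00:02 host sshd[412]: Failed password for root from 203.0.113.5 port 50002 ssh2
Mar 10 12:00:03 host sshd[413]: Failed password for root from 203.0.113.5 port 50003 ssh2
Mar 10 12:00:04 host sshd[414]: Failed password for root from 203.0.113.5 port 50004 ssh2
Mar 10 12:00:05 host sshd[415]: Failed password for root from 203.0.113.5 port 50005 ssh2
Mar 10 12:00:06 host sshd[416]: Failed password for root from 203.0.113.5 port 50006 ssh2
Mar 10 12:00:09 host sshd[417]: Accepted password for root from 203.0.113.5 port 50007 ssh2
Mar 10 12:05:00 host sshd[420]: Failed password for invalid user admin from 192.0.2.44 port 40001 ssh2
Mar 10 12:05:01 host sshd[421]: Failed password for invalid user test from 192.0.2.44 port 40002 ssh2
Mar 10 12:05:02 host sshd[422]: Failed password for alice from 192.0.2.44 port 40003 ssh2
Mar 10 12:05:03 host sshd[423]: Failed password for invalid user oracle from 192.0.2.44 port 40004 ssh2
Mar 10 12:05:04 host sshd[424]: Failed password for bob from 192.0.2.44 port 40005 ssh2
Mar 10 12:30:00 host sshd[430]: Accepted password for alice from 198.51.100.7 port 33000 ssh2
"""


def parse_auth_log(text):
    """Return (timestamp, result, user, src) tuples for lines matching AUTH_RE."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_password_attacks(events, window_s=60, threshold=5, spray_users=3):
    """Map src -> finding for sources with >= threshold failures inside window_s seconds."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "Failed"]
        peak, lo = 0, 0
        for hi in range(len(fails)):          # sliding window over failures
            while (fails[hi][0] - fails[lo][0]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak < threshold:
            continue
        users = {e[2] for e in fails}
        kind = ("password spray (few guesses across many users)" if len(users) >= spray_users
                else "dictionary/brute force (many guesses against few users)")
        # An accepted login from the same source after the burst began is the
        # signal worth paging on: the guessing may have succeeded.
        success_after = [e[2] for e in evs
                         if e[1] == "Accepted" and e[0] >= fails[0][0]]
        findings[src] = {"failures": len(fails), "peak_in_window": peak,
                         "distinct_users": len(users), "kind": kind,
                         "success_after_failures": success_after}
    return findings


if __name__ == "__main__":
    for src, f in detect_password_attacks(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(src, f)
```

Lockout policies stop the first pattern but not the second, since a spray stays under the per-account failure limit by design; that is why the detector counts per source and per distinct user rather than per account only.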
23. Explain the importance of escalating privilege level during the process of system
hacking.
Escalating privilege levels is a critical phase in the system hacking process. It entails
getting access to a computer system or network at a higher level than is ordinarily
permitted for a certain user or account. Here are some of the reasons why raising
access levels is critical in system hacking:

Get access to more sensitive information: Gaining higher-level access to a system or
network frequently allows an attacker to gain access to more sensitive information, such
as user data, financial information, or confidential documents. This data can be used in
future assaults or sold on the black market.

Execute more powerful commands: Higher-level access also allows an attacker to
execute more powerful commands and perform operations that would otherwise be
confined to normal users. An attacker with administrator capabilities, for example, can
install software, edit system files, or establish new user accounts.

Avoid detection: Escalating privileges can assist an attacker in evading detection by
providing access to administrative tools that can be used to mask their tracks, erase
logs, and eliminate proof of their activities.

Persist on the system: Escalating privileges can also assist an attacker in maintaining
long-term access to a system or network. An attacker can make it more difficult for
system administrators to detect and remove their presence by creating new user
accounts, installing backdoors or rootkits, or changing system data.

24. Why are backdoors relevant during the process of system hacking?
Backdoors are useful during the system hacking process because they allow attackers
to bypass standard authentication and acquire access to a system or network even if
their initial attack vector has been turned off or patched. Backdoors are important in
system hacking for the following reasons:

Persistence: After installing a backdoor on a system, an attacker can keep access to
the system even if other security measures are put in place. This enables the attacker to
continue gathering information, stealing data, or launching new attacks.

Evasion: Backdoors are often used to avoid detection by security software or system
administrators. An attacker can use a backdoor to bypass conventional authentication
protocols and avoid generating alerts or alarms.

Control: Backdoors can be used to take complete control of a system, allowing an
attacker to modify files, install software, or change system settings.

Reconnaissance: Backdoors can also be used for reconnaissance, allowing an attacker
to learn more about a system or network before launching a more targeted attack.
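Questions 23 and 24 both name new user accounts as a way an attacker keeps elevated access after the initial vector is closed. As an added example, not part of this coursework, here is a defender-side audit of /etc/passwd-style data that flags the account-level signs of such a backdoor: a second UID 0 account, a system account that has been given an interactive shell, and a home directory placed under a world-writable temp path. The passwd content is constructed, and the shell list, UID cutoff and temp prefixes are the example's own assumptions.

```python
"""Added example (not from the coursework): audit /etc/passwd-style data for
account-based backdoors. The passwd content is constructed sample data; the
shell list, system-UID cutoff and temp-directory prefixes are assumptions.
"""

LOGIN_SHELLS = ("/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash", "/usr/bin/bash")
TEMP_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample: "backup" has been given bash, and "support" is a second
# UID 0 account living in /tmp; the rest are ordinary entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0:support:/tmp/.s:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank, comment and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def audit_accounts(entries, sys_uid_max=999):
    """Return (account, reason) pairs for entries that look like persistence backdoors."""
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            # Any extra UID 0 account is root under another name.
            findings.append((e["name"], "additional UID 0 (superuser) account"))
        elif 0 < e["uid"] <= sys_uid_max and e["shell"] in LOGIN_SHELLS:
            # Service accounts normally carry nologin/false, not a real shell.
            findings.append((e["name"], "system account with an interactive login shell"))
        if e["home"].startswith(TEMP_PREFIXES):
            # A home under a world-writable temp path is a common hiding place.
            findings.append((e["name"], "home directory under a world-writable temp location"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_accounts(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name}: {reason}")
```

Run against a real host, the same checks belong in a scheduled job that diffs the result against a known-good baseline, since the interesting event is a new finding appearing, not the static list.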
