
Cyber Security

Training
By – Shreyash Shukla
What is CyberSecurity ?
Cybersecurity is the protection of digital systems, networks, and data from unauthorized access, theft, or damage. It includes protection from threatening processes like malware attacks, phishing attacks, DoS and DDoS attacks, advanced persistent threat (APT) attacks, man-in-the-middle attacks, social engineering attacks, etc.
Cybersecurity Vectors
Cybersecurity vectors refer to the various methods and techniques that hackers use to gain unauthorized access to computer systems, networks, and data. These vectors are constantly evolving and becoming more sophisticated, making it increasingly challenging for organizations to protect their digital assets.
Anti-Viruses
Antivirus software is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses and other malicious software like worms, trojans, adware, and more.

Functions Of Antivirus

Scanning
When a new virus is detected in cyberspace, antivirus producers start writing programs (updates) that scan for similar signature strings.

Integrity Checking
This method generally checks for files in the OS that have been manipulated by viruses.

Interception
This method is used basically to detect Trojans; it checks the requests made by the operating system for network access.
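The first two functions above, signature scanning and integrity checking, in a small worked example. This is added code written for this page, not part of the deck; the signature database, the file contents and the "infection" are all constructed inline (the EICAR string is the standard harmless antivirus test pattern).

```python
import hashlib

# Constructed signature database: name -> byte pattern the scanner searches for.
# The EICAR string is the standard harmless antivirus test pattern.
SIGNATURES = {
    "EICAR-Test-File": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
}

def scan_for_signatures(data: bytes, signatures=SIGNATURES) -> list:
    """Scanning: report every known signature string found in the file bytes."""
    return [name for name, pattern in signatures.items() if pattern in data]

def build_baseline(files: dict) -> dict:
    """Integrity checking, step 1: record a SHA-256 of every file while clean."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def check_integrity(baseline: dict, files: dict) -> dict:
    """Integrity checking, step 2: compare the current files with the baseline."""
    current = build_baseline(files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

# Constructed sample file system (path -> contents) in a known-good state.
CLEAN_FILES = {
    "/bin/ls": b"\x7fELF ls binary (constructed)",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}

# The same file system after a simulated infection: one binary patched and
# one new file dropped that carries a known signature.
INFECTED_FILES = {
    "/bin/ls": b"\x7fELF ls binary (constructed) + injected code",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/tmp/dropper.txt": b"hello EICAR-STANDARD-ANTIVIRUS-TEST-FILE world",
}

def demo():
    """Run both checks against the infected snapshot and return their findings."""
    baseline = build_baseline(CLEAN_FILES)
    report = check_integrity(baseline, INFECTED_FILES)
    hits = {p: scan_for_signatures(d) for p, d in INFECTED_FILES.items()}
    return report, {p: h for p, h in hits.items() if h}

if __name__ == "__main__":
    print(demo())
```

Note that the patched /bin/ls is caught only by the integrity check, not by the signature scan: that is exactly the gap that makes integrity checking a separate antivirus function.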
DOS & DDOS ATTACK

DoS is a denial of service attack. In this attack a computer sends a massive amount of traffic to a victim's computer and shuts it down. A DoS attack is an online attack that, when done on a website, is used to make the website unavailable to its users. This attack overwhelms the server of a website that is connected to the internet by sending a large amount of traffic to it.

A DDoS attack is one of the most common types of DoS attack in use today. During a DDoS attack, multiple systems target a single system with malicious traffic. By using multiple locations to attack the system the attacker can put the system offline more easily.
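The distinction between the two attacks, seen from the defender's side: a flood from one source versus a flood spread over many. This is an added example, not from the deck; the access log is constructed inline and the window size and thresholds are assumptions chosen for the sample.

```python
from collections import Counter, defaultdict

def make_sample_log():
    """Constructed web-server access records as (unix_time, client_ip):
    a little background traffic, then a single-source flood, then a flood
    spread over 200 distinct clients."""
    records = [(100 + i, f"10.0.0.{i % 3 + 1}") for i in range(12)]
    records += [(200 + i % 10, "203.0.113.7") for i in range(300)]
    records += [(300 + i % 10, f"198.51.100.{i % 200}") for i in range(400)]
    return records

def bucket_by_window(records, window=10):
    """Group requests into fixed-size windows: window_start -> Counter(ip -> hits)."""
    windows = defaultdict(Counter)
    for ts, ip in records:
        windows[ts - ts % window][ip] += 1
    return windows

def classify_windows(records, window=10, flood_threshold=100, single_source_share=0.8):
    """Return {window_start: 'dos' | 'ddos'} for every window whose request
    volume reaches flood_threshold. A flood dominated by one client (share of
    requests >= single_source_share) is tagged 'dos'; a flood spread across
    many clients, the DDoS signature, is tagged 'ddos'."""
    alerts = {}
    for start, hits in sorted(bucket_by_window(records, window).items()):
        total = sum(hits.values())
        if total < flood_threshold:
            continue
        _top_ip, top_hits = hits.most_common(1)[0]
        alerts[start] = "dos" if top_hits / total >= single_source_share else "ddos"
    return alerts

if __name__ == "__main__":
    for start, kind in classify_windows(make_sample_log()).items():
        print(f"window starting t={start}: {kind.upper()} flood")
```

The single-source case can be rate-limited or blocked by IP; the distributed case cannot, which is why DDoS is the harder problem and usually needs upstream filtering.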
CNC SERVERS & BOTNETS

A CNC (Command and Control) server is a type of server that is used to issue commands to compromised machines or devices. Cybercriminals typically use these servers to control malware, such as viruses, worms, and Trojans, which have infected a large number of machines or devices. CNC servers enable attackers to remotely manage the malware and use it to launch attacks, steal data, or engage in other malicious activities.

A botnet is a group of computers or other devices that have been infected with malware and are under the control of a remote attacker. These compromised devices are known as bots, and the attacker can use them to launch various types of attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and credential stuffing attacks. Botnets are often controlled using CNC servers.
Steganography
What is steganography ?
Steganography is the practice of concealing a message or information within another object, file, or message, in a way that is difficult to detect. The goal of steganography is to hide the existence of the message or information, rather than to encrypt its contents.

Audio Steganography
This type of steganography involves hiding information within an audio file. This can be done by altering the frequency of certain sounds or by adding inaudible sounds to the file.

Text Steganography
This type of steganography involves hiding information within a text document. This can be done by altering the spacing between words or by using invisible characters to hide the information.

Video Steganography
This type of steganography involves hiding information within a video file. This can be done by altering the frames of the video or by hiding information within the video's metadata.

Image Steganography
This type of steganography involves hiding information within an image. This can be done by altering the color values of pixels in the image or by hiding information within the image's metadata.
NETWORK ATTACKS
WHAT ARE NETWORK ATTACKS ?
A network attack is a type of cyber attack that targets a computer network or system in order to gain unauthorized access, steal data, or cause disruption. Network attacks can come from both internal and external sources, and can range from relatively simple attacks to highly sophisticated, targeted attacks.
This module includes:
• Scanning Methods
• Man in the middle attack
• ARP poisoning
• DHCP Starvation
• LLMNR Attacks
• Offline Password bruteforce
• Working with Responders
Scanning Methods
Network Scanning
Scanning is a critical component of network security that involves probing a network or system for vulnerabilities, weaknesses, and potential entry points. Scanning methods are used to identify potential security threats and to help network administrators to take appropriate measures to mitigate them. There are several types of scanning methods that are commonly used in network security, including:

01 External Scans
This type of scan looks at your network from the hacker's perspective. It scans external IP addresses and domains, probing for vulnerabilities in internet-facing infrastructure to determine which ones can be exploited.

02 Internal Scans
This scan will discover and catalog your core IP-connected endpoints, such as laptops, servers, peripherals, IoT-enabled machines, and mobile devices.

03 Host Based Scans
Host-based agents monitor system activity for signs of suspicious behavior, including repeated failed login attempts, changes to the system registry, or backdoor installations.

04 Penetration Testing Scans
IT teams can go beyond passive scanning with penetration testing tools. In penetration testing (often called pen tests) security experts simulate how malicious hackers may attempt to infiltrate your network.
Man In The Middle Attacks
A Man-in-the-Middle (MITM) attack is a type of cyber attack where an attacker intercepts the communication between two parties, allowing the attacker to eavesdrop, modify, or inject data into the communication. In this type of attack, the attacker positions themselves between the two parties and captures their data in transit.

To protect against MITM attacks, it is important to use secure communication channels, such as encrypted connections, and to implement strong authentication measures, such as two-factor authentication. It is also important to regularly monitor network traffic for suspicious activity and to implement network security measures, such as firewalls and intrusion detection systems, to detect and prevent these types of attacks.
ARP Poisoning
ARP (Address Resolution Protocol) poisoning, also known as ARP spoofing, is a type of cyber attack in which an attacker sends falsified ARP messages over a local area network (LAN), with the aim of linking the attacker's MAC address to the IP address of another device on the network, such as a gateway or a router.

In an ARP poisoning attack, the attacker sends fake ARP messages to the other devices on the network, falsely claiming to be the gateway or router. Once the attacker's MAC address is associated with the IP address of the gateway or router, network traffic intended for those devices is redirected to the attacker's machine, allowing them to intercept and manipulate the traffic.

To protect against ARP poisoning attacks, it is important to use network security measures, such as implementing secure ARP protocols, using encryption and authentication measures, and monitoring network traffic for suspicious activity. Additionally, using tools such as ARPwatch or Wireshark can help in detecting ARP poisoning attacks.
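The detection side of the ARP poisoning section above (and of the MITM section before it): the same check ARPwatch performs, learning IP-to-MAC bindings from ARP replies and alerting when a binding changes or when one MAC starts answering for the gateway. This is an added example, not from the deck or from ARPwatch itself; the ARP replies and the gateway address are constructed inline.

```python
from collections import defaultdict

# Constructed ARP reply observations as (time, sender_ip, sender_mac), i.e. what
# a sniffer on the LAN would record. 192.0.2.1 is the gateway in this sample.
SAMPLE_ARP_REPLIES = [
    (1, "192.0.2.1", "00:11:22:33:44:01"),    # gateway, legitimate binding
    (2, "192.0.2.10", "00:11:22:33:44:0a"),
    (3, "192.0.2.11", "00:11:22:33:44:0b"),
    (30, "192.0.2.1", "00:11:22:33:44:0b"),   # host .11's MAC now claims to be the gateway
    (31, "192.0.2.10", "00:11:22:33:44:0b"),  # ...and also claims host .10
]

def detect_arp_poisoning(replies, gateway_ip="192.0.2.1"):
    """ARPwatch-style check: learn IP->MAC from ARP replies, then raise an alert
    whenever a known IP changes MAC ('flip-flop'), and a separate alert when one
    MAC claims the gateway IP in addition to other addresses (the classic
    man-in-the-middle position). Returns a list of (time, kind, detail)."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous and previous != mac:
            alerts.append((ts, "flip-flop", f"{ip} changed {previous} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if gateway_ip in mac_to_ips[mac] and len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "gateway-impersonation", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

A flip-flop on its own can be benign (a replaced NIC, a DHCP lease handed to a new host), so in practice the gateway-impersonation alert is the one that should page someone.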
DHCP Starvation
DHCP (Dynamic Host Configuration Protocol) starvation, also known as DHCP exhaustion, is a type of network attack where an attacker floods a DHCP server with requests for IP addresses, causing the server to run out of available IP addresses to assign to new devices on the network.

To protect against DHCP starvation attacks, it is important to implement network security measures, such as limiting the number of DHCP requests that can be sent by a single device, setting lease time limits on IP addresses, and monitoring network traffic for suspicious activity. Additionally, implementing DHCP snooping, which is a security feature that enables switches to filter and block DHCP traffic, can help in mitigating DHCP starvation attacks.
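The "monitoring network traffic" mitigation above, made concrete: a starvation attack has to present many different client MAC addresses from one place, so counting distinct MACs per switch port over a time window exposes it. This is an added example, not from the deck; the DHCPDISCOVER observations, port names, window and threshold are all constructed or assumed for the sample.

```python
from collections import defaultdict

def make_sample_discovers():
    """Constructed DHCPDISCOVER observations as (time_s, switch_port, client_mac).
    Normal ports see one client each; the starvation port sources 300 fake MACs."""
    normal = [(t, "Gi1/0/1", "aa:aa:aa:00:00:01") for t in (0, 5, 90)]
    normal += [(t, "Gi1/0/2", "aa:aa:aa:00:00:02") for t in (1, 2)]
    flood = [(10 + i * 0.1, "Gi1/0/7", f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}")
             for i in range(300)]
    return normal + flood

def detect_dhcp_starvation(discovers, window_s=60, max_clients_per_port=5):
    """Flag a port as starving the pool when it sources more distinct client MACs
    within any window_s-second window than a real access port plausibly could.
    Returns {port: highest distinct-MAC count seen} for offending ports."""
    per_port = defaultdict(list)
    for ts, port, mac in sorted(discovers):
        per_port[port].append((ts, mac))
    offenders = {}
    for port, events in per_port.items():
        for i, (start, _) in enumerate(events):
            seen = {mac for ts, mac in events[i:] if ts - start <= window_s}
            if len(seen) > max_clients_per_port:
                offenders[port] = max(offenders.get(port, 0), len(seen))
    return offenders

if __name__ == "__main__":
    print(detect_dhcp_starvation(make_sample_discovers()))
```

This is the same reasoning a switch applies when DHCP snooping rate-limits DHCP packets per port; the script just lets you run it over captured traffic after the fact.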
LLMNR Attack
What is LLMNR attack ?
An LLMNR (Link-Local Multicast Name Resolution) attack is a type of cyber attack that exploits the LLMNR protocol, which is used in Windows operating systems to resolve the NetBIOS names of other devices on the local network.
In an LLMNR attack, an attacker sends a spoofed LLMNR request to a target device on the network, asking for the NetBIOS name of another device. If the target device is unable to resolve the requested name, it will send a broadcast query to all other devices on the network, including the attacker's machine.

LLMNR attacks can be used to steal sensitive information, such as login credentials, or to launch further attacks on the target device or network. They can also be used as a reconnaissance tool, allowing the attacker to gather information about the target network and its devices.

How to protect against LLMNR Attacks ?

To protect against LLMNR attacks, it is recommended to disable the LLMNR protocol on all devices on the network, as it is not required for normal network operations. Additionally, using security measures such as firewalls, intrusion detection systems, and network segmentation can help in detecting and preventing LLMNR attacks.
Offline Password Bruteforce
Password Bruteforce

01 Through Network Sniffing
When you connect to the shared drive to try to access that file you need, you have to prove you have permissions to view the file you are trying to access. This is what prevents the marketing department from reading the HR folder. The way that works over the network is that the shared drive will send you a challenge, and you will compute a new value using your hashed password and the challenge, and send that back to the server for authorization.

02 Bruteforce Tools
Brute-force attacks can take place offline or online. In case of an offline attack, the attacker has access to the encrypted material or a password hash and tries different keys without the risk of discovery or interference. In an online attack, the attacker needs to interact with a target system. We use tools like John the Ripper and hashcat.

03 Through NTDS File
If an attacker is able to get domain administrator credentials and gain access to the domain controller, they can gain access to the NTDS file. This file holds the hashed password for every user on the domain. This is obviously the worst-case scenario for an organization and a pot of gold for an attacker looking to launch offline password attacks.

04 Dumping Memory Content
Once an attacker gains administrative access to a single server or application, they can dump the contents of memory, including the SAM file. Remember above how I said that your computer saves a hash of your password that it checks every time you login? Well, this is saved in the SAM file (for Windows computers), and an attacker with admin level access can dump this file, revealing the hashes of all local accounts on the system.
Working with Responder
What is Responder
Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries. By default, the tool will only answer to File Server Service requests, which is for SMB.
The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.

The basic command to run this tool in Linux is “responder -I eth0 -w -r -f” or “responder -I eth0 -wrf”; both are the same command. And this is the result from the Responder tool.
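How a defender spots the behaviour described in the LLMNR and Responder sections: a poisoner answers name queries it has no business answering, including names DNS does not know and deliberate "canary" names nobody owns. This is an added example, not from the deck or from Responder; the DNS table and the observed LLMNR responses are constructed inline, and the evidence threshold is an assumption.

```python
from collections import defaultdict

# Constructed view of the LAN: what the corporate DNS says about the real hosts.
DNS_TABLE = {"fileserver": "192.0.2.20", "printer01": "192.0.2.21"}

# Constructed LLMNR responses seen on the wire: (time, queried_name, answer_ip, responder_ip).
# 192.0.2.99 answers every name it hears, including a typo and a canary name that
# exists nowhere, and always points the querier at itself.
LLMNR_RESPONSES = [
    (1, "printer01", "192.0.2.21", "192.0.2.21"),   # legitimate: host answers for itself
    (2, "filesrver", "192.0.2.99", "192.0.2.99"),   # typo'd name, nobody should answer
    (3, "canary-x7", "192.0.2.99", "192.0.2.99"),   # canary name the defender queried on purpose
    (4, "fileserver", "192.0.2.99", "192.0.2.99"),  # real name, wrong answer
]

def find_llmnr_poisoners(responses, dns_table=DNS_TABLE, min_bogus_answers=2):
    """Return {responder_ip: [reasons]} for hosts that look like a poisoner:
    answering names DNS does not know, or answering a real name with an address
    that disagrees with DNS. A host needs min_bogus_answers pieces of evidence
    before it is reported, so a single stray reply does not trigger an alert."""
    evidence = defaultdict(list)
    for ts, name, answer_ip, responder_ip in responses:
        expected = dns_table.get(name)
        if expected is None:
            evidence[responder_ip].append(f"t={ts}: answered unknown name '{name}'")
        elif expected != answer_ip:
            evidence[responder_ip].append(
                f"t={ts}: answered '{name}' with {answer_ip}, DNS says {expected}")
    return {ip: reasons for ip, reasons in evidence.items() if len(reasons) >= min_bogus_answers}

if __name__ == "__main__":
    for ip, reasons in find_llmnr_poisoners(LLMNR_RESPONSES).items():
        print(ip, *reasons, sep="\n  ")
```

If LLMNR is disabled as the previous section recommends, there should be no responses at all, so any entry in this report is worth investigating.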
Cyber Attack Practices
Cyber attack practices are malicious actions or techniques used by cybercriminals or hackers to gain
unauthorized access to computer systems, networks, or devices with the intention of stealing or
compromising sensitive information, disrupting services, or causing damage to the target.
Payloads : Reverse Vs Bind

Payload refers specifically to the part of a malware or virus that carries out the malicious actions. For example, a payload in a ransomware attack might be the encryption code that locks the victim's files, while a payload in a keylogger attack might be the code that records and sends keystrokes to a remote attacker.

A reverse payload, also known as a reverse shell, is a type of payload used in a cyber attack that allows an attacker to gain control of a victim's computer or device by establishing a connection from the victim's computer to the attacker's computer. A reverse payload typically involves a command-and-control (C&C) server that the attacker controls. The attacker sends a payload to the victim's computer or device that then establishes a connection back to the C&C server. Once the connection is established, the attacker can execute commands on the victim's computer or device, such as accessing files, installing malware, or taking other malicious action. Reverse payloads can be used in a variety of cyber attacks, such as in remote access trojans (RATs), botnets, and other types of malware. They are a common tool used by hackers and cybercriminals to gain unauthorized access to computer systems and networks.

A bind payload, also known as a bind shell, is a type of payload used in a cyber attack that allows an attacker to gain control of a victim's computer or device by creating a listening port on the victim's computer or device and waiting for the attacker to connect to it. In a bind payload attack, the attacker sends a payload to the victim's computer or device, which creates a listening port on a specific network address and port number. The attacker then connects to this port from their own computer, establishing a connection with the victim's computer. The advantage of a bind payload is that it allows the attacker to gain control of a victim's computer or device even if the victim's network is behind a firewall or other security measures that block incoming connections. By creating a listening port on the victim's computer, the attacker can establish a connection from outside the network, bypassing
THANK YOU
Regards : Shreyash Shukla
