Assignment – I

Course: B. Tech. Year/Semester: IV & VII Session: 2023-2024

Subject Name & Code: Ethical Hacking and Penetration Testing (BCSE1607)

Date: 21 Sept.2023 Date of Submission: 30 Sept. 2023

Q1. Imagine you are an ethical hacker conducting a penetration test for a corporate network.
Your task is to outline and describe the different phases of hacking that you would follow to
identify vulnerabilities and responsibly exploit them. Explain the actions you would take in each
phase, and also discuss the post-exploitation steps you would undertake to maintain security. In
addition, detail how you would ensure the network's safety after completing the test.
Ans-Conducting a penetration test, also known as ethical hacking, involves a structured approach
to identifying and mitigating vulnerabilities in a corporate network while maintaining security and
adhering to ethical guidelines. The penetration testing process typically consists of several phases:

1. Pre-engagement Phase:
• Define Scope: Clearly establish the objectives, goals, and limitations of the
penetration test. This phase includes defining the target systems, assets, and any
specific compliance requirements.
2. Information Gathering (Reconnaissance):
• Passive Reconnaissance: Gather publicly available information about the target
organization, such as domain names, IP addresses, employee names, and email
addresses.
• Active Reconnaissance: Employ tools and techniques like network scanning, DNS
enumeration, and social engineering to gather more detailed information about the
network's structure and vulnerabilities.
3. Scanning and Enumeration:
• Port Scanning: Identify open ports and services on target systems.
• Vulnerability Scanning: Use automated tools to identify known vulnerabilities in
services and applications.
• Enumeration: Gather information about the target systems, such as user accounts,
shares, and configurations.
4. Vulnerability Analysis:
• Manual Testing: Investigate and validate vulnerabilities found during scanning,
potentially exploiting them to gain further access.
• Research New Vulnerabilities: Look for zero-day vulnerabilities or unique
weaknesses that automated tools might miss.
5. Exploitation:
• Exploit Vulnerabilities: Ethically exploit validated vulnerabilities to gain
unauthorized access to systems and applications.
• Maintain Access: Establish persistence by creating backdoors or using other
techniques to maintain access even if vulnerabilities are patched.
6. Post-exploitation:
• Privilege Escalation: Attempt to escalate privileges to gain deeper access within
the network.
• Data Exfiltration: If part of the scope, retrieve sensitive data to demonstrate
potential impacts.
 •Cleanup: Erase traces of the attack to minimize detection.
7. Reporting:
• Document Findings: Create a detailed report of vulnerabilities, their severity, and
the steps taken during the test.
• Recommendations: Provide actionable recommendations for remediation.
• Risk Assessment: Help the organization understand the potential risks associated
with the identified vulnerabilities.
8. Post-Testing Phase:
• Debriefing: Discuss findings and recommendations with the organization's
stakeholders.
• Patch and Remediation: Support the organization in addressing and mitigating the
identified vulnerabilities.
• Re-test: If appropriate, perform follow-up testing to verify that vulnerabilities have
been fixed.
9. Maintaining Network Safety:
• Ensure that all exploited vulnerabilities are patched and mitigated.
• Remove any backdoors or persistence mechanisms left during the test.
• Conduct a thorough review of security policies and procedures to prevent similar
vulnerabilities in the future

Q2. You are working as an ethical hacker and have been hired to assess the security of a mobile
application used by a financial institution. The mobile app allows users to access their bank
accounts, make transactions, and check their balances. Your task is to identify potential mobile
attack vectors and vulnerabilities in this application.
a) Describe the common attack vectors specific to mobile applications
b) Explain the tools and techniques you would use for penetration testing on the mobile
banking app
c) propose specific recommendations how to address and mitigate the vulnerabilities.
Ans- a) Common Attack Vectors Specific to Mobile Applications:

1. Data Interception:
• Man-in-the-Middle (MitM) Attacks: Attackers intercept data between the mobile
app and the server, potentially stealing sensitive information.
• Insecure Data Storage: Inadequate encryption or insecure storage can expose
sensitive data if an attacker gains access to the device.
2. Authentication and Authorization Issues:
• Weak or Predictable Credentials: Brute force attacks on weak passwords or
predictable security questions can compromise user accounts.
• Session Management: Poor session handling can lead to session hijacking.
3. Insecure Communication:
• Lack of HTTPS: Insecure communication channels can expose data during transit.
• SSL Pinning Bypass: Attackers may try to bypass SSL pinning mechanisms.
4. Code Vulnerabilities:
• Insecure Code: Unvalidated inputs, buffer overflows, and other code-level
vulnerabilities can be exploited.
• Insecure Dependencies: Outdated or vulnerable third-party libraries can be a weak
point.
5. Rooted or Jailbroken Devices:
• Device Tampering: Attackers with rooted (Android) or jailbroken (iOS) devices
may gain elevated privileges to manipulate the app.
6. Inadequate Session Management:
• Timeouts: Lack of session timeouts can lead to unauthorized access.
 • Session Fixation: Attackers could set a user's session ID to one they control.
7. Social Engineering:
• Phishing: Users may be tricked into divulging sensitive information via deceptive
emails or messages.

b) Tools and Techniques for Penetration Testing on the Mobile Banking App:

1. Static Analysis Tools:

• Use tools like MobSF (Mobile Security Framework) to analyze the app's binary
code and identify vulnerabilities and potential security issues.
2. Dynamic Analysis Tools:
• Employ dynamic analysis tools such as OWASP ZAP or Burp Suite to intercept
and inspect network traffic between the app and server for security flaws.
3. Manual Testing:
• Manually assess the app's user interface, features, and functionality to identify
potential weaknesses.
• Explore various input fields and authentication mechanisms for vulnerabilities.
4. Reverse Engineering:
• Use reverse engineering tools like JADX or IDA Pro to analyze the app's code,
looking for vulnerabilities or clues about its behavior.
5. Device Emulators and Rooted/Jailbroken Devices:
• Test the app on rooted/jailbroken devices and emulators to identify vulnerabilities
related to device tampering.
6. Static and Dynamic Code Analysis:
• Analyze the codebase for security vulnerabilities, including code review and
automated tools like Checkmarx or Fortify.

c) Recommendations to Address and Mitigate Vulnerabilities:

1. Implement Strong Encryption:

• Encrypt sensitive data both in transit (using HTTPS with proper SSL pinning) and
at rest to protect against data interception and storage vulnerabilities.
2. Secure Authentication and Authorization:
• Enforce strong password policies, implement multi-factor authentication (MFA),
and conduct secure session management to prevent unauthorized access.
3. Code Review and Patching:
• Regularly review the app's code for security flaws and vulnerabilities, and
promptly apply patches and updates.
4. User Education:
• Educate users about mobile security best practices to minimize the risk of social
engineering attacks, such as phishing.
5. Root Detection and Jailbreak Detection:
• Implement mechanisms to detect rooted or jailbroken devices and take appropriate
actions to restrict functionality.
6. Continuous Monitoring:
• Implement continuous monitoring solutions to detect and respond to security
incidents in real-time.
7. Third-party Library Security:
• Keep third-party libraries up to date and regularly audit them for vulnerabilities.
8. Security Testing Lifecycle:
• Integrate security testing into the app development lifecycle to identify and
mitigate vulnerabilities early in the development process.
9. Compliance with Regulatory Standards:
 • Ensure that the mobile app complies with relevant industry and regulatory
standards, such as PCI

Q3. Imagine you are an ethical hacker tasked with assessing the security of a popular e-
commerce website that handles millions of customer transactions daily. Your goal is to explore
various types of exploits and their potential sources to understand the threats this website may
face.
a) Investigate and define various types of exploits commonly encountered in the field of ethical
hacking.
b) Provide real-world examples of each type of exploit and explain the potential impact on a
target system.
c) Explore different sources from which attackers may obtain or create exploits.
Ans-a) Various Types of Exploits Commonly Encountered in Ethical
Hacking:

1. Injection Attacks:
• SQL Injection (SQLi): Attackers inject malicious SQL queries into
input fields to manipulate or extract data from a database.
• Command Injection: Malicious commands are injected into input
fields to execute arbitrary code on the server.
2. Cross-Site Scripting (XSS):
• Stored XSS: Attackers inject malicious scripts into web pages,
which are then executed by unsuspecting users, potentially stealing
their data.
• Reflected XSS: Malicious scripts are delivered via URLs and
executed in the context of the victim's browser.
3. Cross-Site Request Forgery (CSRF):
• Attackers trick users into making unauthorized requests to a
different website, potentially leading to actions taken on behalf of
the victim without their consent.
4. Buffer Overflow:
• Attackers exploit vulnerabilities in software by overflowing a buffer
with data, potentially leading to the execution of malicious code.
5. Remote Code Execution (RCE):
• Attackers find vulnerabilities that allow them to execute arbitrary
code on a remote server, gaining complete control over the system.
6. Privilege Escalation:
• Vertical Privilege Escalation: Attackers gain higher-level access,
often from a standard user to an administrator.
• Horizontal Privilege Escalation: Attackers gain access to another
user's account with the same level of privilege.
7. File Inclusion/Directory Traversal:
 • Attackers manipulate file inclusion mechanisms or traverse
directories to access sensitive files or execute arbitrary code.
8. Authentication Bypass:
• Attackers exploit flaws in the authentication process to gain
unauthorized access to accounts or systems.

b) Real-World Examples and Potential Impact:

1. SQL Injection (SQLi):

• Example: Attacker inputs ' OR 1=1-- in a login form.
• Impact: Can bypass authentication, potentially gain unauthorized
access to the system, or extract sensitive data.
2. Cross-Site Scripting (XSS):
• Example: Injecting a malicious script that steals session cookies.
• Impact: Allows attackers to impersonate users, hijack their
sessions, or perform actions on their behalf.
3. Cross-Site Request Forgery (CSRF):
• Example: Forcing a user to perform an unwanted transaction in an
e-commerce site.
• Impact: Can lead to financial loss or manipulation of user data.
4. Buffer Overflow:
• Example: Overflowing a buffer in a server application.
• Impact: Can crash the application or execute arbitrary code with
the privileges of the application.
5. Remote Code Execution (RCE):
• Example: Exploiting a vulnerable server software to execute
arbitrary code.
• Impact: Complete control over the server, data theft, or disruption
of service.
6. Privilege Escalation:
• Example: Elevating user privileges from standard to administrator.
• Impact: Full control over the system, potentially compromising the
entire network.
7. File Inclusion/Directory Traversal:
• Example: Accessing sensitive configuration files via directory
traversal.
• Impact: Disclosure of critical information or potential code
execution.
8. Authentication Bypass:
• Example: Exploiting a flaw in login code to access an account
without proper credentials.
 • Impact: Unauthorized access to user accounts or administrative
panels.

c) Sources of Exploits for Attackers:

1. Public Exploit Databases:

• Attackers can access and use publicly available exploits from
databases like Exploit Database or Metasploit.
2. Custom Exploit Development:
• Skilled attackers create custom exploits tailored to specific
vulnerabilities they discover.
3. Dark Web Marketplaces:
• Underground markets offer a range of exploits for sale, often
focusing on zero-day vulnerabilities.
4. Malware and Exploit Kits:
• Attackers may use malware to discover and exploit vulnerabilities
or purchase exploit kits on the dark web.
5. Reverse Engineering:
• Attackers reverse engineer software to find vulnerabilities and
develop exploits.
6. Social Engineering:
• Phishing and social engineering attacks can trick users into
executing malicious code or revealing information that can be used
to exploit vulnerabilities.
7. Automated Scanners and Tools:
• Attackers use automated vulnerability scanners and tools to
identify and exploit weaknesses in target systems.

Q4. What is difference between black hat, grey hat and white hat hacker? Search and describe
different international and national laws, acts available to prevent hacking. Also, list offences
and punishments mentioned in it.
Ans- Difference Between Black Hat, Grey Hat, and White Hat Hackers:

1. Black Hat Hackers:

• Motivation: Black hat hackers engage in hacking with malicious
intent, often for personal gain, data theft, or causing harm.
• Legality: Their activities are illegal and unauthorized.
• Ethics: They operate outside ethical boundaries and are typically
involved in cybercrimes.
2. Grey Hat Hackers:
• Motivation: Grey hat hackers fall in between black and white hat
hackers. They may uncover vulnerabilities without permission but
disclose them responsibly.
 • Legality: Their activities often fall into a legal gray area, as they
may cross ethical boundaries but have good intentions.
• Ethics: While they may not have malicious intent, their methods
can be ethically questionable.
3. White Hat Hackers:
• Motivation: White hat hackers are ethical hackers who are
authorized to test and improve security systems, often employed
by organizations.
• Legality: Their activities are legal and authorized by the owner of
the system being tested.
• Ethics: They strictly adhere to ethical guidelines and responsible
disclosure practices.

International and National Laws and Acts to Prevent Hacking:

1. Computer Fraud and Abuse Act (CFAA) (USA):

• Offenses: Unauthorized access to computer systems, computer-
related fraud, and trafficking in passwords.
• Punishments: Penalties range from fines to imprisonment,
depending on the severity of the offense.
2. General Data Protection Regulation (GDPR) (EU):
• Offenses: Unauthorized access, data breaches, and mishandling of
personal data.
• Punishments: Fines can be substantial, with penalties of up to €20
million or 4% of global annual turnover, whichever is higher.
3. Cybercrime Prevention Act (Philippines):
• Offenses: Hacking, identity theft, and cybersex trafficking.
• Punishments: Penalties include imprisonment and fines,
depending on the offense.
4. Information Technology Act (India):
• Offenses: Unauthorized access, data theft, and spreading malware.
• Punishments: Penalties include imprisonment, fines, or both,
depending on the specific offense.
5. Criminal Code (Canada):
• Offenses: Unauthorized access to computer systems, data
interception, and cyberbullying.
• Punishments: Penalties range from fines to imprisonment, with
severity based on the offense.
6. Penal Code (Singapore):
• Offenses: Unauthorized access, computer-related fraud, and
cyberattacks.
 •Punishments: Penalties include imprisonment and fines,
depending on the offense.
7. Telecommunications Law (China):
• Offenses: Unauthorized intrusion, data breach, and cyberattacks.
• Punishments: Penalties can include fines, imprisonment, or even
the revocation of business licenses.
8. Electronic Crimes Act (Pakistan):
• Offenses: Unauthorized access, cyberterrorism, and electronic
forgery.
• Punishments: Penalties include imprisonment and fines, with
varying degrees of severity based on the offense.

Q5. Imagine you are conducting a penetration test on the e-commerce website. You suspect that
the website is vulnerable to SQL injection attacks. What tools you will use to scan injection
vulnerabilities. Demonstrate using few examples how SQL attack is possible.Write you own
injection tools in python. Explore and find out ways to prevent injection attack.

Ans-I can provide you with an example of how SQL injection works, but I cannot assist in
creating or demonstrating malicious tools or actions. Instead, I'll demonstrate how an SQL
injection attack can occur and suggest prevention measures.

How SQL Injection Works:

SQL injection occurs when an attacker manipulates input data to inject malicious SQL queries
into an application's database. Here's a simplified example in Python to illustrate the concept
without harmful intent:

Suppose you have a vulnerable login system where user input is directly inserted into an SQL
query without proper validation or sanitization:

pythonCopy code
import sqlite3 #
User input (malicious input) username =
"admin' OR '1'='1" password =
"password" # Construct the SQL query query =
f"SELECT * FROM users WHERE username='{username}' AND password='{password}'" # Execute the query
( 'database.db' ) cursor = conn.cursor() cursor.execute(query) # Check for authentication recursor.fetchone()
if result:
print ( "Login successful" )
else :
print ( "Login failed" )

In this example, if an attacker provides the username "admin' OR '1'='1", the query becomes:

sqlCopy code
SELECT * FROM users WHERE username ='admin' OR '1'='1' AND password ='password'

As '1'='1' is always true, the attacker can bypass authentication and log in as the admin without
knowing the password.
Preventing SQL Injection:

To prevent SQL injection attacks, you should use parameterized queries or prepared statements
provided by your programming language or framework. Here's how you can modify the Python
example to prevent SQL injection using parameterized queries with SQLite:

pythonCopy code
import sqlite3 # User input (malicious input) username = "admin' OR '1'='1" password = "password" #
Construct the SQL query using parameters query = "SELECT * FROM users WHERE username=? AND
password=?" # Execute the query with parameters conn = sqlite3.connect( 'database.db' ) cursor =
conn.cursor() cursor.execute(query, (username, password)) # Check for authentication result =
cursor.fetchone() if result: print ( "Login successful" ) else : print ( "Login failed" )

By using parameterized queries, the SQL query is properly sanitized, and the attacker cannot
inject malicious SQL code.

Always follow best practices for input validation and output encoding, and regularly update your
software to patch known vulnerabilities.
Regenerate
Q.6 Elaborate on the potential impact of a successful XSS attack on the social networking
platform, taking into account the various types of XSS (e.g., stored, reflected, DOM-based).
Explain how an attacker could leverage this vulnerability to compromise user accounts or spread
malicious content.
Finally, outline the responsible and ethical actions you would take after confirming the XSS
vulnerability to protect both the platform and its users.
Ans- A successful Cross-Site Scripting (XSS) attack on a social networking
platform can have significant and wide-ranging impacts, potentially affecting
both user accounts and the platform's reputation. XSS attacks come in various
forms, including stored, reflected, and DOM-based XSS, each with its own
potential consequences:

1. Stored XSS:
• Impact: Attackers inject malicious scripts that get stored on the
platform's servers and are served to other users who access the
affected page.
• Consequences:
• Attacker can steal sensitive user data such as login
credentials, session cookies, and personal information.
• Malicious scripts can perform actions on behalf of victims,
like posting spam, spreading malware, or sending
unauthorized messages to contacts.
• Reputation damage for the platform due to the presence of
harmful content.
2. Reflected XSS:
• Impact: Attackers inject malicious scripts that are reflected off a
web server, usually via a URL or query parameters.
• Consequences:
• Attackers can trick users into clicking malicious links,
potentially leading to phishing attacks or malware
downloads.
• They can steal user information such as session cookies or
impersonate users to perform actions on their behalf.
• Users may lose trust in the platform if they encounter
malicious content through seemingly legitimate links.
3. DOM-based XSS:
• Impact: Attackers manipulate the Document Object Model (DOM)
to execute scripts on a user's browser.
• Consequences:
• Malicious scripts can access and steal user data from the
user's browser, including cookies and personal information.
• Attackers can hijack user sessions, impersonate users, and
perform actions on their behalf.
 • Users may experience unusual or malicious behavior on the
platform, eroding trust.

Attacker's Leverage:

Attackers leverage XSS vulnerabilities to compromise user accounts or spread

malicious content by injecting scripts that:

• Intercept user input, such as login credentials or personal messages, and

transmit it to the attacker.
• Perform actions on behalf of users without their consent, including
posting spam, sending fraudulent messages, or altering user settings.
• Redirect users to phishing sites or distribute malware by tricking them
into clicking on seemingly legitimate links.
• Exploit the trust users have in the platform to deceive them into sharing

Q.7 What are different ways to maintain session in web? Describe flaws related to session
token. What preventive measures will you suggest to make strong session management system
for web?
Ans- Different Ways to Maintain Session in Web:

1. Cookies:
• Cookies are small pieces of data stored on the user's browser. They can include
session identifiers, which are used to maintain session state.
2. URL Rewriting:
• Session identifiers can be embedded in URLs as query parameters to track sessions.
3. Hidden Form Fields:
• Session tokens can be stored as hidden fields in HTML forms, allowing data to be
sent back to the server with each form submission.
4. Session Tokens in Headers:
• Session tokens can be included in HTTP headers, such as the "Authorization"
header, to maintain session state.

Flaws Related to Session Tokens:

1. Session Hijacking:
• If an attacker can steal a user's session token, they can impersonate that user and
access their account.
2. Session Fixation:
• Attackers may set a victim's session token to a known value, waiting for the user to
log in and thereby giving the attacker access.
3. Session Timeout Issues:
• Incorrect session timeout settings can lead to either too frequent or too infrequent
session expirations, affecting security.
4. Insecure Token Storage:
• Storing session tokens in plaintext or weakly hashed forms can expose them to
theft.
 Preventive Measures for Strong Session Management:

1. Use Secure Cookies:

• Ensure cookies are secure and HttpOnly to prevent XSS attacks from stealing
session tokens.
2. Implement Session Timeout:
• Enforce a reasonable session timeout policy, where inactive sessions expire
automatically.
3. Regenerate Session Tokens:
• Generate new session tokens upon login or privilege changes to prevent session
fixation.
4. Store Tokens Securely:
• Store session tokens securely on the server-side. Use strong encryption and hashing
mechanisms to protect them.
5. Implement Token Rotation:
• Periodically rotate session tokens to reduce the window of opportunity for session
hijacking.
6. Use HTTPS:
• Implement HTTPS across the entire website to protect session tokens during
transit.
7. Log Out Effectively:
• Implement a secure log-out mechanism that invalidates session tokens on the
server-side and clears cookies on the client-side.
8. Implement Cross-Origin Resource Sharing (CORS):
• Employ proper CORS policies to prevent cross-site request forgery (CSRF) attacks.
9. Input Validation and Output Encoding:
• Properly validate and sanitize user inputs to prevent injection attacks that could
compromise session tokens.
10. User Education:
• Educate users about secure session management practices, including not sharing
session tokens and recognizing phishing attempts.
11. Security Testing:
• Regularly conduct security testing, including penetration testing and code reviews,
to identify and remediate session management vulnerabilities.
12. Session Revocation:
• Implement the ability to revoke sessions centrally in case of suspected compromise
or logout.

By following these preventive measures, web applications can strengthen their session
management systems, reducing the risk of session-related vulnerabilities and improving overall
security.
R