Ethical Hacking (MU-T.Y. B.Sc-Comp-Sem-6) (Introduction)...Page no (1-11)

Syllabus Topic : Footprinting

1.9 FOOTPRINTING

• Footprinting, often known as reconnaissance, is a method of acquiring information on computer systems and the organizations to which they belong.
• It is the process of gathering data over time in order to launch a targeted cyberattack.
• This information is the hacker's initial step toward breaking into a system.
• Footprinting is the process of obtaining information about a target, typically information about its network architecture, systems, and users, without actually executing an attack.
• Active footprinting and passive footprinting are the two forms of footprinting. Active footprinting entails executing footprinting directly on the target machine. Passive footprinting refers to gathering information about a system that is placed at a great distance from the attacker.

1.10 INFORMATION GATHERING METHODOLOGY

UQ. Explain the methods to perform Information Gathering.

Gathering information, often known as reconnaissance, is an important stage in ethical hacking. It entails gathering as much knowledge on the target system or network as feasible.

The following are some phases in the information gathering process :
(1) Gather Initial Information : This is the initial phase, in which a hacker attempts to learn more about the target. This might contain information such as the domain name, IP address, network architecture, and so on.
(2) Determine the Network Range : This entails determining the target network's IP range.
(3) Identify Active Machines : Once the network range has been determined, the following step is to identify active machines inside that range.
(4) Find Open Ports and Access Points : This entails locating open ports and access points on active computers.

(New Syllabus w.e.f academic year 23-24) (BC-14) Tech-Neo Publications
(5) Fingerprinting the Operating System : This entails establishing the operating system the target is using.
(6) Discover Services on Ports : This entails determining which services are running on any open ports.
(7) Map the Network : The final stage is to create a map of the target network infrastructure.

1.11 COMPETITIVE INTELLIGENCE

• Competitive intelligence, also known as corporate intelligence, is the capacity to gather, evaluate, and use information gathered about rivals, consumers, and other market elements that contribute to a company's competitive edge.
• It is significant because it assists firms in understanding their competitive environment, as well as the possibilities and problems that it brings. Businesses examine data in order to develop effective and efficient business operations.
• Competitive intelligence is characterized as myopic, tactical, or long-term focused strategic intelligence. Data and information gathering is more complicated than a simple Internet search.
• Competitive intelligence, by definition, collects actionable information from a variety of published and unpublished sources in an efficient and ethical manner.

1.12 DNS ENUMERATION

• DNS enumeration is the process of locating an organization's DNS servers and their accompanying entries. An organization may have both internal and external DNS servers, which can provide data such as usernames, computer names, and IP addresses of possible target systems.
• There are several tools for DNS enumeration :
(1) Dig : a command for searching prominent DNS servers. This command can be used to determine the IP address of a given domain name.
(2) Nmap : a tool for discovering hosts and services on a computer network. Nmap includes a script called dns-nsec-enum.
(3) ARIN : used for gathering IP addresses, Autonomous System Numbers (ASNs), and domain names.

1.13 WHOIS AND ARIN LOOKUP

• Whois is a query and response protocol used to query databases containing registered users or assignees of an Internet resource.
• It is frequently referred to as "port 43" in reference to the TCP port number granted to the Whois protocol by the Internet Assigned Numbers Authority (IANA).
• ARIN (American Registry for Internet Numbers) makes Internet resource registration data available to the public through a variety of services, including Whois.
• ARIN's Whois service provides access to information on IP number resources, companies, Points of Contact (POCs), customers, and other entities. ARIN's public Whois only publishes organizational information, including Point of Contact (POC) data, linked with an Internet number resource.
• ARIN also offers a Whois/RDAP (Registration Data Access Protocol) service, which allows users to get information from ARIN and other Regional Internet Registries (RIRs), Internet Routing Registries (IRRs), and registries that implement RDAP.
• RDAP, unlike conventional Whois services, allows users to search for and acquire information about resources handled not just by ARIN, but also by other RIRs, domain name registries, and registrars.
• On the ARIN homepage, enter your query into the search box; ARIN submits it to the appropriate search service depending on the type of search it believes you were attempting.

1.14 TYPES OF DNS RECORDS

DNS (Domain Name System) records provide detailed information about a domain or hostname, most notably its current IP address. Here are some examples of popular DNS records :
(1) A Record (Address Mapping record) : This record connects a domain to the physical IP address of a machine that hosts the services of that domain.
(2) AAAA Record (IP Version 6 Address Record) : Like an A record, but with IPv6 addresses.
(3) Canonical Name Record (CNAME) : This record makes one domain name an alias for another. The aliased domain inherits all of the original domain's subdomains and DNS information.
(4) MX Record (Mail Exchange Record) : This record directs mail to the appropriate mail server.
(5) NS Record (Name Server record) : This record instructs a DNS zone to utilize the authoritative name servers specified.
(6) PTR (Pointer Record) : This records the domain name associated with an IP address.
(7) SOA Record (Start of Authority) : This record contains information such as the name of the server that contributed the data for the zone, the zone administrator, the current version of the data file, and so on.

1.15 TRACEROUTE IN FOOTPRINTING

• Traceroute is a popular command-line application that is accessible on practically every operating system. It displays the whole path to a given address. It also displays the amount of time (or delay) between intermediary routers.
• Traceroute is a network tool for tracing a path between a user and a destination system. This makes it evident where a request is being routed and which devices are involved.
• Traceroute transmits a large number of packets to the destination. The initial set of packets is delivered in such a way that they are dropped by the first intermediate hop, and a control message received from the first intermediate node is used to get the first hop's time estimate.
• The second batch of packets is transmitted in such a way that the second intermediate hop drops them, and a control message received from the second intermediate node gives the time estimate for the second hop.
• Traceroute does this by utilizing the TTL (Time to Live) field. The TTL is set to one for the first packet(s), two for the next, and so on until the destination is reached.
• When a packet is dropped, the router replies to the source with an ICMP Time Exceeded message. That is how the source calculates the time for each hop.

1.16 E-MAIL TRACKING

• The technique of monitoring activities made on sent emails is known as email tracking.
• Email opens and clicks are the most often observed metrics. Most email monitoring solutions report on the dates and times of events collected, and some also report on location.
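Returning to the record types of section 1.14, here is an added example (not code from the textbook): a small parser for zone-file lines covering A, AAAA, CNAME, MX, NS, PTR and SOA records, which summarises the zone and follows CNAME aliases down to A records. The zone itself is constructed and uses documentation addresses.

```python
"""Parse DNS resource records of the seven types in section 1.14 and summarise a zone.
Added example, not from the textbook; the zone below is constructed sample data."""
from dataclasses import dataclass
from typing import List

# Constructed sample zone (documentation address ranges, not real hosts)
SAMPLE_ZONE = """\
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
example.com.        3600 IN NS    ns1.example.com.
example.com.        3600 IN NS    ns2.example.com.
example.com.        3600 IN A     192.0.2.10
example.com.        3600 IN AAAA  2001:db8::10
www.example.com.    3600 IN CNAME example.com.
example.com.        3600 IN MX    10 mail.example.com.
mail.example.com.   3600 IN A     192.0.2.25
10.2.0.192.in-addr.arpa. 3600 IN PTR mail.example.com.
"""


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: List[str]


def parse_zone(text: str) -> List[Record]:
    """Parse 'owner TTL IN TYPE rdata...' lines; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        name, ttl, klass, rtype, *rdata = line.split()
        if klass != "IN":
            raise ValueError(f"unsupported class {klass!r} in: {line}")
        records.append(Record(name, int(ttl), rtype.upper(), rdata))
    return records


def summarise(records: List[Record]) -> dict:
    """Group records by type, pulling out the fields the chapter describes:
    SOA primary server/admin/serial, NS servers, MX servers by priority,
    A/AAAA addresses per name, CNAME aliases and PTR reverse mappings."""
    summary = {"A": {}, "AAAA": {}, "CNAME": {}, "MX": [], "NS": [], "PTR": {}}
    for r in records:
        if r.rtype == "SOA":
            summary["SOA"] = {"primary": r.rdata[0], "admin": r.rdata[1], "serial": int(r.rdata[2])}
        elif r.rtype in ("A", "AAAA"):
            summary[r.rtype].setdefault(r.name, []).append(r.rdata[0])
        elif r.rtype == "CNAME":
            summary["CNAME"][r.name] = r.rdata[0]
        elif r.rtype == "MX":
            summary["MX"].append((int(r.rdata[0]), r.rdata[1]))
        elif r.rtype == "NS":
            summary["NS"].append(r.rdata[0])
        elif r.rtype == "PTR":
            summary["PTR"][r.name] = r.rdata[0]
    summary["MX"].sort()          # lowest preference value = preferred mail server
    return summary


def resolve(name: str, records: List[Record]) -> List[str]:
    """Follow CNAME aliases to the canonical name and return its A addresses.
    The 'seen' set stops a CNAME loop, which otherwise would never terminate."""
    seen = set()
    while name not in seen:
        seen.add(name)
        cnames = [r for r in records if r.rtype == "CNAME" and r.name == name]
        if not cnames:
            break
        name = cnames[0].rdata[0]
    return [r.rdata[0] for r in records if r.rtype == "A" and r.name == name]


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(summarise(recs))
    print("www.example.com. ->", resolve("www.example.com.", recs))
```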
• Email tracking is a technique for determining whether or not an email message is viewed by the intended recipient.
• Most tracking solutions employ some type of digitally time-stamped record to identify the precise time and date when an email is received or accessed, as well as the recipient's IP address.
• There are various email tracking solutions available. Mailtrack, for example, is a free, unlimited email tracking tool for Gmail and Outlook that includes real-time notifications and link tracking.
• Mail Tracker, another application, provides a comprehensive email monitoring plugin for Chrome as well as a free version of their email tracker.

Syllabus Topic : Social Engineering

1.17 INTRODUCTION TO SOCIAL ENGINEERING

1.17.1 Common Types of Attacks

Social engineering attacks are a form of cyber security assault that rely on psychological manipulation of human behavior to get sensitive data, exchange credentials, gain access to a personal device, or undermine their digital security in other ways.

Here are some examples of frequent social engineering attacks :
1. Phishing
2. Whaling
3. Baiting
4. Diversion Theft
5. Business Email Compromise (BEC)
6. Smishing
7. Honeytrap

Syllabus Topic : Scanning and Enumeration

1.18 INTRODUCTION TO SCANNING AND ENUMERATION

In ethical hacking and cyber security, scanning and enumeration are two crucial procedures.
• Scanning is a procedure that can assist in detecting vulnerabilities to some extent. It entails employing a variety of tools and strategies to gather data on how the target system or network responds to various intrusion attempts. The purpose is to identify potential entry points and susceptibilities and analyze the system's responses.
• Enumeration, on the other hand, is a procedure that allows us to extract facts about users, groups, and even settings like the routing table.
• Enumeration is the extraction of legitimate users, machine names, network resources, and other services from a system. It is an important part of ethical hacking and penetration testing since it provides hackers with a lot of information that may be used to exploit vulnerabilities.
• It may also be characterized as gathering thorough knowledge on the target systems, such as operational and network infrastructure specifications.

1.19 PORT SCANNING

• Port scanning is a technique for identifying open ports and services on network hosts.
• Security engineers frequently use it to scan machines for weaknesses, while hackers use it to target victims.
• Sending ICMP echo-request packets with appropriate flags set in the packet headers that identify the sort of message being delivered can be used to do port scanning.
• Vanilla, in which the scanner attempts to connect to all 65,535 ports, is one type of port scan employed by hackers. Others are Sweep, in which the scanner pings an identical port on many computers to determine whether one is active; FTP Bounce, in which the scanner passes via an FTP server in order to hide the source; and Stealth, in which the scanner avoids leaving records on the scanned computer.
• Netcat, Zenmap, Advanced Port Scanner, Angry IP Scan, Nmap, and MASSCAN are some of the programs used in port scanning.

1.20 NETWORK SCANNING

• Network scanning is used to discover the systems that are linked to a company's network. It describes the available systems, services, and resources on a target system. The principal purpose of identifying these is to locate targets.

1.21 VULNERABILITY SCANNING

• Hackers routinely employ network vulnerability scanning techniques to discover flaws that can be used to plan assaults. The main purpose of vulnerability scanning is to find possible points of access into a network or system.
• Sending packets with specified flags set in the packet headers that identify the sort of communication being delivered can be used to do vulnerability scanning.
• Complete scans of wireless networks to detect vulnerabilities, and database scans to scan all databases for possible flaws, are types of vulnerability scans performed by hackers.
• Firewall, password, logical bombing, and web hijacking are examples of vulnerability models in ethical hacking.

1.22 CEH SCANNING METHODOLOGY

A hacker searches the network using the Certified Ethical Hacker (CEH) Scanning Methodology. It guarantees that no system or vulnerability is neglected, and that the hacker has gathered all of the information required to carry out an attack.

The following are the steps in the CEH Scanning Methodology :
(1) Check for Live Systems : A ping scan checks for the presence of active systems by issuing ICMP echo request packets. If a system is alive, it answers with an ICMP echo reply packet comprising information such as TTL, packet size, and so on.
(2) Check for Open Ports : Port scanning allows us to discover open ports, the services operating on them, and their versions. A port scanner is mostly used, among other tools, for this purpose.
(3) Banner Grabbing : Banner grabbing is the process of gathering information such as operating system data, the name of the service being used and its version number, and so on.
(4) Vulnerability Scanning : Automated technologies are mostly used for this purpose. These automated scanners scan the target to identify vulnerabilities or weaknesses in the target organization that attackers can exploit.
(5) Draw Network Diagrams : Using the information acquired, the attacker may create a network diagram that will provide him with knowledge about the target organization's network and architecture, allowing him to quickly identify the target.
(6) Prepare Proxies : Proxies can be used to maintain the attacker's anonymity by concealing the IP address.

1.23 PING SWEEP TECHNIQUES

• Ping Sweep is a network scanning method used to detect which IP addresses belong to live hosts. It is also known as ICMP sweep or ping scan.
• It entails simultaneously issuing ICMP (Internet Control Message Protocol) ECHO requests to various hosts.
• If a system is alive, it answers with an ICMP echo reply packet comprising information such as TTL, packet size, and so on.
• Manual Method : A ping sweep can be done manually in a command-line interface. In Windows, for example, type cmd in the search box, and then type the ping command.
• Automated Tools : Several automated solutions are available that can execute a ping sweep on a large number of IP addresses at once. Fping, Nmap, Zenmap, ICMPEnum, and SuperScan are a few of these tools.

1.24 NMAP COMMAND SWITCHES

Nmap is a robust network scanning program that allows you to customize scans using command-line arguments. Here are some useful Nmap command switches.
• -h : Generate a help summary page.
• -sS : Perform a TCP SYN port scan.
• -sU : Run a UDP port scan.
• -sV : Probe open ports for service/version information.
• -O : Allow OS detection.
(1) -v : Allows for verbosity. You may even choose the amount of verbosity: -vv : Verbosity level 2, the recommended minimal degree of verbosity. -v3 : Verbosity level 3. You may always determine the amount of verbosity by entering a number like this.
(2) -oA : The same Nmap output in "normal", XML, and grepable forms. You can, however, define the format of your choosing with: -oN : Redirect normal output to a specified filename. -oX : Generate output in a clean XML format and save it to a specified file. -oG : Generate "grepable" output and save it to a file. This is a deprecated format, as consumers are increasingly relying on XML outputs.
(3) -A : Allows for "aggressive" scanning. This currently enables OS detection (-O), version scanning (-sV), script scanning (-sC), and traceroute (--traceroute).
(4) -p : Indicates which ports to scan. It might be a single port or a group of ports.
(5) -F : Fast port scan (100 ports).
(6) --top-ports : Port scan the top x ports.

1.25 SYN

GQ. Explain how SYN is used to transfer the connection in Ethical Hacking.

• SYN is a TCP/IP network packet used to establish a connection between two hosts in the context of ethical hacking. This is part of the TCP three-way handshake procedure, which creates a data transfer connection.
• A device sends a SYN (synchronization) packet to another device to start the process. After that, the receiving device sends a SYN/ACK (synchronization acknowledged) packet back. Finally, the initiating device sends an ACK (acknowledged) packet, completing the connection.
• In the context of ethical hacking scanning techniques, a hacker sends a SYN packet to the victim, and if a SYN/ACK frame is received back, the target completes the connection and the port is ready to listen.
• If the target returns a RST (reset), it is presumed that the port is closed or not active.
• A "stealth scan" or "half-open scan" is a frequent stealth method. This form of scan is used to find open ports on a target machine without going through the entire TCP handshake process. By failing to complete the handshake, the scan might frequently avoid being reported by the target system, making detection more difficult.
• To evade detection by intrusion detection systems, another stealth strategy includes carefully timing the sending of scan packets.

1.27 XMAS

GQ. Explain how the XMAS Scanning technique is used in Ethical Hacking.

• An XMAS scan is a sort of port scanning technique used in ethical hacking. It transmits a packet with the flags URG (urgent), FIN (finish), and PSH (push).
• There will be no response if the port is open; however, if the port is closed, the target will answer with a RST/ACK message.
• XMAS scans are another covert scanning technique that seldom appears in monitoring logs, since they make use of FIN packets: packets sent by a server or client to terminate a TCP connection.
• XMAS scans send packets to a server that include all required TCP flags such as SYN and ACK.

1.26 STEALTH

• "Stealth" refers to tactics that allow a hacker to stay unnoticed while scanning or attacking a system in the context of ethical hacking. The objective is to avoid raising any alerts or informing system administrators about the hacker's activity.
• The SYN scan described above is also known as a "half-open" scan or SYN stealth scan.

1.28 NULL

• The term "null" frequently refers to a form of scan known as a "null scan" in the context of scanning and enumeration in ethical hacking.
• To do a null scan, send a TCP header with no flag bit set. If no answer is received, the port is open. The reception of a RST message indicates that the port has been closed.
• Furthermore, in the SMB enumeration process, in which we enumerate the host or target system for various information such as hostnames, shares, vulnerabilities, and so on, "null" might refer to checking for null sessions.

1.29 IDLE

GQ. Explain the role of IDLE Scan in Ethical Hacking.

• In the domain of ethical hacking, the term "IDLE" frequently refers to a scanning technique known as an "IDLE Scan."
• An IDLE scan sends the SYN packet to the target using a spoofed or fake IP address. This is accomplished by calculating the port scan response and IP header sequence number.
• The port is considered to be open or closed based on the scan's result.
• In some penetration testing settings where subtlety is essential, this sort of scan might be beneficial.

1.30 FIN SCANS

A FIN scan is a technique commonly employed in ethical hacking.
(1) During a FIN scan, packets containing the FIN flag are forwarded to the server.
(2) The FIN flag is frequently used to terminate a previously formed session.
(3) The system's response might assist the attacker in understanding the volume of activity and provide information on the organization's firewall use.
(4) The server ignores the FIN flag if the port is open; however, if the port is closed, the server responds with the RST flag set.
(5) This scan is particularly successful since it attempts to circumvent the methods used to detect SYN scans.
(6) It is important to note that this strategy will not function in environments where particular packet filters have been implemented.
(7) Once an open port has been located, hackers can target it for attacks.

1.31 ANONYMIZERS

• Anonymizers are technologies used in ethical hacking and cybersecurity to protect the user's anonymity.
• They function by concealing the user's original IP address, making it impossible to track the user's activity back to them.
• Proxy servers, VPNs, and TOR networks are all examples of anonymizers.
• These programs route your internet traffic via many servers around the world, concealing your original IP address and making it look as if the traffic is originating from somewhere else.
• These technologies are critical in ethical hacking because they allow ethical hackers to conduct their actions without disclosing their identities, shielding them from retaliatory assaults. They must, however, be utilized carefully and ethically.

1.32 HTTP TUNNELING TECHNIQUES

• HTTP tunneling is an ethical hacking technique in which network protocols are wrapped using the HTTP protocol.
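Before moving on, here is an added example (not code from the textbook) that turns the flag rules of sections 1.25 to 1.30 into detection logic: it classifies probe packets by their TCP flags, records the reply the text says a target gives for open and closed ports, and flags a source that probes many ports of one host with SYN, XMAS, NULL or FIN packets. The packet log and the port-count threshold are constructed assumptions.

```python
"""Classify TCP probes by flag set into the scan types of sections 1.25-1.30 and
spot a scanning source in a constructed packet log. Added example, not from the textbook."""
from collections import defaultdict

# TCP flag bits in header order (low bit first)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> str:
    """Map a TCP flag byte to the probe type the chapter describes."""
    if flags == 0:
        return "NULL"            # no flag bit set (1.28)
    if flags == FIN | PSH | URG:
        return "XMAS"            # URG + FIN + PSH lit up together (1.27)
    if flags == FIN:
        return "FIN"             # lone FIN outside any session (1.30)
    if flags == SYN:
        return "SYN"             # handshake opener; alone it is a half-open probe (1.25/1.26)
    if flags & SYN and flags & ACK:
        return "SYN-ACK"         # normal second step of the handshake
    return "OTHER"


def expected_reply(probe: str, port_open: bool) -> str:
    """The answer the chapter says a target gives; used to interpret a capture."""
    if probe == "SYN":
        return "SYN/ACK" if port_open else "RST"
    if probe in ("XMAS", "NULL", "FIN"):
        if port_open:
            return "no response"
        return "RST/ACK" if probe == "XMAS" else "RST"
    return "unknown"


def detect_scanners(packets, min_ports=5):
    """Group probe packets by (source, destination); a source touching at least
    min_ports distinct ports of one host with probe-type packets is reported.
    packets: iterable of dicts with keys src, dst, dport, flags."""
    probes = defaultdict(lambda: defaultdict(set))      # src -> dst -> {(port, type)}
    for p in packets:
        kind = classify_probe(p["flags"])
        if kind in ("SYN", "XMAS", "NULL", "FIN"):
            probes[p["src"]][p["dst"]].add((p["dport"], kind))
    alerts = []
    for src, per_dst in probes.items():
        for dst, touched in per_dst.items():
            ports = {port for port, _ in touched}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": len(ports),
                               "types": sorted({k for _, k in touched})})
    return sorted(alerts, key=lambda a: (a["src"], a["dst"]))


# Constructed log: one XMAS scanner (6 ports), one NULL scanner (5 ports), one normal client
SAMPLE_PACKETS = (
    [{"src": "198.51.100.7", "dst": "192.0.2.10", "dport": p, "flags": FIN | PSH | URG}
     for p in (21, 22, 23, 25, 80, 443)]
    + [{"src": "198.51.100.8", "dst": "192.0.2.10", "dport": p, "flags": 0}
       for p in (135, 139, 445, 3389, 5985)]
    + [{"src": "203.0.113.5", "dst": "192.0.2.10", "dport": 443, "flags": SYN},
       {"src": "192.0.2.10", "dst": "203.0.113.5", "dport": 51515, "flags": SYN | ACK},
       {"src": "203.0.113.5", "dst": "192.0.2.10", "dport": 443, "flags": ACK}]
)

if __name__ == "__main__":
    for alert in detect_scanners(SAMPLE_PACKETS):
        print(alert)
```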
• The network protocols in question are often members of the TCP/IP protocol family.
• As a result, the HTTP protocol serves as a wrapper for a channel via which the network protocol being tunneled communicates.
• Because HTTP traffic is usually always allowed, this strategy can be especially beneficial in cases where some forms of communication are restricted by network firewalls. An ethical hacker can circumvent these constraints and acquire access to resources that would otherwise be unavailable by tunneling other protocols within HTTP.
• While HTTP tunneling may be used for legal objectives such as testing and strengthening network security, bad hackers can also use it to gain unauthorized access to networks.

1.33 IP SPOOFING TECHNIQUES

• IP spoofing is a method that hackers employ to obtain unauthorized access to systems. The topic of IP spoofing was first addressed in academic circles around 1980.
• The following are some IP Spoofing techniques :
(1) Address Spoofing : Based on the implementation of the IP header, hackers can change the direction that an IP packet takes. Anyone with access to the IP header can serve as a routing device and decide where the packet should go. This is true for both the traffic's origin and destination. Hackers can then mimic another host's IP address on the network and send packets that appear to come from this host.
(2) Sequence Number Prediction : This attack tries to predict the sequence number that is used to identify packets. If hackers are successful, they will be able to receive packets destined for the target host on the network. The target host has no means of knowing that these packets are coming from a hostile host.
(3) Manipulation of the Header : The attacker can spoof IP addresses by altering the source information in the IP header of the packets being transmitted.
This makes determining the genuine source of the traffic difficult for the victim and allows the attacker to avoid detection and carry out the assault.

1.34 SNMP ENUMERATION

• SNMP (Simple Network Management Protocol) is an application layer protocol that maintains and manages routers, hubs, switches, and other network devices on an IP network by utilizing the UDP protocol.
• SNMP is a widely used protocol that is enabled on a wide range of operating systems, including Windows Server, Linux, and UNIX servers, as well as network devices such as routers and switches.
• On a target system, SNMP enumeration is used to list user accounts, passwords, groups, system names, and devices. It is made up of three primary parts :
(1) Managed Device : A managed device is a device or a host (officially referred to as a node) that has the SNMP service activated. These devices might include routers, hubs, bridges, PCs, and so on.
(2) Agents : An agent is a piece of software that operates on a controlled device. Its principal function is to transform information into an SNMP-compliant format for network administration using the SNMP protocol.
(3) Network Management Systems (NMS) : These are software systems that are used to monitor network devices.
• Every SNMP device will have an agent that provides read and write access to a database. The database is known as the Management Information Base (MIB), a virtual database. Access to it is divided into two types :
(1) Read Only : This mode allows you to query the device and view the information, but it does not allow you to make any changes to the setup. The "public" community string is the mode's default.
(2) Read Write : Changes to the device are authorized in this mode; so, if we connect with this community string, we may even edit the distant device's settings. The community string for this mode is "private" by default.

1.35 STEPS INVOLVED IN ENUMERATION

Enumeration is an important process since it aids in identifying security flaws in a network. The following are the steps involved in enumeration :
(1) Port Scanning is the process of sending client queries to a set of server port numbers on a host in order to locate an active port.
(2) Service Identification entails determining which services are operating on open ports.
(3) User Enumeration is the process of determining legitimate usernames or user groups that may be used to get access to certain systems.
(4) Enumeration of Machine Names : Identifying the names of computers in a network.
(5) Enumeration of Shared Names : This is the process of identifying shared resources on a network, such as files or printers.

Chapter Ends...

CHAPTER 2 : System Hijacking

University Prescribed Syllabus

System Hacking : Password-Cracking Techniques, Types of Passwords, Keyloggers and Other Spyware Technologies, Escalating Privileges, Rootkits
Sniffers : Protocols Susceptible to Sniffing, Active and Passive Sniffing, ARP Poisoning, MAC Flooding, DNS Spoofing Techniques, Sniffing Countermeasures
Denial of Service : Types of DoS Attacks, Working of DoS Attacks, BOTs/BOTNETs, "Smurf" Attack, "SYN" Flooding, DoS/DDoS Countermeasures
Session Hijacking : Spoofing vs. Hijacking, Types, Sequence Prediction, Steps, Prevention
Hacking Web Servers : Web Server Vulnerabilities, Attacks against Web Servers, Patch Management Techniques, Web Server Hardening.

Syllabus Topic : System Hacking

2.1 INTRODUCTION TO SYSTEM HACKING

GQ. Define Password-Cracking and their techniques.
GQ. Define the term : (a) Brute Force (b) Phishing

• Password cracking is the process of recovering or guessing passwords. It can be properly used to assist a user in recovering a lost password or by system administrators in checking for weak passwords. However, attackers may also utilize it maliciously to obtain unauthorized access to systems and resources.
• Here are some password cracking methods :
(1) Brute-force attack : This approach entails testing every possible combination of characters until the right password is discovered. It is time-consuming yet effective against weak or popular passwords.
(2) Password guessing is an online approach in which an attacker employs numerous combinations of characters in a trial-and-error procedure.
(3) Another approach is one in which an attacker attempts to decode plaintext passwords from encrypted forms.
(4) Phishing is the practice of fooling a person into giving their password, usually through fraudulent emails or websites.
(5) Using Trojans, spyware, and key loggers : These are malicious programs that secretly record keystrokes or other data without the user's awareness.
(6) LLMNR/NBT-NS Poisoning is a method in which an attacker poisons the network environment in order to get credentials.

2.2 TYPES OF PASSWORDS

• Passwords are a security precaution to authenticate user identification and prevent unauthorized access to personal data or systems. They are typically classified as either weak or strong.
• Weak passwords are easy to guess, frequently contain dates, and are commonly universal passwords.
• Common words, phrases, and dates are examples of bad passwords. Some of the worst passwords might include a common object or animal, or your ...
• Strong passwords, on the other hand, are more difficult to guess. They are classified into three major categories :
(1) Passwords made up of a combination of letters (both uppercase and lowercase) and numbers.
(2) Passwords created at random, which do not follow any pattern.
(3) Pattern-based passwords : These passwords follow a certain pattern, making them easier to remember but yet difficult to guess.

2.3 KEYLOGGERS AND OTHER SPYWARE TECHNOLOGIES

• Both keyloggers and spyware are forms of harmful software that can compromise your privacy and security.
• Keyloggers are a sort of malware that records every keystroke you make on your keyboard, usually invisibly, so you are unaware your actions are being recorded. This includes any information you write at any time, including instant messaging, emails, and other information.
• The keylogger's log file can then be forwarded to a specific recipient. Some keylogger apps will also capture your email addresses and internet URLs.
• Spyware, on the other hand, is intended to track user behavior and collect personal information. Spyware may gather a variety of data kinds, including browser history and personal information, whereas keyloggers only store typed data.
• Spyware is installed without the user's knowledge, whereas keyloggers are frequently installed by the device owner, but not always for good reasons.

2.4 ESCALATING PRIVILEGES

GQ. Define Privilege Escalating and its kinds.

• A privilege escalation network attack is one that is used to acquire unauthorized access to computers within a security perimeter.
• It entails gaining unauthorized access to resources that are normally limited to the application or user by exploiting a programming error, vulnerability, design fault, configuration oversight, or access control in an operating system or application.
• There are two kinds of privilege escalation attacks :
(1) Horizontal Privilege Escalation occurs when an attacker acquires access to a normal user account with lower-level rights. The intruder may steal an employee's login and password, giving him or her access to email, files, and any online applications or sub-networks to which they are assigned.
(2) Vertical Privilege Escalation : An attacker gains higher-level access by exploiting a design defect or oversight in the operating system or application.

Syllabus Topic : Sniffers

2.5 INTRODUCTION TO SNIFFERS

2.5.1 Protocols Susceptible to Sniffing

Several protocols, particularly those that transport data in an unencrypted manner, are vulnerable to sniffing attacks. Here are a few examples :
• HTTP (Hyper-Text Transfer Protocol)
• POP (Post Office Protocol)
• SMTP (Simple Mail Transfer Protocol)
• IMAP (Internet Message Access Protocol)
• TELNET
• FTP (File Transfer Protocol)

2.6 ACTIVE AND PASSIVE SNIFFING

Sniffing is a network assault in which an attacker grabs packets sent via a wired or wireless connection. It is divided into two types : (1) Active and (2) Passive sniffing.
(1) Active Sniffing : The attacker interacts with the target computer directly by sending packets and getting answers. This sniffing is accomplished through a switch. The attacker attempts to poison the switch by transmitting a false MAC address in this case. Active sniffing techniques include ARP spoofing, MAC flooding, HTTPS and SSH spoofing, DNS spoofing, and so on.
(2) Passive Sniffing : The attacker does not engage with the target in this kind. He or she simply connects to the network and collects packets sent and received by the network, as well as packets exchanged between two devices. This sniffing is done through a hub. An attacker uses his or her PC to connect to the hub. Hub-based networks and wireless networks are examples of passive sniffing.

2.7 ARP POISONING

(1) ARP Poisoning, also known as ARP spoofing or ARP cache poisoning, is a sort of cyber attack that uses Address Resolution Protocol (ARP) flaws to interrupt, reroute, or eavesdrop on network traffic.
(2) The Address Resolution Protocol (ARP) was developed to support the layered approach that has been utilized from the early days of computer networking.
(3) Its function is to convert between data link layer addresses, known as MAC addresses, and network layer addresses, which are commonly IP addresses.
(4) An ARP poisoning attack involves an attacker sending fake ARP messages to devices on a local network in order to deceive them into associating the attacker's MAC address with a valid IP address.
(5) This is conceivable because security was not a top priority when ARP was launched in 1982; therefore the protocol's authors never incorporated authentication procedures to validate ARP packets.
(6) The precise steps of an ARP Poisoning attack might vary; however, they usually include at least the following.
(7) The Assailant Selects a Victim Machine or Machines : The first stage in planning and carrying out an ARP Poisoning attack is to choose a target. This might be an individual network endpoint, a set of network endpoints, or a network object such as a router.
(8) Attacker delivers fraudulent ARP messages : A hacker sends bogus ARP packets that link the attacker's MAC address to the IP address of another computer on the LAN.
(3) Attacker Modifies the Company's ARP Table : Following successful ARP spoofing, a hacker modifies the company's ARP table to include fabricated MAC mappings.

2.8 MAC FLOODING
• MAC flooding is a form of network attack that attacks network switch security. The attack operates by delivering several Ethernet packets to the switch, each with a distinct source MAC address. The purpose is to use up the switch's MAC address table.
• The goal of this attack is to drive valid MAC addresses out of the MAC address table, resulting in large amounts of inbound frames flooding out on all ports. The MAC flooding assault derives its name from this flooding characteristic.
• After successfully executing a MAC flooding attack, a malicious user can utilize a packet analyzer to collect sensitive data being exchanged between other computers that would not be accessible if the switch was working normally.
• After switches recover from the original MAC flooding assault, the attacker may follow up with an ARP spoofing attack to maintain access to privileged data.

2.9 DNS SPOOFING TECHNIQUES
DNS spoofing, also known as DNS cache poisoning, is a sort of attack in which an attacker modifies DNS records in order to redirect consumers to a false website. Here are some typical DNS spoofing techniques :
(1) Compromising a DNS Server : In this approach, the attacker acquires access to the DNS server and modifies its records, redirecting traffic to a phony website.
(2) DNS Cache Poisoning : This is accomplished by inserting tainted DNS data into the DNS resolver cache. Users are led to a bogus website when they seek the IP address of a certain website.
(3) Man-in-the-Middle (MITM) Attack : This approach includes intercepting user connections with a DNS server and redirecting them to a different or malicious IP address.
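The two LAN attacks above (2.7 and 2.8) leave traces a defender can check for: an IP that is suddenly answered for by a second MAC, and a switch port that sources frames from hundreds of MACs. The following is an added example, not code from the textbook; every address, port name, threshold and the sample data are constructed.

```python
"""Added example (not from the textbook): two defender-side checks for the
attacks in 2.7 and 2.8, run over constructed sample data.

- ARP poisoning: an ARP reply that maps an IP from the static ARP table to a
  different MAC, or an IP claimed by more than one MAC, is flagged.
- MAC flooding: a switch port that sources frames from far more distinct
  MACs than an access port should is flagged.
Every address, port name and threshold below is a constructed value."""
from collections import defaultdict

# Expected (static) ARP table for the LAN: IP -> MAC. Constructed values.
STATIC_ARP = {
    "192.168.1.1": "aa:bb:cc:00:00:01",   # gateway
    "192.168.1.10": "aa:bb:cc:00:00:10",  # file server
}

# Constructed ARP replies, (sender_ip, sender_mac), in arrival order.
ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by another MAC
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.20", "de:ad:be:ef:00:99"),  # same rogue MAC claims a second IP
]

# Constructed frames seen by the switch, (ingress_port, source_mac).
FRAMES = (
    [("Gi0/1", "aa:bb:cc:00:00:10")] * 3
    + [("Gi0/2", "aa:bb:cc:00:00:20")]
    # one port emitting 500 frames, each with a different source MAC
    + [("Gi0/3", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(500)]
)


def detect_arp_poisoning(replies, static_table):
    """Return alert strings for replies that contradict the static table or
    that map one IP to several MACs (the signature of cache poisoning)."""
    alerts = []
    claimed = defaultdict(set)  # ip -> MACs that have claimed it so far
    for ip, mac in replies:
        mac = mac.lower()
        expected = static_table.get(ip)
        if expected and mac != expected.lower():
            alerts.append(f"static mismatch: {ip} claimed by {mac}, expected {expected}")
        if claimed[ip] and mac not in claimed[ip]:
            alerts.append(f"conflict: {ip} now claimed by {mac} and {sorted(claimed[ip])}")
        claimed[ip].add(mac)
    return alerts


def detect_mac_flooding(frames, max_macs_per_port=8):
    """Return {port: distinct_mac_count} for ports above the threshold.
    A full CAM table makes the switch flood frames out of every port,
    which is what lets a sniffer on the attacker's port see other traffic."""
    per_port = defaultdict(set)
    for port, mac in frames:
        per_port[port].add(mac.lower())
    return {p: len(m) for p, m in per_port.items() if len(m) > max_macs_per_port}


def rogue_macs(replies):
    """MACs that claimed more than one IP: one MAC answering for both the
    gateway and a host is a classic man-in-the-middle sign."""
    ips = defaultdict(set)
    for ip, mac in replies:
        ips[mac.lower()].add(ip)
    return sorted(m for m, s in ips.items() if len(s) > 1)


if __name__ == "__main__":
    for a in detect_arp_poisoning(ARP_REPLIES, STATIC_ARP):
        print("ARP:", a)
    print("MAC flooding:", detect_mac_flooding(FRAMES))
    print("rogue MACs:", rogue_macs(ARP_REPLIES))
```

The static-table check is the code form of the "static ARP tables" countermeasure listed later in the sniffing countermeasures; on a real network the replies would come from a capture tool rather than the constructed list.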
2. Virtual Private Network (VPN) : Use a VPN to safeguard traffic against packet sniffers.
3. Software : Ensure that all systems have proper antivirus and firewall software.
4. Network Monitoring Tools : Make use of network monitoring tools to monitor traffic and detect any strange activity.
5. Intrusion Detection Systems (IDS) : Install and use IDS to identify and block illegal access.
6. Limit Physical Access : To prevent unauthorized users from installing packet sniffers, limit physical access to network equipment.
7. Use Static ARP Tables/IP Addresses : This can help avoid ARP poisoning, which is a popular technique used in sniffing.
8. Use IPv6 : IPv6 is more secure and difficult to forge than IPv4.
9. Disable Network Identification Broadcasts : This can make it more difficult for attackers to locate targets on the network.
10. For safe connections, use secure protocols such as SSL/TLS.

Syllabus Topic : Denial of Services

2.11 INTRODUCTION TO DENIAL OF SERVICES
Here are a few examples of denial of service :
(1) Browser Redirection : This occurs when you attempt to access a webpage but instead access another page with a different URL.
(2) Closing Connections : There can be no communication between the sender (server) and the receiver (client) when the connection is closed.
(3) Data Destruction : When a hacker destroys a resource, it becomes inaccessible.
(4) ... of Resources : This occurs when a hacker ... access to a resource, eventually overloading ...
A denial-of-service attack attempts to make a computer or other device unavailable to its intended users by interfering with the device's ..., bombarding a targeted system with requests until regular traffic is unable to be handled, resulting in denial of service to further users.
• Buffer Overflow Exploitation : A sort of attack in which a memory buffer overflow causes a system to use all available hard drive space, RAM, or CPU time.
This type of exploit frequently causes slow behavior, system failures, or other harmful server actions, culminating in denial-of-service.
• Flood Attacks : A malicious actor can oversaturate server capacity with an excessive volume of packets, resulting in denial-of-service. Most DoS ... bandwidth than the target.

2.13 BOTS/BOTNETS
• Bots (robots) are software applications that, when given instructions, conduct automated activities to imitate or replace humans. Bots account for more than half of all online traffic, and the vast majority of them are malicious. Bots may do automated online jobs since many of them are repetitive and programmed.
• Botnets, on the other hand, are groups of infected computers. They are networks made up of remote-controlled computers, or "bots," infected with malware that allows them to be controlled remotely. Some botnets have hundreds of thousands, if not millions, of computers.
• Bots and botnets are intended to spread, coordinate, and accelerate a hacker's ability to carry out more severe assaults. Some rogue programs may be disseminating spam; other malicious programs might be sending spam or participating in a distributed denial of service (DDoS) assault that takes down entire websites.
• Botnets are classified according to their command and control channel. For example, an Internet Relay Chat (IRC) Botnet employs IRC as the Command and Control (C&C) channel, where bots receive orders from a centralized IRC server. Another kind is a Peer-to-Peer (P2P) Botnet, ... nodes.
• It is crucial to remember that, while bots can be dangerous, they can also be useful. Search engines, for example, utilize bots to browse the web and categorize content from websites.

2.14 SMURF ATTACK
• Smurf attacks are types of distributed denial-of-service attacks that happen at the network layer. The assault is named after the software DDoS.Smurf, which allows hackers to carry it out.
• Because of their capacity to take down larger foes by working together, the assaults are also named after the cartoon characters The Smurfs.
• Large quantities of Internet Control Message Protocol (ICMP) packets with the faked source IP of the intended victim are broadcast to a computer network using an IP broadcast address in a Smurf attack.
• Most network devices will, by default, respond by sending a reply to the originating IP address. If there are a significant number of devices on the network that receive and reply to these packets, the victim's ...
• Dan Moschuk (alias Freak) created the first Smurf in 1997. One of the earliest assaults to employ this strategy occurred in 1998, and it first targeted the University of Minnesota.
• The cyber assault resulted in a cyber traffic bottleneck that also impacted the Minnesota Regional Network, a statewide internet service provider (ISP). It caused computers throughout the state to shut down, hindered networks, and contributed to data loss.
• Smurf assaults are often classified into two types : basic and sophisticated.
• A simple Smurf attack happens when the attacker sends an enormous number of ICMP request packets to the victim's network. Packets contain a source address that is set to the network's broadcast address, prompting any device on the network that receives the request to respond. This generates a large quantity of traffic, which finally brings the system down.

2.15 SYN FLOODING
• A SYN flood is a sort of denial-of-service (DDoS) attack that consumes all available server resources in order to render a server inaccessible to genuine traffic. The attacker bombards all accessible ports on a targeted server system with initial connection request (SYN) packets. This causes the targeted device to react slowly or not at all to valid traffic.
• SYN flood attacks take advantage of the handshake step of a TCP connection.
• To create a connection, a TCP connection goes through three separate procedures under typical conditions :
1. To begin the connection, the client sends a SYN packet to the server.
2. The server acknowledges the communication by sending a SYN/ACK packet.
3. Finally, the client sends an ACK packet to the server to acknowledge receipt of the packet.
• A SYN flood attack involves the attacker sending a large number of SYN packets to the targeted server, sometimes ... IP addresses. The server answers to each of these ..., leaving an open port waiting for the ... The attacker continues to transmit SYN packets while the server waits for the last ACK packet, which never arrives. Each new SYN packet forces the server to retain a new open port connection for a set amount of time, and after all available ports have been used, the server is unable to function.
• Even high-capacity devices capable of handling millions of connections can be brought down by this form of DDoS attack.
• This form of DDoS assault is commonly referred to as a "half-open" attack since it keeps unsecured connections exposed and ..., ending in a full server crash.

2.16 DOS/DDOS COUNTERMEASURES
1. Increase Capacity : This defense approach necessitates advance planning and more capacity to withstand or absorb the onslaught.
2. Degrade Services : Identify and terminate non-essential services.
3. Service Shutdown : Services can be turned off until the attack is over.
4. Using Firewalls and Routers : Firewalls and routers can be set to refuse specific types of packets used in DDoS assaults.
5. Intrusion Detection Systems (IDS) : IDS may be used to identify an attack early on and respond promptly.
6. Traffic Engineering : This entails altering network traffic in order to avoid congestion and optimally distribute network resources.
7. Use of a Content Delivery Network (CDN) : A CDN can assist in traffic distribution and make it more difficult for an attacker to target a single server.
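The "half-open" state that 2.15 describes can be modelled in a few lines: a server keeps a bounded table of connections for which it has sent a SYN/ACK and is waiting for the ACK, and a flood of never-completed SYNs fills it so that a legitimate SYN arriving afterwards is discarded. The following added example (not from the textbook) replays a constructed packet log against such a server and also shows the detection a defender would run over the same log; the backlog size, timeout and all addresses are constructed values.

```python
"""Added example (not from the textbook): a small model of the server-side
handshake state from 2.15, showing why a SYN flood is called a "half-open"
attack, plus a detector a defender can run over a packet log. The backlog
size, timeout, addresses and packet log are all constructed values."""
from collections import defaultdict

BACKLOG = 8             # half-open (SYN_RECEIVED) entries the modelled server holds
HALF_OPEN_TIMEOUT = 30  # seconds before an unanswered SYN/ACK entry is dropped

# Constructed packet log: (time_s, client_ip, client_port, flag).
# "S" = SYN from client, "A" = the client's final ACK. The server's SYN/ACK
# is implicit: it is sent for every SYN the server has room to accept.
PACKETS = (
    [(0.0, "10.0.0.5", 40000, "S"), (0.1, "10.0.0.5", 40000, "A")]         # normal client
    + [(1.0 + i * 0.01, "203.0.113.9", 50000 + i, "S") for i in range(20)]  # flood: SYNs, no ACKs
    + [(2.0, "10.0.0.6", 41000, "S"), (2.1, "10.0.0.6", 41000, "A")]        # legitimate, table full
    + [(40.0, "10.0.0.7", 42000, "S"), (40.1, "10.0.0.7", 42000, "A")]      # after entries expire
)


def simulate_server(packets, backlog=BACKLOG, timeout=HALF_OPEN_TIMEOUT):
    """Replay the log against a server with a fixed half-open table.
    Returns (established, dropped_syns, half_open_at_end)."""
    half_open = {}  # (ip, port) -> time the SYN was accepted
    established, dropped = [], []
    for t, ip, port, flag in packets:
        # the server's own timeout eventually frees entries the flooder never completes
        for key in [k for k, t0 in half_open.items() if t - t0 > timeout]:
            del half_open[key]
        key = (ip, port)
        if flag == "S":
            if len(half_open) >= backlog:
                dropped.append(key)        # table full: the SYN is discarded
            else:
                half_open[key] = t         # SYN/ACK sent, now waiting for the ACK
        elif flag == "A" and key in half_open:
            del half_open[key]
            established.append(key)
    return established, dropped, len(half_open)


def detect_syn_flood(packets, max_half_open_per_src=5):
    """Flag sources that sent many SYNs but completed few handshakes: count
    the (ip, port) pairs with a SYN and no matching ACK per source IP."""
    syns, acks = defaultdict(set), defaultdict(set)
    for _, ip, port, flag in packets:
        (syns if flag == "S" else acks)[ip].add(port)
    return {ip: len(syns[ip] - acks[ip]) for ip in syns
            if len(syns[ip] - acks[ip]) > max_half_open_per_src}


if __name__ == "__main__":
    est, drop, left = simulate_server(PACKETS)
    print("established:", est)
    print("dropped SYNs:", len(drop), "half-open at end:", left)
    print("suspected flooders:", detect_syn_flood(PACKETS))
```

With the constructed log, the client at 10.0.0.6 is refused while the table is full and 10.0.0.7 connects only after the timeout has expired the flood entries; raising the backlog (the "increase capacity" countermeasure) makes the drops disappear.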
8. Use a Web Application Firewall (WAF) : A WAF can aid in the filtering of harmful traffic.
9. Anti-DDoS Services : A variety of anti-DDoS services are available to help guard against DDoS attacks.
10. Download and install antivirus and anti-trojan software : Keep these updated.
11. Disable Unnecessary Services : Uninstall unnecessary software and scan all externally obtained files.

Syllabus Topic : Session Hijacking

2.17 INTRODUCTION TO SESSION HIJACKING

2.17.1 Session
• A session is an exchange between two or more communicating devices, or between a computer and a user, in the context of computers and networking.
• When a user checks in to or uses a specific computer, network, or software service, a session begins. It comes to an end when the user signs out of the service or turns off the computer.
• During a session, information about the user's activity while connected can be temporarily saved.
• This might take the form of session variables, which hold temporary information and are sometimes used to retrieve and display data across several web pages.

2.17.2 Session Hijacking
• This sort of attack is especially dangerous since it allows the attacker to impersonate the user and undertake activities on their behalf, potentially resulting in unauthorized access to sensitive information and data breaches.
• Web applications, particularly those that employ cookies to retain the status of a user's session, are the primary targets of session hijacking. Those cookies frequently include session IDs, which are unique keys used by the server to identify the client.
• An attacker can impersonate the client and take over their session if they have these identifiers.

Syllabus Topic : Types of Session Hijacking

2.18 TYPES OF SESSION HIJACKING
GQ. Explain the types of Session Hijacking.
Session hijacking can be categorized into three main types :
1. Active Session Hijacking
2. Passive Session Hijacking
3. Hybrid Hijacking
(1) Active Session Hijacking : The attacker gains control of the active session in this case. The genuine network user goes offline, and the attacker takes over as the authorized user. They can even take control of the client-server connection.
(2) Passive Session Hijacking : Instead of managing a targeted user's whole network session, the attacker monitors communication between a user and a server. The hacker's primary goal is to listen to all data and capture it for future use.
(3) Hybrid Hijacking : This technique combines Active Session Hijacking and Passive Session Hijacking. In this case, the attackers monitor the communication (network traffic) and take control of the online session to carry out their nefarious actions.

2.19 STEPS IN SESSION HIJACKING
(1) Monitoring and Intercepting : The attacker keeps a close eye on the network traffic between the user and the server. A packet sniffer can be used to do this.
2.18.1 Methods of Session Hijacking
To perform these types of Session Hijacking attacks, attackers use various methods :
(1) Bruteforcing the Session ID : The attacker employs a trial and error approach to determine the Session ID based on its duration.
(2) Cross-Site Scripting (XSS) or Misdirected Trust : The attacker attempts to identify weaknesses and weak points in the web server before injecting its code into it.
(3) Man-in-the-Browser : This entails exploiting flaws in a web browser to acquire control of the victim's session.
(4) Malware Infections : Malware can be used to steal a victim's session cookies.
(5) Session Fixation : An attacker in this attack changes a user's session ID before the user even logs into a target server, removing the requirement to steal the user's session ID.
(6) Session Side-jacking : This exploits an open, unencrypted communications channel to check for a valid session ID in order to hijack it.
Each type has its own unique approach, but all aim at exploiting a valid session to gain unauthorized access.
(2) Capturing Session ID : To get access to the server, the attacker takes the victim's session ID. This can be accomplished through the use of numerous means such as packet sniffers or Cross-Site Scripting (XSS) assaults.
(3) Using Captured Session ID : Once the attacker has obtained the session ID, he or she can impersonate the user and gain illegal access to their account.
(4) Spoofing IP Address : In IP Spoofing, the attacker impersonates someone else by utilizing an IP address of a trusted host. The attacker injects their own packets into the TCP session that are faked with the client's IP address, deceiving the server into believing it is speaking with the actual host.
(5) Executing Blind Attacks : If the attacker is unable to sniff packets and determine the proper sequence number required by the server, they can attempt brute force sequence number combinations.
(6) Taking Control of Session : The attacker takes control of the user's session while it is still active in active session hijacking.
(7) Eavesdropping : The attacker eavesdrops on network traffic to capture the user's session ID in passive session hijacking.

2.19.1 Prevention in Session Hijacking
(1) Use complex passwords and two-factor authentication.
(2) Only give out session IDs to trusted parties.
(3) On login, regenerate the session ID.
(4) Some services do secondary checks against the user's ...

2.20 SPOOFING VS HIJACKING
Spoofing and Hijacking are both types of cyber attacks, but they have different objectives and methods :
(1) Spoofing : ... information stored in the system, such as passwords, PINs, and so on.
• For example, hackers may develop a clone of a ... official, but when the victim is forwarded to the hacker ...

Syllabus Topic : Hacking Web Servers

2.21 INTRODUCTION TO HACKING WEB SERVERS

2.21.1 Hacking
• Hacking is the act of ... unauthorized access to a computer system ... theft, or ... objectives, such as security testing, and correcting ...

2.21.2 Web Server
• A web server is software that receives network requests from users and delivers files that ...

(4) Cross-Site Request Forgery (CSRF) : CSRF attacks force a logged-on victim's browser to submit a forged HTTP request to a susceptible web application, containing the victim's session cookie and any other automatically included authentication information.
Misconfigurations are the single most serious danger to cloud and app security. Many application security technologies involve manual configuration, which can be error-prone and time-consuming to administer and update.
(5) Unsecured APIs : Unsecured application programming interfaces (APIs) can allow attackers to get access.
(6) Insecure Design : This is a new category for 2021, with an emphasis on hazards connected to design defects.
(7) Security Misconfiguration : This is an increase from #6 in the previous edition; 90% of apps were evaluated for some type of misconfiguration.
(8) Vulnerable and Outdated Components : This was formerly named Using Components with Known Vulnerabilities and is ranked second in the Top 10 community survey, but it also has enough data to rank in the Top 10 through data analysis.
(9) Identification and Authentication Failures : This was formerly Broken Authentication; it is now falling from second place, and it now contains CWEs that are more connected to identity problems.

2.24 ATTACKS AGAINST WEB SERVERS

2.24.1 Attacks
• Attacks are legal and permitted attempts to uncover and exploit flaws in a computer system in order to make it more secure.
• Operating system assaults, misconfiguration attacks, application level attacks, and shrink wrap code attacks are examples.
• The purpose is to strengthen security and protect systems from malicious users.

2.24.2 Attacks Against Web Servers
• Web servers are an important part of the internet infrastructure since they host websites and online applications that users engage with on a regular basis.
• They are, nonetheless, a major target for attackers looking to exploit flaws and compromise these systems.
• The Denial of Service (DoS) or Distributed Denial of Service (DDoS) assault is a popular form of attack.
• The attacker floods the server with requests in these assaults, overloading its capacity to reply and forcing it to crash.
• This is especially dangerous for firms that rely on web servers for online transactions or consumer interactions.

2.25 PATCH MANAGEMENT TECHNIQUES

2.25.1 Patch
• A patch is a piece of software meant to fix or improve a computer program or its accompanying data. It involves addressing security flaws and other problems as well as enhancing usability and speed.
• Patch management is a subset of vulnerability management, which is the process of finding, categorizing, remediating, ... vulnerabilities ...
• Patches can help you battle malware, preserve your data, and keep your systems functioning smoothly.
• It is a necessary technique in ethical hacking to prevent attackers from abusing known flaws.

2.25.2 Patch Management
• Patch management is an important component of hacking since it focuses on the software compatibility of different versions for various devices, computers, and operating systems.
• It entails comprehending the distinctions between each patch and the ramifications for various sorts of devices.
• Patches are snippets of software code generated by programmers to repair and update an application or file.
• They are designed to fix issues and improve the operation of computer programs and operating systems.

2.25.3 Types of Patches Include
• General distribution release (GDR) : An update that includes fixes for reported and verified problems.
• Security-only distribution release (SDR) : When only security patches are available in the GDR branch, a Microsoft Update is released.

2.26 WEB SERVER HARDENING
GQ. ... Server Hardening ? Define Vulnerability ...
• Server hardening is the process of ... techniques, resulting in a considerably more secure server operating environment.
• Various security protections are implemented throughout the server hardening procedure. We reduce the attack surface by ..., installing intrusion detection systems, ... safeguards.

Chapter Ends...
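Referring back to the session hijacking methods in 2.18.1 and the prevention points in 2.19.1, the following added example (not code from the textbook) is a minimal server-side session store that puts those points into practice: IDs drawn from a CSPRNG so brute-forcing is infeasible, a new ID minted at login so a fixated ID is useless, a secondary check binding the session to the client it was issued to so a side-jacked or stolen ID presented from elsewhere is rejected, and idle expiry. The store, the client "fingerprint" strings and the clock are constructed for the demonstration.

```python
"""Added example (not from the textbook): a minimal session store applying
the 2.19.1 prevention points against the 2.18.1 methods. IDs come from a
CSPRNG (brute-forcing), a new ID is minted at login (session fixation), a
secondary check binds the session to its client (side-jacked/stolen IDs),
and idle sessions expire. Store, fingerprint and clock are constructed."""
import secrets
import time


class FakeClock:
    """Constructed clock so the demo and tests can advance time at will."""
    def __init__(self, now=1000.0):
        self.now = now

    def __call__(self):
        return self.now


class SessionStore:
    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self.sessions = {}  # session_id -> {"user", "fp", "last"}
        self.idle_timeout = idle_timeout
        self.clock = clock

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 256 random bits: not guessable

    def create(self, client_fp):
        sid = self._new_id()  # anonymous pre-login session (e.g. a cart)
        self.sessions[sid] = {"user": None, "fp": client_fp, "last": self.clock()}
        return sid

    def login(self, presented_sid, user, client_fp):
        """Mint a NEW id on login; the id the browser presented beforehand
        (possibly planted by an attacker) is discarded, defeating fixation."""
        self.sessions.pop(presented_sid, None)
        sid = self._new_id()
        self.sessions[sid] = {"user": user, "fp": client_fp, "last": self.clock()}
        return sid

    def authenticate(self, sid, client_fp):
        """User for sid, or None if unknown, not logged in, idle-expired, or
        presented by a different client (secondary check; revoke on mismatch)."""
        s = self.sessions.get(sid)
        if s is None or s["user"] is None:
            return None
        now = self.clock()
        if now - s["last"] > self.idle_timeout or s["fp"] != client_fp:
            del self.sessions[sid]
            return None
        s["last"] = now
        return s["user"]


def demo():
    """Walk a fixation attempt, a side-jacking attempt and idle expiry."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=900, clock=clock)
    victim_fp, attacker_fp = "victim-ua/203.0.113.5", "attacker-ua/198.51.100.7"
    # Fixation: attacker obtains a valid pre-login id and plants it on the victim.
    planted = store.create(attacker_fp)
    real = store.login(planted, "alice", victim_fp)  # victim logs in with planted id
    out = {
        "ids_differ": planted != real,
        "planted_after_login": store.authenticate(planted, attacker_fp),
        "victim_ok": store.authenticate(real, victim_fp),
        # Side-jacking: the real id is sniffed and replayed from the attacker's client.
        "stolen_from_attacker": store.authenticate(real, attacker_fp),
        "victim_after_revoke": store.authenticate(real, victim_fp),
    }
    fresh = store.login(store.create(victim_fp), "alice", victim_fp)
    clock.now += 901  # idle longer than the timeout
    out["expired"] = store.authenticate(fresh, victim_fp)
    return out
```

Revoking the session on a fingerprint mismatch also logs the legitimate user out, which is the deliberate trade-off: a stolen ID becomes worthless the moment it is used from another client.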