CS PYQs GTU

Uploaded by Shivang Parmar

Summer 2023 Paper Solutions

Q1.

(a) Define System and Web Vulnerability. (3 Marks)

System Vulnerability:
A system vulnerability is a weakness or flaw in a computer system’s hardware, software, or network
that can be exploited by attackers to compromise security. These vulnerabilities may arise from
outdated software, misconfigurations, or unpatched systems, allowing attackers to gain
unauthorized access, disrupt operations, or steal sensitive information. Examples include
unpatched operating system vulnerabilities and insecure network configurations.

Web Vulnerability:
A web vulnerability is a security flaw within a web application or website that allows attackers to
exploit it, often targeting users or data within the web environment. Common web vulnerabilities
include SQL Injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). These
vulnerabilities can lead to data breaches, unauthorized access, or manipulation of website content.

(b) Explain Metasploit and OpenVAS. (4 Marks)

Metasploit

● Purpose: An open-source penetration testing framework (the Metasploit Framework, maintained by Rapid7) used to identify and, above all, exploit vulnerabilities.
● Features:
○ Organised into modules: exploits, payloads (e.g. Meterpreter), auxiliary scanners, post-exploitation modules and encoders.
○ Ships a large, regularly updated database of exploits for publicly known vulnerabilities (referenced by CVE), allowing testing against known weaknesses.
○ Supports scripting and automation of attack chains through its msfconsole interface, making it a standard tool among security professionals.
● Use Case: Ethical hacking and authorised security testing, in particular to verify whether a vulnerability reported by a scanner is actually exploitable, and to evaluate network defenses.

OpenVAS

● Purpose: An open-source vulnerability scanner (the scanning engine of Greenbone Vulnerability Management) that detects known security weaknesses in systems, network services and applications without exploiting them.
● Features:
○ Uses a large, regularly updated feed of Network Vulnerability Tests (NVTs) covering thousands of known vulnerabilities.
○ Produces detailed reports that rate each finding by severity (CVSS) and recommend mitigations.
○ Offers configurable scan profiles (for example full scans, fast scans and authenticated scans with credentials) to meet specific security needs.
● Use Case: Vulnerability assessment, compliance checks and regular security audits. A scanner such as OpenVAS finds weaknesses; a framework such as Metasploit confirms that they are exploitable.

(c) Describe Nmap. Explain different functionalities with its commands in detail. (7
Marks)

Nmap (Network Mapper) is an open-source tool used for network discovery and security auditing.
It is widely used by network administrators, security professionals, and attackers to scan networks,
discover hosts, and detect open ports or vulnerabilities. Nmap helps in identifying active devices on
a network, their IP addresses, and the services running on them.

1. Host Discovery (Ping Scan)

● Command: nmap -sn [target]
○ Example: nmap -sn 192.168.1.0/24
○ Purpose: Identify which devices are online without scanning ports. When run as root, Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; as an unprivileged user it falls back to TCP connect attempts, so hosts that block ICMP can still be found.

2. Port Scanning

● TCP Connect Scan:
○ Command: nmap -sT [target]
○ Example: nmap -sT 192.168.1.1
○ Purpose: Complete the full TCP three-way handshake on each port. It works without root privileges but is noisier, because the target application sees, and usually logs, the connection.
● SYN Scan (Stealth Scan):
○ Command: nmap -sS [target]
○ Example: nmap -sS 192.168.1.1
○ Purpose: Send only a SYN and classify the port from the SYN/ACK (open) or RST (closed) reply without completing the handshake, so the application never sees a connection. Needs raw-socket privileges (root) and is Nmap's default scan when run as root.
● UDP Scan:
○ Command: nmap -sU [target]
○ Example: nmap -sU 192.168.1.1
○ Purpose: Scan for open UDP ports (DNS, SNMP, DHCP and similar). It is slow, because a port that stays silent can only be reported as open|filtered; combining it with -sV lets Nmap send protocol-specific probes to resolve the ambiguity.

3. Service Version Detection

● Command: nmap -sV [target]
○ Example: nmap -sV 192.168.1.1
○ Purpose: Send protocol probes to each open port to identify the service and its version (for example OpenSSH 7.4 rather than just "port 22 open"), which is what you need to match a port against known vulnerabilities.

4. Operating System Detection

● Command: nmap -O [target]
○ Example: nmap -O 192.168.1.1
○ Purpose: Identify the operating system of a target host by TCP/IP stack fingerprinting (how it answers a series of crafted probes). Needs root; results are most reliable when the host has at least one open and one closed TCP port.

5. Script Scanning (NSE)

● Command: nmap --script=[script_name] [target]
○ Example: nmap --script=vuln 192.168.1.1
○ Purpose: Run Nmap Scripting Engine (Lua) scripts to detect vulnerabilities, enumerate services or gather configuration details. The argument can be a script name, a category (vuln, auth, discovery, brute, ...) or a wildcard pattern; -sC runs the default category. Some vuln and brute scripts are intrusive and can crash services or lock out accounts, so run them only with authorisation.

6. Aggressive Scan

● Command: nmap -A [target]
○ Example: nmap -A 192.168.1.1
○ Purpose: Run an intensive scan that combines OS detection (-O), version scanning (-sV), default script scanning (-sC) and traceroute (--traceroute). Convenient for a first look, but noisy and easy for an IDS to notice.

7. Traceroute

● Command: nmap --traceroute [target]
○ Example: nmap --traceroute 192.168.1.1
○ Purpose: Trace the path packets take to the target, hop by hop.

8. Firewall Evasion

● Decoy Scan:
○ Command: nmap -D [decoy_ip1,decoy_ip2,...,ME] [target]
○ Example: nmap -D RND,192.168.1.2,ME 192.168.1.1
○ Purpose: Send the same probes from spoofed decoy addresses as well as your own (RND picks a random decoy, ME marks the real scanner's position in the list), so the target's logs cannot tell which source is the real one. Decoys should be live hosts, otherwise the target may effectively be SYN-flooded.
● Packet Fragmentation:
○ Command: nmap -f [target]
○ Example: nmap -f 192.168.1.1
○ Purpose: Split the TCP header across small IP fragments so that a simple packet filter cannot match on the port fields. Needs root, and most modern firewalls and IDS reassemble fragments before inspecting them, so this defeats only very basic filters.

9. Save Output
● Command: nmap -oN [file_name] [target]
○ Example: nmap -oN scan_results.txt 192.168.1.1
○ Purpose: Save the scan results to a file. -oN writes the normal human-readable output; -oX writes XML and -oG grepable output for processing by scripts; -oA [basename] writes all three at once.

Q2.

(a) Define Snort. (3 Marks)

Snort is an open-source Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
that provides real-time traffic analysis, packet logging, and protocol analysis. It is designed to detect
and respond to various network security threats, such as buffer overflows, stealth port scans, CGI
attacks, SMB probes, and OS fingerprinting attempts.

Snort operates in three distinct modes:

1. Sniffer Mode: In this mode, Snort reads network packets and displays them on the screen.
It helps in monitoring network traffic in real-time.
2. Packet Logger Mode: Here, Snort logs network packets to a disk for later analysis. This
mode is useful for post-incident analysis.
3. Network Intrusion Detection System (NIDS) Mode: In this mode, Snort monitors network
traffic and compares it against a user-defined rule set (signatures describing known attacks).
When a packet matches a rule it generates an alert and logs the packet; run inline as an IPS it
can also drop the offending traffic.

Given the growing importance of internet security, Snort plays a crucial role in detecting potential
threats and protecting network infrastructure.

(b) Differentiate between Stateful and Stateless firewalls. (4 Marks)

Feature           | Stateless Firewall                                                                                            | Stateful Firewall
Definition        | Filters each packet individually, based on predefined rules such as IP address, port and protocol.            | Tracks active connections and filters packets based on the state of the connection they belong to.
Packet Context    | Treats each packet independently, without considering the connection it is part of.                           | Keeps a connection table for the whole session and makes decisions using that session context.
Security Level    | Basic security; it cannot tell a reply from an unsolicited packet, so return traffic needs permanent holes in the rules, and it is less effective against complex or advanced threats. | Higher security, as it admits inbound packets only for sessions that were legitimately opened and can reject out-of-state packets.
Speed & Resources | Faster and uses fewer resources (no state table); ideal for simple filtering such as router ACLs.              | Slower and more resource-intensive (memory for the state table) but provides better security for complex networks.
Best Use          | Suitable for smaller networks with simple security needs, or as a coarse first filter in front of a stateful device. | Ideal for enterprise or secure environments where session-aware filtering is needed.
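Added example, not from the original notes: a Python model of the two filter types run over the same constructed packet sequence. The addresses are assumed. It shows the concrete consequence of the "Packet Context" row above: the stateless filter must carry a permanent rule accepting anything from TCP source port 443 so that HTTPS replies can come back, and an attacker who simply sets source port 443 walks through it, while the stateful filter admits only packets belonging to a connection the inside host opened.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the header fields a filter consults."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


INSIDE = "10.0.0.5"        # assumed address of the protected host
WEB = "203.0.113.10"       # assumed external HTTPS server


def stateless_allow(pkt):
    """Stateless filter: each packet is judged on its own header. It cannot tell
    a reply from a fresh connection, so letting HTTPS replies in requires a
    standing rule 'accept anything from TCP source port 443'."""
    if pkt.src == INSIDE and pkt.dport == 443:
        return True                       # outbound HTTPS
    if pkt.dst == INSIDE and pkt.sport == 443:
        return True                       # the hole: any packet from port 443
    return False


class StatefulFilter:
    """Stateful filter: outbound connections are recorded and only inbound
    packets matching a recorded connection are admitted. A real firewall also
    removes entries on FIN/RST and ages idle ones out; that is omitted here."""

    def __init__(self):
        self.connections = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        if pkt.src == INSIDE:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":
                self.connections.add(key)     # new connection opened from inside
                return True
            return key in self.connections    # later packets of a known flow
        if pkt.flags == "S":
            return False                      # nobody inside asked for this
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return key in self.connections        # reply to a recorded connection


def run_stateless(traffic):
    return [stateless_allow(p) for p in traffic]


def run_stateful(traffic):
    fw = StatefulFilter()
    return [fw.allow(p) for p in traffic]


# Constructed traffic: a legitimate HTTPS exchange, then an attacker who sets
# source port 443 to slip through the stateless rule.
TRAFFIC = [
    Packet(INSIDE, 51000, WEB, 443, "S"),              # 1 client opens HTTPS
    Packet(WEB, 443, INSIDE, 51000, "SA"),             # 2 server replies
    Packet(INSIDE, 51000, WEB, 443, "A"),              # 3 handshake completes
    Packet("198.51.100.7", 443, INSIDE, 51000, "S"),   # 4 unsolicited, source port 443
    Packet("198.51.100.7", 443, INSIDE, 22, "S"),      # 5 SSH probe from source port 443
]

if __name__ == "__main__":
    for p, a, b in zip(TRAFFIC, run_stateless(TRAFFIC), run_stateful(TRAFFIC)):
        print("%s:%d -> %s:%d %-2s stateless=%s stateful=%s"
              % (p.src, p.sport, p.dst, p.dport, p.flags, a, b))
```

Packets 4 and 5 are the point: the stateless filter accepts both because they arrive from port 443, the stateful filter rejects both because no inside host has a connection to 198.51.100.7.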

(c) Explain Network Sniffers with a suitable example. (7 Marks)

A network sniffer is a tool that monitors and captures network traffic. It is used both by network
administrators (for troubleshooting) and by attackers (for gathering sensitive data such as cleartext
passwords and session cookies from unencrypted protocols).

Key Functions of Network Sniffers:

1. Packet Capture: Sniffers capture all the packets transmitted across the network, including
the headers, payload, and metadata.
2. Traffic Analysis: After capturing the data, sniffers analyze the packet contents to identify
the protocols being used, such as HTTP, FTP, TCP, UDP, etc.
3. Protocol Decoding: Network sniffers decode different layers of the protocol stack, enabling
detailed inspection of the data being sent between devices.
4. Network Monitoring: Sniffers help administrators monitor network performance, detect
bottlenecks, and ensure data integrity.
5. Security Monitoring: Sniffers can identify abnormal behavior, such as suspicious traffic,
unauthorized access attempts, or signs of a cyberattack.

Example of Network Sniffers:

Wireshark is one of the most popular and widely used network sniffing tools. It is a free and
open-source packet analyzer that allows users to capture and examine data packets in real time.
Wireshark is used by network engineers to troubleshoot network problems, by security
professionals to detect intrusions, and by developers to analyze application traffic.

How Wireshark Works:

● When installed on a system, Wireshark captures traffic by putting the network interface into
promiscuous mode, so that frames addressed to other hosts are not discarded by the card. On a
switched network this still shows only the host's own traffic and broadcasts; to see other hosts'
traffic you need a mirror (SPAN) port, a network tap, or a redirection technique such as ARP
spoofing.
● It captures all packets, decodes them, and presents the information in a user-friendly
interface.
● The captured data can include protocol-specific details, such as HTTP requests, DNS
lookups, FTP transfers, etc.
● Wireshark allows users to filter specific packets based on various parameters like IP
addresses, protocols, and port numbers.

Use Case Example: In a corporate environment, a network administrator might use Wireshark to
monitor the performance of a company's internal network. If an employee complains about slow
internet speeds, the administrator can capture the traffic during the issue and analyze it. They may
discover that a large number of HTTP requests are being made to a particular external website,
causing congestion. Based on the findings, the administrator could block access to the site or
investigate further to see if it's a legitimate issue or part of a cyberattack.
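Added example, not from the original notes: a small Python packet decoder that does what a sniffer's protocol decoding stage does, walking an Ethernet II / IPv4 / TCP frame layer by layer, and a tiny display filter in the spirit of Wireshark's tcp.dstport == 80. The frames are constructed in the script itself (checksums are left at zero, which is fine for decoding); addresses and the HTTP login request are invented. The first frame makes the security point: on plain HTTP the credentials are readable in the payload of a single packet.

```python
import socket
import struct

ETH_IPV4 = 0x0800
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload):
    """Construct an Ethernet II / IPv4 / TCP frame (checksums zero; enough for
    a decoder, not for putting on a wire). Used to make the sample frames below."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_IPV4)
    # TCP: sport, dport, seq, ack, data offset (5 words) << 4, flags, window, csum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto (6 = TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def decode_frame(frame):
    """Dissect the frame one layer at a time, the way Wireshark's dissectors do."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = {"eth_src": src_mac.hex(":"), "eth_dst": dst_mac.hex(":"), "ethertype": ethertype}
    if ethertype != ETH_IPV4:
        return pkt                                   # not IPv4: stop at layer 2
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                         # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt.update(ip_src=socket.inet_ntoa(ip[12:16]), ip_dst=socket.inet_ntoa(ip[16:20]),
               ip_proto=ip[9])
    if ip[9] != 6:
        return pkt                                   # not TCP: stop at layer 3
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off >> 4) * 4                        # TCP header length in bytes
    pkt.update(sport=sport, dport=dport, seq=seq, flags=flags, payload=tcp[data_off:])
    return pkt


def flag_names(flags):
    return [name for bit, name in TCP_FLAG_NAMES if flags & bit]


def summarize(frames, **display_filter):
    """Decode each frame and keep those whose fields match the filter,
    e.g. summarize(frames, dport=80); no filter keeps everything."""
    rows = []
    for frame in frames:
        pkt = decode_frame(frame)
        if all(pkt.get(k) == v for k, v in display_filter.items()):
            rows.append((pkt.get("ip_src"), pkt.get("sport"), pkt.get("ip_dst"), pkt.get("dport"),
                         "|".join(flag_names(pkt.get("flags", 0))), pkt.get("payload", b"")[:40]))
    return rows


# Constructed capture: a cleartext HTTP login (PSH|ACK = 0x18) and an SSH SYN.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.5", "203.0.113.10", 52000, 80, 0x18,
                b"POST /login HTTP/1.1\r\nHost: intranet\r\n\r\nuser=admin&pass=Winter2023"),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.5", "10.0.0.9", 52001, 22, 0x02, b""),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_FRAMES):
        print("%s:%s -> %s:%s [%s] %r" % row)
```

The same decoder applied to an HTTPS frame would stop at an opaque TLS record, which is the whole argument for the TLS tooling (OpenSSL, Stunnel) discussed later in this paper.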

OR

(c) Define NAT. Describe Port Forwarding with its types in detail. (7 Marks)

Network Address Translation (NAT) is a technique in which a router rewrites the IP addresses (and,
for TCP and UDP, the port numbers) in packets as they pass between a private network and an
external network such as the internet, so that devices using private (RFC 1918) addresses can
communicate outside. NAT conserves the limited pool of public IPv4 addresses by letting many
devices share a single public address, with each outbound connection tracked in a translation table.
As a side effect it hides internal addresses from the outside and drops unsolicited inbound packets
that match no table entry, which gives some protection but is not a substitute for a firewall; a
port-forwarding rule deliberately re-exposes an internal service through the public address.
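Added example, not from the original notes: a Python model of a NAT router's translation table doing source NAT with port translation (PAT) plus a static port-forwarding rule. The public and private addresses are assumed. It shows why two inside hosts can both use source port 50000 to the same server, why a reply finds its way back to the right host, why an unsolicited inbound packet is dropped, and how a port forward reopens one internal service.

```python
import itertools


class Nat:
    """Model of a NAT router: source NAT with port translation (PAT) and static
    port forwarding. Example code, not a real implementation."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # (public_port, dst_ip, dst_port) -> (priv_ip, priv_port)
        self.forwards = {}   # public_port -> (priv_ip, priv_port), static rules

    def add_port_forward(self, public_port, priv_ip, priv_port):
        """Port forwarding: expose an internal service on a public port."""
        self.forwards[public_port] = (priv_ip, priv_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the private network and record
        the mapping. Returns the 4-tuple as seen on the internet."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            public_port = next(self._next_port)       # one public port per flow: PAT
            self.outbound[key] = public_port
            self.inbound[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_port):
        """Packet arriving at the public IP on dst_port from src_ip:src_port.
        Returns the internal (ip, port) it is delivered to, or None if dropped."""
        flow = self.inbound.get((dst_port, src_ip, src_port))
        if flow is not None:
            return flow                               # reply to a tracked connection
        if dst_port in self.forwards:
            return self.forwards[dst_port]            # static port forward
        return None                                   # unsolicited: no mapping, dropped


def demo():
    """Two inside hosts share the public address; only the forwarded port is reachable from outside."""
    nat = Nat("198.51.100.1")                         # assumed public address
    a = nat.translate_outbound("10.0.0.5", 50000, "203.0.113.10", 443)
    b = nat.translate_outbound("10.0.0.6", 50000, "203.0.113.10", 443)
    reply_to_b = nat.translate_inbound("203.0.113.10", 443, b[1])
    probe = nat.translate_inbound("203.0.113.99", 12345, 22)   # nobody asked for this
    nat.add_port_forward(2222, "10.0.0.5", 22)
    forwarded = nat.translate_inbound("203.0.113.99", 12345, 2222)
    return a, b, reply_to_b, probe, forwarded


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The translation table is what makes PAT stateful: the reply is matched on (public port, remote address, remote port), so a packet from a different remote host to the same public port does not match and is discarded.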

Q3.

(a) Explain Curl, OpenSSL, and Stunnel. (3 Marks)

1. Curl
● Curl is an open-source command-line tool (built on the libcurl library) used to transfer data to
or from a URL over many protocols, including HTTP, HTTPS, FTP, SFTP and IMAP.
● It supports TLS with client certificates, custom request headers, HTTP POST/PUT, cookies,
proxies and FTP uploads, which makes it a handy way to probe web servers and APIs by hand.
● Curl is commonly used at the command line or in scripts to automate data transfers and is
available on Unix, Linux, macOS, and Windows.
● It displays a progress meter for transferred data, showing speeds and estimated time
remaining.

2. OpenSSL

● OpenSSL is an open-source toolkit: a library implementing the TLS (Transport Layer Security)
protocol and its deprecated predecessor SSL (Secure Sockets Layer) together with general-purpose
cryptography, plus an openssl command-line tool.
● Widely used for establishing secure communications, it can generate RSA, DSA and elliptic-curve
keys, create and inspect X.509 certificates and certificate signing requests, and compute message
digests; openssl s_client connects to a server and shows its certificate chain and negotiated cipher.
● Applications built on OpenSSL get encrypted connections and certificate-based authentication
of the server, which prevents interception and manipulation of traffic, making it essential for
secure web applications.

3. Stunnel

● Stunnel is a multi-platform tool that provides SSL/TLS tunneling for encrypting connections
between clients and servers.
● It wraps SSL around any network service, enabling encrypted connections even if the
application doesn’t natively support SSL.
● Stunnel relies on libraries like OpenSSL and is compatible with Unix-like systems and
Windows, making it useful for securing otherwise vulnerable network services.

(b) Define Password Cracking and Brute Force tools. Explain any one in brief. (4
Marks)

Password Cracking is the process of recovering plaintext passwords from stored or captured data,
usually password hashes taken from a system (offline cracking), or of guessing them directly against
a login interface (an online attack). Password cracking tools are used by security professionals to
test the strength of passwords by attempting to recover them through various techniques.

Brute Force Tools specifically perform brute-force attacks, a common password-cracking method.
In a brute-force attack, the tool tries every possible combination of characters until it finds one
whose hash matches the stored hash. Because the search space grows exponentially with length
(eight characters from lowercase letters and digits alone give 36^8, about 2.8 trillion candidates),
brute force is practical only for short or simple passwords; dictionary attacks with word-mangling
rules are tried first.

Example: John the Ripper (Password Cracking Tool)


John the Ripper is a popular open-source password-cracking tool that uses multiple techniques,
including brute-force, dictionary, and hybrid attacks. Originally designed for Unix passwords, it now
supports many operating systems, including Windows, macOS, and Linux.

Key Features of John the Ripper:

● Hash Support: Supports various password hash types (e.g., MD5, SHA-1, NTLM).
● Customizable: Users can configure dictionaries and rules to optimize attacks.
● Multi-threaded: Leverages multiple CPU cores for faster cracking speeds.

How John the Ripper Works:

1. Setup: The user provides a file containing the password hashes (for example the combined
/etc/passwd and /etc/shadow produced by the unshadow utility, or NTLM hashes from a Windows
SAM dump).
2. Choose Mode: Selects a cracking mode: single crack (candidates derived from the username
and GECOS fields), wordlist (dictionary entries, optionally mangled by rules), or incremental
(exhaustive brute force).
3. Execution: John hashes each candidate with the same algorithm and salt as the target and
compares the result against the stored hashes until a match is found; cracked passwords are
saved in its pot file and can be listed with john --show.
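Added example, not from the original notes: a Python re-creation of the two attack modes described above, run against a constructed "stolen" hash file. The storage format (hex SHA-256 of salt followed by password) and the wordlist are assumptions made for the example; real systems should use a deliberately slow hash such as bcrypt, scrypt or Argon2, which is exactly what makes this kind of cracking expensive. The wordlist mode applies a few mangling rules in the spirit of John's rule engine, and the incremental mode shows why brute force is bounded to short passwords.

```python
import hashlib
import itertools
import string


def hash_password(password, salt):
    """Assumed storage format for this example: hex SHA-256 of salt || password."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed hash file, one (username, salt, hash) per account, as an attacker
# would feed to a cracker. The passwords are chosen to exercise each mode.
SALT = "s4lt"
HASH_FILE = [
    ("alice", SALT, hash_password("Password1", SALT)),
    ("bob",   SALT, hash_password("dragon", SALT)),
    ("carol", SALT, hash_password("zq7", SALT)),
    ("dave",  SALT, hash_password("correct horse battery staple", SALT)),
]

# Constructed wordlist (a real one has millions of entries).
WORDLIST = ["123456", "password", "dragon", "letmein", "qwerty"]


def mangle(word):
    """Small rule set: case variants and a digit suffix, as John's wordlist rules do."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for digit in "0123456789":
        yield word + digit
        yield word.capitalize() + digit


def dictionary_attack(entries, wordlist):
    """Wordlist mode: hash each (mangled) dictionary word and compare."""
    found = {}
    for user, salt, digest in entries:
        for word in wordlist:
            if any(hash_password(cand, salt) == digest for cand in mangle(word)):
                found[user] = next(c for c in mangle(word) if hash_password(c, salt) == digest)
                break
    return found


def brute_force(entries, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Incremental mode: every string up to max_len. 36^3 = 46,656 candidates here;
    the same alphabet at length 8 is about 2.8e12, which is why this is only
    feasible for short passwords."""
    found = {}
    pending = set(entries)
    for length in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=length):
            cand = "".join(tup)
            for entry in list(pending):
                user, salt, digest = entry
                if hash_password(cand, salt) == digest:
                    found[user] = cand
                    pending.discard(entry)
            if not pending:
                return found
    return found


if __name__ == "__main__":
    print("wordlist mode:   ", dictionary_attack(HASH_FILE, WORDLIST))
    print("incremental mode:", brute_force(HASH_FILE))
```

Wordlist mode recovers alice ("password" capitalised plus a digit) and bob; incremental mode recovers only carol's three-character password; dave's long passphrase survives both, which is the lesson for password policy.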

(c) Describe DVWA. Explain SQL Injection in DVWA with an example in detail. (7
Marks)

DVWA (Damn Vulnerable Web Application) is a PHP/MySQL-based web application intentionally
designed with security vulnerabilities. It serves as a practice tool for security professionals, ethical
hackers, and students to learn and test their skills in finding and exploiting vulnerabilities in a
controlled environment.

DVWA includes various security flaws like SQL Injection, Cross-Site Scripting (XSS), and Command
Injection, and it allows users to practice penetration testing techniques safely without harming real
systems.

SQL Injection is a code injection technique where an attacker manipulates SQL queries by injecting
malicious input through a vulnerable web application. This allows attackers to retrieve, alter, or
delete data from the database. In DVWA, SQL Injection vulnerabilities are deliberately included so
users can learn how they work and practice defenses.

Example of SQL Injection in DVWA

1. Testing for Vulnerability:
○ Enter a single quote (') in the User ID field. DVWA's low-security page pastes the input
straight into its query, so the unbalanced quote breaks the SQL syntax and MySQL returns an
error. A database error triggered by a quote shows that the input reaches the query
unescaped, which is the tell-tale sign of SQL Injection.
2. Exploiting the Vulnerability:
○ Entering 1' OR '1'='1 in the User ID field turns the query into
SELECT first_name, last_name FROM users WHERE user_id = '1' OR '1'='1', which returns
every row, since '1'='1' is always true. This reveals the names of all users in the table.
3. Retrieving Sensitive Information:
○ To extract other columns (such as login names and password hashes), use a UNION query:
1' UNION SELECT user, password FROM users -- (with a space after the --, which comments
out the rest of the original query). The second SELECT must return the same number of
columns as the original query (two here), so its rows are appended to the result and DVWA
displays the login name and MD5 password hash of every user.

This example illustrates how SQL Injection in DVWA allows attackers to access unauthorized data
by manipulating queries. The defence is not input filtering alone but parameterised (prepared)
statements, so that user input is always treated as data and never as part of the SQL.

OR

(a) Explain Zed Attack Proxy. (3 Marks)

ZAP (Zed Attack Proxy) is a popular open-source web application security testing tool, developed
for many years as an OWASP (Open Web Application Security Project) flagship project. It sits
between the browser and the web application as a man-in-the-middle proxy and helps find security
vulnerabilities in web applications and APIs.

Uses and Features:

● Automated Scanning: Active scanning injects test payloads to find common vulnerabilities
(e.g., XSS, SQL injection); passive scanning flags issues such as missing security headers
without sending any attack traffic.
● Intercepting Proxy: Allows interception and modification of requests and responses in flight.
● Spidering: Crawls websites (including JavaScript-heavy ones, via the AJAX spider) to map all
pages and forms.
● Fuzzing: Sends large sets of crafted payloads into chosen request parameters to find input
handling weaknesses.
● Alerts and Reports: Generates reports on detected vulnerabilities with risk levels and
mitigation steps.

(b) Explain the following terms:

1. Datapipe
2. Fpipe
3. WinRelay
4. Traffic Probe (4 Marks)

1. Datapipe: It is a Unix tool that redirects traffic from one local port to a remote port on a
specified host.
2. FPipe: It is a Windows-based tool for port redirection that supports both TCP and UDP
protocols. Unlike Datapipe, FPipe also allows you to specify the source port for outgoing
traffic, which is helpful for bypassing firewalls that permit certain source ports.
3. WinRelay: It is a Windows-based port redirection tool that redirects traffic through a
specified port with a static source port. This helps maintain consistent port usage for
redirected connections, which can be useful in specific applications like network testing and
gaming.
4. Traffic Probe: Sends valid requests to a service (e.g. an HTTP HEAD request) and examines the
response headers and banner to identify the software and version running, without attacking it.
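Added example, not from the original notes: a minimal TCP port redirector in Python that does what Datapipe and FPipe do, accepting connections on one port and relaying them to another host and port, with FPipe's optional fixed source port on the outbound leg. The echo server is a constructed stand-in for the real target service; everything runs on the loopback interface, and the listening ports are assumed (0 lets the OS pick a free one).

```python
import socket
import threading


def _pipe(src, dst):
    """Copy bytes from src to dst until src closes, then close dst's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_redirector(listen_host, listen_port, target_host, target_port, source_port=0):
    """Listen on listen_host:listen_port and relay each TCP connection to
    target_host:target_port (Datapipe's job). source_port fixes the source port
    of the outbound leg, the FPipe/WinRelay feature used to satisfy filters that
    trust a particular source port; 0 lets the OS choose. Returns the bound port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_host, listen_port))
    listener.listen(5)

    def serve():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            upstream = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            if source_port:
                upstream.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
                upstream.bind(("", source_port))
            upstream.connect((target_host, target_port))
            # One thread per direction so both sides can talk at once.
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the real service: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def round_trip(port, message):
    """Connect to port on loopback, send message, return everything echoed back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(message)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    echo_port = start_echo_server()
    relay_port = start_redirector("127.0.0.1", 0, "127.0.0.1", echo_port)
    print(round_trip(relay_port, b"hello through the pipe"))
```

The client only ever talks to the redirector, which is why these tools matter to both sides: an administrator uses one to reach a service through a host that is allowed to, and an attacker uses the same trick to tunnel past a filter from a machine already compromised.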

(c) Discuss Web Vulnerability tools in detail. (7 Marks)

Web Vulnerability Tools are specialized tools designed to identify, analyze, and report
vulnerabilities within web applications.

1. Web Vulnerability Scanning Tools:

a. Nikto: An open-source web server scanner that tests a server for dangerous files and CGIs,
outdated server software, and server misconfigurations, using a large database of known checks.
i. Features:
1. SSL/TLS support and HTTP proxy support.
2. Checks for outdated server components and version-specific problems.
3. Generates reports in multiple formats (plain text, XML, HTML, CSV).
4. Identifies installed software through headers, favicons and files.
5. Can scan multiple ports and multiple hosts from a list; it is deliberately
noisy and makes no attempt at stealth, so expect it to show up in logs.
b. W3af: An open-source web application vulnerability scanner and exploitation tool.
i. Capabilities:
1. Detects vulnerabilities like SQL injection, cross-site scripting (XSS),
and guessable credentials.
2. Supports manual and automated testing with variable parameters.
3. Cross-platform: Available for Windows, Linux, macOS, and more.
4. Well-suited for penetration testing with more than 200 vulnerabilities
covered.
2. HTTP Utilities:
a. Curl: A command-line tool used to transfer data via URL syntax across protocols
such as HTTP, FTP, and more. Supports SSL certificates, HTTP POST/PUT, and FTP
uploading.
b. OpenSSL: A widely-used open-source implementation of SSL and TLS protocols for
establishing encrypted network communications. Essential for securing web traffic
and preventing attacks like data interception.
c. Stunnel: A program that provides SSL/TLS tunneling services, enabling secure
encrypted connections for client-server communication. Can be used as a proxy to
decrypt SSL traffic.
3. Application Inspection Tools:
a. ZAP: A tool used for intercepting and manipulating web traffic to test for security
vulnerabilities in web applications. It provides interactive proxy capabilities for
probing web applications.
i. Features:
1. Cross-platform, open-source.
2. Allows for the inspection and alteration of web traffic.
3. Can be used for passive inspection of security practices.
b. SQLmap: An open-source penetration testing tool that automates the detection and
exploitation of SQL injection vulnerabilities.
i. Key Features:
1. Database fingerprinting and dumping of tables, columns and data from the
back-end database.
2. Supports the main injection techniques: boolean-based blind, time-based
blind, error-based, UNION query and stacked queries.
3. Tamper scripts for evading Web Application Firewalls (WAFs), plus options
for reading files and obtaining a shell on the database server where the
DBMS permits it.
c. DVWA (Damn Vulnerable Web App): A deliberately vulnerable PHP/MySQL web
application designed for testing security tools and training purposes.
d. WebGoat: An intentionally vulnerable Java-based web application created for
educational purposes. It allows developers and security enthusiasts to test common
vulnerabilities found in web apps.
4. Password Cracking and Brute-Force Tools:
a. John The Ripper: A fast and versatile password cracker for detecting weak
passwords.
i. Supports multiple password hash formats like UNIX and Windows.
ii. Auto-detects password hash types and can perform dictionary-based
attacks.
b. L0phtcrack: A Windows password recovery tool that performs brute-force and
dictionary attacks on password hashes obtained from directory services, network
servers, or domain controllers.
c. Pwdump: A tool for extracting LM and NTLM password hashes from Windows
systems, even when Syskey is enabled. The extracted data can be used with tools
like L0phtcrack.
d. THC-Hydra: A fast online (network logon) password cracker that supports many
protocols such as HTTP forms, FTP, SSH, SMTP and RDP. Unlike John the Ripper, which
works offline on captured hashes, Hydra sends brute-force and dictionary guesses directly
to a live login service, so it is limited by network speed and by account-lockout policies
and is very visible in the target's logs.

Q4.

(a) Define Digital Forensics. (3 Marks)

Digital Forensics is the process of collecting, analyzing, and preserving digital evidence from
electronic devices in a manner that is legally admissible. It aims to investigate cybercrimes and other
digital misconduct by recovering and examining data from computers, networks, mobile devices,
and storage media.

Key Aspects of Digital Forensics:

1. Evidence Collection: Securely obtaining data from digital sources without altering the
original information.
2. Analysis: Interpreting and reconstructing data to understand events and identify potential
offenders.
3. Legal Admissibility: Ensuring that evidence is collected and documented following legal
standards so it can be used in court.

In summary, digital forensics is essential for solving cybercrimes and understanding digital incidents,
ensuring that the findings hold up in legal proceedings.

(b) Explain types of Cyber Crimes. (4 Marks)

Cyber-crime is any crime that is directly or indirectly related to computers, mobile devices,
networks, communication or storage devices, whether they are the target of the crime, the tool
used to commit it, or simply where the evidence is stored.

Examples of cybercrime include identity theft, phishing, ransomware attacks, and financial fraud.

1. Cyber Crime Against Individuals:
○ Crimes targeting individuals using digital platforms.
■ Email Spoofing: Sending emails that appear to be from a trusted source but
are actually from a malicious actor.
■ Spamming: Sending mass amounts of unsolicited emails.
■ Phishing: Fraudulently tricking individuals into sharing sensitive information
by pretending to be legitimate entities.
■ Cyber Defamation: Publishing defamatory content about an individual on
the internet.
■ Cyber Stalking: Monitoring someone's online activities, often to harass or
intimidate them.
2. Cyber Crime Against Property:
○ Crimes targeting digital property.
■ Intellectual Property Crimes: Involves illegal copying or distribution of
software or copyrighted content.
■ Credit Card Fraud: Stealing credit card information for unauthorized
purchases.
■ Internet Time Theft: Unauthorized use of internet service paid by someone
else.
3. Cyber Crime Against Organizations:
○ Targeting organizations or corporations through cyber means.
■ Unauthorized Access: Gaining access to an organization's computer
systems without permission, then changing or deleting data, or simply
observing confidential data.
■ Denial of Service (DoS) Attack: Overloading an organization's server,
making it unusable for legitimate users.
■ Salami Attacks: Stealing amounts too small to be noticed from many
accounts or transactions to accumulate a large sum.
4. Cyber Crime Against Society:
○ Crimes targeting society at large or posing a threat to national security.
■ Cyber Terrorism: Using technology to commit acts of terror.
■ Web Jacking: Taking control of another's website and altering its content,
often for political or financial gain.
5. Crimes Originating from Usenet Newsgroups
○ Usenet: A worldwide distributed discussion system, older than the web, in which
messages are posted to newsgroups organised by subject or topic.
○ Risks: Newsgroups are largely unmoderated, so they can carry harmful, offensive or
illegal content and are used as a channel for criminal trade.
○ Criminal uses of Usenet include:
■ Distribution/sale of pirated software packages
■ Distribution of hacking software
■ Distribution/sale of pornographic material
■ Sale of stolen credit card numbers
■ Sale of stolen data/stolen property

(c) Explain IT Act, 2000. List out and discuss different sections under the IT Act,
2000 in detail. (7 Marks)

The Information Technology (IT) Act, 2000 is India's primary law governing cyber activities,
providing a legal framework for electronic records and transactions, digital signatures, and
cybercrime; the 2008 amendment added provisions on data protection and cyber terrorism. It was
enacted to promote e-commerce, give legal recognition to electronic records and signatures, and
combat cybercrime. The Act defines various cyber offences, sets penalties, and outlines procedural
guidelines for cyber-related investigations.

Section 43 – Damage to Computer, Computer System, or Network:

● Civil liability for accessing a computer without permission, downloading or copying data,
introducing a virus or other contaminant, damaging a system or network, disrupting it, or
denying access to an authorised user.
● Penalty: Compensation to the person affected (the original Act capped this at INR 1 crore;
the 2008 amendment removed the cap).

Section 66 – Computer-Related Offences (Hacking):

● Criminalises any act listed in Section 43 when it is done dishonestly or fraudulently.
● Penalty: Imprisonment up to 3 years and/or a fine of up to INR 5 lakh.

Section 66C – Identity Theft:

● Fraudulent or dishonest use of another person's electronic signature, password or any other
unique identification feature.
● Penalty: Imprisonment up to 3 years and a fine of up to INR 1 lakh.

Section 66D – Cheating by Personation Using a Computer Resource:

● Cheating by impersonating someone else through a computer resource or communication
device (phishing sites and fake profiles fall here).
● Penalty: Imprisonment up to 3 years and a fine of up to INR 1 lakh.

Section 66E – Violation of Privacy:

● Intentionally capturing, publishing or transmitting images of a person's private area without
their consent.
● Penalty: Imprisonment up to 3 years and/or a fine of up to INR 2 lakh.

Section 67 – Publishing or Transmitting Obscene Material in Electronic Form:

● Prohibits publishing, transmitting or causing to be published any obscene material in
electronic form.
● Penalty: First conviction, imprisonment up to 3 years and a fine of up to INR 5 lakh;
subsequent conviction, imprisonment up to 5 years and a fine of up to INR 10 lakh.

Section 69 – Government's Power to Intercept, Monitor, or Decrypt:

● Allows the Central or a State Government to direct the interception, monitoring or decryption
of information on any computer resource in the interest of sovereignty, national security,
friendly relations with foreign states or public order, or to prevent or investigate an offence.
● Penalty for non-compliance: A subscriber or intermediary who fails to assist the authorised
agency faces imprisonment up to 7 years and a fine.

OR

(a) Define Incident Response. (3 Marks)

Incident response is the organised reaction to a computer security incident: a computer crime, a
security policy violation, or a similar event. Its goals are to confirm whether an incident occurred,
contain and remove the threat, recover normal operation, preserve evidence, and learn from the event.

Incident Response Process:

1. Pre-Incident Preparation:
○ Preparing for potential incidents by setting up an incident response team, defining
procedures, and having tools and logging in place before anything happens.
2. Detection of Incidents:
○ Identifying possible security breaches or incidents from alerts, logs or user reports.
3. Initial Response:
○ Confirming the incident, notifying key personnel, assembling the response team and
recording volatile details before they are lost.
4. Formulate Response Strategy:
○ Deciding how to contain and mitigate the incident based on the facts gathered and the
business impact.
5. Reporting:
○ Accurately reporting the findings of the investigation to decision-makers.
6. Resolution and Recovery:
○ Removing the cause, restoring systems, implementing security measures to prevent
recurrence, and ensuring recovery from the breach.

(b) Discuss Contaminants and Destruction of Data. (4 Marks)

Contaminants and Destruction of Data refer to actions that compromise the integrity, availability,
or confidentiality of data within a system, often through malicious attacks or unintended disruptions.

1. Data Contamination

Data contamination occurs when information in a system is altered, corrupted, or tampered with,
either accidentally or intentionally, making it unreliable or inaccurate.

● Causes: Can result from malware, unauthorized access, or errors in data handling.
● Impact: Contaminated data can mislead decision-making processes, disrupt business
operations, and harm an organization’s reputation.
● Example: A virus that alters database entries, causing inconsistencies in customer records.

2. Data Destruction

Data destruction refers to the complete deletion or erasure of data, rendering it permanently
inaccessible. This can occur deliberately (as in cyberattacks) or accidentally (due to system failures
or human error).
● Causes: Often caused by malware like ransomware, accidental deletions, or hardware
failures.
● Impact: Leads to loss of critical information, financial damages, and disruption in services.
● Example: A ransomware attack that encrypts all data files and demands payment for
decryption, effectively destroying access to the data.

(c) Discuss Attack Vectors. List out different types of Attack Vectors. (7 Marks)

An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer
or network server in order to deliver a payload or malicious outcome.

Types of Attack Vectors:

1. Email as an Attack Vector:
○ Email attacks are becoming more sophisticated, with malicious messages sent to
deceive users.
○ Attachments: Malicious attachments in emails can install malware (e.g., viruses or
Trojans) as soon as they are opened.
2. Attack by Deception:
○ This involves tricking the user into performing actions that expose them to threats,
often by pretending to be legitimate entities.
○ Viruses: Malicious code that spreads through infected files or devices, including
USB drives, email attachments, and downloads.
3. Heedless Guests (Attack by WebPages):
○ Fake websites that mimic legitimate ones are used to steal personal information,
such as credit card numbers and addresses.
4. Attacks of the Worms:
○ Worms spread through email attachments or vulnerabilities in systems and can
propagate without user interaction, causing widespread damage.
5. Foistware (Sneakware):
○ This refers to software that secretly installs additional unwanted components on the
system, often for malicious purposes. Spyware is a common example, redirecting
users to unwanted websites.
6. Malicious Macros:
○ Macros in applications like Microsoft Word and Excel can be exploited to execute
malicious actions, such as installing malware when the document is opened.
Q5.

(a) Explain SQL Injection. (3 Marks)

SQL Injection is a code injection technique where attackers insert or "inject" malicious SQL
statements into input fields of a web application, aiming to manipulate or exploit the backend
database. This vulnerability allows attackers to retrieve, modify, or delete sensitive data, bypass
authentication, or even take control of the database server.

Key Aspects of SQL Injection:

1. How it Works: Attackers input SQL code into vulnerable fields (e.g., login forms, search
bars) that execute on the database, altering the intended query.
2. Example: An attacker might input 1' OR '1'='1 in a login field, making the WHERE clause
true for every row, so the query returns a user even though no valid password was supplied,
thereby bypassing authentication.
3. Impact: SQL Injection can lead to data breaches, unauthorized data access, and significant
security risks for applications reliant on databases.

Summary: SQL Injection is a critical security threat that allows attackers to exploit database
vulnerabilities through malicious inputs, highlighting the importance of proper input validation and
query handling.
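Added example, not from the original notes, serving both the DVWA SQL Injection walkthrough in Q3(c) and this Q5(a) definition: the vulnerable query pattern beside its parameterised fix, run in Python against an in-memory SQLite table shaped like DVWA's users table (the rows are constructed for the example). SQLite is used here instead of DVWA's MySQL so the script runs offline; the three payloads are the ones from the walkthrough, and the -- comment form works in both databases.

```python
import sqlite3


def make_db():
    """Constructed stand-in for DVWA's users table (same column names; sample rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
                "user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
        (2, "Gordon", "Brown", "gordonb", "e99a18c4428cb38d5f260853678922e3"),
        (3, "Hack", "Me", "1337", "8d3533d75ae2c3966d7e0d4fcc69216b"),
    ])
    return con


def lookup_vulnerable(con, user_id):
    """The pattern of DVWA's low-security page: the input is pasted into the SQL text."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return con.execute(query).fetchall()


def lookup_safe(con, user_id):
    """Parameterised query: the input is bound as a value and can never become SQL."""
    return con.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                       (user_id,)).fetchall()


def probe(con, payload):
    """Step 1 of the walkthrough: a lone quote makes the vulnerable query fail with a
    database error, which is the signal that input reaches the SQL unescaped."""
    try:
        return lookup_vulnerable(con, payload)
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc


PAYLOAD_TAUTOLOGY = "1' OR '1'='1"
PAYLOAD_UNION = "1' UNION SELECT user, password FROM users -- "

if __name__ == "__main__":
    con = make_db()
    print("quote probe:      ", probe(con, "'"))
    print("tautology, vuln:  ", lookup_vulnerable(con, PAYLOAD_TAUTOLOGY))
    print("union, vuln:      ", lookup_vulnerable(con, PAYLOAD_UNION))
    print("tautology, safe:  ", lookup_safe(con, PAYLOAD_TAUTOLOGY))
    print("quote probe, safe:", lookup_safe(con, "'"))
```

With the parameterised version every payload simply fails to match a user_id and returns no rows, and the quote produces no error: the database never sees the input as SQL, which is why prepared statements, not escaping or filtering, are the fix.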

(b) Discuss Keyloggers and Spyware. (4 Marks)

Keyloggers

● Definition: Keyloggers track everything you type on a keyboard. They can capture sensitive
data like passwords, credit card numbers, and usernames.
● Types:
○ Software Keyloggers: Installed through malware (e.g., Trojan), recording
keystrokes secretly.
○ Hardware Keyloggers: Small physical devices attached to the computer or
keyboard to log keystrokes.
● Prevention: Use anti keylogger tools, on-screen keyboards for secure input, and
updated antivirus software to reduce risks.

Spyware:

● Definition: Spyware is malicious software that gathers information from a computer without
permission. It can record browsing activity or even capture passwords and personal data.
● Impact: Slows down the computer and compromises privacy by sending data to attackers.
● Prevention: Install anti-spyware software, and avoid suspicious websites or downloads.

(c) Explain Virus, Worms, Trojan Horses, and Backdoors in detail with examples. (7
Marks)

1. Virus:
○ It's malicious code that attaches itself to legitimate files or programs. It requires a host
file to spread and runs only when the infected file is executed.
○ Examples: Stealth virus, polymorphic virus (changes form to avoid detection).
○ Prevention: Use updated antivirus software, avoid opening unknown attachments,
and scan downloaded files.
2. Worm:
○ A self-replicating malware that spreads across networks without needing a host file
or user interaction.
○ Can cause network congestion and system slowdowns by replicating itself.
○ Prevention: Use updated antivirus software, avoid opening unknown attachments,
and scan downloaded files.
○ Examples: Email worms, file-sharing worms.
3. Trojan Horse:
○ A Trojan horse is a harmful program disguised as legitimate software. Once installed,
it can create backdoors to allow attackers to access files or control the system.
○ Trojans don’t replicate but can steal sensitive data or give attackers remote access
to the computer.
○ Prevention: Avoid downloading software from untrusted sources and keep
firewalls active.
○ Example: Banking Trojan which steals credentials for online banking through fake
interfaces.
4. Backdoors:
○ A backdoor is an entry point that bypasses normal security procedures, allowing
unauthorized access to a system.
○ Sometimes created by developers for troubleshooting but can be exploited by
hackers if left in the final product.
○ Prevention: Regularly apply security patches and updates to close any known
vulnerabilities.
○ Example: Application Backdoor – Embedded in software to allow access outside of
normal authentication.

OR

(a) Explain Steganography with an example. (3 Marks)

Steganography is the practice of concealing a message, file, or image within another file,
message, or image to prevent detection. Unlike encryption, which scrambles the content,
steganography hides the existence of the content itself, making it a useful technique for covert
communication.

Example of Steganography

A common example of steganography is hiding a text message within an image file. For instance:

● A sender embeds a secret message into the pixel values of an image (e.g., changing the
least significant bits of certain pixels).
● To the human eye, the image appears unchanged, but a receiver with the appropriate tool
can extract the hidden message from the image.
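Added example, not from the original notes: the least-significant-bit technique described above, implemented in Python over a constructed grey-level gradient standing in for the pixel samples of an image (a real image would be loaded with an imaging library, which is left out so the script runs offline). It embeds a length prefix and the message one bit per sample, extracts it again, and checks that no sample moved by more than one unit, which is why the change is invisible.

```python
def make_cover(width=64, height=64):
    """Constructed 8-bit RGB 'image' as a flat bytearray: a smooth gradient."""
    return bytearray((x * 3 + y * 5 + c * 40) % 256
                     for y in range(height) for x in range(width) for c in range(3))


def embed_message(samples, message):
    """Hide message in the least significant bits of the cover samples.
    Layout: 32-bit big-endian length, then the message, one bit per sample."""
    data = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("cover too small: need %d samples, have %d" % (len(bits), len(samples)))
    stego = bytearray(samples)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit      # clear the LSB, then set it to our bit
    return stego


def extract_message(samples):
    """Read the LSBs back: first the 4-byte length, then that many bytes."""
    def read_bytes(start_sample, count):
        out = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (samples[start_sample + b * 8 + i] & 1)
            out.append(byte)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_sample_change(cover, stego):
    """Largest per-sample difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover()
    secret = b"meet at 22:00, gate B"
    stego = embed_message(cover, secret)
    print("recovered:", extract_message(stego))
    print("max change per sample:", max_sample_change(cover, stego))
```

Note what this does and does not give you: the message is hidden, not protected, so anyone who suspects LSB embedding can run the same extraction; in practice the payload is encrypted first and steganalysis looks for the statistical traces that flipping LSBs leaves in otherwise smooth data.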

(b) Explain Buffer Overflow Attack in detail. (4 Marks)

A Buffer Overflow attack occurs when a program attempts to store more data in a buffer than it
was designed to hold, causing the excess data to overwrite adjacent memory locations. This can
lead to unintended behavior, including the execution of malicious code.

1. Input Exceeds Buffer Size:
If a program does not properly check the size of the data being written to the buffer (for
example, copying user input with strcpy or gets in C), a user or attacker can input more data
than the buffer can accommodate. This excess data starts overwriting adjacent memory, which
can overwrite important data such as return addresses, function pointers, or other critical
program variables.
2. Control Over Execution Flow:
By strategically crafting the overflow data, an attacker can overwrite the return address of a
function. The return address tells the program where to go next after completing a function.
If an attacker changes this address to point to malicious code (often called shellcode), they
can take control of the program's execution.
3. Execution of Malicious Code:
Once the attacker has redirected the program's flow, the malicious code is executed, which
can lead to unauthorized actions such as gaining control of the system, stealing data, or
corrupting files. Modern systems make this harder with stack canaries (a value checked before
the return address is used), non-executable stacks (NX/DEP) and address space layout
randomization (ASLR), but the root cause remains the missing bounds check, which bounded
copy functions, compiler hardening and memory-safe languages remove.
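Added example, not from the original notes: a Python model of the stack frame described in the three steps above, so the offset arithmetic and payload layout can be seen without a compiler. The frame is a bytearray holding a 16-byte buffer immediately followed by the 8-byte saved return address, as on x86-64; the two addresses are assumed values. It is a model of memory layout, not real memory corruption: the C original would be char buf[16]; strcpy(buf, input); and the same padding-plus-address payload.

```python
import struct

BUF_SIZE = 16                  # char buf[16] in the vulnerable C function
RET_SIZE = 8                   # saved return address, 8 bytes on x86-64
LEGIT_RET = 0x401136           # assumed: address of the instruction after the call
ATTACKER_ADDR = 0x7FFD1000     # assumed: where attacker-controlled bytes (shellcode) sit


def new_frame(return_addr=LEGIT_RET):
    """Model of the stack frame: the buffer, then the saved return address stored
    little-endian (lower addresses first), exactly as the CPU pushed it."""
    return bytearray(BUF_SIZE) + bytearray(struct.pack("<Q", return_addr))


def saved_return(frame):
    """Where the function will jump when it returns."""
    return struct.unpack("<Q", bytes(frame[BUF_SIZE:BUF_SIZE + RET_SIZE]))[0]


def unsafe_copy(frame, data):
    """strcpy-style copy: writes every input byte with no bounds check, so bytes
    past index 15 land on the saved return address. Writing past the end of the
    modelled frame raises IndexError, the analogue of a crash."""
    for i, byte in enumerate(data):
        frame[i] = byte


def safe_copy(frame, data):
    """Bounded copy (what strlcpy or snprintf would do): never writes past the buffer."""
    n = min(len(data), BUF_SIZE - 1)
    frame[:n] = data[:n]
    frame[n] = 0                                   # NUL terminator stays inside the buffer


def craft_payload(target_addr):
    """Step 2 of the text: padding to reach the saved return address, then the
    address the attacker wants the function to return into."""
    return b"A" * BUF_SIZE + struct.pack("<Q", target_addr)


def run(copy_func, data):
    """Copy data into a fresh frame and report where the function would return."""
    frame = new_frame()
    copy_func(frame, data)
    return saved_return(frame)


if __name__ == "__main__":
    print("benign input, unsafe copy: 0x%x" % run(unsafe_copy, b"hello"))
    print("payload, unsafe copy:      0x%x" % run(unsafe_copy, craft_payload(ATTACKER_ADDR)))
    print("payload, safe copy:        0x%x" % run(safe_copy, craft_payload(ATTACKER_ADDR)))
```

The distance from the start of the buffer to the saved return address (16 bytes here) is the number an exploit writer recovers by crashing the program with a pattern and reading the faulting address; a canary between the two is what a hardened binary adds so that the overwrite is detected before the return executes.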

(c) Describe DoS and DDoS attacks with suitable examples. (7 Marks)

● Example (DoS): In a Ping Flood attack, a single attacker sends a high volume of ICMP echo
(ping) requests to a server, overloading it with more requests than it can handle, which results
in service disruption.

● Example (DDoS): In a Botnet DDoS Attack, the attacker compromises thousands of devices
(computers, IoT devices) and instructs them to send requests simultaneously to a target
server. This coordinated traffic from many sources overwhelms the server, causing it to crash or
become unresponsive, impacting services for legitimate users; because no single source sends
much, blocking individual addresses does not stop it.
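Added example, not from the original notes: detection logic in Python that separates the two examples above when run over a constructed web-server access log. The log lines, addresses and thresholds are invented for the example. A single source exceeding the per-source limit is the DoS signature; an aggregate over the total limit while every individual source stays under the radar is the DDoS signature, which is exactly why per-address blocking fails against a botnet.

```python
from collections import Counter, defaultdict


def make_log():
    """Constructed access-log lines: '<epoch seconds> <source ip> <request>'.
    Three phases: normal use, one source flooding (DoS), then 50 bots (DDoS)."""
    lines = []
    for i in range(5):                                       # t = 0..8: normal traffic
        lines.append("%d 192.0.2.%d GET /" % (i * 2, 10 + i))
    for i in range(200):                                     # t = 10..19: one attacker, 200 requests
        lines.append("%d 198.51.100.7 GET /search?q=%d" % (10 + i % 10, i))
    for bot in range(50):                                    # t = 20..29: 50 bots x 10 requests each
        for i in range(10):
            lines.append("%d 203.0.113.%d GET /" % (20 + i, bot + 1))
    return lines


def parse(lines):
    """Keep only what the detector needs: (timestamp, source ip)."""
    events = []
    for line in lines:
        ts, ip, _request = line.split(" ", 2)
        events.append((int(ts), ip))
    return events


def detect(events, window=10, per_source_limit=50, total_limit=300):
    """Bucket events into fixed windows. Flag a DoS when one source exceeds its
    limit, a DDoS when the aggregate exceeds the total limit although every
    source individually looks harmless. Returns (window_start, kind, detail)."""
    buckets = defaultdict(Counter)
    for ts, ip in events:
        buckets[ts // window * window][ip] += 1
    alerts = []
    for start in sorted(buckets):
        counts = buckets[start]
        loud = sorted(ip for ip, n in counts.items() if n > per_source_limit)
        if loud:
            alerts.append((start, "DoS", loud[0]))
        elif sum(counts.values()) > total_limit:
            alerts.append((start, "DDoS", len(counts)))   # detail: number of distinct sources
    return alerts


if __name__ == "__main__":
    for start, kind, detail in detect(parse(make_log())):
        print("window %3d-%3d: %-4s %s" % (start, start + 9, kind, detail))
```

The per-source threshold would never fire in the third window, where each bot sends ten requests; only the aggregate view sees the attack, and the response has to be capacity-based (rate limiting, upstream scrubbing) rather than an address blocklist.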
