Module 1_EHDF

The document outlines the course objectives and outcomes for a class on Ethical Hacking and Digital Forensics, emphasizing the importance of understanding network security threats, methodologies of hardware security, and the digital forensic process. It details the steps involved in ethical hacking, including reconnaissance, scanning, gaining access, maintaining access, and clearing tracks, while also highlighting various cyber threats and vulnerabilities in protocols. Additionally, it provides guidelines for protecting oneself from cyber attacks and emphasizes the legal and ethical considerations in hacking practices.
ETHICAL HACKING & DIGITAL FORENSICS

HCSC501

SE EXTC, SEM-IV

- Dr. RASIKA NAIK
- Mrs. ARTI SAWANT
COURSE OBJECTIVES

• To describe the fundamentals of ethical hacking.
• To understand network security threats, vulnerability assessment and social engineering.
• To understand the methodologies and techniques of hardware security.
• To understand cyber-attacks and the digital forensic process.
• To discuss the need for and process of digital forensics and incident response methodology, and to explore the procedures for identification, preservation, and extraction of digital evidence.
• To discuss the investigation process for network and host-based system intrusions.
COURSE OUTCOMES: STUDENTS SHOULD BE ABLE TO

• Interpret the knowledge of networking and ethical hacking.
• Apply the knowledge of network reconnaissance to perform network and web application-based attacks.
• Apply the concepts of hardware elements and endpoint security to secure physical devices.
• Discuss various cybercrimes and their prevention methods, the phases of digital forensics and the methodology for handling a computer security incident.
• Understand the process of collection, analysis and recovery of digital evidence.
• Investigate the process of monitoring and analysing computer network traffic for network investigation.
ETHICAL HACKING

• Ethical hacking is a legitimate way to test and improve a computer system's security.
• It is a process that involves gaining access to a system with the owner's permission in order to identify and fix vulnerabilities.
• Ethical hacking helps protect individuals and organizations from cyber threats and data breaches.
• It refers to the act of locating weaknesses and vulnerabilities in computer and information systems by replicating the intent and actions of malicious hackers.
• It is also called penetration testing, intrusion testing or red teaming.
IMPORTANT TERMINOLOGIES

• Hacking: actions that require computer expertise
• Cracking: breaching the security of software or a system
• Spoofing: faking the originating IP address in a datagram
• DoS: denial of service, i.e. flooding a host with enough network traffic that it can no longer respond
• Port scanning: probing a host's ports to discover open services and potential vulnerabilities
ACCESS POINTS FOR HACKERS

• Front door: guessing, trying or stealing passwords
• Back door: an opening left by the developer for future debugging or diagnosis
• Trojan horses: malicious code hidden inside software downloaded or installed from the internet; backdoors can also be installed this way
• Software vulnerability exploitation: vulnerability details are often published on the OEM's (original equipment manufacturer's) website alongside the security patches, which makes them fertile ground for script kiddies

Script kiddie: an unskilled individual who uses scripts or programs developed by others, primarily for malicious purposes.
WHAT CAN BE DONE, ONCE INSIDE?

• Modify logs
  - to cover their tracks
• Steal files
  - sometimes destroying them after stealing
  - an expert hacker would steal and cover their tracks to remain undetected
• Modify files
  - to let you know they were there
  - to cause mischief
• Install backdoors
  - so that they can get in again
• Attack other systems
WHAT IS LEGAL & ILLEGAL?

Do's:
• Remember that laws change depending on the region in which they are applied

Don'ts:
• Accessing any system without permission
• Installing worms or viruses
• Denial of service attacks
• Denying access to users
SOME PROTOCOL VULNERABILITIES

• Protocol vulnerabilities are weaknesses in communication protocols that can be exploited by attackers to gain access to a system or network.

Protocol attacks
• These attacks involve manipulating a protocol's rules and procedures to disrupt or intercept data transmission.

How to protect against protocol vulnerabilities
• Use cybersecurity protocols to enforce the confidentiality, integrity, and availability of information assets.
• Ensure that software is up to date.
• Limit what type of data is transmitted.
SOME PROTOCOL VULNERABILITIES

ARP: Maps IP addresses to MAC addresses
DNS: Translates between human-readable hostnames and IP addresses
FTP: Allows users to transfer files between computers over a network
HTTP: A protocol that allows users to communicate data on the internet
IMAP: A protocol that allows users to access their email from multiple devices
POP3: An internet protocol that allows users to retrieve emails from a server to a local device
SMTP: A standard for sending and receiving emails over the internet
SNMP: A network protocol that allows users to monitor and manage network components
SSH: A network protocol that allows secure communication between two computers over an unsecured network
Telnet: A network protocol that allows users to access remote computers over a network
SOME PROTOCOL VULNERABILITIES

Address Resolution Protocol (ARP):
ARP maps IP addresses to MAC addresses, which is essential for routing network traffic.
A host has no way to validate where an ARP packet came from on the local network. This is a vulnerability and gives rise to ARP spoofing. The attacker can exploit it if they are on the same LAN as the target or use a compromised machine that is on the same network.
The idea is that the attacker associates their MAC address with the IP address of the target so that any traffic meant for the target is received by the attacker.
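One way a defender can catch the binding change described above, as an added example that is not part of the original slides: a passive watcher that records the first IP-to-MAC binding seen for each host and alerts when a later reply claims a different MAC, or when one MAC claims several IPs. The sample replies and the alert wording are constructed for the example.

```python
"""Passive ARP-spoofing detector over observed ARP replies (added example)."""
from collections import defaultdict

# Constructed sample of ARP replies seen on one LAN as (sender IP, sender MAC).
# 192.168.1.1 is the gateway. The last two replies claim that the gateway's IP
# now lives at the MAC already used by 192.168.1.20, which is the pattern an
# attacker produces when associating their MAC with the target's IP.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "AA:AA:AA:AA:AA:01"),
    ("192.168.1.10", "BB:BB:BB:BB:BB:10"),
    ("192.168.1.20", "CC:CC:CC:CC:CC:20"),
    ("192.168.1.1", "CC:CC:CC:CC:CC:20"),
    ("192.168.1.1", "CC:CC:CC:CC:CC:20"),
]


class ArpWatcher:
    """Keeps the first-seen IP->MAC binding and alerts on conflicting replies."""

    def __init__(self):
        self.ip_to_mac = {}                 # trusted (first-seen) binding per IP
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
        self.alerts = []

    def observe(self, ip, mac):
        mac = mac.lower()
        known = self.ip_to_mac.setdefault(ip, mac)
        if known != mac:
            # Two different MACs answering for the same IP: classic ARP spoofing.
            self._alert(f"ip-mac change: {ip} was {known}, now announced by {mac}")
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            # One MAC claiming several IPs is the attacker posing as many hosts.
            claimed = ", ".join(sorted(self.mac_to_ips[mac]))
            self._alert(f"one mac, many ips: {mac} claims {claimed}")

    def _alert(self, message):
        if message not in self.alerts:      # report each finding once
            self.alerts.append(message)


def scan_arp_replies(replies):
    """Return the list of alerts raised by a sequence of (ip, mac) replies."""
    watcher = ArpWatcher()
    for ip, mac in replies:
        watcher.observe(ip, mac)
    return watcher.alerts


if __name__ == "__main__":
    for alert in scan_arp_replies(SAMPLE_ARP_REPLIES):
        print("ALERT:", alert)
```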

Domain Name System (DNS):
DNS is a hierarchical system that translates between human-readable hostnames and IP addresses. The most common vulnerability in DNS is cache poisoning, where the attacker replaces a legitimate IP address in the cache in order to send users to malicious websites.

DNS amplification can also be exploited on a DNS server that permits recursive lookups; the recursion is used to amplify the magnitude of the attack.

DNS amplification attack: a type of Distributed Denial of Service (DDoS) attack that uses DNS servers to overwhelm a target system with DNS response traffic. The goal is to make the target system unavailable to legitimate users.
File Transfer Protocol/Secure (FTP/S):
The most common FTP attacks use cross-site scripting, where the attacker uses a web application to send malicious code, in the form of a browser-side script (or cookies), to the user.
The File Transfer Protocol (FTP) does not secure its connections or encrypt its data. Usernames and passwords are transmitted in clear text, which can be intercepted by any network sniffer or can even result in a man-in-the-middle (MITM) attack.

Cross-site scripting (XSS) is a cyberattack that involves injecting malicious code into a trusted website or application. The code is then executed in the user's browser, allowing the attacker to steal data or impersonate the user.
A man-in-the-middle (MITM) attack is a cyberattack where a hacker intercepts communications between two parties to steal or alter data. The attacker can then use this data for financial gain or disruption.
HyperText Transfer Protocol/Secure (HTTP/S):
Its main features are authentication of the website being accessed and protection of the privacy and integrity of the data that is exchanged.
A major vulnerability in HTTPS is the DROWN attack, which helps attackers break the encryption and steal credit card information and passwords.
Another serious bug is the Heartbleed bug, which allows theft of information protected by the TLS/SSL encryption used to secure the Internet.

DROWN: a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS. DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data.
Heartbleed bug: allows anyone on the Internet to read the memory (including secret keys) of systems protected by vulnerable versions of the OpenSSL software. This allows attackers to steal data directly from services and users and to impersonate services and users.
TLS/SSL: Transport Layer Security/Secure Sockets Layer provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
Internet Message Access Protocol (IMAP):
When an email is sent via the internet, it passes through unprotected communication channels. Usernames, passwords, and the messages themselves can be intercepted.
A Denial of Service (DoS) attack can also be carried out on the mail server, resulting in emails that are never received or sent.
The email server can also be injected with malware, which in turn can be sent to clients in infected attachments.
Post Office Protocol (POP3):
An application-layer Internet protocol used to retrieve emails from a remote server to the client's local machine. It can be used to view messages even when you are offline.
Vulnerabilities that target mailbox storage include the FireWire direct memory access (DMA) attack, which relies on direct hardware access to read from or write to main memory without any operating system interaction or supervision.
Login processes allow the user to connect over unencrypted paths, resulting in login credentials being sent across the network as clear text.

A FireWire direct memory access (DMA) attack is a cyberattack that allows an attacker to gain access to a computer's memory through ports and interfaces such as FireWire, Thunderbolt, USB 4.0, ExpressCard, PC Card, and PCI/PCIe. DMA attacks are dangerous because they can bypass security measures like encryption and password protection.
Simple Mail Transfer Protocol (SMTP):
It is an application-layer communication protocol used to send emails.
Spammers and hackers can use an e-mail server to send spam or malware by email under the pretense of the unsuspecting open mail relay's owner.

Open mail relay: a Simple Mail Transfer Protocol (SMTP) server configured in such a way that it allows anyone on the Internet to send e-mail through it.
Simple Network Management Protocol (SNMP):
It is used for gathering and organizing information about managed devices on IP networks.
SNMP reflection is a kind of Distributed Denial of Service (DDoS) attack. These attacks can generate attack volumes of hundreds of gigabits per second, directed at targets from various broadband networks. The adversary sends out a huge number of SNMP queries with a forged source IP address (the victim's IP) to many connected devices, which in turn reply to that forged IP address.

Secure Shell (SSH):
It is a cryptography-based network protocol for operating network services securely and reliably over an unsecured network.
A man-in-the-middle (MITM) attack may allow the adversary to completely destabilize and bring down the encryption and gain access to the encrypted contents, which can include passwords. A successful adversary is able to inject commands into the terminal to modify data in transit or to steal data. The attack can also allow the injection of harmful malware into binary files and other software updates downloaded through the system.

Telnet:
It is an application protocol, used on the Internet or on a local area network (LAN), that provides bidirectional interactive text-oriented communication over a virtual terminal connection.
The biggest security issue in the Telnet protocol is the lack of encryption. Every communication sent to a network device being configured from a remote device is sent in plain text.
An attacker can easily see what we are configuring on that device, including the password we used to connect to the device and enter configuration mode.
Another type of Telnet attack is DoS: the attacker sends large numbers of useless, irrelevant data frames and in this way chokes the connection.
STEPS FOR ETHICAL HACKING

1. Performing reconnaissance
2. Scanning and enumeration
3. Gaining access
4. Maintaining access and placing a backdoor
5. Covering tracks or clearing logs

1. Reconnaissance:
❖ This is the first phase, where the hacker tries to collect information about the target.
❖ It may include identifying the target and finding out the target's IP address range, network, DNS records, etc.
❖ They may do so using an OSINT tool such as Maltego, by researching the target, say a website (checking links, jobs, job titles, email, news, etc.), or with a tool like HTTrack to download the entire website for later enumeration.
❖ The hacker is able to determine the following: staff names, positions, and email addresses.
2. Scanning:
❖ This phase includes the use of tools like dialers, port scanners, network mappers, sweepers, and vulnerability scanners to scan the target.
❖ Hackers are now seeking any information that can help them perpetrate attacks, such as computer names, IP addresses, and user accounts.
❖ Now that the hacker has some basic information, they move to the next phase and begin to test the network for other avenues of attack.
❖ The hacker uses a couple of methods to help map the network (e.g. Kali Linux, Maltego, and finding an email address to contact in order to see which email server is being used).
❖ The hacker looks for an automated email reply if possible or, based on the information gathered, may decide to email HR with an inquiry about a job posting.
❖ Maltego is an open-source intelligence and forensics application that helps gather more accurate information more efficiently.
3. Gaining Access:
❖ In this phase, the hacker designs the blueprint of the target's network with the help of the data collected during Phase 1 and Phase 2.
❖ The hacker has finished enumerating and scanning the network and now decides that they have some options to gain access to it.

4. Maintaining Access:
❖ Once a hacker has gained access, they want to keep that access for future exploitation and attacks. Once the hacker owns the system, they can use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to as a zombie system.
❖ Now that the hacker has multiple e-mail accounts, they begin to test the accounts on the domain.
❖ From this point the hacker creates a new administrator account for themselves that follows the existing naming structure and tries to blend in.
❖ As a precaution, the hacker begins to look for and identify accounts that have not been used for a long time.
❖ The hacker assumes that these accounts are likely forgotten or unused, so they change the password and elevate the privileges to administrator as a secondary account in order to maintain access to the network.
❖ The hacker may also send out emails to other users with an exploited file, such as a PDF with a reverse shell, in order to extend their possible access.

5. Clearing Tracks (so no one can reach them):
❖ Prior to the attack, the attacker would change their MAC address and route the attacking machine through at least one VPN to help cover their identity. They will not deliver a direct attack or use any scanning technique that would be deemed "noisy".
❖ Once access is gained and privileges have been escalated, the hacker seeks to cover their tracks. This includes clearing out sent emails, server logs, temp files, etc. The hacker will also look for indications of the email provider alerting the user to possible unauthorized logins on their account.
❖ Most of the time is spent on reconnaissance; the time spent decreases in the later phases.
Protect Yourself: What to do and what not to do

• Do not post information on social media that can be related to security (challenge) questions.
• Use passwords that cannot be broken by brute force or guessing.
• Consider 2-factor authentication when possible.
• Be wary of emails requesting passwords. Services like Heroku, Gmail, and others will not ask you to type in passwords for additional promotions or services.
• Verify the source of any contact.
• Before clicking a link, investigate it.
• Always scan a file, and never click on batch files.
• Always check the background services running on your device, and never rely on others' devices.
• Be sure to have an antivirus installed, and set root passwords for installations.
• Log out of sessions and clean the cache.

Be safe and refrain from becoming the target!!
SOME ATTACKS ON NETWORKS

1. DoS (Denial of Service) attack:
  (a) Smurf DoS attack
  (b) Ping of Death attack
  (c) SYN flooding attack

2. DDoS: Distributed DoS
  (a) HTTP flood attack
SMURF DOS ATTACK
• An attacker attempts to flood a targeted server with ICMP packets.
• By making requests with the spoofed IP address of the targeted device to one or more computer networks, the attacker causes those networks to respond to the targeted server.
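The Smurf, DNS amplification and SNMP reflection attacks described on these slides share one signature on the victim's side: responses arrive from many hosts the victim never sent a request to. The following added example (not part of the original slides) replays a constructed packet summary and reports hosts that receive unsolicited replies from several distinct reflectors; the log format and the threshold are assumptions made for the example.

```python
"""Spot reflection/amplification traffic: replies a host never asked for (added example)."""
import re
from collections import defaultdict

# Response type -> the request type that must precede it for it to be legitimate.
REQUEST_FOR = {
    "icmp-echo-reply": "icmp-echo-request",   # Smurf
    "dns-response": "dns-query",              # DNS amplification
    "snmp-response": "snmp-get",              # SNMP reflection
}

LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) (?P<kind>\S+) (?P<size>\d+)$")

# Constructed packet summary, one packet per line: "src -> dst kind bytes".
# 10.0.0.5 queries one resolver and pings one host (legitimate), but also
# receives large DNS responses and echo replies from hosts it never contacted,
# which is what the spoofed-source attacks above look like at the victim.
SAMPLE_LOG = """\
10.0.0.5 -> 8.8.8.8 dns-query 60
8.8.8.8 -> 10.0.0.5 dns-response 512
203.0.113.9 -> 10.0.0.5 dns-response 3000
198.51.100.7 -> 10.0.0.5 dns-response 3000
198.51.100.8 -> 10.0.0.5 dns-response 3000
192.0.2.11 -> 10.0.0.5 icmp-echo-reply 84
192.0.2.12 -> 10.0.0.5 icmp-echo-reply 84
192.0.2.13 -> 10.0.0.5 icmp-echo-reply 84
10.0.0.5 -> 192.0.2.14 icmp-echo-request 84
192.0.2.14 -> 10.0.0.5 icmp-echo-reply 84
"""


def parse_packets(text):
    """Yield (src, dst, kind, size) for each well-formed line, skipping others."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["size"])


def detect_reflection(text, min_sources=3):
    """Return {victim: {"sources", "bytes", "kinds"}} for hosts that receive
    unsolicited responses from at least min_sources distinct reflectors."""
    seen_requests = set()                      # (requester, responder, request kind)
    unsolicited = defaultdict(lambda: {"sources": set(), "bytes": 0, "kinds": set()})
    for src, dst, kind, size in parse_packets(text):
        if kind in REQUEST_FOR.values():
            seen_requests.add((src, dst, kind))
            continue
        if kind not in REQUEST_FOR:
            continue                           # not a request/response pair we track
        if (dst, src, REQUEST_FOR[kind]) in seen_requests:
            continue                           # matching request was seen: legitimate
        # A reply with no prior request from dst: dst is the spoofed victim address.
        entry = unsolicited[dst]
        entry["sources"].add(src)
        entry["bytes"] += size
        entry["kinds"].add(kind)
    return {
        victim: {"sources": len(e["sources"]), "bytes": e["bytes"], "kinds": sorted(e["kinds"])}
        for victim, e in unsolicited.items()
        if len(e["sources"]) >= min_sources
    }


if __name__ == "__main__":
    for victim, info in detect_reflection(SAMPLE_LOG).items():
        print(victim, info)
```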
PING OF DEATH ATTACK
• The attacker aims to disrupt a targeted machine by sending a packet larger than the maximum allowable size.
• The result is that the target machine freezes or crashes.
• When a maliciously large packet is transmitted from the attacker to the target, the packet is fragmented into segments, each of which is below the maximum size limit. When the target machine attempts to put the pieces back together, the total exceeds the size limit and a buffer overflow can occur, causing the target machine to freeze, crash or reboot.
SYN FLOODING ATTACK

• It aims to make a server unavailable to legitimate traffic by consuming all available server resources.
• By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.

Normal TCP three-way handshake:
1. First, the client sends a SYN packet to the server in order to initiate the connection.
2. The server then responds to that initial packet with a SYN/ACK packet, in order to acknowledge the communication.
3. Finally, the client returns an ACK packet to acknowledge receipt of the packet from the server. After completing this sequence of packet sending and receiving, the TCP connection is open and able to send and receive data.

• To create a denial of service, an attacker exploits the fact that after an initial SYN packet has been received, the server will respond with one or more SYN/ACK packets and wait for the final step in the handshake:
1. The attacker sends a high volume of SYN packets to the targeted server, often with spoofed IP addresses.
2. The server then responds to each one of the connection requests and leaves an open port ready to receive the response.
3. While the server waits for the final ACK packet, which never arrives, the attacker continues to send more SYN packets. The arrival of each new SYN packet causes the server to temporarily maintain a new open port connection for a certain length of time, and once all the available ports have been utilized the server is unable to function normally.
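The handshake states described above can be tracked to spot a flood. The added example below (not from the original slides) replays a constructed packet trace, counts connections left waiting after the server's SYN/ACK, and flags servers holding too many of them. Ports are omitted from the trace and the threshold is chosen for the example.

```python
"""Track TCP handshakes and flag servers piling up half-open connections (added example)."""
from collections import Counter

# Constructed packet trace as (src, dst, flags); ports are omitted for brevity.
# 10.0.0.2 completes a normal three-way handshake with server 10.0.0.1; five
# spoofed sources then send SYNs, receive SYN/ACKs, and never send the final ACK.
SAMPLE_TRACE = [
    ("10.0.0.2", "10.0.0.1", "SYN"),
    ("10.0.0.1", "10.0.0.2", "SYN/ACK"),
    ("10.0.0.2", "10.0.0.1", "ACK"),
]
SAMPLE_TRACE += [(f"203.0.113.{i}", "10.0.0.1", "SYN") for i in range(1, 6)]
SAMPLE_TRACE += [("10.0.0.1", f"203.0.113.{i}", "SYN/ACK") for i in range(1, 6)]


class HandshakeTracker:
    """State per (client, server) pair: 'SYN' seen, 'SYN/ACK' sent, or completed."""

    def __init__(self):
        self.pending = {}       # (client, server) -> "SYN" or "SYN/ACK"
        self.established = 0

    def observe(self, src, dst, flags):
        if flags == "SYN":                         # step 1: client opens
            self.pending[(src, dst)] = "SYN"
        elif flags == "SYN/ACK":                   # step 2: server answers
            key = (dst, src)                       # key is (client, server)
            if self.pending.get(key) == "SYN":
                self.pending[key] = "SYN/ACK"      # server now holds state
        elif flags == "ACK":                       # step 3: client completes
            key = (src, dst)
            if self.pending.get(key) == "SYN/ACK":
                del self.pending[key]
                self.established += 1

    def half_open(self):
        """Pairs where the server sent SYN/ACK and is still waiting for the ACK."""
        return [pair for pair, state in self.pending.items() if state == "SYN/ACK"]


def syn_flood_report(trace, threshold=4):
    """Replay a trace; flag servers with >= threshold half-open connections.
    A real detector would also age out entries, mirroring the server's own timeout."""
    tracker = HandshakeTracker()
    for src, dst, flags in trace:
        tracker.observe(src, dst, flags)
    half_open = tracker.half_open()
    per_server = Counter(server for _, server in half_open)
    return {
        "established": tracker.established,
        "half_open": len(half_open),
        "flagged_servers": {s: n for s, n in per_server.items() if n >= threshold},
    }


if __name__ == "__main__":
    print(syn_flood_report(SAMPLE_TRACE))
```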
SYN FLOODING ATTACK

[Figure: TCP 3-way handshake, normal scenario, beside the TCP 3-way handshake under a SYN flooding scenario]
DDOS (DISTRIBUTED DOS)
• An attacker overwhelms a website, server, or network resource with malicious traffic.
• As a result, the target crashes or is unable to operate, denying service to legitimate users and preventing legitimate traffic from arriving at its destination.
HTTP FLOOD ATTACK
• It is designed to overwhelm a targeted server with HTTP requests.
• Once the target has been saturated with requests and is unable to respond to normal traffic, denial of service will occur for additional requests from actual users.
INFORMATION GATHERING IN CYBER SECURITY
▪ Information gathering is the act of collecting different kinds of information about the targeted victim or system.
▪ Data gathering helps information security and cybersecurity executives uncover information about a potential target.
▪ Gathering information is the first step, where a hacker tries to get information about the target.
▪ Hackers use different sources and tools to get more information.
▪ Information gathering is not just a phase of security testing; it is an art that every penetration tester (pen-tester) and hacker should master for a better experience in penetration testing.
▪ There are various tools, techniques, and websites, including public sources such as Whois and nslookup, that can help hackers gather information.
Reconnaissance:
▪ Information gathering in cybersecurity is also called reconnaissance.
▪ This information-gathering process can be both automated and manual and can involve techniques such as port scanning, vulnerability scanning, social engineering, OSINT (open-source intelligence), passive reconnaissance, and active reconnaissance.
▪ Active reconnaissance: this involves actively probing or interacting with the target system to gather information.
▪ Passive reconnaissance: this involves gathering information about the target without actively interacting with it.
[Diagram: Reconnaissance / Information Gathering, branching into Footprinting, Scanning & Enumeration, and Social Engineering]
1. FOOTPRINTING

▪ Footprinting is the technique of collecting as much information as possible about the targeted network, victim or system.
▪ This technique also determines the security posture of the target.
▪ Passive footprinting (pseudonymous footprinting) involves collecting data without the owner knowing that hackers are gathering their data.
▪ Active footprints are created when personal data is released consciously and intentionally.
▪ Open source footprinting is legal.

1.1 Open source footprinting:
This type of footprinting is the safest, stays within all legal limits, and can be done without fear because it is legal; hence the term "open-source". Examples of this type include finding someone's email address and phone numbers, scanning IPs through automated tools, and searching for age, DOB, house address, etc.

1.2 Network-based footprinting:
Using this footprinting category, hacktivists can retrieve information such as user names, information within a group, data shared among individuals, network services, etc.

1.3 DNS interrogation:
After gathering information from the different areas using various techniques, the hacker usually queries the DNS using pre-existing tools. Many freeware tools are available online to perform DNS interrogation.
2. SCANNING:

▪ The package of techniques and procedures used to identify hosts, ports, and the various services within a network.
▪ Network scanning is one of the components of the intelligence-gathering and information-retrieval mechanism an attacker uses to create an overview of the target organization.
▪ Vulnerability scanning is performed by pen-testers to detect the possibility of network security attacks. This technique lets testers identify vulnerabilities such as missing patches, unnecessary services, weak authentication, or weak encryption algorithms.

3. SOCIAL ENGINEERING:
▪ Social engineering is something different from physical security exploits.
▪ Shoulder surfing is a direct observation technique, such as looking over the victim's shoulder to see what he or she is typing, or which password, PIN or security pattern lock the victim is entering.
▪ Dumpster diving is a form of modern salvaging of waste such as papers, hard copies, documentation and paper-based records discarded in large commercial, residential, industrial, and construction containers.
▪ More generally, dumpster diving refers to the practice of searching through discarded physical or digital trash (like old computers, documents or storage devices) to find sensitive information that can be used for malicious purposes (such as identity theft or unauthorized access to accounts).
VULNERABILITY ASSESSMENT

▪ A vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems.
▪ Vulnerability assessments also provide an organization with the necessary knowledge, awareness and risk background to understand and react to threats to its environment.
▪ Organizations of any size, or even individuals who face an increased risk of cyber attacks, can benefit from some form of vulnerability assessment.

Types of vulnerability assessments:
i. Host assessment: assessment of critical servers, which may be vulnerable to attacks if not adequately tested or not generated from a tested machine image.
ii. Network and wireless assessment: assessment of policies and practices to prevent unauthorized access to private or public networks and network-accessible resources.
iii. Database assessment: assessment of databases or big data systems for vulnerabilities and misconfigurations, identifying rogue databases or insecure dev/test environments, and classifying sensitive data across an organization's infrastructure.
iv. Application scans: identification of security vulnerabilities in web applications and their source code by automated scans of the front end or static/dynamic analysis of the source code.

Vulnerability Assessment Process:
i. Vulnerability identification (testing): security analysts test the security health of applications, servers or other systems by scanning them with automated tools, or by testing and evaluating them manually.
ii. Vulnerability analysis: the objective of this step is to identify the source and root cause of the vulnerabilities identified in step one. For example, the root cause of a vulnerability could be an old version of an open source library.
iii. Risk assessment: the objective of this step is to prioritize the vulnerabilities. Security analysts assign a rank or severity score to each vulnerability, based on factors such as:
- Which systems are affected
- What data is at risk
- Which business functions are at risk
- Ease of attack or compromise
- Severity of an attack
- Potential damage as a result of the vulnerability
iv. Remediation: closing security gaps with remedies such as:
- Introduction of new security procedures, measures or tools
- Operational or configuration changes
- Development and implementation of a vulnerability patch
Some vulnerability assessment tools:

1. Web application scanners that test for and simulate known attack patterns.
2. Protocol scanners that search for vulnerable protocols, ports and network services.
3. Network scanners that help visualize networks and discover warning signals like stray IP addresses, spoofed packets and suspicious packet generation from a single IP address.

Stray IP address: an IP address that appears to be unconnected to any known device or network.
Spoofed packet: a data packet on a network that has been manipulated to display a false source IP address.
OPENVAS (OPEN VULNERABILITY ASSESSMENT SYSTEM)
▪ OpenVAS is a full-featured vulnerability scanner.
▪ It is part of the Greenbone Vulnerability Manager (GVM) suite.
▪ It provides tools to scan networks, applications, and systems for known vulnerabilities.
Features:
- It can carry out unauthenticated and authenticated testing
- Supports various high-level and low-level internet and industrial protocols
- Performance tuning for large-scale scans
- Provides a powerful internal programming language to implement any type of vulnerability test

▪ OpenVAS has been developed and driven forward by the company Greenbone since 2006.

KEY FEATURES OF OPENVAS:
• Free and open-source: available under an open-source license, making it accessible to individuals and organizations.
• Regular updates: provides daily updates for vulnerability checks, known as Network Vulnerability Tests (NVTs).
• Comprehensive scanning: covers a wide range of vulnerabilities, including network- and application-level issues.
• Integration with Greenbone Vulnerability Manager (GVM): offers a full-featured vulnerability management platform when combined with Greenbone's tools.
• Customizable policies: users can configure scans according to their needs.
• Community support: a robust community for troubleshooting and enhancements.
NESSUS
Nessus is a widely used vulnerability scanner developed by Tenable. It is designed to identify vulnerabilities in computer systems, networks, and applications, helping organizations improve their security posture.
• Key features of Nessus:
i. Comprehensive vulnerability scanning: detects a wide range of vulnerabilities, including misconfigurations, outdated software, missing patches, and weak credentials.
ii. Extensive plugin library: Nessus uses a plugin-based architecture, with thousands of plugins updated regularly to address new vulnerabilities and threats.
iii. Customizable scans: allows users to create custom scan policies tailored to specific environments or compliance requirements.
iv. Operating system and device support: scans various platforms, including Windows, macOS, Linux, network devices, cloud infrastructures, and virtualized environments.
v. Risk assessment and reporting: provides detailed reports with risk scores, remediation recommendations, and compliance checks against security standards.
vi. Ease of use: offers a user-friendly web interface for configuring scans, managing assets, and analyzing results.
vii. Integration capabilities: integrates with other tools, such as SIEMs (e.g., Splunk) and IT management systems, to streamline vulnerability management processes.
NESSUS: Enterprise vulnerability management software

Vulnerability Manager Plus is a multi-OS vulnerability management and compliance solution that offers built-in remediation. It is an end-to-end vulnerability management tool delivering comprehensive coverage, continual visibility, rigorous assessment, and integral remediation of threats and vulnerabilities from a single console, whether your endpoints are on your local network, in a DMZ (demilitarized zone) network, at a remote location, or on the move.
Vulnerability Manager Plus is the go-to solution to empower your distributed workforce with safe working conditions.
• Versions:
1. Nessus Essentials: free for personal and educational use, limited to scanning up to 16 IPs.
2. Nessus Professional: designed for security professionals, offering unlimited IP scanning, advanced reporting, and support.
NESSUS VS OPENVAS

Feature | Nessus | OpenVAS
License | Commercial (free for limited use) | Open-source
Ease of use | User-friendly GUI and setup | Requires more setup and technical expertise
Plugin/script updates | Regular updates by Tenable | Free daily NVT updates
Support | Paid support available | Community support (free)
Performance | Optimized for enterprise use | May require tuning for large networks
Cost | Paid versions for professionals | Free (open-source)
UNIT 1.2 SYSTEM HACKING
▪ Password cracking
▪ Penetration testing
▪ Social engineering attacks
PASSWORD AUTHENTICATION & PASSWORD CRACKING
Types of password storage:
i. Plain text password
ii. Password hashing
iii. Password hash salting
PASSWORD GUESSING ATTACKS
1. Random Guesses: A random password guess rarely succeeds unless it is a
common password or based on a dictionary word. Knowing information about the
target identity increases the likelihood of a successful guess by a threat actor.
2. Dictionary Attacks: An automated technique that tries a list of words from a
dictionary against a valid account to reveal the password.
3. Brute Force: Uses a programmatic method to try all possible combinations for
a password. This method is effective only for short passwords.
4. Credential Stuffing: Stolen credentials consisting of lists of usernames,
email addresses, and passwords are replayed against other accounts.
5. Password Spraying: A credential-based attack that attempts to access many
accounts by using a few common passwords.
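From the defender's side, brute force and password spraying leave opposite footprints in authentication logs: many failures against one account from one source, versus a handful of failures spread across many accounts from one source. The script below is an added example (not from these notes) that parses constructed sshd-style syslog lines and classifies each source address accordingly; it also flags accounts where a success followed the failures, which is the case an incident responder wants first. The thresholds are assumptions and need tuning to the site's normal failure rate.

```python
"""Classify failed-login patterns as brute force or password spraying.

Added example, not from the lecture notes. The log lines are constructed in
OpenSSH sshd syslog format; thresholds are assumptions to tune per site.
"""
import re
from collections import defaultdict

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample log (sshd style, documentation IP ranges), not real data.
SAMPLE_LOG = """\
Mar 13 09:00:01 bastion sshd[2101]: Failed password for alice from 203.0.113.5 port 51001 ssh2
Mar 13 09:00:02 bastion sshd[2102]: Failed password for alice from 203.0.113.5 port 51002 ssh2
Mar 13 09:00:03 bastion sshd[2103]: Failed password for alice from 203.0.113.5 port 51003 ssh2
Mar 13 09:00:04 bastion sshd[2104]: Failed password for alice from 203.0.113.5 port 51004 ssh2
Mar 13 09:00:05 bastion sshd[2105]: Failed password for alice from 203.0.113.5 port 51005 ssh2
Mar 13 09:00:06 bastion sshd[2106]: Failed password for alice from 203.0.113.5 port 51006 ssh2
Mar 13 09:00:09 bastion sshd[2108]: Accepted password for alice from 203.0.113.5 port 51007 ssh2
Mar 13 09:01:00 bastion sshd[2201]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar 13 09:01:01 bastion sshd[2202]: Failed password for carol from 198.51.100.7 port 40002 ssh2
Mar 13 09:01:02 bastion sshd[2203]: Failed password for dave from 198.51.100.7 port 40003 ssh2
Mar 13 09:01:03 bastion sshd[2204]: Failed password for invalid user erin from 198.51.100.7 port 40004 ssh2
Mar 13 09:01:04 bastion sshd[2205]: Failed password for frank from 198.51.100.7 port 40005 ssh2
Mar 13 09:02:00 bastion sshd[2301]: Failed password for alice from 192.0.2.99 port 60001 ssh2
Mar 13 09:02:05 bastion sshd[2302]: Accepted password for alice from 192.0.2.99 port 60002 ssh2
"""

# Assumed thresholds (tune to the site's baseline of ordinary typos).
BRUTE_FORCE_MIN = 5        # failures against a single account from one source
SPRAY_MIN_ACCOUNTS = 4     # distinct accounts tried from one source
SPRAY_MAX_PER_ACCOUNT = 2  # few attempts per account is the spraying signature


def collect_events(lines):
    """Return (failures[ip][user] -> count, set of (ip, user) successes)."""
    failures = defaultdict(lambda: defaultdict(int))
    successes = set()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]][m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            successes.add((m["ip"], m["user"]))
    return failures, successes


def classify(failures, successes):
    """One finding per source address whose failure pattern matches a known shape."""
    findings = []
    for ip, per_user in failures.items():
        max_single = max(per_user.values())
        if max_single >= BRUTE_FORCE_MIN:
            kind = "brute_force"
        elif len(per_user) >= SPRAY_MIN_ACCOUNTS and max_single <= SPRAY_MAX_PER_ACCOUNT:
            kind = "password_spraying"
        else:
            continue  # single typo-level failures from a source are not flagged
        # Accounts the same source later logged into: highest priority for response.
        compromised = sorted(u for u in per_user if (ip, u) in successes)
        findings.append({
            "ip": ip,
            "kind": kind,
            "accounts": len(per_user),
            "failures": sum(per_user.values()),
            "followed_by_success": compromised,
        })
    return findings


def analyze(log_text):
    return classify(*collect_events(log_text.splitlines()))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Note that 192.0.2.99 (one failure, then success) is correctly left alone; a per-account lockout rule would catch the brute-force case but not spraying, which is why the spraying check groups by source rather than by account.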
SOCIAL ENGINEERING & HUMAN-BASED ATTACKS
1. Phishing & Vishing: Often used to gather information for other attacks, as
well as to plant malicious software on an endpoint. This malware could be used to siphon
off passwords.
2. Forced Password Changes and Resets: Resetting a password is the act of a forced
password change by someone else, such as the service desk or an application owner.
3. Eavesdropping: Password exposure that occurs because the password is overheard. Password
eavesdropping may be either inadvertent or intentional and can encompass both voice-based
and digital eavesdropping.
4. Shoulder Surfing: Gaining knowledge of credentials through observation. A threat
actor physically observes, or uses an electronic device such as a camera, to collect passwords
and use them for an attack.
5. Passwords for Purchase: A rogue insider could sell credentials and claim they were
breached, giving them plausible deniability. This insider threat is of particular concern
with privileged users, whose credentials could give access to the enterprise's most sensitive
assets.
HASH-BASED ATTACKS ON PASSWORDS
1. Pass-the-Hash Attack (PtH): PtH is a type of attack that involves stealing hashed
credentials from one computer and using them to gain unauthorized access to other
computers on the network. The attacker does not need to crack the actual password,
but rather uses the stored hash value of the password to impersonate the legitimate user.
The password hash remains static for every session until the password itself changes.
However, changing the password frequently or using one-time passwords
(OTPs) is a good defense to keep the hash different between sessions.
2. Rainbow Table Attack: A hash table is a precomputed list of hashed passwords that
can be compared directly against the stolen data. Rainbow Tables hold the passwords and
hashes for multiple ciphers. A common approach to defeating hash tables and Rainbow
Table Attacks is to "salt" the hash. This adds an extra, unique value to each
password before hashing. Even though the cipher is the same, without the salt the same
password will not produce the same hash.
More information about Rainbow Table Attacks:
https://www.strongdm.com/what-is/rainbow-table-attack
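The three storage types listed earlier (plain text, hashed, salted hash) and the rainbow-table point above come together in one short experiment. The script below is an added example, not from these notes or the linked article: it builds a precomputed hash-to-password lookup from a tiny constructed word list (a plain dictionary standing in for a rainbow table, which compresses the same idea into hash chains), shows that the lookup recovers an unsalted hash but not a salted one, and then shows the storage form a defender should actually use, a slow salted KDF (PBKDF2-HMAC-SHA256 from the standard library) with constant-time verification. The word list, salt length and iteration count are assumptions.

```python
"""Why salting defeats precomputed hash lookups, and how to store passwords instead.

Added example, not from the lecture notes. The "precomputed table" is a plain
dict of hash -> password built from a tiny constructed word list; real rainbow
tables compress this with hash chains, but the lookup idea is the same.
"""
import hashlib
import hmac
import os

# Constructed word list standing in for the dictionary a precomputed table covers.
WORDLIST = ["password", "letmein", "qwerty", "welcome1", "sunshine"]


def unsalted_hash(password):
    """Storage type ii: the bare hash, identical for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """hash -> plaintext, computed once and reused against every stolen unsalted hash."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, stolen_hash):
    """Precomputed lookup: succeeds only if the hash was built without a salt."""
    return table.get(stolen_hash)


def salted_hash(password, salt):
    """Storage type iii: hash over salt||password, so the same password hashes differently per salt."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Recommended storage: a slow, salted KDF. Iteration count is an assumption; pick
# the largest value your login latency budget allows.
PBKDF2_ITERATIONS = 600_000


def make_record(password):
    """Create the stored record: a fresh random salt plus the PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def verify(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def demo():
    """Run the precomputed lookup against an unsalted and a salted hash of 'letmein'."""
    table = build_lookup_table(WORDLIST)
    stolen_unsalted = unsalted_hash("letmein")
    stolen_salted = salted_hash("letmein", os.urandom(16))
    return {
        "unsalted_recovered": lookup(table, stolen_unsalted),  # 'letmein'
        "salted_recovered": lookup(table, stolen_salted),      # None: table is useless
    }


if __name__ == "__main__":
    print(demo())
    rec = make_record("correct horse")
    print(verify(rec, "correct horse"), verify(rec, "correct horses"))
```

A fast salted SHA-256 (`salted_hash`) already defeats precomputation, but it still lets an attacker who has the salt test candidates at hardware speed; the PBKDF2 record adds the per-guess cost, which is why the second half of the script, not the first, is the pattern to copy into an application.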
MALWARE
• Malware is malicious software that is designed to harm or compromise
devices, networks, or data.
• Cybercriminals use malware to steal sensitive information, disrupt operations,
and more.
Types of Malware
❑ Viruses: A piece of code that inserts itself into an application and executes when the app is
run. Once inside a network, a virus may be used to steal sensitive data, launch DDoS attacks
or conduct ransomware attacks.
❑ Worms: Target vulnerabilities in operating systems to install themselves into networks.
They may gain access in several ways: through backdoors built into software, through
unintentional software vulnerabilities, or through flash drives.
❑ Spyware: Collects information about users' activities without their knowledge or consent.
This can include passwords, PINs, payment information and unstructured messages.
❑ Trojan Horse: Disguises itself as desirable code or software. Once downloaded by
unsuspecting users, the Trojan can take control of victims' systems for malicious purposes.
Trojans may hide in games, apps, or even software patches.
❑ Logic bombs: A malicious program that is triggered when a logical condition is met, such
as after a number of transactions have been processed, or on a specific date. Malware such
as worms often contains logic bombs, behaving in one manner, then changing tactics on a
specific date and time.
❑ Ransomware: Software that uses encryption to disable a target's access to its data until a
ransom is paid.
❑ Backdoors: A malware type that bypasses normal authentication procedures to access a
system. As a result, remote access is granted to resources within an application, such as
databases and file servers, giving perpetrators the ability to remotely issue system
commands and update malware.
❑ Rootkits: Software that gives malicious actors remote control of a victim's computer
with full administrative privileges. Rootkits can be injected into applications, kernels,
hypervisors, or firmware. They spread through phishing, malicious attachments, malicious
downloads, and compromised shared drives.
❑ Keyloggers: A type of spyware that monitors user activity. Keyloggers have legitimate
uses; businesses can use them to monitor employee activity and families may use them to
keep track of children's online behaviors.