Ethical Hacking VMS

The document provides an overview of ethical hacking, defining it as the authorized practice of testing security measures to identify vulnerabilities. It outlines key features, types, and the importance of ethical hacking, emphasizing its role in protecting sensitive data and enhancing trust. Additionally, it covers related topics such as hacktivism, competitive intelligence, and DNS enumeration, detailing methods, tools, and techniques used in these fields.


Introduction

What is ethical hacking?

• When combining ethics with hacking, you arrive at the practice of ethical hacking, where the use of hacking skills aligns with moral principles and professional standards to ensure security and protect systems.
• Ethical hacking, also known as penetration testing or white-hat hacking, is the authorized and legal practice of testing an organization's security measures to identify vulnerabilities and weaknesses.
• Ethical hackers are skilled professionals who use the same techniques and tools as malicious hackers, but their intent is to improve security rather than exploit it.

Key Features of Ethical Hacking:

1. Authorized Activity: Ethical hacking is conducted with the explicit permission of the organization being tested.
2. Objective: The goal is to find and fix security flaws before malicious hackers can exploit them.
3. Techniques: Ethical hackers use various methods, such as social engineering, penetration testing, and scanning networks.
4. Ethical Responsibility: These hackers adhere to a professional code of conduct and avoid causing harm.
5. Documentation and Reporting: They provide detailed reports on vulnerabilities found, including recommendations for mitigation.

Importance of Ethical Hacking:

• Protects sensitive data from theft or exposure.
• Enhances trust with clients by ensuring robust security.
• Complies with regulations and standards (e.g., the GDPR, the General Data Protection Regulation, a legal framework established by the European Union (EU) to regulate how personal data is collected, processed, stored, and shared).
• Prepares organizations to defend against real cyber attacks.

Types of Ethical Hacking:

1. Network Security Testing: Evaluating the security of networks and devices.
2. Web Application Testing: Identifying vulnerabilities in websites and online applications.
3. Wireless Network Testing: Assessing the security of wireless networks.
4. Social Engineering: Simulating attacks that exploit human behavior, such as phishing.
5. Physical Security Testing: Checking physical access points to secure servers or data.

Who Performs Ethical Hacking?

• Certified Ethical Hackers (CEH): Professionals who have obtained recognized certifications.
• Penetration Testers: Experts who specialize in simulating cyberattacks.
• Security Consultants: Advisers who provide security strategies and improvements.

Terminology

• ATTACK: An unauthorized action taken on a system or network.
• BACKDOOR: A way to access a computer system that bypasses its security mechanisms.
• BRUTE-FORCE ATTACK: Uses a trial-and-error method to guess login information.
• EXPLOIT: A program or set of instructions that finds a weakness and takes advantage of a flaw in an application or system.
• FIREWALL: A network device which monitors all incoming and outgoing traffic and allows only authorized traffic.
• HACKER: A person who finds a weakness in a system and takes advantage of it (unauthorized access).
• HACKING: The process of finding weaknesses in a system and gaining access.
• KEYSTROKE LOGGING / KEYLOGGING: The action of recording all the keystrokes performed on a keyboard.
• MALICIOUS CODE: A group of viruses or unwanted files or programs which can harm or destroy data stored on a computer.
• MALWARE: Intrusive software designed to damage a system or destroy the data stored on it.
• PHISHING: A social engineering attack where an attacker sends a fraudulent message to a person in order to make them reveal sensitive data.
• SPOOFING: Uses malicious SQL code against the backend database to access or manipulate information.
• THREAT: A possible danger to a computer which may destroy the data or the system.
• TROJAN (TROJAN HORSE): A type of computer software that is camouflaged as regular software.
• VULNERABILITY: A weakness that can be identified by an attacker to gain unauthorized access.

Hacking Technology Types


1. Phishing

• Definition: A technique where attackers trick individuals into revealing sensitive information (e.g., usernames, passwords, or credit card details) by pretending to be a trusted entity.
• How it works:
  o Victims receive fake emails or messages mimicking legitimate organizations.
  o Clicking on malicious links redirects them to fraudulent websites.
• Example: An email claiming to be from a bank asking for account details.
• Prevention:
  o Verify sender information.
  o Avoid clicking on unknown links.
  o Use anti-phishing software.

2. Virus

• Definition: Malicious software that attaches itself to legitimate files or programs and spreads when executed.
• How it works:
  o Infects files or systems, causing damage such as data corruption or system crashes.
  o Can replicate and spread to other devices.
• Example: A virus hidden in an email attachment that deletes important system files when opened.
• Prevention:
  o Install antivirus software.
  o Avoid downloading files from untrusted sources.

3. UI Redress (Clickjacking)

• Definition: A type of attack where a malicious webpage tricks users into clicking on elements that perform unintended actions, such as enabling permissions or making unauthorized purchases.
• How it works:
  o Invisible or disguised UI elements are placed over legitimate buttons or links.
• Example: A fake "Play" button on a video that actually downloads malware.
• Prevention:
  o Use browser security settings.
  o Implement Content Security Policy (CSP) on websites.

4. Cookie Theft

• Definition: Stealing browser cookies to gain unauthorized access to a user's account or personal information.
• How it works:
  o Cookies store session data for websites.
  o Attackers intercept cookies using methods like sniffing or malware.
• Example: Session hijacking in an online banking account.
• Prevention:
  o Use secure (HTTPS) connections.
  o Clear cookies regularly.
  o Implement secure cookie flags.

5. Distributed Denial-of-Service (DDoS)

• Definition: Overwhelming a server, website, or network with excessive traffic to make it unavailable to legitimate users.
• How it works:
  o Attackers use a botnet (network of infected devices) to flood the target with requests.
• Example: A website going offline due to a sudden spike in malicious traffic.
• Prevention:
  o Use load balancers.
  o Implement firewalls and rate-limiting.

6. DNS Spoofing

• Definition: Manipulating DNS (Domain Name System) records to redirect users to malicious websites.
• How it works:
  o Attackers modify DNS responses to send users to fake sites.
• Example: Redirecting a bank's domain to a phishing website.
• Prevention:
  o Use DNSSEC (Domain Name System Security Extensions).
  o Regularly monitor DNS configurations.

7. Social Engineering

• Definition: Exploiting human psychology to trick individuals into revealing confidential information or performing actions. It is the art of manipulating people so that they give away their personal information.
• How it works:
  o Attackers use tactics like impersonation, fear, or urgency.
• Example: Pretending to be IT support to extract login credentials.
• Prevention:
  o Conduct awareness training.
  o Verify identities before sharing sensitive data.

8. Missing Security Patches


• Definition: Exploiting systems that lack critical updates or patches, leaving vulnerabilities open to attack.
• How it works:
  o Unpatched systems are targeted with known exploits.
• Example: The WannaCry ransomware attack exploited unpatched Windows systems.
• Prevention:
  o Regularly update software and operating systems.
  o Enable automatic updates.

9. Malware-Injection Devices

• Definition: Physical devices (e.g., USB drives) used to inject malware into a system.
• How it works:
  o Attackers plant infected devices in accessible areas (e.g., parking lots).
  o Victims plug in the device, unknowingly executing malware.
• Example: A USB stick containing ransomware.
• Prevention:
  o Avoid using unknown devices.
  o Disable autorun features.

10. Cracking Passwords

• Definition: Breaking passwords to gain unauthorized access to systems or accounts.
• How it works:
  o Techniques include brute force attacks, dictionary attacks, and credential stuffing.
• Example: An attacker guessing weak passwords to log in to accounts.
• Prevention:
  o Use strong, unique passwords.
  o Enable multi-factor authentication (MFA).

Hacktivism

Hacktivism is when people use hacking to promote causes they care about, such as
social or political issues. It combines hacking skills with activism, usually targeting
governments, companies, or other organizations they believe are doing something
wrong or unjust.

Instead of protesting in the streets, hacktivists might:

• Break into websites and replace them with messages supporting their cause.
• Overload websites to shut them down temporarily (called a DDoS attack).
• Leak sensitive information to expose wrongdoing.

It's a way to use technology to raise awareness and make a point about issues like freedom, human rights, or government actions.

Key Characteristics of Hacktivism

Motivation:

• Driven by political, social, or ethical causes rather than personal gain.
• Common goals include promoting free speech, exposing corruption, and protesting censorship.

Methods:

• Defacement: Altering websites to display messages supporting the cause.
• DDoS Attacks: Overloading servers to disrupt services (e.g., government or corporate websites).
• Information Leaks: Exposing confidential documents or data (e.g., classified government information).
• Social Media Campaigns: Amplifying messages or taking over social media accounts.
• Digital Protests: Organizing online campaigns against perceived injustices.

Tools and Techniques:

• Exploiting vulnerabilities in websites or networks.
• Using tools like Low Orbit Ion Cannon (LOIC) for DDoS attacks.
• Encryption and anonymization tools (e.g., Tor, VPNs) to maintain privacy.

Notable Hacktivist Groups

Anonymous:

• A decentralized collective known for targeting governments, corporations, and oppressive regimes.
• Famous actions include the 2010 Operation Payback and campaigns supporting WikiLeaks.
• They are known for their use of the Guy Fawkes mask as their symbol.

LulzSec (Lulz Security):

• LulzSec (Lulz Security) is a well-known hacker group that gained notoriety for their high-profile cyberattacks.
• Known for exposing security flaws in major organizations.
• Responsible for high-profile hacks of Sony, Fox, and PBS.

WikiLeaks:

• Focused on publishing classified information.
• Notable for exposing government and corporate secrets.

Syrian Electronic Army:

• A pro-Syrian government group targeting anti-regime entities.
• A group of hackers who are known for their support of the Syrian government under President

RedHack:

• A Turkish hacktivist group targeting government and political organizations.

Competitive Intelligence (CI)

Competitive Intelligence (CI) is the practice of gathering, analyzing, and using information about competitors, markets, and industry trends to support strategic decision-making. It involves ethical and legal methods of obtaining data to gain a competitive edge. CI is crucial for businesses to understand what others are doing, spot opportunities, and stay ahead in the market.

Competitive intelligence must not involve illegal activities like hacking or corporate espionage. It adheres to laws and professional ethics, such as the Code of Ethics for Competitive Intelligence Professionals by SCIP (Strategic and Competitive Intelligence Professionals).

Process contains:

1. Understanding Competitors

• Analyzing competitors' strengths, weaknesses, strategies, and market positions.
• Monitoring product launches, pricing strategies, marketing campaigns, and customer feedback.

2. Market Analysis

• Identifying market trends, customer preferences, and emerging technologies.
• Analyzing supply chain dynamics and economic factors affecting the industry.
• Effective CI requires identifying vulnerabilities, trends, and competitive advantages within the supply chain.

3. Strategic Positioning
• Assessing competitive positioning using tools like SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis.
• Developing strategies to outperform competitors or enter untapped markets.

4. Data Collection Techniques

• Public Sources: Websites, press releases, annual reports, social media, and news articles.
• Industry Reports: Subscription-based market analysis, white papers, and case studies.
• Customer Feedback: Surveys, reviews, and focus groups to understand consumer preferences.
• Observation: Visiting trade shows, monitoring advertisements, or analyzing job postings for insights.

5. Tools for Competitive Intelligence

• Web Scraping Tools: Automate the collection of publicly available data.
• Analytics Platforms: Tools like Google Analytics, SEMrush, and SimilarWeb for web and marketing insights.
• Social Media Monitoring: Tools like Hootsuite or Brandwatch to track competitors' social media activity.
• Financial Tools: Platforms like Bloomberg or market research services for financial analysis.

6. Applications of CI

• Product Development: Identifying gaps in the market to innovate new products.
• Sales and Marketing: Crafting targeted campaigns by understanding competitors' messaging.
• Strategic Planning: Aligning business goals based on insights into industry dynamics and competitors' actions.

Benefits of Competitive Intelligence

• Improved decision-making and risk management.
• Enhanced ability to anticipate competitors' moves.
• Identification of new opportunities for growth.
• Better alignment of internal strategies with external market conditions.

DNS Enumeration

DNS Enumeration is a process in ethical hacking used to gather information about a target organization's domain name system (DNS). This information can include domain names, subdomains, IP addresses, mail servers, and other details that may reveal vulnerabilities or entry points for potential attacks.

Ethical hackers use DNS enumeration during the reconnaissance phase to understand the target's infrastructure and identify potential attack vectors.

Key Concepts of DNS Enumeration

1. DNS Basics

• DNS translates human-readable domain names (e.g., example.com) into IP addresses (e.g., 192.168.1.1).
• DNS records store critical information about domain configurations.

2. Types of DNS Records

• A (Address) Record: Maps a domain to an IPv4 address.
• AAAA Record: Maps a domain to an IPv6 address.
• CNAME (Canonical Name) Record: Aliases one domain to another.
• MX (Mail Exchange) Record: Specifies mail servers for the domain.
• NS (Name Server) Record: Lists authoritative DNS servers for the domain.
• PTR (Pointer) Record: Maps an IP address to a domain (reverse DNS).
• SOA (Start of Authority) Record: Contains administrative information about the domain.
• TXT Record: Contains human-readable text or machine-readable data like SPF and DKIM.

3. Purpose of DNS Enumeration

• Identify publicly accessible subdomains and services.
• Uncover misconfigured or exposed DNS records.
• Map out the organization's network structure.
• Identify email servers (for phishing campaigns or spam).
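The record types and the exposure review described above, worked through as an added example that is not part of the original notes: a small parser for dig-style answer lines (the sample zone below is constructed and stands in for real output) that groups records by type, lists mail servers by MX preference, and flags the two findings an assessor most often reports after enumeration, public records pointing at RFC 1918 addresses and a wildcard record.

```python
"""Parse dig-style DNS answer lines and flag records worth a second look.

Added example, not from the original notes. The zone lines below are
constructed sample data; the record types are the ones the notes list
(A, AAAA, CNAME, MX, NS, PTR, SOA, TXT).
"""
import ipaddress
import re
from collections import defaultdict

# Layout of one line in the ANSWER section of `dig <name> <type>`:
#   name  ttl  class  type  rdata...
_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME|MX|NS|PTR|SOA|TXT)\s+(.+)$")

# Address ranges that should never appear in a public zone: RFC 1918 and
# IPv6 unique local addresses. (ipaddress.is_private is deliberately not
# used: it also counts the 203.0.113.0/24 documentation range as private.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample output, as if gathered with dig or a zone transfer.
SAMPLE_ANSWERS = """\
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
example.com.          3600 IN NS    ns1.example.com.
example.com.          3600 IN NS    ns2.example.com.
example.com.          300  IN A     203.0.113.10
www.example.com.      300  IN CNAME example.com.
mail.example.com.     300  IN A     203.0.113.25
example.com.          300  IN MX    10 mail.example.com.
example.com.          300  IN TXT   "v=spf1 mx -all"
intranet.example.com. 300  IN A     10.0.5.20
dev-db.example.com.   300  IN A     192.168.40.7
*.example.com.        300  IN A     203.0.113.10
"""

def parse_answers(text):
    """Turn dig-style answer lines into (name, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name.lower(), int(ttl), rtype, rdata.strip()))
    return records

def group_by_type(records):
    """Index records by type, e.g. grouped["NS"] -> [(name, rdata), ...]."""
    grouped = defaultdict(list)
    for name, _ttl, rtype, rdata in records:
        grouped[rtype].append((name, rdata))
    return grouped

def is_internal(addr):
    """True when the address belongs to a private (internal-only) range."""
    return any(addr in net for net in INTERNAL_NETS)

def find_exposures(records):
    """Return the findings a defender wants from an enumeration review.

    Two checks the notes motivate ("uncover misconfigured or exposed records"):
      - A/AAAA records in the public zone that resolve to internal addresses
        leak internal host names and addressing.
      - A wildcard record answers for every subdomain, which makes brute-force
        subdomain results unreliable and can hide typo-squatting.
    """
    findings = []
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                continue  # malformed rdata: skip rather than crash the review
            if is_internal(addr):
                findings.append(("private-address", name, rdata))
        if name.startswith("*."):
            findings.append(("wildcard", name, rdata))
    return findings

def mail_servers(records):
    """MX targets sorted by preference, lowest (most preferred) first."""
    mx = []
    for _name, _ttl, rtype, rdata in records:
        if rtype == "MX":
            pref, host = rdata.split(None, 1)
            mx.append((int(pref), host))
    return [host for _pref, host in sorted(mx)]

if __name__ == "__main__":
    recs = parse_answers(SAMPLE_ANSWERS)
    print("MX hosts:", mail_servers(recs))
    for kind, name, rdata in find_exposures(recs):
        print(f"{kind:16} {name} -> {rdata}")
```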

Techniques for DNS Enumeration

1. WHOIS Lookup

• Retrieves domain registration details such as the domain owner, creation date, and expiration.
• Tools: whois command, online services like ICANN WHOIS.

2. Zone Transfers

• Transfers the entire DNS zone file from a DNS server.
• Exploits misconfigured name servers that allow unauthorized zone transfers.
• Tool: dig or nslookup requesting the AXFR record type.

3. DNS Querying

• Query specific DNS records using tools like dig, nslookup, or host.
• Example: Query for MX records:
  dig example.com MX
4. Reverse DNS Lookup

• Maps IP addresses back to domain names to identify associated hosts.
• Tool: nslookup, dig, or online tools.

5. Subdomain Enumeration

• Identifies subdomains of a target domain.
• Tools: Sublist3r, Knockpy, Amass, and online services like crt.sh.

6. Brute Forcing

• Attempts to discover subdomains by brute-forcing using wordlists.
• Tools: Gobuster, DNSRecon, and Fierce.

7. Online DNS Services

• Use platforms like VirusTotal, Shodan (an IoT and internet search engine), and Censys to gather DNS information passively.

Popular Tools for DNS Enumeration

1. dig

• A command-line tool to query DNS records.
• Example: dig example.com ANY

2. nslookup

• A basic command-line tool for DNS lookups.
• Example: nslookup -type=mx example.com

3. Fierce

• A DNS reconnaissance tool for discovering subdomains.

4. DNSRecon

• Automates DNS enumeration and zone transfers.

5. Amass

• A powerful open-source tool for passive and active DNS enumeration.

6. Sublist3r

• A subdomain enumeration tool.

Ethical Applications of DNS Enumeration

• Security Assessments: Identify exposed records and subdomains that could be exploited by attackers.
• Compliance Testing: Ensure DNS configurations meet security standards.
• Incident Response: Investigate DNS-related breaches or misconfigurations.

ARIN Lookup

Definition:
ARIN (American Registry for Internet Numbers) is a Regional Internet Registry
(RIR) responsible for managing IP address allocations and Autonomous System
Numbers (ASNs) in North America. An ARIN Lookup queries ARIN's database
to retrieve details about an IP address or ASN.

Purpose:

• To identify the organization to which an IP address or IP range is assigned.
• To locate the geographical region or service provider associated with an IP.
• To investigate suspicious IP addresses during cybersecurity assessments.

Information Provided:

1. IP Address Details:

• Organization name and contact details.
• IP block allocations.

2. ASN Details:

• Owner of the ASN and related IP ranges.

3. Network Information:

• Netblock size, location, and responsible parties.

How to Perform an ARIN Lookup:

• Online Tools: Visit ARIN WHOIS for IP or ASN lookups.
• Command-Line: Use the whois command with ARIN-specific queries.

Key Differences:

Feature            | WHOIS Lookup                  | ARIN Lookup
-------------------|-------------------------------|------------------------------------------
Scope              | Domain names and IP addresses | IP addresses and ASNs
Region             | Global                        | Focused on North America
Purpose            | Domain registration details   | IP address and network ownership details
Databases Queried  | Domain registrars             | ARIN database

Traceroute in Footprinting

Traceroute is a crucial tool used in footprinting during the reconnaissance phase of ethical hacking or penetration testing. Its primary purpose is to map the route data packets take from the source system to the destination system and to gather valuable information about intermediate network devices.

Traceroute is a diagnostic tool that tracks and records the path taken by packets across an IP network. It shows the sequence of routers (hops) the packet traverses to reach its destination. This provides insight into the network's structure and the connectivity between systems.

Traceroute operates by sending a series of ICMP (Internet Control Message Protocol) or UDP packets to the destination. Each packet has an increasing TTL (Time-To-Live) value, which determines the number of hops the packet can take before being discarded.

Traceroute provides insight into the network topology, including the devices and
routers that form the route between the attacker’s machine and the target. This tool
helps identify potential vulnerabilities, map out the target’s network, and gather
crucial information that can assist in subsequent stages of the penetration testing or
hacking process.
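The TTL mechanism described above, simulated as an added example that is not part of the original notes. The path, its addresses and the hop that drops expired packets are all constructed; the simulation shows why a router that does not answer appears as "*" in traceroute output while the trace still continues to the destination.

```python
"""Simulate the TTL countdown that traceroute relies on.

Added example, not from the original notes. The network path below is
constructed; hop addresses come from the RFC 5737 documentation ranges.
"""

# Constructed path from the probing host to the destination. Each hop is
# (router address, answers_when_ttl_expires). A router that silently drops
# expired packets shows up in real traceroute output as "* * *".
PATH = [
    ("192.0.2.1", True),       # local gateway
    ("198.51.100.9", True),    # ISP edge router
    ("198.51.100.77", False),  # core router that does not send ICMP errors
    ("203.0.113.5", True),     # border router of the destination network
]
DESTINATION = "203.0.113.80"

def forward(ttl):
    """Model what the network does with one probe carrying this TTL.

    Every router decrements TTL before forwarding. When it reaches zero the
    router discards the packet and normally returns ICMP Time Exceeded, which
    is how traceroute learns that router's address. A probe whose TTL outlives
    the path reaches the destination, which answers with ICMP Port Unreachable
    (UDP probes) or Echo Reply (ICMP probes), ending the trace.
    Returns ("time-exceeded", hop), ("silent", None) or ("reached", DESTINATION).
    """
    for addr, answers in PATH:
        ttl -= 1
        if ttl == 0:
            return ("time-exceeded", addr) if answers else ("silent", None)
    return ("reached", DESTINATION)

def traceroute(max_hops=30):
    """Probe with TTL 1, 2, 3, ... until the destination itself answers.

    Returns [(ttl, address_or_star), ...]. max_hops bounds the trace so a
    destination that never answers (or a routing loop) cannot run forever.
    """
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, addr = forward(ttl)
        hops.append((ttl, addr if addr is not None else "*"))
        if kind == "reached":
            break
    return hops

if __name__ == "__main__":
    for ttl, addr in traceroute():
        print(f"{ttl:2}  {addr}")
```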

Social Engineering: Common Types Of Attacks

Social engineering involves manipulating individuals into revealing confidential information or performing actions that compromise security. Below are the common types of social engineering attacks.

The social engineering cycle contains four stages:

1. Investigate
2. Hook
3. Play
4. Exit

Technology-Based Social Engineering Attacks

These rely on exploiting technological tools, software, or devices to deceive victims.

1. Phishing

• Description: Using emails, fake websites, or other electronic communication to steal credentials or sensitive information.
• Example: An email with a malicious link mimicking a trusted organization's login page.

2. Spear Phishing

• Description: A personalized phishing attack targeting specific individuals or organizations.
• Example: A fake email to a company's CFO with a fraudulent invoice attachment.

3. Whaling

• Description: Phishing that targets high-ranking individuals.

4. Smishing (SMS Phishing)

• Description: Sending malicious links or messages via SMS or instant messaging apps.
• Example: "Your account has been locked. Click here to verify your identity."

5. Vishing (Voice Phishing)

• Description: Using phone calls with voice technology to trick victims.
• Example: A call claiming to be from tech support requesting remote access to resolve "urgent issues."

6. Watering Hole Attacks

• Description: Infecting a website frequently visited by the target with malware or spyware.
• Example: Compromising a professional association's website to target members.

7. Baiting

• Description: Uses a physical device containing malicious code, left behind in a place the victims often visit.
• Example: A website offering free software that contains malware.

8. Pop-Up Attacks

• Description: Displaying fake security alerts to trick users into downloading malware.
• Example: "Your system is infected! Click here to clean your device."

9. Website Phishing

• Description: The attacker clones the original website.

Human-Based Social Engineering Attacks

These exploit human emotions, trust, or psychology to manipulate individuals into revealing information or performing certain actions. They are also called non-technical social engineering attacks.

1. Pretexting

• Description: Creating a convincing story or role to gain trust and extract information.
• Example: Posing as an HR executive asking employees to update sensitive details.

2. Tailgating (Piggybacking)

• Description: Gaining unauthorized physical access by following someone with legitimate access.
• Example: Walking into a secure area after someone holds the door open.

3. Dumpster Diving

• Description: Searching through discarded items for confidential information.
• Example: Retrieving shredded documents or storage media from trash bins.

4. Quid Pro Quo

• Description: Offering a benefit or service in exchange for confidential information or access.
• Example: An attacker pretending to conduct a survey and asking for sensitive data.

5. Shoulder Surfing

• Description: Observing someone to capture sensitive information such as passwords or PINs.
• Example: Watching someone input their password on a laptop in a public place.

6. Impersonation

• Description: Pretending to be a trusted individual, such as an employee, technician, or authority figure.
• Example: A fake delivery person asking for access to secure office areas.

7.Reverse social engineering

• Reverse Social Engineering is a clever manipulation technique in which the attacker makes the target come to them, rather than directly approaching the target. It involves creating a problem for the victim and then presenting the attacker as the solution to that problem.

Scanning and Enumeration

1.Port scan

• A port is a virtual pipe through which information passes.
• A port scan is the process of systematically scanning a computer or network device to identify open ports.
• It is a network reconnaissance technique designed to identify which ports are open on a computer.
• A port scan attack helps cyber criminals find open ports and figure out whether they are receiving or sending data. It can also reveal whether active security devices like firewalls are being used by an organization.
• All ports are numbered, and on each a particular service or software is running. For example, HTTP uses port 80, DNS uses port 53, and SSH uses port 22.
• Open ports can potentially be used by attackers to exploit vulnerabilities or gain unauthorized access to a system.
• Port scanning can be performed for legitimate purposes such as network security audits or troubleshooting, but it can also be used by attackers for malicious purposes.

Nmap (Network Mapper):

• A widely used tool to scan and identify open ports and services.

There are different types of port scans, including:

1. TCP Scan: A full connection is made with each open port on the target system, verifying if the port is open.

nmap -sT 172.

• SYN Packet Sent: The scanner sends a SYN (synchronize) packet to the target port. This is the first step of a TCP handshake.
• SYN-ACK Response: If the target port is open, the target responds with a SYN-ACK packet, indicating that it is willing to establish a connection.
• ACK Sent: The scanner then sends an ACK packet to complete the handshake and establish a connection.
• Connection Established: Once the connection is established, the scanner can then report that the port is open. It may also immediately close the connection, depending on the tool or process used.
• Port Closed: If the port is closed, the target will respond with a RST (reset) packet, indicating the port is not open or accepting connections.

2. SYN Scan: This is a stealthier scan that sends a SYN (synchronize) packet, like the start of a TCP handshake, to determine if the port is open or closed. A SYN Scan is a stealthier and faster way to scan for open ports compared to a TCP Connect Scan. It works by only initiating the first part of the TCP handshake and never completing the connection, which helps it avoid detection.

nmap -sS <IP address>

• SYN Packet Sent: The scanner sends a SYN (synchronize) packet to the target port. This is the first part of the TCP three-way handshake. The SYN packet is used to request a connection.
• SYN-ACK Response (Port Open): If the target port is open and accepting connections, the target responds with a SYN-ACK packet. This indicates that the target is willing to establish a connection.
• RST Response (Port Closed): If the port is closed, the target will respond with a RST (reset) packet to indicate that it refuses the connection attempt.
• Scanner Does Not Complete the Handshake: The scanner does not respond to the SYN-ACK packet with an ACK (which would complete the handshake), and instead just moves on to the next port. This behavior means the target never fully establishes a connection.

3. UDP Scan: Scans for open UDP ports, which don't rely on the connection process like TCP does. These can identify DNS and other UDP-based services.

nmap -sU <IP address>

• Send UDP Packet: The scanner sends a UDP packet (often a "dummy" packet or an application-specific request) to the target port on the remote system.
• No Response (Port Open): If the target port is open, it will typically not respond at all. This is because, with UDP, there is no inherent acknowledgment or handshake process. An open port may just silently accept the incoming packet.
• ICMP Port Unreachable (Port Closed): If the target port is closed, the target system will typically respond with an ICMP (Internet Control Message Protocol) "Port Unreachable" message. This indicates that the UDP packet could not be delivered because the port is closed.
• Additional Responses (Optional): Depending on the application or service running on the open port, some responses may be received, especially for certain services that expect specific UDP packets. For example, a DNS server may reply with a DNS response if a UDP request for DNS resolution is sent to it.

Key Characteristics of UDP Scan:

• No Handshake: Unlike TCP, UDP does not require the completion of a handshake. This makes it difficult to determine whether a port is open since there's no confirmation in the form of a packet like there is with TCP (SYN-ACK).
• Stealthier Than TCP: Since there's no initial connection establishment (like the three-way TCP handshake), UDP scans can sometimes be more difficult to detect. However, they may still be flagged by security systems due to the nature of the traffic.
• More Challenging: UDP is more challenging to scan because of its connectionless nature. An open UDP port may not reply at all, while a closed port typically responds with an ICMP error message. Therefore, distinguishing between open and filtered ports requires additional interpretation.

4. FIN Scan: Sends a TCP FIN packet and checks whether a response comes back; the absence of a RST indicates the port is open. This is used to bypass firewalls that are not configured to properly handle such packets.

nmap -sF <IP address>   (likewise -sN for a NULL scan and -sX for an Xmas scan)

1. Send FIN Packet:

The scanner sends a FIN packet to the target port. A FIN packet in TCP is
used to indicate that the sender wants to close the connection. Typically, this
would be used by the two parties in a connection to gracefully shut down
communication.

2. Response from Target (Port Closed):

If the port is closed, the target system will respond with a RST (Reset)
packet. This is because, according to the TCP protocol, when a closed port
receives a FIN packet, the system must reset the connection, as it cannot
respond to the termination request.

3. No Response or Anomaly (Port Open):

If the port is open, the system will generally not respond at all (because
there is no active connection to terminate), or it may ignore the FIN packet.
According to TCP standards, sending a FIN to an open port is not a valid
action in an existing connection, so the system typically does not send a
reset (RST) packet.

Key Characteristics of FIN Scan:

• Stealth: The FIN scan is considered stealthier than a standard TCP Connect Scan because it doesn't complete the handshake (SYN-ACK-ACK) and instead sends a FIN packet, which should not be expected unless there's an active connection. As a result, many firewalls and intrusion detection systems may not detect a FIN scan as easily as a full connection scan.
• No Connection Establishment: Since the FIN scan does not establish a connection (it doesn't go through the full TCP handshake), it is more "quiet" compared to other types of scans.
• Can Be Detected by Some Firewalls or IDS: While FIN scans are stealthier than standard scans, they are not foolproof. Some modern firewalls or intrusion detection/prevention systems (IDS/IPS) can recognize unusual FIN packets or patterns that indicate scanning behavior. Additionally, some systems may be configured to send a reset (RST) even for FIN packets, which could give away the scan.

Different systems react to these packets in different ways, so these scans can reveal
details of the target system and whether it is protected by a firewall.

5. Xmas Scan: Sends packets with unusual flags to check for open ports. The
scanner sends a TCP packet with the FIN, PSH, and URG flags set to a target port.

The Xmas Scan is another type of port scan that uses TCP flags in an
unconventional way to probe whether ports are open or closed. It is often
considered a stealthy scan, similar to the FIN scan, but with a different approach.
Let's dive into how it works.

What is an Xmas Scan?

In TCP, different flags are used to control the state of a connection. An Xmas Scan
sends a packet with a combination of flags that is rarely used in normal
communication, specifically with the FIN, URG, and PSH flags set. These flags
are not typically sent together in regular TCP traffic, which is why this scan can
sometimes be stealthier and harder to detect by security systems.

 FIN (Finish): Typically used to indicate the termination of a connection.
 URG (Urgent): Indicates that the data is urgent and should be prioritized.
 PSH (Push): Requests the receiver to send the data immediately instead of
buffering it.

How Does the Xmas Scan Work?

 Send an Xmas packet: The scanner sends a packet to the target port with
the FIN, URG, and PSH flags set in the TCP header. This is an unusual
combination of flags that doesn't normally occur in regular network
communication.
 What happens when the port is open: If the port is open, the target system
typically does not respond to the Xmas packet. It does not send a reset (RST)
packet or any other response because the Xmas packet doesn't correspond to any
valid request for connection initiation or termination.
 What happens when the port is closed: If the port is closed, the target system
will respond with an RST (Reset) packet. This is because the packet, with those
unusual flags, is effectively interpreted as an erroneous or invalid packet, and
the target system will reset the connection, indicating that the port is closed.

6. Stealth Scan: A scanning technique used to probe a computer network with
minimal or no footprint, aiming to avoid detection by intrusion detection systems
(IDS) or other security measures on the target system, usually by not completing
the handshake process.

A Stealth Scan refers to a category of port scanning techniques specifically
designed to evade detection by security systems such as firewalls and intrusion
detection/prevention systems (IDS/IPS). The goal of a Stealth Scan is to avoid
completing the full TCP handshake, which is typically the point where many
firewalls or IDS/IPS systems would detect a connection attempt and raise an alert.
In a Stealth Scan, the idea is to probe the target system without actually
establishing a full TCP connection. By doing so, the scanner tries to avoid being
detected or logged by the target system's monitoring tools.

Let’s break down how Stealth Scans work, their different types, and why they are
often used.

How a Stealth Scan Works:

A Stealth Scan involves sending partially completed packets (i.e., incomplete
handshakes) or using unusual packet flags that won't trigger a response from the
target system as a normal connection would. This technique relies on not
completing the 3-way handshake (SYN → SYN-ACK → ACK) in the TCP
connection establishment process.

The idea is that many systems only log or respond to fully established
connections (i.e., when the handshake is complete). By only sending the initial
packets of the handshake or sending unusual packets that don't fit normal behavior,
a Stealth Scan attempts to avoid triggering the system's defenses.

7. Null Scan

 How it works: A Null Scan sends a TCP packet with no flags set (all flags
are turned off). Since the packet does not contain any flag, the target system
is unsure about what the packet is for.
 If the port is open, the system may ignore the packet.
 If the port is closed, the system will typically respond with an RST
packet.
 Why it's stealthy: Like the FIN scan, the Null scan doesn't establish a
connection, and the absence of flags may make it hard to detect,
especially with simple firewalls or monitoring tools.
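The FIN, Xmas and Null scan sections above all note that the probes can be recognised by their unusual flag combinations. The following is an added example (not part of these notes) of that detection logic: it reads constructed packet records in a tcpdump-like flag notation (the record format, the sample addresses and the three-port threshold are assumptions of the example) and reports sources that sent FIN-only, flagless or FIN+PSH+URG packets to several ports of one host.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Flag letters follow tcpdump's summary convention:
# S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST; "." means no flags at all.
PROBE_SIGNATURES = {
    frozenset("F"): "FIN scan (nmap -sF)",
    frozenset(): "NULL scan (nmap -sN)",
    frozenset("FPU"): "Xmas scan (nmap -sX)",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: FrozenSet[str]


def parse_record(line: str) -> Packet:
    """Parse one constructed record '<src> <dst> <dport> <flags>',
    e.g. '10.0.0.5 10.0.0.9 22 FPU'. A real deployment would feed this from
    a packet capture; the record format is an assumption of this example."""
    src, dst, dport, flags = line.split()
    return Packet(src, dst, int(dport), frozenset() if flags == "." else frozenset(flags))


def classify_probe(pkt: Packet) -> Optional[str]:
    """Name the probe if the flag set is one of the unusual combinations above.
    A FIN carrying ACK is a normal graceful close and is not flagged; a lone
    SYN is an ordinary connection attempt, not one of these stealth probes."""
    return PROBE_SIGNATURES.get(pkt.flags)


def detect_scans(records, min_ports=3):
    """Group suspicious probes by (source, destination, probe type) and report
    the groups that touched at least `min_ports` distinct ports: one odd
    packet is noise, a spread across ports is scanning behaviour.
    Returns {(src, dst, probe_name): sorted list of probed ports}."""
    hits = defaultdict(set)
    for line in records:
        pkt = parse_record(line)
        probe = classify_probe(pkt)
        if probe is not None:
            hits[(pkt.src, pkt.dst, probe)].add(pkt.dport)
    return {key: sorted(ports) for key, ports in hits.items() if len(ports) >= min_ports}


# Constructed sample traffic (not a real capture).
SAMPLE_TRAFFIC = [
    "10.0.0.7 10.0.0.9 443 S",      # normal handshake ...
    "10.0.0.9 10.0.0.7 52000 SA",
    "10.0.0.7 10.0.0.9 443 A",
    "10.0.0.7 10.0.0.9 443 FA",     # ... and a normal close: FIN+ACK, benign
    "10.0.0.5 10.0.0.9 22 FPU",     # Xmas probes against four ports
    "10.0.0.5 10.0.0.9 80 FPU",
    "10.0.0.5 10.0.0.9 443 FPU",
    "10.0.0.5 10.0.0.9 3389 FPU",
    "10.0.0.6 10.0.0.9 22 .",       # NULL probes, only two ports: below threshold
    "10.0.0.6 10.0.0.9 80 .",
    "10.0.0.8 10.0.0.9 25 F",       # a single stray FIN
]

if __name__ == "__main__":
    for (src, dst, probe), ports in detect_scans(SAMPLE_TRAFFIC).items():
        print(f"{src} -> {dst}: {probe} on ports {ports}")
```

A production rule would also bound the grouping in time and account for the RST-based reply a closed port sends, but the flag signatures are exactly the ones the scans above rely on.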

What is Network Scanning?

Network scanning is a crucial phase in ethical hacking where security professionals
identify live hosts, open ports, services, and vulnerabilities within a network. It
helps in understanding the network infrastructure and finding potential security
weaknesses before attackers exploit them.

Types of Network Scanning

1. IP Scanning (Host Discovery) – Identifies active devices in a network.
2. Port Scanning – Finds open ports on a target system to determine available
services.
3. Service and Version Detection – Identifies running services and their
versions.
4. Vulnerability Scanning – Detects security flaws in networked devices.

Ping Sweep Techniques

 A Ping Sweep (also called ICMP Sweep) is a network scanning technique
used by attackers and network administrators to identify live hosts (active
systems) on a network.
 It works by sending ICMP Echo Request (ping) packets to multiple IP
addresses and analyzing the responses.
 Ping sweeps are useful for both ethical hacking (penetration testing) and
malicious reconnaissance.

Types of Ping Sweep Techniques

Different methods can be used to conduct a ping sweep, depending on
firewalls, network configurations, and security policies.

1. ICMP Echo Request (Standard Ping Sweep)

 Sends an ICMP Echo Request to a range of IPs.
 Hosts that are alive respond with ICMP Echo Reply.
 E.g. ping -c 1 192.168.1.1
 Many modern firewalls block ICMP packets, making this method unreliable
in restricted environments.

2. TCP ACK Scan for Firewalled Networks

 Instead of ICMP, it sends TCP ACK packets to specific ports (e.g., 80,
443).
 If a RST (Reset) is received, the host is alive.
 E.g. nmap -sn -PA 192.168.1.0/24
 Firewalls often block ICMP but allow TCP packets.
 Bypasses ICMP restrictions.
 More stealthy than SYN scans because it doesn't try to establish a
connection.

3. TCP SYN Ping Sweep (Stealth Mode)

 Sends TCP SYN packets (instead of ICMP) to common ports like 80, 443.
 If the host responds with SYN-ACK, it is alive.
 E.g. nmap -sn -PS80,443 192.168.1.0/24
 Useful when ICMP and ACK scans are blocked.
 Often bypasses firewalls.

4. UDP Ping Sweep (For UDP-Based Networks)

 Sends empty UDP packets to specific ports (e.g., 53, 161).
 If a "Port Unreachable" ICMP response (Type 3, Code 3) is received, the
host is offline.
 If no response, the host is alive.
 E.g. nmap -sn -PU53,161 192.168.1.0/24
 Good for detecting DNS (port 53) and SNMP (port 161) servers.

5. ARP Ping Sweep (For Local Networks)

 Uses Address Resolution Protocol (ARP) instead of ICMP.
 Sends ARP requests to all IPs in a subnet.
 Only live hosts respond with ARP replies.
 E.g. nmap -sn -PR 192.168.1.0/24
 Bypasses ICMP-blocking firewalls.
 Works only on local networks (LANs) because ARP is a Layer 2 protocol.
 More reliable than ICMP, TCP SYN, or UDP pings because ARP cannot
be blocked by firewalls on a local network.
 Reveals MAC addresses, useful for device identification.

IDLE scan

The Idle Scan (also called a Zombie Scan) is an advanced TCP port scanning
technique that allows an attacker to perform stealthy network reconnaissance
without revealing their own IP address.

This method exploits the behaviour of an idle machine (called a "zombie") to infer
information about a target system.

Idle scan relies on predicting the IP ID (Identification field) in the IP header of
packets sent by the zombie machine. The IP ID is a number assigned to each
outgoing IP packet from a host; on many systems it simply increments by one per
packet, which is what makes it predictable.

1. Selecting a "Zombie" Machine

 The attacker finds a machine that is "idle" (not communicating frequently)
and has a predictable IP ID sequence.
 The idle machine is used as a relay to send packets to the target.

2. Checking the Zombie's IP ID

 The attacker sends a SYN/ACK or SYN packet to the zombie.
 The zombie responds with a RST (Reset) packet, revealing its current IP
ID.
 The attacker records this IP ID value.
 E.g. the attacker first sends a probe packet (SYN/ACK or SYN) to the
zombie and records the IP ID value. Let's assume the zombie's current IP
ID is 1000.

3. Spoofing a SYN Packet to the Target

 The attacker forges a SYN packet (pretending to be from the zombie) and
sends it to the target system.
 The target responds based on the port status:
 If the port is open → Target sends a SYN/ACK to the zombie.
 If the port is closed → Target sends a RST to the zombie.
 The zombie was not expecting the SYN/ACK from the target.
 It responds with a RST (Reset) packet to the target.
 This increases the zombie's IP ID by 1.

4. Checking the Zombie's IP ID Again

 The attacker re-checks the zombie's IP ID.
 If the IP ID has increased by 2, it means the zombie sent an RST back to
the target, indicating the port was open.
 If the IP ID increased only by 1, the target didn't send a SYN/ACK,
meaning the port is closed.

Advantages of Idle (Zombie) Scan

 Stealthy & Anonymous – The attacker's IP is never directly involved,
making it harder to trace.
 Bypasses Firewalls – Since the zombie interacts with the target, security
mechanisms may not detect the actual attacker.
 Can Identify Open Ports – Helps in fingerprinting a system's network
services.

Tools for Idle Scan

 Nmap: The most popular tool for performing idle scans.
 nmap -sI <zombie-IP> <target-IP>
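The whole technique rests on the zombie's IP ID counter moving predictably, so the defensive question is which of your own hosts behave that way (Nmap's ipidseq script asks the same). The following is an added example, not part of these notes: `classify_ipid_sequence` is a simplified version of that classification (its category names follow Nmap's, the thresholds are this example's assumption), and `idle_scan_simulation` is a toy model of steps 2 to 4 above that sends no packets but shows how the counter exposes the target's port state.

```python
def _deltas(ids):
    """Successive IP ID differences, modulo the 16-bit field width."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def classify_ipid_sequence(ids):
    """Classify the IP IDs seen in a host's replies to successive probes.
    Category names follow Nmap's ipidseq script; the thresholds are a
    simplification of its logic (an assumption of this example)."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "All zeros"
    d = _deltas(ids)
    if all(x == 0 for x in d):
        return "Constant"
    if all(x % 256 == 0 and x <= 5120 for x in d):
        return "Broken little-endian incremental"   # byte-swapped counter; still predictable
    if all(x <= 10 for x in d):
        return "Incremental"                        # the classic zombie candidate
    if all(x < 1000 for x in d):
        return "Random positive increments"
    return "Randomized"


def usable_as_zombie(ids):
    """A host is a workable zombie only if its counter moves predictably;
    hosts in these two classes are the ones a defender should fix."""
    return classify_ipid_sequence(ids) in ("Incremental", "Broken little-endian incremental")


def infer_port_state(ipid_before, ipid_after, step=1):
    """Step 4 above: compare the zombie's IP ID before and after the spoofed SYN.
    `step` is the zombie's normal increment (1, or 256 for the byte-swapped case)."""
    delta = (ipid_after - ipid_before) % 65536
    if delta == 2 * step:
        return "open"
    if delta == step:
        return "closed"   # a filtered target that silently drops the SYN looks identical
    return "unknown"      # the zombie was not idle, or someone else talked to it


def idle_scan_simulation(zombie_start, target_open_ports, probe_port, step=1):
    """Toy model of steps 2-4; no packets are sent. `counter` is the next IP ID
    the zombie will stamp on an outgoing packet."""
    counter = zombie_start
    before = counter                     # step 2: zombie's RST to our probe carries this ID
    counter += step
    if probe_port in target_open_ports:  # step 3: target's SYN/ACK makes the zombie send a RST
        counter += step                  # (a closed port's RST to the zombie is ignored)
    after = counter                      # step 4: zombie's RST to our second probe
    return before, after, infer_port_state(before, after, step)


if __name__ == "__main__":
    # Constructed IP ID samples, as a defender might collect from their own hosts.
    for host, samples in {"fileserver": [1000, 1001, 1002, 1003],
                          "printer": [4096, 4352, 4608, 4864],
                          "laptop": [5, 40000, 12, 60000]}.items():
        print(host, classify_ipid_sequence(samples), "zombie candidate:", usable_as_zombie(samples))
    print(idle_scan_simulation(1000, {80}, 80))   # the worked example: 1000 -> 1002, open
    print(idle_scan_simulation(1000, {80}, 22))   # 1000 -> 1001, closed
```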

SNMP Enumeration

1. Simple Network Management Protocol (SNMP) enumeration is a technique
used to extract detailed information about network devices such as routers,
switches, printers, and servers. Hackers or penetration testers use SNMP queries to
gather data about:

 System details (hostname, OS, uptime, running services)
 Network configuration (IP addresses, interfaces, routing tables)
 User accounts
 Processes and services
 Installed software

2. SNMP Versions & Security

 SNMPv1 – Uses plaintext community strings (default: "public" for read-only,
"private" for read-write). Vulnerable to attacks.
 SNMPv2 – Similar to v1 but includes better error handling. Still uses
plaintext community strings.
 SNMPv3 – Secure version with authentication and encryption (MD5, SHA,
DES, AES).

3. SNMP Enumeration Tools

 snmpwalk – Queries SNMP-enabled devices recursively to extract
information.
Cmd: snmpwalk -v2c -c public <target-ip>
 snmp-check – Automates SNMP enumeration.
Cmd: snmp-check <target-ip>
 onesixtyone – SNMP scanner to identify community strings.
Cmd: onesixtyone -c community-strings.txt <target-ip>
 Nmap SNMP scripts – Uses NSE scripts for SNMP reconnaissance.
Cmd: nmap -sU -p 161 --script=snmp-* <target-ip>

System Hacking :

System hacking involves gaining unauthorized access to computer systems to
exploit vulnerabilities, steal information, or compromise system integrity. It is a
crucial phase in ethical hacking, penetration testing, and cybersecurity defense
strategies. Here's a detailed breakdown of the key components:

1. Password-Cracking Techniques

Password cracking is the process of recovering passwords from stored data or
transmitted information using various techniques.

The primary goal is to gain unauthorized access to a system or account. In ethical
hacking, it's used to test the strength of passwords and enhance security.

1. Non-Electronic Attacks:
These attacks don't involve any digital tools or software. Instead, they rely
on human interaction or observation.

 Social Engineering: Manipulating individuals into revealing passwords or
other confidential information.
 Shoulder Surfing: Observing someone's screen or keyboard as they enter
their password.
 Dumpster Diving: Searching for sensitive information in discarded
documents.

2. Active Online Attacks:
These attacks actively interact with the target system by repeatedly
attempting to log in. They can be detected by monitoring tools due to
multiple failed login attempts.

 Brute Force Attack: Trying all possible combinations until the correct one
is found. It's time-consuming but effective.
 Dictionary Attack: Using a predefined list of common words or passwords.
 Credential Stuffing: Using stolen username and password pairs from one
breach to access other accounts.
 Phishing: Tricking users into providing passwords via fake emails or websites.

3. Passive Online Attacks:
These attacks monitor network communications without directly
interacting with the target system.

 Sniffing: Capturing network traffic to intercept unencrypted passwords.
Tools like Wireshark are often used.
 Man-in-the-Middle (MitM): Intercepting communication between two
parties to capture login credentials.
 Replay Attack: Capturing and reusing authentication packets to gain
unauthorized access.

4. Default Password Attacks:
These attacks exploit devices or systems using their factory-set default
passwords.

 Many devices (e.g., routers, IoT devices) come with default credentials that
users often don't change.
 Attackers look up these default credentials online and use them to gain
unauthorized access.

5. Offline Attacks:
These involve obtaining the encrypted password file and cracking the
passwords without interacting with the live system.

 Brute Force and Dictionary Attacks: Applied offline using powerful
computing resources.
 Rainbow Table Attack: Uses precomputed hash tables to crack passwords
faster.
 Password Hash Cracking: Attacking stored password hashes using tools
like Hashcat or John the Ripper.
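Item 2 above notes that active online attacks are detectable through the burst of failed logins they generate. The following is an added example (not part of these notes) of that monitoring check: it parses constructed auth-log lines in the shape sshd writes and alerts on any source that fails a threshold number of times within a short window, telling a single-account brute force apart from attempts spread over many accounts. The threshold, window, year and sample addresses are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the failed-password line sshd writes to the auth log.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2025):
    """Yield (timestamp, user, source_ip) for every failed-login line; other
    lines are ignored. Syslog timestamps carry no year, so one is assumed."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert on any source that produced `threshold` failures inside some
    `window_seconds` span. Returns {ip: {"failures": n, "users": [...],
    "pattern": "single account" | "multiple accounts"}}."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        # slide a window of `threshold` consecutive failures along the timeline
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                users = sorted({u for _, u in events})
                alerts[ip] = {
                    "failures": len(events),
                    "users": users,
                    "pattern": "single account" if len(users) == 1 else "multiple accounts",
                }
                break
    return alerts


# Constructed log lines (not from a real system); addresses are documentation ranges.
SAMPLE_LOG = [
    "Mar 10 09:15:01 web1 sshd[2201]: Accepted publickey for deploy from 192.0.2.10 port 50112 ssh2",
    # one source hammering a single account: brute force / dictionary attack
    "Mar 10 09:15:03 web1 sshd[2204]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "Mar 10 09:15:04 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 40002 ssh2",
    "Mar 10 09:15:06 web1 sshd[2206]: Failed password for root from 203.0.113.7 port 40003 ssh2",
    "Mar 10 09:15:07 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 40004 ssh2",
    "Mar 10 09:15:09 web1 sshd[2208]: Failed password for root from 203.0.113.7 port 40005 ssh2",
    "Mar 10 09:15:10 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 40006 ssh2",
    # one source trying many accounts once each: credential-stuffing pattern
    "Mar 10 09:20:00 web1 sshd[2301]: Failed password for invalid user admin from 198.51.100.4 port 5001 ssh2",
    "Mar 10 09:20:02 web1 sshd[2302]: Failed password for invalid user test from 198.51.100.4 port 5002 ssh2",
    "Mar 10 09:20:03 web1 sshd[2303]: Failed password for invalid user oracle from 198.51.100.4 port 5003 ssh2",
    "Mar 10 09:20:05 web1 sshd[2304]: Failed password for invalid user guest from 198.51.100.4 port 5004 ssh2",
    "Mar 10 09:20:06 web1 sshd[2305]: Failed password for deploy from 198.51.100.4 port 5005 ssh2",
    # a user who mistyped twice and then got in: stays below the threshold
    "Mar 10 10:02:11 web1 sshd[2401]: Failed password for alice from 192.0.2.25 port 6001 ssh2",
    "Mar 10 10:02:20 web1 sshd[2402]: Failed password for alice from 192.0.2.25 port 6002 ssh2",
    "Mar 10 10:02:31 web1 sshd[2403]: Accepted password for alice from 192.0.2.25 port 6003 ssh2",
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```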

2. Types of Passwords

Different types of passwords are used for various security purposes:

 Static Passwords: Unchanging passwords, vulnerable to replay attacks and
password guessing.
 Dynamic Passwords: Change frequently, e.g., OTPs (One-Time Passwords) used
in banking.
 Passphrases: Longer, more secure combinations of words or phrases.
 Graphical Passwords: Use images or patterns instead of alphanumeric
characters.
 Biometric Passwords: Based on physiological traits like fingerprints, iris
scans, or facial recognition.

3. Keyloggers and Other Spyware Technologies

Keyloggers and spyware capture sensitive information without user knowledge:

 Keyloggers:

Keyloggers are malicious tools designed to record every keystroke made on
a keyboard. They are often used by attackers to capture sensitive
information, such as passwords, credit card details, and personal messages.
In ethical hacking, keyloggers are studied to understand their functionality
and develop countermeasures.

Types of Keyloggers:

1. Hardware Keyloggers:

 Physical devices plugged between the keyboard and the computer,
capturing keystrokes before they reach the system.
 Examples:
 USB Keyloggers: Inserted between the keyboard and USB port.
 PS/2 Keyloggers: Placed between the PS/2 keyboard cable and the
port.
 Keyboard Overlays: Thin devices placed over the keyboard
(commonly used at ATMs).

2. Software Keyloggers:

 Programs installed on the computer that monitor and record keystrokes.
 Examples:
 Application Keyloggers: Target specific applications (e.g., web
browsers).
 Kernel-based Keyloggers: Operate at the OS kernel level, making
them difficult to detect.

How It Works:

 Recording: Captures keystrokes and stores them in log files.
 Transmission: Sends logs to the attacker via email, FTP, or cloud storage.
 Stealth Mechanisms: Operate in the background without the user's
knowledge. Advanced versions can bypass antivirus software.

How to Detect and Prevent Keyloggers:

 Anti-keylogger Software: Specifically designed to detect keyloggers,
e.g. Norton Antivirus, 360 Safeguard.
 Antivirus and Anti-malware Tools: Regular scans to identify and remove
malicious software.
 Task Manager and Startup Programs: Check for unknown or suspicious
processes.
 Virtual Keyboards and Two-Factor Authentication (2FA): Reduce the
risk of keylogger attacks.
 Regular Updates and Patching: Keep the OS and applications up to date to
fix security vulnerabilities.

4. Escalating Privileges

 Privilege escalation is the process of gaining higher access rights than
originally granted. In ethical hacking, it's used to test system security and
identify vulnerabilities that attackers could exploit to gain unauthorized
control over sensitive data and resources.

Types of Privilege Escalation:

1. Vertical Privilege Escalation:

 The attacker gains higher privileges than their current level (e.g., from a
normal user to an administrator).
 Example: Exploiting a vulnerability in system software to gain root or
admin access.

2. Horizontal Privilege Escalation:

 The attacker accesses another user’s account with the same privilege level.
 Example: Logging into another user’s email account without increasing
access rights.

Techniques Used for Privilege Escalation:

1. Exploiting Software Vulnerabilities:

 Buffer Overflows, Race Conditions, or Unpatched Bugs can be used to
execute malicious code with elevated privileges.
 Example: Exploiting a misconfigured SUID (Set User ID) program in Linux
to gain root access.

2. Misconfigured Permissions:

 Files or directories with insecure permissions allow unauthorized users to
read or modify them.
 Example: A sensitive configuration file with read/write permissions for all
users.

3. Credential Dumping:

 Extracting credentials from memory, registry, or configuration files.
 Tools used: Metasploit.

4. Bypassing User Account Control (UAC):

 Exploiting UAC misconfigurations in Windows to execute code with
elevated privileges.

5. DLL Injection and Hijacking:

 Placing a malicious Dynamic Link Library (DLL) in the application's
directory so that the application loads it with elevated privileges.

6. Scheduled Tasks and Services Abuse:

 Modifying scheduled tasks or services running with admin rights to execute
malicious commands.

Prevention and Mitigation:

 Regular Patching: Update systems and applications to fix known
vulnerabilities.
 Least Privilege Principle: Grant users and applications only the necessary
privileges.
 Security Audits: Periodic review of user accounts and permissions.
 Multi-Factor Authentication (MFA): Adds an extra layer of security
beyond passwords.
 Monitoring and Logging: Track system changes and alert administrators to
suspicious activities.

5. Rootkits :

Rootkits are a type of malicious software designed to gain unauthorized access to a
computer system while keeping their presence hidden. They allow attackers to
maintain privileged access to a system without being detected, enabling them to
steal information, modify system settings, or launch further attacks.

The term rootkit means a set of tools that allow someone to gain and maintain
root-level access to a system without detection.

Types of Rootkits:

1. Hardware/Firmware Rootkits: Infect hardware components like the BIOS
or network cards, making them difficult to detect and remove.
2. Bootloader Rootkits: Attack the boot process, loading before the operating
system to maintain control.
3. Kernel Rootkits: Target the core of the operating system (kernel), giving
the attacker full control over system processes.
4. User-mode Rootkits: Operate at the application level, intercepting system
calls to hide malicious activities.
5. Memory Rootkits: Reside in the RAM, avoiding storage drives, and
disappear when the system is rebooted.

How Rootkits Work:

 They modify system files or functions to hide their presence.
 Often, they disguise themselves as legitimate system files or processes.
 Some rootkits open backdoors for remote access, allowing attackers to
control the system.

Detection and Removal:

 Detection is challenging because rootkits are designed to be stealthy.
Advanced antivirus tools, rootkit scanners (like GMER or RootkitRevealer),
or system integrity checks are required.
 Removal can be difficult. It may require specialized tools or a complete
system reinstallation, especially for firmware or bootloader rootkits.

Denial of Service (DoS)

A Denial of Service (DoS) attack aims to make a computer, network, or website
unavailable to users by overwhelming it with excessive traffic or exploiting system
vulnerabilities. When multiple systems are used to launch the attack, it is called a
Distributed Denial of Service (DDoS) attack.

The attacker floods the system with unwanted packets to overload its resources.

Types of DoS Attacks:

1. Volume-based Attacks:

 Overwhelm the target's bandwidth with massive data traffic.
 Examples: UDP floods, ICMP floods, amplification attacks, SYN floods,
HTTP floods.

2. Protocol Attacks:

 Exploit weaknesses in network protocols, consuming server resources.
 Examples: SYN flooding, Ping of Death, Smurf attack.

3. Application Layer Attacks:

 Target specific applications or services, exhausting resources at the
application level.
 Examples: HTTP floods, Slowloris attacks.

Working of DoS Attacks:

 Attackers send a large number of requests or malformed packets to the target
system.
 The target is overwhelmed, leading to resource exhaustion (CPU, RAM, or
bandwidth).
 This results in legitimate users being unable to access the service or
resource.

BOTs/BOTNETs:

 BOTs are compromised devices (computers, IoT devices) controlled by an
attacker.
 A BOTNET is a network of these infected devices, acting together under a
command-and-control (C&C) server.
 BOTNETs are used to launch large-scale DDoS attacks by sending massive
amounts of traffic from different locations.
 They can also be used for data theft, email spamming, or spreading malware.

“Smurf” Attack:

 A Smurf attack is a type of volume-based DoS attack.
 The attacker sends ICMP Echo requests (pings) with the victim's IP address
spoofed as the source.
 These requests are broadcast to a network, causing all devices to respond
to the victim's IP.
 The victim is overwhelmed by the volume of responses, leading to a denial
of service.
 Countermeasure: Disable IP-directed broadcasts on network routers.

“SYN” Flooding:

 SYN Flooding is a protocol attack that exploits the TCP handshake process.
 During a normal TCP handshake:
1. Client sends a SYN packet.
2. Server responds with a SYN-ACK packet.
3. Client completes the handshake with an ACK packet.
 In SYN Flooding:

 The attacker sends multiple SYN packets but never responds to the
SYN-ACKs.
 The server holds open connections, waiting for ACKs, exhausting
connection resources.
 This prevents legitimate users from establishing connections.
 Countermeasure: Use SYN cookies or increase the backlog queue size.

DoS/DDoS Countermeasures:

1. Network-Level Defenses:

 Firewalls and Intrusion Prevention Systems (IPS) to filter malicious
traffic.
 Rate limiting and traffic shaping to control traffic flow.

2. Application-Level Defenses:

 Web application firewalls (WAF) to protect against HTTP floods.
 Load balancers to distribute traffic and prevent server overload.

3. Architectural Measures:

 Content Delivery Networks (CDNs) to absorb traffic spikes.
 Redundancy and failover systems to ensure service continuity.

4. Detection and Response:

 Real-time monitoring tools to detect abnormal traffic patterns.
 DDoS mitigation services (e.g., Cloudflare, Akamai) for rapid
response.

5. Preventive Measures:

 Disabling unused network services and ports.
 Patching software to fix vulnerabilities.

Sniffers

Sniffers are tools or software used to capture and analyze network traffic. They can
be used for legitimate purposes like network monitoring or troubleshooting, but
they can also be misused by attackers to capture sensitive data like usernames,
passwords, and other confidential information.

Protocols Susceptible to Sniffing

Certain protocols transmit data in plaintext, making them more vulnerable to
sniffing attacks:

1. HTTP – Transmits data unencrypted, exposing sensitive information.
2. FTP – Sends credentials and files in plaintext.
3. Telnet – Sends commands and credentials without encryption.
4. SMTP, POP3, IMAP – Email protocols that may transmit credentials and
messages unencrypted.
5. SNMP v1 and v2 – Transmit community strings in plaintext.

Active vs. Passive Sniffing

 Passive Sniffing:
 Listens to traffic without altering or interacting with the network.
 Used in networks with hubs (broadcast-based networks).
 Difficult to detect since it does not generate network traffic.

 Active Sniffing:
 Involves manipulating network traffic to capture data.
 Used in switched networks where traffic is directed to specific
devices.
 Techniques include ARP Poisoning, MAC Flooding, and DNS
Spoofing.

ARP Poisoning

 Description:
 An attacker sends falsified ARP messages to link their MAC address
with the IP address of a legitimate device.
 This causes data intended for that IP to be sent to the attacker's device,
enabling data interception or modification.

 Impact:
 Man-in-the-Middle (MITM) attacks, session hijacking, and data theft.
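The falsified replies described above leave three traces on the wire that the static-ARP and dynamic-ARP-inspection countermeasures later in this section depend on: a reply that contradicts a known binding, an IP whose MAC suddenly changes, and one MAC answering for several IPs. The following is an added example (not part of these notes) of a detector for those traces over constructed ARP reply records; the record format, the trusted gateway binding and the sample addresses are assumptions of the example.

```python
from collections import defaultdict

# Constructed trusted bindings: what static ARP entries or a DHCP-snooping
# table would hold for hosts that must never change (here, the gateway).
TRUSTED_BINDINGS = {"10.0.0.1": "aa:bb:cc:00:00:01"}


def parse_arp_reply(line):
    """Parse a constructed record '<seq> <sender_ip> is-at <sender_mac>'
    (the shape tcpdump prints for ARP replies, minus the timestamp)."""
    seq, ip, verb, mac = line.split()
    if verb != "is-at":
        raise ValueError(f"not an ARP reply: {line!r}")
    return int(seq), ip, mac.lower()


def detect_arp_poisoning(lines, trusted=TRUSTED_BINDINGS):
    """Return a list of alert dicts. Three signs are checked:
    1. a reply contradicting a trusted (static) binding,
    2. an IP whose MAC differs from the one first learned for it,
    3. one MAC claiming several IP addresses (the attacker posing as
       gateway and victim at once to sit in the middle)."""
    learned = {}               # ip -> first mac observed
    claims = defaultdict(set)  # mac -> set of ips it answered for
    alerts = []
    for line in lines:
        seq, ip, mac = parse_arp_reply(line)
        if ip in trusted and trusted[ip] != mac:
            alerts.append({"seq": seq, "type": "trusted binding violated",
                           "ip": ip, "mac": mac, "expected": trusted[ip]})
        elif ip in learned and learned[ip] != mac:
            alerts.append({"seq": seq, "type": "mapping changed",
                           "ip": ip, "mac": mac, "previous": learned[ip]})
        learned.setdefault(ip, mac)   # keep the first binding as the reference
        claims[mac].add(ip)
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append({"seq": None, "type": "one MAC claims several IPs",
                           "mac": mac, "ips": sorted(ips)})
    return alerts


# Constructed ARP replies seen on one LAN segment (not a real capture).
SAMPLE_ARP = [
    "1 10.0.0.1 is-at aa:bb:cc:00:00:01",   # gateway, genuine
    "2 10.0.0.5 is-at aa:bb:cc:00:00:05",   # workstation, genuine
    "3 10.0.0.1 is-at aa:bb:cc:00:00:99",   # a third device claims to be the gateway
    "4 10.0.0.5 is-at aa:bb:cc:00:00:99",   # ...and the workstation: classic MITM setup
    "5 10.0.0.7 is-at aa:bb:cc:00:00:07",   # unrelated, genuine
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP):
        print(alert)
```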

MAC Flooding

 Description:
 The attacker floods a switch with a large number of fake MAC
addresses.
 This overloads the switch's MAC table, forcing it to operate as a hub
by broadcasting packets to all ports.
 The attacker can then capture traffic not intended for them.

 Impact:
 Network congestion, data interception, and reduced network
performance.

DNS Spoofing Techniques

 Description:
 An attacker corrupts the DNS cache to redirect users to malicious
websites.
 Methods include:
 DNS Cache Poisoning: Injecting false DNS records into a
resolver's cache.
 Man-in-the-Middle (MITM) DNS Spoofing: Intercepting and
altering DNS requests.
 DNS ID Spoofing: Predicting the transaction ID of a DNS
query and sending a malicious response.

 Impact:
 Phishing attacks, data theft, and malware distribution.

Sniffing Countermeasures

1. Encryption:

 Use secure protocols like HTTPS, SFTP, SSH, and TLS for data
transmission.
 Implement VPNs for secure communication over public networks.

2. Network Segmentation:

 Separate sensitive data traffic from general network traffic.

3. Switch Security:

 Use port security and static ARP entries to prevent MAC flooding and
ARP poisoning.
 Enable DHCP snooping and dynamic ARP inspection (DAI).

4. Intrusion Detection Systems (IDS):

 Deploy IDS/IPS to monitor and detect abnormal network traffic
patterns.

5. Regular Audits and Updates:

 Regularly update firmware and security patches on network devices.
 Conduct network audits to identify vulnerabilities.

6. User Education:

 Educate users about phishing and social engineering attacks related to
DNS spoofing.

Session Hijacking

Session hijacking is an attack where an attacker takes over a valid session between
a user and a web server. This is done to gain unauthorized access to information or
services by stealing or manipulating session tokens.

Types of Session Hijacking

1. Active Session Hijacking:

 The attacker takes control of an active session by injecting data or
commands.
 Usually involves a Man-in-the-Middle (MITM) attack.

2. Passive Session Hijacking:

 The attacker monitors the session without interfering.
 The goal is to gather information, such as session tokens or
credentials.

3. Cross-site Scripting (XSS) Hijacking:

 Exploits vulnerabilities in web applications to steal session cookies.
 Malicious scripts are injected into trusted websites.

4. Session Fixation:

 The attacker sets a known session ID and tricks the user into
authenticating with it.
 After authentication, the attacker uses the known session ID to access
the account.

5. Session Sidejacking:

 Involves intercepting session cookies during transmission.
 Often done using packet sniffers on unencrypted networks.

Sequence Prediction

 Description:
 In TCP/IP communications, packets are numbered using sequence
numbers.
 An attacker predicts these sequence numbers to inject malicious
packets into an active session.
 This can allow the attacker to take control of the communication
stream.

 Impact:
 Man-in-the-Middle (MITM) attacks, data manipulation, and
unauthorized commands.

Steps of Session Hijacking

1. Session Sniffing:

 The attacker monitors network traffic to capture session tokens or
cookies.
 Tools like Wireshark or tcpdump are commonly used.

2. Session Prediction:

 The attacker predicts session IDs based on weak algorithms or
patterns.
 Poorly generated session tokens are vulnerable to prediction.

3. Session Fixation:

 The attacker sets a session ID and forces the victim to use it.
 After authentication, the attacker uses the same session ID for
unauthorized access.

4. Session Stealing:

 The attacker steals a session ID using methods like XSS, sidejacking,
or sniffing.
 The stolen session ID is then used to impersonate the victim.

5. Man-in-the-Middle (MITM) Attack:

 The attacker intercepts communication between the user and the
server.
 This allows the attacker to read, modify, or inject data into the
session.

Prevention Techniques:

1. Encryption:

 Use HTTPS and secure communication protocols (SSL/TLS) to
encrypt session tokens.
 Implement VPNs to secure network traffic.

2. Session Management Best Practices:

 Use secure, random, and unique session IDs.
 Regenerate session IDs after login or privilege escalation.

3. Timeouts and Logout:

 Implement session timeouts and automatic logout after inactivity.
 Invalidate sessions on logout or when changing passwords.

4. Token Security:

 Use anti-CSRF tokens to prevent Cross-Site Request Forgery.
 Encrypt session cookies to protect them from theft.

5. Intrusion Detection Systems (IDS):

 Deploy IDS/IPS to detect unusual session activity or repeated login
attempts.

6. User Awareness and Security Practices:

 Educate users about phishing and social engineering attacks.
 Encourage users to avoid public Wi-Fi for sensitive transactions.
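Items 2 and 3 of the prevention list (random unique IDs, regeneration after login, idle timeout, invalidation on logout or password change) can be read as a specification for the server's session store. The following is an added example (not part of these notes) of a minimal in-memory store that meets it and shows why each rule matters: a planted ID is discarded at login, which defeats session fixation, and guessed IDs are compared in constant time. The class name, the 15-minute default and the injectable clock are this example's choices.

```python
import hmac
import secrets
import time


class SessionStore:
    """In-memory session store applying the prevention list above: unpredictable
    IDs, a fresh ID on login (defeats fixation), idle timeout, invalidation on
    logout or password change, and constant-time token comparison."""

    def __init__(self, idle_timeout=900, clock=time.time):
        self.idle_timeout = idle_timeout   # seconds of inactivity before expiry
        self.clock = clock                 # injectable so tests can move time forward
        self._sessions = {}                # sid -> {"user": str|None, "last_seen": float}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG, not predictable

    def create(self, user=None):
        """Start a session (anonymous until login) and return its ID."""
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Return the session record for a presented ID, or None. Idle sessions
        expire here. Each candidate is compared in constant time so a guesser
        learns nothing from response timing; a large store would index a hash
        of the token instead of scanning every entry."""
        if not isinstance(sid, str) or not sid.isascii():
            return None
        match = None
        for stored in list(self._sessions):
            if hmac.compare_digest(stored, sid):
                match = stored
        if match is None:
            return None
        rec = self._sessions[match]
        if self.clock() - rec["last_seen"] > self.idle_timeout:
            del self._sessions[match]      # timed out: treat as never existed
            return None
        rec["last_seen"] = self.clock()
        return rec

    def login(self, presented_sid, user):
        """Authenticate: discard whatever ID the client arrived with (including
        one an attacker planted) and issue a new one bound to the user."""
        self._sessions.pop(presented_sid, None)
        return self.create(user)

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def invalidate_user(self, user):
        """On password change: terminate every session belonging to that user."""
        for sid in [s for s, r in self._sessions.items() if r["user"] == user]:
            del self._sessions[sid]


if __name__ == "__main__":
    store = SessionStore(idle_timeout=900)
    planted = "attacker-chosen-id"              # fixation attempt
    real = store.login(planted, "alice")        # the planted value is never honoured
    print("planted id still valid:", store.lookup(planted) is not None)   # False
    print("issued id length:", len(real), "user:", store.lookup(real)["user"])
```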

Hacking Web Servers:

 Web Server: Software or hardware that handles HTTP requests, delivers
web pages, and hosts websites (e.g., Apache).
 Web Application: A software application that runs on a web server and is
accessed through a browser (e.g., Gmail, Facebook, online banking portals).

1. Web Server Vulnerabilities

Web servers are crucial components of web applications but are often targeted due
to various vulnerabilities. Common weaknesses include:

 Misconfigurations: Default settings, unnecessary services, or improper
access control.
 Outdated Software: Unpatched servers with known security flaws.
 Weak Authentication: Weak passwords, lack of multi-factor authentication
(MFA).
 Directory Traversal: Improper validation allowing attackers to access
sensitive files.
 Improper Input Validation: SQL injection, cross-site scripting (XSS), and
other injection attacks.
 Misconfigured Permissions: Overly permissive file and directory
permissions.

2. Attacks Against Web Servers

Hackers exploit the above vulnerabilities through various attack methods:

 Denial-of-Service (DoS) & Distributed Denial-of-Service (DDoS):
Overloading the server to make it unavailable.
 Man-in-the-Middle (MITM) Attacks: Intercepting communication
between client and server.
 Brute Force Attacks: Attempting multiple password combinations to gain
unauthorized access.
 Session Hijacking: Stealing active session cookies for unauthorized access.
 Directory Traversal Attack: Accessing restricted directories via URL
manipulation.
 Zero-Day Exploits: Attacking unpatched vulnerabilities before fixes are
available.
 Web Defacement: Modifying website content to display hacker messages.
 XSS Attack: Allows the attacker to inject client-side script into a web
page; may be used to bypass access controls.

3. Patch Management Techniques

Patches in a Web Server are software updates released by vendors to fix security
vulnerabilities, bugs, and performance issues.

Basically patch management is the process that helps to acquire,test and install
multiple patches(code change)on existing application and software tools

It is an essential part of configuration and change management.

The main objective of patch management program is to create a consistently


configured environment that is secure against known vulnerabilities in operating
system and application software.
To mitigate security risks, regular patching is necessary:

 Automated Patch Management Tools: Tools like WSUS (Windows Server
Update Services), SCCM, and third-party solutions.
 Regular Vulnerability Scanning: Using scanners like Nessus, OpenVAS,
or Qualys.
 Testing Patches Before Deployment: Implementing patches in a test
environment before applying them to production.
 Updating Third-Party Applications: Keeping CMS (WordPress, Joomla,
etc.), plugins, and server-side applications updated.
 Monitoring Security Bulletins: Staying informed about new vulnerabilities
via sources like CVE (Common Vulnerabilities and Exposures) databases.

4. Web Server Hardening Techniques

Web server hardening is the process of securing a web server to reduce
vulnerabilities and protect against cyber threats.

To strengthen web server security, implement the following measures:

 Disable Unnecessary Services: Turn off unused modules, ports, services, and
features.
 Use Secure Configurations: Modify default settings, restrict access
permissions.
 Implement Strong Authentication: Use MFA, strong passwords, and limit
login attempts.
 Enable HTTPS & TLS Encryption: Secure communication using
SSL/TLS.
 Configure Firewalls & Intrusion Detection Systems (IDS/IPS): Set up
Web Application Firewalls (WAF) like ModSecurity.
 Restrict File & Directory Access: Use proper permissions (e.g., chmod 750
for sensitive files).
 Monitor Server Logs: Regularly check logs for suspicious activity.
 Use Virtual Patching: Implement WAF rules to mitigate vulnerabilities
before official patches are released.
 Regular Backups: Keep encrypted backups for recovery in case of attacks.
 Change Management: A structured approach to handling modifications in IT
systems, security policies, or infrastructure while minimizing risks, downtime,
and security vulnerabilities.

SQL Injection:

 SQL Injection (SQLi) is a security vulnerability that allows attackers to
manipulate database queries.
 It can lead to unauthorized data access, data alteration, or database control.
In some cases, attackers can even escalate privileges, gaining full control
over the database or server.
 SQLi often occurs when user input is not properly sanitized and is
unexpectedly executed as part of an SQL command.
 Two common techniques are error-based and union-based SQL injection.

Error-Based SQL Injection

 This technique relies on database error messages to extract information.
 Attackers manipulate the SQL query to force the database to return an error
message that reveals information about the database structure.
 If an error message is displayed, it may contain details about table names,
column names, or data types.

Union-Based SQL Injection

 This technique exploits the UNION SQL operator to combine results from
multiple SELECT queries.
 Attackers use UNION SELECT to retrieve additional data from other
tables.

 Steps of SQL Injection Attack:

1. Identifying Vulnerable Input Fields

 Attackers test input fields (login forms, search boxes, URL parameters) to
check if they accept SQL queries.
 Example: Entering ' OR 1=1 -- in a login form might bypass
authentication (error-based).

2. Crafting Malicious SQL Queries

 Attackers try modifying queries to extract, delete, or modify data.
 Example: SELECT * FROM users WHERE username = 'admin' --' AND password
= 'password';
 -- starts a comment in SQL, so the password check is ignored.
 Union-based SQL injection uses the SELECT operator combined with UNION.

3. Extracting Data from the Database

 Using SQL queries like:
 UNION SELECT username, password FROM users;
 Attackers retrieve user credentials, credit card data, or other sensitive
information.

4. Escalating Privileges

 If attackers gain admin access, they can modify database contents or create
new accounts.

5. Deleting or Modifying Data

 Example: DROP TABLE users;

To mitigate SQL Injection threats:

 Apply input validation
 Implement least privilege access
 Disable dangerous SQL Server features
 Use firewalls and monitoring tools
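To show the flaw described in the steps above beside its fix, here is an added Python example (not code from the original notes) using an in-memory SQLite table with constructed sample users and products; the payloads are the ones quoted in the notes, and login_safe, authenticate and search_safe are the parameterized and validated versions a developer should ship.

```python
import re
import sqlite3

# Constructed sample data (not from any real system). Passwords are stored in the
# clear only to keep the demo short; a real system stores a salted hash.
USERS = [("admin", "S3cretAdminPw!", "admin"), ("alice", "alicepw", "user")]
PRODUCTS = [("Laptop", 999), ("Mouse", 25)]

# Allowlist for usernames: input validation as the first mitigation layer.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db():
    """In-memory SQLite database standing in for the web application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("CREATE TABLE products (name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: user input is parsed as SQL.
    The username admin' -- comments out the password check (step 2 above)."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Parameterized query: input is bound as data, so quotes and -- stay literal."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def authenticate(conn, username, password):
    """Validation plus parameterization: reject malformed usernames before querying."""
    if not USERNAME_RE.match(username):
        return None
    return login_safe(conn, username, password)


def search_vulnerable(conn, term):
    """Concatenated LIKE clause: a UNION SELECT payload appends rows from the
    users table to the product listing (union-based injection, step 3 above)."""
    query = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(query).fetchall()


def search_safe(conn, term):
    """Parameterized LIKE: the wildcards are added in code, the term stays data."""
    query = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(query, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, "admin' --", "wrong"))  # admin row
    print("safe login:      ", authenticate(db, "admin' --", "wrong"))      # None
    union = "' UNION SELECT username, password FROM users --"
    print("vulnerable search:", search_vulnerable(db, union))              # leaks credentials
    print("safe search:      ", search_safe(db, union))                    # []
```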

 Web-Based Password Cracking Techniques:

Password cracking is a method used by attackers to gain unauthorized access to
web applications by exploiting weak or compromised passwords.

Authentication Types:

Authentication is the process of verifying the identity of users before granting
access. The most common types include:

1. Single-Factor Authentication (SFA)

 Users authenticate using one factor, typically a password.
 Vulnerable to password-based attacks like brute force and dictionary attacks.
 Example: Standard username-password login.

2. Two-Factor Authentication (2FA) / Multi-Factor Authentication (MFA)

 Requires at least two authentication factors:
 Something you know (password, PIN)
 Something you have (OTP, security token)
 Something you are (biometric data like fingerprint, retina scan)
 Adds an extra layer of security against password cracking.

3. Token-Based Authentication

 Uses session tokens, such as JSON Web Tokens (JWT), OAuth, or SAML
(Security Assertion Markup Language, used for Single Sign-On (SSO) in
enterprise applications).
 Reduces reliance on passwords but can be vulnerable to token theft.

4. Biometric Authentication

 Uses fingerprints, facial recognition, or voice authentication.
 Harder to crack than traditional passwords but vulnerable to spoofing attacks.

Web-Based Password Cracking Techniques

Attackers use various methods to crack passwords and gain unauthorized access:

1. Brute Force Attack

 The attacker tries every possible combination of characters until the correct
password is found.
 Slow but effective if passwords are weak.

2. Dictionary Attack

 Uses a precompiled list of common passwords (e.g., "123456",
"password", "qwerty").
 Faster than brute force but ineffective against strong, unique passwords.

3. Credential Stuffing

 Attackers use previously leaked credentials from data breaches.
 Works if users reuse passwords across multiple sites.

4. Hybrid Attack

 A combination of dictionary and brute force attacks.
 Example: Uses dictionary words with common variations like ?

5. Phishing Attack

 Attackers trick users into revealing passwords via fake login pages or
emails.
 Example: A fake PayPal login page asking users to enter their credentials.

6. Keylogging

 Malicious software (keylogger) records keystrokes and captures passwords.
 Attackers use malware or infected websites to install keyloggers.

7. Man-in-the-Middle (MITM) Attack

 Attackers intercept login credentials during transmission.
 Common when logging in over unencrypted (HTTP) connections.

8. Password Spraying

 Tries a few common passwords against many accounts to avoid detection.
 Example: In a company with 1000 employees, the attacker tries one common
password (like Welcome@123) on all 1000 accounts.

Password Cracking Tools:

1. Hashcat

 Fastest password recovery tool using GPU acceleration.
 Supports brute force, dictionary, hybrid, and rule-based attacks.

2. John the Ripper

 Open-source tool used for offline password cracking.
 Efficient against hashed passwords.

3. Hydra

 A network login cracker that performs brute force attacks on web
applications.
 Supports multiple authentication protocols (HTTP, FTP, SSH).

4. Burp Suite

 Web security testing tool that can be used for brute force attacks on web-
based login forms.

5. SQLmap

 Used for SQL Injection attacks to extract login credentials from vulnerable
databases.

Countermeasures:

1. Enforce Strong Password Policies

 Require minimum password length (12-16 characters).
 Mandate a mix of uppercase, lowercase, numbers, and special characters.

2. Implement Account Lockout Mechanism

 Lock user accounts after multiple failed login attempts (e.g., 5-10 attempts).

3. Use Multi-Factor Authentication (MFA)

 Require a second factor like OTP, biometric verification, or security key.
 Example: Google Authenticator, Microsoft Authenticator.

4. Implement Rate Limiting & CAPTCHA

 Rate-limit login attempts to prevent brute force attacks.
 Use CAPTCHA (reCAPTCHA) to block bots.

5. Use HTTPS and Secure Cookies

 Always enforce HTTPS to encrypt data during transmission.

6. Educate Users About Phishing Attacks

 Train users to recognize phishing emails and fake login pages.
 Enable email alerts for login attempts from unrecognized devices.

7. Conduct Regular Security Audits

 Perform penetration testing to identify weak authentication mechanisms.
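As an added example (not part of the original notes), the detection side of countermeasures 2 and 4 in Python: a per-account lockout counter, and a detector for the password-spraying pattern described under technique 8, both run over constructed authentication log lines; the log format, IP addresses and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example; real servers and IdPs differ).
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample log: 203.0.113.5 sprays 25 accounts with one guess each,
# bob mistypes once from 198.51.100.7, and 192.0.2.9 brute-forces carol.
SAMPLE_LOG = (
    [f"2024-05-01T09:{i // 10:02d}:{(i % 10) * 5:02d}Z src=203.0.113.5 "
     f"user=user{i:02d} result=FAIL" for i in range(25)]
    + ["2024-05-01T09:05:00Z src=198.51.100.7 user=bob result=FAIL",
       "2024-05-01T09:05:20Z src=198.51.100.7 user=bob result=OK"]
    + [f"2024-05-01T09:{10 + k}:00Z src=192.0.2.9 user=carol result=FAIL"
       for k in range(6)]
)


def parse_events(lines):
    """Return (timestamp, source, user, result) tuples, skipping unparseable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def account_lockouts(events, max_failures=5):
    """Countermeasure 2: lock an account after max_failures consecutive failures.
    A spray leaves each account with one failure, so it never trips this control."""
    failures = defaultdict(int)
    locked = set()
    for _, _, user, result in sorted(events):
        if result == "FAIL":
            failures[user] += 1
            if failures[user] >= max_failures:
                locked.add(user)
        else:
            failures[user] = 0
    return locked


def detect_spraying(events, window=timedelta(minutes=10), min_users=10):
    """Flag a source whose failures touch at least min_users distinct accounts
    within any window-sized interval. Returns {source: distinct_users}."""
    failures_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures_by_src[src].append((ts, user))
    alerts = {}
    for src, fails in failures_by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = len(users)
                break
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("locked accounts:", account_lockouts(evts))   # {'carol'}
    print("spraying sources:", detect_spraying(evts))   # {'203.0.113.5': 25}
```

The spraying source never locks an account, which is why the per-source distinct-user view is needed alongside the lockout counter.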

 Web Application Vulnerabilities:

Web applications are prime targets for attackers due to their exposure to the
internet. Hackers exploit vulnerabilities to steal data, gain unauthorized access, or
disrupt services.

1. Injection Attacks

 Web applications are prone to injection attacks like SQL injection. By
exploiting these vulnerabilities, malicious actors can gain unauthorized
access to your databases. However, vigilant coding practices and input
validation can fortify your defense.

2. Cross-Site Request Forgery (CSRF)

 CSRF attacks manipulate user actions without their knowledge, potentially
leading to unintended transactions or changes in user data. Implementing
strategies such as token-based validation can thwart these attacks and keep
your web application secure.

3. Cross-Site Scripting (XSS)

 XSS is a web attack where hackers inject malicious JavaScript into a website.
When users visit the infected page, the script runs in their browser, allowing
attackers to steal data, deface content, or hijack accounts.

4. Security Misconfigurations

 A security misconfiguration happens when a web application or server has
weak settings, default credentials, or unnecessary features enabled, making it
vulnerable to attacks. Unpatched software exposes known vulnerabilities.

5. Broken Authentication

 Broken authentication occurs when an attacker exploits weak login
mechanisms to gain unauthorized access to user accounts. This can lead to
account takeovers, data breaches, and identity theft. Robust authentication
mechanisms are a cornerstone of web application security.

Google Hacking (Google Dorking):

Google Hacking is a technique for finding sensitive information and vulnerabilities
using advanced Google search queries (also called Google Dorks). Hackers and
security researchers use it to discover:
 Exposed login pages
 Sensitive files (passwords, databases, etc.)
 Vulnerable web applications
 Open directories & webcams
 Google Dorking is a powerful tool, used by ethical hackers to find
vulnerabilities and by attackers to exploit weak websites.
 If your site is misconfigured, hackers can find and exploit it easily.
 Blocking indexing, restricting access, and fixing misconfigurations protect
your web apps from Google Dorking.

How Google Dorking Works

 Google provides special search operators that help refine search results.
These operators allow attackers to filter results and find hidden information.

Common Google Dorking Operators:

Operator    Function                                  Example
site:       Search within a specific website          site:example.com
intitle:    Find pages with a specific title          intitle:"admin login"
inurl:      Find URLs containing specific text        inurl:admin
filetype:   Search for specific file types            filetype:pdf site:example.com
index of    Find open directories                     "index of /" site:example.com
cache:      View Google's cached version of a page    cache:example.com
ext:        Search for specific file extensions       ext:sql

Buffer Overflows:

 Buffer overflows are exploits that hackers use against an operating system or
application; like SQL injection attacks, they are usually targeted at user input
fields.
 A buffer overflow exploit causes a system to fail by overloading memory or
executing a command shell or arbitrary code on the target system.
 A buffer-overflow vulnerability is caused by a lack of bounds checking or a
lack of input-validation sanitization in a variable field (such as on a web
form).
 If the application does not check or validate the size or format of a variable
before sending it to be stored in memory, an overflow vulnerability exists.
 The two types of buffer overflows are stack-based and heap-based. The stack
and the heap are memory regions where user-supplied variables are stored
until the program needs them.
 To detect buffer overflow vulnerabilities that result from poorly written
source code, a hacker sends large amounts of data to the application via a
form field and observes what the program does as a result.
 If the program does not handle the excess data, it overwrites memory,
causing the application to crash.
 The hacker can overwrite the return address of a function to point to
malicious code (shellcode).

Stack-Based Buffer Overflows :

A stack-based buffer overflow happens when a program writes more data than
allowed into a buffer (a temporary storage area in memory). This overwrites other
data in memory, including the function return address, which can allow an
attacker to execute malicious code.

A Program Creates a Buffer in Memory

 Example: A program reserves 10 bytes for user input.

The User Enters More Data Than Allowed

 If the program doesn't check input size, entering more than 10 bytes causes
an overflow, overwriting nearby memory.

Overwriting the Return Address

 The extra data spills into the return address, which normally tells the
program where to go next.
 Hackers replace it with the address of their own malicious code.

Execution of Malicious Code

 When the function returns, it jumps to the hacker’s code instead of the
correct program instructions.

Mutation techniques:

Mutation techniques are methods used by hackers to modify attack patterns
dynamically to bypass security defenses like Intrusion Detection Systems (IDS).
These techniques help in evading signature-based detection by slightly altering the
attack payload without affecting its functionality.

1. Standard Buffer Overflow to Return Pointer Redirection

 Hackers start with a basic buffer overflow attack.
 They overwrite the return pointer to redirect execution to their malicious
code.
 This requires knowing the exact memory address and stack size.

2. Use of No Operation (NOP) Instructions

 A NOP (No Operation) instruction is a CPU instruction that does nothing
except move the instruction pointer (EIP/RIP) to the next instruction.
 When an attacker overwrites the return address in memory to execute
shellcode, finding the exact memory address of the shellcode is difficult.
 Instead of jumping directly to the shellcode, the attacker fills memory with
NOP instructions (a NOP sled) before the actual malicious code.
 If the return address lands anywhere in the NOP sled, the execution slides
forward until it reaches the shellcode.

3. Bypassing Intrusion Detection Systems (IDS)

 An IDS can detect a long sequence of NOP instructions and block the attack.
 Hackers use mutation techniques by randomly replacing some NOPs with
equivalent instructions (e.g., x++, x--).
 This variation bypasses signature-based IDS detection.

4.Avoiding Vulnerable C Functions

 Functions like strcpy(), strcat(), and streadd() do not check buffer sizes,
making them prone to buffer overflows.
 Safer alternatives: Use strncpy(), strncat(), fgets(), or bounded memory
functions.

5.Using Java for Security

 Java manages memory automatically and does not allow direct buffer
manipulations like C/C++.
 Java programs cannot suffer from buffer overflow attacks, making it a safer
alternative for secure applications.

Wireless Hacking:

WEP (Wired Equivalent Privacy)

 WEP was the first security protocol for wireless networks, introduced in 1997 as part of
the IEEE 802.11 standard. It was designed to provide confidentiality similar to a wired
network but was later found to be highly vulnerable.
 It basically provides 64 bits of data at a time to encrypt and/or decrypt your data. The
algorithm used to encrypt and decrypt data is RC4, a stream cipher that uses an
initialization vector (IV). WEP employs a 24-bit IV added to the encryption key.
 The IV is transmitted in plaintext, making it susceptible to attacks.
 WEP has two modes of operation, text mode and hexadecimal mode. In text mode, the
encryption key is a plain text string, while in hexadecimal mode it is represented as
six 8-bit integers.
 Attackers can break WEP encryption using the following methods:
1. Passive Attack: Capturing enough IVs and analyzing patterns.
2. Active Attack: Injecting packets to accelerate IV collection.
3. ARP Injection: Tricking the network into generating more packets.
 WEP was deprecated in 2004 due to its weak encryption and ease of cracking.
 Modern Wi-Fi networks should use WPA2 or WPA3 for better security.

WPA Authentication Mechanisms

1. WPA (Wi-Fi Protected Access)

 As WEP became insecure, WPA was introduced as a stronger security mechanism.
 Uses TKIP (Temporal Key Integrity Protocol) to enhance encryption.
 Includes dynamic key changes, improving security over WEP.
 However, it remains vulnerable to brute-force and dictionary attacks.

2. WPA2 (Wi-Fi Protected Access 2)

 Introduced AES (Advanced Encryption Standard), a stronger encryption method.
 Considered secure but can still be attacked if weak passwords are used.
 Vulnerable to KRACK (Key Reinstallation Attack) in some implementations.

3. WPA3 (Wi-Fi Protected Access 3)

 Uses SAE (Simultaneous Authentication of Equals) to prevent offline dictionary attacks.
 Stronger encryption with GCMP-256 instead of AES-128.
 Introduces forward secrecy, protecting past communications even if a key is
compromised.

Wireless Cracking Techniques

Wireless cracking involves exploiting vulnerabilities in Wi-Fi security protocols to gain
unauthorized access to networks. Attackers use various techniques to intercept and manipulate
wireless traffic.

WEP Cracking Techniques:

1. Passive Attacks

A passive attack involves listening to wireless traffic without interfering with the network. The
attacker captures packets and analyzes them to extract encryption keys.

Capturing IVs (Initialization Vectors)

 Used primarily against WEP encryption.
 Attackers collect large amounts of IVs to find patterns.
 Once enough IVs are collected, a statistical attack is performed to recover the key.

How it Works:

1. Attacker monitors network traffic without interaction.
2. Collects IVs from WEP-encrypted packets.
3. Runs a key recovery algorithm to decrypt traffic.

Limitation:

 Requires capturing a large number of packets.
 Can be slow if the network has little traffic.
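An added Python example (not from the original notes) of why the 24-bit plaintext IV described in the WEP section makes passive IV collection worthwhile: a WEP-style RC4 encryptor written here for illustration, a check that two frames sharing an IV leak the XOR of their plaintexts to anyone listening, and the birthday-bound probability that an IV repeats; the secret key, IV and frame contents are constructed values, and the ICV/CRC part of real WEP is omitted.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 stream cipher (the cipher WEP uses): key scheduling, then keystream output."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: RC4 keyed with IV || secret, with the 3-byte IV sent in
    the clear in front of the ciphertext. The ICV/CRC of real WEP is omitted."""
    assert len(iv) == 3, "WEP uses a 24-bit IV"
    keystream = rc4_keystream(iv + secret, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """A passive listener reads the plaintext IVs. When two frames share an IV they
    share a keystream, so XOR-ing the ciphertexts cancels it and leaves
    plaintext_a XOR plaintext_b: confidentiality is lost without knowing the key.
    Returns None when the IVs differ (nothing leaks from this pair)."""
    iv_a, body_a = frame_a[:3], frame_a[3:]
    iv_b, body_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        return None
    return xor_bytes(body_a, body_b)


def iv_collision_probability(n_packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV value repeats among
    n_packets IVs drawn uniformly from a 2**iv_bits space."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2.0 * space))


def expected_packets_until_repeat(iv_bits: int = 24) -> float:
    """Expected number of packets before the first IV repeat: sqrt(pi/2 * 2**iv_bits)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    secret = b"\x01\x02\x03\x04\x05"                  # constructed 40-bit WEP key
    iv = b"\xaa\xbb\xcc"                               # constructed IV
    p1, p2 = b"GET /index.html ", b"POST /login.php "  # constructed frame payloads
    f1, f2 = wep_encrypt(secret, iv, p1), wep_encrypt(secret, iv, p2)
    print(keystream_reuse_leak(f1, f2) == xor_bytes(p1, p2))  # True
    print(round(iv_collision_probability(10_000), 3))          # 0.949
    print(round(expected_packets_until_repeat()))              # 5134
```

A busy access point sends thousands of frames a minute, so the numbers above show why IV repeats are a certainty rather than a rare event on WEP.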

2. Active Attacks

An active attack interferes with the network by injecting packets, causing increased traffic to
speed up the attack.

1. Packet Injection

 Used to force the network to generate more packets.
 Works by replaying captured packets to stimulate traffic.
 Helps speed up IV collection in WEP cracking.

How it Works:

1. Attacker listens for packets.
2. Replays them back into the network.
3. The router responds, generating more IVs.
4. Attacker collects enough IVs to recover the WEP key.

2. ARP Injection Attack

ARP injection forces a Wi-Fi access point to generate traffic by tricking it into responding to
ARP requests.

How it Works:

1. Attacker captures a valid ARP request from the network.
2. Uses aireplay-ng to replay the ARP request.
3. The router responds, generating new encrypted packets.
4. The attacker collects enough IVs to crack the WEP key.

Advantage:

 Fastest way to crack WEP by forcing the router to generate IVs.

Limitation:

 Requires a connected client on the network.
 Ineffective against WPA/WPA2 (which use dynamic encryption).

WPA/WPA2 Cracking Techniques

Dictionary & Brute-Force Attacks

 Capturing the WPA handshake and using a wordlist to guess passwords.
 Tools: Aircrack-ng, Hashcat, John the Ripper.

De-authentication Attack (Forced Handshake Capture)

 Forces a client to disconnect and reconnect, capturing the WPA handshake.
 Tools: aireplay-ng (part of the Aircrack-ng suite).

KRACK Attack (Key Reinstallation Attack)

 Exploits weaknesses in WPA2's four-way handshake.
 Allows attackers to decrypt network traffic.
 Mitigation: Use WPA3 or update WPA2 devices.

WPA3 Cracking Techniques

Although WPA3 is more secure, attackers use downgrade and side-channel attacks:

Downgrade Attacks

 Forces the network to fall back to WPA2, making it vulnerable to known attacks.

Side-Channel Attacks

 WPA3 uses Simultaneous Authentication of Equals (SAE), also known as the Dragonfly
Handshake.
 Attackers analyze timing leaks or power consumption patterns to extract cryptographic
keys.

Evil Twin Attack

 A fake Wi-Fi access point (AP) is created to steal login credentials.
 Victims unknowingly connect and enter their passwords.

Wireless Sniffers:

A wireless sniffer is a tool used to monitor, capture, and analyze network traffic over a Wi-Fi connection.
These tools can be used for network troubleshooting, security auditing, and penetration testing. However,
they can also be misused for eavesdropping and hacking.

 Capture packets traveling over a wireless network.
 Analyze network traffic to detect security issues.
 Can operate in promiscuous mode (monitor all traffic) or monitor mode (capture packets without
being connected).

Types of Wireless Sniffers

1. Passive Sniffers

 Only listen to network traffic without interference.
 Used for network analysis and security monitoring.
 Cannot be detected by users on the network.

Example: Wireshark

2. Active Sniffers

 Actively inject packets into the network.
 Used to manipulate or capture encrypted traffic.
 Easier to detect compared to passive sniffers.

Example: Ettercap

Rogue Access Points (APs)

A Rogue Access Point (AP) is an unauthorized wireless access point installed within a network.
It can be either malicious (set up by attackers) or accidental (set up by employees without IT
approval). These rogue APs pose serious security threats to organizations and individuals.

Types of Rogue Access Points

1. Malicious Rogue AP

 Installed by hackers to intercept network traffic.
 Used in Man-in-the-Middle (MITM) attacks to steal sensitive data.
 Often disguised as legitimate APs (Evil Twin attacks).

2. Unauthorized Employee AP

 Set up by employees for convenience without IT department approval.
 May have weak security settings, making the network vulnerable.

3. Compromised AP

 A legitimate AP hacked or reconfigured to allow unauthorized access.

Mitigation & Prevention

 Use Strong Wireless Security – WPA3 or WPA2-Enterprise with strong
authentication.
 Disable SSID Broadcasting – Prevent unauthorized users from easily identifying
the network.
 Monitor Wireless Traffic – Detect anomalies and unauthorized devices.
 Educate Employees – Awareness training to prevent accidental rogue AP setups.
 Physical Security – Restrict access to network hardware.

Wireless Hacking Techniques

1. Packet Sniffing

 Tools like Wireshark capture wireless packets to analyze network traffic.
 Attackers use this method to gather unencrypted data like login credentials.

2. Evil Twin Attack

 An attacker creates a fake Wi-Fi network with the same SSID as a trusted network.
 Users unknowingly connect, allowing attackers to intercept sensitive information.

3. Man-in-the-Middle (MITM) Attack

 Intercepting communication between two devices to eavesdrop or alter data.
 Tools like Ettercap and ARP poisoning are used for MITM attacks.

4. WEP/WPA Cracking

 Cracking weak encryption protocols (e.g., WEP) using tools like Aircrack-ng.
 WPA/WPA2 attacks use dictionary or brute-force methods to crack passwords.

5. Deauthentication Attack

 Forces devices to disconnect from the Wi-Fi network, making them reconnect to an
attacker-controlled network.
 Tools like MDK3 and Aireplay-ng are commonly used.

6. Bluetooth Hacking

 Exploiting Bluetooth vulnerabilities to gain unauthorized access.
 BlueSnarfing and BlueJacking are common techniques.

7. Rogue Access Point Attack

 A malicious access point is set up to capture data from unsuspecting users.
 Often used in corporate environments to steal confidential data.

Securing Wireless Networks

1. Use Strong Encryption

 Always use WPA3 or at least WPA2 encryption instead of WEP.
 Enable AES encryption for better security.

2. Change Default SSID and Password

 Avoid using default router credentials to prevent easy access.
 Use strong, unique passwords for both the network and router admin access.

3. Enable MAC Address Filtering

 Restrict access to specific devices based on their MAC addresses.

4. Disable WPS (Wi-Fi Protected Setup)

 WPS is vulnerable to brute-force attacks; disable it to enhance security.

5. Enable Network Firewall

 Use a firewall to monitor and filter incoming and outgoing traffic.

6. Use a VPN (Virtual Private Network)

 Encrypts network traffic to prevent data interception.

7. Monitor Connected Devices

 Regularly check the list of connected devices to identify unauthorized access.

8. Reduce Wi-Fi Signal Range

 Adjust router settings to limit the signal range, preventing outsiders from accessing
the network.

9. Regular Firmware Updates

 Keep the router firmware updated to patch security vulnerabilities.

10. Implement Intrusion Detection Systems (IDS)

 Use network monitoring tools to detect and respond to unauthorized access attempts.

What is Penetration Testing?

Penetration Testing (Pen-Test) is a simulated cyber attack performed on a computer system,
network, or web application to evaluate its security. The goal is to identify and exploit
vulnerabilities before malicious attackers can do so.

It is also known as ethical hacking because it follows legal and authorized procedures to test
security defenses.

Why is Penetration Testing Important?

 Identifies security weaknesses before attackers exploit them.
 Helps organizations comply with security standards (e.g., ISO 27001, PCI-DSS).
 Protects sensitive data from breaches.
 Evaluates the effectiveness of security measures.
 Reduces the risk of financial and reputational damage.

Types of Penetration Testing

1. Black Box Testing

 The tester has no prior knowledge of the system's internal structure, architecture, or
source code.
 Simulates an external attack by a real hacker who does not have insider access.
 Finding security loopholes through reconnaissance
 Testing firewalls, intrusion detection systems (IDS), and external-facing applications
 Identifying vulnerabilities in publicly available resources
 Time-consuming due to lack of information

2. White Box Testing

 The tester has full knowledge of the system, including network diagrams, source code,
architecture, and internal security controls.
 Simulates an insider attack where the attacker has complete access, such as a developer
or an employee with malicious intent.
 Conducting code review for security flaws (e.g., SQL injection, buffer overflow)
 Testing authentication mechanisms
 Checking for misconfigurations and insecure APIs
 Saves time compared to black-box testing
 Requires skilled testers with programming knowledge

3. Gray Box Testing

 The tester has partial knowledge of the system, such as login credentials or limited
network details.
 Simulates an attack from a semi-privileged insider, such as a contractor or a user with
limited access.
 Testing privilege escalation possibilities
 Evaluating how much damage a compromised user account can cause
 Identifying security flaws in authentication and session management
 Might miss vulnerabilities that only a deep source-code analysis (white box) can uncover

Penetration Testing Methodologies

Penetration testing (pen-testing) is a simulated cyberattack to evaluate a system's security. It
follows structured methodologies to identify vulnerabilities and provide actionable insights for
risk mitigation.

Several standardized methodologies guide ethical hackers in conducting effective penetration
tests:

a) OSSTMM (Open Source Security Testing Methodology Manual)

 Focuses on operational security testing
 Covers information security, physical security, and fraud prevention
 Emphasizes risk assessment and compliance

b) NIST (National Institute of Standards and Technology) SP 800-115

 Provides a structured methodology for conducting security assessments, penetration testing, and
vulnerability analysis in IT systems.
 Defines planning, discovery, attack, and reporting phases
 Often used in government and regulated industries

c) PTES (Penetration Testing Execution Standard)

 Covers the entire penetration testing lifecycle
 Divided into seven phases: Pre-engagement, Intelligence Gathering, Threat Modeling,
Vulnerability Analysis, Exploitation, Post-Exploitation, and Reporting

d) OWASP (Open Web Application Security Project) Testing Guide

 Specifically designed for web application security testing
 Focuses on identifying vulnerabilities in web applications, such as SQL injection and cross-site
scripting (XSS)

e) ISSAF (Information Systems Security Assessment Framework)

 Focuses on structured testing with a risk-based approach (identifying and prioritizing
vulnerabilities based on risk levels)
 Used for assessing the security posture of an organization

Steps in Penetration Testing

Penetration testing follows a systematic approach, typically involving:

1) Pre-engagement & Planning

 Define scope, objectives, and legal permissions
 Identify the target system and set rules of engagement

2) Reconnaissance (Information Gathering)

 Passive and active intelligence gathering
 Uses OSINT (Open-Source Intelligence) techniques
 Tools: nmap, Google Dorking, Whois Lookup, theHarvester

3) Threat Modeling & Vulnerability Analysis

 Identify potential threats based on the target's infrastructure and data.
 Categorize assets based on risk levels (e.g., sensitive data, financial records).
 Develop attack scenarios (e.g., privilege escalation, lateral movement).

4) Exploitation

 Attempt to exploit identified vulnerabilities
 Execute real-world attacks to assess risk impact
 Tools: Metasploit, SQLmap, Hydra

5) Post-Exploitation

 Assess the impact of a successful attack.
 Check for persistence mechanisms (backdoors, trojans).
 Identify critical data that could be stolen (user credentials, financial records).
 Identify lateral movement possibilities

6) Reporting & Documentation

 Provide a detailed report with findings and risk assessments
 Include recommendations for mitigation
 Deliverables: Executive summary, technical details, risk analysis, and remediation strategies

Pen-Test Deliverables

After completing penetration testing, a comprehensive report is provided. The key deliverables
include:

 Executive Summary: High-level findings for management
 Scope & Methodology: Details of tested systems and approaches
 Findings & Risk Assessment: Identified vulnerabilities with severity ratings
 Proof of Concept (PoC): Demonstration of successful exploits
 Recommendations: Suggested security improvements
 Appendices: Logs, tool outputs, and screenshots
