Eh - Unit-1

T.Y.B.Sc.
CS- Semester-VI, Skill Enhancement: Ethical Hacking (TCSCSCS607)
Unit-I:
Information Security: Attacks and Vulnerabilities
Introduction to information security: Asset, Access Control, CIA, Authentication,
Authorization, Risk, Threat, Vulnerability, Attack, Attack Surface, Malware,
Security-Functionality-Ease of Use Triangle
Types of malware: Worms, viruses, Trojans, Spyware, Rootkits
Types of vulnerabilities: Unauthorized access by hackers, cracking of WiFi passwords, Cross
site scripting, Buffer overflow, SQL injection, unrestricted upload of dangerous files.
Types of attacks: DOS, DDOS, Man in the middle attack, Replay, Masquerade, Zero-day
exploit, DNS tunneling, Phishing, Ransomware.
Case-studies : Recent attacks – Yahoo, JP Morgan Chase, Bad Rabbit
Ms.Siddhi. B
Assistant Professor, Department of Computer Science, TCSC
Chapter 1- Information Security: Attacks and Vulnerabilities
Attacks:
Attack is an assault on system security that derives from an intelligent threat; that is, an
intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to
evade security services and violate the security policy of a system.
A cyber attack can maliciously disable computers, steal data, or use a breached computer as a
launch point for other attacks.
Cybercriminals use a variety of methods to launch a cyber attack, including malware, phishing,
ransomware, denial of service, among other methods.
Thus an attack is one of the biggest security threats in information technology, and it comes in
different forms. Attacks can be categorized as Passive Attack and Active Attack
1. Passive Attack:
A passive attack is a network attack in which a system is monitored and sometimes
scanned for open ports and vulnerabilities.
The purpose is solely to gain information about the target and no data is changed on the
target.
Further, this category of attack has different types:
a. Release of Message Content:

Sensitive or private information may be included in an e-mail message or
transmitted file.
We intend to be sure that the contents of these messages are not discovered by an
opponent. Encrypting the communication was the solution to this issue.
Sensitive or private information may be disclosed during a phone call, in an
email, or in a transmitted file.
Ms.Siddhi. B
b. Traffic Analysis:
Assume for a moment that we could somehow encrypt messages or other
information flow so that opponents could not decipher the contents even if they
managed to intercept it. Encryption is the method most often used to hide
material.
An intruder may potentially identify the pattern of these messages even if we
were protected by encryption.
An intruder might see the frequency and duration of communications being sent
as well as the location and identity of the communicating hosts.
This information might be helpful in determining the type of conversation that
was occurring.
2. Active Attack:
Active assaults involve manipulating the data stream in some way or fabricating a fake
stream.
The availability and integrity of data are seriously threatened by these attacks. These
attacks are difficult to stop.
There are four groups into which this assault falls:
a. Masquerade:
A "masquerade" occurs when one entity adopts the identity of another.
One of the other active attack types is typically a part of a masquerade attack.
For instance, the authentication process has been completed, allowing individuals
with limited access to get further privileges by imitating someone with those
privileges.
Ms.Siddhi. B
b. Replay:
Data transmitted over a network can be subject to security attacks like replay
attacks.
In this attack, the hacker or any other individual with unauthorized access
intercepts traffic, sends the message to its intended recipient, and assumes the role
of the original sender. Although it was actually sent by the attacker, the recipient
believes it to be an authenticated message.
Replay Attack gets its name from the fact that its primary characteristic is that the
client receives the message twice.
c. Modification of Message:
To produce an unauthorized effect, it simply means that a message is delayed or
rearranged, or that a portion of an authorized message is changed.
For instance, "Allow Rehman to read confidential file accounts" replaces the
original message "Allow Rehan to read confidential file accounts."
Ms.Siddhi. B
d. Denial of Services:
An attack known as a denial-of-service (DoS) aims to bring down a computer or
network so that the intended users cannot access it.
DoS attacks achieve this by sending information that causes a crash or by
overloading the target with traffic.
The denial of service or resource to legitimate users, such as employees,
members, or account holders, is the result of a denial of service attack in both
cases.
Vulnerabilities:
An application vulnerability is a discrepancy or weakness that allows an attacker to harm the

application's stakeholders.
It can be a design flaw or an implementation bug.
The owner of the application, users of the application, and other organizations that depend on the
application are examples of stakeholders.
For examples, situations of vulnerability are as follows:
❖ A firewall's flaw that allows hackers to access a computer network
❖ Unlocked doors that are left open
Ms.Siddhi. B
❖ Absence of security cameras
❖ Unrestricted upload of dangerous files
❖ Code downloads without integrity checks
❖ Using broken algorithms
❖ URL Redirection to untrustworthy websites
❖ Weak and unchanged passwords
❖ Website without SSL
Different kinds of vulnerabilities include:

❖ Natural vulnerabilities; physical vulnerabilities
❖ Vulnerabilities in hardware and software
❖ Vulnerabilities in the media (such as lost or damaged disks or tapes)
❖ Radiation-related emanation vulnerabilities; communication vulnerabilities; human
vulnerabilities
★ Review Questionnaire
1. Explain Attack in Information and Network Security with its type in detail.
2. Define term Vulnerabilities. And mention various scenarios of its.
3. Give brief on Active attack with its categories.
4. Explain Passive Attack concept with its categories with examples and mention cons.
**********
Chapter 2- Introduction to Information Security
To maintain integrity, confidentiality, and availability, information security refers to

safeguarding data and information systems against unauthorized access, use, disclosure,
disruption, modification, or destruction.
Asset:
An asset in the context of information security, computer security, and network security is any
information, hardware, or other element of the environment that facilitates information-related
activities.
Generally speaking, assets consist of software (such as mission critical applications and support
systems), hardware (such as servers and switches), and confidential data.
It is important to safeguard assets against unauthorized use, access, disclosure, alteration,
destruction, and/or theft that could cause losses for the company.
Access Control:
A key element of information security is access control, which establishes limitations on who
can access and utilize company resources and information.
Ms.Siddhi. B
Access control policies ensure that users are who they say they are and have the right access to
company data through authorization and authentication.
Limiting physical access to buildings, data centers, rooms, and campuses is another use for
access control.
Through the verification of multiple login credentials, such as PINs, biometric scans, security
tokens, and usernames and passwords, access control figures out the identity of users. Multi
Factor authentication (MFA), which requires several authentication techniques to confirm a
user's identity, is another feature that many access control systems have.
Access control grants permission for the proper degree of access and actions related to a user's
credentials and IP address after authentication.
CIA:
The three key objectives that are at the heart of computer security:
• Confidentiality: Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information. A loss of
confidentiality is the unauthorized disclosure of information.This term covers two related
concepts:
Data confidentiality: Assures that private or confidential information is not made available or
disclosed to unauthorized individuals.
Privacy: Assures that individuals control or influence what information related to them may be
collected and stored and by whom and to whom that information may be disclosed.
• IntegrityGuarding against improper information modification or destruction, including
ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized
modification or destruction of information.This term covers two related concepts:
Data integrity: Assures that information and programs are changed only in a specified and
authorized manner.
System integrity: Assures that a system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system.
• Availability: Assures that systems work promptly and service is not denied to authorized
users.A loss of availability is the disruption of access to or use of information or an
information system.
Ms.Siddhi. B
These three concepts form what is often referred to as the CIA triad. The three concepts embody
the fundamental security objectives for both data and for information and computing services.
There are some additional concepts are needed to present a complete picture.Two of the most
commonly mentioned are as follows:
• Authenticity: The property of being genuine and being able to be verified and trusted;
confidence in the validity of a transmission, a message, or message originator. This means
verifying that users are who they say they are and that each input arriving at the system came
from a trusted source.
• Accountability: The security goal that generates the requirement for actions of an entity to be
traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion
detection and prevention, and after-action recovery and legal action. Because truly secure
systems are not yet an achievable goal, we must be able to trace a security breach to a
responsible party. Systems must keep records of their activities to permit later forensic analysis
to trace security breaches or to aid in transaction disputes.
Authentication:
The process of identifying someone's identity by confirming that they are similar to the object of
their claim is known as authentication. Both the client and the server can use it.When someone
needs to access the data, the server uses authentication since it needs to know who is gaining
access. When the client needs to verify that the server is who it says it is, it uses it.
The username and password are mostly used by the server to complete the authentication
process. Cards, fingerprints, voice recognition, and retinal scans are some additional ways that
the server can authenticate users.
Authorization:
The process of giving someone permission to do something is called authorization. It describes a

method for determining whether or not the user has authorization to use a resource. What data
and information a single user can access can be represented by it.
In order for the system to determine who is accessing the information, authorization typically
works in tandem with authentication. A security framework called authorization is used to
determine the level of access that a user or client has to certain system resources, like software,
files, services, data, and application features.
Authentication and Authorization:
In short we can say,During the authentication process, users' identities are verified before they
are granted access to the system. The authority of the person or user to access the resources is
Ms.Siddhi. B
verified during the authorization process.The authorization process occurs after the
authentication process, but authentication occurs before the authorization process.
Risk:
It's critical to recognize the difference between a risk and a threat in order to comprehend the
idea of information security risk. A threat is anything that could endanger the information assets
of an organization, like malware or hackers trying to access a system. The possibility that a threat
will truly hurt the organization is what makes it a risk. Therefore, even though a threat might
exist, an organization may not be at risk from it.
Risk related to information security can have serious repercussions for companies. For instance,
sensitive information, including financial and personal data, may be lost due to data breaches,
which may result in financial losses, legal repercussions, and harm to one's reputation.
Cyberthreats and malware can infiltrate a company's networks and systems, causing disruptions
and
Threat:
A potential for violation of security, which exists when there is a circumstance, capability, action,
or events that could breach security and cause harm. That is, a threat is a possible danger that
might exploit a vulnerability.
Attack:
An assault on system security that derives from an intelligent threat; that is, an intelligent act that
is a deliberate attempt (especially in the sense of a method or technique) to evade security
services and violate the security policy of a system.
Attack Surface:
The total number of locations, or attack vectors, through which an unauthorized user may gain
access to a system and retrieve data is known as the attack surface. It is easier to defend against
an attack with a smaller attack surface.
It is imperative for organizations to continuously monitor their attack surface in order to
promptly identify and block potential threats. To lower the chance that cyberattacks will be
successful, they must also make an effort to minimize the attack surface area. But as they adopt
new technologies and increase their digital footprint, it gets harder to do so.
There are two types of attack surfaces: digital and physical.
Ms.Siddhi. B
❖ Digital: Attack Surface : Every single piece of the hardware and software that connects
to a company's network is included in the digital attack surface area. Applications, code,
ports, servers, websites, and shadow IT—where users get around IT to use unapproved
apps or devices—are some examples of these.
❖ Physical Attack Surface: Everything that an attacker can physically access, including
desktop and laptop computers, USB drives, mobile phones, and other endpoint devices, is
included in the physical attack surface. Physical break-ins, users writing passwords down
on paper, and irresponsibly discarded hardware holding user data and login credentials
are all examples of the physical attack threat surface.
By implementing access control and conducting surveillance around their physical
locations, organizations can safeguard the physical attack surface. They also have to put
disaster recovery plans and procedures into practice and test them.
Malware:
Malware, which stands for malicious software, is any disruptive software that is created by
hackers or cybercriminals with the intention of stealing data and destroying or damaging
computers and computer systems. Malware that is frequently encountered includes Trojan
viruses, worms, spyware, adware, and ransomware.
Security- Functionality- Ease of Use Triangle:
❖ The security, functionality, and ease of use triangle is a straightforward yet powerful
illustration of the difficulties encountered when implementing security of any kind into
practice. It functions as a sliding scale that directly affects all three of the points when it
comes to IT security.
❖ These three qualities are dependent on one another. Functionality and usability decrease
as security increases. To create a balanced information system, any organization must
establish a balance between these three attributes.
❖ The reason a triangle is used is that the presence of any one of the three factors will be
affected by changes in the other two.
Ms.Siddhi. B
❖ For instance, expanding an application's functionality expands the area that a malevolent
user can target in an effort to identify an exploitable vulnerability.
❖ In the real world, security and usability are frequently traded off, which frequently leads
to conflict between users and those in charge of upholding security.
❖ Case Study as an example:
The security community had long targeted Microsoft for granting regular users
administrative or system level permissions, which meant that any exploit aimed at a
userland application would grant full access to the system right away. Users were
unhappy with the additional steps needed to finish tasks when Microsoft attempted to
restrict this functionality by requiring users to explicitly request elevated privileges via
User Access Control (UAC). Because of this, a ton of manuals and tutorials were
produced to show users how to turn off UAC functionality, which made some tasks easier
to complete and required fewer steps to complete, but at the cost of turning off an
enhanced security system.
★ Review Questionnaire-
1. Discuss role of Access Control in Information Security.
2. Give a brief on the CIA Triad and mention its purpose for use.
3. Describe in detail the concepts of authorization and authentication together with their
goals. Use the examples as a guide for helping in understanding these ideas.
4. Elaborate concept of Attack surface with its types.
5. Describe the Security, Functionality, and Usability Triangle in detail. Describe the idea
via a case study
6. Define terms-
A. Threat,
B. Risk,
C. Accountability,
D. Malware,Attack.
**********
Chapter 3- Types of malware

Malware:
Malware, which stands for malicious software, is any disruptive software that is created by
hackers or cybercriminals with the intention of stealing data and destroying or damaging
Ms.Siddhi. B
computers and computer systems. Malware that is frequently encountered includes Trojan
viruses, worms, spyware, adware, and ransomware.
What does malware aim to accomplish?
Malware is malicious software that infiltrates or tampers with your computer network. Malware
aims to create havoc and steal information or assets for financial gain or pure sabotage.
❖ Intelligence and intrusion:

Emails, plans, and especially private data like passwords are all compromised.
❖ Disruption and extortion:
Turns computers and networks unusable by locking them up. It's known as ransomware if
it holds your computer hostage in exchange for money.
❖ Destruction or vandalism:
Destroys computer systems in order to harm the infrastructure of your network.
❖ Steal computer resources:
Uses your computer power to send spam emails, run botnets, or engage in cryptomining,
also known as cryptojacking.
❖ Financial benefit:
Sell the intellectual property of your company on the dark web.
Types of Malware:
❖ Viruses: These malicious programs can replicate themselves by attaching themselves to

host computer programs, such as music, videos, etc., and then spreading throughout the
Internet. On the ARPANET, the Creeper Virus was initially discovered. File viruses,
macro viruses, boot sector viruses, and stealth viruses are a few examples.
❖ Worms: Although they don't attach themselves to the program on the host computer,
worms are also self-replicating in nature. Worms and viruses differ primarily in that
worms are aware of networks. If a network is available, they can move from one
computer to another with ease. While they are not very harmful, they can slow down the
target machine by using up hard disk space, for example.
❖ Trojan: The Trojan concept is entirely distinct from that of viruses and worms. The
Greek mythology story known as the "Trojan Horse" tells the story of how the Greeks
managed to breach the walls of Troy by concealing their soldiers inside a large wooden
Ms.Siddhi. B
horse that was gifted to them. This story is where the name Trojan originated. The
Trojans had a deep affection for horses and had complete faith in the gift. The soldiers
reappeared at night and launched an interior assault on the city. Their goal is to blend in
with the software that appears authentic, and when it is used, they will carry out their
intended function of either stealing data or carrying out some other purpose for which
they were created.
They frequently offer a backdoor gateway through which malicious apps or hostile users
can infiltrate your system and take advantage of your sensitive data without your
awareness or consent.
Malicious software of this type poses as trustworthy software. For instance, when Trojans
are downloaded, they might look like a Java or Flash Player update. Third parties are in
control of trojan malware. Credit card numbers and other private data, including Social
Security numbers, can be accessed with it.
❖ Spyware: Malicious software, sometimes known as spyware, is installed on a computer

system without the user's awareness. It breaks into the device, takes private data and
internet usage information, and then sends it to third parties like data companies,
advertisers, or other users.
Unwanted software known as spyware enters your computer and steals sensitive data and
internet usage statistics. Malicious software intended to access or harm your computer,
frequently without your knowledge, is categorized as spyware. Your personal information
is collected by spyware and shared with third parties, advertisers, and data companies.
There are numerous uses for spyware. Typically, it seeks to obtain your credit card or
bank account information, track and sell your online activity, or steal your identity.
➢ Adware: This kind of spyware monitors your downloads and browsing history in
an attempt to determine what goods and services you might find appealing. To get
you to click or buy something, the adware will show you adverts for similar or
related goods and services. Adware can cause your computer to lag and is used
for marketing purposes.
➢ Tracking cookies: For marketing purposes, these keep track of a user's online
activities, including searches, downloads, and history.
➢ surveillance systems or monitoring system :Spyware of this kind is capable of
recording nearly all of your computer activities. All keystrokes, emails, chat room
conversations, websites visited, and programs executed can be captured by system
monitors. It's common for system monitors to appear as freeware.
❖ Rootkits: A rootkit is a type of malicious software that grants unauthorized users special
access to a computer's operating system and restricted software areas.
Ms.Siddhi. B
Numerous malicious tools, including keyloggers, password stealers, antivirus disablers,
and bots for DDoS attacks, can be found inside a rootkit.
1. Describe the term Malware and mention goals of malware.
2. Describe the concept of Malware- Trojan.Explain with an example.
3. Give a quick overview of spyware and list its numerous varieties.
4. Describe various types of Malware and mention its effects.
**********
Chapter 4- Types of Vulnerabilities

A systemic weakness or flaw that could be discovered and used by an attacker. Default
passwords, outdated operating systems, and unencrypted protocols are a few instances of
vulnerabilities.
An application vulnerability is a gap or weakness that allows an attacker to harm the
application's stakeholders. It can be a design flaw or an implementation bug. The owner of the
application, users, and other organizations that depend on it are examples of stakeholders.
Few examples of weaknesses:
➢ Inadequate user input validation; insufficient logging mechanism
➢ Handling fail-open errors
➢ improperly terminating the database connection
Types of Vulnerabilities:
❖ Unauthorized Access by Hacker:

Unauthorized computer access, popularly referred to as hacking, describes a criminal action
whereby someone uses a computer to knowingly gain access to data in a system without
permission to access that data.
Unauthorized access encompasses any time an individual — an internal or external actor —
accesses data, networks, endpoints, applications, or devices without permission. There are
several common causes or scenarios of unauthorized data access and unauthorized access to
computer networks — from weak passwords that are easily guessed or hacked to sophisticated
social engineering schemes like phishing that trick authorized users into exposing credentials, to
compromised accounts that have been hacked and taken over by illegitimate actors.
Ms.Siddhi. B
Risks of unauthorized data access-
Once an individual has gained unauthorized access to data or computer networks, they can cause
damage to an organization in a number of ways.
➔ They may directly steal files, data, or other information.
➔ They may leverage unauthorized access to further compromise accounts.
➔ They may destroy information or sabotage systems and networks.
➔ All of these scenarios carry inherent risks, costs, and potential fines to the business — but
the long-term damage from unauthorized access can carry on insidiously in the form of
damaged reputation and trust, as well as ongoing impacts on revenue.
Strategies to prevent unauthorized access-

1. Adopt the Principle Of Least Privilege (POLP)
A 2020 report found that half of organizations have users with more access privileges than are
necessary to do their jobs. The POLP approach aims to regularly audit internal user access
privileges to ensure the minimal-necessary level of access to data, systems, networks, and
devices for the individual to perform the core responsibilities of their role. One key is focusing
on the “core responsibilities'' idea; temporary access can be granted in exceptional cases while
still maintaining the least privileged access for day-to-day work.
2. Put a strong password policy in place
Strong passwords are one of the best protections against unauthorized access. That means
developing and enforcing a strong password policy that requires all users to follow established
best practices for creating — and regularly changing — strong passwords, as well as ensuring
passwords are not reused across devices, apps, or other accounts. One of the easiest ways to help
your users maintain strong passwords is to use a password manager that can generate (and
remember) passwords with much deeper complexity and randomness than a human ever could.
3. Use Multi-Factor Authentication (MFA)
Unauthorized access often stems from a single compromised password or credential. But if all
the individual has done is guessed, hacked, or otherwise illegitimately obtained the password,
multi-factor authentication can easily stop unauthorized access. The illegitimate actor almost
certainly won’t have access to the secondary (or tertiary) form of identity verification (like a
one-time passcode sent to the legitimate user’s mobile device). Microsoft estimates that 99.9% of
compromised user accounts could be prevented with MFA.
4. Keep security patches up to date
External actors often gain unauthorized access through known vulnerabilities. Fortunately, this
means these intrusions can be blocked by simply ensuring you regularly update all software,
keep security patches up to date, and set security updates to automatic whenever possible.
5. Don’t forget about physical security
Ms.Siddhi. B
While most unauthorized access happens in a digital sense — the unauthorized actor is using a
compromised credential to access data or computer networks from their own device—physical
security in your workplace is still essential. Whether it’s a malicious inside actor or an external
actor visiting your workplace, leaving devices unlocked or written-down passwords plainly
visible is an easy recipe for unauthorized access.
How to detect unauthorized access:

Prevention is the first defense against unauthorized access. But when these accidents do
happen, time is of the essence in mitigating the damage. The more immediately you can detect
unauthorized access — and the more efficiently you can investigate the incident — the faster
you can effectively respond to lock down access, shut out the illegitimate actor, and take back
control of your data, systems, and networks.There are many conventional security
technologies, such as DLP and CASB, that promise to alert security teams to unauthorized data
access or unauthorized access to a computer network.
NOTE- Above highlighted part is just for knowledge purposes.
❖ Cracking of WiFi passwords:

➢ Wireless networks are now becoming increasingly dominant in our modern
environment. Most importantly, they impacted how people connect and
communicate. From homes to businesses, Wi-Fi networks enable seamless
connectivity and convenience. However, not only do these networks provide
comfort, but they also often come with the risk of security threats.
➢ Wireless network hacking” refers to an unauthorized, malicious intrusion into a
wireless network to access the system without authorization, intercept sensitive
information, or disrupt network performance. It involves breaking access rules
and risking the integrity, confidentiality, or availability of the network by taking
advantage of flaws in the security protocols, configurations, or hardware of the
network.
➢ Wi-Fi hacking contains a few tactics attackers use to gain unauthorized access or
disrupt network operations. One common technique is password cracking, where
attackers attempt to break into a network by exploiting your weak or easily
guessable passwords.
➢ They use methods like dictionary attacks, where they test a list of commonly used
passwords or perform brute-force attacks, which involve trying all possible
password combinations until they find the correct one. Wi-Fi Protected Setup
(WPS), a feature that connects devices to a network, is another method for
exploiting flaws.
➢ Attackers can exploit WPS implementation flaws to gain unauthorized access.
ARP spoofing and evil twin attacks are a few examples of man-in-the-middle
(MitM) attacks that block and change network communications, allowing
Ms.Siddhi. B
attackers to spy on conversations and introduce harmful material into the data
flow. DoS assaults are also frequent, in which attackers swamp the network with
more traffic to cause disturbances and make the network unusable.
❖ Cross site scripting:

➢ Injection attacks known as Cross-Site Scripting (XSS) occur when malicious
scripts are inserted into websites that are otherwise trustworthy and safe. XSS
attacks happen when a hacker sends malicious code—typically in the form of a
browser side script—to a different end user through a web application. The
vulnerabilities that facilitate the success of these attacks are quite common and
arise whenever a web application incorporates user input without verifying or
encoding it in the output it produces.
➢ An unaware user may receive a malicious script from an attacker via XSS. The
script will run because the end user's browser is unable to determine that it
shouldn't be trusted. The malicious script can access any cookies, session tokens,
or other sensitive data stored by the browser and used with that website because it
believes the script is from a reliable source. These scripts have the ability to
modify the HTML page's content.
Methods to mitigate the XSS vulnerability include:

➢ Train web and app developers proper escaping and encoding techniques for
HTML and JavaScript, among other coding best practices.
➢ Test for vulnerabilities in code during the design and development stages, and
make sure to scan code in production settings as well.
➢ Apply a zero-trust philosophy to data entered by users. Sort content from active
browsers from unvalidated data.
➢ Establish a content security policy that addresses the need for suitable XSS
website defenses.
❖ Buffer overflow:
While data is being moved from one place to another, buffers—regions of memory
storage—reserve it temporarily. A buffer overrun, also known as a buffer overflow, takes
place when the amount of data being stored in the memory buffer exceeds its storage
capacity. Consequently, when the program tries to write the data to the buffer, it ends up
overwriting nearby memory locations.
A buffer for log-in credentials, for example, might be built to hold eight bytes of
username and password inputs. If a transaction requires ten bytes of input—two bytes
more than anticipated—the program might write the extra data past the buffer boundary.
Ms.Siddhi. B
Software of all kinds is susceptible to buffer overflows. Usually, they are the result of
improperly formatted inputs or inadequate buffer space allocation. Executable code may
be overwritten by the transaction, which could lead to unpredictable program behavior,
incorrect results, memory access errors, or crashes.
❖ SQL injection:
➢ A SQL injection attack consists of insertion or “injection” of a SQL query via the
input data from the client to the application.
➢ A successful SQL injection exploit can read sensitive data from the database,
modify database data (Insert/Update/Delete), execute administration operations on
the database (such as shutdown the DBMS), recover the content of a given file
present on the DBMS file system and in some cases issue commands to the
operating system.
➢ SQL injection attacks are a type of injection attack, in which SQL commands are
injected into data-plane input in order to affect the execution of predefined SQL
commands.
➢ SQL injection attack occurs when:
➔ An unintended data enters a program from an untrusted source.
➔ The data is used to dynamically construct a SQL query
➢ Consequences:
➔ Confidentiality: Since SQL databases generally hold sensitive data, loss of
confidentiality is a frequent problem with SQL Injection vulnerabilities.
➔ Authentication: If poor SQL commands are used to check user names and
passwords, it may be possible to connect to a system as another user with
no previous knowledge of the password.
Ms.Siddhi. B
➔ Authorization: If authorization information is held in a SQL database, it
may be possible to change this information through the successful
exploitation of a SQL Injection vulnerability.
➔ Integrity: Just as it may be possible to read sensitive information, it is also
possible to make changes or even delete this information with a SQL
Injection attack.
➢ The platform affected can be:
➔ Language: SQL
➔ Platform: Any (requires interaction with a SQL database)
SQL Injection has become a common issue with database-driven web sites. The
flaw is easily detected, and easily exploited, and as such, any site or software
package with even a minimal user base is likely to be subject to an attempted
attack of this kind.
Essentially, the attack is accomplished by placing a meta character into data input
to then place SQL commands in the control plane, which did not exist there
before. This flaw depends on the fact that SQL makes no real distinction between
the control and data planes.
❖ Unrestricted upload of dangerous files:
Vulnerabilities related to file uploads occur when a web server permits users to upload
files to its filesystem without properly verifying attributes such as filename, type,
contents, or size.
If these limitations are not appropriately enforced, even a simple picture upload feature
may be used to upload random and possibly harmful files.
Even script files on the server side that permit remote code execution may fall under this
category.
In certain instances, the file uploading process itself can be harmful. A follow-up HTTP
request for the file may be used in other attacks, usually to cause the server to execute it.
Risk Factors:
● This vulnerability has a significant impact since it allows for the possible
execution of code both on the client and in the server context. There's a good
chance the attacker will be discovered. The frequency is typical. Consequently,
this kind of vulnerability has a high degree of severity.
● To adequately assess the risks, it is crucial to review the access controls of a file
upload module.
Ms.Siddhi. B
● Attacks on the server side: A web-shell that can be uploaded and run on the server
to run commands, view system files, browse local resources, attack other servers,
take advantage of local vulnerabilities, and so on, can compromise the web server.
● Attacks from the client side: When malicious files are uploaded, a website may
become open to client-side threats like Cross-Site Content Hijacking (XSS).
● When a file on the same or a trusted server is required, uploaded files can be
misused to attack other weak points in an application (can again lead to client-side
or server-side attacks)
● Uploaded files may cause server-side vulnerabilities in malfunctioning libraries or
applications (such as the ImageMagick flaw known as ImageTragick!).
● Uploaded files might trigger vulnerabilities in broken real-time monitoring tools
(e.g. Symantec antivirus exploit by unpacking a RAR file)
● It is possible for an attacker to deface the website or insert a phishing page.
● It is possible for the file storage server to be misused in order to host malicious
files, illicit software, or explicit content. Moreover, uploaded files may contain
steganographic information that criminal organizations may utilize, messages of
violence and harassment, or command and control information from malware.
● Sensitive files that have been uploaded may be accessed by unauthorized
individuals.
● File uploaders' error messages may reveal internal details like server internal
paths.
1. Describe the idea of Unauthorized Access by Hackers and highlight the dangers.
2. Mention Strategies to prevent Unauthorized Access.
3. Explain Vulnerability- Cracking of Wifi Passwords.
4. Write a short note on Cross- site scripting (XSS) and mention methods to mitigate the
XSS Vulnerability.
5. Explain Buffer Overflow Vulnerability with the help of an example.
6. Explain the functioning of SQL Injection.
7. Mention various Consequences faced due to SQL Injection Vulnerability.
8. Give risk factors caused due to Unrestricted upload of dangerous files.
9. Explain Vulnerability- Unrestricted upload of dangerous files.
10. Define the concept of Vulnerability with its types.
**********
Chapter 4- Types of Attacks
Ms.Siddhi. B
Types of attacks: DOS, DDOS, Man in the middle attack, Replay, Masquerade, Zero-day
exploit, DNS tunneling, Phishing, Ransomware.
❖ DOS/DDOS:
Already saw the DOS concept in Chapter 1 that, An attack known as a denial-of-service (DoS)
aims to bring down a computer or network so that the intended users cannot access it.DoS
attacks achieve this by sending information that causes a crash or by overloading the target with
traffic.
Now, lets have look on DDOS:
A Distributed Denial of Service (DDoS) attack is a type of non-intrusive online attack that
involves flooding a network, server, or application with fictitious traffic in an attempt to bring
down or slow down the targeted website. When targeting a resource-intensive endpoint that is
vulnerable, a small quantity of traffic is sufficient for the attack to be successful.
Working of DDOS:
Through the use of false traffic spikes, the DDoS attack will test the capacity of a web server,
network, and application resources.
Certain attacks consist of brief malicious request bursts on susceptible endpoints, like search
functions.
A botnet, or horde of zombie devices, is used in DDoS attacks. Usually, computers, websites,
and Internet of Things devices have been compromised to create these botnets.
The botnet will assault the target and exhaust the application resources when a DDoS attack is
initiated.
In the event of a successful DDoS attack, a website may become inoperable for users or
experience a spike in bounce rate. These outcomes could lead to monetary losses and
malfunctions.
❖ Man-in-the-middle Attack (MITM):
Ms.Siddhi. B
➢ An attack known as a "man in the middle" (MITM) occurs when an imposter
enters a conversation between a user and an application, pretending to be one of
the parties and creating the impression that normal communication is taking place.
➢ The purpose of an attack is to obtain personal data, including credit card numbers,
account information, and login credentials.
➢ An attacker may use information gathered during an attack for a variety of things,
such as identity theft, unauthorized financial transfers, or unauthorized password
changes.
➢ In general, a Man-in-the-Middle (MITM) attack can be compared to the mailman
reading your bank statement, noting your account information, resealing the
envelope, and having it delivered to your door.
❖ Replay Attack:
➢ A replay attack is a type of network attack in which an attacker captures a valid
network transmission and then retransmits it later.
➢ The main objective is to trick the system into accepting the retransmission of the
data as a legitimate one. Additionally, replay attacks are hazardous because it’s
challenging to detect.
➢ An attacker can launch a replay attack to gain unauthorized access to systems or
networks. Furthermore, a replay attack can disrupt the regular operation of a
system by inundating it with repeated requests.
➢ An attacker can plan to carry out this attack by intercepting and retransmitting
data packets over a network. Additionally, a successful replay attack can be
performed by replaying recorded audio or video transmissions.
➢ Working of attack:
Ms.Siddhi. B
The first step is to wait for the data transmission to begin. The attacker then tries
to sniff into the communication channel and extract the data.
As soon as the attacker gets the data, it might modify or change it based on the
objective and retransmit it to the receiver. The receiver receives the tempered data
but treats it as the original data.
➢ Example:
Imagine that Alice is trying to log into her online banking account using a secure
web connection. When she enters her login credentials and clicks the submit
button, the login request is sent over the internet to the bank’s server.
An attacker, Bob, is monitoring the network and captures the login request as it is
transmitted. Bob then waits until Alice has logged out of her account and
retransmits the captured login request to the bank’s server. Because the login
request is valid, the server accepts it and grants Bob access to Alice’s account.
In this scenario, Bob can gain unauthorized access to Alice’s account by replaying
a captured login request. However, Alice can prevent a replay attack using a
secure communication channel that includes a timestamp or a nonce.
❖ Masquerade:
Masquerade attack already discussed in Chapter 1. Let’s see examples explain it-
Ms.Siddhi. B
1. A hacker may use phishing. They would start by making an imitation web
page that is identical to the real one. After that, they would start an email
campaign in an attempt to dupe people into visiting the phony website and
providing their login information. The hacker can access the intended
network by logging in once they have the user credentials.
2. Messaging can be intercepted and altered by criminals. By using software
flaws, they can listen in on conversations and attempt to change and
intercept the message before sending it to the intended recipient.
Preventive measures:
➢ Surveillance of networks. Tracking user locations and login attempts could
be useful in detecting unauthorized login attempts.
➢ Durable access restrictions. It is possible to guarantee that only authorized
users are permitted access to the network and its resources by
implementing secure authentication techniques like two-factor
authentication.
➢ Systems for detecting intrusions. When suspicious network traffic or user
behavior is detected, these systems assist in notifying network
administrators.
➢ Up to date software. Maintain software updates to stop hackers from
taking advantage of vulnerabilities that are already known.
❖ Watering-hole:
➢ A computer attack technique known as a "watering hole" occurs when a hacker

determines or observes which websites a company frequently visits and then
infects one or more of those sites with malware. A portion of the targeted group
will eventually contract the infection.
➢ Working of Attack:
An attacker starts a series of actions in a watering hole attack in order to obtain
access to a victim.
Ms.Siddhi. B
The victim is not the attacker's direct target, though. The attacker starts by
figuring out which website or service the intended victim is already familiar with
and has used.
The target site is usually popular with the intended victim, has frequent traffic,
and has relatively low security. After breaking into the target website, the attacker
inserts malicious code, frequently in the form of JavaScript or Hyper Text Markup
Language (HTML), into the website.
The payload is activated when the victim accesses the compromised website,
starting an exploit chain that infects the victim's computer. The payload could be
sent automatically, or the attack could trigger a false alert telling the victim to
click on something else that will download malicious code.
The exploit chain could be a brand-new exploit that the attacker developed or one
that already exists and is well-known.
The attacker can access other resources on the network and use the victim's
computer to launch a pivot attack in order to accomplish other objectives once the
payload has been activated on that machine.
The objectives could include collecting data about the victim, trying to take
advantage of other computers in the victim's network, or using the victim's
computer as a component of a bot network.
Diagramatically process explained:
Ms.Siddhi. B
❖ Zero-day exploit:
➢ A zero-day vulnerability is a vulnerability that has been publicly revealed but

has not yet been patched by the developers and, as a result, can be exploited.
➢ A zero-day exploit refers to the method used by attackers to infiltrate and deploy
the malware into a system.
Ms.Siddhi. B
➢ A zero-day attack is a cyberattack that manages to exploit a zero-day
vulnerability – an unknown or newly discovered software/hardware vulnerability.
➢ A software is developed and released without knowing the fact that it has a
security vulnerability. An attacker identifies or exploits this vulnerability before
the developers identifies or fixes the same. While still the vulnerability is open
and unpatched, exploiting the vulnerability, the hacker attacks and compromises
the software which can lead to data theft, unauthorized access or crashing of the
software itself. After the attacker attacks the target, the public or developer
identifies the attack and tries to figure out the patch. The developer identifies the
fix and releases the update to safeguard its new user.
➢ Case Study examples:
Case Study 1: FACEBOOK-

Back in 2019, detailed information about 540 million Facebook users was left
publicly viewable for months after a zero-day exploit. Facebook confirmed at the
time that the data had been scrapped due to a vulnerability that the company later
patched. However, in April 2021, it was revealed that the same vulnerability led
to the leak of 533 million Facebook users’ information (approximately 20% of all
accounts).
The publicly accessible database had personal details of Facebook users with
phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in
some cases, email addresses. Even Facebook CEO Mark Zuckerberg’s own
private credentials were reportedly leaked in the process.
Case Study 2: LINKEDIN-

In June 2021, LinkedIn reported that it had been hit by a zero-day attack that
affected 700 million users (over 90% of LinkedIn’s user base). Hacker “GOD
User TomLiner” advertised the data of LinkedIn users for sale with samples that
the information is real and up to date as per June 2021. It’s still uncertain what the
origin of the data is but the scraping of public profiles might be the starting point.
That was the generator behind the collection of 500 million LinkedIn records that
were advertised for sale in April 2021.
Case Study 3: SONY-

The infamous 2014 zero day attack on American entertainment company Sony
Pictures is a pivotal moment in cyber history. Rumors that a certain nation-state
actor infiltrated the enterprise’s systems as retaliation for a then-unreleased film
parodying its totalitarian leader quickly arose and were debunked, creating a
global buzz around the incident. The reality of the situation is unknown
cybercriminals sought and successfully gained access to private corporate data,
such as exec emails, business plans, and film release dates.
➢ Preventive measure against zero-day attack:
Ms.Siddhi. B
It is not possible for organizations to completely protect themselves against
zero-day threats. However, they can follow certain best practices and strategize
their defensive game plan to defend and mitigate such attacks as much as
possible.
Here are some of the measures which organizations can follow to mitigate
zero-day threats:
➔ Use antivirus and antimalware software to protect against different viruses
and malwares.
➔ Ensure all the software and devices are updated and patched.
➔ Keep a backup of all the critical data and systems.
➔ Stay on top of news or information on any newly discovered vulnerability.
➔ Use a web application firewall.
➔ Detects threats by spotting anomalies.
➔ Educate and create awareness among users about zero-day attacks.
➔ Zero-day threats are hard to detect as they are generally known to the
public only upon their execution. However, organizations and users should
continue to take the best preventive measures possible to mitigate and to
contain zero-day attack damage.
❖ DNS tunneling:
The mechanism that converts machine-friendly IP addresses into human-friendly URLs is

known as the domain name system, or DNS.
One essential and fundamental internet protocol is DNS. Because it connects domain
names with IP addresses, it is sometimes referred to as the "phonebook of the internet."
Because DNS is so widely used (and often ignored), there are sophisticated and nuanced
ways to exchange data and communicate that go beyond the goals of the protocol.
Naturally, the fact that DNS is extensively used and trusted is known to hackers, which
highlights the significance of DNS security solutions.
Furthermore, a lot of firms don't keep an eye out for malicious behavior in their DNS
traffic because it's not meant for data exfiltration. Therefore, if enterprise networks are
targeted, a variety of DNS-based assaults may be successful. One such assault is DNS
tunneling.
Working of attack:
Via a client-server architecture, DNS tunneling attacks use the DNS protocol to tunnel
malware and other data.
Ms.Siddhi. B
1. An attack vector, such as badsite.com, is registered by the attacker. The attacker's
server, which has tunneling malware software installed, is the address that the
domain's name server points to.
2. Malware is installed on a computer by the attacker, which is frequently located
behind a business firewall. The compromised system is able to submit a query to
the DNS resolver as DNS queries are always permitted to enter and exit the
firewall. A server known as the DNS resolver is responsible for forwarding IP
address queries to root and top-level domain servers.
3. The query is sent to the attacker's command-and-control server, where the
tunneling software is installed, via the DNS resolver. The victim and the attacker
are now connected by means of the DNS resolver. This tunnel can be used
maliciously or for data exfiltration. It is more challenging to track down the
attacker's computer when there isn't a clear line of communication between them
and the victim.
The use of DNS tunneling has increased during the past 19 years. DNS tunneling has
been employed with both the Feederbot and Morto viruses. The terrorist organization
DarkHydrus, which attacked Middle Eastern government institutions in 2018, and
OilRig, which has been active since 2016, are two recent examples of tunneling assaults.
Preventions:
➔ Blocking domain names (or IP addresses, or geographical areas) according to
their perceived risk or established reputation.
➔ Guidelines on DNS query strings that appear "strange."
➔ Regulations pertaining to the size, form, and duration of DNS requests, both
incoming and outgoing.
➔ Hardening the client operating systems generally and being aware of their unique
search order and name resolution capabilities.
➔ User and/or system behavior analytics that automatically discover abnormalities,
such as new domains being accessed especially when the mode of access and
frequency are irregular.
Ms.Siddhi. B
➔ Recently, Palo Alto Networks unveiled a brand-new DNS security solution
designed to prevent access to rogue domain names.
➔
❖ Phishing:
By emailing the target a malicious link that appears genuine but really takes them to a
malicious website, the attacker can trick them into clicking on it and steal their personal
information.
This attack is carried out using various steps:
Let’s have look in detail-

Phase 1: Introducing as a reliable source, a corrupt hacker sends the victim an email or
message. Usually, it requests that the target click on a third-party link to do a security audit or
a basic feature upgrade.
Phase 2: The victim clicks on the malicious link, believing the email to be from the
sender—a bank or business—and is sent to a fake website that attempts to mimic the
appearance of the real thing.
Phase 3: The user is prompted to enter personal information, such as account login
credentials for a particular website, on the fraudulent website. The hacker who created the
malicious email and website receives all of the information once it is entered.
Phase 4: After obtaining the account credentials, the hacker may either utilize them to log in
or sell the resulting online information to the highest bidder.
Phishing occurs when a victim responds to a phony email requesting immediate action.
Ms.Siddhi. B
In a phishing email, typical requests for action may be:
➔ Activating macros in a Word document by clicking an attachment
➔ Changing a password
➔ Answering a connection request on social media
➔ making use of a fresh WiFi hotspot.
Examples of Phishing attack:

➔ Deactivation of Account:
The victim receives an email from PayPal informing them that their account has been
hijacked and that it will be canceled unless they verify the data of their credit card. The
victim clicks on the phishing email's link to visit a phony PayPal website, where their credit
card details are taken and used to perpetrate more crimes.
➔ Compromised Credit Card:
For example, the cybercriminal sends an email purporting to be from Apple customer care
knowing that the victim recently made a purchase there. In order to safeguard their account,
the victim is advised via email to verify their credit card details and be aware that their
information may have been hacked.
➔ Fake websites:
Phishing emails are sent by cybercriminals, requesting the target to enter their login
credentials or other information into the phony website's interface. The emails may contain
links to phony websites, such as the mobile account login page of a well-known mail
provider. In order to fool consumers, the malicious website may frequently utilize a minor
alteration to a well-known URL, such as mail.update.yahoo.com instead of mail.yahoo.com.
➔ Manipulation of links:
This assault uses well crafted phishing emails and links to a well-known website. By clicking
on this link, victims are sent to a fake version of the well-known website that poses as the
authentic one and requests that they verify or update their login information.
➔ Mobile Phishing:
Mobile phishing, also known as smishing, is when someone sends a phony SMS, voicemail,
social network message, or other in-app message requesting the receiver to update their
account information, reset their password, or notify them that their account has been
compromised. A link in the message can be used to infect the victim's mobile device with
malware or steal their personal information.
➔ Voice Phishing:
Voice Phishing, also known as "Vishing," is when someone leaves a voicemail with
aggressive language urging the listener to return the call right away and to contact someone
else. The victim is persuaded, among other things, that their bank account will be stopped if
they don't reply to these urgent voicemails.
Ms.Siddhi. B
❖ Ransomware:
Malware known as "ransomware" uses encryption to steal a victim's data. Critical data for
a person or organization is encrypted to prevent access to files, databases, or applications.
Then they want a ransom to unlock the system. Ransomware may swiftly render an entire
corporation inoperable as it is frequently intended to propagate over a network and target
file and database systems. It is an increasingly serious menace that costs governments and
companies a great deal of money while earning billions of dollars in rewards to
cybercriminals and causing serious harm.
Case Study as an example:

SpiceJet: Earlier this year, the Indian airline SpiceJet was the target of an attempted ransomware
assault that left hundreds of passengers stuck around the nation.
Even while the airline emphasized that the event was simply a "attempted" ransomware assault
and that its IT staff was able to control it, the incident revealed significant cybersecurity
vulnerabilities in one of the biggest aviation industries in the world.
It made clear how important it is for airlines in India and throughout the world to assess their
level of ransomware preparation and bolster their defenses in order to react swiftly and
efficiently to such assaults.
News sources state that SpiceJet's image suffered as a result of customers reportedly waiting
more than six hours to learn about the departure of their flights. It also emphasized the
importance of prompt communication and emergency response in sectors like aviation, where
effective incident response planning may be very helpful.
❖ Keystroke Logging:
Ms.Siddhi. B
➔ Keyloggers are a popular tool among hackers and script kiddies.
➔ The concept of keylogging was initially conceived in 1983.
➔ A program called Keylogger logs every keystroke you make, including mouse
clicks.
➔ There are several ways to install a keylogger on your computer. Anybody with
access to your computer might install it; keyloggers, no matter how harmless they
appear, can be installed as a part of a virus or via any program.
➔ Cons Of Keylogger:
1. Zero Privacy, 2. Release of Sensitive Information, 3. Gives Keylogging
Service Providers Free Reign.
1. Provide a detailed explanation of DDOS functioning.
2. Explain why the Man in the Middle (MITM) assault is being conducted.
3. . Use a situation that exemplifies the Replay attack.
4. Write a short note on the Masquerade attack. And enlist safeguards against this assault.
5. Give brief on working of Watering Hole attack.
6. Briefly discuss the Zero-Day Exploit.
7. Write any 2 Case Studies based on Zero- Day Exploit attacks.
8. Mention preventive measures against Zero- Day Exploit attack.
9. Compose a brief message explaining DNS tunneling and how it functions.
10. Explain DNS tunneling. Talk about countermeasures to DNS tunneling.
11. Explain various phases of Phishing attack with various examples.
12. Using a case study as help briefly describe ransomware.
13. Explain Keystroke Logging attack.
**********
Ms.Siddhi. B

Eh - Unit-1

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Eh - Unit-1

Uploaded by

Copyright:

Available Formats

T.Y.B.Sc.

CS- Semester-VI, Skill Enhancement: Ethical Hacking (TCSCSCS607)

a. Release of Message Content:

An application vulnerability is a discrepancy or weakness that allows an attacker to harm the

Different kinds of vulnerabilities include:

To maintain integrity, confidentiality, and availability, information security refers to

The process of giving someone permission to do something is called authorization. It describes a

Security- Functionality- Ease of Use Triangle:

Chapter 3- Types of malware

What does malware aim to accomplish?

❖ Intelligence and intrusion:

❖ Viruses: These malicious programs can replicate themselves by attaching themselves to

❖ Spyware: Malicious software, sometimes known as spyware, is installed on a computer

Chapter 4- Types of Vulnerabilities

❖ Unauthorized Access by Hacker:

Strategies to prevent unauthorized access-

How to detect unauthorized access:

❖ Cracking of WiFi passwords:

❖ Cross site scripting:

Methods to mitigate the XSS vulnerability include:

❖ Unrestricted upload of dangerous files:

Chapter 4- Types of Attacks

❖ Man-in-the-middle Attack (MITM):

➢ A computer attack technique known as a "watering hole" occurs when a hacker

➢ A zero-day vulnerability is a vulnerability that has been publicly revealed but

Case Study 1: FACEBOOK-

Case Study 2: LINKEDIN-

Case Study 3: SONY-

➢ Preventive measure against zero-day attack:

The mechanism that converts machine-friendly IP addresses into human-friendly URLs is

Let’s have look in detail-

Examples of Phishing attack:

Case Study as an example:

You might also like