ETHICAL HACKING

ANSWER KEY

2024-2025

11.A)
Post-Engagement in Penetration Testing refers to the activities that occur after the actual
testing phase is completed. It ensures that all findings are communicated, cleaned up, and
documented appropriately. Here’s a detailed

Post-Engagement in Penetration Testing

1. Report Preparation and Documentation
A comprehensive report is created detailing all the vulnerabilities discovered, their
risk ratings, exploitation methods, and potential impacts. The report includes both
executive summaries for management and technical details for developers and
security teams.
2. Remediation Recommendations
The penetration testers provide clear and actionable recommendations to fix the
identified vulnerabilities. This may include patches, configuration changes, code
improvements, or policy enhancements.
3. Data Cleanup
Any test data, files, user accounts, or scripts that were uploaded or created during
testing must be removed. This ensures that the environment is restored to its original
state and no testing artifacts remain that could be misused.
4. Debriefing and Presentation
A formal meeting is held with stakeholders (technical and non-technical) to present
the findings. The testers explain the risks, attack paths, and remediation strategies
to ensure clear understanding.
5. Retesting (Optional)
After remediation efforts, testers may conduct a follow-up test to verify whether the
vulnerabilities have been effectively addressed and no new issues have been
introduced.
6. Lessons Learned and Feedback
Both the testing team and the client analyze the testing process to identify what went
well and what could be improved. Feedback is collected for future engagements.
7. Legal and Compliance Considerations
Ensure that all legal obligations (such as data protection laws and contractual
requirements) are fulfilled, including secure destruction of any sensitive data
accessed during the test.
8. Archiving and Confidentiality Assurance
The final report and any sensitive data are stored securely or destroyed, depending
on client preference and compliance standards. Confidentiality agreements remain
in force even after the engagement ends.
THE FINAL REPORT:
Structure of a Penetration Testing Report
EX 3 Implementation Of Penetration Testing Report

Penetration Testing Report: Structure

1. Cover Page
• Title: Penetration Testing Report
• Client: Organization/Company Name
• Tester: Testing Team Name/Consultant
• Date: Report Date
• Confidentiality Statement

2. Executive Summary
• Overview of findings
• Purpose of the test
• High-level risks identified
• Overall security posture
This section is for non-technical stakeholders. It highlights critical findings and risk
levels.

3. Engagement Details
• Scope: IP ranges, applications, systems tested
• Objective: Goals of the penetration test
• Methodology: Tools, techniques, and frameworks (e.g., OWASP, NIST)
• Limitations: Constraints or exclusions

4. Methodology
Provide a step-by-step approach:
• Reconnaissance
• Scanning and Enumeration
• Exploitation
• Post-Exploitation
• Reporting
 5. Findings and Vulnerabilities
List vulnerabilities found during the test. For each, include:
• Title: Name of the vulnerability
• Severity: Critical, High, Medium, Low
• Description: Overview of the vulnerability
• Impact: Potential impact on the system
• Evidence: Screenshots, code snippets, logs, etc.
• Recommendation: Steps to fix the issue

6. Risk Summary
Present vulnerabilities in a tabular format for quick review.

Vulnerability Severity Affected System Status

SQL Injection High Application Server Unresolved

Outdated Software Medium Web Server Resolved

7. Conclusion
Summarize the test outcomes and overall security posture. Provide guidance on
prioritizing fixes.

8. Appendices
• Tools Used: List of tools (e.g., Nmap, Burp Suite, Metasploit)
• References: CVE numbers, industry best practices
• Raw Data: Logs, outputs, and command results

B)
1. ARP Spoofing (Man-in-the-Middle Attack)
● How it works: The attacker sends fake ARP (Address Resolution Protocol)
messages to associate their MAC address with the victim’s IP address, redirecting
the victim’s traffic through the attacker’s system.
● Real-Time Example:
○ A hacker in a public Wi-Fi hotspot uses a tool like Bettercap to
perform ARP Spoofing. If a victim logs into their bank accountwithout HTTPS encryption,
the attacker can steal their
 credentials.
2. MAC Flooding (Switch Table Overflow Attack)
● How it works: The attacker floods the switch with fake MAC addresses, forcing it
to act like a hub, sending all traffic to every connected device, including the
attacker.
● Real-Time Example:
○ An attacker in a corporate LAN network floods a switch with
fake MAC addresses using macof (a Kali Linux tool). The
switch starts broadcasting all traffic, allowing the attacker to sniff
confidential emails and file transfers.
3. DNS Spoofing (Pharming Attack)
● How it works: The attacker corrupts DNS cache entries, redirecting users to a
malicious website instead of the legitimate one.
● Real-Time Example:
○ A user in a university network tries to access
[Link], but due to DNS spoofing, they are
redirected to a fake login page controlled by the attacker. If they
enter their credentials, the attacker steals [Link] Measures Against Sniffing

Use HTTPS & VPNs: Encrypt data to prevent sniffing on public networks.

Enable ARP Inspection: Prevent ARP spoofing attacks in corporate networks.

Switch to Secure Protocols: Use SSH instead of Telnet and SFTP instead of FTP.

MAC Address Binding: Prevent unauthorized devices from connecting to the

network.

Use Network Monitoring Tools: Detect unusual traffic patterns in real time.

ARP Attacks
ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses in a
local network. ARP attacks exploit vulnerabilities in this protocol.
Types of ARP Attacks:
1. ARP Spoofing/Poisoning
○ An attacker sends fake ARP messages to associate their MAC address with
a legitimate IP (e.g., a gateway).
○ This allows them to intercept, modify, or block traffic.
○ Often used for Man-in-the-Middle (MITM) attacks.
2. ARP Flooding
○ Overwhelms a network switch with fake ARP replies, forcing it into hub
mode (where traffic is broadcast to all devices).
○ Allows attackers to sniff sensitive information.
Common Tools for ARP Attacks:
● Ettercap – Used for ARP spoofing and MITM attacks.● Cain & Abel – Can perform ARP
poisoning and sniff credentials.
● Arpspoof (part of dsniff) – Used for ARP cache poisoning.
● Wireshark – Used to monitor and analyze ARP packets.
● Bettercap – Advanced MITM and ARP spoofing tool.
Mitigation Strategies:
● Use Static ARP Entries (but this isn’t scalable for large networks).
● Enable Dynamic ARP Inspection (DAI) on switches.
● Use VPNs and encryption to protect traffic.
● Implement port security on network devices.
SYN Flood Attack (Denial of Service - DoS)
What is it?
Imagine a restaurant with only 10 tables.
Customers arrive and book all the tables but never order food.
● The restaurant keeps waiting for them to order, but they never do.
● Real customers can’t find a table and leave angry.
This is what happens in a SYN Flood Attack.
The hacker keeps asking the server for a connection but never completes it,
making the server too busy to accept real users.
Example (How a hacker does it)
1. Send Fake Requests to a Website
The attacker runs this command to send thousands of fake requests:
hping3 -S -p 80 --flood -c 1000000 [Link]○ Here’s what it does:
■ hping3 → A hacking tool.
■ -S → Sends SYN packets (fake requests).
■ -p 80 → Attacks port 80 (web traffic).
■ --flood → Sends requests very fast.
■ -c 1000000 → Sends 1 million requests!
2. Impact on the website:
○ The server keeps waiting for real connections, but they never arrive.
○ It runs out of space to accept new connections.
○ The website crashes or becomes very slow.
○
Purpose of a SYN Flood Attack
1. Crashing or Slowing Down Websites
○ Attackers send thousands of fake connection requests to a
website.
○ The website gets stuck waiting for responses that never
come.
○ Result: Real users can’t access the website.
2. Disrupting Online Services (Businesses, Banks, or Government
Sites)
○ Hackers attack banks, e-commerce stores, or government
portals.
○ The website stops working, causing loss of revenue and
customer trust
3. Hiding a Bigger Cyberattack○ While the SYN Flood keeps security teams distracted,
hackers steal data or install malware.
4. Extortion & Cyber Blackmail (Ransom DoS - RDoS)
○ Hackers demand money from companies, saying:

"Pay us, or we will crash your website!"

○ If the company doesn’t pay, they continue the attack until
the site is down.

○ How a SYN Flood Attack Works (Step-by-Step)

12.A) 1)
Sources of Information Gathering, Copying Websites Locally, Information Gathering with
Whois.
Sources of Information Gathering
Information gathering involves collecting data from various sources to understand a subject,
system, or target. Below are common sources used in the process:
1. Open Sources (OSINT)
● Websites: Official company pages, blogs, and forums.
Example: Visit "[Link]" to gather details about their products and
services.
● Search Engines: Use Google or Bing to find indexed data.
Example: Search for "[Link] vulnerabilities" to uncover known security issues.
 ● Social Media: Public posts on platforms like LinkedIn, Twitter, or Facebook.
Example: Find employee information or announcements on LinkedIn.
● Public Records: Legal documents, patents, and databases.
Example: Access patent filings for "[Link]" from a patent database.
● DNS Records: Public DNS data revealing domain structure.
Example: Use DNS lookup tools to find subdomains.
2. Restricted Sources
● Subscription Databases: Bloomberg, LexisNexis, or Factiva.
Example: Use Bloomberg to analyze financial data of a company.
● APIs: Access specific data using authorized APIs.
Example: Query Twitter’s API for trends related to a domain.
3. Confidential Sources
● Internal Data: Proprietary documents and communications.
Example: An employee accesses internal reports for analysis.
● Encrypted Traffic: Data captured from internal systems (requires permission).

Copying Websites Locally

Copying a website allows offline access or deep analysis of its structure. Below are methods to
do this effectively:
Tools and Techniques
1. Using HTTrack:
o HTTrack is a tool that downloads entire websites, maintaining their structure.
o Command:
httrack "[Link] -O /path/to/folder
o Example: Use HTTrack to copy "[Link]" and review its design offline.
2. Using wget:
o wget is a command-line tool for recursively downloading web pages.
o Command:
wget --mirror --convert-links --adjust-extension --page-requisites --no-parent
[Link]
o Example: Mirror "[Link]" for offline navigation.
3. Manual Download:
o Save individual pages by right-clicking and selecting "Save As."
o Example: Save the homepage of "[Link]" as an HTML file.
Use Cases
● Web Development: Analyze a competitor’s website design.
● Offline Access: View a website without internet connectivity.
Considerations
 ● Ensure legality and ethical compliance before copying any website.
● Some sites use anti-scraping measures that might block or detect such activities.

2)
Reverse IP Lookup
• This technique involves checking which domain names resolve to the same IP
address.
• Tools like YouGetSignal, ViewDNS, or SecurityTrails can be used.
• This helps identify other domains sharing the same IP address (i.e., hosted on the
same shared server).
Search Engine Queries (Google Dorking)
• You can use search engines with advanced operators, e.g.,
ip:[Link] (replace with actual IP) to list domains indexed with that IP.
• Useful for quickly identifying publicly known websites on the same server.
DNS Zone Transfer (if misconfigured)
• If the server’s DNS is improperly configured, you may be able to perform a zone
transfer to retrieve domain names and subdomains.
• Use tools like dig or host for zone transfers.
WHOIS Information
• WHOIS lookup may help find domains registered to the same owner or IP block.
• While not direct, correlating registration data (email, organization) can reveal
connected domains.
Certificate Transparency Logs
• SSL/TLS certificates often list all domains for which they’re valid.
• You can search certificate transparency logs using tools like [Link], Censys, or
Google’s Certificate Transparency log to find domains using the same certificate.
Web Hosting Detector Tools
• Tools like Netcraft or BuiltWith can provide hosting data and may reveal other
domains hosted on the same server or infrastructure.
Passive DNS Replication
• Services like PassiveTotal or RiskIQ offer historical DNS data, showing which
domains have pointed to a given IP in the past.

B)
Traceroute, ICMP Traceroute,TCP Traceroute,

Traceroute is a network diagnostic tool used to trace the path that data packets take
from a source to a destination. It identifies each hop (router or device) along the route and
measures the latency (time delay) at each step.
Traceroute can be performed using different protocols, such as ICMP, TCP, and UDP. Here's a
breakdown of the types of traceroute and how they work:
1. Traceroute Overview
● Purpose: To diagnose network routing issues by identifying the devices and time
delays along the path to a target.
● Mechanism:
○ Sends packets with increasing TTL (Time-to-Live) values.
○ When TTL expires, intermediate devices send back error messages, allowing
the tool to record their IP addresses and response times.

Suppose we have some problem in google its running slow using traceroute we can find
where the error occurred
Some times it could be long distance so problem can occur

TTL (TIME TO LIVE ) : Its says how much time data packets will live

Setting hop into 4 for TTL

2. ICMP Traceroute
● Protocol Used: ICMP (Internet Control Message Protocol).
● How It Works:
○ Sends ICMP Echo Request packets (similar to ping).
○ Routers along the path reply with ICMP Time Exceeded messages when the
TTL expires.
○ The final destination sends an ICMP Echo Reply.
● Advantages:
○ Simple and widely supported.
● Disadvantages:
○ Some routers block ICMP packets (firewall restrictions).
○ Results may be incomplete or misleading due to blocked responses.
Example (Linux/Unix):

traceroute -I [Link]

Example (Windows):

tracert [Link]

3. TCP Traceroute
● Protocol Used: TCP (Transmission Control Protocol).
● How It Works:
○ Sends TCP SYN packets to a specific port on the destination (commonly port
80 for HTTP).
○ Routers send ICMP Time Exceeded messages when TTL expires.
 ○ The destination replies with a TCP SYN-ACK or RST depending on whether the
port is open.
● Advantages:
○ Effective when ICMP is blocked but TCP traffic is allowed.
○ Mimics real-world traffic more closely, useful for troubleshooting web server
connectivity.
● Disadvantages:
○ Slightly slower than ICMP traceroute due to TCP handshake processing.
Example (Linux/Unix):

traceroute -T [Link]

Alternative Tool:
On Linux systems, you can use tcptraceroute:

tcptraceroute [Link] 80

4. UDP Traceroute (Default for Traditional Traceroute)

● Protocol Used: UDP (User Datagram Protocol).
● How It Works:
○ Sends UDP packets to high-numbered ports (e.g., 33434-33534).
○ Routers send ICMP Time Exceeded messages when TTL expires.
○ The final destination sends ICMP Port Unreachable if the port is closed.
● Advantages:
○ Supported by most devices and networks.
● Disadvantages:
○ UDP packets may be filtered by firewalls, causing incomplete results.
Example:

traceroute [Link]
13 A)
Domain Name System (DNS)
What is a Domain Name System (DNS)?
The Domain Name System (DNS) is a fundamental component of the internet,
responsible for translating human-readable domain names ([Link]) into
machine-readable IP addresses ([Link]).
This translation allows computers and devices to communicate across the internet
using IP addresses while enabling humans to use easy-to-remember domain names.
DNS operates in a hierarchical structure, involving multiple types of DNS
servers and caches to efficiently resolve domain names.
DNS Levels (Hierarchy of the Domain Name System)
The Domain Name System (DNS) follows a structured hierarchy, like a tree or
phonebook, to resolve domain names into IP addresses. Here are the main levels
of DNS:1. DNS Resolver (Recursive Resolver)
● The DNS Resolver is typically provided by the Internet Service Provider
(ISP). It serves as the starting point for the DNS resolution process.
● When you enter a domain name ([Link]) in the browser, your
device contacts the DNS resolver to find the corresponding IP address.
● The resolver queries other DNS servers on behalf of the client until it finds
the authoritative answer. The resolver is called “recursive” because it
follows a recursive process, querying one server after another.
2. DNS Caching
DNS caching is a performance optimization mechanism that allows the DNS
resolvers to temporarily store previously queried DNS records. This helps if the
same domain is requested again, the resolver can return the cached IP address
without querying upstream DNS servers, speeding up the resolution process.
Caching can occur at multiple points:
● Browser Cache: Browsers maintain their cache of recently visited domain
names and corresponding IP addresses.
● Operating System Cache: The OS, such as Windows or Linux, has its DNS
cache to store results from previous queries.
● Recursive DNS Resolver Cache: The resolver itself caches DNS responses
to reduce the need for repeated queries to upstream servers.
3. Root Level (.)
● The top-most level of the DNS hierarchy.
● Represented by a dot (.) at the end of a domain (e.g., [Link].).
● Managed by 13 root name servers worldwide.
● Example: When you enter [Link], your request first reaches the root
DNS server.
4. Top-Level Domain (TLD)
● The TLD is the extension of a domain name.
● Common TLDs:○ Generic TLDs (gTLDs): .com, .org, .net, .edu
○ Country Code TLDs (ccTLDs): .us (USA), .in (India), .uk (UK)
● Example: In [Link], the TLD is .com.
5. Second-Level Domain (SLD)
● The name that comes before the TLD.
● Usually represents a company, brand, or individual.
● Example: In [Link], "google" is the SLD.
6. Subdomain Level
● A subdomain is an extension of the main domain.
● Allows websites to organize content or services.
● Example: [Link] is a subdomain of [Link].
7. Host/Device Level
● The lowest level where individual devices or servers exist.
● Each device has an IP address linked to a DNS record.
● Example: www. in [Link] refers to a specific web server.
3. Importance of DNS
● Makes the Internet user-friendly by converting names to numbers.
● Helps websites load faster by caching domain information.
● Enables scalability, allowing millions of users to access websites.
● Protects against cyber threats using DNS security extensions (DNSSEC).
DNS (Domain Name System) – How It Works & Common Vulnerabilities

How DNS Works

DNS translates human-readable domain names (like [Link]) into IP addresses (like
[Link]) that computers use to identify each other on the network.

DNS Resolution Process (Simplified)

1. User enters a domain in the browser (e.g., [Link]).
2. DNS Resolver (often run by your ISP or a public resolver like Google’s [Link]) checks
its cache.
3. If not cached, it queries the Root Server.
 4. The Root Server directs to a TLD (Top-Level Domain) Server (e.g., for .com).
5. The TLD Server returns the IP of the Authoritative Name Server for [Link].
6. The Resolver queries the Authoritative Name Server, which returns the IP address.
7. The IP is returned to the user’s browser, which connects to the server.

Common DNS Vulnerabilities

1. DNS Spoofing / Cache Poisoning
o Attacker inserts fake DNS records into the resolver's cache.
o Users are redirected to malicious sites.
2. DNS Amplification Attack
o A type of DDoS attack.
o Attacker sends small queries with spoofed source IPs; the DNS server replies
with large responses to the victim.
3. DNS Tunneling
o Encodes data into DNS queries/responses to bypass firewalls and exfiltrate
data.
4. Zone Transfer Vulnerability
o If a DNS server allows unauthorized zone transfers (AXFR), an attacker can
download the entire DNS zone file (names and IPs in the domain).
5. Typosquatting / DNS Hijacking
o Users mistype URLs or have DNS settings altered to redirect them to malicious
domains.
6. NXDOMAIN Attack
o Attackers send large volumes of requests for non-existent domains to exhaust
DNS resolver resources.

DNS Security Best Practices

• Use DNSSEC (Domain Name System Security Extensions) to validate DNS responses.
• Disable unauthorized zone transfers.
• Limit and monitor recursive queries.
• Implement rate limiting to mitigate amplification attacks.
• Regularly patch DNS servers and software.
B)
Network Sniffing: Introduction, Types of Sniffing
Introduction to Network Sniffing
Network sniffing is the process of monitoring, capturing, and analyzing network traffic to
gather
information about data packets transmitted over a network. It is commonly used for network
troubleshooting, performance analysis, and security auditing. However, it can also be exploited
by attackers to intercept sensitive information such as passwords, emails, and credit card
details.
Network sniffing is the process of capturing and analyzing data packets
that travel across a network. It is used for both legitimate and
malicious purposes. IT administrators use sniffing for network
monitoring, troubleshooting, and security analysis, while attackers use it
to intercept sensitive data like usernames, passwords, and financial
transactions.
Sniffing can be done using specialized software tools like Wireshark,
tcpdump, and Ettercap, or through hardware-based packet sniffers
Types of Network Sniffing
1. Passive Sniffing
● Definition: In passive sniffing, the sniffer listens to network traffic without
altering or injecting any data into it. This method works best in hub-based
networks, where data packets are sent to all connected devices.
● Real-Time Example:
○ Suppose a company is using an old hub-based network. An
attacker connects a laptop with a sniffing tool like Wireshark andpassively captures
unencrypted communications, including login
credentials sent via HTTP.
2. Active Sniffing
● Definition: Active sniffing involves injecting packets or exploiting network
vulnerabilities to capture traffic in switched networks, where data is sent only to
intended recipients. Attackers use techniques like ARP Spoofing, MAC
Flooding, and DNS Spoofing to redirect traffic to their sniffing device.
● Real-Time Example:
○ A hacker connected to a Wi-Fi network in a coffee shop
performs ARP Spoofing using Ettercap, making users' traffic
pass through the hacker’s device. This allows them to capture
sensitive information like bank credentials if the connection is
not encrypted.
Sniffing Techniques with Real-Time Examples
1. ARP Spoofing (Man-in-the-Middle Attack)
● How it works: The attacker sends fake ARP (Address Resolution Protocol)
messages to associate their MAC address with the victim’s IP address, redirecting
the victim’s traffic through the attacker’s system.
● Real-Time Example:
○ A hacker in a public Wi-Fi hotspot uses a tool like Bettercap to
perform ARP Spoofing. If a victim logs into their bank accountwithout HTTPS encryption, the
attacker can steal their
credentials.
2. MAC Flooding (Switch Table Overflow Attack)
● How it works: The attacker floods the switch with fake MAC addresses, forcing it
to act like a hub, sending all traffic to every connected device, including the
attacker.
● Real-Time Example:
○ An attacker in a corporate LAN network floods a switch with
fake MAC addresses using macof (a Kali Linux tool). The
switch starts broadcasting all traffic, allowing the attacker to sniff
confidential emails and file transfers.
3. DNS Spoofing (Pharming Attack)
● How it works: The attacker corrupts DNS cache entries, redirecting users to a
malicious website instead of the legitimate one.
● Real-Time Example:
○ A user in a university network tries to access
[Link], but due to DNS spoofing, they are
redirected to a fake login page controlled by the attacker. If they
enter their credentials, the attacker steals [Link] Measures Against Sniffing

Use HTTPS & VPNs: Encrypt data to prevent sniffing on public networks.

Enable ARP Inspection: Prevent ARP spoofing attacks in corporate networks.

Switch to Secure Protocols: Use SSH instead of Telnet and SFTP instead of FTP.

MAC Address Binding: Prevent unauthorized devices from connecting.

Feature P promiscuous Mode Non-Promiscuous Mode

Captures all network packets, Captures only packets specifically

1. Definition
even if not addressed to the device. addressed to the device.

Sees all network traffic on the same

2Packet Visibility Sees only traffic meant for the device.
segment.

High risk if misused—attackers can

3. Security Risk Low risk—cannot view others’ traffic.
capture sensitive data.

Network monitoring, security testing,

Normal data communication and
4. Use Cases
sniffing attacks. network usage.

Higher CPU/network load due to extra

Minimal impact; processes only relevant
5. Performance Impact
traffic. data.

Detectable by IDS or network

Not detected—follows standard NIC
6. Detection
monitoring tools. behavior.

Used by admins for diagnostics and

Used by end users during routine
7. Ethical Usage
intrusion detection. operations.

Can be abused for MITM attacks and

Cannot be used for sniffing or
8. Malicious Usage
data theft. interception.

Wireshark, tcpdump, Ettercap,

No special tools; standard NIC
9. Tools Used
Bettercap, Tshark. configuration.

A regular user checks email and

A cybersecurity analyst uses
10. Real-Time Example browses—only receiving intended
Wireshark to inspect all LAN traffic.
packets.

Definition: In Promiscuous Mode, a network interface captures all network packets, even
if they are not addressed to the device, whereas in Non-Promiscuous Mode, it captures only
packets specifically addressed to the device.
Packet Visibility: Promiscuous Mode allows a device to see all network traffic on the same
segment, while Non-Promiscuous Mode restricts visibility to only the traffic meant for that
device.
Security Risk: Promiscuous Mode poses a high security risk if misused, as attackers can
intercept and capture sensitive data; in contrast, Non-Promiscuous Mode has low risk since
users cannot view others' traffic.
Use Cases: Promiscuous Mode is typically used for network monitoring, security testing,
and packet sniffing attacks, whereas Non-Promiscuous Mode is used for regular network
communication and data exchange.
Performance Impact: Running in Promiscuous Mode can slow down a system due to the
need to process a large volume of data, while Non-Promiscuous Mode maintains normal system
performance by handling only relevant packets.
Detection: Promiscuous Mode can be detected on secure networks using intrusion
detection systems (IDS), while Non-Promiscuous Mode does not require detection as it aligns
with normal network behavior.
 Ethical Usage: Network administrators use Promiscuous Mode ethically for tasks like
troubleshooting and detecting intrusions, whereas Non-Promiscuous Mode is used ethically
by general users for everyday network operations.
Malicious Usage: Hackers may exploit Promiscuous Mode for Man-in-the-Middle (MITM)
attacks and to steal credentials, but Non-Promiscuous Mode cannot be exploited in this way
since only intended packets are received.
Tools Used: Tools like Wireshark, tcpdump, Ettercap, Bettercap, and Tshark are commonly
used in Promiscuous Mode; in Non-Promiscuous Mode, no special tools are required as it's the
default behavior of a network interface.
Real-Time Example: A cybersecurity expert may enable Wireshark in Promiscuous Mode
to monitor all traffic on a corporate network, while a typical user browsing the web or sending
an email operates in Non-Promiscuous Mode, receiving only data directed to their device.

14 A)
Types of Malware and Their Countermeasures
Malware, short for malicious software, is any software designed to harm, exploit, or
otherwise compromise a computer system, network, or user. There are various types of
malware, each with unique characteristics and behaviors. Understanding them, along with
their countermeasures, is essential for maintaining robust cybersecurity.
One common type is a virus, which attaches itself to clean files and spreads when the
infected file is executed. Viruses can corrupt data, slow down systems, or even render them
inoperable. To prevent infection, users should install and regularly update antivirus
software, avoid opening unknown attachments, and ensure their operating systems are fully
patched.
A worm is similar to a virus but differs in that it does not need a host file to spread. Worms
exploit vulnerabilities in network protocols and replicate rapidly, potentially causing
widespread damage. Effective countermeasures include using firewalls, applying regular
security patches, and implementing proper network segmentation.
Trojan horses, or simply Trojans, disguise themselves as legitimate software to deceive
users into installing them. Once active, they can open backdoors, steal information, or
install other malware. To defend against Trojans, users should only download software from
trusted sources and use endpoint protection that scans for unusual behavior.
Ransomware is a particularly dangerous form of malware that encrypts a user’s files and
demands a ransom payment—usually in cryptocurrency—in exchange for a decryption key.
To protect against ransomware, organizations should maintain regular offline backups,
patch software vulnerabilities promptly, and educate users on identifying phishing
attempts, which are a common infection vector.
Spyware secretly monitors user activity and collects sensitive data, such as browsing habits
or login credentials. It can be difficult to detect as it often runs silently in the background.
Countermeasures include using anti-spyware tools, enabling real-time protection, and
practicing good digital hygiene, such as avoiding unknown downloads.
Adware, though less harmful, bombards users with unwanted advertisements and can be
a gateway to more serious threats. Installing ad-blockers, avoiding bundled free software,
and running regular malware scans can help mitigate adware.
Rootkits are advanced malware tools that provide attackers with administrative-level
access while remaining hidden from normal detection tools. They are difficult to remove and
often require a system reinstallation. Preventive measures include using strong endpoint
protection, monitoring system behavior, and minimizing administrative privileges.
Another serious threat is the keylogger, which records every keystroke a user makes,
potentially stealing sensitive information such as passwords and credit card numbers.
Using secure input methods (like on-screen keyboards), updating antivirus software, and
avoiding suspicious links can reduce the risk of keylogger infections.
Botnets are networks of compromised devices controlled remotely by hackers to perform
coordinated cyberattacks, such as Distributed Denial-of-Service (DDoS). To prevent devices
from becoming part of a botnet, users should ensure all software is updated, restrict
unnecessary services, and monitor outbound traffic for suspicious behavior.
Lastly, fileless malware operates directly in memory rather than being stored on disk,
making it harder to detect. It often exploits trusted tools like PowerShell to execute
commands. Countering fileless malware requires behavioral analysis tools, disabling
macros and scripting where unnecessary, and applying the principle of least privilege to
user accounts.
In conclusion, malware poses a significant threat to individuals and organizations alike. A
strong cybersecurity strategy must include a combination of technical defenses, regular
updates, user awareness, and proactive monitoring to effectively detect, prevent, and
respond to malware attacks.

B)
Text-Based Protocols
Text-based protocols use human-readable commands for communication
between networked systems. These protocols are often used for
configuration, data transfer, and command execution.
Examples of Text-Based Protocols:
1. HTTP (Hypertext Transfer Protocol)
– Uses text-based commands for web
communication.
2. FTP (File Transfer Protocol) – Uses plain-text commands for file
transfer.
3. SMTP (Simple Mail Transfer Protocol) – Uses plain-text messages to
send emails.
4. Telnet – A text-based protocol for remote command-line access.
5. POP3/IMAP – Email retrieval protocols using text commands.
Example of a Text-Based Protocol (SMTP)
HELO [Link]
MAIL FROM: <sender@[Link]>
RCPT TO: <receiver@[Link]>
 DATA
Subject: Test Email
This is a test email.
.
QUIT● This is an SMTP session used to send an email.
Binary Protocols
1. Binary Protocols
Binary protocols use a compact, non-human-readable format to transmit data
efficiently over networks. Unlike text-based protocols, they are faster and
more secure but harder to debug manually.
Examples of Binary Protocols:
1. HTTPS (Hypertext Transfer Protocol Secure)
– Encrypts HTTP communication
using SSL/TLS.
2. SMB (Server Message Block) – Used for file sharing and network
communication in Windows.
3. RDP (Remote Desktop Protocol) – Enables remote access to a
Windows machine.
4. DNS (Domain Name System, in UDP format) – Transmits domain
name queries in a binary format.
5. MQTT (Message Queuing Telemetry Transport) – Used for IoT
communication.

Example – SMB Packet (Binary Format in Wireshark):

A captured SMB request in Wireshark might look like:
0000 fe 53 4d 42 40 00 00 00 00 18 07 c0 00 00 00
00 |.SMB@..........|0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 |................|

🛠 Use Case: Used for file sharing in Windows networks.

Text-Based and Binary-Based Protocols – Their Significance in Communication

In computer networks, communication protocols define the rules and structure of how data
is exchanged between systems. Two important forms of protocols in this domain are text-
based protocols and binary-based protocols, both of which play a vital role in ensuring
reliable and efficient communication.
Text-based protocols are protocols where data is transmitted in a human-readable format, usually
as plain text using ASCII or UTF-8 encoding. These protocols are widely used for their simplicity
and readability. Examples include HTTP (Hypertext Transfer Protocol), SMTP (Simple Mail
Transfer Protocol), and FTP (File Transfer Protocol). The major advantage of text-based
protocols lies in their ease of debugging and troubleshooting. Developers can easily read and
construct requests manually, making them ideal for testing, learning, and diagnosing issues. In
addition, these protocols are platform-independent and work well across various operating
systems and architectures. Their significance is especially prominent in web communication and
email systems, where human interaction with the data format is often required.
In contrast, binary-based protocols encode data in a compact binary form that is optimized
for speed, performance, and reduced bandwidth usage. They are not human-readable
and require specialized tools to interpret. Examples of binary-based protocols include DNS
(Domain Name System), MQTT (Message Queuing Telemetry Transport), SMB (Server
Message Block), and Protocol Buffers (Protobuf). These protocols are extremely important
in environments where performance and efficiency are critical, such as in IoT devices,
real-time systems, and multimedia streaming. Since binary formats transmit data in a
compressed and structured way, they minimize network overhead and improve processing
speed.
The significance of both types of protocols lies in their ability to serve different needs within
digital communication. Text-based protocols support easy human interaction and
debugging, making them highly useful during development and web interactions. Binary-
based protocols, on the other hand, enable fast and resource-efficient communication in
high-performance or low-power systems.
In conclusion, both text-based and binary-based protocols are essential components of
modern communication systems. Their individual strengths address different technical
needs, and understanding both helps ensure optimal protocol selection for specific network
applications.

15. A)
The Need for Safe Browsing and Guidelines for Social Networking Sites
In today's digital age, safe browsing is essential to protect users from a wide range of cyber
threats such as identity theft, phishing attacks, malware infections, and cyberbullying. With
the rapid expansion of the internet and the increasing use of social networking sites, the
need for users to adopt safe browsing practices has never been more critical. Social
networking sites like Facebook, Instagram, Twitter, and LinkedIn have become platforms
for personal interaction, business networking, and information sharing. However, they also
pose significant risks if users are not vigilant about their online behavior and privacy
settings.
Safe browsing refers to the practice of navigating the internet in a way that minimizes
exposure to these threats while protecting personal information and maintaining security.
Safe browsing is particularly crucial on social networking sites where individuals share
personal details, photos, and engage in public conversations. Without proper precautions,
attackers can exploit these platforms to gather personal data, launch scams, or target users
with harmful content.
Need for Safe Browsing
The primary reason for ensuring safe browsing is to protect personal information. Social
networking sites often require users to input sensitive data such as email addresses, phone
numbers, and birthdates. If this data falls into the wrong hands, it can lead to identity
theft, fraud, or even harassment. Furthermore, social media accounts can serve as
gateways for more severe attacks such as phishing or social engineering, where attackers
trick users into providing confidential details.
Another significant concern is cyberbullying and online harassment. Social networking sites
enable users to engage with others on a global scale, but this also opens the door for malicious
activities like trolling, harassment, and defamation. Safe browsing practices help minimize these
risks by providing privacy controls, reporting mechanisms, and security measures to protect users
from harmful interactions.
Moreover, social networking sites are a prime target for malware distribution. Malicious
links, fake advertisements, and compromised third-party apps can lead to the installation
of malware, which can harm devices, steal personal information, or compromise other
accounts. Practicing safe browsing on these platforms helps users avoid dangerous sites,
suspicious links, and downloads that could potentially compromise their security.
Guidelines for Safe Browsing on Social Networking Sites
To foster safer browsing on social networking sites, the following guidelines should be
followed:
1. Use Strong, Unique Passwords: Always use strong passwords that combine letters,
numbers, and symbols. Avoid using easily guessable information like birthdays or
common phrases. Additionally, enabling two-factor authentication (2FA) can add
an extra layer of security to accounts.
2. Be Cautious with Sharing Personal Information: Limit the amount of personal
information shared online, such as your full name, phone number, address, and
workplace. Avoid posting sensitive data that can be used to steal your identity or gain
unauthorized access to your accounts.
3. Review Privacy Settings Regularly: Social media platforms often update their
privacy policies and settings. Users should regularly review these settings to ensure
their information is visible only to trusted people and networks. It is essential to
configure who can see posts, send friend requests, or access personal data.
4. Avoid Clicking on Suspicious Links: Social media platforms are rife with phishing
attacks, where attackers attempt to trick users into clicking on malicious links that
steal login credentials or spread malware. Always be cautious of links in unsolicited
messages or suspicious emails, even if they appear to come from a trusted source.
5. Use Secure Connections: Always ensure that the website uses HTTPS encryption
when browsing social media platforms. This protects data from being intercepted
during transmission. Avoid logging into social accounts over unsecured networks,
such as public Wi-Fi, as this increases the risk of data theft.
6. Regularly Update Software: Keeping software, apps, and devices updated is crucial
for protecting against security vulnerabilities. Updates often include patches for
newly discovered security flaws, preventing cybercriminals from exploiting them.
7. Report Suspicious Activity: Many social networking sites have built-in features to
report phishing attempts, harassment, or suspicious profiles. It is important to take
advantage of these features to alert the platform and protect others from potential
threats.
8. Educate Yourself and Others: Staying informed about common online threats, such
as phishing, scams, and malware, is critical. Additionally, educating friends and
family members about safe browsing practices can help create a safer online
environment for everyone.
9. Be Skeptical of Unknown Friend Requests or Messages: Always be cautious when
accepting friend requests from unknown individuals or interacting with users who
send unsolicited messages. They may be attempting to scam or gather personal
information.
 10. Use Security Software: Installing and maintaining security software, such as
antivirus programs and firewalls, can help protect against malware, phishing
attacks, and other cyber threats when browsing social media sites.
Conclusion
In conclusion, safe browsing on social networking sites is vital to protect users from a range
of online threats, including identity theft, fraud, malware, and online harassment. By
following the aforementioned guidelines, users can minimize risks and ensure a safer and
more enjoyable experience on social media platforms. It is the responsibility of both
individuals and social media providers to adopt and promote safe browsing practices to
secure the digital landscape. As the internet continues to evolve, practicing safe browsing
will remain a crucial aspect of maintaining personal security and privacy online.

B)
Importance of Two-Step Verification and Other Authentication Mechanisms
In today’s digital world, cybersecurity is more critical than ever. As online accounts and
services become increasingly integrated into our daily lives, the importance of securing
these accounts from unauthorized access has never been more paramount. Authentication
mechanisms are fundamental to ensuring that only authorized users can access sensitive
information. Among these mechanisms, two-step verification (2SV), also known as two-
factor authentication (2FA), plays a crucial role. However, there are several other
authentication methods that, when implemented correctly, provide an added layer of
protection to secure digital environments.
Importance of Two-Step Verification (2SV)
Two-step verification (2SV), or two-factor authentication (2FA), significantly enhances
account security by requiring users to provide two forms of verification before granting
access to their accounts. This is an improvement over traditional password-based systems,
where a single password serves as the sole method of authentication. With 2FA, even if an
attacker manages to acquire or guess the password, they cannot access the account without
the second factor of authentication. This additional layer makes it much more difficult for
malicious actors to gain unauthorized access.
1. Protection Against Phishing and Credential Theft: One of the main reasons for
adopting two-step verification is its ability to protect against phishing attacks.
Phishing involves tricking users into revealing their passwords, often through fake
login pages. With 2FA in place, even if an attacker manages to steal a password, they
would still need the second authentication factor, which is typically something only
the user possesses (e.g., a phone or hardware token). This reduces the risk of
account takeover significantly.
2. Enhanced Account Security: Two-step verification greatly enhances the security of
personal accounts, such as email, banking, and social media accounts. Even in cases
where passwords are weak or compromised, 2FA offers an added layer of defense.
For example, many services use a one-time password (OTP) sent via SMS or a
specialized app (e.g., Google Authenticator, Authy) as the second factor, ensuring
that unauthorized logins are blocked.
3. Mitigating the Risk of Data Breaches: The widespread use of weak or reused
passwords has been a major factor in many high-profile data breaches. Two-step
verification helps mitigate this risk by making stolen passwords useless without the
 second factor. Even if passwords are leaked during a data breach, attackers will be
unable to use them without also accessing the second factor.
4. Reduced Impact of Keylogging: If malware or a keylogger is installed on a device,
it can record keystrokes and steal passwords. However, with 2FA enabled, the
attacker would still require access to the second factor (e.g., a phone or authenticator
app), which provides a stronger defense against keylogging attacks.
5. Compliance with Regulations: Many regulatory frameworks, such as GDPR
(General Data Protection Regulation) and HIPAA (Health Insurance Portability and
Accountability Act), require certain sectors (e.g., finance, healthcare) to implement
additional layers of security, including two-step verification. By adopting 2FA,
businesses not only improve their security posture but also ensure compliance with
legal and industry standards.
Other Authentication Mechanisms
While two-step verification is widely regarded as a strong authentication mechanism, there
are other techniques that enhance security:
1. Password-Based Authentication: Although a traditional method, password-based
authentication is still the most common form of authentication. The main challenge
with passwords is ensuring their strength and uniqueness. Passwords should ideally
be complex, with a mix of uppercase and lowercase letters, numbers, and special
characters, and be unique for every service.
2. Biometric Authentication: Biometrics, such as fingerprints, facial recognition, or
retina scans, have gained traction as an alternative to passwords. These systems rely
on unique physiological or behavioral traits to authenticate users. Biometric
authentication is convenient, as users do not need to remember anything, and it is
generally more secure than passwords. However, there are concerns regarding
privacy and the potential for biometric data theft.
3. Behavioral Biometrics: A newer approach in authentication is behavioral
biometrics, which analyzes patterns in user behavior (such as typing speed, mouse
movements, or even walking patterns). This type of authentication can add an
additional layer of security by verifying that the person attempting to access an
account is the legitimate user based on their unique behaviors.
4. Multi-Factor Authentication (MFA): While two-factor authentication (2FA) involves
two factors, multi-factor authentication (MFA) extends this idea by requiring more
than two factors, combining knowledge (password), possession (phone or hardware
token), and inherence (biometric). This approach is often used in high-security
environments where the stakes are high, such as in banking, government, and
corporate networks.
5. Smart Cards and Hardware Tokens: Smart cards and hardware tokens are
physical devices that generate or store authentication information. Users must
possess the physical token in addition to entering a PIN or password to gain access.
These tokens can be used for highly secure access to networks and applications,
offering protection against many forms of digital attacks.
6. Single Sign-On (SSO): Single Sign-On systems allow users to authenticate once and
gain access to multiple systems or services without having to log in repeatedly. While
convenient, SSO should be combined with strong authentication methods, such as
2FA, to ensure that the initial login is secure.
7. One-Time Passwords (OTPs): One-time passwords are temporary, randomly
generated codes used for authentication. They are typically sent via email, SMS, or
generated by an app like Google Authenticator. These passwords provide an
additional layer of security, as they expire quickly and can’t be reused.
Conclusion
In conclusion, two-step verification and other authentication mechanisms are essential
for protecting sensitive online accounts from unauthorized access. Two-step verification is
an especially effective measure, enhancing security by requiring something the user knows
(password) and something the user possesses (e.g., phone or hardware token). Other
authentication methods, such as biometric authentication and multi-factor authentication
(MFA), offer additional layers of security that help safeguard against evolving cyber threats.
By implementing robust authentication mechanisms, individuals and organizations can
significantly reduce the risk of account compromises, data breaches, and other security
incidents. As cyber threats continue to evolve, strong authentication practices will remain
an essential part of any comprehensive security strategy.