Ethical Hacking (PE-III) - Answers

Q1,13,28.] Explain common threats to web applications and how to avoid them. (Unit - 5)

1] Security Misconfiguration –
- A working web application rests on a stack of supporting components:
databases, the operating system, firewalls, web and application servers,
and other software or devices.
- Every one of these needs regular maintenance and correct configuration,
and a single weak setting (default credentials, directory listing, verbose
error pages, unnecessary services left enabled) exposes the whole application.
How to avoid -
- Before deploying a web application, confirm with the developers which
security measures were built in and which were left to deployment.
- Harden and review the configuration of each layer, and remove or disable
anything the application does not need.
- Schedule penetration tests of the web application, including how it handles
sensitive data, so that misconfigurations are found before an attacker finds them.
2] Malware –
- Malware is another of the most common threats that companies have to guard
against.
- Once malware is downloaded and run, the consequences can be severe: activity
monitoring, access to confidential information, and a backdoor that can lead
to large-scale data breaches.
- Malware is grouped by what it is built to do: spyware, viruses, ransomware,
worms, and Trojans.
How to avoid -
- Install firewalls and keep them up to date.
- Keep all operating systems and application software patched, and run
endpoint anti-malware that is updated regularly.
3] Injection Attacks –
- These attacks come in several forms and all target the data a web application
consumes, since web applications cannot function without taking in data.
- The more input an application accepts, the more entry points an injection
attack has.
- Examples include SQL injection, code injection, and cross-site scripting.
- In SQL injection, data supplied to the web application is crafted so that the
database treats it as part of the query rather than as a plain value.
- The injected text gives the database instructions that the site owner never
authorized.
- The result is leaking, deletion, or manipulation of stored data.
How to avoid -
- Validate all input and, above all, keep data separate from code: use
parameterised (prepared) queries instead of building SQL strings by
concatenation, and encode output to stop cross-site scripting.
- Apply the principle of least privilege so that the database account the
application uses, and each user's rights, can do no more than is needed.
4] Phishing Scam –
- Phishing messages are designed to look like emails from legitimate sources,
with the goal of acquiring sensitive information such as login credentials,
bank account numbers, credit card numbers, and other personal data.
- If a recipient cannot recognise the signs that a message is suspicious, the
consequences can be severe, since they may respond with exactly what the
attacker asked for.
- Alternatively, the message can carry malware that, once clicked, gives the
attacker access to the user's information.
How to avoid -
- Train all employees to recognise and report suspicious emails.
- Have a reporting procedure and technical controls (mail filtering, link and
attachment scanning, multi-factor authentication) in place so that a reported
or successful phish can be contained quickly.
5] Brute Force –
- In a brute-force attack, the attacker tries many passwords in succession in
an attempt to guess the right one and gain access to the web application
owner's account.
- The attack cannot be prevented outright, because the login form must accept
attempts; what can be done is to make guessing impractical.
- Limit the number of login attempts (rate limiting and temporary lockout),
store passwords only as salted, slow hashes rather than in a recoverable
form, and require multi-factor authentication where possible.
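As an added example (not part of the original answer sheet), the following Python sketch shows the two deterrents just listed working together: a per-account attempt counter with a lockout window, and passwords stored as salted PBKDF2 hashes compared in constant time. The user store, the clock and the "alice" account are constructed for the demo; the thresholds are assumptions, not values from the page.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5         # consecutive failures allowed before lockout (assumed)
LOCKOUT_SECONDS = 900    # 15 minutes (assumed); long enough to make online guessing impractical
PBKDF2_ROUNDS = 200_000  # slow hash: every guess costs the attacker this much CPU

# Dummy credential used for unknown user names so that a failed lookup takes
# the same time as a failed password, which stops user-name enumeration by timing.
DUMMY_SALT = b"\x00" * 16


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


DUMMY_DIGEST = hash_password("", DUMMY_SALT)[1]


class LoginGuard:
    """In-memory login handler with rate limiting and lockout (demo only)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock         # injectable so the demo can fast-forward time
        self.users = {}            # username -> (salt, digest)
        self.failures = {}         # username -> consecutive failure count
        self.locked_until = {}     # username -> clock value when the lock expires

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def is_locked(self, username):
        return self.clock() < self.locked_until.get(username, 0.0)

    def attempt(self, username, password):
        """Return 'ok', 'denied' or 'locked'. Never reveals whether the user exists."""
        if self.is_locked(username):
            return "locked"
        record = self.users.get(username)
        salt, expected = record if record else (DUMMY_SALT, DUMMY_DIGEST)
        _, actual = hash_password(password, salt)
        # constant-time comparison: no early exit on the first differing byte
        if record is not None and hmac.compare_digest(actual, expected):
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_ATTEMPTS:
            self.locked_until[username] = self.clock() + LOCKOUT_SECONDS
            self.failures.pop(username, None)
            return "locked"
        return "denied"


def demo():
    """Constructed scenario: five wrong guesses lock the account; even the
    right password is refused until the lockout expires."""
    now = [1000.0]
    guard = LoginGuard(clock=lambda: now[0])
    guard.register("alice", "correct horse battery staple")
    results = [guard.attempt("alice", f"guess{i}") for i in range(MAX_ATTEMPTS)]
    results.append(guard.attempt("alice", "correct horse battery staple"))
    now[0] += LOCKOUT_SECONDS + 1
    results.append(guard.attempt("alice", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

Per-account lockout on its own lets an attacker lock legitimate users out on purpose; in a real deployment it is paired with per-source rate limiting and a CAPTCHA or MFA step rather than used alone.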

Q2,14. What is report writing? Explain report writing (unit -5)

Report Writing –
- In penetration testing, report writing is a comprehensive task: it covers
the methodology, the procedures followed, a proper explanation of the report
content and design, detailed examples from the testing, and the tester's
own experience.
- Once the report is prepared, it is shared with the senior management and
the technical team of the target organization.
- Should a similar need arise in future, this report serves as the reference.
Report Writing Stages –

1] Report Planning –
- Report planning starts with the objectives, which help readers understand
the main points of the penetration test.
- This part describes why the test was conducted, what the benefits of
penetration testing are, and so on. Report planning also records the time
taken for the testing.
2] Information Collection –
- Because the process is complicated and lengthy, the tester must record
every step, to be sure that all information from every stage of testing has
been collected.
- Along with the methods, the tester also needs to record the systems and
tools used, scanning results, vulnerability assessments, details of the
findings, and so on.
3] Writing the First Draft –
- Once the tester has all tools and information ready, the first draft is
written.
- The first draft should be detailed, mentioning everything: all activities,
processes, and experiences.
4] Review and Finalization –
- Once the report is drafted, it is reviewed first by the drafter and then by
seniors or colleagues who assisted in the test.
- While reviewing, the reviewer is expected to check every detail of the report
and find any flaw that needs to be corrected.

Q3,24.] What is ethical hacking? Explain types of hacking (unit-1)

Ethical Hacking –
- Ethical Hacking is an authorized practice of bypassing system security to
identify potential data breaches and threats in a network.
- The company that owns the system or network allows Cyber Security
engineers to perform such activities in order to test the system’s
defenses.
- Thus, unlike malicious hacking, this process is planned, approved,
and more importantly, legal.
- Ethical hackers aim to investigate the system or network for weak
points that malicious hackers can exploit or destroy.
- They collect and analyze the information to figure out ways to strengthen
the security of the system/network/applications.
- By doing so, they can improve the security footprint so that it can
better withstand attacks or divert them.
- Ethical hackers are hired by organizations to look into the
vulnerabilities of their systems and networks and develop solutions to
prevent data breaches.
TYPES OF HACKING: −
1] Website Hacking –
- Hacking a website means taking unauthorized control over a web server
and its associated software such as databases and other interfaces.
2] Network Hacking –
- Hacking a network means gathering information about a network, using
tools such as Telnet, nslookup, ping, tracert and netstat, with the intent
of harming the network and hampering its operation.
3] Email Hacking –
- Gaining unauthorized access to an email account and using it without the
consent of its owner.
4] Ethical Hacking –
- Finding weaknesses in a computer or network system, with permission and
for testing purposes, so that they can be fixed.
5] Password Hacking –
- Recovering secret passwords from data that has been stored in or
transmitted by a computer system.
6] Computer Hacking –
- Stealing a computer's user ID and password by applying hacking methods
and gaining unauthorized access to the computer system.

Q.4,23. Define intrusion detection system (IDS) and state its evasion
techniques (unit – 3)
1. *Definition*: An IDS is a security tool designed to detect unauthorized or
malicious activities within a network or computer system.
2. *Types*: There are two main types: Network-based IDS (NIDS)
which monitors network traffic, and Host-based IDS (HIDS) which
monitors individual hosts or devices.
3. *Functionality*: IDSs analyze data (e.g., network packets, system logs)
to identify suspicious patterns that may indicate a security breach.
4. *Alert Mechanism*: When potential threats are detected, IDSs generate
alerts to notify administrators for further investigation and response.
5. *Complementary Role*: IDSs work alongside other security measures
(e.g., firewalls) to provide a layered defense against cyber threats.
Evasion Techniques
1. Fragmentation
- *Explanation*: The malicious payload is broken into small pieces and sent in
multiple packets (IP fragments or small TCP segments), possibly out of order.
Each piece looks benign on its own, so an IDS that inspects packets
individually never sees the whole signature.
- *Impact*: Evades detection systems that do not reassemble fragments or TCP
streams the same way the target host does before inspection.
2. Flooding
- *Explanation*: The attacker overwhelms the IDS with a large volume of
traffic, so that the real attack is buried in the noise or the sensor drops
packets because it cannot keep up.
- *Impact*: An overloaded sensor inspects less traffic, making it easier to
slip the malicious activity through undetected.
3. Obfuscation
- *Explanation*: The attacker changes the appearance of the payload without
changing what it does, for example with URL or Unicode encoding, case
changes, padding, or inserted junk data, so that it no longer matches a
fixed signature.
- *Impact*: Bypasses signature-based IDSs unless they normalise (decode) the
traffic before matching.

4. Encryption
- *Explanation*: The attack payload is carried inside an encrypted channel (for
example TLS), so the IDS cannot read the packet contents and therefore
cannot analyse them for malicious intent.
- *Impact*: Encrypted payloads defeat content inspection unless the
organization terminates or decrypts the traffic at a proxy where the IDS can
see the plaintext.
Q5,25. What is footprinting? Explain types and tools of footprinting (unit – 2)
Footprinting is the first stage of ethical hacking, in which as much data as
possible is gathered about a targeted infrastructure: its computer systems,
networks, employees and third-party partners, so that weak points can be
traced and later penetrated.
The information collected can include the operating systems used by the
organization, network maps, firewalls, domain name system (DNS) information,
IP addresses, security configurations of target machines, virtual private
networks (VPNs), URLs, email addresses, staff IDs, and phone numbers.
TYPES OF FOOTPRINTING
(The word is also used in unrelated fields: "DNA footprinting" in biology,
where it identifies the nucleic-acid sequence a protein binds to, and the
"ecological footprint" in environmental accounting, which measures human
demand on natural resources. In ethical hacking the relevant notion is the
target's digital footprint.)
Digital footprint
A digital footprint consists of an organization's or person's traceable digital
activities: communications, actions, and contributions on any digital service
or on the internet. It is gathered in two ways:
Passive footprinting
Collecting information without touching the target's systems directly, for
example from WHOIS and DNS records, search engines, job postings, social
media, and archived web pages. The target cannot detect it.
Active footprinting
Interacting with the target's systems, for example with ping, traceroute, DNS
queries against the target's own servers, or port scans. This yields more
detail but can be logged and detected by the target.
Tools
Traceroute
Traceroute maps the route to a destination address. It sends probes with an
increasing time-to-live (TTL); each router along the path that discards an
expired probe returns an ICMP "time exceeded" message, which reveals that
hop's address. From this the attacker learns the number of hops to the target
and the routers in between. If a firewall drops the probes, the hops behind
it show as timeouts (*), but even that tells the attacker where filtering
begins and which device sits in front of the target, so another technique can
then be chosen to bypass it. On Windows the equivalent command is tracert;
on Unix-like systems it is traceroute.
Nmap
Nmap is an open-source tool for network discovery and security auditing. It is
designed to scan large networks but works just as well against a single host.
It is used for host monitoring, network inventory, and managing service
upgrade schedules. Nmap uses raw IP packets in a variety of ways to determine
which hosts are up, which ports are open, which services (and versions) run
on them, and which operating system each host is running.
nslookup
nslookup is a simple but practical command-line tool that resolves a domain
name to its IP address, or an IP address to its host name (a reverse DNS
lookup). It is run from the command line of the operating system in
question: Windows users start it from the command prompt, Unix users from a
terminal window.
Sam Spade
Sam Spade runs on all versions of Windows and makes it simple to perform a
complete analysis and investigation quickly, from learning who owns a specific
IP address block to examining the contents of a specific web page. It also
has features specific to detecting spam and sites that relay spam. The tool
integrates the capabilities of traceroute, ping, nslookup, time, whois, a
packet sniffer, finger, dig, a port scanner, a scripting language, and more,
all behind a GUI.
SuperScan
SuperScan is a powerful and fast Windows scanner. It scans TCP ports on a
single address or on ranges of IP addresses, checking either a chosen set of
ports or all of them.
Nessus
Nessus is an efficient vulnerability scanner, although it is not a free tool.
Once the list of open ports has been obtained, the next step is to search for
vulnerabilities in the services behind them, which is what Nessus does.

Q.6 What is SQL injection? Explain the types of SQL injection (unit – 5)

SQL Injection Attack
SQL (often pronounced "sequel") stands for Structured Query Language; it is
the language used to communicate with relational databases. Many of the
servers that store critical data for websites and services use SQL to manage
the data in their databases.
A SQL injection attack targets this kind of server: user-supplied input is
crafted so that the database executes it as part of a query, making the
server divulge or alter information it normally would not. This is
especially serious when the server stores private customer information from
the website, such as credit card numbers, usernames and passwords
(credentials), or other personally identifiable information, which are
tempting and lucrative targets for an attacker.
Types of SQL injection

In-band SQL Injection (Classic SQLi):
- In-band SQL injection is the most common type. The attacker uses the same
communication channel both to launch the attack and to gather the results.
- There are two subtypes:
  o Error-based SQLi: the attacker provokes database error messages and reads
  them to learn the database's structure or to extract data.
  o Union-based SQLi: the attacker uses the SQL UNION operator to combine the
  results of two or more SELECT statements into a single result set,
  retrieving data from other tables through the application's normal output.

Out-of-band SQL Injection:
- The attacker does not receive the results in the web application's response.
Instead the database is made to open a separate channel, for example DNS or
HTTP requests to a server the attacker controls, and the data is carried out
that way.

Blind SQL Injection:
- The application returns no data or error text from the query, so the
attacker infers success or failure from differences in the application's
behaviour or response times.
- Blind SQL injection is further classified into:
  o Boolean-based SQLi: the attacker sends queries that make the application
  respond differently depending on whether a condition is true or false, and
  infers the data one condition at a time.
  o Time-based SQLi: the attacker makes the database pause (for example with
  a SLEEP or WAITFOR call) only when a condition is true, and infers the data
  from the response delay.

Second-Order SQL Injection:
- The payload does not affect the response to the request that submits it; it
is stored in the database. Later, when the stored data is read back and used
in a different query without proper handling, the injection executes.
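The in-band and blind cases above, together with the "parameterised queries" advice from Q1, as an added example written for this page (it is not code from the original answer sheet). It runs against a constructed in-memory SQLite table; the table layout, the users and the card number are made up for the demo. Time-based blind injection is not shown because SQLite has no SLEEP function.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("CREATE TABLE cards (id INTEGER, number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    conn.execute("INSERT INTO cards VALUES (?, ?)", (1, "4111-1111-1111-1111"))
    return conn


def login_vulnerable(conn, user, pw):
    """Builds the query by string formatting: input becomes SQL syntax."""
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, user, pw):
    """Parameterised query: input is bound as data and can never alter the query."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, pw))]


# --- in-band attacks against the vulnerable version -----------------------

def auth_bypass(conn):
    """Comment injection: the password check is commented out of the query."""
    return login_vulnerable(conn, "alice' -- ", "anything")


def union_attack(conn):
    """Union-based SQLi: a second SELECT with the same column count makes the
    card table's contents come back in the 'name' column."""
    return login_vulnerable(conn, "x' UNION SELECT number FROM cards -- ", "")


# --- boolean-based blind extraction ---------------------------------------

def blind_extract_password(conn, user="alice",
                           charset="abcdefghijklmnopqrstuvwxyz0123456789"):
    """The app only reveals 'logged in' or 'not'. Ask one yes/no question per
    character position using SUBSTR; a non-empty result means 'yes'."""
    recovered = ""
    for pos in range(1, 64):
        hit = None
        for ch in charset:
            probe = f"{user}' AND SUBSTR(password, {pos}, 1) = '{ch}' -- "
            if login_vulnerable(conn, probe, ""):
                hit = ch
                break
        if hit is None:          # no character matched: end of the string
            break
        recovered += hit
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("bypass :", auth_bypass(db))
    print("union  :", union_attack(db))
    print("blind  :", blind_extract_password(db))
    print("safe   :", login_safe(db, "x' UNION SELECT number FROM cards -- ", ""))
```

Note how the blind loop needs one request per candidate character per position; a real tool narrows that with binary search on the character code, but the principle is the same. Against `login_safe` every one of these payloads is just a user name that does not exist.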
Q.7] Explain threats and attacks occurring in cloud computing (unit 6)
Ans:-
• Data Breach: a data breach occurs when confidential data is viewed,
accessed, or stolen by a third party without authorization, so the
organization's data ends up in the hands of attackers.
• Hardware failures
• Natural disasters
• Authentication attacks and VM-level attacks
• Malicious insiders: insider threats are a major security issue for any
organization. A malicious insider already has authorized access to the
organization's network and to some of the sensitive resources it contains.
Attempts to gain that level of access are what reveal most external
attackers to their target, so a malicious insider is hard for an unprepared
organization to detect.
• Unknown risk profile
• Vulnerable co-tenants (shared infrastructure)
• Compliance risks
• E-discovery is difficult across borders
• Loss of the encryption key
• Unauthorized access: unlike an organization's on-premises infrastructure,
cloud-based deployments are outside the network perimeter and directly
accessible from the public Internet. This is an asset for employees and
customers who need to reach them, but it also makes it easier for an
attacker to gain unauthorized access to the organization's cloud resources.
Improperly configured security or compromised credentials can give an
attacker direct access, potentially without the organization's knowledge.
• Account, Service & Traffic Hijacking: account hijacking is a serious
security risk in cloud computing. An individual user's or organization's
cloud account (email, storage or social-media account, for example) is
stolen, and the attacker uses it to perform unauthorized activities. Almost
every organization has adopted cloud computing to some degree, so its cloud
security strategy must be capable of protecting against these top threats.
• Man-in-the-middle attacks
• Deletion without a backup
• Denial-of-service attacks: a denial-of-service (DoS) attack sends the
system more traffic than it can handle, so legitimate users cannot be
served. DoS attackers mostly target the web servers of large organizations
such as banks, media companies, and government bodies. Restoring service,
and recovering any data lost during the outage, costs the victim a great
deal of time and money.
• Cyberattacks: cybercrime is a business, and cybercriminals select their
targets based on the expected profitability of their attacks. Cloud-based
infrastructure is directly accessible from the public Internet, is often
improperly secured, and contains a great deal of sensitive and valuable
data. Additionally, the same cloud platforms are used by many different
companies, so a successful attack technique can likely be repeated many
times. As a result, organizations' cloud deployments are a common target.
• Accidental Exposure of Credentials: phishers commonly use cloud
applications and environments as a pretext in their phishing attacks. With
the growing use of cloud-based email (G Suite, Microsoft 365, etc.) and
document-sharing services (Google Drive, Dropbox, OneDrive), employees have
become accustomed to receiving emails with links that ask them to confirm
their account credentials before they can open a particular document or
website, and attackers exploit that habit.

Q.8 What is session hijacking? How does session hijacking work? (unit- 5)

Ans:- Session hijacking is an attack in which an attacker takes over a user's
session. A session starts when you log into a service (for example your
banking application) and ends when you log out. The attack relies on the
attacker obtaining your session cookie, so it is also called cookie hijacking
or cookie side-jacking. Although any kind of session could be hijacked, the
term most commonly applies to browser sessions and web applications.
In most cases, when you log into a web application (for example with a
username and password), the server sets a temporary session cookie in your
browser to remember that you are currently logged in and authenticated. HTTP
is a stateless protocol, and a session cookie sent with every HTTP request
is the most popular way for the server to recognise your browser and your
current session.
How does session hijacking work?
● Session sniffing
One of the basic techniques used in application-layer session hijacking. The
attacker uses a sniffer such as Wireshark, or an intercepting proxy such as
OWASP ZAP, to capture network traffic containing the session ID exchanged
between a website and a client. Once the attacker has this value, the valid
token can be replayed to gain unauthorized access to the system.
● Predictable session token ID
Many web servers use a custom algorithm or a predefined pattern to generate
session IDs. The more predictable a session token is, the weaker it is. If an
attacker can capture several IDs and analyse the pattern (sequential
numbers, timestamps, or a hash of the username, for example), a valid session
ID can be predicted without ever seeing it.
● Man-in-the-browser attack
Similar to a man-in-the-middle attack, but the attacker must first infect the
victim's computer with a Trojan through some form of trickery. Once the
victim has been tricked into installing the malware, it waits for the victim
to visit a targeted site. The man-in-the-browser malware can invisibly
modify transaction information and can also create additional transactions
without the user's knowledge. Because the requests originate from the
victim's own computer and session, it is very difficult for the web service
to detect that they are fake.
● Cross-site scripting
Attackers exploit server or application vulnerabilities to inject client-side
scripts into web pages, so the browser executes attacker-controlled code when
it loads a compromised page. If the HttpOnly flag is not set on the session
cookie, the injected script can read the session key and send it to the
attacker, giving them what they need for session hijacking.
● Session side jacking
Attackers use packet sniffing to monitor a victim's network traffic and
intercept session cookies after the user has authenticated to the server. If
TLS encryption is used only for the login page and not for the entire
session, the cookie travels in the clear and the attacker can hijack the
session and act as the user within the targeted web application.
● Session fixation attacks
Here the attacker obtains a valid session ID that has not yet been
authenticated and tricks the victim into authenticating with it (for example
by sending a link that carries the ID). Once the victim logs in, the session
bound to that ID is authenticated and the attacker, who already knows the
ID, has access to the victim's account. Session fixation exploits a weakness
in the way the web application manages session IDs: it accepts an ID
supplied by the client and does not issue a new one at login. Three common
variations exist: session tokens carried in a URL argument, in a hidden form
field, and in a session cookie.
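The controls implied by the list above (unpredictable IDs against token prediction, rotation at login against fixation, and HttpOnly/Secure/SameSite on the cookie against XSS theft and side-jacking), as an added example written for this page; it is demo code, not code from the original answer sheet or from any web framework. The session store is in-memory, and the sequential "sess-NNNN" generator exists only to show what a predictable token looks like.

```python
import itertools
import secrets


class PredictableSessions:
    """Weak design for contrast: sequential IDs. Seeing one ID lets an
    attacker guess the next user's, with no sniffing at all."""

    def __init__(self, start=1000):
        self._counter = itertools.count(start)

    def new_id(self):
        return f"sess-{next(self._counter)}"


def predict_next(observed_id):
    """What an attacker does with a predictable token."""
    return f"sess-{int(observed_id.rsplit('-', 1)[1]) + 1}"


class SessionStore:
    """Server-side session table with unpredictable IDs and rotation at login."""

    def __init__(self):
        self.sessions = {}   # session_id -> {"user": name or None}

    @staticmethod
    def new_id():
        # 32 random bytes from the OS CSPRNG: infeasible to predict or brute-force.
        return secrets.token_urlsafe(32)

    def start(self):
        """Pre-authentication session (e.g. a shopping cart)."""
        sid = self.new_id()
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid, user):
        """Authenticate and ROTATE the ID. Whatever ID the client presented,
        including one an attacker planted (session fixation), is discarded."""
        self.sessions.pop(presented_sid, None)
        fresh = self.new_id()
        self.sessions[fresh] = {"user": user}
        return fresh

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def set_cookie_header(sid):
    """HttpOnly: script (XSS) cannot read it. Secure: never sent over plain
    HTTP (side-jacking). SameSite: not attached to cross-site requests."""
    return f"Set-Cookie: session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def fixation_scenario():
    """Attacker obtains an unauthenticated ID, plants it on the victim, and the
    victim logs in with it. Returns (who the planted ID now identifies, who
    the fresh ID identifies)."""
    store = SessionStore()
    planted = store.start()
    fresh = store.login(planted, "alice")
    return store.whoami(planted), store.whoami(fresh)


if __name__ == "__main__":
    print(fixation_scenario())                   # (None, 'alice')
    weak = PredictableSessions()
    seen = weak.new_id()
    print(predict_next(seen) == weak.new_id())   # True
    print(set_cookie_header(SessionStore.new_id()))
```

Rotation only helps if the application ignores IDs it did not issue itself; the store above does that implicitly because `login` never reuses `presented_sid`, whatever its origin.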

Q.9 What is penetration testing? Explain the steps or phases of penetration
testing. (Unit- 5)
ANS:-
- Pen testing is short for penetration testing.
- It is a type of security testing used to uncover the vulnerabilities,
threats and risks that an attacker could exploit in software applications,
networks or web applications, and to test how insecure an application is.
- It is conducted to find the security risks that may be present in the
system.
- If a system is not secured, an attacker can disrupt it or take unauthorized
access to it. A security risk is normally an accidental error made while
developing and implementing the software, for example configuration errors,
design errors, and software bugs.
- A penetration test simulates the methods that intruders use to gain
unauthorized access to an organization's network and systems and to
compromise them.
- The purpose of a penetration test is to identify and test all possible
security vulnerabilities present in the software application and the
organization: basically to see whether the organization has implemented the
security measures specified in its security policy.
- A hacker whose intent is to gain unauthorized access to an organization's
network is very different from a professional penetration tester, who has no
malicious intent and uses the same skills to improve the organization's
security without causing loss of service or disruption to the business.
- Penetration testing can itself cause problems such as system malfunction,
crashes, or data loss. A company should therefore weigh the risk before
going ahead; this is a management decision, often expressed as
RISK = Threat × Vulnerability.
- Penetration testing is conducted by professional ethical hackers who use
commercial and open-source tools, automated tools and manual checks. There
are no restrictions on method; the most important objective is to uncover
as many security flaws as possible.
The following are the seven steps or phases of penetration testing –
1] Planning & Preparation
- Planning and preparation starts with defining the goals and objectives of
the penetration test.
- The client and the tester jointly define the goals so that both parties
have the same objectives and understanding. Common objectives are:
  - to identify vulnerabilities and improve the security of the technical
  systems;
  - to have IT security confirmed by an external third party;
  - to increase the security of the organizational and personnel
  infrastructure.
- The scope, the rules of engagement and the time window for testing are
agreed at the same time.
2] Reconnaissance
- Reconnaissance is the analysis of the preliminary information. Often the
tester has little more than an IP address or an IP address block.
- The tester starts by analysing the available information and, if required,
requests more from the client, such as system descriptions and network
plans. This step is a passive penetration test of sorts; its sole objective
is to obtain complete and detailed information about the systems.
3] Discovery
- In this step the tester will most likely use automated tools to scan the
target assets for vulnerabilities. These tools normally have their own
databases describing the latest vulnerabilities.
- The tester discovers:
  - Network discovery − additional systems, servers, and other devices.
  - Host discovery − the open ports on these devices.
  - Service interrogation − the actual services running on those ports.
4] Analysing Information and Risks
- The tester analyses and assesses the information gathered before the steps
that actively penetrate the system. Because of the number of systems and
the size of the infrastructure, this is extremely time consuming. While
analysing, the tester considers:
  - the defined goals of the penetration test;
  - the potential risks to the system;
  - the estimated time required to evaluate the potential security flaws in
  the subsequent active penetration testing.
- From the list of identified systems, the tester may choose to test only
those that contain potential vulnerabilities.
5] Active Intrusion Attempts
- This is the most important step and has to be performed with due care.
- It establishes the extent to which the potential vulnerabilities identified
in the discovery step pose actual risk.
- It is performed when verification of potential vulnerabilities is needed.
For systems with very high integrity requirements, the potential
vulnerability and the risk of the test itself must be carefully considered
before running critical procedures against them.
6] Final Analysis
- This step reviews all the steps conducted so far and evaluates the
vulnerabilities present in the form of potential risks.
- The tester then recommends how to eliminate the vulnerabilities and risks.
Above all, the tester must be transparent about the tests performed and the
vulnerabilities disclosed.
7] Report Preparation
- Report preparation starts with the overall testing procedures, followed by
an analysis of vulnerabilities and risks. High-risk and critical
vulnerabilities are given priority, followed by the lower-order ones.
- The final report should cover:
  - an overall summary of the penetration test;
  - details of each step and the information gathered during the test;
  - details of all the vulnerabilities and risks discovered;
  - details of cleaning up and fixing the systems;
  - suggestions for future security.

Q.10,26. What is enumeration? Explain enumeration countermeasures (UNIT - 4)
ANS:- Enumeration is the process of extracting data from a target system in
order to learn more about the system's setup and surroundings. Depending on
the OS, it is often feasible to extract information such as user names,
machine names, shares, and services from a system, as well as other data.
Unlike the earlier phases, enumeration makes active connections to the
system in order to obtain a wide range of data. It should therefore be
treated as a phase with a significantly higher risk of being discovered, and
the tester should be precise and deliberate to avoid detection.
Why make active connections to a target? Simply put, it is the only way to
learn more than footprinting and scanning have already revealed. With these
connections, directed queries can be made to a host that extract far more
data, and once enough has been gathered the system's strengths and
weaknesses can be properly examined. The following types of information are
commonly acquired in this phase:
- Shared resources and resources on the network
- Users and groups
- Routing tables
- Auditing and service configurations
- Machine names
- Banners and applications
- SNMP and DNS details
Enumeration countermeasures
1] SNMP
- Turn off the SNMP service or remove the SNMP agent if it is not needed.
- If SNMP cannot be turned off, change the default community strings
("public" and "private") and restrict which hosts may query the agent.
- Upgrade to SNMPv3, which provides authentication and message encryption.
- On Windows, add the Group Policy security option "Additional restrictions
for anonymous connections" to your security settings.
- Limit access to null-session pipes and null-session shares, and use IPsec
filtering.
2] DNS
- Disable DNS zone transfers to untrusted hosts (allow AXFR only to your own
secondary servers).
- Ensure that private hosts and their IP addresses are not disclosed in the
public DNS server's zone files.
- Use premium DNS registration services to keep sensitive data such as HINFO
records out of the public eye.
- To avoid social-engineering attacks, use generic network-admin contacts
for DNS registrations rather than named individuals.
3] SMTP
Configure SMTP servers so that:
- mail to unknown recipients is rejected without revealing which addresses
exist (disable the VRFY and EXPN commands);
- mail responses do not reveal sensitive mail server and local host
information;
- the open-relay function is turned off.
4] LDAP
- LDAP traffic is sent unencrypted by default; use LDAPS (LDAP over TLS) to
encrypt it, and do not allow anonymous binds.
- Enable account lockout and choose user names that are not the user's email
address.
5] SMB
- Disable the SMB protocol on web and DNS servers.
- Disable SMB on servers that are exposed to the internet.
- Block TCP ports 139 and 445 at the perimeter firewall.
- Use the Windows registry setting RestrictNullSessAccess to limit anonymous
(null-session) access.
Q.11 What is ARP spoofing? Explain steps of ARP spoofing attack. (Unit-4)
ARP spoofing, also known as ARP poisoning, occurs when an attacker sends forged ARP messages onto a LAN in order to change the IP/MAC address pairings held in other hosts' ARP tables. The attacker tells the default gateway that the victim's IP address now belongs to the attacker's MAC address, and tells the victim that the gateway's IP address belongs to the attacker's MAC address.
Both the gateway and the victim cache the forged mappings, so all subsequent traffic between them is sent to the attacker's machine instead of to the intended receiver. The attacker can read or modify it and then forward it to the real destination, so the connection keeps working and nothing looks wrong to the victim.
ARP spoofing attacks are carried out at a low level (layer 2), which favours the attacker because victims may find it difficult to notice that their traffic has been tampered with.
Steps of an ARP spoofing attack
ARP spoofing attacks usually follow the same pattern:
1] The attacker gains access to the local network and scans it for the IP and MAC addresses of the devices on it, in particular the victim and the default gateway.
2] The attacker uses a spoofing tool such as arpspoof (from the dsniff suite) or Ettercap to forge ARP replies. The attacker's interface has to be on the same IP subnet as the victim, because ARP does not cross routers.
3] Forged ARP replies pairing the attacker's MAC address with the victim's IP address are sent to the router, and replies pairing the attacker's MAC address with the router's IP address are sent to the victim, tricking each of them into sending traffic meant for the other to the attacker instead.
4] The forged replies are re-sent periodically so that the ARP caches of the victim and the router keep the poisoned entries and the two keep talking to the attacker.
5] The victim and the router now send their traffic to the attacker, who can sniff, modify or drop it before forwarding it on.
Q.12,27. What are common types of phishing attacks? (unit – 1)
1.Email Phishing:
- Attackers send emails that appear to come from legitimate sources
like banks, social media sites, or other trusted entities.
- These emails often contain a sense of urgency, asking recipients to
click on a link and enter their personal information on a spoofed
website.
2.Spear Phishing:
- This is a targeted form of phishing where attackers customize their
messages based on the victim’s profile or role within an organization.
- Spear phishing emails are often highly personalized and appear
more credible, making them harder to detect.
3.Whaling:
- A subset of spear phishing, whaling targets high-profile individuals
such as executives or senior managers.
- The emails often appear to be from trusted sources and can involve
fake invoices, legal notices, or requests for sensitive business
information.
4.Clone Phishing:
- Involves taking a legitimate email that the victim has received previously
and creating a near-identical copy with malicious links or attachments.
- The attacker resends the email with a message claiming it is an
updated or revised version.
5.Vishing (Voice Phishing):
- Involves phone calls where the attacker impersonates a legitimate
entity (e.g., tech support, bank) to trick the victim into revealing personal
information or transferring money.
6.Smishing (SMS Phishing):
- Uses SMS messages to lure victims into clicking on malicious links
or providing sensitive information.
- These messages often appear to come from reputable sources and
may include warnings or prize notifications.
7.Pharming:
- Involves redirecting users from legitimate websites to fraudulent ones,
typically through the manipulation of DNS settings or by infecting
users’ computers with malware.
- Unlike other phishing methods, pharming does not require victims
to click on a link in an email or message.
8.Malware Phishing:
- Attackers send emails or messages containing malicious attachments
or links that, when clicked, download malware onto the victim’s device.
- This malware can be used to steal information, spy on users, or
create backdoors for future attacks.
9.Search Engine Phishing:
- Attackers create malicious websites that appear in search
engine results for common queries.
- These sites are designed to trick users into providing
personal information or downloading malware.
10. Social Media Phishing:
- Attackers use social media platforms to send fraudulent messages
or create fake profiles that lure victims into revealing personal
information.
- They often exploit the trust relationships users have on these
platforms.
Q.15 Define ethical hacking. Explain types of hackers. (unit – 1)
Ethical Hacking − Ethical hacking involves finding weaknesses in a computer or network system for testing purposes and finally getting them fixed.
Definition:
Ethical hacking is the authorized practice of bypassing system security to identify potential data breaches and threats in a network.
The company that owns the system or network allows cyber security engineers to perform such activities in order to test the system's defences.
Thus, unlike malicious hacking, this process is planned, approved and, most importantly, legal.
Ethical hackers investigate the system or network for weak points that malicious hackers could exploit or use to cause damage. They collect and analyse the information to figure out ways to strengthen the security of the system, network or application.
By doing so, they improve its security posture so that it can better withstand attacks or divert them.
Ethical hackers are hired by organizations to look into the vulnerabilities of their systems and networks and develop solutions to prevent data breaches. Consider it a high-tech variation of the old saying "It takes a thief to catch a thief."
Types Of Hackers
1) White Hat Hackers:
White hat hackers are also known as ethical hackers. They never intend to harm a system; rather, they try to find weaknesses in a computer or network system as part of penetration testing and vulnerability assessments.
Ethical hacking is not illegal and is one of the most in-demand jobs in the IT industry. There are numerous companies that hire ethical hackers for penetration testing and vulnerability assessments.
2) Black Hat Hackers:
Black Hat hackers, also known as crackers, are those who hack in
order to gain unauthorized access to a system and harm its
operations or steal sensitive information.
Black Hat hacking is always illegal because of its bad intent which
includes stealing corporate data, violating privacy, damaging the
system, blocking network communication, etc.
3) Grey Hat Hackers:
Grey hat hackers are a blend of black hat and white hat hackers. They act without malicious intent, but for their own amusement they exploit a security weakness in a computer system or network without the owner's permission or knowledge.
Their intent is to bring the weakness to the attention of the owners and get appreciation or a small bounty from them.
•Miscellaneous Hackers
Apart from the above well-known classes of hackers, we have the
following categories of hackers based on what they hack and how
they do it −
1) Red Hat Hackers:
Red hat hackers are again a blend of both black hat and
white hat hackers. They are usually on the level of hacking
government agencies, top-secret information hubs, and
generally anything that falls under the category of sensitive
information.
2) Blue Hat Hackers:
A blue hat hacker is someone outside computer security consulting
firms who is used to bug-test a system prior to its launch. They
look for loopholes that can be exploited and try to close these
gaps. Microsoft also uses the term BlueHat to represent a
series of security briefing events.
3) Elite Hackers:
This is a social status among hackers, which is used to
describe the most skilled. Newly discovered exploits will
circulate among these hackers.
Q.16 What is footprinting? Explain footprinting threats. (Unit -2)
=> Footprinting is the technique used in ethical hacking to gather as much data as possible about a specific target's infrastructure, computer systems, networks, employees and third-party partners, in order to find vulnerabilities that can later be used to penetrate it.
The information collected can include the operating systems used by the organization, network maps, firewalls, domain name system information, IP addresses, the security configuration of the target machines, virtual private networks (VPNs), Uniform Resource Locators (URLs), email addresses, staff IDs and phone numbers.
FOOTPRINTING THREATS
Network and System Attacks: Footprinting helps an attacker to perform network and system attacks. Through it, attackers gather information about the target organization's system configuration, the operating system running on each machine, and so on. Using this information, attackers trace vulnerabilities in the target system and exploit them, and can then take control of a specific target system or of the whole network.
Social Engineering: Attackers collect data directly or indirectly through persuasion and similar means, without using any intrusion technique. They can gather crucial and sensitive information from employees who are unaware of the attacker's intention.
Information Leakage: Data leakage poses a threat to any organization. If crucial and confidential data of an organization falls into an attacker's hands, the attacker can plan an attack that uses the knowledge in a destructive manner, or use it for financial profit.
Privacy Loss: Using footprinting techniques, attackers can gain access to the organization's networks and systems and even obtain privileges and rights up to the administrator level, endangering security and leading to a loss of privacy for the organization as a whole and for its individual personnel.
Corporate Espionage: Corporate espionage is a major threat to any organization, as competitors often aim to obtain crucial and confidential data with the help of footprinting techniques. In this way a competitor can undercut prices, launch similar products in the market, and generally have an adverse effect on the market position of the target organization.
Business Loss: Footprinting also has a significant impact on organizations such as e-commerce websites and online businesses, and banking and financial businesses. Such businesses suffer financial losses every year due to malicious attacks by hackers.
Q.17 Explain proxy server in scanning techniques. (unit – 3)
PROXY SERVERS
A proxy server is a computer connected to the internet that accepts client requests and forwards them to the destination server. It functions as an intermediary between the user and the internet and has its own IP address, so the destination sees the proxy's address rather than the client's. It also isolates the client and the web server from the rest of the network.
To put it another way, a proxy server lets us reach any website using a different IP address. It acts as a link between users and the websites or servers being targeted, gathering and returning data in response to user requests. One point to keep in mind is that a plain proxy does not by itself encrypt the traffic it relays; it only changes the source address the destination sees.
A proxy server serves two primary functions:
• To keep the origin of the requests hidden.
• To speed up access to a resource through caching.
Mechanism of Proxy Server
The proxy server accepts the client's request and responds according to the following criteria:
1] If the requested data or page is already in the proxy server's local cache, it is returned to the client without contacting the target server.
2] If the requested data or page is not in the local cache, the proxy server passes the request on to the target server.
3] The target server's response is transferred to the client and cached by the proxy server for later requests.
Types of Proxy Server
Open or forward proxy server: The most common kind, and the one the client talks to directly. A forward proxy receives requests from web clients, fetches the requested pages from the destination sites, and returns the data to the clients. Because the destination only sees the proxy, it is often used to get around an organization's outbound firewall or content filtering. The configuration of a forward proxy is shown in the figure below.
Reverse proxy server: A reverse proxy is installed in front of a number of internal servers. It accepts requests on their behalf and returns the responses, so clients never communicate directly with the back-end servers; it can validate and process requests before they reach them. Varnish and Squid are common reverse proxies.
Split proxy server: Consists of two programs installed on two separate machines, one near the client and one near the server, which cooperate to handle the request.
Transparent proxy: A proxy that modifies requests and responses only as far as needed for proxy authentication and identification. The client does not need to be configured for it, because its web traffic (typically HTTP on port 80) is intercepted and redirected to the proxy.
Non-transparent proxy: A proxy that modifies the request or response in order to provide the client with additional services. Requests reach the destination as coming from the proxy, regardless of which client originated them.
Hostile proxy: A proxy set up to eavesdrop on the data traffic between the client system and the web.
Web proxy server: A proxy used to access the web.
High anonymity proxy: A proxy that does not include the proxy type or the client IP address in the request headers. Clients who use the proxy cannot be traced by the destination server.
Rotating proxy: Assigns each client connection a different IP address from a pool. It is popular with people who do a lot of web scraping, because it allows repeated visits to the same website without the requests being tied to one address. Because the addresses keep changing, sites that track per-address behaviour can still notice it, so using a rotating proxy needs more care.
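The caching mechanism and the header behaviour that separates a transparent proxy from an anonymous and a high-anonymity one, as an added example that is not part of the original notes. The origin server, the client addresses and the proxy address are constructed in memory, and the class and function names are my own; nothing is sent on a network.

```python
"""Added example (not from the original notes): a simulated forward proxy that
implements the three-step caching mechanism described above and the outbound
header behaviour that distinguishes a transparent proxy from an anonymous and a
high-anonymity one. The origin server, client addresses and proxy address are
constructed for the example; no network traffic is sent."""


class FakeOrigin:
    """Constructed stand-in for the destination web server; records what it receives."""

    def __init__(self):
        self.requests = []

    def fetch(self, url, headers):
        self.requests.append((url, dict(headers)))
        return f"<html>content of {url}</html>"


class CachingProxy:
    MODES = ("transparent", "anonymous", "elite")

    def __init__(self, origin_fetch, proxy_ip, mode="transparent"):
        if mode not in self.MODES:
            raise ValueError(f"unknown proxy mode {mode!r}")
        self.origin_fetch = origin_fetch     # callable(url, headers) -> body
        self.proxy_ip = proxy_ip
        self.mode = mode
        self.cache = {}
        self.origin_hits = 0

    def outbound_headers(self, client_ip, headers):
        """What the destination sees. A transparent proxy forwards the real client
        address; an anonymous proxy reveals only that a proxy is in use; a
        high-anonymity (elite) proxy adds nothing, so the client is untraceable."""
        out = dict(headers)
        if self.mode == "transparent":
            out["X-Forwarded-For"] = client_ip
            out["Via"] = f"1.1 {self.proxy_ip}"
        elif self.mode == "anonymous":
            out["Via"] = f"1.1 {self.proxy_ip}"
        return out

    def handle(self, client_ip, url, headers=None):
        """Returns (body, 'HIT' or 'MISS') following the mechanism in the notes."""
        if url in self.cache:                          # 1] already in the local cache
            return self.cache[url], "HIT"
        body = self.origin_fetch(url, self.outbound_headers(client_ip, headers or {}))  # 2] forward
        self.origin_hits += 1
        self.cache[url] = body                         # 3] cache the response for later clients
        return body, "MISS"


if __name__ == "__main__":
    for mode in CachingProxy.MODES:
        origin = FakeOrigin()
        proxy = CachingProxy(origin.fetch, "203.0.113.10", mode=mode)
        for client in ("192.168.1.20", "192.168.1.21"):
            body, status = proxy.handle(client, "http://example.test/index.html")
            print(f"{mode:12} client {client} -> {status}")
        print(f"{mode:12} origin contacted {proxy.origin_hits} time(s); "
              f"headers seen by origin: {origin.requests[0][1]}")
```

The second client's request for the same URL is served from the cache, so the origin is contacted once per URL regardless of how many clients ask; in elite mode the origin's view of the request carries no X-Forwarded-For or Via header at all, which is what "high anonymity" means in practice.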
Q.18 What is enumeration? Explain enumeration techniques. (unit – 4)
WHAT IS ENUMERATION
Enumeration is the process of extracting data from a target system in
order to learn more about the system's setup and surroundings.
Depending on the OS, it is often feasible to extract information such as
users, machine names, shares, and services from a system, as well as
other data.
Unlike earlier phases, however, you will be making active connections
to a system in order to obtain a wide range of data. With this in mind, you
should consider enumeration to be a phase with a significantly higher
risk of being discovered. Make an extra effort to be exact to avoid being
detected.
ENUMERATION TECHNIQUES
So, what are the alternatives accessible to an enumeration attacker?
Let's take a look at the techniques.
Getting Username and Domain Name Information from Email IDs: This
method is used to get username and domain name information from an
email address or ID. There are two pieces to an email address: The
username is the first portion before the @, and the domain name is the
second part after the @.
Using Default Passwords to Get Information: Every device has default
settings, and default passwords are included in this group. It's not
uncommon to see default settings left in place, either partially or entirely,
allowing an attacker to simply get access to the system and collect data
as needed.
Using Brute-Force Attacks on Directory Services: A directory service is a
database that stores information that is needed to manage a network. As
a result, it's a prime target for an attacker trying to gather a lot of data on a
given environment. Many directories are subject to input verification
flaws and other security flaws that could be used to identify and
compromise user accounts.
SNMP Exploitation: The Simple Network Management Protocol (SNMP) authenticates requests with community strings. An attacker who can guess the strings (the defaults "public" and "private" are very often left in place) can query the SNMP agent for usernames, running services, routing tables and other details of the device.
Exploiting SMTP: An attacker can connect to a Simple Mail Transfer Protocol (SMTP) server and use the VRFY, EXPN and RCPT TO commands to find out which usernames exist on the mail server.
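SMTP user enumeration as an added example, not part of the original notes. The target is a constructed in-memory stand-in that answers like a mail server with a known user list, so the example runs offline; smtp_socket_transport() shows how the same enumerator is attached to a real TCP connection. It also handles the case the SMTP countermeasures above aim for, a server that refuses VRFY, by falling back to RCPT TO. Function and class names are my own.

```python
"""Added example (not from the original notes): SMTP user enumeration, the
technique behind 'Exploiting SMTP' above. FakeSmtpServer is a constructed
stand-in for the target mail server so the example runs offline."""
import socket


def classify_reply(line):
    """Map an SMTP reply code to exists / does not exist / cannot tell.
    250 confirms the mailbox; 550/551/553 deny it; 252 means the server
    refuses to verify; 500/502 means VRFY is unknown or disabled."""
    code = line[:3]
    if code == "250":
        return True
    if code in ("550", "551", "553"):
        return False
    return None


def enumerate_users(send, candidates, domain="example.com"):
    """send(command) -> reply line. Tries VRFY and, as soon as the server refuses
    VRFY, falls back to RCPT TO, which many servers still answer per user."""
    send("HELO probe.local")
    results, use_rcpt = {}, False
    for user in candidates:
        verdict = None
        if not use_rcpt:
            verdict = classify_reply(send(f"VRFY {user}"))
            if verdict is None:               # 252/502: VRFY gives nothing away
                use_rcpt = True
                send("MAIL FROM:<probe@probe.local>")
        if use_rcpt:
            verdict = classify_reply(send(f"RCPT TO:<{user}@{domain}>"))
        results[user] = verdict
    send("QUIT")
    return results


class FakeSmtpServer:
    """Constructed stand-in for the target mail server."""

    def __init__(self, users, vrfy_enabled=True):
        self.users, self.vrfy_enabled, self.in_transaction = set(users), vrfy_enabled, False

    def send(self, command):
        verb, _, arg = command.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 mail.example.com"
        if verb == "VRFY":
            if not self.vrfy_enabled:
                return "502 5.5.1 VRFY command is disabled"
            return f"250 2.1.5 <{arg}@example.com>" if arg in self.users else f"550 5.1.1 {arg}... User unknown"
        if verb == "MAIL":
            self.in_transaction = True
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if not self.in_transaction:
                return "503 5.5.1 Need MAIL command"
            user = arg.split(":", 1)[1].strip("<>").split("@")[0]
            return "250 2.1.5 OK" if user in self.users else "550 5.1.1 User unknown"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def smtp_socket_transport(host, port=25, timeout=5):
    """For a real target: returns send(command) bound to a TCP connection,
    consuming the banner and multi-line replies ('250-...') properly."""
    sock = socket.create_connection((host, port), timeout=timeout)
    stream = sock.makefile("rw", encoding="ascii", newline="")

    def read_reply():
        line = stream.readline().rstrip("\r\n")
        while len(line) > 3 and line[3] == "-":       # continuation line of a multi-line reply
            line = stream.readline().rstrip("\r\n")
        return line

    read_reply()                                        # greeting banner

    def send(command):
        stream.write(command + "\r\n")
        stream.flush()
        return read_reply()

    return send


if __name__ == "__main__":
    candidates = ["root", "admin", "alice", "bob"]
    print(enumerate_users(FakeSmtpServer({"root", "alice"}).send, candidates))
    print(enumerate_users(FakeSmtpServer({"root", "alice"}, vrfy_enabled=False).send, candidates))
```

A server hardened as described in the SMTP countermeasures would answer 252 to VRFY and accept every RCPT TO (rejecting unknown users only after DATA), which makes both probes return None or True for every name; that uniform answer is exactly what the countermeasure is for.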
Q.19 What is sniffing? Explain sniffing detection techniques. (unit – 4)
Sniffers are tools that you can use as an ethical hacker to gather and
scan traffic as it moves across a network. Sniffers are a broad category
that includes any application that can capture packets. Sniffers capture
traffic by enabling promiscuous mode on the linked network interface,
regardless of the build, allowing them to capture all traffic, whether or
not it is meant for them. When an interface is set to promiscuous mode,
it does not distinguish between traffic destined for its address and all
other traffic on the network, allowing you to record and analyse every
packet.
Sniffing can be either active or passive. Passive sniffing is generally
defined as any sort of sniffing in which traffic is observed but not
manipulated in any manner. Passive sniffing essentially entails merely
listening. Not only is traffic watched in active sniffing, but it may also be
manipulated in some way by the attacking party. For your exam, be aware
of the differences.
How well sniffing works depends on the inherent insecurity of the network protocols in use. Protocols like the tried-and-true TCP/IP suite were never built with security in mind, and so offer little protection in this regard; any protocol that carries credentials or data in cleartext makes sniffing simple.
Sniffer detection techniques
Ping Method
Send an ICMP echo request to the suspect machine addressed to its IP address but to a deliberately wrong destination MAC address. A normally configured network adapter drops the frame because the MAC address does not match its own, so no reply comes back. A machine running a sniffer has its adapter in promiscuous mode, which accepts frames regardless of destination MAC and passes them to the kernel, so that machine answers the ping and gives itself away.
ARP Method
Only a machine in promiscuous mode caches ARP information (IP-to-MAC mappings) from frames that were not addressed to it, because when the NIC is in promiscuous mode, packets that the NIC would normally filter out are delivered to the kernel. This gives a detection approach: construct an ARP request whose destination MAC is not the broadcast address (and not the suspect's real address), send it to every node on the network, and watch for answers. Any node that responds must have accepted a frame not addressed to it and is therefore in promiscuous mode. A variant uses the cache itself: after such a probe, a machine in promiscuous mode answers a ping straight away because it already holds the prober's mapping in its cache, while the other machines first have to send an ARP request to find out who sent the ping.
DNS Method
Most sniffers perform reverse DNS lookups to identify machines by their IP addresses. A sniffer is very likely operating on a machine that generates unexplained reverse DNS lookup traffic.
PromqryUI
PromqryUI is a Microsoft tool that can be used to identify network interfaces that are in promiscuous mode.
Nmap
Nmap's NSE script sniffer-detect can be used to check whether a target on the local Ethernet segment is in promiscuous mode.
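The ARP frames behind Q.11 and Q.19, as one added example that is not part of the original notes. A single raw ARP encoder/decoder is used three ways: to build the forged reply an ARP spoofer sends (Q.11, step 3), to run an arpwatch-style detector that flags a changed IP-to-MAC mapping, and to simulate the ARP method of sniffer detection above against a host whose NIC is or is not in promiscuous mode. All MAC and IP addresses are constructed, the class and function names are my own, and nothing is sent on a real network.

```python
"""Added example (not from the original notes): forged ARP replies, ARP cache
poisoning detection and a promiscuous-mode probe, all built on one raw ARP
frame encoder/decoder. Hosts are simulated in memory."""
import socket
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
BOGUS_DST = "ff:ff:ff:ff:ff:fe"   # not broadcast, not any real NIC: only a promiscuous NIC accepts it
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(eth_dst, op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by a 28-byte ARP payload (RFC 826), 42 bytes in total."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)        # Ethernet, IPv4, hlen, plen, opcode
    arp += mac_to_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_to_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def forged_reply(attacker_mac, spoofed_ip, victim_mac, victim_ip):
    """Step 3 of the attack: tell the victim that spoofed_ip (e.g. the gateway) lives at attacker_mac."""
    return build_arp_frame(victim_mac, ARP_REPLY, attacker_mac, spoofed_ip, victim_mac, victim_ip)


class ArpWatch:
    """Detector: remember the first MAC seen for each IP and alert when an ARP
    message claims a different one, the signature of cache poisoning."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        arp = parse_arp_frame(frame)
        known = self.table.setdefault(arp["sender_ip"], arp["sender_mac"])
        if known != arp["sender_mac"]:
            return f"ALERT: {arp['sender_ip']} changed from {known} to {arp['sender_mac']}"
        return None


class SimHost:
    """A host whose NIC either filters on destination MAC or is promiscuous."""

    def __init__(self, mac, ip, promiscuous=False):
        self.mac, self.ip, self.promiscuous = mac, ip, promiscuous

    def nic_delivers(self, frame):
        dst = bytes_to_mac(frame[0:6])
        return self.promiscuous or dst in (self.mac, BROADCAST)

    def receive(self, frame):
        """Kernel ARP handling: answer requests for our own IP that the NIC passed up."""
        if not self.nic_delivers(frame):
            return None
        arp = parse_arp_frame(frame)
        if arp["op"] == ARP_REQUEST and arp["target_ip"] == self.ip:
            return build_arp_frame(arp["sender_mac"], ARP_REPLY, self.mac, self.ip,
                                   arp["sender_mac"], arp["sender_ip"])
        return None


def promisc_probe(prober_mac, prober_ip, host):
    """ARP method of sniffer detection: an ARP request for host.ip sent to a bogus
    destination MAC. Only a promiscuous NIC passes it up, so only a sniffer answers."""
    probe = build_arp_frame(BOGUS_DST, ARP_REQUEST, prober_mac, prober_ip,
                            "00:00:00:00:00:00", host.ip)
    return host.receive(probe) is not None


if __name__ == "__main__":
    gw_mac, gw_ip = "aa:aa:aa:aa:aa:01", "192.168.1.1"
    victim_mac, victim_ip = "bb:bb:bb:bb:bb:02", "192.168.1.20"
    attacker_mac = "cc:cc:cc:cc:cc:03"
    watch = ArpWatch()
    watch.observe(build_arp_frame(BROADCAST, ARP_REPLY, gw_mac, gw_ip, BROADCAST, gw_ip))
    print(watch.observe(forged_reply(attacker_mac, gw_ip, victim_mac, victim_ip)))
    for promisc in (False, True):
        host = SimHost(victim_mac, victim_ip, promiscuous=promisc)
        print(f"promiscuous={promisc}: answered probe = {promisc_probe(attacker_mac, '192.168.1.99', host)}")
```

The forged reply is a unicast frame, so only the victim's cache changes and nothing appears on other hosts; that is why a detector like ArpWatch has to run on the host being protected or on a span port that sees the victim's traffic, not just anywhere on the segment.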
Q.20 What is a web server? Explain stages of web server attack. (unit – 5)
Web server:-
A web server is the combination of hardware and software used to host websites: a computer where the web content is stored, together with the server software that serves it over HTTP. Web servers run on various operating systems, are connected to back-end databases and run various applications. The use of web servers has increased in recent years as most online services are implemented as web applications, so web servers are mostly used for web hosting, that is, hosting the data for websites and web applications.
Stages of web server attack:-
1. Information Gathering:-
Every attacker tries to gather as much information as possible about the target web server. The attacker then analyzes this information to find gaps in the web server's current security mechanisms.
2. Web Server Footprinting:-
The purpose of footprinting is to collect more information about the security aspects of a web server with the help of tools and footprinting techniques. The main purpose is to learn about the web server's remote access capabilities, its ports and services, the server software and version it announces in its banners, and other aspects of its security.
3. Website Mirroring:-
Website mirroring is a method of copying a website and its content onto another machine for offline browsing. With a mirrored website, an attacker can study the detailed structure of the site without sending further requests to the target.
4. Vulnerability Scanning:-
Vulnerability scanning is a common practice to find vulnerabilities and misconfigurations of a web server. Attackers scan for vulnerabilities with the help of automated tools referred to as vulnerability scanners, the same tools organizations use to check whether their networks, systems and applications have security weaknesses that could expose them to attacks.
5. Session Hijacking:-
A session hijacking attack happens when an attacker takes over a user's web session, for instance while the user is checking a credit card balance, paying bills, or shopping at an online store. Session hijackers usually target browser or web application sessions by stealing the session identifier.
6. Web Server Password Hacking:-
Attackers use password-cracking methods such as brute-force attacks, hybrid attacks and dictionary attacks to crack the web server's administrative passwords.
Q.21 What is SQL injection? How to prevent SQL injection. (unit – 5)
SQL injection (SQLi) is an attack in which an attacker supplies crafted input to a web application that is inserted unchanged into an SQL query, so that the input is executed as part of the query. The attacker can use this to bypass authentication, read data they are not authorized to see, or modify or delete data in the database.
How to prevent SQL injection:-
Preventing SQL injection vulnerabilities is not easy. Specific prevention techniques depend on the subtype of SQLi vulnerability, on the SQL database engine, and on the programming language.
Step 1: Train and maintain awareness:- To keep your web application safe, everyone involved in building it must be aware of the risks associated with SQL injection. Provide suitable security training to all your developers, QA staff, DevOps, and SysAdmins.
Step 2: Don't trust any user input:- Treat all user input as untrusted. Any user input that is used in an SQL query introduces a risk of SQL injection. Treat input from authenticated and/or internal users the same way that you treat public input.
Step 3: Use whitelists, not blacklists:- Don't filter user input based on blacklists. A clever attacker will almost always find a way to circumvent your blacklist. If possible, verify and filter user input using strict whitelists only (for example, an allowed character set and length for each field).
Step 4: Adopt the latest technologies:- Older web development technologies have no built-in SQLi protection. Use the latest version of the development environment and language and the latest data-access libraries for it. For example, in PHP use PDO or MySQLi prepared statements instead of the old mysql_* functions.
Step 5: Employ verified mechanisms:- Don't try to build SQLi protection from scratch. Most modern development technologies offer mechanisms to protect against SQLi; use them instead of reinventing the wheel. The most important one is parameterized queries (prepared statements), in which the query text and the user-supplied values are sent to the database separately so the values can never be interpreted as SQL. Stored procedures help only when they are themselves written without dynamic SQL.
Step 6: Scan regularly:- SQL injection may be introduced by your developers or through external libraries/modules/software. Regularly scan your web applications with a web vulnerability scanner.
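The vulnerable string-built query beside its parameterized replacement (step 5) and a whitelist check (step 3), as an added example that is not part of the original notes. It runs against a constructed in-memory SQLite table so the effect of two classic authentication-bypass payloads can be seen directly; the table, the users and the function names are mine.

```python
"""Added example (not from the original notes): SQL injection against a login
query, the vulnerable form beside the parameterized fix. The database is an
in-memory SQLite table constructed for the example."""
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text, so a quote in
    the input ends the string literal and the rest of the input becomes SQL."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the query text is fixed and the values travel separately,
    so a quote in the input is only ever compared against the column, never parsed."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(username):
    """Step 3 whitelist: used in addition to parameterization, not instead of it."""
    return bool(USERNAME_RE.match(username))


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"          # WHERE ... = '' OR '1'='1' ... -> true for every row
    comment = "alice'--"               # closes the literal, comments out the password check
    print("vulnerable, tautology:", login_vulnerable(conn, tautology, tautology))
    print("vulnerable, comment:  ", login_vulnerable(conn, comment, "wrong"))
    print("safe, tautology:      ", login_safe(conn, tautology, tautology))
    print("safe, comment:        ", login_safe(conn, comment, "wrong"))
    print("safe, real login:     ", login_safe(conn, "bob", "hunter2"))
    print("whitelist:", validate_username("alice"), validate_username(comment))
```

The tautology payload returns every row from the vulnerable query and the comment payload logs in as alice without her password; the parameterized version returns nothing for either, because the whole payload is compared against the username column as a plain string.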
Q.22 What is session hijacking? How to prevent session hijacking. (unit – 5)
A session starts when you log into a service and ends when you log out.
Session hijacking is when an attacker takes control of a user's session by intercepting the communication and stealing the session ID or token. With the stolen token the attacker can impersonate the user and gain unauthorized access, potentially to sensitive information.
How to prevent session hijacking:-
1.Avoid public Wi-Fi:- Never use public Wi-Fi for important transactions like banking, online shopping, or logging into your email or social media accounts. There may be a cybercriminal at the next table who is using packet sniffing to capture session cookies and other information.
2.Use a VPN:- If you must use public Wi-Fi, use a virtual private network (VPN) to keep session hijackers out of your sessions. A VPN masks your IP address and keeps your online activity private by creating an encrypted tunnel through which all your traffic travels, so a sniffer on the local network sees only the encrypted stream.
3.Add security software:- Install licensed security software on your devices and keep it updated, or turn on automatic updates. Security software can detect viruses and protect you from malware, including the malware attackers use to steal session tokens.
4.Watch out for scams:- Avoid clicking on any link in an email unless you have verified that it is from a legitimate sender. Session hijackers may send you an email with a link and an urgent reason to click it. The link may install malware on your device or take you to a login page that logs you into a site using a session ID chosen by the attacker (session fixation).
5.Be aware of site security:- Reputable banks, email providers, online merchants and social media sites have safeguards in place to avoid session hijacking. Careful site owners deploy HTTPS across the entire site, not just the login page or homepage, so that session cookies are never sent in the clear, and they find and close security loopholes promptly.
The possibility of falling victim to a session hijacking attack can be scary, but taking these steps will go a long way toward protecting you from attackers who want to steal your session information.
Over the past decade, more individuals have had access to the internet than ever before, and many organizations have developed web-based applications through which users interact with them. But improper configuration and poorly written code in web servers and applications are a threat that can be used to gain unauthorized access to the servers' sensitive data.
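One header analyser used from both sides, as an added example that is not part of the original notes: footprint() is what an attacker reads off a server response during web server footprinting (Q.20, stage 2), and audit() is the check a site owner runs for the session-cookie and site-wide HTTPS safeguards described in Q.22, item 5. The cookie-attribute checks (Secure, HttpOnly, SameSite) go slightly beyond the notes, which mention only HTTPS; they are the standard server-side controls for the cookie theft the notes describe. The two HTTP responses are constructed for the example and the helper names are mine.

```python
"""Added example (not from the original notes): an HTTP response header analyser
used for web server footprinting (attacker view) and for session-cookie / HTTPS
hardening checks (defender view). Both responses below are constructed."""
import math
from collections import Counter

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=q8Zt2Kc7Lp9Xv4Wm1Ns6Rb3Yd5Ag0Hj; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def parse_response(raw):
    """Return (status_line, [(name, value), ...]); repeated headers such as Set-Cookie are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def footprint(raw):
    """Attacker view: technology and version disclosures to feed into a vulnerability lookup."""
    _, headers = parse_response(raw)
    return {name: value for name, value in headers if name in BANNER_HEADERS}


def shannon_entropy(text):
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def cookie_findings(set_cookie):
    """Defender view: a session cookie that a sniffer, a page script or a cross-site
    request could steal or reuse, or a session id that could be guessed."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, cookie is sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, cookie is readable by page scripts")
    if "samesite" not in attrs:
        findings.append(f"{name}: missing SameSite")
    if len(value) < 16 or shannon_entropy(value) < 3.0:
        findings.append(f"{name}: session id is short or low-entropy")
    return findings


def audit(raw):
    _, headers = parse_response(raw)
    findings = [f for name, value in headers if name == "set-cookie" for f in cookie_findings(value)]
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("missing Strict-Transport-Security: HTTPS is not enforced site-wide")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "banners:", footprint(raw))
        for finding in audit(raw) or ["no findings"]:
            print("   ", finding)
```

Against a real server the raw response would come from a TCP or TLS connection instead of the constructed strings; the analysis is the same. Note that the hardened response still shows a Server header, only without a version, which is the usual compromise between hiding the banner entirely and breaking tools that expect one.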
Ǫ.29 Case studies on ethical hacking.