Ques VAPT

Cookies are small text files that are stored on a user's device when they visit a website. Each cookie contains a unique identifier that allows websites to differentiate individual users by tracking user activity and storing user preferences and other information. Cookies are commonly used for session management, personalization, analytics and advertising.

Uploaded by Tanayy

1) What is Information Gathering?

Information gathering is the act of collecting different kinds of information about the targeted victim or system. It is the first stage of ethical hacking, performed by penetration testers and hackers (black hat and white hat alike), and it is a necessary and crucial step. The more information gathered about the target, the higher the probability of obtaining relevant results. Information gathering is not just a phase of security testing; it is an art that every penetration tester (pen-tester) and hacker should master for a better experience in penetration testing. Various tools, techniques, and websites, including public sources such as Whois and nslookup, can help gather this information. The step is necessary because, while performing attacks on a target, you may need information such as the victim's pet name, best friend's name, age, or phone number to perform a password-guessing attack or other kinds of attacks.

Information gathering can be classified into three major categories:

Footprinting
Scanning
Enumeration
2) List 5 tools for the information gathering.

3) What is Google Dorks? How it benefits you in Security research?

4) What is SQL Injection?


SQL Injection is an attack that poisons dynamic SQL statements, either by commenting out certain parts of the statement or by appending a condition that will always be true. It takes advantage of design flaws in poorly designed web applications to make SQL statements execute malicious SQL code. The types of attacks that can be performed using SQL injection vary depending on the type of database engine. The attack works on dynamic SQL statements. A dynamic statement is a statement that is generated at run time using parameters passed from a web form or URI query string. SQL injections can do more harm than just bypassing the login logic. Some of the attacks include:
Deleting data
Updating data
Inserting data
Executing commands on the server that can download and install malicious programs such as Trojans
Exporting valuable data such as credit card details, emails, and passwords to the attacker's remote server
Getting user login details, etc.
The above list is not exhaustive; it just gives you an idea of what SQL Injection
5) Write down steps for performing sql injection, Retrieving Table Name, Database Name, Column
name.

6) List various methods of HTTP form submission with example.

The set of common methods for HTTP/1.1 is defined below, and this set can be expanded based on requirements. These method names are case-sensitive and must be used in uppercase.

S.N. Method and Description

1 GET
The GET method is used to retrieve information from the given server using a given URI. Requests using GET retrieve data and should have no other effect on the data.

2 HEAD
Same as GET, but transfers the status line and header section only.

3 POST
A POST request is used to send data to the server, for example customer information, file uploads, etc.

4 PUT
Replaces all current representations of the target resource with the uploaded content.

5 DELETE
Removes all current representations of the target resource given by a URI.

6 CONNECT
Establishes a tunnel to the server identified by a given URI.

7 OPTIONS
Describes the communication options for the target resource.

8 TRACE
Performs a message loop-back test along the path to the target resource.

7) What information is covered in the HTTP header?

HTTP header fields provide required information about the request or response, or about the object sent in the message body. There are four types of HTTP message headers:

General-header: These header fields have general applicability for both request and response messages.

Client Request-header: These header fields apply only to request messages.

Server Response-header: These header fields apply only to response messages.

Entity-header: These header fields define meta information about the entity-body or, if no body is present, about the resource identified by the request.

HTTP headers let the client and the server pass additional information with an HTTP request or response. An HTTP header consists of its case-insensitive name followed by a colon (:), then its value. Whitespace before the value is ignored.

Custom proprietary headers have historically been used with an X- prefix, but this convention
was deprecated in June 2012 because of the inconveniences it caused when nonstandard fields
became standard in RFC 6648; others are listed in an IANA registry, whose original content was
defined in RFC 4229. IANA also maintains a registry of proposed new HTTP headers.

Headers can be grouped according to their contexts:

General headers apply to both requests and responses, but with no relation to the data
transmitted in the body.

Request headers contain more information about the resource to be fetched, or about the client
requesting the resource.

Response headers hold additional information about the response, like its location or about the
server providing it.

Entity headers contain information about the body of the resource, like its content length or
MIME type.

Headers can also be grouped according to how proxies handle them:

End-to-end headers

These headers must be transmitted to the final recipient of the message: the server for a request, or the client for a response. Intermediate proxies must retransmit these headers unmodified and caches must store them.

Hop-by-hop headers

These headers are meaningful only for a single transport-level connection, and must not be retransmitted by proxies or cached. Note that only hop-by-hop headers may be set using the Connection general header. The hop-by-hop headers are:

Connection
Keep-Alive
Proxy-Authenticate
Proxy-Authorization
TE
Trailer
Transfer-Encoding
Upgrade
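The rules from questions 6 and 7 (uppercase, case-sensitive method names; case-insensitive header names with leading whitespace ignored; hop-by-hop headers that a proxy must drop) put into one parser, as an added example that is not from the sheet or from any HTTP library. The method allowlist, the sample request and the header names are constructed; TRACE and CONNECT are left out of the origin-server allowlist on purpose, since TRACE echoes the request back and CONNECT is only meaningful to a proxy.

```python
# Origin-server allowlist (constructed): anything else gets a 405-style rejection.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

# Hop-by-hop headers: meaningful for one connection only, never forwarded by a proxy.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, version, headers).

    Method names are case-sensitive, so 'get' is rejected rather than normalised.
    Header names are case-insensitive and are stored lowercased; whitespace
    before a header value is ignored.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ")
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method not allowed: {method}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def end_to_end_headers(headers):
    """Headers a proxy must forward unchanged: everything except the fixed
    hop-by-hop set and any header the Connection header names."""
    named = {h.strip().lower() for h in headers.get("connection", "").split(",") if h.strip()}
    drop = HOP_BY_HOP | named
    return {k: v for k, v in headers.items() if k not in drop}


# Constructed sample request; the hostname and form values are made up.
SAMPLE = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "Connection: keep-alive, x-internal-hint\r\n"
    "Keep-Alive: timeout=5\r\n"
    "X-Internal-Hint: debug\r\n"
    "\r\n"
    "username=alice&password=xyz"
)

if __name__ == "__main__":
    method, target, version, headers = parse_request(SAMPLE)
    print(method, target, version)
    print("forwarded by a proxy:", end_to_end_headers(headers))
```

Note that X-Internal-Hint is not in the fixed hop-by-hop list but is still dropped, because the request's own Connection header names it; that is the "only hop-by-hop headers may be set using the Connection general header" rule in code.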

8) What information is covered in Whois results?

9) List any two tools (based on Kali) to collect Whois data.

10) Write a brief note on Burp Suite.

Burp, or Burp Suite, is a set of tools used for penetration testing of web applications. It is developed by the company PortSwigger, which is also the alias of its founder Dafydd Stuttard. Burp Suite aims to be an all-in-one set of tools, and its capabilities can be extended by installing add-ons called BApps.
It is the most popular tool among professional web application security researchers and bug bounty hunters. Its ease of use makes it a more suitable choice over free alternatives like OWASP ZAP.
11) Which tool can be used for intercepting web traffic and altering requests? What is the default port for the same?

12) What is Security Testing?

Security testing can be considered the most important of all types of software testing. Its main objective is to find vulnerabilities in any software (web or networking) based application and protect its data from possible attacks or intruders.
Many applications contain confidential data that needs to be protected from being leaked. Security testing needs to be done periodically on such applications to identify threats and to take immediate action on them.

13) What is a "Vulnerability"?

A vulnerability can be defined as a weakness in any system through which intruders or bugs can attack the system.
If security testing has not been performed rigorously on the system, the chance of vulnerabilities increases. Patches or fixes are required from time to time to protect a system from vulnerabilities.
14) List the attributes of Security Testing.
There are seven attributes of security testing:
Authentication
Authorization
Confidentiality
Availability
Integrity
Non-repudiation
Resilience

15) What is an SSL connection and an SSL session?

An SSL (Secure Sockets Layer) connection is a transient peer-to-peer communications link, where each connection is associated with one SSL session.
An SSL session can be defined as an association between client and server, generally created by the handshake protocol. It defines a set of security parameters that may be shared by multiple SSL connections.

16) What is "Penetration Testing"?

Penetration testing is a type of security testing that helps in identifying vulnerabilities in a system. A penetration test is an attempt to evaluate the security of a system by manual or automated techniques; if any vulnerability is found, the testers use that vulnerability to get deeper access to the system and find more vulnerabilities. The main purpose of this testing is to protect a system from any possible attacks.
Penetration testing can be done in two ways: white box testing and black box testing.
In white box testing all the information is available to the testers, whereas in black box testing the testers do not have any information and test the system in a real-world scenario to find out the vulnerabilities.

17) Why is "Penetration Testing" important?

Security breaches and loopholes in systems can be very costly, as the threat of attack is always present and hackers can steal important data or even crash the system.
It is impossible to protect all the information all the time. Hackers always come up with new techniques to steal important data, so it is necessary for testers to perform the testing periodically to detect the possible attacks.
Penetration testing identifies the above-mentioned attacks, protects the system against them, and helps organizations keep their data safe.

18) What is a Cookie? How can you find out a cookie?

A cookie is a piece of information received from a web server and stored in a web browser, which can be read at any time later. A cookie can contain password information or some auto-fill information, and if a hacker gets these details it can be dangerous.
Types of cookies:
Session cookies: These cookies are temporary and last only for that session.
Persistent cookies: These cookies are stored on the hard disk drive and last until their expiry or until they are manually removed.
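The two cookie types above in code, as an added example that is not from the sheet: a session cookie (no expiry, so the browser discards it when the session ends) and a persistent cookie (a Max-Age, so it is stored on disk), both built with Python's standard http.cookies, plus a small audit of a Set-Cookie value for the attributes that limit what a stolen or injected script can do with it. Cookie names and values are constructed.

```python
from http.cookies import SimpleCookie


def session_cookie(name, value):
    """Set-Cookie value for a temporary cookie that lives only for the browser session."""
    c = SimpleCookie()
    c[name] = value
    c[name]["httponly"] = True    # not readable by page scripts, so script injection cannot read it
    c[name]["secure"] = True      # only sent over HTTPS
    c[name]["samesite"] = "Lax"   # not attached to most cross-site requests
    c[name]["path"] = "/"
    # No Expires / Max-Age: the browser drops it when the session ends.
    return c[name].OutputString()


def persistent_cookie(name, value, max_age_seconds):
    """Set-Cookie value for a cookie stored on disk until it expires or is removed."""
    c = SimpleCookie()
    c[name] = value
    c[name]["max-age"] = max_age_seconds
    c[name]["secure"] = True
    c[name]["samesite"] = "Lax"
    c[name]["path"] = "/"
    return c[name].OutputString()


def audit_set_cookie(header_value):
    """Return the protective attributes missing from a Set-Cookie value, in
    the order Secure, HttpOnly, SameSite (empty list means all present)."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in header_value.split(";")[1:]}
    return [wanted for wanted in ("secure", "httponly", "samesite") if wanted not in attrs]


if __name__ == "__main__":
    sid = session_cookie("sid", "abc123")         # constructed session identifier
    prefs = persistent_cookie("prefs", "dark", 3600)
    print(sid)
    print(prefs)
    print("missing on sid:", audit_set_cookie(sid))
    print("missing on prefs:", audit_set_cookie(prefs))
```

The audit is meant for cookies that carry a session or credentials; a preference cookie that page scripts legitimately read may omit HttpOnly, which is why the persistent example above is reported as missing it.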
19) What is Vulnerability Assessment?
Vulnerability assessment, also known as vulnerability testing, is a type of software testing performed to evaluate the security risks in a software system in order to reduce the probability of a threat.
A vulnerability is any mistake or weakness in the system's security procedures, design, implementation, or any internal control that may result in the violation of the system's security policy; in other words, the possibility for intruders (hackers) to get unauthorized access.
Vulnerability analysis depends upon two mechanisms, namely Vulnerability Assessment and Penetration Testing (VAPT).

20) Write a brief note on the Vulnerability Assessment and Penetration Testing (VAPT) process.
1. Goals and Objectives: Defines the goals and objectives of the vulnerability analysis.
2. Scope: While performing the assessment and test, the scope of the assignment needs to be clearly defined.
The following three scopes are possible:
Black Box Testing: Testing from an external network with no prior knowledge of the internal network and systems.
Grey Box Testing: Testing from either external or internal networks, with knowledge of the internal network and systems. It is a combination of black box testing and white box testing.
White Box Testing: Testing within the internal network with knowledge of the internal network and systems. Also known as internal testing.
3. Information Gathering: Obtaining as much information as possible about the IT environment, such as networks, IP addresses, operating system versions, etc. It applies to all three scopes: black box, grey box, and white box testing.
4. Vulnerability Detection: In this step, vulnerability scanners are used to scan the IT environment and identify the vulnerabilities.
5. Information Analysis and Planning: The identified vulnerabilities are analysed to devise a plan for penetrating the network and systems.

21) Briefly explain the types of vulnerability scanner.

The downside of vulnerability scanning is that it can inadvertently cause computer crashes during the scan if the operating system treats the vulnerability scan as invasive. Vulnerability scanners range from very expensive enterprise-level products to free open-source tools.

Types of vulnerability scanners include:

Port Scanner: Probes a server or host for open ports.
Network Enumerator: A program used to retrieve information about users and groups on networked computers.
Network Vulnerability Scanner: A system that proactively scans for network vulnerabilities.
Web Application Security Scanner: A program that communicates with a web application to find potential vulnerabilities within the application or its architecture.
Computer Worm: A type of self-replicating malware, which can be used to find out vulnerabilities.
22) Write a brief note on NMAP.
Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon
(also known by his pseudonym Fyodor Vaskovich).[3] Nmap is used to discover hosts and
services on a computer network by sending packets and analyzing the responses.

Nmap provides a number of features for probing computer networks, including host discovery
and service and operating system detection. These features are extensible by scripts that
provide more advanced service detection,[4] vulnerability detection,[4] and other features.
Nmap can adapt to network conditions including latency and congestion during a scan.

Nmap started as a Linux utility[5] and was ported to other systems including Windows, macOS,
and BSD.[6] It is most popular on Linux, followed by Windows.
Nmap features include:

Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to
TCP and/or ICMP requests or have a particular port open.
Port scanning [8] – Enumerating the open ports on target hosts.
Version detection – Interrogating network services on remote devices to determine application
name and version number.[9]
OS detection – Determining the operating system and hardware characteristics of network
devices.
Scriptable interaction with the target – using Nmap Scripting Engine[10] (NSE) and Lua
programming language.
Nmap can provide further information on targets, including reverse DNS names, device types,
and MAC addresses.[11]

Typical uses of Nmap:

Auditing the security of a device or firewall by identifying the network connections which can be
made to, or through it.[12]
Identifying open ports on a target host in preparation for auditing.[13]
Network inventory, network mapping, maintenance and asset management.
Auditing the security of a network by identifying new servers.[14]
Generating traffic to hosts on a network, response analysis and response time measurement.
[15]
Finding and exploiting vulnerabilities in a network.[16]
DNS queries and subdomain search

23) What is the use of the -p- argument in Nmap?

The -p option selects which ports to scan (a single port, a list, or a range); -p- is the shorthand for scanning all ports.

24) What is the use of the -sV argument in Nmap?

With the -sV option we can find out the versions of the services running on remote hosts.
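The "network inventory" and "identifying new servers" uses listed under question 22, together with the -p- and -sV options, as an added example that is not part of the sheet or of Nmap: it parses the XML that Nmap writes with -oX and reports open ports that are not in an asset inventory, which is how a defender turns a scan into a finding. The XML document below is a constructed sample in Nmap's output format, not real scan data, and the inventory is made up to match it.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (as produced by -oX); addresses and versions are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -sV -oX scan.xml 10.0.0.0/29">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.24.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd"/></port>
    </ports>
  </host>
</nmaprun>"""

# Ports each host is allowed to expose according to the asset inventory (constructed).
EXPECTED = {"10.0.0.5": {22, 443}, "10.0.0.6": set()}


def parse_open_ports(xml_text):
    """Return {ip: [(port, service, product, version), ...]} for every open port
    on every host that is up; closed and filtered ports are skipped."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address").get("addr")
        entries = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")   # present only when -sV (or the default name lookup) ran
            entries.append((
                int(port.get("portid")),
                svc.get("name", "") if svc is not None else "",
                svc.get("product", "") if svc is not None else "",
                svc.get("version", "") if svc is not None else "",
            ))
        result[ip] = entries
    return result


def unexpected_services(xml_text, expected=EXPECTED):
    """Open ports that the inventory does not list: new servers or services to investigate."""
    found = parse_open_ports(xml_text)
    report = {}
    for ip, entries in found.items():
        allowed = expected.get(ip, set())
        extra = [e for e in entries if e[0] not in allowed]
        if extra:
            report[ip] = extra
    return report


if __name__ == "__main__":
    for ip, entries in unexpected_services(SAMPLE_NMAP_XML).items():
        for port, name, product, version in entries:
            print(f"{ip}:{port} {name} {product} {version} is not in the inventory")
```

Because the constructed scan used -p-, the parser does not need to know which ports were probed; with -sV present, the product and version strings come straight from the service element and can be compared against the versions the inventory expects.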

25) Who are Script Kiddies and Hacktivists?

Script Kiddies: Non-skilled people who gain access to computer systems using ready-made tools.
Hacktivist: A hacker who uses hacking to send social, religious, political, etc. messages. This is usually done by hijacking websites and leaving messages on the hijacked website.
26) Who are Black Hat / Grey Hat / White Hat hackers?
White Hat Hackers
White hat hackers are also known as ethical hackers. They never intend to harm a system; rather, they try to find weaknesses in a computer or network system as part of penetration testing and vulnerability assessments.

Ethical hacking is not illegal, and it is one of the most in-demand jobs in the IT industry. Numerous companies hire ethical hackers for penetration testing and vulnerability assessments.

Black Hat Hackers

Black hat hackers, also known as crackers, are those who hack in order to gain unauthorized access to a system and harm its operations or steal sensitive information.

Black hat hacking is always illegal because of its bad intent, which includes stealing corporate data, violating privacy, damaging the system, blocking network communication, etc.

Grey Hat Hackers

Grey hat hackers are a blend of black hat and white hat hackers. They act without malicious intent, but for their own fun they exploit a security weakness in a computer system or network without the owner's permission or knowledge.

Their intent is to bring the weakness to the attention of the owners and to get appreciation or a small bounty from them.

27) Which information is available under the HTTP header?

28) List various things which can be derived from the HTTP header.

29) Which tool can be used to find out various URLs?

30) Tools for URL fuzzing.

31) Write at least 10 important / sensitive directories.

32) Which tool can be helpful for Information Gathering?

33) What is the use of Information Gathering?

34) What is Penetration Testing?

Penetration testing is a type of security testing that helps in identifying vulnerabilities in a system. A penetration test is an attempt to evaluate the security of a system by manual or automated techniques; if any vulnerability is found, the testers use that vulnerability to get deeper access to the system and find more vulnerabilities. The main purpose of this testing is to protect a system from any possible attacks.
Penetration testing can be done in two ways: white box testing and black box testing.
In white box testing all the information is available to the testers, whereas in black box testing the testers do not have any information and test the system in a real-world scenario to find out the vulnerabilities.

35) Write down the phases of the PTES.

Pre-engagement Interactions
Intelligence Gathering
Threat Modeling
Vulnerability Analysis
Exploitation
Post Exploitation
Reporting
36) What is the usage of Th3inspector, Nmap, Burp Suite, Metagoofil, Whois, the VirusTotal API, DIRB, Gobuster, WPScan, Droopescan, and JoomScan?
