Ethical Hacking


BCSE1607: Ethical Hacking and Penetration Testing

Rahul Shandilya

December 14, 2023


Introduction to Hacking

Types of Hacker
Grey, black, and white hackers are terms used to categorize individuals based
on their ethical and moral stance when it comes to hacking and cybersecurity.
These terms help differentiate between hackers who use their skills for
different purposes. Here's an overview of each type:

1. White Hat Hacker:

   - Ethical Intentions: White hat hackers, also known as ethical hackers,
     are individuals who use their hacking skills for good and with ethical
     intentions.
   - Legal: They operate within the boundaries of the law and typically have
     permission to test and secure computer systems, networks, and software.
   - Goals: Their primary goal is to identify and fix vulnerabilities and
     weaknesses in computer systems and network infrastructure to strengthen
     security.
   - Examples: White hat hackers may work as security professionals,
     penetration testers, or cybersecurity consultants.

2. Grey Hat Hacker:

   - Ambiguous Intentions: Grey hat hackers are somewhere in between white
     and black hat hackers. They may have mixed motivations, and their
     actions can be morally ambiguous.
   - Legal: They may perform hacking activities without explicit
     authorization, which can be illegal in some cases.
   - Goals: Grey hat hackers may identify vulnerabilities and disclose them
     to the affected parties without consent, sometimes with the expectation
     of receiving a reward or acknowledgment.
   - Examples: Some grey hat hackers disclose security flaws they discover,
     but they may not always follow legal procedures or ethical guidelines.

3. Black Hat Hacker:

   - Malicious Intentions: Black hat hackers are individuals who engage in
     hacking with malicious intent. Their actions are typically illegal and
     unethical.
   - Illegal: They break into computer systems, networks, and software
     without permission and often for personal gain or to cause harm.
   - Goals: Their primary goals include stealing data, spreading malware,
     conducting cyberattacks, and engaging in criminal activities.
   - Examples: Cybercriminals, hackers involved in identity theft, data
     breaches, and other illicit activities fall into this category.

Ethical Hacker Tools

Ethical hackers and penetration testers use a variety of tools to assess and
secure computer systems, networks, and applications. These tools are
essential for identifying vulnerabilities and weaknesses that could be
exploited by malicious actors. Here are different categories of tools
commonly used by ethical hackers and penetration testers:

1. Scanning and Enumeration Tools:

   - Nmap: A powerful network scanning tool for discovering open ports and
     services.
   - Masscan: A faster network scanner for quickly identifying open ports.
   - Netcat: A versatile networking utility for banner grabbing, port
     scanning, and creating reverse shells.

2. Vulnerability Scanning Tools:

   - OpenVAS: An open-source vulnerability assessment system that identifies
     security issues in networks and web applications.
   - Nessus: A widely used vulnerability scanner that helps identify and
     remediate security vulnerabilities.

3. Exploitation Tools:

   - Metasploit: A penetration testing framework that provides a range of
     exploits, payloads, and post-exploitation modules.
   - ExploitDB: A comprehensive database of exploits and vulnerabilities.
   - BeEF: The Browser Exploitation Framework for targeting web browsers and
     web applications.

4. Password Cracking Tools:

   - John the Ripper: A popular password cracking tool for dictionary and
     brute-force attacks.
   - Hashcat: A tool for cracking password hashes using various attack
     methods and algorithms.

5. Wireless Network Tools:

   - Aircrack-ng: A suite of tools for assessing the security of wireless
     networks, including WEP and WPA/WPA2 cracking.
   - Wireshark: A network protocol analyzer for capturing and analyzing data
     on a network.

6. Web Application Testing Tools:

   - Burp Suite: A web vulnerability scanner and proxy for assessing web
     application security.
   - OWASP ZAP: An open-source web application scanner for finding
     vulnerabilities in web apps.
   - SQLMap: A tool for automated SQL injection and database takeover.

7. Forensic Tools:

   - Autopsy: A digital forensics platform for analyzing disk images and
     extracting information.
   - Volatility: A memory analysis tool for examining volatile memory (RAM)
     in a forensically sound manner.

8. Social Engineering Tools:

   - Social Engineering Toolkit (SET): A framework for simulating social
     engineering attacks.
   - Maltego: A data mining tool for gathering information about individuals
     and organizations.

9. Reporting and Documentation Tools:

   - Dradis: A reporting platform that helps testers and security
     professionals manage and present findings.
   - KeepNote: A note-taking and organization tool for documenting findings
     during a penetration test.

Phases of Hacking

Reconnaissance and Footprinting: Reconnaissance is where you gather
information about your target. Footprinting is just getting an idea of the
footprint of the organization, meaning its size and appearance. This means
trying to identify network blocks, hosts, locations, and people.

Scanning and Enumeration: Identifying systems that are accessible within
network blocks, and finding services running on any available host.
Ultimately, these services will be used as entry points. This includes not
only a list of all open ports, which will be useful information, but also
the identity of the service and software running behind each open port.

Gaining Access: This is where you can demonstrate that some services are
potentially vulnerable. You do that by exploiting the service.

Maintaining Access: Maintaining access is often called persistence. This is
where an access mechanism is installed so that it persists on a system. No
matter whether a user logs out or reboots the system, the attacker can
continue to get in. This is commonly done by installing software that
reaches out, or beacons, to systems somewhere on the Internet.

Covering Tracks: Covering your tracks is where you hide or delete any
evidence of the access you managed to get. Additionally, you should cover up
your continued access. This can be accomplished with malware that ensures
your actions aren't logged, or that misreports system information, such as
network connections.
Security and Risk Management

The CIA Triad

One of the models often used to describe the relationship between security
and its objects is known as the CIA triad. CIA stands for Confidentiality,
Integrity, and Availability. Each of these is a desirable property of the
things we might want to secure, and each of the three properties can be
attacked.

- Confidentiality: Can actors who should not have access to the system or
  information access the system or information?
- Integrity: Can the data or the system be modified in some way that is not
  intended?
- Availability: Are the data or the system accessible when and how they are
  intended to be?

Risks, Threats, Vulnerabilities, and Exploits

Risk: A simple way to define risk is to consider two axes: the probability
that a negative event will occur, and the impact on something we value if
such an event happens. As cybersecurity professionals, we should always
consider risk by examining the questions "How likely is it that a particular
attack might happen?" and "What would be the worst possible outcome if the
attack occurs?"

Threat: When we can attribute a specific risk to a particular cause, we're
describing a threat. In cybersecurity, a threat is something that poses risk
to an asset we care about protecting. Not all threats are human; if our
network depends on the local electricity grid, a severe lightning storm could
be a threat to ongoing system operations. A person or group of people
embodying a threat is known as a threat actor, a term signifying agency,
motivation, and intelligence.

Vulnerability: For a threat to become an actual risk, the target being
threatened must be vulnerable in some manner. A vulnerability is a flaw that
allows a threat to cause harm. Not all flaws are vulnerabilities. To take a
non-security example, let's imagine a bridge. A bridge can have some
aesthetic flaws; maybe some pavers are scratched or it isn't perfectly
straight. However, these flaws aren't vulnerabilities because they don't
pose any risk of damage to the bridge. Alternatively, if the bridge does
have structural flaws in its construction, it may be vulnerable to specific
threats such as overloading or too much wind.

Exploits: In computer programs, vulnerabilities occur when someone who
interacts with the program can achieve specific objectives that are
unintended by the programmer. When these objectives provide the user with
access or privileges that they aren't supposed to have, and when they are
pursued deliberately and maliciously, the user's actions become an exploit.
The word exploit in cybersecurity can be used both as a noun and as a verb.
As a noun, an exploit is a procedure for abusing a particular vulnerability.
As a verb, to exploit a vulnerability is to perform the procedure that
reliably abuses it.

An attack surface describes all the points of contact on our system or
network that could be vulnerable to exploitation. An attack vector is a
specific vulnerability and exploitation combination that can further a
threat actor's objectives. Defenders attempt to reduce their attack surfaces
as much as possible, while attackers try to probe a given attack surface to
locate promising attack vectors.

Types of Malware
Malware is a broad term that can be applied to any program or script that was
intentionally developed to destroy data or damage the normal functionality of
a computer or network, or to perform malicious activities such as stealing
sensitive information (e.g. login credentials, credit card numbers, financial
information, etc.) or gaining unauthorized access to computer systems. It can
come in different formats, such as executables, binary shellcode, scripts, or
firmware.
The widely used classification is by malware type, with some types being more
common than others. The most significant and common malware types are:

- Virus: Malicious software that injects its malicious code into other files
  in a target system, thus spreading within the target system and potentially
  to other systems as well. Viruses must execute to do their malicious
  activities, so they target any type of file that could be executed on the
  system.

- Worms: Like viruses, worms are infectious and designed to replicate
  themselves. However, a worm duplicates itself without targeting and
  infecting specific files that are already present on the target system.
  Worms can spread very quickly through the network, relying on security
  weaknesses and vulnerabilities in the target host to access it and perform
  malicious activities like stealing or deleting data.

- Trojan horses: This malicious program pretends to be harmless in order to
  deceive the victim into loading and executing it, and thereby performs its
  malicious tasks [4]. A Trojan payload can be anything but is usually a form
  of backdoor that allows attackers unauthorized access to the affected
  devices. It can also be used to install keyloggers that can easily capture
  sensitive data such as names and passwords, credit card and financial
  information, etc.

- Rootkits: These are a set of malicious software tools that give attackers
  privileged access to the victim system. Attackers can then remotely
  execute files, steal sensitive information, change the system
  configuration, or alter the functionality of security mechanisms [1].
  Unlike viruses and worms, rootkits cannot self-propagate or replicate;
  they must be installed on the target system.

- Adware: This malicious software automatically displays advertisements to
  users and collects data about their activities without their consent. This
  type of malware does not usually harm the system, and most of the time the
  user will never be able to identify its malicious activities; for this
  reason, adware is also referred to as grayware. Some adware may come with
  integrated spyware such as keyloggers and other privacy-invasive software.

- Spyware: This kind of malware installs secretly on the target system for
  the purpose of monitoring the user's activities without their knowledge.
  The main goal of spyware is usually to capture sensitive information like
  bank accounts, passwords, or credit card information. Any software that is
  downloaded and installed without the user's authorization can be
  classified as spyware.

- Ransomware: This malicious program prevents users from accessing their
  system, either by disabling the system's functionality or by locking the
  users' files, and displays a message that demands payment (a ransom) to
  restore its functionality. It can be spread to the victim's devices through
  vulnerabilities in the system or through downloaded files and links in
  phishing emails. According to security reports, recent ransomware attacks
  focused on the healthcare, local government, and education sectors in
  particular.

- Keylogger: A malicious piece of software that records the keystrokes on a
  device to intercept sensitive information typed in through the keyboard.
  This gives attackers access to account numbers and PIN codes, passwords to
  online shopping websites, email logins, and other confidential information.

- Bot/Botnet: Botnet is short for robot network. A bot is a software
  application or script that is programmed to do certain repetitive tasks
  automatically. Malicious bots are used by cyber-criminals to remotely take
  control over compromised devices and use them to launch more attacks, or to
  create botnets, which are networks of infected devices. In this case,
  infected devices (also referred to as zombies) are orchestrated by a
  command and control (C&C) server that instructs them to carry out specific
  malicious actions, such as Distributed Denial of Service (DDoS) attacks,
  Application Programming Interface (API) abuse, phishing attacks, spam
  emails, ransomware, etc.

Malware programs can span multiple categories. For instance, a worm might
include a keylogger that collects login credentials. Malware can also create
new vulnerabilities in the victim host or network by disabling its security
mechanisms (e.g. removing antivirus), changing passwords and firewall
settings, installing backdoors, and more. For instance, the Gh0st RAT (Remote
Access Terminal) Trojan, which was one of the top ten alerted malware in
February 2020, can create a backdoor into infected devices and therefore
allows the attacker to fully control them.
Hacking Mobile Platforms

The rapid increase in mobile phone users, together with the flexibility and
advances that let a phone perform almost every task, has brought a dramatic
shift. As mobile phones are popularly used for online transactions, banking
applications, and other financial applications, mobile devices must have
strong security to keep transactions secure and confidential. Similarly,
mobiles hold important data such as contacts, messages, emails, login
credentials, and files, which can be stolen easily once a phone is
compromised.

Mobile Platform Attack Vectors

OWASP Top 10 Mobile Threats

For details of these attacks, see:

https://owasp.org/www-project-mobile-top-10/
Vulnerability Assessment

A vulnerability is a weakness or security flaw that exists within technical,
physical, or human systems that hackers can exploit in order to gain
unauthorized access to or control over systems within a network.
Vulnerability assessment is the process of scanning for vulnerabilities and
then prioritizing and rating those vulnerabilities based on the risk they
pose. This step is a precursor to exploitation, the act of breaking into the
target.

Vulnerability Categories
Vulnerabilities are grouped into categories based on their origins or
impacts. Thus, with categories, we can have preventive measures or solutions
for vulnerabilities that are similar to each other.

Insufficient Input Validation Vulnerabilities

A secure application will always validate any external input. In other
words, no external input is assumed to be trusted. Input validation means
ensuring that the input is exactly what the application expects in terms of
length, content, format, etc. A lack of input validation provides attackers
with a doorway into the application. Since hackers think outside the box,
they may send data that the application could not expect, thus causing
abnormal behavior on the part of the application.
Input validation vulnerabilities can be further divided into multiple
sections; the most common are:

1. Buffer Overflow Vulnerabilities: A buffer is a sequential segment of
   memory allocated to contain anything from a character string to an array
   of integers.

   When a program attempts to put more data into a buffer than it can
   store, the extra data will overwrite the memory area past the buffer.
   Writing outside the bounds of a block of allocated memory can corrupt
   data, crash the program, or cause the execution of malicious code.

   If the extra data is a string of random characters, the program will
   crash. However, a hacker may insert a specially crafted string of
   characters, i.e., shellcode or a payload, that may lead to code
   execution.

2. Format-String Vulnerabilities: This particular class of vulnerabilities
   is associated with the way the C programming language handles printing
   strings out. C provides two ways to print out a string, as follows:

   - Printing the string using a format string (the right way):

         printf("%s", buffer);

   - Printing the string directly (the wrong way):

         printf(buffer);

   If the user (i.e., a hacker) enters AAAA%08x.%08x.%08x.%08x, then the two
   calls become:

         printf("%s", "AAAA%08x.%08x.%08x.%08x");

   and

         printf("AAAA%08x.%08x.%08x.%08x");

   The first method will print the string AAAA%08x.%08x.%08x.%08x as it is;
   however, in the second the user's text is interpreted as the format
   string, so printf prints the first portion AAAA plus four hex numbers
   read from adjacent memory (the locations where it expects the arguments
   that the %08x specifiers promise). Thus, this method leads to
   information leakage: the hacker can read segments of memory.
3. Deserialization Vulnerabilities: Serialization is the process of
   converting an object into a byte stream. This facilitates transferring
   the serialized object over the network. Deserialization is the process
   of reversing the byte stream into the original objects of the
   programming language. The problem occurs when the receiving node does
   not validate or verify the deserialized object. In other words, if the
   receiving node deserializes a byte stream and then directly uses the
   reconstructed object, an attacker can inject a malicious object into
   that node.
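As an added illustration (not part of the original notes), the following Python shows the receiving side of items 1 to 3 validating what it deserializes instead of trusting it: a JSON record is checked for exactly the expected fields, types and length bounds before use, and a restricted unpickler refuses to reconstruct anything that is not plain data. The field names, bounds and the RestrictedUnpickler class are choices made for this example; the sample records and pickled payloads are constructed inline.

```python
# Added example: validate deserialized input rather than trusting it.
import io
import json
import pickle


def load_user_record(raw: bytes) -> dict:
    """Deserialize a user record from JSON and validate its shape.

    Only the fields we expect are accepted (assumed schema: username and
    age), each with a required type and a length/range bound, so an extra,
    missing, oversized or wrongly typed field is rejected before the rest of
    the application ever sees the object.
    """
    obj = json.loads(raw.decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("record must be a JSON object")
    expected = {"username": str, "age": int}
    if set(obj) != set(expected):
        bad = sorted(set(obj) ^ set(expected))
        raise ValueError("unexpected or missing fields: %s" % bad)
    for name, typ in expected.items():
        value = obj[name]
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, typ):
            raise ValueError("field %r must be of type %s" % (name, typ.__name__))
    if not (1 <= len(obj["username"]) <= 32 and obj["username"].isalnum()):
        raise ValueError("username must be 1-32 alphanumeric characters")
    if not 0 <= obj["age"] <= 150:
        raise ValueError("age out of range")
    return obj


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global (module.name) reference.

    Plain containers and scalars (dict, list, str, int, ...) are rebuilt by
    the pickle VM without any global lookup, so they still load. Anything
    that names a module-level object, such as a function or a class, goes
    through find_class and is rejected, so the stream cannot make the
    receiver instantiate or call code of the sender's choosing.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that only yields plain data."""
    return RestrictedUnpickler(io.BytesIO(data)).load()
```

In practice, prefer a data-only format such as JSON with a schema check for anything crossing a trust boundary; the restricted unpickler is for code that is stuck with pickle and cannot switch.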

Cryptographic Vulnerabilities
This category contains vulnerabilities related to how applications handle
encryption and decryption of sensitive information. A cryptographic
vulnerability leads to breaching the confidentiality of information, and
exploiting a cryptographic vulnerability allows an attacker to access
sensitive information. This category can be further divided into the
following sub-categories:

1. Insecure Algorithms: A software application can be vulnerable if it is
   using algorithms that are proven to be flawed or weak, i.e., algorithms
   that once were strong but have since been revoked. The following table
   lists some of the weak cryptographic algorithms in contrast with strong
   and secure ones.

   Also, an application should never use non-standard algorithms.

2. Weak Encryption Keys: Encryption algorithms work by providing a key
   alongside the message to encrypt. Short keys can be cracked faster than
   long keys. Thus, it is important to have a long key. Also, the key must
   be random enough and not a representation of a human-chosen password.
Configuration Vulnerabilities
These vulnerabilities result from incorrect or improper configuration of
applications. System administrators and IT engineers must always follow best
practices when configuring any appliance or service. The following are a few
examples of configuration vulnerabilities:

1. Unrestricted Zone Transfer: An example of a configuration vulnerability
   is leaving DNS zone transfer unrestricted. The best practice in this
   scenario is to restrict zone transfer to only secondary DNS servers or to
   disable it fully. Allowing zone transfer to any host is a weakness that
   makes it easy for hackers to get the entire DNS zone.

2. Publicly Exposed SIP Service: SIP (Session Initiation Protocol) is used
   for Voice over IP (VoIP) service. Companies use SIP servers so that
   telephone calls, within the same office or between branches, are carried
   over a TCP/IP network (either LAN or VPN). Care has to be taken when
   configuring multiple SIP servers in multiple branches. If a SIP server is
   exposed to the Internet through misconfigured firewall rules, then
   attackers can make free calls through that SIP server.

TCP/IP Protocol Vulnerabilities:

Many of the TCP/IP protocols were initially implemented with no security
mindset. This allowed hackers to misuse these protocols and cause unintended
behaviors which may result in traffic interception, denial of service,
information disclosure, etc. The following are examples of some TCP/IP
protocol vulnerabilities:

- ARP Poisoning: The ARP poisoning technique exploits the fact that ARP
  works with no authentication or authorization. An attacker can easily
  manipulate the ARP table/cache of a victim machine if they are on the same
  subnet.

- DNS Poisoning: Attacks against DNS protocols have in the past enabled
  hackers to inject false DNS records into either a DNS server or a
  workstation's DNS cache. Some DNS poisoning techniques take place when the
  attacker and victim are on the same subnet. However, some techniques can
  be done from the Internet, even though this has become tremendously
  difficult in recent times.

- DHCP Exhaustion: DHCP is a protocol responsible for assigning dynamic IP
  address configurations to workstations in the LAN. DHCP works through a
  process known as DORA: Discover, Offer, Request, and Acknowledge. Given
  the lack of any authentication mechanism, an attacker can simulate the
  DORA process indefinitely until the IP address pool of the DHCP server is
  exhausted.

- Routing Manipulation: Routing protocols such as RIP and OSPF, especially
  older versions, are also susceptible to various attacks. An attacker may
  send fake packets, disrupt the routing tables within an Autonomous System
  (AS), and announce their machine as a legitimate router; thus, the
  attacker receives all traffic. There is a tool called Internetwork
  Routing Protocol Attack Suite (IRPAS) that is made to perform routing
  protocol attacks.

Authentication Vulnerabilities:
Authentication is the process of validating the identity of a certain entity
(e.g., a user or a process). Authentication is done through one or more of
the following:

- What the user is: such as fingerprints, face or voice recognition.
- What the user knows: such as passwords.
- What the user has: such as an access card or a one-time token.

Examples of password-related vulnerabilities are:

1. Hard-Coded Passwords: The passwords are written in plain text inside the
   code. All developers can read the passwords. Also, if a hacker manages to
   reverse engineer the application, they can read the passwords. The
   correct and best-practice procedure for handling passwords is to hash
   them and store the hashes in a backend database system.

2. Default Passwords: Many manufacturers and vendors set default passwords
   for their appliances and applications. Not changing these passwords
   makes those systems vulnerable to password guessing.
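Added example, not from the notes: the hash-and-store practice from item 1 in Python, using PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt and a constant-time comparison, so the stored record never contains the password itself and two users with the same password get different records. The same salted, iterated derivation is what the earlier "Weak Encryption Keys" point calls for whenever a key has to come from a human-chosen password. The record format and the iteration count are assumptions made for this example.

```python
# Added example: store a salted, iterated password hash instead of the password.
import hashlib
import hmac
import secrets

# Assumed work factor for the example; raise it as hardware gets faster.
ITERATIONS = 300_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$hash_hex.

    The salt comes from the OS CSPRNG and is unique per record, so equal
    passwords do not produce equal records and precomputed tables are
    useless. Everything needed to re-derive the hash is kept in the record;
    the password is not.
    """
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), dk.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time.

    A malformed record is treated as a failed login rather than an error,
    so an attacker cannot distinguish corrupt records from wrong passwords.
    """
    try:
        algorithm, iterations, salt_hex, dk_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except ValueError:
        return False
    # hmac.compare_digest avoids leaking, via timing, how many leading
    # bytes of the candidate matched.
    return hmac.compare_digest(candidate, expected)
```

Keeping the iteration count inside each record lets the application raise the work factor for new records while old ones still verify, and re-hash a user's password the next time they log in successfully.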

Authorization Vulnerabilities
Authorization is the process of granting privileges and rights after an
entity has been authenticated. When a user accesses a system as a normal
user (not as root/administrator), all processes run by that user account
will have limited privileges. In case a certain process needs to do a task
with administrative privileges, it will elevate its privileges temporarily
in order to perform that task. However, it must drop those elevated
privileges immediately after the operation is completed. If the process
fails to drop those privileges, it will continue running as root/admin and
any other vulnerability will have a greater impact on the system. In other
words, later vulnerabilities will be exploited with admin/root privileges
instead of user privileges.

Hardware Vulnerabilities
This class contains vulnerabilities residing in the CPU hardware due to poor
manufacturing design. Thus, they cannot be patched easily; some require
patching the firmware, while others remain until the hardware component is
replaced and upgraded. The two vulnerabilities are called Meltdown and
Spectre and they affected Intel CPUs. These vulnerabilities exist because of
a modern CPU feature known as Speculative Execution.
Speculative Execution is a feature in modern CPUs that was implemented to
speed up the execution of programs. Under Speculative Execution, the CPU
executes both paths of a branch in advance, prior to condition evaluation,
and stores the results in its cache. Once the condition is evaluated, the CPU
chooses the right results from its cache. Given that both logical branches
have been executed and stored in the cache, a running program that does not
have the privilege to see either of the logical branches may now run a
so-called side-channel attack and access the stored data. By knowing the
cache address of the data, it can check the content of that cache not by
directly accessing it (since it has no permission), but rather by how fast
the CPU rejects its attempt.
Exploits

Exploits are specific techniques or pieces of code that take advantage of
vulnerabilities or weaknesses in computer systems, software, or networks to
gain unauthorized access, control, or privileges. Ethical hackers and
penetration testers use exploits to demonstrate and identify security flaws,
and their primary goal is to help organizations strengthen their security by
identifying and fixing vulnerabilities before malicious hackers can exploit
them.

- Purpose: The primary purpose of using exploits in ethical hacking and
  penetration testing is to assess the security of a system and find
  weaknesses that could be exploited by malicious actors. This helps
  organizations understand their potential vulnerabilities and improve their
  security measures.

- Types of Exploits: Exploits come in various forms, such as code, scripts,
  or techniques, and they are tailored to specific vulnerabilities or
  weaknesses. Common types of exploits include buffer overflows, SQL
  injection, remote code execution, cross-site scripting (XSS), and many
  more.

- Payload: An exploit typically contains a payload, which is the malicious
  code or instructions that are executed when the vulnerability is
  successfully exploited. The payload can vary widely, from gaining
  unauthorized access to a system to executing arbitrary commands.

- Ethical Use: Ethical hackers and penetration testers use exploits with the
  permission and knowledge of the organization they are testing. Their
  actions are legal and intended to uncover and address security issues.

- Responsible Disclosure: When ethical hackers discover vulnerabilities and
  successfully exploit them, they follow responsible disclosure practices.
  This involves notifying the affected organization of the findings and
  allowing them to address the issues before any public disclosure.

- Legality: Unauthorized use of exploits or hacking into systems without
  explicit permission is illegal and unethical. Ethical hacking and
  penetration testing are conducted within the boundaries of the law and
  ethical guidelines.

- Tools and Frameworks: Ethical hackers and penetration testers often use
  specialized tools and frameworks that contain a library of exploits and
  techniques. Examples of such tools include Metasploit, Burp Suite, and
  OWASP ZAP.

- Continuous Learning: As new vulnerabilities and exploits are discovered,
  ethical hackers and penetration testers must stay up to date with the
  latest threats and security trends to effectively test and secure systems.

Injection-Based Attacks
Injection-based attacks allow threat actors and penetration testers to inject
customized code into an input field within a form on a web application. The
web application will process the input and provide a response, as it is
designed to operate in a client-server model and a request-response model.
However, if a user sends malformed code to a login form on a web application,
the user may be able to retrieve sensitive information from the web
application and the database server, and even perform operations on the
operating system of the hosting web server.
Without proper validation and sanitization of users' input, threat actors are
able to determine whether a web application has security vulnerabilities,
manipulate the data stored within the backend database server, and even
perform command injection on the host operating system.

SQL injection (SQLi) is a type of injection-based attack that allows the
threat actor to inject customized SQL statements (code) within an input form
on a web application. If the web application does not validate or sanitize
the input, the code will be sent to the SQL server on the backend for
processing. If the web application is vulnerable, the threat actor will be
able to create, modify, retrieve,

Command injection is another type of injection-based attack that allows a
threat actor to inject customized code into an input form on a web
application. A vulnerable web application will pass the user input to the
host operating system, which then executes the code. This will allow the
threat actor to execute commands on the host operating system of the web
server.

SQL injection
https://owasp.org/www-community/attacks/SQL_Injection
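Added example (not from the notes): the login-form lookup described above, written once the vulnerable way, with the user's input concatenated into the SQL text so that a quote character changes the structure of the statement, and once with a parameterized query, in which the driver keeps the input as data. Both run against a constructed in-memory SQLite table so the difference can be observed offline. The table layout and sample rows are my own, and the passwords are stored in plain text here only to keep the example short (the authentication section covers hashing).

```python
# Added example: string-built SQL versus a parameterized query.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The flaw: the input is pasted into the statement text.

    Whatever the user types becomes part of the SQL grammar, so a value
    containing a quote can terminate the string literal early and append
    its own conditions; the database cannot tell code from data.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """The fix: placeholders bind the input as values.

    The statement's structure is fixed before the values are supplied, so
    quotes or keywords in the input are compared literally against the
    stored columns and never reinterpreted as SQL.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None
```

The same rule applies to every other interpreter a web application hands user input to (shell commands, LDAP filters, XPath): build the structure first and pass the user's data through an API that treats it as data.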
Session Management Flaws

Session management aws in the context of ethical hacking refer to vulner-


abilities or weaknesses in the way a web application manages user sessions.
These aws can be exploited by attackers to gain unauthorized access, hi-
jack user accounts, or perform other malicious actions within the application.
Ethical hackers, also known as penetration testers, identify and help reme-
diate these aws to improve the security of the application. Here are some
common session management aws:

1. Session Fixation: In this attack, an attacker sets a user's session


ID to a known value (usually obtained through social engineering or
phishing) before the user logs in. When the user logs in, their session
is eectively hijacked by the attacker.

2. Session Prediction: Attackers can predict or guess session IDs by


analyzing patterns in how session IDs are generated. This can allow
them to hijack active sessions and gain unauthorized access.

3. Insucient Session Expiration: Sessions should have a dened ex-


piration time, after which the user is required to re-authenticate. If
sessions remain active indenitely or for an extended period, attackers
may have more opportunities to hijack them.

4. Weak Session ID Generation: Session IDs should be long, random,


and unpredictable. If they are easily guessable or can be brute-forced,
attackers may be able to guess valid session IDs and hijack sessions.

5. Insecure Transmission of Session Data: If session tokens are trans-


mitted over unencrypted channels (HTTP instead of HTTPS), attack-
ers can intercept them using techniques like packet sning.

6. Client-Side Session Storage: Storing session data on the client side,


such as in cookies or local storage, can be risky if not implemented
securely. Attackers may tamper with or steal this data.

19
7. Session Impersonation: Attackers may use session management aws
to impersonate other users, gaining unauthorized access to their ac-
counts and data.

8. Session Timeout Management: If sessions are not properly timed


out after a period of inactivity, attackers may be able to take over the
user's session.

9. Session Revocation: If there is no mechanism to revoke sessions (e.g.,


in case of a password change or a user logout), an attacker with access
to an old session ID can continue to use it even after the user has taken
actions to invalidate it.

10. Cross-Site Request Forgery (CSRF): While not a session man-


agement aw per se, CSRF attacks can manipulate an authenticated
user's session to perform unauthorized actions on their behalf.
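
The controls that close flaws 1, 3, 4, 8 and 9 above fit in a small server-side session store. The following is an added example written for these notes, not code from the course or from any particular framework; the class and method names (SessionStore, login, resolve, change_password) are assumptions made for the illustration, and the clock is injectable so that the timeouts can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed example (not code from the course notes): a minimal server-side
# session store that addresses flaws 1, 3, 4, 8 and 9 of the list above.
# Class and method names are assumptions for this illustration.

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session dies (flaws 3, 8)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime regardless of activity


@dataclass
class Session:
    user: Optional[str]      # None until the user has authenticated
    created: float
    last_seen: float
    cred_version: int        # user's credential version when the session was issued


class SessionStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now                                  # injectable clock for testing
        self.sessions: Dict[str, Session] = {}
        self.cred_version: Dict[str, int] = {}          # bumped on password change

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG (256 bits), URL-safe base64: long, random and
        # unpredictable (flaw 4). Never derive IDs from time, user name or counters.
        return secrets.token_urlsafe(32)

    def start_anonymous(self) -> str:
        """Pre-login session, e.g. for a shopping cart."""
        sid = self.new_id()
        t = self.now()
        self.sessions[sid] = Session(None, t, t, 0)
        return sid

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Authenticate and ROTATE the session ID. Whatever ID the client presented
        (possibly planted by an attacker) is discarded, so session fixation (flaw 1)
        gives the attacker nothing."""
        if presented_sid is not None:
            self.sessions.pop(presented_sid, None)
        sid = self.new_id()
        t = self.now()
        self.sessions[sid] = Session(user, t, t, self.cred_version.get(user, 0))
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """Return the authenticated user for sid, or None if the session is not valid."""
        s = self.sessions.get(sid)
        if s is None or s.user is None:
            return None
        t = self.now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            del self.sessions[sid]             # expired: force re-authentication
            return None
        if s.cred_version != self.cred_version.get(s.user, 0):
            del self.sessions[sid]             # password changed after issue (flaw 9)
            return None
        s.last_seen = t
        return s.user

    def logout(self, sid: str) -> None:
        """Server-side revocation: an old cookie value is useless afterwards (flaw 9)."""
        self.sessions.pop(sid, None)

    def change_password(self, user: str) -> None:
        """Invalidates every session issued under the old credential version."""
        self.cred_version[user] = self.cred_version.get(user, 0) + 1
```

The point of the credential-version counter is that revocation happens on the server: deleting the cookie in the browser, or letting an attacker keep a copy of it, changes nothing once the server no longer recognises the ID. Transport protection (flaw 5) is outside this code and belongs on the cookie itself (the Secure and HttpOnly attributes) and on the HTTPS configuration.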

Session Hijacking
The attacker intercepts the session and takes over the legitimate authenticated session. When the session authentication process is complete and the user is authorized to use resources such as web services, TCP communication or others, the attacker takes advantage of this authenticated session and places themselves between the authenticated user and the host. The authentication process runs only at the start of the TCP session, so once the attacker successfully hijacks the authenticated TCP session, traffic can be monitored, or the attacker can take on the role of the legitimate authenticated user. Session hijacking succeeds because of weak session IDs or because there is no blocking upon receiving an invalid session ID.

Session Hijacking Techniques
The session hijacking process is categorized into the following three techniques:

1. Stealing: The stealing category includes the different techniques for stealing a session ID, such as the "Referrer attack", network sniffing, Trojans or any other means.

2. Guessing: The guessing category includes the tricks and techniques used to guess the session ID, such as observing the variable components of session IDs or calculating a valid session ID by figuring out the sequence.

3. Brute-Forcing: Brute-forcing is the process of trying every possible combination of a credential. Usually, brute-forcing is performed when an attacker has gained information about the range of session IDs.

Session Hijacking Process

The process of session hijacking involves:

• Sniffing: The attacker attempts to place themselves between the victim and the target in order to sniff the packets.

• Monitoring: Monitor the traffic flow between the victim and the target.

• Session Desynchronization: The process of breaking the connection between the victim and the target.

• Session ID: The attacker takes control over the session by predicting the session ID.

• Command Injection: After successfully taking control over the session, the attacker starts injecting commands.

Types of Session Hijacking
Active Attack. An active attack involves interception of the active session by the attacker. An attacker may send packets to the host in an active attack. In an active attack, the attacker manipulates the legitimate users of the connection. As a result of an active attack, the legitimate user is disconnected.

Passive Attack. A passive attack involves hijacking a session and monitoring the communication between hosts without sending any packets.

Session Hijacking in the OSI Model

1. Network Level Hijacking: Network level hijacking includes hijacking of a network layer session such as a TCP or UDP session.

2. Application Level Hijacking: Application level hijacking includes hijacking of an application layer session, such as hijacking an HTTPS session.

Spoofing vs. Hijacking

The major difference between spoofing and hijacking is the active session. In a spoofing attack, the attacker pretends to be another user by impersonation in order to gain access. The attacker does not have any active session; it initiates a new session with the target with the help of stolen information.
Hijacking is basically the process of taking control over an existing active session between an authenticated user and a target host. The attacker uses the authenticated session of a legitimate user without initiating a new session with the target.

Application Level Session Hijacking

Application-Level Hijacking Concept. Session hijacking as defined here focuses on the application layer of the OSI model. In the application layer hijacking process, the attacker is looking for a legitimate session ID from the victim in order to gain access to an authenticated session, which allows the attacker to use web resources. For example, with application layer hijacking an attacker can access website resources secured for authenticated users only. The web server may assume that the incoming request comes from the known host, whereas an attacker has hijacked the session by predicting the session ID.

Compromising Session IDs using Sniffing. Session sniffing is another flavor of sniffing in which an attacker is looking for the session ID / session token. Once the attacker has found the session ID, it can gain access to the resources.

Compromising Session IDs by Predicting Session Token. Predicting the session ID is the process of observing the session IDs currently in use by the client. By observing the common and variable parts of the session key, an attacker can guess the next session key.

How to Predict a Session Token? Web servers normally use random session ID generation to prevent prediction; however, some web servers use custom-defined algorithms to assign session IDs. For example, as shown below:

After observing the above session IDs, you can easily identify the constant part and the variable parts. In the above example, ABCD is the constant part, 01012017 is a date, and the last section is the time. An attacker may attempt with the following session ID at 19:25:10
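
The check a penetration tester actually runs against a session ID scheme is the one this paragraph describes by eye: collect a sample of IDs and measure how much of each ID is constant or merely a clock reading. The following is an added example for these notes, not course code: the weak generator is constructed to match the page's description (constant "ABCD", then the date, then the time; the exact format of the page's missing figure is an assumption), and it is compared with an ID drawn from the OS random number generator. The sample start time (1 January 2017, 19:20:00) is constructed.

```python
import math
import secrets
from collections import Counter
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed example (not from the course text): a weak session ID scheme of the
# kind the section describes next to a CSPRNG-based one, and a per-position
# entropy test that shows how much of each ID is actually unpredictable.


def weak_session_id(when: datetime) -> str:
    """Constant part + DDMMYYYY + HHMMSS, mirroring the page's description.
    The date/time layout is an assumption; the page's figure is not reproduced."""
    return "ABCD" + when.strftime("%d%m%Y") + when.strftime("%H%M%S")


def strong_session_id() -> str:
    """128 random bits from the OS CSPRNG, hex encoded (32 characters)."""
    return secrets.token_hex(16)


def sample_weak_ids(n: int, start: Optional[datetime] = None) -> List[str]:
    """n weak IDs issued one second apart; default start is a constructed time."""
    if start is None:
        start = datetime(2017, 1, 1, 19, 20, 0)
    return [weak_session_id(start + timedelta(seconds=i)) for i in range(n)]


def sample_strong_ids(n: int) -> List[str]:
    return [strong_session_id() for _ in range(n)]


def constant_prefix(ids: List[str]) -> str:
    """Longest prefix shared by every sampled ID (the 'constant part')."""
    prefix = ids[0]
    for s in ids[1:]:
        i = 0
        while i < min(len(prefix), len(s)) and prefix[i] == s[i]:
            i += 1
        prefix = prefix[:i]
    return prefix


def per_position_entropy(ids: List[str]) -> List[float]:
    """Shannon entropy in bits of the character at each position across the
    sample. 0.0 means the position never changes; log2(16) = 4 is the maximum
    for a hex digit, log2(10) for a decimal digit."""
    width = min(len(s) for s in ids)
    n = len(ids)
    out = []
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        out.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return out


def fixed_positions(ids: List[str]) -> int:
    """Number of character positions that are constant over the whole sample.
    A high count relative to the ID length means the ID is mostly structure."""
    return sum(1 for h in per_position_entropy(ids) if h == 0.0)
```

On a sample of 200 weak IDs taken over a few minutes, 15 of the 18 characters never change and the remaining three are seconds-of-the-day digits, which is what makes "the following session ID at 19:25:10" a workable guess; the same test on the CSPRNG IDs finds no fixed position at all. The defensive conclusion is the one the countermeasures section states later: session IDs must come from a cryptographic random source, never from a timestamp, counter or user attribute.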
Compromising Session IDs Using Man-in-the-Middle Attack. The process of compromising the session ID using a Man-in-the-Middle attack requires splitting the connection between the victim and the web server into two connections, one between the victim and the attacker and another between the attacker and the server.

Compromising Session IDs Using Man-in-the-Browser Attack. Compromising a session ID using a Man-in-the-Browser attack requires a Trojan already deployed on the target machine. The Trojan can either change the proxy settings, redirecting all traffic through the attacker, or, in another technique, intercept the process between the browser and its security mechanism.

Steps to Perform Man-in-the-Browser Attack. To launch a Man-in-the-Browser attack, the attacker first infects the victim's machine using a Trojan. The Trojan installs malicious code in the form of an extension on the victim's machine, which modifies the browser's configuration upon boot. When a user logs into a site, the URL is checked against a known list of targeted websites; the event handler registers the event when a match is detected. Using the DOM interface, the attacker can extract and modify the values when the user clicks the button. The browser sends the form with the modified entries to the web server. As the browser shows the original transaction details, the user cannot identify any interception.

Compromising Session IDs Using Client-side Attacks. Session IDs can be compromised easily by using client-side attacks such as:
1. Cross-Site Scripting (XSS)
2. Malicious JavaScript Code
3. Trojans

Cross-site Script Attack. A Cross-site Scripting attack is performed by an attacker sending a crafted link with a malicious script. When the user clicks this malicious link, the script is executed. This script may be coded to extract the session ID and send it to the attacker.

Cross-site Request Forgery Attack. A Cross-Site Request Forgery (CSRF) attack is the process of obtaining the session ID of a legitimate user and exploiting the active session with the trusted website in order to perform malicious activities.

Session Replay Attack. Another technique for session hijacking is the Session Replay Attack. The attacker captures the authentication token from the user intended for the server and replays the request to the server, resulting in unauthorized access to the server.

Session Fixation. Session Fixation is an attack permitting the attacker to hijack the session. The attacker has to provide a valid session ID and make the victim's browser use it. It can be done by the following techniques:
1. Session token in a URL argument
2. Session token in a hidden form field
3. Session ID in a cookie
To understand the Session Fixation attack, assume an attacker, a victim, and the web server. The attacker initiates a legitimate connection with the web server, which issues a session ID, or uses a new session ID. The attacker then sends the victim a link carrying the established session ID in order to bypass authentication. When the user clicks the link and attempts to log into the website, the web server continues the session as it is already established, and authentication is performed. Now the attacker, who already has the session ID information, can continue using the legitimate user's account.

Network-level Session Hijacking

Network-level hijacking is focused on the Transport layer and Internet layer protocols used by the application layer. A network level attack results in extracting information which might be helpful for application layer session hijacking.
There are several types of network level hijacking, including:
• Blind Hijacking
• UDP Hijacking
• TCP/IP Hijacking
• RST Hijacking
• MITM
• IP Spoofing

The 3-Way Handshake

TCP communication initiates with the 3-way handshake between the requesting host and the target host. In this handshake, Synchronization (SYN) packets and Acknowledgment (ACK) packets are exchanged between them. To understand the flow of the 3-way handshake, observe the following diagram.

TCP/IP Hijacking
TCP/IP hijacking is a network level attack on a TCP session in which an attacker predicts the sequence number of a packet flowing between the victim and the host. To perform a TCP/IP attack, the attacker must be on the same network as the victim. Usually, the attacker uses sniffing tools to capture the packets and extract the sequence number. By injecting a spoofed packet, the session can be interrupted. Communication from the legitimate user can be disrupted by a Denial-of-Service attack or a connection reset.

Source Routing
Source routing is a technique of sending a packet via a selected route. In session hijacking, this technique is used to attempt IP spoofing as a legitimate host, with the help of source routing to direct the traffic through a path identical to the victim's path.

RST Hijacking
RST hijacking is the process of sending a Reset (RST) packet to the victim with a spoofed source address. The acknowledgment number used in this Reset packet is also predicted. When the victim receives this packet, it cannot identify that the packet is spoofed, believes the actual source has sent the packet, and resets the connection. RST packets can be crafted using packet crafting tools.
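
What the three sections above (the handshake, sequence-number prediction and RST hijacking) have in common is the receiver's sequence-number check, so the defence lives there too: an unpredictable initial sequence number at SYN time, and, since RFC 5961, an RST is only honoured when its sequence number is exactly the next expected one, while an RST that is merely inside the receive window triggers a challenge ACK instead of a teardown. The following is an added example for these notes, not course code and not a real TCP stack; TcpSeqState, classify_rst and the other names are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model (not from the course text) of the receiver-side RST check
# from RFC 5961 section 3.2, the legacy behaviour it replaced, and the sequence
# and acknowledgment numbers exchanged in the 3-way handshake.

MOD = 2 ** 32          # TCP sequence numbers are 32-bit and wrap around


def random_isn() -> int:
    """Initial sequence number chosen at SYN time. Drawing it from a CSPRNG is
    what stops an off-path attacker from predicting it from earlier sessions."""
    return secrets.randbelow(MOD)


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), with 32-bit wrap."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


@dataclass
class TcpSeqState:
    rcv_nxt: int      # next sequence number we expect from the peer
    rcv_wnd: int      # our advertised receive window


def classify_rst(state: TcpSeqState, seg_seq: int) -> str:
    """RFC 5961 handling of an incoming RST segment:
    'reset'     - SEG.SEQ == RCV.NXT exactly: tear the connection down
    'challenge' - in window but not exact: send a challenge ACK and keep the
                  connection; a genuine peer answers with an exact RST, a
                  forged one does not see the challenge
    'drop'      - outside the window: silently ignore"""
    if seg_seq == state.rcv_nxt:
        return "reset"
    if seq_in_window(seg_seq, state.rcv_nxt, state.rcv_wnd):
        return "challenge"
    return "drop"


def legacy_classify_rst(state: TcpSeqState, seg_seq: int) -> str:
    """Pre-RFC-5961 behaviour: any in-window RST resets the connection, so a
    forged RST only had to land somewhere inside the window."""
    if seq_in_window(seg_seq, state.rcv_nxt, state.rcv_wnd):
        return "reset"
    return "drop"


def handshake(client_isn: int, server_isn: int) -> List[Tuple[int, int]]:
    """(seq, ack) of the three handshake segments: SYN, SYN/ACK, ACK.
    Each side acknowledges the other's ISN + 1; those values are the ones the
    attacks above have to guess once the handshake is over."""
    syn = (client_isn, 0)
    syn_ack = (server_isn, (client_isn + 1) % MOD)
    ack = ((client_isn + 1) % MOD, (server_isn + 1) % MOD)
    return [syn, syn_ack, ack]
```

With a 64 KiB window the legacy rule accepts one RST sequence value in roughly 65 thousand, while the exact-match rule accepts one in 2^32; that difference, together with a random ISN, is the mitigation the countermeasures section has in mind when it recommends IPsec for anything that must survive an on-path attacker, because sequence checks alone cannot help against someone who can read the traffic.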
Blind Hijacking
Blind hijacking is a technique in which the attacker is not able to capture the return traffic. In blind hijacking, the attacker captures a packet coming from the victim destined for the server, injects a malicious packet and forwards it to the target server.

Forged ICMP and ARP Spoofing

A man-in-the-middle attack can also be performed by using forged ICMP packets and ARP spoofing techniques. Forged ICMP packets, such as Destination unavailable or high latency messages, are sent to fool the victim.

UDP Hijacking
The UDP session hijacking process is much simpler than TCP session hijacking. Since UDP is a connectionless protocol, it does not require any sequence packets between the requesting client and the host. UDP session hijacking is all about sending the response packet before the destination server responds. There are several techniques to intercept the incoming traffic from the destination server.

Countermeasures

Session Hijacking Countermeasures

Mitigation of session hijacking attacks includes several detection techniques and countermeasures that can be implemented, including manual and automated processes. Deployment of defense-in-depth technology and network monitoring devices such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are categorized as automated detection processes. There are several packet sniffing tools available which can be used for manual detection. Furthermore, encrypted sessions and communication using Secure Shell (SSH), using HTTPS instead of HTTP, using random and lengthy strings for session IDs, session timeouts, and strong authentication like Kerberos can be helpful to prevent and mitigate session hijacking. Using IPsec and SSL can provide stronger protection against hijacking.

IPSec
IPSec stands for IP security. As the name suggests, it is used for the security of general IP traffic. The power of IPsec lies in its ability to support multiple protocols and algorithms. It also incorporates new advancements in encryption and hashing protocols. The main objective of IPSec is to provide CIA (confidentiality, integrity, and authentication) for virtual networks used in current networking environments. IPSec makes sure the above objectives are in action from the time a packet enters a VPN tunnel until it reaches the other end of the tunnel.

• Confidentiality. IPSec uses encryption protocols, namely AES, DES, and 3DES, for providing confidentiality.

• Integrity. IPSec uses hashing protocols (MD5 and SHA) for providing integrity. Hashed Message Authentication Code (HMAC) can also be used for checking data integrity.

• Authentication algorithms. RSA digital signatures and pre-shared keys (PSK) are two methods used for authentication purposes.

Components of IPsec. The components of IPsec include:

• Components of IPsec
• IPsec Drivers
• Internet Key Exchange (IKE)
• Internet Security Association Key Management Protocol
• Oakley
• IPsec Policy Agent

Modes of IPsec
There are two working modes of IPSec, namely tunnel and transport mode. Each has its own features and implementation procedure.

IPSec Tunnel Mode. Being the default mode set on Cisco devices, tunnel mode protects the entire IP packet from the originating device. It means that for every original packet, another packet is generated with a new IP header and sent over the untrusted network to the VPN peer located at the other end of the logical connection. Tunnel mode is commonly used in the case of Site-to-Site VPN, where two secure IPSec gateways are connected over the public internet using an IPSec VPN connection. Consider the following diagram:
This shows IPSec Tunnel Mode with ESP header:
Similarly, when AH is used, the new IP packet format will be:

IPsec Transport Mode. In transport mode, IPsec VPN secures the data field or payload of the originating IP traffic by using encryption, hashing or both. New IPsec headers encapsulate only the payload field while the original IP headers remain unchanged. Tunnel mode is used when the original IP packets carry the source and destination addresses of the secure IPsec peers. For example, securing the management traffic of a router is a perfect example of an IPsec VPN implementation using transport mode. From a configuration point of view, both tunnel and transport modes are defined in the configuration of the transform set. It will be covered in the Lab scenario of this section.
This diagram shows IPsec Transport Mode with ESP header:
Similarly, in case of AH:
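
The two packet layouts described above (original header kept in transport mode, whole packet wrapped in a new outer header in tunnel mode) and the integrity and anti-replay checks of the receiving peer can be shown with a deliberately simplified AH-style header. The following is an added example written for these notes, not course code and not a real IPsec implementation: it uses a fixed 20-byte header carrying SPI, sequence number and a 96-bit truncated HMAC-SHA256 ICV (real AH has next-header and length fields and lets the transform set choose the MAC), the 20-byte IPv4 header has no options and a zero checksum, and the key, addresses and payload are constructed.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed, simplified model (not course code, not a real IPsec stack): an
# AH-style integrity header applied in transport mode and in tunnel mode, plus
# the receiver's ICV verification and anti-replay window.

PROTO_AH = 51          # IANA protocol number for AH, carried in the IP header
ICV_LEN = 12           # 96-bit truncated ICV, the usual IPsec truncation
AH_LEN = 8 + ICV_LEN   # SPI (4) + sequence number (4) + ICV; assumption of this model


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: version/IHL, TOS, total length, id,
    flags/fragment, TTL, protocol, checksum (zero here), src, dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def compute_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV over the IP header, SPI, sequence number and payload. (Real AH zeroes
    the mutable header fields such as TTL first; this model has no mutable fields.)"""
    mac = hmac.new(key, ip_hdr + struct.pack("!II", spi, seq) + payload, hashlib.sha256)
    return mac.digest()[:ICV_LEN]


def ah_transport(key: bytes, src: bytes, dst: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Transport mode: the original IP header stays and AH sits between it and the payload."""
    ip_hdr = ipv4_header(src, dst, PROTO_AH, AH_LEN + len(payload))
    icv = compute_icv(key, ip_hdr, spi, seq, payload)
    return ip_hdr + struct.pack("!II", spi, seq) + icv + payload


def ah_tunnel(key: bytes, gw_src: bytes, gw_dst: bytes, spi: int, seq: int, inner_packet: bytes) -> bytes:
    """Tunnel mode: the entire original packet (header included) becomes the
    payload of a new outer packet addressed between the two gateways."""
    return ah_transport(key, gw_src, gw_dst, spi, seq, inner_packet)


class ReplayWindow:
    """Anti-replay sliding window in the style of RFC 4302, width 32 (bit 0 = highest seen)."""

    def __init__(self, width: int = 32):
        self.width, self.top, self.bits = width, 0, 0

    def accept(self, seq: int) -> bool:
        if seq > self.top:                                  # new highest: slide the window
            shift = seq - self.top
            self.bits = ((self.bits << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.width or self.bits & (1 << offset):
            return False                                    # too old, or already seen (replay)
        self.bits |= 1 << offset
        return True


def verify(key: bytes, frame: bytes, window: ReplayWindow) -> Optional[bytes]:
    """Receiver side: check the ICV in constant time, then the replay window.
    Returns the protected payload (the inner packet in tunnel mode) or None."""
    if len(frame) < 20 + AH_LEN or frame[9] != PROTO_AH:
        return None
    ip_hdr, rest = frame[:20], frame[20:]
    spi, seq = struct.unpack("!II", rest[:8])
    icv, payload = rest[8:AH_LEN], rest[AH_LEN:]
    if not hmac.compare_digest(icv, compute_icv(key, ip_hdr, spi, seq, payload)):
        return None                                         # tampered or wrong key
    if not window.accept(seq):
        return None                                         # replayed segment
    return payload
```

Two things are worth noticing when running it: a frame whose last payload byte has been flipped is rejected before the replay window is even consulted, and a captured frame presented a second time to the same peer is rejected by the window even though its ICV is perfectly valid, which is exactly the replay attack described under Session Replay Attack above.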
Cross-Site Scripting

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
If a web app doesn't correctly sanitize user inputs, such as comments or blog entries, an attacker could inject malicious code into the site by entering JavaScript code into the comment form instead of a legitimate comment.
For example, say the web page uses a template like the one in Figure

Templates are skeletons containing placeholders that represent a web page's general structure. When a page is rendered, a program called a template engine replaces these placeholders with values the programmer specifies. For example, a programmer may tell the template engine to replace the name placeholder with the last value entered into the database. The goal of an XSS attack is to get a web app to add malicious JavaScript to a page. In this example, an attacker could trick the web page into adding malicious code by writing a comment containing the following:
<script> alert("You've been hacked")</script>
If the programmer had correctly sanitized the comment, it wouldn't have contained the <script> tags and the browser wouldn't have interpreted it as code.
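
The template substitution described above, rendered once without and once with output encoding, as an added example for these notes (not the course's own code and not any particular template engine): the page skeleton uses Python's string.Template with a $comment placeholder, which is an assumption standing in for the figure's template, and the comment is the one from the text.

```python
import html
import re
from string import Template

# Constructed example (not course code): the comment template the text describes,
# rendered by a vulnerable function and by a hardened one. The page skeleton and
# the function names are assumptions for this illustration.

PAGE = Template('<h2>Comments</h2>\n<p class="comment">$comment</p>')

PAYLOAD = '<script> alert("You\'ve been hacked")</script>'   # the comment from the text


def render_unsafe(comment: str) -> str:
    """Vulnerable: the raw comment is placed straight into the HTML, so the
    <script> element becomes part of the page and the browser executes it."""
    return PAGE.substitute(comment=comment)


def render_safe(comment: str) -> str:
    """Hardened: the comment is HTML-encoded for the HTML body context. The
    characters < > & " ' become entities, so the browser displays the text
    of the comment instead of parsing it as markup."""
    return PAGE.substitute(comment=html.escape(comment, quote=True))


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_element(rendered: str) -> bool:
    """True if the rendered HTML still contains a real <script> start tag.
    Used here only to compare the two renderings; it is not a sanitizer."""
    return bool(_SCRIPT_TAG.search(rendered))
```

Encoding on output, as render_safe does, is the fix the paragraph calls "correctly sanitizing": the comment is still stored exactly as the user typed it, which is fine, but it can never change the structure of the page it is displayed in. Note that the encoding is context-specific; a value placed inside a JavaScript string or an attribute needs the encoding for that context, which is why the OWASP page linked below is worth reading.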

Categories of XSS
1. Stored XSS (Persistent XSS): In a Stored XSS attack, the malicious script or code is permanently stored on the target server, often in a database or in a web application's storage, such as comments or user profiles. When a user visits a page that retrieves and displays the stored data, the injected script is executed in the user's browser. This type of XSS attack is particularly dangerous because it affects multiple users who view the same tainted content.

2. Reflected XSS: In a Reflected XSS attack, the malicious code is embedded in a URL, email, or other input that is immediately reflected back to the user. The attacker tricks the victim into clicking on a specially crafted link that contains the payload. The server doesn't store the payload; instead, it reflects it back in the response to the victim's request. The victim's browser executes the script in the context of the current session.

3. DOM XSS (Document Object Model XSS): DOM XSS occurs when the client-side JavaScript modifies the Document Object Model of a web page, and this modification leads to the execution of malicious code. It typically happens when JavaScript code reads data from an untrusted source (e.g., URL parameters or user input) and directly manipulates the DOM without proper sanitization or validation. Unlike Stored and Reflected XSS, DOM XSS attacks don't rely on server-side vulnerabilities; instead, they exploit client-side vulnerabilities in the JavaScript code itself.

For more detailed examples and prevention methods visit

https://owasp.org/www-community/attacks/xss/

Online Crime

Information Technology Act, 2000 (India)

The Information Technology Act, 2000, also known as the IT Act, is an act proposed by the Indian Parliament, reported on 17th October 2000. This Information Technology Act is based on the United Nations Model Law on Electronic Commerce 1996 (UNCITRAL Model), which was suggested by the General Assembly of the United Nations by a resolution dated 30th January 1997. It is the most important law in India dealing with cybercrime and e-commerce.
The main objective of this act is to carry out lawful and trustworthy electronic, digital and online transactions and alleviate or reduce cybercrimes. The IT Act has 13 chapters and 90 sections. The last four sections, from section 91 to section 94, deal with the revisions to the Indian Penal Code 1860.
The IT Act, 2000 has two schedules:

1. First Schedule: Deals with documents to which the Act shall not apply.

2. Second Schedule: Deals with electronic signature or electronic authentication methods.

The offences and the punishments in IT Act 2000:

The offences and the punishments that fall under the IT Act, 2000 are as follows:

1. Tampering with the computer source documents.
2. Directions of Controller to a subscriber to extend facilities to decrypt information.
3. Publishing of information which is obscene in electronic form.
4. Penalty for breach of confidentiality and privacy.
5. Hacking for malicious purposes.
6. Penalty for publishing Digital Signature Certificate false in certain particulars.
7. Penalty for misrepresentation.
8. Confiscation.
9. Power to investigate offences.
10. Protected System.
11. Penalties for confiscation not to interfere with other punishments.
12. Act to apply for offence or contravention committed outside India.
13. Publication for fraud purposes.
14. Power of Controller to give directions.

Sections and punishments under the Information Technology Act, 2000 are as follows:

SECTION: PUNISHMENT
Section 43: This section of the IT Act, 2000 states that any act of destroying, altering or stealing a computer system/network or deleting data with malicious intentions without authorization from the owner of the computer is liable for payment to be made to the owner as compensation for damages.
Section 43A: This section of the IT Act, 2000 states that any corporate body dealing with sensitive information that fails to implement reasonable security practices, causing loss to another person, will also be liable as a convict for compensation to the affected party.
Section 66: Hacking of a computer system with malicious intentions like fraud will be punished with 3 years imprisonment or a fine of Rs. 5,00,000 or both.
Section 66 B, C, D: Fraud or dishonesty using or transmitting information, or identity theft, is punishable with 3 years imprisonment or a Rs. 1,00,000 fine or both.
Section 66 E: This section is for violation of privacy; transmitting images of a private area is punishable with 3 years imprisonment or a 2,00,000 fine or both.
Section 66 F: This section is on cyber terrorism; affecting the unity, integrity, security or sovereignty of India through a digital medium is liable for life imprisonment.
Section 67: This section states that publishing obscene information or pornography or transmission of obscene content in public is liable for imprisonment up to 5 years or a fine of Rs. 10,00,000 or both.

Social Engineering

While an organization may have a lot of security solutions, a threat actor can use psychological techniques to manipulate and trick a person into revealing sensitive/confidential information and even performing a task. This is the art of hacking the human mind in the field of cybersecurity, and it's known as social engineering.

Elements of social engineering

One of the key aspects of being a good people person is communicating effectively with anyone, whether in person, over the telephone, or even using a digital medium such as email or instant messaging. Being a good people person usually means being able to interpret a person's mood and mindset during a conversation and even determine whether the person trusts easily or not. Using social engineering as a penetration tester, you need to understand a person's emotional intelligence based on their tone of voice, body language, gestures, choice of words, and even how easily they may develop trust during a conversation.
To ensure you are excellent at social engineering, the following are the key elements that are commonly used by threat actors and penetration testers:

• Authority - During a social engineering attack, a threat actor may pretend to be someone of high authority within the target organization.

• Intimidation - Threat actors use intimidation to drive fear into their potential victim's mind if they do not perform the instructed task or provide the requested information. Imagine a user doesn't want to provide the user credentials to their system.

• Consensus - This element allows threat actors to use social proof that an action is considered to be normal because others are doing the same thing.

• Scarcity - This factor is used to inform the potential victims that an event needs to be completed within a specific time, such as immediately.

• Urgency - Applying urgency to a situation usually implies the importance of a task. Threat actors commonly apply urgency during a social engineering attack to convince the potential victim of the importance of providing the requested information or performing a task.

• Familiarity - This element is used by threat actors to build some type of familiarity or relationship between themselves and the potential victim. Threat actors may discuss a potentially mutual friend, a sporting event, or anything else.

• Trust - Establishing trust during a social engineering exercise increases the likelihood of the attack being successful.

Types of social engineering

Human-based
In human-based social engineering, the threat actor or penetration tester usually pretends to be someone with authority, such as a person who is important within the organization. This means the threat actor can attempt to impersonate a director or senior member of staff and request a password change on the victim's user account.
The following are additional types of attacks related to human-based social engineering:

• Eavesdropping - Eavesdropping involves listening to conversations between people and reading their messages without authorization. This form of attack includes the interception of any transmission between users, such as audio, video, or even written communication.

• Shoulder surfing - Shoulder surfing is looking over someone's shoulder while they are using their computer. This technique is used to gather sensitive information, such as PINs, user IDs, and passwords.

• Dumpster diving - Dumpster diving is a form of human-based social engineering where the attacker goes through someone else's trash, looking for sensitive/confidential data. Victims insecurely disposing of confidential items, such as corporate documents, expired credit cards, utility bills, and financial records, are considered to be valuable to an attacker.

Computer-based
In computer-based social engineering, the attacker uses computing devices to assist them in tricking a potential victim into revealing sensitive/confidential information or performing an action.
The following are common types of computer-based social engineering:

• Phishing: Attackers usually send an illegitimate email containing false information while masking it to look like a legitimate email from a trusted person or source. This technique is used to trick a user into providing personal information or other sensitive details.

• Spear phishing: In a regular phishing attack, the attacker sends hundreds of generic email messages to random email addresses over the internet. With spear phishing, the attacker sends specially crafted messages to a specific group of people.

• Whaling: Whaling is another type of computer-based social engineering attack. Similar to phishing, a whaling attack is designed to target the high-profile employees of a target organization.

• Pharming: This is a type of social engineering where the attacker is able to manipulate the Domain Name System (DNS) records on either a victim's system or a DNS server. Changing the DNS records will ensure users are redirected to a malicious website rather than visiting the legitimate website.

• Water hole: In this type of attack, the threat actor observes where employees of a target organization commonly visit, such as a website. The threat actor will create a fake, malicious clone of the website and attempt to redirect the users to the malicious website. This technique is used to compromise all of the website visitors' devices and not just the employees of the target organization.

Mobile-based
Mobile-based social engineering can include creating a malicious app for smartphones and tablets with a very attractive feature that will lure users into downloading and installing the app on their devices. To mask the true nature of the malicious app, attackers use names similar to those of popular apps on the official mobile app stores. Once the malicious app has been installed on the victim's device, the app can retrieve and send the victim's user credentials back to the threat actor.

The following are common types of mobile-based social engineering attacks:

• Smishing: This type of attack involves attackers sending illegitimate Short Message Service (SMS) messages to random telephone numbers with a malicious URL, asking the potential victim to respond by providing sensitive information. Attackers sometimes send SMS messages to random people, claiming to be a representative from their bank. The message contains a URL that looks very similar to the official domain name of the legitimate bank. An unsuspecting person may click on the malicious link, which leads them to a fake login portal that will capture the victim's username and password and even download a malicious payload onto the victim's mobile device.

• Vishing: This is a type of social engineering attack that occurs over a traditional telephone or a Voice over IP (VoIP) system. There are many cases where people have received telephone calls from a threat actor claiming that they are calling from a trusted organization, such as the local cable company or the bank, and asking the victims to reveal sensitive information, such as their date of birth, driver's permit number, banking details, and even user account credentials.

Social networking
Threat actors usually attempt to create a fake profile and establish communication with their targets. They pretend to be someone else using impersonation while trying to trick their victim into revealing sensitive details about themselves. Additionally, there are many cases where a person's account is compromised and the threat actor uses the compromised account to communicate with other people in the victim's friends/connections list.
The following are some methods that are used to lure the employees of a target organization:

• Creating a fake user group

• Using a false identity by using the names of employees from the target organization

• Getting a user to join a fake user group and then asking them to provide credentials, such as their date of birth and their spouse's name

Doxing is a type of social engineering attack that usually involves the threat actor using posts made by their targets on social networking websites. During a doxing attack, the threat actor gathers personal information about someone by searching for the information that was posted by the target.

Defending against social engineering

Defending against a social engineering attack is really important to any organization. While many organizations implement cybersecurity awareness training, it's not always performed frequently enough to ensure employees are aware of the latest cyberattacks and threats.
The following are additional techniques to help defend against social engineering attacks:

• Threat actors use methods such as impersonation and tailgating (following someone into a secure area) to gain entry to an organization's compound. To prevent such attacks, organizations should implement ID badges for all members of staff, token-based or biometric systems for authentication, and continuous employee and security guard training for security awareness.

• Sometimes, threat actors use eavesdropping, shoulder surfing, and impersonation to obtain sensitive information from the organization's help desk and its general staff. Sometimes, attacks can be subtle and persuasive; other times, they can be a bit intimidating and aggressive in order to put pressure on an employee in the hope that they will reveal confidential information. To protect staff from such attacks, organizations should ensure that frequent employee training is done to raise awareness of such dangers and let them know never to reveal any sensitive information.

• Implement a password policy that ensures that users change their passwords periodically while avoiding reusing previous passwords. This will ensure that if an employee's password is leaked via a social engineering attack, the password in the attacker's hands could be rendered obsolete by the password policy.

• Ensure security guards escort all guests and visitors while in the compound.

• Implement proper physical security access-control systems. This includes surveillance cameras, door locks, proper fencing, biometric security measures, and more to keep unauthorized people out of restricted areas.

• Implement the classification of information. The classification of information allows only those with the required security clearance to view certain data and have access to certain systems.

• Perform background checks on new employees and implement a proper termination process.

• Implement endpoint security protection from reputable vendors. Endpoint protection can be used to monitor and prevent cyberattacks, such as social engineering attacks, phishing emails, and malicious downloads, against employees' computers and laptops.

• Enforce Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) whenever possible, as it reduces the possibility of account takeover.

• Implement security appliances to filter both inbound and outbound web-based and email-based traffic.

Intrusion Detection System

Intrusion Detection System (IDS)

A sensor running in promiscuous mode performs the detection and generates an
alert if required. As the normal flow of traffic is not disturbed, no
end-to-end delay will be introduced by implementing an IDS. The only downside
of this configuration is that the IDS will not be able to stop malicious
packets from entering the network, because the IDS does not control the
overall path of the traffic.

Figure 1: Sensor deployment as IDS

ˆ Purpose: The primary purpose of an IDS is to monitor network or system
activities and identify any unusual or suspicious behavior.

ˆ Functionality: An IDS passively observes and analyzes network traffic or
system logs to detect patterns or signatures of known attacks or abnormal
activities.

ˆ Alerts: When the IDS identifies a potential intrusion or security threat,
it generates alerts and notifies administrators. However, it does not take
any automated action to prevent or block the detected activity.

Intrusion Prevention System (IPS):

When the sensor is placed in line with the network, i.e., the common in/out
path of a specific network segment terminates on a hardware or logical
interface of the sensor and leaves through a second hardware or logical
interface of the sensor, every single packet is analyzed and passes through
the sensor only if it does not contain anything malicious. By dropping the
malicious traffic, the trusted network or a segment of it can be protected
from known threats and attacks. This is the basic working of an Intrusion
Prevention System (IPS).

ˆ Purpose: The main purpose of an IPS is to actively block or prevent
unauthorized access, attacks, or malicious activities in real time.

ˆ Functionality: An IPS not only monitors network or system activities but
also takes proactive measures to block or prevent identified threats. It can
dynamically update firewall rules, filter traffic, or even terminate
connections to stop malicious activities.

ˆ Action: An IPS can take automated actions, such as blocking specific IP
addresses, filtering malicious content, or reconfiguring firewall rules to
deny access to potential threats.

Ways to Detect an Intrusion

ˆ Signature-based IDS/IPS: A signature looks for some specific string or
behavior in a single packet or stream of packets to detect the anomaly. Cisco
IPS/IDS modules, as well as next-generation firewalls, come with preloaded
digital signatures which can be used to mitigate against already discovered
attacks. Cisco constantly updates the signature set, which the network
administrator also needs to upload to the device. Not all signatures are
enabled by default. The network administrator needs to tune the IPS/IDS
module so that false positives are not generated for legitimate traffic.

ˆ Policy-Based IDS/IPS: As the name suggests, a policy-based IDS/IPS module
works based on the policy or SOP of an organization. For example, suppose an
organization has a security policy that no management session with networking
devices or end-devices may be initiated via the TELNET protocol. A custom
rule specifying this policy needs to be defined on the sensors. If it is
configured on an IPS, whenever TELNET traffic hits the IPS, an alert will be
generated followed by the drop of the packets. If it is implemented on an
IDS-based sensor, an alert will be generated, but the traffic keeps flowing
because the IDS works in promiscuous mode.

ˆ Anomaly-Based IDS/IPS: In this type, a baseline is created for a specific
kind of traffic. For example, after analyzing the traffic, it is noticed that
30 half-open TCP sessions are created every minute. After deciding on a
baseline, say 35 half-open TCP connections in a minute, assume the number of
half-open TCP connections increases to 150; based on this anomaly, the IPS
will drop the extra half-open connections and generate an alert for it.

ˆ Reputation-Based IDS/IPS: Sometimes there is a global attack, for example
the recent DDoS attacks on the servers of Twitter and some other social
websites. It would be great to filter out the known traffic that results in
propagation of these attacks before it hits the organization's critical
infrastructure. Reputation-based IDS/IPS collect information from systems
participating in global correlation. Reputation-based IDS/IPS include
relative descriptors like known URLs, domain names, etc. Global correlation
services are maintained by Cisco Cloud Services.
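The policy-based and anomaly-based rules above, applied by a toy sensor in both IDS and IPS mode, as an added example that is not part of the lecture notes. The packet format, the TELNET policy rule, the half-open baseline of 35 per minute and the traffic stream are all constructed for the illustration; each bare SYN is counted as opening a half-open session.

```python
from collections import Counter
from dataclasses import dataclass

TELNET_PORT = 23          # policy rule: no management sessions over TELNET
BASELINE_HALF_OPEN = 35   # anomaly rule: half-open TCP sessions allowed per minute

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str    # constructed TCP flags: "S" = bare SYN, "A" = ACK, "SA" = SYN-ACK
    minute: int   # capture minute, used as the anomaly window

def run_sensor(packets, mode="IDS"):
    """Apply the policy and anomaly rules; return (alerts, forwarded packets).

    IDS mode only alerts: the sensor is promiscuous, so the flow is undisturbed.
    IPS mode sits in line and drops the packet that triggered a rule.
    """
    alerts, forwarded = [], []
    syn_per_minute = Counter()   # simplification: every bare SYN opens a half-open session
    for p in packets:
        drop = False
        if p.dport == TELNET_PORT:                         # policy violation
            alerts.append(f"policy: TELNET {p.src}->{p.dst} (minute {p.minute})")
            drop = True
        if p.flags == "S":                                 # anomaly check
            syn_per_minute[p.minute] += 1
            if syn_per_minute[p.minute] > BASELINE_HALF_OPEN:
                alerts.append(f"anomaly: {syn_per_minute[p.minute]} half-open "
                              f"sessions in minute {p.minute}")
                drop = True
        if mode == "IPS" and drop:
            continue                                       # dropped in line
        forwarded.append(p)
    return alerts, forwarded

def sample_stream():
    """Constructed traffic: 150 bare SYNs in minute 1, then one TELNET attempt."""
    flood = [Packet(f"10.0.0.{i}", "192.0.2.10", 443, "S", 1) for i in range(1, 151)]
    telnet = [Packet("10.0.0.200", "192.0.2.1", TELNET_PORT, "S", 2)]
    return flood + telnet

if __name__ == "__main__":
    for mode in ("IDS", "IPS"):
        alerts, fwd = run_sensor(sample_stream(), mode)
        print(f"{mode}: {len(alerts)} alerts, {len(fwd)} of 151 packets forwarded")
```

In IDS mode all 151 packets are forwarded despite 116 alerts; in IPS mode only the 35 SYNs within the baseline get through and the TELNET attempt is dropped.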

Types of Intrusion Detection Systems

Depending on the network scenario, IDS/IPS modules are deployed in one of the
following configurations:

- Host-based Intrusion Detection

- Network-based Intrusion Detection

Host-based IPS/IDS is normally deployed for the protection of a specific host
machine, and it works closely with the Operating System kernel of the host
machine. It creates a filtering layer and filters out any malicious
application call to the OS. There are four major types of host-based IDS/IPS:

- File System Monitoring: In this configuration, the IDS/IPS works by closely
comparing the versions of files within some directory with the previous
versions of the same files and checks for any unauthorized tampering and
changes within a file. Hashing algorithms are often used to verify the
integrity of files and directories, which gives an indication of possible
changes which are not supposed to be there.

- Log File Analysis: In this configuration, the IDS/IPS works by analyzing
the log files of the host machine and generates warnings for the system
administrators who are responsible for machine security. Several tools and
applications are available which work by analyzing patterns of behavior and
correlating them with actual events.

- Connection Analysis: The IDS/IPS works by monitoring the overall network
connections being made with the secured machine and tries to figure out which
of them are legitimate and how many of them are unauthorized. Examples of
what it looks for are open port scanning, half-open and rogue TCP
connections, and so forth.

- Kernel Level Detection: In this configuration, the kernel of the OS itself
detects changes within the system binaries and anomalies in system calls to
detect intrusion attempts on that machine.

The network-based IPS solution works in line with the perimeter edge device
or some specific segment of the overall network. As the network-based
solution works by monitoring the overall network traffic (or data packets
specifically), it should be as fast as possible in terms of processing power
so that no overall latency is introduced in the network. Depending on the
vendor and series of IDS/IPS, it may use one of the above technologies in its
working. The following table summarizes the difference between the host-based
and network-based IDS/IPS solutions:

Figure 2: Host-based vs. Network-based IDS/IPS solution.

Firewall

The primary function of using a dedicated device named the firewall at the
edge of the corporate network is isolation. A firewall prevents the direct
connection of the internal LAN with the internet or outside world. This
isolation can be performed in multiple ways, including but not limited to:

- A Layer 3 device using an Access List for restricting specific types of
traffic on any of its interfaces.

- A Layer 2 device using the concept of VLANs or Private VLANs (PVLAN) for
separating the traffic of two or more networks.

- A dedicated host device with software installed on it. This host device,
also acting as a proxy, filters the desired traffic while allowing the
remaining traffic.

Although the features above provide isolation in some sense, the following
are a few reasons a dedicated firewall appliance (either in hardware or
software) is preferred in production environments:

Risk: Access by untrusted entities
Protection by firewall: Firewalls categorize the network into different
portions. One portion is considered the trusted portion, the internal LAN.
The public internet and the interfaces connected to it are considered the
untrusted portion. Similarly, servers accessed by untrusted entities are
placed in a special segment known as a demilitarized zone (DMZ). By allowing
only specific access to these servers, like port 90 of the web server, the
firewall hides the functionality of network devices, which makes it difficult
for an attacker to understand the physical topology of the network.

Risk: Deep packet inspection and protocol exploitation
Protection by firewall: One of the interesting features of a dedicated
firewall is its ability to inspect traffic beyond just the IP and port level.
By using digital certificates, the Next Generation Firewalls available today
can inspect traffic up to layer 7. A firewall can also limit the number of
established as well as half-open TCP/UDP connections to mitigate DDoS
attacks.

Risk: Access control
Protection by firewall: By implementing local AAA or by using ACS/ISE
servers, the firewall can permit traffic based on AAA policy.

Risk: Antivirus and protection from infected data
Protection by firewall: By integrating IPS/IDS modules with the firewall,
malicious data can be detected and filtered at the edge of the network to
protect the end-users.

Firewall Architecture
1. Bastion Host
A bastion host is a computer system that is placed between the public and
private network. It is intended to be the crossing point through which all
traffic is passed. Certain roles and responsibilities are assigned to this
computer to perform. A bastion host has two interfaces, one connected to the
public network while the other is connected to the private network.

2. Screened Subnet
A screened subnet can be set up with a firewall with three interfaces. These
three interfaces are connected to the internal private network, the public
network, and the Demilitarized Zone (DMZ). In this architecture, each zone is
separated from the others, hence the compromise of one zone will not affect
another zone.

3. Multi-homed Firewall
A multi-homed firewall is connected to two or more networks, where each
interface is connected to its own network. It increases the efficiency and
reliability of a network. A firewall with two or more interfaces allows
further subdivision.

Types of Firewall

1. Packet Filtering Firewall: A packet filtering firewall includes the use
of access-lists to permit or deny traffic based on layer 3 and layer 4
information. Whenever a packet hits an ACL-configured layer 3 device's
interface, it checks for a match in the ACL (starting from the first line of
the ACL). Using an extended ACL on a Cisco device, the following information
can be used for matching traffic:

- Source address

- Destination address

- Source port

- Destination port

- Some extra features like TCP established sessions, etc.

2. Circuit-Level Gateway Firewall:
A circuit-level gateway firewall operates at the session layer of the OSI
model. It captures the packets to monitor the TCP handshake, in order to
validate whether the sessions are legitimate. Packets forwarded to the remote
destination through a circuit-level firewall appear to have originated from
the gateway.

3. Application-Level Firewall:
An application-level firewall can work from layer 3 up to layer 7 of the OSI
model. Normally, specialized or open source software running on a high-end
server acts as an intermediary between the client and the destination
address. As these firewalls can operate up to layer 7, more granular control
of packets moving in and out of the network is possible. Similarly, it
becomes very difficult for an attacker to get a topology view of the inside
or trusted network because connection requests terminate on the
application/proxy firewall.

4. Stateful Multilayer Inspection Firewall:
As the name depicts, this saves the state of current sessions in a table
known as a stateful database. Stateful inspection firewalls using this
technique normally deny any traffic between trusted and untrusted interfaces.
Whenever an end-device on the trusted interface wants to communicate with
some destination address attached to the untrusted interface of the firewall,
its entry will be made in a stateful database table containing layer 3 and
layer 2 information.

5. Transparent Firewalls:
Transparent firewalls work exactly like the above-mentioned techniques, but
the interfaces of the firewall itself are layer 2 in nature. IP addresses are
not assigned to any interface; think of it as a switch with ports assigned to
some VLAN. The only IP address assigned to the transparent firewall is for
management purposes. Similarly, as no extra hop is added between end-devices,
users will not be aware of any new additions to the network infrastructure,
and custom-made applications may work without any problem.

6. Next Generation Firewalls (NGFW):
NGFW is a relatively new term used for the latest firewalls with an advanced
feature set. This kind of firewall provides in-depth security features to
mitigate against known threats and malware attacks. An example of a
next-generation firewall is the Cisco ASA series with FirePOWER services.
NGFW provides complete visibility into network traffic, users, mobile
devices, virtual machine (VM) to VM data communication, etc.

7. Personal Firewalls:
A personal firewall, also known as a desktop firewall, helps protect the
end-user's personal computer from general attacks by intruders. Such
firewalls are a good line of defense for users who are constantly connected
to the internet via DSL or cable modem. Personal firewalls help by providing
inbound and outbound filtering, controlling internet connectivity to and from
the computer (both in domain-based and workgroup mode) and alerting the user
to any attempts at intrusion.
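The packet filtering (type 1) and stateful inspection (type 4) behaviour above, side by side, as an added example that is not from the lecture notes: acl_lookup() evaluates a constructed extended ACL top-down with the first match winning, and StatefulFirewall records sessions opened from the trusted side so that only their replies are let back in. The addresses, ACL lines and the Pkt record are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    established: bool = False   # ACK/RST bit set, as the "established" keyword matches it

# Constructed inbound ACL on the untrusted interface, in extended-ACL spirit:
# (action, protocol, source network, destination network, destination port, established)
INBOUND_ACL = [
    ("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80, False),  # public DMZ web server
    ("permit", "tcp", "0.0.0.0/0", "10.0.0.0/8", None, True),      # replies to inside hosts
    ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None, False),         # explicit final deny
]

def acl_lookup(acl, p):
    """Return the action of the first matching line; an ACL ends in an implicit deny."""
    for action, proto, src_net, dst_net, dport, est in acl:
        if proto != "ip" and proto != p.proto:
            continue
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(src_net):
            continue
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(dst_net):
            continue
        if dport is not None and dport != p.dport:
            continue
        if est and not p.established:
            continue
        return action
    return "deny"

class StatefulFirewall:
    """Stateful inspection: inbound traffic is allowed only as a reply to a recorded session."""
    def __init__(self):
        self.sessions = set()   # the stateful database: (proto, in_ip, in_port, out_ip, out_port)

    def outbound(self, p):      # trusted -> untrusted: record the session, then permit
        self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "permit"

    def inbound(self, p):       # untrusted -> trusted: permit only a reply to a known session
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "permit" if key in self.sessions else "deny"
```

A packet with only the ACK bit set matches the second ACL line regardless of who sent it; the stateful table closes that gap because it denies an ACK that does not belong to a session the inside host opened.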
