CEH v12


Footprinting and Reconnaissance

Footprinting

- Foot-printing is the process of collecting as much information as possible about target systems, networks, or organizations without actively engaging with them. The goal is to gather valuable intelligence that can be used in later stages of an attack or assessment.

- Foot-printing involves gathering information about a target using both passive (non-intrusive) and active (more direct) techniques. Passive methods use publicly available data like websites and social media. Active methods can include scanning for open ports or identifying vulnerabilities, but without malicious intent.

- The information collected during the foot-printing phase can include details about the target's infrastructure, IP addresses, domain names, employee names, email addresses, software versions, and more.

Reconnaissance

Reconnaissance, often referred to as "recon," is a subset of the foot-printing phase and involves more active probing and scanning of the target. The goal is to gather additional information that might not be readily available through passive means. It can include port scanning to identify open ports and services, network mapping to understand the topology of the target network, OS fingerprinting to determine the target's operating system, and vulnerability scanning to identify potential weaknesses.

Some common tools for Foot-Printing & Reconnaissance

I. OSRFramework
https://www.kali.org/tools/osrframework/

- Domainfy: used to get information about the target domain.
- Usufy: looks for registered accounts with given nicknames.
- Mailfy: gets information about email accounts.
- Searchfy: performs queries on several platforms.
- Phonefy: looks for information linked to spam practices by a phone number.
- Alias_Generator: generates a list of candidate usernames based on available information.

More details: https://www.geeksforgeeks.org/osrframework-open-source-research-framework-on-linux/

II. theHarvester
theHarvester is used to perform reconnaissance on email addresses, subdomains, hosts and other online information. It collects data from various sources including search engines, public databases and social media platforms.
Syntax
theHarvester -d <target_domain> -l <limit> -b <data_sources>
theHarvester -d example.com -l 100 -b google,bing

III. FOCA
Windows tool.
FOCA is an open-source software bundle that allows users to perform basic metadata analyses in order to determine whether or not a specific website may contain corrupted documents.

IV. Footprinting from websites

https://dnschecker.org/all-dns-records-of-domain.php
https://www.whois.com/whois/
https://www.nslookup.io/

V. NS Lookup using CLI

nslookup is a network administration command-line tool for querying the Domain Name System to obtain the mapping between a domain name and an IP address, or other DNS records.

Write the following in CMD (start nslookup, type ? to list the interactive commands, set the record type, then enter the name to query):

nslookup
?
set type=a
iic.edu.np
set type=cname
www.iic.edu.np

VI. Web Data Extractor or HTTrack Website Copier (exe)

VII. Email Tracker (exe)
Used for gathering data from emails, identifying spam emails, locating the sender, etc.

Scanning (Active Reconnaissance)

- The goal of scanning is to ultimately find vulnerable targets that we can exploit.

Some key points in Scanning

- Port scanning
- Service identification
- OS fingerprinting
- Vulnerability scanning
- Network mapping
- Scanning tools

Scanning Tools
I. Angry IP Scanner
II. Zenmap
III. Nmap
Nmap is an open-source, command-line tool for scanning networks, available for Windows, Linux and macOS; a GUI version for Windows (Zenmap) is also available.

Some of the common features of Nmap are

- Host discovery
- Port and service discovery
- OS and service fingerprinting
- Enumeration
- MAC address detection
- Vulnerability and exploit detection

Nmap provides a wide range of options while scanning.



Enumeration
The process of extracting information from a target system or network after initial scanning or reconnaissance.
Some of the activities that can be carried out during enumeration are service enumeration, user enumeration, network share enumeration, operating system enumeration, SNMP enumeration, DNS enumeration and SMTP enumeration.
Through enumeration we can obtain OS and service details, users and groups, email addresses and contact information, network resources, routing tables, and SNMP and DNS information.

Vulnerability Scanning
Simply put, vulnerabilities are weaknesses or flaws in a computer system, software, hardware, or network that can be exploited by an attacker to compromise the confidentiality, availability, or functionality of the system.

System Hacking/Compromising/Exploiting
System hacking, also known as system exploitation or system compromise, involves unauthorized access to computer systems, networks, or devices with the intent to steal data, gain control, disrupt operations, or perform other malicious activities.

The goals for such attacks are

- Unauthorized access
- Data theft
- Data manipulation
- Resource exploitation: using the compromised system to launch further attacks, such as DDoS attacks, crypto mining or spreading malware.
- Espionage: stealing sensitive information, trade secrets or classified data for espionage purposes, often associated with state-sponsored or corporate espionage.
- Persistence: establishing a foothold in a system or network to maintain long-term access and control for future attacks.
- Botnet creation: compromising devices and systems to build a botnet, a network of infected devices controlled by the attacker, which can be used for various malicious purposes, such as sending spam or launching attacks.
- Political or ideological motives: carrying out attacks for political, ideological, or hacktivist reasons to promote a particular cause or agenda.
- Competitive advantage: gaining an advantage in business or competition by stealing intellectual property, trade secrets, or proprietary information from rivals.

System Hacking Stages

1. Gain access
2. Escalate privilege
   - Kernel or service flaws
   - Social engineering
3. Execute applications
4. Hide files
5. Cover traces
Exploits And Payloads
Exploits
An exploit is a piece of code or a technique designed to take advantage of vulnerabilities or weaknesses in a system, software or network; its primary purpose is to deliver malicious instructions to the targeted system. Common exploits target vulnerabilities like buffer overflows, SQL injection, remote code execution, or weaknesses in software applications, operating systems, or networks.
Payloads
Payloads are pieces of code or data that are delivered and executed on a compromised system after a successful exploit. They can perform various tasks depending on the attacker's goals: establishing a remote connection, executing commands, exfiltrating data, or providing backdoor access. Some common examples are reverse shells, Meterpreter sessions, keyloggers, and data extraction scripts.

Where to get tools for compromising systems?

- PsTools: https://learn.microsoft.com/en-us/sysinternals/downloads/pstools
- Kali Linux
- Exploit-db.com
- Exploit Alert: https://www.exploitalert.com/search-results.html
- Packet Storm Security: https://packetstormsecurity.com

Buffer Overflows

Buffer: In computing and programming, a "buffer" is a temporary data storage area used to hold data that is being transferred from one place to another. Buffers are commonly employed in various aspects of computer systems to manage and optimize data transfer and processing.

What is a Buffer overflow?

- A condition when incoming data exceeds the size of the app's buffer.
- The extra data can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

Metasploit
Metasploit is a popular and widely used penetration testing and exploitation framework in the field of cyber security. It provides a comprehensive suite of tools, libraries, and modules for ethical hackers, security professionals, and penetration testers to identify, exploit and validate vulnerabilities in computer systems and networks.

Metasploit Framework
- Open-source tool
- Written mostly in Ruby
- Modules are organized into categories
For more: https://nooblinux.com/metasploit-tutorial/
Keyloggers and Spyware
Key Loggers
A keylogger, short for "keystroke logger", is a type of malicious software or hardware device designed to secretly record and capture every keystroke made on a computer, mobile device or network. It can be used along with spyware to transmit what you type to a third party, for both legitimate and malicious uses.

Keylogger Types
1. Hardware-based: inserted between keyboard and computer
2. PC/BIOS embedded
3. Keyboard keylogger
4. External keylogger
5. Kernel/rootkit/device driver
6. Hypervisor-based
7. Form-grabbing based
Some popular software-based keyloggers are the Metasploit payload module, All In One Keylogger, Free Keylogger, Spyrix Personal Monitor, Refog Keylogger, Realtime-Spy and StaffCop Standard.

Spyware
Spyware is a type of malicious software (malware) that is designed to secretly gather information about a user's activities on a computer, smartphone, or other device without their knowledge or consent. This information can include keystrokes, web browsing history, login credentials, personal data, and more.

Spyware Activities
- Steal passwords
- Log keystrokes
- Location tracking
- Record desktop activity
- Monitor email
- Audio/video surveillance
- Record/monitor Internet activity
- Record software usage/timings
- Change browser settings
- Change firewall settings

Well-known Spyware
- Agent Tesla
- AzorUlt
- TrickBot
- Gator
- Pegasus
- Vidar
- DarkHotel
- Zlob
- FlexiSpy
- Cocospy
- Mobistealth

Password Attacks

Password attacks, also known as password cracking attacks, are a category of cybersecurity attacks aimed at obtaining unauthorized access to user accounts, systems, or data by guessing, manipulating, or decrypting passwords.

Where is the password stored?

1) Windows (C:\Windows\System32\config\): In Windows operating systems, passwords are typically stored as hashes in the Security Account Manager (SAM) database. Windows uses a one-way cryptographic hashing algorithm, such as NTLM or Kerberos, to store password hashes. Additionally, modern versions of Windows also support the use of the more secure NTLMv2 and the use of salting to protect against rainbow table attacks.

2) Linux/Unix (/etc/shadow): Linux and Unix systems store password hashes in the /etc/shadow file (or a similar location). Passwords are hashed using various algorithms, such as MD5, SHA-256, or SHA-512, depending on system configuration. The /etc/shadow file is typically only readable by the root user, adding an extra layer of security. Note that Linux and Unix store only the password hashes, so the /etc/passwd file is required to provide the associated usernames; tools like John the Ripper can then be used to unshadow the two files before cracking.

3) macOS (/etc/shadow): macOS uses a similar approach to Unix-like systems for storing password hashes. Passwords are typically stored in the /etc/shadow file or a related location, with various hashing algorithms, such as SHA-256 or SHA-512. Like Unix, access to password hashes is restricted to privileged users.
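As an added example (not part of these notes), a small Python audit of /etc/shadow-style entries: it splits the nine colon-separated fields, reads the $id$ prefix of the hash field to tell MD5 ($1$) from SHA-256 ($5$) and SHA-512 ($6$), and flags accounts whose hash uses a weak scheme or that have no password at all. The sample lines and their hash strings are constructed, not taken from any real system.

```python
import re

# Constructed sample of /etc/shadow-style lines (fake hashes, not from a real host).
SAMPLE_SHADOW = """\
root:$6$8Zd3QGqL$5mq9Xk1YH0u8GCkZp2V9u2uY4fVj1cQcVw0Y7sZxvB8ZqL2hQk5nD0o9i3T8R/Pz4VrM6aJ1eS9cWkUyN5b2K.:19700:0:99999:7:::
alice:$1$Qx7kTp2z$JmN4vYb3R8hL6sW2cD9eF1:19700:0:99999:7:::
bob:*:19700:0:99999:7:::
svc_backup:!:19700:0:99999:7:::
legacy:Ab/dEfGhIjKlM:19700:0:99999:7:::
guest::19700:0:99999:7:::
"""

# crypt(3) scheme identifiers from the "$id$salt$hash" prefix -> (name, weak for password storage?)
SCHEMES = {
    "1": ("MD5", True),
    "5": ("SHA-256", False),
    "6": ("SHA-512", False),
    "y": ("yescrypt", False),
}

FIELDS = ["name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved"]


def parse_shadow_line(line):
    """Split one shadow entry into its nine colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"malformed shadow entry: {line!r}")
    return dict(zip(FIELDS, parts))


def classify_hash(field):
    """Return (status, scheme name) for the hash field of one entry."""
    if field == "":
        return "NO_PASSWORD", None          # empty field: login succeeds with an empty password
    if field.startswith(("!", "*")):
        return "LOCKED", None               # password login disabled for this account
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        scheme = SCHEMES.get(m.group(1))
        if scheme is None:
            return "UNKNOWN", "$" + m.group(1) + "$"
        name, weak = scheme
        return ("WEAK_HASH" if weak else "OK"), name
    if len(field) == 13:
        return "WEAK_HASH", "legacy DES"     # traditional 13-character crypt, no $id$ prefix
    return "UNKNOWN", None


def audit_shadow(text):
    """Audit every entry and return the findings an administrator should act on."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        status, scheme = classify_hash(entry["hash"])
        if status in ("NO_PASSWORD", "WEAK_HASH", "UNKNOWN"):
            findings.append({"user": entry["name"], "status": status, "scheme": scheme})
    return findings


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f['user']:<12} {f['status']:<12} {f['scheme'] or ''}")
```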

What are password hashes?

Password hashes are cryptographic representations of user passwords that are used to securely store and verify passwords without exposing the actual plaintext password. Hashing is a one-way process, meaning it converts the password into an irreversible string of characters. When a user attempts to log in, the system hashes the entered password and compares it to the stored hash for authentication. Hashes are one-way cryptographic functions that are not meant to be decrypted. They are produced using various hashing algorithms. Some of the common hashing algorithms include:
- MD5: once popular but now considered weak due to vulnerabilities.
- SHA-1: also considered weak for security purposes.
- SHA-256 and SHA-512: part of the SHA-2 family and considered more secure.
- bcrypt: a slow hashing algorithm specifically designed for securely hashing passwords. It includes built-in salting.
- Argon2: the winner of the Password Hashing Competition and considered one of the most secure options for password hashing.
One-Way Cryptographic Function: Password hashing is a one-way process, which means that once a password is hashed, it cannot be reversed or decrypted to retrieve the original plaintext password. This provides a layer of security in case the password database is compromised.
What is salting the hash?
A salt is random data added to the user's password before it is hashed. It lengthens the password, making it harder to crack, and should be unique to each user and never reused.
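An added Python example (not from the notes) of the two points above: an unsalted MD5 hash is identical for every user who picks the same password, while a per-user random salt with a slow hash gives each user a different stored value, and verification re-derives the hash with the stored salt. bcrypt and Argon2 are third-party packages, so the standard library's PBKDF2-HMAC-SHA256 stands in here as the slow, salted hash; the password string is constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor; raise it over time as hardware gets faster


def naive_md5(password):
    """Unsalted MD5, the weak scheme described above: same password -> same hash for everyone."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, slow hash. Returns a self-describing record: scheme$iterations$salt$hash."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt, unique per user, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-derive with the salt and iteration count stored in the record; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_two_users():
    """Two users chose the same (constructed) password.
    Returns (unsalted hashes equal?, salted hashes equal?)."""
    pw = "Summer2024!"
    unsalted_equal = naive_md5(pw) == naive_md5(pw)
    salted_equal = hash_password(pw) == hash_password(pw)
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    print("unsalted equal, salted equal:", same_password_two_users())
    record = hash_password("Summer2024!")
    print(record)
    print("correct password verifies:", verify_password("Summer2024!", record))
    print("wrong password verifies:", verify_password("summer2024!", record))
```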

Password Attack Types

1. Active online attacks
   - Dictionary
   - Brute forcing
   - Password spraying
   - Hash dumping
   - Keylogging
   - MITM attacks
2. Passive online attacks
   - Sniffing
3. Offline attacks
   - Grab a copy of the password database/file and start cracking
Introduction to Malware
Malware: Malware is a file, program or string of code used for malicious activity, such as damaging a device, demanding ransom or stealing data; it is classified by the payload or malicious action it performs. Typically malware is delivered over a network or physical media, mostly downloaded from the internet with or without the user's knowledge. Social engineering is often used to trick users into installing malware.

Types of Malware:
- Viruses
- Worms
- Trojans
- Ransomware
- Bots
- Adware
- Spyware
- Browser hijackers
- Rootkits
- Keyloggers
- Fileless malware
- Malvertising

Malware vs Virus
All viruses are malware, but not all malware are viruses.

Virus vs worm

Basis of comparison: Worms vs. Viruses

Definition
  Worm: A worm is a form of malware that replicates itself and can spread to different computers via a network.
  Virus: A virus is malicious executable code attached to another executable file, which can be harmless or can modify or delete data.

Objective
  Worm: The main objective of worms is to eat up system resources. It consumes system resources such as memory and bandwidth and slows the system down to such an extent that it stops responding.
  Virus: The main objective of viruses is to modify information.

Host
  Worm: It doesn't need a host to replicate from one computer to another.
  Virus: It requires a host for spreading.

Harmful
  Worm: It is less harmful in comparison.
  Virus: It is more harmful.

Detection and protection
  Worm: Worms can be detected and removed by antivirus and firewall.
  Virus: Antivirus software is used for protection against viruses.

Controlled by
  Worm: Worms can be controlled remotely.
  Virus: Viruses can't be controlled remotely.

Execution
  Worm: Worms are executed via weaknesses in the system.
  Virus: Viruses are executed via executable files.

Comes from
  Worm: Worms generally come from downloaded files or through a network connection.
  Virus: Viruses generally come from shared or downloaded files.

Types
  Worm: Internet worms, instant messaging worms, email worms, file sharing worms and Internet Relay Chat (IRC) worms are different types of worms.
  Virus: Boot sector virus, direct action virus, polymorphic virus, macro virus, overwrite virus, file infector virus.

Examples
  Worm: Examples of worms include the Morris worm, Storm worm, etc.
  Virus: Examples of viruses include Creeper, Blaster, Slammer, etc.

Interface
  Worm: It does not need human action to replicate.
  Virus: It needs human action to replicate.

Trojan
- AKA Trojan Horse
- A malicious program hidden inside another program
- Usually embedded into a legitimate application that the victim willingly installs
- Executes malicious activities in the background without the user's knowledge

Rootkits:
A rootkit is a type of malicious software that is designed to gain unauthorized access to and maintain control over a computer or computer system while remaining hidden from detection. Rootkits are among the most advanced and stealthy forms of malware, and they are typically used by cybercriminals and attackers to compromise systems for various malicious purposes.
Some characteristics of rootkits are:
- Stealth and persistence
- Privilege escalation: rootkits often seek to escalate their privileges to gain the highest level of access on a system, such as "root" or "administrator" privileges on Unix-like and Windows systems, respectively.
- Hiding and evasion
- Backdoor access
- Kernel and hardware level: some rootkits target the kernel of the operating system or even firmware and hardware components, making them exceptionally difficult to detect and remove.
- Bootkits: a subtype of rootkit, known as bootkits, infects the master boot record (MBR) or other boot components of a system. This allows them to execute before the operating system loads, providing an early point of control.
- File system and registry manipulation
- Anti-analysis measures

Botnet:
A botnet is a network of computers that have been infected with malware and are controlled by a hacker or cybercriminal. These infected computers, also known as "bots" or "zombies," are often used to carry out malicious activities such as launching DDoS attacks, distributing spam emails, stealing sensitive information, or conducting other types of cybercrime. The operator of the botnet can remotely control and manipulate the infected computers, typically without the knowledge or consent of their owners. Botnets can be large-scale operations, consisting of thousands or even millions of compromised computers, and they pose a significant threat to cybersecurity. A botnet can be instructed to perform malicious tasks including bitcoin mining and delivering ransomware.

Sniffing
Network sniffing, also known as packet sniffing or packet analysis, is the process of capturing and inspecting data packets as they travel over a computer network. This practice can be used for both legitimate and malicious purposes.

Types of network sniffing

1. Passive sniffing: in passive sniffing, the sniffer tool simply observes network traffic without actively participating. This method is less likely to be detected but may have limitations in capturing encrypted traffic.
2. Active sniffing: active sniffing involves manipulating network traffic or sending crafted packets to gather information actively. This method can be more intrusive but is also more versatile.

Some examples of active sniffing:

- DNS poisoning & flooding
- MAC flooding & spoofing
- ARP poisoning & spoofing
- DHCP attacks
- Switch port stealing

MAC Attacks
MAC attacks, in the context of computer networking, refer to various types of attacks that target the Media Access Control (MAC) address, which is a hardware address unique to each network interface card (NIC). These attacks can exploit vulnerabilities or weaknesses in the MAC address management and communication processes in a network.
Some common attacks related to MAC are:
1. MAC spoofing: MAC spoofing, or MAC address impersonation, involves changing the MAC address of a network interface to impersonate a legitimate device on the network.
2. MAC flooding: in a MAC flooding attack, an attacker sends a flood of fake MAC addresses to overload the switch's MAC address table, causing it to enter a state where it forwards traffic to all connected ports.
3. MAC theft: MAC theft occurs when an attacker forcibly disconnects a legitimate device from the network and takes over its MAC address. This is often used for unauthorized network access.
4. MAC filtering bypass: some networks use MAC address filtering as a security measure to allow only authorized devices to connect. MAC filtering bypass attacks involve finding ways to circumvent this filtering.
5. MAC cloning: MAC cloning is a form of MAC spoofing where an attacker clones the MAC address of an authorized device to gain access to a network.

ARP Attacks
ARP (Address Resolution Protocol) attacks refer to a category of network attacks that exploit vulnerabilities in the ARP protocol, which is responsible for mapping IP addresses to MAC (Media Access Control) addresses on a local network. These attacks can disrupt network communication, intercept traffic, or carry out other malicious activities.
Here are some common ARP attacks:

1. ARP spoofing: ARP spoofing involves sending false ARP messages to associate the attacker's MAC address with the IP address of a legitimate device on the local network. It is used to intercept, manipulate, or redirect network traffic between two legitimate users and is often used for MitM attacks.
2. ARP flooding: in ARP flooding attacks, an attacker sends a flood of forged ARP requests to overwhelm a target's ARP cache or the network's ARP infrastructure.
3. ARP poisoning: ARP cache poisoning involves modifying the ARP cache entries of network devices to redirect traffic to an attacker-controlled device.
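An added detection example (not from the notes) covering both the MAC attacks and the ARP attacks above, written from the monitoring side: given a log of ARP replies as a sniffer or switch would see them, one check flags an IP address that is answered for by more than one MAC (the footprint of ARP spoofing/poisoning), and the other flags a burst of never-seen source MACs on one interface (the footprint of MAC flooding). The log, addresses and thresholds are constructed.

```python
from collections import defaultdict

# Constructed ARP reply log (not captured from a real network):
# (time_ms, interface, sender_mac, sender_ip) for each reply seen on the wire.
ARP_LOG = [
    (0, "eth0", "aa:bb:cc:00:00:01", "192.168.1.1"),      # real gateway
    (1000, "eth0", "aa:bb:cc:00:00:10", "192.168.1.10"),
    (2000, "eth0", "aa:bb:cc:00:00:20", "192.168.1.20"),
    (5000, "eth0", "de:ad:be:ef:00:99", "192.168.1.1"),   # a second MAC claims the gateway IP
    (5500, "eth0", "de:ad:be:ef:00:99", "192.168.1.10"),  # ...and a host IP: poisoning both sides
    (6000, "eth0", "aa:bb:cc:00:00:01", "192.168.1.1"),
]
# MAC flooding phase: 300 never-seen source MACs in about three seconds (constructed).
ARP_LOG += [
    (10000 + i * 10, "eth0",
     "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF),
     "10.9.%d.%d" % (i >> 8, i & 0xFF))
    for i in range(300)
]


def detect_ip_mac_conflicts(log):
    """ARP spoofing/poisoning sign: one IP address answered for by more than one MAC.
    Returns {ip: sorted list of the MACs that claimed it}."""
    claims = defaultdict(set)
    for _, _, mac, ip in log:
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def detect_mac_flood(log, window_ms=1000, threshold=100):
    """MAC flooding sign: more than `threshold` distinct new source MACs on one
    interface within `window_ms`. Returns one (interface, time_ms, count) per burst."""
    alerts = []
    seen = set()                    # (interface, mac) pairs already counted
    recent = defaultdict(list)      # interface -> timestamps of recently seen new MACs
    for t, iface, mac, _ in sorted(log):
        if (iface, mac) in seen:
            continue                # a MAC the switch already knows does not fill the table
        seen.add((iface, mac))
        times = recent[iface]
        times.append(t)
        while times and times[0] < t - window_ms:
            times.pop(0)            # slide the window forward
        if len(times) > threshold:
            alerts.append((iface, t, len(times)))
            times.clear()           # report each burst once
    return alerts


if __name__ == "__main__":
    for ip, macs in detect_ip_mac_conflicts(ARP_LOG).items():
        print(f"IP {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    for iface, t, count in detect_mac_flood(ARP_LOG):
        print(f"possible MAC flooding on {iface} at t={t} ms: {count} new MACs in 1 s")
```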

Social Engineering
Social engineering is a type of cyberattack or manipulation technique that exploits human psychology to deceive individuals or gain unauthorized access to systems, data, or confidential information. It involves tricking people into revealing sensitive information, performing certain actions, or making decisions that benefit the attacker. Social engineering attacks do not rely on technical vulnerabilities but instead exploit human trust, curiosity, fear, and other emotions.
Some forms of social engineering attacks:

1. Phishing
2. Pretexting: pretexting involves creating a fabricated scenario or pretext to trick individuals into disclosing information or performing actions. The attacker typically poses as a trusted entity, such as a coworker, customer service representative, or authority figure. Examples: impersonating a company executive to request sensitive data, pretending to be a customer to gain access to an account.
3. Baiting: baiting attacks lure victims into downloading malicious software or giving away their credentials by offering something enticing, such as free software, media downloads, or physical items like USB drives infected with malware. Examples: offering paid software for free, leaving infected USB drives in public places, fake promotions and social media scams.
4. Impersonation: impersonation attacks involve pretending to be someone else, such as a coworker, executive, or trusted contact, to manipulate individuals or gain their trust. Examples: pretending to be a company's IT support team to request password resets from employees.
5. Tailgating: in tailgating attacks, an attacker gains unauthorized physical access to a secured area by following an authorized person without their knowledge or consent. Examples: entering an office building or a secured room, passing through a public transport turnstile, entering a residential building by following a resident through a controlled entry point without the necessary access key or code.
6. Fear or authority-based attacks: attackers exploit fear, urgency, or authority to manipulate victims into complying with their demands. They may pose as law enforcement, government agencies, or other authoritative figures. Examples: threatening legal action if payment is not made immediately, claiming to be from the tax authorities and demanding personal information.

DOS & DDOS Attacks

A DoS/DDoS attack is a malicious attempt to disrupt the normal functioning of a network, service or website by overwhelming it with a flood of internet traffic.
DoS attacks: a traditional DoS attack typically involves a single attacker or a single source flooding the target with traffic. They are usually smaller in scale and may be less effective at causing widespread disruption; they focus on a specific network protocol or service, such as flooding a web server with HTTP requests or overwhelming a DNS server. A DoS attack is conducted from a single source and involves a lower volume of traffic, but it can still be effective in disrupting services if the target is vulnerable.
DDoS attacks: in a DDoS attack, the attacker uses a network of multiple compromised devices, often referred to as bots, to launch attacks. These devices can be located in various geographical locations; such attacks are typically larger in scale and have the potential to generate massive amounts of traffic, overwhelming the target's resources. DDoS attacks can utilize various attack vectors, including UDP floods, TCP connection exhaustion, ICMP floods, and application-layer attacks. DDoS attacks involve multiple sources launching the attack simultaneously with a high volume of traffic, making it difficult for the target to distinguish between legitimate and malicious requests.
Volumetric attacks:
1. Packet flood
2. Botnet DDoS
3. DR-DoS
4. ICMP flood
5. HTTP flood
6. DNS flood
7. NTP flood

Fragmentation attacks:
1. Fragmentation attack
2. Teardrop attack
3. UDP & TCP fragmentation
4. Ping of Death
5. Protocol attacks
6. BGP hijacking
7. Land attacks
8. Permanent DoS
9. P2P attacks

Session Hijacking

The act of taking over someone else's session after they have established it. It is usually aimed at web browsers and can sometimes be done at the network level, where the server doesn't realize that someone is masquerading as the client, and even the user (victim) may not realize it.

The server usually does not realize it because the attacker and victim might be running parallel sessions, or the server sees these two sessions as coming from the same client.

Some examples of session hijacking:

Token:
A "token" refers to a small, portable device or piece of information used to verify a user's identity or access rights. Tokens are commonly used to enhance security in various systems.

In terms of session hijacking, there are commonly two types of tokens:
1. Access token: used in authorization to grant access to resources or services. They are commonly employed in OAuth and OpenID Connect protocols for securing APIs and web applications.
2. JWT (JSON Web Token): JWT is a compact, URL-safe token format that is often used for securely transmitting information between parties. It is commonly used for authentication and authorization in web applications.

So, what does a token look like?

- URL-embedded cookie:
http://www.example.com/PHPSESSID=298zf09hf012fh2
http://www.example.com/userid=sup3r4n0m-us3r-1d3nt1f13r
- JSON Web Token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
1pVOLQduFWW3muii1LExVBt2TK1-MdRI4QjhKryaDwc
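An added Python example (not from the notes) showing what a JWT is made of and how a server should check one before trusting the session it represents: a token is three base64url segments, header.payload.signature, and with HS256 the signature is an HMAC-SHA256 over the first two segments. The first segment of the token quoted above decodes to the header {"typ":"JWT","alg":"HS256"}, which is exactly the header this code produces. The verifier rejects tokens with a wrong number of segments, a bad signature, an algorithm other than the one the server expects, or an exp claim in the past. The key and payload are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data):
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(payload, key):
    """Produce header.payload.signature with HS256: HMAC-SHA256 over the first two segments."""
    header = {"typ": "JWT", "alg": "HS256"}
    head_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head_b64}.{body_b64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{head_b64}.{body_b64}.{b64url_encode(sig)}"


def jwt_verify(token, key, now=None):
    """Return the payload only if the token is well-formed, HS256-signed with `key`
    and (when `now` is given) not past its exp claim; otherwise return None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None                                  # header, payload and signature are all required
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side: the token must not get to choose "none" or another alg.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None                                  # payload or signature was altered
    payload = json.loads(b64url_decode(body_b64))
    if now is not None and "exp" in payload and payload["exp"] <= now:
        return None                                  # expired session token
    return payload


if __name__ == "__main__":
    key = b"constructed-demo-key"
    token = jwt_sign({"sub": "alice", "role": "user", "exp": 2000}, key)
    print(token)
    print("valid:", jwt_verify(token, key, now=1000))
    head, body, sig = token.split(".")
    forged = ".".join([head, b64url_encode(b'{"sub":"alice","role":"admin","exp":2000}'), sig])
    print("forged payload accepted:", jwt_verify(forged, key, now=1000) is not None)
```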

What is the difference between Hijacking & Spoofing?

- Hijacking:
  1. Process of taking over an active session
  2. Needs a legitimate user to make/authenticate the connection
- Spoofing:
  1. Process of initiating a new session using stolen credentials
  2. Attacker pretends to be a user/machine to gain access

Ways to obtain a session token:
1. Stealing: attackers steal session IDs using various techniques such as sniffing, XSS, malicious sites, etc.
2. Guessing: attackers look at the variable parts of session IDs to try to guess what they are.
3. Brute force: attackers keep trying different session IDs until the right one is found.

Session Hijacking Methods:

1. Command injection:
   - Attacker injects malicious code into the target server
2. Session ID prediction:
   - Attacker takes over the session
3. Session desynchronization:
   - Attacker breaks the connection with the target machine
4. Monitoring:
   - Attacker watches the TCP segment flow and predicts the TCP sequence number
5. Sniffing:
   - Attacker intercepts a token
6. Attacker gains access to a machine that still has an active session:
   - User has stepped away
   - Access is via RAT
   - Session has no logout or expiration time

XSS (Cross-Site Scripting)

XSS is a type of security vulnerability commonly found in web applications. It occurs when an attacker injects malicious scripts into webpages viewed by other users; it takes advantage of a client's trust in a server and usually requires some level of social engineering.
There are three main types of XSS attacks:

1. Stored XSS: the malicious script is permanently stored on the target server, such as in a database or user-generated content. When other users view the affected page, the script executes in their browser.
2. Reflected XSS: in this scenario, the malicious script is embedded in a URL or a form input. When a user clicks a manipulated link or submits a form, the script is executed immediately.
3. DOM-based XSS: occurs when the malicious script manipulates the Document Object Model (DOM) of a web page within the victim's browser. It doesn't necessarily involve server-side vulnerabilities and is often harder to detect.

Some session hijacking at network level:

- TCP session hijacking
- Source-routed packets
- RST hijacking: a common way to de-authenticate a client by sending a spoofed TCP segment to the client with the RST flag set. In this scenario the victim (client) thinks the other side (server) has closed the connection, and the attacker takes the client's place.
- Blind hijacking
- ICMP/ARP spoofing
- UDP hijacking

IDS
Intrusion Detection System
An intrusion detection system is a cybersecurity tool or system designed to monitor network traffic or system activities for signs of malicious or unauthorized activity. IDSs play a crucial role in identifying potential security threats and responding to them.

There are two main types of IDS:

1. Network-based IDS (NIDS): a network-based IDS monitors network traffic in real time to detect suspicious patterns or anomalies. It analyzes network packets to identify potential threats, such as intrusion attempts, malware traffic, or unusual data flows. NIDS sensors are typically deployed at strategic points within a network, like network perimeter gateways or critical network segments.

2. Host-based IDS (HIDS): a host-based IDS focuses on the individual devices or hosts within a network. It monitors system logs, files and processes on a specific device to detect unusual or unauthorized activities. HIDS agents are installed on individual hosts, like servers or workstations, and analyze host-level activities.
Some points are left out; I will return to them in the future.

Firewalls
A firewall is a network security device or software that acts as a barrier between a trusted internal network and an untrusted external network, such as the internet. Its primary purpose is to monitor and control incoming and outgoing network traffic based on a set of predefined rules and policies. Firewalls are fundamental components of network security and play a crucial role in protecting networks and systems from unauthorized access, cyberattacks and other security threats.

Firewall types:
1. Hardware-based
2. Software-based
3. Cloud firewall
4. Next-generation firewall
5. Network firewall
6. Host-based firewall
7. Proxy firewall
8. Application firewall

Packet Filtering
Packet filtering is a fundamental function performed by firewalls and routers to control the flow of network traffic based on a set of predefined rules or criteria. It involves inspecting data packets as they traverse a network and making decisions about whether to allow or block them. These decisions are typically based on various packet attributes, including source and destination IP addresses, ports, and protocols. Packet filtering is a core mechanism for enforcing network security policies and protecting networks from unauthorized access and malicious activities.

Syntax for packet filtering:

Different products have different rule syntax, but a typical rule includes the following elements:
- Action
- Protocol
- Source IP
- Source port
- Destination IP
- Destination port
- Connection state
- Interface
- Traffic direction
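An added Python example (not from the notes, and not any product's syntax) of how a rule built from exactly those elements is evaluated: rules are tried top to bottom, the first rule whose named attributes all match decides, an attribute a rule leaves out matches anything, and a packet that matches nothing falls through to deny. The rule set, server address and packets are constructed.

```python
import ipaddress

# Constructed rule set for an edge firewall in front of a web server at 203.0.113.10.
# Evaluated top to bottom; first match decides; no match -> default deny.
RULES = [
    {"action": "allow", "state": "established"},                                  # replies to allowed flows
    {"action": "allow", "direction": "in", "interface": "eth0", "protocol": "tcp",
     "dst_ip": "203.0.113.10/32", "dst_port": 443, "state": "new"},               # public HTTPS
    {"action": "allow", "direction": "in", "protocol": "tcp",
     "src_ip": "10.0.0.0/8", "dst_port": 22, "state": "new"},                     # SSH from the admin LAN only
    {"action": "deny", "direction": "in"},                                        # everything else inbound
    {"action": "allow", "direction": "out"},                                      # egress permitted
]

IP_FIELDS = ("src_ip", "dst_ip")


def rule_matches(rule, pkt):
    """A rule matches when every attribute it names agrees with the packet.
    Attributes the rule does not name match anything (e.g. no src_port means any port)."""
    for field, wanted in rule.items():
        if field == "action":
            continue
        if field in IP_FIELDS:
            # IP attributes are CIDR ranges; a /32 pins a single host
            if ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(wanted, strict=False):
                return False
        elif pkt[field] != wanted:
            return False
    return True


def filter_packet(rules, pkt, default="deny"):
    """First-match evaluation. Returns (action, index of the matching rule or None)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule["action"], index
    return default, None


def packet(**fields):
    """Build a packet record carrying every filter attribute (constructed sample values)."""
    base = {"direction": "in", "interface": "eth0", "protocol": "tcp", "state": "new",
            "src_ip": "198.51.100.7", "src_port": 51515, "dst_ip": "203.0.113.10", "dst_port": 443}
    base.update(fields)
    return base


if __name__ == "__main__":
    samples = {
        "https from internet": packet(),
        "ssh from internet": packet(dst_port=22),
        "ssh from admin LAN": packet(dst_port=22, src_ip="10.1.2.3", interface="eth1"),
        "outbound dns": packet(direction="out", protocol="udp", dst_ip="192.0.2.53", dst_port=53),
    }
    for name, pkt in samples.items():
        print(f"{name:<20} -> {filter_packet(RULES, pkt)}")
```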

Web server operation

Generally, web server operation includes three basic elements:
- Web server security
- Web server architecture
- Web server vulnerabilities

1. Web server security:

2. Web server vulnerabilities:
Some of the common web server vulnerabilities are the following:
- Web server, OS, and misconfiguration
- Bugs in the OS, web apps, logic software, and database engine
- Insufficient host hardening
- Improper authentication
- Improper permissions for files and directories
- Unchanged default accounts, settings and sample files
- Unnecessary services
- Vulnerable web apps that put the host at risk
- Conflict with security due to business ease-of-use
3. Web server architecture:

Hacking web server

Web server: A web server is a software application or hardware device that stores, processes, and serves website content to users over the internet or an intranet. It plays a fundamental role in the World Wide Web by handling client requests for web pages and delivering the requested content to web browsers. Web servers are a critical component of the infrastructure that makes the internet and websites accessible to users worldwide.

Some popular web servers are:

1. Apache web server: Apache is one of the most widely used and historically significant web servers. It is open-source and highly configurable, making it a popular choice for hosting websites and web applications. Apache is compatible with various operating systems, including Linux, Unix, macOS and Windows.
2. Nginx: Nginx is known for its high performance, scalability, and efficiency in serving static content and handling a large number of concurrent connections. It is often used as a reverse proxy and load balancer in addition to being a web server, and is compatible with Unix-based systems and FreeBSD as well as Windows.
3. Microsoft Internet Information Services (IIS): IIS is Microsoft's web server software, designed for Windows Server environments. It integrates seamlessly with other Microsoft technologies, making it a common choice for hosting web applications on Windows servers. Windows Server is the primary platform for this type of server.
