Cybersecurity Methods & Tools

The chapter discusses various password cracking techniques used by attackers such as guessing, dictionary attacks, brute force attacks, and rainbow table attacks. It also covers social engineering, malware attacks, and other techniques to steal passwords like shoulder surfing, phishing, and spidering. The document provides details on each technique and measures to prevent password cracking.


Chapter 3

Methods and tools used in cybercrime

"Can we secure the world from a bloodless war? I'm talking about Cyber Security. India must take the lead in cyber security through innovation."
— PM Narendra Modi
Learning Objectives
01 Interpret and document password cracking attacks.
02 Compare keyloggers and spyware, viruses and worms, Trojans and backdoors, and steganography.
03 Understand and identify DoS and DDoS attacks.
04 Understand the concepts of SQL injection and buffer overflow.
05 Assess attacks on wireless networks.
06 Understand the concept of enumeration.
07 Predict phishing and identity theft (ID theft) attacks and explore the phishing tools used in cybercrime.
Introduction

Topics to be covered in this chapter:
01 Password cracking and enumeration
02 Keyloggers, spyware, viruses and worms, Trojans and backdoors, steganography
03 Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
04 SQL injection and buffer overflow
05 Attacks on wireless networks
06 Phishing and identity theft attacks

Chapter 3, Topic 1: Password Cracking
What is Password Cracking?
• Password cracking techniques are used to recover passwords from data stored in computer systems or from data being transmitted over the network.
• Used by attackers to gain access to vulnerable systems, services or accounts.
• Can also be used to recover forgotten passwords.
Password cracking techniques used
by attackers -
• Guessing
• Dictionary attack
• Brute force attack
• Rainbow table attack
• Phishing
• Social engineering
• Offline cracking
• Shoulder surfing
• Spidering
• Malware

Password Cracking Techniques

Guessing
• Guessing passwords is the most basic technique.
• Many passwords are easy to predict from a person's personal details, such as birthdate, family members' names, pet names, etc.

Dictionary Attack
• As the name suggests, the attacker uses a list of words (a dictionary) that is already defined in the cracking tool.
• The words are tried against the system one by one until a match is found, for example abcd, aaaa, etc.
• If you mash words together into a phrase such as "smart administrator officer" to defeat a dictionary attack, the attack takes longer but can still succeed by trying combinations of dictionary words.

Brute Force Attack
• A brute force attack is a bit more sophisticated than a dictionary attack, as it also tries non-dictionary strings such as alphanumeric combinations.
• Passwords such as a1b2c3 or abc123 are therefore easily recovered by this attack.
• This method slows down sharply as passwords get longer, because the number of candidates grows exponentially with length.
• The attacker needs additional computing power (GPUs or many machines) to reduce the cracking time.
Password Cracking Techniques

Rainbow Table Attack
• When an attacker uses a precomputed table of hashes (a rainbow table) to recover passwords from a stolen database of password hashes, it is called a rainbow table attack.
• Systems do not store passwords in plain text; they store the output of a one-way hash function. Whenever the user enters a password, it is hashed with the same function and the result is compared with the stored hash.
• The attacker precomputes the hashes of the most common passwords and stores them with their plaintexts, then looks up each stolen hash in the table. As soon as a match is found, the password is recovered.
• However, rainbow tables are huge and need a lot of storage space. If the hash is salted, i.e. a random value is added to the password before hashing, a precomputed table does not work, because the same password hashes to a different value for every user.

Phishing
• There is a much easier way to get a password: ask the user for it.
• A phishing email leads the unsuspecting reader to a fake login page that asks the user to enter their username and password.
• The page captures the password, and the attacker can then use it for any purpose.
• Why write big programs to crack passwords when the user is providing them to you?
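As an added example (not code from the original deck), the following Python script shows the three hash-based attacks above side by side: a precomputed hash lookup (the idea behind a rainbow table), a dictionary attack that also tries joined word combinations, and a brute-force search over an alphanumeric alphabet, plus why a per-user salt defeats the precomputed table. The wordlist and the "stolen" hashes are constructed here; SHA-256 is used only because it is in the standard library, and the keyspace helper shows where the time figures quoted later in this chapter come from.

```python
import hashlib
import itertools
import os
import string

# Constructed wordlist standing in for a real dictionary file (e.g. rockyou.txt).
WORDLIST = ["password", "letmein", "abcd", "aaaa", "admin", "welcome",
            "smart", "administrator", "officer"]
ALNUM = string.ascii_lowercase + string.digits   # 36-character brute-force alphabet


def sha256_hex(text):
    """Unsalted one-way hash, as a weak password store would use it."""
    return hashlib.sha256(text.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext for every candidate. A real rainbow table
    stores compressed hash chains instead of every pair, but the attack is the
    same: compute once, look up many stolen hashes."""
    return {sha256_hex(w): w for w in words}


def lookup_attack(table, target_hash):
    """O(1) recovery of any password that was in the precomputed set."""
    return table.get(target_hash)


def dictionary_attack(target_hash, words, max_words=2):
    """Try each word, then every ordered phrase of up to max_words words,
    which is how 'smart administrator officer' style passphrases fall."""
    for n in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            candidate = " ".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def brute_force(target_hash, alphabet, max_len):
    """Exhaustively try every string over `alphabet` up to max_len characters."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def salted_hash(password, salt=None):
    """Per-user random salt: the same password gives a different hash for each
    user, so a table precomputed from unsalted hashes finds nothing."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def keyspace(alphabet_size, length):
    """Number of candidates a brute-force attack must try in the worst case."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, hashes_per_second):
    """Worst-case time for a full search at a given guessing rate."""
    return keyspace(alphabet_size, length) / hashes_per_second


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    stolen = sha256_hex("letmein")                       # constructed 'leaked' hash
    print("lookup:", lookup_attack(table, stolen))
    print("dictionary:", dictionary_attack(sha256_hex("smart administrator"), WORDLIST))
    print("brute force:", brute_force(sha256_hex("a1b"), ALNUM, 3))
    _, salted = salted_hash("letmein")
    print("salted lookup:", lookup_attack(table, salted))  # None: salt defeats the table
    print("62^8 candidates:", keyspace(62, 8))
```

Note that the salt only defeats precomputation; a fast hash such as SHA-256 still lets the attacker run the dictionary and brute-force loops at hardware speed, which is why real systems use a deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2) on top of the salt.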
Password Cracking Techniques

Social Engineering
• Social engineering refers to malicious activities carried out through human interaction.
• At first the attacker gathers information about the victim.
• Then the attacker tries to win the victim's trust and persuade them to break security practices, granting access to critical resources.
• This technique relies on human error rather than software vulnerabilities. It can take many different forms and it works very often.

Offline Cracking
• In offline cracking, the attacker tries to extract the file of password hashes stored on the victim's system and attempts to crack them on the attacker's own hardware, without alerting the victim.
• Because no login attempts hit the victim's system, there is no lockout or rate limit to slow the attacker down; offline attacks are the most widespread form of password cracking.
• The attacker first has to find a security hole in the victim's infrastructure to obtain the hash file.

Shoulder Surfing
• It is the oldest and simplest method and it always works. It is also called visual hacking.
• A sharp-eyed attacker watches your PC keyboard or ATM keypad while you type a PIN or password.
• They can record or recognise the movement of your fingers and take advantage of it later.
• This attack can take place anywhere, for example at ATMs, at restaurants while paying a bill, or when you perform a bank transaction in a public place.
Password Cracking Techniques

Spidering
• The spidering technique relies on knowing the victim intimately.
• Many companies use passwords that are related to their business.
• Hence, attackers study corporate literature, mission statements and sales material, and build a word list from it for use in a dictionary or brute force attack.
• Automated tools (crawlers that harvest words from a target's website) are available to make this more efficient.

Malware
• When an attacker creates malicious software and installs it on the victim's system without the victim's knowledge, to gain personal information or damage the system, it is called a malware attack.
• It can record everything typed during login or signup and copy documents to the attacker's computer.
• Passwords saved in the browser, and bank and debit/credit card details, can also be accessed easily.
Preventive Measures
• Avoid short and weak passwords.
• Avoid the most common and predictable passwords such as 1234, a1b2c3 or 112233.
• Never store passwords in plain text or in reversibly encrypted form. Store only salted hashes, produced by a slow, iterated password hashing function (bcrypt, scrypt, Argon2 or PBKDF2) rather than a single fast hash.
• Add salt to the password. Salting means adding a random value, unique to each user, to the provided password before creating the hash, so that identical passwords produce different hashes and precomputed tables are useless.
• Use strength-checking techniques to make sure the user provides a strong password.
• Do not use the same password for every system.
• Try to avoid slang words or dictionary words.
• Do not save passwords in web browsers.
• Apply 2-step verification / multi-factor authentication wherever available.
• Enter your credentials only on fully secure (HTTPS) websites.
• Do not reply to any email asking for passwords or information before making sure it comes from a secure and trusted source.
• Do not agree to terms and conditions before reading them.
Amount of time required to crack a password (figures as given in the slide):
• 7-character password: 0.29 seconds
• 8-character password: 5 hours
• 9-character password: 5 days
• 10-character password: 4 months
• 11-character password: 1 decade
(Actual times depend on the character set, the hash function and the attacker's hardware; the point is that each extra character multiplies the work by the size of the alphabet.)
Password Cracking Tools
• John the Ripper
• THC Hydra
• Cain & Abel
• Medusa
• Wfuzz
• OphCrack
• RainbowCrack
• L0phtCrack
• Brutus
• Aircrack-ng
Points to remember
• Password cracking techniques are used to recover passwords from data stored in computer systems or from data being transmitted.
• Different methods and techniques are used to crack passwords, such as brute force attacks, dictionary attacks, etc.
• To prevent a password from getting cracked, set a strong password containing alphanumeric characters and symbols that is at least 8 characters long (longer is better, since each extra character multiplies the cracking effort).
Chapter 3, Topic 2: Enumeration
What is Enumeration?
Enumeration is the process of extracting information from a system. To do this, the attacker first creates an active connection to the target and performs queries. These queries yield more information about the target device, and the result is then used to identify vulnerabilities and weak points in the system.

Enumeration is mainly used to gather the following information:
• User names and group names
• Host names and machine names
• Network shares and services
• Routing tables and IP tables
• Service settings and audit configurations
• Applications and banners
• SNMP and DNS details
Types of Enumeration
01 NetBIOS enumeration
02 SNMP enumeration
03 LDAP enumeration
04 NTP enumeration
05 SMTP enumeration
06 DNS enumeration
07 Windows enumeration
08 UNIX or Linux enumeration
NetBIOS enumeration

What is NetBIOS?
NetBIOS is short for Network Basic Input Output System and was developed by Sytek for IBM. It is an Application Programming Interface (API) that lets applications on separate computers communicate and share resources over a LAN. NetBIOS identifies a device with a 16-byte name: the first 15 characters are the device name (padded with spaces) and the 16th byte is a suffix that identifies the NetBIOS service or name record type (for example 0x20 for the file server service).

NetBIOS Enumeration:
NetBIOS over TCP/IP uses UDP ports 137 (name service) and 138 (datagram service) and TCP port 139 (session service) on Windows. Only when file and printer sharing is enabled can an attacker enumerate NetBIOS and attack the remote machine. Depending on the shares available, the attacker can read or write files on the remote machine, enumerate password policies, and also launch a DoS attack against it.

NetBIOS Enumeration Tools:
Many tools are available for NetBIOS enumeration; nbtstat (built into Windows), SuperScan, NetBIOS Enumerator, Winfingerprint and Hyena are some of the commonly used ones.

NetBIOS Prevention tips:
To prevent NetBIOS enumeration, remove file and printer sharing where it is not needed, disable NetBIOS over TCP/IP on interfaces that do not require it, turn off unnecessary services such as Server Message Block (SMB), and block ports 137-139 and 445 at the network perimeter.
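The 16-byte name format above is exactly what a node-status (NBSTAT) query returns. The following Python script, added here as an example and not part of the original deck, implements the RFC 1001 first-level name encoding, builds the same NBSTAT request that nbtstat -A sends to UDP port 137, and parses a reply into host, workgroup and service names. The reply bytes are constructed inline so the script runs offline; the host name FILESRV01, the workgroup WORKGROUP and the MAC address in it are made up, and the suffix table covers only the common service codes.

```python
import socket
import struct

# Suffix byte (16th byte of the name) -> service it announces; the common ones.
NETBIOS_SUFFIXES = {
    0x00: "workstation / domain name",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1D: "master browser",
    0x1E: "browser service elections",
    0x20: "file server service",
}


def encode_netbios_name(name, suffix=0x00, pad=b" "):
    """RFC 1001 first-level encoding: 15 name bytes + 1 suffix byte, each nibble
    mapped to a letter 'A'..'P', wrapped as a 32-byte DNS-style label."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(out) + b"\x00"


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    body = encoded[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def build_node_status_request(txid=0x1234):
    """NBSTAT query for the wildcard name '*' (padded with NULs, not spaces)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # 1 question, no recursion
    return header + encode_netbios_name("*", 0x00, pad=b"\x00") + struct.pack(">HH", 0x0021, 0x0001)


def parse_node_status_response(data):
    """Pull the name table and MAC address out of an NBSTAT reply."""
    txid = struct.unpack(">H", data[:2])[0]
    pos = 12                                   # skip the 12-byte header
    pos += 1 + data[pos] + 1                   # skip the answer's encoded name
    _rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    num_names = data[pos]
    pos += 1
    names = []
    for _ in range(num_names):
        entry = data[pos:pos + 18]             # 15 name + 1 suffix + 2 flag bytes
        pos += 18
        name = entry[:15].rstrip(b" ").decode("ascii", "replace")
        suffix = entry[15]
        flags = struct.unpack(">H", entry[16:18])[0]
        kind = "group" if flags & 0x8000 else "unique"
        names.append((name, suffix, kind, NETBIOS_SUFFIXES.get(suffix, "unknown")))
    mac = ":".join(f"{b:02x}" for b in data[pos:pos + 6])   # statistics start with the MAC
    return {"txid": txid, "names": names, "mac": mac}


def build_sample_response(txid=0x1234):
    """Constructed reply from a made-up host FILESRV01 in WORKGROUP (not a capture)."""
    entries = [("FILESRV01", 0x00, 0x0400), ("FILESRV01", 0x20, 0x0400),
               ("WORKGROUP", 0x00, 0x8400), ("WORKGROUP", 0x1E, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, flags in entries:
        rdata += name.encode().ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += bytes.fromhex("001122aabbcc") + b"\x00" * 40   # MAC + zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, authoritative, 1 answer
    rr = encode_netbios_name("*", 0x00, pad=b"\x00") + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata))
    return header + rr + rdata


def query_host(ip, timeout=2.0):
    """Send a real NBSTAT query to UDP/137 on a host you are authorised to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (ip, 137))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data)


if __name__ == "__main__":
    for entry in parse_node_status_response(build_sample_response())["names"]:
        print(entry)
```

The group flag (bit 15 of the entry flags) is what separates the workgroup or domain name from the host's own unique names, and the 0x20 suffix confirms that file sharing is enabled, which is the condition the slide gives for the rest of the attack.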
SNMP enumeration

What is SNMP?
SNMP is the Simple Network Management Protocol and is used for managing network devices. It is based on a manager/agent (client-server) architecture: the management station sends requests and the SNMP agent on the device replies. Every manageable setting is a variable identified by an object ID (OID) in the Management Information Base (MIB), which represents the network object. In SNMPv1 and v2c, access is controlled by two community strings that act as passwords: a read-only string (by default often "public") and a read-write string (often "private"). Variables can be read or altered by anyone who knows the right community string.

SNMP Enumeration:
Attackers can use default community strings to view or alter configuration settings and can enumerate
• ARP and routing tables
• Information about network resources such as devices, routers, shares, etc.
• Traffic details and statistics.
• Specific information about devices that are connected or were connected.

SNMP Enumeration Tools:
SNScan, OpUtils, SNMP Scanner, NSAuditor and SolarWinds are some of the popular tools used for conducting SNMP enumeration (snmpwalk from Net-SNMP is the usual command-line choice).

SNMP prevention tips:
• Use a firewall to stop unnecessary connections and use Group Policy to apply additional restrictions on anonymous connections.
• Use IPsec filtering and block access to UDP port 161 (and 162, used for traps) from untrusted networks.
• Remove SNMP agents wherever they are not required and change the default community strings.
• Use SNMPv3, which provides authentication and encryption, and protect the traffic with IPsec where possible.
LDAP enumeration

What is LDAP?
The Lightweight Directory Access Protocol, also known as LDAP, is an internet protocol used to access distributed directory services. A directory is a logical, hierarchical structure based on a client-server architecture and is used for storing a large number of records. Examples of directory services are Active Directory and OpenLDAP. Basic Encoding Rules (BER) are used for transmitting information between client and server over TCP (port 389, or 636 for LDAPS).

LDAP Enumeration:
Because many directories allow anonymous remote queries (anonymous bind), LDAP enumeration can be conducted easily. The queries reveal sensitive information: usernames, contact details, addresses, department details and other attributes.

LDAP Enumeration Tools:
There are many tools available; Softerra LDAP Administrator, JXplorer, LDAP Administrator Tool and LDAP Admin Tool are some of the popular ones (ldapsearch from OpenLDAP is the common command-line choice).

LDAP prevention tips:
To prevent LDAP enumeration, perform the steps given below:
• Require authentication (Kerberos) and disable anonymous binds, so that only authorised users can query the directory.
• Encrypt LDAP communication with TLS (LDAPS or StartTLS).
• To limit brute force attacks against directory accounts, enable account lockout.
NTP enumeration

What is NTP?
NTP is the Network Time Protocol. It is used for synchronising clocks between different network systems and, over the internet, is accurate to within about 200 milliseconds. It is based on a client-server architecture and runs over UDP (port 123). On a local network it can keep time to within about 10 milliseconds.

NTP Enumeration:
NTP servers support management queries. An attacker can enumerate the list of hosts that have synchronised with an NTP server (for example with the legacy monlist query), and from that find client IP addresses, the device names and the operating systems they are using.

NTP Enumeration tools:
NTP enumeration is performed with the commands ntptrace, ntpdc and ntpq.

NTP Prevention tips:
NTP enumeration can be prevented by restricting NTP management queries (disable monlist, or use NTPsec instead if possible). Enable logging of messages and events and use iptables to filter NTP traffic.
SMTP enumeration

What is SMTP?
SMTP is the Simple Mail Transfer Protocol and is used for the transmission of email. It works over TCP (port 25) and is based on a client-server architecture. A sending server finds the mail server for a domain by looking up the domain's Mail Exchange (MX) record in DNS.

SMTP Enumeration:
SMTP servers support three built-in commands that attackers use for enumeration, i.e. to confirm which user names exist on the server. The commands are:
VRFY – verify that a user exists on the SMTP server
EXPN – expand an alias or mailing list into its delivery addresses
RCPT TO – name a recipient of the message; the server's reply reveals whether the recipient exists

SMTP Enumeration Tools:
SMTP enumeration can be done with tools like NetScanTools Pro and smtp-user-enum.

SMTP Prevention tips:
SMTP enumeration can be prevented as follows:
• Disable VRFY and EXPN, and configure the server so that it does not reveal whether a recipient exists (give the same reply for unknown recipients) unless it is really required.
• Do not provide sensitive information in mail server banners and replies, and disable open relay functionality.
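The exchange described above, as an added example that is not part of the original deck: a Python client that probes a list of candidate user names with VRFY and, when the server refuses VRFY (reply code 252 or 502), falls back to MAIL FROM / RCPT TO. A small in-memory fake server is constructed here so both sides of the conversation run offline; the host name mail.example.test and the user list are made up. The SocketConn class shows how to point the same client at a real server you are authorised to test.

```python
import re
import socket


class FakeSmtpServer:
    """Constructed stand-in for a mail server (not a real implementation)."""

    def __init__(self, users, vrfy_enabled=True):
        self.users = set(users)
        self.vrfy_enabled = vrfy_enabled
        self.transcript = []                       # both sides of the exchange
        self._replies = ["220 mail.example.test ESMTP"]

    def readline(self):
        line = self._replies.pop(0)
        self.transcript.append("S: " + line)
        return line

    def sendline(self, line):
        self.transcript.append("C: " + line)
        self._replies.append(self._handle(line))

    def _handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.test"
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        if verb in ("VRFY", "EXPN"):
            if not self.vrfy_enabled:              # hardened server: VRFY/EXPN disabled
                return "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
            name = arg.strip()
            if name in self.users:
                return f"250 2.1.5 <{name}@example.test>"
            return f"550 5.1.1 <{name}>: Recipient address rejected: User unknown"
        if verb == "RCPT":
            m = re.search(r"<([^@>]+)@", arg)
            name = m.group(1) if m else ""
            if name in self.users:
                return "250 2.1.5 Ok"
            return "550 5.1.1 Recipient address rejected: User unknown"
        return "502 5.5.2 Error: command not recognized"


class SocketConn:
    """Same readline/sendline interface over a real TCP connection (single-line replies only)."""

    def __init__(self, host, port=25, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout)
        self.reader = self.sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")

    def readline(self):
        return self.reader.readline().rstrip("\r\n")

    def sendline(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))


def enumerate_users(conn, candidates, domain="example.test"):
    """Return the candidates the server confirms, trying VRFY first and
    falling back to RCPT TO if VRFY is refused."""
    conn.readline()                                # banner
    conn.sendline(f"HELO probe.{domain}")
    conn.readline()
    valid = []
    use_rcpt = False
    for user in candidates:
        if not use_rcpt:
            conn.sendline(f"VRFY {user}")
            code = conn.readline()[:3]
            if code == "250":
                valid.append(user)
                continue
            if code == "550":
                continue
            use_rcpt = True                        # 252/502: switch method, once
            conn.sendline(f"MAIL FROM:<probe@{domain}>")
            conn.readline()
        conn.sendline(f"RCPT TO:<{user}@{domain}>")
        if conn.readline().startswith("250"):
            valid.append(user)
    conn.sendline("QUIT")
    conn.readline()
    return valid


if __name__ == "__main__":
    server = FakeSmtpServer({"root", "alice"}, vrfy_enabled=False)
    print(enumerate_users(server, ["root", "bob", "alice"]))
    print("\n".join(server.transcript))
```

Running the hardened variant shows the limit of the first prevention tip: with VRFY disabled the client simply moves to RCPT TO and still gets a different reply for existing and non-existing users, so the RCPT TO replies (or a recipient-verification policy that accepts everything and bounces later) are what actually has to change.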
DNS enumeration

What is DNS?
The Domain Name System, also known as DNS, is a decentralised naming system for services, computers and other devices connected to a network. It maintains a database of host names and their IP addresses and also stores other records about a domain (mail servers, name servers, text records).

DNS Enumeration:
Attackers perform DNS enumeration by pretending to be a secondary name server and requesting a zone transfer (AXFR). If the server accepts the request, it returns the whole zone file, revealing every host name and record in the domain to the attacker.

DNS Enumeration Tools:
For DNS enumeration, nslookup (and dig), DNSdumpster and DNSRecon are the tools used by attackers.

DNS prevention tips:
To prevent DNS enumeration, configure DNS servers to refuse zone transfers to anyone except your own authorised secondary servers. Make sure zone files do not contain HINFO records or other unnecessary data, and trim the zone files so they expose only what must be public.
Windows enumeration

Windows Enumeration:
Windows can be enumerated easily with the PsTools utilities from Sysinternals. Some of them are listed below (note that they need valid credentials on the target, so they are typically used once a password has been obtained).

Sr. no. | Name of the tool | Description
01 | PsExec | Runs processes on a remote system
02 | PsFile | Shows which files are opened remotely on a system
03 | PsKill | Kills processes running on a remote device
04 | PsInfo | Shows physical memory, kernel build, installation date, processor type and count, etc.
05 | PsList | Shows process, CPU, memory and thread statistics
06 | PsLoggedOn | Lists users logged on locally as well as remotely
07 | PsLogList | Displays event logs

Windows prevention tips:
You cannot prevent this completely, but you can minimise it by taking precautions. Remove unnecessary and unused services, and use a firewall to restrict access to the ports and applications that remain.
UNIX or Linux enumeration

UNIX or Linux enumeration:
Linux or UNIX systems can be enumerated using some tools or utilities. Some of them are given below.

Sr. no. | Name of the tool | Description
01 | finger | Gets information about users on a remote machine
02 | rpcinfo | Displays information about the remote procedure call (RPC) services a host registers
03 | rpcclient | Samba client for MS-RPC; can list user names and shares on a Windows or Samba host
04 | showmount | Shows the directories an NFS server exports

LINUX prevention tips:
To minimise the impact of enumeration, remove unused and unnecessary services (finger, rpcbind and NFS where not needed) and restrict access by configuring iptables.
Points to remember
• Enumeration is the process of extracting information from a system.
• Information such as host names, user names, group names, machine names, network shares and connections, and IP and routing tables is acquired by the attacker through enumeration.
• It is used by attackers for research before conducting attacks.
• NetBIOS, SNMP, LDAP, NTP, SMTP, DNS, Windows and Linux or UNIX enumeration are the different types of enumeration.
• It can be prevented by securing the network with a firewall, by removing unused and unwanted services and devices, and by restricting access.

Chapter 3, Topic 3: Keyloggers
Have you heard of any tool that records the keystrokes you make on the keyboard?

A keylogger is one of those tools. It can be either embedded in or installed on a computer system, and it is difficult to find out about its presence.

Keyloggers are of two kinds: software-based keyloggers and hardware-based keyloggers.
Software-based keyloggers
Software-based keyloggers monitor keystrokes by recording them and then sending the recording to the attacker, usually by uploading it to some internet location.
They can also capture all the information we enter into websites by using screen recording.
These keyloggers are now also used for keeping an eye on employees, or by parents to monitor their children's activity.
Examples of software-based keyloggers: Kidlogger, Spyrix Free Keylogger, Best Free Keylogger, Elite Keylogger, Windows Keylogger.
Hardware-based keyloggers
Hardware-based keyloggers do not need to be installed as software; instead they are fitted to the physical system, for example inline on the keyboard cable or inside the keyboard, and come in the form of a small chip or dongle.
Monitor-based keyloggers monitor the keys pressed by the user and record them without the user's knowledge.
Acoustic keyloggers record the sound of the keystrokes; each key has a slightly different sound, which makes the typed text recoverable.
Keyloggers can be attached to any hardware device.
How to detect a keylogger?
• To detect whether a keylogger is running on your PC, go through Task Manager and check all the processes running on your device.
• Check the Startup tab. Keyloggers run all the time on your PC and hence need to be started with the OS.
• Check your network data usage details to get an idea of which programs are sending data out.
• Checking browser extensions, and disabling any you did not install yourself, is also an important step.
• Check your device physically. It could have a hardware keylogger connected, for example between the keyboard and the PC.
Anti-Keylogger
It is software that helps in detecting a keylogger if one is present.
It audits all the running processes, from the BIOS to background operating system processes and running apps, as well as browsing history, network settings, add-ons, plug-ins, etc.
It might be that one has to reinstall the operating system in order to get rid of a keylogger completely.

Spyware

What is spyware?
Spyware is a type of malware that tries to keep itself hidden while it secretly records information and tracks your online activities on your computers or mobile devices.
It can monitor and copy everything you enter, upload, download and store.
Some strains of spyware are also capable of activating cameras and microphones to watch and listen to you undetected.
By definition, spyware is designed to be invisible, which is one of its most harmful attributes: the longer it goes undetected, the more damage it can cause.

Types of Spyware: adware, tracking cookies, Trojans, keyloggers, stalkerware, system monitors.

Is spyware a virus? What does it actually do?
Types of spyware

Adware: It tracks your online activities and displays ads. Compared with some other forms of spyware, adware mostly affects the performance of a device, as well as just being annoying.

Tracking cookies: They are similar to adware, although they tend to be less intrusive.

Trojans: After landing on a device, they look for sensitive information, such as bank account details, and send it to a seedy third party who will use it to steal money, compromise accounts or make fraudulent purchases. They can also be used to gain control of a computer through the installation of a backdoor or a remote access Trojan (RAT).

Keyloggers: They allow a miscreant to capture every keystroke from your keyboard, including the keystrokes you use when you log into your online accounts.

Stalkerware: It is typically installed on a mobile phone so that the owner of the phone can be tracked by a third party. For example, during the trial of Joaquín "El Chapo" Guzmán, it was revealed that the drug kingpin had installed spyware on the phones of his wife, associates and female friends so he could read their text messages, listen to their conversations and follow their movements.

Stealware: It is crafted to take advantage of online shopping sites that award credits to websites that send traffic to their product pages. When a user goes to one of those sites, stealware intercepts the request and takes credit for sending the user there.

System monitors: They record everything that happens on a device, from keystrokes, emails and chat room dialogues to websites visited, programs launched and phone calls made, and send it to a snoop or cyber criminal. They can also monitor a system's processes and identify any vulnerabilities on it.
How to tell if you have spyware?
To see whether spyware has infected your computer or mobile device, look for these warning signs:
• Your device runs slower than normal
• Your device freezes or crashes frequently
• You start getting a ton of pop-ups
• Your browser homepage changes unexpectedly
• New and/or unidentifiable icons appear in the task bar
• Web searches redirect you to a different search engine
• You start getting random error messages when using apps that you have never had issues with before

Of course, these are also symptoms of other malware infections. To determine exactly what you are dealing with, you will need to dig a bit deeper and scan your device with antivirus software that includes a spyware scanner.

Virus

What is a Virus?
A virus is a program that damages documents or changes the contents of your files.
It may corrupt or erase the data on your computer.
A computer virus modifies or deletes files, whereas a computer worm replicates itself without necessarily changing your files or data; this is why viruses are considered the more harmful of the two to stored data.

Examples of viruses (detection names as given in the slide):
▪ W32.Sfc!mod
▪ ABAP.Rivpas.A
▪ Accept.3773
Types of viruses

File virus
• The file virus normally infects program files such as .exe, .com and .bat.
• It tries to infect all other programs that are loaded into memory while it is resident.

Macro virus
• Macro viruses infect Word, Excel, PowerPoint, Access and other data files through their macro language.
• Once a file is infected by a macro virus, it becomes difficult to repair.

Master boot record (MBR) virus
• MBR viruses are memory-resident viruses.
• An MBR virus infects a particular area of the storage device (the master boot record) instead of normal files.

Boot sector virus
• A boot sector virus infects the boot sector of an HDD or floppy disk.
• These are also memory-resident in nature, and they are very tough to remove.

Multipartite virus
• A multipartite virus is a mixture of boot and file viruses: it infects program files.
• When the infected program is executed, it also infects the boot record.

Polymorphic virus
• Polymorphic viruses are encrypted viruses that are very difficult to detect.
• The virus appears different in every new infection because it re-encrypts itself with a different key and varies its decryption routine, so there is no fixed signature to match.

Stealth virus
• Stealth viruses use various techniques to escape detection.
• They can hide the change in size of an infected file in the directory listing.
• They can redirect the disk head to another sector so that the infection cannot be found by the user.
Worms

What are worms?
A worm is a malicious program that copies itself repeatedly.
Worms recreate themselves in local drives, network shares, etc. This is the only purpose of a worm; it does not necessarily harm data or files on the computer like a virus does, but it consumes bandwidth and system resources.
Worms do not need to attach themselves to any existing program. They spread by exploiting vulnerabilities in operating systems and network services.

How do worms spread?
• Files found in email attachments.
• Via peer-to-peer file-sharing networks.
• Links received through ICQ and IRC (Internet Relay Chat) messages.
• Through a web link or FTP resource.

Examples of worms (detection names as given in the slide):
▪ W32.SillyFDC.BBY
▪ Packed.Generic.236
▪ W32.Troresba
Types of worms
• Internet worms
• Email worms
• IRC worms
• Instant messaging worms
• File sharing worms
Virus vs. worm

Basis for comparison | Virus | Worm
Definition | A virus is a type of program that attaches itself to executable (.exe) files and is transferred from one computer to another. | A worm is a malicious, self-replicating program that spreads through a computer network.
Human action | Human action is required in order to run and transmit a virus. | Since it is self-replicating, human action is not necessary for running or transmitting a worm.
Spreading speed | Slow as compared to a worm. | The speed of spreading is rapid.
Need of host | A host program is needed for spreading a virus. | It does not need a host, since it can replicate itself.
Removal techniques | 1. Antivirus software can be used. 2. Formatting the system. | 1. Worm removal tools/software can be used. 2. Formatting the system.
Prevention | Antivirus software can be used to prevent a virus from entering your computer. | Antivirus software can detect worms and hence can be used as a prevention technique. A firewall is another prevention technique.
Effects | It can alter or erase files and programs. It can also corrupt files. | It consumes system resources and hence slows the system, and can also completely halt the system.
Trojans and Backdoors

Trojans
• Trojans, also known as Trojan horses, are malware used for compromising a target device.
• They are used by attackers specifically to get access to the system.
• Trojans are generally transferred via email attachments, by file sharing, by being bundled with other programs that can be downloaded from the internet, and through chat/discussion links.
• Advertisements on some websites can also be a source of malware, as they offer free software downloads which in turn download a Trojan to your device.
• Once a Trojan is installed, the system becomes slow and sometimes even crashes.
Trojans
• Trojans are also used by attackers to gain information about your device. This can lead to data theft and other serious issues.
• Trojans can be used to conduct DDoS attacks on servers.
• Apart from this, they are also used as keyloggers and can record typed data. They are also capable of capturing screenshots.

Some common (classic) Trojans and the ports they listened on:
▪ Deep Throat -> UDP -> ports 2140, 3150
▪ NetBus -> TCP -> ports 12345, 12346
▪ Back Orifice -> UDP -> ports 31337 or 31338
Types of Trojans
Remote Access Trojan | Gains remote control of the victim
Destructive Trojan | Corrupts or deletes files
Denial of Service Trojan | Launches a DoS attack
FTP Trojan | Creates an FTP server on the victim and copies files onto it
Data Sending Trojan | Sends data from the victim to the hacker's computer
Proxy Trojan | Uses the victim's computer as a proxy to attack another victim
Command Shell Trojan | Opens a port that gives the attacker a remote command shell
Email Trojan | Access to the victim's computer is gained by sending an email and having them click a link
VNC Trojan | Uses VNC servers for controlling the computer while avoiding detection by anti-virus
Botnet Trojan | Used by attackers to enlist the system as a bot for conducting other attacks
Trojans

Wrappers
• Wrappers, also known as glueware, are used for binding Trojans with applications that look genuine.
• They wrap the Trojan so that one cannot find it.
• Because the wrapped applications look genuine, users often download and install them.
• When such an application is installed, the Trojan is installed along with it without the knowledge of the user.
Example: Kriptomatik.

Evading Antivirus
• Evading anti-virus is simply the set of techniques attackers use to avoid anti-virus programs.
• Attackers do not reuse existing Trojans, as these are easily detected by signature; instead they write Trojan programs themselves.
• To avoid being caught, they rename file extensions, for example .exe to .xls, .ppt or .mp4.
• They divide the Trojan file into multiple parts, send the parts to the target device by different routes, and then combine them to rebuild the Trojan.
• To avoid matching a signature and being caught by an IDS, the file's checksum is changed (for example by packing the file or appending junk bytes).
Backdoor
A backdoor is a Trojan program used by attackers to re-enter the target system at will.
That is, it provides a way for the attacker to get back into your system without authenticating normally.
A backdoor is installed on the system without the knowledge of the user, and one cannot easily find backdoor files, as they often have names that look legitimate and hence go unnoticed.
How to prevent a Trojan?
• Do not download unknown and unverified applications from the internet.
• Use anti-virus and make sure you update it whenever a new update arrives. Anti-virus informs the user when it finds something malicious.
• Scan external CDs, pen drives and floppies first, and use them only if they are safe.
• Protect your system from unauthenticated access and unauthorised installation of applications.
• Use a firewall to restrict access to untrusted sites.

How to detect a Trojan?
• Use tools like TCPView and CurrPorts to see which ports are open without your knowledge.
• Check the processes running on the computer, and remove unwanted ones if necessary.
• Scan drivers for suspicious files/applications.
• Use tools to monitor registry records.
• Scan the device for malicious files and folders.
• Use tools like Trojan Hunter to detect Trojans.
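As an added example, not part of the original deck, the script below does by hand what the TCPView/CurrPorts step above does by eye: it parses the output of netstat -an and flags sockets on the classic Trojan ports listed earlier (Deep Throat, NetBus, Back Orifice). The netstat lines are constructed here in Windows format. A port match is only a hint, since any program can bind these ports, so the owning process (netstat -anob on Windows) must be checked before drawing conclusions.

```python
import re

# (protocol, port) -> Trojan that historically listened there, from the list above.
KNOWN_TROJAN_PORTS = {
    ("udp", 2140): "Deep Throat", ("udp", 3150): "Deep Throat",
    ("tcp", 12345): "NetBus", ("tcp", 12346): "NetBus",
    ("udp", 31337): "Back Orifice", ("udp", 31338): "Back Orifice",
}

# Windows `netstat -an` row: proto, local addr:port, foreign addr, [state]
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+):(?P<port>\d+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample output (not from a real machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED
  TCP    192.168.1.10:12346     198.51.100.7:51234     ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
  UDP    [::]:5353              *:*
"""


def parse_netstat(text):
    """Yield one dict per socket row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        yield {
            "proto": m["proto"].lower(),
            "local": m["local"],
            "port": int(m["port"]),
            "remote": m["remote"],
            "state": (m["state"] or "").upper(),   # UDP rows carry no state
        }


def flag_trojan_ports(text):
    """Return (proto, port, name, state) for every socket on a known Trojan port.
    TCP rows count only when the local side is LISTENING or ESTABLISHED;
    a lingering TIME_WAIT on such a port is not evidence of a listener."""
    findings = []
    for sock in parse_netstat(text):
        name = KNOWN_TROJAN_PORTS.get((sock["proto"], sock["port"]))
        if name is None:
            continue
        if sock["proto"] == "tcp" and sock["state"] not in ("LISTENING", "ESTABLISHED"):
            continue
        findings.append((sock["proto"], sock["port"], name, sock["state"]))
    return findings


if __name__ == "__main__":
    for hit in flag_trojan_ports(SAMPLE_NETSTAT):
        print("suspicious:", hit)
```

On a real host, feed the script the saved output of netst at -an (or netstat -anob for the process names) and treat any hit as the starting point for the process, driver and registry checks listed above, not as a verdict.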
Steganography

Steganography
The word steganography comes from Greek and means "covered writing".
This technique is used to hide a secret message inside an innocuous cover message so that the very existence of the secret information is not revealed.

Types: text steganography, image steganography, audio steganography, video steganography.
Types of Steganography

Image Steganography
∙ Image steganography is used to hide a secret message inside an image.
∙ The most widely used technique hides the secret bits in the least significant bit (LSB) of each pixel of the cover image.
∙ Because this method relies on the exact bits of each pixel, the image must be stored in a lossless format (PNG, BMP); otherwise the hidden information is destroyed by the transformations of a lossy compression algorithm such as JPEG.
∙ In a 24-bit colour image, one bit of each of the red, green and blue colour components can be used, so a total of 3 bits can be hidden per pixel; this way more secret bits can be stored in the same image.
Types of Steganography
Audio Steganography
∙ Audio steganography hides the confidential message in an audio file.
∙ A typical 16-bit audio file has 2^16 = 65,536 sound levels, so a difference of a few levels in a sample is inaudible to the human ear, which makes embedding simple to achieve.
∙ The sender embeds the data into a digital cover file, typically under control of a key, to produce the stego file; a receiver with the key extracts it.
∙ Many of the proposed schemes are based on modification of the least significant bits (LSB) of the samples, either in the temporal domain or in a transform domain.
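The LSB technique described in the image and audio sections above is the same operation on different sample types, so the following added example (written for this page, not code from the original slides) implements it once over a flat list of integer samples: the colour channels of a 24-bit image or the samples of 16-bit PCM audio. The cover data, the 32-bit length header and the crude re-quantisation used to stand in for a lossy codec are all constructed for the demonstration.

```python
"""LSB steganography on a flat list of sample values.

Works for any sequence of integers with a spare low bit: the colour channels of a
24-bit image (0..255) or the samples of 16-bit PCM audio (-32768..32767). No image
or audio library is needed because only the raw values matter.
"""
import struct

HEADER_BITS = 32  # 4-byte big-endian message length precedes the payload


def _to_bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover, message: bytes):
    """Return a copy of `cover` with `message` hidden in the least significant bits.

    Capacity is one bit per sample, minus the 32-bit length header.
    Each sample changes by at most one level.
    """
    payload = struct.pack(">I", len(message)) + message
    needed = len(payload) * 8
    if needed > len(cover):
        raise ValueError(f"cover has {len(cover)} samples, need {needed}")
    stego = list(cover)
    for i, bit in enumerate(_to_bits(payload)):
        stego[i] = (stego[i] & ~1) | bit  # clear the LSB, then set it to the secret bit
    return stego


def extract_lsb(stego) -> bytes:
    """Recover a message embedded by embed_lsb."""
    if len(stego) < HEADER_BITS:
        raise ValueError("too few samples to hold a length header")

    def read_bytes(start_bit, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start_bit + 8 * b + k] & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if HEADER_BITS + 8 * length > len(stego):
        raise ValueError("length header exceeds cover size: not a valid stego object")
    return read_bytes(HEADER_BITS, length)


def lossy_requantize(samples, step=4):
    """Constructed stand-in for a lossy codec: snap each sample to a multiple of `step`.

    Real JPEG or MP3 encoders do something far more complex, but the effect on the
    LSBs is the same: the low bits are recomputed, not preserved.
    """
    return [(s // step) * step for s in samples]


def max_distortion(cover, stego) -> int:
    """Largest per-sample change introduced by embedding."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    import random

    rng = random.Random(1)
    secret = b"meet at 21:00"
    # Constructed cover: a 64x64 RGB image flattened to 12288 channel values.
    image = [rng.randrange(256) for _ in range(64 * 64 * 3)]
    stego_img = embed_lsb(image, secret)
    print("image:", extract_lsb(stego_img), "max change:", max_distortion(image, stego_img))
    # Constructed cover: one second of 16-bit mono audio at 8 kHz.
    audio = [rng.randrange(-32768, 32768) for _ in range(8000)]
    print("audio:", extract_lsb(embed_lsb(audio, secret)))
    # After a lossy step every LSB is recomputed, so the length header reads 0 and
    # nothing is recovered.
    print("after lossy step:", extract_lsb(lossy_requantize(stego_img)))
```

The `& ~1 | bit` form also works for the negative values of signed audio samples because Python integers use two's-complement semantics for bitwise operators, so the same function serves both media.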
Types of Steganography
Video Steganography
∙ Video steganography offers more room to disguise a large amount of data because video combines images and sound.
∙ Video files are essentially a sequence of images (frames) plus an audio track, so most of the image and audio steganography techniques can be applied to video files too.
∙ The great advantages of video are the large amount of data that can be hidden and the fact that it is a moving stream of images and sound, so small changes in individual frames are hard to notice.
Types of Steganography
Text Steganography
∙ Steganography can be applied to different types of media, including text, audio, image and video.
∙ Text steganography is considered the most difficult kind because text has little redundancy compared with image or audio; on the other hand it needs less storage and is simpler to communicate.
∙ One method that can be used for text steganography is data compression, which encodes information from one representation into another, smaller representation.
∙ One possible scheme for achieving such compression is Huffman coding.
Points to remember
• Keyloggers are used for tracking your keystrokes, either using software or hardware. Anti-keylogger software is used for detecting these keyloggers.
• Viruses and worms are computer programs: a virus attaches itself to executable files, while a worm replicates itself and spreads across the network.
• Steganography is the technique of hiding secret messages, while cryptography is encrypting secret messages.
• Spyware is a type of malware that tries to keep itself hidden while it secretly records information and tracks your online activities on your computers or mobile devices.
• Trojans and backdoors are malware; when installed on a system, they can make the system slow, crash it, or send information about the system to attackers.
Chapter 3
Topic 4
4 DoS and DDoS attacks
DoS attacks
DoS stands for Denial of Service.
A DoS attack is typically conducted by flooding a server with traffic, such as TCP or UDP packets, faster than it can process it (other DoS attacks instead exploit a bug that crashes the service).
The flood of packets overloads the server.
Because it is overloaded, the server cannot accept further packets from legitimate users.
So the server becomes unavailable and service is denied to the users.
This type of attack is used to shut down, or slow down, networks, services or individual machines.
Techniques for conducting DoS attack
Buffer Overflow Attacks
• In this technique the attacker sends more input than a program's buffer can hold so that it overwrites adjacent memory, or otherwise makes the machine consume all of its available hard disk space, memory or CPU time.
• This is generally known as a memory buffer overflow attack.
• The memory corruption or exhaustion results in system crashes, sluggish behaviour or other deleterious behaviours in servers, which in turn results in denial of service.

Teardrop Attack
• In this attack, fragmented IP packets are sent to the target.
• The offset and length fields in the fragments are crafted so that the fragments overlap and cannot be reassembled correctly.
• Trying to reassemble the fragments into the original packet exhausts or crashes the target's IP stack.

Ping of Death (PoD) and ICMP Flood
• In a Ping of Death, the attacker sends malformed or oversized ICMP echo request (ping) fragments; when reassembled they exceed the maximum IP packet size of 65,535 bytes and crash vulnerable systems.
• In an ICMP flood, the attacker sends a large volume of ICMP echo requests, often with spoofed source addresses, so that the target spends its bandwidth and CPU answering pings.

Smurf Attack
• The attacker sends ICMP echo requests to the broadcast address of a vulnerable (misconfigured) network, with the source address spoofed to be the target's IP address.
• Every host on that network replies to the target, which amplifies the traffic, floods the target and results in denial of service.

SYN Flood
• The attacker keeps sending TCP SYN requests but never completes the three-way handshake (the final ACK is withheld, or the source address is spoofed so the SYN-ACK goes nowhere).
• Each half-open connection occupies an entry in the server's connection backlog until it times out, so the backlog fills up.
• Once the backlog is full the server cannot accept new connections, which prevents legitimate users from connecting.
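The SYN flood leaves a distinctive trace: SYNs that are never followed by the client's handshake-completing ACK. The following added example (not from the original slides) runs that check over a constructed packet capture. The capture, addresses (RFC 5737 documentation ranges), thresholds and the `Pkt` record format are all assumptions made for the demonstration; on a real system the records would come from tcpdump, tshark or NetFlow.

```python
"""Detect TCP SYN floods from a stream of packet summaries.

Each record carries the TCP flags as tcpdump prints them: "S" = SYN, "SA" = SYN-ACK,
"A" = ACK. A flow is complete once the client sends the third-handshake ACK; a SYN
that never gets one is half-open, which is exactly what a SYN flood leaves behind.
"""
from collections import defaultdict
from typing import Iterable, NamedTuple


class Pkt(NamedTuple):
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def half_open_stats(packets: Iterable[Pkt], grace: float = 1.0):
    """Per (dst, dport): (syn_count, half_open_count, distinct_sources).

    A SYN is half-open if the client's ACK never arrived and the SYN is older than
    `grace` seconds at the end of the capture, so in-flight handshakes are not
    miscounted.
    """
    pending = {}                                # flow key -> ts of its SYN
    stats = defaultdict(lambda: [0, 0, set()])
    last_ts = 0.0
    for p in packets:
        last_ts = max(last_ts, p.ts)
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            pending[key] = p.ts
            s = stats[(p.dst, p.dport)]
            s[0] += 1
            s[2].add(p.src)
        elif p.flags == "A" and key in pending:
            del pending[key]                    # handshake completed
    for (_, _, dst, dport), ts in pending.items():
        if last_ts - ts >= grace:
            stats[(dst, dport)][1] += 1
    return {k: (v[0], v[1], len(v[2])) for k, v in stats.items()}


def detect_syn_flood(packets, min_syns=50, min_half_open_ratio=0.8, grace=1.0):
    """Alert on services whose SYNs mostly never complete (thresholds are assumptions)."""
    alerts = []
    for (dst, dport), (syns, half_open, sources) in half_open_stats(packets, grace).items():
        if syns >= min_syns and half_open / syns >= min_half_open_ratio:
            alerts.append({
                "service": f"{dst}:{dport}",
                "syns": syns,
                "half_open": half_open,
                "distinct_sources": sources,
                # Nearly one source per SYN means the addresses are spoofed, so blocking
                # individual IPs will not help; SYN cookies or rate limiting are needed.
                "spoofed_sources_likely": sources >= 0.9 * syns,
            })
    return alerts


def build_sample_capture():
    """Constructed capture (not a real trace): 20 legitimate handshakes to :443,
    then a 200-packet spoofed-source SYN flood against :80, then one legitimate
    SYN whose ACK has not arrived yet."""
    pkts, t = [], 0.0
    for i in range(20):
        c, sport = f"192.0.2.{i + 1}", 40000 + i
        pkts.append(Pkt(t, c, sport, "10.0.0.5", 443, "S"))
        pkts.append(Pkt(t + 0.01, "10.0.0.5", 443, c, sport, "SA"))
        pkts.append(Pkt(t + 0.02, c, sport, "10.0.0.5", 443, "A"))
        t += 0.1
    for i in range(200):
        src = f"198.51.100.{i % 254 + 1}"
        pkts.append(Pkt(t, src, 1024 + i, "10.0.0.5", 80, "S"))
        pkts.append(Pkt(t + 0.0005, "10.0.0.5", 80, src, 1024 + i, "SA"))  # never ACKed
        t += 0.001
    t += 2.0
    pkts.append(Pkt(t, "192.0.2.99", 50000, "10.0.0.5", 443, "S"))
    return pkts


if __name__ == "__main__":
    for alert in detect_syn_flood(build_sample_capture()):
        print(alert)
```

Counting per destination service rather than per source is deliberate: a flood from spoofed addresses shows up as one SYN per "client", so per-source thresholds never fire, while the service-level half-open ratio does.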
DDoS Attacks
DDoS stands for Distributed Denial of Service attack.
Many systems at different locations are used to conduct the attack, so it becomes difficult to find the origin of the attack and the attacker.
The attacker requires multiple systems to conduct the attack. These systems are known as slave computers, zombies or bots.
The network formed from these bots is known as a botnet.
The botnet is managed by the bot master (the attacker) through a command and control (C2) server, and the bots carry out the orders they are given.
Types of DDoS Attacks
• Volume-based DDoS attacks: UDP floods, ICMP floods and ping floods. These saturate the target's bandwidth.
• Protocol-based DDoS attacks: Ping of Death, SYN flood and attacks targeting the DNS server. These exhaust connection-state tables on servers, firewalls and load balancers.
• Application layer (Layer 7) attacks: HTTP flood attacks, including basic HTTP floods, randomized HTTP floods, cache-bypass HTTP floods and WordPress XMLRPC floods. These exhaust the application's resources with requests that individually look legitimate.
DoS vs DDoS: What's the Difference?
• In a DoS attack a single system is used to conduct the attack, while in a DDoS attack multiple systems are used. This is the main difference between DoS and DDoS.
• A DoS attack is conducted through a script or DoS tools, while a DDoS attack is conducted by controlling bots and executing the attack through them.
• A single system cannot send the amount of traffic that multiple systems can send together; because of this, DDoS is more dangerous than DoS.
• Because multiple systems at multiple locations are used, DDoS attacks are harder to detect and the origin of the attack cannot be identified easily.
How to detect DoS and DDoS attacks?
Commonly used DoS/DDoS attack tools
Low Orbit Ion Cannon (LOIC)
• LOIC is an open-source application with a user-friendly interface.
• It allows TCP and UDP flood attacks (as well as HTTP floods) to be carried out.
• Many derivatives were created because of its popularity, including versions that run from a web browser.

High Orbit Ion Cannon (HOIC)
• HOIC was created as an advanced version of LOIC.
• It conducts attacks over the HTTP protocol that are difficult to mitigate.
• The tool is designed so that a group of at least 50 people working together can conduct an effective attack.

Slowloris
• Slowloris is a tool popular among attackers for conducting DoS attacks.
• As the name suggests, it carries out a "low and slow" attack: it opens many connections to the target web server and keeps them open by sending partial HTTP headers, never completing the request, until the server's connection pool is exhausted.
• With very limited resources, Slowloris can conduct an attack with damaging effect, which is why it is one of the popular tools.

R.U.D.Y (R-U-Dead-Yet)
• R.U.D.Y is another low-and-slow attack tool.
• It has a simple point-and-click interface that is easy to use.
• It sends HTTP POST requests with a large declared content length and then transmits the body a few bytes at a time, keeping the connections open as long as possible to tie up the targeted server.
Preventive Measures
• One cannot prevent DDoS attacks completely, but their effect can be reduced by following the measures given below.
• Develop a DDoS prevention and response plan by properly researching and understanding your network and systems. This is a critical step and needs to be followed properly.
• Use a firewall, VPN, load balancing, anti-spam, content filtering and other techniques to secure the network.
• Use updated applications and products; outdated applications often have security issues that are patched in newer versions.
• Use redundant network resources in your network architecture.
• Use servers located at different locations, as this makes the attacker's job harder.
• Have a backup option so that if one server is attacked, other servers can handle the network traffic.
• Buy enough bandwidth to handle a sudden increase in network traffic caused by a DoS or DDoS attack, so that your service keeps working.
• Configure your network, firewall or router to drop packets that should never arrive from outside your network, for example packets whose source address claims to be one of your own internal addresses.
• Use cloud technology if feasible. Cloud providers have more bandwidth, more resources and usually better security than most private networks, which makes an attack much harder to succeed.
Points to remember
• DoS is Denial of Service and DDoS is Distributed Denial of Service.
• The difference between DoS and DDoS is that DoS uses a single machine while DDoS uses multiple machines to conduct the attack.
• The purpose of these attacks is to make the server unavailable so that service is denied to the user.
• There is no single way to prevent these attacks, but steps can be taken to reduce the chance of an attack and to minimise its effect.
Chapter 3
Topic 5
5 SQL Injection
SQL Injection
A SQL injection attack is also known as an SQLi attack.
In this attack, the attacker exploits a vulnerability in how an application builds its SQL queries (usually by concatenating untrusted input into the query string) to execute malicious SQL statements.
Web applications and websites use databases to store data, and these databases use SQL to perform operations on that data.
This means that whoever controls the SQL statements controls the database server.
Attackers use this technique to bypass security measures set by applications, such as login checks.
They can also use it to add, retrieve or alter data in the database.
This is one of the oldest and favourite attacks of attackers, because it still works and is considered one of the most damaging attacks.
The OWASP (Open Web Application Security Project) organisation publishes a list of the top ten web application security risks, and injection, of which SQL injection is the best-known form, headed that list in the 2013 and 2017 editions.
How is an SQL Injection Attack Performed?
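The mechanics are easiest to see with a login routine that concatenates user input into its query next to the same routine written with a parameterized query. The following added example (written for this page, not code from the original slides) uses an in-memory SQLite database; the schema, the two demo accounts and the attack strings are constructed for the demonstration, and the same bug and fix apply to any SQL database.

```python
"""SQL injection: vulnerable string-built query beside its parameterized fix."""
import hashlib
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed demo database (in memory, not a real application's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT, role TEXT)"
    )
    for name, pw, role in [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")]:
        conn.execute(
            "INSERT INTO users (username, pw_hash, role) VALUES (?, ?, ?)",
            (name, hashlib.sha256(pw.encode()).hexdigest(), role),
        )
    return conn


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def vulnerable_rows(conn, username: str, password: str):
    """The classic bug: user input is pasted into the SQL text, so a quote in the
    username ends the string literal and the rest of the input becomes SQL."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND pw_hash = '{_hash(password)}'"
    )
    return conn.execute(query).fetchall()


def login_vulnerable(conn, username: str, password: str):
    rows = vulnerable_rows(conn, username, password)
    return rows[0] if rows else None


def login_safe(conn, username: str, password: str):
    """Parameterized query: the driver sends the SQL text and the values separately,
    so the database never parses user input as part of the command."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()


if __name__ == "__main__":
    conn = setup_db()
    # Authentication bypass: the "--" turns the password check into a comment.
    print(login_vulnerable(conn, "alice' --", "anything"))     # ('alice', 'admin')
    print(login_safe(conn, "alice' --", "anything"))           # None
    # Union-based extraction: pull every password hash through the login query.
    for row in vulnerable_rows(conn, "' UNION SELECT pw_hash, role FROM users --", "x"):
        print(row)
```

Note that Python's `sqlite3` refuses stacked statements such as `'; DROP TABLE users --`, which blocks one injection technique by accident; the comment and `UNION` payloads above still work, which is why input filtering or driver quirks are no substitute for binding every value as a parameter.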
Why SQL Injection Attack is Performed?
• Attackers can obtain the credentials of other users. They can then impersonate those users, and one of them may be an administrator with full database privileges.
• Since SQL is used to add and change data in the database, this enables attackers to modify balances, transfer money or alter transactions in financial applications.
• On some database servers, SQL can be used to access the operating system (for example through procedures that run shell commands). In such cases the attacker can use SQL injection as the initial vector to attack the internal network behind the firewall.
• Attackers can use this attack to delete data from the database: a few records, a few tables or the whole database.
• Even if a database backup is used to restore the data, the most recent records cannot be recovered, because backups are taken at fixed intervals.
Types of SQL Injection Attack
• In-band SQL injection: the attacker uses the same channel to launch the attack and to gather the results.
  ∙ Error-based SQL injection: database error messages returned to the attacker reveal information about the database structure.
  ∙ Union-based SQL injection: the UNION operator combines the results of an injected SELECT with the results of the original query.
• Inferential (blind) SQL injection: no data is returned directly; the attacker infers it from the application's behaviour.
  ∙ Boolean-based blind SQL injection: the attacker asks true/false questions and observes whether the page content changes.
  ∙ Time-based blind SQL injection: the attacker makes the database pause (for example with a sleep function) and infers the answer from the response time.
• Out-of-band SQL injection: the results are sent over a different channel, for example a DNS or HTTP request made by the database server to a host the attacker controls.
Tools used for SQL injection
• SQLmap
• BSQL Hacker
• SQLninja
• Safe3 SQL Injector
• SQLSus
• Mole
Preventive Measures
• Use prepared statements: prepared statements with parameterized queries are easy to understand and simple to write. User-entered values are bound to parameters, so the database treats them strictly as data and never as part of the SQL command.
• Disable unwanted functionality: disable database features you do not need, as attackers can use them to gain access to important data in your database.
• Hide detailed error messages: attackers can learn a great deal from database error messages. Show only the information the user needs and use generic error messages so that no internal details are disclosed.
• Use stored procedures: stored procedures add an extra layer of security. A stored procedure is stored in the database server and called from the application whenever needed, so the web application passes input as data only and not as a SQL query (provided the procedure itself does not build dynamic SQL from its arguments).
• Validate user input: user input can be validated on the basis of length, format, type, etc. This eliminates the most trivial attacks but does not fix the underlying vulnerability; it is like opening your door only to those whose identity you have checked.
• Encrypt credentials and store them separately: imagine how much damage could be done if the database fell into the wrong hands and contained unencrypted credentials. Hash or encrypt credentials properly and store them separately from the rest of the data.
• Avoid using the root (privileged) account: if your web application connects with an account that has root privileges, an attacker who injects SQL gains access to the whole database. Always connect with an account that has only the few privileges the application needs.
• Update the system: whenever you find that your web application or website has a SQL injection vulnerability, fix it. Once fixed, apply the patch and update the system so that you can avoid attacks in future.
5 Buffer Overflow
Buffer Overflow
Buffers are temporary storage regions in memory, used for holding data temporarily.
When a program writes more data into a buffer than the buffer can hold, a buffer overflow occurs.
Since the buffer is full, the excess data spills into the adjacent memory locations and overwrites whatever is stored there.
This overwriting can cause many problems, such as programs behaving unpredictably, memory access errors, crashes and incorrect results.
Attackers exploit this to trigger a response that damages files or changes the execution of the program, for example by overwriting a saved return address so that it points at attacker-supplied code.
What are the different types of buffer overflow attacks?
Stack Overflow Attack
• This is one of the oldest methods used by attackers.
• In this attack, the program writes more data into a stack-allocated buffer than the space allocated for it.
• The extra data is written onto the program's stack, corrupting data (including saved return addresses), crashing the program, or making it operate incorrectly.

Heap Overflow Attack
• A heap overflow occurs in a buffer that was allocated dynamically with a routine such as malloc(); when it overflows, adjacent heap memory (other allocations and the heap's own metadata) is overwritten.
• Attackers use this to crash programs or to gain control of execution.

Integer Overflow Attack
• When an arithmetic operation gives a result too large for the integer type, the value wraps around because the integer has a fixed capacity.
• If the wrapped integer is then used as a buffer size or in a length check, the check passes with a value that is far too small and a buffer overflow follows; hence the name Integer Overflow Attack.

Unicode Overflow Attack
• Unicode is an encoding method like ASCII. The difference is that ASCII covers only English characters, while Unicode covers almost every written language.
• Because of this, Unicode characters take more bytes than the largest ASCII character. When a program sizes its buffer for ASCII but the user supplies Unicode characters, the converted data exceeds the buffer and a Unicode overflow occurs.
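The integer overflow variant above is the one whose logic can be shown safely without a crashing program: the vulnerable length check is the sum `header_len + payload_len` computed in 32-bit arithmetic, exactly as a C `uint32_t` would compute it. The following added example (written for this page, not code from the original slides) models that check with explicit 32-bit wraparound beside an overflow-safe check. The record format, buffer size and header length are assumptions made for the demonstration.

```python
"""Integer-overflow-driven buffer overflow, modelled in Python.

C code that reads a length-prefixed record often checks
    if (header_len + payload_len <= buf_size) memcpy(buf + header_len, src, payload_len);
with 32-bit unsigned arithmetic. A payload_len close to 2^32 makes the sum wrap to a
small number, the check passes, and memcpy then writes far past the buffer.
"""
import struct

MASK32 = 0xFFFFFFFF
BUF_SIZE = 4096
HEADER_LEN = 16          # assumed fixed header reserved at the start of the buffer


def wrapping_check(header_len: int, payload_len: int, buf_size: int = BUF_SIZE) -> bool:
    """The vulnerable check: the sum is reduced modulo 2^32 like a C uint32_t."""
    total = (header_len + payload_len) & MASK32
    return total <= buf_size


def safe_check(header_len: int, payload_len: int, buf_size: int = BUF_SIZE) -> bool:
    """Overflow-safe form: compare against the remaining space instead of adding,
    so no intermediate value can wrap."""
    if header_len > buf_size:
        return False
    return payload_len <= buf_size - header_len


def copy_record(header_len, payload_len, buf_size=BUF_SIZE, checker=wrapping_check):
    """Return the number of bytes the copy would write, or None if the check rejects it.

    The copy itself uses the untruncated lengths, as the C original does, so a
    return value larger than buf_size means memory past the buffer is overwritten.
    """
    if not checker(header_len, payload_len, buf_size):
        return None
    return header_len + payload_len


def parse_and_copy(blob: bytes, checker=wrapping_check):
    """Constructed wire format: 4-byte big-endian payload length, then the payload."""
    (payload_len,) = struct.unpack(">I", blob[:4])
    return copy_record(HEADER_LEN, payload_len, checker=checker)


if __name__ == "__main__":
    hostile = struct.pack(">I", 0xFFFFFFF8) + b"A" * 8   # declared length wraps to 8
    print("vulnerable copy length:", parse_and_copy(hostile))               # 4294967304
    print("safe check result:", parse_and_copy(hostile, checker=safe_check))  # None
```

The fix is the pattern compilers cannot insert for you: never validate a sum, validate the operand against the space that remains. Languages with bounds-checked slices make the copy itself fail safely, but the wrapped length is still a logic bug worth catching before it reaches the copy.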
How to detect this attack?
How to Prevent Buffer Overflows?
Developers can prevent these attacks by writing more secure code: bounding the number of bytes of input that may be written into a buffer, using safe copying APIs, and using languages that offer built-in protection such as bounds checking.
For example, if a maximum of 4 bytes of data is expected from the user, then only 4 bytes should be written into the buffer; this is done by limiting the input data to that size before copying it.
Nowadays, operating systems also provide runtime protection. The main mechanisms are:

Address space layout randomization (ASLR)
• ASLR is a technique in which the OS randomly moves the locations of the stack, heap, libraries and other data regions in the address space, so that an attacker cannot predict where injected code or useful addresses are.

Data execution prevention (DEP)
• The operating system marks memory regions such as the stack and heap as non-executable.
• This prevents the attack from running code placed in those non-executable areas, so the attack fails.

Structured exception handler overwrite protection (SEHOP)
• The Structured Exception Handler (SEH) is a built-in Windows mechanism that manages hardware and software exceptions.
• SEHOP verifies the integrity of the SEH chain before an exception is dispatched, so malicious code that has overwritten an exception handler record is not executed.
Points to remember
• SQL Injection, also known as SQLi, is an attack on applications that use Structured Query Language. Attackers exploit vulnerabilities in how SQL queries are built to gain information from the database.
• SQL injection can be prevented by writing clean and secure code, using prepared statements, stored procedures and triggers wherever possible, and granting only the required privileges.
• A buffer overflow occurs when more data than the buffer's size is written to it. The buffer overflows and adjacent memory locations are overwritten with the extra data.
• It is mainly used to crash systems (or to hijack execution) and can be prevented by writing code that allows only a limited amount of data and by using modern operating system protections.
Chapter 3
Topic 6
6 Phishing
What is Phishing?
In simple terms, phishing is a cybercrime in which an attacker pretends to be a legitimate party in order to obtain information from the user.
In this attack, the attacker contacts the user through email, telephone or text messages, or through links and websites, to obtain sensitive data such as banking and credit card details, passwords and personally identifiable information.
The attacker impersonates a legitimate individual or organisation that the victim trusts.
Phishing techniques: web-based delivery, spear phishing, link manipulation, smishing (SMS phishing), vishing (voice phishing), content injection, session hijacking, malvertising, and malware delivered through phishing (ransomware, keyloggers, Trojans).
Common Phishing Scams – Can you guess?
Email Phishing Scams
Website Phishing Scams
Preventive Measures
• To avoid falling for these scams you first need to know that they exist and how they work, so keep yourself and the people in your organisation informed about such attacks.
• Do not click on links in unsolicited emails or messages or on untrusted websites. Make a habit of hovering over links to see which page they will actually take you to.
• Look at the salutation and the way your name is used in the email to judge whether it really comes from a trusted source.
• Modern browsers offer anti-phishing toolbars or built-in protection. These consult lists of known phishing sites and alert you if you land on one.
• When submitting important information such as credit card details, make sure the website is secured, i.e. the address starts with "https" and not "http", and check for the closed-lock icon near the address bar. Note that HTTPS only proves the connection is encrypted, not that the site is genuine; phishing sites can also use HTTPS, so check the domain name too.
• Do not download files from untrusted or unknown email addresses and websites, as these files can contain viruses and other malware.
• Check your monthly statements carefully to make sure that no unknown transactions have been made.
• Browsers release security patches often to close loopholes or add security. Attackers can exploit these loopholes if you do not update your browser, so keep it updated.
• Antivirus software guards your computer against known malware and loopholes. It scans files and alerts you if a file is infected, so use antivirus software to protect your computer.
• Firewalls act as buffers between your PC, your browser and intruders. Use a software or hardware firewall according to your needs; they reduce the odds of phishers messing with your network or computer.
• Use browsers that allow you to block pop-ups. If you still get a pop-up, close it with the small "x" in the upper right corner and do not click "cancel", as that button can take you to another phishing site.
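The advice above to hover over links and inspect the domain can be automated for a mail gateway or a training exercise. The following added example (written for this page, not code from the original slides) extracts the anchors from an HTML email and applies the link-manipulation heuristics the text describes: visible text that names one domain while the href goes to another, a brand name used as a subdomain of an unrelated site, IP-literal hosts, plain http, userinfo before an "@", and punycode labels. The sample email, the `TRUSTED_BRANDS` list and the two-label approximation of a registrable domain are assumptions made for the demonstration.

```python
"""Heuristic phishing-link checker for HTML email bodies."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed list of the organisation's own domains (or brands it expects to see).
TRUSTED_BRANDS = {"paypal.com", "example-bank.com"}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). A production tool uses the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_link(href: str, text: str):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    u = urlsplit(href)
    host = (u.hostname or "").lower()
    if u.scheme == "http":
        findings.append("plain http")
    if u.username is not None:
        findings.append("userinfo before @ hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("IP literal host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homograph)")
    # Visible text that is itself a URL or domain should point where it says.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        findings.append(f"text says {m.group(1)} but href goes to {host}")
    # A trusted brand appearing inside the host of an unrelated registrable domain.
    for brand in TRUSTED_BRANDS:
        if brand in host and registrable_domain(host) != brand:
            findings.append(f"{brand} used as a subdomain of {registrable_domain(host)}")
    return findings


def scan_html(html: str):
    """Return [(href, text, findings)] for every link in the email body."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return [(href, text, analyse_link(href, text)) for href, text in parser.links]


# Constructed sample email; the hosts are documentation/example addresses, not real sites.
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p>Please <a href="http://198.51.100.23/login">verify your account</a>.</p>
<p>Or visit <a href="https://paypal.com.secure-login.example/">https://www.paypal.com/</a></p>
<p>Legit: <a href="https://www.example-bank.com/statements">View statements</a></p>
<p><a href="https://xn--pypal-4ve.com/">PayPal</a></p>
"""

if __name__ == "__main__":
    for href, text, findings in scan_html(SAMPLE_EMAIL_HTML):
        print(f"{href!r} ({text!r}): {findings or 'ok'}")
```

Heuristics like these are for triage, not a verdict: a genuine newsletter that links through a tracking domain trips the text-vs-href check, while a phishing page on a freshly registered plain domain trips none of them, which is why the browser's reputation lists remain the main control.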
6 Identity Theft
Identity Theft
1. Identity theft refers to stealing someone's identity.
2. With small pieces of information such as your address, occupation, name, gender, credit card number, etc., an attacker can do a lot of damage to you.
3. Using this data, the attacker can open a number of credit cards in your name without your knowledge. They can also use the information for other purposes.
4. It becomes very difficult to prove to banks that your identity was stolen, and even if you prove your point, the damage will already have been done by then.
Types of Identity Theft
Financial Identity Theft
• Financial identity theft refers to identity theft used for financial gain.
• It is also known as bank fraud and is discovered when the victim notices a change in their credit history, finds new accounts in their name, or is contacted by banks.
Identity Cloning and Concealment
• In this type, attackers use the personal information they have collected to live as that person in order to conceal themselves from the authorities.
• They use this information to avoid being arrested and to move from one place to another.
• A cloned identity is usually only detected when the authorities find the impostor.
Criminal Identity Theft
• Criminal identity theft refers to a criminal identifying himself or herself as another individual to the police.
• They can use this to obtain a state-issued ID or a fake ID.
• The victim may be arrested in some cases, for example for traffic violations committed by the impostor.
Synthetic Identity Theft
• As the name suggests, synthetic identity theft uses identities that are partially or entirely fabricated.
• That is, a fake name and date of birth are combined with a real address and driving licence number.
• These synthetic IDs are then used by attackers to obtain credit from creditors.
• Victims are affected only when their real details are confused with the synthetic identities.
Medical Identity Theft
• An identity thief uses information such as a person's name and/or existing insurance to obtain medical services or goods so that their own name does not appear on the records.
• This is done without the victim's knowledge and results in fake medical records or errors in existing records.
• Since it is used for medical purposes, it is known as medical identity theft.
Techniques for identity theft
Skimming
• A special reading device (skimmer) is attached to an ATM or card terminal to steal credit/debit card numbers.
• The device reads the card details from the magnetic stripe on your card.
Dumpster Diving
• The attacker goes through trash to obtain personal information.
• They look for bills, credit cards, bank statements and other documents.
• So make sure you shred documents properly before throwing them away.
Old-fashioned stealing
• Attackers also use traditional theft.
• They target purses, wallets, bank statements, personal records, medical records, cheques, tax information, etc. to obtain sensitive information.
Phishing
• Attackers use fraudulent websites, spam mails, messages or pop-up messages to make you reveal sensitive information.
• Phishing is one of the biggest threats and can be avoided by taking proper precautions.
Shoulder surfing
• Watching over your shoulder during transactions you make in public allows attackers to collect information such as PINs and passwords.
• This information is then used by the attacker for their own purposes.
Victim research
• Attackers check internet search engines, public records, social media accounts and government registers to research the victim.
• They then use this information against the victim.
Computer identity theft
• The attacker uses the victim's computer to gain personal information.
• They can use viruses, keyloggers, etc., or hack the computer to get the information.
Employment scams
• Attackers create a bogus job vacancy and advertise it.
• Job seekers are required to fill in personal information to apply.
• So always check properly before giving personal information to anyone.
Social networking
• Attackers use social networking sites.
• Since people often post personal information on social networking sites, it becomes easier for attackers to steal it and commit fraud.
Preventive Measures
• Protect sensitive materials such as photocopies of important documents, bank statements, insurance forms, medical statements, etc. by shredding or tearing them before disposal.
• Periodically check your bank and credit card statements.
• Do not throw credit, debit or ATM card receipts away in public or leave them lying around. Dispose of them properly.
• Keep your sensitive documents and personal information locked away from roommates, maids or workers in the house.
• Only carry the cards you need (PAN, Aadhaar, credit, debit, etc.).
• Never provide sensitive information on social media or any website unless you are sure it is secure.
• Never give personal information over the phone, by mail or over the internet in response to unsolicited requests.
• Change your passwords regularly.
• Protect the identity information stored on your computer by using a firewall, a secure browser, antivirus software, etc.
• Keep your mobile phone, laptop and other devices password-protected and only use Wi-Fi from a legitimate source.
• Do not use a public network when transferring any important information.
Points to remember
• Phishing is a cybercrime in which an attacker pretends to be a legitimate entity to obtain information from the user.
• Emails and websites are very often used by attackers for conducting phishing attacks, hence email and website scams are popular among attackers.
• Identity theft is stealing someone's identity and pretending to be that person.
• In the modern era identity theft is usually done using phishing, and the best protection is not publishing or giving sensitive information to anyone else.
Chapter 3
Topic 7
7 Attacks on Wireless Networks
What are Wireless Network Attacks?
Wireless network attacks are attacks carried out on wireless networks such as Wi-Fi.
Every network system has vulnerabilities and loopholes that attackers use.
If the network is attacked, data can leak and adversaries or unauthorised users can misuse, modify or delete it.
So the security of this confidential data is extremely important.

Wireless network attacks covered in this topic: rogue access point, jamming/interference, evil twin, packet sniffing, WEP attacks, WPS attacks, man in the middle attack, session hijacking, war driving, bluejacking, bluesnarfing and the initialization vector (IV) attack.
Rogue Access Points
A rogue access point is an access point added to the network without the knowledge of the owner or administrator.
This creates a backdoor into the network, because whoever added the access point can reach the internal network through it.
This can be prevented by periodically scanning for unknown access points and by having network access control on the network.
802.1X network access control can be used to authenticate devices before they are allowed onto the network.
This will not stop people from plugging in an access point, but the access point (and the devices behind it) will always have to authenticate before getting access.
Jamming/Interference
Wireless interference is used to disrupt or jam a network.
Interference can be created deliberately with a jammer, or accidentally by devices such as a Bluetooth headset, a microwave oven or a cordless phone that share the same radio band.
Because of the interference, transmitting and receiving wireless signals becomes difficult.
A spectrum analyser helps narrow down what is causing the jamming.
Software can also be used to examine the traffic on the network.
Boosting the power of existing access points and changing channels or frequencies can also help reduce the effect of jamming.
Evil Twin
The attacker sets up a wireless access point and configures it to look exactly like an existing legitimate access point (same network name and, usually, the same security settings).
The attacker then positions it, or boosts its signal, so that it overpowers the legitimate access points and clients connect to it as their primary access point.
Now the attacker can see all the data transmitted in and out through the rogue access point.
Encrypting data end to end (for example with TLS or a VPN) is one technique that protects against evil twin attacks.
Because of the encryption, even if the attacker captures the data, he or she will not be able to read or understand it.
Packet Sniffing
Packet sniffing refers to capturing packets from the network; on Wi-Fi they are captured directly from the air.
Capturing the packets enables the attacker to see the information in them.
Packet sniffing works because wireless is a shared medium: a network card in monitor mode passively receives every frame within range without transmitting anything, so the sniffing is silent and cannot be noticed on the network.
For this reason it is important to send encrypted information across the network.
Encryption such as WPA2 or WPA3 at the link layer, together with application-layer encryption such as TLS, can be used to prevent disclosure of the actual information.
WEP Attacks
WEP attacks exploit weaknesses in the WEP encryption method: RC4 with a static shared key and a short 24-bit initialization vector.
The attacker captures WEP-encrypted packets and, in the active variants, replays or modifies packets to make the network generate more traffic.
For example, a device on the network rejects a modified packet and sends back an encrypted response; this response is compared with the captured packet to recover keystream and, with enough packets, the key itself.
WEP is a very poor method for encrypting data and is considered broken.
Use other encryption techniques (WPA2 or WPA3) to avoid disclosing information.
WPS attacks
WPS attacks occur when Wi-Fi Protected Setup (WPS) is enabled on an access point with a poor implementation.
The attack becomes very dangerous when the attacker uses WPS PIN-guessing tools against the network: the eight-digit PIN is verified in two halves, so only about 11,000 guesses are needed instead of 100 million.
Once the PIN is recovered, the access point hands over the WPA passphrase, which can be used to gain access to data and information on the network.
This flaw can be avoided by disabling WPS (or at least its PIN method), or by using an implementation that rate-limits and locks out after failed attempts, which prevents the attacker from retrieving the password.
Man In The Middle Attacks (MITM)
Man-in-the-middle attacks compromise the confidentiality and integrity of messages on the network.
In this attack, the attacker places himself or herself between the user and the genuine access point.
To the access point the attacker appears as the user, and to the user the attacker appears as the access point.
This way the attacker can see the information passing through the network and can read or modify it.
The attacker can also insert malware into the packets, or drop the traffic to stop communication on the network.
Session Hijacking
As the name suggests, in session hijacking the attacker hijacks a session, i.e. takes control of the whole session, typically by stealing or predicting the session token.
This attack is similar to a MITM attack, as here too the victim is attacked indirectly.
The victim may see that the session is no longer responding, even though it is still in operation under the attacker's control.
From this position the attacker can exploit data, gain information, or use the session for malicious purposes.
This attack happens in real time and it affects integrity.
War driving
This technique is used by attackers to find access points wherever they are.
It is done by driving around in a vehicle with a Wi-Fi-capable device and GPS.
Attackers can also use special software to list all the access points near a given location.
Information about all the discovered access points is stored and used to find open, weak or unknown access points.
With this information, the attacker can connect to the wireless network more easily, or use unused or open access points to conduct other attacks.
Bluejacking
Bluejacking refers to Bluetooth jacking.
In this attack, the attacker sends unsolicited messages to other devices via Bluetooth, typically as a contact or business card. It is more of a nuisance than a data theft, but it can be used to deliver phishing messages.
Bluejacking is limited to a distance of about ten metres because of the range of a typical Bluetooth device.
Since mobile phones nowadays contain Bluetooth for easy file transfer between two devices, it has become much easier to conduct this kind of attack.
Bluejacking can be carried out using specific software.
Bluesnarfing
Bluesnarfing refers to Bluetooth snarfing.
This attack is totally different from bluejacking.
In this attack, the attacker steals information from a Bluetooth-enabled device.
A Bluetooth-enabled device that is left discoverable or connected is vulnerable, and this vulnerability is used to get information such as contacts, images, etc.
This creates a serious security threat.
Initialization Vector (IV) attack
• The Initialization Vector attack is also known as an IV attack.
• In this attack, a wireless packet carrying an encrypted Initialization Vector is modified during transmission.
• This enables the attacker to obtain information about the plaintext and derive another encryption key.
• This key is then used to decrypt other packets in the network that use the same Initialization Vector.
• Using such decryption keys, the attacker can build a decryption table.
• This decryption table can then be used to decrypt every packet transmitted through the network.
122
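The keystream-reuse property behind the IV attack above, as an added example that is not part of the original slides: a toy stream cipher with a constructed key and IVs shows that once the keystream for one IV is recovered from a packet whose plaintext is known, every other packet sent under the same IV decrypts without the key, while a packet under a fresh IV does not. This is why a short, repeating IV space is fatal for a stream cipher and why the preventive measures that follow insist on WPA2 rather than WEP.

```python
import hashlib
from itertools import count
from typing import Dict, Optional

# Toy stream cipher standing in for WEP's RC4 (constructed for this example;
# it is not RC4 and not secure). It models the one property the slide relies
# on: the same key and IV always produce the same keystream.
def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out = bytearray()
    for block in count():
        out += hashlib.sha256(key + iv + block.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))

def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    # An observer who knows the plaintext of one packet (e.g. a predictable
    # header) learns the keystream for that IV without ever learning the key.
    return xor_bytes(ciphertext, known_plaintext)

def decrypt_with_table(table: Dict[bytes, bytes], iv: bytes, ciphertext: bytes) -> Optional[bytes]:
    # The "decryption table" of the slide: IV -> recovered keystream.
    ks = table.get(iv)
    if ks is None or len(ks) < len(ciphertext):
        return None  # no keystream known for this IV (or not enough of it)
    return xor_bytes(ciphertext, ks)

def demo() -> dict:
    key = b"constructed shared key"  # never seen by the observer
    p_known = b"constructed known header: 0123456789abcdef"  # 42 bytes, constructed
    p_secret = b"constructed secret payload: 4e5f6a7b"  # 36 bytes, constructed
    iv_reused, iv_fresh = b"\x00\x00\x01", b"\x00\x00\x02"  # 24-bit IVs, as in WEP
    c_known = encrypt(key, iv_reused, p_known)
    c_secret = encrypt(key, iv_reused, p_secret)  # the AP reused the IV
    table = {iv_reused: recover_keystream(c_known, p_known)}
    c_fresh = encrypt(key, iv_fresh, p_secret)  # unique IV: table has no entry
    return {
        "recovered": decrypt_with_table(table, iv_reused, c_secret),  # equals p_secret
        "fresh": decrypt_with_table(table, iv_fresh, c_fresh),  # None
    }
```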
Tools used for Wireless Network attacks

Aircrack
• Aircrack analyses packets captured from the network to crack passwords.
• It is mainly used as an 802.11 WEP and WPA-PSK key cracking tool.
• This tool is much faster and more efficient, but a bit difficult to understand.

AirSnort
• AirSnort is a free and popular tool when it comes to password cracking.
• This tool can crack WEP keys of Wi-Fi 802.11b networks using computation based on regularly monitored transmissions and captured packets.

Kismet
• Kismet is a free tool used as a Wi-Fi 802.11 a/b/g/n layer 2 wireless network sniffer and intrusion detection system.
• It captures packets continuously to detect standard and hidden networks.
• It is mainly used for Wi-Fi troubleshooting.

Cain & Abel
• Cain & Abel is a tool used to intercept network traffic.
• This is done by analysing the routing protocols of the wireless network.
• This tool is used for WEP cracking as well as password cracking using brute force.

Wireshark
• Wireshark is a network protocol analyser that captures live packets from the network.
• To use this tool, one must have knowledge of networks and the protocols used in wireless networking.

Fern Wi-Fi Wireless Cracker
• This tool checks the network to see real-time traffic and identify hosts.
• It can crack WEP/WPA/WPS keys, perform network-based and Ethernet-based attacks, and uses dictionary-based attacks for WPA/WPA2 password cracking.

Airjack
• Airjack is a Wi-Fi 802.11 packet injection tool and wireless cracking tool.
• This tool can send forged packets into the network and flood it to perform a DoS attack.
• It is also used for MITM attacks and is therefore powerful and popular among users.

NetStumbler
• NetStumbler verifies network configurations, finds open access points and unauthorised access points, is used for war driving, finds poor networks and can do much more.
• Due to all these features, this tool is very useful for learning purposes.
123
Preventive Measures
• Keep your router in the centre. This not only distributes the network evenly, but also ensures that the signal degrades beyond the walls.
• If central placement of the router is not possible, try to use directional antennae.
• Use tools to adjust the signal so that it is minimal beyond the walls, and measure how far your network reaches using these tools.
• Apply WPA2 security and turn off WPS. This makes your network harder for attackers to break into.
• A firewall is important for the security of a wireless network. Use firewalls according to your needs and requirements, and make sure the firewall is enabled for all your access points.
• Do not use open networks. If you really need to use public Wi-Fi or an open network, use a VPN; setting up a VPN on your devices adds additional security.
• Make sure you use strong passwords. Long passwords with a mix of upper- and lower-case letters, numbers and symbols are stronger. Do not reuse the same password anywhere.
• Change your admin login credentials. Do not use admin/password, admin/admin123, etc., and do not use the default password.
• Take backups of your data regularly. If your network is ever attacked and data is modified or deleted, a backup saves you.
• Use security applications such as anti-virus, anti-malware, etc. to keep your system safe, and use only authorised security applications.
• Keep your system up to date. Check for AP firmware updates, as they may contain patches for security flaws.
124
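The configuration-level checks from the preventive measures above (WPA2, WPS off, non-default admin credentials, strong and non-reused passwords, firewall on, current firmware), as an added example that is not part of the original slides: an audit function run over a constructed weak access-point configuration and a constructed hardened one. The field names are hypothetical and belong to no real router firmware, and the 12-character minimum is an assumption (the slide says only "long passwords").

```python
import re

# Admin credentials the slide names as unacceptable.
KNOWN_BAD_ADMIN_CREDS = {("admin", "password"), ("admin", "admin123"), ("admin", "admin")}

def password_issues(pw: str, label: str) -> list:
    issues = []
    if len(pw) < 12:  # assumed minimum; the slide only says "long"
        issues.append(f"{label} password is shorter than 12 characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, pw)) for c in classes) < 4:
        issues.append(f"{label} password lacks a mix of upper/lower case, digits and symbols")
    return issues

def audit_ap(cfg: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if cfg.get("security") not in ("WPA2", "WPA3"):  # WPA3 is WPA2's newer successor
        findings.append(f"security mode {cfg.get('security')!r}; use WPA2")
    if cfg.get("wps_enabled"):
        findings.append("WPS enabled; turn it off")
    creds = (cfg.get("admin_user"), cfg.get("admin_password"))
    if creds in KNOWN_BAD_ADMIN_CREDS or cfg.get("admin_password_is_default"):
        findings.append("default or well-known admin credentials in use")
    findings += password_issues(cfg.get("wifi_password", ""), "Wi-Fi")
    findings += password_issues(cfg.get("admin_password", ""), "admin")
    if cfg.get("admin_password") == cfg.get("wifi_password"):
        findings.append("same password reused for admin login and Wi-Fi")
    if not cfg.get("firewall_enabled"):
        findings.append("firewall disabled on the access point")
    if cfg.get("firmware_version") != cfg.get("latest_firmware_version"):
        findings.append("AP firmware is not at the latest available version")
    return findings

# Constructed configurations (hypothetical field names, not any vendor's).
WEAK_CFG = {"security": "WEP", "wps_enabled": True,
            "admin_user": "admin", "admin_password": "admin123",
            "wifi_password": "admin123", "firewall_enabled": False,
            "firmware_version": "1.0.2", "latest_firmware_version": "1.0.5"}
HARDENED_CFG = {"security": "WPA2", "wps_enabled": False,
                "admin_user": "netops", "admin_password": "Tq7!vRk2#pLm9wZs",
                "wifi_password": "Gx4$hN8&bVc1@uYe", "firewall_enabled": True,
                "firmware_version": "1.0.5", "latest_firmware_version": "1.0.5"}
```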
Points to remember
• Wireless network attacks are attacks conducted on wireless networks by exploiting their vulnerabilities.
• Jamming/interference, packet sniffing, man-in-the-middle, evil twin and session hijacking are some of the most common wireless network attacks.
• Securing a wireless network is essential and can be done by using firewalls, setting up a VPN, avoiding open networks and taking other precautions.
125
