Ethical

The document provides an introduction to ethical hacking, covering key concepts such as security, risk, and the CIA triad (Confidentiality, Integrity, Availability). It outlines various types of hacking technologies and attacks, including phishing, malware, and DDoS attacks, as well as the phases of ethical hacking, from reconnaissance to clearing tracks. Additionally, it discusses the different classes of hackers (White Hat, Black Hat, Grey Hat) and the skills required for ethical hacking.

Uploaded by

deva maurya

UNIT-1 INTRODUCTION

Q.1 Terminology of Ethical Hacking


A. Security: A primary focus of information security is the balanced protection of
the confidentiality, integrity, and availability of data while maintaining a focus on
efficient policy implementation, all without compromising organization productivity.
Information security, sometimes abbreviated as InfoSec, is the practice of preventing
unauthorized access, use, disclosure, disruption, modification, inspection, recording,
or destruction of information.

B. Risk: Risk is defined as the possibility or chance that a danger may materialize or
occur. It consists of three main components: threats, vulnerabilities, and assets.

1. Asset: An asset is anything of economic value that belongs to a person,
organization, or corporation. Real assets include things like servers, routers, hard
drives, and laptops; virtual assets include things like formulas, databases,
spreadsheets, and processing time. Whichever type of asset is discussed, the
organization may incur financial losses if it is lost, damaged, or compromised. The
first and most crucial step in the risk analysis process is identifying the assets.

2. Threat: A threat is any agent, circumstance, or situation that has the potential to
cause harm or loss to an IT asset. Threats can be many different things, and they are
not always easy to identify. A threat in cyber security is any potential danger that
can harm a computer system, network, or data. It can come from different sources,
including hackers, malicious software, system vulnerabilities, or even human
mistakes.

3. Vulnerability: The term "vulnerability" refers to any weakness, such as a software
flaw or a logic design error, that could be used by a threat to cause harm to an asset. The
job of penetration testers is to find these weaknesses and try to exploit them. It
is important to keep in mind that just because a vulnerability exists, it does not always
mean that there is a risk involved.

C. Confidentiality, Integrity, Availability


The CIA Triad is a fundamental model in cyber security that ensures the security
and integrity of data and information systems. The three core principles of the CIA
Triad are Confidentiality, Integrity, and Availability.
1. Confidentiality: Confidentiality ensures that only authorized individuals or systems can
access sensitive information. This principle is important for protecting personal, financial,
and business data from hackers, unauthorized users, or even insider threats. To protect
confidentiality, various security measures are used, such as: Encryption, Access Control,
Data Masking, Steganography, and Network Security Measures.

2. Integrity: Integrity ensures that data remains accurate, consistent, and unaltered by
unauthorized individuals. This means that information should not be changed, modified, or
deleted in an unauthorized or accidental manner. To maintain integrity, organizations use:
Checksums & Hashing, Digital Signatures, Data Backups

3. Availability: Availability ensures that data, applications, and IT resources are accessible
when needed by authorized users. If systems go down due to cyber-attacks, hardware
failures, or natural disasters, it can disrupt business operations and cause financial losses. To
ensure availability, organizations implement: Redundant Systems & Backups, Disaster
Recovery Plans, Load Balancing, DDoS Protection.
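The following Python script is an added example (not part of these notes) showing the checksum-and-hashing integrity control from point 2 in practice: it records a SHA-256 digest for every file, reports files that were modified, removed or added since the baseline, and protects the baseline itself with an HMAC so that an attacker who can rewrite a file cannot also rewrite its expected digest. The file contents and the key are constructed for the demonstration.

```python
"""Added example: file-integrity baseline (SHA-256 per file) plus an HMAC
over the baseline. The sample files below are constructed inline."""
import hashlib
import hmac
from typing import Dict

# Constructed stand-in for files on disk: path -> contents.
SAMPLE_FILES: Dict[str, bytes] = {
    "config/app.ini": b"debug=false\nlisten=0.0.0.0:8443\n",
    "bin/service": b"\x7fELF constructed binary contents",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one digest per path; this is the trusted reference state."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify(files: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, str]:
    """Compare current contents with the baseline.

    Returns a status per path: 'ok', 'modified', 'missing' (in the baseline
    but gone) or 'unexpected' (present but never baselined).
    """
    report: Dict[str, str] = {}
    for path, expected in baseline.items():
        if path not in files:
            report[path] = "missing"
        elif hmac.compare_digest(sha256_hex(files[path]), expected):
            report[path] = "ok"
        else:
            report[path] = "modified"
    for path in files:
        if path not in baseline:
            report[path] = "unexpected"
    return report


def sign_baseline(baseline: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over the sorted manifest: without the key, an attacker
    cannot silently replace a digest in the baseline to hide a change."""
    manifest = "\n".join(f"{p} {d}" for p, d in sorted(baseline.items())).encode()
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def baseline_is_authentic(baseline: Dict[str, str], key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice the key lives off the monitored host
    baseline = build_baseline(SAMPLE_FILES)
    tag = sign_baseline(baseline, key)
    tampered = dict(SAMPLE_FILES)
    tampered["config/app.ini"] = b"debug=true\nlisten=0.0.0.0:8443\n"
    del tampered["bin/service"]
    tampered["bin/.hidden"] = b"dropped file"
    print("baseline authentic:", baseline_is_authentic(baseline, key, tag))
    for path, status in verify(tampered, baseline).items():
        print(f"{status:10s} {path}")
```

The HMAC step is what turns a plain checksum list into an integrity control: a digest alone only detects accidental change, while a keyed tag over the manifest also detects an attacker who edits both the file and its recorded digest.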

Q.2 Hacking Technology Types (Types of Hacking or Types of Attack)

Hacking technologies refer to the various tools, techniques, and methods used by
hackers to exploit vulnerabilities in systems, networks, and applications. These
technologies can be used for both ethical (legal) and unethical (illegal) hacking.

1. Phishing Attacks: A phishing attack is one of the most common ways hackers
trick people. It works by pretending to be a trusted source, like a bank, social media
platform, or well-known company, to steal personal information. The theory behind
phishing is based on social engineering, which means manipulating people into revealing
confidential details. For example, if you receive an email that looks like it's from your
bank, saying your account has been locked and you need to click a link to unlock it, you
might panic and enter your login details. However, the website is fake, and the hacker
now has your password. Prevention: Be cautious of suspicious emails, verify the
sender, and avoid clicking on unknown links.

2. Malware Attacks: A malware attack is when harmful software is installed on your
device without your knowledge. The theory behind malware is that it exploits security
weaknesses in your system to steal, damage, or take control of your data. Malware can
come in many forms, such as viruses that spread by attaching themselves to files,
trojans that disguise themselves as useful programs but secretly harm your device, and
ransomware that locks your files and demands money to unlock them. A common
example is downloading a free app that secretly installs spyware, which tracks
everything you type, including passwords. Prevention: Use antivirus software, avoid
downloading files from untrusted sources, and keep your system updated.

3. Distributed Denial-of-Service (DDoS) Attacks: A Denial of Service (DoS)
attack is when hackers flood a website or server with so much traffic that it becomes
slow or completely shuts down. The theory behind DoS attacks is that overwhelming a
system with too many requests makes it unavailable to real users. Imagine if someone
kept calling your phone nonstop, making it impossible for others to reach you. Hackers
use special programs to send thousands or millions of fake requests at once, causing
websites or online services to crash. In more advanced cases, multiple hacked
computers are used for this attack, which is then called a Distributed Denial of Service
(DDoS) attack. Prevention: Use firewalls, traffic filtering, and DDoS protection services.

4. Man-in-the-Middle (MITM) Attacks: A Man-in-the-Middle (MITM) attack
happens when a hacker secretly intercepts communication between two parties, like
between you and a website or between two devices. The theory behind this attack is that
by placing themselves between the sender and receiver, the hacker can listen to,
modify, or steal data without either side knowing. Imagine sending a letter to your friend,
but someone secretly takes it, changes its content, and then delivers it. This can happen
on public Wi-Fi networks if a hacker pretends to be the Wi-Fi provider, allowing them to
see all the information being exchanged. Prevention: Use encrypted connections
(HTTPS), avoid public Wi-Fi for sensitive tasks, and use VPNs.

5. SQL Injection (SQLi): A SQL Injection attack is a method hackers use to break
into websites by inserting malicious code into a database query. The theory behind this
attack is that websites with weak security don’t properly check user inputs, allowing
hackers to manipulate the database and access sensitive information. For example, if a
website has a login form, a hacker can enter a special code instead of a username and
password, tricking the website into granting access to all user data. This type of attack is
dangerous because it can expose personal information, such as usernames, passwords,
and even financial records. Prevention: Use input validation, parameterized queries,
and secure coding practices.

6. Brute Force attack: A Brute Force attack is when hackers try to guess passwords
by testing different combinations until they find the correct one. The theory behind this
attack is that many people use weak or common passwords, making it possible to guess
them using automated tools that try thousands of passwords per second. Imagine trying
every possible combination to unlock a suitcase with a number lock—eventually, you will
find the right one. Hackers use this method to break into online accounts, especially
when people use simple passwords like "123456" or "password."
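To make the SQL injection item in point 5 concrete, here is an added Python example (not from these notes) with the same login check written two ways: one that builds the query from strings and one that uses a parameterized query, run against a constructed in-memory SQLite table. Passwords are stored in clear only to keep the demonstration short; a real application stores salted password hashes.

```python
"""Added example: login check with and without parameterized queries.
Users and passwords below are constructed for the demonstration."""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse battery"), ("bob", "hunter2")],  # constructed
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Builds the SQL text by string formatting, so a quote character in the
    input changes the structure of the query instead of being treated as data."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterized query: the SQL text is fixed and the driver binds the
    input as values, so a quote in the input can only match a quote stored in
    the table."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    bypass = "x' OR '1'='1"
    # The formatted query becomes ... WHERE username = 'x' OR '1'='1' AND password = 'x' OR '1'='1'
    # which is true for every row, so the first user comes back without a password.
    print("vulnerable, injected:", login_vulnerable(conn, bypass, bypass))  # alice
    print("safe, injected:      ", login_safe(conn, bypass, bypass))        # None
    print("safe, real creds:    ", login_safe(conn, "bob", "hunter2"))       # bob
```

The point to take from the two functions is that input validation alone is a weaker defence than parameterization: `login_safe` needs no list of forbidden characters, because the query structure is fixed before any user data is seen.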

Q.3 Ethical Hacking Phases or CEH Scanning Methodology

1. Reconnaissance/Footprinting: The initial stage of ethical hacking, also
referred to as the footprinting and information gathering phase, is called
reconnaissance. Here, a hacker tries to collect various kinds of data, such as
employee information, IP addresses, network topology, and domain names, using
active and passive approaches. The purpose is to create a diagram of the target's
digital and physical assets. There are two primary types of footprinting:
  1. Passive Footprinting: Passive footprinting involves trying to obtain information
about the target without gaining direct access to it, through the use of social media, public
websites, and other public resources.
  2. Active Footprinting: Active footprinting is the process of directly engaging with the
target system, network, or organization to collect detailed information. This information
can include: IP addresses, open ports, running services, network topology, operating
systems, vulnerabilities.

2. Scanning: The second step in an ethical hacker's methodology is the scanning
phase, which involves applying all the knowledge gained during the reconnaissance
phase to the target in order to search for vulnerabilities. Hackers look for
information such as user accounts, credentials, IP addresses, and other details. There
are three different types of scanning:
- Port scanning: During this stage, the target is scanned for data such as open
ports, live systems, and other services active on the host.
- Vulnerability scanning: This scanning technique identifies a target's
vulnerabilities and weak points and attempts to exploit those bugs in various
ways. It is carried out using automated tools such as Netsparker, OpenVAS, Nmap,
and others.
- Network scanning: This method includes locating the organization's firewall and
other routers and networks to assist the hacker in their operations.
3. Gaining Access: In this phase, the hacker creates the blueprint for the target's
network using the data gathered in Phases 1 and 2. Now the hacker has all of the
information he requires, so he creates the network map and decides how to carry out
the attack. There are various alternatives, such as: phishing attacks, brute force
attacks, spoofing attacks, man-in-the-middle attacks, and DoS attacks.

4. Maintaining Access: An ethical hacker tries to hold onto access to the target
until they have finished the tasks they intend to finish in that target. If a hacker gains
access, they choose to keep it for future exploitation and attack. They may also plant
rootkits and Trojans on the organization's systems to carry out more network attacks.

5. Clearing Tracks: After gaining access, the hacker leaves no trace in order to
evade detection by the security team. They accomplish this by erasing all traces of
their activity, including cookies and cache, tampering with log files, and blocking all
open ports. This includes some of the methods an ethical hacker uses to hide and
remove their evidence, such as erasing or corrupting all logs, altering the values of
logs or registries, removing all of the folders they created, and uninstalling all of the
applications.

Q.4 Hacktivism
Hacktivism is a combination of the words "hacking" and "activism." It refers to the
use of hacking techniques to promote political or social causes. Hacktivists are
individuals or groups who use their technical skills to break into computer systems,
websites, or networks to send a message, raise awareness, or disrupt services in
support of their cause.

A. Hacker Classes:
Hacking refers to gaining unauthorized access to a system, network, or device.
However, not all hacking is illegal or harmful. Some hacking is done to improve
security, while other hacking is done for criminal purposes. Below are the different types of
hacking explained in an easy-to-understand way.

1. White Hat Hacking – Good Hacking
Ethical hacking is done by security professionals, called White Hat Hackers, to find
and fix security weaknesses before criminals can exploit them. Companies hire
ethical hackers to test their security systems and prevent cyber-attacks. Example: A
company hires a cyber-security expert to check if their website has any security
flaws. The hacker finds the weakness and helps fix it before a real hacker can attack.
2. Black Hat Hacking – Criminal Hacking
Black Hat hackers are cybercriminals who break into systems illegally to steal data,
cause harm, or spread viruses. They hack for personal gain, revenge, or to damage
organizations and individuals. Example: A hacker steals credit card information from
an online shopping website and sells it on the dark web.
3. Grey Hat Hacking – Between Good and Bad
Grey Hat hackers are in-between White Hat and Black Hat hackers. They may break
into systems without permission but do not cause harm. Instead, they report security
flaws to the owners or ask for money to fix them. Example: A hacker finds a
vulnerability in a bank's website, then informs the bank and asks for a reward. The
bank didn't give permission to hack, so it's still illegal.
B. Skills required for ethical hacker

To become an ethical hacker, you need a mix of technical knowledge, problem-solving
abilities, and a deep understanding of how cybercriminals think. Ethical
hacking is all about identifying security weaknesses in systems before malicious
hackers can exploit them.

Computer networking: Ethical hackers need to understand how data moves across
networks, how computers communicate, and how attackers exploit vulnerabilities in
network protocols. Learning about IP addresses, ports, firewalls, VPNs, and wireless
security is crucial because hackers often target networks to gain access to sensitive
data.

Operating system knowledge: Ethical hackers must be comfortable using
Windows, Linux, and macOS because each system has its own vulnerabilities. Linux,
especially distributions like Kali Linux, is widely used in ethical hacking because it
comes with powerful security testing tools. Knowing how to navigate file systems,
manage user permissions, and execute system commands is key to understanding
and preventing security risks.

Programming and scripting: Programming and scripting skills are also important.
Hackers often exploit software vulnerabilities, so ethical hackers need to understand
how software works. Learning languages like Python, C, C++, and JavaScript helps in
writing hacking scripts, automating security tasks, and analysing malicious code. SQL
is also useful because databases are a common target for attacks, such as SQL
injection.

Security tools and hacking techniques: To test and strengthen security, ethical
hackers use various security tools and hacking techniques. Tools like Nmap help in
scanning networks, Metasploit is used for testing exploits, and Wireshark allows
analysing network traffic. These tools help ethical hackers identify weaknesses and
suggest fixes before cybercriminals take advantage of them.

Cryptography and encryption: Another important area is cryptography and
encryption. Since sensitive data is often encrypted to protect it from hackers,
ethical hackers must understand how encryption algorithms work. They need to
know how data is securely stored, how encryption can be broken, and how to ensure
data remains protected.
Problem-solving and creativity: Apart from technical skills, problem-solving
and creativity are crucial. Hackers think outside the box to find ways into systems,
so ethical hackers must be equally creative in finding and fixing security weaknesses.
Since attackers are always developing new methods, ethical hackers must stay
updated with the latest cyber security trends, tools, and hacking techniques.

Continuous learning: Finally, ethical hacking is a field that requires continuous
learning. Technology keeps evolving, and new threats emerge every day. Ethical
hackers must stay informed by reading cyber security blogs, attending security
conferences, and participating in hacking competitions like Capture the Flag (CTF).
This helps them stay ahead of cybercriminals and keep systems secure.

Q.5 Methods of Information Gathering

1. Footprinting: The initial stage of ethical hacking, also referred to as the
footprinting and information gathering phase, is called reconnaissance. Here, a hacker
tries to collect various kinds of data, such as employee information, IP addresses,
network topology, and domain names, using active and passive approaches. The
purpose is to create a diagram of the target's digital and physical assets. There are
two primary types of footprinting:

  1. Passive Footprinting: Passive footprinting involves trying to obtain information
about the target without gaining direct access to it, through the use of social media, public
websites, and other public resources.

- Search Engine Information Gathering – Hackers use Google, Bing, or other search
engines to find company details, employee names, leaked credentials, and sensitive
files.
- Social Media Profiling – Information from LinkedIn, Twitter, Facebook, and other
platforms can reveal employees, job roles, and company operations.
- WHOIS Lookup – Used to find details about domain registrations, such as the owner's
name, contact information, and IP addresses.

  2. Active Footprinting: Active footprinting is the process of directly engaging with the
target system, network, or organization to collect detailed information. This information
can include: IP addresses, open ports, running services, network topology, operating
systems, vulnerabilities.

- Ping Commands – Used to check if a system is online and measure response time,
which helps in network mapping.
- Port Scanning – Identifies open ports and active services on a target system, using
tools like Nmap.
- Traceroute (Tracing Network Path) – Determines the path data packets take from
the hacker's computer to the target, revealing network infrastructure and security
devices.
- Email Tracking – Extracting information from email headers to find IP addresses, mail
servers, and recipient locations.

3. Tools Used for Footprinting

- Google Dorking – Advanced Google searches to find sensitive files.
- Shodan – A search engine for finding internet-connected devices like cameras, servers, and IoT devices.

2. Scanning
After gathering information through footprinting, the next step in hacking is scanning. Scanning is the
process of examining a target system, network, or website to find security weaknesses that can be
exploited. Scanning is used by both ethical hackers (to strengthen security) and black-hat hackers (to
find ways to attack).

There are three main types of scanning:

1. Network Scanning – Checking networks for live hosts, open ports, and connected devices.
2. Port Scanning – Identifying open ports and active services running on a target system.
3. Vulnerability Scanning – Looking for known weaknesses in systems, software, or networks.

Techniques of Scanning in Hacking

1. Network Scanning

Network scanning is a technique used to discover devices, services, and
vulnerabilities in a network. Ethical hackers, system administrators, and attackers
use network scanning to map a network, check for open ports, and identify
security risks.

How it works: Attackers send packets (small data requests) to different devices
and wait for a response. If a device responds, it means it is online and can be
explored further.

Tools for network scanning include Wireshark, Advanced IP Scanner, and Angry IP Scanner.

2. Port Scanning

Port scanning is a technique used to discover open ports and services on a
computer or network. Ethical hackers and cyber security professionals use port
scanning to find security weaknesses, while attackers use it to look for
vulnerabilities to exploit.

How it works: Hackers send requests to different ports on a target system. If the
port responds, it means it is open and can be attacked.

Tools Used: Nmap – Identifies open ports and running services. Netcat – Helps hackers test open
ports.

3. Vulnerability Scanning

Vulnerability scanning is a process used to find weaknesses in a system, network,
or software. These weaknesses could be outdated software, misconfigured
settings, or security flaws that hackers can exploit.

How it works: A hacker runs a vulnerability scanner that checks if the target
system is using outdated software, weak passwords, or unpatched security bugs.

Tools Used: Nessus – One of the best vulnerability scanners. OpenVAS – Open-source
vulnerability scanning tool.

3. Enumeration: Enumeration in ethical hacking is the process of actively
gathering information about a target system, network, or application. It is a crucial
step in penetration testing and is used by ethical hackers to discover usernames,
system resources, network shares, and other sensitive information.

Techniques of Enumeration
1. DNS Enumeration: This technique focuses on gathering information about a
target's Domain Name System (DNS) records. By querying a target’s DNS records, an
attacker can get information like IP addresses, mail servers, subdomains, and other
network infrastructure details. This information helps to map out the target’s
infrastructure and find entry points for further attacks.

2. NetBIOS Enumeration: NetBIOS is a legacy protocol used by Windows systems
for file sharing and communication between devices. NetBIOS enumeration is the
process of extracting detailed information from a system, such as usernames, share
names, and network resources, using the NetBIOS protocol. It can help an attacker
identify weak points in a network or unprotected files.

3. SNMP Enumeration: The Simple Network Management Protocol (SNMP) is used
to manage and monitor network devices like routers, switches, and servers. If not
properly secured, SNMP can allow attackers to enumerate device information such as
system configuration, network topology, and even passwords. Attackers use SNMP
enumeration to gain insights into network infrastructure and devices.

4. FTP Enumeration: File Transfer Protocol (FTP) enumeration is used to gather
information about FTP servers. This technique helps attackers identify the directories
and files shared by the FTP server, and it may even reveal login credentials if the
server is misconfigured or insecure. Attackers can exploit these vulnerabilities to
access sensitive files.

5. Whois Enumeration: Whois is a service that allows you to look up information
about the registration of a domain name. By performing a Whois query, an attacker
can gather administrative, technical, and contact information about the domain, such
as the owner's name, address, phone number, and more. This information can be
used for targeted attacks or to gather intelligence on a target organization.

Q.6 What is Email Tracking?

Email tracking is a technique used to monitor if and when someone opens an email, clicks on links inside
it, or interacts with attachments. It is commonly used in marketing, customer service, and cyber security
to understand how recipients engage with emails. However, hackers and cybercriminals also use email
tracking for phishing, spying, and malicious activities.

There are several ways email tracking works. One common method is embedding a tracking pixel, which
is a tiny, invisible image inside an email. When the recipient opens the email, the pixel loads from a remote
server, and the sender receives a notification that the email was read. Another method involves tracking
unique links in the email. If a recipient clicks on a link, the sender can track their activity and sometimes
even get access to their browsing behaviour.

To protect against email tracking, people often disable automatic image loading in their email settings,
use email privacy tools, or open emails in plain text mode. Some security-conscious users also use
temporary or anonymous email addresses to avoid being tracked.
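As an added example (not part of these notes), the Python script below checks the HTML body of a message for the two tracking methods just described: remote images that are tiny or hidden and carry a per-recipient token (tracking pixels), and links whose query string carries such a token. The message, the domains (the reserved example.* names) and the token-length rule are constructed assumptions for the demonstration.

```python
"""Added example: find tracking pixels and tracking links in an email body.
The sample message below is constructed."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

TOKEN_MIN_LEN = 16  # assumed: query values at least this long look like per-recipient IDs

SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, your statement is ready.</p>
<img src="https://mail.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.net/o.gif?rid=5f3a9c2e8b1d4e7f" width="1" height="1" style="display:none">
<img src="cid:inline-image-001" width="1" height="1">
<a href="https://track.example.net/c?rid=5f3a9c2e8b1d4e7f&u=1">View online</a>
<a href="https://www.example.com/help">Help</a>
</body></html>
"""


def _tiny(value) -> bool:
    """True for width/height attributes of 0 or 1 (with or without 'px')."""
    v = (value or "").strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v in ("0", "1")


def _has_long_token(url: str) -> bool:
    query = parse_qs(urlparse(url).query)
    return any(len(v) >= TOKEN_MIN_LEN for values in query.values() for v in values)


class TrackerFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, object]] = []

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs}
        if tag == "img":
            src = a.get("src") or ""
            if not src.lower().startswith(("http://", "https://")):
                return  # inline (cid:) and data: images do not contact a server on open
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("1x1 or zero size")
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden via CSS")
            if _has_long_token(src):
                reasons.append("long token in URL")
            if reasons:
                self.findings.append({"kind": "pixel", "src": src, "reasons": reasons})
        elif tag == "a":
            href = a.get("href") or ""
            if href.lower().startswith(("http://", "https://")) and _has_long_token(href):
                self.findings.append({"kind": "link", "href": href, "reasons": ["long token in URL"]})


def find_trackers(html: str) -> List[Dict[str, object]]:
    parser = TrackerFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in find_trackers(SAMPLE_EMAIL):
        print(f["kind"], f.get("src") or f.get("href"), ", ".join(f["reasons"]))
```

The logo image is not reported because it is a normal-sized remote image without a token; the cid: image is skipped because it is embedded in the message rather than fetched. A mail client that blocks remote images by default defeats the pixel regardless of how it is hidden, which is why that setting is the usual advice.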

Q.7 Ping Sweep Techniques

A ping is a network tool that sends a message (ICMP Echo Request) to another computer or device on a
network to see if it's reachable. The device that receives the ping responds back with an ICMP Echo Reply
if it’s online and active. A ping sweep is when you send ping requests to multiple IP addresses within a
network (or a range of IP addresses) to check which devices respond back. This helps you figure out which
devices are active on the network.

For example: If you're working with a local network that has the IP range 192.168.1.1 to 192.168.1.255, a
ping sweep would send pings to all IP addresses in that range and wait for responses to determine which
addresses are currently active (which devices are online).

Ping Sweep Techniques

1. Simple Ping Sweep:
  - The simplest form of ping sweep is done manually by pinging a range of IP addresses one
by one.
  - This can be done using the ping command in a terminal or command prompt. For example:
    - You type ping 192.168.1.1, then ping 192.168.1.2, and so on.
    - You check if you get a reply from each device.
2. Automated Ping Sweep with Scripts:
  - To make it faster and easier, you can write a small script that sends pings to a range of IP
addresses automatically.
  - In Python, you can write a script that sends pings to multiple IP addresses and shows which
devices are active.
  - This script will ping all the IPs from 192.168.1.1 to 192.168.1.254.
3. Nmap Ping Sweep:
  - This is a popular network scanning tool. It can perform a ping sweep to discover which
devices are online and provide detailed information about them.
  - Example command using Nmap: nmap -sn 192.168.1.0/24
    This command will send pings to all IP addresses in the range 192.168.1.1 to
192.168.1.254.
4. ARP (Address Resolution Protocol) Sweep:
  - Sometimes, instead of just sending a ping, a technique called an ARP sweep can be used.
ARP works at a lower network level than ICMP (ping).
  - ARP can identify devices that are on the same local network by querying the MAC address
of each device. This can be more reliable than ping, especially in networks with firewalls
that block ICMP requests (ping).
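Seen from the other side of the firewall, the sweeps in Q.7 and the port scans described under Scanning in Q.5 share one signature: a single source touching many distinct targets in a short window. The Python script below is an added example (not from these notes) that applies that rule to constructed firewall log lines; the log format, field names and thresholds are assumptions for the demonstration.

```python
"""Added example: flag ping sweeps and port scans in firewall log lines.
Assumed format: '<ISO time> SRC=<ip> DST=<ip> PROTO=<ICMP|TCP> [DPT=<port>]'."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: DPT=(?P<dpt>\d+))?"
)

# Constructed log: one source pinging 12 addresses (sweep), one source probing
# 15 ports on a single host (port scan), and one benign client.
SAMPLE_LOG: List[str] = (
    [f"2024-05-01T10:00:{i:02d} SRC=10.0.0.5 DST=192.168.1.{i} PROTO=ICMP" for i in range(1, 13)]
    + [
        f"2024-05-01T10:01:{i:02d} SRC=10.0.0.7 DST=192.168.1.20 PROTO=TCP DPT={p}"
        for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389, 8080, 8443])
    ]
    + [
        "2024-05-01T10:02:00 SRC=10.0.0.9 DST=192.168.1.1 PROTO=ICMP",
        "2024-05-01T10:02:01 SRC=10.0.0.9 DST=192.168.1.1 PROTO=TCP DPT=443",
        "2024-05-01T10:02:02 SRC=10.0.0.9 DST=192.168.1.2 PROTO=ICMP",
    ]
)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None
    return ev


def max_distinct_in_window(events: List[Tuple[datetime, object]], window: timedelta) -> int:
    """Largest number of distinct targets one source touched inside any window
    that starts at one of its own events."""
    events = sorted(events, key=lambda e: e[0])
    best = 0
    for i, (start, _) in enumerate(events):
        seen = set()
        for ts, target in events[i:]:
            if ts - start > window:
                break
            seen.add(target)
        best = max(best, len(seen))
    return best


def detect_scans(lines: List[str], window_seconds: int = 60, threshold: int = 10) -> Dict[str, Dict[str, int]]:
    """Return {'ping_sweep': {src: hosts}, 'port_scan': {src: ports}} for sources
    that exceed the threshold within the window."""
    window = timedelta(seconds=window_seconds)
    icmp_targets = defaultdict(list)  # src -> [(ts, dst)]
    tcp_targets = defaultdict(list)   # src -> [(ts, (dst, port))]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] == "ICMP":
            icmp_targets[ev["src"]].append((ev["ts"], ev["dst"]))
        elif ev["proto"] == "TCP" and ev["dpt"] is not None:
            tcp_targets[ev["src"]].append((ev["ts"], (ev["dst"], ev["dpt"])))
    findings: Dict[str, Dict[str, int]] = {"ping_sweep": {}, "port_scan": {}}
    for src, evs in icmp_targets.items():
        n = max_distinct_in_window(evs, window)
        if n >= threshold:
            findings["ping_sweep"][src] = n
    for src, evs in tcp_targets.items():
        n = max_distinct_in_window(evs, window)
        if n >= threshold:
            findings["port_scan"][src] = n
    return findings


if __name__ == "__main__":
    for kind, hits in detect_scans(SAMPLE_LOG).items():
        for src, n in hits.items():
            print(f"{kind}: {src} touched {n} distinct targets within 60s")
```

Counting distinct targets rather than raw packets is what keeps the benign client out of the report: 10.0.0.9 sends three packets but reaches only two hosts and one port. The ARP sweep from point 4 would not appear in such a log at all, since ARP never crosses a router; catching it needs a sensor on the local segment.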

Q.8 Explain HTTP Tunnelling Techniques

HTTP tunnelling hides data or other traffic inside regular HTTP requests, which helps it bypass
firewalls or network restrictions, since HTTP traffic is usually allowed in most networks. This is especially useful
when a network blocks certain apps, protocols, or ports (like SSH, FTP, etc.), but allows web traffic (HTTP/HTTPS).

Common HTTP Tunnelling Techniques

1. HTTP CONNECT Method
- Used mostly to create a tunnel for HTTPS (like when visiting a secure website).
- It opens a tunnel through a proxy server.
- For example, SSH over HTTP using CONNECT.
2. POST/GET Tunnelling
- Data is hidden inside POST or GET requests (the way websites send data).
- The client sends requests with the hidden data to a server, and the server
responds with the needed info.
- Used by tools like HTTPTunnel, cURL, and custom scripts.
3. WebSockets
- WebSockets allow real-time, two-way communication over a single HTTP
connection.
- Used to tunnel traffic in a more interactive and responsive way.
4. Reverse HTTP Tunnelling
- Instead of the client initiating the connection, the server does.
- Useful for accessing devices behind firewalls or NAT where you can't directly
connect to the client.
5. VPN over HTTP
- Some VPN tools create encrypted tunnels over HTTP to hide traffic.
- Works well in restrictive environments (like schools or public Wi-Fi) where VPNs
are blocked.
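From the network owner's side, the first two techniques leave marks in the proxy log: a CONNECT request to a port other than 443 (the SSH-over-CONNECT case) and a client that pushes a steady stream of POSTs at one host. The Python script below is an added example (not from these notes) that audits constructed proxy log lines for both; the log format and the thresholds are assumptions for the demonstration.

```python
"""Added example: audit proxy log lines for CONNECT/POST tunnelling signs.
Assumed format: '<client> <method> <target> <status> <bytes>'."""
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed log: a normal HTTPS CONNECT, a CONNECT to port 22, a plain GET
# and 25 POSTs from one client to one host.
SAMPLE_PROXY_LOG: List[str] = [
    "10.0.0.5 CONNECT mail.example.com:443 200 5120",
    "10.0.0.5 CONNECT 203.0.113.9:22 200 98304",
    "10.0.0.6 GET http://www.example.com/index.html 200 2048",
] + ["10.0.0.7 POST http://203.0.113.9/sync 200 4096" for _ in range(25)]


def parse_proxy_line(line: str) -> Optional[Dict[str, object]]:
    parts = line.split()
    if len(parts) != 5:
        return None
    client, method, target, status, size = parts
    return {"client": client, "method": method.upper(), "target": target,
            "status": int(status), "bytes": int(size)}


def connect_port(target: str) -> Optional[int]:
    """Port from a CONNECT target of the form host:port."""
    _host, sep, port = target.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def audit_proxy_log(lines: List[str], allowed_connect_ports=frozenset({443}),
                    post_threshold: int = 20) -> List[Dict[str, object]]:
    """Return one finding per CONNECT to a non-allowlisted port and one per
    (client, host) pair with at least post_threshold POST requests."""
    findings: List[Dict[str, object]] = []
    posts: Counter = Counter()  # (client, host) -> number of POSTs
    for line in lines:
        ev = parse_proxy_line(line)
        if ev is None:
            continue
        if ev["method"] == "CONNECT":
            if connect_port(ev["target"]) not in allowed_connect_ports:
                findings.append({"client": ev["client"],
                                 "issue": "CONNECT to non-allowlisted port",
                                 "target": ev["target"]})
        elif ev["method"] == "POST":
            host = urlparse(ev["target"]).netloc
            posts[(ev["client"], host)] += 1
    for (client, host), count in posts.items():
        if count >= post_threshold:
            findings.append({"client": client, "issue": "high POST volume to single host",
                             "host": host, "count": count})
    return findings


if __name__ == "__main__":
    for f in audit_proxy_log(SAMPLE_PROXY_LOG):
        print(f)
```

Restricting CONNECT to port 443 on the proxy is the corresponding preventive setting; the POST heuristic is noisier (legitimate sync clients also POST often) and is better treated as a lead to examine than as a block rule.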
Q.9 Explain IP Spoofing Techniques

IP Spoofing is a technique used to send fake (or "spoofed") IP addresses in the header of
packets on a network. IP Spoofing can be used for a variety of reasons, both legitimate (like
network testing or research) and malicious (like attacks).
An IP address is a unique identifier assigned to each device on a network. When you send
data over the internet, it gets broken into packets, and each packet has a header that
contains information like:
- The source IP address (where the packet is coming from)
- The destination IP address (where the packet is going)

In IP spoofing, attackers modify the source IP address in the packet header, so it looks like
the packet is coming from a different source.

How Does IP Spoofing Work?

1. Every device on the internet has an IP address, kind of like a phone number or home
address.
2. When data is sent (in a packet), it includes the sender's IP address (called the source
IP).
3. In IP spoofing, the attacker changes the source IP address in the packet to make it
look like it's coming from a trusted source.

Common Techniques Used in IP Spoofing

1. Simple IP Spoofing
This is the most straightforward method of IP spoofing. The attacker manually modifies the
source address in the IP packet header to make it appear as though it came from a different
address.
Example: If you're attacking a server with the IP 192.168.1.10, you could change the source
IP in your packet to 10.0.0.1, which is a trusted IP address on the network.

2. IP Spoofing in DoS (Denial of Service) Attacks
In this method, IP spoofing is used to flood a target with traffic from fake IP addresses. This
makes it difficult for the target system to filter or block the malicious traffic, as it looks like
it's coming from many different sources.
Example: An attacker sends a flood of packets with different source IP addresses to a
website, overwhelming the server and causing it to crash. This is called a Distributed
Denial of Service (DDoS) attack when many computers are involved.

3. Man-in-the-Middle Attacks (MITM) with IP Spoofing
In a Man-in-the-Middle (MITM) attack, the attacker intercepts communication between
two systems (like between a user and a website). By spoofing the IP address of one of the
systems, the attacker can intercept, modify, or inject malicious data into the communication.
Example: The attacker might pretend to be a trusted server (like your bank's website) by
spoofing its IP address. When you try to connect to the bank, the attacker secretly intercepts
your data, potentially stealing login credentials, credit card information, or other sensitive
data.

4. TCP Sequence Number Prediction
In this more advanced form of IP spoofing, an attacker manipulates the TCP protocol, which
is used for reliable communication over the internet. Every TCP connection has a sequence
number to keep track of the packets being sent. If an attacker can predict these sequence
numbers, they can send fake packets and hijack or disrupt an ongoing connection.

Q.10 Steps Involved in SNMP Enumeration

SNMP Enumeration is the process of gathering detailed information from network
devices using the Simple Network Management Protocol (SNMP). This information
could include device configurations, network statistics, usernames, passwords, and
more. Here’s a breakdown of the steps involved in SNMP enumeration in an easy-to-
understand manner:

Step 1: Identify Devices Supporting SNMP

Before performing SNMP enumeration, you need to identify which devices on the
network support SNMP. These could be routers, switches, servers, printers, or other
networked devices that have SNMP agents running. Tools like Nmap can help
identify devices running SNMP by scanning for open SNMP ports (typically UDP port 161).
Example Nmap command to check SNMP (SNMP runs over UDP, so a UDP scan is needed): nmap -sU -p 161 192.168.1.1

Step 2: Check the SNMP Version

SNMP has different versions (e.g., SNMPv1, SNMPv2c, SNMPv3). The version you use
will affect how you send requests and what features are available. The most common
versions are:

• SNMPv1 and SNMPv2c: These are older and less secure because they transmit
data without encryption or authentication.
• SNMPv3: More secure, supporting authentication and encryption.

How to Identify the SNMP Version: You can use Nmap or a tool like
snmpwalk to try different versions.

Step 3: Identify Community Strings

In SNMP, a community string is like a password that controls access to the SNMP
data on a device. There are two types of community strings:

1. Read-Only (RO): Allows only viewing the device information.
2. Read-Write (RW): Allows modifying the device configuration.

By default, many devices have weak community strings like public for read-only and
private for read-write. If an attacker can guess these community strings, they can get
access to sensitive information.

Step 4: Perform SNMP Walk

Once you've identified the SNMP version and community string, the next step is to
perform an SNMP walk. An SNMP walk is a process where you query the SNMP
device to get all of its available information by asking for the entire MIB
(Management Information Base) tree or specific pieces of information.

MIB (Management Information Base): The MIB is like a dictionary that defines
what data the SNMP agent can provide (e.g., CPU usage, memory stats, device
name).

Step 5: Gather Information from SNMP Responses

Once the SNMP walk is successful, you can begin collecting valuable information
from the responses. Here are some common types of information you can gather
during SNMP enumeration:

1. System Information: This includes the device name, description, uptime, and
contact details.
2. Network Configuration: Includes IP addresses, routing tables, network
interfaces, etc.
3. Device Performance Data: Metrics like CPU load, memory usage, network
traffic, and disk usage.
4. Users and Services: Information about users, passwords (if they are
exposed), running services, and more.
5. MIB Data: Information from the device's MIB, which could include anything
from hardware details to running software versions.

Step 6: Analyse the Data Collected

After performing the SNMP enumeration and collecting the data, you analyse it to
identify weaknesses or sensitive information.

Step 7: Take Action (for Administrators)

For network administrators, after completing SNMP enumeration, you may decide to
take action to secure the devices.
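A configuration audit for the weak settings Steps 2 and 3 describe, added here as an example that is not part of the original notes; it assumes net-snmp's snmpd.conf directive names (rocommunity, rwcommunity, com2sec, rouser, rwuser), and both sample configurations are constructed:

```python
from __future__ import annotations

# Community strings that ship as defaults on many devices; they are the first
# guesses in any SNMP enumeration attempt (Step 3).
DEFAULT_COMMUNITIES = {"public", "private"}

# net-snmp directives that enable SNMPv1/v2c access (Step 2):
#   rocommunity COMMUNITY [SOURCE [OID]]   (the rw* variants also allow writes)
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


def audit_snmpd_conf(conf_text: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for a net-snmp snmpd.conf.
    An empty list means nothing weak was found; comments and blanks are skipped."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        directive, args = tokens[0].lower(), tokens[1:]

        if directive in COMMUNITY_DIRECTIVES:
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 else "default"
            if community in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"default community string '{community}'"))
            if directive.startswith("rw"):
                findings.append((lineno, f"read-write community '{community}' allows configuration changes"))
            if source == "default":
                findings.append((lineno, f"community '{community}' is accepted from any source address"))

        # Older mapping style: com2sec NAME SOURCE COMMUNITY
        elif directive == "com2sec" and len(args) >= 3:
            if args[2] in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"default community string '{args[2]}' in com2sec"))
            if args[1] == "default":
                findings.append((lineno, f"com2sec '{args[0]}' is accepted from any source address"))

        # SNMPv3 users: rouser|rwuser NAME [noauth|auth|priv]. Only 'priv' both
        # authenticates and encrypts; the level assumed when omitted is 'auth'.
        elif directive in ("rouser", "rwuser") and args:
            level = args[1].lower() if len(args) > 1 else "auth"
            if level != "priv":
                findings.append((lineno, f"SNMPv3 user '{args[0]}' at level '{level}' "
                                         "(only 'priv' authenticates and encrypts)"))
    return findings


# Constructed sample: a typical out-of-the-box SNMPv2c configuration.
WEAK_CONF = """\
# anyone who knows the community string can read, and on the LAN also write
rocommunity public
rwcommunity private 192.168.1.0/24
"""

# Constructed sample: SNMPv3 only, read-only, authentication and encryption
# required. The matching createUser line (which carries the passphrases)
# belongs in net-snmp's persistent configuration, not in this file.
HARDENED_CONF = """\
rouser monitor priv
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf) or "no findings")
```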

UNIT-2
Chapter-5 System Hacking
Q.1 Five Common Password Cracking Techniques or Web-Based Password
Cracking Technique

Password cracking is the process of guessing or obtaining passwords to gain
unauthorized access to accounts, systems, or encrypted files. Hackers use various
methods to crack passwords, depending on the complexity and security measures in
place. Here are five common password cracking techniques explained in detail:

1. Brute Force Attack: A brute force attack is one of the simplest but most time-
consuming methods of cracking passwords. It involves trying every possible
combination of characters until the correct password is found. This technique does
not rely on any prior knowledge of the password and works best against weak or
short passwords. Modern brute force attacks use automated tools that can attempt
thousands or even millions of combinations per second. However, longer and more
complex passwords significantly increase the time required to crack them.

2. Dictionary Attack: In a dictionary attack, hackers use a precompiled list of
commonly used passwords, called a "dictionary," to guess a password. This list often
includes real words, common phrases, and predictable variations (such as
"password123" or "admin2024"). Unlike brute force attacks, which try every possible
combination, a dictionary attack focuses only on the most likely passwords, making it
faster but less effective against highly complex passwords. Hackers often enhance
this technique by using leaked password databases to refine their guesses.

3. Phishing Attacks: Phishing is a social engineering technique rather than a
technical one. Instead of trying to crack a password through computation, hackers
trick users into willingly providing their login credentials. This is usually done through
fake emails, websites, or messages that mimic legitimate services like banks, email
providers, or social media platforms. When a user enters their credentials on a
fraudulent site, the hacker captures the password and gains access to the account.
Phishing remains one of the most effective password-stealing methods because it
exploits human trust rather than technological weaknesses.

4. Credential Stuffing: Credential stuffing is an attack that takes advantage of
users who reuse passwords across multiple websites. When a hacker obtains a
username-password combination from a data breach, they use automated tools to
try the same credentials on other websites. Since many people use the same
password for multiple accounts, this technique often leads to successful logins. This
method is particularly effective when users fail to change their passwords after a
data breach has occurred.

5. Rainbow Table Attack: A rainbow table attack is a more advanced method used
to crack encrypted passwords stored as hashes. Instead of trying to guess a
password directly, hackers use a precomputed table of hashed passwords and
compare them against the stored password hashes. If a match is found, the original
password is revealed. Rainbow table attacks are effective against systems that use
weak or unsalted hashing algorithms.
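An added example, not from the original notes, showing why technique 5 works against unsalted hashes and how a per-user salt with a slow key-derivation function defeats it; the wordlist, the two users and the PBKDF2 round count are constructed:

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed "dictionary" standing in for a leaked-password wordlist
# (technique 2); real lists run to millions of entries.
WORDLIST = ["password123", "admin2024", "letmein", "qwerty"]
PBKDF2_ROUNDS = 200_000   # slow on purpose; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password gives the same digest on every system,
    so one precomputed table serves every site that stores hashes this way."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words: list[str]) -> dict[str, str]:
    """Precompute digest -> password once. A rainbow table is a space-saving
    encoding of exactly this mapping; the effect is the same."""
    return {unsalted_hash(w): w for w in words}


def recover_from_table(table: dict[str, str], stored_hash: str) -> str | None:
    """One dictionary lookup: the password if its digest was precomputed, else None."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. Returns (salt, digest);
    both are stored, the salt is not secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Two constructed users who chose the same weak password, stored both ways."""
    table = build_lookup_table(WORDLIST)
    alice_plain = unsalted_hash("admin2024")
    bob_plain = unsalted_hash("admin2024")
    alice_salt, alice_digest = salted_hash("admin2024")
    _bob_salt, bob_digest = salted_hash("admin2024")
    return {
        # identical unsalted digests show both users share a password, and one
        # table lookup recovers it for both at once
        "unsalted_identical": alice_plain == bob_plain,
        "unsalted_recovered": recover_from_table(table, alice_plain),
        # different salts give unrelated digests; the table has nothing to match,
        # and each user must be guessed separately at PBKDF2_ROUNDS cost per try
        "salted_identical": alice_digest == bob_digest,
        "salted_recovered": recover_from_table(table, alice_digest.hex()),
        "salted_verifies": verify_salted("admin2024", alice_salt, alice_digest),
        "wrong_password_rejected": not verify_salted("admin2025", alice_salt, alice_digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```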

Q.2 Types of Passwords
Passwords are essential for securing digital accounts and systems. Different types of
passwords are used based on security requirements and ease of use. Below are the main
types of passwords:

1. Alphanumeric Passwords: These passwords consist of a combination of letters (A-Z, a-
z) and numbers (0-9). They are commonly used for online accounts but can be weak if
they are too short or simple, such as "password123".

2. Complex Passwords: Complex passwords add special characters (!, @, #, $, etc.) along
with letters and numbers to make them harder to guess. An example would be
"P@ssw0rd!23". These passwords are more secure against brute-force attacks.

3. Passphrases: A passphrase is a longer sequence of words or a sentence that is easier
to remember but difficult to crack. For example, "BlueSky$RunningFast! 2024" is
stronger than a short random password. Passphrases are recommended for high-security
accounts.

4. One-Time Passwords (OTP): OTPs are temporary passwords that can be used only
once. They are typically sent via SMS, email, or generated by authentication apps like
Google Authenticator. They expire after a short time, making them highly secure against
reuse attacks.

5. Time-Based One-Time Passwords (TOTP): These passwords are generated based on
time and change every 30 to 60 seconds. Used in two-factor authentication (2FA), TOTP-
based passwords prevent unauthorized access even if a previous password was stolen.

6. Graphical Passwords: Instead of text, graphical passwords use images, patterns, or
gestures. Examples include Android's pattern lock, where users draw a unique shape to
unlock their device, and systems that require selecting specific images in order.

7. Biometric Passwords: Biometric passwords rely on unique biological traits such as
fingerprints, facial recognition, iris scans, or voice recognition. These passwords are
convenient and difficult to replicate, making them a popular choice for smartphones and
secure facilities.
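The TOTP scheme from items 4 and 5 above, as an added example that is not part of the original notes: RFC 6238 TOTP built on RFC 4226 HOTP (HMAC-SHA1, 30-second steps, 6 digits, the defaults of common authenticator apps), using the RFCs' published test secret; verify_totp, its window size and the constant names are this example's own choices.

```python
from __future__ import annotations
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"   # shared secret from the RFC 4226/6238 test vectors
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, then the
    dynamic truncation of RFC 4226 section 5.3, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float | None = None, step: int = STEP_SECONDS) -> str:
    """TOTP = HOTP(K, floor(unix_time / step)): the time step is the counter,
    so the code changes every `step` seconds without any state on the server."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step)


def verify_totp(secret: bytes, code: str, at: float | None = None,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side, to
    absorb clock drift. A code from an earlier step is rejected, which is why a
    TOTP value stolen today is useless once its step has passed. Production
    verifiers also remember the last accepted counter so a code cannot be
    replayed inside the window."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # RFC 6238 test time 59 s -> step 1 -> RFC 4226 vector 287082
    print(totp(RFC_SECRET, at=59), verify_totp(RFC_SECRET, "287082", at=59))
    print("current code:", totp(RFC_SECRET))
```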

Q.3 KEYLOGGERS

A keylogger (short for "keystroke logger") is a type of software or hardware that
records everything you type on a keyboard. It secretly captures your keystrokes and
sends the data to someone else, usually without your knowledge. Hackers and
cybercriminals often use keyloggers to steal passwords, credit card numbers, and
other sensitive information.

Types of Keyloggers

1. Software Keyloggers: These are programs installed on a computer or
smartphone that track keystrokes and send the data to a remote attacker.
They often run in the background, making them hard to detect.
2. Hardware Keyloggers: These are physical devices connected to a computer,
usually between the keyboard and the USB port. They store keystroke data,
which an attacker can later retrieve.

How Do Keyloggers Work?

1. Installation: A hacker installs the keylogger on a victim’s device, often through phishing
emails, fake software downloads, or malicious websites.
2. Recording Keystrokes: The keylogger captures everything typed, including usernames,
passwords, messages, and credit card details.
3. Sending Data: If it's a software keylogger, it secretly sends the recorded keystrokes to the
hacker over the internet.
4. Data Theft: The hacker uses the stolen information for identity theft, financial fraud, or other
cybercrimes.

How to Protect Yourself from Keyloggers

Use an Antivirus: Keep your antivirus software updated to detect and remove keyloggers.
Enable Two-Factor Authentication (2FA): Even if your password is stolen, an extra security step can
prevent unauthorized access.
Avoid Suspicious Links & Emails: Don’t click on unknown links or download attachments from untrusted
sources.
Use a Virtual Keyboard: Some online banking sites offer virtual keyboards to prevent keyloggers from
recording typed passwords.
Check for Unusual Devices: If using a public or shared computer, inspect USB ports for any suspicious
hardware keyloggers.
Keep Your Software Updated: Regular updates fix security vulnerabilities that keyloggers may exploit.

Q.4 SPYWARE TECHNOLOGIES

Spyware refers to software that secretly monitors and collects information about a
user's activities on a computer or device without their knowledge or consent. Here
are some common spyware technologies and functionalities:

a) Keyloggers: Capture and record keystrokes made by the user, potentially
capturing sensitive information like login credentials, credit card numbers, or other
personal data.

b) Screen Recorders: Record the user's screen activity, capturing screenshots or
videos of everything happening on the computer or device.

d) Webcam and Microphone Monitoring: Activate and record video or audio from the
device's webcam or microphone without the user's knowledge.

e) Location Tracking: Track the physical location of a device, often using GPS or Wi-Fi
signals, to monitor the user's movements.

g) Data Harvesting: Collect personal information such as usernames, passwords,
email addresses, and other sensitive data stored on the device.

i) Adware with Spyware Components: Adware is software that displays unwanted
advertisements. Some adware also includes spyware components to track users'
online activities and preferences for targeted advertising.

j) System and Network Monitoring: Monitor system processes, network traffic, and
other system activities to gather information about the user's behaviour and usage
patterns.

Q.5 Escalating Privileges
Privilege escalation is a hacking technique where an attacker gains higher access
permissions than they are supposed to have. This means the attacker starts with
low-level access (like a normal user) and escalates their privileges to gain higher
control, such as an administrator or root user. Once they get higher privileges,
they can modify system settings, access restricted data, or even take complete
control of the system.

Types of Privilege Escalation

Vertical privilege escalation happens when a lower-level user (such as a regular
employee or hacker) gains administrative or root-level access. This is often achieved
by exploiting software vulnerabilities, using malware, or cracking administrator
passwords. Attackers may manipulate system flaws, inject malicious code, or take
advantage of misconfigured permissions to escalate their access and take full control
of the system.

Horizontal privilege escalation occurs when a user remains at the same privilege
level but gains access to another user’s data or account. This can happen if session
tokens are stolen, credentials are guessed, or security flaws in web applications allow
unauthorized access. Instead of aiming for administrative control, the attacker
focuses on accessing restricted user information, emails, or confidential files of other
users at the same level.
How Attackers Escalate Privileges

1. Exploiting Software Vulnerabilities

Hackers search for bugs or flaws in software to gain higher access. If an operating
system or application has a security loophole, attackers can execute malicious
code to get administrator privileges.
2. Misconfigured Permissions
Some systems accidentally allow too much permission to users. Hackers can take
advantage of weak security settings to modify system files, gain access to restricted
areas, or run commands with higher privileges.
3. Credential Theft (Password Cracking, Phishing, or Keylogging)
If a hacker steals an administrator’s password through phishing or keylogging,
they can log in with high privileges without hacking the system.
4. Malware and Rootkits
Some malware is designed to automatically escalate privileges once installed on
a victim's computer. Rootkits hide in the system and secretly give hackers
administrator access.
5. Weak or Default Passwords
If an administrator account uses a weak or default password (like "admin123"), an
attacker can guess or brute-force the password to gain higher privileges.
How to Prevent Privilege Escalation

1. Keep Software Updated – Always apply security patches to fix known
vulnerabilities.
2. Enable Multi-Factor Authentication (MFA) – Adds extra security to prevent
unauthorized access.
3. Use Strong Passwords & Change Them Regularly – Prevents attackers from
easily guessing passwords.
4. Use Security Software – Install firewalls, antivirus, and anti-malware tools to
detect threats.
5. Restrict Executable Files – Prevents unauthorized applications from running
with admin privileges.

Q.6 Rootkits
A rootkit is a type of malware that hides deep inside a computer or phone to avoid
detection. It allows hackers to secretly control a device, steal data, or install more
malware without the user knowing.

Types of Rootkits

Kernel Mode Rootkits – Hide deep in the operating system, giving hackers full control.
Bootloader Rootkits – Infect the start-up process, making them very hard to remove.
Application Rootkits – Infect programs like web browsers or word processors.
Firmware Rootkits – Hide in hardware like your motherboard or network devices.
Hypervisor Rootkits – Trick the system into running a fake version of the operating
system controlled by the hacker.

Characteristics of Rootkits (What Makes Rootkits Special)

• Hides Deep in the System – Rootkits are designed to stay invisible by disguising
themselves as normal files or processes.
• Difficult to Detect – They disable antivirus software and system monitoring tools,
making them hard to find.
• Grants Full Control – Once installed, a rootkit allows hackers to do anything on your
device, including stealing data or installing more malware.
• Persists Even After Reboots – Some rootkits infect system files or hardware (like
firmware), meaning they stay active even after restarting your device.
• Can Be Installed in Different Ways – They can infect a system through phishing
emails, fake software downloads, or even USB drives.

Q.7 Sniffing
Sniffing is a technique used to intercept and monitor data being sent over a
network. It can be used for good (like network troubleshooting) or bad (like stealing
passwords and personal data). Think of it like eavesdropping on a conversation, but
instead of listening to voices, hackers "listen" to digital information traveling across a
network.

When you browse the internet, send emails, or enter passwords, your data travels
through a network. Hackers use special tools (called sniffers) to capture and read this
data without you knowing. If the data is not encrypted, they can easily see your
personal information. Sniffing is broadly classified into two types: Passive Sniffing and Active Sniffing.

1. Passive Sniffing: The attacker silently monitors network traffic without affecting
the system. Used in Wi-Fi hacking and spying on open networks.
2. Active Sniffing: The attacker injects malicious packets or alters network traffic to
steal information. Often used in corporate attacks.

Common Sniffing Techniques

• Packet sniffing: One common method is packet sniffing, where attackers
capture small pieces of data (called packets) as they move across a network. If
the data is not encrypted, the hacker can read its contents, including login
credentials and private messages. This is especially dangerous on public Wi-Fi
networks.
• ARP spoofing: Another technique is ARP spoofing, where the hacker tricks
devices into believing that their computer is the main network gateway. This
allows them to intercept all network traffic, making it easy to steal data from
unsuspecting users.
• MAC flooding: MAC flooding is another approach where an attacker
overwhelms a network switch by sending a massive number of fake MAC
addresses. When the switch becomes overloaded, it starts sending data to all
connected devices, including the hacker’s system, allowing them to capture
sensitive information.
• DNS spoofing: Hackers can also use DNS spoofing, where they manipulate a
device’s settings to redirect users to fake websites that look identical to real ones.
When a user enters their login details on the fake site, the hacker captures their
credentials.
• Man-in-the-Middle: A more advanced method is the Man-in-the-Middle
(MITM) attack, where the hacker secretly intercepts communication between
two parties. The victim believes they are securely communicating with a trusted
service, but in reality, the hacker is reading and possibly altering the messages.

How to Protect Yourself from Sniffing Attacks

Use HTTPS Websites – Always check for the lock symbol in the browser before entering
sensitive data.
Avoid Public Wi-Fi – Hackers often target unsecured networks. Use a VPN if necessary.
Use a VPN (Virtual Private Network) – Encrypts your data so sniffers can’t read it.
Keep Your Devices Updated – Software updates fix security holes that sniffers exploit.

Q.8 ARP Poisoning

ARP Poisoning (also called ARP Spoofing) is a hacking technique used to trick
computers into sending data to the wrong device. It allows attackers to steal
sensitive information, spy on network activity, or even modify data.

Think of it like this: Imagine you want to send a letter to your friend, but a thief
secretly replaces your friend’s address with their own. Now, your letter goes to the thief
instead, and they can read or change the message before forwarding it. That’s exactly
what happens in an ARP poisoning attack, but in a computer network!

How ARP Works in Normal Situations

1. When a computer wants to communicate with another computer on a local
network, it needs the recipient's MAC address (hardware address).
2. The computer sends an ARP request, asking, "Who has this IP address?"
3. The device with that IP replies with an ARP response, saying, "I have that IP, and
my MAC address is XYZ."
4. The sender saves this information in its ARP cache and sends data to the
correct device.

This process ensures smooth communication between computers on a network.

How ARP Poisoning Works

In an ARP poisoning attack, a hacker sends fake ARP messages to a network. These
messages falsely associate the hacker’s MAC address with the IP address of another
device (such as a router or a target computer).

Example of ARP Poisoning

Imagine a hacker is in a Wi-Fi network at a coffee shop.

• Your computer needs to communicate with the Wi-Fi router to access the
internet.
• The hacker sends fake ARP messages, making your computer believe their MAC
address is the router’s MAC address.
• Your computer sends all your internet traffic to the hacker instead of the router.
• The hacker can now read your emails, steal login credentials, or capture
credit card details.

This type of attack is commonly used for Man-in-the-Middle (MITM) attacks.

Consequences of ARP Poisoning

1. Data Theft: Hackers can steal sensitive data, such as usernames, passwords,
credit card details, and emails.
2. Session Hijacking: Attackers can take over online sessions, such as banking or
social media accounts.
3. Denial of Service (DoS) Attacks: By manipulating ARP tables, a hacker can
disrupt network communication and block internet access for users.
4. Malware Injection: Hackers can modify traffic to inject malware, ransomware, or
spyware into a victim’s device.
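An added detection example, not part of the original notes, for the two symptoms described here and under ARP spoofing in Q.7: the gateway's MAC address changing, and one MAC answering for several IP addresses. It parses lines in the format of Linux `ip neigh show`; the two snapshots, the gateway address and every MAC address are constructed.

```python
from __future__ import annotations
import re
from collections import defaultdict

# One `ip neigh show` line, e.g.
#   192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
NEIGH_RE = re.compile(
    r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def parse_neigh(output: str) -> dict[str, str]:
    """Map IP -> lower-cased MAC. Entries without lladdr (FAILED/INCOMPLETE)
    are skipped because they carry no hardware address to check."""
    table = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def find_arp_anomalies(table: dict[str, str], gateway_ip: str,
                       known_gateway_mac: str) -> list[str]:
    """Compare the live table against a baseline recorded on a clean network."""
    alerts = []
    expected = known_gateway_mac.lower()
    seen = table.get(gateway_ip)
    if seen is not None and seen != expected:
        alerts.append(f"gateway {gateway_ip} now maps to {seen}, expected {expected}")

    ips_by_mac: dict[str, list[str]] = defaultdict(list)
    for ip, mac in table.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            # Can be legitimate (a router holding several addresses, VMs behind a
            # bridge), so this is a lead to check, not proof of poisoning by itself.
            alerts.append(f"MAC {mac} answers for several IPs: {', '.join(sorted(ips))}")
    return alerts


# Constructed baseline snapshot taken while the network was healthy.
BEFORE = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:20 STALE
192.168.1.30 dev wlan0 FAILED
"""

# Constructed snapshot after the host at .20 sent forged replies for the
# router's IP: the gateway entry now carries the .20 machine's MAC.
AFTER = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:20 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:20 STALE
192.168.1.30 dev wlan0 FAILED
"""

GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"


def check_snapshot(snapshot: str) -> list[str]:
    return find_arp_anomalies(parse_neigh(snapshot), GATEWAY_IP, GATEWAY_MAC)


if __name__ == "__main__":
    print("before:", check_snapshot(BEFORE) or "clean")
    print("after: ", check_snapshot(AFTER))
```

On a real host the snapshot comes from running `ip neigh show` periodically and keeping the first clean result as the baseline.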

Q.9 DNS Spoofing

DNS spoofing (also called DNS cache poisoning) is a cyber-attack where hackers corrupt the DNS
(Domain Name System) to redirect users to fake websites.
Instead of reaching the real website, users unknowingly enter their sensitive information (like passwords or
credit card details) into a fraudulent website controlled by the hacker.

How Does DNS Work Normally?

When you enter a website like www.bank.com, your computer does not understand domain names. It needs
the IP address of the website.

1. Your computer asks a DNS server for the IP address of www.bank.com.
2. The DNS server responds with the correct IP address (e.g., 192.168.1.10).
3. Your browser connects to the correct website.

How DNS Spoofing Works

In a DNS spoofing attack, the hacker tricks your computer into visiting the wrong website. This happens
in two main ways:

1. DNS Cache Poisoning

• The hacker injects a fake IP address into a DNS cache.
• When users try to visit a website, the DNS server gives them the wrong IP address (a fake website).
• The fake website looks like the original and steals login credentials.

2. Man-in-the-Middle (MITM) DNS Spoofing

• The hacker intercepts your DNS request and modifies the response.
• Instead of connecting to the real website, you are redirected to a malicious site.

Consequences of DNS Spoofing

1. Phishing Attacks: Users are tricked into entering sensitive data on fake
websites.

2. Malware Distribution: Hackers can redirect users to sites that automatically
download malware.

3. Corporate Espionage: Attackers can spy on business traffic and steal
confidential company information.

4. Ransomware Attacks: Redirecting users to malicious sites can lead to
ransomware infections.

How to Detect DNS Spoofing

1. Check the Website Certificate (HTTPS): Fake websites often lack HTTPS or
show an invalid certificate warning.

2. Compare DNS Responses: Use the nslookup or dig command to check if a
domain resolves to a suspicious IP address.
3. Use DNS Monitoring Tools: Tools like dnstracer or Wireshark can help detect
unusual DNS behavior.

How to Prevent DNS Spoofing

1. Use Secure DNS Services: Use Google Public DNS (8.8.8.8, 8.8.4.4) or
Cloudflare DNS (1.1.1.1) for better security.

2. Enable DNSSEC (DNS Security Extensions): DNSSEC helps verify that the
DNS responses are authentic.

3. Use a VPN (Virtual Private Network): A VPN encrypts your DNS requests,
preventing MITM attacks.

4. Keep DNS Caches Secure: Clear the DNS cache regularly.

5. Install Anti-Phishing and Security Software: Use browser extensions that
detect phishing websites.
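The "Compare DNS Responses" check from the detection list above, as an added example that is not part of the original notes: it cross-checks the A records several resolvers return for one name. The answers are embedded (as `dig +short NAME @RESOLVER` would print them) rather than queried, so it runs offline; the domain, the local router address and all record values are constructed, and 203.0.113.10 is a documentation address standing in for a real public one.

```python
from __future__ import annotations
import ipaddress
from collections import Counter

# Ranges a public hostname should never resolve to when asked from the internet.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
)]


def non_public_reason(ip: str) -> str | None:
    """Return which non-public range an address falls in, or None if it is public."""
    addr = ipaddress.ip_address(ip)
    for net in NON_PUBLIC:
        if addr in net:
            return f"inside {net}"
    return None


def compare_answers(domain: str, answers: dict[str, set[str]]) -> list[str]:
    """answers maps resolver -> set of A records it returned for domain.
    Reports resolvers that disagree with the majority answer, and any record in
    a non-public range. Round-robin and CDN-served names can legitimately differ
    between resolvers, so a mismatch is a prompt to look closer, not proof."""
    findings = []
    votes = Counter(frozenset(records) for records in answers.values())
    consensus, _ = votes.most_common(1)[0]
    for resolver, records in answers.items():
        if frozenset(records) != consensus:
            findings.append(f"{resolver}: {sorted(records)} for {domain}, "
                            f"majority says {sorted(consensus)}")
        for ip in sorted(records):
            reason = non_public_reason(ip)
            if reason:
                findings.append(f"{resolver}: {domain} -> {ip} ({reason}) "
                                "is not a public address")
    return findings


# Constructed snapshot: two public resolvers agree, the home router's own
# resolver hands out a poisoned answer pointing at a machine on the LAN.
DOMAIN = "www.example-bank.test"
SAMPLE_ANSWERS = {
    "8.8.8.8": {"203.0.113.10"},
    "1.1.1.1": {"203.0.113.10"},
    "192.168.1.1 (local router)": {"192.168.1.50"},
}

if __name__ == "__main__":
    for finding in compare_answers(DOMAIN, SAMPLE_ANSWERS) or ["all resolvers agree"]:
        print(finding)
```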

Q.10 Denial of Service (DoS) Attack

A Denial of Service (DoS) attack is a type of cyber-attack where hackers overload a
website or network, making it slow or completely unavailable for users.

Think of it like this: Imagine a restaurant where too many fake customers enter,
take up all the tables, and never order food. Real customers can’t get in, and the
restaurant can't function properly. A DoS attack does the same thing to websites
and networks—it floods them with too much traffic so real users can't access
them.

Types of DoS Attacks

1. Volumetric Attacks: In this type, hackers send a massive amount of fake traffic to a website or network, making
it impossible for real users to access it. It’s like filling up a highway with so many fake cars that real drivers can't
move.
2. Protocol Attacks: These attacks target the communication rules (protocols) that networks and devices follow,
making them confused and unresponsive.
3. Application-Layer Attacks: These attacks don’t flood the entire network, but instead target specific functions of
a website to slow it down or crash it.
4. Distributed Denial of Service (DDoS): A DDoS attack is the most dangerous type because it comes from multiple
infected computers (botnet), making it harder to stop.
5. Teardrop Attack: A Teardrop attack confuses a computer by sending broken (fragmented) data
packets that the system struggles to reassemble. This can cause older or weak systems to crash.

How Do DoS Attacks Work?

1. Attacker Selects a Target

The hacker chooses a website, server, or network they want to attack. The target could
be a company website, an online game, a bank, or any service that people rely on.

2. Attacker Finds a Weakness

The hacker studies the target system to find vulnerabilities. Some websites may have
limited resources, meaning they can only handle a certain number of visitors before
slowing down. Others might have weak security settings that make them easy to
overload.

3. Attack Begins – Overloading the System

Once a weakness is found, the hacker launches the attack. There are different ways to do
this:

• Sending too many fake visitors or data requests (Volumetric Attack).
• Exploiting communication rules (protocols) to confuse the system (Protocol
Attack).
• Targeting a website’s login page or search bar to slow it down (Application-Layer
Attack).

4. System Overwhelms and Crashes

The server or website can’t handle the flood of fake traffic or requests. It becomes
too slow or completely stops working, making it impossible for real users to access it.

5. Real Users Are Blocked or Affected

Because the system is overwhelmed, real customers, employees, or users can't access
it. This can cause huge losses for businesses, disrupt important services, and even cause
panic if critical systems (like hospitals or banks) are attacked.

Q.11 What are Bots and Botnets?

Bots and botnets are tools used in cyber-attacks, often without people realizing it.
Hackers use them to steal data, spread viruses, or launch massive attacks on
websites and networks.

Bot: A bot is a computer program that can automate tasks on the internet. Some bots
are useful (like search engine bots that help Google find websites), but others are
dangerous when controlled by hackers.

Example of a Good Bot: Google uses bots to scan websites so they show up in
search results.
Example of a Bad Bot: A hacker creates a bot to steal passwords or send spam
emails.
Botnet: A botnet is a network of infected computers, phones, or IoT devices
controlled by a hacker. The hacker (called a botmaster) can use these devices
to perform cyber-attacks on a large scale.

Example: Imagine a hacker secretly controlling thousands of computers to send
fake traffic to a website, making it crash.

How Do Computers Become Part of a Botnet?

1. Malware Infection – The hacker tricks people into downloading a virus (through fake emails, malicious websites,
or software).
2. Silent Takeover – Once infected, the device becomes part of the hacker’s botnet without the user knowing.
3. Hacker Gives Commands – The hacker controls all infected devices remotely to launch attacks, steal data, or
send spam.

What Do Hackers Use Botnets For?

🔴 DDoS Attacks – Overloading websites or networks to shut them down.
🔴 Spreading Malware – Infecting more computers with viruses.
🔴 Stealing Data – Collecting personal details, passwords, and banking info.
🔴 Click Fraud – Clicking on ads to generate fake revenue.
🔴 Mining Cryptocurrency – Using other people’s computers to mine digital currency.

Q.12 What is Spoofing?

Spoofing is a trick used by hackers to disguise their identity or pretend to be someone else.
They use spoofing to steal data, spread malware, or launch attacks by faking emails,
websites, phone numbers, or even computer addresses.

Types of Spoofing Attacks

1. IP Spoofing (Faking a Computer’s Address)

In IP Spoofing, a hacker hides their real IP address (the unique number of a device on the
internet) by pretending to be a trusted device. This is often used in cyber-attacks like DDoS
attacks to make it look like the attack is coming from multiple sources. Example: Imagine
sending a letter but writing a fake return address so no one knows where it really came from.

2. Email Spoofing (Fake Emails from Trusted Sources)

Hackers send fake emails that look real, pretending to be from banks, companies, or even
friends. These emails trick people into clicking malicious links or giving away personal
information. Example: You receive an email that looks like it’s from PayPal, asking you to
reset your password. But when you click the link, it takes you to a fake PayPal website that
steals your login details.

3. Caller ID Spoofing

Scammers use special software to change their phone number so it looks like a call is coming
from a real company, government agency, or even someone you know. Example: You get a
call that looks like it’s from your bank, saying there’s a problem with your account. But it’s
actually a scammer trying to steal your money.

4. Website Spoofing (Fake Websites)

A hacker creates a fake website that looks exactly like a real one, such as a bank or
social media site. When people enter their login details, the hacker steals their
username and password.
Example: You think you’re logging into Facebook, but you’re actually on a fake
page that steals your password.

5. ARP Spoofing (Tricking a Network)

In ARP Spoofing, a hacker tricks a network into thinking they are a trusted device, allowing
them to intercept or modify internet traffic. This is often used in Man-in-the-Middle (MitM)
attacks, where the hacker secretly listens to communications. Example: A hacker sits in a
coffee shop and spies on your internet activity, stealing your login details when you connect
to public Wi-Fi.

6. DNS Spoofing (Redirecting You to Fake Websites)

Hackers tamper with the internet’s address book (DNS) to redirect users to fake websites
without them knowing. Example: You type "www.google.com", but instead of going to
Google, your browser takes you to a fake website controlled by hackers.

Q.13 What is Hijacking?

Hijacking is when a hacker takes control of something that doesn’t belong to them—like a website, an online
account, or an internet connection. This allows them to steal data, spread malware, or manipulate information
without the user knowing.

Types of Hijacking Attacks 🛑

1. Session Hijacking (Stealing Your Online Session)

Hackers steal your session ID (a unique number assigned when you log into a website)
and use it to take over your account without needing your password. Example: You log
into your bank account, and a hacker hijacks your session. Now, they can make
transactions as if they were you. Effect: Can lead to stolen bank details, hacked emails,
or unauthorized transactions.

2. Browser Hijacking (Taking Over Your Web Browser)

A hacker or malicious software changes your browser’s settings, forcing you to visit
unwanted websites, showing too many ads, or even spying on your activity. Example: You
open Google, but it automatically redirects you to a fake search engine filled with ads
and scams. Effect: Can lead to annoying pop-ups, stolen personal data, and even
malware infections.

3. Clickjacking (Tricking You into Clicking)

Hackers load a real site in an invisible frame on top of a decoy page, so when you think you're
clicking on something safe, you're actually clicking a button on the hidden site. Example: You
try to "Play Video", but instead you "Allow Access to Your Camera", because the hacker placed a
permission prompt under the play button. Effect: Can be used to steal information, control
webcams, install malware, or make you perform actions on sites where you are already logged in.

4. DNS Hijacking (Redirecting You to Fake Websites) 🌍

Hackers alter your internet’s address book (DNS) so that when you try to visit a real
website, you’re redirected to a fake one that looks identical. Example: You type
"www.facebook.com", but instead of going to Facebook, you land on a fake site that steals
your password. Effect: Can lead to stolen passwords, identity theft, and malware
infections.

5. Email Hijacking (Taking Over Email Accounts)

Hackers gain access to email accounts (especially bank or business emails) and pretend
to be the real owner to scam people. Example: A hacker hijacks your company’s email
account and sends fake invoices to clients, making them transfer money to the hacker’s
account. Effect: Can lead to financial fraud and loss of sensitive business data.

6. Wi-Fi Hijacking (Spying on Public Wi-Fi Users)

Hackers create fake Wi-Fi networks in public places, tricking people into connecting. Once
connected, the hacker can steal passwords, banking details, and private messages.
Example: You connect to "Free Airport Wi-Fi," but it's actually controlled by a hacker who
can see everything you type. Effect: Can lead to stolen banking info, hacked social
media accounts, and identity theft.

Q.14 Web Server Vulnerabilities OR Types of Attack Against Web Server

Q.1 Web Application Vulnerabilities and Web Application Hacking

A web server is a computer that stores and delivers websites to users. But if it’s not properly secured, hackers can
find weaknesses (vulnerabilities) and attack it to steal data, take control of the server, or shut it down.

Some Common Web Server Vulnerabilities

1. SQL Injection

Hackers type SQL fragments into input fields (login forms, search boxes, URL parameters) that
the website pastes straight into a database query, letting them read, delete, or modify
sensitive information like passwords and credit card details.

Example: A hacker types special SQL commands into a login form instead of a
username and password, tricking the server into giving access. Effect: Can lead to data
leaks, hacked accounts, and financial fraud.

2. Cross-Site Scripting (XSS)

Hackers insert malicious JavaScript into web pages, which then runs on visitors'
browsers. This can steal user data, spread malware, or redirect users to fake sites.
Example: A hacker injects a script into a comment section on a blog. When someone
reads the comment, the script steals their cookies and login session. Effect: Can be
used to steal login credentials or spread malware.

3. File Inclusion Vulnerabilities

If a web application builds the path of a file it includes from user input (for example a
page name taken from the URL) without validating it, an attacker can make the server include
files it never intended to: local files such as configuration or password files (Local File
Inclusion), or a script hosted on the attacker’s own server (Remote File Inclusion). Combined
with an unrestricted file upload, this lets the attacker run code on the server. Example: A
hacker uploads a malicious PHP file disguised as an image, then includes it to run commands,
steal files, or take over the website. Effect: Can lead to website defacement, server
hijacking, and data theft.

4. Denial of Service (DoS) Attacks (Overloading the Server)

Hackers flood a web server with too many fake requests, making the website slow or
completely unavailable. Example: A hacker uses a botnet (thousands of infected
computers) to send millions of requests to a website, crashing it. Effect: Can cause
downtime, loss of business, and reputation damage.

5. Weak Passwords (Easy to Guess Logins)

If a web server has weak or default passwords, hackers can guess them using brute
force attacks (trying many passwords until one works). Example: A hacker guesses
"admin123" as the website administrator’s password and gains full control. Effect: Can
lead to complete website takeover and data breaches.

6. Misconfigured Security Settings (Leaving Doors Open)

If a server is not properly secured, it can leak sensitive data or allow unauthorized
users to access critical files. Example: A website has directory listing enabled,
allowing hackers to browse and download hidden files from the server. Effect: Can
expose private files, database credentials, or backup data.

Q.15 Patch Management Techniques

Patch management is the process of updating software, apps, and systems to fix
security vulnerabilities, improve performance, and add new features. Example: Imagine
your smartphone gets a security update from Apple (iOS) or Google (Android). This update
(patch) fixes bugs and protects your phone from hackers. Similarly, computers and servers
also need updates to stay secure.

Common Patch Management Techniques

1. Automatic Updates

Some systems automatically download and install updates without user intervention. This ensures that the latest
security patches are applied immediately. Example: Windows and macOS often update automatically, fixing
security flaws without you having to do anything.

2. Manual Updates
In some cases, patches are manually downloaded and installed. IT teams test patches before applying them to
avoid compatibility issues. Example: A company manually tests updates on a few computers before rolling them
out to all employees.

3. Scheduled Patching

Organizations schedule updates during off-hours (like midnight) to avoid downtime during work hours. Example: A
hospital updates its computer systems at night to prevent disruptions during the day.

4. Patch Prioritization

Not all patches are equally important. Some fix small bugs, while others close dangerous
security holes. Organizations prioritize critical patches that protect against major cyber
threats. Example: A company immediately installs a patch fixing a critical security flaw
but waits to install a minor design update.

5. Testing Patches before Deployment

Some updates may cause software crashes or compatibility issues. Companies test
patches in a safe environment before applying them to all systems. Example: An IT team
tests an update on a few devices to make sure it doesn’t break any software.

6. Rollback Plans

Sometimes, a patch introduces new problems instead of fixing old ones. A rollback plan
allows companies to undo a bad update and restore the previous version. Example: A
bank installs a security update, but it crashes their app. They roll back to the previous
version while they investigate.

Q.16 Web Server Hardening

Web server hardening is the process of securing a web server to reduce its
vulnerabilities and minimize the risk of cyber-attacks. It involves implementing
security best practices, configuring settings, and applying necessary patches to
enhance the server’s resilience against threats like unauthorized access, data
breaches, and malware infections.

Key Steps for Web Server Hardening

1. Keep Software & OS Updated

Regularly update the web server software (Apache, Nginx, IIS, etc.), operating system, and
dependencies. Apply security patches to fix vulnerabilities.

2. Disable Unnecessary Services & Modules

Remove or disable unused services, ports, and modules to minimize attack surfaces. Only
enable features that are essential for the server’s functionality.

3. Use Secure Protocols (HTTPS & TLS)

Install an SSL/TLS certificate to encrypt traffic (use TLS 1.2 or 1.3). Disable weak ciphers and
older protocols like SSL 2.0, SSL 3.0, and TLS 1.0/1.1.
4. Restrict Directory & File Permissions

Set the correct file and directory permissions to prevent unauthorized access. Restrict public
access to sensitive directories such as /var/www/html/config/.

5. Implement Strong Authentication & Access Controls

Use strong, unique passwords and multi-factor authentication (MFA). Restrict admin panel
access based on IP whitelisting.

6. Hide Server Information

Disable server signatures and banners to prevent attackers from identifying server versions.

7. Secure Database Connections

Restrict database access to authorized applications and IPs. Use encrypted database
connections (SSL/TLS).

8. Backup Data Regularly

Automate regular backups of server configurations and website data. Store backups securely
and test recovery procedures.
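The following Python example is added here and is not part of the original notes. It audits the response headers of a web server for three of the points made on this page: the banner disclosure that step 6 (Hide Server Information) is about, the missing HTTPS enforcement header (HSTS) from step 3, and the two hijacking issues from Q.13, namely cookies that lack the HttpOnly/Secure flags (session hijacking) and pages that can be framed by another site (clickjacking). The two HTTP responses are constructed for the example; the hostnames are placeholders.

```python
from typing import Dict, List

# Constructed responses: what a default install leaks versus a hardened configuration.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Set-Cookie: PHPSESSID=abc123; Path=/
Content-Type: text/html
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
Content-Type: text/html
"""

COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Header block -> lower-cased name -> list of values (Set-Cookie may repeat)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                # end of the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_allowed(headers: Dict[str, List[str]], embedder: str, page_origin: str) -> bool:
    """Can a page served from `page_origin` be put in a frame by `embedder`?

    Browsers honour CSP frame-ancestors over X-Frame-Options, so check it first.
    """
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.strip().split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = {t.strip("'").lower() for t in tokens[1:]}
                if "none" in sources:
                    return False
                if "self" in sources and embedder.lower() == page_origin.lower():
                    return True
                return "*" in sources or embedder.lower() in sources
    xfo = headers.get("x-frame-options", [])
    if xfo:
        value = xfo[0].strip().upper()
        if value == "DENY":
            return False
        if value == "SAMEORIGIN":
            return embedder.lower() == page_origin.lower()
    return True   # no policy at all: any site may frame the page


def audit_response(raw: str, page_origin: str) -> List[str]:
    """Findings for banner disclosure, missing HSTS, framing, and cookie flags."""
    headers = parse_headers(raw)
    findings: List[str] = []
    for banner in ("server", "x-powered-by"):
        for value in headers.get(banner, []):
            if any(ch.isdigit() for ch in value):        # a version number is being disclosed
                findings.append(f"{banner} header discloses version: {value}")
    if "strict-transport-security" not in headers:
        findings.append("missing Strict-Transport-Security")
    if framing_allowed(headers, "https://attacker.example", page_origin):
        findings.append("page can be framed by a third-party site (clickjacking)")
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        present = {attr.strip().split("=")[0].lower() for attr in cookie.split(";")[1:]}
        for flag, label in COOKIE_FLAGS.items():
            if flag not in present:
                findings.append(f"cookie {name} lacks {label}")
    return findings


if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE, "https://shop.example"):
        print("-", finding)
```

To audit a live server, feed it the header block returned by `curl -sI https://host/` in place of the constructed string. Each finding maps to a configuration change: `ServerTokens Prod` (Apache) or `server_tokens off` (nginx) for the banner, adding the HSTS and frame-ancestors headers, and setting the cookie flags in the application framework.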

Chapter-11 Web Based Password Cracking Techniques


Q.1 Authentication Type
Authentication is a critical component of web and network security, ensuring that
only authorized users can access specific systems, applications, or resources. There
are several types of authentication methods, each with its own strengths and
weaknesses. Below, we'll explore these authentication types in detail, outlining how
they function and the advantages and disadvantages of each.
1. Knowledge-based Authentication
This is the most traditional form of authentication, where a user proves their identity
by providing something they know. Typically, this involves passwords or PINs.
2. Biometric Authentication
Biometric authentication uses a user’s unique physical characteristics to verify their
identity. This could include fingerprint scans, facial recognition, iris scans, or voice
recognition.
3. Behavioural Authentication
This is a newer form of authentication that is based on patterns of behaviour
exhibited by the user, such as keystroke dynamics, mouse movements, or walking
patterns.
4. Multi-factor Authentication (MFA)
Multi-factor authentication (MFA) combines two or more different authentication
methods to enhance security. It requires users to provide two or more pieces of
evidence to verify their identity.
5. Token-based Authentication
Token-based authentication involves the use of a token (often a time-limited string that
the server has signed or encrypted, so that it cannot be forged or altered) as a method of
proving identity, typically in web or mobile applications.

Q.2 Password Cracker Countermeasure

Password cracking is a technique used by attackers to guess or break into user
accounts by cracking passwords. Fortunately, there are several countermeasures
that organizations and individuals can implement to mitigate the risk of password
cracking. These countermeasures aim to make it more difficult for attackers to
succeed in cracking passwords, protecting user accounts and sensitive information.
Below, we will explain the password cracker countermeasures in detail.

1. Strong Password Policies

Enforcing strong password policies is one of the most effective countermeasures to
prevent password cracking. By requiring users to choose complex passwords, the
difficulty of cracking passwords increases significantly.

2. Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) requires users to provide two or more forms of
identification to access an account. This adds an additional layer of security beyond
just passwords.

3. Account Lockout Mechanisms

Account lockout mechanisms involve temporarily locking an account after a certain
number of failed login attempts. This helps prevent brute force and dictionary
attacks.

4. Password Salting and Hashing

Passwords should never be stored in plain text. Hashing turns each password into a fixed-size
digest that cannot be reversed, and a unique random salt per user means that two users with
the same password get different hashes and that precomputed (rainbow) tables are useless.
Using a deliberately slow hash designed for passwords (bcrypt, scrypt, Argon2, or PBKDF2 with
a high iteration count) makes every guess expensive, so even an attacker who steals the hashed
password database cannot recover the original passwords quickly.

5. Password Expiry and Rotation

Password expiry and rotation involve setting policies that require users to change
their passwords periodically. This reduces the window of time during which a cracked
password can be used. Current guidance (NIST SP 800-63B) recommends forcing a change only
when there is evidence of compromise, because mandatory rotation pushes users toward weak,
predictable variations of their old password.

6. Monitoring and Logging Failed Login Attempts

Monitoring and logging login attempts can help detect and respond to suspicious
activities, such as brute force or credential stuffing attacks, in real time.
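The following Python example is added here and is not part of the original notes. It implements countermeasures 3 and 4 from the list above: salted, slow password hashing with PBKDF2-HMAC-SHA256 from the standard library, a constant-time verification, and an account lockout that refuses further attempts (even with the correct password) after a configurable number of failures. The usernames and passwords are constructed; the clock is injectable so that the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict

# OWASP's current floor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' using a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class LoginGuard:
    """Account lockout: after `max_failures` wrong passwords, refuse every attempt for
    `lockout_seconds`, including correct ones. The clock is injectable for testing."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def attempt(self, username: str, password: str, stored_hash: str) -> str:
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "locked"                 # do not even evaluate the password
        if verify_password(password, stored_hash):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    # Constructed sample: the same password hashed twice gives two unrelated records.
    first, second = hash_password("correct horse"), hash_password("correct horse")
    print(first)
    print(second)
    print("same hash?", first == second, "| verifies:", verify_password("correct horse", first))
```

Storing the iteration count inside the record lets you raise it later and re-hash each user at their next successful login. The lockout counter here lives in memory; a real deployment keeps it in shared storage so that an attacker cannot reset it by hitting a different server, and usually adds a per-IP throttle so that a distributed guessing campaign cannot lock out legitimate users at will.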

Chapter-12 SQL Injection

Q.3 SQL Injection


SQL Injection (SQLi) is a type of cyber-attack where hackers insert malicious SQL
(Structured Query Language) code into a website’s input fields to access,
modify, or delete sensitive data from a database.

Imagine you have a login page where users enter a username and password. A
hacker might enter special SQL commands instead of normal credentials to trick
the system and gain unauthorized access.

How Does SQL Injection Work?

A website or application stores data (like usernames, passwords, and credit card
details) in a database. To retrieve this data, it uses SQL queries.

For example, when a user logs in, the website might run this SQL query:

SELECT * FROM users WHERE username = 'john' AND password = 'mypassword';
 If "john" and "mypassword" exist in the database, access is granted.
 If not, access is denied.

Example of a Basic SQL Injection Attack

A hacker enters the following in the username field and leaves the password field
empty:

' OR '1'='1' --

Now, the SQL query looks like this:

SELECT * FROM users WHERE username = '' OR '1'='1' --' AND password = '';

Why Does This Work?

 The first quote closes the (empty) username string, and '1'='1' is always true.
 The -- starts an SQL comment, so the rest of the line, including the password check,
is ignored by the database (in MySQL the -- must be followed by a space).
 The comment matters: without it the query would read username = '' OR '1'='1' AND
password = '', and because AND binds tighter than OR it would only match rows with an
empty password.
 The query becomes valid and returns all user records.
 The hacker logs in without knowing any real credentials.
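The following Python example is added here and is not part of the original notes; it illustrates both this section and the SQL Injection item under Q.14. It builds the vulnerable login query by string concatenation exactly as described above, shows that the payload returns every row, shows that the same payload without the trailing comment returns nothing because of operator precedence, and shows the fix: a parameterized query, in which the payload is just a username that matches nobody. SQLite (standard library) stands in for MySQL, and the passwords are stored in plain text only to keep the example short (see Q.2 for how they should be stored).

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plain-text passwords only to keep the injection example short.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("john", "mypassword"), ("admin", "s3cret")])
    return conn


def rows_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple]:
    """The bug: user input is concatenated into the SQL text, so quotes and comments
    typed by the user become part of the query itself."""
    query = ("SELECT * FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    return len(rows_vulnerable(conn, username, password)) > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: placeholders send the values separately from the SQL text, so the
    database treats the whole payload as a literal username that matches nobody."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1' --"
    print("vulnerable login:", login_vulnerable(db, payload, ""))     # True: every row returned
    print("safe login:      ", login_safe(db, payload, ""))           # False
    print("rows without the comment:", len(rows_vulnerable(db, "' OR '1'='1", "")))
    print("log in as admin: ", login_vulnerable(db, "admin' --", "anything"))
```

The second payload, `admin' --`, shows why "returns all rows" is not even necessary: commenting out the password check logs the attacker in as whichever user they name. Parameterized queries (or an ORM that uses them) are the fix; input filtering alone is not, because the database's own quoting rules are what matter.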

Types of SQL Injection Attacks


1. Union-Based SQL Injection

The attacker uses the UNION SQL operator to append the results of a second query of their
own to the results of the original query, allowing them to retrieve data from other tables.
The injected SELECT must return the same number of columns as the original query.

Example:
If a search box uses this query: SELECT name, email FROM users WHERE name =
'John';

An attacker enters: John' UNION SELECT credit_card_number, CVV FROM payments --

The query now returns credit card details alongside the usernames.

2. Boolean-Based SQL Injection

The attacker injects a condition that is either true or false (using OR, AND, etc.) and
compares how the website responds in each case; the difference between the two pages
reveals the answer even when no data is displayed directly.

Example: SELECT * FROM users WHERE username = 'admin' AND password = '123'
OR '1'='1';

 If the page loads normally, the injected condition was evaluated and the attack is
successful.
 If the page denies access, the attacker tries another condition.

3. Error-Based SQL Injection

The attacker forces the database to display error messages that reveal
database details.

Example: Entering this in a form: ' OR 1=1 --

Might return an error like: You have an error in your SQL syntax near '1=1 --'

The hacker can analyse this message to learn about the database structure.

4. Blind SQL Injection

The attacker does not see error messages but can still extract data by asking
yes/no questions.

Example: SELECT * FROM users WHERE username = 'admin' AND LENGTH(password)=8;

 If the page loads normally, the hacker knows the password is 8 characters
long.
 They repeat the process to guess the entire password character by
character.
5. Time-Based SQL Injection

The attacker makes the database pause (for example with MySQL’s SLEEP() function) and
measures the response time to determine if an injection is successful.

Example: SELECT * FROM users WHERE username='admin' AND IF(1=1, SLEEP(5), 0);

 If the website takes 5 seconds to respond, the hacker knows the injection
worked.
 This helps when error messages are hidden and the page looks the same either way.

Q.4 SQL Server Vulnerabilities

SQL Server is a popular database system used to store and manage data for web applications. However, if not
secured properly, it can become a target for hackers. Attackers exploit vulnerabilities in SQL Server to steal data,
modify records, or even take control of the entire database. Let’s go through the most common SQL Server
vulnerabilities in a simple and easy-to-understand way.

Common SQL Server Vulnerabilities


1. SQL Injection (SQLi)
SQL Injection is one of the most dangerous vulnerabilities in SQL Server. It occurs
when an attacker enters malicious SQL commands into an input field (like a login
form or search box) to manipulate the database.
2. Weak Authentication and Password Policies
If a database has weak passwords or default credentials, attackers can easily guess
them and gain unauthorized access
3. Lack of Proper User Permissions (Excessive Privileges)
If every user or application has full admin privileges, a hacker who gains access
can completely take over the database.
4. Unpatched SQL Server (Outdated Software)
Attackers often exploit known security flaws in outdated SQL Server versions. If
security updates are not installed, hackers can take advantage of vulnerabilities.
5. Lack of Backup and Disaster Recovery Plans
If SQL Server does not have regular backups, a cyber-attack (like ransomware) or
hardware failure can lead to permanent data loss.
6. Insecure Database Communication
If the connection between the database and the application is not encrypted,
hackers can intercept sensitive data (like passwords and credit card details).

Chapter-13 Buffer Overflows


Q.5 Buffer Overflow

A buffer is a fixed-size region of a computer’s memory that holds temporary data. A buffer
overflow happens when a program writes more data into a buffer than it can hold, so the
excess spills over into the adjacent memory. An attacker who controls that data can crash
the program, make it behave unpredictably, or overwrite control data (such as a saved
return address) and take control of the system.

Types of Buffer Overflow Attacks

There are different types of buffer overflow attacks, depending on where the extra
data is stored.

1. Stack-Based Buffer Overflow


 The stack is a memory section where temporary data (like function calls and
variables) is stored.
 If an attacker overflows a buffer in the stack, it overwrites important data,
like return addresses.
 This allows the hacker to redirect the program’s execution and run
malicious code.

2. Heap-Based Buffer Overflow


 The heap is another memory section used for storing dynamically allocated
data (like user input).
 If a hacker overflows a buffer in the heap, they can modify important data
structures and cause unexpected behaviour. These attacks are more complex
but can be just as dangerous.

3. Integer Overflow Attack

 This happens when a program miscalculates the size of data before storing
it in a buffer, because the size does not fit in the integer type used to hold it.
 Example: If a length is kept in an 8-bit variable that can hold 0 to 255, the value
256 wraps around to 0. The program allocates a 0-byte buffer and then copies 256 bytes
into it, causing a buffer overflow. Hackers exploit this to crash programs or execute
malicious code.

4. Format String Attack

 Some C functions (printf, sprintf, syslog) take a format string containing
placeholders such as %s, %d and %x.
 If a hacker’s input is used directly as the format string, extra placeholders like %x
and %s make the function read memory it should not (leaking stack contents and pointers),
and %n makes it write to memory. This can reveal sensitive data or allow code execution.

Q.6 Mutation Techniques

Mutation techniques are used in cyber security, specifically in fuzz testing
(fuzzing) and malware analysis, to generate new test cases or variations of
malicious code. These techniques modify existing inputs, files, or code to discover
security vulnerabilities or evade detection.
Mutation techniques are mainly used in two areas:

1. Fuzz Testing (Fuzzing) – Finding software vulnerabilities by feeding modified
inputs to programs.
2. Malware Mutation – Creating new variants of malware to bypass antivirus
detection.

A related use is mutation testing, where small deliberate faults (mutants) are introduced
into a program’s source code to measure whether the test suite detects them. Common
mutation operators used in mutation testing:

1. Arithmetic Operator Replacement: Mutants are generated by replacing arithmetic
operators (+, -, *, /) with other operators or constants. This helps evaluate whether
the test suite can detect errors related to incorrect mathematical calculations.

2. Relational Operator Replacement: Mutants are created by changing relational
operators (e.g., <, >, <=, >=, ==, !=) to different operators. This checks if the test
suite is effective in identifying faults related to incorrect comparison operations.

3. Logical Operator Replacement: Logical operators (e.g., &&, ||) are replaced with
other logical operators or constants to create mutants. This helps assess the ability
of the test suite to catch faults in logical conditions.

4. Assignment Operator Replacement: Mutants are generated by changing
assignment operators (=, +=, -=, *=, /=) to other operators. This evaluates whether
the test suite can detect faults related to incorrect variable assignments.

5. Unary Operator Replacement: Unary operators (e.g., ++, --, !) are replaced with
other operators or constants to create mutants. This checks if the test suite can find
faults related to incorrect unary operations.

6. Statement Deletion: Mutants are created by removing entire statements from the
code. This assesses whether the test suite can detect missing or incomplete code.

7. Statement Insertion: New statements are inserted into the code to create mutants.
This helps evaluate if the test suite can identify unwanted or incorrect additions to
the code.

8. Conditional Statement Modification: Mutants are generated by changing the
conditions within if statements or loops. This assesses the ability of the test suite
to identify faults related to incorrect control flow.

9. Loop Boundary Modification: The boundaries of loops (e.g., changing loop counters
or loop conditions) are modified to create mutants. This checks if the test suite can
detect faults related to incorrect loop behaviour.

10. Function Call Modification: Mutants are created by modifying parameters or
changing the order of function calls. This evaluates whether the test suite can
identify faults related to incorrect function usage.
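The following Python example is added here and is not part of the original notes. It implements operators 1 and 2 from the list above (arithmetic and relational operator replacement) as a transformation of the program’s abstract syntax tree, runs a test suite against every mutant, and reports the mutation score. The program under test (`can_vote`) and both test suites are constructed for the example; the point it makes is that a suite which never tests the boundary value lets the `>=` to `>` mutant survive, which is exactly the kind of off-by-one fault mutation testing is meant to expose.

```python
import ast
import copy
from typing import Callable, List, Sequence, Tuple

# Program under test (constructed): one relational operator, so every mutant is a
# Relational Operator Replacement of `>=`.
SOURCE = """
def can_vote(age):
    return age >= 18
"""

TestCase = Tuple[Tuple, object]            # ((args...), expected result)
WEAK_TESTS: List[TestCase] = [((10,), False), ((30,), True)]
STRONG_TESTS: List[TestCase] = WEAK_TESTS + [((18,), True), ((17,), False)]

RELATIONAL = (ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.Eq, ast.NotEq)
ARITHMETIC = (ast.Add, ast.Sub, ast.Mult, ast.FloorDiv)


def _sites(tree: ast.AST) -> List[ast.AST]:
    """Every comparison or arithmetic node, in a deterministic (breadth-first) order."""
    return [n for n in ast.walk(tree) if isinstance(n, (ast.Compare, ast.BinOp))]


def generate_mutants(tree: ast.Module) -> List[Tuple[str, ast.Module]]:
    """One mutant per (site, replacement operator), labelled 'Original->Replacement'."""
    mutants = []
    for index, site in enumerate(_sites(tree)):
        if isinstance(site, ast.Compare):
            originals, family = site.ops, RELATIONAL
        else:
            originals, family = [site.op], ARITHMETIC
        for position, original in enumerate(originals):
            if type(original) not in family:
                continue                              # e.g. `in`, `is`, `%`: not handled here
            for replacement in family:
                if replacement is type(original):
                    continue
                mutant = copy.deepcopy(tree)
                target = _sites(mutant)[index]         # same walk order in the copy
                if isinstance(target, ast.Compare):
                    target.ops[position] = replacement()
                else:
                    target.op = replacement()
                mutants.append((f"{type(original).__name__}->{replacement.__name__}", mutant))
    return mutants


def count_mutants(source: str) -> int:
    return len(generate_mutants(ast.parse(source)))


def suite_passes(tree: ast.Module, func_name: str, tests: Sequence[TestCase]) -> bool:
    """Compile the (possibly mutated) module and run the cases; a crash counts as a failure."""
    namespace: dict = {}
    exec(compile(tree, "<mutant>", "exec"), namespace)
    func: Callable = namespace[func_name]
    try:
        return all(func(*args) == expected for args, expected in tests)
    except Exception:
        return False


def mutation_score(source: str, func_name: str,
                   tests: Sequence[TestCase]) -> Tuple[int, int, List[str]]:
    """Return (killed, total, surviving labels). A survivor is a fault the suite would miss."""
    tree = ast.parse(source)
    if not suite_passes(tree, func_name, tests):
        raise ValueError("the test suite must pass against the original program")
    mutants = generate_mutants(tree)
    survivors = [label for label, mutant in mutants if suite_passes(mutant, func_name, tests)]
    return len(mutants) - len(survivors), len(mutants), survivors


if __name__ == "__main__":
    for name, tests in (("weak", WEAK_TESTS), ("strong", STRONG_TESTS)):
        killed, total, survivors = mutation_score(SOURCE, "can_vote", tests)
        print(f"{name} suite: killed {killed}/{total}, survivors: {survivors}")
```

Production tools (mutmut and cosmic-ray for Python, PIT for Java) apply the full operator list, run the real test runner per mutant, and also have to deal with equivalent mutants, i.e. changes that happen not to alter behaviour and therefore can never be killed.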

Chapter-14 Wireless Hacking


Q.7 What is Wireless Hacking and its techniques?

Wireless hacking is the process of breaking into or exploiting weaknesses in wireless
networks. Instead of using a wired connection, hackers target Wi-Fi networks, which
use radio signals to transmit data. If a wireless network is not properly secured,
hackers can intercept communications, steal sensitive information, or even take
control of connected devices.

Most Wi-Fi networks are protected by passwords and encryption methods to
prevent unauthorized access. However, if security is weak or outdated, hackers can
exploit vulnerabilities to gain access.

Common Wireless Hacking Techniques

Types of WiFi Attacks

1. Evil Twin Attack (Fake WiFi Network)


 Hackers set up a fake WiFi network with the same name (SSID) as a real
one.
 When users connect, the hacker can steal login credentials, monitor
traffic, and inject malware.

2. Deauthentication Attack (Forcing Disconnection)


 Hackers send fake deauthentication packets to disconnect users from the
real network.
 Users may then connect to a fake WiFi network (Evil Twin) without realizing
it.
 Tools like aireplay-ng are used for this attack.

3. Man-in-the-Middle Attack (MITM)


 Hackers intercept communication between a user and the router.
 They can steal login credentials, modify data, or redirect users to
malicious websites.
 Tools like Ettercap and MITMf are used for this.

4. Rogue Access Point Attack


 Hackers install a fake WiFi access point in an office, café, or public place.
 When people connect, all their data passes through the hacker’s system,
allowing them to steal sensitive information.

5. Brute Force Attack on WPA/WPA2

 If the network uses WPA or WPA2-Personal, hackers capture the 4-way handshake between
a client and the access point (a deauthentication attack forces a client to reconnect and
repeat it) and then try passwords offline, deriving a key from each guess and checking it
against the captured handshake, until one works. Each guess costs thousands of hash
operations, so the attack is slow, but it can be effective if the password is weak or
appears in a wordlist.

Q.8 Wired Equivalent Privacy (WEP)


Wired Equivalent Privacy (WEP) is an old security protocol used to protect wireless
networks. WEP encrypts data transmitted over a wireless network to prevent
unauthorized users from accessing the network or intercepting data.

However, WEP has serious security weaknesses, and today, it is considered
completely insecure. It has been replaced by stronger encryption protocols like
WPA2 and WPA3.

How Does WEP Work?

WEP encrypts the data that is sent between devices (such as laptops, smartphones,
and routers) using an encryption key. This key is shared between the router (Wi-Fi
access point) and the connected devices. The goal of WEP is to prevent hackers
from eavesdropping on wireless communications and stealing information.
WEP uses the RC4 (Rivest Cipher 4) stream cipher to scramble data so
that only devices with the correct key can decode and read it. For each packet, the
40- or 104-bit pre-shared key (PSK) is combined with a 24-bit Initialization Vector (IV),
which is sent in clear text, to form the RC4 key. Because the IV is so short it soon
repeats on a busy network, and because RC4 has weak keys, an attacker who captures
enough packets can recover the key in minutes with tools such as aircrack-ng.

Q.9 WPA Authentication Mechanisms

Wi-Fi Protected Access (WPA) is a security protocol designed to protect wireless
networks. It was created as a replacement for WEP (Wired Equivalent Privacy), which
had many security flaws. WPA uses stronger encryption and authentication
mechanisms to ensure that only authorized users can connect to the network.

Authentication in WPA determines who is allowed to connect to a Wi-Fi network
and ensures that their credentials are valid. There are two main types of
authentication mechanisms in WPA:

1. WPA-Personal (WPA-PSK – Pre-Shared Key)
2. WPA-Enterprise (WPA-EAP – Extensible Authentication Protocol)

Let’s break down these authentication methods in simple terms.

1. WPA-Personal (WPA-PSK – Pre-Shared Key Authentication)

How It Works
WPA-Personal (also known as WPA-PSK) is the most common authentication method
used in homes and small businesses. In this method, all users connect to the Wi-Fi
network using the same password, known as the Pre-Shared Key (PSK).

 The router and every device derive the same 256-bit Pairwise Master Key (PMK) from
the passphrase and the network name (SSID), using PBKDF2-HMAC-SHA1 with 4096 iterations.
 The passphrase itself is never sent over the air: in a 4-way handshake, the router and
the device exchange random nonces and prove to each other that they hold the same PMK,
and from it they derive the per-session keys that encrypt all the data between them.

When a device knows the correct password, the handshake succeeds and it can join the
network and communicate securely. If the password is incorrect, the handshake fails and
the connection is denied.
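The following Python example is added here and is not part of the original notes; it illustrates this section and the brute-force item under Q.7. It derives the WPA/WPA2-Personal PMK from a passphrase and SSID exactly as the standard specifies (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes), checked against the published IEEE 802.11i test vector, and then runs a dictionary attack over a constructed wordlist. A real cracker such as aircrack-ng or hashcat does not have the PMK; it derives the PMK from each guess and checks it against the MIC in the captured handshake, a step not shown here. What the example does show is that the SSID salts the derivation, so precomputed tables only work against common network names, and that the cost per guess is fixed by the protocol while the outcome is decided entirely by the passphrase.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def offline_crack(pmk_hex: str, ssid: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack against a known PMK.

    Nothing is sent to the access point, so no lockout can interfere. Each candidate costs
    4096 HMAC-SHA1 rounds, which is why the attack is slow per guess; a real cracker would
    verify each candidate against the handshake MIC instead of a PMK.
    """
    target = bytes.fromhex(pmk_hex)
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue                          # cannot be a valid WPA passphrase
        if hmac.compare_digest(derive_pmk(candidate, ssid), target):
            return candidate
    return None


# Constructed wordlist; "password" is the passphrase of the published IEEE test vector.
WORDLIST = ["letmein1", "iloveyou", "qwerty123", "password", "sunshine"]

if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    print("PMK for 'password'/'IEEE':", pmk.hex())
    print("recovered from wordlist:", offline_crack(pmk.hex(), "IEEE", WORDLIST))
    print("same PMK, different SSID:", offline_crack(pmk.hex(), "CoffeeShop", WORDLIST))
```

The same derivation is what `wpa_passphrase` prints when you give it an SSID and passphrase. WPA3-Personal replaces this scheme with SAE (Dragonfly), in which a captured exchange cannot be used to test passphrase guesses offline.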
2. WPA-Enterprise (WPA-EAP – Extensible Authentication
Protocol)

WPA-Enterprise is designed for large organizations, businesses, and schools that
need stronger security and individual user authentication. Unlike WPA-Personal, where
all users share the same password, WPA-Enterprise requires each user to have their own
credentials, typically a unique username and password or a client certificate.

This is achieved using a RADIUS (Remote Authentication Dial-In User Service)
server, which verifies users before allowing them to connect. The process works like
this:

1. A user tries to connect to the Wi-Fi network.
2. The Wi-Fi access point forwards the user’s login request to the RADIUS server.
3. The RADIUS server checks the username and password.
4. If the credentials are correct, the user is granted access to the
network.
5. If the credentials are incorrect, the connection is denied.

WPA-Enterprise uses different authentication protocols under EAP (Extensible
Authentication Protocol), such as PEAP, EAP-TTLS and EAP-TLS, to ensure secure
authentication.

Q.10 How to Protect Your Wi-Fi Network from Attacks

1. Use Strong Encryption (WPA3 or WPA2-PSK AES)


 Avoid WEP and WPA (TKIP) as they are vulnerable.
 Use WPA2-PSK with AES encryption or, even better, WPA3.

2. Use a Strong and Unique Wi-Fi Password


 Avoid simple passwords like 12345678 or password123.
 Use a mix of uppercase, lowercase, numbers, and special characters.

3. Change the Default Router Settings


 Change the admin username and password for your router.
 Disable WPS (WiFi Protected Setup) because it is easy to hack.
 Change the SSID (WiFi name) to something unique.

4. Keep Router Firmware Updated

 Manufacturers release security updates for routers to fix vulnerabilities.
 Always update your router’s firmware to the latest version.

5. Turn Off WiFi When Not in Use

 If you are not using WiFi for a long time (e.g., at night), turn it off to prevent
attacks.

6. Use a VPN (Virtual Private Network)

 A VPN encrypts your internet traffic, making it harder for hackers to
intercept your data.
Chapter-15 Penetration Testing Methodologies
Q.11 Explain penetration testing methodologies
Penetration testing is like a security check-up for computer systems, applications, or
networks. It involves ethical hackers trying to break into a system to find weaknesses
before real hackers can exploit them. To perform a penetration test properly,
professionals follow a structured process that includes several key steps.

Step 1: Planning & Preparation

Before starting the test, both the company and the security team need to decide
what will be tested and how. This includes defining the scope, meaning which
systems, applications, or parts of the network will be tested. The testers also need to
get proper permission to avoid legal issues. Additionally, both parties set the rules of
engagement, such as whether testing can be done during business hours and
whether aggressive attacks like Denial-of-Service (DoS) are allowed.

Step 2: Information Gathering (Reconnaissance)

Once the rules are set, the penetration testers begin gathering as much information
as possible about the target system. There are two main ways to gather information:
passive reconnaissance and active reconnaissance. Passive reconnaissance means
collecting publicly available information without directly interacting with the system.
This includes searching for company details on Google, looking at social media
profiles, and checking domain registration information. Active reconnaissance
involves directly scanning the target system to discover details such as open ports,
running services, and technologies in use. Tools like Nmap help identify which parts
of a system might be vulnerable.

Step 3: Vulnerability Analysis

After gathering information, the next step is identifying weaknesses in the system.
The testers use automated tools to scan for known vulnerabilities, such as outdated
software or weak passwords. They also manually test for security flaws that
automated scanners might miss.

Step 4: Exploitation (Breaking In)

Now comes the most exciting part—actually trying to hack into the system. Testers
use the weaknesses they identified in the previous step to attempt real attacks. If
they found an outdated software version, they might use a known exploit to take
control of the system. If they found weak passwords, they might try to crack those
using automated tools. Web applications are tested for vulnerabilities like SQL
Injection, which allows attackers to steal data from databases, and Cross-Site
Scripting (XSS), which can inject malicious code into web pages. The goal of this step
is not to cause harm but to prove that the vulnerabilities are real and need to be
fixed.
Step 5: Post-Exploitation (Evaluating the Impact)

After successfully exploiting a vulnerability and gaining access to a system, the
penetration tester enters the post-exploitation phase. This phase focuses on
understanding what can be done with that access, just like a real attacker would do
after breaking in. The goal is not just to break in, but to show the impact of
the breach.

Step 6: Reporting & Documentation

After testing is complete, the penetration testers document everything they found.
This report is one of the most important parts of the process because it helps the
company understand the risks and how to fix them.

Step 7: Remediation & Retesting

After receiving the report, the company’s IT team works on fixing the vulnerabilities.
They update software, change security settings, and improve password policies.
Once the fixes are applied, penetration testers conduct a retest to make sure the
vulnerabilities are no longer exploitable. This step ensures that all issues have been
properly resolved and that the system is now secure.

Q.12 Penetration Testing Automated Tools

Penetration testing can be done manually or with the help of automated tools.
Automated tools make the process faster and more efficient by scanning systems,
identifying vulnerabilities, and even performing basic exploitation. These tools are
widely used by security professionals because they save time and provide a detailed
analysis of potential security risks.

Network Scanners: One of the most commonly used automated tools is Nmap
(Network Mapper). This tool helps penetration testers discover devices on a
network, check for open ports, and identify what services are running.

Vulnerability Scanners: Another popular tool is Nessus, which is used for vulnerability
scanning. It checks systems for known security weaknesses, such as outdated
software, weak passwords, and misconfigured security settings. Nessus provides a
report with a list of vulnerabilities, their severity levels, and recommendations on
how to fix them.

Web Application Security Testing Tools: For testing web applications,
Burp Suite is one of the best tools available. It helps testers find vulnerabilities like
SQL Injection and Cross-Site Scripting (XSS). Burp Suite works by intercepting
requests between the user and the web application, allowing testers to modify them
and see how the system responds. This helps identify weak points in a website’s
security.

Exploitation Frameworks: Metasploit is another powerful tool, commonly
used for exploitation. It has a large database of known vulnerabilities and exploits
that testers can use to check if a system can be hacked. For example, if Nessus
identifies that a server is running an outdated version of Windows, Metasploit can
attempt to exploit it using a real-world hacking technique. This helps companies
understand how dangerous an unpatched system can be.

For password security testing, Hydra is an effective tool. It performs brute-force
attacks, trying thousands of username and password combinations to check if an
account is protected by a weak password. If Hydra successfully logs into a system, it
means that the company needs to enforce stronger password policies.

Another useful tool is Wireshark, which captures and analyzes network traffic. It
allows testers to see what data is being transmitted over a network, helping them
detect security issues like unencrypted sensitive information. If a company is
transmitting login credentials over an unsecured connection, Wireshark can capture
this data, demonstrating a serious security risk.
