This document discusses several cybersecurity topics including ARP spoofing, password cracking, WEP vulnerabilities, MAC flooding, IP spoofing, and SYN flood attacks. It provides details on how each works and potential prevention and mitigation techniques. ARP spoofing allows attackers to intercept network traffic by spoofing MAC addresses. Password cracking involves recovering passwords through methods like brute force attacks or rainbow tables. WEP has security flaws in its use of short, static IVs and lack of integrity checks. MAC flooding overwhelms switches by sending fake MAC addresses. IP spoofing and SYN floods are types of DDoS attacks that respectively modify source IP addresses or abuse the TCP three-way handshake. Defenses include ingress filtering, egress filtering, and SYN cookies.

1. Enterprise Security
Network hacking
By:Asst.Prof. Prachi N. Mishal

2. ARP Protocol
 Address Resolution Protocol (ARP) is a protocol that enables network communications
to reach a specific device on the network. ARP translates Internet Protocol (IP) addresses
to a Media Access Control (MAC) address, and vice versa.
 Most commonly, devices use ARP to contact the router or gateway that enables them to
connect to the Internet.
 Hosts maintain an ARP cache, a mapping table between IP addresses and MAC addresses,
and use it to connect to destinations on the network. If the host doesn’t know the MAC
address for a certain IP address, it sends out an ARP request packet, asking other machines
on the network for the matching MAC address.
 The ARP protocol was not designed for security, so it does not verify that a response to an
ARP request really comes from an authorized party. It also lets hosts accept ARP responses
even if they never sent out a request. This is a weak point in the ARP protocol, which
opens the door to ARP spoofing attacks.
 ARP only works with 32-bit IP addresses in the older IPv4 standard. The newer IPv6
protocol uses a different protocol, Neighbor Discovery Protocol (NDP), which is secure
and uses cryptographic keys to verify host identities. However, since most of the Internet
still uses the older IPv4 protocol, ARP remains in wide use.

3. What is ARP Spoofing (ARP Poisoning)
An ARP spoofing, also known as ARP poisoning, is a Man in the Middle (MitM) attack
that allows attackers to intercept communication between network devices. The attack works
as follows:
 The attacker must have access to the network. They scan the network to determine the IP
addresses of at least two devices let’s say these are a workstation and a router.
 The attacker uses a spoofing tool, such as Arpspoof or Driftnet, to send out forged ARP
responses.
 The forged responses advertise that the correct MAC address for both IP addresses,
belonging to the router and workstation, is the attacker’s MAC address. This fools both
router and workstation to connect to the attacker’s machine, instead of to each other.
 The two devices update their ARP cache entries and from that point onwards,
communicate with the attacker instead of directly with each other.
 The attacker is now secretly in the middle of all communications.

4. The ARP spoofing attacker pretends to be both sides of a network
communication channel

5. Once the attacker succeeds in an ARP spoofing attack, they can:
1. Continue routing the communications as-is the attacker can sniff the packets and steal
data, except if it is transferred over an encrypted channel like HTTPS.
2. Perform session hijacking if the attacker obtains a session ID, they can gain access to
accounts the user is currently logged into.
3. Alter communication for example pushing a malicious file or website to the
workstation.
4. Distributed Denial of Service (DDoS) the attackers can provide the MAC address of
a server they wish to attack with DDoS, instead of their own machine. If they do this
for a large number of IPs, the target server will be bombarded with traffic.
Detect an ARP Cache Poisoning Attack
Here is a simple way to detect that a specific device’s ARP cache has been poisoned, using
the command line. Start an operating system shell as an administrator. Use the following
command to display the ARP table, on both:
arp –a
The output will be as follows:
Internet Address Physical Address
192.168.5.1 00-14-22-01-23-45
192.168.5.201 40-d4-48-cr-55-b8
192.168.5.202 00-14-22-01-23-45
If the table contains two different IP addresses that have the same MAC address, this
indicates an ARP attack is taking place.

6. ARP Spoofing Prevention
Here are a few best practices that can help you prevent ARP Spoofing on your network:
1. Use a Virtual Private Network (VPN)
A VPN allows devices to connect to the Internet through an encrypted tunnel. This
makes all communication encrypted, and worthless for an ARP spoofing attacker.
2. Use static ARP
The ARP protocol lets you define a static ARP entry for an IP address, and prevent
devices from listening on ARP responses for that address. For example, if a
workstation always connects to the same router, you can define a static ARP entry for
that router, preventing an attack.
3. Use packet filtering
Packet filtering solutions can identify poisoned ARP packets by seeing that they
contain conflicting source information, and stop them before they reach devices on
your network.
4. Run a spoofing attack
check if your existing defenses are working by mounting a spoofing attack, in
coordination with IT and security teams. If the attack succeeds, identify weak points
in your defensive measures and remediate them.

7. Password cracking
Password cracking means recovering passwords from a computer or from data
that a computer transmits. This doesn’t have to be a sophisticated method. A brute-force
attack where all possible combinations are checked is also password cracking.
If the password is stored as plaintext, hacking the database gives the attacker
all account information. However, now most passwords are stored using a key derivation
function (KDF). This takes a password and runs it through a one-way encryption cipher,
creating what’s known as a “hash.” The server stores the hash-version of the password.
It’s easy to try different hashed passwords at a high rate when using a GPU
or botnet. That’s why most password hash functions use key stretching algorithms,
which increase the resources (and, therefore, time) needed for a brute-force attack.
Some methods of password cracking become significantly more difficult if
your password uses salting or key stretching. Unfortunately, there are still some services
that store unencrypted or weakly-encrypted passwords on their servers.

8. A typical password cracking attack looks like this:
1. Get the password hashes
2. Prepare the hashes for a selected cracking tool
3. Choose a cracking methodology
4. Run the cracking tool
5. Evaluate the results
6. If needed, tweak the attack
7. Go to Step 2
Password cracking methods:
Dictionary attack Brute force attack
Rainbow table attack Phishing
Malware Social engineering
Offline cracking Shoulder surfing
Spidering Guess

9. WEP Vulnerabilities
WEP stands for Wired Equivalent Privacy. The 802.11 designers intention was to
provide wireless users with a level of security equivalent to that achievable on a wired
network. Unfortunately WEP has turned out to be much less secure than intended.
How does WEP work?
WEP uses secret keys to encrypt data. Both AP and the receiving stations must know the
secret keys.
There are two kinds of WEP with keys of either 64bits or 128bits. The longer key gives a
slightly higher level of security (but not as much as the larger number would imply). In
fact the user keys are 40bits and 104bits long, the other 24bits in each case being taken up
by a variable called the Initialization Vector (IV).
When a packet is to be sent it is encrypted using a combination of the IV and the secret
key. The IV is different (in theory) for each packet, while the secret key is fixed.
The resulting packet data looks like random data and therefore makes the original message
unreadable to an outsider not knowing the key. The receiving station reverses the
encryption process to retrieve the message in clear text.

10. As if key management problems weren’t enough, you have other problems with the WEP
algorithm.
 The IV is too small and in cleartext.
It’s a 24-bit field sent in the cleartext portion of a message. This 24-bit string, used to
initialize the key stream generated by the RC4 algorithm, is a relatively small field
when used for cryptographic purposes.
 The IV is static.
Reuse of the same IV produces identical key streams for the protection of data, and
because the IV is short, it guarantees that those streams will repeat after a relatively
short time (between 5 and 7 hours) on a busy network.
 The IV makes the key stream vulnerable.
The 802.11 standard does not specify how the IVs are set or changed, and individual
wireless adapters from the same vendor may all generate the same IV sequences, or
some wireless adapters may possibly use a constant IV. As a result, hackers can record
network traffic, determine the key stream, and use it to decrypt the ciphertext.

11.  The IV is a part of the RC4 encryption key.
The fact that an eavesdropper knows 24-bits of every packet key, combined with a
weakness in the RC4 key schedule, leads to a successful analytic attack that recovers
the key after intercepting and analyzing only a relatively small amount of traffic.
Such an attack is so nearly a no-brainer that it’s publicly available as an attack script
and as open-source code.
 WEP provides no cryptographic integrity protection.
However, the 802.11 MAC protocol uses a non-cryptographic Cyclic Redundancy
Check (CRC) to check the integrity of packets, and acknowledges packets that have
the correct checksum. The combination of non-cryptographic checksums with stream
ciphers is dangerous — and often introduces vulnerabilities.

12. MAC (Media Access Control) Flooding is a type of cyber attack done in a network to
compromise the security of the network switches.
In this attack the network is flooded with the fake MAC addresses.
The hacker uses this attack to steal sensitive data that is being transferred in the network.
The attack is used for forcing the legitimate MAC table contents out of the switch and
forcing the unicast flooding behavior for potentially sending sensitive information to portions
of the network where it is not normally intended to go.
MAC (Media Access Control) Flooding
Procedure For The Attack
1. In this attack, the hacker first connects to the switch ports and floods it's interface by
forcing legitimate MAC addresses out of the MAC address table through very large
number of fake MAC addresses .
2. Once the MAC address table is full, the network switch enters into the fail-open mode
and behaves like a network hub, broadcasting all the packets on all the switch ports.
3. The hacker finally uses an packet analyzer to capture these packets to steal the
sensitive information

13. To stay safe from this attack, follow the following:
1. Authentication, Authorization, and Accounting Servers
(AAA) can be used for authentication against MAC addresses as an
preventive measures
2. Configure the switches to limit the number of MAC addresses on the
ports that are connected to the end stations.

14. IP spoofing
IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source
address in order to either hide the identity of the sender, to impersonate another computer
system, or both.
It is a technique often used by bad actors to invoke DDoS attacks against a target device or
the surrounding infrastructure.
Sending and receiving IP packets is a primary way in which networked computers and
other devices communicate, and constitutes the basis of the modern internet.
All IP packets contain a header which precedes the body of the packet and contains
important routing information, including the source address.
In a normal packet, the source IP address is the address of the sender of the packet. If the
packet has been spoofed, the source address will be forged.

15. IP Spoofing is analogous to an attacker sending a package to someone with the
wrong return address listed.
If the person receiving the package wants to stop the sender from sending
packages, blocking all packages from the bogus address will do little good, as the
return address is easily changed.
Relatedly, if the receiver wants to respond to the return address, their response
package will go somewhere other than to the real sender.
The ability to spoof the addresses of packets is a core vulnerability exploited by
many DDoS attacks.
spoofing is also used to masquerade as another device so that responses are sent to
that targeted device instead.
Volumetric attacks such as NTP Amplification and DNS amplification make use of
this vulnerability.
The ability to modify the source IP is inherent to the design of TCP/IP, making it
an ongoing security concern.

16. Protection against IP spoofing (packet filtering)
While IP spoofing can’t be prevented, measures can be taken to stop spoofed packets
from infiltrating a network.
A very common defense against spoofing is ingress filtering, outlined in BCP38 (a Best
Common Practice document).
Ingress filtering is a form of packet filtering usually implemented on a network
edge device which examines incoming IP packets and looks at their source headers.
If the source headers on those packets don’t match their origin or they otherwise look
fishy, the packets are rejected.
Some networks will also implement egress filtering, which looks at IP packets exiting
the network, ensuring that those packets have legitimate source headers to prevent
someone within the network from launching an outbound malicious attack using IP
spoofing.

17. SYN flood attack
A SYN flood (half-open attack) is a type of denial-of-service (DDoS) attack which aims to
make a server unavailable to legitimate traffic by consuming all available server resources.
By repeatedly sending initial connection request (SYN) packets, the attacker is able to
overwhelm all available ports on a targeted server machine, causing the targeted device to
respond to legitimate traffic sluggishly or not at all.
SYN flood attack working:
SYN flood attacks work by exploiting the handshake process of a TCP connection. Under
normal conditions, TCP connection exhibits three distinct processes in order to make a
connection.
1. First, the client sends a SYN packet to the server in order to initiate the connection.
2. The server then responds to that initial packet with a SYN/ACK packet, in order to
acknowledge the communication.
3. Finally, the client returns an ACK packet to acknowledge the receipt of the packet from
the server. After completing this sequence of packet sending and receiving, the TCP
connection is open and able to send and receive data.

19. To create denial-of-service, an attacker exploits the fact that after an initial SYN packet has
been received, the server will respond back with one or more SYN/ACK packets and wait
for the final step in the handshake. Here’s how it works:
1.The attacker sends a high volume of SYN packets to the targeted server, often
with spoofed IP addresses.
2.The server then responds to each one of the connection requests and leaves an open port
ready to receive the response.
3.While the server waits for the final ACK packet, which never arrives, the attacker
continues to send more SYN packets. The arrival of each new SYN packet causes the
server to temporarily maintain a new open port connection for a certain length of time, and
once all the available ports have been utilized the server is unable to function normally.

20. In networking, when a server is leaving a connection open but the machine on the other side
of the connection is not, the connection is considered half-open. In this type of DDoS
attack, the targeted server is continuously leaving open connections and waiting for each
connection to timeout before the ports become available again. The result is that this type of
attack can be considered a “half-open attack”.

21. A SYN flood can occur in three different ways:
1.Direct attack:
A SYN flood where the IP address is not spoofed is known as a direct attack. In this attack,
the attacker does not mask their IP address at all. As a result of the attacker using a single
source device with a real IP address to create the attack, the attacker is highly vulnerable to
discovery and mitigation. In order to create the half-open state on the targeted machine, the
hacker prevents their machine from responding to the server’s SYN-ACK packets. This is
often achieved by firewall rules that stop outgoing packets other than SYN packets or by
filtering out any incoming SYN-ACK packets before they reach the malicious user's
machine. In practice this method is used rarely (if ever), as mitigation is fairly
straightforward – just block the IP address of each malicious system. If the attacker is using
a botnet such as the Mirai botnet they won’t care about masking the IP of the infected
device.
2.Spoofed Attack:
A malicious user can also spoof the IP address on each SYN packet they send in order to
inhibit mitigation efforts and make their identity more difficult to discover. While the
packets may be spoofed, those packets can potentially be traced back to their source. It’s
difficult to do this sort of detective work but it’s not impossible, especially if Internet service
providers (ISPs) are willing to help.
3.Distributed attack (DDoS):
If an attack is created using a botnet the likelihood of tracking the attack back to its source is
low. For an added level of obfuscation, an attacker may have each distributed device also
spoof the IP addresses from which it sends packets. If the attacker is using a botnet such as
the Mirai botnet, they generally won’t care about masking the IP of the infected device.

22. There are a number of common techniques to mitigate SYN flood attacks, including:
1. Micro blocks—administrators can allocate a micro-record (as few as 16 bytes) in
the server memory for each incoming SYN request instead of a complete connection
object.
2. SYN cookies—using cryptographic hashing, the server sends its SYN-ACK
response with a sequence number (seqno) that is constructed from the client IP address,
port number, and possibly other unique identifying information. When the client responds,
this hash is included in the ACK packet. The server verifies the ACK, and only then
allocates memory for the connection.
3. RST cookies—for the first request from a given client, the server intentionally
sends an invalid SYN-ACK. This should result in the client generating an RST packet,
which tells the server something is wrong. If this is received, the server knows the request
is legitimate, logs the client, and accepts subsequent incoming connections from it.
4. Stack tweaking—administrators can tweak TCP stacks to mitigate the effect of
SYN floods. This can either involve reducing the timeout until a stack frees memory
allocated to a connection, or selectively dropping incoming connections.
Obviously, all of the above mentioned methods rely on the target network’s ability to handle
large-scale volumetric DDoS attacks, with traffic volumes measured in tens of Gigabits (and
even hundreds of Gigabits) per second.

23. Smurf attack
A Smurf attack is a distributed denial-of-service (DDoS) attack in which an attacker attempts
to flood a targeted server with Internet Control Message Protocol (ICMP) packets. By making
requests with the spoofed IP address of the targeted device to one or more computer networks,
the computer networks then respond to the targeted server, amplifying the initial attack traffic and
potentially overwhelming the target, rendering it inaccessible. This attack vector is generally
considered a solved vulnerability and is no longer prevalent.
While ICMP packets can be utilized in a DDoS attack, normally they serve valuable
functions in network administration.
The ping application, which utilizes ICMP packets, is used by network administrators
to test networked hardware devices such as computers, printers or routers.
A ping is commonly used to see if a device is operational, and to track the amount of
time it takes for the message to go round trip from the source device to the target and back to the
source.
Unfortunately, because the ICMP protocol does not include a handshake, hardware
devices receiving requests are unable to verify if the request is legitimate.
This type of DDoS attack can be thought of metaphorically as a prankster calling an
office manager and pretending to be the company’s CEO.
The prankster asks the manager to tell each employee to call the executive back on his
private number and give him an update on how they’re doing.
The prankster gives the callback number of a targeted victim, who then receives as
many unwanted phone calls as there are people in the office.

24. Here's How a Smurf attack works:
1.First the Smurf malware builds a spoofed packet that has its source address set to the real IP
address of the targeted victim.
2.The packet is then sent to an IP broadcast address of a router or firewall, which in turn sends
requests to every host device address inside the broadcasting network, increasing the number
of requests by the number of networked devices on the network.
3.Each device inside the network receives the request from the broadcaster and then responds
to the spoofed address of the target with an ICMP Echo Reply packet.
4.The target victim then receives a deluge of ICMP Echo Reply packets, potentially becoming
overwhelmed and resulting in denial-of-service to legitimate traffic.

25. Smurf attack mitigation techniques:
Several mitigation strategies for this attack vector have been developed and implemented over
the years, and the exploit is largely considered solved.
On a limited number of legacy systems, mitigation techniques may still need to be applied.
A simple solution is to disable IP broadcasting addresses at each network router and firewall.
Older routers are likely to enable broadcasting by default, while newer routers will likely
already have it disabled.
In the event that a Smurf attack occurs, Cloudflare eliminates the attack traffic by preventing
the ICMP packets from reaching the targeted origin server. Learn more about how
Cloudflare's DDoS Protection works.

26. Applications hacking
Directory traversal:
Directory traversal (also known as file path traversal) is a web security vulnerability that
allows an attacker to read arbitrary files on the server that is running an application.
This might include application code and data, credentials for back-end systems, and sensitive
operating system files.
In some cases, an attacker might be able to write to arbitrary files on the server, allowing
them to modify application data or behavior, and ultimately take full control of the server.

27. Brute force attack
A brute force attack uses trial-and-error to guess login info, encryption keys, or find a
hidden web page. Hackers work through all possible combinations hoping to guess
correctly.
These attacks are done by ‘brute force’ meaning they use excessive forceful attempts to
try and ‘force’ their way into your private account(s).
This is an old attack method, but it's still effective and popular with hackers. Because
depending on the length and complexity of the password, cracking it can take anywhere
from a few seconds to many years.
how hackers benefit from brute force attacks:
• Profiting from ads or collecting activity data
• Stealing personal data and valuables
• Spreading malware to cause disruptions
• Hijacking your system for malicious activity
• Ruining a website’s reputation

28. Types of Brute Force Attacks
Each brute force attack can use different methods to uncover your sensitive data. You
might be exposed to any of the following popular brute force methods:
•Simple Brute Force Attacks
•Dictionary Attacks
•Hybrid Brute Force Attacks
•Reverse Brute Force Attacks
•Credential Stuffing
Steps to Protect Passwords for Professionals
To keep yourself and your network safe, you'll want to take your precautions and help
others do so as well. User behavior and network security systems will both need
reinforcement.
For IT specialists and users alike, you’ll want to take a few general pieces of advice to
heart:
•Use an advanced username and password. Protect yourself with credentials that are
stronger than admin and password1234 to keep out these attackers. The stronger this
combination is, the harder it will be for anyone to penetrate it.
•Remove any unused accounts with high-level permissions. These are the cyber
equivalent of doors with weak locks that make breaking in easy. Unmaintained accounts are
a vulnerability you can’t risk. Throw them away as soon as possible.

29. Unsecured login mechanisms
Many websites require users to log in before they can do anything with the
application. Surprisingly, these can be a great help to hackers. These login mechanisms often
don’t handle incorrect user IDs or passwords gracefully. They often divulge too much
information that an attacker can use to gather valid user IDs and passwords.
To test for unsecured login mechanisms, browse to your application and log in
•Using an invalid user ID with a valid password
•Using a valid user ID with an invalid password
•Using an invalid user ID and invalid password

30. SQL injection
SQL injection is a code injection technique that might destroy your database.
SQL injection is one of the most common web hacking techniques.
SQL injection is the placement of malicious code in SQL statements, via web page input.
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause
repudiation issues such as voiding transactions or changing balances, allow the complete
disclosure of all data on the system, destroy the data or make it otherwise unavailable, and
become administrators of the database server.

31. Mobile apps security
Mobile application security focuses on the software security posture of mobile apps on various
platforms like Android, iOS, and Windows Phone.
This covers applications that run both on mobile phones as well as tablets. It involves assessing
applications for security issues in the contexts of the platforms that they are designed to run on,
the frameworks that they are developed with, and the anticipated set of users (e.g., employees vs.
end users).
Mobile applications are a critical part of a business’s online presence and many businesses rely
entirely on mobile apps to connect with users from around the world.
More users than ever before rely on mobile applications for a majority of their digital tasks over
traditional desktop applications.
In 2015 in the U.S. alone, users spent 54% of their digital media time on mobile
devices actively using mobile apps. These applications have access to large amounts of user data,
much of which is sensitive data and must be protected from unauthorized access.

32. All popular mobile platforms provide security controls designed to help software developers
build secure applications. However, it is often left to the developer to choose from myriad of
security options. A lack of vetting can lead to security feature implementation that can be
easily circumvented by attackers.
Common issues that affect mobile apps include:
•Storing or unintentionally leaking sensitive data in ways that it could be read by other
applications on the user’s phone.
•Implementing poor authentication and authorization checks that could be bypassed by
malicious applications or users.
•Using data encryption methods that are known to be vulnerable or can be easily broken.
•Transmitting sensitive data without encryption over the Internet.
These issues could be exploited in many ways; for example, by malicious applications on a
user’s device, or by an attacker who has access to the same WiFi network as an end user.

33. Malware analysis
Malware analysis is the process of understanding the behavior and purpose of a suspicious file or
URL. The output of the analysis aids in the detection and mitigation of the potential threat.
The key benefit of malware analysis is that it helps incident responders and security analysts:
•Pragmatically triage incidents by level of severity
•Uncover hidden indicators of compromise (IOCs) that should be blocked
•Improve the efficacy of IOC alerts and notifications
•Enrich context when threat hunting

34. Types of Malware Analysis
The analysis may be conducted in a manner that is static, dynamic or a hybrid of the two.
Static Analysis
Basic static analysis does not require that the code is actually run. Instead, static analysis
examines the file for signs of malicious intent. It can be useful to identify malicious
infrastructure, libraries or packed files.
Technical indicators are identified such as file names, hashes, strings such as IP addresses,
domains, and file header data can be used to determine whether that file is malicious. In
addition, tools like disassemblers and network analyzers can be used to observe the malware
without actually running it in order to collect information on how the malware works.

35. Dynamic Analysis
Dynamic malware analysis executes suspected malicious code in a safe environment called
a sandbox. This closed system enables security professionals to watch the malware in action
without the risk of letting it infect their system or escape into the enterprise network.
Dynamic analysis provides threat hunters and incident responders with deeper visibility, allowing
them to uncover the true nature of a threat. As a secondary benefit, automated sandboxing
eliminates the time it would take to reverse engineer a file to discover the malicious code.
The challenge with dynamic analysis is that adversaries are smart, and they know sandboxes are
out there, so they have become very good at detecting them. To deceive a sandbox, adversaries
hide code inside them that may remain dormant until certain conditions are met. Only then does
the code run.
Hybrid Analysis (includes both of the techniques above)
Basic static analysis isn’t a reliable way to detect sophisticated malicious code, and sophisticated
malware can sometimes hide from the presence of sandbox technology.
By combining basic and dynamic analysis techniques, hybrid analysis provide security
team the best of both approaches –primarily because it can detect malicious code that is trying
to hide, and then can extract many more indicators of compromise (IOCs) by statically and
previously unseen code.
Hybrid analysis helps detect unknown threats, even those from the most sophisticated malware.

36. Netcat Trojan:
netcat (often abbreviated to nc) is a computer networking utility for reading from and writing
to network connections using TCP or UDP. The command is designed to be a
dependable back-end that can be used directly or easily driven by other programs and scripts.
At the same time, it is a feature-rich network debugging and investigation tool, since it can
produce almost any kind of connection its user could need and has a number of built-in
capabilities.
Designed to be a reliable “back-end” tool – to be used directly or easily driven by other
programs/scripts
Very powerful in combination with scripting languages (eg. Perl)

37. Netcat – Major Features
• Outbound or inbound connections
• TCP or UDP, to or from any ports
• Full DNS forward/reverse checking, with appropriate warnings
• Ability to use any local source port
• Ability to use any locally-configured network source address
• Built-in port-scanning capabilities, with randomizer ECE 4883 - Internetwork
Security
• Built-in loose source-routing capability
• Can read command line arguments from standard input
• Slow-send mode, one line every N seconds
• Hex dump of transmitted and received data
• Optional ability to let another program service established connections
• Optional telnet-options responder

38. Wrappers:
A wrapper is a program used in Transmission Control Protocol (TCP) to provide a layer of
security by intercepting calls to computer services and determining whether the service is
authorized to execute.
A wrapper provides the necessary protection against host name and host address spoofing.
The determination of whether to provide access to requests is done with the help of a system
administrator, who adds entries in the TCP wrapper configuration files /etc/hosts.allow and
/etc/host.deny after installing the wrapper program.
Whenever an incoming request for servers started by inetd arrives, the wrapper checks in the
two configuration files and allows or denies access accordingly.
A wrapper has the following characteristics:
•Monitors and filters all incoming requests for network services, such as EXEC, TFTP,
TALK, FTP, FINGER, etc.
•Provides extensive logging services
•Makes sure there are no impacts in system performance or with authorized users
•Passes control to the real associated network program
•Employs a trap-setting feature to take appropriate actions on the host

39. wrapper has a few drawbacks:
•It will not function with programs that are not using TCP or Internet Protocol.
•Will not work on applications that are frequently running.
•Does not provide cryptographic authentication.

40. Reverse-engineering is used for many purposes: as a learning tool; as a way to make new,
compatible products that are cheaper than what's currently on the market; for making
software interoperate more effectively or to bridge data between different operating systems
or databases; and to uncover the undocumented features of commercial products.
Reverse-engineering can also expose security flaws and questionable privacy
practices. For instance, reverse-engineering of Dallas-based Digital: Convergence
Corp.'s CueCat scanning device revealed that each reader has a unique serial
number that allows the device's maker to marry scanned codes with user
registration data and thus track each user's habits in great detail—a previously
unpublicized feature.
With the help of Reverse Engineering we can modify a software at own way… Like
we can change the name of Software, We can editing a software, We can convert
Trial Software to License software… n many more.
Reverse-engineering

41. Steganography is the technique of hiding secret data within an ordinary, non-secret, file or
message in order to avoid detection; the secret data is then extracted at its destination. The
use of steganography can be combined with encryption as an extra step for hiding or
protecting data. The word steganography is derived from the Greek
words steganos (meaning hidden or covered) and the Greek root graph (meaning to write).
Steganography can be used to conceal almost any type of digital content, including text,
image, video or audio content; the data to be hidden can be hidden inside almost any other
type of digital content. The content to be concealed through steganography -- called hidden
text -- is often encrypted before being incorporated into the innocuous-seeming cover text file
or data stream. If not encrypted, the hidden text is commonly processed in some way in order
to increase the difficulty of detecting the secret content.
Steganography is practiced by those wishing to convey a secret message or code. While there
are many legitimate uses for steganography, malware developers have also been found to use
steganography to obscure the transmission of malicious code.
Steganography

42. Event Logs alteration
There is a four-step process to covering your tracks by tamping with logs that hackers know
like the back of their hand. These steps are:
1.Disable auditing
2.Clearing logs
3.Modifying logs
4.Erasing command history
1. Disable auditing
Disable auditing is a smart first step for hackers because if logging is turned off, there will be
no trail of evidence.
In Windows systems, hackers can use the command line favorite, Auditpol, which will not
only allow the hacker to disable auditing but will also allow the hacker to see the level of
logging that the organization’s system administrator has set. Knowing this will help the hacker
see what is logged. This is important because when possible, hackers like to turn off or alter
only the logging that captured their activity — making them harder to track.
2. Clearing logs
Since logs preserve the evidence trail of hacking activities, clearing logs is the logical next
step for ethical hackers to know about. One way is to use the clearlogs.exe file. To run the file,
enter the following into a command line prompt:
clearlogs.exe -sec

43. 3. Modifying logs
Knowing is half the battle, and knowing where the logs are in your target system is
crucial for any hacker.
Being that you are an ethical hacker working on behalf of your organization, you
will already know their location. Inexperienced hackers may not, causing wasted
time and an increased chance of detection. In some cases, a text editor may be
needed to modify logs; regardless, it as easy as modifying a Word file.
4. Deleting commands
The thing with bash is that it retains the history of entered bash commands, so
unless you clear it, the administrator will be able to see that the Shred command
above was entered. The retained history of bash commands is found in the file
~/.bash_history.

44. Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) is a system that monitors network traffic for
suspicious activity and issues alerts when such activity is discovered.
It is a software application that scans a network or a system for harmful activity or policy
breaching. Any malicious venture or violation is normally reported either to an administrator or
collected centrally using a security information and event management (SIEM) system.
A SIEM system integrates outputs from multiple sources and uses alarm filtering techniques to
differentiate malicious activity from false alarms.
IDS are classified into 5 types:
1.Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned point within the
network to examine traffic from all devices on the network. It performs an observation of
passing traffic on the entire subnet and matches the traffic that is passed on the subnets to
the collection of known attacks.
Once an attack is identified or abnormal behavior is observed, the alert can be sent to the
administrator. An example of an NIDS is installing it on the subnet where firewalls are
located in order to see if someone is trying crack the firewall.

45. 2. Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS) run on independent hosts or devices on the
network. A HIDS monitors the incoming and outgoing packets from the device only and will
alert the administrator if suspicious or malicious activity is detected. It takes a snapshot of
existing system files and compares it with the previous snapshot. If the analytical system
files were edited or deleted, an alert is sent to the administrator to investigate. An example of
HIDS usage can be seen on mission critical machines, which are not expected to change
their layout.
3. Protocol-based Intrusion Detection System (PIDS):
Protocol-based intrusion detection system (PIDS) comprises of a system or agent that would
consistently resides at the front end of a server, controlling and interpreting the protocol
between a user/device and the server. It is trying to secure the web server by regularly
monitoring the HTTPS protocol stream and accept the related HTTP protocol. As HTTPS is
un-encrypted and before instantly entering its web presentation layer then this system would
need to reside in this interface, between to use the HTTPS.
4. Application Protocol-based Intrusion Detection System (APIDS):
Application Protocol-based Intrusion Detection System (APIDS) is a system or agent that
generally resides within a group of servers. It identifies the intrusions by monitoring and
interpreting the communication on application specific protocols. For example, this would
monitor the SQL protocol explicit to the middleware as it transacts with the database in the
web server.

46. 5.Hybrid Intrusion Detection System :
Hybrid intrusion detection system is made by the combination of two or more approaches of the
intrusion detection system. In the hybrid intrusion detection system, host agent or system data is
combined with network information to develop a complete view of the network system. Hybrid
intrusion detection system is more effective in comparison to the other intrusion detection
system. Prelude is an example of Hybrid IDS.
Intrusion prevention system (IPS)
An intrusion prevention system (IPS) is a form of network security that works to detect
and prevent identified threats. Intrusion prevention systems continuously monitor your
network, looking for possible malicious incidents and capturing information about them.
The IPS reports these events to system administrators and takes preventative action, such
as closing access points and configuring firewalls to prevent future attacks. IPS solutions
can also be used to identify issues with corporate security policies, deterring employees
and network guests from violating the rules these policies contain.
With so many access points present on a typical business network, it is essential that you
have a way to monitor for signs of potential violations, incidents and imminent threats.
Today's network threats are becoming more and more sophisticated and able to infiltrate
even the most robust security solutions.

47. Intrusion prevention systems Vs. Intrusion detection systems
•Intrusion prevention systems control the access to an IT network and protect it
from abuse and attack. These systems are designed to monitor intrusion data and
take the necessary action to prevent an attack from developing.
•Intrusion detection systems are not designed to block attacks and will simply
monitor the network and send alerts to systems administrators if a potential threat
is detected.
An intrusion prevention system is typically configured to use a number of different
approaches to protect the network from unauthorized access. These include:
•Signature-Based - The signature-based approach uses predefined signatures of
well-known network threats. When an attack is initiated that matches one of these
signatures or patterns, the system takes necessary action.
•Anomaly-Based - The anomaly-based approach monitors for any abnormal or
unexpected behavior on the network. If an anomaly is detected, the system blocks
access to the target host immediately.
•Policy-Based - This approach requires administrators to configure security
policies according to organizational security policies and the network
infrastructure. When an activity occurs that violates a security policy, an alert is
triggered and sent to the system administrators.

48. Honeypots
The Nature of Honeypots
Honeypots are designed to attract attackers with the idea that monitoring systems
will allow the attacker to be observed. Honeypots come in different scales with
a honeypot being a host, a honeynet is a network and a honeytoken is a piece of
monitored data.
Before the deployment of a honeypot, a company or organization needs to verify
that they are not violating the privacy rights of the attacker, (go figure...) Convert
honeyposts deployed by third party projects rest in a different category.
The art to setting up a decoy victim is to make it appear legitimate. It must not
stand out or seem in any way unusual or the attacker will notice and avoid it. With
this, honeypots are not necessarily entirely exposed to risks, where a bastion host is
used to describe one that is since it is completely exposed and completely hardened
because it is getting no help. Honeypots cannot create additional risks or they
could, and would be used against their attacker.

49. Honeypot Types
Physical Honeypots - These types are considered physical tests, fully functional and heavily
monitored. They can be as simple as an unlocked bicycle leaning against a wall. Though it is
there and unsecured, this does not mean the owner has given any permissions for anyone to
take it.
Virtual Honeypots - Thus type is a sacrificial host setup on a network having real services
running on a real OS but only containing fictional information, if any at all. Though this
honeypots comes with great risk, it is the most convincing form of honeypot.
This type of honeypot will appear as a rogue infrastructure and cause internal time wasting
should it not be formalized in configuration, release and without change management
processes in place.
Low Interaction - This form appears to an attacker as an access point. It only logs probing
activity, however, and since this host is of no production value, all access attempts are
considered suspicious.
High Interaction - This form can be of great risk. Being able to be fully compromised, it must
be separated from any network segment that has production value. The monitoring capabilities
of this type of honeypot facilitates the gathering of information that would not be noticed by
NIDS. By diligently monitoring the honeypot, detection of the larger plan of the attacker is
possible and if the attacker manages to evade the network-based intrusion detection, hopefully
the diversion will be discovered and attacked.

50. Evasion Techniques
Signature-based analyzers and other real time IDS systems can be fooled if they are not set up
correctly or are not installed on hardware that is designed to handle the load on their segment. in
this case, simple command line tools can can play havoc in these circumstances.
•Fragmented Traffic
•Encryption
•Decoy Traffic
•Denial of Service
Fragmented Traffic -
Available for Linux, fragrouter is a command line tool that allows the attacker to
ensure that all packets sent to a particular host will be fragmented to the size the attacker
specifies. The IDS must then reassemble the fragments before full analysis can take place and
therefore keeps the IDS busy. During this period other packets might be able to pass through
during the time of high network load.
It is important not to confuse fragrouter with the tool fragroute. Fragroute is capable of being an
inline packet modification tool otherwise known as a packet sharper.

51. Encryption -
Whether encryption is mandated or forbidden is dictated by security policies. This is
the only way any traffic can be flagged as suspicious even when a determination cannot be
made as to what the attack is exactly.
Encryption countermeasures can sometimes be used to create covert channels for attackers. If
the host end points that have established tunnels are compromised, the attacker might not need
to even care about encryption, in fact it is sometimes even a benefit to them. Unless given the
ability to decode the packets, IDS tools cannot analyze encrypted traffic. This action will
expose the keys to more risk or further complicates key issuance and management.
Decoy Traffic -
There are tools such as nmap that includes options for generating packets that have
random IP addresses and port numbers that are used to mix with the attack packets. This could
cause the IDS to log many false positives so the analyst has to figure out what is real and what
is not.
Denial of Service -
The IDS might be Denial of Service based on the underlying operating system or on a
flaw in the IDS code itself. If attention is paid, this problem will be fixed quickly. Usually this
issue can be fixed by a member of the Security Operations Center (SOC), however it might be
just enough time for the attacker that is conducting the access step to plant the maintaining
access code.

52. Secure Code Reviews
A secure code review is a specialized task involving manual and/or automated review of an
application's source code in an attempt to identify security-related weaknesses (flaws) in
the code. A secure code review does not attempt to identify every issue in the code, but
instead looks to provide insight into what types of problems exist and to help the
developers of the application understand what classes of issues are present. The goal is to
arm the developers with information to help them make the application's source code more
sound and secure.
If you’ve integrated security testing throughout your development process, you may think
you’re secured for release. But until you’ve ensured that your applications have correctly
implemented the security mechanisms by automated and/or manual review, you can’t be
sure that last-minute issues or vulnerabilities undetectable by your security tools have
popped up.
This is where secure code reviews come into the picture. The same way we all review an
important document one more time before sending it out, applications require a “last look”
to ensure that the application and its’ components, are free of security flaws.

53. Verifying the security of your code via a secure code review also serves to cut down on time
and resources it would take if vulnerabilities were detected after release. The security bugs
being looked for during a secure code review have been the cause of countless breaches which
have resulted in billions of dollars in lost revenue, fines, and abandoned customers.
Security code reviews focus on finding flaws in each of the following areas:
Authentication, authorization, security configuration, session management, logging, data
validation, error handling, and encryption.
Code reviewers should be well-versed in the language of the application they’re testing, as well
as knowledgeable on the secure coding practices and security controls that they need to be
looking out for.