Cryptography & Network Security LAB#2 2021F-BCE-029
LAB#01
Security Attacks and Related Tools
To implement the basics of security objectives and tools for the identification of cybersecurity attacks.
Themain goals are to
1. Understand the elements of security.
2. Get familiar with the potential security attacks and related tools.
3. Attributes that malicious attackers use for security attacks.
4. Exploring the tool/ commands to identify the security attribute.
Task1:
Install nmap and zenmap on your system and perform port scanning for TCP and UDP based
services.
NMAP
ZENMAP:
�Cryptography & Network Security LAB#2 2021F-BCE-029
Task2:
Explore the security attacks that can be performed on Web applications and mobile applications.
List down the attacks for the respective category.
1. Web Application Attacks
SQL Injection (SQLi) – Attackers inject malicious SQL queries to manipulate the database.
Cross-Site Scripting (XSS) – Injecting scripts into web pages to steal user data.
Cross-Site Request Forgery (CSRF) – Tricking users into executing unwanted actions.
Broken Authentication – Weak login mechanisms allow unauthorized access.
Security Misconfiguration – Improper security settings lead to vulnerabilities.
Server-Side Request Forgery (SSRF) – Attackers force servers to make unintended requests.
�Cryptography & Network Security LAB#2 2021F-BCE-029
Denial-of-Service (DoS) – Overloading the server with excessive requests.
Remote Code Execution (RCE) – Injecting and executing malicious code on the server.
Clickjacking – Tricking users into clicking on unintended elements.
Path Traversal Attack – Accessing restricted files through manipulated URLs.
2. Mobile Application Attacks
Reverse Engineering – Extracting source code from mobile apps for exploitation.
Insecure Data Storage – Sensitive data stored without encryption can be stolen.
Man-in-the-Middle (MITM) Attack – Intercepting mobile app communication over unsecured
networks.
Malware Injection – Embedding malicious code into mobile apps.
Session Hijacking – Taking control of user sessions by stealing authentication tokens.
Code Injection – Injecting malicious scripts into mobile applications.
Privilege Escalation – Exploiting vulnerabilities to gain unauthorized access.
Fake Apps & Phishing – Creating fake apps to trick users into entering credentials.
Untrusted Inputs (Intent Spoofing) – Malicious apps exploiting weak input validation.
APIs Exploitation – Attacking insecure API endpoints used by mobile apps.
Task3:
Add the comparison among the explored tools, their specifications, and what type of attacks the tool
covers.
MITM Attacks: Tools include PacketCreator, Ettercap, Dsniff, Cain e Abel.
Phishing Protection/Testing: Avanan, Microsoft Defender for Office 365, RSA FarudAction
protect; Gofish tests.
Social Engineering: SET (settoolkit) for penetration testing.
Drive-By Attacks: Antivirus software (e.g., Norton) provides protection.
Botnet Prevention: Includes updated OS, MFA, firewalls.
DoS Attacks: Tools like HULK, Slowloris, OWASP HTTP Post.
SQL Injection: Tools such as sqlmap, Havij, and web proxies Burp Suite, ZAP.
XXS: Vulnerability assessment with OWASP ZAP, Burp Suite.
Malware Analysis: Tools like Wireshark, Ghidra aid reverse engineering (for ransomware).
Crypto jacking Protection: Uses anti-virus, VPN.
IoT Security Testing: Tools like Appknox, AWS IoT Device Defender.
Cloud Attack Identification: Includes CIpherCloud, Cloudflare WAF.
Software Vulnerabilities: KlocWork for code analysis.
Reconnaissance: Whois for domain info, Nslookup for DNS, ARIN for network ranges, Traceroute
for network paths.
Scanning: Ping for active hosts, Nmap/Zenmap for network mapping and port scanning.
Covering Tracks: Tools like WinZapper.
