Unit 2-CS

The document classifies hackers into three categories: Black Hat (unethical and illegal), White Hat (ethical and legal), and Grey Hat (illegal but not malicious). It also outlines various types of cyber attacks, including web-based and system-based attacks, as well as different forms of malware. Additionally, it discusses vulnerabilities in systems and the importance of cybersecurity measures to protect against these threats.

Uploaded by

kalaichelvi.scs
Unit 2-CS

Types of Hackers

Hackers can be classified into three different categories:

1. Black Hat Hacker
2. White Hat Hacker
3. Grey Hat Hacker

Black Hat Hacker

Black hat hackers are also known as unethical hackers or security crackers. These
people hack systems illegally to steal money or to achieve their own illegal goals. They
find banks or other companies with weak security and steal money or credit card information.
They can also modify or destroy data. Black hat hacking is illegal.

White Hat Hacker

White hat hackers are also known as ethical hackers or penetration testers. White hat
hackers are the good guys of the hacker world.

These people use the same techniques used by black hat hackers. They also hack
systems, but only systems they have permission to hack, in order to test
the security of those systems. They focus on security and on protecting IT systems. White hat
hacking is legal.

Gray Hat Hacker

Gray hat hackers are a hybrid between black hat hackers and white hat hackers. They may
hack any system, even without permission to test its security, but they
will never steal money or damage the system.

In most cases, they tell the administrator of that system. But their activity is still illegal because they
test the security of systems that they do not have permission to test. Grey hat hacking is
therefore sometimes legal and sometimes not.

Hacking may be defined as the technique or planning used to get access to
systems without authorization. Simply put, it is gaining access to a network or a computer for
illegal purposes. The person who does this is very intelligent and skilled with computers. People
who are skilled in hacking are divided into 2 categories:
1. Hackers: Hackers are the good people who hack for a good purpose
and to obtain more knowledge from it. They generally find loopholes in the
system and help to close those loopholes. Hackers are generally
programmers who have advanced knowledge of operating systems and
programming languages. These people never damage or harm any kind of data.
2. Crackers: Crackers are the bad people who break into or violate a system or a
computer remotely with bad intentions, to harm the data and steal it. Crackers
destroy data by gaining unauthorized access to the network. Their work is
always hidden, since they are doing illegal things. They bypass passwords on computers
and social media websites, and can steal your bank details and transfer money from
the bank.
The Difference between Hackers and Crackers:

Hacker: The good people who hack for knowledge purposes.
Cracker: The evil person who breaks into a system for benefits.

Hacker: They are skilled and have advanced knowledge of computer OS and programming languages.
Cracker: They may or may not be skilled; some crackers just know a few tricks to steal data.

Hacker: They work in an organization to help protect their data and give them expertise in internet security.
Cracker: These are the persons from whom hackers protect organizations.

Hacker: Hackers share the knowledge and never damage the data.
Cracker: If they find any loophole they just delete the data or damage the data.

Hacker: Hackers are the ethical professionals.
Cracker: Crackers are unethical and want to benefit themselves from illegal tasks.

Hacker: Hackers program or hack to check the integrity and vulnerability strength of a network.
Cracker: Crackers do not make new tools but use someone else's tools for their cause and harm the network.

Hacker: Hackers have legal certificates with them, e.g. CEH certificates.
Cracker: Crackers may or may not have certificates, as their motive is to stay anonymous.

Hacker: They are known as White hats or saviors.
Cracker: They are known as Black hats or evildoers.

Cyber Attack
A cyber attack is an attempt to disable computers, steal data, or use a breached computer
system to launch additional attacks. Cybercriminals use different methods to launch a cyber
attack, including malware, phishing, ransomware, man-in-the-middle attacks, and other
methods.

Types of Cyber Attacks

A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to
alter computer code, logic or data and leads to cybercrimes, such as information and identity
theft.

We are living in a digital era. Nowadays, most people use computers and the internet. Due
to this dependency on digital systems, illegal computer activity is growing and changing
like any other type of crime.
Cyber-attacks can be classified into the following categories:

Web-based attacks

These are the attacks which occur on a website or web applications. Some of the important
web-based attacks are as follows-

1. Injection attacks

It is an attack in which data is injected into a web application to manipulate the
application and fetch the required information.

Example- SQL Injection, code Injection, log Injection, XML Injection etc.
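
As an added example (not from the original document), a login query built by string formatting beside its parameterized form, run against a constructed in-memory SQLite table; the table, accounts and the demo helper are assumptions, and the injected input is the textbook tautology that turns the vulnerable query into one that matches every row:

```python
"""Vulnerable string-built query beside its parameterized fix, using an
in-memory SQLite database. Added example; the table and accounts are
constructed (plaintext passwords only to keep the demo short)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL text from user input, so the input can change the
    query's logic instead of being treated as data."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver binds the input as values, so it is
    never parsed as SQL regardless of quotes or keywords it contains."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo() -> dict:
    """Run both versions on a valid login and on an injected password."""
    conn = make_db()
    # Closes the string literal and appends an always-true clause; with the
    # vulnerable builder the WHERE clause becomes
    #   username = 'nobody' AND password = '' OR '1'='1'
    injected = "' OR '1'='1"
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "injected_vulnerable": login_vulnerable(conn, "nobody", injected),
        "valid_safe": login_safe(conn, "alice", "correct horse"),
        "injected_safe": login_safe(conn, "nobody", injected),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'login granted' if result else 'login denied'}")
```

The vulnerable function grants the login for a username that does not exist; the parameterized one denies it, because the same input is compared literally against the stored values.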

2. DNS Spoofing

DNS spoofing is a type of computer security hacking whereby data is introduced into a
DNS resolver's cache, causing the name server to return an incorrect IP address and diverting
traffic to the attacker's computer or any other computer. DNS spoofing attacks can go on
for a long period of time without being detected and can cause serious security issues.

3. Session Hijacking

It is a security attack on a user session over a protected network. Web applications create
cookies to store the state and user sessions. By stealing the cookies, an attacker can have
access to all of the user data.

4. Phishing

Phishing is a type of attack which attempts to steal sensitive information like user login
credentials and credit card numbers. It occurs when an attacker masquerades as a
trustworthy entity in electronic communication.

5. Brute force
It is a type of attack which uses a trial-and-error method. This attack generates a large number
of guesses and validates them to obtain actual data like user passwords and personal
identification numbers. This attack may be used by criminals to crack encrypted data, or by
security analysts to test an organization's network security.

6. Denial of Service

It is an attack which is meant to make a server or network resource unavailable to users. It
accomplishes this by flooding the target with traffic or sending it information that triggers a
crash. It uses a single system and a single internet connection to attack a server. It can be
classified into the following:

Volume-based attacks: The goal is to saturate the bandwidth of the attacked site; measured in
bits per second.

Protocol attacks: These consume actual server resources; measured in packets per second.

Application layer attacks: The goal is to crash the web server; measured in requests per
second.

7. Dictionary attacks

This type of attack uses a stored list of commonly used passwords and validates them to obtain the
original password.
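
Brute-force and dictionary attacks both look the same from the server side: a burst of failed logins from one source, often across several usernames. As an added example (not from the original document), a sliding-window detector over constructed SSH-style auth log lines; the log format, the 60-second window and the threshold of five failures are assumptions:

```python
"""Sliding-window detector for password-guessing (brute-force / dictionary)
attempts over constructed auth log lines. Added example; the log format,
threshold and window are assumptions, not any product's defaults."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed sample: one source hammers several accounts within seconds,
# another source has two genuine-looking failures ten minutes apart.
SAMPLE_LOG = """\
2024-05-01T10:00:00 Failed password for admin from 203.0.113.9
2024-05-01T10:00:01 Failed password for admin from 203.0.113.9
2024-05-01T10:00:02 Failed password for root from 203.0.113.9
2024-05-01T10:00:03 Failed password for admin from 203.0.113.9
2024-05-01T10:00:04 Failed password for guest from 203.0.113.9
2024-05-01T10:00:05 Failed password for admin from 203.0.113.9
2024-05-01T10:00:30 Accepted password for alice from 198.51.100.7
2024-05-01T10:05:00 Failed password for bob from 198.51.100.7
2024-05-01T10:15:00 Failed password for bob from 198.51.100.7
"""


def parse(lines):
    """Yield (timestamp, result, user, ip) for lines matching the format;
    lines that do not match are skipped rather than crashing the detector."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (iso_time_of_first_failure_in_burst, distinct_users_tried)}
    for every source whose failed logins inside `window` reach `threshold`.

    The distinct-user count is a hint about the pattern: many usernames in one
    burst suggests a dictionary or password-spray run rather than one person
    mistyping their own password."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames that source has tried
    alerts = {}
    for ts, result, user, ip in parse(log_text.splitlines()):
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        # Drop failures that fell out of the window relative to this event
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (q[0].isoformat(), len(users[ip]))
    return alerts


if __name__ == "__main__":
    for ip, (first, n_users) in detect_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {n_users} usernames tried, burst started {first}")
```

Such a detection is a lead to rate-limit or lock out a source, not proof on its own; a misconfigured script retrying with a stale password produces the same burst against a single account.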

8. URL Interpretation

It is a type of attack where one can change certain parts of a URL and make a
web server deliver web pages which the requester is not authorized to browse.

9. File Inclusion attacks

It is a type of attack that allows an attacker to access unauthorized or essential files which are
available on the web server, or to execute malicious files on the web server, by making use of
the include functionality.

10. Man in the middle attacks

It is a type of attack that allows an attacker to intercept the connection between client and
server and act as a bridge between them. Due to this, the attacker is able to read, insert
and modify the data in the intercepted connection.

System-based attacks

These are the attacks which are intended to compromise a computer or a computer network.
Some of the important system-based attacks are as follows-

1. Virus
It is a type of malicious software program that spreads throughout the computer's files without
the knowledge of the user. It is a self-replicating malicious computer program that replicates by
inserting copies of itself into other computer programs when executed. It can also execute
instructions that cause harm to the system.

2. Worm

It is a type of malware whose primary function is to replicate itself to spread to uninfected
computers. It works the same way as a computer virus. Worms often originate from email
attachments that appear to be from trusted senders.

3. Trojan horse

It is a malicious program that causes unexpected changes to computer settings and unusual
activity, even when the computer should be idle. It misleads the user about its true intent. It
appears to be a normal application, but when opened/executed some malicious code runs
in the background.

4. Backdoors

It is a method that bypasses the normal authentication process. A developer may create a
backdoor so that an application or operating system can be accessed for troubleshooting or
other purposes.

5. Bots

A bot (short for "robot") is an automated process that interacts with other network services.
Some bot programs run automatically, while others only execute commands when they
receive specific input. Common examples of bot programs are crawlers, chatroom bots,
and malicious bots.

Vulnerabilities

Vulnerabilities are weaknesses in a system that give threats the opportunity to compromise
assets. All systems have vulnerabilities. Even though technologies are improving, the
number of vulnerabilities is increasing, owing to factors such as tens of millions of lines of code, many
developers, human weaknesses, etc. Vulnerabilities mostly arise from hardware,
software, network and procedural weaknesses.
1. Hardware Vulnerability:
A hardware vulnerability is a weakness which can be used to attack the system hardware,
either physically or remotely.
For example:
1. Old versions of systems or devices
2. Unprotected storage
3. Unencrypted devices, etc.
2. Software Vulnerability:
A software error introduced in development or configuration such that executing it can
violate the security policy. For example:
1. Lack of input validation
2. Unverified uploads
3. Cross-site scripting
4. Unencrypted data, etc.
3. Network Vulnerability:
A weakness in the network, which can be in hardware or software.
For example:
1. Unprotected communication
2. Malware or malicious software (e.g. viruses, keyloggers, worms, etc.)
3. Social engineering attacks
4. Misconfigured firewalls
4. Procedural Vulnerability:
A weakness in an organization's operational methods.
For example:
1. Password procedure – Passwords should follow the standard password policy.
2. Training procedure – Employees must know which actions should be taken and
what to do to handle security. Employees must never be asked for user
credentials online. Make employees aware of social engineering and phishing
threats.

Malware

Malware is short for malicious software and refers to any software that is designed to cause
harm to computer systems, networks, or users. Malware can take many forms. It’s important
for individuals and organizations to be aware of the different types of malware and take steps
to protect their systems, such as using antivirus software, keeping software and systems up-
to-date, and being cautious when opening email attachments or downloading software from
the internet.
Malware is a program designed to gain access to computer systems, generally for the benefit
of some third party, without the user’s permission. Malware includes computer viruses,
worms, Trojan horses, ransomware, spyware, and other malicious programs.
Why Do Cybercriminals Use Malware?
Cybercriminals use malware, which includes all forms of malicious software
including viruses, for a variety of purposes:
1. Using deception to induce a victim to provide personal information for identity
theft
2. Theft of customer credit card information or other financial information
3. Taking over several computers and using them to launch denial-of-service attacks
against other networks
4. Using infected computers to mine for cryptocurrencies like bitcoin.

Types of Malware
1. Viruses – A virus is malicious executable code attached to another executable
file. The virus spreads when an infected file is passed from system to system.
Viruses can be harmless or they can modify or delete data. Opening a file can
trigger a virus. Once a program virus is active, it will infect other programs on the
computer.
2. Worms – Worms replicate themselves on the system, attaching themselves to
different files and looking for pathways between computers, such as a computer
network that shares common file storage areas. Worms usually slow down
networks. A virus needs a host program to run, but worms can run by themselves.
After a worm infects a host, it is able to spread very quickly over the network.
3. Trojan horse – A Trojan horse is malware that carries out malicious operations
under the appearance of a desired operation such as playing an online game. A
Trojan horse differs from a virus in that the Trojan binds itself to non-executable
files, such as image files and audio files.
4. Ransomware – Ransomware holds a computer system or the data it contains hostage until
the victim makes a payment. Ransomware encrypts data on the computer with a
key that is unknown to the user. The user has to pay a ransom (price) to the
criminals to retrieve the data. Once the amount is paid, the victim can resume using
his/her system.
5. Adware – It displays unwanted ads and pop-ups on the computer. It comes along
with software downloads and packages. It generates revenue for the software
distributor by displaying ads.
6. Spyware – Its purpose is to steal private information from a computer system for a
third party. Spyware collects information and sends it to the hacker.
7. Logic Bombs – A logic bomb is a malicious program that uses a trigger to activate
the malicious code. The logic bomb remains non-functioning until that trigger
event happens. Once triggered, a logic bomb executes malicious code that
causes harm to a computer. Cybersecurity specialists recently discovered logic
bombs that attack and destroy the hardware components in a workstation or server,
including the cooling fans, hard drives, and power supplies. The logic bomb
overdrives these devices until they overheat or fail.
8. Rootkits – A rootkit modifies the OS to make a backdoor. Attackers then use the
backdoor to access the computer remotely. Most rootkits take advantage of
software vulnerabilities to modify system files.
9. Backdoors – A backdoor bypasses the usual authentication used to access a
system. The purpose of the backdoor is to grant cyber criminals future access to
the system even if the organization fixes the original vulnerability used to attack
the system.
10. Keyloggers – A keylogger records everything the user types on his/her computer
system to obtain passwords and other sensitive information and sends them to the
source of the keylogging program.
Sniffing
A sniffing attack is a form of denial-of-service attack which is carried out by sniffing or
capturing packets on the network, and then either sending them repeatedly to a victim
machine or replaying them back to the sender with modifications. Sniffers are often used in
system hacking as a tool for analyzing traffic patterns in a scenario where performing more
intrusive and damaging attacks would not be desirable.
Sniffing Attack:
A sniffing attack can also be used in an attempt to recover a passphrase, such as when an
SSH private key has been compromised. The sniffer captures SSH packets containing
encrypted versions of the password being typed by the user at their terminal, which can then
be cracked offline using brute force methods.
- The term “sniffing” is defined in RFC 2301 as: “Any act of capturing network
traffic and replaying it, usually for the purpose of espionage or sabotage.”
- This definition is not accurate for UNIX-based systems, since any traffic can be
sniffed as long as the attacker either has access to network interfaces (NICs) or
modifies packets that could not be altered in transit. Sniffing can be performed
using a special program like tcpdump, tcpflow, or LanMon that is connected to a
port over which the packets can be inspected remotely.
- Another sniffing attack, called ARP spoofing, involves sending forged Address
Resolution Protocol (ARP) messages to the Ethernet data link layer. These
messages are used to associate a victim machine’s IP address with a
different MAC address, leading the targeted machine to send all its traffic
intended for the victim through an attacker-controlled host.
- This is used both to hijack sessions and also to cause flooding of the network via a
denial-of-service attack (see Smurf attack).
- Every IP packet contains, in addition to its payload, two fields: an IP header, and
an Ethernet header encapsulating it.
- The combination of these two headers is often referred to as a “packet” by those
who work with internet communications. An attacker can, therefore, view and
modify an IP packet’s IP header without having to see its payload.
- The Ethernet header contains information about the destination MAC address (the
hardware address of the recipient machine) and the EtherType field contains a
value indicating what type of service is requested (e.g., precedence or flow
control).
- The EtherType could be “0xFFFF”, indicating that no service fields were included
for the Ethernet frame. This was used in Cisco’s implementation prior to version
8.0.
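
The ARP spoofing described above leaves a visible trace on the segment: an IP address (typically the gateway's) that was announced with one MAC address starts being announced with another, and one MAC ends up claiming several IPs. As an added example (not from the original document), a detector that replays a constructed list of observed ARP replies and reports both signals; the observation tuples and the threshold parameter are assumptions:

```python
"""Detect ARP spoofing from observed ARP replies by tracking the IP-to-MAC
binding each sender announces. Added example; the observations below are
constructed, not captured from a real network."""
from collections import defaultdict

# Constructed observations: (timestamp_s, sender_ip, sender_mac) from ARP replies
OBSERVED = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway
    (1, "192.168.1.20", "aa:bb:cc:00:00:20"),   # workstation
    (2, "192.168.1.30", "aa:bb:cc:00:00:30"),   # another host on the segment
    (5, "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway again, consistent
    (8, "192.168.1.1", "aa:bb:cc:00:00:30"),    # gateway IP now claimed by .30's MAC
    (9, "192.168.1.20", "aa:bb:cc:00:00:30"),   # .20 also claimed by .30's MAC
]


def detect_arp_spoofing(observations, max_ips_per_mac=1):
    """Replay ARP reply observations and return a list of alert tuples.

    Two signals are checked:
      * ip_rebound: an IP that was first seen with one MAC is now announced
        by a different MAC (the classic gateway-impersonation sign);
      * mac_claims_multiple_ips: one MAC announces more IPs than a host on
        this segment legitimately should (raise max_ips_per_mac for routers
        or hosts that proxy-ARP on purpose).
    Both can also fire on legitimate DHCP churn or a replaced NIC, so treat
    them as leads to confirm against DHCP leases, not as proof."""
    bindings = {}                    # ip -> mac it was first seen with
    ips_by_mac = defaultdict(set)    # mac -> set of IPs it has claimed
    flagged_macs = set()             # report each over-claiming MAC once
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        previous = bindings.setdefault(ip, mac)
        if previous != mac:
            alerts.append((ts, "ip_rebound", ip, previous, mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append((ts, "mac_claims_multiple_ips", mac, sorted(ips_by_mac[mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(OBSERVED):
        print(alert)
```

On the constructed data the gateway rebound is reported at t=8 together with the over-claiming MAC, and the second rebound at t=9; in practice the same logic is fed from a passive capture of ARP traffic on a mirror port.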
Gaining access

Gaining access attack is the second part of network penetration testing. In this section, we
will connect to the network. This will allow us to launch more powerful attacks and get more
accurate information. If a network doesn't use encryption, we can just connect to it and sniff
out unencrypted data. If a network is wired, we can use a cable and connect to it, perhaps
by changing our MAC address. The only problem is when the target uses encryption like
WEP, WPA or WPA2. If we do encounter encrypted data, we need to know the key to decrypt
it; that's the main purpose of this chapter.

If the network uses encryption, we can't get anywhere unless we decrypt it. In this section, we
will discuss how to break that encryption and how to gain access to the networks whether
they use WEP/WPA/WPA2.

This section will cover the following topics:

o WEP Introduction
o Basic WEP cracking
o Fake authentication attack
o ARP request replay
o WPA theory
o Handshake theory
o Capturing handshakes
o Creating wordlists
o Wordlist cracking
o Securing network from attacks

Hiding files
When trying to hide files on a computer, there are a variety of different options. In general,
there is a tradeoff between the effectiveness of the hiding techniques and the level of
privileges necessary to accomplish them. While some methods may be extremely difficult for
a user to detect, they also require elevated privileges on the system. More accessible methods,
on the other hand, are much easier to detect.

Different means of hiding files may be specific to different operating systems, but many are
generally applicable. Some of the options for hiding files on a system include:

- Hidden files and folders
- Unexpected locations
- Alternate data streams
- Function modification
- Function hooking

Hidden files and folders

One of the simplest and most well-known methods of hiding files is using the hidden files
attribute. This functionality is built into most operating systems and is intended to ensure that
users do not mess with files that they shouldn’t.

Unexpected locations
Another simple means of hiding files from a user is by placing them in unexpected locations.
While the user can easily see these files if they are looking for them, they’re unlikely to do
so. One example of this is placing a malicious file in the Recycle Bin on Windows.
Alternate data streams
Alternate data streams (ADS) are a feature of the NTFS file system. They allow additional
data or even files to be attached to a file. These data streams are not visible by default, making them
a good place to hide malicious files or executables.

Function modification
Function modification replaces a system utility such as ls with a version whose output omits
the files the attacker wants hidden. This technique is effective as long as the user does not detect the fact that ls has been
modified. Modifications can easily be detected by comparing the hash of the binary to a
known-good hash, and many security tools are designed to perform this comparison and
generate alerts if a discrepancy is discovered.
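
The hash comparison just described, as an added example (not from the original document): a baseline of SHA-256 digests is recorded once and later checked, classifying each binary as unchanged, modified or missing. The demo runs against small files it creates in a temporary directory standing in for a system bin directory, and the file names and baseline format are assumptions:

```python
"""Hash-based integrity check for system binaries: record known-good SHA-256
digests once, then compare. Added example; it runs against files it creates in
a temporary directory, not against real system binaries."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Known-good digests, taken from a trusted state (fresh install or media)."""
    return {p: sha256_file(p) for p in paths}


def save_baseline(baseline, baseline_path):
    # The baseline must live where someone who can modify binaries cannot
    # also rewrite it (read-only media, a separate host, or a signed file);
    # a baseline on the same writable disk is only as good as the disk.
    with open(baseline_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(baseline_path):
    with open(baseline_path) as f:
        return json.load(f)


def check_baseline(baseline):
    """Return {path: status} where status is 'ok', 'modified' or 'missing'."""
    report = {}
    for path, good_digest in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif sha256_file(path) != good_digest:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed scenario: three 'binaries', one tampered, one deleted."""
    with tempfile.TemporaryDirectory() as d:
        paths = {name: os.path.join(d, name) for name in ("ls", "cat", "id")}
        for name, p in paths.items():
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        baseline_path = os.path.join(d, "baseline.json")
        save_baseline(build_baseline(paths.values()), baseline_path)
        # Tamper after the baseline exists: append to ls (a trojaned ls would
        # instead filter its output) and delete cat; id is left untouched.
        with open(paths["ls"], "ab") as f:
            f.write(b"# tampered\n")
        os.remove(paths["cat"])
        report = check_baseline(load_baseline(baseline_path))
        return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

A modified ls is only caught if the check itself is trustworthy: run the comparison from a separate, known-clean environment, since a rootkit that hooks file reads can feed the checker the original bytes.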

Function hooking

Function hooking is the technique used by rootkits to hide malware on a system. When an
application wants a list of the files stored on a computer, the processes running and so on, it
calls a low-level function of the operating system. This function runs, generates the list, and
then sends it back to the calling application. A hook intercepts that call and removes the
hidden items from the list before it is returned, so every application that relies on the
function sees the filtered result.

Virus, Worms, Trojan horse and backdoors

What is Virus?

A virus is a computer program that attaches to another computer program in order to
harm the system. When the legitimate program runs, the virus may execute any function, like
deleting a file. The main characteristic of a virus is that when an infected program is run, it
first runs the virus and then the legitimate program code. It may also affect the
other programs on the computer system.

After damaging all files on the current user's computer, the virus spreads and sends its code
via the network to the users whose e-mail addresses are stored on the current user's computer
system. Specific events may also trigger a virus. Several types of viruses include parasitic,
polymorphic, stealth, boot sector, memory resident, and metamorphic viruses. Infection with
a virus can be avoided by blocking the entry of a virus.

What is Worm?

A worm is a form of malicious program (virus) that replicates itself as it moves from one
system to another and leaves copies of itself in the memory of each system. A worm
discovers a vulnerability in a computer and spreads like an infection throughout the related
network, continuously looking for more holes. E-mail attachments spread worms from
seemingly reliable senders. Worms are spread to a user's contacts through the address book and e-mail
account.

Some worms reproduce before going dormant, while others cause harm. In such
circumstances, the malicious code carried by the worm is known as the payload.

What is a Trojan horse?

The Trojan horse gets its name from the well-known story of the Trojan War. It is a
malicious piece of code with the ability to take control of the system. It is intended to steal,
damage, or do some other harmful actions on the computer system. It attempts to deceive the
user into loading and running the files on the device. Once it executes, it permits
cybercriminals to execute various tasks on the user's system, like modifying data in files,
deleting data from files, etc. The Trojan horse cannot replicate itself, unlike many viruses or
worms.

A Trojan spreads by spamming a huge number of users' inboxes with genuine-looking
e-mails and attachments. If cybercriminals induce users to download the malicious software, it
may affect the users' devices. The malware could be hidden in pop-up ads, banner
adverts, or website links.

Some well-known Trojan horses' instances are Beast, Back Orifice, Zeus, and The
Blackhole Exploit Kit.

Key differences between the Virus, Worm, and Trojan horse

There are various key differences between Viruses, Worms, and Trojan horses. Some of the
key differences between Viruses, Worm, and Trojan horses are as follows:

1. Viruses are computer programs that connect to other software or programs to harm
the system, whereas worms duplicate themselves to slow down the computer system.
On the other hand, rather than replicating, a Trojan horse steals critical data about a
computer system or a network.
2. A virus attacks an executable file and attaches itself to it to change the file, whereas a
worm attacks system and application flaws. On the other hand, a Trojan horse appears
to be a beneficial application that contains hidden code which is executed to perform
undesirable or harmful operations.
3. A virus's execution and transmission rely on the transfer of infected files, whereas
worms replicate without human action and utilize a network to embed themselves in
other systems. On the other hand, a Trojan horse poses as utility software and is
executed by the user.
4. A virus could not be remotely controlled. On the other hand, worms and Trojan horses
may be remotely controlled.
5. The virus is primarily utilized to modify or erase system data, whereas worms are
utilized to excessively use system resources and slow them down. On the other hand, a
Trojan horse may be utilized to steal user data to obtain access to the user's computer
system.
6. Viruses may spread slowly, whereas worms may spread quickly. In contrast, Trojan
horses may also spread slowly.

Head-to-head comparison between Virus, Worm, and Trojan horse

Here, you will learn the head-to-head comparisons between Viruses, Worms, and Trojan
horses. The main differences between Viruses, Worms, and Trojan horses are as follows:

Features compared: Virus, Worm, Trojan horse

Definition
Virus: Viruses are computer programs that connect to other software or programs to harm the system.
Worm: A worm is a malware program similar to a virus that doesn't interact with other system applications but instead multiplies and executes itself to slow down and harm the system's performance.
Trojan horse: A Trojan horse is a type of malware that steals sensitive data from a user's system and delivers it to a different location on the network.

Replication
Virus: It replicates itself.
Worm: It also replicates itself.
Trojan horse: It doesn't replicate itself.

Execution
Virus: It relies on the transfer of infected files.
Worm: It replicates itself without human action and utilizes a network to embed itself in other systems.
Trojan horse: It is downloaded as software and executed.

Remotely Controlled
Virus: A virus could not be remotely controlled.
Worm: It may be remotely controlled.
Trojan horse: It may also be remotely controlled.

Infection
Virus: Viruses spread through executable files.
Worm: Worms take advantage of system flaws.
Trojan horse: The Trojan horse runs as a program and is interpreted as utility software.

Rate of Spreading
Virus: Viruses spread at a moderate rate.
Worm: Worms spread at a quicker rate than viruses and Trojan horses.
Trojan horse: The spread rate of Trojan horses is slower than that of viruses and worms.

Purpose
Virus: It is primarily utilized to modify or erase system data.
Worm: These are utilized to excessively use system resources and slow them down.
Trojan horse: It may be utilized to steal user data to obtain access to the user's computer system.

Backdoor:
In cybersecurity, a backdoor is a means of bypassing an organization’s existing security
systems. While a company may have various security solutions in place, there may be
mechanisms in place that allow a legitimate user or attacker to evade them. If an attacker can
identify and access these backdoors, they can gain access to corporate systems without
detection.

Types of Backdoors

Backdoors can come in various different forms. A few of the most common types include:

- Trojans: Most backdoor malware is designed to slip past an organization’s defenses,
providing an attacker with a foothold on a company’s systems. For this reason, they
are commonly trojans, which pretend to be a benign or desirable file while containing
malicious functionality, such as supporting remote access to an infected computer.

- Built-in Backdoors: Device manufacturers may include backdoors in the form of
default accounts, undocumented remote access systems, and similar features. While
these systems are typically only intended for the use of the manufacturer, they are
often designed to be impossible to disable, and no backdoor remains secret forever,
exposing these security holes to attackers.

- Web Shells: A web shell is a web page designed to take user input and execute it
within the system terminal. These backdoors are commonly installed by system and
network administrators to make it easier to remotely access and manage corporate
systems.

- Supply Chain Exploits: Web applications and other software often incorporate third-
party libraries and code. An attacker may incorporate backdoor code into a library in
the hope that it will be used in corporate applications, providing backdoor access to
systems running the software.
